
Bug#1019052: marked as done (bullseye-pu: package curl/7.74.0-1.3+deb11u3)



Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id <92fe43e7805e82e43100a6471ccbf91cd9a12944.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1019052,
regarding bullseye-pu: package curl/7.74.0-1.3+deb11u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1019052: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019052
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: carnil@debian.org,curl@packages.debian.org

Hi SRM,

[ Reason ]

curl is affected by another CVE which does not warrant a DSA,
CVE-2022-35252.

[ Impact ]

Will have the CVE open until it will be included in a future update.
Severity is low that said.

[ Tests ]

Have run the testsuite without the fix, confirming the 0008 test will
fail and is succeeding after the fix.

[ Risks ]

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Code now rejects cookies with "control bytes".

[ Other info ]

None

Regards,
Salvatore
diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog
--- curl-7.74.0/debian/changelog	2022-07-23 17:47:52.000000000 +0200
+++ curl-7.74.0/debian/changelog	2022-09-03 12:26:12.000000000 +0200
@@ -1,3 +1,11 @@
+curl (7.74.0-1.3+deb11u3) bullseye; urgency=medium
+
+  * cookie: reject cookies with "control bytes" (CVE-2022-35252)
+    (Closes: #1018831)
+  * test8: verify that "ctrl-byte cookies" are ignored
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 03 Sep 2022 12:26:12 +0200
+
 curl (7.74.0-1.3+deb11u2) bullseye-security; urgency=high
 
   * Non-maintainer upload.
diff -Nru curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch
--- curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.74.0/debian/patches/cookie-reject-cookies-with-control-bytes.patch	2022-09-03 12:26:12.000000000 +0200
@@ -0,0 +1,65 @@
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: cookie: reject cookies with "control bytes"
+Origin: https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb0ed786592c65c3
+Bug-Debian: https://bugs.debian.org/1018831
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-35252
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -375,6 +375,30 @@ static void strstore(char **str, const c
+ }
+ 
+ /*
++  RFC 6265 section 4.1.1 says a server should accept this range:
++
++  cookie-octet    = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
++
++  But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
++  fine. The prime reason for filtering out control bytes is that some HTTP
++  servers return 400 for requests that contain such.
++*/
++static int invalid_octets(const char *p)
++{
++  /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
++  static const char badoctets[] = {
++    "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
++    "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
++    "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
++  };
++  size_t vlen, len;
++  /* scan for all the octets that are *not* in cookie-octet */
++  len = strcspn(p, badoctets);
++  vlen = strlen(p);
++  return (len != vlen);
++}
++
++/*
+  * remove_expired() removes expired cookies.
+  */
+ static void remove_expired(struct CookieInfo *cookies)
+@@ -562,6 +586,11 @@ Curl_cookie_add(struct Curl_easy *data,
+             badcookie = TRUE;
+             break;
+           }
++          if(invalid_octets(whatptr) || invalid_octets(name)) {
++            infof(data, "invalid octets in name/value, cookie dropped");
++            badcookie = TRUE;
++            break;
++          }
+         }
+         else if(!len) {
+           /* this was a "<name>=" with no content, and we must allow
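Review bot: In invalid_octets(), the inline comment "scan for all the octets that are *not* in cookie-octet" does not describe what the function rejects. badoctets holds only \x01-\x1f (minus \x09) and \x7f, and the block comment above states that space, comma and double quote are accepted even though they fall outside cookie-octet. Reword it to something like "scan for the first control byte" so a later reader does not change the list on the strength of the comment. The strcspn() plus strlen() pair also walks the string twice; `return p[strcspn(p, badoctets)] != 0;` gives the same result in one pass. In the Curl_cookie_add() hunk, the infof() format string has no trailing newline, so confirm that matches the other infof() calls in the 7.74.0 tree this is applied to.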
diff -Nru curl-7.74.0/debian/patches/series curl-7.74.0/debian/patches/series
--- curl-7.74.0/debian/patches/series	2022-07-23 17:47:52.000000000 +0200
+++ curl-7.74.0/debian/patches/series	2022-09-03 12:26:12.000000000 +0200
@@ -24,6 +24,8 @@
 CVE-2022-32207.patch
 CVE-2022-32208.patch
 CVE-2022-27774.patch
+cookie-reject-cookies-with-control-bytes.patch
+test8-verify-that-ctrl-byte-cookies-are-ignored.patch
 
 # Always add CVE patches before these two patches
 90_gnutls.patch
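Review bot: The two added entries do not follow the CVE-<id>.patch naming of the lines directly above them, so a later grep of the series file for CVE-2022-35252 will not find the fix. Consider naming the fix patch after the CVE, or adding a comment line with the CVE id above the two entries. Their position before 90_gnutls.patch is consistent with the "Always add CVE patches before these two patches" comment.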
diff -Nru curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch
--- curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch	1970-01-01 01:00:00.000000000 +0100
+++ curl-7.74.0/debian/patches/test8-verify-that-ctrl-byte-cookies-are-ignored.patch	2022-09-03 12:26:12.000000000 +0200
@@ -0,0 +1,62 @@
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: test8: verify that "ctrl-byte cookies" are ignored
+Origin: https://github.com/curl/curl/commit/2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
+
+---
+ tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/tests/data/test8 b/tests/data/test8
+index a8548e6c2ea5..858761159aa0 100644
+--- a/tests/data/test8
++++ b/tests/data/test8
+@@ -46,6 +46,36 @@ Set-Cookie: trailingspace    = removed; path=/we/want;
+ Set-Cookie: nocookie=yes; path=/WE;
+ Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
+ Set-Cookie: partialip=nono; domain=.0.0.1;
++Set-Cookie: cookie1=%hex[%01-junk]hex%
++Set-Cookie: cookie2=%hex[%02-junk]hex%
++Set-Cookie: cookie3=%hex[%03-junk]hex%
++Set-Cookie: cookie4=%hex[%04-junk]hex%
++Set-Cookie: cookie5=%hex[%05-junk]hex%
++Set-Cookie: cookie6=%hex[%06-junk]hex%
++Set-Cookie: cookie7=%hex[%07-junk]hex%
++Set-Cookie: cookie8=%hex[%08-junk]hex%
++Set-Cookie: cookie9=%hex[junk-%09-]hex%
++Set-Cookie: cookie11=%hex[%0b-junk]hex%
++Set-Cookie: cookie12=%hex[%0c-junk]hex%
++Set-Cookie: cookie14=%hex[%0e-junk]hex%
++Set-Cookie: cookie15=%hex[%0f-junk]hex%
++Set-Cookie: cookie16=%hex[%10-junk]hex%
++Set-Cookie: cookie17=%hex[%11-junk]hex%
++Set-Cookie: cookie18=%hex[%12-junk]hex%
++Set-Cookie: cookie19=%hex[%13-junk]hex%
++Set-Cookie: cookie20=%hex[%14-junk]hex%
++Set-Cookie: cookie21=%hex[%15-junk]hex%
++Set-Cookie: cookie22=%hex[%16-junk]hex%
++Set-Cookie: cookie23=%hex[%17-junk]hex%
++Set-Cookie: cookie24=%hex[%18-junk]hex%
++Set-Cookie: cookie25=%hex[%19-junk]hex%
++Set-Cookie: cookie26=%hex[%1a-junk]hex%
++Set-Cookie: cookie27=%hex[%1b-junk]hex%
++Set-Cookie: cookie28=%hex[%1c-junk]hex%
++Set-Cookie: cookie29=%hex[%1d-junk]hex%
++Set-Cookie: cookie30=%hex[%1e-junk]hex%
++Set-Cookie: cookie31=%hex[%1f-junk]hex%
++Set-Cookie: cookie31=%hex[%7f-junk]hex%
+ 
+ </file>
+ <precheck>
+@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1
+ Host: %HOSTIP:%HTTPPORT
+ User-Agent: curl/%VERSION
+ Accept: */*
+-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk-	-
+ 
+ </protocol>
+ </verify>
+-- 
+2.30.2
+
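Review bot: The last two added Set-Cookie lines both use the name cookie31, once for %1f and once for %7f, so a failure report cannot tell the two cases apart; give the %7f case its own name (for example cookie127). The numbering also skips cookie10 and cookie13, which means \x0a and \x0d are listed in badoctets but are not exercised here. If that is because those bytes cannot be carried inside a header line in this test format, a one-line comment in the test saying so would help. The updated Cookie: expectation checks that cookie9 (the TAB case) is kept and that none of the other cookieN names are sent, which matches the stated intent.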

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.5

Hi,

The updates referred to in each of these bugs were included in today's
11.5 point release.

Regards,

Adam

--- End Message ---
