
Bug#1068344: marked as done (bookworm-pu: package curl/7.88.1-10+deb12u6)



Your message dated Sat, 29 Jun 2024 10:46:17 +0000
with message-id <E1sNVaz-002bcp-Vl@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1068344,
regarding bookworm-pu: package curl/7.88.1-10+deb12u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1068344: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068344
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: curl@packages.debian.org, guilherme@puida.xyz
Control: affects -1 + src:curl
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
1. Fix CVE-2004

> When a protocol selection parameter option disables all protocols
> without adding any then the default set of protocols would remain in
> the allowed set due to an error in the logic for removing protocols.
> The flaw is only present if the set of selected protocols disables the
> entire set of available protocols, in itself a command with no
> practical use and therefore unlikely to be encountered in real
> situations. The curl security team has thus assessed this to be low
> severity bug.

2. Fix CVE-2398

> When an application tells libcurl it wants to allow HTTP/2 server
> push, and the amount of received headers for the push surpasses the
> maximum allowed limit (1000), libcurl aborts the server push. When
> aborting, libcurl inadvertently does not free all the previously
> allocated headers and instead leaks the memory. Further, this error
> condition fails silently and is therefore not easily detected by an
> application.

3. Fix incorrect handling of ldap URLs for IPv6 addresses
   (closes: #1053642)

[ Impact ]
As the vulnerabilities are present in bookworm's curl code, they can be
exploited by malicious actors.

[ Tests ]
Upstream provides an extensive test suite, and there are no test
failures when building or running autopkgtest.

[ Risks ]
The patches introduced are not very complex, but some amount of
backporting was needed in order to apply the patches to the curl version
currently in bookworm. There is a chance of introducing some bugs here,
but the test suite should catch most of them. samueloph also reviewed my
changes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
1. Imported and backported the upstream patch that fixes CVE-2024-2004.
2. Imported and backported the upstream patch that fixes CVE-2024-2398.
3. Imported and backported the upstream patch that fixes #1053643.

--puida
diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog	2023-12-10 03:07:30.000000000 -0300
+++ curl-7.88.1/debian/changelog	2024-04-02 20:02:10.000000000 -0300
@@ -1,3 +1,18 @@
+curl (7.88.1-10+deb12u6) bookworm; urgency=medium
+
+  * Team upload.
+
+  [ Sergio Durigan Junior ]
+  * d/p/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch:
+    (Closes: #1053643)
+
+  [ Guilherme Puida Moreira ]
+  * Add patches to fix CVE-2024-2004 and CVE-2024-2398.
+  * d/p/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch:
+    Refresh patch.
+
+ -- Guilherme Puida Moreira <guilherme@puida.xyz>  Tue, 02 Apr 2024 20:02:10 -0300
+
 curl (7.88.1-10+deb12u5) bookworm-security; urgency=high
 
   * Add patches to fix CVE-2023-46218 and CVE-2023-46219
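Review bot: the d/p/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch entry under [ Sergio Durigan Junior ] carries only "(Closes: #1053643)" and no description of what changed; a short line such as "create ldap URLs correctly for IPv6 addresses (upstream commit 56935a7)" would let changelog readers see the fix without opening the patch, and would match the level of detail the CVE line gives.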
diff -Nru curl-7.88.1/debian/patches/CVE-2024-2004.patch curl-7.88.1/debian/patches/CVE-2024-2004.patch
--- curl-7.88.1/debian/patches/CVE-2024-2004.patch	1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/CVE-2024-2004.patch	2024-04-02 20:02:10.000000000 -0300
@@ -0,0 +1,135 @@
+From 17d302e56221f5040092db77d4f85086e8a20e0e Mon Sep 17 00:00:00 2001
+From: Daniel Gustafsson <daniel@yesql.se>
+Date: Tue, 27 Feb 2024 15:43:56 +0100
+Subject: [PATCH] setopt: Fix disabling all protocols
+
+When disabling all protocols without enabling any, the resulting
+set of allowed protocols remained the default set.  Clearing the
+allowed set before inspecting the passed value from --proto make
+the set empty even in the errorpath of no protocols enabled.
+
+Co-authored-by: Dan Fandrich <dan@telarity.com>
+Reported-by: Dan Fandrich <dan@telarity.com>
+Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+Closes: #13004
+
+Backported by: Guilherme Puida Moreira <guilherme@puida.xyz>
+ * Small change in the Makefile to add a new test.
+
+---
+ lib/setopt.c            | 16 ++++++++--------
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1474     | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 51 insertions(+), 9 deletions(-)
+ create mode 100644 tests/data/test1474
+
+Index: curl/lib/setopt.c
+===================================================================
+--- curl.orig/lib/setopt.c
++++ curl/lib/setopt.c
+@@ -150,6 +150,12 @@ static CURLcode setstropt_userpwd(char *
+ 
+ static CURLcode protocol2num(const char *str, curl_prot_t *val)
+ {
++  /*
++   * We are asked to cherry-pick protocols, so play it safe and disallow all
++   * protocols to start with, and re-add the wanted ones back in.
++   */
++  *val = 0;
++
+   if(!str)
+     return CURLE_BAD_FUNCTION_ARGUMENT;
+ 
+@@ -158,8 +164,6 @@ static CURLcode protocol2num(const char
+     return CURLE_OK;
+   }
+ 
+-  *val = 0;
+-
+   do {
+     const char *token = str;
+     size_t tlen;
+@@ -2666,22 +2670,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+     break;
+ 
+   case CURLOPT_PROTOCOLS_STR: {
+-    curl_prot_t prot;
+     argptr = va_arg(param, char *);
+-    result = protocol2num(argptr, &prot);
++    result = protocol2num(argptr, &data->set.allowed_protocols);
+     if(result)
+       return result;
+-    data->set.allowed_protocols = prot;
+     break;
+   }
+ 
+   case CURLOPT_REDIR_PROTOCOLS_STR: {
+-    curl_prot_t prot;
+     argptr = va_arg(param, char *);
+-    result = protocol2num(argptr, &prot);
++    result = protocol2num(argptr, &data->set.redir_protocols);
+     if(result)
+       return result;
+-    data->set.redir_protocols = prot;
+     break;
+   }
+ 
+Index: curl/tests/data/Makefile.inc
+===================================================================
+--- curl.orig/tests/data/Makefile.inc
++++ curl/tests/data/Makefile.inc
+@@ -186,6 +186,7 @@ test1440 test1441 test1442 test1443 test
+ test1448 test1449 test1450 test1451 test1452 test1453 test1454 test1455 \
+ test1456 test1457 test1458 test1459 test1460 test1461 test1462 test1463 \
+ test1464 test1465 test1466 test1467 test1468 test1469 \
++test1474 \
+ \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+Index: curl/tests/data/test1474
+===================================================================
+--- /dev/null
++++ curl/tests/data/test1474
+@@ -0,0 +1,42 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++--proto
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<features>
++http
++</features>
++<name>
++--proto -all disables all protocols
++</name>
++<command>
++--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 1 - Protocol "http" disabled
++<errorcode>
++1
++</errorcode>
++</verify>
++</testcase>
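Review bot: moving `*val = 0;` ahead of the `if(!str)` early return and parsing straight into data->set.allowed_protocols (and redir_protocols) means a CURLOPT_PROTOCOLS_STR call that fails, whether with a NULL string or with a selection that disables everything such as `-all`, now leaves the allowed set empty instead of untouched. That is the fail-closed behaviour the commit message asks for, but it is also a behaviour change from deb12u5 for applications that set the option and ignore the return code, so a sentence in d/changelog or README.Debian would help. test1474 only exercises the `-all` case on the command line; the same empty-set outcome for CURLOPT_REDIR_PROTOCOLS_STR is not covered by the added test.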
diff -Nru curl-7.88.1/debian/patches/CVE-2024-2398.patch curl-7.88.1/debian/patches/CVE-2024-2398.patch
--- curl-7.88.1/debian/patches/CVE-2024-2398.patch	1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/CVE-2024-2398.patch	2024-04-02 20:02:10.000000000 -0300
@@ -0,0 +1,91 @@
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+Backported by: Guilherme Puida Moreira <guilherme@puida.xyz>:
+ * Changed h2_stream_ctx to HTTP in free_push_headers.
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+Index: curl/lib/http2.c
+===================================================================
+--- curl.orig/lib/http2.c
++++ curl/lib/http2.c
+@@ -229,6 +229,15 @@ static CURLcode http2_data_setup(struct
+   return CURLE_OK;
+ }
+ 
++static void free_push_headers(struct HTTP *stream)
++{
++  size_t i;
++  for(i = 0; i<stream->push_headers_used; i++)
++    free(stream->push_headers[i]);
++  Curl_safefree(stream->push_headers);
++  stream->push_headers_used = 0;
++}
++
+ /*
+  * Initialize the cfilter context
+  */
+@@ -702,7 +711,6 @@ static int push_promise(struct Curl_cfil
+     struct HTTP *newstream;
+     struct curl_pushheaders heads;
+     CURLMcode rc;
+-    size_t i;
+     /* clone the parent */
+     struct Curl_easy *newhandle = h2_duphandle(cf, data);
+     if(!newhandle) {
+@@ -738,11 +746,7 @@ static int push_promise(struct Curl_cfil
+     Curl_set_in_callback(data, false);
+ 
+     /* free the headers again */
+-    for(i = 0; i<stream->push_headers_used; i++)
+-      free(stream->push_headers[i]);
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-    stream->push_headers_used = 0;
++    free_push_headers(stream);
+ 
+     if(rv) {
+       DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1198,14 +1202,14 @@ static int on_header(nghttp2_session *se
+       if(stream->push_headers_alloc > 1000) {
+         /* this is beyond crazy many headers, bail out */
+         failf(data_s, "Too many PUSH_PROMISE headers");
+-        Curl_safefree(stream->push_headers);
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers_alloc *= 2;
+-      headp = Curl_saferealloc(stream->push_headers,
+-                               stream->push_headers_alloc * sizeof(char *));
++      headp = realloc(stream->push_headers,
++                      stream->push_headers_alloc * sizeof(char *));
+       if(!headp) {
+-        stream->push_headers = NULL;
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers = headp;
+@@ -1364,14 +1368,7 @@ static void http2_data_done(struct Curl_
+      setup */
+   Curl_dyn_free(&stream->header_recvbuf);
+   Curl_dyn_free(&stream->trailer_recvbuf);
+-  if(stream->push_headers) {
+-    /* if they weren't used and then freed before */
+-    for(; stream->push_headers_used > 0; --stream->push_headers_used) {
+-      free(stream->push_headers[stream->push_headers_used - 1]);
+-    }
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-  }
++  free_push_headers(stream);
+ 
+   if(!ctx || !ctx->h2)
+     return;
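Review bot: the swap from Curl_saferealloc() to plain realloc() in on_header is load-bearing, not cosmetic. The removed line `stream->push_headers = NULL;` after a failed Curl_saferealloc shows the old array was already released by that helper on failure; free_push_headers() walks stream->push_headers[i], so it can only be called on that path if the array still exists, which realloc() guarantees. The two lines must stay together if this patch is refreshed again. Also, free_push_headers() resets push_headers_used but not push_headers_alloc; harmless here because all three callers are on abort or teardown paths, but a comment saying so would stop a later caller from reusing the stream with a stale allocation count.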
diff -Nru curl-7.88.1/debian/patches/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch curl-7.88.1/debian/patches/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch
--- curl-7.88.1/debian/patches/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch	1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch	2024-04-02 20:02:10.000000000 -0300
@@ -0,0 +1,48 @@
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 30 Mar 2024 11:14:54 +0100
+Subject: openldap: create ldap URLs correctly for IPv6 addresses
+
+Reported-by: Sergio Durigan Junior
+Fixes #13228
+Closes #13235
+
+More context:
+
+When the user specified an IPv6 address to be used as an LDAP server,
+curl will fail to properly enclose it in square brackets, which causes
+the connection to fail because the host address cannot be
+distinguished from the port:
+
+$ curl -v ldap://[fd42:be5:e632:a6b3:216:3eff:feb1:5bc4]:389
+...
+* LDAP local: Cannot connect to ldap://fd42:be5:e632:a6b3:216:3eff:feb1:5bc4:389, Bad parameter to an ldap routine
+...
+
+Fix this by always enclosing the IPv6 address in square brackets.
+
+Origin: upstream, https://github.com/curl/curl/commit/56935a7dada6975d5a46aa494de0af195e4e8659
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053643
+---
+ lib/openldap.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+Index: curl/lib/openldap.c
+===================================================================
+--- curl.orig/lib/openldap.c
++++ curl/lib/openldap.c
+@@ -547,9 +547,12 @@ static CURLcode oldap_connect(struct Cur
+ 
+   (void)done;
+ 
+-  hosturl = aprintf("ldap%s://%s:%d",
+-                    conn->handler->flags & PROTOPT_SSL? "s": "",
+-                    conn->host.name, conn->remote_port);
++  hosturl = aprintf("%s://%s%s%s:%d",
++                    conn->handler->scheme,
++                    conn->bits.ipv6_ip? "[": "",
++                    conn->host.name,
++                    conn->bits.ipv6_ip? "]": "",
++                    conn->remote_port);
+   if(!hosturl)
+     return CURLE_OUT_OF_MEMORY;
+ 
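Review bot: the new format string takes the scheme from conn->handler->scheme rather than building "ldap%s" from PROTOPT_SSL, so the backport relies on the 7.88.1 LDAP handler tables carrying exactly the "ldap"/"ldaps" strings the old code produced; that is not visible in the hunk and is worth confirming, for instance by checking that an ldaps:// test still passes. The bracket handling itself is right: conn->bits.ipv6_ip wraps the literal so the port separator is unambiguous, which is precisely the "Bad parameter to an ldap routine" failure quoted in the commit message.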
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series	2023-12-10 03:07:30.000000000 -0300
+++ curl-7.88.1/debian/patches/series	2024-04-02 20:02:10.000000000 -0300
@@ -7,6 +7,7 @@
 Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch
 
 fix-unix-domain-socket.patch
+openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch
 
 # CVE fixes.
 # Patches from 8.0.1.
@@ -39,6 +40,10 @@
 CVE-2023-46218.patch
 CVE-2023-46219.patch
 
+# Patches from 8.7.1.
+CVE-2024-2004.patch
+CVE-2024-2398.patch
+
 # Do not add patches below.
 # Used to generate packages for the other crypto libraries.
 90_gnutls.patch

--- End Message ---
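The protocol-selection bug from item 1 of [ Reason ], modelled as an added example (not curl's code and not part of the Debian patch): a simplified protocol2num() with hypothetical protocol bits, beside the pre-fix and post-fix shapes of the CURLOPT_PROTOCOLS_STR handler shown in the debdiff, so the effect of "-all" on each can be checked. The names setopt_old, setopt_new, name2bit and the P_* values are assumptions of this model.

```c
#include <string.h>
/* Hypothetical protocol bits for this model; not curl's CURLPROTO_* values. */
#define P_HTTP  (1u << 0)
#define P_HTTPS (1u << 1)
#define P_FTP   (1u << 2)
#define P_ALL   (P_HTTP | P_HTTPS | P_FTP)
#define DEFAULT_ALLOWED P_ALL  /* stands in for curl's default allowed set */
struct settings { unsigned allowed; }; /* models data->set.allowed_protocols */
static unsigned name2bit(const char *t, size_t n)
{
  if(n == 4 && !strncmp(t, "http", 4)) return P_HTTP;
  if(n == 5 && !strncmp(t, "https", 5)) return P_HTTPS;
  if(n == 3 && !strncmp(t, "ftp", 3)) return P_FTP;
  if(n == 3 && !strncmp(t, "all", 3)) return P_ALL;
  return 0;
}

/* Parse a comma list of [+|-|=]name tokens into *val. Returns 0 on success,
   -1 on an unknown name or when nothing is left enabled (the error path). */
static int protocol2num(const char *str, unsigned *val)
{
  *val = 0;  /* clear first, as the upstream fix does */
  if(!str) return -1;
  while(*str) {
    char op = (*str == '+' || *str == '-' || *str == '=') ? *str++ : '+';
    size_t n = strcspn(str, ",");
    unsigned bit = name2bit(str, n);
    if(!bit) return -1;
    if(op == '=') *val = bit;
    else if(op == '-') *val &= ~bit;
    else *val |= bit;
    str += n;
    if(*str == ',') str++;
  }
  return *val ? 0 : -1;
}
/* Pre-fix shape: parse into a local and copy it only on success, so a "-all"
   that errors out leaves the previous (default) set in place. */
int setopt_old(struct settings *s, const char *str)
{
  unsigned prot;
  int rc = protocol2num(str, &prot);
  if(!rc) s->allowed = prot;
  return rc;
}
/* Post-fix shape: parse straight into the setting; the same error leaves it empty. */
int setopt_new(struct settings *s, const char *str)
{
  return protocol2num(str, &s->allowed);
}
```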
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---