
[kirkstone,04/29] curl: Add patch to fix CVE-2022-43551

Message ID c262d999034001d1253330b3c65996d0d5fb113f.1672594521.git.steve@sakoman.com
State Accepted, archived
Commit baa18f2cf107af7a5e1c7b7befad46e6c48f4222
Series [kirkstone,01/29] systemd: CVE-2022-45873 deadlock in systemd-coredump via a crash with a long backtrace

Commit Message

Steve Sakoman Jan. 1, 2023, 5:37 p.m. UTC
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>

Add patch to fix the security issue "curl's HSTS check could be bypassed
to trick it to keep using HTTP. Using its HSTS support, curl can be
instructed to use HTTPS instead of using an insecure clear-text HTTP
step even when HTTP is provided in the URL." as per below link
Link: https://curl.se/docs/CVE-2022-43551.html

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../curl/curl/CVE-2022-43551.patch            | 35 +++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-43551.patch

Patch

diff --git a/meta/recipes-support/curl/curl/CVE-2022-43551.patch b/meta/recipes-support/curl/curl/CVE-2022-43551.patch
new file mode 100644
index 0000000000..e1ec7bf72e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-43551.patch
@@ -0,0 +1,35 @@ 
+From 9e71901634e276dd050481c4320f046bebb1bc28 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:36:55 +0100
+Subject: [PATCH] http: use the IDN decoded name in HSTS checks
+
+Otherwise it stores the info HSTS into the persistent cache for the IDN
+name which will not match when the HSTS status is later checked for
+using the decoded name.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #10111
+
+CVE: CVE-2022-43551
+Upstream-Status: Backport [https://github.com/curl/curl/commit/9e71901634e276dd050481c4320f046bebb1bc28]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comments: Hunk refresh to remove patch-fuzz warning
+
+---
+ lib/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 85528a2218eee..a784745a8d505 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3652,7 +3652,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
+   else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
+           (conn->handler->flags & PROTOPT_SSL)) {
+     CURLcode check =
+-      Curl_hsts_parse(data->hsts, data->state.up.hostname,
++      Curl_hsts_parse(data->hsts, conn->host.name,
+                       headp + strlen("Strict-Transport-Security:"));
+     if(check)
+       infof(data, "Illegal STS header skipped");
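
Review bot: In the lib/http.c hunk carried by this new file, storing the HSTS entry under conn->host.name only closes the bypass if the lookup side in the 7.82.0 tree checks HSTS status with that same name, which is what the upstream description assumes ("later checked for using the decoded name"). Because this is a backport with a refreshed hunk rather than the upstream commit applied to its original base, please confirm that the lookup path in 7.82.0 uses the same name and say so in the patch header. The "Comments:" line would also be more useful if it stated that only context and offsets were refreshed and that the one-line change to the Curl_hsts_parse() call is identical to upstream.
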
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 4774ae7f2b..bd68e40ca4 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -32,6 +32,7 @@  SRC_URI = "https://curl.se/download/${BP}.tar.xz \
            file://CVE-2022-32221.patch \
            file://CVE-2022-42916.patch \
            file://CVE-2022-42915.patch \
+           file://CVE-2022-43551.patch \
            "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
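
Review bot: The new SRC_URI entry sits at the end of the list, so CVE-2022-43551.patch is applied after the CVE patches already listed above it. The hunk refresh mentioned in the patch header therefore needs to have been done against lib/http.c with those earlier patches applied, otherwise the fuzz warning can reappear; please confirm that was the base used. Leaving SRC_URI[sha256sum] unchanged is correct, since the upstream tarball is the same.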