| Message ID | 20230310124549.119027-1-andrej.valek@siemens.com |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [dunfell] curl: Fix CVE CVE-2021-22897 | expand |
Hello again, Looks like that this patch showed some isses/open points: - CVE-2021-22897 is white-listed already, but in hardknott is fixed already https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch - So do we have to ignore the patch, or apply and remove the whitelist, or remove patch from hardknott? - Https certificate at yocto.io has been expired ;) Regards, Andrej On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote: > https://curl.se/docs/CVE-2021-22897.html > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > --- > .../curl/curl/CVE-2021-22897.patch | 73 > +++++++++++++++++++ > meta/recipes-support/curl/curl_7.69.1.bb | 1 + > 2 files changed, 74 insertions(+) > create mode 100644 meta/recipes-support/curl/curl/CVE-2021- > 22897.patch > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch > new file mode 100644 > index 0000000000..cbd6c067ce > --- /dev/null > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch > @@ -0,0 +1,73 @@ > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00 > 2001 > +From: Daniel Stenberg <daniel@haxx.se> > +Date: Fri, 23 Apr 2021 10:54:10 +0200 > +Subject: [PATCH] schannel: don't use static to store selected > ciphers > + > +CVE-2021-22897 > + > +Bug: https://curl.se/docs/CVE-2021-22897.html > + > +Upstream-Status: Backport > +[ > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3 > 2834511] > + > +CVE: CVE-2021-22897 > + > +Signed-off-by: Daniel Stenberg <daniel@haxx.se> > +Signed-off-by: Khairul Rohaizzat Jamaluddin > <khairul.rohaizzat.jamaluddin@intel.com> > +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > +--- > + lib/vtls/schannel.c | 9 +++++---- > + lib/vtls/schannel.h | 3 +++ > + 2 files changed, 8 insertions(+), 4 deletions(-) > + > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c > +index 8c25ac5dd5a5..dba7072273a9 100644 > +--- a/lib/vtls/schannel.c > ++++ b/lib/vtls/schannel.c > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name) > + } > + > + static CURLcode > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, > ++ int *algIds) > + { > + char *startCur = ciphers; > + int algCount = 0; > +- static ALG_ID algIds[45]; /*There are 45 listed in the MS > headers*/ > +- while(startCur && (0 != *startCur) && (algCount < 45)) { > ++ while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS)) > { > + long alg = strtol(startCur, 0, 0); > + if(!alg) > + alg = get_alg_id_by_name(startCur); > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat > + } > + > + if(SSL_CONN_CONFIG(cipher_list)) { > +- result = set_ssl_ciphers(&schannel_cred, > SSL_CONN_CONFIG(cipher_list)); > ++ result = set_ssl_ciphers(&schannel_cred, > SSL_CONN_CONFIG(cipher_list), > ++ BACKEND->algIds); > + if(CURLE_OK != result) { > + failf(data, "Unable to set ciphers to passed via > SSL_CONN_CONFIG"); > + return result; > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h > +index 2952caa1a5a1..77853aa30f96 100644 > +--- a/lib/vtls/schannel.h > ++++ b/lib/vtls/schannel.h > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct > + #endif > + #endif > + > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers > */ > ++ > + struct curl_schannel_cred { > + CredHandle cred_handle; > + TimeStamp time_stamp; > +@@ -101,6 +103,7 @@ struct ssl_backend_data { > + #ifdef HAS_MANUAL_VERIFY_API > + bool use_manual_cred_validation; /* true if manual cred > validation is used */ > + #endif > ++ ALG_ID algIds[NUMOF_CIPHERS]; > + }; > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */ > + > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes- > support/curl/curl_7.69.1.bb > index ea36c0bd3d..384719dd15 100644 > --- a/meta/recipes-support/curl/curl_7.69.1.bb > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > @@ -19,6 +19,7 @@ SRC_URI = > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > file://CVE-2020-8286.patch \ > file://CVE-2021-22876.patch \ > file://CVE-2021-22890.patch \ > + file://CVE-2021-22897.patch \ > file://CVE-2021-22898.patch \ > file://CVE-2021-22924.patch \ > file://CVE-2021-22925.patch \
On Fri, Mar 10, 2023 at 3:09 AM Valek, Andrej <andrej.valek@siemens.com> wrote: > > Hello again, > > Looks like that this patch showed some isses/open points: > - CVE-2021-22897 is white-listed already, but in hardknott is fixed > already > https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch > - So do we have to ignore the patch, or apply and remove the > whitelist, or remove patch from hardknott? Hardknott is no longer being maintained, so nothing needs to be done there. Since this is a Windows only bug ("It can only trigger when Schannel is used, which is the native TLS library in Microsoft Windows") I think the existing whitelist is fine and we don't need this additional patch. > - Https certificate at yocto.io has been expired ;) Can you give me the url which is giving the expired certificate error? Thanks! Steve > Regards, > Andrej > > On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote: > > https://curl.se/docs/CVE-2021-22897.html > > > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > > --- > > .../curl/curl/CVE-2021-22897.patch | 73 > > +++++++++++++++++++ > > meta/recipes-support/curl/curl_7.69.1.bb | 1 + > > 2 files changed, 74 insertions(+) > > create mode 100644 meta/recipes-support/curl/curl/CVE-2021- > > 22897.patch > > > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > new file mode 100644 > > index 0000000000..cbd6c067ce > > --- /dev/null > > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > @@ -0,0 +1,73 @@ > > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00 > > 2001 > > +From: Daniel Stenberg <daniel@haxx.se> > > +Date: Fri, 23 Apr 2021 10:54:10 +0200 > > +Subject: [PATCH] schannel: don't use static to store selected > > ciphers > > + > > +CVE-2021-22897 > > + > > +Bug: https://curl.se/docs/CVE-2021-22897.html > > + > > +Upstream-Status: Backport > > +[ > > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3 > > 2834511] > > + > > +CVE: CVE-2021-22897 > > + > > +Signed-off-by: Daniel Stenberg <daniel@haxx.se> > > +Signed-off-by: Khairul Rohaizzat Jamaluddin > > <khairul.rohaizzat.jamaluddin@intel.com> > > +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > > +--- > > + lib/vtls/schannel.c | 9 +++++---- > > + lib/vtls/schannel.h | 3 +++ > > + 2 files changed, 8 insertions(+), 4 deletions(-) > > + > > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c > > +index 8c25ac5dd5a5..dba7072273a9 100644 > > +--- a/lib/vtls/schannel.c > > ++++ b/lib/vtls/schannel.c > > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name) > > + } > > + > > + static CURLcode > > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) > > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, > > ++ int *algIds) > > + { > > + char *startCur = ciphers; > > + int algCount = 0; > > +- static ALG_ID algIds[45]; /*There are 45 listed in the MS > > headers*/ > > +- while(startCur && (0 != *startCur) && (algCount < 45)) { > > ++ while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS)) > > { > > + long alg = strtol(startCur, 0, 0); > > + if(!alg) > > + alg = get_alg_id_by_name(startCur); > > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat > > + } > > + > > + if(SSL_CONN_CONFIG(cipher_list)) { > > +- result = set_ssl_ciphers(&schannel_cred, > > SSL_CONN_CONFIG(cipher_list)); > > ++ result = set_ssl_ciphers(&schannel_cred, > > SSL_CONN_CONFIG(cipher_list), > > ++ BACKEND->algIds); > > + if(CURLE_OK != result) { > > + failf(data, "Unable to set ciphers to passed via > > SSL_CONN_CONFIG"); > > + return result; > > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h > > +index 2952caa1a5a1..77853aa30f96 100644 > > +--- a/lib/vtls/schannel.h > > ++++ b/lib/vtls/schannel.h > > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct > > + #endif > > + #endif > > + > > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers > > */ > > ++ > > + struct curl_schannel_cred { > > + CredHandle cred_handle; > > + TimeStamp time_stamp; > > +@@ -101,6 +103,7 @@ struct ssl_backend_data { > > + #ifdef HAS_MANUAL_VERIFY_API > > + bool use_manual_cred_validation; /* true if manual cred > > validation is used */ > > + #endif > > ++ ALG_ID algIds[NUMOF_CIPHERS]; > > + }; > > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */ > > + > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes- > > support/curl/curl_7.69.1.bb > > index ea36c0bd3d..384719dd15 100644 > > --- a/meta/recipes-support/curl/curl_7.69.1.bb > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > > @@ -19,6 +19,7 @@ SRC_URI = > > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > > file://CVE-2020-8286.patch \ > > file://CVE-2021-22876.patch \ > > file://CVE-2021-22890.patch \ > > + file://CVE-2021-22897.patch \ > > file://CVE-2021-22898.patch \ > > file://CVE-2021-22924.patch \ > > file://CVE-2021-22925.patch \ >
Hello Steve, - patch - I'm fine with explanation - Cert error - for example here: https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-dunfell.txt Regards, Andrej On Fri, 2023-03-10 at 04:40 -1000, Steve Sakoman wrote: > On Fri, Mar 10, 2023 at 3:09 AM Valek, Andrej > <andrej.valek@siemens.com> wrote: > > > > Hello again, > > > > Looks like that this patch showed some isses/open points: > > - CVE-2021-22897 is white-listed already, but in hardknott is fixed > > already > > https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > - So do we have to ignore the patch, or apply and remove the > > whitelist, or remove patch from hardknott? > > Hardknott is no longer being maintained, so nothing needs to be done > there. > > Since this is a Windows only bug ("It can only trigger when Schannel > is used, which is the native TLS library in Microsoft Windows") I > think the existing whitelist is fine and we don't need this > additional > patch. > > > - Https certificate at yocto.io has been expired ;) > > Can you give me the url which is giving the expired certificate > error? > > Thanks! > > Steve > > > Regards, > > Andrej > > > > On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote: > > > https://curl.se/docs/CVE-2021-22897.html > > > > > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > > > --- > > > .../curl/curl/CVE-2021-22897.patch | 73 > > > +++++++++++++++++++ > > > meta/recipes-support/curl/curl_7.69.1.bb | 1 + > > > 2 files changed, 74 insertions(+) > > > create mode 100644 meta/recipes-support/curl/curl/CVE-2021- > > > 22897.patch > > > > > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > > new file mode 100644 > > > index 0000000000..cbd6c067ce > > > --- /dev/null > > > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > > @@ -0,0 +1,73 @@ > > > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 > > > 00:00:00 > > > 2001 > > > +From: Daniel Stenberg <daniel@haxx.se> > > > +Date: Fri, 23 Apr 2021 10:54:10 +0200 > > > +Subject: [PATCH] schannel: don't use static to store selected > > > ciphers > > > + > > > +CVE-2021-22897 > > > + > > > +Bug: https://curl.se/docs/CVE-2021-22897.html > > > + > > > +Upstream-Status: Backport > > > +[ > > > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3 > > > 2834511] > > > + > > > +CVE: CVE-2021-22897 > > > + > > > +Signed-off-by: Daniel Stenberg <daniel@haxx.se> > > > +Signed-off-by: Khairul Rohaizzat Jamaluddin > > > <khairul.rohaizzat.jamaluddin@intel.com> > > > +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > > > +--- > > > + lib/vtls/schannel.c | 9 +++++---- > > > + lib/vtls/schannel.h | 3 +++ > > > + 2 files changed, 8 insertions(+), 4 deletions(-) > > > + > > > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c > > > +index 8c25ac5dd5a5..dba7072273a9 100644 > > > +--- a/lib/vtls/schannel.c > > > ++++ b/lib/vtls/schannel.c > > > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name) > > > + } > > > + > > > + static CURLcode > > > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) > > > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, > > > ++ int *algIds) > > > + { > > > + char *startCur = ciphers; > > > + int algCount = 0; > > > +- static ALG_ID algIds[45]; /*There are 45 listed in the MS > > > headers*/ > > > +- while(startCur && (0 != *startCur) && (algCount < 45)) { > > > ++ while(startCur && (0 != *startCur) && (algCount < > > > NUMOF_CIPHERS)) > > > { > > > + long alg = strtol(startCur, 0, 0); > > > + if(!alg) > > > + alg = get_alg_id_by_name(startCur); > > > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat > > > + } > > > + > > > + if(SSL_CONN_CONFIG(cipher_list)) { > > > +- result = set_ssl_ciphers(&schannel_cred, > > > SSL_CONN_CONFIG(cipher_list)); > > > ++ result = set_ssl_ciphers(&schannel_cred, > > > SSL_CONN_CONFIG(cipher_list), > > > ++ BACKEND->algIds); > > > + if(CURLE_OK != result) { > > > + failf(data, "Unable to set ciphers to passed via > > > SSL_CONN_CONFIG"); > > > + return result; > > > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h > > > +index 2952caa1a5a1..77853aa30f96 100644 > > > +--- a/lib/vtls/schannel.h > > > ++++ b/lib/vtls/schannel.h > > > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct > > > + #endif > > > + #endif > > > + > > > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS > > > headers > > > */ > > > ++ > > > + struct curl_schannel_cred { > > > + CredHandle cred_handle; > > > + TimeStamp time_stamp; > > > +@@ -101,6 +103,7 @@ struct ssl_backend_data { > > > + #ifdef HAS_MANUAL_VERIFY_API > > > + bool use_manual_cred_validation; /* true if manual cred > > > validation is used */ > > > + #endif > > > ++ ALG_ID algIds[NUMOF_CIPHERS]; > > > + }; > > > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */ > > > + > > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb > > > b/meta/recipes- > > > support/curl/curl_7.69.1.bb > > > index ea36c0bd3d..384719dd15 100644 > > > --- a/meta/recipes-support/curl/curl_7.69.1.bb > > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > > > @@ -19,6 +19,7 @@ SRC_URI = > > > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > > > file://CVE-2020-8286.patch \ > > > file://CVE-2021-22876.patch \ > > > file://CVE-2021-22890.patch \ > > > + file://CVE-2021-22897.patch \ > > > file://CVE-2021-22898.patch \ > > > file://CVE-2021-22924.patch \ > > > file://CVE-2021-22925.patch \ > >
On Fri, Mar 10, 2023 at 4:49 AM Valek, Andrej <andrej.valek@siemens.com> wrote: > > Hello Steve, > > - patch > - I'm fine with explanation > - Cert error > - for example here: > https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-dunfell.txt Thanks, I opened a ticket with the infrastructure support team. Steve > On Fri, 2023-03-10 at 04:40 -1000, Steve Sakoman wrote: > > On Fri, Mar 10, 2023 at 3:09 AM Valek, Andrej > > <andrej.valek@siemens.com> wrote: > > > > > > Hello again, > > > > > > Looks like that this patch showed some isses/open points: > > > - CVE-2021-22897 is white-listed already, but in hardknott is fixed > > > already > > > https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > > - So do we have to ignore the patch, or apply and remove the > > > whitelist, or remove patch from hardknott? > > > > Hardknott is no longer being maintained, so nothing needs to be done > > there. > > > > Since this is a Windows only bug ("It can only trigger when Schannel > > is used, which is the native TLS library in Microsoft Windows") I > > think the existing whitelist is fine and we don't need this > > additional > > patch. > > > > > - Https certificate at yocto.io has been expired ;) > > > > Can you give me the url which is giving the expired certificate > > error? > > > > Thanks! > > > > Steve > > > > > Regards, > > > Andrej > > > > > > On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote: > > > > https://curl.se/docs/CVE-2021-22897.html > > > > > > > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > > > > --- > > > > .../curl/curl/CVE-2021-22897.patch | 73 > > > > +++++++++++++++++++ > > > > meta/recipes-support/curl/curl_7.69.1.bb | 1 + > > > > 2 files changed, 74 insertions(+) > > > > create mode 100644 meta/recipes-support/curl/curl/CVE-2021- > > > > 22897.patch > > > > > > > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > > > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > > > new file mode 100644 > > > > index 0000000000..cbd6c067ce > > > > --- /dev/null > > > > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch > > > > @@ -0,0 +1,73 @@ > > > > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 > > > > 00:00:00 > > > > 2001 > > > > +From: Daniel Stenberg <daniel@haxx.se> > > > > +Date: Fri, 23 Apr 2021 10:54:10 +0200 > > > > +Subject: [PATCH] schannel: don't use static to store selected > > > > ciphers > > > > + > > > > +CVE-2021-22897 > > > > + > > > > +Bug: https://curl.se/docs/CVE-2021-22897.html > > > > + > > > > +Upstream-Status: Backport > > > > +[ > > > > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3 > > > > 2834511] > > > > + > > > > +CVE: CVE-2021-22897 > > > > + > > > > +Signed-off-by: Daniel Stenberg <daniel@haxx.se> > > > > +Signed-off-by: Khairul Rohaizzat Jamaluddin > > > > <khairul.rohaizzat.jamaluddin@intel.com> > > > > +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> > > > > +--- > > > > + lib/vtls/schannel.c | 9 +++++---- > > > > + lib/vtls/schannel.h | 3 +++ > > > > + 2 files changed, 8 insertions(+), 4 deletions(-) > > > > + > > > > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c > > > > +index 8c25ac5dd5a5..dba7072273a9 100644 > > > > +--- a/lib/vtls/schannel.c > > > > ++++ b/lib/vtls/schannel.c > > > > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name) > > > > + } > > > > + > > > > + static CURLcode > > > > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) > > > > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, > > > > ++ int *algIds) > > > > + { > > > > + char *startCur = ciphers; > > > > + int algCount = 0; > > > > +- static ALG_ID algIds[45]; /*There are 45 listed in the MS > > > > headers*/ > > > > +- while(startCur && (0 != *startCur) && (algCount < 45)) { > > > > ++ while(startCur && (0 != *startCur) && (algCount < > > > > NUMOF_CIPHERS)) > > > > { > > > > + long alg = strtol(startCur, 0, 0); > > > > + if(!alg) > > > > + alg = get_alg_id_by_name(startCur); > > > > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat > > > > + } > > > > + > > > > + if(SSL_CONN_CONFIG(cipher_list)) { > > > > +- result = set_ssl_ciphers(&schannel_cred, > > > > SSL_CONN_CONFIG(cipher_list)); > > > > ++ result = set_ssl_ciphers(&schannel_cred, > > > > SSL_CONN_CONFIG(cipher_list), > > > > ++ BACKEND->algIds); > > > > + if(CURLE_OK != result) { > > > > + failf(data, "Unable to set ciphers to passed via > > > > SSL_CONN_CONFIG"); > > > > + return result; > > > > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h > > > > +index 2952caa1a5a1..77853aa30f96 100644 > > > > +--- a/lib/vtls/schannel.h > > > > ++++ b/lib/vtls/schannel.h > > > > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct > > > > + #endif > > > > + #endif > > > > + > > > > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS > > > > headers > > > > */ > > > > ++ > > > > + struct curl_schannel_cred { > > > > + CredHandle cred_handle; > > > > + TimeStamp time_stamp; > > > > +@@ -101,6 +103,7 @@ struct ssl_backend_data { > > > > + #ifdef HAS_MANUAL_VERIFY_API > > > > + bool use_manual_cred_validation; /* true if manual cred > > > > validation is used */ > > > > + #endif > > > > ++ ALG_ID algIds[NUMOF_CIPHERS]; > > > > + }; > > > > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */ > > > > + > > > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb > > > > b/meta/recipes- > > > > support/curl/curl_7.69.1.bb > > > > index ea36c0bd3d..384719dd15 100644 > > > > --- a/meta/recipes-support/curl/curl_7.69.1.bb > > > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb > > > > @@ -19,6 +19,7 @@ SRC_URI = > > > > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ > > > > file://CVE-2020-8286.patch \ > > > > file://CVE-2021-22876.patch \ > > > > file://CVE-2021-22890.patch \ > > > > + file://CVE-2021-22897.patch \ > > > > file://CVE-2021-22898.patch \ > > > > file://CVE-2021-22924.patch \ > > > > file://CVE-2021-22925.patch \ > > > >
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch b/meta/recipes-support/curl/curl/CVE-2021-22897.patch new file mode 100644 index 0000000000..cbd6c067ce --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch @@ -0,0 +1,73 @@ +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 23 Apr 2021 10:54:10 +0200 +Subject: [PATCH] schannel: don't use static to store selected ciphers + +CVE-2021-22897 + +Bug: https://curl.se/docs/CVE-2021-22897.html + +Upstream-Status: Backport +[https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511] + +CVE: CVE-2021-22897 + +Signed-off-by: Daniel Stenberg <daniel@haxx.se> +Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> +--- + lib/vtls/schannel.c | 9 +++++---- + lib/vtls/schannel.h | 3 +++ + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index 8c25ac5dd5a5..dba7072273a9 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name) + } + + static CURLcode +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers) ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers, ++ int *algIds) + { + char *startCur = ciphers; + int algCount = 0; +- static ALG_ID algIds[45]; /*There are 45 listed in the MS headers*/ +- while(startCur && (0 != *startCur) && (algCount < 45)) { ++ while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS)) { + long alg = strtol(startCur, 0, 0); + if(!alg) + alg = get_alg_id_by_name(startCur); +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat + } + + if(SSL_CONN_CONFIG(cipher_list)) { +- result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list)); ++ result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list), ++ BACKEND->algIds); + if(CURLE_OK != result) { + failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG"); + return result; +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h +index 2952caa1a5a1..77853aa30f96 100644 +--- a/lib/vtls/schannel.h ++++ b/lib/vtls/schannel.h +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct + #endif + #endif + ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers */ ++ + struct curl_schannel_cred { + CredHandle cred_handle; + TimeStamp time_stamp; +@@ -101,6 +103,7 @@ struct ssl_backend_data { + #ifdef HAS_MANUAL_VERIFY_API + bool use_manual_cred_validation; /* true if manual cred validation is used */ + #endif ++ ALG_ID algIds[NUMOF_CIPHERS]; + }; + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */ + diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index ea36c0bd3d..384719dd15 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb @@ -19,6 +19,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2020-8286.patch \ file://CVE-2021-22876.patch \ file://CVE-2021-22890.patch \ + file://CVE-2021-22897.patch \ file://CVE-2021-22898.patch \ file://CVE-2021-22924.patch \ file://CVE-2021-22925.patch \
https://curl.se/docs/CVE-2021-22897.html Signed-off-by: Andrej Valek <andrej.valek@siemens.com> --- .../curl/curl/CVE-2021-22897.patch | 73 +++++++++++++++++++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22897.patch