curl: fix CVE-2017-2629 SSL_VERIFYSTATUS ignored

This fixes the following security problem:
https://curl.haxx.se/docs/adv_20170222.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
lede-17.01
Hauke Mehrtens 2017-03-13 22:51:20 +01:00
parent c4ed92ae7d
commit 111cf1b9f3
3 changed files with 36 additions and 5 deletions

View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=curl
PKG_VERSION:=7.52.1
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://curl.haxx.se/download/ \

View File

@ -12,11 +12,9 @@ Bug: #1174
lib/vtls/vtls.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index b808e1c..707f24b 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -484,7 +484,7 @@ void Curl_ssl_close_all(struct Curl_easy *data)
@@ -484,7 +484,7 @@ void Curl_ssl_close_all(struct Curl_easy
curlssl_close_all(data);
}
@ -25,7 +23,7 @@ index b808e1c..707f24b 100644
defined(USE_DARWINSSL) || defined(USE_NSS)
/* This function is for OpenSSL, GnuTLS, darwinssl, and schannel only. */
int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks,
@@ -518,7 +518,7 @@ int Curl_ssl_getsock(struct connectdata *conn,
@@ -518,7 +518,7 @@ int Curl_ssl_getsock(struct connectdata
(void)numsocks;
return GETSOCK_BLANK;
}

View File

@ -0,0 +1,33 @@
From a00a42b4abe8363a46071bb3b43b1b7138f5259b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 22 Jan 2017 18:11:55 +0100
Subject: [PATCH] TLS: make SSL_VERIFYSTATUS work again
The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
and thus even if the status couldn't be verified, the connection would
be allowed and the user would not be told about the failed verification.
Regression since cb4e2be7c6d42ca
CVE-2017-2629
Bug: https://curl.haxx.se/docs/adv_20170222.html
Reported-by: Marcus Hoffmann
---
lib/url.c | 3 +++
1 file changed, 3 insertions(+)
--- a/lib/url.c
+++ b/lib/url.c
@@ -4141,8 +4141,11 @@ static struct connectdata *allocate_conn
conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
+ conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
+ conn->proxy_ssl_config.verifystatus =
+ data->set.proxy_ssl.primary.verifystatus;
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;