[source] curl: fix CVE-2017-2629 SSL_VERIFYSTATUS ignored

LEDE Commits lede-commits at lists.infradead.org
Mon Mar 13 15:01:12 PDT 2017


hauke pushed a commit to source.git, branch lede-17.01:
https://git.lede-project.org/111cf1b9f37b902dbc4ac2934f38ee6418600f69

commit 111cf1b9f37b902dbc4ac2934f38ee6418600f69
Author: Hauke Mehrtens <hauke at hauke-m.de>
AuthorDate: Mon Mar 13 22:51:20 2017 +0100

    curl: fix CVE-2017-2629 SSL_VERIFYSTATUS ignored
    
    This fixes the following security problem:
    https://curl.haxx.se/docs/adv_20170222.html
    
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 package/network/utils/curl/Makefile                |  2 +-
 .../curl/patches/001-curl-https-openssl-fix.patch  |  6 ++--
 .../utils/curl/patches/100-CVE-2017-2629.patch     | 33 ++++++++++++++++++++++
 3 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile
index 950044a..68558a9 100644
--- a/package/network/utils/curl/Makefile
+++ b/package/network/utils/curl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=curl
 PKG_VERSION:=7.52.1
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://curl.haxx.se/download/ \
diff --git a/package/network/utils/curl/patches/001-curl-https-openssl-fix.patch b/package/network/utils/curl/patches/001-curl-https-openssl-fix.patch
index 259f618..9658ef5 100644
--- a/package/network/utils/curl/patches/001-curl-https-openssl-fix.patch
+++ b/package/network/utils/curl/patches/001-curl-https-openssl-fix.patch
@@ -12,11 +12,9 @@ Bug: #1174
  lib/vtls/vtls.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index b808e1c..707f24b 100644
 --- a/lib/vtls/vtls.c
 +++ b/lib/vtls/vtls.c
-@@ -484,7 +484,7 @@ void Curl_ssl_close_all(struct Curl_easy *data)
+@@ -484,7 +484,7 @@ void Curl_ssl_close_all(struct Curl_easy
    curlssl_close_all(data);
  }
  
@@ -25,7 +23,7 @@ index b808e1c..707f24b 100644
      defined(USE_DARWINSSL) || defined(USE_NSS)
  /* This function is for OpenSSL, GnuTLS, darwinssl, and schannel only. */
  int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks,
-@@ -518,7 +518,7 @@ int Curl_ssl_getsock(struct connectdata *conn,
+@@ -518,7 +518,7 @@ int Curl_ssl_getsock(struct connectdata
    (void)numsocks;
    return GETSOCK_BLANK;
  }
diff --git a/package/network/utils/curl/patches/100-CVE-2017-2629.patch b/package/network/utils/curl/patches/100-CVE-2017-2629.patch
new file mode 100644
index 0000000..f2cd869
--- /dev/null
+++ b/package/network/utils/curl/patches/100-CVE-2017-2629.patch
@@ -0,0 +1,33 @@
+From a00a42b4abe8363a46071bb3b43b1b7138f5259b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Sun, 22 Jan 2017 18:11:55 +0100
+Subject: [PATCH] TLS: make SSL_VERIFYSTATUS work again
+
+The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
+and thus even if the status couldn't be verified, the connection would
+be allowed and the user would not be told about the failed verification.
+
+Regression since cb4e2be7c6d42ca
+
+CVE-2017-2629
+Bug: https://curl.haxx.se/docs/adv_20170222.html
+
+Reported-by: Marcus Hoffmann
+---
+ lib/url.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -4141,8 +4141,11 @@ static struct connectdata *allocate_conn
+   conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
+   conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
+ 
++  conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
+   conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
+   conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
++  conn->proxy_ssl_config.verifystatus =
++    data->set.proxy_ssl.primary.verifystatus;
+   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
+   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
+ 



More information about the lede-commits mailing list