* curl
@ 2023-03-09 15:15 Valek, Andrej
2023-03-09 15:24 ` curl Steve Sakoman
0 siblings, 1 reply; 13+ messages in thread
From: Valek, Andrej @ 2023-03-09 15:15 UTC (permalink / raw)
To: steve; +Cc: openembedded-core
Hello Steve,
I have a question about curl. Would it be possible to backport some
fixes for CVEs from kirkstone to dunfell?
CVE-2022-32221
CVE-2022-42915
CVE-2022-42916
CVE-2022-43552
CVE-2022-43551
Thank you,
Andrej
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: curl
2023-03-09 15:15 curl Valek, Andrej
@ 2023-03-09 15:24 ` Steve Sakoman
2023-03-10 9:54 ` [OE-core][dunfell][PATCH 1/2] curl: Fix CVE CVE-2022-43552 Andrej Valek
2023-03-10 12:45 ` [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897 Andrej Valek
0 siblings, 2 replies; 13+ messages in thread
From: Steve Sakoman @ 2023-03-09 15:24 UTC (permalink / raw)
To: Valek, Andrej; +Cc: openembedded-core
On Thu, Mar 9, 2023 at 5:15 AM Valek, Andrej <andrej.valek@siemens.com> wrote:
> I have a question about curl. Would it be possible to backport some
> fixes for CVEs from kirkstone to dunfell?
The curl versions in kirkstone and dunfell are different, so a direct
cherry-pick of those patches may or may not work.
If you could test cherry-picking them and then submit the patches to
the list (with your Signed-off-by added) I would be happy to take them
:-)
Steve
^ permalink raw reply [flat|nested] 13+ messages in thread
* [OE-core][dunfell][PATCH 1/2] curl: Fix CVE CVE-2022-43552
2023-03-09 15:24 ` curl Steve Sakoman
@ 2023-03-10 9:54 ` Andrej Valek
2023-03-10 9:54 ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-03-10 12:45 ` [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897 Andrej Valek
1 sibling, 1 reply; 13+ messages in thread
From: Andrej Valek @ 2023-03-10 9:54 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
https://curl.se/docs/CVE-2022-43552.html
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../curl/curl/CVE-2022-43552.patch | 79 +++++++++++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
2 files changed, 80 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-43552.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2022-43552.patch b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
new file mode 100644
index 0000000000..7dc7dfa5ae
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
@@ -0,0 +1,79 @@
+From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+
+CVE: CVE-2022-43552
+Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+---
+ lib/smb.c | 14 ++------------
+ lib/telnet.c | 3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 2cfe041dff072..48d5a2fe006d5 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -61,8 +61,6 @@ static CURLcode smb_connect(struct conne
+ static CURLcode smb_connection_state(struct connectdata *conn, bool *done);
+ static CURLcode smb_do(struct connectdata *conn, bool *done);
+ static CURLcode smb_request_state(struct connectdata *conn, bool *done);
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature);
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead);
+ static int smb_getsock(struct connectdata *conn, curl_socket_t *socks);
+ static CURLcode smb_parse_url_path(struct connectdata *conn);
+@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_s
+ "SMB", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -99,7 +97,7 @@ const struct Curl_handler Curl_handler_s
+ "SMBS", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -919,14 +917,6 @@ static CURLcode smb_request_state(struct
+ return CURLE_OK;
+ }
+
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature)
+-{
+- (void) premature;
+- Curl_safefree(conn->data->req.protop);
+- return status;
+-}
+-
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead)
+ {
+ struct smb_conn *smbc = &conn->proto.smbc;
+diff -Naurp curl-7.69.1.orig/lib/telnet.c curl-7.69.1/lib/telnet.c
+--- curl-7.69.1.orig/lib/telnet.c 2020-03-09 16:31:01.000000000 +0100
++++ curl-7.69.1/lib/telnet.c 2023-03-10 10:35:27.978378949 +0100
+@@ -1290,8 +1290,6 @@ static CURLcode telnet_done(struct conne
+ curl_slist_free_all(tn->telnet_vars);
+ tn->telnet_vars = NULL;
+
+- Curl_safefree(conn->data->req.protop);
+-
+ return CURLE_OK;
+ }
+
\ No newline at end of file
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 63faae6296..899daf8eac 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -41,6 +41,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2022-35252.patch \
file://CVE-2022-32221.patch \
file://CVE-2022-35260.patch \
+ file://CVE-2022-43552.patch \
"
SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
--
2.39.2
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551
2023-03-10 9:54 ` [OE-core][dunfell][PATCH 1/2] curl: Fix CVE CVE-2022-43552 Andrej Valek
@ 2023-03-10 9:54 ` Andrej Valek
2023-03-14 14:26 ` Steve Sakoman
[not found] ` <174C4F5C0F6A96A7.18998@lists.openembedded.org>
0 siblings, 2 replies; 13+ messages in thread
From: Andrej Valek @ 2023-03-10 9:54 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
All mentioned CVEs are related to HSTS check feature, which is not
implemented in version 7.69.1 .
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 899daf8eac..ea36c0bd3d 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229
# This CVE issue affects Windows only Hence whitelisting this CVE
CVE_CHECK_WHITELIST += "CVE-2021-22897"
+# HSTS check feature is not implemented
+CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
+
inherit autotools pkgconfig binconfig multilib_header
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
--
2.39.2
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897
2023-03-09 15:24 ` curl Steve Sakoman
2023-03-10 9:54 ` [OE-core][dunfell][PATCH 1/2] curl: Fix CVE CVE-2022-43552 Andrej Valek
@ 2023-03-10 12:45 ` Andrej Valek
2023-03-10 13:09 ` Valek, Andrej
1 sibling, 1 reply; 13+ messages in thread
From: Andrej Valek @ 2023-03-10 12:45 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
https://curl.se/docs/CVE-2021-22897.html
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../curl/curl/CVE-2021-22897.patch | 73 +++++++++++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
2 files changed, 74 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22897.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
new file mode 100644
index 0000000000..cbd6c067ce
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
@@ -0,0 +1,73 @@
+From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 23 Apr 2021 10:54:10 +0200
+Subject: [PATCH] schannel: don't use static to store selected ciphers
+
+CVE-2021-22897
+
+Bug: https://curl.se/docs/CVE-2021-22897.html
+
+Upstream-Status: Backport
+[https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511]
+
+CVE: CVE-2021-22897
+
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+---
+ lib/vtls/schannel.c | 9 +++++----
+ lib/vtls/schannel.h | 3 +++
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index 8c25ac5dd5a5..dba7072273a9 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
+ }
+
+ static CURLcode
+-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
++ int *algIds)
+ {
+ char *startCur = ciphers;
+ int algCount = 0;
+- static ALG_ID algIds[45]; /*There are 45 listed in the MS headers*/
+- while(startCur && (0 != *startCur) && (algCount < 45)) {
++ while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS)) {
+ long alg = strtol(startCur, 0, 0);
+ if(!alg)
+ alg = get_alg_id_by_name(startCur);
+@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
+ }
+
+ if(SSL_CONN_CONFIG(cipher_list)) {
+- result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list));
++ result = set_ssl_ciphers(&schannel_cred, SSL_CONN_CONFIG(cipher_list),
++ BACKEND->algIds);
+ if(CURLE_OK != result) {
+ failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG");
+ return result;
+diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
+index 2952caa1a5a1..77853aa30f96 100644
+--- a/lib/vtls/schannel.h
++++ b/lib/vtls/schannel.h
+@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
+ #endif
+ #endif
+
++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers */
++
+ struct curl_schannel_cred {
+ CredHandle cred_handle;
+ TimeStamp time_stamp;
+@@ -101,6 +103,7 @@ struct ssl_backend_data {
+ #ifdef HAS_MANUAL_VERIFY_API
+ bool use_manual_cred_validation; /* true if manual cred validation is used */
+ #endif
++ ALG_ID algIds[NUMOF_CIPHERS];
+ };
+ #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
+
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index ea36c0bd3d..384719dd15 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2020-8286.patch \
file://CVE-2021-22876.patch \
file://CVE-2021-22890.patch \
+ file://CVE-2021-22897.patch \
file://CVE-2021-22898.patch \
file://CVE-2021-22924.patch \
file://CVE-2021-22925.patch \
--
2.39.2
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897
2023-03-10 12:45 ` [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897 Andrej Valek
@ 2023-03-10 13:09 ` Valek, Andrej
2023-03-10 14:40 ` Steve Sakoman
0 siblings, 1 reply; 13+ messages in thread
From: Valek, Andrej @ 2023-03-10 13:09 UTC (permalink / raw)
To: openembedded-core; +Cc: steve
Hello again,
Looks like that this patch showed some isses/open points:
- CVE-2021-22897 is white-listed already, but in hardknott is fixed
already
https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch
- So do we have to ignore the patch, or apply and remove the
whitelist, or remove patch from hardknott?
- Https certificate at yocto.io has been expired ;)
Regards,
Andrej
On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote:
> https://curl.se/docs/CVE-2021-22897.html
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
> .../curl/curl/CVE-2021-22897.patch | 73
> +++++++++++++++++++
> meta/recipes-support/curl/curl_7.69.1.bb | 1 +
> 2 files changed, 74 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2021-
> 22897.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> new file mode 100644
> index 0000000000..cbd6c067ce
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> @@ -0,0 +1,73 @@
> +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00
> 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Fri, 23 Apr 2021 10:54:10 +0200
> +Subject: [PATCH] schannel: don't use static to store selected
> ciphers
> +
> +CVE-2021-22897
> +
> +Bug: https://curl.se/docs/CVE-2021-22897.html
> +
> +Upstream-Status: Backport
> +[
> https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3
> 2834511]
> +
> +CVE: CVE-2021-22897
> +
> +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> +Signed-off-by: Khairul Rohaizzat Jamaluddin
> <khairul.rohaizzat.jamaluddin@intel.com>
> +Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> +---
> + lib/vtls/schannel.c | 9 +++++----
> + lib/vtls/schannel.h | 3 +++
> + 2 files changed, 8 insertions(+), 4 deletions(-)
> +
> +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
> +index 8c25ac5dd5a5..dba7072273a9 100644
> +--- a/lib/vtls/schannel.c
> ++++ b/lib/vtls/schannel.c
> +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
> + }
> +
> + static CURLcode
> +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
> ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
> ++ int *algIds)
> + {
> + char *startCur = ciphers;
> + int algCount = 0;
> +- static ALG_ID algIds[45]; /*There are 45 listed in the MS
> headers*/
> +- while(startCur && (0 != *startCur) && (algCount < 45)) {
> ++ while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS))
> {
> + long alg = strtol(startCur, 0, 0);
> + if(!alg)
> + alg = get_alg_id_by_name(startCur);
> +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
> + }
> +
> + if(SSL_CONN_CONFIG(cipher_list)) {
> +- result = set_ssl_ciphers(&schannel_cred,
> SSL_CONN_CONFIG(cipher_list));
> ++ result = set_ssl_ciphers(&schannel_cred,
> SSL_CONN_CONFIG(cipher_list),
> ++ BACKEND->algIds);
> + if(CURLE_OK != result) {
> + failf(data, "Unable to set ciphers to passed via
> SSL_CONN_CONFIG");
> + return result;
> +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
> +index 2952caa1a5a1..77853aa30f96 100644
> +--- a/lib/vtls/schannel.h
> ++++ b/lib/vtls/schannel.h
> +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
> + #endif
> + #endif
> +
> ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers
> */
> ++
> + struct curl_schannel_cred {
> + CredHandle cred_handle;
> + TimeStamp time_stamp;
> +@@ -101,6 +103,7 @@ struct ssl_backend_data {
> + #ifdef HAS_MANUAL_VERIFY_API
> + bool use_manual_cred_validation; /* true if manual cred
> validation is used */
> + #endif
> ++ ALG_ID algIds[NUMOF_CIPHERS];
> + };
> + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
> +
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-
> support/curl/curl_7.69.1.bb
> index ea36c0bd3d..384719dd15 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -19,6 +19,7 @@ SRC_URI =
> "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
> file://CVE-2020-8286.patch \
> file://CVE-2021-22876.patch \
> file://CVE-2021-22890.patch \
> + file://CVE-2021-22897.patch \
> file://CVE-2021-22898.patch \
> file://CVE-2021-22924.patch \
> file://CVE-2021-22925.patch \
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897
2023-03-10 13:09 ` Valek, Andrej
@ 2023-03-10 14:40 ` Steve Sakoman
2023-03-10 14:49 ` Valek, Andrej
0 siblings, 1 reply; 13+ messages in thread
From: Steve Sakoman @ 2023-03-10 14:40 UTC (permalink / raw)
To: Valek, Andrej; +Cc: openembedded-core
On Fri, Mar 10, 2023 at 3:09 AM Valek, Andrej <andrej.valek@siemens.com> wrote:
>
> Hello again,
>
> Looks like that this patch showed some isses/open points:
> - CVE-2021-22897 is white-listed already, but in hardknott is fixed
> already
> https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> - So do we have to ignore the patch, or apply and remove the
> whitelist, or remove patch from hardknott?
Hardknott is no longer being maintained, so nothing needs to be done there.
Since this is a Windows only bug ("It can only trigger when Schannel
is used, which is the native TLS library in Microsoft Windows") I
think the existing whitelist is fine and we don't need this additional
patch.
> - Https certificate at yocto.io has been expired ;)
Can you give me the url which is giving the expired certificate error?
Thanks!
Steve
> Regards,
> Andrej
>
> On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote:
> > https://curl.se/docs/CVE-2021-22897.html
> >
> > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > ---
> > .../curl/curl/CVE-2021-22897.patch | 73
> > +++++++++++++++++++
> > meta/recipes-support/curl/curl_7.69.1.bb | 1 +
> > 2 files changed, 74 insertions(+)
> > create mode 100644 meta/recipes-support/curl/curl/CVE-2021-
> > 22897.patch
> >
> > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > new file mode 100644
> > index 0000000000..cbd6c067ce
> > --- /dev/null
> > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > @@ -0,0 +1,73 @@
> > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17 00:00:00
> > 2001
> > +From: Daniel Stenberg <daniel@haxx.se>
> > +Date: Fri, 23 Apr 2021 10:54:10 +0200
> > +Subject: [PATCH] schannel: don't use static to store selected
> > ciphers
> > +
> > +CVE-2021-22897
> > +
> > +Bug: https://curl.se/docs/CVE-2021-22897.html
> > +
> > +Upstream-Status: Backport
> > +[
> > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3
> > 2834511]
> > +
> > +CVE: CVE-2021-22897
> > +
> > +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> > +Signed-off-by: Khairul Rohaizzat Jamaluddin
> > <khairul.rohaizzat.jamaluddin@intel.com>
> > +Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > +---
> > + lib/vtls/schannel.c | 9 +++++----
> > + lib/vtls/schannel.h | 3 +++
> > + 2 files changed, 8 insertions(+), 4 deletions(-)
> > +
> > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
> > +index 8c25ac5dd5a5..dba7072273a9 100644
> > +--- a/lib/vtls/schannel.c
> > ++++ b/lib/vtls/schannel.c
> > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
> > + }
> > +
> > + static CURLcode
> > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
> > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
> > ++ int *algIds)
> > + {
> > + char *startCur = ciphers;
> > + int algCount = 0;
> > +- static ALG_ID algIds[45]; /*There are 45 listed in the MS
> > headers*/
> > +- while(startCur && (0 != *startCur) && (algCount < 45)) {
> > ++ while(startCur && (0 != *startCur) && (algCount < NUMOF_CIPHERS))
> > {
> > + long alg = strtol(startCur, 0, 0);
> > + if(!alg)
> > + alg = get_alg_id_by_name(startCur);
> > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
> > + }
> > +
> > + if(SSL_CONN_CONFIG(cipher_list)) {
> > +- result = set_ssl_ciphers(&schannel_cred,
> > SSL_CONN_CONFIG(cipher_list));
> > ++ result = set_ssl_ciphers(&schannel_cred,
> > SSL_CONN_CONFIG(cipher_list),
> > ++ BACKEND->algIds);
> > + if(CURLE_OK != result) {
> > + failf(data, "Unable to set ciphers to passed via
> > SSL_CONN_CONFIG");
> > + return result;
> > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
> > +index 2952caa1a5a1..77853aa30f96 100644
> > +--- a/lib/vtls/schannel.h
> > ++++ b/lib/vtls/schannel.h
> > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
> > + #endif
> > + #endif
> > +
> > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS headers
> > */
> > ++
> > + struct curl_schannel_cred {
> > + CredHandle cred_handle;
> > + TimeStamp time_stamp;
> > +@@ -101,6 +103,7 @@ struct ssl_backend_data {
> > + #ifdef HAS_MANUAL_VERIFY_API
> > + bool use_manual_cred_validation; /* true if manual cred
> > validation is used */
> > + #endif
> > ++ ALG_ID algIds[NUMOF_CIPHERS];
> > + };
> > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
> > +
> > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-
> > support/curl/curl_7.69.1.bb
> > index ea36c0bd3d..384719dd15 100644
> > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > @@ -19,6 +19,7 @@ SRC_URI =
> > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
> > file://CVE-2020-8286.patch \
> > file://CVE-2021-22876.patch \
> > file://CVE-2021-22890.patch \
> > + file://CVE-2021-22897.patch \
> > file://CVE-2021-22898.patch \
> > file://CVE-2021-22924.patch \
> > file://CVE-2021-22925.patch \
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897
2023-03-10 14:40 ` Steve Sakoman
@ 2023-03-10 14:49 ` Valek, Andrej
2023-03-10 14:56 ` Steve Sakoman
0 siblings, 1 reply; 13+ messages in thread
From: Valek, Andrej @ 2023-03-10 14:49 UTC (permalink / raw)
To: steve; +Cc: openembedded-core
Hello Steve,
- patch
- I'm fine with explanation
- Cert error
- for example here:
https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-dunfell.txt
Regards,
Andrej
On Fri, 2023-03-10 at 04:40 -1000, Steve Sakoman wrote:
> On Fri, Mar 10, 2023 at 3:09 AM Valek, Andrej
> <andrej.valek@siemens.com> wrote:
> >
> > Hello again,
> >
> > Looks like that this patch showed some isses/open points:
> > - CVE-2021-22897 is white-listed already, but in hardknott is fixed
> > already
> > https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > - So do we have to ignore the patch, or apply and remove the
> > whitelist, or remove patch from hardknott?
>
> Hardknott is no longer being maintained, so nothing needs to be done
> there.
>
> Since this is a Windows only bug ("It can only trigger when Schannel
> is used, which is the native TLS library in Microsoft Windows") I
> think the existing whitelist is fine and we don't need this
> additional
> patch.
>
> > - Https certificate at yocto.io has been expired ;)
>
> Can you give me the url which is giving the expired certificate
> error?
>
> Thanks!
>
> Steve
>
> > Regards,
> > Andrej
> >
> > On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote:
> > > https://curl.se/docs/CVE-2021-22897.html
> > >
> > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > ---
> > > .../curl/curl/CVE-2021-22897.patch | 73
> > > +++++++++++++++++++
> > > meta/recipes-support/curl/curl_7.69.1.bb | 1 +
> > > 2 files changed, 74 insertions(+)
> > > create mode 100644 meta/recipes-support/curl/curl/CVE-2021-
> > > 22897.patch
> > >
> > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > new file mode 100644
> > > index 0000000000..cbd6c067ce
> > > --- /dev/null
> > > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > @@ -0,0 +1,73 @@
> > > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17
> > > 00:00:00
> > > 2001
> > > +From: Daniel Stenberg <daniel@haxx.se>
> > > +Date: Fri, 23 Apr 2021 10:54:10 +0200
> > > +Subject: [PATCH] schannel: don't use static to store selected
> > > ciphers
> > > +
> > > +CVE-2021-22897
> > > +
> > > +Bug: https://curl.se/docs/CVE-2021-22897.html
> > > +
> > > +Upstream-Status: Backport
> > > +[
> > > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3
> > > 2834511]
> > > +
> > > +CVE: CVE-2021-22897
> > > +
> > > +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> > > +Signed-off-by: Khairul Rohaizzat Jamaluddin
> > > <khairul.rohaizzat.jamaluddin@intel.com>
> > > +Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > +---
> > > + lib/vtls/schannel.c | 9 +++++----
> > > + lib/vtls/schannel.h | 3 +++
> > > + 2 files changed, 8 insertions(+), 4 deletions(-)
> > > +
> > > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
> > > +index 8c25ac5dd5a5..dba7072273a9 100644
> > > +--- a/lib/vtls/schannel.c
> > > ++++ b/lib/vtls/schannel.c
> > > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
> > > + }
> > > +
> > > + static CURLcode
> > > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
> > > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
> > > ++ int *algIds)
> > > + {
> > > + char *startCur = ciphers;
> > > + int algCount = 0;
> > > +- static ALG_ID algIds[45]; /*There are 45 listed in the MS
> > > headers*/
> > > +- while(startCur && (0 != *startCur) && (algCount < 45)) {
> > > ++ while(startCur && (0 != *startCur) && (algCount <
> > > NUMOF_CIPHERS))
> > > {
> > > + long alg = strtol(startCur, 0, 0);
> > > + if(!alg)
> > > + alg = get_alg_id_by_name(startCur);
> > > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
> > > + }
> > > +
> > > + if(SSL_CONN_CONFIG(cipher_list)) {
> > > +- result = set_ssl_ciphers(&schannel_cred,
> > > SSL_CONN_CONFIG(cipher_list));
> > > ++ result = set_ssl_ciphers(&schannel_cred,
> > > SSL_CONN_CONFIG(cipher_list),
> > > ++ BACKEND->algIds);
> > > + if(CURLE_OK != result) {
> > > + failf(data, "Unable to set ciphers to passed via
> > > SSL_CONN_CONFIG");
> > > + return result;
> > > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
> > > +index 2952caa1a5a1..77853aa30f96 100644
> > > +--- a/lib/vtls/schannel.h
> > > ++++ b/lib/vtls/schannel.h
> > > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
> > > + #endif
> > > + #endif
> > > +
> > > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS
> > > headers
> > > */
> > > ++
> > > + struct curl_schannel_cred {
> > > + CredHandle cred_handle;
> > > + TimeStamp time_stamp;
> > > +@@ -101,6 +103,7 @@ struct ssl_backend_data {
> > > + #ifdef HAS_MANUAL_VERIFY_API
> > > + bool use_manual_cred_validation; /* true if manual cred
> > > validation is used */
> > > + #endif
> > > ++ ALG_ID algIds[NUMOF_CIPHERS];
> > > + };
> > > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
> > > +
> > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
> > > b/meta/recipes-
> > > support/curl/curl_7.69.1.bb
> > > index ea36c0bd3d..384719dd15 100644
> > > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > > @@ -19,6 +19,7 @@ SRC_URI =
> > > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
> > > file://CVE-2020-8286.patch \
> > > file://CVE-2021-22876.patch \
> > > file://CVE-2021-22890.patch \
> > > + file://CVE-2021-22897.patch \
> > > file://CVE-2021-22898.patch \
> > > file://CVE-2021-22924.patch \
> > > file://CVE-2021-22925.patch \
> >
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897
2023-03-10 14:49 ` Valek, Andrej
@ 2023-03-10 14:56 ` Steve Sakoman
0 siblings, 0 replies; 13+ messages in thread
From: Steve Sakoman @ 2023-03-10 14:56 UTC (permalink / raw)
To: Valek, Andrej; +Cc: openembedded-core
On Fri, Mar 10, 2023 at 4:49 AM Valek, Andrej <andrej.valek@siemens.com> wrote:
>
> Hello Steve,
>
> - patch
> - I'm fine with explanation
> - Cert error
> - for example here:
> https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-dunfell.txt
Thanks, I opened a ticket with the infrastructure support team.
Steve
> On Fri, 2023-03-10 at 04:40 -1000, Steve Sakoman wrote:
> > On Fri, Mar 10, 2023 at 3:09 AM Valek, Andrej
> > <andrej.valek@siemens.com> wrote:
> > >
> > > Hello again,
> > >
> > > Looks like that this patch showed some isses/open points:
> > > - CVE-2021-22897 is white-listed already, but in hardknott is fixed
> > > already
> > > https://github.com/openembedded/openembedded-core/blob/hardknott/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > - So do we have to ignore the patch, or apply and remove the
> > > whitelist, or remove patch from hardknott?
> >
> > Hardknott is no longer being maintained, so nothing needs to be done
> > there.
> >
> > Since this is a Windows only bug ("It can only trigger when Schannel
> > is used, which is the native TLS library in Microsoft Windows") I
> > think the existing whitelist is fine and we don't need this
> > additional
> > patch.
> >
> > > - Https certificate at yocto.io has been expired ;)
> >
> > Can you give me the url which is giving the expired certificate
> > error?
> >
> > Thanks!
> >
> > Steve
> >
> > > Regards,
> > > Andrej
> > >
> > > On Fri, 2023-03-10 at 13:45 +0100, Andrej Valek wrote:
> > > > https://curl.se/docs/CVE-2021-22897.html
> > > >
> > > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > > ---
> > > > .../curl/curl/CVE-2021-22897.patch | 73
> > > > +++++++++++++++++++
> > > > meta/recipes-support/curl/curl_7.69.1.bb | 1 +
> > > > 2 files changed, 74 insertions(+)
> > > > create mode 100644 meta/recipes-support/curl/curl/CVE-2021-
> > > > 22897.patch
> > > >
> > > > diff --git a/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > > b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > > new file mode 100644
> > > > index 0000000000..cbd6c067ce
> > > > --- /dev/null
> > > > +++ b/meta/recipes-support/curl/curl/CVE-2021-22897.patch
> > > > @@ -0,0 +1,73 @@
> > > > +From bbb71507b7bab52002f9b1e0880bed6a32834511 Mon Sep 17
> > > > 00:00:00
> > > > 2001
> > > > +From: Daniel Stenberg <daniel@haxx.se>
> > > > +Date: Fri, 23 Apr 2021 10:54:10 +0200
> > > > +Subject: [PATCH] schannel: don't use static to store selected
> > > > ciphers
> > > > +
> > > > +CVE-2021-22897
> > > > +
> > > > +Bug: https://curl.se/docs/CVE-2021-22897.html
> > > > +
> > > > +Upstream-Status: Backport
> > > > +[
> > > > https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a3
> > > > 2834511]
> > > > +
> > > > +CVE: CVE-2021-22897
> > > > +
> > > > +Signed-off-by: Daniel Stenberg <daniel@haxx.se>
> > > > +Signed-off-by: Khairul Rohaizzat Jamaluddin
> > > > <khairul.rohaizzat.jamaluddin@intel.com>
> > > > +Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > > +---
> > > > + lib/vtls/schannel.c | 9 +++++----
> > > > + lib/vtls/schannel.h | 3 +++
> > > > + 2 files changed, 8 insertions(+), 4 deletions(-)
> > > > +
> > > > +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
> > > > +index 8c25ac5dd5a5..dba7072273a9 100644
> > > > +--- a/lib/vtls/schannel.c
> > > > ++++ b/lib/vtls/schannel.c
> > > > +@@ -322,12 +322,12 @@ get_alg_id_by_name(char *name)
> > > > + }
> > > > +
> > > > + static CURLcode
> > > > +-set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers)
> > > > ++set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
> > > > ++ int *algIds)
> > > > + {
> > > > + char *startCur = ciphers;
> > > > + int algCount = 0;
> > > > +- static ALG_ID algIds[45]; /*There are 45 listed in the MS
> > > > headers*/
> > > > +- while(startCur && (0 != *startCur) && (algCount < 45)) {
> > > > ++ while(startCur && (0 != *startCur) && (algCount <
> > > > NUMOF_CIPHERS))
> > > > {
> > > > + long alg = strtol(startCur, 0, 0);
> > > > + if(!alg)
> > > > + alg = get_alg_id_by_name(startCur);
> > > > +@@ -566,7 +566,8 @@ schannel_connect_step1(struct connectdat
> > > > + }
> > > > +
> > > > + if(SSL_CONN_CONFIG(cipher_list)) {
> > > > +- result = set_ssl_ciphers(&schannel_cred,
> > > > SSL_CONN_CONFIG(cipher_list));
> > > > ++ result = set_ssl_ciphers(&schannel_cred,
> > > > SSL_CONN_CONFIG(cipher_list),
> > > > ++ BACKEND->algIds);
> > > > + if(CURLE_OK != result) {
> > > > + failf(data, "Unable to set ciphers to passed via
> > > > SSL_CONN_CONFIG");
> > > > + return result;
> > > > +diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
> > > > +index 2952caa1a5a1..77853aa30f96 100644
> > > > +--- a/lib/vtls/schannel.h
> > > > ++++ b/lib/vtls/schannel.h
> > > > +@@ -70,6 +70,8 @@ CURLcode Curl_verify_certificate(struct
> > > > + #endif
> > > > + #endif
> > > > +
> > > > ++#define NUMOF_CIPHERS 45 /* There are 45 listed in the MS
> > > > headers
> > > > */
> > > > ++
> > > > + struct curl_schannel_cred {
> > > > + CredHandle cred_handle;
> > > > + TimeStamp time_stamp;
> > > > +@@ -101,6 +103,7 @@ struct ssl_backend_data {
> > > > + #ifdef HAS_MANUAL_VERIFY_API
> > > > + bool use_manual_cred_validation; /* true if manual cred
> > > > validation is used */
> > > > + #endif
> > > > ++ ALG_ID algIds[NUMOF_CIPHERS];
> > > > + };
> > > > + #endif /* EXPOSE_SCHANNEL_INTERNAL_STRUCTS */
> > > > +
> > > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
> > > > b/meta/recipes-
> > > > support/curl/curl_7.69.1.bb
> > > > index ea36c0bd3d..384719dd15 100644
> > > > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > > > @@ -19,6 +19,7 @@ SRC_URI =
> > > > "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
> > > > file://CVE-2020-8286.patch \
> > > > file://CVE-2021-22876.patch \
> > > > file://CVE-2021-22890.patch \
> > > > + file://CVE-2021-22897.patch \
> > > > file://CVE-2021-22898.patch \
> > > > file://CVE-2021-22924.patch \
> > > > file://CVE-2021-22925.patch \
> > >
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551
2023-03-10 9:54 ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
@ 2023-03-14 14:26 ` Steve Sakoman
[not found] ` <174C4F5C0F6A96A7.18998@lists.openembedded.org>
1 sibling, 0 replies; 13+ messages in thread
From: Steve Sakoman @ 2023-03-14 14:26 UTC (permalink / raw)
To: Andrej Valek; +Cc: openembedded-core
On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek <andrej.valek@siemens.com> wrote:
>
> All mentioned CVEs are related to HSTS check feature, which is not
> implemented in version 7.69.1 .
Is this due to an error in the CPE database? If so, perhaps the
better approach would be to send a version correction request to
cpe_dictionary@nist.gov
Steve
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
> meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
> index 899daf8eac..ea36c0bd3d 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229
> # This CVE issue affects Windows only Hence whitelisting this CVE
> CVE_CHECK_WHITELIST += "CVE-2021-22897"
>
> +# HSTS check feature is not implemented
> +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
> +
> inherit autotools pkgconfig binconfig multilib_header
>
> PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
> --
> 2.39.2
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#178321): https://lists.openembedded.org/g/openembedded-core/message/178321
> Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551
[not found] ` <174C4F5C0F6A96A7.18998@lists.openembedded.org>
@ 2023-03-14 14:39 ` Steve Sakoman
2023-03-14 15:07 ` Valek, Andrej
0 siblings, 1 reply; 13+ messages in thread
From: Steve Sakoman @ 2023-03-14 14:39 UTC (permalink / raw)
To: steve; +Cc: Andrej Valek, openembedded-core
On Tue, Mar 14, 2023 at 4:26 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek <andrej.valek@siemens.com> wrote:
> >
> > All mentioned CVEs are related to HSTS check feature, which is not
> > implemented in version 7.69.1 .
>
> Is this due to an error in the CPE database? If so, perhaps the
> better approach would be to send a version correction request to
> cpe_dictionary@nist.gov
Hmmm . . . looking at the most recent dunfell CVE report I see that
only CVE-2022-42916 is listed.
The CPE database indicates the issue is present for versions 7.57.0
onwards up to but not including 7.88.0
Steve
> > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > ---
> > meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
> > index 899daf8eac..ea36c0bd3d 100644
> > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229
> > # This CVE issue affects Windows only Hence whitelisting this CVE
> > CVE_CHECK_WHITELIST += "CVE-2021-22897"
> >
> > +# HSTS check feature is not implemented
> > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
> > +
> > inherit autotools pkgconfig binconfig multilib_header
> >
> > PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
> > --
> > 2.39.2
> >
> >
> >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#178493): https://lists.openembedded.org/g/openembedded-core/message/178493
> Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551
2023-03-14 14:39 ` Steve Sakoman
@ 2023-03-14 15:07 ` Valek, Andrej
2023-03-14 15:09 ` Steve Sakoman
0 siblings, 1 reply; 13+ messages in thread
From: Valek, Andrej @ 2023-03-14 15:07 UTC (permalink / raw)
To: steve; +Cc: openembedded-core
Hello Steve,
Ok, looks like I received a wrong notification, sorry. So you can keep
there only the 42916.
Basically all the HSTS check features are not implemented in the 7.69.1
version.
Regards,
Andrej
On Tue, 2023-03-14 at 04:39 -1000, Steve Sakoman wrote:
> On Tue, Mar 14, 2023 at 4:26 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > On Thu, Mar 9, 2023 at 11:54 PM Andrej Valek
> > <andrej.valek@siemens.com> wrote:
> > >
> > > All mentioned CVEs are related to HSTS check feature, which is
> > > not
> > > implemented in version 7.69.1 .
> >
> > Is this due to an error in the CPE database? If so, perhaps the
> > better approach would be to send a version correction request to
> > cpe_dictionary@nist.gov
>
> Hmmm . . . looking at the most recent dunfell CVE report I see that
> only CVE-2022-42916 is listed.
>
> The CPE database indicates the issue is present for versions 7.57.0
> onwards up to but not including 7.88.0
>
> Steve
>
>
> > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > ---
> > > meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
> > > b/meta/recipes-support/curl/curl_7.69.1.bb
> > > index 899daf8eac..ea36c0bd3d 100644
> > > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-
> > > 22923 CVE-2021-22926 CVE-2021-229
> > > # This CVE issue affects Windows only Hence whitelisting this
> > > CVE
> > > CVE_CHECK_WHITELIST += "CVE-2021-22897"
> > >
> > > +# HSTS check feature is not implemented
> > > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-
> > > 43551"
> > > +
> > > inherit autotools pkgconfig binconfig multilib_header
> > >
> > > PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6',
> > > d)} gnutls libidn proxy threaded-resolver verbose zlib"
> > > --
> > > 2.39.2
> > >
> > >
> > >
> > >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#178493):
> > https://lists.openembedded.org/g/openembedded-core/message/178493
> > Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe:
> > https://lists.openembedded.org/g/openembedded-core/unsub [
> > steve@sakoman.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551
2023-03-14 15:07 ` Valek, Andrej
@ 2023-03-14 15:09 ` Steve Sakoman
0 siblings, 0 replies; 13+ messages in thread
From: Steve Sakoman @ 2023-03-14 15:09 UTC (permalink / raw)
To: Valek, Andrej; +Cc: openembedded-core
On Tue, Mar 14, 2023 at 5:07 AM Valek, Andrej <andrej.valek@siemens.com> wrote:
>
> Hello Steve,
>
> Ok, looks like I received a wrong notification, sorry. So you can keep
> there only the 42916.
> Basically all the HSTS check features are not implemented in the 7.69.1
> version.
I still have the same comment on how we should handle this issue:
> > > Is this due to an error in the CPE database? If so, perhaps the
> > > better approach would be to send a version correction request to
> > > cpe_dictionary@nist.gov
Steve
> > > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > > ---
> > > > meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> > > > 1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/meta/recipes-support/curl/curl_7.69.1.bb
> > > > b/meta/recipes-support/curl/curl_7.69.1.bb
> > > > index 899daf8eac..ea36c0bd3d 100644
> > > > --- a/meta/recipes-support/curl/curl_7.69.1.bb
> > > > +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> > > > @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-
> > > > 22923 CVE-2021-22926 CVE-2021-229
> > > > # This CVE issue affects Windows only Hence whitelisting this
> > > > CVE
> > > > CVE_CHECK_WHITELIST += "CVE-2021-22897"
> > > >
> > > > +# HSTS check feature is not implemented
> > > > +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-
> > > > 43551"
> > > > +
> > > > inherit autotools pkgconfig binconfig multilib_header
> > > >
> > > > PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6',
> > > > d)} gnutls libidn proxy threaded-resolver verbose zlib"
> > > > --
> > > > 2.39.2
> > > >
> > > >
> > > >
> > > >
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > > Links: You receive all messages sent to this group.
> > > View/Reply Online (#178493):
> > > https://lists.openembedded.org/g/openembedded-core/message/178493
> > > Mute This Topic: https://lists.openembedded.org/mt/97516349/3620601
> > > Group Owner: openembedded-core+owner@lists.openembedded.org
> > > Unsubscribe:
> > > https://lists.openembedded.org/g/openembedded-core/unsub [
> > > steve@sakoman.com]
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > >
>
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2023-03-14 15:09 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-09 15:15 curl Valek, Andrej
2023-03-09 15:24 ` curl Steve Sakoman
2023-03-10 9:54 ` [OE-core][dunfell][PATCH 1/2] curl: Fix CVE CVE-2022-43552 Andrej Valek
2023-03-10 9:54 ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-03-14 14:26 ` Steve Sakoman
[not found] ` <174C4F5C0F6A96A7.18998@lists.openembedded.org>
2023-03-14 14:39 ` Steve Sakoman
2023-03-14 15:07 ` Valek, Andrej
2023-03-14 15:09 ` Steve Sakoman
2023-03-10 12:45 ` [OE-core][dunfell][PATCH] curl: Fix CVE CVE-2021-22897 Andrej Valek
2023-03-10 13:09 ` Valek, Andrej
2023-03-10 14:40 ` Steve Sakoman
2023-03-10 14:49 ` Valek, Andrej
2023-03-10 14:56 ` Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.