All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH] package/libcurl: security bump to version 7.79.0
@ 2021-09-20 20:30 Peter Korsgaard
  2021-09-22  8:53 ` Peter Korsgaard
  0 siblings, 1 reply; 2+ messages in thread
From: Peter Korsgaard @ 2021-09-20 20:30 UTC (permalink / raw)
  To: buildroot; +Cc: Matt Weber

Fixes the following security issues:

- CVE-2021-22945: UAF and double-free in MQTT sending
  When sending data to an MQTT server, libcurl could in some circumstances
  erroneously keep a pointer to an already freed memory area and both use
  that again in a subsequent call to send data and also free it again.

  https://curl.se/docs/CVE-2021-22945.html

- CVE-2021-22946: Protocol downgrade required TLS bypassed
  A user can tell curl to require a successful upgrade to TLS when speaking
  to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or
  CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl).
  This requirement could be bypassed if the server would return a properly
  crafted but perfectly legitimate response.

  This flaw would then make curl silently continue its operations without
  TLS contrary to the instructions and expectations, exposing possibly
  sensitive data in clear text over the network.

  https://curl.se/docs/CVE-2021-22946.html

- CVE-2021-22947: STARTTLS protocol injection via MITM
  When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data
  securely using STARTTLS to upgrade the connection to TLS level, the server
  can still respond and send back multiple responses before the TLS upgrade.
  Such multiple "pipelined" responses are cached by curl.  curl would then
  upgrade to TLS but not flush the in-queue of cached responses and instead
  use and trust the responses it got before the TLS handshake as if they
  were authenticated.

  Using this flaw, it allows a Man-In-The-Middle attacker to first inject
  the fake responses, then pass-through the TLS traffic from the legitimate
  server and trick curl into sending data back to the user thinking the
  attacker's injected data comes from the TLS-protected server.

  Over POP3 and IMAP an attacker can inject fake response data.

  https://curl.se/docs/CVE-2021-22947.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libcurl/libcurl.hash | 4 ++--
 package/libcurl/libcurl.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 5e5776d1e3..d9732e1669 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-# https://curl.se/download/curl-7.78.0.tar.xz.asc
+# https://curl.se/download/curl-7.79.0.tar.xz.asc
 # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256  be42766d5664a739c3974ee3dfbbcbe978a4ccb1fe628bb1d9b59ac79e445fb5  curl-7.78.0.tar.xz
+sha256  2a1420076f9ffc35c982c78e85b7a69e2ef5d532267895fdb2eac16ad9b680c9  curl-7.79.0.tar.xz
 sha256  6fd1a1c008b5ef4c4741dd188c3f8af6944c14c25afa881eb064f98fb98358e7  COPYING
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 4e3c6d4523..4f637aea4e 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBCURL_VERSION = 7.78.0
+LIBCURL_VERSION = 7.79.0
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
 LIBCURL_SITE = https://curl.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \
-- 
2.20.1

_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [Buildroot] [PATCH] package/libcurl: security bump to version 7.79.0
  2021-09-20 20:30 [Buildroot] [PATCH] package/libcurl: security bump to version 7.79.0 Peter Korsgaard
@ 2021-09-22  8:53 ` Peter Korsgaard
  0 siblings, 0 replies; 2+ messages in thread
From: Peter Korsgaard @ 2021-09-22  8:53 UTC (permalink / raw)
  To: buildroot; +Cc: Matt Weber

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issues:
 > - CVE-2021-22945: UAF and double-free in MQTT sending
 >   When sending data to an MQTT server, libcurl could in some circumstances
 >   erroneously keep a pointer to an already freed memory area and both use
 >   that again in a subsequent call to send data and also free it again.

 >   https://curl.se/docs/CVE-2021-22945.html

 > - CVE-2021-22946: Protocol downgrade required TLS bypassed
 >   A user can tell curl to require a successful upgrade to TLS when speaking
 >   to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or
 >   CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl).
 >   This requirement could be bypassed if the server would return a properly
 >   crafted but perfectly legitimate response.

 >   This flaw would then make curl silently continue its operations without
 >   TLS contrary to the instructions and expectations, exposing possibly
 >   sensitive data in clear text over the network.

 >   https://curl.se/docs/CVE-2021-22946.html

 > - CVE-2021-22947: STARTTLS protocol injection via MITM
 >   When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data
 >   securely using STARTTLS to upgrade the connection to TLS level, the server
 >   can still respond and send back multiple responses before the TLS upgrade.
 >   Such multiple "pipelined" responses are cached by curl.  curl would then
 >   upgrade to TLS but not flush the in-queue of cached responses and instead
 >   use and trust the responses it got before the TLS handshake as if they
 >   were authenticated.

 >   Using this flaw, it allows a Man-In-The-Middle attacker to first inject
 >   the fake responses, then pass-through the TLS traffic from the legitimate
 >   server and trick curl into sending data back to the user thinking the
 >   attacker's injected data comes from the TLS-protected server.

 >   Over POP3 and IMAP an attacker can inject fake response data.

 >   https://curl.se/docs/CVE-2021-22947.html

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

7.79.0 unfortunately added a few regressions, which have now been fixed
in 7.79.1:

https://daniel.haxx.se/blog/2021/09/22/curl-7-79-1-patched-up-and-ready/

So I've sent an updated patch for that instead.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-09-22  8:53 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-20 20:30 [Buildroot] [PATCH] package/libcurl: security bump to version 7.79.0 Peter Korsgaard
2021-09-22  8:53 ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.