From ee2df615e39a58af46034ae6e965009100ea1f8a Mon Sep 17 00:00:00 2001
From: Muhammad Falak R Wani
Date: Tue, 15 Oct 2024 16:31:21 +0530
Subject: [PATCH 1/2] curl: address CVE-2024-8096

Signed-off-by: Muhammad Falak R Wani
---
 SPECS/curl/CVE-2024-8096.patch | 200 +++++++++++++++++++++++++++++++++
 SPECS/curl/curl.spec | 6 +-
 2 files changed, 205 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/curl/CVE-2024-8096.patch

diff --git a/SPECS/curl/CVE-2024-8096.patch b/SPECS/curl/CVE-2024-8096.patch
new file mode 100644
index 00000000000..0f780f08c32
--- /dev/null
+++ b/SPECS/curl/CVE-2024-8096.patch
@@ -0,0 +1,200 @@
+From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 20 Aug 2024 16:14:39 +0200
+Subject: [PATCH] gtls: fix OCSP stapling management
+
+Reported-by: Hiroki Kurosawa
+Closes #14642
+---
+ lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
+ 1 file changed, 73 insertions(+), 73 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 03d6fcc038aac3..c7589d9d39bc81 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
+ init_flags |= GNUTLS_NO_TICKETS;
+ #endif
+
++#if defined(GNUTLS_NO_STATUS_REQUEST)
++ if(!config->verifystatus)
++ /* Disable the "status_request" TLS extension, enabled by default since
++ GnuTLS 3.8.0. */
++ init_flags |= GNUTLS_NO_STATUS_REQUEST;
++#endif
++
+ rc = gnutls_init(>ls->session, init_flags);
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data, "gnutls_init() failed: %d", rc);
+@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+ infof(data, " server certificate verification SKIPPED");
+
+ if(config->verifystatus) {
+- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
+- gnutls_datum_t status_request;
+- gnutls_ocsp_resp_t ocsp_resp;
++ gnutls_datum_t status_request;
++ gnutls_ocsp_resp_t ocsp_resp;
++ gnutls_ocsp_cert_status_t status;
++ gnutls_x509_crl_reason_t reason;
+
+- gnutls_ocsp_cert_status_t status;
+- gnutls_x509_crl_reason_t reason;
++ rc = gnutls_ocsp_status_request_get(session, &status_request);
+
+- rc = gnutls_ocsp_status_request_get(session, &status_request);
++ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
++ failf(data, "No OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- infof(data, " server certificate status verification FAILED");
++ if(rc < 0) {
++ failf(data, "Invalid OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+- failf(data, "No OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ gnutls_ocsp_resp_init(&ocsp_resp);
+
+- if(rc < 0) {
+- failf(data, "Invalid OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
++ if(rc < 0) {
++ failf(data, "Invalid OCSP response received");
++ return CURLE_SSL_INVALIDCERTSTATUS;
++ }
+
+- gnutls_ocsp_resp_init(&ocsp_resp);
++ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
++ &status, NULL, NULL, NULL, &reason);
+
+- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+- if(rc < 0) {
+- failf(data, "Invalid OCSP response received");
+- return CURLE_SSL_INVALIDCERTSTATUS;
+- }
++ switch(status) {
++ case GNUTLS_OCSP_CERT_GOOD:
++ break;
+
+- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+- &status, NULL, NULL, NULL, &reason);
++ case GNUTLS_OCSP_CERT_REVOKED: {
++ const char *crl_reason;
+
+- switch(status) {
+- case GNUTLS_OCSP_CERT_GOOD:
++ switch(reason) {
++ default:
++ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
++ crl_reason = "unspecified reason";
+ break;
+
+- case GNUTLS_OCSP_CERT_REVOKED: {
+- const char *crl_reason;
+-
+- switch(reason) {
+- default:
+- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+- crl_reason = "unspecified reason";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+- crl_reason = "private key compromised";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+- crl_reason = "CA compromised";
+- break;
+-
+- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+- crl_reason = "affiliation has changed";
+- break;
++ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
++ crl_reason = "private key compromised";
++ break;
+
+- case GNUTLS_X509_CRLREASON_SUPERSEDED:
+- crl_reason = "certificate superseded";
+- break;
++ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
++ crl_reason = "CA compromised";
++ break;
+
+- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+- crl_reason = "operation has ceased";
+- break;
++ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
++ crl_reason = "affiliation has changed";
++ break;
+
+- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+- crl_reason = "certificate is on hold";
+- break;
++ case GNUTLS_X509_CRLREASON_SUPERSEDED:
++ crl_reason = "certificate superseded";
++ break;
+
+- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+- crl_reason = "will be removed from delta CRL";
+- break;
++ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
++ crl_reason = "operation has ceased";
++ break;
+
+- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+- crl_reason = "privilege withdrawn";
+- break;
++ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
++ crl_reason = "certificate is on hold";
++ break;
+
+- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+- crl_reason = "AA compromised";
+- break;
+- }
++ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
++ crl_reason = "will be removed from delta CRL";
++ break;
+
+- failf(data, "Server certificate was revoked: %s", crl_reason);
++ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
++ crl_reason = "privilege withdrawn";
+ break;
+- }
+
+- default:
+- case GNUTLS_OCSP_CERT_UNKNOWN:
+- failf(data, "Server certificate status is unknown");
++ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
++ crl_reason = "AA compromised";
+ break;
+ }
+
+- gnutls_ocsp_resp_deinit(ocsp_resp);
++ failf(data, "Server certificate was revoked: %s", crl_reason);
++ break;
++ }
+
+- return CURLE_SSL_INVALIDCERTSTATUS;
++ default:
++ case GNUTLS_OCSP_CERT_UNKNOWN:
++ failf(data, "Server certificate status is unknown");
++ break;
+ }
+- else
+- infof(data, " server certificate status verification OK");
++
++ gnutls_ocsp_resp_deinit(ocsp_resp);
++ if(status != GNUTLS_OCSP_CERT_GOOD)
++ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
+ else
+ infof(data, " server certificate status verification SKIPPED");
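Review bot: In the second nested hunk, the new error path after `gnutls_ocsp_resp_import` (`if(rc < 0) { failf(data, "Invalid OCSP response received"); return CURLE_SSL_INVALIDCERTSTATUS; }`) returns after `gnutls_ocsp_resp_init(&ocsp_resp)` has already run but never calls `gnutls_ocsp_resp_deinit(ocsp_resp)`, so a malformed stapled response leaks the response object on every failed handshake; the removed lines show the same gap, so this is inherited from upstream rather than introduced here, but a backport is a reasonable place to add `gnutls_ocsp_resp_deinit(ocsp_resp);` before that return, or to carry it as a separate follow-up patch so this file stays byte-identical to the upstream commit. Separately, the context line `rc = gnutls_init(>ls->session, init_flags);` in the first nested hunk reads `>ls` where curl's gtls.c presumably has `&gtls`; if the on-disk file really reads that way rather than this being a rendering artifact, the context will not match and the patch will be rejected at build time, so a `git apply --check` against the unpacked 8.8.0 tree is worth running. Both enclosing functions (gtls_client_init and Curl_gtls_verifyserver) start and end outside the hunks.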
diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec
index c4d5b5fb2dd..514766bb87c 100644
--- a/SPECS/curl/curl.spec
+++ b/SPECS/curl/curl.spec
@@ -1,7 +1,7 @@
 Summary: An URL retrieval utility and library
 Name: curl
 Version: 8.8.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: curl
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -9,6 +9,7 @@ Group: System Environment/NetworkingLibraries
 URL: https://curl.haxx.se
 Source0: https://curl.haxx.se/download/%{name}-%{version}.tar.gz
 Patch0: CVE-2024-6197.patch
+Patch1: CVE-2024-8096.patch
 BuildRequires: krb5-devel
 BuildRequires: libssh2-devel
 BuildRequires: nghttp2-devel
@@ -86,6 +87,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.*
 
 %changelog
+* Tue Oct 15 2024 Muhammad Falak - 8.8.0-3
+- Address CVE-2024-8096
+
 * Wed Sep 4 2024 Aadhar Agarwal - 8.8.0-2
 - Patch CVE-2024-6197
 

From d7f186bb4280321aca46fbcd9285f3fac6631f88 Mon Sep 17 00:00:00 2001
From: Muhammad Falak R Wani
Date: Wed, 23 Oct 2024 11:29:15 +0530
Subject: [PATCH 2/2] curl: manifest: update entry

Signed-off-by: Muhammad Falak R Wani
---
 .../resources/manifests/package/pkggen_core_aarch64.txt | 6 +++---
 .../resources/manifests/package/pkggen_core_x86_64.txt | 6 +++---
 toolkit/resources/manifests/package/toolchain_aarch64.txt | 8 ++++----
 toolkit/resources/manifests/package/toolchain_x86_64.txt | 8 ++++----
 4 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 9e650a0ecdf..8c38aedb461 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
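Review bot: The new `Patch1: CVE-2024-8096.patch` line in the second spec hunk only declares the patch; whether it is applied is decided by the `%prep` section, which is outside these hunks, so confirm that section uses `%autosetup -p1` (or gains a matching `%patch1 -p1`), because a declared-but-unapplied patch builds cleanly and ships the unfixed gtls.c while the new changelog entry claims the CVE is addressed. The nested upstream commit is dated Aug 2024, after the 8.8.0 release this spec builds, so the build log for this release should show the patch applying without a rejected hunk before the manifest bump in the second patch is merged.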
@@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.aarch64.rpm
 libssh2-devel-1.9.0-4.cm2.aarch64.rpm
 krb5-1.19.4-3.cm2.aarch64.rpm
 nghttp2-1.57.0-2.cm2.aarch64.rpm
-curl-8.8.0-2.cm2.aarch64.rpm
-curl-devel-8.8.0-2.cm2.aarch64.rpm
-curl-libs-8.8.0-2.cm2.aarch64.rpm
+curl-8.8.0-3.cm2.aarch64.rpm
+curl-devel-8.8.0-3.cm2.aarch64.rpm
+curl-libs-8.8.0-3.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 libxml2-2.10.4-4.cm2.aarch64.rpm
 libxml2-devel-2.10.4-4.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index c654795e4f3..f05d8035084 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -190,9 +190,9 @@ libssh2-1.9.0-4.cm2.x86_64.rpm
 libssh2-devel-1.9.0-4.cm2.x86_64.rpm
 krb5-1.19.4-3.cm2.x86_64.rpm
 nghttp2-1.57.0-2.cm2.x86_64.rpm
-curl-8.8.0-2.cm2.x86_64.rpm
-curl-devel-8.8.0-2.cm2.x86_64.rpm
-curl-libs-8.8.0-2.cm2.x86_64.rpm
+curl-8.8.0-3.cm2.x86_64.rpm
+curl-devel-8.8.0-3.cm2.x86_64.rpm
+curl-libs-8.8.0-3.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
 libxml2-2.10.4-4.cm2.x86_64.rpm
 libxml2-devel-2.10.4-4.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index b1d0f57986a..748b7010877 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -46,10 +46,10 @@ cracklib-lang-2.9.7-5.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-debuginfo-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-devel-0.17.5-1.cm2.aarch64.rpm
-curl-8.8.0-2.cm2.aarch64.rpm
-curl-debuginfo-8.8.0-2.cm2.aarch64.rpm
-curl-devel-8.8.0-2.cm2.aarch64.rpm
-curl-libs-8.8.0-2.cm2.aarch64.rpm
+curl-8.8.0-3.cm2.aarch64.rpm
+curl-debuginfo-8.8.0-3.cm2.aarch64.rpm
+curl-devel-8.8.0-3.cm2.aarch64.rpm
+curl-libs-8.8.0-3.cm2.aarch64.rpm
 Cython-debuginfo-0.29.33-2.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
 debugedit-debuginfo-5.0-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 4f23cc9cd87..f52b1d030a0 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -49,10 +49,10 @@ createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm
 createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm
 cross-binutils-common-2.37-8.cm2.noarch.rpm
 cross-gcc-common-11.2.0-8.cm2.noarch.rpm
-curl-8.8.0-2.cm2.x86_64.rpm
-curl-debuginfo-8.8.0-2.cm2.x86_64.rpm
-curl-devel-8.8.0-2.cm2.x86_64.rpm
-curl-libs-8.8.0-2.cm2.x86_64.rpm
+curl-8.8.0-3.cm2.x86_64.rpm
+curl-debuginfo-8.8.0-3.cm2.x86_64.rpm
+curl-devel-8.8.0-3.cm2.x86_64.rpm
+curl-libs-8.8.0-3.cm2.x86_64.rpm
 Cython-debuginfo-0.29.33-2.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
 debugedit-debuginfo-5.0-2.cm2.x86_64.rpm