Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:GA
curl.21972
curl-CVE-2020-8284.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2020-8284.patch of Package curl.21972
From 20ceeeeb6df4ad7444d0ac6f080557954e05ec1d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Tue, 24 Nov 2020 14:56:57 +0100 Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default The command line tool also independently sets --ftp-skip-pasv-ip by default. Ten test cases updated to adapt the modified --libcurl output. Bug: https://curl.se/docs/CVE-2020-8284.html CVE-2020-8284 Reported-by: Varnavas Papaioannou --- docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++ docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++--- lib/url.c | 1 + src/tool_cfgable.c | 1 + tests/data/test1400 | 1 + tests/data/test1401 | 1 + tests/data/test1402 | 1 + tests/data/test1403 | 1 + tests/data/test1404 | 1 + tests/data/test1405 | 1 + tests/data/test1406 | 1 + tests/data/test1407 | 1 + tests/data/test1420 | 1 + Index: curl-7.60.0/docs/cmdline-opts/ftp-skip-pasv-ip.d =================================================================== --- curl-7.60.0.orig/docs/cmdline-opts/ftp-skip-pasv-ip.d +++ curl-7.60.0/docs/cmdline-opts/ftp-skip-pasv-ip.d @@ -9,4 +9,6 @@ to curl's PASV command when curl connect will re-use the same IP address it already uses for the control connection. +Since curl 7.74.0 this option is enabled by default. + This option has no effect if PORT, EPRT or EPSV is used instead of PASV. Index: curl-7.60.0/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 =================================================================== --- curl-7.60.0.orig/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 +++ curl-7.60.0/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. +.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms @@ -36,11 +36,13 @@ address it already uses for the control number from the 227-response. This option thus allows libcurl to work around broken server installations -that due to NATs, firewalls or incompetence report the wrong IP address back. +that due to NATs, firewalls or incompetence report the wrong IP address +back. Setting the option also reduces the risk for various sorts of client +abuse by malicious servers. This option has no effect if PORT, EPRT or EPSV is used instead of PASV. .SH DEFAULT -0 +1 since 7.74.0, was 0 before then. .SH PROTOCOLS FTP .SH EXAMPLE Index: curl-7.60.0/lib/url.c =================================================================== --- curl-7.60.0.orig/lib/url.c +++ curl-7.60.0/lib/url.c @@ -437,6 +437,7 @@ CURLcode Curl_init_userdefined(struct Cu set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */ set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */ set->ftp_filemethod = FTPFILE_MULTICWD; + set->ftp_skip_ip = TRUE; /* skip PASV IP by default */ set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */ Index: curl-7.60.0/src/tool_cfgable.c =================================================================== --- curl-7.60.0.orig/src/tool_cfgable.c +++ curl-7.60.0/src/tool_cfgable.c @@ -43,6 +43,7 @@ void config_init(struct OperationConfig* config->proto_default = NULL; config->tcp_nodelay = TRUE; /* enabled by default */ config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT; + config->ftp_skip_ip = TRUE; } static void free_config_fields(struct OperationConfig *config) Index: curl-7.60.0/tests/data/test1400 =================================================================== --- curl-7.60.0.orig/tests/data/test1400 +++ curl-7.60.0/tests/data/test1400 @@ -74,6 +74,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.60.0/tests/data/test1401 =================================================================== --- curl-7.60.0.orig/tests/data/test1401 +++ curl-7.60.0/tests/data/test1401 @@ -90,6 +90,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip"); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE | (long)CURLPROTO_FTP | Index: curl-7.60.0/tests/data/test1402 =================================================================== --- curl-7.60.0.orig/tests/data/test1402 +++ curl-7.60.0/tests/data/test1402 @@ -81,6 +81,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.60.0/tests/data/test1403 =================================================================== --- curl-7.60.0.orig/tests/data/test1403 +++ curl-7.60.0/tests/data/test1403 @@ -76,6 +76,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.60.0/tests/data/test1404 =================================================================== --- curl-7.60.0.orig/tests/data/test1404 +++ curl-7.60.0/tests/data/test1404 @@ -145,6 +145,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.60.0/tests/data/test1405 =================================================================== --- curl-7.60.0.orig/tests/data/test1405 +++ curl-7.60.0/tests/data/test1405 @@ -90,6 +90,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2); curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.60.0/tests/data/test1406 =================================================================== --- curl-7.60.0.orig/tests/data/test1406 +++ curl-7.60.0/tests/data/test1406 @@ -81,6 +81,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_HEADER, 1L); curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com"); curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1); Index: curl-7.60.0/tests/data/test1407 =================================================================== --- curl-7.60.0.orig/tests/data/test1407 +++ curl-7.60.0/tests/data/test1407 @@ -63,6 +63,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L); curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.60.0/tests/data/test1420 =================================================================== --- curl-7.60.0.orig/tests/data/test1420 +++ curl-7.60.0/tests/data/test1420 @@ -68,6 +68,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_HEADER, 1L); curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.60.0/tests/data/test1139 =================================================================== --- curl-7.60.0.orig/tests/data/test1139 +++ curl-7.60.0/tests/data/test1139 @@ -15,13 +15,19 @@ documentation none </server> - <name> +<name> Verify that all libcurl options have man pages - </name> +</name> <command type="perl"> %SRCDIR/manpage-scan.pl %SRCDIR/.. %PWD/.. </command> </client> +<verify> +<stderr> +0 +</stderr> +</verify> + </testcase> Index: curl-7.60.0/tests/manpage-scan.pl =================================================================== --- curl-7.60.0.orig/tests/manpage-scan.pl +++ curl-7.60.0/tests/manpage-scan.pl @@ -286,4 +286,4 @@ foreach my $o (keys %opts) { } } -exit $errors; +print STDERR "$errors\n";
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
