Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:GA
curl.27109
curl-CVE-2021-22947.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2021-22947.patch of Package curl.27109
From 259b4f2e1fd01fbc55e569ee0a507afeae34f77c Mon Sep 17 00:00:00 2001 From: Patrick Monnerat <patrick@monnerat.net> Date: Tue, 7 Sep 2021 13:26:42 +0200 Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response pipelining If a server pipelines future responses within the STARTTLS response, the former are preserved in the pingpong cache across TLS negotiation and used as responses to the encrypted commands. This fix detects pipelined STARTTLS responses and rejects them with an error. CVE-2021-22947 Bug: https://curl.se/docs/CVE-2021-22947.html --- lib/ftp.c | 3 +++ lib/imap.c | 4 +++ lib/pop3.c | 4 +++ lib/smtp.c | 4 +++ tests/data/Makefile.inc | 2 ++ tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++ tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++ tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++ tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++ 9 files changed, 237 insertions(+) create mode 100644 tests/data/test980 create mode 100644 tests/data/test981 create mode 100644 tests/data/test982 create mode 100644 tests/data/test983 Index: curl-7.66.0/lib/ftp.c =================================================================== --- curl-7.66.0.orig/lib/ftp.c +++ curl-7.66.0/lib/ftp.c @@ -2663,6 +2663,9 @@ static CURLcode ftp_statemach_act(struct case FTP_AUTH: /* we have gotten the response to a previous AUTH command */ + if(pp->cache_size) + return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */ + /* RFC2228 (page 5) says: * * If the server is willing to accept the named security mechanism, Index: curl-7.66.0/lib/imap.c =================================================================== --- curl-7.66.0.orig/lib/imap.c +++ curl-7.66.0/lib/imap.c @@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp (void)instate; /* no use for this yet */ + /* Pipelining in response is forbidden. */ + if(data->conn->proto.imapc.pp.cache_size) + return CURLE_WEIRD_SERVER_REPLY; + if(imapcode != IMAP_RESP_OK) { if(data->set.use_ssl != CURLUSESSL_TRY) { failf(data, "STARTTLS denied"); Index: curl-7.66.0/lib/pop3.c =================================================================== --- curl-7.66.0.orig/lib/pop3.c +++ curl-7.66.0/lib/pop3.c @@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp (void)instate; /* no use for this yet */ + /* Pipelining in response is forbidden. */ + if(data->conn->proto.pop3c.pp.cache_size) + return CURLE_WEIRD_SERVER_REPLY; + if(pop3code != '+') { if(data->set.use_ssl != CURLUSESSL_TRY) { failf(data, "STARTTLS denied"); Index: curl-7.66.0/lib/smtp.c =================================================================== --- curl-7.66.0.orig/lib/smtp.c +++ curl-7.66.0/lib/smtp.c @@ -680,6 +680,10 @@ static CURLcode smtp_state_starttls_resp (void)instate; /* no use for this yet */ + /* Pipelining in response is forbidden. */ + if(data->conn->proto.smtpc.pp.cache_size) + return CURLE_WEIRD_SERVER_REPLY; + if(smtpcode != 220) { if(data->set.use_ssl != CURLUSESSL_TRY) { failf(data, "STARTTLS denied, code %d", smtpcode); Index: curl-7.66.0/tests/data/Makefile.inc =================================================================== --- curl-7.66.0.orig/tests/data/Makefile.inc +++ curl-7.66.0/tests/data/Makefile.inc @@ -109,7 +109,7 @@ test936 test937 test938 test939 test940 test945 test946 test947 test948 test949 test950 test951 test952 test953 \ test954 \ \ -test984 test985 test986 \ +test980 test981 test982 test983 test984 test985 test986 \ \ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ Index: curl-7.66.0/tests/data/test980 =================================================================== --- /dev/null +++ curl-7.66.0/tests/data/test980 @@ -0,0 +1,52 @@ +<testcase> +<info> +<keywords> +SMTP +STARTTLS +</keywords> +</info> + +# +# Server-side +<reply> +<servercmd> +CAPA STARTTLS +AUTH PLAIN +REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted +REPLY AUTH 535 5.7.8 Authentication credentials invalid +</servercmd> +</reply> + +# +# Client-side +<client> +<features> +SSL +</features> +<server> +smtp +</server> + <name> +SMTP STARTTLS pipelined server response + </name> +<stdin> +mail body +</stdin> + <command> +smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T - +</command> +</client> + +# +# Verify data after the test has been "shot" +<verify> +# 8 is CURLE_WEIRD_SERVER_REPLY +<errorcode> +8 +</errorcode> +<protocol> +EHLO %TESTNUMBER +STARTTLS +</protocol> +</verify> +</testcase> Index: curl-7.66.0/tests/data/test981 =================================================================== --- /dev/null +++ curl-7.66.0/tests/data/test981 @@ -0,0 +1,59 @@ +<testcase> +<info> +<keywords> +IMAP +STARTTLS +</keywords> +</info> + +# +# Server-side +<reply> +<servercmd> +CAPA STARTTLS +REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted +REPLY LOGIN A003 BAD Authentication credentials invalid +</servercmd> +</reply> + +# +# Client-side +<client> +<features> +SSL +</features> +<server> +imap +</server> + <name> +IMAP STARTTLS pipelined server response + </name> + <command> +imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl +</command> +<file name="log/upload%TESTNUMBER"> +Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) +From: Fred Foobar <foobar@example.COM> +Subject: afternoon meeting +To: joe@example.com +Message-Id: <B27397-0100000@example.COM> +MIME-Version: 1.0 +Content-Type: TEXT/PLAIN; CHARSET=US-ASCII + +Hello Joe, do you think we can meet at 3:30 tomorrow? +</file> +</client> + +# +# Verify data after the test has been "shot" +<verify> +# 8 is CURLE_WEIRD_SERVER_REPLY +<errorcode> +8 +</errorcode> +<protocol> +A001 CAPABILITY +A002 STARTTLS +</protocol> +</verify> +</testcase> Index: curl-7.66.0/tests/data/test982 =================================================================== --- /dev/null +++ curl-7.66.0/tests/data/test982 @@ -0,0 +1,57 @@ +<testcase> +<info> +<keywords> +POP3 +STARTTLS +</keywords> +</info> + +# +# Server-side +<reply> +<servercmd> +CAPA STLS USER +REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated +REPLY PASS -ERR Authentication credentials invalid +</servercmd> +<data nocheck="yes"> +From: me@somewhere +To: fake@nowhere + +body + +-- + yours sincerely +</data> +</reply> + +# +# Client-side +<client> +<features> +SSL +</features> +<server> +pop3 +</server> + <name> +POP3 STARTTLS pipelined server response + </name> + <command> +pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl + </command> +</client> + +# +# Verify data after the test has been "shot" +<verify> +# 8 is CURLE_WEIRD_SERVER_REPLY +<errorcode> +8 +</errorcode> +<protocol> +CAPA +STLS +</protocol> +</verify> +</testcase> Index: curl-7.66.0/tests/data/test983 =================================================================== --- /dev/null +++ curl-7.66.0/tests/data/test983 @@ -0,0 +1,52 @@ +<testcase> +<info> +<keywords> +FTP +STARTTLS +</keywords> +</info> + +# +# Server-side +<reply> +<servercmd> +REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete +REPLY PASS 530 Login incorrect +</servercmd> +</reply> + +# Client-side +<client> +<features> +SSL +</features> +<server> +ftp +</server> + <name> +FTP STARTTLS pipelined server response + </name> +<file name="log/test%TESTNUMBER.txt"> +data + to + see +that FTPS +works + so does it? +</file> + <command> +--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP +</command> +</client> + +# Verify data after the test has been "shot" +<verify> +# 8 is CURLE_WEIRD_SERVER_REPLY +<errorcode> +8 +</errorcode> +<protocol> +AUTH SSL +</protocol> +</verify> +</testcase>
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
