| Message ID | 20210922085308.17902-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/libcurl: security bump to version 7.79.1 | expand |
On 22/09/2021 10:53, Peter Korsgaard wrote: > Fixes the following security issues: > > - CVE-2021-22945: UAF and double-free in MQTT sending > When sending data to an MQTT server, libcurl could in some circumstances > erroneously keep a pointer to an already freed memory area and both use > that again in a subsequent call to send data and also free it again. > > https://curl.se/docs/CVE-2021-22945.html > > - CVE-2021-22946: Protocol downgrade required TLS bypassed > A user can tell curl to require a successful upgrade to TLS when speaking > to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or > CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl). > This requirement could be bypassed if the server would return a properly > crafted but perfectly legitimate response. > > This flaw would then make curl silently continue its operations without > TLS contrary to the instructions and expectations, exposing possibly > sensitive data in clear text over the network. > > https://curl.se/docs/CVE-2021-22946.html > > - CVE-2021-22947: STARTTLS protocol injection via MITM > When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data > securely using STARTTLS to upgrade the connection to TLS level, the server > can still respond and send back multiple responses before the TLS upgrade. > Such multiple "pipelined" responses are cached by curl. curl would then > upgrade to TLS but not flush the in-queue of cached responses and instead > use and trust the responses it got before the TLS handshake as if they > were authenticated. > > Using this flaw, it allows a Man-In-The-Middle attacker to first inject > the fake responses, then pass-through the TLS traffic from the legitimate > server and trick curl into sending data back to the user thinking the > attacker's injected data comes from the TLS-protected server. > > Over POP3 and IMAP an attacker can inject fake response data. > > https://curl.se/docs/CVE-2021-22947.html > > In addition, 7.79.1 fixes a number of regressions in 7.79.0: > https://daniel.haxx.se/blog/2021/09/22/curl-7-79-1-patched-up-and-ready/ > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Applied to master, thanks. Regards, Arnout > --- > package/libcurl/libcurl.hash | 4 ++-- > package/libcurl/libcurl.mk | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash > index 5e5776d1e3..b13f01c874 100644 > --- a/package/libcurl/libcurl.hash > +++ b/package/libcurl/libcurl.hash > @@ -1,5 +1,5 @@ > # Locally calculated after checking pgp signature > -# https://curl.se/download/curl-7.78.0.tar.xz.asc > +# https://curl.se/download/curl-7.79.1.tar.xz.asc > # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 > -sha256 be42766d5664a739c3974ee3dfbbcbe978a4ccb1fe628bb1d9b59ac79e445fb5 curl-7.78.0.tar.xz > +sha256 0606f74b1182ab732a17c11613cbbaf7084f2e6cca432642d0e3ad7c224c3689 curl-7.79.1.tar.xz > sha256 6fd1a1c008b5ef4c4741dd188c3f8af6944c14c25afa881eb064f98fb98358e7 COPYING > diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk > index 4e3c6d4523..a70ebe4113 100644 > --- a/package/libcurl/libcurl.mk > +++ b/package/libcurl/libcurl.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -LIBCURL_VERSION = 7.78.0 > +LIBCURL_VERSION = 7.79.1 > LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz > LIBCURL_SITE = https://curl.se/download > LIBCURL_DEPENDENCIES = host-pkgconf \ >
diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash index 5e5776d1e3..b13f01c874 100644 --- a/package/libcurl/libcurl.hash +++ b/package/libcurl/libcurl.hash @@ -1,5 +1,5 @@ # Locally calculated after checking pgp signature -# https://curl.se/download/curl-7.78.0.tar.xz.asc +# https://curl.se/download/curl-7.79.1.tar.xz.asc # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 -sha256 be42766d5664a739c3974ee3dfbbcbe978a4ccb1fe628bb1d9b59ac79e445fb5 curl-7.78.0.tar.xz +sha256 0606f74b1182ab732a17c11613cbbaf7084f2e6cca432642d0e3ad7c224c3689 curl-7.79.1.tar.xz sha256 6fd1a1c008b5ef4c4741dd188c3f8af6944c14c25afa881eb064f98fb98358e7 COPYING diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk index 4e3c6d4523..a70ebe4113 100644 --- a/package/libcurl/libcurl.mk +++ b/package/libcurl/libcurl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBCURL_VERSION = 7.78.0 +LIBCURL_VERSION = 7.79.1 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz LIBCURL_SITE = https://curl.se/download LIBCURL_DEPENDENCIES = host-pkgconf \
Fixes the following security issues: - CVE-2021-22945: UAF and double-free in MQTT sending When sending data to an MQTT server, libcurl could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it again. https://curl.se/docs/CVE-2021-22945.html - CVE-2021-22946: Protocol downgrade required TLS bypassed A user can tell curl to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations without TLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network. https://curl.se/docs/CVE-2021-22946.html - CVE-2021-22947: STARTTLS protocol injection via MITM When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple "pipelined" responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got before the TLS handshake as if they were authenticated. Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. Over POP3 and IMAP an attacker can inject fake response data. https://curl.se/docs/CVE-2021-22947.html In addition, 7.79.1 fixes a number of regressions in 7.79.0: https://daniel.haxx.se/blog/2021/09/22/curl-7-79-1-patched-up-and-ready/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/libcurl/libcurl.hash | 4 ++-- package/libcurl/libcurl.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)