Reviewed-by: Adolf Belka adolf.belka@ipfire.org
On 11/10/2023 09:48, Michael Tremer wrote:
https://curl.se/docs/CVE-2023-38545.html
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
lfs/curl | 1 + ...15d8aee6c1045be932a34fe6107c2f5ed147.patch | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch
diff --git a/lfs/curl b/lfs/curl index fb98b21af..a4fa21b1c 100644 --- a/lfs/curl +++ b/lfs/curl @@ -70,6 +70,7 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch cd $(DIR_APP) && ./configure \ --prefix=/usr \ --disable-ipv6 \
diff --git a/src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch b/src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch new file mode 100644 index 000000000..0de35055f --- /dev/null +++ b/src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch @@ -0,0 +1,38 @@ +From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001 +From: Jay Satiro raysatiro@yahoo.com +Date: Wed, 11 Oct 2023 07:34:19 +0200 +Subject: [PATCH] socks: return error if hostname too long for remote resolve
+Prior to this change the state machine attempted to change the remote +resolve to a local resolve if the hostname was longer than 255 +characters. Unfortunately that did not work as intended and caused a +security issue.
+Bug: https://curl.se/docs/CVE-2023-38545.html
+diff --git a/lib/socks.c b/lib/socks.c +index c492d663c4738..a7b5ab07e47d0 100644 +--- a/lib/socks.c ++++ b/lib/socks.c +@@ -587,9 +587,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */if(!socks5_resolve_local && hostname_len > 255) {+- infof(data, "SOCKS5: server resolving disabled for hostnames of " +- "length > 255 [actual len=%zu]", hostname_len); +- socks5_resolve_local = TRUE; ++ failf(data, "SOCKS5: the destination hostname is too long to be " ++ "resolved remotely by the proxy."); ++ return CURLPX_LONG_HOSTNAME;
}if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))+@@ -903,7 +903,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
}else {socksreq[len++] = 3;+- socksreq[len++] = (char) hostname_len; /* one byte address length */ ++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */len += hostname_len;}