poky/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch - openbmc/openbmc - Gitiles

 From 782a5e8e5b0271f8cb33eeef6a3819b0149093e0 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 9 May 2022 23:13:53 +0200
 Subject: [PATCH] url: check SSH config match on connection reuse

 CVE-2022-27782

 Reported-by: Harry Sintonen
 Bug: https://curl.se/docs/CVE-2022-27782.html
 Closes #8825

 Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
 Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
 ---
  lib/url.c      | 11 +++++++++++
  lib/vssh/ssh.h |  6 +++---
  2 files changed, 14 insertions(+), 3 deletions(-)

 diff --git a/lib/url.c b/lib/url.c
 index 5ebf5e2..c713e54 100644
 --- a/lib/url.c
 +++ b/lib/url.c
 @@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data)
    }
  }

 +static bool ssh_config_matches(struct connectdata *one,
 +                               struct connectdata *two)
 +{
 +  return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
 +          Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
 +}
  /*
   * Given one filled in connection struct (named needle), this function should
   * detect if there already is one that has all the significant details
 @@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data,
           (data->state.httpwant < CURL_HTTP_VERSION_2_0))
          continue;

 +      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
 +        if(!ssh_config_matches(needle, check))
 +          continue;
 +      }
 +
        if((needle->handler->flags&PROTOPT_SSL)
  #ifndef CURL_DISABLE_PROXY
           || !needle->bits.httpproxy || needle->bits.tunnel_proxy
 diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
 index 7972081..30d82e5 100644
 --- a/lib/vssh/ssh.h
 +++ b/lib/vssh/ssh.h
 @@ -7,7 +7,7 @@
   *                            | (__| |_| |  _ <| |___
   *                             \___|\___/|_| \_\_____|
   *
 - * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
 + * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
   *
   * This software is licensed as described in the file COPYING, which
   * you should have received as part of this distribution. The terms
 @@ -131,8 +131,8 @@ struct ssh_conn {

    /* common */
    const char *passphrase;     /* pass-phrase to use */
 -  char *rsa_pub;              /* path name */
 -  char *rsa;                  /* path name */
 +  char *rsa_pub;              /* strdup'ed public key file */
 +  char *rsa;                  /* strdup'ed private key file */
    bool authed;                /* the connection has been authenticated fine */
    bool acceptfail;            /* used by the SFTP_QUOTE (continue if
                                   quote command fails) */
	From 782a5e8e5b0271f8cb33eeef6a3819b0149093e0 Mon Sep 17 00:00:00 2001
	From: Daniel Stenberg <daniel@haxx.se>
	Date: Mon, 9 May 2022 23:13:53 +0200
	Subject: [PATCH] url: check SSH config match on connection reuse

	CVE-2022-27782

	Reported-by: Harry Sintonen
	Bug: https://curl.se/docs/CVE-2022-27782.html
	Closes #8825

	Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
	---
	lib/url.c \| 11 +++++++++++
	lib/vssh/ssh.h \| 6 +++---
	2 files changed, 14 insertions(+), 3 deletions(-)

	diff --git a/lib/url.c b/lib/url.c
	index 5ebf5e2..c713e54 100644
	--- a/lib/url.c
	+++ b/lib/url.c
	@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data)
	}
	}

	+static bool ssh_config_matches(struct connectdata *one,
	+ struct connectdata *two)
	+{
	+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
	+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
	+}
	/*
	* Given one filled in connection struct (named needle), this function should
	* detect if there already is one that has all the significant details
	@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data,
	(data->state.httpwant < CURL_HTTP_VERSION_2_0))
	continue;

	+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
	+ if(!ssh_config_matches(needle, check))
	+ continue;
	+ }
	+
	if((needle->handler->flags&PROTOPT_SSL)
	#ifndef CURL_DISABLE_PROXY
	\|\| !needle->bits.httpproxy \|\| needle->bits.tunnel_proxy
	diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
	index 7972081..30d82e5 100644
	--- a/lib/vssh/ssh.h
	+++ b/lib/vssh/ssh.h
	@@ -7,7 +7,7 @@
	* \| (__\| \|_\| \| _ <\| \|___
	* \___\|\___/\|_\| \_\_____\|
	*
	- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
	+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
	*
	* This software is licensed as described in the file COPYING, which
	* you should have received as part of this distribution. The terms
	@@ -131,8 +131,8 @@ struct ssh_conn {

	/* common */
	const char passphrase; / pass-phrase to use */
	- char rsa_pub; / path name */
	- char rsa; / path name */
	+ char rsa_pub; / strdup'ed public key file */
	+ char rsa; / strdup'ed private key file */
	bool authed; /* the connection has been authenticated fine */
	bool acceptfail; /* used by the SFTP_QUOTE (continue if
	quote command fails) */