File curl-CVE-2015-3148.patch of Package curl.10931

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2015-3148.patch of Package curl.10931

From 21b8c694881ce8a48121d6e0152e834ed3901e25 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 18 Apr 2015 23:50:16 +0200
Subject: [PATCH] http_done: close Negotiate connections if not 401

When doing HTTP requests Negotiate authenticated, the entire connnection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.

Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris

commit f78ae415d24b9bd89d6c121c556e411fdb21c6aa
Author: David Woodhouse <David.Woodhouse@intel.com>
Date:   Fri Jul 11 11:09:34 2014 +0100

Don't clear GSSAPI state between each exchange in the negotiation
    
    GSSAPI doesn't work very well if we forget everything ever time.
    
    XX: Is Curl_http_done() the right place to do the final cleanup?

Index: curl-7.37.0/lib/http.c
===================================================================
--- curl-7.37.0.orig/lib/http.c	2014-05-20 19:16:53.000000000 +0200
+++ curl-7.37.0/lib/http.c	2015-04-24 10:49:29.702294822 +0200
@@ -1442,6 +1442,18 @@ CURLcode Curl_http_done(struct connectda
 
   Curl_unencode_cleanup(conn);
 
+#ifdef USE_HTTP_NEGOTIATE
+  if(data->state.proxyneg.state == GSS_AUTHSENT ||
+      data->state.negotiate.state == GSS_AUTHSENT) {
+    /* add forbid re-use if http-code != 401/407 as a WA only needed for
+     * 401/407 that signal auth failure (empty) otherwise state will be RECV
+     * with current code */
+    if((data->req.httpcode != 401) && (data->req.httpcode != 407))
+      conn->bits.close = TRUE;
+    Curl_cleanup_negotiate(data);
+  }
+#endif
+
   /* set the proper values (possibly modified on POST) */
   conn->fread_func = data->set.fread_func; /* restore */
   conn->fread_in = data->set.in; /* restore */
Index: curl-7.37.0/lib/http_negotiate.c
===================================================================
--- curl-7.37.0.orig/lib/http_negotiate.c	2014-04-25 14:01:03.000000000 +0200
+++ curl-7.37.0/lib/http_negotiate.c	2015-04-20 14:03:05.296884827 +0200
@@ -355,7 +355,6 @@ CURLcode Curl_output_negotiate(struct co
   }
 
   Curl_safefree(encoded);
-  Curl_cleanup_negotiate(conn->data);
 
   return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
 }
Index: curl-7.37.0/lib/http_negotiate_sspi.c
===================================================================
--- curl-7.37.0.orig/lib/http_negotiate_sspi.c	2014-04-25 14:01:03.000000000 +0200
+++ curl-7.37.0/lib/http_negotiate_sspi.c	2015-04-20 14:03:05.296884827 +0200
@@ -268,7 +268,6 @@ CURLcode Curl_output_negotiate(struct co
   else
     conn->allocptr.userpwd = userp;
   free(encoded);
-  Curl_cleanup_negotiate (conn->data);
   return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
 }

Places

File curl-CVE-2015-3148.patch of Package curl.10931

Places