File curl-CVE-2021-22924.patch of Package curl.28253

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2021-22924.patch of Package curl.28253

From 6c07d0c65e2c8d381efe100947d20e147da2217b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 19 Jun 2021 00:42:28 +0200
Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case
 sensitivity

CVE-2021-22924

Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2021-22924.html
---

lib/vtls/vtls.c    | 26 +++++++++++++++++++++-----

Index: curl-7.37.0/lib/vtls/vtls.c
===================================================================
--- curl-7.37.0.orig/lib/vtls/vtls.c
+++ curl-7.37.0/lib/vtls/vtls.c
@@ -109,6 +109,7 @@ Curl_ssl_config_matches(struct ssl_confi
      (data->verifyhost == needle->verifyhost) &&
      safe_strequal(data->CApath, needle->CApath) &&
      safe_strequal(data->CAfile, needle->CAfile) &&
+     safe_strequal(data->issuercert, needle->issuercert) &&
      safe_strequal(data->clientcert, needle->clientcert) &&
      safe_strequal(data->random_file, needle->random_file) &&
      safe_strequal(data->egdsocket, needle->egdsocket) &&
@@ -143,6 +144,14 @@ Curl_clone_ssl_config(struct ssl_config_
   else
     dest->CApath = NULL;
 
+  if(source->issuercert) {
+    dest->issuercert = strdup(source->issuercert);
+    if(!dest->issuercert)
+      return FALSE;
+  }
+  else
+    dest->issuercert = NULL;
+
   if(source->cipher_list) {
     dest->cipher_list = strdup(source->cipher_list);
     if(!dest->cipher_list)
@@ -183,6 +192,7 @@ void Curl_free_ssl_config(struct ssl_con
 {
   Curl_safefree(sslc->CAfile);
   Curl_safefree(sslc->CApath);
+  Curl_safefree(sslc->issuercert);
   Curl_safefree(sslc->cipher_list);
   Curl_safefree(sslc->egdsocket);
   Curl_safefree(sslc->random_file);

Places

File curl-CVE-2021-22924.patch of Package curl.28253

Places