[Buildroot] [PATCH] package/libcurl: security bump to version 7.79.1
Arnout Vandecappelle
arnout at mind.be
Wed Sep 22 19:27:55 UTC 2021
On 22/09/2021 10:53, Peter Korsgaard wrote:
> Fixes the following security issues:
>
> - CVE-2021-22945: UAF and double-free in MQTT sending
> When sending data to an MQTT server, libcurl could in some circumstances
> erroneously keep a pointer to an already freed memory area and both use
> that again in a subsequent call to send data and also free it again.
>
> https://curl.se/docs/CVE-2021-22945.html
>
> - CVE-2021-22946: Protocol downgrade required TLS bypassed
> A user can tell curl to require a successful upgrade to TLS when speaking
> to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or
> CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl).
> This requirement could be bypassed if the server would return a properly
> crafted but perfectly legitimate response.
>
> This flaw would then make curl silently continue its operations without
> TLS contrary to the instructions and expectations, exposing possibly
> sensitive data in clear text over the network.
>
> https://curl.se/docs/CVE-2021-22946.html
>
> - CVE-2021-22947: STARTTLS protocol injection via MITM
> When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data
> securely using STARTTLS to upgrade the connection to TLS level, the server
> can still respond and send back multiple responses before the TLS upgrade.
> Such multiple "pipelined" responses are cached by curl. curl would then
> upgrade to TLS but not flush the in-queue of cached responses and instead
> use and trust the responses it got before the TLS handshake as if they
> were authenticated.
>
> Using this flaw, it allows a Man-In-The-Middle attacker to first inject
> the fake responses, then pass-through the TLS traffic from the legitimate
> server and trick curl into sending data back to the user thinking the
> attacker's injected data comes from the TLS-protected server.
>
> Over POP3 and IMAP an attacker can inject fake response data.
>
> https://curl.se/docs/CVE-2021-22947.html
>
> In addition, 7.79.1 fixes a number of regressions in 7.79.0:
> https://daniel.haxx.se/blog/2021/09/22/curl-7-79-1-patched-up-and-ready/
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> package/libcurl/libcurl.hash | 4 ++--
> package/libcurl/libcurl.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
> index 5e5776d1e3..b13f01c874 100644
> --- a/package/libcurl/libcurl.hash
> +++ b/package/libcurl/libcurl.hash
> @@ -1,5 +1,5 @@
> # Locally calculated after checking pgp signature
> -# https://curl.se/download/curl-7.78.0.tar.xz.asc
> +# https://curl.se/download/curl-7.79.1.tar.xz.asc
> # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
> -sha256 be42766d5664a739c3974ee3dfbbcbe978a4ccb1fe628bb1d9b59ac79e445fb5 curl-7.78.0.tar.xz
> +sha256 0606f74b1182ab732a17c11613cbbaf7084f2e6cca432642d0e3ad7c224c3689 curl-7.79.1.tar.xz
> sha256 6fd1a1c008b5ef4c4741dd188c3f8af6944c14c25afa881eb064f98fb98358e7 COPYING
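Review bot: the COPYING sha256 on the last context line is carried over unchanged while the tarball hash and .asc URL move to 7.79.1, which is only right if the license file is byte-identical between 7.78.0 and 7.79.1; since the header comment says the hashes were locally calculated after checking the PGP signature with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2, it is worth confirming that the 7.79.1 signature was verified against that same key and that the COPYING line was re-checked against the new tarball rather than assumed, as an untouched line is easy to overlook in a version bump.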
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index 4e3c6d4523..a70ebe4113 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -LIBCURL_VERSION = 7.78.0
> +LIBCURL_VERSION = 7.79.1
> LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
> LIBCURL_SITE = https://curl.se/download
> LIBCURL_DEPENDENCIES = host-pkgconf \
>
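The CVE-2021-22947 mechanism described in the quoted commit message (clear-text replies pipelined behind the STARTTLS reply, cached and then trusted after the upgrade) in a simplified model, added here as an example and not code from curl, Buildroot or this patch; the cache structure, the POP3-style `+OK` reply format and the hardened "refuse leftover bytes" check are assumptions for illustration.

```c
#include <string.h>

/* Simplified model of a STARTTLS client's receive cache, constructed for this
 * example; it is not libcurl's own pingpong code. */
#define CACHE_MAX 256
struct pp_cache {
    char buf[CACHE_MAX];  /* bytes read from the socket but not yet consumed */
    size_t len;
};

/* Pop one CRLF-terminated line from the cache; returns 1 if one was queued. */
static int cache_read_line(struct pp_cache *c, char *out, size_t outsz) {
    for (size_t i = 0; i + 1 < c->len; i++) {
        if (c->buf[i] != '\r' || c->buf[i + 1] != '\n') continue;
        size_t n = i < outsz - 1 ? i : outsz - 1;
        memcpy(out, c->buf, n);
        out[n] = '\0';
        memmove(c->buf, c->buf + i + 2, c->len - (i + 2));
        c->len -= i + 2;
        return 1;
    }
    return 0;
}

/* Handle the STARTTLS reply. With hardened == 0 (the CVE-2021-22947 behaviour)
 * further clear-text lines stay cached and are later trusted as if they had come
 * over TLS. With hardened == 1, anything queued behind the "+OK" is refused. */
static int do_starttls(struct pp_cache *c, int hardened) {
    char line[128];
    if (!cache_read_line(c, line, sizeof line) || strncmp(line, "+OK", 3) != 0)
        return -1;  /* server refused STARTTLS or sent garbage */
    if (hardened && c->len != 0)
        return -2;  /* pipelined clear-text data behind the STARTTLS reply */
    return 0;       /* the TLS handshake would happen here */
}

/* Load what the server sent before the upgrade, then simulate the first
 * post-upgrade command. Returns 1 if its reply came from the clear-text cache,
 * 0 if it would have to be read over TLS, or the negative do_starttls() code. */
static int run_scenario(const char *server_bytes, int hardened) {
    struct pp_cache c;
    char line[128];
    c.len = strlen(server_bytes) < CACHE_MAX ? strlen(server_bytes) : CACHE_MAX;
    memcpy(c.buf, server_bytes, c.len);
    int rc = do_starttls(&c, hardened);
    if (rc != 0) return rc;
    return cache_read_line(&c, line, sizeof line) ? 1 : 0;
}
```

Running run_scenario() with a constructed two-line reply shows the vulnerable path answering the post-upgrade command from the clear-text cache, while the hardened path stops before the handshake; a single-line `+OK` passes both.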