Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: c...@packages.debian.org, guilhe...@puida.xyz
Control: affects -1 + src:curl
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
1. Fix CVE-2024-2398
> When an application tells libcurl it wants to allow HTTP/2 server
> push, and the amount of received headers for the push surpasses the
> maximum allowed limit (1000), libcurl aborts the server push. When
> aborting, libcurl inadvertently does not free all the previously
> allocated headers and instead leaks the memory. Further, this error
> condition fails silently and is therefore not easily detected by an
> application.
[ Impact ]
The vulnerability is present in bullseye's curl code and can be
exploited by malicious actors.
[ Tests ]
Upstream provides an extensive test suite, and there are no test
failures when building the package.
[ Risks ]
The patch is not very complex, but some amount of backporting was needed
to apply it to the version of curl in bullseye. There is a chance of
introducing bugs here, but the test suite should catch most of them.
samueloph also reviewed my changes.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
1. Imported and backported the upstream patch that fixes CVE-2024-2398.
--puida
diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog
--- curl-7.74.0/debian/changelog 2023-12-10 03:05:18.000000000 -0300
+++ curl-7.74.0/debian/changelog 2024-04-09 22:00:20.000000000 -0300
@@ -1,3 +1,12 @@
+curl (7.74.0-1.3+deb11u12) bullseye; urgency=medium
+
+ * Team upload.
+ * Import patch to fix CVE-2024-2398: Memory leak when HTTP/2 server push is
+ aborted.
+ * d/p/CVE-2024-2398.patch: Backport patch.
+
+ -- Guilherme Puida Moreira <guilhe...@puida.xyz> Tue, 09 Apr 2024 22:00:20 -0300
+
curl (7.74.0-1.3+deb11u11) bullseye-security; urgency=high
* Add patch to fix CVE-2023-46218
diff -Nru curl-7.74.0/debian/patches/CVE-2024-2398.patch curl-7.74.0/debian/patches/CVE-2024-2398.patch
--- curl-7.74.0/debian/patches/CVE-2024-2398.patch 1969-12-31 21:00:00.000000000 -0300
+++ curl-7.74.0/debian/patches/CVE-2024-2398.patch 2024-04-09 21:58:53.000000000 -0300
@@ -0,0 +1,88 @@
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <ste...@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+Backported by: Guilherme Puida Moreira <guilhe...@puida.xyz>:
+ * Changed h2_stream_ctx to HTTP in free_push_headers.
+ * Dropped unnaplicable hunk in push_promise, since it changed some code
+ that does not yet exist.
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+Index: curl/lib/http2.c
+===================================================================
+--- curl.orig/lib/http2.c
++++ curl/lib/http2.c
+@@ -155,6 +155,15 @@ static CURLcode http2_disconnect(struct
+ return CURLE_OK;
+ }
+
++static void free_push_headers(struct HTTP *stream)
++{
++ size_t i;
++ for(i = 0; i<stream->push_headers_used; i++)
++ free(stream->push_headers[i]);
++ Curl_safefree(stream->push_headers);
++ stream->push_headers_used = 0;
++}
++
+ /*
+ * The server may send us data at any point (e.g. PING frames). Therefore,
+ * we cannot assume that an HTTP/2 socket is dead just because it is readable.
+@@ -525,7 +534,6 @@ static int push_promise(struct Curl_easy
+ struct curl_pushheaders heads;
+ CURLMcode rc;
+ struct http_conn *httpc;
+- size_t i;
+ /* clone the parent */
+ struct Curl_easy *newhandle = duphandle(data);
+ if(!newhandle) {
+@@ -560,11 +568,7 @@ static int push_promise(struct Curl_easy
+ Curl_set_in_callback(data, false);
+
+ /* free the headers again */
+- for(i = 0; i<stream->push_headers_used; i++)
+- free(stream->push_headers[i]);
+- free(stream->push_headers);
+- stream->push_headers = NULL;
+- stream->push_headers_used = 0;
++ free_push_headers(stream);
+
+ if(rv) {
+ DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1001,10 +1005,10 @@ static int on_header(nghttp2_session *se
+ stream->push_headers_alloc) {
+ char **headp;
+ stream->push_headers_alloc *= 2;
+- headp = Curl_saferealloc(stream->push_headers,
+- stream->push_headers_alloc * sizeof(char *));
++ headp = realloc(stream->push_headers,
++ stream->push_headers_alloc * sizeof(char *));
+ if(!headp) {
+- stream->push_headers = NULL;
++ free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ stream->push_headers = headp;
+@@ -1170,14 +1174,7 @@ void Curl_http2_done(struct Curl_easy *d
+ setup */
+ Curl_dyn_free(&http->header_recvbuf);
+ Curl_dyn_free(&http->trailer_recvbuf);
+- if(http->push_headers) {
+- /* if they weren't used and then freed before */
+- for(; http->push_headers_used > 0; --http->push_headers_used) {
+- free(http->push_headers[http->push_headers_used - 1]);
+- }
+- free(http->push_headers);
+- http->push_headers = NULL;
+- }
++ free_push_headers(http);
+
+ if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) ||
+ !httpc->h2) /* not HTTP/2 ? */
diff -Nru curl-7.74.0/debian/patches/series curl-7.74.0/debian/patches/series
--- curl-7.74.0/debian/patches/series 2023-12-10 03:05:18.000000000 -0300
+++ curl-7.74.0/debian/patches/series 2024-04-09 21:07:01.000000000 -0300
@@ -48,6 +48,9 @@
# Patches from 8.5.0.
CVE-2023-46218.patch
+# Patches from 8.7.0.
+CVE-2024-2398.patch
+
# Always add CVE patches before these two patches
90_gnutls.patch
99_nss.patch
