Your message dated Sat, 31 Aug 2024 12:34:14 +0100
with message-id 
<9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 12.7
has caused the Debian Bug report #1079317,
regarding bookworm-pu: package curl/7.88.1-10+deb12u7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1079317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079317
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: c...@packages.debian.org
Control: affects -1 + src:curl
User: release.debian....@packages.debian.org
Usertags: pu

Hi!

[ Reason ]
The reason is to fix CVE-2024-7264 [1] by cherry-picking and backporting
the upstream fixes released in curl 8.9.1.

[ Impact ]
Users will be vulnerable to the buffer overread bug.

[ Tests ]
All upstream integration tests were run for all SSL backends and passed
both locally (autopkgtest + sbuild) and on salsa CI [2]. Our LDAP test
also passed.

samueloph has also reviewed the patches/backport.

[ Risks ]
The code didn't change that much and it was a pretty internal function,
so no risk of breaking ABI/API of the library. From the report on
hackerone [3], it's suggested that this might not be easily exploited,
but upstream didn't want to take the risk, so we probably shouldn't either.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Basically, I cherry-picked the upstream patches and backported them by fixing
the return type of the function. In stable, it's const char, so I've
changed the return CURLcode to NULL.

[ Other info ]
We plan to fix it on bullseye too, let's see if we can make it on time.

Cheers,
Charles

[1] https://security-tracker.debian.org/tracker/CVE-2024-7264
[2] https://salsa.debian.org/charles/curl/-/pipelines/717928
[3] https://hackerone.com/reports/2629968
diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog	2024-04-02 20:02:10.000000000 -0300
+++ curl-7.88.1/debian/changelog	2024-08-17 14:06:29.000000000 -0300
@@ -1,3 +1,10 @@
+curl (7.88.1-10+deb12u7) bookworm; urgency=medium
+
+  * debian/patches/CVE-2024-7264*: import and backport upstream patches to fix
+    CVE-2024-7264 - ASN.1 date parser overread. (Closes: #1077656)
+
+ -- Carlos Henrique Lima Melara <charlesmel...@riseup.net>  Sat, 17 Aug 2024 14:06:29 -0300
+
 curl (7.88.1-10+deb12u6) bookworm; urgency=medium
 
   * Team upload.
diff -Nru curl-7.88.1/debian/patches/CVE-2024-7264-0.patch curl-7.88.1/debian/patches/CVE-2024-7264-0.patch
--- curl-7.88.1/debian/patches/CVE-2024-7264-0.patch	1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/CVE-2024-7264-0.patch	2024-08-17 14:06:29.000000000 -0300
@@ -0,0 +1,61 @@
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Tue, 30 Jul 2024 10:05:17 +0200
+Subject: x509asn1: clean up GTime2str
+
+Co-authored-by: Stefan Eissing
+Reported-by: Dov Murik
+
+Closes #14307
+
+Backported to Debian by Carlos Henrique Lima Melara <char...@debian.org>.
+
+Changes:
+- In this version, GTime2str doesn't return CURLcode, so change that to NULL.
+---
+ lib/vtls/x509asn1.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
+index 39e4fb3..27f8512 100644
+--- a/lib/vtls/x509asn1.c
++++ b/lib/vtls/x509asn1.c
+@@ -543,7 +543,7 @@ static const char *GTime2str(const char *beg, const char *end)
+   /* Convert an ASN.1 Generalized time to a printable string.
+      Return the dynamically allocated string, or NULL if an error occurs. */
+ 
+-  for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++)
++  for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++)
+     ;
+ 
+   /* Get seconds digits. */
+@@ -562,17 +562,22 @@ static const char *GTime2str(const char *beg, const char *end)
+     return NULL;
+   }
+ 
+-  /* Scan for timezone, measure fractional seconds. */
++  /* timezone follows optional fractional seconds. */
+   tzp = fracp;
+-  fracl = 0;
++  fracl = 0; /* no fractional seconds detected so far */
+   if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+-    fracp++;
+-    do
++    /* Have fractional seconds, e.g. "[.,]\d+". How many? */
++    tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
++    while(tzp < end && ISDIGIT(*tzp))
+       tzp++;
+-    while(tzp < end && *tzp >= '0' && *tzp <= '9');
+-    /* Strip leading zeroes in fractional seconds. */
+-    for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
+-      ;
++    if(tzp == fracp) /* never looped, no digit after [.,] */
++      return NULL;
++    fracl = tzp - fracp - 1; /* number of fractional sec digits */
++    DEBUGASSERT(fracl > 0);
++    /* Strip trailing zeroes in fractional seconds.
++     * May reduce fracl to 0 if only '0's are present. */
++    while(fracl && fracp[fracl - 1] == '0')
++      fracl--;
+   }
+ 
+   /* Process timezone. */
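Review bot: in the fractional-seconds block, `tzp = fracp++;` leaves tzp pointing at the '.'/',' separator instead of the first digit, so the `while(tzp < end && ISDIGIT(*tzp))` loop never advances, the `tzp == fracp` guard cannot fire, and `fracl = tzp - fracp - 1;` yields a negative count (wrapping to a huge value if fracl is unsigned) that the trailing-zero strip then uses to index fracp. This is precisely what the second patch in this series corrects (`fracp++; tzp = fracp;` and `fracl = tzp - fracp;`), so CVE-2024-7264-0.patch must never be applied without CVE-2024-7264-1.patch; consider folding the two into one patch, or at least state the dependency in this patch header so a later cherry-pick cannot ship the intermediate state.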
diff -Nru curl-7.88.1/debian/patches/CVE-2024-7264-1.patch curl-7.88.1/debian/patches/CVE-2024-7264-1.patch
--- curl-7.88.1/debian/patches/CVE-2024-7264-1.patch	1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/CVE-2024-7264-1.patch	2024-08-17 14:06:29.000000000 -0300
@@ -0,0 +1,318 @@
+From: Stefan Eissing <ste...@eissing.org>
+Date: Tue, 30 Jul 2024 16:40:48 +0200
+Subject: x509asn1: unittests and fixes for gtime2str
+
+Fix issues in GTime2str() and add unit test cases to verify correct
+behaviour.
+
+Follow-up to 3c914bc6801
+
+Closes #14316
+
+Backported to Debian by Carlos Henrique Lima Melara <char...@debian.org>.
+
+Changes:
+- In this version, GTime2str doesn't return CURLcode, so change that to NULL.
+- Also change test helper function to match the correct type and pass the
+  correct arguments. In this version, GTime2str doesn't take struct dynbuf *.
+  It's aimed to not FTBFS if someone build the package with --enable-debug.
+---
+ lib/vtls/x509asn1.c     |  31 ++++++++---
+ lib/vtls/x509asn1.h     |  10 ++++
+ tests/data/Makefile.inc |   2 +-
+ tests/data/test1656     |  22 ++++++++
+ tests/unit/Makefile.inc |   4 +-
+ tests/unit/unit1656.c   | 133 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 6 files changed, 192 insertions(+), 10 deletions(-)
+ create mode 100644 tests/data/test1656
+ create mode 100644 tests/unit/unit1656.c
+
+diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
+index 27f8512..f549504 100644
+--- a/lib/vtls/x509asn1.c
++++ b/lib/vtls/x509asn1.c
+@@ -567,12 +567,13 @@ static const char *GTime2str(const char *beg, const char *end)
+   fracl = 0; /* no fractional seconds detected so far */
+   if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+     /* Have fractional seconds, e.g. "[.,]\d+". How many? */
+-    tzp = fracp++; /* should be a digit char or BAD ARGUMENT */
++    fracp++; /* should be a digit char or BAD ARGUMENT */
++    tzp = fracp;
+     while(tzp < end && ISDIGIT(*tzp))
+       tzp++;
+     if(tzp == fracp) /* never looped, no digit after [.,] */
+       return NULL;
+-    fracl = tzp - fracp - 1; /* number of fractional sec digits */
++    fracl = tzp - fracp; /* number of fractional sec digits */
+     DEBUGASSERT(fracl > 0);
+     /* Strip trailing zeroes in fractional seconds.
+      * May reduce fracl to 0 if only '0's are present. */
+@@ -581,18 +582,24 @@ static const char *GTime2str(const char *beg, const char *end)
+   }
+ 
+   /* Process timezone. */
+-  if(tzp >= end)
+-    ;           /* Nothing to do. */
++  if(tzp >= end) {
++    tzp = "";
++    tzl = 0;
++  }
+   else if(*tzp == 'Z') {
+-    tzp = " GMT";
+-    end = tzp + 4;
++    sep = " ";
++    tzp = "GMT";
++    tzl = 3;
++  }
++  else if((*tzp == '+') || (*tzp == '-')) {
++    sep = " UTC";
++    tzl = end - tzp;
+   }
+   else {
+     sep = " ";
+-    tzp++;
++    tzl = end - tzp;
+   }
+ 
+-  tzl = end - tzp;
+   return curl_maprintf("%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
+                        beg, beg + 4, beg + 6,
+                        beg + 8, beg + 10, sec1, sec2,
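Review bot: the `tzp >= end` branch assigns tzp and tzl but, unlike the other three branches, does not assign sep, so the output for an input with no zone depends on sep having been initialised to "" earlier in the function, outside this hunk (the old 'Z' branch relied on the same thing). unit1656.c expects "1903-21-13 43:40:00" with no trailing space for "190321134340"; please confirm that initialisation exists in the 7.88.1 function, or add `sep = "";` to this branch so the hunk is self-evidently correct.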
+@@ -600,6 +607,14 @@ static const char *GTime2str(const char *beg, const char *end)
+                        sep, (int)tzl, tzp);
+ }
+ 
++#ifdef UNITTESTS
++/* used by unit1656.c */
++const char Curl_x509_GTime2str(const char *beg, const char *end)
++{
++  return GTime2str(beg, end);
++}
++#endif
++
+ /*
+  *  Convert an ASN.1 UTC time to a printable string.
+  * Return the dynamically allocated string, or NULL if an error occurs.
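Review bot: `const char Curl_x509_GTime2str(const char *beg, const char *end)` is missing the pointer star. GTime2str() returns `const char *`, so `return GTime2str(beg, end);` converts a pointer to a single char, which is at best a compiler warning and hands the unit test a garbage one-byte value. It should read `const char *Curl_x509_GTime2str(const char *beg, const char *end)`, and the prototype added to x509asn1.h needs the same fix. Because this sits under `#ifdef UNITTESTS`, it only compiles with --enable-debug, which is exactly the configuration the "Changes:" note says this backport is trying to keep building.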
+diff --git a/lib/vtls/x509asn1.h b/lib/vtls/x509asn1.h
+index 5496de4..a2c33fa 100644
+--- a/lib/vtls/x509asn1.h
++++ b/lib/vtls/x509asn1.h
+@@ -76,6 +76,16 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data, int certnum,
+                                const char *beg, const char *end);
+ CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
+                          const char *beg, const char *end);
++
++#ifdef UNITTESTS
++#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
++  defined(USE_MBEDTLS)
++
++/* used by unit1656.c */
++const char Curl_x509_GTime2str(const char *beg, const char *end);
++#endif
++#endif
++
+ #endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL
+         * or USE_SECTRANSP */
+ #endif /* HEADER_CURL_X509ASN1_H */
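Review bot: the prototype `const char Curl_x509_GTime2str(const char *beg, const char *end);` has the same missing `*` as the definition in x509asn1.c; declaration and definition must both be `const char *` to match GTime2str(), otherwise every caller in unit1656.c receives a char rather than the string.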
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 0a5f97d..85b2e8c 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -208,7 +208,7 @@ test1620 test1621 \
+ \
+ test1630 test1631 test1632 test1633 test1634 test1635 \
+ \
+-test1650 test1651 test1652 test1653 test1654 test1655 \
++test1650 test1651 test1652 test1653 test1654 test1655 test1656 \
+ test1660 test1661 test1662 \
+ \
+ test1670 test1671 \
+diff --git a/tests/data/test1656 b/tests/data/test1656
+new file mode 100644
+index 0000000..2fab21b
+--- /dev/null
++++ b/tests/data/test1656
+@@ -0,0 +1,22 @@
++<testcase>
++<info>
++<keywords>
++unittest
++Curl_x509_GTime2str
++</keywords>
++</info>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<features>
++unittest
++</features>
++<name>
++Curl_x509_GTime2str unit tests
++</name>
++</client>
++</testcase>
+diff --git a/tests/unit/Makefile.inc b/tests/unit/Makefile.inc
+index 7a78954..9af1fd6 100644
+--- a/tests/unit/Makefile.inc
++++ b/tests/unit/Makefile.inc
+@@ -36,7 +36,7 @@ UNITPROGS = unit1300          unit1302 unit1303 unit1304 unit1305 unit1307 \
+  unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \
+  unit1608 unit1609 unit1610 unit1611 unit1612 unit1614 \
+  unit1620 unit1621 \
+- unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 \
++ unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 unit1656 \
+  unit1660 unit1661 \
+  unit2600 \
+  unit3200
+@@ -159,6 +159,8 @@ unit1654_CPPFLAGS = $(AM_CPPFLAGS)
+ unit1655_SOURCES = unit1655.c $(UNITFILES)
+ unit1655_CPPFLAGS = $(AM_CPPFLAGS)
+ 
++unit1656_SOURCES = unit1656.c $(UNITFILES)
++
+ unit1660_SOURCES = unit1660.c $(UNITFILES)
+ unit1660_CPPFLAGS = $(AM_CPPFLAGS)
+ 
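Review bot: `unit1656_CPPFLAGS = $(AM_CPPFLAGS)` is missing; every neighbouring entry (unit1655, unit1660) sets both _SOURCES and _CPPFLAGS, so unit1656 should do the same for consistency and to make sure it is built with the same include paths and defines as the other unit tests.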
+diff --git a/tests/unit/unit1656.c b/tests/unit/unit1656.c
+new file mode 100644
+index 0000000..644e72f
+--- /dev/null
++++ b/tests/unit/unit1656.c
+@@ -0,0 +1,133 @@
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) Daniel Stenberg, <dan...@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++#include "curlcheck.h"
++
++#include "vtls/x509asn1.h"
++
++static CURLcode unit_setup(void)
++{
++  return CURLE_OK;
++}
++
++static void unit_stop(void)
++{
++
++}
++
++#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
++  defined(USE_MBEDTLS)
++
++#ifndef ARRAYSIZE
++#define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0]))
++#endif
++
++struct test_spec {
++  const char *input;
++  const char *exp_output;
++  CURLcode exp_result;
++};
++
++static struct test_spec test_specs[] = {
++  { "190321134340", "1903-21-13 43:40:00", CURLE_OK },
++  { "", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "0WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "19032113434", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "19032113434WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "190321134340.", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "190321134340.1", "1903-21-13 43:40:00.1", CURLE_OK },
++  { "19032113434017.0", "1903-21-13 43:40:17", CURLE_OK },
++  { "19032113434017.01", "1903-21-13 43:40:17.01", CURLE_OK },
++  { "19032113434003.001", "1903-21-13 43:40:03.001", CURLE_OK },
++  { "19032113434003.090", "1903-21-13 43:40:03.09", CURLE_OK },
++  { "190321134340Z", "1903-21-13 43:40:00 GMT", CURLE_OK },
++  { "19032113434017.0Z", "1903-21-13 43:40:17 GMT", CURLE_OK },
++  { "19032113434017.01Z", "1903-21-13 43:40:17.01 GMT", CURLE_OK },
++  { "19032113434003.001Z", "1903-21-13 43:40:03.001 GMT", CURLE_OK },
++  { "19032113434003.090Z", "1903-21-13 43:40:03.09 GMT", CURLE_OK },
++  { "190321134340CET", "1903-21-13 43:40:00 CET", CURLE_OK },
++  { "19032113434017.0CET", "1903-21-13 43:40:17 CET", CURLE_OK },
++  { "19032113434017.01CET", "1903-21-13 43:40:17.01 CET", CURLE_OK },
++  { "190321134340+02:30", "1903-21-13 43:40:00 UTC+02:30", CURLE_OK },
++  { "19032113434017.0+02:30", "1903-21-13 43:40:17 UTC+02:30", CURLE_OK },
++  { "19032113434017.01+02:30", "1903-21-13 43:40:17.01 UTC+02:30", CURLE_OK },
++  { "190321134340-3", "1903-21-13 43:40:00 UTC-3", CURLE_OK },
++  { "19032113434017.0-04", "1903-21-13 43:40:17 UTC-04", CURLE_OK },
++  { "19032113434017.01-01:10", "1903-21-13 43:40:17.01 UTC-01:10", CURLE_OK },
++};
++
++static bool do_test(struct test_spec *spec, size_t i, struct dynbuf *dbuf)
++{
++  CURLcode result;
++  const char *in = spec->input;
++
++  Curl_dyn_reset(dbuf);
++  result = Curl_x509_GTime2str(dbuf, in, in + strlen(in));
++  if(result != spec->exp_result) {
++    fprintf(stderr, "test %zu: expect result %d, got %d\n",
++            i, spec->exp_result, result);
++    return FALSE;
++  }
++  else if(!result && strcmp(spec->exp_output, Curl_dyn_ptr(dbuf))) {
++    fprintf(stderr, "test %zu: input '%s', expected output '%s', got '%s'\n",
++            i, in, spec->exp_output, Curl_dyn_ptr(dbuf));
++    return FALSE;
++  }
++
++  return TRUE;
++}
++
++UNITTEST_START
++{
++  size_t i;
++  struct dynbuf dbuf;
++  bool all_ok = TRUE;
++
++  Curl_dyn_init(&dbuf, 32*1024);
++
++  if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
++    fprintf(stderr, "curl_global_init() failed\n");
++    return TEST_ERR_MAJOR_BAD;
++  }
++
++  for(i = 0; i < ARRAYSIZE(test_specs); ++i) {
++    if(!do_test(&test_specs[i], i, &dbuf))
++      all_ok = FALSE;
++  }
++  fail_unless(all_ok, "some tests of Curl_x509_GTime2str() fails");
++
++  Curl_dyn_free(&dbuf);
++  curl_global_cleanup();
++}
++UNITTEST_STOP
++
++#else
++
++UNITTEST_START
++{
++  puts("not tested since Curl_x509_GTime2str() is not built-in");
++}
++UNITTEST_STOP
++
++#endif
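Review bot: do_test() still calls `Curl_x509_GTime2str(dbuf, in, in + strlen(in))` with three arguments and compares a CURLcode against `spec->exp_result`, and the test table expects `CURLE_BAD_FUNCTION_ARGUMENT` for the malformed inputs. Against the two-argument, NULL-returning wrapper this backport declares, that is a compile error under --enable-debug, which contradicts the "Changes:" note saying the helper was adapted. Suggest reworking the test to the backported interface: call `Curl_x509_GTime2str(in, in + strlen(in))`, treat NULL as the failure case (replace the CURLcode column with an expected-NULL flag or just test `exp_output == NULL`), compare the returned string with `exp_output`, and curl_free() the returned string after each case; the dynbuf then becomes unnecessary.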
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series	2024-04-02 20:02:10.000000000 -0300
+++ curl-7.88.1/debian/patches/series	2024-08-17 14:06:29.000000000 -0300
@@ -44,6 +44,10 @@
 CVE-2024-2004.patch
 CVE-2024-2398.patch
 
+# Patches from 8.9.1.
+CVE-2024-7264-0.patch
+CVE-2024-7264-1.patch
+
 # Do not add patches below.
 # Used to generate packages for the other crypto libraries.
 90_gnutls.patch



--- End Message ---
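As an added, stand-alone example (my own code, not curl's GTime2str() and not part of the bug report or its patches): a bounds-checked reimplementation of the GeneralizedTime conversion that the two patches above fix, with the same structure (digit scan, optional fractional seconds, the four timezone branches) and checked against inputs and expected outputs taken from unit1656.c. Assumptions: the leading block must be exactly 12 or 14 digits, output is allocated with plain malloc() rather than curl's allocator, and the gtime2str_cstr() wrapper is a test convenience that hands the parser an unterminated copy of the input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ISDIGIT(c) ((c) >= '0' && (c) <= '9')

/* Convert a GeneralizedTime held in the unterminated byte range [beg, end)
 * to "YYYY-MM-DD HH:MM:SS[.frac][ zone]". Returns a malloc'd string, or NULL
 * on malformed input. Every read is bounded by end. */
char *gtime2str(const char *beg, const char *end)
{
  const char *p = beg, *fracp, *tzp, *sep = "";
  size_t fracl = 0, tzl;
  char sec1 = '0', sec2 = '0', *out;

  while(p < end && ISDIGIT(*p)) p++;
  if(p - beg == 14) { sec1 = p[-2]; sec2 = p[-1]; }  /* YYYYMMDDHHMMSS */
  else if(p - beg != 12) return NULL;                /* or YYYYMMDDHHMM */
  fracp = tzp = p;
  if(p < end && (*p == '.' || *p == ',')) {
    fracp = ++p;                       /* first fractional digit, if any */
    while(p < end && ISDIGIT(*p)) p++;
    if(p == fracp) return NULL;        /* "." with no digit: reject, never -1 */
    fracl = (size_t)(p - fracp);
    while(fracl && fracp[fracl - 1] == '0') fracl--;   /* drop trailing 0s */
    tzp = p;
  }
  if(tzp >= end) { tzp = ""; tzl = 0; }                          /* no zone */
  else if(*tzp == 'Z') { sep = " "; tzp = "GMT"; tzl = 3; }
  else if(*tzp == '+' || *tzp == '-') { sep = " UTC"; tzl = end - tzp; }
  else { sep = " "; tzl = end - tzp; }                           /* e.g. CET */
  out = malloc(40 + fracl + tzl);      /* 19 fixed chars + '.' + sep + NUL */
  if(out)
    sprintf(out, "%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s", beg, beg + 4,
            beg + 6, beg + 8, beg + 10, sec1, sec2, fracl ? "." : "",
            (int)fracl, fracp, sep, (int)tzl, tzp);
  return out;
}

/* C-string wrapper: copies into an exact-size buffer with NO terminator so
 * a read past end is caught by ASan/valgrind instead of being masked. */
char *gtime2str_cstr(const char *s)
{
  size_t n = strlen(s);
  char *buf = malloc(n ? n : 1), *out;
  if(!buf) return NULL;
  memcpy(buf, s, n);
  out = gtime2str(buf, buf + n);
  free(buf);
  return out;
}
```

Building with -fsanitize=address and feeding the wrapper the "190321134340." case from the unit test table is the quickest way to see the difference between a parser that rejects the bare separator and one that computes a length of -1.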
--- Begin Message ---
Package: release.debian.org
Version: 12.7

Hi,

Each of these bugs relates to an update included in today's bookworm
12.7 point release.

Regards,

Adam

--- End Message ---
