Your message dated Sat, 09 Nov 2024 10:51:02 +0000 with message-id <b0a29248bc631362ed06a8879f93b8cdae5414d0.ca...@adam-barratt.org.uk> and subject line Closing bugs released with 12.8 has caused the Debian Bug report #1086163, regarding bookworm-pu: package curl/7.88.1-10+deb12u8 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1086163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086163 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Control: affects -1 + src:curl X-Debbugs-Cc: c...@packages.debian.org, aquilamac...@riseup.net, samuel...@debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: bookworm Severity: normal [ Reason ] The reason is to fix CVE-2024-8096 [1], which involves improper handling of OCSP stapling in curl when using GnuTLS as the TLS backend. If the OCSP status returns an error other than "revoked" (e.g., "unauthorized"), curl fails to mark the certificate as invalid. [ Impact ] The vulnerabilities in the curl code of bookworm can be exploited by attackers, potentially compromising secure connections. [ Tests ] Autopkgtest passed without issues [3]. [ Risks ] The patch simplifies OCSP response handling by improving error checks. It is low-risk, as it refines existing functionality without major changes to the code structure. The patch from upstream was not altered, meaning that any potential regressions would only stem from upstream changes, not from modifications on our side. Any potential minor risk would only impact the GnuTLS backend, leaving other TLS backends unaffected. samueloph also reviewed and approved my changes. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] 1. Imported the upstream patch that fixes CVE-2024-8096. [1] https://security-tracker.debian.org/tracker/CVE-2024-8096 [2] https://hackerone.com/reports/2669852 [3] https://salsa.debian.org/aquilamacedo/curl/-/jobs/6297570)diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog --- curl-7.88.1/debian/changelog 2024-08-17 14:06:29.000000000 -0300 +++ curl-7.88.1/debian/changelog 2024-09-17 16:29:24.000000000 -0300 @@ -1,3 +1,14 @@ +curl (7.88.1-10+deb12u8) bookworm; urgency=medium + + * Team upload. + * Import patch for CVE-2024-8096 + - CVE-2024-8096: When the TLS backend is GnuTLS, curl may incorrectly + handle OCSP stapling. If the OCSP status reports an error other than + "revoked" (e.g., "unauthorized"), it is not treated as a bad certificate, + potentially allowing invalid certificates to be considered valid. + + -- Aquila Macedo Costa <aquilamac...@riseup.net> Tue, 17 Sep 2024 16:29:24 -0300 + curl (7.88.1-10+deb12u7) bookworm; urgency=medium * Team upload. diff -Nru curl-7.88.1/debian/patches/CVE-2024-8096.patch curl-7.88.1/debian/patches/CVE-2024-8096.patch --- curl-7.88.1/debian/patches/CVE-2024-8096.patch 1969-12-31 21:00:00.000000000 -0300 +++ curl-7.88.1/debian/patches/CVE-2024-8096.patch 2024-09-17 16:29:07.000000000 -0300 @@ -0,0 +1,200 @@ +From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <dan...@haxx.se> +Date: Tue, 20 Aug 2024 16:14:39 +0200 +Subject: [PATCH] gtls: fix OCSP stapling management + +Reported-by: Hiroki Kurosawa +Closes #14642 +--- + lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------ + 1 file changed, 73 insertions(+), 73 deletions(-) + +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 03d6fcc038aac3..c7589d9d39bc81 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf, + init_flags |= GNUTLS_NO_TICKETS; + #endif + ++#if defined(GNUTLS_NO_STATUS_REQUEST) ++ if(!config->verifystatus) ++ /* Disable the "status_request" TLS extension, enabled by default since ++ GnuTLS 3.8.0. */ ++ init_flags |= GNUTLS_NO_STATUS_REQUEST; ++#endif ++ + rc = gnutls_init(>ls->session, init_flags); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_init() failed: %d", rc); +@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + infof(data, " server certificate verification SKIPPED"); + + if(config->verifystatus) { +- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) { +- gnutls_datum_t status_request; +- gnutls_ocsp_resp_t ocsp_resp; ++ gnutls_datum_t status_request; ++ gnutls_ocsp_resp_t ocsp_resp; ++ gnutls_ocsp_cert_status_t status; ++ gnutls_x509_crl_reason_t reason; + +- gnutls_ocsp_cert_status_t status; +- gnutls_x509_crl_reason_t reason; ++ rc = gnutls_ocsp_status_request_get(session, &status_request); + +- rc = gnutls_ocsp_status_request_get(session, &status_request); ++ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { ++ failf(data, "No OCSP response received"); ++ return CURLE_SSL_INVALIDCERTSTATUS; ++ } + +- infof(data, " server certificate status verification FAILED"); ++ if(rc < 0) { ++ failf(data, "Invalid OCSP response received"); ++ return CURLE_SSL_INVALIDCERTSTATUS; ++ } + +- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { +- failf(data, "No OCSP response received"); +- return CURLE_SSL_INVALIDCERTSTATUS; +- } ++ gnutls_ocsp_resp_init(&ocsp_resp); + +- if(rc < 0) { +- failf(data, "Invalid OCSP response received"); +- return CURLE_SSL_INVALIDCERTSTATUS; +- } ++ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); ++ if(rc < 0) { ++ failf(data, "Invalid OCSP response received"); ++ return CURLE_SSL_INVALIDCERTSTATUS; ++ } + +- gnutls_ocsp_resp_init(&ocsp_resp); ++ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, ++ &status, NULL, NULL, NULL, &reason); + +- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); +- if(rc < 0) { +- failf(data, "Invalid OCSP response received"); +- return CURLE_SSL_INVALIDCERTSTATUS; +- } ++ switch(status) { ++ case GNUTLS_OCSP_CERT_GOOD: ++ break; + +- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, +- &status, NULL, NULL, NULL, &reason); ++ case GNUTLS_OCSP_CERT_REVOKED: { ++ const char *crl_reason; + +- switch(status) { +- case GNUTLS_OCSP_CERT_GOOD: ++ switch(reason) { ++ default: ++ case GNUTLS_X509_CRLREASON_UNSPECIFIED: ++ crl_reason = "unspecified reason"; + break; + +- case GNUTLS_OCSP_CERT_REVOKED: { +- const char *crl_reason; +- +- switch(reason) { +- default: +- case GNUTLS_X509_CRLREASON_UNSPECIFIED: +- crl_reason = "unspecified reason"; +- break; +- +- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: +- crl_reason = "private key compromised"; +- break; +- +- case GNUTLS_X509_CRLREASON_CACOMPROMISE: +- crl_reason = "CA compromised"; +- break; +- +- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: +- crl_reason = "affiliation has changed"; +- break; ++ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: ++ crl_reason = "private key compromised"; ++ break; + +- case GNUTLS_X509_CRLREASON_SUPERSEDED: +- crl_reason = "certificate superseded"; +- break; ++ case GNUTLS_X509_CRLREASON_CACOMPROMISE: ++ crl_reason = "CA compromised"; ++ break; + +- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: +- crl_reason = "operation has ceased"; +- break; ++ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: ++ crl_reason = "affiliation has changed"; ++ break; + +- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: +- crl_reason = "certificate is on hold"; +- break; ++ case GNUTLS_X509_CRLREASON_SUPERSEDED: ++ crl_reason = "certificate superseded"; ++ break; + +- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: +- crl_reason = "will be removed from delta CRL"; +- break; ++ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: ++ crl_reason = "operation has ceased"; ++ break; + +- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: +- crl_reason = "privilege withdrawn"; +- break; ++ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: ++ crl_reason = "certificate is on hold"; ++ break; + +- case GNUTLS_X509_CRLREASON_AACOMPROMISE: +- crl_reason = "AA compromised"; +- break; +- } ++ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: ++ crl_reason = "will be removed from delta CRL"; ++ break; + +- failf(data, "Server certificate was revoked: %s", crl_reason); ++ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: ++ crl_reason = "privilege withdrawn"; + break; +- } + +- default: +- case GNUTLS_OCSP_CERT_UNKNOWN: +- failf(data, "Server certificate status is unknown"); ++ case GNUTLS_X509_CRLREASON_AACOMPROMISE: ++ crl_reason = "AA compromised"; + break; + } + +- gnutls_ocsp_resp_deinit(ocsp_resp); ++ failf(data, "Server certificate was revoked: %s", crl_reason); ++ break; ++ } + +- return CURLE_SSL_INVALIDCERTSTATUS; ++ default: ++ case GNUTLS_OCSP_CERT_UNKNOWN: ++ failf(data, "Server certificate status is unknown"); ++ break; + } +- else +- infof(data, " server certificate status verification OK"); ++ ++ gnutls_ocsp_resp_deinit(ocsp_resp); ++ if(status != GNUTLS_OCSP_CERT_GOOD) ++ return CURLE_SSL_INVALIDCERTSTATUS; + } + else + infof(data, " server certificate status verification SKIPPED"); diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series --- curl-7.88.1/debian/patches/series 2024-08-17 14:06:29.000000000 -0300 +++ curl-7.88.1/debian/patches/series 2024-09-17 16:29:22.000000000 -0300 @@ -48,6 +48,9 @@ CVE-2024-7264-0.patch CVE-2024-7264-1.patch +# Patches from 8.10.0. +CVE-2024-8096.patch + # Do not add patches below. # Used to generate packages for the other crypto libraries. 90_gnutls.patch
--- End Message ---
--- Begin Message ---Source: release.debian.org Version: 12.8 Hi, Each of the updates tracked by these bugs was included in today's 12.8 bookworm point release. Regards, Adam
--- End Message ---
