Debian Bug report logs -
#1017589
CVE-2021-22946: ftp,imap,pop3: do not ignore ssl-reqd
Reported by: Akira Shibakawa <arabishi900@gmail.com>
Date: Thu, 18 Aug 2022 03:30:01 UTC
Severity: normal
Tags: fixed-upstream, patch, security, upstream
Found in versions curl/7.64.0-4, curl/7.64.0-4+deb10u2
Fixed in versions curl/7.79.1-1, curl/7.74.0-1.3+deb11u2
Done: Salvatore Bonaccorso <carnil@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#1017589; Package libcurl4.
(Thu, 18 Aug 2022 03:30:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Akira Shibakawa <arabishi900@gmail.com>:
New Bug report received and forwarded. Copy sent to Alessandro Ghedini <ghedo@debian.org>.
(Thu, 18 Aug 2022 03:30:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libcurl4
Version: 7.64.0-4+deb10u2
Severity: normal
Tags: patch
CVE-2021-22946 has not been fixed for buster.
https://security-tracker.debian.org/tracker/CVE-2021-22946
So, I ported upstream patch to 7.64.0-4+deb10u2.
https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca
For testing, I applied the attached patch in two ways:
* Apply all hunks of the patch
* Apply hunks except for ftp.c, imap.,c pop3.c
Then, I built the source and ran test984-986 for these case.
```
$ env PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig ./configure --with-ssl --prefix=`pwd`/install
$ make
$ make test
```
I confirmed that test 984-986 has passed only for former case.
*** ftp-imap-pop3-do-not-ignore-ssl-reqd.patch
Index: curl-7.64.0/lib/ftp.c
===================================================================
--- curl-7.64.0.orig/lib/ftp.c
+++ curl-7.64.0/lib/ftp.c
@@ -2622,9 +2622,12 @@ static CURLcode ftp_statemach_act(struct
/* we have now received a full FTP server response */
switch(ftpc->state) {
case FTP_WAIT220:
- if(ftpcode == 230)
- /* 230 User logged in - already! */
- return ftp_state_user_resp(conn, ftpcode, ftpc->state);
+ if(ftpcode == 230) {
+ /* 230 User logged in - already! Take as 220 if TLS required. */
+ if(data->set.use_ssl <= CURLUSESSL_TRY ||
+ conn->ssl[FIRSTSOCKET].use)
+ return ftp_state_user_resp(conn, ftpcode, ftpc->state);
+ }
else if(ftpcode != 220) {
failf(data, "Got a %03d ftp-server response when 220 was expected",
ftpcode);
Index: curl-7.64.0/lib/imap.c
===================================================================
--- curl-7.64.0.orig/lib/imap.c
+++ curl-7.64.0/lib/imap.c
@@ -922,22 +922,18 @@ static CURLcode imap_state_capability_re
line += wordlen;
}
}
- else if(imapcode == IMAP_RESP_OK) {
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
- if(imapc->tls_supported)
- /* Switch to TLS connection now */
- result = imap_perform_starttls(conn);
- else if(data->set.use_ssl == CURLUSESSL_TRY)
- /* Fallback and carry on with authentication */
- result = imap_perform_authentication(conn);
- else {
- failf(data, "STARTTLS not supported.");
- result = CURLE_USE_SSL_FAILED;
- }
+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+ /* PREAUTH is not compatible with STARTTLS. */
+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
+ /* Switch to TLS connection now */
+ result = imap_perform_starttls(conn);
}
- else
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
result = imap_perform_authentication(conn);
+ else {
+ failf(data, "STARTTLS not available.");
+ result = CURLE_USE_SSL_FAILED;
+ }
}
else
result = imap_perform_authentication(conn);
Index: curl-7.64.0/lib/pop3.c
===================================================================
--- curl-7.64.0.orig/lib/pop3.c
+++ curl-7.64.0/lib/pop3.c
@@ -726,28 +726,23 @@ static CURLcode pop3_state_capa_resp(str
}
}
}
- else if(pop3code == '+') {
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
- if(pop3c->tls_supported)
- /* Switch to TLS connection now */
- result = pop3_perform_starttls(conn);
- else if(data->set.use_ssl == CURLUSESSL_TRY)
- /* Fallback and carry on with authentication */
- result = pop3_perform_authentication(conn);
- else {
- failf(data, "STLS not supported.");
- result = CURLE_USE_SSL_FAILED;
- }
- }
- else
- result = pop3_perform_authentication(conn);
- }
else {
/* Clear text is supported when CAPA isn't recognised */
- pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+ if(pop3code != '+')
+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
- result = pop3_perform_authentication(conn);
+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
+ result = pop3_perform_authentication(conn);
+ else if(pop3code == '+' && pop3c->tls_supported)
+ /* Switch to TLS connection now */
+ result = pop3_perform_starttls(conn);
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
+ /* Fallback and carry on with authentication */
+ result = pop3_perform_authentication(conn);
+ else {
+ failf(data, "STLS not supported.");
+ result = CURLE_USE_SSL_FAILED;
+ }
}
return result;
Index: curl-7.64.0/tests/data/Makefile.inc
===================================================================
--- curl-7.64.0.orig/tests/data/Makefile.inc
+++ curl-7.64.0/tests/data/Makefile.inc
@@ -108,6 +108,8 @@ test927 test928 test929 test930 test931
test936 test937 test938 test939 test940 test941 test942 test943 test944 \
test945 test946 test947 test948 test949 test950 test951 test952 \
\
+test984 test985 test986 \
+\
test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
Index: curl-7.64.0/tests/data/test984
===================================================================
--- /dev/null
+++ curl-7.64.0/tests/data/test984
@@ -0,0 +1,56 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY CAPABILITY A001 BAD Not implemented
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+imap
+</server>
+ <name>
+IMAP require STARTTLS with failing capabilities
+ </name>
+ <command>
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
+</command>
+<file name="log/upload%TESTNUMBER">
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
+From: Fred Foobar <foobar@example.COM>
+Subject: afternoon meeting
+To: joe@example.com
+Message-Id: <B27397-0100000@example.COM>
+MIME-Version: 1.0
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
+
+Hello Joe, do you think we can meet at 3:30 tomorrow?
+</file>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+A001 CAPABILITY
+</protocol>
+</verify>
+</testcase>
Index: curl-7.64.0/tests/data/test985
===================================================================
--- /dev/null
+++ curl-7.64.0/tests/data/test985
@@ -0,0 +1,54 @@
+<testcase>
+<info>
+<keywords>
+POP3
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY CAPA -ERR Not implemented
+</servercmd>
+<data nocheck="yes">
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+ yours sincerely
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+pop3
+</server>
+ <name>
+POP3 require STARTTLS with failing capabilities
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
+ </command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+CAPA
+</protocol>
+</verify>
+</testcase>
Index: curl-7.64.0/tests/data/test986
===================================================================
--- /dev/null
+++ curl-7.64.0/tests/data/test986
@@ -0,0 +1,53 @@
+<testcase>
+<info>
+<keywords>
+FTP
+STARTTLS
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY welcome 230 Welcome
+REPLY AUTH 500 unknown command
+</servercmd>
+</reply>
+
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+ftp
+</server>
+ <name>
+FTP require STARTTLS while preauthenticated
+ </name>
+<file name="log/test%TESTNUMBER.txt">
+data
+ to
+ see
+that FTPS
+works
+ so does it?
+</file>
+ <command>
+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# 64 is CURLE_USE_SSL_FAILED
+<errorcode>
+64
+</errorcode>
+<protocol>
+AUTH SSL
+AUTH TLS
+</protocol>
+</verify>
+</testcase>
-- System Information:
Debian Release: 10.12
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-21-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libcurl4 depends on:
ii libc6 2.28-10+deb10u1
ii libcom-err2 1.44.5-1+deb10u3
ii libgssapi-krb5-2 1.17-3+deb10u3
ii libidn2-0 2.0.5-1+deb10u1
ii libk5crypto3 1.17-3+deb10u3
ii libkrb5-3 1.17-3+deb10u3
ii libldap-2.4-2 2.4.47+dfsg-3+deb10u7
ii libnghttp2-14 1.36.0-2+deb10u1
ii libpsl5 0.20.2-2
ii librtmp1 2.4+20151223.gitfa8646d.1-2
ii libssh4-1 1.8.0-2.1
ii libssl1.1 1.1.1n-0+deb10u3
ii zlib1g 1:1.2.11.dfsg-1+deb10u1
Versions of packages libcurl4 recommends:
ii ca-certificates 20200601~deb10u2
libcurl4 suggests no packages.
-- no debconf information
Marked as found in versions curl/7.64.0-4.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 18 Aug 2022 04:39:03 GMT) (full text, mbox, link).
Added tag(s) upstream, security, and fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 18 Aug 2022 04:39:03 GMT) (full text, mbox, link).
Marked as fixed in versions curl/7.79.1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 18 Aug 2022 04:39:04 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 18 Aug 2022 04:39:04 GMT) (full text, mbox, link).
Notification sent
to Akira Shibakawa <arabishi900@gmail.com>:
Bug acknowledged by developer.
(Thu, 18 Aug 2022 04:39:05 GMT) (full text, mbox, link).
Marked as fixed in versions curl/7.74.0-1.3+deb11u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 18 Aug 2022 04:39:05 GMT) (full text, mbox, link).
Message sent on
to Akira Shibakawa <arabishi900@gmail.com>:
Bug#1017589.
(Thu, 18 Aug 2022 04:39:08 GMT) (full text, mbox, link).
Message #20 received at 1017589-submitter@bugs.debian.org (full text, mbox, reply):
found 1017589 7.64.0-4
tags 1017589 + security upstream fixed-upstream
close 1017589 7.79.1-1
close 1017589 7.74.0-1.3+deb11u2
thanks
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Aug 18 13:18:46 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon