1From 782a5e8e5b0271f8cb33eeef6a3819b0149093e0 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Mon, 9 May 2022 23:13:53 +0200
4Subject: [PATCH] url: check SSH config match on connection reuse
5
6CVE-2022-27782
7
8Reported-by: Harry Sintonen
9Bug: https://curl.se/docs/CVE-2022-27782.html
10Closes #8825
11
12Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
13Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
14---
15 lib/url.c | 11 +++++++++++
16 lib/vssh/ssh.h | 6 +++---
17 2 files changed, 14 insertions(+), 3 deletions(-)
18
19diff --git a/lib/url.c b/lib/url.c
20index 5ebf5e2..c713e54 100644
21--- a/lib/url.c
22+++ b/lib/url.c
23@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data)
24 }
25 }
26
27+static bool ssh_config_matches(struct connectdata *one,
28+ struct connectdata *two)
29+{
30+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
31+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
32+}
33 /*
34 * Given one filled in connection struct (named needle), this function should
35 * detect if there already is one that has all the significant details
36@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data,
37 (data->state.httpwant < CURL_HTTP_VERSION_2_0))
38 continue;
39
40+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
41+ if(!ssh_config_matches(needle, check))
42+ continue;
43+ }
44+
45 if((needle->handler->flags&PROTOPT_SSL)
46 #ifndef CURL_DISABLE_PROXY
47 || !needle->bits.httpproxy || needle->bits.tunnel_proxy
48diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
49index 7972081..30d82e5 100644
50--- a/lib/vssh/ssh.h
51+++ b/lib/vssh/ssh.h
52@@ -7,7 +7,7 @@
53 * | (__| |_| | _ <| |___
54 * \___|\___/|_| \_\_____|
55 *
56- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
57+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
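Review bot: The new `ssh_config_matches()` only does useful work if `proto.sshc.rsa` and `proto.sshc.rsa_pub` are still allocated on the cached connection at the time ConnectionExists() runs, yet the diffstat lists only lib/url.c and lib/vssh/ssh.h, and the header now describes the fields as strdup'ed without any backend change in this backport. Confirm that the SSH backend (not part of this patch) keeps both strings for the lifetime of the connection rather than releasing them once authentication succeeds; if it frees them, both sides compare as NULL/NULL and the check passes vacuously, leaving the cross-config reuse this commit is meant to close. Curl_safecmp's NULL semantics are not visible in the hunk, so that assumption is worth a comment on the helper, e.g. `/* True if both connections were set up with the same SSH key files (NULL == NULL); used by ConnectionExists() to refuse reuse across differing SSH configs. */`. A blank line is also missing between the closing `+}` and the existing `/* Given one filled in connection struct ...` comment block that it runs straight into.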
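Review bot: The nested `if` introduced at `+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {` reads more like the surrounding single-condition `continue` guards in this loop if collapsed into one: `if((get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) && !ssh_config_matches(needle, check)) continue;`. ConnectionExists() starts and ends outside the hunk, so whether any other per-connection SSH setting beyond the two key-file paths ought to take part in the match cannot be judged from here and should be checked against the rest of the function. A one-line why-comment such as `/* SSH: never hand out a connection authenticated with different key files */` would record that this guard is deliberately independent of the TLS/proxy checks that follow it.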
58 *
59 * This software is licensed as described in the file COPYING, which
60 * you should have received as part of this distribution. The terms
61@@ -131,8 +131,8 @@ struct ssh_conn {
62
63 /* common */
64 const char *passphrase; /* pass-phrase to use */
65- char *rsa_pub; /* path name */
66- char *rsa; /* path name */
67+ char *rsa_pub; /* strdup'ed public key file */
68+ char *rsa; /* strdup'ed private key file */
69 bool authed; /* the connection has been authenticated fine */
70 bool acceptfail; /* used by the SFTP_QUOTE (continue if
71 quote command fails) */
72