mirror of
https://github.com/hak5/wifipineapple-openwrt.git
synced 2025-10-29 16:57:19 +00:00
This fixes the following security vulnerabilities in curl:
* CVE-2015-3143
* CVE-2015-3144
* CVE-2015-3145
* CVE-2015-3148
* CVE-2015-3153
* CVE-2015-3236
* CVE-2015-3237

This was fixed in trunk with update to version 7.43.0 in r46169.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

git-svn-id: svn://svn.openwrt.org/openwrt/branches/chaos_calmer@46312 3c298f89-4303-0410-b956-a3cf2f4a3e73
38 lines
1.4 KiB
Diff
From 6abfb512ed22c2de891a4398616d81a2a0690b5a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 18 Apr 2015 23:50:16 +0200
Subject: [PATCH] http_done: close Negotiate connections when done

When doing HTTP requests Negotiate authenticated, the entire connection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.

CVE-2015-3148

Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris
---
lib/http.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

--- a/lib/http.c
+++ b/lib/http.c
@@ -1493,8 +1493,14 @@ CURLcode Curl_http_done(struct connectda
#ifdef USE_SPNEGO
if(data->state.proxyneg.state == GSS_AUTHSENT ||
- data->state.negotiate.state == GSS_AUTHSENT)
+ data->state.negotiate.state == GSS_AUTHSENT) {
+ /* add forbid re-use if http-code != 401 as a WA
+ * only needed for 401 that failed handling
+ * otherwie state will be RECV with current code */
+ if((data->req.httpcode != 401) && (data->req.httpcode != 407))
+ connclose(conn, "Negotiate transfer completed");
Curl_cleanup_negotiate(data);
+ }
#endif
/* set the proper values (possibly modified on POST) */
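Review bot: The comment added above the new httpcode check in Curl_http_done does not match the condition it documents: it names only 401, while the code also skips the close for 407, and it relies on the unexplained abbreviation "WA" and the misspelling "otherwie". Please reword it in full sentences so it states that the connection is closed after a Negotiate transfer unless the response code is 401 or 407, and why those two codes are excluded. It would also help to say whether calling Curl_cleanup_negotiate(data) on a 401 or 407 response, where the connection is kept, is intended, since the cleanup now sits inside the braces and runs regardless of the httpcode check.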