From 044405e47dad051b47f84f6e5740120653e34a86 Mon Sep 17 00:00:00 2001 From: Monsterwxl <2018302060011@whu.edu.cn> Date: Fri, 14 Jul 2023 22:53:50 -0400 Subject: [PATCH 1/2] Repair CVE-2023-27533 --- debian/changelog | 7 ++ lib/telnet.c | 180 +++++++++++++++++++++++++++++------------------ 2 files changed, 117 insertions(+), 70 deletions(-) diff --git a/debian/changelog b/debian/changelog index fd215eb36..dbbbed850 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +url (7.68.0-ok5.4) yangtze; urgency=medium + + * CVE-2023-27533 + + -- monsterwxl <2018302060011@whu.edu.cn> Fri, 14 Jul 2023 14:30:41 -0400 + + curl (7.68.0-ok5.3) yangtze; urgency=medium * CVE-2023-27538 diff --git a/lib/telnet.c b/lib/telnet.c index f585bce7a..b05bb0298 100644 --- a/lib/telnet.c +++ b/lib/telnet.c @@ -815,23 +815,32 @@ static void printsub(struct Curl_easy *data, } } -static CURLcode check_telnet_options(struct connectdata *conn) +static bool str_is_nonascii(const char *str) +{ + size_t len = strlen(str); + while(len--) { + if(*str & 0x80) + return TRUE; + str++; + } + return FALSE; +} + +static CURLcode check_telnet_options(struct Curl_easy *data) { struct curl_slist *head; struct curl_slist *beg; - char option_keyword[128] = ""; - char option_arg[256] = ""; - struct Curl_easy *data = conn->data; - struct TELNET *tn = (struct TELNET *)conn->data->req.protop; + struct TELNET *tn = data->req.p.telnet; CURLcode result = CURLE_OK; - int binary_option; - /* Add the user name as an environment variable if it was given on the command line */ - if(conn->bits.user_passwd) { - msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); - beg = curl_slist_append(tn->telnet_vars, option_arg); - if(!beg) { + if(data->state.aptr.user) { + char buffer[256]; + if(str_is_nonascii(data->conn->user)) + return CURLE_BAD_FUNCTION_ARGUMENT; + msnprintf(buffer, sizeof(buffer), "USER,%s", data->conn->user); + beg = curl_slist_append(tn->telnet_vars, buffer); + if(!beg){ curl_slist_free_all(tn->telnet_vars); tn->telnet_vars = NULL; return CURLE_OUT_OF_MEMORY; @@ -839,79 +848,110 @@ static CURLcode check_telnet_options(struct connectdata *conn) tn->telnet_vars = beg; tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES; } - - for(head = data->set.telnet_options; head; head = head->next) { - if(sscanf(head->data, "%127[^= ]%*[ =]%255s", - option_keyword, option_arg) == 2) { - - /* Terminal type */ - if(strcasecompare(option_keyword, "TTYPE")) { - strncpy(tn->subopt_ttype, option_arg, 31); - tn->subopt_ttype[31] = 0; /* String termination */ - tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES; - continue; - } - - /* Display variable */ - if(strcasecompare(option_keyword, "XDISPLOC")) { - strncpy(tn->subopt_xdisploc, option_arg, 127); - tn->subopt_xdisploc[127] = 0; /* String termination */ - tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES; + for(head = data->set.telnet_options; head && !result; head = head->next) { + size_t olen; + char *option = head->data; + char *arg; + char *sep = strchr(option, '='); + if(sep) { + olen = sep - option; + arg = ++sep; + if(str_is_nonascii(arg)) continue; - } - - /* Environment variable */ - if(strcasecompare(option_keyword, "NEW_ENV")) { - beg = curl_slist_append(tn->telnet_vars, option_arg); - if(!beg) { - result = CURLE_OUT_OF_MEMORY; - break; + switch(olen) { + case 5: + /* Terminal type */ + if(strncasecompare(option, "TTYPE", 5)) { + strncpy(tn->subopt_ttype, arg, 31); + tn->subopt_ttype[31] = 0; /* String termination */ + tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES; } - tn->telnet_vars = beg; - tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES; - continue; - } - - /* Window Size */ - if(strcasecompare(option_keyword, "WS")) { - if(sscanf(option_arg, "%hu%*[xX]%hu", - &tn->subopt_wsx, &tn->subopt_wsy) == 2) - tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES; - else { - failf(data, "Syntax error in telnet option: %s", head->data); - result = CURLE_TELNET_OPTION_SYNTAX; - break; + else + result = CURLE_UNKNOWN_OPTION; + break; + + case 8: + /* Display variable */ + if(strncasecompare(option, "XDISPLOC", 8)) { + strncpy(tn->subopt_xdisploc, arg, 127); + tn->subopt_xdisploc[127] = 0; /* String termination */ + tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES; } - continue; - } - - /* To take care or not of the 8th bit in data exchange */ - if(strcasecompare(option_keyword, "BINARY")) { - binary_option = atoi(option_arg); - if(binary_option != 1) { - tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO; - tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO; + else + result = CURLE_UNKNOWN_OPTION; + break; + + case 7: + /* Environment variable */ + if(strncasecompare(option, "NEW_ENV", 7)) { + beg = curl_slist_append(tn->telnet_vars, arg); + if(!beg) { + result = CURLE_OUT_OF_MEMORY; + break; + } + tn->telnet_vars = beg; + tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES; } - continue; + else + result = CURLE_UNKNOWN_OPTION; + break; + + case 2: + /* Window Size */ + if(strncasecompare(option, "WS", 2)) { + char *p; + unsigned long x = strtoul(arg, &p, 10); + unsigned long y = 0; + if(x && (x <= 0xffff) && Curl_raw_tolower(*p) == 'x') { + p++; + y = strtoul(p, NULL, 10); + if(y && (y <= 0xffff)) { + tn->subopt_wsx = (unsigned short)x; + tn->subopt_wsy = (unsigned short)y; + tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES; + } + } + if(!y) { + failf(data, "Syntax error in telnet option: %s", head->data); + result = CURLE_SETOPT_OPTION_SYNTAX; + } + } + else + result = CURLE_UNKNOWN_OPTION; + break; + + case 6: + /* To take care or not of the 8th bit in data exchange */ + if(strncasecompare(option, "BINARY", 6)) { + int binary_option = atoi(arg); + if(binary_option != 1) { + tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO; + tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO; + } + } + else + result = CURLE_UNKNOWN_OPTION; + break; + + default: + failf(data, "Unknown telnet option %s", head->data); + result = CURLE_UNKNOWN_OPTION; + break; } - - failf(data, "Unknown telnet option %s", head->data); - result = CURLE_UNKNOWN_OPTION; - break; } - failf(data, "Syntax error in telnet option: %s", head->data); - result = CURLE_TELNET_OPTION_SYNTAX; - break; + else { + failf(data, "Syntax error in telnet option: %s", head->data); + result = CURLE_SETOPT_OPTION_SYNTAX; + } } - if(result) { curl_slist_free_all(tn->telnet_vars); tn->telnet_vars = NULL; } - return result; } + /* * suboption() * -- Gitee From a875933d75cb55729bdf8ac004bcc4eedf97af3e Mon Sep 17 00:00:00 2001 From: monsterwxl <2018302060011@whu.edu.cn> Date: Wed, 9 Aug 2023 11:01:30 +0800 Subject: [PATCH 2/2] Repair CVE-2023-27533 --- debian/changelog | 7 -- lib/telnet.c | 180 ++++++++++++++++++----------------------------- 2 files changed, 70 insertions(+), 117 deletions(-) diff --git a/debian/changelog b/debian/changelog index dbbbed850..fd215eb36 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,10 +1,3 @@ -url (7.68.0-ok5.4) yangtze; urgency=medium - - * CVE-2023-27533 - - -- monsterwxl <2018302060011@whu.edu.cn> Fri, 14 Jul 2023 14:30:41 -0400 - - curl (7.68.0-ok5.3) yangtze; urgency=medium * CVE-2023-27538 diff --git a/lib/telnet.c b/lib/telnet.c index b05bb0298..f585bce7a 100644 --- a/lib/telnet.c +++ b/lib/telnet.c @@ -815,32 +815,23 @@ static void printsub(struct Curl_easy *data, } } -static bool str_is_nonascii(const char *str) -{ - size_t len = strlen(str); - while(len--) { - if(*str & 0x80) - return TRUE; - str++; - } - return FALSE; -} - -static CURLcode check_telnet_options(struct Curl_easy *data) +static CURLcode check_telnet_options(struct connectdata *conn) { struct curl_slist *head; struct curl_slist *beg; - struct TELNET *tn = data->req.p.telnet; + char option_keyword[128] = ""; + char option_arg[256] = ""; + struct Curl_easy *data = conn->data; + struct TELNET *tn = (struct TELNET *)conn->data->req.protop; CURLcode result = CURLE_OK; + int binary_option; + /* Add the user name as an environment variable if it was given on the command line */ - if(data->state.aptr.user) { - char buffer[256]; - if(str_is_nonascii(data->conn->user)) - return CURLE_BAD_FUNCTION_ARGUMENT; - msnprintf(buffer, sizeof(buffer), "USER,%s", data->conn->user); - beg = curl_slist_append(tn->telnet_vars, buffer); - if(!beg){ + if(conn->bits.user_passwd) { + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { curl_slist_free_all(tn->telnet_vars); tn->telnet_vars = NULL; return CURLE_OUT_OF_MEMORY; @@ -848,110 +839,79 @@ static CURLcode check_telnet_options(struct Curl_easy *data) tn->telnet_vars = beg; tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES; } - for(head = data->set.telnet_options; head && !result; head = head->next) { - size_t olen; - char *option = head->data; - char *arg; - char *sep = strchr(option, '='); - if(sep) { - olen = sep - option; - arg = ++sep; - if(str_is_nonascii(arg)) + + for(head = data->set.telnet_options; head; head = head->next) { + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", + option_keyword, option_arg) == 2) { + + /* Terminal type */ + if(strcasecompare(option_keyword, "TTYPE")) { + strncpy(tn->subopt_ttype, option_arg, 31); + tn->subopt_ttype[31] = 0; /* String termination */ + tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES; continue; - switch(olen) { - case 5: - /* Terminal type */ - if(strncasecompare(option, "TTYPE", 5)) { - strncpy(tn->subopt_ttype, arg, 31); - tn->subopt_ttype[31] = 0; /* String termination */ - tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES; - } - else - result = CURLE_UNKNOWN_OPTION; - break; - - case 8: - /* Display variable */ - if(strncasecompare(option, "XDISPLOC", 8)) { - strncpy(tn->subopt_xdisploc, arg, 127); - tn->subopt_xdisploc[127] = 0; /* String termination */ - tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES; - } - else - result = CURLE_UNKNOWN_OPTION; - break; - - case 7: - /* Environment variable */ - if(strncasecompare(option, "NEW_ENV", 7)) { - beg = curl_slist_append(tn->telnet_vars, arg); - if(!beg) { - result = CURLE_OUT_OF_MEMORY; - break; - } - tn->telnet_vars = beg; - tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES; + } + + /* Display variable */ + if(strcasecompare(option_keyword, "XDISPLOC")) { + strncpy(tn->subopt_xdisploc, option_arg, 127); + tn->subopt_xdisploc[127] = 0; /* String termination */ + tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES; + continue; + } + + /* Environment variable */ + if(strcasecompare(option_keyword, "NEW_ENV")) { + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { + result = CURLE_OUT_OF_MEMORY; + break; } - else - result = CURLE_UNKNOWN_OPTION; - break; - - case 2: - /* Window Size */ - if(strncasecompare(option, "WS", 2)) { - char *p; - unsigned long x = strtoul(arg, &p, 10); - unsigned long y = 0; - if(x && (x <= 0xffff) && Curl_raw_tolower(*p) == 'x') { - p++; - y = strtoul(p, NULL, 10); - if(y && (y <= 0xffff)) { - tn->subopt_wsx = (unsigned short)x; - tn->subopt_wsy = (unsigned short)y; - tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES; - } - } - if(!y) { - failf(data, "Syntax error in telnet option: %s", head->data); - result = CURLE_SETOPT_OPTION_SYNTAX; - } + tn->telnet_vars = beg; + tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES; + continue; + } + + /* Window Size */ + if(strcasecompare(option_keyword, "WS")) { + if(sscanf(option_arg, "%hu%*[xX]%hu", + &tn->subopt_wsx, &tn->subopt_wsy) == 2) + tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES; + else { + failf(data, "Syntax error in telnet option: %s", head->data); + result = CURLE_TELNET_OPTION_SYNTAX; + break; } - else - result = CURLE_UNKNOWN_OPTION; - break; - - case 6: - /* To take care or not of the 8th bit in data exchange */ - if(strncasecompare(option, "BINARY", 6)) { - int binary_option = atoi(arg); - if(binary_option != 1) { - tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO; - tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO; - } + continue; + } + + /* To take care or not of the 8th bit in data exchange */ + if(strcasecompare(option_keyword, "BINARY")) { + binary_option = atoi(option_arg); + if(binary_option != 1) { + tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO; + tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO; } - else - result = CURLE_UNKNOWN_OPTION; - break; - - default: - failf(data, "Unknown telnet option %s", head->data); - result = CURLE_UNKNOWN_OPTION; - break; + continue; } + + failf(data, "Unknown telnet option %s", head->data); + result = CURLE_UNKNOWN_OPTION; + break; } - else { - failf(data, "Syntax error in telnet option: %s", head->data); - result = CURLE_SETOPT_OPTION_SYNTAX; - } + failf(data, "Syntax error in telnet option: %s", head->data); + result = CURLE_TELNET_OPTION_SYNTAX; + break; } + if(result) { curl_slist_free_all(tn->telnet_vars); tn->telnet_vars = NULL; } + return result; } - /* * suboption() * -- Gitee