Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:Update
curl-mini.28980
curl-CVE-2020-8284.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2020-8284.patch of Package curl-mini.28980
From 20ceeeeb6df4ad7444d0ac6f080557954e05ec1d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Tue, 24 Nov 2020 14:56:57 +0100 Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default The command line tool also independently sets --ftp-skip-pasv-ip by default. Ten test cases updated to adapt the modified --libcurl output. Bug: https://curl.se/docs/CVE-2020-8284.html CVE-2020-8284 Reported-by: Varnavas Papaioannou --- docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++ docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++--- lib/url.c | 1 + src/tool_cfgable.c | 1 + tests/data/test1400 | 1 + tests/data/test1401 | 1 + tests/data/test1402 | 1 + tests/data/test1403 | 1 + tests/data/test1404 | 1 + tests/data/test1405 | 1 + tests/data/test1406 | 1 + tests/data/test1407 | 1 + tests/data/test1420 | 1 + Index: curl-7.66.0/docs/cmdline-opts/ftp-skip-pasv-ip.d =================================================================== --- curl-7.66.0.orig/docs/cmdline-opts/ftp-skip-pasv-ip.d +++ curl-7.66.0/docs/cmdline-opts/ftp-skip-pasv-ip.d @@ -9,4 +9,6 @@ to curl's PASV command when curl connect will re-use the same IP address it already uses for the control connection. +Since curl 7.74.0 this option is enabled by default. + This option has no effect if PORT, EPRT or EPSV is used instead of PASV. Index: curl-7.66.0/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 =================================================================== --- curl-7.66.0.orig/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 +++ curl-7.66.0/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. +.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms @@ -36,11 +36,13 @@ address it already uses for the control number from the 227-response. This option thus allows libcurl to work around broken server installations -that due to NATs, firewalls or incompetence report the wrong IP address back. +that due to NATs, firewalls or incompetence report the wrong IP address +back. Setting the option also reduces the risk for various sorts of client +abuse by malicious servers. This option has no effect if PORT, EPRT or EPSV is used instead of PASV. .SH DEFAULT -0 +1 since 7.74.0, was 0 before then. .SH PROTOCOLS FTP .SH EXAMPLE Index: curl-7.66.0/lib/url.c =================================================================== --- curl-7.66.0.orig/lib/url.c +++ curl-7.66.0/lib/url.c @@ -446,6 +446,7 @@ CURLcode Curl_init_userdefined(struct Cu set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */ set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */ set->ftp_filemethod = FTPFILE_MULTICWD; + set->ftp_skip_ip = TRUE; /* skip PASV IP by default */ #endif set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */ Index: curl-7.66.0/src/tool_cfgable.c =================================================================== --- curl-7.66.0.orig/src/tool_cfgable.c +++ curl-7.66.0/src/tool_cfgable.c @@ -44,6 +44,7 @@ void config_init(struct OperationConfig* config->tcp_nodelay = TRUE; /* enabled by default */ config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT; config->http09_allowed = FALSE; + config->ftp_skip_ip = TRUE; } static void free_config_fields(struct OperationConfig *config) Index: curl-7.66.0/tests/data/test1400 =================================================================== --- curl-7.66.0.orig/tests/data/test1400 +++ curl-7.66.0/tests/data/test1400 @@ -76,6 +76,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.66.0/tests/data/test1401 =================================================================== --- curl-7.66.0.orig/tests/data/test1401 +++ curl-7.66.0/tests/data/test1401 @@ -90,6 +90,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip"); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE | (long)CURLPROTO_FTP | Index: curl-7.66.0/tests/data/test1402 =================================================================== --- curl-7.66.0.orig/tests/data/test1402 +++ curl-7.66.0/tests/data/test1402 @@ -81,6 +81,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.66.0/tests/data/test1403 =================================================================== --- curl-7.66.0.orig/tests/data/test1403 +++ curl-7.66.0/tests/data/test1403 @@ -76,6 +76,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.66.0/tests/data/test1404 =================================================================== --- curl-7.66.0.orig/tests/data/test1404 +++ curl-7.66.0/tests/data/test1404 @@ -147,6 +147,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.66.0/tests/data/test1405 =================================================================== --- curl-7.66.0.orig/tests/data/test1405 +++ curl-7.66.0/tests/data/test1405 @@ -89,6 +89,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2); curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.66.0/tests/data/test1406 =================================================================== --- curl-7.66.0.orig/tests/data/test1406 +++ curl-7.66.0/tests/data/test1406 @@ -79,6 +79,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406"); curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com"); curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1); Index: curl-7.66.0/tests/data/test1407 =================================================================== --- curl-7.66.0.orig/tests/data/test1407 +++ curl-7.66.0/tests/data/test1407 @@ -62,6 +62,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L); curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated Index: curl-7.66.0/tests/data/test1420 =================================================================== --- curl-7.66.0.orig/tests/data/test1420 +++ curl-7.66.0/tests/data/test1420 @@ -67,6 +67,7 @@ int main(int argc, char *argv[]) curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;MAILINDEX=1"); curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); + curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); /* Here is a list of options the curl code used that cannot get generated
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
