File curl-CVE-2023-27533.patch of Package curl.30927
From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 6 Mar 2023 12:07:33 +0100
Subject: [PATCH] telnet: only accept option arguments in ascii
To avoid embedded telnet negotiation commands etc.
Reported-by: Harry Sintonen
Closes #10728
---
lib/telnet.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
Index: curl-7.66.0/lib/telnet.c
===================================================================
--- curl-7.66.0.orig/lib/telnet.c
+++ curl-7.66.0/lib/telnet.c
@@ -815,6 +815,17 @@ static void printsub(struct Curl_easy *d
}
}
+static bool str_is_nonascii(const char *str)
+{
+ size_t len = strlen(str);
+ while(len--) {
+ if(*str & 0x80)
+ return TRUE;
+ str++;
+ }
+ return FALSE;
+}
+
static CURLcode check_telnet_options(struct connectdata *conn)
{
struct curl_slist *head;
@@ -827,6 +838,8 @@ static CURLcode check_telnet_options(str
was given on the command line */
if(conn->bits.user_passwd) {
char buffer[256];
+ if(str_is_nonascii(data->conn->user))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
msnprintf(buffer, sizeof(buffer), "USER,%s", data->conn->user);
beg = curl_slist_append(tn->telnet_vars, buffer);
if(!beg) {
@@ -848,6 +861,8 @@ static CURLcode check_telnet_options(str
if(sep) {
olen = sep - option;
arg = ++sep;
+ if(str_is_nonascii(arg))
+ continue;
switch(olen) {
case 5:
/* Terminal type */