File curl-CVE-2022-27781.patch of Package curl.25570
From 625924941cbd684c2a6b10d18aa6920a27c31db3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 3 May 2022 09:24:56 +0200
Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2022-27781
Reported-by: Florian Kohnhäuser
Bug: https://curl.se/docs/CVE-2022-27781.html
---
lib/vtls/nss.c | 8 ++++++++
1 file changed, 8 insertions(+)
Index: curl-7.66.0/lib/vtls/nss.c
===================================================================
--- curl-7.66.0.orig/lib/vtls/nss.c
+++ curl-7.66.0/lib/vtls/nss.c
@@ -950,6 +950,9 @@ static void display_cert_info(struct Cur
PR_Free(common_name);
}
+/* A number of certs that will never occur in a real server handshake */
+#define TOO_MANY_CERTS 300
+
static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock)
{
CURLcode result = CURLE_OK;
@@ -986,6 +989,11 @@ static CURLcode display_conn_info(struct
cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
while(cert2) {
i++;
+ if(i >= TOO_MANY_CERTS) {
+ CERT_DestroyCertificate(cert2);
+ failf(data, "certificate loop");
+ return CURLE_SSL_CERTPROBLEM;
+ }
if(cert2->isRoot) {
CERT_DestroyCertificate(cert2);
break;