diff options
Diffstat (limited to 'poky/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch')
-rw-r--r-- | poky/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch b/poky/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch new file mode 100644 index 0000000000..a642336797 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch @@ -0,0 +1,35 @@ +From 56a145d6ca031841610daeebde99fbde0f8fcf21 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 26 Apr 2022 07:46:19 +0200 +Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects + +Follow-up to 620ea21410030 and 139a54ed0a172a + +Reported-by: Harry Sintonen +Closes #8752 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c] +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +--- + lib/vtls/gtls.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 5749376..fe45b3a 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -437,11 +437,11 @@ gtls_connect_step1(struct Curl_easy *data, + } + + #ifdef HAVE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); + +- rc = gnutls_srp_allocate_client_credentials( +- &backend->srp_client_cred); ++ rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_allocate_client_cred() failed: %s", + gnutls_strerror(rc)); |