Re: [SECURITY ADVISORY 1/4] libcurl wrong re-use of connections
Date: Wed, 9 Apr 2014 18:04:22 +0200
Sorry, I wasn't subscribed to curl-library, so I have to reply like
> From: Alessandro Ghedini <alessandro_at_ghedini.me>
> Date: Sun, 30 Mar 2014 15:34:49 +0200
> On mer, mar 26, 2014 at 08:04:30 +0100, Daniel Stenberg wrote:
> > 3. THE SOLUTION
> > libcurl 7.36.0 makes sure that connections are re-used more strictly.
> > A patch for this problem is available at:
> > http://curl.haxx.se/libcurl-bad-reuse.patch
> I've been trying to backport that patch to curl 7.26.0 (used in Debian stable),
> but I've noticed that the connection reuse has changed drastically since then,
> and that patch doesn't seem to be enough to fix the issue (in fact, it actually
> breaks the test suite, since test 519 freezes for some reason). I haven't even
> tried to backport it to Debian oldstable (7.21.0).
> Is there someone that successfully backported it to something
> pre-7.30.0, or
> should I just give up?
On old curl, the test server (sws) runs in a single thread and doesn't fork.
The test 519 connects to the server over HTTP with a username/password and
later tries it with anotheruser/anotherpassword.
The server runs a simple accept() loop where it serves the clients using
Before the security patch, the two GET requests the test makes were
issued from a single connection.
Thus the server served the first request and later the other in a single
run of the accept() loop.
After the patch, the two request now come in two separate connections.
So the server accept()s and serves the first connection and then waits in
recv(), because the connection is still open.
The code never gets to another accept() so the second connection isn't
served at all.
I just disabled the 519 test.
The test 519 works against a forking server (run as 'sws --fork port').
I attach the backported patch (against 7.19.7).
-- Vita Cizek
- text/x-patch attachment: curl-CVE-2014-0138.patch
- application/pgp-signature attachment: Digital signature