From 01e0a63a2db718db08a08e199b77fc668ecaa56c Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Wed, 6 Mar 2024 03:34:36 +0300 Subject: [PATCH] import curl-7.76.1-26.el9_3.3 --- SOURCES/0034-curl-7.61.1-64K-sftp.patch | 31 ++++++++++++ SOURCES/0035-curl-7.76.1-CVE-2023-46218.patch | 48 +++++++++++++++++++ SPECS/curl.spec | 14 +++++- 3 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0034-curl-7.61.1-64K-sftp.patch create mode 100644 SOURCES/0035-curl-7.76.1-CVE-2023-46218.patch diff --git a/SOURCES/0034-curl-7.61.1-64K-sftp.patch b/SOURCES/0034-curl-7.61.1-64K-sftp.patch new file mode 100644 index 0000000..59e1248 --- /dev/null +++ b/SOURCES/0034-curl-7.61.1-64K-sftp.patch @@ -0,0 +1,31 @@ +From 35eb2614d86316ba9f5a6806ce64f56680fa1e97 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 5 Sep 2023 17:33:41 +0200 +Subject: [PATCH] libssh: cap SFTP packet size sent + +Due to libssh limitations + +Signed-off-by: Jakub Jelen + +Closes #11804 +--- + lib/vssh/libssh.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index dea0084575859b..7c6a2e53f338fa 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -2567,6 +2567,12 @@ static ssize_t sftp_send(struct Curl_easy *data, int sockindex, + struct connectdata *conn = data->conn; + (void)sockindex; + ++ /* limit the writes to the maximum specified in Section 3 of ++ * https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-02 ++ */ ++ if(len > 32768) ++ len = 32768; ++ + nwrite = sftp_write(conn->proto.sshc.sftp_file, mem, len); + + myssh_block2waitfor(conn, FALSE); diff --git a/SOURCES/0035-curl-7.76.1-CVE-2023-46218.patch b/SOURCES/0035-curl-7.76.1-CVE-2023-46218.patch new file mode 100644 index 0000000..b7ec7bd --- /dev/null +++ b/SOURCES/0035-curl-7.76.1-CVE-2023-46218.patch @@ -0,0 +1,48 @@ +From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 23 Nov 2023 08:15:47 +0100 +Subject: [PATCH] cookie: lowercase the domain names before PSL checks + +Reported-by: Harry Sintonen + +Closes #12387 +--- + lib/cookie.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 568cf537ad1b1f..9095cea3e97f22 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data, + * dereference it. + */ + if(data && (domain && co->domain && !isip(co->domain))) { +- const psl_ctx_t *psl = Curl_psl_use(data); +- int acceptable; +- +- if(psl) { +- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain); +- Curl_psl_release(data); ++ bool acceptable = FALSE; ++ char lcase[256]; ++ char lcookie[256]; ++ size_t dlen = strlen(domain); ++ size_t clen = strlen(co->domain); ++ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) { ++ const psl_ctx_t *psl = Curl_psl_use(data); ++ if(psl) { ++ /* the PSL check requires lowercase domain name and pattern */ ++ Curl_strntolower(lcase, domain, dlen + 1); ++ Curl_strntolower(lcookie, co->domain, clen + 1); ++ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie); ++ Curl_psl_release(data); ++ } ++ else ++ acceptable = !bad_domain(domain); + } +- else +- acceptable = !bad_domain(domain); + + if(!acceptable) { + infof(data, "cookie '%s' dropped, domain '%s' must not " diff --git a/SPECS/curl.spec b/SPECS/curl.spec index f2c0c82..ab0e6c3 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.76.1 -Release: 26%{?dist}.2 +Release: 26%{?dist}.3 License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -101,6 +101,12 @@ Patch32: 0032-curl-7.76.1-CVE-2023-38545.patch # fix cookie injection with none file (CVE-2023-38546) Patch33: 0033-curl-7.61.1-CVE-2023-38546.patch +# cap SFTP packet size sent (RHEL-14837) +Patch34: 0034-curl-7.61.1-64K-sftp.patch + +# lowercase the domain names before PSL checks (CVE-2023-46218) +Patch35: 0035-curl-7.76.1-CVE-2023-46218.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -308,6 +314,8 @@ be installed. %patch31 -p1 %patch32 -p1 %patch33 -p1 +%patch34 -p1 +%patch35 -p1 # Fedora patches %patch101 -p1 @@ -533,6 +541,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Nov 28 2023 Jacek Migacz - 7.76.1-26.el9_3.3 +- cap SFTP packet size sent (RHEL-14837) +- lowercase the domain names before PSL checks (CVE-2023-46218) + * Thu Oct 12 2023 Jacek Migacz - 7.76.1-26.el9_3.2 - fix cookie injection with none file (CVE-2023-38546)