diff --git a/SOURCES/0037-curl-7.76.1-CVE-2024-2398.patch b/SOURCES/0037-curl-7.76.1-CVE-2024-2398.patch new file mode 100644 index 0000000..0b2db4f --- /dev/null +++ b/SOURCES/0037-curl-7.76.1-CVE-2024-2398.patch @@ -0,0 +1,80 @@ +From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index c63ecd38371ab4..96868728a53a1f 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf, + return bitmap; + } + ++static void free_push_headers(struct HTTP *http) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(http->push_headers[i]); ++ Curl_safefree(http->push_headers); ++ http->push_headers_used = 0; ++} ++ + /* + * http2_stream_free() free HTTP2 stream related data + */ +@@ -306,11 +315,7 @@ static void http2_data_done(struct Curl_cfilter *cf, + { + if(http) { + Curl_dyn_free(&http->header_recvbuf); +- for(; http->push_headers_used > 0; --http->push_headers_used) { +- free(http->push_headers[http->push_headers_used - 1]); +- } +- free(http->push_headers); +- http->push_headers = NULL; ++ free_push_headers(http); + } + } + +@@ -860,7 +861,6 @@ static int push_promise(struct Curl_cfilter *cf, + struct curl_pushheaders heads; + CURLMcode rc; + struct http_conn *httpc; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = duphandle(data); + if(!newhandle) { +@@ -905,11 +905,7 @@ static int push_promise(struct Curl_cfilter *cf, + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); +@@ -1426,10 +1422,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, + stream->push_headers_alloc) { + char **headp; + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; diff --git a/SPECS/curl.spec b/SPECS/curl.spec index e2d44a5..979b169 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.76.1 -Release: 29%{?dist} +Release: 29%{?dist}.1 License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -110,6 +110,9 @@ Patch35: 0035-curl-7.76.1-64K-sftp.patch # lowercase the domain names before PSL checks (CVE-2023-46218) Patch36: 0036-curl-7.76.1-CVE-2023-46218.patch +# provide common cleanup method for push headers (CVE-2024-2398) +Patch37: 0037-curl-7.76.1-CVE-2024-2398.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -320,6 +323,7 @@ be installed. %patch34 -p1 %patch35 -p1 %patch36 -p1 +%patch37 -p1 # Fedora patches %patch101 -p1 @@ -545,6 +549,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jun 6 2024 Jacek Migacz - 7.76.1-29.el9_4.1 +- provide common cleanup method for push headers (CVE-2024-2398) + * Wed Mar 6 2024 Jacek Migacz - 7.76.1-29 - rebuild for 9.4 GA