diff --git a/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch b/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch new file mode 100644 index 0000000..591c1cd --- /dev/null +++ b/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch @@ -0,0 +1,59 @@ +From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 6 Mar 2023 12:07:33 +0100 +Subject: [PATCH] telnet: only accept option arguments in ascii + +To avoid embedded telnet negotiation commands etc. + +Reported-by: Harry Sintonen +Closes #10728 + +Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684 +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 22bc81e..baea885 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data, + } + } + ++static bool str_is_nonascii(const char *str) ++{ ++ size_t len = strlen(str); ++ while(len--) { ++ if(*str & 0x80) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + static CURLcode check_telnet_options(struct Curl_easy *data) + { + struct curl_slist *head; +@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) + /* Add the user name as an environment variable if it + was given on the command line */ + if(conn->bits.user_passwd) { ++ if(str_is_nonascii(data->conn->user)) ++ return CURLE_BAD_FUNCTION_ARGUMENT; + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { +@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) + for(head = data->set.telnet_options; head; head = head->next) { + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", + option_keyword, option_arg) == 2) { ++ if(str_is_nonascii(option_arg)) ++ continue; + + /* Terminal type */ + if(strcasecompare(option_keyword, "TTYPE")) { +-- +2.39.2 + diff --git a/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch b/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch new file mode 100644 index 0000000..f9cff95 --- /dev/null +++ b/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch @@ -0,0 +1,1060 @@ +From 5085070dd92fe08f1de2c751fe54f52203ad3160 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 16 Oct 2022 18:09:14 +0200 +Subject: [PATCH 1/4] curl_path: return error if given a NULL homedir + +Closes #9740 + +Upstream-commit: 025bad1182ff87facbddd280dd07a0fc26b99f45 +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 6100d77..35ea5b3 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -120,7 +120,8 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + bool relativePath = false; + static const char WHITESPACE[] = " \t\r\n"; + +- if(!*cp) { ++ DEBUGASSERT(homedir); ++ if(!*cp || !homedir) { + *cpp = NULL; + *path = NULL; + return CURLE_QUOTE_ERROR; +-- +2.39.2 + + +From 69d0f1ba04c9c57d04f8e546e663ef9e9dba4542 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 30 Oct 2022 17:38:16 +0100 +Subject: [PATCH 2/4] style: use space after comment start and before comment + end + +/* like this */ + +/*not this*/ + +checksrc is updated accordingly + +Closes #9828 + +Upstream-commit: 52cc4a85fd7e5265ba8ff0f08adf4858f6773a11 +Signed-off-by: Kamil Dudka +--- + docs/examples/ephiperfifo.c | 4 +- + docs/examples/usercertinmem.c | 4 +- + include/curl/curl.h | 10 +-- + include/curl/typecheck-gcc.h | 2 +- + lib/curl_path.c | 4 - + lib/curl_rtmp.c | 12 +-- + lib/curl_setup.h | 2 +- + lib/dict.c | 2 +- + lib/file.c | 2 +- + lib/ftp.c | 2 +- + lib/gopher.c | 2 +- + lib/http.c | 4 +- + lib/http_chunks.c | 2 +- + lib/rtsp.c | 4 +- + lib/rtsp.h | 2 +- + lib/telnet.c | 2 +- + lib/urldata.h | 4 +- + lib/vauth/digest.c | 4 +- + lib/vauth/krb5_sspi.c | 2 +- + lib/vssh/libssh2.c | 4 +- + lib/vtls/schannel.c | 4 +- + lib/vtls/sectransp.c | 2 - + src/tool_cfgable.h | 5 +- + src/tool_getparam.c | 4 +- + tests/libtest/lib1525.c | 2 +- + tests/libtest/lib1526.c | 2 +- + tests/libtest/lib1527.c | 2 +- + tests/libtest/lib1528.c | 2 +- + tests/libtest/lib1591.c | 2 +- + tests/libtest/lib506.c | 2 +- + tests/libtest/lib557.c | 2 +- + tests/libtest/lib586.c | 2 +- + tests/libtest/stub_gssapi.h | 160 +++++++++++++++++----------------- + tests/server/tftp.h | 2 +- + tests/server/util.c | 2 +- + tests/unit/unit1300.c | 4 +- + 36 files changed, 132 insertions(+), 141 deletions(-) + +diff --git a/docs/examples/ephiperfifo.c b/docs/examples/ephiperfifo.c +index 11761b9..75336a4 100644 +--- a/docs/examples/ephiperfifo.c ++++ b/docs/examples/ephiperfifo.c +@@ -164,7 +164,7 @@ static int multi_timer_cb(CURLM *multi, long timeout_ms, GlobalInfo *g) + memset(&its, 0, sizeof(struct itimerspec)); + } + +- timerfd_settime(g->tfd, /*flags=*/0, &its, NULL); ++ timerfd_settime(g->tfd, /* flags= */0, &its, NULL); + return 0; + } + +@@ -195,7 +195,7 @@ static void check_multi_info(GlobalInfo *g) + } + } + +-/* Called by libevent when we get action on a multi socket filedescriptor*/ ++/* Called by libevent when we get action on a multi socket filedescriptor */ + static void event_cb(GlobalInfo *g, int fd, int revents) + { + CURLMcode rc; +diff --git a/docs/examples/usercertinmem.c b/docs/examples/usercertinmem.c +index 35218bd..79d3aef 100644 +--- a/docs/examples/usercertinmem.c ++++ b/docs/examples/usercertinmem.c +@@ -92,7 +92,7 @@ static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm) + "omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD\n"\ + "-----END CERTIFICATE-----\n"; + +-/*replace the XXX with the actual RSA key*/ ++/* replace the XXX with the actual RSA key */ + const char *mykey = + "-----BEGIN RSA PRIVATE KEY-----\n"\ + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"\ +@@ -190,7 +190,7 @@ int main(void) + curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "PEM"); + + /* both VERIFYPEER and VERIFYHOST are set to 0 in this case because there is +- no CA certificate*/ ++ no CA certificate */ + + curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, 0L); + curl_easy_setopt(ch, CURLOPT_SSL_VERIFYHOST, 0L); +diff --git a/include/curl/curl.h b/include/curl/curl.h +index bed8068..680303b 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -371,7 +371,7 @@ typedef int (*curl_seek_callback)(void *instream, + #define CURL_READFUNC_PAUSE 0x10000001 + + /* Return code for when the trailing headers' callback has terminated +- without any errors*/ ++ without any errors */ + #define CURL_TRAILERFUNC_OK 0 + /* Return code for when was an error in the trailing header's list and we + want to abort the request */ +@@ -453,7 +453,7 @@ typedef void *(*curl_calloc_callback)(size_t nmemb, size_t size); + #define CURL_DID_MEMORY_FUNC_TYPEDEFS + #endif + +-/* the kind of data that is passed to information_callback*/ ++/* the kind of data that is passed to information_callback */ + typedef enum { + CURLINFO_TEXT = 0, + CURLINFO_HEADER_IN, /* 1 */ +@@ -689,7 +689,7 @@ typedef enum { + #define CURLOPT_WRITEINFO CURLOPT_OBSOLETE40 + #define CURLOPT_CLOSEPOLICY CURLOPT_OBSOLETE72 + +-#endif /*!CURL_NO_OLDIES*/ ++#endif /* !CURL_NO_OLDIES */ + + /* + * Proxy error codes. Returned in CURLINFO_PROXY_ERROR if CURLE_PROXY was +@@ -834,7 +834,7 @@ enum curl_khstat { + CURLKHSTAT_DEFER, /* do not accept it, but we can't answer right now so + this causes a CURLE_DEFER error but otherwise the + connection will be left intact etc */ +- CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key*/ ++ CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key */ + CURLKHSTAT_LAST /* not for use, only a marker for last-in-list */ + }; + +@@ -908,7 +908,7 @@ typedef enum { + #define CURLFTPSSL_ALL CURLUSESSL_ALL + #define CURLFTPSSL_LAST CURLUSESSL_LAST + #define curl_ftpssl curl_usessl +-#endif /*!CURL_NO_OLDIES*/ ++#endif /* !CURL_NO_OLDIES */ + + /* parameter for the CURLOPT_FTP_SSL_CCC option */ + typedef enum { +diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h +index 34d0267..9e6fafd 100644 +--- a/include/curl/typecheck-gcc.h ++++ b/include/curl/typecheck-gcc.h +@@ -429,7 +429,7 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t, + (CURLINFO_OFF_T < (info)) + + +-/* typecheck helpers -- check whether given expression has requested type*/ ++/* typecheck helpers -- check whether given expression has requested type */ + + /* For pointers, you can use the curlcheck_ptr/curlcheck_arr macros, + * otherwise define a new macro. Search for __builtin_types_compatible_p +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 35ea5b3..649da7d 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -146,15 +146,12 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + break; + } + if(cp[i] == '\0') { /* End of string */ +- /*error("Unterminated quote");*/ + goto fail; + } + if(cp[i] == '\\') { /* Escaped characters */ + i++; + if(cp[i] != '\'' && cp[i] != '\"' && + cp[i] != '\\') { +- /*error("Bad escaped character '\\%c'", +- cp[i]);*/ + goto fail; + } + } +@@ -162,7 +159,6 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + } + + if(j == 0) { +- /*error("Empty quotes");*/ + goto fail; + } + *cpp = cp + i + strspn(cp + i, WHITESPACE); +diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c +index 2fa0267..8caba76 100644 +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -83,7 +83,7 @@ const struct Curl_handler Curl_handler_rtmp = { + PORT_RTMP, /* defport */ + CURLPROTO_RTMP, /* protocol */ + CURLPROTO_RTMP, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpt = { +@@ -106,7 +106,7 @@ const struct Curl_handler Curl_handler_rtmpt = { + PORT_RTMPT, /* defport */ + CURLPROTO_RTMPT, /* protocol */ + CURLPROTO_RTMPT, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpe = { +@@ -129,7 +129,7 @@ const struct Curl_handler Curl_handler_rtmpe = { + PORT_RTMP, /* defport */ + CURLPROTO_RTMPE, /* protocol */ + CURLPROTO_RTMPE, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpte = { +@@ -152,7 +152,7 @@ const struct Curl_handler Curl_handler_rtmpte = { + PORT_RTMPT, /* defport */ + CURLPROTO_RTMPTE, /* protocol */ + CURLPROTO_RTMPTE, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmps = { +@@ -175,7 +175,7 @@ const struct Curl_handler Curl_handler_rtmps = { + PORT_RTMPS, /* defport */ + CURLPROTO_RTMPS, /* protocol */ + CURLPROTO_RTMP, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpts = { +@@ -198,7 +198,7 @@ const struct Curl_handler Curl_handler_rtmpts = { + PORT_RTMPS, /* defport */ + CURLPROTO_RTMPTS, /* protocol */ + CURLPROTO_RTMPT, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + static CURLcode rtmp_setup_connection(struct Curl_easy *data, +diff --git a/lib/curl_setup.h b/lib/curl_setup.h +index cf1c26a..1d81141 100644 +--- a/lib/curl_setup.h ++++ b/lib/curl_setup.h +@@ -680,7 +680,7 @@ int netware_init(void); + # define UNUSED_PARAM __attribute__((__unused__)) + # define WARN_UNUSED_RESULT __attribute__((warn_unused_result)) + #else +-# define UNUSED_PARAM /*NOTHING*/ ++# define UNUSED_PARAM /* NOTHING */ + # define WARN_UNUSED_RESULT + #endif + +diff --git a/lib/dict.c b/lib/dict.c +index 7b27f79..0ccfc0e 100644 +--- a/lib/dict.c ++++ b/lib/dict.c +@@ -321,4 +321,4 @@ static CURLcode dict_do(struct Curl_easy *data, bool *done) + + return CURLE_OK; + } +-#endif /*CURL_DISABLE_DICT*/ ++#endif /* CURL_DISABLE_DICT */ +diff --git a/lib/file.c b/lib/file.c +index 10d8f05..8b67c12 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -311,7 +311,7 @@ static CURLcode file_upload(struct Curl_easy *data) + + nread = readcount; + +- /*skip bytes before resume point*/ ++ /* skip bytes before resume point */ + if(data->state.resume_from) { + if((curl_off_t)nread <= data->state.resume_from) { + data->state.resume_from -= nread; +diff --git a/lib/ftp.c b/lib/ftp.c +index e920138..6043dea 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1166,7 +1166,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, + port++; + } + +- /* maybe all ports were in use already*/ ++ /* maybe all ports were in use already */ + if(port > port_max) { + failf(data, "bind() failed, we ran out of ports!"); + Curl_closesocket(data, conn, portsock); +diff --git a/lib/gopher.c b/lib/gopher.c +index f61232f..bdd6420 100644 +--- a/lib/gopher.c ++++ b/lib/gopher.c +@@ -234,4 +234,4 @@ static CURLcode gopher_do(struct Curl_easy *data, bool *done) + Curl_setup_transfer(data, FIRSTSOCKET, -1, FALSE, -1); + return CURLE_OK; + } +-#endif /*CURL_DISABLE_GOPHER*/ ++#endif /* CURL_DISABLE_GOPHER */ +diff --git a/lib/http.c b/lib/http.c +index 28ef8dd..9a908fe 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2081,7 +2081,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + { + const char *ptr; + if(!data->state.this_is_a_follow) { +- /* Free to avoid leaking memory on multiple requests*/ ++ /* Free to avoid leaking memory on multiple requests */ + free(data->state.first_host); + + data->state.first_host = strdup(conn->host.name); +@@ -2999,7 +2999,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) + /* continue with HTTP/1.1 when explicitly requested */ + break; + default: +- /* Check if user wants to use HTTP/2 with clear TCP*/ ++ /* Check if user wants to use HTTP/2 with clear TCP */ + #ifdef USE_NGHTTP2 + if(data->state.httpwant == CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE) { + #ifndef CURL_DISABLE_PROXY +diff --git a/lib/http_chunks.c b/lib/http_chunks.c +index beb9695..2c8b6c0 100644 +--- a/lib/http_chunks.c ++++ b/lib/http_chunks.c +@@ -124,7 +124,7 @@ CHUNKcode Curl_httpchunk_read(struct Curl_easy *data, + *wrote = 0; /* nothing's written yet */ + + /* the original data is written to the client, but we go on with the +- chunk read process, to properly calculate the content length*/ ++ chunk read process, to properly calculate the content length */ + if(data->set.http_te_skip && !k->ignorebody) { + result = Curl_client_write(data, CLIENTWRITE_BODY, datap, datalen); + if(result) { +diff --git a/lib/rtsp.c b/lib/rtsp.c +index cdd49dc..3391a8e 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -309,7 +309,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + break; + case RTSPREQ_RECEIVE: + p_request = ""; +- /* Treat interleaved RTP as body*/ ++ /* Treat interleaved RTP as body */ + data->set.opt_no_body = FALSE; + break; + case RTSPREQ_LAST: +@@ -645,7 +645,7 @@ static CURLcode rtsp_rtp_readwrite(struct Curl_easy *data, + rtp_length = RTP_PKT_LENGTH(rtp); + + if(rtp_dataleft < rtp_length + 4) { +- /* Need more - incomplete payload*/ ++ /* Need more - incomplete payload */ + *readmore = TRUE; + break; + } +diff --git a/lib/rtsp.h b/lib/rtsp.h +index 1e9cb7d..2776359 100644 +--- a/lib/rtsp.h ++++ b/lib/rtsp.h +@@ -60,7 +60,7 @@ struct RTSP { + * HTTP functions can safely treat this as an HTTP struct, but RTSP aware + * functions can also index into the later elements. + */ +- struct HTTP http_wrapper; /*wrap HTTP to do the heavy lifting */ ++ struct HTTP http_wrapper; /* wrap HTTP to do the heavy lifting */ + + long CSeq_sent; /* CSeq of this request */ + long CSeq_recv; /* CSeq received */ +diff --git a/lib/telnet.c b/lib/telnet.c +index 803d4c5..82fde7d 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -569,7 +569,7 @@ void rec_do(struct Curl_easy *data, int option) + sendsuboption(data, option); + } + else if(tn->subnegotiation[option] == CURL_YES) { +- /* send information to achieve this option*/ ++ /* send information to achieve this option */ + tn->us[option] = CURL_YES; + send_negotiation(data, CURL_WILL, option); + sendsuboption(data, option); +diff --git a/lib/urldata.h b/lib/urldata.h +index 52e4583..c9a52ab 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -243,7 +243,7 @@ struct ssl_connect_data { + + struct ssl_primary_config { + long version; /* what version the client wants to use */ +- long version_max; /* max supported version the client wants to use*/ ++ long version_max; /* max supported version the client wants to use */ + char *CApath; /* certificate dir (doesn't work on windows) */ + char *CAfile; /* certificate to verify peer against */ + char *issuercert; /* optional issuer certificate filename */ +@@ -281,7 +281,7 @@ struct ssl_config_data { + char *key_passwd; /* plain text private key password */ + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); +- BIT(enable_beast); /* allow this flaw for interoperability's sake*/ ++ BIT(enable_beast); /* allow this flaw for interoperability's sake */ + BIT(no_revoke); /* disable SSL certificate revocation checks */ + BIT(no_partialchain); /* don't accept partial certificate chains */ + BIT(revoke_best_effort); /* ignore SSL revocation offline/missing revocation +diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c +index 559852f..3fc4e50 100644 +--- a/lib/vauth/digest.c ++++ b/lib/vauth/digest.c +@@ -139,7 +139,7 @@ bool Curl_auth_digest_get_pair(const char *str, char *value, char *content, + } + + #if !defined(USE_WINDOWS_SSPI) +-/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string*/ ++/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string */ + static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ + unsigned char *dest) /* 33 bytes */ + { +@@ -148,7 +148,7 @@ static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ + msnprintf((char *) &dest[i * 2], 3, "%02x", source[i]); + } + +-/* Convert sha256 chunk to RFC7616 -suitable ascii string*/ ++/* Convert sha256 chunk to RFC7616 -suitable ascii string */ + static void auth_digest_sha256_to_ascii(unsigned char *source, /* 32 bytes */ + unsigned char *dest) /* 65 bytes */ + { +diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c +index b2d1635..26bb794 100644 +--- a/lib/vauth/krb5_sspi.c ++++ b/lib/vauth/krb5_sspi.c +@@ -530,4 +530,4 @@ void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5) + krb5->token_max = 0; + } + +-#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5*/ ++#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5 */ +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index 0a468dd..e1c55b0 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -571,9 +571,9 @@ static CURLcode ssh_knownhost(struct Curl_easy *data) + /* remove old host+key that doesn't match */ + if(host) + libssh2_knownhost_del(sshc->kh, host); +- /*FALLTHROUGH*/ ++ /* FALLTHROUGH */ + case CURLKHSTAT_FINE: +- /*FALLTHROUGH*/ ++ /* FALLTHROUGH */ + case CURLKHSTAT_FINE_ADD_TO_FILE: + /* proceed */ + if(keycheck != LIBSSH2_KNOWNHOST_CHECK_MATCH) { +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index a80eb50..61f4abf 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -195,7 +195,7 @@ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct Curl_easy *data, + return CURLE_OK; + } + +-/*longest is 26, buffer is slightly bigger*/ ++/* longest is 26, buffer is slightly bigger */ + #define LONGEST_ALG_ID 32 + #define CIPHEROPTION(X) \ + if(strcmp(#X, tmp) == 0) \ +@@ -218,7 +218,7 @@ get_alg_id_by_name(char *name) + CIPHEROPTION(CALG_MAC); + CIPHEROPTION(CALG_RSA_SIGN); + CIPHEROPTION(CALG_DSS_SIGN); +-/*ifdefs for the options that are defined conditionally in wincrypt.h*/ ++/* ifdefs for the options that are defined conditionally in wincrypt.h */ + #ifdef CALG_NO_SIGN + CIPHEROPTION(CALG_NO_SIGN); + #endif +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index f2d7835..febf51a 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -197,7 +197,6 @@ static OSStatus SocketRead(SSLConnectionRef connection, + size_t bytesToGo = *dataLength; + size_t initLen = bytesToGo; + UInt8 *currData = (UInt8 *)data; +- /*int sock = *(int *)connection;*/ + struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; + struct ssl_backend_data *backend = connssl->backend; + int sock = backend->ssl_sockfd; +@@ -258,7 +257,6 @@ static OSStatus SocketWrite(SSLConnectionRef connection, + size_t *dataLength) /* IN/OUT */ + { + size_t bytesSent = 0; +- /*int sock = *(int *)connection;*/ + struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; + struct ssl_backend_data *backend = connssl->backend; + int sock = backend->ssl_sockfd; +diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h +index 95c66d0..5046772 100644 +--- a/src/tool_cfgable.h ++++ b/src/tool_cfgable.h +@@ -258,11 +258,8 @@ struct OperationConfig { + bool xattr; /* store metadata in extended attributes */ + long gssapi_delegation; + bool ssl_allow_beast; /* allow this SSL vulnerability */ +- bool proxy_ssl_allow_beast; /* allow this SSL vulnerability for proxy*/ +- ++ bool proxy_ssl_allow_beast; /* allow this SSL vulnerability for proxy */ + bool ssl_no_revoke; /* disable SSL certificate revocation checks */ +- /*bool proxy_ssl_no_revoke; */ +- + bool ssl_revoke_best_effort; /* ignore SSL revocation offline/missing + revocation list errors */ + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index f1393c3..51232ba 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -1064,7 +1064,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + /* This specifies the noproxy list */ + GetStr(&config->noproxy, nextarg); + break; +- case '7': /* --socks5-gssapi-nec*/ ++ case '7': /* --socks5-gssapi-nec */ + config->socks5_gssapi_nec = toggle; + break; + case '8': /* --proxy1.0 */ +@@ -1230,7 +1230,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + config->httpversion = CURL_HTTP_VERSION_2_0; + break; + case '3': /* --http2-prior-knowledge */ +- /* HTTP version 2.0 over clean TCP*/ ++ /* HTTP version 2.0 over clean TCP */ + config->httpversion = CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE; + break; + case '4': /* --http3 */ +diff --git a/tests/libtest/lib1525.c b/tests/libtest/lib1525.c +index a2a4db2..912372f 100644 +--- a/tests/libtest/lib1525.c ++++ b/tests/libtest/lib1525.c +@@ -48,7 +48,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1526.c b/tests/libtest/lib1526.c +index 37abc61..b287277 100644 +--- a/tests/libtest/lib1526.c ++++ b/tests/libtest/lib1526.c +@@ -46,7 +46,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL, *phl = NULL, *tmp = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1527.c b/tests/libtest/lib1527.c +index 9e0e452..2f7c91b 100644 +--- a/tests/libtest/lib1527.c ++++ b/tests/libtest/lib1527.c +@@ -47,7 +47,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http header list*/ ++ /* http header list */ + struct curl_slist *hhl = NULL, *tmp = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1528.c b/tests/libtest/lib1528.c +index 98a332c..52dc0a0 100644 +--- a/tests/libtest/lib1528.c ++++ b/tests/libtest/lib1528.c +@@ -28,7 +28,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http header list*/ ++ /* http header list */ + struct curl_slist *hhl = NULL; + struct curl_slist *phl = NULL; + +diff --git a/tests/libtest/lib1591.c b/tests/libtest/lib1591.c +index 8349b1d..f7149cf 100644 +--- a/tests/libtest/lib1591.c ++++ b/tests/libtest/lib1591.c +@@ -75,7 +75,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib506.c b/tests/libtest/lib506.c +index 559e731..acea39a 100644 +--- a/tests/libtest/lib506.c ++++ b/tests/libtest/lib506.c +@@ -347,7 +347,7 @@ int test(char *URL) + printf("-----------------\n"); + curl_slist_free_all(cookies); + +- /* try to free share, expect to fail because share is in use*/ ++ /* try to free share, expect to fail because share is in use */ + printf("try SHARE_CLEANUP...\n"); + scode = curl_share_cleanup(share); + if(scode == CURLSHE_OK) { +diff --git a/tests/libtest/lib557.c b/tests/libtest/lib557.c +index 00fbca3..4105a76 100644 +--- a/tests/libtest/lib557.c ++++ b/tests/libtest/lib557.c +@@ -1494,7 +1494,7 @@ static int test_weird_arguments(void) + "0123456789" /* 10 7 */ + "0123456789" /* 10 8 */ + "0123456789" /* 10 9 */ +- "0123456789" /* 10 10*/ ++ "0123456789" /* 10 10 */ + "0123456789" /* 10 11 */ + "01234567" /* 8 */ + ); +diff --git a/tests/libtest/lib586.c b/tests/libtest/lib586.c +index da63e7c..8d7822d 100644 +--- a/tests/libtest/lib586.c ++++ b/tests/libtest/lib586.c +@@ -215,7 +215,7 @@ int test(char *URL) + printf("PERFORM\n"); + curl_easy_perform(curl); + +- /* try to free share, expect to fail because share is in use*/ ++ /* try to free share, expect to fail because share is in use */ + printf("try SHARE_CLEANUP...\n"); + scode = curl_share_cleanup(share); + if(scode == CURLSHE_OK) { +diff --git a/tests/libtest/stub_gssapi.h b/tests/libtest/stub_gssapi.h +index 5a89102..735630c 100644 +--- a/tests/libtest/stub_gssapi.h ++++ b/tests/libtest/stub_gssapi.h +@@ -98,85 +98,85 @@ typedef struct gss_channel_bindings_struct { + gss_buffer_desc application_data; + } *gss_channel_bindings_t; + +-OM_uint32 gss_release_buffer(OM_uint32 * /*minor_status*/, +- gss_buffer_t /*buffer*/); +- +-OM_uint32 gss_init_sec_context(OM_uint32 * /*minor_status*/, +- gss_const_cred_id_t /*initiator_cred_handle*/, +- gss_ctx_id_t * /*context_handle*/, +- gss_const_name_t /*target_name*/, +- const gss_OID /*mech_type*/, +- OM_uint32 /*req_flags*/, +- OM_uint32 /*time_req*/, +- const gss_channel_bindings_t /*input_chan_bindings*/, +- const gss_buffer_t /*input_token*/, +- gss_OID * /*actual_mech_type*/, +- gss_buffer_t /*output_token*/, +- OM_uint32 * /*ret_flags*/, +- OM_uint32 * /*time_rec*/); +- +-OM_uint32 gss_delete_sec_context(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t * /*context_handle*/, +- gss_buffer_t /*output_token*/); +- +-OM_uint32 gss_inquire_context(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- gss_name_t * /*src_name*/, +- gss_name_t * /*targ_name*/, +- OM_uint32 * /*lifetime_rec*/, +- gss_OID * /*mech_type*/, +- OM_uint32 * /*ctx_flags*/, +- int * /*locally_initiated*/, +- int * /*open_context*/); +- +-OM_uint32 gss_wrap(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- int /*conf_req_flag*/, +- gss_qop_t /*qop_req*/, +- const gss_buffer_t /*input_message_buffer*/, +- int * /*conf_state*/, +- gss_buffer_t /*output_message_buffer*/); +- +-OM_uint32 gss_unwrap(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- const gss_buffer_t /*input_message_buffer*/, +- gss_buffer_t /*output_message_buffer*/, +- int * /*conf_state*/, +- gss_qop_t * /*qop_state*/); +- +-OM_uint32 gss_seal(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t /*context_handle*/, +- int /*conf_req_flag*/, +- int /*qop_req*/, +- gss_buffer_t /*input_message_buffer*/, +- int * /*conf_state*/, +- gss_buffer_t /*output_message_buffer*/); +- +-OM_uint32 gss_unseal(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t /*context_handle*/, +- gss_buffer_t /*input_message_buffer*/, +- gss_buffer_t /*output_message_buffer*/, +- int * /*conf_state*/, +- int * /*qop_state*/); +- +-OM_uint32 gss_import_name(OM_uint32 * /*minor_status*/, +- const gss_buffer_t /*input_name_buffer*/, +- const gss_OID /*input_name_type*/, +- gss_name_t * /*output_name*/); +- +-OM_uint32 gss_release_name(OM_uint32 * /*minor_status*/, +- gss_name_t * /*input_name*/); +- +-OM_uint32 gss_display_name(OM_uint32 * /*minor_status*/, +- gss_const_name_t /*input_name*/, +- gss_buffer_t /*output_name_buffer*/, +- gss_OID * /*output_name_type*/); +- +-OM_uint32 gss_display_status(OM_uint32 * /*minor_status*/, +- OM_uint32 /*status_value*/, +- int /*status_type*/, +- const gss_OID /*mech_type*/, +- OM_uint32 * /*message_context*/, +- gss_buffer_t /*status_string*/); ++OM_uint32 gss_release_buffer(OM_uint32 * /* minor_status */, ++ gss_buffer_t /* buffer */); ++ ++OM_uint32 gss_init_sec_context(OM_uint32 * /* minor_status */, ++ gss_const_cred_id_t /* initiator_cred_handle */, ++ gss_ctx_id_t * /* context_handle */, ++ gss_const_name_t /* target_name */, ++ const gss_OID /* mech_type */, ++ OM_uint32 /* req_flags */, ++ OM_uint32 /* time_req */, ++ const gss_channel_bindings_t /* input_chan_bindings */, ++ const gss_buffer_t /* input_token */, ++ gss_OID * /* actual_mech_type */, ++ gss_buffer_t /* output_token */, ++ OM_uint32 * /* ret_flags */, ++ OM_uint32 * /* time_rec */); ++ ++OM_uint32 gss_delete_sec_context(OM_uint32 * /* minor_status */, ++ gss_ctx_id_t * /* context_handle */, ++ gss_buffer_t /* output_token */); ++ ++OM_uint32 gss_inquire_context(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ gss_name_t * /* src_name */, ++ gss_name_t * /* targ_name */, ++ OM_uint32 * /* lifetime_rec */, ++ gss_OID * /* mech_type */, ++ OM_uint32 * /* ctx_flags */, ++ int * /* locally_initiated */, ++ int * /* open_context */); ++ ++OM_uint32 gss_wrap(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ int /* conf_req_flag */, ++ gss_qop_t /* qop_req */, ++ const gss_buffer_t /* input_message_buffer */, ++ int * /* conf_state */, ++ gss_buffer_t /* output_message_buffer */); ++ ++OM_uint32 gss_unwrap(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ const gss_buffer_t /* input_message_buffer */, ++ gss_buffer_t /* output_message_buffer */, ++ int * /* conf_state */, ++ gss_qop_t * /* qop_state */); ++ ++OM_uint32 gss_seal(OM_uint32 * /* minor_status */, ++ gss_ctx_id_t /* context_handle n */, ++ int /* conf_req_flag */, ++ int /* qop_req */, ++ gss_buffer_t /* input_message_buffer */, ++ int * /* conf_state */, ++ gss_buffer_t /* output_message_buffer */); ++ ++OM_uint32 gss_unseal(OM_uint32 * /* minor_status */, ++ gss_ctx_id_t /* context_handle */, ++ gss_buffer_t /* input_message_buffer */, ++ gss_buffer_t /* output_message_buffer */, ++ int * /* conf_state */, ++ int * /* qop_state */); ++ ++OM_uint32 gss_import_name(OM_uint32 * /* minor_status */, ++ const gss_buffer_t /* input_name_buffer */, ++ const gss_OID /* input_name_type */, ++ gss_name_t * /* output_name */); ++ ++OM_uint32 gss_release_name(OM_uint32 * /* minor_status */, ++ gss_name_t * /* input_name */); ++ ++OM_uint32 gss_display_name(OM_uint32 * /* minor_status */, ++ gss_const_name_t /* input_name */, ++ gss_buffer_t /* output_name_buffer */, ++ gss_OID * /* output_name_type */); ++ ++OM_uint32 gss_display_status(OM_uint32 * /* minor_status */, ++ OM_uint32 /* status_value */, ++ int /* status_type */, ++ const gss_OID /* mech_type */, ++ OM_uint32 * /* message_context */, ++ gss_buffer_t /* status_string */); + + #endif /* HEADER_CURL_GSSAPI_STUBS_H */ +diff --git a/tests/server/tftp.h b/tests/server/tftp.h +index 5699672..ab59575 100644 +--- a/tests/server/tftp.h ++++ b/tests/server/tftp.h +@@ -32,7 +32,7 @@ + ((__GNUC__ == 2) && defined(__GNUC_MINOR__) && (__GNUC_MINOR__ >= 7))) + # define PACKED_STRUCT __attribute__((__packed__)) + #else +-# define PACKED_STRUCT /*NOTHING*/ ++# define PACKED_STRUCT /* NOTHING */ + #endif + + /* Using a packed struct as binary in a program is begging for problems, but +diff --git a/tests/server/util.c b/tests/server/util.c +index c4f16e4..a0dec98 100644 +--- a/tests/server/util.c ++++ b/tests/server/util.c +@@ -65,7 +65,7 @@ + ((__W32API_MAJOR_VERSION == 3) && (__W32API_MINOR_VERSION < 6)) + const struct in6_addr in6addr_any = {{ IN6ADDR_ANY_INIT }}; + #endif /* w32api < 3.6 */ +-#endif /* ENABLE_IPV6 && __MINGW32__*/ ++#endif /* ENABLE_IPV6 && __MINGW32__ */ + + static struct timeval tvnow(void); + +diff --git a/tests/unit/unit1300.c b/tests/unit/unit1300.c +index aba068a..936c77e 100644 +--- a/tests/unit/unit1300.c ++++ b/tests/unit/unit1300.c +@@ -91,10 +91,10 @@ UNITTEST_START + + fail_unless(Curl_llist_count(&llist) == 1, + "List size should be 1 after adding a new element"); +- /*test that the list head data holds my unusedData */ ++ /* test that the list head data holds my unusedData */ + fail_unless(llist.head->ptr == &unusedData_case1, + "head ptr should be first entry"); +- /*same goes for the list tail */ ++ /* same goes for the list tail */ + fail_unless(llist.tail == llist.head, + "tail and head should be the same"); + +-- +2.39.2 + + +From ab44f4893b87cb3ef567be525a393bc174b031e7 Mon Sep 17 00:00:00 2001 +From: Eric Vigeant +Date: Wed, 2 Nov 2022 11:47:09 -0400 +Subject: [PATCH 3/4] cur_path: do not add '/' if homedir ends with one + +When using SFTP and a path relative to the user home, do not add a +trailing '/' to the user home dir if it already ends with one. + +Closes #9844 + +Upstream-commit: 6c51adeb71da076c5c40a45e339e06bb4394a86b +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 649da7d..5be6637 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -69,10 +69,14 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data, + /* It is referenced to the home directory, so strip the + leading '/' */ + memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; ++ /* Only add a trailing '/' if homedir does not end with one */ ++ if(homelen == 0 || real_path[homelen - 1] != '/') { ++ real_path[homelen] = '/'; ++ homelen++; ++ real_path[homelen] = '\0'; ++ } + if(working_path_len > 3) { +- memcpy(real_path + homelen + 1, working_path + 3, ++ memcpy(real_path + homelen, working_path + 3, + 1 + working_path_len -3); + } + } +-- +2.39.2 + + +From a0b0e531267239c2beb4aeca15a0581a411d9c7b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 16:22:11 +0100 +Subject: [PATCH 4/4] curl_path: create the new path with dynbuf + +Closes #10729 + +Upstream-commit: 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 75 +++++++++++++++++++++++-------------------------- + 1 file changed, 35 insertions(+), 40 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 5be6637..b654aff 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -30,70 +30,65 @@ + #include "escape.h" + #include "memdebug.h" + ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */ ++ + /* figure out the path to work with in this particular request */ + CURLcode Curl_getworkingpath(struct Curl_easy *data, + char *homedir, /* when SFTP is used */ + char **path) /* returns the allocated + real path to work with */ + { +- char *real_path = NULL; + char *working_path; + size_t working_path_len; ++ struct dynbuf npath; + CURLcode result = + Curl_urldecode(data, data->state.up.path, 0, &working_path, + &working_path_len, REJECT_ZERO); + if(result) + return result; + ++ /* new path to switch to in case we need to */ ++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); ++ + /* Check for /~/, indicating relative to the user's home directory */ +- if(data->conn->handler->protocol & CURLPROTO_SCP) { +- real_path = malloc(working_path_len + 1); +- if(real_path == NULL) { ++ if((data->conn->handler->protocol & CURLPROTO_SCP) && ++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { ++ /* It is referenced to the home directory, so strip the leading '/~/' */ ++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { + free(working_path); + return CURLE_OUT_OF_MEMORY; + } +- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) +- /* It is referenced to the home directory, so strip the leading '/~/' */ +- memcpy(real_path, working_path + 3, working_path_len - 2); +- else +- memcpy(real_path, working_path, 1 + working_path_len); + } +- else if(data->conn->handler->protocol & CURLPROTO_SFTP) { +- if((working_path_len > 1) && (working_path[1] == '~')) { +- size_t homelen = strlen(homedir); +- real_path = malloc(homelen + working_path_len + 1); +- if(real_path == NULL) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- /* It is referenced to the home directory, so strip the +- leading '/' */ +- memcpy(real_path, homedir, homelen); +- /* Only add a trailing '/' if homedir does not end with one */ +- if(homelen == 0 || real_path[homelen - 1] != '/') { +- real_path[homelen] = '/'; +- homelen++; +- real_path[homelen] = '\0'; +- } +- if(working_path_len > 3) { +- memcpy(real_path + homelen, working_path + 3, +- 1 + working_path_len -3); +- } ++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && ++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { ++ size_t len; ++ const char *p; ++ int copyfrom = 3; ++ if(Curl_dyn_add(&npath, homedir)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } +- else { +- real_path = malloc(working_path_len + 1); +- if(real_path == NULL) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- memcpy(real_path, working_path, 1 + working_path_len); ++ /* Copy a separating '/' if homedir does not end with one */ ++ len = Curl_dyn_len(&npath); ++ p = Curl_dyn_ptr(&npath); ++ if(len && (p[len-1] != '/')) ++ copyfrom = 2; ++ ++ if(Curl_dyn_addn(&npath, ++ &working_path[copyfrom], working_path_len - copyfrom)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } + } + +- free(working_path); ++ if(Curl_dyn_len(&npath)) { ++ free(working_path); + +- /* store the pointer for the caller to receive */ +- *path = real_path; ++ /* store the pointer for the caller to receive */ ++ *path = Curl_dyn_ptr(&npath); ++ } ++ else ++ *path = working_path; + + return CURLE_OK; + } +-- +2.39.2 + diff --git a/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch b/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch new file mode 100644 index 0000000..7888e19 --- /dev/null +++ b/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch @@ -0,0 +1,54 @@ +From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Reported-by: Harry Sintonen +Closes #10731 + +Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index 3b11b7e..cbbc7f3 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1325,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; +@@ -1785,6 +1790,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +diff --git a/lib/urldata.h b/lib/urldata.h +index ce90304..9e16f26 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -995,6 +995,7 @@ struct connectdata { + char *sasl_authzid; /* authorisation identity string, allocated */ + char *oauth_bearer; /* OAUTH2 bearer, allocated */ + unsigned char httpversion; /* the HTTP version*10 reported by the server */ ++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */ + struct curltime now; /* "current" time */ + struct curltime created; /* creation time */ + struct curltime lastused; /* when returned to the connection cache */ +-- +2.39.2 + diff --git a/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch b/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch new file mode 100644 index 0000000..030b6bb --- /dev/null +++ b/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch @@ -0,0 +1,30 @@ +From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 08:22:51 +0100 +Subject: [PATCH] url: fix the SSH connection reuse check + +Reported-by: Harry Sintonen +Closes #10735 + +Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb +Signed-off-by: Kamil Dudka +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index 0c31486..3b11b7e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1330,7 +1330,7 @@ ConnectionExists(struct Curl_easy *data, + if(needle->gssapi_delegation != check->gssapi_delegation) + continue; + +- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } +-- +2.39.2 + diff --git a/SOURCES/0029-curl-7.76.1-CVE-2023-28322.patch b/SOURCES/0030-curl-7.76.1-CVE-2023-28322.patch similarity index 100% rename from SOURCES/0029-curl-7.76.1-CVE-2023-28322.patch rename to SOURCES/0030-curl-7.76.1-CVE-2023-28322.patch diff --git a/SOURCES/0030-curl-7.76.1-CVE-2023-38545.patch b/SOURCES/0030-curl-7.76.1-CVE-2023-38545.patch deleted file mode 100644 index b3a5487..0000000 --- a/SOURCES/0030-curl-7.76.1-CVE-2023-38545.patch +++ /dev/null @@ -1,136 +0,0 @@ -From 1d66562c67fc0099d0fd882c693e51dd0b10c45c Mon Sep 17 00:00:00 2001 -From: Jay Satiro -Date: Sat, 30 Sep 2023 03:40:02 -0400 -Subject: [PATCH] socks: return error if hostname too long for remote resolve - -Prior to this change the state machine attempted to change the remote -resolve to a local resolve if the hostname was longer than 255 -characters. Unfortunately that did not work as intended and caused a -security issue. - -Name resolvers cannot resolve hostnames longer than 255 characters. - -Bug: https://curl.se/docs/CVE-2023-38545.html ---- - lib/socks.c | 8 +++--- - tests/data/Makefile.inc | 2 +- - tests/data/test728 | 64 +++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 69 insertions(+), 5 deletions(-) - create mode 100644 tests/data/test728 - -diff --git a/lib/socks.c b/lib/socks.c -index c492d663c..a7b5ab07e 100644 ---- a/lib/socks.c -+++ b/lib/socks.c -@@ -531,13 +531,13 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, - infof(data, "SOCKS5: connecting to HTTP proxy %s port %d\n", - hostname, remote_port); - - /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ - if(!socks5_resolve_local && hostname_len > 255) { -- infof(data, "SOCKS5: server resolving disabled for hostnames of " -- "length > 255 [actual len=%zu]\n", hostname_len); -- socks5_resolve_local = TRUE; -+ failf(data, "SOCKS5: the destination hostname is too long to be " -+ "resolved remotely by the proxy."); -+ return CURLPX_LONG_HOSTNAME; - } - - if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) - infof(data, - "warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu\n", -@@ -855,7 +855,7 @@ CONNECT_RESOLVE_REMOTE: - - if(!socks5_resolve_local) { - socksreq[len++] = 3; /* ATYP: domain name = 3 */ -- socksreq[len++] = (char) hostname_len; /* one byte address length */ -+ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ - memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */ - len += hostname_len; - infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n", -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 081e344d4..62ee53578 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -99,7 +99,7 @@ test672 test673 test674 test675 test676 test677 test678 test679 test680 \ - \ - test700 test701 test702 test703 test704 test705 test706 test707 test708 \ - test709 test710 test711 test712 test713 test714 test715 test716 test717 \ --test718 \ -+test718 test728 \ - \ - test800 test801 test802 test803 test804 test805 test806 test807 test808 \ - test809 test810 test811 test812 test813 test814 test815 test816 test817 \ -diff --git a/tests/data/test728 b/tests/data/test728 -new file mode 100644 -index 000000000..05bcf2883 ---- /dev/null -+++ b/tests/data/test728 -@@ -0,0 +1,64 @@ -+ -+ -+ -+HTTP -+HTTP GET -+SOCKS5 -+SOCKS5h -+followlocation -+ -+ -+ -+# -+# Server-side -+ -+# The hostname in this redirect is 256 characters and too long (> 255) for -+# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case. -+ -+HTTP/1.1 301 Moved Permanently -+Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ -+Content-Length: 0 -+Connection: close -+ -+ -+ -+ -+# -+# Client-side -+ -+ -+proxy -+ -+ -+http -+socks5 -+ -+ -+SOCKS5h with HTTP redirect to hostname too long -+ -+ -+--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+ -+ -+ -+97 -+ -+# the error message is verified because error code CURLE_PROXY (97) may be -+# returned for any number of reasons and we need to make sure it is -+# specifically for the reason below so that we know the check is working. -+ -+curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy. -+ -+ -+ --- -2.42.0 - diff --git a/SOURCES/0031-curl-7.61.1-CVE-2023-38546.patch b/SOURCES/0031-curl-7.61.1-CVE-2023-38546.patch deleted file mode 100644 index 770ff68..0000000 --- a/SOURCES/0031-curl-7.61.1-CVE-2023-38546.patch +++ /dev/null @@ -1,123 +0,0 @@ -From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 14 Sep 2023 23:28:32 +0200 -Subject: [PATCH] cookie: remove unnecessary struct fields - -Plus: reduce the hash table size from 256 to 63. It seems unlikely to -make much of a speed difference for most use cases but saves 1.5KB of -data per instance. - -Closes #11862 ---- - lib/cookie.c | 13 +------------ - lib/cookie.h | 13 ++++--------- - lib/easy.c | 4 +--- - 3 files changed, 6 insertions(+), 24 deletions(-) - -diff --git a/lib/cookie.c b/lib/cookie.c -index 4345a84c6fd9d..e39c89a94a960 100644 ---- a/lib/cookie.c -+++ b/lib/cookie.c -@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co) - free(co->name); - free(co->value); - free(co->maxage); -- free(co->version); - free(co); - } - -@@ -717,11 +716,7 @@ Curl_cookie_add(struct Curl_easy *data, - } - } - else if(strcasecompare("version", name)) { -- strstore(&co->version, whatptr); -- if(!co->version) { -- badcookie = TRUE; -- break; -- } -+ /* just ignore */ - } - else if(strcasecompare("max-age", name)) { - /* Defined in RFC2109: -@@ -1159,7 +1154,6 @@ Curl_cookie_add(struct Curl_easy *data, - free(clist->path); - free(clist->spath); - free(clist->expirestr); -- free(clist->version); - free(clist->maxage); - - *clist = *co; /* then store all the new data */ -@@ -1223,9 +1217,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, - c = calloc(1, sizeof(struct CookieInfo)); - if(!c) - return NULL; /* failed to get memory */ -- c->filename = strdup(file?file:"none"); /* copy the name just in case */ -- if(!c->filename) -- goto fail; /* failed to get memory */ - } - else { - /* we got an already existing one, use that */ -@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) - CLONE(name); - CLONE(value); - CLONE(maxage); -- CLONE(version); - d->expires = src->expires; - d->tailmatch = src->tailmatch; - d->secure = src->secure; -@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) - { - if(c) { - unsigned int i; -- free(c->filename); - for(i = 0; i < COOKIE_HASH_SIZE; i++) - Curl_cookie_freelist(c->cookies[i]); - free(c); /* free the base struct as well */ -diff --git a/lib/cookie.h b/lib/cookie.h -index b3c0063b2cfb2..41e9e7a6914e0 100644 ---- a/lib/cookie.h -+++ b/lib/cookie.h -@@ -36,11 +36,7 @@ struct Cookie { - char *domain; /* domain = */ - curl_off_t expires; /* expires = */ - char *expirestr; /* the plain text version */ -- -- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ -- char *version; /* Version = */ - char *maxage; /* Max-Age = */ -- - bool tailmatch; /* whether we do tail-matching of the domain name */ - bool secure; /* whether the 'secure' keyword was used */ - bool livecookie; /* updated from a server, not a stored file */ -@@ -56,14 +52,13 @@ struct Cookie { - #define COOKIE_PREFIX__SECURE (1<<0) - #define COOKIE_PREFIX__HOST (1<<1) - --#define COOKIE_HASH_SIZE 256 -+#define COOKIE_HASH_SIZE 63 - - struct CookieInfo { - /* linked list of cookies we know of */ - struct Cookie *cookies[COOKIE_HASH_SIZE]; - -- char *filename; /* file we read from/write to */ -- long numcookies; /* number of cookies in the "jar" */ -+ int numcookies; /* number of cookies in the "jar" */ - bool running; /* state info, for cookie adding information */ - bool newsession; /* new session, discard session cookies on load */ - int lastct; /* last creation-time used in the jar */ -diff --git a/lib/easy.c b/lib/easy.c -index 16bbd35251d40..03195481f9780 100644 ---- a/lib/easy.c -+++ b/lib/easy.c -@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) - if(data->cookies) { - /* If cookies are enabled in the parent handle, we enable them - in the clone as well! */ -- outcurl->cookies = Curl_cookie_init(data, -- data->cookies->filename, -- outcurl->cookies, -+ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, - data->set.cookiesession); - if(!outcurl->cookies) - goto fail; diff --git a/SOURCES/0028-curl-7.76.1-CVE-2023-28321.patch b/SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch similarity index 99% rename from SOURCES/0028-curl-7.76.1-CVE-2023-28321.patch rename to SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch index 0ca45f7..b306e91 100644 --- a/SOURCES/0028-curl-7.76.1-CVE-2023-28321.patch +++ b/SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch @@ -143,7 +143,7 @@ index 84f962abebee3..f31b2c2a3f330 100644 -@@ -14,9 +13,9 @@ none +@@ -15,9 +14,9 @@ none unittest diff --git a/SPECS/curl.spec b/SPECS/curl.spec index fb0b4fd..7d29f90 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.76.1 -Release: 23%{?dist}.4 +Release: 26%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -74,20 +74,26 @@ Patch23: 0023-curl-7.76.1-CVE-2022-43552.patch # fix HTTP multi-header compression denial of service (CVE-2023-23916) Patch24: 0024-curl-7.76.1-CVE-2023-23916.patch +# fix TELNET option IAC injection (CVE-2023-27533) +Patch25: 0025-curl-7.76.1-CVE-2023-27533.patch + +# fix SFTP path ~ resolving discrepancy (CVE-2023-27534) +Patch26: 0026-curl-7.76.1-CVE-2023-27534.patch + # fix FTP too eager connection reuse (CVE-2023-27535) Patch27: 0027-curl-7.76.1-CVE-2023-27535.patch -# fix host name wildcard checking (CVE-2023-28321) -Patch28: 0028-curl-7.76.1-CVE-2023-28321.patch +# fix GSS delegation too eager connection re-use (CVE-2023-27536) +Patch28: 0028-curl-7.76.1-CVE-2023-27536.patch -# unify the upload/method handling (CVE-2023-28322) -Patch29: 0029-curl-7.76.1-CVE-2023-28322.patch +# fix SSH connection too eager reuse still (CVE-2023-27538) +Patch29: 0029-curl-7.76.1-CVE-2023-27538.patch -# return error if hostname too long for remote resolve (CVE-2023-38545) -Patch30: 0030-curl-7.76.1-CVE-2023-38545.patch +# unify the upload/method handling (CVE-2023-28322) +Patch30: 0030-curl-7.76.1-CVE-2023-28322.patch -# fix cookie injection with none file (CVE-2023-38546) -Patch31: 0031-curl-7.61.1-CVE-2023-38546.patch +# fix host name wildcard checking +Patch31: 0031-curl-7.76.1-CVE-2023-28321.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -287,6 +293,8 @@ be installed. %patch22 -p1 %patch23 -p1 %patch24 -p1 +%patch25 -p1 +%patch26 -p1 %patch27 -p1 %patch28 -p1 %patch29 -p1 @@ -517,18 +525,19 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Thu Oct 12 2023 Jacek Migacz - 7.76.1-23.el9_2.4 -- fix cookie injection with none file (CVE-2023-38546) - -* Tue Oct 10 2023 Jacek Migacz - 7.76.1-23.el9_2.3 -- return error if hostname too long for remote resolve (CVE-2023-38545) - -* Tue Jun 27 2023 Jacek Migacz - 7.76.1-23.el9_2.2 -- fix host name wildcard checking (CVE-2023-28321) +* Mon Jun 12 2023 Jacek Migacz - 7.76.1-26 - unify the upload/method handling (CVE-2023-28322) +- fix host name wildcard checking (CVE-2023-28321) + +* Wed Apr 12 2023 Kamil Dudka - 7.76.1-25 +- adapt the fix of CVE-2023-27535 for RHEL 9 curl -* Fri Mar 24 2023 Kamil Dudka - 7.76.1-23.el9_2.1 +* Fri Mar 24 2023 Kamil Dudka - 7.76.1-24 +- fix SSH connection too eager reuse still (CVE-2023-27538) +- fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) +- fix SFTP path ~ resolving discrepancy (CVE-2023-27534) +- fix TELNET option IAC injection (CVE-2023-27533) * Wed Feb 15 2023 Kamil Dudka - 7.76.1-23 - fix HTTP multi-header compression denial of service (CVE-2023-23916)