import curl-7.76.1-26.el9

1 year ago · 856b49f092
parent 8da4fe5868
commit 856b49f092
9 changed files with 1231 additions and 278 deletions
--- a/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch
+++ b/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch
@ -0,0 +1,59 @@
 From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 6 Mar 2023 12:07:33 +0100
 Subject: [PATCH] telnet: only accept option arguments in ascii
 To avoid embedded telnet negotiation commands etc.
 Reported-by: Harry Sintonen
 Closes #10728
 Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/telnet.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 diff --git a/lib/telnet.c b/lib/telnet.c
 index 22bc81e..baea885 100644
 --- a/lib/telnet.c
 +++ b/lib/telnet.c
@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data,
   }
 }
 +static bool str_is_nonascii(const char *str)
 +{
 +  size_t len = strlen(str);
 +  while(len--) {
 +    if(*str & 0x80)
 +      return TRUE;
 +    str++;
 +  }
 +  return FALSE;
 +}
 +
 static CURLcode check_telnet_options(struct Curl_easy *data)
 {
   struct curl_slist *head;
@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
   /* Add the user name as an environment variable if it
      was given on the command line */
   if(conn->bits.user_passwd) {
 +    if(str_is_nonascii(data->conn->user))
 +      return CURLE_BAD_FUNCTION_ARGUMENT;
     msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
     beg = curl_slist_append(tn->telnet_vars, option_arg);
     if(!beg) {
@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
   for(head = data->set.telnet_options; head; head = head->next) {
     if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
               option_keyword, option_arg) == 2) {
 +      if(str_is_nonascii(option_arg))
 +        continue;
       /* Terminal type */
       if(strcasecompare(option_keyword, "TTYPE")) {
 -- 
 2.39.2
--- a/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch
+++ b/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch
--- a/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch
+++ b/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch
@ -0,0 +1,54 @@
 From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Fri, 10 Mar 2023 09:22:43 +0100
 Subject: [PATCH] url: only reuse connections with same GSS delegation
 Reported-by: Harry Sintonen
 Closes #10731
 Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/url.c     | 6 ++++++
 lib/urldata.h | 1 +
 2 files changed, 7 insertions(+)
 diff --git a/lib/url.c b/lib/url.c
 index 3b11b7e..cbbc7f3 100644
 --- a/lib/url.c
 +++ b/lib/url.c
@@ -1325,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data,
         }
       }
 +      /* GSS delegation differences do not actually affect every connection
 +         and auth method, but this check takes precaution before efficiency */
 +      if(needle->gssapi_delegation != check->gssapi_delegation)
 +        continue;
 +
       if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
         if(!ssh_config_matches(needle, check))
           continue;
@@ -1785,6 +1790,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
   conn->fclosesocket = data->set.fclosesocket;
   conn->closesocket_client = data->set.closesocket_client;
   conn->lastused = Curl_now(); /* used now */
 +  conn->gssapi_delegation = data->set.gssapi_delegation;
   return conn;
   error:
 diff --git a/lib/urldata.h b/lib/urldata.h
 index ce90304..9e16f26 100644
 --- a/lib/urldata.h
 +++ b/lib/urldata.h
@@ -995,6 +995,7 @@ struct connectdata {
   char *sasl_authzid;     /* authorisation identity string, allocated */
   char *oauth_bearer; /* OAUTH2 bearer, allocated */
   unsigned char httpversion; /* the HTTP version*10 reported by the server */
 +  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
   struct curltime now;     /* "current" time */
   struct curltime created; /* creation time */
   struct curltime lastused; /* when returned to the connection cache */
 -- 
 2.39.2
--- a/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch
+++ b/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch
@ -0,0 +1,30 @@
 From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Fri, 10 Mar 2023 08:22:51 +0100
 Subject: [PATCH] url: fix the SSH connection reuse check
 Reported-by: Harry Sintonen
 Closes #10735
 Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/url.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/url.c b/lib/url.c
 index 0c31486..3b11b7e 100644
 --- a/lib/url.c
 +++ b/lib/url.c
@@ -1330,7 +1330,7 @@ ConnectionExists(struct Curl_easy *data,
       if(needle->gssapi_delegation != check->gssapi_delegation)
         continue;
 -      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
 +      if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
         if(!ssh_config_matches(needle, check))
           continue;
       }
 -- 
 2.39.2
--- a/SOURCES/0030-curl-7.76.1-CVE-2023-28322.patch
+++ b/SOURCES/0030-curl-7.76.1-CVE-2023-28322.patch
--- a/SOURCES/0030-curl-7.76.1-CVE-2023-38545.patch
+++ b/SOURCES/0030-curl-7.76.1-CVE-2023-38545.patch
@ -1,136 +0,0 @@
 From 1d66562c67fc0099d0fd882c693e51dd0b10c45c Mon Sep 17 00:00:00 2001
 From: Jay Satiro <raysatiro@yahoo.com>
 Date: Sat, 30 Sep 2023 03:40:02 -0400
 Subject: [PATCH] socks: return error if hostname too long for remote resolve
 Prior to this change the state machine attempted to change the remote
 resolve to a local resolve if the hostname was longer than 255
 characters. Unfortunately that did not work as intended and caused a
 security issue.
 Name resolvers cannot resolve hostnames longer than 255 characters.
 Bug: https://curl.se/docs/CVE-2023-38545.html
 ---
 lib/socks.c             |  8 +++---
 tests/data/Makefile.inc |  2 +-
 tests/data/test728      | 64 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 5 deletions(-)
 create mode 100644 tests/data/test728
 diff --git a/lib/socks.c b/lib/socks.c
 index c492d663c..a7b5ab07e 100644
 --- a/lib/socks.c
 +++ b/lib/socks.c
@@ -531,13 +531,13 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
       infof(data, "SOCKS5: connecting to HTTP proxy %s port %d\n",
             hostname, remote_port);
     /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
     if(!socks5_resolve_local && hostname_len > 255) {
 -      infof(data, "SOCKS5: server resolving disabled for hostnames of "
 -            "length > 255 [actual len=%zu]\n", hostname_len);
 -      socks5_resolve_local = TRUE;
 +      failf(data, "SOCKS5: the destination hostname is too long to be "
 +            "resolved remotely by the proxy.");
 +      return CURLPX_LONG_HOSTNAME;
     }
     if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
       infof(data,
             "warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu\n",
@@ -855,7 +855,7 @@ CONNECT_RESOLVE_REMOTE:
     if(!socks5_resolve_local) {
       socksreq[len++] = 3; /* ATYP: domain name = 3 */
 -      socksreq[len++] = (char) hostname_len; /* one byte address length */
 +      socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
       memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
       len += hostname_len;
       infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n",
 diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
 index 081e344d4..62ee53578 100644
 --- a/tests/data/Makefile.inc
 +++ b/tests/data/Makefile.inc
@@ -99,7 +99,7 @@ test672 test673 test674 test675 test676 test677 test678 test679 test680 \
 \
 test700 test701 test702 test703 test704 test705 test706 test707 test708 \
 test709 test710 test711 test712 test713 test714 test715 test716 test717 \
 -test718 \
 +test718 test728 \
 \
 test800 test801 test802 test803 test804 test805 test806 test807 test808 \
 test809 test810 test811 test812 test813 test814 test815 test816 test817 \
 diff --git a/tests/data/test728 b/tests/data/test728
 new file mode 100644
 index 000000000..05bcf2883
 --- /dev/null
 +++ b/tests/data/test728
@@ -0,0 +1,64 @@
 +<testcase>
 +<info>
 +<keywords>
 +HTTP
 +HTTP GET
 +SOCKS5
 +SOCKS5h
 +followlocation
 +</keywords>
 +</info>
 +
 +#
 +# Server-side
 +<reply>
 +# The hostname in this redirect is 256 characters and too long (> 255) for
 +# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
 +<data>
 +HTTP/1.1 301 Moved Permanently
 +Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
 +Content-Length: 0
 +Connection: close
 +
 +</data>
 +</reply>
 +
 +#
 +# Client-side
 +<client>
 +<features>
 +proxy
 +</features>
 +<server>
 +http
 +socks5
 +</server>
 + <name>
 +SOCKS5h with HTTP redirect to hostname too long
 + </name>
 + <command>
 +--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
 +</command>
 +</client>
 +
 +#
 +# Verify data after the test has been "shot"
 +<verify>
 +<protocol crlf="yes">
 +GET /%TESTNUMBER HTTP/1.1
 +Host: %HOSTIP:%HTTPPORT
 +User-Agent: curl/%VERSION
 +Accept: */*
 +
 +</protocol>
 +<errorcode>
 +97
 +</errorcode>
 +# the error message is verified because error code CURLE_PROXY (97) may be
 +# returned for any number of reasons and we need to make sure it is
 +# specifically for the reason below so that we know the check is working.
 +<stderr mode="text">
 +curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
 +</stderr>
 +</verify>
 +</testcase>
 -- 
 2.42.0
--- a/SOURCES/0031-curl-7.61.1-CVE-2023-38546.patch
+++ b/SOURCES/0031-curl-7.61.1-CVE-2023-38546.patch
@ -1,123 +0,0 @@
 From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 14 Sep 2023 23:28:32 +0200
 Subject: [PATCH] cookie: remove unnecessary struct fields
 Plus: reduce the hash table size from 256 to 63. It seems unlikely to
 make much of a speed difference for most use cases but saves 1.5KB of
 data per instance.
 Closes #11862
 ---
 lib/cookie.c | 13 +------------
 lib/cookie.h | 13 ++++---------
 lib/easy.c   |  4 +---
 3 files changed, 6 insertions(+), 24 deletions(-)
 diff --git a/lib/cookie.c b/lib/cookie.c
 index 4345a84c6fd9d..e39c89a94a960 100644
 --- a/lib/cookie.c
 +++ b/lib/cookie.c
@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
   free(co->name);
   free(co->value);
   free(co->maxage);
 -  free(co->version);
   free(co);
 }
@@ -717,11 +716,7 @@ Curl_cookie_add(struct Curl_easy *data,
           }
         }
         else if(strcasecompare("version", name)) {
 -          strstore(&co->version, whatptr);
 -          if(!co->version) {
 -            badcookie = TRUE;
 -            break;
 -          }
 +          /* just ignore */
         }
         else if(strcasecompare("max-age", name)) {
           /* Defined in RFC2109:
@@ -1159,7 +1154,6 @@ Curl_cookie_add(struct Curl_easy *data,
         free(clist->path);
         free(clist->spath);
         free(clist->expirestr);
 -        free(clist->version);
         free(clist->maxage);
         *clist = *co;  /* then store all the new data */
@@ -1223,9 +1217,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
     c = calloc(1, sizeof(struct CookieInfo));
     if(!c)
       return NULL; /* failed to get memory */
 -    c->filename = strdup(file?file:"none"); /* copy the name just in case */
 -    if(!c->filename)
 -      goto fail; /* failed to get memory */
   }
   else {
     /* we got an already existing one, use that */
@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
     CLONE(name);
     CLONE(value);
     CLONE(maxage);
 -    CLONE(version);
     d->expires = src->expires;
     d->tailmatch = src->tailmatch;
     d->secure = src->secure;
@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
 {
   if(c) {
     unsigned int i;
 -    free(c->filename);
     for(i = 0; i < COOKIE_HASH_SIZE; i++)
       Curl_cookie_freelist(c->cookies[i]);
     free(c); /* free the base struct as well */
 diff --git a/lib/cookie.h b/lib/cookie.h
 index b3c0063b2cfb2..41e9e7a6914e0 100644
 --- a/lib/cookie.h
 +++ b/lib/cookie.h
@@ -36,11 +36,7 @@ struct Cookie {
   char *domain;      /* domain = <this> */
   curl_off_t expires;  /* expires = <this> */
   char *expirestr;   /* the plain text version */
 -
 -  /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
 -  char *version;     /* Version = <value> */
   char *maxage;      /* Max-Age = <value> */
 -
   bool tailmatch;    /* whether we do tail-matching of the domain name */
   bool secure;       /* whether the 'secure' keyword was used */
   bool livecookie;   /* updated from a server, not a stored file */
@@ -56,14 +52,13 @@ struct Cookie {
 #define COOKIE_PREFIX__SECURE (1<<0)
 #define COOKIE_PREFIX__HOST (1<<1)
 -#define COOKIE_HASH_SIZE 256
 +#define COOKIE_HASH_SIZE 63
 struct CookieInfo {
   /* linked list of cookies we know of */
   struct Cookie *cookies[COOKIE_HASH_SIZE];
 -  char *filename;  /* file we read from/write to */
 -  long numcookies; /* number of cookies in the "jar" */
 +  int numcookies;  /* number of cookies in the "jar" */
   bool running;    /* state info, for cookie adding information */
   bool newsession; /* new session, discard session cookies on load */
   int lastct;      /* last creation-time used in the jar */
 diff --git a/lib/easy.c b/lib/easy.c
 index 16bbd35251d40..03195481f9780 100644
 --- a/lib/easy.c
 +++ b/lib/easy.c
@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
   if(data->cookies) {
     /* If cookies are enabled in the parent handle, we enable them
        in the clone as well! */
 -    outcurl->cookies = Curl_cookie_init(data,
 -                                        data->cookies->filename,
 -                                        outcurl->cookies,
 +    outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
                                         data->set.cookiesession);
     if(!outcurl->cookies)
       goto fail;
--- a/SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch
+++ b/SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch
@ -143,7 +143,7 @@ index 84f962abebee3..f31b2c2a3f330 100644
 </keywords>
 </info>
-@@ -14,9 +13,9 @@ none
+@@ -15,9 +14,9 @@ none
 <features>
 unittest
 </features>
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 23%{?dist}.4
+Release: 26%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
@ -74,20 +74,26 @@ Patch23:  0023-curl-7.76.1-CVE-2022-43552.patch
 # fix HTTP multi-header compression denial of service (CVE-2023-23916)
 Patch24:  0024-curl-7.76.1-CVE-2023-23916.patch
 # fix TELNET option IAC injection (CVE-2023-27533)
 Patch25:  0025-curl-7.76.1-CVE-2023-27533.patch
 # fix SFTP path ~ resolving discrepancy (CVE-2023-27534)
 Patch26:  0026-curl-7.76.1-CVE-2023-27534.patch
 # fix FTP too eager connection reuse (CVE-2023-27535)
 Patch27:  0027-curl-7.76.1-CVE-2023-27535.patch
-# fix host name wildcard checking (CVE-2023-28321)
+# fix GSS delegation too eager connection re-use (CVE-2023-27536)
-Patch28:  0028-curl-7.76.1-CVE-2023-28321.patch
+Patch28:  0028-curl-7.76.1-CVE-2023-27536.patch
-# unify the upload/method handling (CVE-2023-28322)
+# fix SSH connection too eager reuse still (CVE-2023-27538)
-Patch29:  0029-curl-7.76.1-CVE-2023-28322.patch
+Patch29:  0029-curl-7.76.1-CVE-2023-27538.patch
-# return error if hostname too long for remote resolve (CVE-2023-38545)
+# unify the upload/method handling (CVE-2023-28322)
-Patch30:  0030-curl-7.76.1-CVE-2023-38545.patch
+Patch30:  0030-curl-7.76.1-CVE-2023-28322.patch
-# fix cookie injection with none file (CVE-2023-38546)
+# fix host name wildcard checking
-Patch31:  0031-curl-7.61.1-CVE-2023-38546.patch
+Patch31:  0031-curl-7.76.1-CVE-2023-28321.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -287,6 +293,8 @@ be installed.
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
 %patch29 -p1
@ -517,18 +525,19 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
-* Thu Oct 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.4
+* Mon Jun 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26
 - fix cookie injection with none file (CVE-2023-38546)
 * Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.3
 - return error if hostname too long for remote resolve (CVE-2023-38545)
 * Tue Jun 27 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.2
 - fix host name wildcard checking (CVE-2023-28321)
 - unify the upload/method handling (CVE-2023-28322)
 - fix host name wildcard checking (CVE-2023-28321)
 * Wed Apr 12 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-25
 - adapt the fix of CVE-2023-27535 for RHEL 9 curl
-* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23.el9_2.1
+* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-24
 - fix SSH connection too eager reuse still (CVE-2023-27538)
 - fix GSS delegation too eager connection re-use (CVE-2023-27536)
 - fix FTP too eager connection reuse (CVE-2023-27535)
 - fix SFTP path ~ resolving discrepancy (CVE-2023-27534)
 - fix TELNET option IAC injection (CVE-2023-27533)
 * Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23
 - fix HTTP multi-header compression denial of service (CVE-2023-23916)