import curl-7.61.1-33.el8

1 year ago · c298ac823d
parent b2bfaf4b25
commit c298ac823d
4 changed files with 32 additions and 28 deletions
--- a/SOURCES/0049-curl-7.61.1-CVE-2023-27536.patch
+++ b/SOURCES/0049-curl-7.61.1-CVE-2023-27536.patch
@ -1,17 +1,20 @@
-From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001
+From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Fri, 10 Mar 2023 09:22:43 +0100
 Subject: [PATCH] url: only reuse connections with same GSS delegation

 Reported-by: Harry Sintonen
 Closes #10731
+
+Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/url.c     | 6 ++++++
- lib/urldata.h | 1 +
- 2 files changed, 7 insertions(+)
+ lib/urldata.h | 2 ++
+ 2 files changed, 8 insertions(+)

 diff --git a/lib/url.c b/lib/url.c
-index df6ef1213..cc2f427dc 100644
+index 3b11b7e..cbbc7f3 100644
 --- a/lib/url.c
 +++ b/lib/url.c
@@ -1305,6 +1305,11 @@ ConnectionExists(struct Curl_easy *data,
@ -26,7 +29,8 @@ index df6ef1213..cc2f427dc 100644
       if(needle->handler->protocol & (CURLPROTO_SCP|CURLPROTO_SFTP)) {
         if(!ssh_config_matches(needle, check))
           continue;
-@@ -1950,5 +1950,6 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+@@ -1949,6 +1954,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+      it may live on without (this specific) Curl_easy */
   conn->fclosesocket = data->set.fclosesocket;
   conn->closesocket_client = data->set.closesocket_client;
 +  conn->gssapi_delegation = data->set.gssapi_delegation;
@ -34,18 +38,18 @@ index df6ef1213..cc2f427dc 100644
   return conn;
   error:
 diff --git a/lib/urldata.h b/lib/urldata.h
-index bf5daaf50..da5de5ba9 100644
+index ce90304..9e16f26 100644
 --- a/lib/urldata.h
 +++ b/lib/urldata.h
-@@ -1061,6 +1061,8 @@ struct connectdata {
-   char *unix_domain_socket;
-   bool abstract_unix_socket;
- #endif
-+
-+  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
- };
+@@ -856,6 +856,8 @@ struct connectdata {
+   int httpversion;        /* the HTTP version*10 reported by the server */
+   int rtspversion;        /* the RTSP version*10 reported by the server */
 
- /* The end of connectdata. */
+  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
+
+   struct curltime now;     /* "current" time */
+   struct curltime created; /* creation time */
+   curl_socket_t sock[2]; /* two sockets, the second is used for the data
 -- 
-2.40.1
+2.39.2

--- a/SOURCES/0051-curl-7.61.1-CVE-2023-28321.patch
+++ b/SOURCES/0051-curl-7.61.1-CVE-2023-28321.patch
--- a/SOURCES/0052-curl-7.61.1-rebuilt-certs.patch
+++ b/SOURCES/0052-curl-7.61.1-rebuilt-certs.patch
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 30%{?dist}.3
+Release: 33%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

@ -139,17 +139,17 @@ Patch47:  0047-curl-7.61.1-CVE-2023-23916.patch
 # fix FTP too eager connection reuse (CVE-2023-27535)
 Patch48:  0048-curl-7.61.1-CVE-2023-27535.patch

+# fix GSS delegation too eager connection re-use (CVE-2023-27536)
+Patch49:  0049-curl-7.61.1-CVE-2023-27536.patch
+
 # sftp: do not specify O_APPEND when not in append mode (#2187717)
 Patch50:  0050-curl-7.61.1-sftp-upload-flags.patch

-# fix GSS delegation too eager connection re-use
-Patch51:  0051-curl-7.61.1-CVE-2023-27536.patch
+# fix host name wildcard checking (CVE-2023-28321)
+Patch51:  0051-curl-7.61.1-CVE-2023-28321.patch

 # rebuild certs with 2048-bit RSA keys
-Patch52:  0052-curl-7.61.1-rebuilt-certs.patch
-
-# fix host name wildcard checking
-Patch53:  0053-curl-7.61.1-CVE-2023-28321.patch
+Patch52:  0052-curl-7.61.1-certs.patch

 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -372,10 +372,10 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
 %patch46 -p1
 %patch47 -p1
 %patch48 -p1
+%patch49 -p1
 %patch50 -p1
 %patch51 -p1
 git apply %{PATCH52}
-%patch53 -p1

 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -538,15 +538,15 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
-* Tue Jun 13 2023 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-30.el8_8.3
- fix GSS delegation too eager connection re-use (CVE-2023-27536)
- rebuild certs with 2048-bit RSA keys
+* Tue Jun 27 2023 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-33
 - fix host name wildcard checking (CVE-2023-28321)
+- rebuild certs with 2048-bit RSA keys

-* Thu Apr 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30.el8_8.2
+* Thu Apr 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-32
 - sftp: do not specify O_APPEND when not in append mode (#2187717)

-* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30.el8_8.1
+* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-31
+- fix GSS delegation too eager connection re-use (CVE-2023-27536)
 - fix FTP too eager connection reuse (CVE-2023-27535)

 * Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30