From d46b4ac92e93378363b29f2f836113d2bc2561c0 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Mar 2023 08:56:16 +0000 Subject: [PATCH] import curl-7.76.1-23.el9 --- .curl.metadata | 1 + .gitignore | 1 + SOURCES/0001-curl-7.76.1-resource-leaks.patch | 133 ++ SOURCES/0002-curl-7.76.1-CVE-2021-22898.patch | 31 + SOURCES/0003-curl-7.76.1-CVE-2021-22901.patch | 1012 ++++++++ SOURCES/0004-curl-7.76.1-ldaps-segv.patch | 44 + SOURCES/0005-curl-7.76.1-CVE-2021-22924.patch | 279 +++ SOURCES/0006-curl-7.76.1-CVE-2021-22925.patch | 47 + SOURCES/0007-curl-7.76.1-CVE-2021-22945.patch | 33 + SOURCES/0008-curl-7.76.1-CVE-2021-22946.patch | 331 +++ SOURCES/0009-curl-7.76.1-CVE-2021-22947.patch | 354 +++ SOURCES/0010-curl-7.76.1-CVE-2022-22576.patch | 148 ++ SOURCES/0011-curl-7.76.1-CVE-2022-27775.patch | 40 + SOURCES/0012-curl-7.76.1-CVE-2022-27776.patch | 243 ++ SOURCES/0013-curl-7.76.1-CVE-2022-27774.patch | 635 +++++ SOURCES/0014-curl-7.76.1-CVE-2022-27782.patch | 461 ++++ SOURCES/0015-curl-7.76.1-tests-openssh.patch | 101 + SOURCES/0016-curl-7.76.1-CVE-2022-32208.patch | 70 + SOURCES/0017-curl-7.76.1-CVE-2022-32206.patch | 143 ++ SOURCES/0019-curl-7.76.1-CVE-2022-32207.patch | 425 ++++ .../0020-curl-7.76.1-openldap-rebase.patch | 186 ++ SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch | 136 ++ SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch | 251 ++ SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch | 81 + SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch | 678 ++++++ SOURCES/0101-curl-7.32.0-multilib.patch | 91 + SOURCES/0102-curl-7.36.0-debug.patch | 61 + .../0105-curl-7.63.0-lib1560-valgrind.patch | 39 + SPECS/curl.spec | 2089 +++++++++++++++++ 29 files changed, 8144 insertions(+) create mode 100644 .curl.metadata create mode 100644 .gitignore create mode 100644 SOURCES/0001-curl-7.76.1-resource-leaks.patch create mode 100644 SOURCES/0002-curl-7.76.1-CVE-2021-22898.patch create mode 100644 SOURCES/0003-curl-7.76.1-CVE-2021-22901.patch create mode 100644 SOURCES/0004-curl-7.76.1-ldaps-segv.patch create mode 100644 SOURCES/0005-curl-7.76.1-CVE-2021-22924.patch create mode 100644 SOURCES/0006-curl-7.76.1-CVE-2021-22925.patch create mode 100644 SOURCES/0007-curl-7.76.1-CVE-2021-22945.patch create mode 100644 SOURCES/0008-curl-7.76.1-CVE-2021-22946.patch create mode 100644 SOURCES/0009-curl-7.76.1-CVE-2021-22947.patch create mode 100644 SOURCES/0010-curl-7.76.1-CVE-2022-22576.patch create mode 100644 SOURCES/0011-curl-7.76.1-CVE-2022-27775.patch create mode 100644 SOURCES/0012-curl-7.76.1-CVE-2022-27776.patch create mode 100644 SOURCES/0013-curl-7.76.1-CVE-2022-27774.patch create mode 100644 SOURCES/0014-curl-7.76.1-CVE-2022-27782.patch create mode 100644 SOURCES/0015-curl-7.76.1-tests-openssh.patch create mode 100644 SOURCES/0016-curl-7.76.1-CVE-2022-32208.patch create mode 100644 SOURCES/0017-curl-7.76.1-CVE-2022-32206.patch create mode 100644 SOURCES/0019-curl-7.76.1-CVE-2022-32207.patch create mode 100644 SOURCES/0020-curl-7.76.1-openldap-rebase.patch create mode 100644 SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch create mode 100644 SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch create mode 100644 SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch create mode 100644 SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch create mode 100644 SOURCES/0101-curl-7.32.0-multilib.patch create mode 100644 SOURCES/0102-curl-7.36.0-debug.patch create mode 100644 SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch create mode 100644 SPECS/curl.spec diff --git a/.curl.metadata b/.curl.metadata new file mode 100644 index 0000000..c2a3f04 --- /dev/null +++ b/.curl.metadata @@ -0,0 +1 @@ +d38ab79ef7a6d92df91ca8dfcf9a5eaf7e25b725 SOURCES/curl-7.76.1.tar.xz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e076830 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/curl-7.76.1.tar.xz diff --git a/SOURCES/0001-curl-7.76.1-resource-leaks.patch b/SOURCES/0001-curl-7.76.1-resource-leaks.patch new file mode 100644 index 0000000..3fd4f40 --- /dev/null +++ b/SOURCES/0001-curl-7.76.1-resource-leaks.patch @@ -0,0 +1,133 @@ +From 2281afef6757ed66c9e8a9a737aa91cb9e2950ef Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 30 Apr 2021 18:14:45 +0200 +Subject: [PATCH 1/2] http2: fix resource leaks in set_transfer_url() + +... detected by Coverity: + +Error: RESOURCE_LEAK (CWE-772): +lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". +lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK (CWE-772): +lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". +lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK (CWE-772): +lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". +lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK (CWE-772): +lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". +lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to. + +Closes #6986 + +Upstream-commit: 31931704707324af4b4edb24cc877829f7e9949e +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index ce9a0d3..d5ba89b 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -500,32 +500,42 @@ static int set_transfer_url(struct Curl_easy *data, + CURLU *u = curl_url(); + CURLUcode uc; + char *url; ++ int rc = 0; + + v = curl_pushheader_byname(hp, ":scheme"); + if(v) { + uc = curl_url_set(u, CURLUPART_SCHEME, v, 0); +- if(uc) +- return 1; ++ if(uc) { ++ rc = 1; ++ goto fail; ++ } + } + + v = curl_pushheader_byname(hp, ":authority"); + if(v) { + uc = curl_url_set(u, CURLUPART_HOST, v, 0); +- if(uc) +- return 2; ++ if(uc) { ++ rc = 2; ++ goto fail; ++ } + } + + v = curl_pushheader_byname(hp, ":path"); + if(v) { + uc = curl_url_set(u, CURLUPART_PATH, v, 0); +- if(uc) +- return 3; ++ if(uc) { ++ rc = 3; ++ goto fail; ++ } + } + + uc = curl_url_get(u, CURLUPART_URL, &url, 0); + if(uc) +- return 4; ++ rc = 4; ++ fail: + curl_url_cleanup(u); ++ if(rc) ++ return rc; + + if(data->state.url_alloc) + free(data->state.url); +-- +2.30.2 + + +From 92ad72983f8462be1d5a5228672657ddf4d7ed72 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 30 Apr 2021 18:18:02 +0200 +Subject: [PATCH 2/2] http2: fix a resource leak in push_promise() + +... detected by Coverity: + +Error: RESOURCE_LEAK (CWE-772): +lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle". +lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)". +lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url". +lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to. + +Closes #6986 + +Upstream-commit: 3a6058cb976981ec1db870f9657c73c9a1162822 +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/http2.c b/lib/http2.c +index d5ba89b..d0f69ea 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -581,6 +581,7 @@ static int push_promise(struct Curl_easy *data, + + rv = set_transfer_url(newhandle, &heads); + if(rv) { ++ (void)Curl_close(&newhandle); + rv = CURL_PUSH_DENY; + goto fail; + } +-- +2.30.2 + diff --git a/SOURCES/0002-curl-7.76.1-CVE-2021-22898.patch b/SOURCES/0002-curl-7.76.1-CVE-2021-22898.patch new file mode 100644 index 0000000..691850b --- /dev/null +++ b/SOURCES/0002-curl-7.76.1-CVE-2021-22898.patch @@ -0,0 +1,31 @@ +From 886f7458bbf005299f3f8224103d1903cd6fa7a4 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Fri, 7 May 2021 13:09:57 +0200 +Subject: [PATCH] telnet: check sscanf() for correct number of matches + +CVE-2021-22898 + +Bug: https://curl.se/docs/CVE-2021-22898.html + +Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index f96a4cb..4551435 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -921,7 +921,7 @@ static void suboption(struct Curl_easy *data) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) { ++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { + msnprintf((char *)&temp[len], sizeof(temp) - len, + "%c%s%c%s", CURL_NEW_ENV_VAR, varname, + CURL_NEW_ENV_VALUE, varval); +-- +2.31.1 + diff --git a/SOURCES/0003-curl-7.76.1-CVE-2021-22901.patch b/SOURCES/0003-curl-7.76.1-CVE-2021-22901.patch new file mode 100644 index 0000000..1af7204 --- /dev/null +++ b/SOURCES/0003-curl-7.76.1-CVE-2021-22901.patch @@ -0,0 +1,1012 @@ +From c8210a16e8b61704da7bbf4bb0992ecbb1c7746d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 17 May 2021 08:54:00 +0200 +Subject: [PATCH 1/3] conn: add 'attach' to protocol handler, make libssh2 use + it + +The libssh2 backend has SSH session associated with the connection but +the callback context is the easy handle, so when a connection gets +attached to a transfer, the protocol handler now allows for a custom +function to get used to set things up correctly. + +Reported-by: Michael O'Farrell +Fixes #6898 +Closes #7078 + +Upstream-commit: 0c55fbab45bedb761766109d41c3da49c4bc66c6 +Signed-off-by: Kamil Dudka +--- + lib/curl_rtmp.c | 6 ++++++ + lib/dict.c | 1 + + lib/file.c | 1 + + lib/ftp.c | 2 ++ + lib/gopher.c | 2 ++ + lib/http.c | 2 ++ + lib/http2.c | 2 ++ + lib/imap.c | 2 ++ + lib/ldap.c | 2 ++ + lib/mqtt.c | 1 + + lib/multi.c | 2 ++ + lib/openldap.c | 2 ++ + lib/pop3.c | 2 ++ + lib/rtsp.c | 1 + + lib/smb.c | 2 ++ + lib/smtp.c | 2 ++ + lib/telnet.c | 1 + + lib/tftp.c | 1 + + lib/url.c | 1 + + lib/urldata.h | 4 ++++ + lib/vssh/libssh.c | 2 ++ + lib/vssh/libssh2.c | 20 ++++++++++++++++++++ + lib/vssh/ssh.h | 3 +++ + lib/vssh/wolfssh.c | 2 ++ + 24 files changed, 66 insertions(+) + +diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c +index 1360f33..2fa0267 100644 +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -79,6 +79,7 @@ const struct Curl_handler Curl_handler_rtmp = { + rtmp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_RTMP, /* defport */ + CURLPROTO_RTMP, /* protocol */ + CURLPROTO_RTMP, /* family */ +@@ -101,6 +102,7 @@ const struct Curl_handler Curl_handler_rtmpt = { + rtmp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_RTMPT, /* defport */ + CURLPROTO_RTMPT, /* protocol */ + CURLPROTO_RTMPT, /* family */ +@@ -123,6 +125,7 @@ const struct Curl_handler Curl_handler_rtmpe = { + rtmp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_RTMP, /* defport */ + CURLPROTO_RTMPE, /* protocol */ + CURLPROTO_RTMPE, /* family */ +@@ -145,6 +148,7 @@ const struct Curl_handler Curl_handler_rtmpte = { + rtmp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_RTMPT, /* defport */ + CURLPROTO_RTMPTE, /* protocol */ + CURLPROTO_RTMPTE, /* family */ +@@ -167,6 +171,7 @@ const struct Curl_handler Curl_handler_rtmps = { + rtmp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_RTMPS, /* defport */ + CURLPROTO_RTMPS, /* protocol */ + CURLPROTO_RTMP, /* family */ +@@ -189,6 +194,7 @@ const struct Curl_handler Curl_handler_rtmpts = { + rtmp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_RTMPS, /* defport */ + CURLPROTO_RTMPTS, /* protocol */ + CURLPROTO_RTMPT, /* family */ +diff --git a/lib/dict.c b/lib/dict.c +index 4319dad..7b27f79 100644 +--- a/lib/dict.c ++++ b/lib/dict.c +@@ -89,6 +89,7 @@ const struct Curl_handler Curl_handler_dict = { + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_DICT, /* defport */ + CURLPROTO_DICT, /* protocol */ + CURLPROTO_DICT, /* family */ +diff --git a/lib/file.c b/lib/file.c +index 1d174e5..10d8f05 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -111,6 +111,7 @@ const struct Curl_handler Curl_handler_file = { + file_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + 0, /* defport */ + CURLPROTO_FILE, /* protocol */ + CURLPROTO_FILE, /* family */ +diff --git a/lib/ftp.c b/lib/ftp.c +index 5bf44f1..5ef1e2e 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -175,6 +175,7 @@ const struct Curl_handler Curl_handler_ftp = { + ftp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_FTP, /* defport */ + CURLPROTO_FTP, /* protocol */ + CURLPROTO_FTP, /* family */ +@@ -205,6 +206,7 @@ const struct Curl_handler Curl_handler_ftps = { + ftp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_FTPS, /* defport */ + CURLPROTO_FTPS, /* protocol */ + CURLPROTO_FTP, /* family */ +diff --git a/lib/gopher.c b/lib/gopher.c +index a39cc7e..f61232f 100644 +--- a/lib/gopher.c ++++ b/lib/gopher.c +@@ -74,6 +74,7 @@ const struct Curl_handler Curl_handler_gopher = { + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_GOPHER, /* defport */ + CURLPROTO_GOPHER, /* protocol */ + CURLPROTO_GOPHER, /* family */ +@@ -97,6 +98,7 @@ const struct Curl_handler Curl_handler_gophers = { + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_GOPHER, /* defport */ + CURLPROTO_GOPHERS, /* protocol */ + CURLPROTO_GOPHER, /* family */ +diff --git a/lib/http.c b/lib/http.c +index 02c81c4..91da200 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -133,6 +133,7 @@ const struct Curl_handler Curl_handler_http = { + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_HTTP, /* defport */ + CURLPROTO_HTTP, /* protocol */ + CURLPROTO_HTTP, /* family */ +@@ -160,6 +161,7 @@ const struct Curl_handler Curl_handler_https = { + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_HTTPS, /* defport */ + CURLPROTO_HTTPS, /* protocol */ + CURLPROTO_HTTP, /* family */ +diff --git a/lib/http2.c b/lib/http2.c +index d0f69ea..1eb4e89 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -319,6 +319,7 @@ static const struct Curl_handler Curl_handler_http2 = { + http2_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + http2_conncheck, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_HTTP, /* defport */ + CURLPROTO_HTTP, /* protocol */ + CURLPROTO_HTTP, /* family */ +@@ -341,6 +342,7 @@ static const struct Curl_handler Curl_handler_http2_ssl = { + http2_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + http2_conncheck, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_HTTP, /* defport */ + CURLPROTO_HTTPS, /* protocol */ + CURLPROTO_HTTP, /* family */ +diff --git a/lib/imap.c b/lib/imap.c +index e887357..e50d7fd 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -136,6 +136,7 @@ const struct Curl_handler Curl_handler_imap = { + imap_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_IMAP, /* defport */ + CURLPROTO_IMAP, /* protocol */ + CURLPROTO_IMAP, /* family */ +@@ -164,6 +165,7 @@ const struct Curl_handler Curl_handler_imaps = { + imap_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_IMAPS, /* defport */ + CURLPROTO_IMAPS, /* protocol */ + CURLPROTO_IMAP, /* family */ +diff --git a/lib/ldap.c b/lib/ldap.c +index 860a4a8..d632a7e 100644 +--- a/lib/ldap.c ++++ b/lib/ldap.c +@@ -149,6 +149,7 @@ const struct Curl_handler Curl_handler_ldap = { + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_LDAP, /* defport */ + CURLPROTO_LDAP, /* protocol */ + CURLPROTO_LDAP, /* family */ +@@ -176,6 +177,7 @@ const struct Curl_handler Curl_handler_ldaps = { + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_LDAPS, /* defport */ + CURLPROTO_LDAPS, /* protocol */ + CURLPROTO_LDAP, /* family */ +diff --git a/lib/mqtt.c b/lib/mqtt.c +index 2134409..d88fa73 100644 +--- a/lib/mqtt.c ++++ b/lib/mqtt.c +@@ -86,6 +86,7 @@ const struct Curl_handler Curl_handler_mqtt = { + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_MQTT, /* defport */ + CURLPROTO_MQTT, /* protocol */ + CURLPROTO_MQTT, /* family */ +diff --git a/lib/multi.c b/lib/multi.c +index be3e41f..e624bc3 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -890,6 +890,8 @@ void Curl_attach_connnection(struct Curl_easy *data, + data->conn = conn; + Curl_llist_insert_next(&conn->easyq, conn->easyq.tail, data, + &data->conn_queue); ++ if(conn->handler->attach) ++ conn->handler->attach(data, conn); + } + + static int waitconnect_getsock(struct connectdata *conn, +diff --git a/lib/openldap.c b/lib/openldap.c +index b6980c5..b515554 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -107,6 +107,7 @@ const struct Curl_handler Curl_handler_ldap = { + ldap_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_LDAP, /* defport */ + CURLPROTO_LDAP, /* protocol */ + CURLPROTO_LDAP, /* family */ +@@ -134,6 +135,7 @@ const struct Curl_handler Curl_handler_ldaps = { + ldap_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_LDAPS, /* defport */ + CURLPROTO_LDAPS, /* protocol */ + CURLPROTO_LDAP, /* family */ +diff --git a/lib/pop3.c b/lib/pop3.c +index ccfebd0..6168b12 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -131,6 +131,7 @@ const struct Curl_handler Curl_handler_pop3 = { + pop3_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_POP3, /* defport */ + CURLPROTO_POP3, /* protocol */ + CURLPROTO_POP3, /* family */ +@@ -159,6 +160,7 @@ const struct Curl_handler Curl_handler_pop3s = { + pop3_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_POP3S, /* defport */ + CURLPROTO_POP3S, /* protocol */ + CURLPROTO_POP3, /* family */ +diff --git a/lib/rtsp.c b/lib/rtsp.c +index 3029ff5..cdd49dc 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -109,6 +109,7 @@ const struct Curl_handler Curl_handler_rtsp = { + rtsp_disconnect, /* disconnect */ + rtsp_rtp_readwrite, /* readwrite */ + rtsp_conncheck, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_RTSP, /* defport */ + CURLPROTO_RTSP, /* protocol */ + CURLPROTO_RTSP, /* family */ +diff --git a/lib/smb.c b/lib/smb.c +index 183bc12..9f65cfd 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -88,6 +88,7 @@ const struct Curl_handler Curl_handler_smb = { + smb_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_SMB, /* defport */ + CURLPROTO_SMB, /* protocol */ + CURLPROTO_SMB, /* family */ +@@ -114,6 +115,7 @@ const struct Curl_handler Curl_handler_smbs = { + smb_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_SMBS, /* defport */ + CURLPROTO_SMBS, /* protocol */ + CURLPROTO_SMB, /* family */ +diff --git a/lib/smtp.c b/lib/smtp.c +index be4cd67..1defb25 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -136,6 +136,7 @@ const struct Curl_handler Curl_handler_smtp = { + smtp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_SMTP, /* defport */ + CURLPROTO_SMTP, /* protocol */ + CURLPROTO_SMTP, /* family */ +@@ -164,6 +165,7 @@ const struct Curl_handler Curl_handler_smtps = { + smtp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_SMTPS, /* defport */ + CURLPROTO_SMTPS, /* protocol */ + CURLPROTO_SMTP, /* family */ +diff --git a/lib/telnet.c b/lib/telnet.c +index 4551435..fdd137f 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -185,6 +185,7 @@ const struct Curl_handler Curl_handler_telnet = { + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_TELNET, /* defport */ + CURLPROTO_TELNET, /* protocol */ + CURLPROTO_TELNET, /* family */ +diff --git a/lib/tftp.c b/lib/tftp.c +index 76d3ff4..bf499f3 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -182,6 +182,7 @@ const struct Curl_handler Curl_handler_tftp = { + tftp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_TFTP, /* defport */ + CURLPROTO_TFTP, /* protocol */ + CURLPROTO_TFTP, /* family */ +diff --git a/lib/url.c b/lib/url.c +index 19fcfb8..9f2c9f2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -292,6 +292,7 @@ static const struct Curl_handler Curl_handler_dummy = { + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + 0, /* defport */ + 0, /* protocol */ + 0, /* family */ +diff --git a/lib/urldata.h b/lib/urldata.h +index fec8756..2bb7d81 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -791,12 +791,16 @@ struct Curl_handler { + struct connectdata *conn, + unsigned int checks_to_perform); + ++ /* attach() attaches this transfer to this connection */ ++ void (*attach)(struct Curl_easy *data, struct connectdata *conn); ++ + int defport; /* Default port. */ + unsigned int protocol; /* See CURLPROTO_* - this needs to be the single + specific protocol bit */ + unsigned int family; /* single bit for protocol family; basically the + non-TLS name of the protocol this is */ + unsigned int flags; /* Extra particular characteristics, see PROTOPT_* */ ++ + }; + + #define PROTOPT_NONE 0 /* nothing extra */ +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 4644f4c..450ab28 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -159,6 +159,7 @@ const struct Curl_handler Curl_handler_scp = { + scp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_SSH, /* defport */ + CURLPROTO_SCP, /* protocol */ + CURLPROTO_SCP, /* family */ +@@ -185,6 +186,7 @@ const struct Curl_handler Curl_handler_sftp = { + sftp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_SSH, /* defport */ + CURLPROTO_SFTP, /* protocol */ + CURLPROTO_SFTP, /* family */ +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index 9d188d0..0a468dd 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -121,6 +121,7 @@ static int ssh_getsock(struct Curl_easy *data, struct connectdata *conn, + curl_socket_t *sock); + static CURLcode ssh_setup_connection(struct Curl_easy *data, + struct connectdata *conn); ++static void ssh_attach(struct Curl_easy *data, struct connectdata *conn); + + /* + * SCP protocol handler. +@@ -142,6 +143,7 @@ const struct Curl_handler Curl_handler_scp = { + scp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ssh_attach, + PORT_SSH, /* defport */ + CURLPROTO_SCP, /* protocol */ + CURLPROTO_SCP, /* family */ +@@ -170,6 +172,7 @@ const struct Curl_handler Curl_handler_sftp = { + sftp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ssh_attach, + PORT_SSH, /* defport */ + CURLPROTO_SFTP, /* protocol */ + CURLPROTO_SFTP, /* family */ +@@ -3607,4 +3610,21 @@ size_t Curl_ssh_version(char *buffer, size_t buflen) + return msnprintf(buffer, buflen, "libssh2/%s", LIBSSH2_VERSION); + } + ++/* The SSH session is associated with the *CONNECTION* but the callback user ++ * pointer is an easy handle pointer. This function allows us to reassign the ++ * user pointer to the *CURRENT* (new) easy handle. ++ */ ++static void ssh_attach(struct Curl_easy *data, struct connectdata *conn) ++{ ++ DEBUGASSERT(data); ++ DEBUGASSERT(conn); ++ if(conn->handler->protocol & PROTO_FAMILY_SSH) { ++ struct ssh_conn *sshc = &conn->proto.sshc; ++ if(sshc->ssh_session) { ++ /* only re-attach if the session already exists */ ++ void **abstract = libssh2_session_abstract(sshc->ssh_session); ++ *abstract = data; ++ } ++ } ++} + #endif /* USE_LIBSSH2 */ +diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h +index 52e1ee6..505b078 100644 +--- a/lib/vssh/ssh.h ++++ b/lib/vssh/ssh.h +@@ -263,9 +263,12 @@ extern const struct Curl_handler Curl_handler_sftp; + CURLcode Curl_ssh_init(void); + void Curl_ssh_cleanup(void); + size_t Curl_ssh_version(char *buffer, size_t buflen); ++void Curl_ssh_attach(struct Curl_easy *data, ++ struct connectdata *conn); + #else + /* for non-SSH builds */ + #define Curl_ssh_cleanup() ++#define Curl_ssh_attach(x,y) + #endif + + #endif /* HEADER_CURL_SSH_H */ +diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c +index de0b1c7..8aa8067 100644 +--- a/lib/vssh/wolfssh.c ++++ b/lib/vssh/wolfssh.c +@@ -91,6 +91,7 @@ const struct Curl_handler Curl_handler_scp = { + wscp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_SSH, /* defport */ + CURLPROTO_SCP, /* protocol */ + PROTOPT_DIRLOCK | PROTOPT_CLOSEACTION +@@ -119,6 +120,7 @@ const struct Curl_handler Curl_handler_sftp = { + wsftp_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ ++ ZERO_NULL, /* attach connection */ + PORT_SSH, /* defport */ + CURLPROTO_SFTP, /* protocol */ + CURLPROTO_SFTP, /* family */ +-- +2.31.1 + + +From b5971f4854aab00fcd7810aa9a425c0a6790e050 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Wed, 5 May 2021 13:42:26 +0200 +Subject: [PATCH 2/3] openssl: associate/detach the transfer from connection + +CVE-2021-22901 + +Bug: https://curl.se/docs/CVE-2021-22901.html + +Upstream-commit: 7f4a9a9b2a49547eae24d2e19bc5c346e9026479 +Signed-off-by: Kamil Dudka +--- + lib/multi.c | 5 +- + lib/vtls/gskit.c | 4 +- + lib/vtls/gtls.c | 4 +- + lib/vtls/mbedtls.c | 4 +- + lib/vtls/mesalink.c | 4 +- + lib/vtls/nss.c | 4 +- + lib/vtls/openssl.c | 146 +++++++++++++++++++++++++++++++------------ + lib/vtls/rustls.c | 4 +- + lib/vtls/schannel.c | 4 +- + lib/vtls/sectransp.c | 2 + + lib/vtls/vtls.c | 23 ++++++- + lib/vtls/vtls.h | 12 ++++ + lib/vtls/wolfssl.c | 4 +- + 13 files changed, 171 insertions(+), 49 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index e624bc3..2228264 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -872,8 +872,10 @@ bool Curl_multiplex_wanted(const struct Curl_multi *multi) + void Curl_detach_connnection(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; +- if(conn) ++ if(conn) { + Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL); ++ Curl_ssl_detach_conn(data, conn); ++ } + data->conn = NULL; + } + +@@ -892,6 +894,7 @@ void Curl_attach_connnection(struct Curl_easy *data, + &data->conn_queue); + if(conn->handler->attach) + conn->handler->attach(data, conn); ++ Curl_ssl_associate_conn(data, conn); + } + + static int waitconnect_getsock(struct connectdata *conn, +diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c +index b0c7343..3fe54c1 100644 +--- a/lib/vtls/gskit.c ++++ b/lib/vtls/gskit.c +@@ -1281,7 +1281,9 @@ const struct Curl_ssl Curl_ssl_gskit = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_GSKIT */ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index e3fad7f..ea54fe3 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -1645,7 +1645,9 @@ const struct Curl_ssl Curl_ssl_gnutls = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- gtls_sha256sum /* sha256sum */ ++ gtls_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_GNUTLS */ +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index 4b36f2d..0a9f7b4 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -1113,7 +1113,9 @@ const struct Curl_ssl Curl_ssl_mbedtls = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- mbedtls_sha256sum /* sha256sum */ ++ mbedtls_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_MBEDTLS */ +diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c +index 5d6a149..0a41dd3 100644 +--- a/lib/vtls/mesalink.c ++++ b/lib/vtls/mesalink.c +@@ -667,7 +667,9 @@ const struct Curl_ssl Curl_ssl_mesalink = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index a9f6959..ae3945c 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2442,7 +2442,9 @@ const struct Curl_ssl Curl_ssl_nss = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + nss_false_start, /* false_start */ +- nss_sha256sum /* sha256sum */ ++ nss_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_NSS */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 6583300..2404393 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -246,6 +246,10 @@ struct ssl_backend_data { + #endif + }; + ++static void ossl_associate_connection(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex); ++ + /* + * Number of bytes to read from the random number seed file. This must be + * a finite value (because some entropy "files" like /dev/urandom have +@@ -2528,6 +2532,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + curl_socket_t sockfd = conn->sock[sockindex]; + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + ctx_option_t ctx_options = 0; ++ void *ssl_sessionid = NULL; + + #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + bool sni; +@@ -3209,46 +3214,23 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + } + #endif + +- /* Check if there's a cached ID we can/should use here! */ +- if(SSL_SET_OPTION(primary.sessionid)) { +- void *ssl_sessionid = NULL; +- int data_idx = ossl_get_ssl_data_index(); +- int connectdata_idx = ossl_get_ssl_conn_index(); +- int sockindex_idx = ossl_get_ssl_sockindex_index(); +- int proxy_idx = ossl_get_proxy_index(); +- +- if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && +- proxy_idx >= 0) { +- /* Store the data needed for the "new session" callback. +- * The sockindex is stored as a pointer to an array element. */ +- SSL_set_ex_data(backend->handle, data_idx, data); +- SSL_set_ex_data(backend->handle, connectdata_idx, conn); +- SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); +-#ifndef CURL_DISABLE_PROXY +- SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: +- NULL); +-#else +- SSL_set_ex_data(backend->handle, proxy_idx, NULL); +-#endif +- +- } ++ ossl_associate_connection(data, conn, sockindex); + +- Curl_ssl_sessionid_lock(data); +- if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, +- &ssl_sessionid, NULL, sockindex)) { +- /* we got a session id, use it! */ +- if(!SSL_set_session(backend->handle, ssl_sessionid)) { +- Curl_ssl_sessionid_unlock(data); +- failf(data, "SSL: SSL_set_session failed: %s", +- ossl_strerror(ERR_get_error(), error_buffer, +- sizeof(error_buffer))); +- return CURLE_SSL_CONNECT_ERROR; +- } +- /* Informational message */ +- infof(data, "SSL re-using session ID\n"); ++ Curl_ssl_sessionid_lock(data); ++ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, ++ &ssl_sessionid, NULL, sockindex)) { ++ /* we got a session id, use it! */ ++ if(!SSL_set_session(backend->handle, ssl_sessionid)) { ++ Curl_ssl_sessionid_unlock(data); ++ failf(data, "SSL: SSL_set_session failed: %s", ++ ossl_strerror(ERR_get_error(), error_buffer, ++ sizeof(error_buffer))); ++ return CURLE_SSL_CONNECT_ERROR; + } +- Curl_ssl_sessionid_unlock(data); ++ /* Informational message */ ++ infof(data, "SSL re-using session ID\n"); + } ++ Curl_ssl_sessionid_unlock(data); + + #ifndef CURL_DISABLE_PROXY + if(conn->proxy_ssl[sockindex].use) { +@@ -4474,6 +4456,90 @@ static void *ossl_get_internals(struct ssl_connect_data *connssl, + (void *)backend->ctx : (void *)backend->handle; + } + ++static void ossl_associate_connection(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex) ++{ ++ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; ++ struct ssl_backend_data *backend = connssl->backend; ++ ++ /* If we don't have SSL context, do nothing. */ ++ if(!backend->handle) ++ return; ++ ++ if(SSL_SET_OPTION(primary.sessionid)) { ++ int data_idx = ossl_get_ssl_data_index(); ++ int connectdata_idx = ossl_get_ssl_conn_index(); ++ int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ ++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && ++ proxy_idx >= 0) { ++ /* Store the data needed for the "new session" callback. ++ * The sockindex is stored as a pointer to an array element. */ ++ SSL_set_ex_data(backend->handle, data_idx, data); ++ SSL_set_ex_data(backend->handle, connectdata_idx, conn); ++ SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); ++#ifndef CURL_DISABLE_PROXY ++ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: ++ NULL); ++#else ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++#endif ++ } ++ } ++} ++ ++/* ++ * Starting with TLS 1.3, the ossl_new_session_cb callback gets called after ++ * the handshake. If the transfer that sets up the callback gets killed before ++ * this callback arrives, we must make sure to properly clear the data to ++ * avoid UAF problems. A future optimization could be to instead store another ++ * transfer that might still be using the same connection. ++ */ ++ ++static void ossl_disassociate_connection(struct Curl_easy *data, ++ int sockindex) ++{ ++ struct connectdata *conn = data->conn; ++ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; ++ struct ssl_backend_data *backend = connssl->backend; ++ ++ /* If we don't have SSL context, do nothing. */ ++ if(!backend->handle) ++ return; ++ ++ if(SSL_SET_OPTION(primary.sessionid)) { ++ bool isproxy = FALSE; ++ bool incache; ++ void *old_ssl_sessionid = NULL; ++ int data_idx = ossl_get_ssl_data_index(); ++ int connectdata_idx = ossl_get_ssl_conn_index(); ++ int sockindex_idx = ossl_get_ssl_sockindex_index(); ++ int proxy_idx = ossl_get_proxy_index(); ++ ++ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && ++ proxy_idx >= 0) { ++ /* Invalidate the session cache entry, if any */ ++ isproxy = SSL_get_ex_data(backend->handle, proxy_idx) ? TRUE : FALSE; ++ ++ /* Disable references to data in "new session" callback to avoid ++ * accessing a stale pointer. */ ++ SSL_set_ex_data(backend->handle, data_idx, NULL); ++ SSL_set_ex_data(backend->handle, connectdata_idx, NULL); ++ SSL_set_ex_data(backend->handle, sockindex_idx, NULL); ++ SSL_set_ex_data(backend->handle, proxy_idx, NULL); ++ } ++ ++ Curl_ssl_sessionid_lock(data); ++ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, ++ &old_ssl_sessionid, NULL, sockindex)); ++ if(incache) ++ Curl_ssl_delsessionid(data, old_ssl_sessionid); ++ Curl_ssl_sessionid_unlock(data); ++ } ++} ++ + const struct Curl_ssl Curl_ssl_openssl = { + { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */ + +@@ -4508,10 +4574,12 @@ const struct Curl_ssl Curl_ssl_openssl = { + ossl_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ + #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) +- ossl_sha256sum /* sha256sum */ ++ ossl_sha256sum, /* sha256sum */ + #else +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ + #endif ++ ossl_associate_connection, /* associate_connection */ ++ ossl_disassociate_connection /* disassociate_connection */ + }; + + #endif /* USE_OPENSSL */ +diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c +index e4f589d..fb8d634 100644 +--- a/lib/vtls/rustls.c ++++ b/lib/vtls/rustls.c +@@ -554,7 +554,9 @@ const struct Curl_ssl Curl_ssl_rustls = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_RUSTLS */ +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index 961a71f..a80eb50 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -2429,7 +2429,9 @@ const struct Curl_ssl Curl_ssl_schannel = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- schannel_sha256sum /* sha256sum */ ++ schannel_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif /* USE_SCHANNEL */ +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index 9d637da..b24b489 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -3314,6 +3314,8 @@ const struct Curl_ssl Curl_ssl_sectransp = { + Curl_none_engines_list, /* engines_list */ + sectransp_false_start, /* false_start */ + sectransp_sha256sum /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #ifdef __clang__ +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 2e07df0..22cfb88 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -579,6 +579,25 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + return CURLE_OK; + } + ++void Curl_ssl_associate_conn(struct Curl_easy *data, ++ struct connectdata *conn) ++{ ++ if(Curl_ssl->associate_connection) { ++ Curl_ssl->associate_connection(data, conn, FIRSTSOCKET); ++ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) ++ Curl_ssl->associate_connection(data, conn, SECONDARYSOCKET); ++ } ++} ++ ++void Curl_ssl_detach_conn(struct Curl_easy *data, ++ struct connectdata *conn) ++{ ++ if(Curl_ssl->disassociate_connection) { ++ Curl_ssl->disassociate_connection(data, FIRSTSOCKET); ++ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) ++ Curl_ssl->disassociate_connection(data, SECONDARYSOCKET); ++ } ++} + + void Curl_ssl_close_all(struct Curl_easy *data) + { +@@ -1207,7 +1226,9 @@ static const struct Curl_ssl Curl_ssl_multi = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- NULL /* sha256sum */ ++ NULL, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + const struct Curl_ssl *Curl_ssl = +diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h +index 2b43e77..78d1003 100644 +--- a/lib/vtls/vtls.h ++++ b/lib/vtls/vtls.h +@@ -83,6 +83,11 @@ struct Curl_ssl { + bool (*false_start)(void); + CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen, + unsigned char *sha256sum, size_t sha256sumlen); ++ ++ void (*associate_connection)(struct Curl_easy *data, ++ struct connectdata *conn, ++ int sockindex); ++ void (*disassociate_connection)(struct Curl_easy *data, int sockindex); + }; + + #ifdef USE_SSL +@@ -277,6 +282,11 @@ bool Curl_ssl_cert_status_request(void); + + bool Curl_ssl_false_start(void); + ++void Curl_ssl_associate_conn(struct Curl_easy *data, ++ struct connectdata *conn); ++void Curl_ssl_detach_conn(struct Curl_easy *data, ++ struct connectdata *conn); ++ + #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ + + #else /* if not USE_SSL */ +@@ -303,6 +313,8 @@ bool Curl_ssl_false_start(void); + #define Curl_ssl_cert_status_request() FALSE + #define Curl_ssl_false_start() FALSE + #define Curl_ssl_tls13_ciphersuites() FALSE ++#define Curl_ssl_associate_conn(a,b) Curl_nop_stmt ++#define Curl_ssl_detach_conn(a,b) Curl_nop_stmt + #endif + + #endif /* HEADER_CURL_VTLS_H */ +diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c +index c6f4280..9c1598b 100644 +--- a/lib/vtls/wolfssl.c ++++ b/lib/vtls/wolfssl.c +@@ -1164,7 +1164,9 @@ const struct Curl_ssl Curl_ssl_wolfssl = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ +- wolfssl_sha256sum /* sha256sum */ ++ wolfssl_sha256sum, /* sha256sum */ ++ NULL, /* associate_connection */ ++ NULL /* disassociate_connection */ + }; + + #endif +-- +2.31.1 + + +From dd657bd43c0dc406a0be442a3b6546b3f97bb13f Mon Sep 17 00:00:00 2001 +From: Koichi Shiraishi +Date: Mon, 24 May 2021 20:26:44 +0900 +Subject: [PATCH 3/3] sectransp: fix 7f4a9a9b2a49 commit about missing comma + +Follow-up to 7f4a9a9b2a495 + +Closes #7119 + +Upstream-commit: 98770344b2d6527c5b504fa740d7bbddbee1728e +Signed-off-by: Kamil Dudka +--- + lib/vtls/sectransp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index b24b489..f2d7835 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -3313,7 +3313,7 @@ const struct Curl_ssl Curl_ssl_sectransp = { + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + sectransp_false_start, /* false_start */ +- sectransp_sha256sum /* sha256sum */ ++ sectransp_sha256sum, /* sha256sum */ + NULL, /* associate_connection */ + NULL /* disassociate_connection */ + }; +-- +2.31.1 + diff --git a/SOURCES/0004-curl-7.76.1-ldaps-segv.patch b/SOURCES/0004-curl-7.76.1-ldaps-segv.patch new file mode 100644 index 0000000..23f77b1 --- /dev/null +++ b/SOURCES/0004-curl-7.76.1-ldaps-segv.patch @@ -0,0 +1,44 @@ +From 39b68b3f82535d06e50443db4c191dbaa00df4eb Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Fri, 23 Apr 2021 00:33:46 +0200 +Subject: [PATCH] vtls: reset ssl use flag upon negotiation failure + +Fixes the segfault in ldaps disconnect. + +Reported-by: Illarion Taev +Fixes #6934 +Closes #6937 + +Upstream-commit: a4554b2c5e7c5788c8198001598818599c60ff7d +Signed-off-by: Kamil Dudka +--- + lib/vtls/vtls.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 22cfb88..fa8a6fa 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -315,6 +315,8 @@ Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn, + + if(!result) + Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */ ++ else ++ conn->ssl[sockindex].use = FALSE; + + return result; + } +@@ -338,7 +340,9 @@ Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, + /* mark this is being ssl requested from here on. */ + conn->ssl[sockindex].use = TRUE; + result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done); +- if(!result && *done) ++ if(result) ++ conn->ssl[sockindex].use = FALSE; ++ else if(*done) + Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */ + return result; + } +-- +2.31.1 + diff --git a/SOURCES/0005-curl-7.76.1-CVE-2021-22924.patch b/SOURCES/0005-curl-7.76.1-CVE-2021-22924.patch new file mode 100644 index 0000000..3160b8f --- /dev/null +++ b/SOURCES/0005-curl-7.76.1-CVE-2021-22924.patch @@ -0,0 +1,279 @@ +From 30c7b4dd01734b6ba20bfc7790b9fe8bc0500214 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 19 Jun 2021 00:42:28 +0200 +Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case + sensitivity + +CVE-2021-22924 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2021-22924.html + +Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 10 ++++++---- + lib/urldata.h | 4 ++-- + lib/vtls/gtls.c | 10 +++++----- + lib/vtls/nss.c | 4 ++-- + lib/vtls/openssl.c | 18 +++++++++--------- + lib/vtls/vtls.c | 26 +++++++++++++++++++++----- + 6 files changed, 45 insertions(+), 27 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 9f2c9f2..bdcb095 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -3723,6 +3723,8 @@ static CURLcode create_conn(struct Curl_easy *data, + */ + data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH]; + data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE]; ++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; ++ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT]; + data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; + data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; + data->set.ssl.primary.cipher_list = +@@ -3747,8 +3749,11 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.pinned_key = + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]; + data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY]; ++ data->set.proxy_ssl.primary.issuercert = ++ data->set.str[STRING_SSL_ISSUERCERT_PROXY]; ++ data->set.proxy_ssl.primary.issuercert_blob = ++ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; +- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +@@ -3757,7 +3762,6 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif + data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; +- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.ssl.key = data->set.str[STRING_KEY]; + data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; +@@ -3771,9 +3775,7 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif +- + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; +- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT]; + + if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary, + &conn->ssl_config)) { +diff --git a/lib/urldata.h b/lib/urldata.h +index 2bb7d81..7cf63d0 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -246,6 +246,7 @@ struct ssl_primary_config { + long version_max; /* max supported version the client wants to use*/ + char *CApath; /* certificate dir (doesn't work on windows) */ + char *CAfile; /* certificate to verify peer against */ ++ char *issuercert; /* optional issuer certificate filename */ + char *clientcert; + char *random_file; /* path to file containing "random" data */ + char *egdsocket; /* path to file containing the EGD daemon socket */ +@@ -253,6 +254,7 @@ struct ssl_primary_config { + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; + struct curl_blob *cert_blob; ++ struct curl_blob *issuercert_blob; + char *curves; /* list of curves to use */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ +@@ -264,8 +266,6 @@ struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ + char *CRLfile; /* CRL to check certificate revocation */ +- char *issuercert;/* optional issuer certificate filename */ +- struct curl_blob *issuercert_blob; + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert_type; /* format for certificate (default: PEM)*/ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index ea54fe3..ccc5ce8 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -849,7 +849,7 @@ gtls_connect_step3(struct Curl_easy *data, + if(!chainp) { + if(SSL_CONN_CONFIG(verifypeer) || + SSL_CONN_CONFIG(verifyhost) || +- SSL_SET_OPTION(issuercert)) { ++ SSL_CONN_CONFIG(issuercert)) { + #ifdef HAVE_GNUTLS_SRP + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(username) != NULL +@@ -1033,21 +1033,21 @@ gtls_connect_step3(struct Curl_easy *data, + gnutls_x509_crt_t format */ + gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + gnutls_x509_crt_init(&x509_issuer); +- issuerp = load_file(SSL_SET_OPTION(issuercert)); ++ issuerp = load_file(SSL_CONN_CONFIG(issuercert)); + gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); + rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); + gnutls_x509_crt_deinit(x509_issuer); + unload_file(issuerp); + if(rc <= 0) { + failf(data, "server certificate issuer check failed (IssuerCert: %s)", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + gnutls_x509_crt_deinit(x509_cert); + return CURLE_SSL_ISSUER_ERROR; + } + infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + } + + size = sizeof(certname); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index ae3945c..b0b1e8c 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2156,9 +2156,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data, + if(result) + goto error; + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + SECStatus ret = SECFailure; +- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert)); ++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); + if(nickname) { + /* we support only nicknames in case of issuercert for now */ + ret = check_issuer_cert(backend->handle, nickname); +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 2404393..be7b811 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3872,10 +3872,10 @@ static CURLcode servercert(struct Curl_easy *data, + deallocating the certificate. */ + + /* e.g. match issuer name with provided issuer certificate */ +- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) { +- if(SSL_SET_OPTION(issuercert_blob)) +- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data, +- (int)SSL_SET_OPTION(issuercert_blob)->len); ++ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) { ++ if(SSL_CONN_CONFIG(issuercert_blob)) ++ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data, ++ (int)SSL_CONN_CONFIG(issuercert_blob)->len); + else { + fp = BIO_new(BIO_s_file()); + if(fp == NULL) { +@@ -3889,10 +3889,10 @@ static CURLcode servercert(struct Curl_easy *data, + return CURLE_OUT_OF_MEMORY; + } + +- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { ++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { + if(strict) + failf(data, "SSL: Unable to open issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(backend->server_cert); + backend->server_cert = NULL; +@@ -3904,7 +3904,7 @@ static CURLcode servercert(struct Curl_easy *data, + if(!issuer) { + if(strict) + failf(data, "SSL: Unable to read issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(backend->server_cert); +@@ -3915,7 +3915,7 @@ static CURLcode servercert(struct Curl_easy *data, + if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) { + if(strict) + failf(data, "SSL: Certificate issuer check failed (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(backend->server_cert); +@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data, + } + + infof(data, " SSL certificate issuer check ok (%s)\n", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index fa8a6fa..1aa6fc8 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) + return !memcmp(first->data, second->data, first->len); /* same data */ + } + ++static bool safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ else if(!a && !b) ++ return TRUE; /* match */ ++ return FALSE; /* no match */ ++} ++ ++ + bool + Curl_ssl_config_matches(struct ssl_primary_config *data, + struct ssl_primary_config *needle) +@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && + blobcmp(data->cert_blob, needle->cert_blob) && +- Curl_safe_strcasecompare(data->CApath, needle->CApath) && +- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) && +- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && +- Curl_safe_strcasecompare(data->random_file, needle->random_file) && +- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && ++ blobcmp(data->issuercert_blob, needle->issuercert_blob) && ++ safecmp(data->CApath, needle->CApath) && ++ safecmp(data->CAfile, needle->CAfile) && ++ safecmp(data->issuercert, needle->issuercert) && ++ safecmp(data->clientcert, needle->clientcert) && ++ safecmp(data->random_file, needle->random_file) && ++ safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && +@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->sessionid = source->sessionid; + + CLONE_BLOB(cert_blob); ++ CLONE_BLOB(issuercert_blob); + CLONE_STRING(CApath); + CLONE_STRING(CAfile); ++ CLONE_STRING(issuercert); + CLONE_STRING(clientcert); + CLONE_STRING(random_file); + CLONE_STRING(egdsocket); +@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + { + Curl_safefree(sslc->CApath); + Curl_safefree(sslc->CAfile); ++ Curl_safefree(sslc->issuercert); + Curl_safefree(sslc->clientcert); + Curl_safefree(sslc->random_file); + Curl_safefree(sslc->egdsocket); +@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + Curl_safefree(sslc->cipher_list13); + Curl_safefree(sslc->pinned_key); + Curl_safefree(sslc->cert_blob); ++ Curl_safefree(sslc->issuercert_blob); + Curl_safefree(sslc->curves); + } + +-- +2.31.1 + diff --git a/SOURCES/0006-curl-7.76.1-CVE-2021-22925.patch b/SOURCES/0006-curl-7.76.1-CVE-2021-22925.patch new file mode 100644 index 0000000..769f74c --- /dev/null +++ b/SOURCES/0006-curl-7.76.1-CVE-2021-22925.patch @@ -0,0 +1,47 @@ +From 3dbac7fb8b39a4f9aa871401d9d2790f0583ba01 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 12 Jun 2021 18:25:15 +0200 +Subject: [PATCH] telnet: fix option parser to not send uninitialized contents + +CVE-2021-22925 + +Reported-by: Red Hat Product Security +Bug: https://curl.se/docs/CVE-2021-22925.html + +Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index fdd137f..567c22c 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -922,12 +922,17 @@ static void suboption(struct Curl_easy *data) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { +- msnprintf((char *)&temp[len], sizeof(temp) - len, +- "%c%s%c%s", CURL_NEW_ENV_VAR, varname, +- CURL_NEW_ENV_VALUE, varval); +- len += tmplen; +- } ++ int rv; ++ char sep[2] = ""; ++ varval[0] = 0; ++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); ++ if(rv == 1) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s", CURL_NEW_ENV_VAR, varname); ++ else if(rv >= 2) ++ len += msnprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname, ++ CURL_NEW_ENV_VALUE, varval); + } + } + msnprintf((char *)&temp[len], sizeof(temp) - len, +-- +2.31.1 + diff --git a/SOURCES/0007-curl-7.76.1-CVE-2021-22945.patch b/SOURCES/0007-curl-7.76.1-CVE-2021-22945.patch new file mode 100644 index 0000000..4d301fc --- /dev/null +++ b/SOURCES/0007-curl-7.76.1-CVE-2021-22945.patch @@ -0,0 +1,33 @@ +From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001 +From: z2_ on hackerone <> +Date: Tue, 24 Aug 2021 09:50:33 +0200 +Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds + +CVE-2021-22945 + +Bug: https://curl.se/docs/CVE-2021-22945.html + +Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49 +Signed-off-by: Kamil Dudka +--- + lib/mqtt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/mqtt.c b/lib/mqtt.c +index d88fa73..f3fc045 100644 +--- a/lib/mqtt.c ++++ b/lib/mqtt.c +@@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data, + mq->sendleftovers = sendleftovers; + mq->nsend = nsend; + } ++ else { ++ mq->sendleftovers = NULL; ++ mq->nsend = 0; ++ } + return result; + } + +-- +2.31.1 + diff --git a/SOURCES/0008-curl-7.76.1-CVE-2021-22946.patch b/SOURCES/0008-curl-7.76.1-CVE-2021-22946.patch new file mode 100644 index 0000000..54a5957 --- /dev/null +++ b/SOURCES/0008-curl-7.76.1-CVE-2021-22946.patch @@ -0,0 +1,331 @@ +From 64f8bdbf7da9e6b65716ce0d020c6c01d0aba77d Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Wed, 8 Sep 2021 11:56:22 +0200 +Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd + +In imap and pop3, check if TLS is required even when capabilities +request has failed. + +In ftp, ignore preauthentication (230 status of server greeting) if TLS +is required. + +Bug: https://curl.se/docs/CVE-2021-22946.html + +CVE-2021-22946 + +Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 9 ++++--- + lib/imap.c | 24 ++++++++---------- + lib/pop3.c | 33 +++++++++++------------- + tests/data/Makefile.inc | 2 ++ + tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++ + tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++ + 7 files changed, 195 insertions(+), 36 deletions(-) + create mode 100644 tests/data/test984 + create mode 100644 tests/data/test985 + create mode 100644 tests/data/test986 + +diff --git a/lib/ftp.c b/lib/ftp.c +index 5ef1e2e..71f998e 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2678,9 +2678,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, + /* we have now received a full FTP server response */ + switch(ftpc->state) { + case FTP_WAIT220: +- if(ftpcode == 230) +- /* 230 User logged in - already! */ +- return ftp_state_user_resp(data, ftpcode, ftpc->state); ++ if(ftpcode == 230) { ++ /* 230 User logged in - already! Take as 220 if TLS required. */ ++ if(data->set.use_ssl <= CURLUSESSL_TRY || ++ conn->bits.ftp_use_control_ssl) ++ return ftp_state_user_resp(data, ftpcode, ftpc->state); ++ } + else if(ftpcode != 220) { + failf(data, "Got a %03d ftp-server response when 220 was expected", + ftpcode); +diff --git a/lib/imap.c b/lib/imap.c +index e50d7fd..feb7445 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data, + line += wordlen; + } + } +- else if(imapcode == IMAP_RESP_OK) { +- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { +- /* We don't have a SSL/TLS connection yet, but SSL is requested */ +- if(imapc->tls_supported) +- /* Switch to TLS connection now */ +- result = imap_perform_starttls(data, conn); +- else if(data->set.use_ssl == CURLUSESSL_TRY) +- /* Fallback and carry on with authentication */ +- result = imap_perform_authentication(data, conn); +- else { +- failf(data, "STARTTLS not supported."); +- result = CURLE_USE_SSL_FAILED; +- } ++ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { ++ /* PREAUTH is not compatible with STARTTLS. */ ++ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) { ++ /* Switch to TLS connection now */ ++ result = imap_perform_starttls(data, conn); + } +- else ++ else if(data->set.use_ssl <= CURLUSESSL_TRY) + result = imap_perform_authentication(data, conn); ++ else { ++ failf(data, "STARTTLS not available."); ++ result = CURLE_USE_SSL_FAILED; ++ } + } + else + result = imap_perform_authentication(data, conn); +diff --git a/lib/pop3.c b/lib/pop3.c +index 6168b12..7698d1c 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -740,28 +740,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code, + } + } + } +- else if(pop3code == '+') { +- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { +- /* We don't have a SSL/TLS connection yet, but SSL is requested */ +- if(pop3c->tls_supported) +- /* Switch to TLS connection now */ +- result = pop3_perform_starttls(data, conn); +- else if(data->set.use_ssl == CURLUSESSL_TRY) +- /* Fallback and carry on with authentication */ +- result = pop3_perform_authentication(data, conn); +- else { +- failf(data, "STLS not supported."); +- result = CURLE_USE_SSL_FAILED; +- } +- } +- else +- result = pop3_perform_authentication(data, conn); +- } + else { + /* Clear text is supported when CAPA isn't recognised */ +- pop3c->authtypes |= POP3_TYPE_CLEARTEXT; ++ if(pop3code != '+') ++ pop3c->authtypes |= POP3_TYPE_CLEARTEXT; + +- result = pop3_perform_authentication(data, conn); ++ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) ++ result = pop3_perform_authentication(data, conn); ++ else if(pop3code == '+' && pop3c->tls_supported) ++ /* Switch to TLS connection now */ ++ result = pop3_perform_starttls(data, conn); ++ else if(data->set.use_ssl <= CURLUSESSL_TRY) ++ /* Fallback and carry on with authentication */ ++ result = pop3_perform_authentication(data, conn); ++ else { ++ failf(data, "STLS not supported."); ++ result = CURLE_USE_SSL_FAILED; ++ } + } + + return result; +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index d083baf..163ce59 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -117,6 +117,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 test970 test971 \ + \ ++test984 test985 test986 \ ++\ + test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ + test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ + test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ +diff --git a/tests/data/test984 b/tests/data/test984 +new file mode 100644 +index 0000000..e573f23 +--- /dev/null ++++ b/tests/data/test984 +@@ -0,0 +1,56 @@ ++ ++ ++ ++IMAP ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++REPLY CAPABILITY A001 BAD Not implemented ++ ++ ++ ++# ++# Client-side ++ ++ ++SSL ++ ++ ++imap ++ ++ ++IMAP require STARTTLS with failing capabilities ++ ++ ++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd ++ ++ ++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) ++From: Fred Foobar ++Subject: afternoon meeting ++To: joe@example.com ++Message-Id: ++MIME-Version: 1.0 ++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII ++ ++Hello Joe, do you think we can meet at 3:30 tomorrow? ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 64 is CURLE_USE_SSL_FAILED ++ ++64 ++ ++ ++A001 CAPABILITY ++ ++ ++ +diff --git a/tests/data/test985 b/tests/data/test985 +new file mode 100644 +index 0000000..d0db4aa +--- /dev/null ++++ b/tests/data/test985 +@@ -0,0 +1,54 @@ ++ ++ ++ ++POP3 ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++REPLY CAPA -ERR Not implemented ++ ++ ++From: me@somewhere ++To: fake@nowhere ++ ++body ++ ++-- ++ yours sincerely ++ ++ ++ ++# ++# Client-side ++ ++ ++SSL ++ ++ ++pop3 ++ ++ ++POP3 require STARTTLS with failing capabilities ++ ++ ++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 64 is CURLE_USE_SSL_FAILED ++ ++64 ++ ++ ++CAPA ++ ++ ++ +diff --git a/tests/data/test986 b/tests/data/test986 +new file mode 100644 +index 0000000..a709437 +--- /dev/null ++++ b/tests/data/test986 +@@ -0,0 +1,53 @@ ++ ++ ++ ++FTP ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++REPLY welcome 230 Welcome ++REPLY AUTH 500 unknown command ++ ++ ++ ++# Client-side ++ ++ ++SSL ++ ++ ++ftp ++ ++ ++FTP require STARTTLS while preauthenticated ++ ++ ++data ++ to ++ see ++that FTPS ++works ++ so does it? ++ ++ ++--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++# 64 is CURLE_USE_SSL_FAILED ++ ++64 ++ ++ ++AUTH SSL ++AUTH TLS ++ ++ ++ +-- +2.31.1 + diff --git a/SOURCES/0009-curl-7.76.1-CVE-2021-22947.patch b/SOURCES/0009-curl-7.76.1-CVE-2021-22947.patch new file mode 100644 index 0000000..6c4cab1 --- /dev/null +++ b/SOURCES/0009-curl-7.76.1-CVE-2021-22947.patch @@ -0,0 +1,354 @@ +From a1ec463c8207bde97b3575d12e396e999a55a8d0 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Tue, 7 Sep 2021 13:26:42 +0200 +Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response + pipelining + +If a server pipelines future responses within the STARTTLS response, the +former are preserved in the pingpong cache across TLS negotiation and +used as responses to the encrypted commands. + +This fix detects pipelined STARTTLS responses and rejects them with an +error. + +CVE-2021-22947 + +Bug: https://curl.se/docs/CVE-2021-22947.html + +Upstream-commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68 +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 3 +++ + lib/imap.c | 4 +++ + lib/pop3.c | 4 +++ + lib/smtp.c | 4 +++ + tests/data/Makefile.inc | 2 +- + tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++ + tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++ + tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++ + 9 files changed, 236 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test980 + create mode 100644 tests/data/test981 + create mode 100644 tests/data/test982 + create mode 100644 tests/data/test983 + +diff --git a/lib/ftp.c b/lib/ftp.c +index 71f998e..e920138 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2740,6 +2740,9 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, + case FTP_AUTH: + /* we have gotten the response to a previous AUTH command */ + ++ if(pp->cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */ ++ + /* RFC2228 (page 5) says: + * + * If the server is willing to accept the named security mechanism, +diff --git a/lib/imap.c b/lib/imap.c +index feb7445..09bc5d6 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -964,6 +964,10 @@ static CURLcode imap_state_starttls_resp(struct Curl_easy *data, + + (void)instate; /* no use for this yet */ + ++ /* Pipelining in response is forbidden. */ ++ if(data->conn->proto.imapc.pp.cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; ++ + if(imapcode != IMAP_RESP_OK) { + if(data->set.use_ssl != CURLUSESSL_TRY) { + failf(data, "STARTTLS denied"); +diff --git a/lib/pop3.c b/lib/pop3.c +index 7698d1c..dccfced 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -771,6 +771,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data, + CURLcode result = CURLE_OK; + (void)instate; /* no use for this yet */ + ++ /* Pipelining in response is forbidden. */ ++ if(data->conn->proto.pop3c.pp.cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; ++ + if(pop3code != '+') { + if(data->set.use_ssl != CURLUSESSL_TRY) { + failf(data, "STARTTLS denied"); +diff --git a/lib/smtp.c b/lib/smtp.c +index 1defb25..1f89777 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -834,6 +834,10 @@ static CURLcode smtp_state_starttls_resp(struct Curl_easy *data, + CURLcode result = CURLE_OK; + (void)instate; /* no use for this yet */ + ++ /* Pipelining in response is forbidden. */ ++ if(data->conn->proto.smtpc.pp.cache_size) ++ return CURLE_WEIRD_SERVER_REPLY; ++ + if(smtpcode != 220) { + if(data->set.use_ssl != CURLUSESSL_TRY) { + failf(data, "STARTTLS denied, code %d", smtpcode); +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 163ce59..42b0569 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -117,7 +117,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 test970 test971 \ + \ +-test984 test985 test986 \ ++test980 test981 test982 test983 test984 test985 test986 \ + \ + test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ + test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ +diff --git a/tests/data/test980 b/tests/data/test980 +new file mode 100644 +index 0000000..97567f8 +--- /dev/null ++++ b/tests/data/test980 +@@ -0,0 +1,52 @@ ++ ++ ++ ++SMTP ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++CAPA STARTTLS ++AUTH PLAIN ++REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted ++REPLY AUTH 535 5.7.8 Authentication credentials invalid ++ ++ ++ ++# ++# Client-side ++ ++ ++SSL ++ ++ ++smtp ++ ++ ++SMTP STARTTLS pipelined server response ++ ++ ++mail body ++ ++ ++smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T - ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 8 is CURLE_WEIRD_SERVER_REPLY ++ ++8 ++ ++ ++EHLO %TESTNUMBER ++STARTTLS ++ ++ ++ +diff --git a/tests/data/test981 b/tests/data/test981 +new file mode 100644 +index 0000000..2b98ce4 +--- /dev/null ++++ b/tests/data/test981 +@@ -0,0 +1,59 @@ ++ ++ ++ ++IMAP ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++CAPA STARTTLS ++REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted ++REPLY LOGIN A003 BAD Authentication credentials invalid ++ ++ ++ ++# ++# Client-side ++ ++ ++SSL ++ ++ ++imap ++ ++ ++IMAP STARTTLS pipelined server response ++ ++ ++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl ++ ++ ++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) ++From: Fred Foobar ++Subject: afternoon meeting ++To: joe@example.com ++Message-Id: ++MIME-Version: 1.0 ++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII ++ ++Hello Joe, do you think we can meet at 3:30 tomorrow? ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 8 is CURLE_WEIRD_SERVER_REPLY ++ ++8 ++ ++ ++A001 CAPABILITY ++A002 STARTTLS ++ ++ ++ +diff --git a/tests/data/test982 b/tests/data/test982 +new file mode 100644 +index 0000000..9e07cc0 +--- /dev/null ++++ b/tests/data/test982 +@@ -0,0 +1,57 @@ ++ ++ ++ ++POP3 ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++CAPA STLS USER ++REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated ++REPLY PASS -ERR Authentication credentials invalid ++ ++ ++From: me@somewhere ++To: fake@nowhere ++ ++body ++ ++-- ++ yours sincerely ++ ++ ++ ++# ++# Client-side ++ ++ ++SSL ++ ++ ++pop3 ++ ++ ++POP3 STARTTLS pipelined server response ++ ++ ++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 8 is CURLE_WEIRD_SERVER_REPLY ++ ++8 ++ ++ ++CAPA ++STLS ++ ++ ++ +diff --git a/tests/data/test983 b/tests/data/test983 +new file mode 100644 +index 0000000..300ec45 +--- /dev/null ++++ b/tests/data/test983 +@@ -0,0 +1,52 @@ ++ ++ ++ ++FTP ++STARTTLS ++ ++ ++ ++# ++# Server-side ++ ++ ++REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete ++REPLY PASS 530 Login incorrect ++ ++ ++ ++# Client-side ++ ++ ++SSL ++ ++ ++ftp ++ ++ ++FTP STARTTLS pipelined server response ++ ++ ++data ++ to ++ see ++that FTPS ++works ++ so does it? ++ ++ ++--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++# 8 is CURLE_WEIRD_SERVER_REPLY ++ ++8 ++ ++ ++AUTH SSL ++ ++ ++ +-- +2.31.1 + diff --git a/SOURCES/0010-curl-7.76.1-CVE-2022-22576.patch b/SOURCES/0010-curl-7.76.1-CVE-2022-22576.patch new file mode 100644 index 0000000..90c94c7 --- /dev/null +++ b/SOURCES/0010-curl-7.76.1-CVE-2022-22576.patch @@ -0,0 +1,148 @@ +From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Mon, 25 Apr 2022 11:44:05 +0200 +Subject: [PATCH] url: check sasl additional parameters for connection reuse. + +Also move static function safecmp() as non-static Curl_safecmp() since +its purpose is needed at several places. + +Bug: https://curl.se/docs/CVE-2022-22576.html + +CVE-2022-22576 + +Closes #8746 + +Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 +Signed-off-by: Kamil Dudka +--- + lib/strcase.c | 10 ++++++++++ + lib/strcase.h | 2 ++ + lib/url.c | 13 ++++++++++++- + lib/urldata.h | 1 + + lib/vtls/vtls.c | 21 ++++++--------------- + 5 files changed, 31 insertions(+), 16 deletions(-) + +diff --git a/lib/strcase.c b/lib/strcase.c +index dd46ca1..692a3f1 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n) + } while(*src++ && --n); + } + ++/* Compare case-sensitive NUL-terminated strings, taking care of possible ++ * null pointers. Return true if arguments match. ++ */ ++bool Curl_safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ return !a && !b; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index b628656..382b80a 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in); + void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + ++bool Curl_safecmp(char *a, char *b); ++ + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index adef2cd..94e3406 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -768,6 +768,7 @@ static void conn_free(struct connectdata *conn) + Curl_safefree(conn->passwd); + Curl_safefree(conn->sasl_authzid); + Curl_safefree(conn->options); ++ Curl_safefree(conn->oauth_bearer); + Curl_dyn_free(&conn->trailer); + Curl_safefree(conn->host.rawalloc); /* host name buffer */ + Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ +@@ -1310,7 +1311,9 @@ ConnectionExists(struct Curl_easy *data, + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ + if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ strcmp(needle->passwd, check->passwd) || ++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || ++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -3554,6 +3557,14 @@ static CURLcode create_conn(struct Curl_easy *data, + } + } + ++ if(data->set.str[STRING_BEARER]) { ++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); ++ if(!conn->oauth_bearer) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto out; ++ } ++ } ++ + #ifdef USE_UNIX_SOCKETS + if(data->set.str[STRING_UNIX_SOCKET_PATH]) { + conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]); +diff --git a/lib/urldata.h b/lib/urldata.h +index cc8a600..03da59a 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -991,6 +991,7 @@ struct connectdata { + char *passwd; /* password string, allocated */ + char *options; /* options string, allocated */ + char *sasl_authzid; /* authorisation identity string, allocated */ ++ char *oauth_bearer; /* OAUTH2 bearer, allocated */ + unsigned char httpversion; /* the HTTP version*10 reported by the server */ + struct curltime now; /* "current" time */ + struct curltime created; /* creation time */ +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 03b85ba..a40ac06 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) + return !memcmp(first->data, second->data, first->len); /* same data */ + } + +-static bool safecmp(char *a, char *b) +-{ +- if(a && b) +- return !strcmp(a, b); +- else if(!a && !b) +- return TRUE; /* match */ +- return FALSE; /* no match */ +-} +- + + bool + Curl_ssl_config_matches(struct ssl_primary_config *data, +@@ -146,12 +137,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + (data->verifystatus == needle->verifystatus) && + blobcmp(data->cert_blob, needle->cert_blob) && + blobcmp(data->issuercert_blob, needle->issuercert_blob) && +- safecmp(data->CApath, needle->CApath) && +- safecmp(data->CAfile, needle->CAfile) && +- safecmp(data->issuercert, needle->issuercert) && +- safecmp(data->clientcert, needle->clientcert) && +- safecmp(data->random_file, needle->random_file) && +- safecmp(data->egdsocket, needle->egdsocket) && ++ Curl_safecmp(data->CApath, needle->CApath) && ++ Curl_safecmp(data->CAfile, needle->CAfile) && ++ Curl_safecmp(data->issuercert, needle->issuercert) && ++ Curl_safecmp(data->clientcert, needle->clientcert) && ++ Curl_safecmp(data->random_file, needle->random_file) && ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && +-- +2.34.1 + diff --git a/SOURCES/0011-curl-7.76.1-CVE-2022-27775.patch b/SOURCES/0011-curl-7.76.1-CVE-2022-27775.patch new file mode 100644 index 0000000..769a0fd --- /dev/null +++ b/SOURCES/0011-curl-7.76.1-CVE-2022-27775.patch @@ -0,0 +1,40 @@ +From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 11:48:00 +0200 +Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey + +Make connections to two separate IPv6 zone ids create separate +connections. + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27775.html +Closes #8747 + +Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705 +Signed-off-by: Kamil Dudka +--- + lib/conncache.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/conncache.c b/lib/conncache.c +index cd5756a..9b9f683 100644 +--- a/lib/conncache.c ++++ b/lib/conncache.c +@@ -159,8 +159,12 @@ static void hashkey(struct connectdata *conn, char *buf, + /* report back which name we used */ + *hostp = hostname; + +- /* put the number first so that the hostname gets cut off if too long */ +- msnprintf(buf, len, "%ld%s", port, hostname); ++ /* put the numbers first so that the hostname gets cut off if too long */ ++#ifdef ENABLE_IPV6 ++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname); ++#else ++ msnprintf(buf, len, "%ld/%s", port, hostname); ++#endif + } + + /* Returns number of connections currently held in the connection cache. +-- +2.34.1 + diff --git a/SOURCES/0012-curl-7.76.1-CVE-2022-27776.patch b/SOURCES/0012-curl-7.76.1-CVE-2022-27776.patch new file mode 100644 index 0000000..7dd5fdf --- /dev/null +++ b/SOURCES/0012-curl-7.76.1-CVE-2022-27776.patch @@ -0,0 +1,243 @@ +From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 13:05:40 +0200 +Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port + +CVE-2022-27776 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27776.html +Closes #8749 + +Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258 +Signed-off-by: Kamil Dudka +--- + lib/http.c | 33 +++++++++++++++++++++------------ + lib/urldata.h | 16 +++++++++------- + 2 files changed, 30 insertions(+), 19 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 799d4fb..0791dcf 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data, + return CURLE_OK; + } + ++/* ++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive ++ * data" can (still) be sent to this host. ++ */ ++static bool allow_auth_to_host(struct Curl_easy *data) ++{ ++ struct connectdata *conn = data->conn; ++ return (!data->state.this_is_a_follow || ++ data->set.allow_auth_to_other_hosts || ++ (data->state.first_host && ++ strcasecompare(data->state.first_host, conn->host.name) && ++ (data->state.first_remote_port == conn->remote_port) && ++ (data->state.first_remote_protocol == conn->handler->protocol))); ++} ++ + /** + * Curl_http_output_auth() setups the authentication headers for the + * host/proxy and the correct authentication +@@ -847,15 +862,11 @@ Curl_http_output_auth(struct Curl_easy *data, + with it */ + authproxy->done = TRUE; + +- /* To prevent the user+password to get sent to other than the original +- host due to a location-follow, we do some weirdo checks here */ +- if(!data->state.this_is_a_follow || +- conn->bits.netrc || +- !data->state.first_host || +- data->set.allow_auth_to_other_hosts || +- strcasecompare(data->state.first_host, conn->host.name)) { ++ /* To prevent the user+password to get sent to other than the original host ++ due to a location-follow */ ++ if(allow_auth_to_host(data) ++ || conn->bits.netrc) + result = output_auth_headers(data, conn, authhost, request, path, FALSE); +- } + else + authhost->done = TRUE; + +@@ -1906,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- (data->state.this_is_a_follow && +- data->state.first_host && +- !data->set.allow_auth_to_other_hosts && +- !strcasecompare(data->state.first_host, conn->host.name))) ++ !allow_auth_to_host(data)) + ; + else { + #ifdef USE_HYPER +@@ -2081,6 +2089,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + return CURLE_OUT_OF_MEMORY; + + data->state.first_remote_port = conn->remote_port; ++ data->state.first_remote_protocol = conn->handler->protocol; + } + Curl_safefree(data->state.aptr.host); + +diff --git a/lib/urldata.h b/lib/urldata.h +index 03da59a..f92052a 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1336,14 +1336,16 @@ struct UrlState { + char *ulbuf; /* allocated upload buffer or NULL */ + curl_off_t current_speed; /* the ProgressShow() function sets this, + bytes / second */ +- char *first_host; /* host name of the first (not followed) request. +- if set, this should be the host name that we will +- sent authorization to, no else. Used to make Location: +- following not keep sending user+password... This is +- strdup() data. +- */ ++ ++ /* host name, port number and protocol of the first (not followed) request. ++ if set, this should be the host name that we will sent authorization to, ++ no else. Used to make Location: following not keep sending user+password. ++ This is strdup()ed data. */ ++ char *first_host; ++ int first_remote_port; ++ unsigned int first_remote_protocol; ++ + int retrycount; /* number of retries on a new connection */ +- int first_remote_port; /* remote port of the first (not followed) request */ + struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */ + long sessionage; /* number of the most recent session */ + struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */ +-- +2.34.1 + + +From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 13:05:47 +0200 +Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776 + +Do not pass on Authorization headers on redirects to another port + +Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test898 | 90 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 91 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test898 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 59d46bc..7ae2cf8 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -106,7 +106,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \ + test863 test864 test865 test866 test867 test868 test869 test870 test871 \ + test872 test873 test874 test875 test876 test877 test878 test879 test880 \ + test881 test882 test883 test884 test885 test886 test887 test888 test889 \ +-test890 test891 test892 test893 test894 test895 test896 \ ++test890 test891 test892 test893 test894 test895 test896 test898 \ + \ + test900 test901 test902 test903 test904 test905 test906 test907 test908 \ + test909 test910 test911 test912 test913 test914 test915 test916 test917 \ +diff --git a/tests/data/test898 b/tests/data/test898 +new file mode 100644 +index 0000000..5cbb7d8 +--- /dev/null ++++ b/tests/data/test898 +@@ -0,0 +1,90 @@ ++ ++ ++ ++HTTP ++--location ++Authorization ++Cookie ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with custom auth and cookies redirected to HTTP on a diff port ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA==" ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++Authorization: Basic am9lOnNlY3JldA== ++Cookie: userpwd=am9lOnNlY3JldA== ++ ++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 ++Host: firsthost.com:9999 ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.34.1 + diff --git a/SOURCES/0013-curl-7.76.1-CVE-2022-27774.patch b/SOURCES/0013-curl-7.76.1-CVE-2022-27774.patch new file mode 100644 index 0000000..a911611 --- /dev/null +++ b/SOURCES/0013-curl-7.76.1-CVE-2022-27774.patch @@ -0,0 +1,635 @@ +From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct + +To make it available after the connection ended. + +Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839 +Signed-off-by: Kamil Dudka +--- + lib/connect.c | 1 + + lib/urldata.h | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/connect.c b/lib/connect.c +index 64f9511..7518807 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -619,6 +619,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn, + data->info.conn_scheme = conn->handler->scheme; + data->info.conn_protocol = conn->handler->protocol; + data->info.conn_primary_port = conn->port; ++ data->info.conn_remote_port = conn->remote_port; + data->info.conn_local_port = local_port; + } + +diff --git a/lib/urldata.h b/lib/urldata.h +index f92052a..5218f76 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1167,7 +1167,11 @@ struct PureInfo { + reused, in the connection cache. */ + + char conn_primary_ip[MAX_IPADR_LEN]; +- int conn_primary_port; ++ int conn_primary_port; /* this is the destination port to the connection, ++ which might have been a proxy */ ++ int conn_remote_port; /* this is the "remote port", which is the port ++ number of the used URL, independent of proxy or ++ not */ + char conn_local_ip[MAX_IPADR_LEN]; + int conn_local_port; + const char *conn_scheme; +-- +2.34.1 + + +From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear + auth + +... unless explicitly permitted. + +Bug: https://curl.se/docs/CVE-2022-27774.html +Reported-by: Harry Sintonen +Closes #8748 + +Upstream-commit: 620ea21410030a9977396b4661806bc187231b79 +Signed-off-by: Kamil Dudka +--- + lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 48 insertions(+), 1 deletion(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 1f8019b..752fe14 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1641,10 +1641,57 @@ CURLcode Curl_follow(struct Curl_easy *data, + return CURLE_OUT_OF_MEMORY; + } + else { +- + uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); + if(uc) + return Curl_uc_to_curlcode(uc); ++ ++ /* Clear auth if this redirects to a different port number or protocol, ++ unless permitted */ ++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { ++ char *portnum; ++ int port; ++ bool clear = FALSE; ++ ++ if(data->set.use_port && data->state.allow_port) ++ /* a custom port is used */ ++ port = (int)data->set.use_port; ++ else { ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, ++ CURLU_DEFAULT_PORT); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ port = atoi(portnum); ++ free(portnum); ++ } ++ if(port != data->info.conn_remote_port) { ++ infof(data, "Clear auth, redirects to port from %u to %u", ++ data->info.conn_remote_port, port); ++ clear = TRUE; ++ } ++ else { ++ char *scheme; ++ const struct Curl_handler *p; ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ ++ p = Curl_builtin_scheme(scheme); ++ if(p && (p->protocol != data->info.conn_protocol)) { ++ infof(data, "Clear auth, redirects scheme from %s to %s", ++ data->info.conn_scheme, scheme); ++ clear = TRUE; ++ } ++ free(scheme); ++ } ++ if(clear) { ++ Curl_safefree(data->state.aptr.user); ++ Curl_safefree(data->state.aptr.passwd); ++ } ++ } + } + + if(type == FOLLOW_FAKE) { +-- +2.34.1 + + +From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774 + + - Test 973 redirects from HTTP to FTP, clear auth + - Test 974 redirects from HTTP to HTTP different port, clear auth + - Test 975 redirects from HTTP to FTP, permitted to keep auth + - Test 976 redirects from HTTP to HTTP different port, permitted to keep + auth + +Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 1 + + tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++ + tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 352 insertions(+) + create mode 100644 tests/data/test973 + create mode 100644 tests/data/test974 + create mode 100644 tests/data/test975 + create mode 100644 tests/data/test976 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 7ae2cf8..175fc43 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -116,6 +116,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \ + test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 test970 test971 \ ++test973 test974 test975 test976 \ + \ + test980 test981 test982 test983 test984 test985 test986 \ + \ +diff --git a/tests/data/test973 b/tests/data/test973 +new file mode 100644 +index 0000000..6ced107 +--- /dev/null ++++ b/tests/data/test973 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++FTP ++--location ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++ ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ftp ++ ++ ++HTTP with auth redirected to FTP w/o auth ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++CWD a ++CWD path ++EPSV ++TYPE I ++SIZE %TESTNUMBER0002 ++RETR %TESTNUMBER0002 ++QUIT ++ ++ ++ +diff --git a/tests/data/test974 b/tests/data/test974 +new file mode 100644 +index 0000000..ac4e641 +--- /dev/null ++++ b/tests/data/test974 +@@ -0,0 +1,87 @@ ++ ++ ++ ++HTTP ++--location ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with auth redirected to HTTP on a diff port w/o auth ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 ++Host: firsthost.com:9999 ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff --git a/tests/data/test975 b/tests/data/test975 +new file mode 100644 +index 0000000..85e03e4 +--- /dev/null ++++ b/tests/data/test975 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++FTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++ ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ftp ++ ++ ++HTTP with auth redirected to FTP allowing auth to continue ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++ ++USER joe ++PASS secret ++PWD ++CWD a ++CWD path ++EPSV ++TYPE I ++SIZE %TESTNUMBER0002 ++RETR %TESTNUMBER0002 ++QUIT ++ ++ ++ +diff --git a/tests/data/test976 b/tests/data/test976 +new file mode 100644 +index 0000000..c4dd61e +--- /dev/null ++++ b/tests/data/test976 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with auth redirected to HTTP on a diff port --location-trusted ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 ++Host: firsthost.com:9999 ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.34.1 + + +From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 17:59:15 +0200 +Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects + either + +Follow-up to 620ea21410030 + +Reported-by: Harry Sintonen +Closes #8751 + +Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 +Signed-off-by: Kamil Dudka +--- + lib/http.c | 10 +++++----- + lib/http.h | 6 ++++++ + lib/vtls/openssl.c | 3 ++- + 3 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 0791dcf..4433824 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data, + } + + /* +- * allow_auth_to_host() tells if autentication, cookies or other "sensitive +- * data" can (still) be sent to this host. ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. + */ +-static bool allow_auth_to_host(struct Curl_easy *data) ++bool Curl_allow_auth_to_host(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; + return (!data->state.this_is_a_follow || +@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data, + + /* To prevent the user+password to get sent to other than the original host + due to a location-follow */ +- if(allow_auth_to_host(data) ++ if(Curl_allow_auth_to_host(data) + || conn->bits.netrc) + result = output_auth_headers(data, conn, authhost, request, path, FALSE); + else +@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- !allow_auth_to_host(data)) ++ !Curl_allow_auth_to_host(data)) + ; + else { + #ifdef USE_HYPER +diff --git a/lib/http.h b/lib/http.h +index 07e963d..9000bae 100644 +--- a/lib/http.h ++++ b/lib/http.h +@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data, + bool proxytunnel); /* TRUE if this is the request setting + up the proxy tunnel */ + ++/* ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. ++ */ ++bool Curl_allow_auth_to_host(struct Curl_easy *data); ++ + #endif /* HEADER_CURL_HTTP_H */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 1bafe96..97c5666 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #endif + + #ifdef USE_OPENSSL_SRP +- if(ssl_authtype == CURL_TLSAUTH_SRP) { ++ if((ssl_authtype == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + char * const ssl_username = SSL_SET_OPTION(username); + + infof(data, "Using TLS-SRP username: %s\n", ssl_username); +-- +2.34.1 + diff --git a/SOURCES/0014-curl-7.76.1-CVE-2022-27782.patch b/SOURCES/0014-curl-7.76.1-CVE-2022-27782.patch new file mode 100644 index 0000000..515ebd3 --- /dev/null +++ b/SOURCES/0014-curl-7.76.1-CVE-2022-27782.patch @@ -0,0 +1,461 @@ +From 50481ac42b4beae6ea85345e37b051124ac00f11 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 28 Jan 2022 16:48:38 +0100 +Subject: [PATCH 1/3] setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds + +Closes #8350 + +Upstream-commit: 96629ba2c212cda2bd1b7b04e2a9fc01ef70b75d +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 08827d1..9eaa187 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -2699,30 +2699,30 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) + data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; ++#ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); +-#ifndef CURL_DISABLE_PROXY + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && + !data->set.proxy_ssl.authtype) + data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ +-#endif + break; ++#endif + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) + data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; ++#ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); +-#ifndef CURL_DISABLE_PROXY + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && + !data->set.proxy_ssl.authtype) + data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ +-#endif + break; ++#endif + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || +-- +2.34.1 + + +From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH 2/3] tls: check more TLS details for connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 29 +++++++++++++++++------------ + lib/url.c | 23 ++++++++++++++++------- + lib/urldata.h | 13 +++++++------ + lib/vtls/openssl.c | 10 +++++----- + lib/vtls/vtls.c | 21 +++++++++++++++++++++ + 5 files changed, 66 insertions(+), 30 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 8e1bf12..7aa6fdb 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2268,6 +2268,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + + case CURLOPT_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.ssl.enable_beast = + (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); + data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); +@@ -2281,6 +2282,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.proxy_ssl.enable_beast = + (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); + data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); +@@ -2696,49 +2698,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case CURLOPT_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to ++ SRP */ + break; + #endif + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + #endif + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #endif + #endif +diff --git a/lib/url.c b/lib/url.c +index 94e3406..5ebf5e2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + set->ssl.primary.verifypeer = TRUE; + set->ssl.primary.verifyhost = TRUE; + #ifdef USE_TLS_SRP +- set->ssl.authtype = CURL_TLSAUTH_NONE; ++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; + #endif + set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth + type */ +@@ -1719,11 +1719,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; + conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; + conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; ++ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #ifndef CURL_DISABLE_PROXY + conn->proxy_ssl_config.verifystatus = + data->set.proxy_ssl.primary.verifystatus; + conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; + conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; ++ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #endif + conn->ip_version = data->set.ipver; + conn->bits.connect_only = data->set.connect_only; +@@ -3764,7 +3770,8 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.primary.issuercert_blob = + data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; +- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; ++ data->set.proxy_ssl.primary.CRLfile = ++ data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +@@ -3772,18 +3779,20 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; ++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.ssl.key = data->set.str[STRING_KEY]; + data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; + data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; + data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; ++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; ++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + #ifndef CURL_DISABLE_PROXY +- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; ++ data->set.proxy_ssl.primary.username = ++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; ++ data->set.proxy_ssl.primary.password = ++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; +diff --git a/lib/urldata.h b/lib/urldata.h +index 5218f76..e006495 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -253,9 +253,16 @@ struct ssl_primary_config { + char *cipher_list; /* list of ciphers to use */ + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; ++ char *CRLfile; /* CRL to check certificate revocation */ + struct curl_blob *cert_blob; + struct curl_blob *issuercert_blob; ++#ifdef USE_TLS_SRP ++ char *username; /* TLS username (for, e.g., SRP) */ ++ char *password; /* TLS password (for, e.g., SRP) */ ++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ ++#endif + char *curves; /* list of curves to use */ ++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ + BIT(verifystatus); /* set TRUE if certificate status must be checked */ +@@ -265,7 +272,6 @@ struct ssl_primary_config { + struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ +- char *CRLfile; /* CRL to check certificate revocation */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert_type; /* format for certificate (default: PEM)*/ +@@ -273,11 +279,6 @@ struct ssl_config_data { + struct curl_blob *key_blob; + char *key_type; /* format for private key (default: PEM) */ + char *key_passwd; /* plain text private key password */ +-#ifdef USE_TLS_SRP +- char *username; /* TLS username (for, e.g., SRP) */ +- char *password; /* TLS password (for, e.g., SRP) */ +- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +-#endif + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); + BIT(enable_beast); /* allow this flaw for interoperability's sake*/ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 97c5666..a4ef9d1 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2546,7 +2546,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #endif + const long int ssl_version = SSL_CONN_CONFIG(version); + #ifdef USE_OPENSSL_SRP +- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); ++ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); + #endif + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +@@ -2554,7 +2554,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + char error_buffer[256]; + struct ssl_backend_data *backend = connssl->backend; + bool imported_native_ca = false; +@@ -2859,15 +2859,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #ifdef USE_OPENSSL_SRP + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- char * const ssl_username = SSL_SET_OPTION(username); +- ++ char * const ssl_username = SSL_SET_OPTION(primary.username); ++ char * const ssl_password = SSL_SET_OPTION(primary.password); + infof(data, "Using TLS-SRP username: %s\n", ssl_username); + + if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { ++ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index a40ac06..e2d3438 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + { + if((data->version == needle->version) && + (data->version_max == needle->version_max) && ++ (data->ssl_options == needle->ssl_options) && + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +@@ -143,9 +144,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && ++#ifdef USE_TLS_SRP ++ Curl_safecmp(data->username, needle->username) && ++ Curl_safecmp(data->password, needle->password) && ++ (data->authtype == needle->authtype) && ++#endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + return TRUE; + +@@ -162,6 +169,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->verifyhost = source->verifyhost; + dest->verifystatus = source->verifystatus; + dest->sessionid = source->sessionid; ++ dest->ssl_options = source->ssl_options; ++#ifdef USE_TLS_SRP ++ dest->authtype = source->authtype; ++#endif + + CLONE_BLOB(cert_blob); + CLONE_BLOB(issuercert_blob); +@@ -175,6 +186,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); + CLONE_STRING(curves); ++ CLONE_STRING(CRLfile); ++#ifdef USE_TLS_SRP ++ CLONE_STRING(username); ++ CLONE_STRING(password); ++#endif + + return TRUE; + } +@@ -193,6 +209,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + Curl_safefree(sslc->cert_blob); + Curl_safefree(sslc->issuercert_blob); + Curl_safefree(sslc->curves); ++ Curl_safefree(sslc->CRLfile); ++#ifdef USE_TLS_SRP ++ Curl_safefree(sslc->username); ++ Curl_safefree(sslc->password); ++#endif + } + + #ifdef USE_SSL +-- +2.34.1 + + +From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH 3/3] url: check SSH config match on connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 11 +++++++++++ + lib/vssh/ssh.h | 6 +++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 5ebf5e2..c713e54 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1073,6 +1073,12 @@ static void prune_dead_connections(struct Curl_easy *data) + } + } + ++static bool ssh_config_matches(struct connectdata *one, ++ struct connectdata *two) ++{ ++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && ++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); ++} + /* + * Given one filled in connection struct (named needle), this function should + * detect if there already is one that has all the significant details +@@ -1319,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) ++ continue; ++ } ++ + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY + || !needle->bits.httpproxy || needle->bits.tunnel_proxy +diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h +index 7972081..30d82e5 100644 +--- a/lib/vssh/ssh.h ++++ b/lib/vssh/ssh.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -131,8 +131,8 @@ struct ssh_conn { + + /* common */ + const char *passphrase; /* pass-phrase to use */ +- char *rsa_pub; /* path name */ +- char *rsa; /* path name */ ++ char *rsa_pub; /* strdup'ed public key file */ ++ char *rsa; /* strdup'ed private key file */ + bool authed; /* the connection has been authenticated fine */ + bool acceptfail; /* used by the SFTP_QUOTE (continue if + quote command fails) */ +-- +2.34.1 + diff --git a/SOURCES/0015-curl-7.76.1-tests-openssh.patch b/SOURCES/0015-curl-7.76.1-tests-openssh.patch new file mode 100644 index 0000000..980404a --- /dev/null +++ b/SOURCES/0015-curl-7.76.1-tests-openssh.patch @@ -0,0 +1,101 @@ +From 85a8c0e9992cee271145ecf009f60b9bee9b7a60 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 15 Sep 2021 09:59:14 +0200 +Subject: [PATCH] tests/sshserver.pl: make it work with openssh-8.7p1 + +... by not using options with no argument where an argument is required: + +=== Start of file tests/log/ssh_server.log +curl_sshd_config line 6: no argument after keyword "DenyGroups" +curl_sshd_config line 7: no argument after keyword "AllowGroups" +curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2 +curl_sshd_config line 29: Deprecated option KeyRegenerationInterval +curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication +curl_sshd_config line 40: Deprecated option RSAAuthentication +curl_sshd_config line 41: Deprecated option ServerKeyBits +curl_sshd_config line 45: Deprecated option UseLogin +curl_sshd_config line 56: no argument after keyword "AcceptEnv" +curl_sshd_config: terminating, 3 bad configuration options +=== End of file tests/log/ssh_server.log + +=== Start of file log/sftp_server.log +curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication" +curl_sftp_config line 34: Unsupported option "rsaauthentication" +curl_sftp_config line 52: no argument after keyword "sendenv" +curl_sftp_config: terminating, 1 bad configuration options +Connection closed. +Connection closed +=== End of file log/sftp_server.log + +Closes #7724 + +Upstream-commit: ab78d2c679dfb37b27e89f42ad050c3153fa7513 +Signed-off-by: Kamil Dudka +--- + tests/sshserver.pl | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/tests/sshserver.pl b/tests/sshserver.pl +index 9441939..2afaace 100644 +--- a/tests/sshserver.pl ++++ b/tests/sshserver.pl +@@ -428,9 +428,7 @@ if ($sshdid =~ /OpenSSH-Windows/) { + # ssh daemon configuration file options we might use and version support + # + # AFSTokenPassing : OpenSSH 1.2.1 and later [1] +-# AcceptEnv : OpenSSH 3.9.0 and later + # AddressFamily : OpenSSH 4.0.0 and later +-# AllowGroups : OpenSSH 1.2.1 and later + # AllowTcpForwarding : OpenSSH 2.3.0 and later + # AllowUsers : OpenSSH 1.2.1 and later + # AuthorizedKeysFile : OpenSSH 2.9.9 and later +@@ -441,7 +439,6 @@ if ($sshdid =~ /OpenSSH-Windows/) { + # ClientAliveCountMax : OpenSSH 2.9.0 and later + # ClientAliveInterval : OpenSSH 2.9.0 and later + # Compression : OpenSSH 3.3.0 and later +-# DenyGroups : OpenSSH 1.2.1 and later + # DenyUsers : OpenSSH 1.2.1 and later + # ForceCommand : OpenSSH 4.4.0 and later [3] + # GatewayPorts : OpenSSH 2.1.0 and later +@@ -534,9 +531,6 @@ if ($sshdid =~ /OpenSSH-Windows/) { + push @cfgarr, "AllowUsers $username"; + } + +-push @cfgarr, 'DenyGroups'; +-push @cfgarr, 'AllowGroups'; +-push @cfgarr, '#'; + push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config"; + push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config"; + push @cfgarr, "HostKey $hstprvkeyf_config"; +@@ -684,9 +678,6 @@ push @cfgarr, '#'; + #*************************************************************************** + # Options that might be supported or not in sshd OpenSSH 2.9.9 and later + # +-if(sshd_supports_opt('AcceptEnv','')) { +- push @cfgarr, 'AcceptEnv'; +-} + if(sshd_supports_opt('AddressFamily','any')) { + # Address family must be specified before ListenAddress + splice @cfgarr, 14, 0, 'AddressFamily any'; +@@ -873,7 +864,6 @@ if ($sshdid =~ /OpenSSH-Windows/) { + # RemoteForward : OpenSSH 1.2.1 and later [3] + # RhostsRSAAuthentication : OpenSSH 1.2.1 and later + # RSAAuthentication : OpenSSH 1.2.1 and later +-# SendEnv : OpenSSH 3.9.0 and later + # ServerAliveCountMax : OpenSSH 3.8.0 and later + # ServerAliveInterval : OpenSSH 3.8.0 and later + # SmartcardDevice : OpenSSH 2.9.9 and later [1][3] +@@ -1028,10 +1018,6 @@ if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) || + push @cfgarr, 'RekeyLimit 1G'; + } + +-if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) { +- push @cfgarr, 'SendEnv'; +-} +- + if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) || + (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { + push @cfgarr, 'ServerAliveCountMax 3'; +-- +2.34.1 + diff --git a/SOURCES/0016-curl-7.76.1-CVE-2022-32208.patch b/SOURCES/0016-curl-7.76.1-CVE-2022-32208.patch new file mode 100644 index 0000000..9c2c836 --- /dev/null +++ b/SOURCES/0016-curl-7.76.1-CVE-2022-32208.patch @@ -0,0 +1,70 @@ +From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Jun 2022 09:27:24 +0200 +Subject: [PATCH] krb5: return error properly on decode errors + +Bug: https://curl.se/docs/CVE-2022-32208.html +CVE-2022-32208 +Reported-by: Harry Sintonen +Closes #9051 + +Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09 +Signed-off-by: Kamil Dudka +--- + lib/krb5.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/lib/krb5.c b/lib/krb5.c +index 787137c..6f9e1f7 100644 +--- a/lib/krb5.c ++++ b/lib/krb5.c +@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, int len, + enc.value = buf; + enc.length = len; + maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); +- if(maj != GSS_S_COMPLETE) { +- if(len >= 4) +- strcpy(buf, "599 "); ++ if(maj != GSS_S_COMPLETE) + return -1; +- } + + memcpy(buf, dec.value, dec.length); + len = curlx_uztosi(dec.length); +@@ -523,6 +520,7 @@ static CURLcode read_data(struct connectdata *conn, + { + int len; + CURLcode result; ++ int nread; + + result = socket_read(fd, &len, sizeof(len)); + if(result) +@@ -531,7 +529,10 @@ static CURLcode read_data(struct connectdata *conn, + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); +- buf->data = Curl_saferealloc(buf->data, len); ++ if(len > CURL_MAX_INPUT_LENGTH) ++ len = 0; ++ else ++ buf->data = Curl_saferealloc(buf->data, len); + } + if(!len || !buf->data) + return CURLE_OUT_OF_MEMORY; +@@ -539,8 +540,11 @@ static CURLcode read_data(struct connectdata *conn, + result = socket_read(fd, buf->data, len); + if(result) + return result; +- buf->size = conn->mech->decode(conn->app_data, buf->data, len, +- conn->data_prot, conn); ++ nread = conn->mech->decode(conn->app_data, buf->data, len, ++ conn->data_prot, conn); ++ if(nread < 0) ++ return CURLE_RECV_ERROR; ++ buf->size = (size_t)nread; + buf->index = 0; + return CURLE_OK; + } +-- +2.35.3 + diff --git a/SOURCES/0017-curl-7.76.1-CVE-2022-32206.patch b/SOURCES/0017-curl-7.76.1-CVE-2022-32206.patch new file mode 100644 index 0000000..43812a1 --- /dev/null +++ b/SOURCES/0017-curl-7.76.1-CVE-2022-32206.patch @@ -0,0 +1,143 @@ +From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:28:13 +0200 +Subject: [PATCH 1/2] content_encoding: return error on too many compression + steps + +The max allowed steps is arbitrarily set to 5. + +Bug: https://curl.se/docs/CVE-2022-32206.html +CVE-2022-32206 +Reported-by: Harry Sintonen +Closes #9049 + +Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2 +Signed-off-by: Kamil Dudka +--- + lib/content_encoding.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index c03637a..6f994b3 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1024,12 +1024,16 @@ static const struct content_encoding *find_encoding(const char *name, + return NULL; + } + ++/* allow no more than 5 "chained" compression steps */ ++#define MAX_ENCODE_STACK 5 ++ + /* Set-up the unencoding stack from the Content-Encoding header value. + * See RFC 7231 section 3.1.2.2. */ + CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; ++ int counter = 0; + + do { + const char *name; +@@ -1064,6 +1068,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + ++ if(++counter >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to %u content encodings", ++ counter); ++ return CURLE_BAD_CONTENT_ENCODING; ++ } + /* Stack the unencoding stage. */ + writer = new_unencoding_writer(data, encoding, k->writer_stack); + if(!writer) +-- +2.35.3 + + +From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:29:07 +0200 +Subject: [PATCH 2/2] test387: verify rejection of compression chain attack + +Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 1 + + tests/data/test387 | 53 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 54 insertions(+) + create mode 100644 tests/data/test387 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 98d5516..9b5f4fb 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -62,6 +62,7 @@ test343 test344 test345 test346 test347 test348 test349 test350 test351 \ + test352 test353 test354 test355 test356 test357 test358 test359 test360 \ + test361 test362 \ + \ ++test387 \ + test393 test394 test395 test396 test397 \ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ +diff --git a/tests/data/test387 b/tests/data/test387 +new file mode 100644 +index 0000000..015ec25 +--- /dev/null ++++ b/tests/data/test387 +@@ -0,0 +1,53 @@ ++ ++ ++ ++HTTP ++gzip ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Response with overly long compression chain ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++ ++61 ++ ++ ++curl: (61) Reject response due to 5 content encodings ++ ++ ++ +-- +2.35.3 + diff --git a/SOURCES/0019-curl-7.76.1-CVE-2022-32207.patch b/SOURCES/0019-curl-7.76.1-CVE-2022-32207.patch new file mode 100644 index 0000000..3d858d3 --- /dev/null +++ b/SOURCES/0019-curl-7.76.1-CVE-2022-32207.patch @@ -0,0 +1,425 @@ +From 36b47377c2d1a8d141d1ef810102748f27384f5c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files + +Bug: https://curl.se/docs/CVE-2022-32207.html +CVE-2022-32207 +Reported-by: Harry Sintonen +Closes #9050 + +Upstream-commit: 20f9dd6bae50b7223171b17ba7798946e74f877f +Signed-off-by: Kamil Dudka +--- + CMakeLists.txt | 1 + + configure.ac | 1 + + lib/Makefile.inc | 2 + + lib/cookie.c | 17 ++---- + lib/curl_config.h.cmake | 3 ++ + lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++ + lib/fopen.h | 30 +++++++++++ + 7 files changed, 154 insertions(+), 13 deletions(-) + create mode 100644 lib/fopen.c + create mode 100644 lib/fopen.h + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index b77de6d..a0bfaad 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -982,6 +982,7 @@ elseif(HAVE_LIBSOCKET) + set(CMAKE_REQUIRED_LIBRARIES socket) + endif() + ++check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD) + check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME) + check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET) + check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT) +diff --git a/configure.ac b/configure.ac +index d431870..7433bb9 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -4516,6 +4516,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se + + + AC_CHECK_FUNCS([fnmatch \ ++ fchmod \ + geteuid \ + getpass_r \ + getppid \ +diff --git a/lib/Makefile.inc b/lib/Makefile.inc +index e8f110f..5139b03 100644 +--- a/lib/Makefile.inc ++++ b/lib/Makefile.inc +@@ -130,6 +130,7 @@ LIB_CFILES = \ + escape.c \ + file.c \ + fileinfo.c \ ++ fopen.c \ + formdata.c \ + ftp.c \ + ftplistparser.c \ +@@ -261,6 +262,7 @@ LIB_HFILES = \ + escape.h \ + file.h \ + fileinfo.h \ ++ fopen.h \ + formdata.h \ + ftp.h \ + ftplistparser.h \ +diff --git a/lib/cookie.c b/lib/cookie.c +index 8a6aa1a..cb0c03b 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -97,8 +97,8 @@ Example set of cookies: + #include "curl_memrchr.h" + #include "inet_pton.h" + #include "parsedate.h" +-#include "rand.h" + #include "rename.h" ++#include "fopen.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -1537,17 +1537,8 @@ static int cookie_output(struct Curl_easy *data, + use_stdout = TRUE; + } + else { +- unsigned char randsuffix[9]; +- +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return 2; +- +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); +- if(!tempstore) +- return 1; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) ++ error = Curl_fopen(data, filename, &out, &tempstore); ++ if(error) + goto error; + } + +@@ -1594,7 +1585,7 @@ static int cookie_output(struct Curl_easy *data, + if(!use_stdout) { + fclose(out); + out = NULL; +- if(Curl_rename(tempstore, filename)) { ++ if(tempstore && Curl_rename(tempstore, filename)) { + unlink(tempstore); + goto error; + } +diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake +index d2a0f43..c254359 100644 +--- a/lib/curl_config.h.cmake ++++ b/lib/curl_config.h.cmake +@@ -148,6 +148,9 @@ + /* Define to 1 if you have the header file. */ + #cmakedefine HAVE_ASSERT_H 1 + ++/* Define to 1 if you have the `fchmod' function. */ ++#cmakedefine HAVE_FCHMOD 1 ++ + /* Define to 1 if you have the `basename' function. */ + #cmakedefine HAVE_BASENAME 1 + +diff --git a/lib/fopen.c b/lib/fopen.c +new file mode 100644 +index 0000000..ad3691b +--- /dev/null ++++ b/lib/fopen.c +@@ -0,0 +1,113 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "curl_setup.h" ++ ++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ ++ defined(USE_HSTS) ++ ++#ifdef HAVE_FCNTL_H ++#include ++#endif ++ ++#include "urldata.h" ++#include "rand.h" ++#include "fopen.h" ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" ++#include "memdebug.h" ++ ++/* ++ * Curl_fopen() opens a file for writing with a temp name, to be renamed ++ * to the final name when completed. If there is an existing file using this ++ * name at the time of the open, this function will clone the mode from that ++ * file. if 'tempname' is non-NULL, it needs a rename after the file is ++ * written. ++ */ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname) ++{ ++ CURLcode result = CURLE_WRITE_ERROR; ++ unsigned char randsuffix[9]; ++ char *tempstore = NULL; ++ struct_stat sb; ++ int fd = -1; ++ *tempname = NULL; ++ ++ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ /* a non-regular file, fallback to direct fopen() */ ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(*fh) ++ return CURLE_OK; ++ goto fail; ++ } ++ ++ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); ++ if(result) ++ goto fail; ++ ++ tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ if(!tempstore) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto fail; ++ } ++ ++ result = CURLE_WRITE_ERROR; ++ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600); ++ if(fd == -1) ++ goto fail; ++ ++#ifdef HAVE_FCHMOD ++ { ++ struct_stat nsb; ++ if((fstat(fd, &nsb) != -1) && ++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { ++ /* if the user and group are the same, clone the original mode */ ++ if(fchmod(fd, sb.st_mode) == -1) ++ goto fail; ++ } ++ } ++#endif ++ ++ *fh = fdopen(fd, FOPEN_WRITETEXT); ++ if(!*fh) ++ goto fail; ++ ++ *tempname = tempstore; ++ return CURLE_OK; ++ ++fail: ++ if(fd != -1) { ++ close(fd); ++ unlink(tempstore); ++ } ++ ++ free(tempstore); ++ ++ *tempname = NULL; ++ return result; ++} ++ ++#endif /* ! disabled */ +diff --git a/lib/fopen.h b/lib/fopen.h +new file mode 100644 +index 0000000..289e55f +--- /dev/null ++++ b/lib/fopen.h +@@ -0,0 +1,30 @@ ++#ifndef HEADER_CURL_FOPEN_H ++#define HEADER_CURL_FOPEN_H ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname); ++ ++#endif +-- +2.35.3 + + +From bd7af48238b058e9b46fdf2e1333b355920c341c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH 2/3] altsvc: use Curl_fopen() + +Upstream-commit: fab970a5d19c1faa2052239ec1e2602b892cbeb2 +Signed-off-by: Kamil Dudka +--- + lib/altsvc.c | 22 ++++++---------------- + 1 file changed, 6 insertions(+), 16 deletions(-) + +diff --git a/lib/altsvc.c b/lib/altsvc.c +index 242733b..4dc4078 100644 +--- a/lib/altsvc.c ++++ b/lib/altsvc.c +@@ -34,7 +34,7 @@ + #include "parsedate.h" + #include "sendf.h" + #include "warnless.h" +-#include "rand.h" ++#include "fopen.h" + #include "rename.h" + + /* The last 3 #include files should be in this order */ +@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, + struct Curl_llist_element *n; + CURLcode result = CURLE_OK; + FILE *out; +- char *tempstore; +- unsigned char randsuffix[9]; ++ char *tempstore = NULL; + + if(!altsvc) + /* no cache activated */ +@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, + /* marked as read-only, no file or zero length file name */ + return CURLE_OK; + +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return CURLE_FAILED_INIT; +- +- tempstore = aprintf("%s.%s.tmp", file, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) +- result = CURLE_WRITE_ERROR; +- else { ++ result = Curl_fopen(data, file, &out, &tempstore); ++ if(!result) { + fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n" + "# This file was generated by libcurl! Edit at your own risk.\n", + out); +@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, + break; + } + fclose(out); +- if(!result && Curl_rename(tempstore, file)) ++ if(!result && tempstore && Curl_rename(tempstore, file)) + result = CURLE_WRITE_ERROR; + +- if(result) ++ if(result && tempstore) + unlink(tempstore); + } + free(tempstore); +-- +2.35.3 + + +From 2011622a36fa715f38277422241e77e25dfdf0d0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:54 +0200 +Subject: [PATCH 3/3] hsts: use Curl_fopen() + +Upstream-commit: d64115d7bb8ae4c136b620912da523c063f1d2ee +Signed-off-by: Kamil Dudka +--- + lib/hsts.c | 22 ++++++---------------- + 1 file changed, 6 insertions(+), 16 deletions(-) + +diff --git a/lib/hsts.c b/lib/hsts.c +index b9fa6f7..9d54c82 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -35,7 +35,7 @@ + #include "sendf.h" + #include "strtoofft.h" + #include "parsedate.h" +-#include "rand.h" ++#include "fopen.h" + #include "rename.h" + + /* The last 3 #include files should be in this order */ +@@ -316,8 +316,7 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, + struct Curl_llist_element *n; + CURLcode result = CURLE_OK; + FILE *out; +- char *tempstore; +- unsigned char randsuffix[9]; ++ char *tempstore = NULL; + + if(!h) + /* no cache activated */ +@@ -331,17 +330,8 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, + /* marked as read-only, no file or zero length file name */ + goto skipsave; + +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return CURLE_FAILED_INIT; +- +- tempstore = aprintf("%s.%s.tmp", file, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) +- result = CURLE_WRITE_ERROR; +- else { ++ result = Curl_fopen(data, file, &out, &tempstore); ++ if(!result) { + fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n" + "# This file was generated by libcurl! Edit at your own risk.\n", + out); +@@ -353,10 +343,10 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, + break; + } + fclose(out); +- if(!result && Curl_rename(tempstore, file)) ++ if(!result && tempstore && Curl_rename(tempstore, file)) + result = CURLE_WRITE_ERROR; + +- if(result) ++ if(result && tempstore) + unlink(tempstore); + } + free(tempstore); +-- +2.35.3 + diff --git a/SOURCES/0020-curl-7.76.1-openldap-rebase.patch b/SOURCES/0020-curl-7.76.1-openldap-rebase.patch new file mode 100644 index 0000000..65870b5 --- /dev/null +++ b/SOURCES/0020-curl-7.76.1-openldap-rebase.patch @@ -0,0 +1,186 @@ +From c2acc48854be9f8590e57a7b44b649fb8537bed4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 May 2021 16:14:13 +0200 +Subject: [PATCH] openldap: replace ldap_ prefix on private functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at +least) there's a symbol collision because of that. + +The private functions now use the 'oldap_' prefix where it previously +used 'ldap_'. + +Reported-by: 3eka on github +Fixes #7004 +Closes #7005 + +Upstream-commit: 8bdde6b14ce3b5fd71c772a578fcbd4b6fa6df19 +Signed-off-by: Kamil Dudka +--- + lib/openldap.c | 67 +++++++++++++++++++++++++------------------------- + 1 file changed, 34 insertions(+), 33 deletions(-) + +diff --git a/lib/openldap.c b/lib/openldap.c +index b515554..5a32c74 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -76,16 +76,16 @@ extern int ldap_init_fd(ber_socket_t fd, int proto, const char *url, + LDAP **ld); + #endif + +-static CURLcode ldap_setup_connection(struct Curl_easy *data, +- struct connectdata *conn); +-static CURLcode ldap_do(struct Curl_easy *data, bool *done); +-static CURLcode ldap_done(struct Curl_easy *data, CURLcode, bool); +-static CURLcode ldap_connect(struct Curl_easy *data, bool *done); +-static CURLcode ldap_connecting(struct Curl_easy *data, bool *done); +-static CURLcode ldap_disconnect(struct Curl_easy *data, +- struct connectdata *conn, bool dead); ++static CURLcode oldap_setup_connection(struct Curl_easy *data, ++ struct connectdata *conn); ++static CURLcode oldap_do(struct Curl_easy *data, bool *done); ++static CURLcode oldap_done(struct Curl_easy *data, CURLcode, bool); ++static CURLcode oldap_connect(struct Curl_easy *data, bool *done); ++static CURLcode oldap_connecting(struct Curl_easy *data, bool *done); ++static CURLcode oldap_disconnect(struct Curl_easy *data, ++ struct connectdata *conn, bool dead); + +-static Curl_recv ldap_recv; ++static Curl_recv oldap_recv; + + /* + * LDAP protocol handler. +@@ -93,18 +93,18 @@ static Curl_recv ldap_recv; + + const struct Curl_handler Curl_handler_ldap = { + "LDAP", /* scheme */ +- ldap_setup_connection, /* setup_connection */ +- ldap_do, /* do_it */ +- ldap_done, /* done */ ++ oldap_setup_connection, /* setup_connection */ ++ oldap_do, /* do_it */ ++ oldap_done, /* done */ + ZERO_NULL, /* do_more */ +- ldap_connect, /* connect_it */ +- ldap_connecting, /* connecting */ ++ oldap_connect, /* connect_it */ ++ oldap_connecting, /* connecting */ + ZERO_NULL, /* doing */ + ZERO_NULL, /* proto_getsock */ + ZERO_NULL, /* doing_getsock */ + ZERO_NULL, /* domore_getsock */ + ZERO_NULL, /* perform_getsock */ +- ldap_disconnect, /* disconnect */ ++ oldap_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ + ZERO_NULL, /* attach connection */ +@@ -121,18 +121,18 @@ const struct Curl_handler Curl_handler_ldap = { + + const struct Curl_handler Curl_handler_ldaps = { + "LDAPS", /* scheme */ +- ldap_setup_connection, /* setup_connection */ +- ldap_do, /* do_it */ +- ldap_done, /* done */ ++ oldap_setup_connection, /* setup_connection */ ++ oldap_do, /* do_it */ ++ oldap_done, /* done */ + ZERO_NULL, /* do_more */ +- ldap_connect, /* connect_it */ +- ldap_connecting, /* connecting */ ++ oldap_connect, /* connect_it */ ++ oldap_connecting, /* connecting */ + ZERO_NULL, /* doing */ + ZERO_NULL, /* proto_getsock */ + ZERO_NULL, /* doing_getsock */ + ZERO_NULL, /* domore_getsock */ + ZERO_NULL, /* perform_getsock */ +- ldap_disconnect, /* disconnect */ ++ oldap_disconnect, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ + ZERO_NULL, /* attach connection */ +@@ -173,8 +173,8 @@ struct ldapreqinfo { + int nument; + }; + +-static CURLcode ldap_setup_connection(struct Curl_easy *data, +- struct connectdata *conn) ++static CURLcode oldap_setup_connection(struct Curl_easy *data, ++ struct connectdata *conn) + { + struct ldapconninfo *li; + LDAPURLDesc *lud; +@@ -209,7 +209,7 @@ static CURLcode ldap_setup_connection(struct Curl_easy *data, + static Sockbuf_IO ldapsb_tls; + #endif + +-static CURLcode ldap_connect(struct Curl_easy *data, bool *done) ++static CURLcode oldap_connect(struct Curl_easy *data, bool *done) + { + struct connectdata *conn = data->conn; + struct ldapconninfo *li = conn->proto.ldapc; +@@ -257,7 +257,7 @@ static CURLcode ldap_connect(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode ldap_connecting(struct Curl_easy *data, bool *done) ++static CURLcode oldap_connecting(struct Curl_easy *data, bool *done) + { + struct connectdata *conn = data->conn; + struct ldapconninfo *li = conn->proto.ldapc; +@@ -356,14 +356,15 @@ static CURLcode ldap_connecting(struct Curl_easy *data, bool *done) + + if(info) + ldap_memfree(info); +- conn->recv[FIRSTSOCKET] = ldap_recv; ++ conn->recv[FIRSTSOCKET] = oldap_recv; + *done = TRUE; + + return CURLE_OK; + } + +-static CURLcode ldap_disconnect(struct Curl_easy *data, +- struct connectdata *conn, bool dead_connection) ++static CURLcode oldap_disconnect(struct Curl_easy *data, ++ struct connectdata *conn, ++ bool dead_connection) + { + struct ldapconninfo *li = conn->proto.ldapc; + (void) dead_connection; +@@ -384,7 +385,7 @@ static CURLcode ldap_disconnect(struct Curl_easy *data, + return CURLE_OK; + } + +-static CURLcode ldap_do(struct Curl_easy *data, bool *done) ++static CURLcode oldap_do(struct Curl_easy *data, bool *done) + { + struct connectdata *conn = data->conn; + struct ldapconninfo *li = conn->proto.ldapc; +@@ -429,8 +430,8 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode ldap_done(struct Curl_easy *data, CURLcode res, +- bool premature) ++static CURLcode oldap_done(struct Curl_easy *data, CURLcode res, ++ bool premature) + { + struct connectdata *conn = data->conn; + struct ldapreqinfo *lr = data->req.p.ldap; +@@ -452,8 +453,8 @@ static CURLcode ldap_done(struct Curl_easy *data, CURLcode res, + return CURLE_OK; + } + +-static ssize_t ldap_recv(struct Curl_easy *data, int sockindex, char *buf, +- size_t len, CURLcode *err) ++static ssize_t oldap_recv(struct Curl_easy *data, int sockindex, char *buf, ++ size_t len, CURLcode *err) + { + struct connectdata *conn = data->conn; + struct ldapconninfo *li = conn->proto.ldapc; +-- +2.35.3 + diff --git a/SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch b/SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch new file mode 100644 index 0000000..1ccd455 --- /dev/null +++ b/SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch @@ -0,0 +1,136 @@ +From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH 1/2] cookie: reject cookies with "control bytes" + +Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + +Reported-by: Axel Chong + +Bug: https://curl.se/docs/CVE-2022-35252.html + +CVE-2022-35252 + +Closes #9381 + +Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3 +Signed-off-by: Kamil Dudka +--- + lib/cookie.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/lib/cookie.c b/lib/cookie.c +index cb0c03b..e0470a1 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -383,6 +383,30 @@ static void strstore(char **str, const char *newstr) + *str = strdup(newstr); + } + ++/* ++ RFC 6265 section 4.1.1 says a server should accept this range: ++ ++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ++ ++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes ++ fine. The prime reason for filtering out control bytes is that some HTTP ++ servers return 400 for requests that contain such. ++*/ ++static int invalid_octets(const char *p) ++{ ++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ ++ static const char badoctets[] = { ++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" ++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" ++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" ++ }; ++ size_t vlen, len; ++ /* scan for all the octets that are *not* in cookie-octet */ ++ len = strcspn(p, badoctets); ++ vlen = strlen(p); ++ return (len != vlen); ++} ++ + /* + * remove_expired() removes expired cookies. + */ +@@ -567,6 +591,11 @@ Curl_cookie_add(struct Curl_easy *data, + badcookie = TRUE; + break; + } ++ if(invalid_octets(whatptr) || invalid_octets(name)) { ++ infof(data, "invalid octets in name/value, cookie dropped"); ++ badcookie = TRUE; ++ break; ++ } + } + else if(!len) { + /* this was a "=" with no content, and we must allow +-- +2.37.1 + + +From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored + +Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28 +Signed-off-by: Kamil Dudka +--- + tests/data/test8 | 32 +++++++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +diff --git a/tests/data/test8 b/tests/data/test8 +index a8548e6..8587611 100644 +--- a/tests/data/test8 ++++ b/tests/data/test8 +@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want; + Set-Cookie: nocookie=yes; path=/WE; + Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad; + Set-Cookie: partialip=nono; domain=.0.0.1; ++Set-Cookie: cookie1=%hex[%01-junk]hex% ++Set-Cookie: cookie2=%hex[%02-junk]hex% ++Set-Cookie: cookie3=%hex[%03-junk]hex% ++Set-Cookie: cookie4=%hex[%04-junk]hex% ++Set-Cookie: cookie5=%hex[%05-junk]hex% ++Set-Cookie: cookie6=%hex[%06-junk]hex% ++Set-Cookie: cookie7=%hex[%07-junk]hex% ++Set-Cookie: cookie8=%hex[%08-junk]hex% ++Set-Cookie: cookie9=%hex[junk-%09-]hex% ++Set-Cookie: cookie11=%hex[%0b-junk]hex% ++Set-Cookie: cookie12=%hex[%0c-junk]hex% ++Set-Cookie: cookie14=%hex[%0e-junk]hex% ++Set-Cookie: cookie15=%hex[%0f-junk]hex% ++Set-Cookie: cookie16=%hex[%10-junk]hex% ++Set-Cookie: cookie17=%hex[%11-junk]hex% ++Set-Cookie: cookie18=%hex[%12-junk]hex% ++Set-Cookie: cookie19=%hex[%13-junk]hex% ++Set-Cookie: cookie20=%hex[%14-junk]hex% ++Set-Cookie: cookie21=%hex[%15-junk]hex% ++Set-Cookie: cookie22=%hex[%16-junk]hex% ++Set-Cookie: cookie23=%hex[%17-junk]hex% ++Set-Cookie: cookie24=%hex[%18-junk]hex% ++Set-Cookie: cookie25=%hex[%19-junk]hex% ++Set-Cookie: cookie26=%hex[%1a-junk]hex% ++Set-Cookie: cookie27=%hex[%1b-junk]hex% ++Set-Cookie: cookie28=%hex[%1c-junk]hex% ++Set-Cookie: cookie29=%hex[%1d-junk]hex% ++Set-Cookie: cookie30=%hex[%1e-junk]hex% ++Set-Cookie: cookie31=%hex[%1f-junk]hex% ++Set-Cookie: cookie31=%hex[%7f-junk]hex% + + + +@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1 + Host: %HOSTIP:%HTTPPORT + User-Agent: curl/%VERSION + Accept: */* +-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes ++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- - + + + +-- +2.37.1 + diff --git a/SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch b/SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch new file mode 100644 index 0000000..4359c47 --- /dev/null +++ b/SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch @@ -0,0 +1,251 @@ +From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:22:45 +0200 +Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field + +Reported-by: RobBotic1 on github +Fixes #9507 +Closes #9511 + +Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9 +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/setopt.c b/lib/setopt.c +index d5e3b50..b8793b4 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -628,6 +628,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; ++ data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: +-- +2.37.3 + + +From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:23:33 +0200 +Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle + +Reproduced #9507, verifies the fix + +Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 1 + + tests/data/test1948 | 73 +++++++++++++++++++++++++++++++++++ + tests/libtest/Makefile.inc | 5 +++ + tests/libtest/lib1948.c | 79 ++++++++++++++++++++++++++++++++++++++ + 4 files changed, 158 insertions(+) + create mode 100644 tests/data/test1948 + create mode 100644 tests/libtest/lib1948.c + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 818ee08..0cfab9b 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -217,6 +217,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \ + test1916 test1917 test1918 \ + \ + test1933 test1934 test1935 test1936 \ ++test1948 \ + \ + test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \ + test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \ +diff --git a/tests/data/test1948 b/tests/data/test1948 +new file mode 100644 +index 0000000..639523d +--- /dev/null ++++ b/tests/data/test1948 +@@ -0,0 +1,73 @@ ++ ++ ++ ++HTTP ++HTTP POST ++HTTP PUT ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++ ++CURLOPT_POST after CURLOPT_UPLOAD reusing handle ++ ++ ++lib%TESTNUMBER ++ ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++PUT /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Expect: 100-continue ++ ++This is test PUT data ++POST /1948 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Content-Type: application/x-www-form-urlencoded ++ ++This is test PUT data ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 83a8af4..3192eca 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -61,6 +61,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ + lib1591 lib1592 lib1593 lib1594 lib1596 \ + lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \ + lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \ ++ lib1948 \ + lib3010 + + chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \ +@@ -690,6 +691,10 @@ lib1936_SOURCES = lib1936.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1936_LDADD = $(TESTUTIL_LIBS) + lib1936_CPPFLAGS = $(AM_CPPFLAGS) + ++lib1948_SOURCES = lib1948.c $(SUPPORTFILES) ++lib1948_LDADD = $(TESTUTIL_LIBS) ++lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948 ++ + lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib3010_LDADD = $(TESTUTIL_LIBS) + lib3010_CPPFLAGS = $(AM_CPPFLAGS) +diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c +new file mode 100644 +index 0000000..7c891a2 +--- /dev/null ++++ b/tests/libtest/lib1948.c +@@ -0,0 +1,79 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "test.h" ++ ++typedef struct ++{ ++ char *buf; ++ size_t len; ++} put_buffer; ++ ++static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream) ++{ ++ put_buffer *putdata = (put_buffer *)stream; ++ size_t totalsize = size * nmemb; ++ size_t tocopy = (putdata->len < totalsize) ? putdata->len : totalsize; ++ memcpy(ptr, putdata->buf, tocopy); ++ putdata->len -= tocopy; ++ putdata->buf += tocopy; ++ return tocopy; ++} ++ ++int test(char *URL) ++{ ++ CURL *curl; ++ CURLcode res = CURLE_OUT_OF_MEMORY; ++ ++ curl_global_init(CURL_GLOBAL_DEFAULT); ++ ++ curl = curl_easy_init(); ++ if(curl) { ++ const char *testput = "This is test PUT data\n"; ++ put_buffer pbuf; ++ ++ /* PUT */ ++ curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L); ++ curl_easy_setopt(curl, CURLOPT_HEADER, 1L); ++ curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback); ++ pbuf.buf = (char *)testput; ++ pbuf.len = strlen(testput); ++ curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf); ++ curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput)); ++ res = curl_easy_setopt(curl, CURLOPT_URL, URL); ++ if(!res) ++ res = curl_easy_perform(curl); ++ if(!res) { ++ /* POST */ ++ curl_easy_setopt(curl, CURLOPT_POST, 1L); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput)); ++ res = curl_easy_perform(curl); ++ } ++ curl_easy_cleanup(curl); ++ } ++ ++ curl_global_cleanup(); ++ return (int)res; ++} +-- +2.37.3 + diff --git a/SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch b/SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch new file mode 100644 index 0000000..bbc1b1b --- /dev/null +++ b/SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch @@ -0,0 +1,81 @@ +From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 + +Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2 +Signed-off-by: Kamil Dudka +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 039d680..f682c1f 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, +@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -941,14 +939,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { +diff --git a/lib/telnet.c b/lib/telnet.c +index 923c7f8..48cd0d7 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + +-- +2.38.1 + diff --git a/SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch b/SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch new file mode 100644 index 0000000..755b2b3 --- /dev/null +++ b/SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch @@ -0,0 +1,678 @@ +From 95f873ff983a1ae57415b3c16a881e74432cf8b8 Mon Sep 17 00:00:00 2001 +From: Fabian Keil +Date: Tue, 9 Feb 2021 14:04:32 +0100 +Subject: [PATCH 1/4] runtests.pl: support the nonewline attribute for the data + part + +Added to FILEFORMAT + +Closes #8239 + +Upstream-commit: 736847611a40c01e7c290407e22e2f0f5f8efd6a +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT.md | 5 ++++- + tests/runtests.pl | 7 +++++++ + tests/server/getpart.c | 11 ++++++++++- + 3 files changed, 21 insertions(+), 2 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index b75a02a..0b98787 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -185,7 +185,7 @@ which are treated together as a single identifier. + + ## `` + +-### `` ++### `` + + data to be sent to the client on its request and later verified that it + arrived safely. Set `nocheck="yes"` to prevent the test script from verifying +@@ -211,6 +211,9 @@ much sense for other sections than "data"). + `hex=yes` means that the data is a sequence of hex pairs. It will get decoded + and used as "raw" data. + ++`nonewline=yes` means that the last byte (the trailing newline character) ++should be cut off from the data before sending or comparing it. ++ + For FTP file listings, the `` section will be used *only* if you make + sure that there has been a CWD done first to a directory named `test-[num]` + where [num] is the test case number. Otherwise the ftp server can't know from +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 40315aa..2e1500d 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -3837,6 +3837,13 @@ sub singletest { + else { + # check against the data section + @reply = getpart("reply", "data"); ++ if(@reply) { ++ my %hash = getpartattr("reply", "data"); ++ if($hash{'nonewline'}) { ++ # cut off the final newline from the final line of the data ++ chomp($reply[$#reply]); ++ } ++ } + # get the mode attribute + my $filemode=$replyattr{'mode'}; + if($filemode && ($filemode eq "text") && $has_textaware) { +diff --git a/tests/server/getpart.c b/tests/server/getpart.c +index 32b55bc..f8fe3f6 100644 +--- a/tests/server/getpart.c ++++ b/tests/server/getpart.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -295,6 +295,7 @@ int getpart(char **outbuf, size_t *outlen, + size_t outalloc = 256; + int in_wanted_part = 0; + int base64 = 0; ++ int nonewline = 0; + int error; + + enum { +@@ -360,6 +361,8 @@ int getpart(char **outbuf, size_t *outlen, + if(error) + return error; + } ++ if(nonewline) ++ (*outlen)--; + break; + } + } +@@ -377,6 +380,8 @@ int getpart(char **outbuf, size_t *outlen, + if(error) + return error; + } ++ if(nonewline) ++ (*outlen)--; + break; + } + } +@@ -451,6 +456,10 @@ int getpart(char **outbuf, size_t *outlen, + /* bit rough test, but "mostly" functional, */ + /* treat wanted part data as base64 encoded */ + base64 = 1; ++ if(strstr(patt, "nonewline=")) { ++ show(("* setting nonewline\n")); ++ nonewline = 1; ++ } + } + continue; + } +-- +2.39.1 + + +From 6e244e1bcb04012e11c537253e76e6f968d8bb72 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 1 Dec 2022 09:21:04 +0100 +Subject: [PATCH 2/4] runtests: do CRLF replacements per section only + +The `crlf="yes"` attribute and "hyper mode" are now only applied on a +subset of dedicated sections: data, datacheck, stdout and protocol. + +Updated test 2500 accordingly. + +Also made test1 use crlf="yes" for , mostly because it is +often used as a template test case. Going forward, using this attribute +we should be able to write test cases using linefeeds only and avoid +mixed line ending encodings. + +Follow-up to ca15b7512e8d11 + +Fixes #10009 +Closes #10010 + +Upstream-commit: 2f34a7347f315513bfda9ef14770d287fb246bcd +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT.md | 22 +++++++++++++++------ + tests/data/test1 | 14 ++++++------- + tests/runtests.pl | 48 ++++++++++++++++++++++++++++++++++++++++++--- + 3 files changed, 68 insertions(+), 16 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index c1fbc57..dcb5695 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -185,7 +185,7 @@ which are treated together as a single identifier. + + ## `` + +-### `` ++### `` + + data to be sent to the client on its request and later verified that it + arrived safely. Set `nocheck="yes"` to prevent the test script from verifying +@@ -214,12 +214,16 @@ and used as "raw" data. + `nonewline=yes` means that the last byte (the trailing newline character) + should be cut off from the data before sending or comparing it. + ++`crlf=yes` forces *header* newlines to become CRLF even if not written so in ++the source file. Note that this makes runtests.pl parse and "guess" what is a ++header and what is not in order to apply the CRLF line endings appropriately. ++ + For FTP file listings, the `` section will be used *only* if you make + sure that there has been a CWD done first to a directory named `test-[num]` + where [num] is the test case number. Otherwise the ftp server can't know from + which test file to load the list content. + +-### `` ++### `` + + Send back this contents instead of the one. The num is set by: + +@@ -243,7 +247,7 @@ The connect section is used instead of the 'data' for all CONNECT + requests. The remainder of the rules for the data section then apply but with + a connect prefix. + +-### `` ++### `` + if the data is sent but this is what should be checked afterwards. If + `nonewline=yes` is set, runtests will cut off the trailing newline from the + data before comparing with the one actually received by the client. +@@ -251,7 +255,7 @@ data before comparing with the one actually received by the client. + Use the `mode="text"` attribute if the output is in text mode on platforms + that have a text/binary difference. + +-### `` ++### `` + The contents of numbered datacheck sections are appended to the non-numbered + one. + +@@ -528,13 +532,16 @@ changing protocol data such as port numbers or user-agent strings. + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `` ++### `` + + the protocol dump curl should transmit, if 'nonewline' is set, we will cut off + the trailing newline of this given data before comparing with the one actually + sent by the client The `` and `` rules are applied before + comparisons are made. + ++`crlf=yes` forces the newlines to become CRLF even if not written so in the ++test. ++ + ### `` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy +@@ -551,7 +558,7 @@ have a text/binary difference. + If 'nonewline' is set, we will cut off the trailing newline of this given data + before comparing with the one actually received by the client + +-### `` ++### `` + This verifies that this data was passed to stdout. + + Use the mode="text" attribute if the output is in text mode on platforms that +@@ -560,6 +567,9 @@ have a text/binary difference. + If 'nonewline' is set, we will cut off the trailing newline of this given data + before comparing with the one actually received by the client + ++`crlf=yes` forces the newlines to become CRLF even if not written so in the ++test. ++ + ### `` + The file's contents must be identical to this after the test is complete. Use + the mode="text" attribute if the output is in text mode on platforms that have +diff --git a/tests/data/test1 b/tests/data/test1 +index f39a08b..700bed8 100644 +--- a/tests/data/test1 ++++ b/tests/data/test1 +@@ -9,7 +9,7 @@ HTTP GET + # + # Server-side + +- ++ + HTTP/1.1 200 OK + Date: Tue, 09 Nov 2010 14:49:00 GMT + Server: test-server/fake +@@ -42,12 +42,12 @@ http://%HOSTIP:%HTTPPORT/%TESTNUMBER + # + # Verify data after the test has been "shot" + +- +-GET /%TESTNUMBER HTTP/1.1 +-Host: %HOSTIP:%HTTPPORT +-User-Agent: curl/%VERSION +-Accept: */* +- ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ + + + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 72a9989..b12a42d 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -3410,7 +3410,13 @@ sub subBase64 { + + my $prevupdate; + sub subNewlines { +- my ($thing) = @_; ++ my ($force, $thing) = @_; ++ ++ if($force) { ++ # enforce CRLF newline ++ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; ++ return; ++ } + + # When curl is built with Hyper, it gets all response headers delivered as + # name/value pairs and curl "invents" the newlines when it saves the +@@ -3424,7 +3430,7 @@ sub subNewlines { + # skip curl error messages + ($$thing !~ /^curl: \(\d+\) /))) { + # enforce CRLF newline +- $$thing =~ s/\x0a/\x0d\x0a/; ++ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; + $prevupdate = 1; + } + else { +@@ -3496,6 +3502,7 @@ sub prepro { + my (@entiretest) = @_; + my $show = 1; + my @out; ++ my $data_crlf; + for my $s (@entiretest) { + my $f = $s; + if($s =~ /^ *%if (.*)/) { +@@ -3519,9 +3526,19 @@ sub prepro { + next; + } + if($show) { ++ # The processor does CRLF replacements in the sections if ++ # necessary since those parts might be read by separate servers. ++ if($s =~ /^ */) { ++ if($1 =~ /crlf="yes"/ || $has_hyper) { ++ $data_crlf = 1; ++ } ++ } ++ elsif(($s =~ /^ *<\/data/) && $data_crlf) { ++ $data_crlf = 0; ++ } + subVariables(\$s, $testnum, "%"); + subBase64(\$s); +- subNewlines(\$s) if($has_hyper); ++ subNewlines(0, \$s) if($data_crlf); + push @out, $s; + } + } +@@ -3830,6 +3847,11 @@ sub singletest { + # of the datacheck + chomp($replycheckpart[$#replycheckpart]); + } ++ if($replycheckpartattr{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @replycheckpart; ++ } + push(@reply, @replycheckpart); + } + } +@@ -3851,6 +3873,11 @@ sub singletest { + map s/\r\n/\n/g, @reply; + map s/\n/\r\n/g, @reply; + } ++ if($replyattr{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @reply; ++ } + } + + # this is the valid protocol blurb curl should generate +@@ -4287,6 +4314,12 @@ sub singletest { + chomp($validstdout[$#validstdout]); + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @validstdout; ++ } ++ + $res = compare($testnum, $testname, "stdout", \@actual, \@validstdout); + if($res) { + return $errorreturncode; +@@ -4381,6 +4414,10 @@ sub singletest { + } + } + ++ if($hash{'crlf'}) { ++ map subNewlines(1, \$_), @protstrip; ++ } ++ + if((!$out[0] || ($out[0] eq "")) && $protstrip[0]) { + logmsg "\n $testnum: protocol FAILED!\n". + " There was no content at all in the file $SERVERIN.\n". +@@ -4512,6 +4549,11 @@ sub singletest { + map s/\r\n/\n/g, @outfile; + map s/\n/\r\n/g, @outfile; + } ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @outfile; ++ } + + my $strip; + for $strip (@stripfile) { +-- +2.39.1 + + +From 228ed11bf33c63d9208a3fb38fe5a0d19c0764bd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH 3/4] runtests: support crlf="yes" for verify/proxy + +Upstream-commit: dc0725244a3163f1e2d5f51165db3a1a430f3ba0 +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT.md | 4 ++-- + tests/runtests.pl | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index dcb5695..6646793 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -532,7 +532,7 @@ changing protocol data such as port numbers or user-agent strings. + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `` ++### `` + + the protocol dump curl should transmit, if 'nonewline' is set, we will cut off + the trailing newline of this given data before comparing with the one actually +@@ -542,7 +542,7 @@ comparisons are made. + `crlf=yes` forces the newlines to become CRLF even if not written so in the + test. + +-### `` ++### `` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy + server is used), if 'nonewline' is set, we will cut off the trailing newline +diff --git a/tests/runtests.pl b/tests/runtests.pl +index b12a42d..5cdc83d 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -4510,6 +4510,11 @@ sub singletest { + } + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @protstrip; ++ } ++ + $res = compare($testnum, $testname, "proxy", \@out, \@protstrip); + if($res) { + return $errorreturncode; +-- +2.39.1 + + +From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Mon, 13 Feb 2023 08:33:09 +0100 +Subject: [PATCH 4/4] content_encoding: do not reset stage counter for each + header + +Test 418 verifies + +Closes #10492 + +Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9 +Signed-off-by: Kamil Dudka +--- + lib/content_encoding.c | 7 +- + lib/urldata.h | 1 + + tests/data/Makefile.inc | 1 + + tests/data/test387 | 2 +- + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 158 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test418 + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index bfc13e2..94344d6 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1033,7 +1033,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; +- int counter = 0; + + do { + const char *name; +@@ -1068,9 +1067,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + +- if(++counter >= MAX_ENCODE_STACK) { +- failf(data, "Reject response due to %u content encodings", +- counter); ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to more than %u content encodings", ++ MAX_ENCODE_STACK); + return CURLE_BAD_CONTENT_ENCODING; + } + /* Stack the unencoding stage. */ +diff --git a/lib/urldata.h b/lib/urldata.h +index 5b4b34f..8c8c20b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -700,6 +700,7 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata *doh; /* DoH specific data for this request */ + #endif ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index fb51cd6..86b6f85 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -67,6 +67,7 @@ test393 test394 test395 test396 test397 \ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ + test409 test410 \ ++ test418 \ + \ + test430 test431 test432 test433 test434 \ + \ +diff --git a/tests/data/test387 b/tests/data/test387 +index 015ec25..644fc7f 100644 +--- a/tests/data/test387 ++++ b/tests/data/test387 +@@ -47,7 +47,7 @@ Accept: */* + 61 + + +-curl: (61) Reject response due to 5 content encodings ++curl: (61) Reject response due to more than 5 content encodings + + + +diff --git a/tests/data/test418 b/tests/data/test418 +new file mode 100644 +index 0000000..50e974e +--- /dev/null ++++ b/tests/data/test418 +@@ -0,0 +1,152 @@ ++ ++ ++ ++HTTP ++gzip ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Response with multiple Transfer-Encoding headers ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++ ++61 ++ ++ ++curl: (61) Reject response due to more than 5 content encodings ++ ++ ++ +-- +2.39.1 + diff --git a/SOURCES/0101-curl-7.32.0-multilib.patch b/SOURCES/0101-curl-7.32.0-multilib.patch new file mode 100644 index 0000000..46c8986 --- /dev/null +++ b/SOURCES/0101-curl-7.32.0-multilib.patch @@ -0,0 +1,91 @@ +From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 12 Apr 2013 12:04:05 +0200 +Subject: [PATCH] prevent multilib conflicts on the curl-config script + +--- + curl-config.in | 23 +++++------------------ + docs/curl-config.1 | 4 +++- + libcurl.pc.in | 1 + + 3 files changed, 9 insertions(+), 19 deletions(-) + +diff --git a/curl-config.in b/curl-config.in +index 150004d..95d0759 100644 +--- a/curl-config.in ++++ b/curl-config.in +@@ -76,7 +76,7 @@ while test $# -gt 0; do + ;; + + --cc) +- echo "@CC@" ++ echo "gcc" + ;; + + --prefix) +@@ -155,32 +155,19 @@ while test $# -gt 0; do + ;; + + --libs) +- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- CURLLIBDIR="-L@libdir@ " +- else +- CURLLIBDIR="" +- fi +- if test "X@ENABLE_SHARED@" = "Xno"; then +- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ +- else +- echo ${CURLLIBDIR}-lcurl +- fi ++ echo -lcurl + ;; + --ssl-backends) + echo "@SSL_BACKENDS@" + ;; + + --static-libs) +- if test "X@ENABLE_STATIC@" != "Xno" ; then +- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ +- else +- echo "curl was built with static libraries disabled" >&2 +- exit 1 +- fi ++ echo "curl was built with static libraries disabled" >&2 ++ exit 1 + ;; + + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; + + *) +diff --git a/docs/curl-config.1 b/docs/curl-config.1 +index 14a9d2b..ffcc004 100644 +--- a/docs/curl-config.1 ++++ b/docs/curl-config.1 +@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear + comma-separated. (Added in 7.58.0) + .IP "--static-libs" + Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl statically. (Added in 7.17.1) ++to link your application with libcurl statically. Note that Fedora/RHEL libcurl ++packages do not provide any static libraries, thus cannot be linked statically. ++(Added in 7.17.1) + .IP "--version" + Outputs version information about the installed libcurl. + .IP "--vernum" +diff --git a/libcurl.pc.in b/libcurl.pc.in +index 2ba9c39..f8f8b00 100644 +--- a/libcurl.pc.in ++++ b/libcurl.pc.in +@@ -29,6 +29,7 @@ libdir=@libdir@ + includedir=@includedir@ + supported_protocols="@SUPPORT_PROTOCOLS@" + supported_features="@SUPPORT_FEATURES@" ++configure_options=@CONFIGURE_OPTIONS@ + + Name: libcurl + URL: https://curl.se/ +-- +2.26.2 + diff --git a/SOURCES/0102-curl-7.36.0-debug.patch b/SOURCES/0102-curl-7.36.0-debug.patch new file mode 100644 index 0000000..c096d67 --- /dev/null +++ b/SOURCES/0102-curl-7.36.0-debug.patch @@ -0,0 +1,61 @@ +From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 31 Oct 2012 11:38:30 +0100 +Subject: [PATCH] prevent configure script from discarding -g in CFLAGS + (#496778) + +--- + m4/curl-compilers.m4 | 26 ++++++-------------------- + 1 file changed, 6 insertions(+), 20 deletions(-) + +diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 +index c64db4bc6..d115a4aed 100644 +--- a/m4/curl-compilers.m4 ++++ b/m4/curl-compilers.m4 +@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [ + clangvhi=`echo $clangver | cut -d . -f1` + clangvlo=`echo $clangver | cut -d . -f2` + compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null` +- flags_dbg_all="-g -g0 -g1 -g2 -g3" +- flags_dbg_all="$flags_dbg_all -ggdb" +- flags_dbg_all="$flags_dbg_all -gstabs" +- flags_dbg_all="$flags_dbg_all -gstabs+" +- flags_dbg_all="$flags_dbg_all -gcoff" +- flags_dbg_all="$flags_dbg_all -gxcoff" +- flags_dbg_all="$flags_dbg_all -gdwarf-2" +- flags_dbg_all="$flags_dbg_all -gvms" ++ flags_dbg_all="" + flags_dbg_yes="-g" + flags_dbg_off="" +- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4" +- flags_opt_yes="-Os" ++ flags_opt_all="" ++ flags_opt_yes="" + flags_opt_off="-O0" + else + AC_MSG_RESULT([no]) +@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ + gccvhi=`echo $gccver | cut -d . -f1` + gccvlo=`echo $gccver | cut -d . -f2` + compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` +- flags_dbg_all="-g -g0 -g1 -g2 -g3" +- flags_dbg_all="$flags_dbg_all -ggdb" +- flags_dbg_all="$flags_dbg_all -gstabs" +- flags_dbg_all="$flags_dbg_all -gstabs+" +- flags_dbg_all="$flags_dbg_all -gcoff" +- flags_dbg_all="$flags_dbg_all -gxcoff" +- flags_dbg_all="$flags_dbg_all -gdwarf-2" +- flags_dbg_all="$flags_dbg_all -gvms" ++ flags_dbg_all="" + flags_dbg_yes="-g" + flags_dbg_off="" +- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast" +- flags_opt_yes="-O2" ++ flags_opt_all="" ++ flags_opt_yes="" + flags_opt_off="-O0" + CURL_CHECK_DEF([_WIN32], [], [silent]) + else +-- +1.7.1 + diff --git a/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch b/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch new file mode 100644 index 0000000..ae24828 --- /dev/null +++ b/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch @@ -0,0 +1,39 @@ +From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 4 Feb 2019 17:32:56 +0100 +Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp + +... to prevent valgrind from reporting false positives on x86_64: + +Conditional jump or move depends on uninitialised value(s) + at 0x10BCAA: part2id (lib1560.c:489) + by 0x10BCAA: updateurl (lib1560.c:521) + by 0x10BCAA: set_parts (lib1560.c:630) + by 0x10BCAA: test (lib1560.c:802) + by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) + +Conditional jump or move depends on uninitialised value(s) + at 0x10BCC3: part2id (lib1560.c:491) + by 0x10BCC3: updateurl (lib1560.c:521) + by 0x10BCC3: set_parts (lib1560.c:630) + by 0x10BCC3: test (lib1560.c:802) + by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) +--- + tests/libtest/Makefile.inc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 080421b..ea3b806 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -593,6 +593,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1559_LDADD = $(TESTUTIL_LIBS) + + lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp + lib1560_LDADD = $(TESTUTIL_LIBS) + + lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +-- +2.17.2 + diff --git a/SPECS/curl.spec b/SPECS/curl.spec new file mode 100644 index 0000000..f84d473 --- /dev/null +++ b/SPECS/curl.spec @@ -0,0 +1,2089 @@ +Summary: A utility for getting files from remote servers (FTP, HTTP, and others) +Name: curl +Version: 7.76.1 +Release: 23%{?dist} +License: MIT +Source: https://curl.se/download/%{name}-%{version}.tar.xz + +# http2: fix resource leaks detected by Coverity +Patch1: 0001-curl-7.76.1-resource-leaks.patch + +# fix TELNET stack contents disclosure (CVE-2021-22898) +Patch2: 0002-curl-7.76.1-CVE-2021-22898.patch + +# fix TLS session caching disaster (CVE-2021-22901) +Patch3: 0003-curl-7.76.1-CVE-2021-22901.patch + +# fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925) +Patch4: 0004-curl-7.76.1-ldaps-segv.patch + +# fix bad connection reuse due to flawed path name checks (CVE-2021-22924) +Patch5: 0005-curl-7.76.1-CVE-2021-22924.patch + +# fix TELNET stack contents disclosure again (CVE-2021-22925) +Patch6: 0006-curl-7.76.1-CVE-2021-22925.patch + +# fix use-after-free and double-free in MQTT sending (CVE-2021-22945) +Patch7: 0007-curl-7.76.1-CVE-2021-22945.patch + +# fix protocol downgrade required TLS bypass (CVE-2021-22946) +Patch8: 0008-curl-7.76.1-CVE-2021-22946.patch + +# fix STARTTLS protocol injection via MITM (CVE-2021-22947) +Patch9: 0009-curl-7.76.1-CVE-2021-22947.patch + +# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) +Patch10: 0010-curl-7.76.1-CVE-2022-22576.patch + +# fix bad local IPv6 connection reuse (CVE-2022-27775) +Patch11: 0011-curl-7.76.1-CVE-2022-27775.patch + +# fix auth/cookie leak on redirect (CVE-2022-27776) +Patch12: 0012-curl-7.76.1-CVE-2022-27776.patch + +# fix credential leak on redirect (CVE-2022-27774) +Patch13: 0013-curl-7.76.1-CVE-2022-27774.patch + +# fix too eager reuse of TLS and SSH connections (CVE-2022-27782) +Patch14: 0014-curl-7.76.1-CVE-2022-27782.patch + +# make upstream tests work with openssh-8.7p1 +Patch15: 0015-curl-7.76.1-tests-openssh.patch + +# fix FTP-KRB bad message verification (CVE-2022-32208) +Patch16: 0016-curl-7.76.1-CVE-2022-32208.patch + +# fix HTTP compression denial of service (CVE-2022-32206) +Patch17: 0017-curl-7.76.1-CVE-2022-32206.patch + +# fix unpreserved file permissions (CVE-2022-32207) +Patch19: 0019-curl-7.76.1-CVE-2022-32207.patch + +# fix build failure caused by openldap rebase (#2094159) +Patch20: 0020-curl-7.76.1-openldap-rebase.patch + +# control code in cookie denial of service (CVE-2022-35252) +Patch21: 0021-curl-7.76.1-CVE-2022-35252.patch + +# fix POST following PUT confusion (CVE-2022-32221) +Patch22: 0022-curl-7.76.1-CVE-2022-32221.patch + +# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) +Patch23: 0023-curl-7.76.1-CVE-2022-43552.patch + +# fix HTTP multi-header compression denial of service (CVE-2023-23916) +Patch24: 0024-curl-7.76.1-CVE-2023-23916.patch + +# patch making libcurl multilib ready +Patch101: 0101-curl-7.32.0-multilib.patch + +# prevent configure script from discarding -g in CFLAGS (#496778) +Patch102: 0102-curl-7.36.0-debug.patch + +# prevent valgrind from reporting false positives on x86_64 +Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch + +Provides: curl-full = %{version}-%{release} +Provides: webclient +URL: https://curl.se/ +BuildRequires: automake +BuildRequires: brotli-devel +BuildRequires: coreutils +BuildRequires: gcc +BuildRequires: groff +BuildRequires: krb5-devel +BuildRequires: libidn2-devel +BuildRequires: libnghttp2-devel +BuildRequires: libpsl-devel +BuildRequires: libssh-devel +BuildRequires: libtool +BuildRequires: make +BuildRequires: openldap-devel +BuildRequires: openssh-clients +BuildRequires: openssh-server +BuildRequires: openssl-devel +BuildRequires: perl-interpreter +BuildRequires: pkgconfig +BuildRequires: python-unversioned-command +BuildRequires: python3-devel +BuildRequires: sed +BuildRequires: zlib-devel + +# needed to compress content of tool_hugehelp.c after changing curl.1 man page +BuildRequires: perl(IO::Compress::Gzip) + +# needed for generation of shell completions +BuildRequires: perl(Getopt::Long) +BuildRequires: perl(Pod::Usage) +BuildRequires: perl(strict) +BuildRequires: perl(warnings) + +# gnutls-serv is used by the upstream test-suite +BuildRequires: gnutls-utils + +# hostname(1) is used by the test-suite but it is missing in armv7hl buildroot +BuildRequires: hostname + +# nghttpx (an HTTP/2 proxy) is used by the upstream test-suite +BuildRequires: nghttp2 + +# perl modules used in the test suite +BuildRequires: perl(Cwd) +BuildRequires: perl(Digest::MD5) +BuildRequires: perl(Exporter) +BuildRequires: perl(File::Basename) +BuildRequires: perl(File::Copy) +BuildRequires: perl(File::Spec) +BuildRequires: perl(IPC::Open2) +BuildRequires: perl(MIME::Base64) +BuildRequires: perl(Time::Local) +BuildRequires: perl(Time::HiRes) +BuildRequires: perl(vars) + +%if 0%{?fedora} +# needed for upstream test 1451 +BuildRequires: python3-impacket +%endif + +# The test-suite runs automatically through valgrind if valgrind is available +# on the system. By not installing valgrind into mock's chroot, we disable +# this feature for production builds on architectures where valgrind is known +# to be less reliable, in order to avoid unnecessary build failures (see RHBZ +# #810992, #816175, and #886891). Nevertheless developers are free to install +# valgrind manually to improve test coverage on any architecture. +%ifarch x86_64 +BuildRequires: valgrind +%endif + +# stunnel is used by upstream tests but it does not seem to work reliably +# on s390x and occasionally breaks some tests (mainly 1561 and 1562) +%ifnarch s390x +BuildRequires: stunnel +%endif + +# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION +Requires: libcurl%{?_isa} >= %{version}-%{release} + +# require at least the version of libpsl that we were built against, +# to ensure that we have the necessary symbols available (#1631804) +%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) + +# require at least the version of libssh that we were built against, +# to ensure that we have the necessary symbols available (#525002, #642796) +%global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) + +# require at least the version of openssl-libs that we were built against, +# to ensure that we have the necessary symbols available (#1462184, #1462211) +# (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) +%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|') + +%description +curl is a command line tool for transferring data with URL syntax, supporting +FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, +SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP +uploading, HTTP form based upload, proxies, cookies, user+password +authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer +resume, proxy tunneling and a busload of other useful tricks. + +%package -n libcurl +Summary: A library for getting files from web servers +Requires: libpsl%{?_isa} >= %{libpsl_version} +Requires: libssh%{?_isa} >= %{libssh_version} +Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} +Provides: libcurl-full = %{version}-%{release} +Provides: libcurl-full%{?_isa} = %{version}-%{release} + +%description -n libcurl +libcurl is a free and easy-to-use client-side URL transfer library, supporting +FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, +SMTP, POP3 and RTSP. libcurl supports SSL certificates, HTTP POST, HTTP PUT, +FTP uploading, HTTP form based upload, proxies, cookies, user+password +authentication (Basic, Digest, NTLM, Negotiate, Kerberos4), file transfer +resume, http proxy tunneling and more. + +%package -n libcurl-devel +Summary: Files needed for building applications with libcurl +Requires: libcurl%{?_isa} = %{version}-%{release} + +Provides: curl-devel = %{version}-%{release} +Provides: curl-devel%{?_isa} = %{version}-%{release} +Obsoletes: curl-devel < %{version}-%{release} + +%description -n libcurl-devel +The libcurl-devel package includes header files and libraries necessary for +developing programs which use the libcurl library. It contains the API +documentation of the library, too. + +%package -n curl-minimal +Summary: Conservatively configured build of curl for minimal installations +Provides: curl = %{version}-%{release} +Conflicts: curl +RemovePathPostfixes: .minimal + +# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION +Requires: libcurl%{?_isa} >= %{version}-%{release} + +%description -n curl-minimal +This is a replacement of the 'curl' package for minimal installations. It +comes with a limited set of features compared to the 'curl' package. On the +other hand, the package is smaller and requires fewer run-time dependencies to +be installed. + +%package -n libcurl-minimal +Summary: Conservatively configured build of libcurl for minimal installations +Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} +Provides: libcurl = %{version}-%{release} +Provides: libcurl%{?_isa} = %{version}-%{release} +Conflicts: libcurl%{?_isa} +RemovePathPostfixes: .minimal +# needed for RemovePathPostfixes to work with shared libraries +%undefine __brp_ldconfig + +%description -n libcurl-minimal +This is a replacement of the 'libcurl' package for minimal installations. It +comes with a limited set of features compared to the 'libcurl' package. On the +other hand, the package is smaller and requires fewer run-time dependencies to +be installed. + +%prep +%setup -q + +# upstream patches +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 + +# Fedora patches +%patch101 -p1 +%patch102 -p1 +%patch105 -p1 + +# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed +# with errno 98: Address already in use' in Koji environment), and test 1801 +# +printf "1112\n1455\n1592\n1801\n" >> tests/data/DISABLED + +# disable test 1319 on ppc64 (server times out) +%ifarch ppc64 +echo "1319" >> tests/data/DISABLED +%endif + +# temporarily disable test 582 on s390x (client times out) +%ifarch s390x +echo "582" >> tests/data/DISABLED +%endif + +# temporarily disable tests 702 703 716 on armv7hl (#1829180) +%ifarch armv7hl +printf "702\n703\n716\n" >> tests/data/DISABLED +%endif + +# temporarily disable tests 2034 2037 2041 on aarch64 +%ifarch aarch64 +printf "2034\n2037\n2041\n" >> tests/data/DISABLED +%endif + +# adapt test 323 for updated OpenSSL +sed -e 's|^35$|35,52|' -i tests/data/test323 + +# use localhost6 instead of ip6-localhost in the curl test-suite +( + # avoid glob expansion in the trace output of `bash -x` + { set +x; } 2>/dev/null + cmd="sed -e 's|ip6-localhost|localhost6|' -i tests/data/test[0-9]*" + printf "+ %s\n" "$cmd" >&2 + eval "$cmd" +) + +# regenerate the configure script and Makefile.in files +autoreconf -fiv + +%build +mkdir build-{full,minimal} +export common_configure_opts=" \ + --cache-file=../config.cache \ + --disable-hsts \ + --disable-static \ + --enable-ipv6 \ + --enable-symbol-hiding \ + --enable-threaded-resolver \ + --without-libmetalink \ + --without-zstd \ + --with-gssapi \ + --with-nghttp2 \ + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" + +%global _configure ../configure + +# configure minimal build +( + cd build-minimal + %configure $common_configure_opts \ + --disable-dict \ + --disable-gopher \ + --disable-imap \ + --disable-ldap \ + --disable-ldaps \ + --disable-manual \ + --disable-mqtt \ + --disable-ntlm \ + --disable-ntlm-wb \ + --disable-pop3 \ + --disable-rtsp \ + --disable-smb \ + --disable-smtp \ + --disable-telnet \ + --disable-tftp \ + --disable-tls-srp \ + --without-brotli \ + --without-libidn2 \ + --without-libpsl \ + --without-libssh +) + +# configure full build +( + cd build-full + %configure $common_configure_opts \ + --enable-dict \ + --enable-gopher \ + --enable-imap \ + --enable-ldap \ + --enable-ldaps \ + --enable-manual \ + --enable-mqtt \ + --enable-ntlm \ + --enable-ntlm-wb \ + --enable-pop3 \ + --enable-rtsp \ + --enable-smb \ + --enable-smtp \ + --enable-telnet \ + --enable-tftp \ + --enable-tls-srp \ + --with-brotli \ + --with-libidn2 \ + --with-libpsl \ + --with-libssh +) + +# avoid using rpath +sed -e 's/^runpath_var=.*/runpath_var=/' \ + -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \ + -i build-{full,minimal}/libtool + +%make_build V=1 -C build-minimal +%make_build V=1 -C build-full + +%check +# compile upstream test-cases +%make_build V=1 -C build-minimal/tests +%make_build V=1 -C build-full/tests + +# relax crypto policy for the test-suite to make it pass again (#1610888) +export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX +export OPENSSL_CONF= + +# make runtests.pl work for out-of-tree builds +export srcdir=../../tests + +# prevent valgrind from being extremely slow (#1662656) +# https://fedoraproject.org/wiki/Changes/DebuginfodByDefault +unset DEBUGINFOD_URLS + +# run the upstream test-suite for both curl-minimal and curl-full +for size in minimal full; do ( + cd build-${size} + + # we have to override LD_LIBRARY_PATH because we eliminated rpath + export LD_LIBRARY_PATH="${PWD}/lib/.libs" + + cd tests + perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' +) +done + + +%install +# install and rename the library that will be packaged as libcurl-minimal +%make_install -C build-minimal/lib +rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so} +for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do + mv -v $i $i.minimal +done + +# install and rename the executable that will be packaged as curl-minimal +%make_install -C build-minimal/src +mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal} + +# install libcurl.m4 +install -d $RPM_BUILD_ROOT%{_datadir}/aclocal +install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal + +# install the executable and library that will be packaged as curl and libcurl +cd build-full +%make_install + +# install zsh completion for curl +# (we have to override LD_LIBRARY_PATH because we eliminated rpath) +LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ + %make_install -C scripts + +# do not install /usr/share/fish/completions/curl.fish which is also installed +# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict +rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish + +rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la + +%ldconfig_scriptlets -n libcurl + +%ldconfig_scriptlets -n libcurl-minimal + +%files +%doc CHANGES +%doc README +%doc docs/BUGS.md +%doc docs/FAQ +%doc docs/FEATURES.md +%doc docs/TODO +%doc docs/TheArtOfHttpScripting.md +%{_bindir}/curl +%{_mandir}/man1/curl.1* +%{_datadir}/zsh + +%files -n libcurl +%license COPYING +%{_libdir}/libcurl.so.4 +%{_libdir}/libcurl.so.4.[0-9].[0-9] + +%files -n libcurl-devel +%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md +%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md +%{_bindir}/curl-config* +%{_includedir}/curl +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc +%{_mandir}/man1/curl-config.1* +%{_mandir}/man3/* +%{_datadir}/aclocal/libcurl.m4 + +%files -n curl-minimal +%{_bindir}/curl.minimal +%{_mandir}/man1/curl.1* + +%files -n libcurl-minimal +%license COPYING +%{_libdir}/libcurl.so.4.minimal +%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal + +%changelog +* Wed Feb 15 2023 Kamil Dudka - 7.76.1-23 +- fix HTTP multi-header compression denial of service (CVE-2023-23916) + +* Wed Dec 21 2022 Kamil Dudka - 7.76.1-22 +- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) + +* Wed Oct 26 2022 Kamil Dudka - 7.76.1-21 +- fix POST following PUT confusion (CVE-2022-32221) + +* Fri Sep 02 2022 Kamil Dudka - 7.76.1-20 +- control code in cookie denial of service (CVE-2022-35252) + +* Wed Jun 29 2022 Kamil Dudka - 7.76.1-19 +- fix unpreserved file permissions (CVE-2022-32207) +- fix HTTP compression denial of service (CVE-2022-32206) +- fix FTP-KRB bad message verification (CVE-2022-32208) + +* Wed May 11 2022 Kamil Dudka - 7.76.1-18 +- fix too eager reuse of TLS and SSH connections (CVE-2022-27782) + +* Mon May 02 2022 Kamil Dudka - 7.76.1-17 +- fix leak of SRP credentials in redirects (CVE-2022-27774) + +* Fri Apr 29 2022 Kamil Dudka - 7.76.1-16 +- add missing tests to Makefile + +* Thu Apr 28 2022 Kamil Dudka - 7.76.1-15 +- fix credential leak on redirect (CVE-2022-27774) +- fix auth/cookie leak on redirect (CVE-2022-27776) +- fix bad local IPv6 connection reuse (CVE-2022-27775) +- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) + +* Tue Oct 26 2021 Kamil Dudka - 7.76.1-14 +- re-disable HSTS in libcurl as an experimental feature (#2005874) + +* Mon Oct 04 2021 Kamil Dudka - 7.76.1-13 +- disable more protocols and features in libcurl-minimal (#2005874) + +* Fri Sep 17 2021 Kamil Dudka - 7.76.1-12 +- fix STARTTLS protocol injection via MITM (CVE-2021-22947) +- fix protocol downgrade required TLS bypass (CVE-2021-22946) +- fix use-after-free and double-free in MQTT sending (CVE-2021-22945) + +* Mon Aug 09 2021 Mohan Boddu - 7.76.1-11 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jul 28 2021 Florian Weimer - 7.76.1-10 +- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097) + +* Fri Jul 23 2021 Kamil Dudka - 7.76.1-9 +- make explicit dependency on openssl work with alpha/beta builds of openssl + +* Wed Jul 21 2021 Kamil Dudka - 7.76.1-8 +- fix TELNET stack contents disclosure again (CVE-2021-22925) +- fix bad connection reuse due to flawed path name checks (CVE-2021-22924) + +* Tue Jun 15 2021 Mohan Boddu - 7.76.1-6 +- Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065 + +* Wed Jun 02 2021 Kamil Dudka - 7.77.0-5 +- build the curl tool without metalink support (#1967213) + +* Wed Jun 02 2021 Kamil Dudka - 7.76.1-4 +- fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925) + +* Wed May 26 2021 Kamil Dudka - 7.76.1-3 +- fix TLS session caching disaster (CVE-2021-22901) +- fix TELNET stack contents disclosure (CVE-2021-22898) + +* Mon May 03 2021 Kamil Dudka - 7.76.1-2 +- http2: fix resource leaks detected by Coverity + +* Fri Apr 23 2021 Kamil Dudka - 7.76.1-1 +- new upstream release + +* Fri Apr 23 2021 Kamil Dudka - 7.76.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup + CVE-2021-22876 - Automatic referer leaks credentials + +* Thu Apr 15 2021 Mohan Boddu - 7.75.0-4 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Wed Mar 24 2021 Kamil Dudka - 7.75.0-3 +- fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925) + +* Tue Feb 23 2021 Kamil Dudka - 7.75.0-2 +- build-require python3-impacket only on Fedora + +* Wed Feb 03 2021 Kamil Dudka - 7.75.0-1 +- new upstream release + +* Tue Jan 26 2021 Kamil Dudka - 7.74.0-4 +- do not use stunnel for tests on s390x builds to avoid spurious failures + +* Tue Jan 26 2021 Fedora Release Engineering - 7.74.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Dec 09 2020 Kamil Dudka - 7.74.0-2 +- do not rewrite shebangs in test-suite to use python3 explicitly + +* Wed Dec 09 2020 Kamil Dudka - 7.74.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2020-8286 - curl: Inferior OCSP verification + CVE-2020-8285 - libcurl: FTP wildcard stack overflow + CVE-2020-8284 - curl: trusting FTP PASV responses + +* Wed Oct 14 2020 Kamil Dudka - 7.73.0-2 +- prevent upstream test 1451 from being skipped + +* Wed Oct 14 2020 Kamil Dudka - 7.73.0-1 +- new upstream release + +* Thu Sep 10 2020 Jinoh Kang - 7.72.0-2 +- fix multiarch conflicts in libcurl-minimal (#1877671) + +* Wed Aug 19 2020 Kamil Dudka - 7.72.0-1 +- new upstream release, which fixes the following vulnerability + CVE-2020-8231 - libcurl: wrong connect-only connection + +* Thu Aug 06 2020 Kamil Dudka - 7.71.1-5 +- setopt: unset NOBODY switches to GET if still HEAD + +* Mon Jul 27 2020 Fedora Release Engineering - 7.71.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jul 13 2020 Tom Stellard - 7.71.1-3 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Fri Jul 03 2020 Kamil Dudka - 7.71.1-2 +- curl: make the --krb option work again (#1833193) + +* Wed Jul 01 2020 Kamil Dudka - 7.71.1-1 +- new upstream release + +* Wed Jun 24 2020 Kamil Dudka - 7.71.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect + CVE-2020-8177 - curl: overwrite local file with -J + +* Wed Apr 29 2020 Kamil Dudka - 7.70.0-1 +- new upstream release + +* Mon Apr 20 2020 Kamil Dudka - 7.69.1-3 +- SSH: use new ECDSA key types to check known hosts (#1824926) + +* Fri Apr 17 2020 Tom Stellard - 7.69.1-2 +- Prevent discarding of -g when compiling with clang + +* Wed Mar 11 2020 Kamil Dudka - 7.69.1-1 +- new upstream release + +* Mon Mar 09 2020 Kamil Dudka - 7.69.0-2 +- make Flatpak work again (#1810989) + +* Wed Mar 04 2020 Kamil Dudka - 7.69.0-1 +- new upstream release + +* Tue Jan 28 2020 Fedora Release Engineering - 7.68.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jan 08 2020 Kamil Dudka - 7.68.0-1 +- new upstream release + +* Thu Nov 14 2019 Kamil Dudka - 7.67.0-2 +- fix infinite loop on upload using a glob (#1771025) + +* Wed Nov 06 2019 Kamil Dudka - 7.67.0-1 +- new upstream release + +* Wed Sep 11 2019 Kamil Dudka - 7.66.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2019-5481 - double free due to subsequent call of realloc() + CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet() + +* Tue Aug 27 2019 Kamil Dudka - 7.65.3-4 +- avoid reporting spurious error in the HTTP2 framing layer (#1690971) + +* Thu Aug 01 2019 Kamil Dudka - 7.65.3-3 +- improve handling of gss_init_sec_context() failures + +* Wed Jul 24 2019 Fedora Release Engineering - 7.65.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sat Jul 20 2019 Paul Howarth - 7.65.3-1 +- new upstream release + +* Wed Jul 17 2019 Kamil Dudka - 7.65.2-1 +- new upstream release + +* Wed Jun 05 2019 Kamil Dudka - 7.65.1-1 +- new upstream release + +* Thu May 30 2019 Kamil Dudka - 7.65.0-2 +- fix spurious timeout events with speed-limit (#1714893) + +* Wed May 22 2019 Kamil Dudka - 7.65.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2019-5436 - TFTP receive buffer overflow + CVE-2019-5435 - integer overflows in curl_url_set() + +* Thu May 09 2019 Kamil Dudka - 7.64.1-2 +- do not treat failure of gss_init_sec_context() with --negotiate as fatal + +* Wed Mar 27 2019 Kamil Dudka - 7.64.1-1 +- new upstream release + +* Mon Mar 25 2019 Kamil Dudka - 7.64.0-6 +- remove verbose "Expire in" ... messages (#1690971) + +* Thu Mar 21 2019 Kamil Dudka - 7.64.0-5 +- avoid spurious "Could not resolve host: [host name]" error messages + +* Wed Feb 27 2019 Kamil Dudka - 7.64.0-4 +- fix NULL dereference if flushing cookies with no CookieInfo set (#1683676) + +* Mon Feb 25 2019 Kamil Dudka - 7.64.0-3 +- prevent NetworkManager from leaking file descriptors (#1680198) + +* Mon Feb 11 2019 Kamil Dudka - 7.64.0-2 +- make zsh completion work again + +* Wed Feb 06 2019 Kamil Dudka - 7.64.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2019-3823 - SMTP end-of-response out-of-bounds read + CVE-2019-3822 - NTLMv2 type-3 header stack buffer overflow + CVE-2018-16890 - NTLM type-2 out-of-bounds buffer read + +* Mon Feb 04 2019 Kamil Dudka - 7.63.0-7 +- prevent valgrind from reporting false positives on x86_64 + +* Thu Jan 31 2019 Fedora Release Engineering - 7.63.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 21 2019 Kamil Dudka - 7.63.0-5 +- xattr: strip credentials from any URL that is stored (CVE-2018-20483) + +* Fri Jan 04 2019 Kamil Dudka - 7.63.0-4 +- replace 0105-curl-7.63.0-libstubgss-ldadd.patch by upstream patch + +* Wed Dec 19 2018 Kamil Dudka - 7.63.0-3 +- curl -J: do not append to the destination file (#1658574) + +* Fri Dec 14 2018 Kamil Dudka - 7.63.0-2 +- revert an upstream commit that broke `fedpkg new-sources` (#1659329) + +* Wed Dec 12 2018 Kamil Dudka - 7.63.0-1 +- new upstream release + +* Wed Oct 31 2018 Kamil Dudka - 7.62.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2018-16839 - SASL password overflow via integer overflow + CVE-2018-16840 - use-after-free in handle close + CVE-2018-16842 - warning message out-of-buffer read + +* Thu Oct 11 2018 Kamil Dudka - 7.61.1-3 +- enable TLS 1.3 post-handshake auth in OpenSSL +- update the documentation of --tlsv1.0 in curl(1) man page + +* Thu Oct 04 2018 Kamil Dudka - 7.61.1-2 +- enforce versioned libpsl dependency for libcurl (#1631804) +- test320: update expected output for gnutls-3.6.4 +- drop 0105-curl-7.61.0-tests-ssh-keygen.patch no longer needed (#1622594) + +* Wed Sep 05 2018 Kamil Dudka - 7.61.1-1 +- new upstream release, which fixes the following vulnerability + CVE-2018-14618 - NTLM password overflow via integer overflow + +* Tue Sep 04 2018 Kamil Dudka - 7.61.0-8 +- make the --tls13-ciphers option work + +* Mon Aug 27 2018 Kamil Dudka - 7.61.0-7 +- tests: make ssh-keygen always produce PEM format (#1622594) + +* Wed Aug 15 2018 Kamil Dudka - 7.61.0-6 +- scp/sftp: fix infinite connect loop on invalid private key (#1595135) + +* Thu Aug 09 2018 Kamil Dudka - 7.61.0-5 +- ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) + +* Tue Aug 07 2018 Kamil Dudka - 7.61.0-4 +- relax crypto policy for the test-suite to make it pass again (#1610888) + +* Tue Jul 31 2018 Kamil Dudka - 7.61.0-3 +- disable flaky test 1900, which covers deprecated HTTP pipelining +- adapt test 323 for updated OpenSSL + +* Thu Jul 12 2018 Fedora Release Engineering - 7.61.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jul 11 2018 Kamil Dudka - 7.61.0-1 +- new upstream release, which fixes the following vulnerability + CVE-2018-0500 - SMTP send heap buffer overflow + +* Tue Jul 10 2018 Kamil Dudka - 7.60.0-3 +- enable support for brotli compression in libcurl-full + +* Wed Jul 04 2018 Kamil Dudka - 7.60.0-2 +- do not hard-wire path of the Python 3 interpreter + +* Wed May 16 2018 Kamil Dudka - 7.60.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2018-1000300 - FTP shutdown response buffer overflow + CVE-2018-1000301 - RTSP bad headers buffer over-read + +* Thu Mar 15 2018 Kamil Dudka - 7.59.0-3 +- make the test-suite use Python 3 + +* Wed Mar 14 2018 Kamil Dudka - 7.59.0-2 +- ftp: fix typo in recursive callback detection for seeking + +* Wed Mar 14 2018 Kamil Dudka - 7.59.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write + CVE-2018-1000121 - LDAP NULL pointer dereference + CVE-2018-1000122 - RTSP RTP buffer over-read + +* Mon Mar 12 2018 Kamil Dudka - 7.58.0-8 +- http2: mark the connection for close on GOAWAY + +* Mon Feb 19 2018 Paul Howarth - 7.58.0-7 +- Add explicity-used build requirements +- Fix libcurl soname version number in %%files list to avoid accidental soname + bumps + +* Thu Feb 15 2018 Paul Howarth - 7.58.0-6 +- switch to %%ldconfig_scriptlets +- drop legacy BuildRoot: and Group: tags +- enforce versioned libssh dependency for libcurl + +* Tue Feb 13 2018 Kamil Dudka - 7.58.0-5 +- drop temporary workaround for #1540549 + +* Wed Feb 07 2018 Fedora Release Engineering - 7.58.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Jan 31 2018 Kamil Dudka - 7.58.0-3 +- temporarily work around internal compiler error on x86_64 (#1540549) +- disable brp-ldconfig to make RemovePathPostfixes work with shared libs again + +* Wed Jan 24 2018 Andreas Schneider - 7.58.0-2 +- use libssh (instead of libssh2) to implement SCP/SFTP in libcurl (#1531483) + +* Wed Jan 24 2018 Kamil Dudka - 7.58.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read + CVE-2018-1000007 - curl: HTTP authentication leak in redirects + +* Wed Nov 29 2017 Kamil Dudka - 7.57.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2017-8816 - curl: NTLM buffer overflow via integer overflow + CVE-2017-8817 - curl: FTP wildcard out of bounds read + CVE-2017-8818 - curl: SSL out of buffer access + +* Mon Oct 23 2017 Kamil Dudka - 7.56.1-1 +- new upstream release (fixes CVE-2017-1000257) + +* Wed Oct 04 2017 Kamil Dudka - 7.56.0-1 +- new upstream release (fixes CVE-2017-1000254) + +* Mon Aug 28 2017 Kamil Dudka - 7.55.1-5 +- apply the patch for the previous commit and fix its name (#1485702) + +* Mon Aug 28 2017 Bastien Nocera - 7.55.1-4 +- Fix NetworkManager connectivity check not working (#1485702) + +* Tue Aug 22 2017 Kamil Dudka 7.55.1-3 +- utilize system wide crypto policies for TLS (#1483972) + +* Tue Aug 15 2017 Kamil Dudka 7.55.1-2 +- make zsh completion work again + +* Mon Aug 14 2017 Kamil Dudka 7.55.1-1 +- new upstream release + +* Wed Aug 09 2017 Kamil Dudka 7.55.0-1 +- drop multilib fix for libcurl header files no longer needed +- new upstream release, which fixes the following vulnerabilities + CVE-2017-1000099 - FILE buffer read out of bounds + CVE-2017-1000100 - TFTP sends more than buffer size + CVE-2017-1000101 - URL globbing out of bounds read + +* Wed Aug 02 2017 Fedora Release Engineering - 7.54.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Fri Jul 28 2017 Florian Weimer - 7.54.1-7 +- Rebuild with fixed binutils (#1475636) + +* Fri Jul 28 2017 Igor Gnatenko - 7.54.1-6 +- Enable separate debuginfo back + +* Thu Jul 27 2017 Kamil Dudka 7.54.1-5 +- rebuild to fix broken linkage of cmake on ppc64le + +* Wed Jul 26 2017 Kamil Dudka 7.54.1-4 +- avoid build failure caused broken RPM code that produces debuginfo packages + +* Wed Jul 26 2017 Fedora Release Engineering - 7.54.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jun 19 2017 Kamil Dudka 7.54.1-2 +- enforce versioned openssl-libs dependency for libcurl (#1462184) + +* Wed Jun 14 2017 Kamil Dudka 7.54.1-1 +- new upstream release + +* Tue May 16 2017 Kamil Dudka 7.54.0-5 +- add *-full provides for curl and libcurl to make them explicitly installable + +* Thu May 04 2017 Kamil Dudka 7.54.0-4 +- make curl-minimal require a new enough version of libcurl + +* Thu Apr 27 2017 Kamil Dudka 7.54.0-3 +- switch the TLS backend back to OpenSSL (#1445153) + +* Tue Apr 25 2017 Kamil Dudka 7.54.0-2 +- nss: use libnssckbi.so as the default source of trust +- nss: do not leak PKCS #11 slot while loading a key (#1444860) + +* Thu Apr 20 2017 Kamil Dudka 7.54.0-1 +- new upstream release (fixes CVE-2017-7468) + +* Thu Apr 13 2017 Paul Howarth 7.53.1-7 +- add %%post and %%postun scriptlets for libcurl-minimal +- libcurl-minimal provides both libcurl and libcurl%%{?_isa} +- remove some legacy spec file cruft + +* Wed Apr 12 2017 Kamil Dudka 7.53.1-6 +- provide (lib)curl-minimal subpackages with lightweight build of (lib)curl + +* Mon Apr 10 2017 Kamil Dudka 7.53.1-5 +- disable upstream test 2033 (flaky test for HTTP/1 pipelining) + +* Fri Apr 07 2017 Kamil Dudka 7.53.1-4 +- fix out of bounds read in curl --write-out (CVE-2017-7407) + +* Mon Mar 06 2017 Kamil Dudka 7.53.1-3 +- make the dependency on nss-pem arch-specific (#1428550) + +* Thu Mar 02 2017 Kamil Dudka 7.53.1-2 +- re-enable valgrind on ix86 because sqlite is fixed (#1428286) + +* Fri Feb 24 2017 Kamil Dudka 7.53.1-1 +- new upstream release + +* Wed Feb 22 2017 Kamil Dudka 7.53.0-1 +- do not use valgrind on ix86 until sqlite is rebuilt by patched GCC (#1423434) +- new upstream release (fixes CVE-2017-2629) + +* Fri Feb 10 2017 Fedora Release Engineering - 7.52.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Dec 23 2016 Kamil Dudka 7.52.1-1 +- new upstream release (fixes CVE-2016-9586) + +* Mon Nov 21 2016 Kamil Dudka 7.51.0-3 +- map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719) + +* Tue Nov 15 2016 Kamil Dudka 7.51.0-2 +- stricter host name checking for file:// URLs +- ssh: check md5 fingerprints case insensitively + +* Wed Nov 02 2016 Kamil Dudka 7.51.0-1 +- temporarily disable failing libidn2 test-cases +- new upstream release, which fixes the following vulnerabilities + CVE-2016-8615 - Cookie injection for other servers + CVE-2016-8616 - Case insensitive password comparison + CVE-2016-8617 - Out-of-bounds write via unchecked multiplication + CVE-2016-8618 - Double-free in curl_maprintf + CVE-2016-8619 - Double-free in krb5 code + CVE-2016-8620 - Glob parser write/read out of bounds + CVE-2016-8621 - curl_getdate out-of-bounds read + CVE-2016-8622 - URL unescape heap overflow via integer truncation + CVE-2016-8623 - Use-after-free via shared cookies + CVE-2016-8624 - Invalid URL parsing with '#' + CVE-2016-8625 - IDNA 2003 makes curl use wrong host + +* Thu Oct 20 2016 Kamil Dudka 7.50.3-3 +- drop 0103-curl-7.50.0-stunnel.patch no longer needed + +* Fri Oct 07 2016 Kamil Dudka 7.50.3-2 +- use the just built version of libcurl while generating zsh completion + +* Wed Sep 14 2016 Kamil Dudka 7.50.3-1 +- new upstream release (fixes CVE-2016-7167) + +* Wed Sep 07 2016 Kamil Dudka 7.50.2-1 +- new upstream release + +* Fri Aug 26 2016 Kamil Dudka 7.50.1-2 +- work around race condition in PK11_FindSlotByName() +- fix incorrect use of a previously loaded certificate from file + (related to CVE-2016-5420) + +* Wed Aug 03 2016 Kamil Dudka 7.50.1-1 +- new upstream release (fixes CVE-2016-5419, CVE-2016-5420, and CVE-2016-5421) + +* Tue Jul 26 2016 Kamil Dudka 7.50.0-2 +- run HTTP/2 tests on all architectures (#1360319 now worked around in nghttp2) + +* Thu Jul 21 2016 Kamil Dudka 7.50.0-1 +- run HTTP/2 tests only on Intel for now to work around #1358845 +- require nss-pem because it is no longer included in the nss package (#1347336) +- fix HTTPS and FTPS tests (work around stunnel bug #1358810) +- new upstream release + +* Fri Jun 17 2016 Kamil Dudka 7.49.1-3 +- use multilib-rpm-config to install arch-dependent header files + +* Fri Jun 03 2016 Kamil Dudka 7.49.1-2 +- fix SIGSEGV of the curl tool while parsing URL with too many globs (#1340757) + +* Mon May 30 2016 Kamil Dudka 7.49.1-1 +- new upstream release + +* Wed May 18 2016 Kamil Dudka 7.49.0-1 +- new upstream release + +* Wed Mar 23 2016 Kamil Dudka 7.48.0-1 +- new upstream release + +* Wed Mar 02 2016 Kamil Dudka 7.47.1-4 +- do not refuse cookies for localhost (#1308791) + +* Wed Feb 17 2016 Kamil Dudka 7.47.1-3 +- make SCP and SFTP test-cases work with up2date OpenSSH + +* Wed Feb 10 2016 Kamil Dudka 7.47.1-2 +- enable support for Public Suffix List (#1305701) + +* Mon Feb 08 2016 Kamil Dudka 7.47.1-1 +- new upstream release + +* Wed Feb 03 2016 Fedora Release Engineering - 7.47.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jan 27 2016 Kamil Dudka 7.47.0-1 +- new upstream release (fixes CVE-2016-0755) + +* Fri Dec 4 2015 Kamil Dudka 7.46.0-2 +- own /usr/share/zsh/site-functions instead of requiring zsh (#1288529) + +* Wed Dec 2 2015 Kamil Dudka 7.46.0-1 +- disable silent builds (suggested by Paul Howarth) +- use default port numbers when running the upstream test-suite +- install zsh completion script +- new upstream release + +* Wed Oct 7 2015 Paul Howarth 7.45.0-1 +- new upstream release +- drop %%defattr, redundant since rpm 4.4 + +* Fri Sep 18 2015 Kamil Dudka 7.44.0-2 +- prevent NSS from incorrectly re-using a session (#1104597) + +* Wed Aug 12 2015 Kamil Dudka 7.44.0-1 +- new upstream release + +* Thu Jul 30 2015 Kamil Dudka 7.43.0-3 +- prevent dnf from crashing when using both FTP and HTTP (#1248389) + +* Thu Jul 16 2015 Kamil Dudka 7.43.0-2 +- build support for the HTTP/2 protocol + +* Wed Jun 17 2015 Kamil Dudka 7.43.0-1 +- new upstream release (fixes CVE-2015-3236 and CVE-2015-3237) + +* Wed Jun 17 2015 Fedora Release Engineering - 7.42.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Fri Jun 05 2015 Kamil Dudka 7.42.1-2 +- curl-config --libs now works on x86_64 without libcurl-devel.x86_64 (#1228363) + +* Wed Apr 29 2015 Kamil Dudka 7.42.1-1 +- new upstream release (fixes CVE-2015-3153) + +* Wed Apr 22 2015 Kamil Dudka 7.42.0-1 +- new upstream release (fixes CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, + and CVE-2015-3148) +- implement public key pinning for NSS backend (#1195771) +- do not run flaky test-cases in %%check + +* Wed Feb 25 2015 Kamil Dudka 7.41.0-1 +- new upstream release +- include extern-scan.pl to make test1135 succeed (upstream commit 1514b718) + +* Mon Feb 23 2015 Kamil Dudka 7.40.0-3 +- fix a spurious connect failure on dual-stacked hosts (#1187531) + +* Sat Feb 21 2015 Till Maas - 7.40.0-2 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Thu Jan 08 2015 Kamil Dudka 7.40.0-1 +- new upstream release (fixes CVE-2014-8150) + +* Wed Nov 05 2014 Kamil Dudka 7.39.0-1 +- new upstream release (fixes CVE-2014-3707) + +* Tue Oct 21 2014 Kamil Dudka 7.38.0-2 +- fix a connection failure when FTPS handle is reused + +* Wed Sep 10 2014 Kamil Dudka 7.38.0-1 +- new upstream release (fixes CVE-2014-3613 and CVE-2014-3620) + +* Sat Aug 16 2014 Fedora Release Engineering - 7.37.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Aug 13 2014 Rex Dieter 7.37.1-2 +- include arch'd Requires/Provides + +* Wed Jul 16 2014 Kamil Dudka 7.37.1-1 +- new upstream release +- fix endless loop with GSSAPI proxy auth (patches by David Woodhouse, #1118751) + +* Fri Jul 11 2014 Tom Callaway 7.37.0-4 +- fix license handling + +* Fri Jul 04 2014 Kamil Dudka 7.37.0-3 +- various SSL-related fixes (mainly crash on connection failure) + +* Sat Jun 07 2014 Fedora Release Engineering - 7.37.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 21 2014 Kamil Dudka 7.37.0-1 +- new upstream release + +* Fri May 09 2014 Kamil Dudka 7.36.0-4 +- auth failure on duplicated 'WWW-Authenticate: Negotiate' header (#1093348) + +* Fri Apr 25 2014 Kamil Dudka 7.36.0-3 +- nss: implement non-blocking SSL handshake + +* Wed Apr 02 2014 Kamil Dudka 7.36.0-2 +- extend URL parser to support IPv6 zone identifiers (#680996) + +* Wed Mar 26 2014 Kamil Dudka 7.36.0-1 +- new upstream release (fixes CVE-2014-0138) + +* Mon Mar 17 2014 Paul Howarth 7.35.0-5 +- add all perl build requirements for the test suite, in a portable way + +* Mon Mar 17 2014 Kamil Dudka 7.35.0-4 +- add BR for perl-Digest-MD5, which is required by the test-suite + +* Wed Mar 05 2014 Kamil Dudka 7.35.0-3 +- avoid spurious failure of test1086 on s390(x) koji builders (#1072273) + +* Tue Feb 25 2014 Kamil Dudka 7.35.0-2 +- refresh expired cookie in test172 from upstream test-suite (#1068967) + +* Wed Jan 29 2014 Kamil Dudka 7.35.0-1 +- new upstream release (fixes CVE-2014-0015) + +* Wed Dec 18 2013 Kamil Dudka 7.34.0-1 +- new upstream release + +* Mon Dec 02 2013 Kamil Dudka 7.33.0-2 +- allow to use TLS > 1.0 if built against recent NSS + +* Mon Oct 14 2013 Kamil Dudka 7.33.0-1 +- new upstream release +- fix missing initialization in NTLM code causing test 906 to fail +- fix missing initialization in SSH code causing test 619 to fail + +* Fri Oct 11 2013 Kamil Dudka 7.32.0-3 +- do not limit the speed of SCP upload on a fast connection + +* Mon Sep 09 2013 Kamil Dudka 7.32.0-2 +- avoid delay if FTP is aborted in CURLOPT_HEADERFUNCTION callback (#1005686) + +* Mon Aug 12 2013 Kamil Dudka 7.32.0-1 +- new upstream release +- make sure that NSS is initialized prior to calling PK11_GenerateRandom() + +* Sat Aug 03 2013 Fedora Release Engineering - 7.31.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Jul 09 2013 Kamil Dudka 7.31.0-4 +- mention all option listed in 'curl --help' in curl.1 man page + +* Tue Jul 02 2013 Kamil Dudka 7.31.0-3 +- restore the functionality of 'curl -u :' + +* Wed Jun 26 2013 Kamil Dudka 7.31.0-2 +- build the curl tool with metalink support + +* Sat Jun 22 2013 Kamil Dudka 7.31.0-1 +- new upstream release (fixes CVE-2013-2174) + +* Fri Apr 26 2013 Kamil Dudka 7.30.0-2 +- prevent an artificial timeout event due to stale speed-check data (#906031) + +* Fri Apr 12 2013 Kamil Dudka 7.30.0-1 +- new upstream release (fixes CVE-2013-1944) +- prevent test-suite failure due to using non-default port ranges in tests + +* Tue Mar 12 2013 Kamil Dudka 7.29.0-4 +- do not ignore poll() failures other than EINTR (#919127) +- curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag (#919127) + +* Wed Mar 06 2013 Kamil Dudka 7.29.0-3 +- switch SSL socket into non-blocking mode after handshake +- drop the hide_selinux.c hack no longer needed in %%check + +* Fri Feb 22 2013 Kamil Dudka 7.29.0-2 +- fix a SIGSEGV when closing an unused multi handle (#914411) + +* Wed Feb 06 2013 Kamil Dudka 7.29.0-1 +- new upstream release (fixes CVE-2013-0249) + +* Tue Jan 15 2013 Kamil Dudka 7.28.1-3 +- require valgrind for build only on i386 and x86_64 (#886891) + +* Tue Jan 15 2013 Kamil Dudka 7.28.1-2 +- prevent NSS from crashing on client auth hook failure +- clear session cache if a client cert from file is used +- fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE + +* Tue Nov 20 2012 Kamil Dudka 7.28.1-1 +- new upstream release + +* Wed Oct 31 2012 Kamil Dudka 7.28.0-1 +- new upstream release + +* Mon Oct 01 2012 Kamil Dudka 7.27.0-3 +- use the upstream facility to disable problematic tests +- do not crash if MD5 fingerprint is not provided by libssh2 + +* Wed Aug 01 2012 Kamil Dudka 7.27.0-2 +- eliminate unnecessary inotify events on upload via file protocol (#844385) + +* Sat Jul 28 2012 Kamil Dudka 7.27.0-1 +- new upstream release + +* Mon Jul 23 2012 Kamil Dudka 7.26.0-6 +- print reason phrase from HTTP status line on error (#676596) + +* Wed Jul 18 2012 Fedora Release Engineering - 7.26.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sat Jun 09 2012 Kamil Dudka 7.26.0-4 +- fix duplicated SSL handshake with multi interface and proxy (#788526) + +* Wed May 30 2012 Karsten Hopp 7.26.0-3 +- disable test 1319 on ppc64, server times out + +* Mon May 28 2012 Kamil Dudka 7.26.0-2 +- use human-readable error messages provided by NSS (upstream commit 72f4b534) + +* Fri May 25 2012 Kamil Dudka 7.26.0-1 +- new upstream release + +* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 +- valgrind on ppc64 works fine, disable ppc32 only + +* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 +- drop BR valgrind on PPC(64) until bugzilla #810992 gets fixed + +* Fri Apr 13 2012 Kamil Dudka 7.25.0-2 +- use NSS_InitContext() to initialize NSS if available (#738456) +- provide human-readable names for NSS errors (upstream commit a60edcc6) + +* Fri Mar 23 2012 Paul Howarth 7.25.0-1 +- new upstream release (#806264) +- fix character encoding of docs with a patch rather than just iconv +- update debug and multilib patches +- don't use macros for commands +- reduce size of %%prep output for readability + +* Tue Jan 24 2012 Kamil Dudka 7.24.0-1 +- new upstream release (fixes CVE-2012-0036) + +* Thu Jan 05 2012 Paul Howarth 7.23.0-6 +- rebuild for gcc 4.7 + +* Mon Jan 02 2012 Kamil Dudka 7.23.0-5 +- upstream patch that allows to run FTPS tests with nss-3.13 (#760060) + +* Tue Dec 27 2011 Kamil Dudka 7.23.0-4 +- allow to run FTPS tests with nss-3.13 (#760060) + +* Sun Dec 25 2011 Kamil Dudka 7.23.0-3 +- avoid unnecessary timeout event when waiting for 100-continue (#767490) + +* Mon Nov 21 2011 Kamil Dudka 7.23.0-2 +- curl -JO now uses -O name if no C-D header comes (upstream commit c532604) + +* Wed Nov 16 2011 Kamil Dudka 7.23.0-1 +- new upstream release (#754391) + +* Mon Sep 19 2011 Kamil Dudka 7.22.0-2 +- nss: select client certificates by DER (#733657) + +* Tue Sep 13 2011 Kamil Dudka 7.22.0-1 +- new upstream release +- curl-config now provides dummy --static-libs option (#733956) + +* Sun Aug 21 2011 Paul Howarth 7.21.7-4 +- actually fix SIGSEGV of curl -O -J given more than one URL (#723075) + +* Mon Aug 15 2011 Kamil Dudka 7.21.7-3 +- fix SIGSEGV of curl -O -J given more than one URL (#723075) +- introduce the --delegation option of curl (#730444) +- initialize NSS with no database if the selected database is broken (#728562) + +* Wed Aug 03 2011 Kamil Dudka 7.21.7-2 +- add a new option CURLOPT_GSSAPI_DELEGATION (#719939) + +* Thu Jun 23 2011 Kamil Dudka 7.21.7-1 +- new upstream release (fixes CVE-2011-2192) + +* Wed Jun 08 2011 Kamil Dudka 7.21.6-2 +- avoid an invalid timeout event on a reused handle (#679709) + +* Sat Apr 23 2011 Paul Howarth 7.21.6-1 +- new upstream release + +* Mon Apr 18 2011 Kamil Dudka 7.21.5-2 +- fix the output of curl-config --version (upstream commit 82ecc85) + +* Mon Apr 18 2011 Kamil Dudka 7.21.5-1 +- new upstream release + +* Sat Apr 16 2011 Peter Robinson 7.21.4-4 +- no valgrind on ARMv5 arches + +* Sat Mar 05 2011 Dennis Gilmore 7.21.4-3 +- no valgrind on sparc arches + +* Tue Feb 22 2011 Kamil Dudka 7.21.4-2 +- do not ignore failure of SSL handshake (upstream commit 7aa2d10) + +* Fri Feb 18 2011 Kamil Dudka 7.21.4-1 +- new upstream release +- avoid memory leak on SSL connection failure (upstream commit a40f58d) +- work around valgrind bug (#678518) + +* Tue Feb 08 2011 Fedora Release Engineering - 7.21.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 12 2011 Kamil Dudka 7.21.3-2 +- build libcurl with --enable-hidden-symbols + +* Thu Dec 16 2010 Paul Howarth 7.21.3-1 +- update to 7.21.3: + - added --noconfigure switch to testcurl.pl + - added --xattr option + - added CURLOPT_RESOLVE and --resolve + - added CURLAUTH_ONLY + - added version-check.pl to the examples dir + - check for libcurl features for some command line options + - Curl_setopt: disallow CURLOPT_USE_SSL without SSL support + - http_chunks: remove debug output + - URL-parsing: consider ? a divider + - SSH: avoid using the libssh2_ prefix + - SSH: use libssh2_session_handshake() to work on win64 + - ftp: prevent server from hanging on closed data connection when stopping + a transfer before the end of the full transfer (ranges) + - LDAP: detect non-binary attributes properly + - ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT + - gnutls->handshake: improved timeout handling + - security: pass the right parameter to init + - krb5: use GSS_ERROR to check for error + - TFTP: resend the correct data + - configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected + - GnuTLS: now detects socket errors on Windows + - symbols-in-versions: updated en masse + - added a couple of examples that were missing from the tarball + - Curl_send/recv_plain: return errno on failure + - Curl_wait_for_resolv (for c-ares): correct timeout + - ossl_connect_common: detect connection re-use + - configure: prevent link errors with --librtmp + - openldap: use remote port in URL passed to ldap_init_fd() + - url: provide dead_connection flag in Curl_handler::disconnect + - lots of compiler warning fixes + - ssh: fix a download resume point calculation + - fix getinfo CURLINFO_LOCAL* for reused connections + - multi: the returned running handles counter could turn negative + - multi: only ever consider pipelining for connections doing HTTP(S) +- drop upstream patches now in tarball +- update bz650255 and disable-test1112 patches to apply against new codebase +- add workaround for false-positive glibc-detected buffer overflow in tftpd + test server with FORTIFY_SOURCE (similar to #515361) + +* Fri Nov 12 2010 Kamil Dudka 7.21.2-5 +- do not send QUIT to a dead FTP control connection (#650255) +- pull back glibc's implementation of str[n]casecmp(), #626470 appears fixed + +* Tue Nov 09 2010 Kamil Dudka 7.21.2-4 +- prevent FTP client from hanging on unrecognized ABOR response (#649347) +- return more appropriate error code in case FTP server session idle + timeout has exceeded (#650255) + +* Fri Oct 29 2010 Kamil Dudka 7.21.2-3 +- prevent FTP server from hanging on closed data connection (#643656) + +* Thu Oct 14 2010 Paul Howarth 7.21.2-2 +- enforce versioned libssh2 dependency for libcurl (#642796) + +* Wed Oct 13 2010 Kamil Dudka 7.21.2-1 +- new upstream release, drop applied patches +- make 0102-curl-7.21.2-debug.patch less intrusive + +* Wed Sep 29 2010 jkeating - 7.21.1-6 +- Rebuilt for gcc bug 634757 + +* Sat Sep 11 2010 Kamil Dudka 7.21.1-5 +- make it possible to run SCP/SFTP tests on x86_64 (#632914) + +* Tue Sep 07 2010 Kamil Dudka 7.21.1-4 +- work around glibc/valgrind problem on x86_64 (#631449) + +* Tue Aug 24 2010 Paul Howarth 7.21.1-3 +- fix up patches so there's no need to run autotools in the rpm build +- drop buildreq automake +- drop dependency on automake for devel package from F-14, where + %%{_datadir}/aclocal is included in the filesystem package +- drop dependency on pkgconfig for devel package from F-11, where + pkgconfig dependencies are auto-generated + +* Mon Aug 23 2010 Kamil Dudka 7.21.1-2 +- re-enable test575 on s390(x), already fixed (upstream commit d63bdba) +- modify system headers to work around gcc bug (#617757) +- curl -T now ignores file size of special files (#622520) +- fix kerberos proxy authentication for https (#625676) +- work around glibc/valgrind problem on x86_64 (#626470) + +* Thu Aug 12 2010 Kamil Dudka 7.21.1-1 +- new upstream release + +* Mon Jul 12 2010 Dan Horák 7.21.0-3 +- disable test 575 on s390(x) + +* Mon Jun 28 2010 Kamil Dudka 7.21.0-2 +- add support for NTLM authentication (#603783) + +* Wed Jun 16 2010 Kamil Dudka 7.21.0-1 +- new upstream release, drop applied patches +- update of %%description +- disable valgrind for certain test-cases (libssh2 problem) + +* Tue May 25 2010 Kamil Dudka 7.20.1-6 +- fix -J/--remote-header-name to strip CR-LF (upstream patch) + +* Wed Apr 28 2010 Kamil Dudka 7.20.1-5 +- CRL support now works again (#581926) +- make it possible to start a testing OpenSSH server when building with SELinux + in the enforcing mode (#521087) + +* Sat Apr 24 2010 Kamil Dudka 7.20.1-4 +- upstream patch preventing failure of test536 with threaded DNS resolver +- upstream patch preventing SSL handshake timeout underflow + +* Thu Apr 22 2010 Paul Howarth 7.20.1-3 +- replace Rawhide s390-sleep patch with a more targeted patch adding a + delay after tests 513 and 514 rather than after all tests + +* Wed Apr 21 2010 Kamil Dudka 7.20.1-2 +- experimentally enabled threaded DNS lookup +- make curl-config multilib ready again (#584107) + +* Mon Apr 19 2010 Kamil Dudka 7.20.1-1 +- new upstream release + +* Tue Mar 23 2010 Kamil Dudka 7.20.0-4 +- add missing quote in libcurl.m4 (#576252) + +* Fri Mar 19 2010 Kamil Dudka 7.20.0-3 +- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972) +- valgrind temporarily disabled (#574889) +- kerberos installation prefix has been changed + +* Wed Feb 24 2010 Kamil Dudka 7.20.0-2 +- exclude test1112 from the test suite (#565305) + +* Thu Feb 11 2010 Kamil Dudka 7.20.0-1 +- new upstream release - added support for IMAP(S), POP3(S), SMTP(S) and RTSP +- dropped patches applied upstream +- dropped curl-7.16.0-privlibs.patch no longer useful +- a new patch forcing -lrt when linking the curl tool and test-cases + +* Fri Jan 29 2010 Kamil Dudka 7.19.7-11 +- upstream patch adding a new option -J/--remote-header-name +- dropped temporary workaround for #545779 + +* Thu Jan 14 2010 Chris Weyl 7.19.7-10 +- bump for libssh2 rebuild + +* Sun Dec 20 2009 Kamil Dudka 7.19.7-9 +- temporary workaround for #548269 + (restored behavior of 7.19.7-4) + +* Wed Dec 09 2009 Kamil Dudka 7.19.7-8 +- replace hard wired port numbers in the test suite + +* Wed Dec 09 2009 Kamil Dudka 7.19.7-7 +- use different port numbers for 32bit and 64bit builds +- temporary workaround for #545779 + +* Tue Dec 08 2009 Kamil Dudka 7.19.7-6 +- make it possible to run test241 +- re-enable SCP/SFTP tests (#539444) + +* Sat Dec 05 2009 Kamil Dudka 7.19.7-5 +- avoid use of uninitialized value in lib/nss.c +- suppress failure of test513 on s390 + +* Tue Dec 01 2009 Kamil Dudka 7.19.7-4 +- do not require valgrind on s390 and s390x +- temporarily disabled SCP/SFTP test-suite (#539444) + +* Thu Nov 12 2009 Kamil Dudka 7.19.7-3 +- fix crash on doubly closed NSPR descriptor, patch contributed + by Kevin Baughman (#534176) +- new version of patch for broken TLS servers (#525496, #527771) + +* Wed Nov 04 2009 Kamil Dudka 7.19.7-2 +- increased release number (CVS problem) + +* Wed Nov 04 2009 Kamil Dudka 7.19.7-1 +- new upstream release, dropped applied patches +- workaround for broken TLS servers (#525496, #527771) + +* Wed Oct 14 2009 Kamil Dudka 7.19.6-13 +- fix timeout issues and gcc warnings within lib/nss.c + +* Tue Oct 06 2009 Kamil Dudka 7.19.6-12 +- upstream patch for NSS support written by Guenter Knauf + +* Wed Sep 30 2009 Kamil Dudka 7.19.6-11 +- build libcurl with c-ares support (#514771) + +* Sun Sep 27 2009 Kamil Dudka 7.19.6-10 +- require libssh2>=1.2 properly (#525002) + +* Sat Sep 26 2009 Kamil Dudka 7.19.6-9 +- let curl test-suite use valgrind +- require libssh2>=1.2 (#525002) + +* Mon Sep 21 2009 Chris Weyl - 7.19.6-8 +- rebuild for libssh2 1.2 + +* Thu Sep 17 2009 Kamil Dudka 7.19.6-7 +- make curl test-suite more verbose + +* Wed Sep 16 2009 Kamil Dudka 7.19.6-6 +- update polling patch to the latest upstream version + +* Thu Sep 03 2009 Kamil Dudka 7.19.6-5 +- cover ssh and stunnel support by the test-suite + +* Wed Sep 02 2009 Kamil Dudka 7.19.6-4 +- use pkg-config to find nss and libssh2 if possible +- better patch (not only) for SCP/SFTP polling +- improve error message for not matching common name (#516056) + +* Fri Aug 21 2009 Kamil Dudka 7.19.6-3 +- avoid tight loop during a sftp upload +- http://permalink.gmane.org/gmane.comp.web.curl.library/24744 + +* Tue Aug 18 2009 Kamil Dudka 7.19.6-2 +- let curl package depend on the same version of libcurl + +* Fri Aug 14 2009 Kamil Dudka 7.19.6-1 +- new upstream release, dropped applied patches +- changed NSS code to not ignore the value of ssl.verifyhost and produce more + verbose error messages (#516056) + +* Wed Aug 12 2009 Ville Skyttä - 7.19.5-10 +- Use lzma compressed upstream tarball. + +* Fri Jul 24 2009 Fedora Release Engineering - 7.19.5-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 22 2009 Kamil Dudka 7.19.5-8 +- do not pre-login to all PKCS11 slots, it causes problems with HW tokens +- try to select client certificate automatically when not specified, thanks + to Claes Jakobsson + +* Fri Jul 10 2009 Kamil Dudka 7.19.5-7 +- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson + +* Sun Jul 05 2009 Kamil Dudka 7.19.5-6 +- force test suite to use the just built libcurl, thanks to Paul Howarth + +* Thu Jul 02 2009 Kamil Dudka 7.19.5-5 +- run test suite after build +- enable built-in manual + +* Wed Jun 24 2009 Kamil Dudka 7.19.5-4 +- fix bug introduced by the last build (#504857) + +* Wed Jun 24 2009 Kamil Dudka 7.19.5-3 +- exclude curlbuild.h content from spec (#504857) + +* Wed Jun 10 2009 Kamil Dudka 7.19.5-2 +- avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857) + +* Tue May 19 2009 Kamil Dudka 7.19.5-1 +- update to 7.19.5, dropped applied patches + +* Mon May 11 2009 Kamil Dudka 7.19.4-11 +- fix infinite loop while loading a private key, thanks to Michael Cronenworth + (#453612) + +* Mon Apr 27 2009 Kamil Dudka 7.19.4-10 +- fix curl/nss memory leaks while using client certificate (#453612, accepted + by upstream) + +* Wed Apr 22 2009 Kamil Dudka 7.19.4-9 +- add missing BuildRequire for autoconf + +* Wed Apr 22 2009 Kamil Dudka 7.19.4-8 +- fix configure.ac to not discard -g in CFLAGS (#496778) + +* Tue Apr 21 2009 Debarshi Ray 7.19.4-7 +- Fixed configure to respect the environment's CFLAGS and CPPFLAGS settings. + +* Tue Apr 14 2009 Kamil Dudka 7.19.4-6 +- upstream patch fixing memory leak in lib/nss.c (#453612) +- remove redundant dependency of libcurl-devel on libssh2-devel + +* Wed Mar 18 2009 Kamil Dudka 7.19.4-5 +- enable 6 additional crypto algorithms by default (#436781, + accepted by upstream) + +* Thu Mar 12 2009 Kamil Dudka 7.19.4-4 +- fix memory leak in src/main.c (accepted by upstream) +- avoid using %%ifarch + +* Wed Mar 11 2009 Kamil Dudka 7.19.4-3 +- make libcurl-devel multilib-ready (bug #488922) + +* Fri Mar 06 2009 Jindrich Novy 7.19.4-2 +- drop .easy-leak patch, causes problems in pycurl (#488791) +- fix libcurl-devel dependencies (#488895) + +* Tue Mar 03 2009 Jindrich Novy 7.19.4-1 +- update to 7.19.4 (fixes CVE-2009-0037) +- fix leak in curl_easy* functions, thanks to Kamil Dudka +- drop nss-fix patch, applied upstream + +* Tue Feb 24 2009 Fedora Release Engineering - 7.19.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Feb 17 2009 Kamil Dudka 7.19.3-1 +- update to 7.19.3, dropped applied nss patches +- add patch fixing 7.19.3 curl/nss bugs + +* Mon Dec 15 2008 Jindrich Novy 7.18.2-9 +- rebuild for f10/rawhide cvs tag clashes + +* Sat Dec 06 2008 Jindrich Novy 7.18.2-8 +- use improved NSS patch, thanks to Rob Crittenden (#472489) + +* Tue Sep 09 2008 Jindrich Novy 7.18.2-7 +- update the thread safety patch, thanks to Rob Crittenden (#462217) + +* Wed Sep 03 2008 Warren Togami 7.18.2-6 +- add thread safety to libcurl NSS cleanup() functions (#459297) + +* Fri Aug 22 2008 Tom "spot" Callaway 7.18.2-5 +- undo mini libcurl.so.3 + +* Mon Aug 11 2008 Tom "spot" Callaway 7.18.2-4 +- make miniature library for libcurl.so.3 + +* Fri Jul 4 2008 Jindrich Novy 7.18.2-3 +- enable support for libssh2 (#453958) + +* Wed Jun 18 2008 Jindrich Novy 7.18.2-2 +- fix curl_multi_perform() over a proxy (#450140), thanks to + Rob Crittenden + +* Wed Jun 4 2008 Jindrich Novy 7.18.2-1 +- update to 7.18.2 + +* Wed May 7 2008 Jindrich Novy 7.18.1-2 +- spec cleanup, thanks to Paul Howarth (#225671) + - drop BR: libtool + - convert CHANGES and README to UTF-8 + - _GNU_SOURCE in CFLAGS is no more needed + - remove bogus rpath + +* Mon Mar 31 2008 Jindrich Novy 7.18.1-1 +- update to curl 7.18.1 (fixes #397911) +- add ABI docs for libcurl +- remove --static-libs from curl-config +- drop curl-config patch, obsoleted by @SSL_ENABLED@ autoconf + substitution (#432667) + +* Fri Feb 15 2008 Jindrich Novy 7.18.0-2 +- define _GNU_SOURCE so that NI_MAXHOST gets defined from glibc + +* Mon Jan 28 2008 Jindrich Novy 7.18.0-1 +- update to curl-7.18.0 +- drop sslgen patch -> applied upstream +- fix typo in description + +* Tue Jan 22 2008 Jindrich Novy 7.17.1-6 +- fix curl-devel obsoletes so that we don't break F8->F9 upgrade + path (#429612) + +* Tue Jan 8 2008 Jindrich Novy 7.17.1-5 +- do not attempt to close a bad socket (#427966), + thanks to Caolan McNamara + +* Tue Dec 4 2007 Jindrich Novy 7.17.1-4 +- rebuild because of the openldap soname bump +- remove old nsspem patch + +* Fri Nov 30 2007 Jindrich Novy 7.17.1-3 +- drop useless ldap library detection since curl doesn't + dlopen()s it but links to it -> BR: openldap-devel +- enable LDAPS support (#225671), thanks to Paul Howarth +- BR: krb5-devel to reenable GSSAPI support +- simplify build process +- update description + +* Wed Nov 21 2007 Jindrich Novy 7.17.1-2 +- update description to contain complete supported servers list (#393861) + +* Sat Nov 17 2007 Jindrich Novy 7.17.1-1 +- update to curl 7.17.1 +- include patch to enable SSL usage in NSS when a socket is opened + nonblocking, thanks to Rob Crittenden (rcritten@redhat.com) + +* Wed Oct 24 2007 Jindrich Novy 7.16.4-10 +- correctly provide/obsolete curl-devel (#130251) + +* Wed Oct 24 2007 Jindrich Novy 7.16.4-9 +- create libcurl and libcurl-devel subpackages (#130251) + +* Thu Oct 11 2007 Jindrich Novy 7.16.4-8 +- list features correctly when curl is compiled against NSS (#316191) + +* Mon Sep 17 2007 Jindrich Novy 7.16.4-7 +- add zlib-devel BR to enable gzip compressed transfers in curl (#292211) + +* Mon Sep 10 2007 Jindrich Novy 7.16.4-6 +- provide webclient (#225671) + +* Thu Sep 6 2007 Jindrich Novy 7.16.4-5 +- add support for the NSS PKCS#11 pem reader so the command-line is the + same for both OpenSSL and NSS by Rob Crittenden (rcritten@redhat.com) +- switch to NSS again + +* Mon Sep 3 2007 Jindrich Novy 7.16.4-4 +- revert back to use OpenSSL (#266021) + +* Mon Aug 27 2007 Jindrich Novy 7.16.4-3 +- don't use openssl, use nss instead + +* Fri Aug 10 2007 Jindrich Novy 7.16.4-2 +- fix anonymous ftp login (#251570), thanks to David Cantrell + +* Wed Jul 11 2007 Jindrich Novy 7.16.4-1 +- update to 7.16.4 + +* Mon Jun 25 2007 Jindrich Novy 7.16.3-1 +- update to 7.16.3 +- drop .print patch, applied upstream +- next series of merge review fixes by Paul Howarth +- remove aclocal stuff, no more needed +- simplify makefile arguments +- don't reference standard library paths in libcurl.pc +- include docs/CONTRIBUTE + +* Mon Jun 18 2007 Jindrich Novy 7.16.2-5 +- don't print like crazy (#236981), backported from upstream CVS + +* Fri Jun 15 2007 Jindrich Novy 7.16.2-4 +- another series of review fixes (#225671), + thanks to Paul Howarth +- check version of ldap library automatically +- don't use %%makeinstall and preserve timestamps +- drop useless patches + +* Fri May 11 2007 Jindrich Novy 7.16.2-3 +- add automake BR to curl-devel to fix aclocal dir. ownership, + thanks to Patrice Dumas + +* Thu May 10 2007 Jindrich Novy 7.16.2-2 +- package libcurl.m4 in curl-devel (#239664), thanks to Quy Tonthat + +* Wed Apr 11 2007 Jindrich Novy 7.16.2-1 +- update to 7.16.2 + +* Mon Feb 19 2007 Jindrich Novy 7.16.1-3 +- don't create/ship static libraries (#225671) + +* Mon Feb 5 2007 Jindrich Novy 7.16.1-2 +- merge review related spec fixes (#225671) + +* Mon Jan 29 2007 Jindrich Novy 7.16.1-1 +- update to 7.16.1 + +* Tue Jan 16 2007 Jindrich Novy 7.16.0-5 +- don't package generated makefiles for docs/examples to avoid + multilib conflicts + +* Mon Dec 18 2006 Jindrich Novy 7.16.0-4 +- convert spec to UTF-8 +- don't delete BuildRoot in %%prep phase +- rpmlint fixes + +* Thu Nov 16 2006 Jindrich Novy -7.16.0-3 +- prevent curl from dlopen()ing missing ldap libraries so that + ldap:// requests work (#215928) + +* Tue Oct 31 2006 Jindrich Novy - 7.16.0-2 +- fix BuildRoot +- add Requires: pkgconfig for curl-devel +- move LDFLAGS and LIBS to Libs.private in libcurl.pc.in (#213278) + +* Mon Oct 30 2006 Jindrich Novy - 7.16.0-1 +- update to curl-7.16.0 + +* Thu Aug 24 2006 Jindrich Novy - 7.15.5-1.fc6 +- update to curl-7.15.5 +- use %%{?dist} + +* Fri Jun 30 2006 Ivana Varekova - 7.15.4-1 +- update to 7.15.4 + +* Mon Mar 20 2006 Ivana Varekova - 7.15.3-1 +- fix multilib problem using pkg-config +- update to 7.15.3 + +* Thu Feb 23 2006 Ivana Varekova - 7.15.1-2 +- fix multilib problem - #181290 - + curl-devel.i386 not installable together with curl-devel.x86-64 + +* Fri Feb 10 2006 Jesse Keating - 7.15.1-1.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 7.15.1-1.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Thu Dec 8 2005 Ivana Varekova 7.15.1-1 +- update to 7.15.1 (bug 175191) + +* Wed Nov 30 2005 Ivana Varekova 7.15.0-3 +- fix curl-config bug 174556 - missing vernum value + +* Wed Nov 9 2005 Ivana Varekova 7.15.0-2 +- rebuilt + +* Tue Oct 18 2005 Ivana Varekova 7.15.0-1 +- update to 7.15.0 + +* Thu Oct 13 2005 Ivana Varekova 7.14.1-1 +- update to 7.14.1 + +* Thu Jun 16 2005 Ivana Varekova 7.14.0-1 +- rebuild new version + +* Tue May 03 2005 Ivana Varekova 7.13.1-3 +- fix bug 150768 - curl-7.12.3-2 breaks basic authentication + used Daniel Stenberg patch + +* Mon Apr 25 2005 Joe Orton 7.13.1-2 +- update to use ca-bundle in /etc/pki +- mark License as MIT not MPL + +* Wed Mar 9 2005 Ivana Varekova 7.13.1-1 +- rebuilt (7.13.1) + +* Tue Mar 1 2005 Tomas Mraz 7.13.0-2 +- rebuild with openssl-0.9.7e + +* Sun Feb 13 2005 Florian La Roche +- 7.13.0 + +* Wed Feb 9 2005 Joe Orton 7.12.3-3 +- don't pass /usr to --with-libidn to remove "-L/usr/lib" from + 'curl-config --libs' output on x86_64. + +* Fri Jan 28 2005 Adrian Havill 7.12.3-1 +- Upgrade to 7.12.3, which uses poll() for FDSETSIZE limit (#134794) +- require libidn-devel for devel subpkg (#141341) +- remove proftpd kludge; included upstream + +* Wed Oct 06 2004 Adrian Havill 7.12.1-1 +- upgrade to 7.12.1 +- enable GSSAPI auth (#129353) +- enable I18N domain names (#134595) +- workaround for broken ProFTPD SSL auth (#134133). Thanks to + Aleksandar Milivojevic + +* Wed Sep 29 2004 Adrian Havill 7.12.0-4 +- move new docs position so defattr gets applied + +* Mon Sep 27 2004 Warren Togami 7.12.0-3 +- remove INSTALL, move libcurl docs to -devel + +* Mon Jul 26 2004 Jindrich Novy +- updated to 7.12.0 +- updated nousr patch + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Wed Apr 07 2004 Adrian Havill 7.11.1-1 +- upgraded; updated nousr patch +- added COPYING (#115956) +- + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Sat Jan 31 2004 Florian La Roche +- update to 7.10.8 +- remove patch2, already upstream + +* Wed Oct 15 2003 Adrian Havill 7.10.6-7 +- aclocal before libtoolize +- move OpenLDAP license so it's present as a doc file, present in + both the source and binary as per conditions + +* Mon Oct 13 2003 Adrian Havill 7.10.6-6 +- add OpenLDAP copyright notice for usage of code, add OpenLDAP + license for this code + +* Tue Oct 07 2003 Adrian Havill 7.10.6-5 +- match serverAltName certs with SSL (#106168) + +* Tue Sep 16 2003 Adrian Havill 7.10.6-4.1 +- bump n-v-r for RHEL + +* Tue Sep 16 2003 Adrian Havill 7.10.6-4 +- restore ca cert bundle (#104400) +- require openssl, we want to use its ca-cert bundle + +* Sun Sep 7 2003 Joe Orton 7.10.6-3 +- rebuild + +* Fri Sep 5 2003 Joe Orton 7.10.6-2.2 +- fix to include libcurl.so + +* Mon Aug 25 2003 Adrian Havill 7.10.6-2.1 +- bump n-v-r for RHEL + +* Mon Aug 25 2003 Adrian Havill 7.10.6-2 +- devel subpkg needs openssl-devel as a Require (#102963) + +* Mon Jul 28 2003 Adrian Havill 7.10.6-1 +- bumped version + +* Tue Jul 01 2003 Adrian Havill 7.10.5-1 +- bumped version + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Sat Apr 12 2003 Florian La Roche +- update to 7.10.4 +- adapt nousr patch + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Tue Jan 21 2003 Joe Orton 7.9.8-4 +- don't add -L/usr/lib to 'curl-config --libs' output + +* Tue Jan 7 2003 Nalin Dahyabhai 7.9.8-3 +- rebuild + +* Wed Nov 6 2002 Joe Orton 7.9.8-2 +- fix `curl-config --libs` output for libdir!=/usr/lib +- remove docs/LIBCURL from docs list; remove unpackaged libcurl.la +- libtoolize and reconf + +* Mon Jul 22 2002 Trond Eivind Glomsrød 7.9.8-1 +- 7.9.8 (# 69473) + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Sun May 26 2002 Tim Powers +- automated rebuild + +* Thu May 16 2002 Trond Eivind Glomsrød 7.9.7-1 +- 7.9.7 + +* Wed Apr 24 2002 Trond Eivind Glomsrød 7.9.6-1 +- 7.9.6 + +* Thu Mar 21 2002 Trond Eivind Glomsrød 7.9.5-2 +- Stop the curl-config script from printing -I/usr/include + and -L/usr/lib (#59497) + +* Fri Mar 8 2002 Trond Eivind Glomsrød 7.9.5-1 +- 7.9.5 + +* Tue Feb 26 2002 Trond Eivind Glomsrød 7.9.3-2 +- Rebuild + +* Wed Jan 23 2002 Nalin Dahyabhai 7.9.3-1 +- update to 7.9.3 + +* Wed Jan 09 2002 Tim Powers 7.9.2-2 +- automated rebuild + +* Wed Jan 9 2002 Trond Eivind Glomsrød 7.9.2-1 +- 7.9.2 + +* Fri Aug 17 2001 Nalin Dahyabhai +- include curl-config in curl-devel +- update to 7.8 to fix memory leak and strlcat() symbol pollution from libcurl + +* Wed Jul 18 2001 Crutcher Dunnavant +- added openssl-devel build req + +* Mon May 21 2001 Tim Powers +- built for the distro + +* Tue Apr 24 2001 Jeff Johnson +- upgrade to curl-7.7.2. +- enable IPv6. + +* Fri Mar 2 2001 Tim Powers +- rebuilt against openssl-0.9.6-1 + +* Thu Jan 4 2001 Tim Powers +- fixed mising ldconfigs +- updated to 7.5.2, bug fixes + +* Mon Dec 11 2000 Tim Powers +- updated to 7.5.1 + +* Mon Nov 6 2000 Tim Powers +- update to 7.4.1 to fix bug #20337, problems with curl -c +- not using patch anymore, it's included in the new source. Keeping + for reference + +* Fri Oct 20 2000 Nalin Dahyabhai +- fix bogus req in -devel package + +* Fri Oct 20 2000 Tim Powers +- devel package needed defattr so that root owns the files + +* Mon Oct 16 2000 Nalin Dahyabhai +- update to 7.3 +- apply vsprintf/vsnprintf patch from Colin Phipps via Debian + +* Mon Aug 21 2000 Nalin Dahyabhai +- enable SSL support +- fix packager tag +- move buildroot to %%{_tmppath} + +* Tue Aug 1 2000 Tim Powers +- fixed vendor tag for bug #15028 + +* Mon Jul 24 2000 Prospector +- rebuilt + +* Tue Jul 11 2000 Tim Powers +- workaround alpha build problems with optimizations + +* Mon Jul 10 2000 Tim Powers +- rebuilt + +* Mon Jun 5 2000 Tim Powers +- put man pages in correct place +- use %%makeinstall + +* Mon Apr 24 2000 Tim Powers +- updated to 6.5.2 + +* Wed Nov 3 1999 Tim Powers +- updated sources to 6.2 +- gzip man page + +* Mon Aug 30 1999 Tim Powers +- changed group + +* Thu Aug 26 1999 Tim Powers +- changelog started +- general cleanups, changed prefix to /usr, added manpage to files section +- including in Powertools