Resolves: CVE-2023-27535 - adapt the fix for RHEL 9 curl

... where USE_SSH is not defined. The problem with the backport was detected by OpenScanHub: https://cov01.lab.eng.brq2.redhat.com/covscanhub/task/279249//log/added.html
2023-04-12 16:34:17 +02:00 · 2023-04-12 16:34:17 +02:00 · 40387c061f
commit 40387c061f
parent d35c512f12
4 changed files with 14 additions and 18 deletions
--- a/0027-curl-7.76.1-CVE-2023-27535.patch
+++ b/0027-curl-7.76.1-CVE-2023-27535.patch
@ -83,9 +83,9 @@ Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 lib/ftp.c     | 28 ++++++++++++++++++++++++++--
 lib/ftp.h     |  5 +++++
 lib/setopt.c  |  2 +-
- lib/url.c     | 16 +++++++++++++++-
+ lib/url.c     | 12 ++++++++++++
 lib/urldata.h |  4 ++--
- 5 files changed, 49 insertions(+), 6 deletions(-)
+ 5 files changed, 46 insertions(+), 5 deletions(-)
 diff --git a/lib/ftp.c b/lib/ftp.c
 index 9442832..df15bc0 100644
@ -184,17 +184,10 @@ diff --git a/lib/url.c b/lib/url.c
 index 61ba832..4e21838 100644
 --- a/lib/url.c
 +++ b/lib/url.c
-@@ -1325,10 +1325,24 @@ ConnectionExists(struct Curl_easy *data,
+@@ -1329,6 +1329,18 @@ ConnectionExists(struct Curl_easy *data,
         }
       }
 -      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
 +#ifdef USE_SSH
 +      else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
         if(!ssh_config_matches(needle, check))
           continue;
       }
 +#endif
 +#ifndef CURL_DISABLE_FTP
 +      else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) {
 +        /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
--- a/0028-curl-7.76.1-CVE-2023-27536.patch
+++ b/0028-curl-7.76.1-CVE-2023-27536.patch
@ -26,10 +26,10 @@ index 3b11b7e..cbbc7f3 100644
 +      if(needle->gssapi_delegation != check->gssapi_delegation)
 +        continue;
 +
- #ifdef USE_SSH
+       if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
       else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
         if(!ssh_config_matches(needle, check))
-@@ -1787,6 +1792,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+           continue;
@@ -1785,6 +1790,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
   conn->fclosesocket = data->set.fclosesocket;
   conn->closesocket_client = data->set.closesocket_client;
   conn->lastused = Curl_now(); /* used now */
--- a/0029-curl-7.76.1-CVE-2023-27538.patch
+++ b/0029-curl-7.76.1-CVE-2023-27538.patch
@ -16,12 +16,12 @@ diff --git a/lib/url.c b/lib/url.c
 index 0c31486..3b11b7e 100644
 --- a/lib/url.c
 +++ b/lib/url.c
-@@ -1331,7 +1331,7 @@ ConnectionExists(struct Curl_easy *data,
+@@ -1330,7 +1330,7 @@ ConnectionExists(struct Curl_easy *data,
       if(needle->gssapi_delegation != check->gssapi_delegation)
         continue;
- #ifdef USE_SSH
+-      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
-      else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+      if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
 +      else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
         if(!ssh_config_matches(needle, check))
           continue;
       }
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
@ -517,6 +517,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
 * Wed Apr 12 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-25
 - adapt the fix of CVE-2023-27535 for RHEL 9 curl
 * Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-24
 - fix SSH connection too eager reuse still (CVE-2023-27538)
 - fix GSS delegation too eager connection re-use (CVE-2023-27536)