From 41e53af0b6acfaeadef443d340b5953414533ded Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 24 Aug 2021 22:25:02 +0000
Subject: [PATCH] import curl-7.61.1-21.el8
---
SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch | 116 +++
SOURCES/0030-curl-7.61.1-file-head.patch | 693 ++++++++++++++++++
SOURCES/0032-curl-7.61.1-CVE-2021-22898.patch | 31 +
SOURCES/0033-curl-7.61.1-CVE-2021-22925.patch | 47 ++
SPECS/curl.spec | 29 +-
5 files changed, 914 insertions(+), 2 deletions(-)
create mode 100644 SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch
create mode 100644 SOURCES/0030-curl-7.61.1-file-head.patch
create mode 100644 SOURCES/0032-curl-7.61.1-CVE-2021-22898.patch
create mode 100644 SOURCES/0033-curl-7.61.1-CVE-2021-22925.patch
diff --git a/SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch b/SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch
new file mode 100644
index 0000000..dbd2496
--- /dev/null
+++ b/SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch
@@ -0,0 +1,116 @@ +From 239f8d93866605b05f4e6b551f4327dc7fcb922b Mon Sep 17 00:00:00 2001 +From: Viktor Szakats +Date: Tue, 23 Feb 2021 14:54:46 +0100 +Subject: [PATCH 1/2] transfer: strip credentials from the auto-referer header + field + +Added test 2081 to verify. + +CVE-2021-22876 + +Bug: https://curl.se/docs/CVE-2021-22876.html + +Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c +Signed-off-by: Kamil Dudka +--- + lib/transfer.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index ecd1063..263b178 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1473,6 +1473,7 @@ CURLcode Curl_follow(struct Curl_easy *data, + /* Location: redirect */ + bool disallowport = FALSE; + bool reachedmax = FALSE; ++ CURLUcode uc; + + if(type == FOLLOW_REDIR) { + if((data->set.maxredirs != -1) && +@@ -1488,6 +1489,9 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->set.followlocation++; /* count location-followers */ + + if(data->set.http_auto_referer) { ++ CURLU *u; ++ char *referer; ++ + /* We are asked to automatically set the previous URL as the referer + when we get the next URL. 
We pick the ->url field, which may or may + not be 100% correct */ +@@ -1497,9 +1501,26 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->change.referer_alloc = FALSE; + } + +- data->change.referer = strdup(data->change.url); +- if(!data->change.referer) ++ /* Make a copy of the URL without crenditals and fragment */ ++ u = curl_url(); ++ if(!u) ++ return CURLE_OUT_OF_MEMORY; ++ ++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0); ++ ++ curl_url_cleanup(u); ++ ++ if(uc || referer == NULL) + return CURLE_OUT_OF_MEMORY; ++ data->change.referer = referer; + data->change.referer_alloc = TRUE; /* yes, free this later */ + } + } +-- +2.30.2 + + +From f7d1d478b87499ce31d6aa3251830b78447ad952 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Mar 2021 09:32:14 +0200 +Subject: [PATCH 2/2] transfer: clear 'referer' in declaration + +To silence (false positive) compiler warnings about it. + +Follow-up to 7214288898f5625 + +Reviewed-by: Marcel Raad +Closes #6810 + +Upstream-commit: 6bb028dbda6cbfe83f66de773544f71e4813160f +Signed-off-by: Kamil Dudka +--- + lib/transfer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 263b178..ad5a7ba 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1490,7 +1490,7 @@ CURLcode Curl_follow(struct Curl_easy *data, + + if(data->set.http_auto_referer) { + CURLU *u; +- char *referer; ++ char *referer = NULL; + + /* We are asked to automatically set the previous URL as the referer + when we get the next URL. 
We pick the ->url field, which may or may +@@ -1518,7 +1518,7 @@ CURLcode Curl_follow(struct Curl_easy *data, + + curl_url_cleanup(u); + +- if(uc || referer == NULL) ++ if(uc || !referer) + return CURLE_OUT_OF_MEMORY; + data->change.referer = referer; + data->change.referer_alloc = TRUE; /* yes, free this later */ +-- +2.30.2 + diff --git a/SOURCES/0030-curl-7.61.1-file-head.patch b/SOURCES/0030-curl-7.61.1-file-head.patch new file mode 100644 index 0000000..e545e8e --- /dev/null +++ b/SOURCES/0030-curl-7.61.1-file-head.patch 
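Review bot: The backported patch appears to drop the regression test that upstream shipped with this fix: the commit message says "Added test 2081 to verify", but the diffstat lists only `lib/transfer.c`, so as far as this patch shows nothing in the package's test suite checks that user, password and fragment are stripped from the automatic Referer. Either carry the test data file in this patch or state in the patch header that it was left out and why. Separately, at the `if(uc || !referer)` check every `CURLUcode` failure, including a URL that `curl_url_set()` rejects, is returned as `CURLE_OUT_OF_MEMORY`; a comment there such as `/* any URL API failure is reported as OOM here, not only a failed allocation */` would keep the return code from misleading whoever debugs it. `Curl_follow()` starts and ends outside these hunks.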
@@ -0,0 +1,693 @@ +From 87e3d094e0dc00efc1abeb2b142d453024cbca69 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 4 Oct 2018 23:53:32 +0200 +Subject: [PATCH] FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output + +Now FILE transfers send headers to the header callback like HTTP and +other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...) +work for FILE in the callbacks. + +Makes "curl -i file://.." and "curl -I file://.." work like before +again. Applied the bold header logic to them too. + +Regression from c1c2762 (7.61.0) + +Reported-by: Shaun Jackman +Fixes #3083 +Closes #3101 + +Upstream-commit: e50a2002bd450a4800a165d2874ed79c95b33a07 +Signed-off-by: Kamil Dudka +--- + lib/file.c | 27 +++++++++++++-------------- + lib/getinfo.c | 1 - + lib/url.c | 1 + + src/tool_cb_hdr.c | 5 +++-- + tests/data/test1016 | 2 +- + tests/data/test1017 | 2 +- + tests/data/test1018 | 2 +- + tests/data/test1019 | 2 +- + tests/data/test1020 | 2 +- + tests/data/test1029 | 2 +- + tests/data/test1146 | 2 +- + tests/data/test1220 | 2 +- + tests/data/test200 | 2 +- + tests/data/test2000 | 2 +- + tests/data/test2001 | 13 +------------ + tests/data/test2002 | 13 +------------ + tests/data/test2003 | 26 ++------------------------ + tests/data/test2004 | 2 +- + tests/data/test2006 | 8 ++++++++ + tests/data/test2007 | 8 ++++++++ + tests/data/test2008 | 8 ++++++++ + tests/data/test2009 | 8 ++++++++ + tests/data/test2010 | 8 ++++++++ + tests/data/test202 | 2 +- + tests/data/test203 | 2 +- + tests/data/test204 | 2 +- + tests/data/test205 | 2 +- + tests/data/test2070 | 2 +- + tests/data/test2071 | 2 +- + tests/data/test2072 | 2 +- + tests/data/test210 | 2 +- + tests/data/test231 | 2 +- + tests/data/test288 | 2 +- + 33 files changed, 82 insertions(+), 86 deletions(-) + +diff --git a/lib/file.c b/lib/file.c +index e50e988..f780658 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -386,7 +386,6 @@ static CURLcode file_do(struct connectdata *conn, bool *done) + + *done = TRUE; /* 
unconditionally */ + +- Curl_initinfo(data); + Curl_pgrsStartNow(data); + + if(data->set.upload) +@@ -413,21 +412,18 @@ static CURLcode file_do(struct connectdata *conn, bool *done) + } + } + +- /* If we have selected NOBODY and HEADER, it means that we only want file +- information. Which for FILE can't be much more than the file size and +- date. */ +- if(data->set.opt_no_body && data->set.include_header && fstated) { ++ if(fstated) { + time_t filetime; + struct tm buffer; + const struct tm *tm = &buffer; + char header[80]; + snprintf(header, sizeof(header), + "Content-Length: %" CURL_FORMAT_CURL_OFF_T "\r\n", expected_size); +- result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0); ++ result = Curl_client_write(conn, CLIENTWRITE_HEADER, header, 0); + if(result) + return result; + +- result = Curl_client_write(conn, CLIENTWRITE_BOTH, ++ result = Curl_client_write(conn, CLIENTWRITE_HEADER, + (char *)"Accept-ranges: bytes\r\n", 0); + if(result) + return result; +@@ -439,19 +435,22 @@ static CURLcode file_do(struct connectdata *conn, bool *done) + + /* format: "Tue, 15 Nov 1994 12:45:26 GMT" */ + snprintf(header, sizeof(header), +- "Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT\r\n", ++ "Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT\r\n%s", + Curl_wkday[tm->tm_wday?tm->tm_wday-1:6], + tm->tm_mday, + Curl_month[tm->tm_mon], + tm->tm_year + 1900, + tm->tm_hour, + tm->tm_min, +- tm->tm_sec); +- result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0); +- if(!result) +- /* set the file size to make it available post transfer */ +- Curl_pgrsSetDownloadSize(data, expected_size); +- return result; ++ tm->tm_sec, ++ data->set.opt_no_body ? 
"": "\r\n"); ++ result = Curl_client_write(conn, CLIENTWRITE_HEADER, header, 0); ++ if(result) ++ return result; ++ /* set the file size to make it available post transfer */ ++ Curl_pgrsSetDownloadSize(data, expected_size); ++ if(data->set.opt_no_body) ++ return result; + } + + /* Check whether file range has been specified */ +diff --git a/lib/getinfo.c b/lib/getinfo.c +index 14b4562..54c2c2f 100644 +--- a/lib/getinfo.c ++++ b/lib/getinfo.c +@@ -85,7 +85,6 @@ CURLcode Curl_initinfo(struct Curl_easy *data) + #ifdef USE_SSL + Curl_ssl_free_certinfo(data); + #endif +- + return CURLE_OK; + } + +diff --git a/lib/url.c b/lib/url.c +index b18db25..bb9d107 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -4290,6 +4290,7 @@ static CURLcode create_conn(struct Curl_easy *data, + /* this is supposed to be the connect function so we better at least check + that the file is present here! */ + DEBUGASSERT(conn->handler->connect_it); ++ Curl_persistconninfo(conn); + result = conn->handler->connect_it(conn, &done); + + /* Setup a "faked" transfer that'll do nothing */ +diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c +index e91e8ac..4f21221 100644 +--- a/src/tool_cb_hdr.c ++++ b/src/tool_cb_hdr.c +@@ -153,8 +153,9 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata) + } + + if(hdrcbdata->config->show_headers && +- (protocol & (CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_RTSP))) { +- /* bold headers only happen for HTTP(S) and RTSP */ ++ (protocol & ++ (CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_RTSP|CURLPROTO_FILE))) { ++ /* bold headers only for selected protocols */ + char *value = NULL; + + if(!outs->stream && !tool_create_output_file(outs)) +diff --git a/tests/data/test1016 b/tests/data/test1016 +index b404cac..4927f9e 100644 +--- a/tests/data/test1016 ++++ b/tests/data/test1016 +@@ -22,7 +22,7 @@ file + + X-Y range on a file:// URL to stdout + +- ++ + -r 1-4 file://localhost/%PWD/log/test1016.txt + + +diff --git a/tests/data/test1017 b/tests/data/test1017 
+index 6fbc38a..cfdd80f 100644 +--- a/tests/data/test1017 ++++ b/tests/data/test1017 +@@ -23,7 +23,7 @@ file + + 0-Y range on a file:// URL to stdout + +- ++ + -r 0-3 file://localhost/%PWD/log/test1017.txt + + +diff --git a/tests/data/test1018 b/tests/data/test1018 +index 28a7027..5748701 100644 +--- a/tests/data/test1018 ++++ b/tests/data/test1018 +@@ -22,7 +22,7 @@ file + + X-X range on a file:// URL to stdout + +- ++ + -r 4-4 file://localhost/%PWD/log/test1018.txt + + +diff --git a/tests/data/test1019 b/tests/data/test1019 +index 4d9872a..054e38d 100644 +--- a/tests/data/test1019 ++++ b/tests/data/test1019 +@@ -23,7 +23,7 @@ file + + X- range on a file:// URL to stdout + +- ++ + -r 7- file://localhost/%PWD/log/test1019.txt + + +diff --git a/tests/data/test1020 b/tests/data/test1020 +index 735871d..e924529 100644 +--- a/tests/data/test1020 ++++ b/tests/data/test1020 +@@ -23,7 +23,7 @@ file + + -Y range on a file:// URL to stdout + +- ++ + -r -9 file://localhost/%PWD/log/test1020.txt + + +diff --git a/tests/data/test1029 b/tests/data/test1029 +index 2ffc7c6..c77209c 100644 +--- a/tests/data/test1029 ++++ b/tests/data/test1029 +@@ -29,7 +29,7 @@ http + + HTTP Location: and 'redirect_url' check + +- ++ + http://%HOSTIP:%HTTPPORT/we/want/our/1029 -w '%{redirect_url}\n' + + +diff --git a/tests/data/test1146 b/tests/data/test1146 +index 43f33b7..636748e 100644 +--- a/tests/data/test1146 ++++ b/tests/data/test1146 +@@ -24,7 +24,7 @@ file + + --proto-default file + +- ++ + --proto-default file %PWD/log/test1146.txt + + +diff --git a/tests/data/test1220 b/tests/data/test1220 +index 959abbf..6752eb5 100644 +--- a/tests/data/test1220 ++++ b/tests/data/test1220 +@@ -20,7 +20,7 @@ file + + file:// URLs with query string + +- ++ + file://localhost/%PWD/log/test1220.txt?a_query=foobar#afragment + + +diff --git a/tests/data/test200 b/tests/data/test200 +index 8be1de0..c27f7c0 100644 +--- a/tests/data/test200 ++++ b/tests/data/test200 +@@ -23,7 +23,7 @@ file + + basic file:// 
file + +- ++ + file://localhost/%PWD/log/test200.txt + + +diff --git a/tests/data/test2000 b/tests/data/test2000 +index d3edb16..db1ba13 100644 +--- a/tests/data/test2000 ++++ b/tests/data/test2000 +@@ -31,7 +31,7 @@ file + + FTP RETR followed by FILE + +- ++ + ftp://%HOSTIP:%FTPPORT/2000 file://localhost/%PWD/log/test2000.txt + + +diff --git a/tests/data/test2001 b/tests/data/test2001 +index 68c0df7..88a258e 100644 +--- a/tests/data/test2001 ++++ b/tests/data/test2001 +@@ -48,7 +48,7 @@ file + + HTTP GET followed by FTP RETR followed by FILE + +- ++ + http://%HOSTIP:%HTTPPORT/20010001 ftp://%HOSTIP:%FTPPORT/20010002 file://localhost/%PWD/log/test2001.txt + + +@@ -81,17 +81,6 @@ RETR 20010002 + QUIT + + +-HTTP/1.1 200 OK +-Date: Thu, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- + -foo- + data + to +diff --git a/tests/data/test2002 b/tests/data/test2002 +index db96bfe..6dd2f93 100644 +--- a/tests/data/test2002 ++++ b/tests/data/test2002 +@@ -57,7 +57,7 @@ tftp + + HTTP GET followed by FTP RETR followed by FILE followed by TFTP RRQ + +- ++ + http://%HOSTIP:%HTTPPORT/20020001 ftp://%HOSTIP:%FTPPORT/20020002 file://localhost/%PWD/log/test2002.txt tftp://%HOSTIP:%TFTPPORT//20020003 + + +@@ -96,17 +96,6 @@ filename: /20020003 + QUIT + + +-HTTP/1.1 200 OK +-Date: Thu, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- + -foo- + data + to +diff --git a/tests/data/test2003 b/tests/data/test2003 +index 59a743f..09bee8e 100644 +--- a/tests/data/test2003 ++++ b/tests/data/test2003 +@@ -57,8 +57,8 @@ tftp + + HTTP GET followed by FTP RETR followed by FILE followed by TFTP RRQ then again in reverse 
order + +- +-http://%HOSTIP:%HTTPPORT/20030001 ftp://%HOSTIP:%FTPPORT/20030002 file://localhost/%PWD/log/test2003.txt tftp://%HOSTIP:%TFTPPORT//20030003 tftp://%HOSTIP:%TFTPPORT//20030003 file://localhost/%PWD/log/test2003.txt ftp://%HOSTIP:%FTPPORT/20030002 http://%HOSTIP:%HTTPPORT/20030001 ++ ++http://%HOSTIP:%HTTPPORT/20030001 ftp://%HOSTIP:%FTPPORT/20030002 file://localhost/%PWD/log/test2003.txt tftp://%HOSTIP:%TFTPPORT//20030003 tftp://%HOSTIP:%TFTPPORT//20030003 file://localhost/%PWD/log/test2003.txt ftp://%HOSTIP:%FTPPORT/20030002 http://%HOSTIP:%HTTPPORT/20030001 + + + foo +@@ -109,17 +109,6 @@ Accept: */* + QUIT + + +-HTTP/1.1 200 OK +-Date: Thu, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- + -foo- + data + to +@@ -151,17 +140,6 @@ data + that FTP + works + so does it? +-HTTP/1.1 200 OK +-Date: Thu, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- + -foo- + + +diff --git a/tests/data/test2004 b/tests/data/test2004 +index 4773f69..b17890b 100644 +--- a/tests/data/test2004 ++++ b/tests/data/test2004 +@@ -29,7 +29,7 @@ sftp + + TFTP RRQ followed by SFTP retrieval followed by FILE followed by SCP retrieval then again in reverse order + +- ++ + --key curl_client_key --pubkey curl_client_key.pub -u %USER: tftp://%HOSTIP:%TFTPPORT//2004 sftp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt file://localhost/%PWD/log/test2004.txt scp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt file://localhost/%PWD/log/test2004.txt sftp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt tftp://%HOSTIP:%TFTPPORT//2004 --insecure + + +diff --git a/tests/data/test2006 b/tests/data/test2006 +index 
e25556f..3acbdae 100644 +--- a/tests/data/test2006 ++++ b/tests/data/test2006 +@@ -4,6 +4,7 @@ + Metalink + HTTP + HTTP GET ++FILE + + + +@@ -85,6 +86,10 @@ Accept: */* + Some data delivered from an HTTP resource + + ++Content-Length: 496 ++Accept-ranges: bytes ++ ++ + HTTP/1.1 200 OK + Date: Thu, 21 Jun 2012 14:49:01 GMT + Server: test-server/fake +@@ -105,6 +110,9 @@ Metalink: fetching (log/download2006) from (http://%HOSTIP:%HTTPPORT/2006) OK + Metalink: validating (log/download2006)... + Metalink: validating (log/download2006) [sha-256] OK + ++ ++s/Last-Modified:.*// ++ + + $_ = '' if (($_ !~ /^Metalink: /) && ($_ !~ /error/i) && ($_ !~ /warn/i)) + +diff --git a/tests/data/test2007 b/tests/data/test2007 +index cc4bd8c..b169c49 100644 +--- a/tests/data/test2007 ++++ b/tests/data/test2007 +@@ -5,6 +5,7 @@ Metalink + HTTP + HTTP GET + -J ++FILE + + + +@@ -85,7 +86,14 @@ Accept: */* + + Something delivered from an HTTP resource + ++ ++s/Last-Modified:.*// ++ + ++Content-Length: 496 ++Accept-ranges: bytes ++ ++ + HTTP/1.1 200 OK + Date: Thu, 21 Jun 2012 14:50:02 GMT + Server: test-server/fake +diff --git a/tests/data/test2008 b/tests/data/test2008 +index 5843792..012f221 100644 +--- a/tests/data/test2008 ++++ b/tests/data/test2008 +@@ -4,6 +4,7 @@ + Metalink + HTTP + HTTP GET ++FILE + + + +@@ -77,7 +78,14 @@ Accept: */* + + Some stuff delivered from an HTTP resource + ++ ++s/Last-Modified:.*// ++ + ++Content-Length: 496 ++Accept-ranges: bytes ++ ++ + HTTP/1.1 200 OK + Date: Thu, 21 Jun 2012 15:23:48 GMT + Server: test-server/fake +diff --git a/tests/data/test2009 b/tests/data/test2009 +index 84482ce..b0e5c6c 100644 +--- a/tests/data/test2009 ++++ b/tests/data/test2009 +@@ -5,6 +5,7 @@ Metalink + HTTP + HTTP GET + -J ++FILE + + + +@@ -78,7 +79,14 @@ Accept: */* + + Some contents delivered from an HTTP resource + ++ ++s/Last-Modified:.*// ++ + ++Content-Length: 496 ++Accept-ranges: bytes ++ ++ + HTTP/1.1 200 OK + Date: Thu, 21 Jun 2012 16:27:17 GMT + Server: 
test-server/fake +diff --git a/tests/data/test2010 b/tests/data/test2010 +index 91a83f4..33bb309 100644 +--- a/tests/data/test2010 ++++ b/tests/data/test2010 +@@ -4,6 +4,7 @@ + Metalink + HTTP + HTTP GET ++FILE + + + +@@ -77,7 +78,14 @@ Accept: */* + + Contents delivered from an HTTP resource + ++ ++s/Last-Modified:.*// ++ + ++Content-Length: 496 ++Accept-ranges: bytes ++ ++ + HTTP/1.1 200 OK + Date: Thu, 21 Jun 2012 17:37:27 GMT + Server: test-server/fake +diff --git a/tests/data/test202 b/tests/data/test202 +index f863ec5..0b324b1 100644 +--- a/tests/data/test202 ++++ b/tests/data/test202 +@@ -19,7 +19,7 @@ file + + two file:// URLs to stdout + +- ++ + file://localhost/%PWD/log/test202.txt FILE://localhost/%PWD/log/test202.txt + + +diff --git a/tests/data/test203 b/tests/data/test203 +index 366cc2c..3938426 100644 +--- a/tests/data/test203 ++++ b/tests/data/test203 +@@ -24,7 +24,7 @@ file + + file:/path URL with a single slash + +- ++ + file:%PWD/log/test203.txt + + +diff --git a/tests/data/test204 b/tests/data/test204 +index 9cc7b01..0ed9451 100644 +--- a/tests/data/test204 ++++ b/tests/data/test204 +@@ -15,7 +15,7 @@ file + + "upload" with file:// + +- ++ + file://localhost/%PWD/log/result204.txt -T log/upload204.txt + + +diff --git a/tests/data/test205 b/tests/data/test205 +index 4af93f6..f83c531 100644 +--- a/tests/data/test205 ++++ b/tests/data/test205 +@@ -16,7 +16,7 @@ file + + "upload" with file:// + +- ++ + file://localhost/%PWD/log/nonexisting/result205.txt -T log/upload205.txt + + +diff --git a/tests/data/test2070 b/tests/data/test2070 +index bc3898a..655cd8a 100644 +--- a/tests/data/test2070 ++++ b/tests/data/test2070 +@@ -23,7 +23,7 @@ file + + basic file:// file with no authority + +- ++ + file:%PWD/log/test2070.txt + + +diff --git a/tests/data/test2071 b/tests/data/test2071 +index 997dfff..eddfa4d 100644 +--- a/tests/data/test2071 ++++ b/tests/data/test2071 +@@ -23,7 +23,7 @@ file + + basic file:// file with "127.0.0.1" hostname + +- ++ + 
file://127.0.0.1/%PWD/log/test2070.txt + + +diff --git a/tests/data/test2072 b/tests/data/test2072 +index cd26f22..1bab158 100644 +--- a/tests/data/test2072 ++++ b/tests/data/test2072 +@@ -23,7 +23,7 @@ file + + file:// with unix path resolution behavior for the case of extra slashes + +- ++ + file:////%PWD/log/test2072.txt + + +diff --git a/tests/data/test210 b/tests/data/test210 +index e904567..c6fb703 100644 +--- a/tests/data/test210 ++++ b/tests/data/test210 +@@ -22,7 +22,7 @@ ftp + + Get two FTP files from the same remote dir: no second CWD + +- ++ + ftp://%HOSTIP:%FTPPORT/a/path/210 ftp://%HOSTIP:%FTPPORT/a/path/210 + + +diff --git a/tests/data/test231 b/tests/data/test231 +index 6994957..3d4bc77 100644 +--- a/tests/data/test231 ++++ b/tests/data/test231 +@@ -22,7 +22,7 @@ file + + file:// with resume + +- ++ + file://localhost/%PWD/log/test231.txt -C 10 + + +diff --git a/tests/data/test288 b/tests/data/test288 +index ff4db6a..9f8f6e1 100644 +--- a/tests/data/test288 ++++ b/tests/data/test288 +@@ -30,7 +30,7 @@ file:// with (unsupported) proxy, authentication and range + + all_proxy=http://fake:user@%HOSTIP:%HTTPPORT/ + +- ++ + file://localhost/%PWD/log/test288.txt + + +-- +2.30.2 + diff --git a/SOURCES/0032-curl-7.61.1-CVE-2021-22898.patch b/SOURCES/0032-curl-7.61.1-CVE-2021-22898.patch new file mode 100644 index 0000000..42e1ccd --- /dev/null +++ b/SOURCES/0032-curl-7.61.1-CVE-2021-22898.patch 
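Review bot: The rewritten header block in `file_do()` lost its explanatory comment, and the new behaviour is not obvious from the code: with `if(fstated)` the Content-Length, Accept-ranges and Last-Modified lines are now written with `CLIENTWRITE_HEADER` on every FILE transfer, not only when both NOBODY and HEADER are set. I would add a comment above the block, e.g. `/* always pass size and date to the header callback; return early only when no body is wanted */`, and one on the `data->set.opt_no_body ? "": "\r\n"` argument saying that the extra CRLF presumably terminates the header block when a body follows. Applications that log or forward whatever their header callback receives may start seeing local file size and modification time for file:// URLs after this update, which is worth a line in the changelog. The final `return result;` under `if(data->set.opt_no_body)` can only return zero at that point, so `return CURLE_OK;` would read more clearly; `file_do()` itself continues outside the hunk.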
@@ -0,0 +1,31 @@ +From ae2dc830fb37e9243dbdaf8b92e41df91f43b3f2 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Fri, 7 May 2021 13:09:57 +0200 +Subject: [PATCH] telnet: check sscanf() for correct number of matches + +CVE-2021-22898 + +Bug: https://curl.se/docs/CVE-2021-22898.html + +Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 1fc5af1..ea6bc71 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -967,7 +967,7 @@ static void suboption(struct connectdata *conn) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) { ++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { + snprintf((char *)&temp[len], sizeof(temp) - len, + "%c%s%c%s", CURL_NEW_ENV_VAR, varname, + CURL_NEW_ENV_VALUE, varval); +-- +2.31.1 + diff --git a/SOURCES/0033-curl-7.61.1-CVE-2021-22925.patch b/SOURCES/0033-curl-7.61.1-CVE-2021-22925.patch new file mode 100644 index 0000000..391abbd --- /dev/null +++ b/SOURCES/0033-curl-7.61.1-CVE-2021-22925.patch 
@@ -0,0 +1,47 @@ +From 2fbbf282e42ae476459f7efe68a88dcb63dcc43b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 12 Jun 2021 18:25:15 +0200 +Subject: [PATCH] telnet: fix option parser to not send uninitialized contents + +CVE-2021-22925 + +Reported-by: Red Hat Product Security +Bug: https://curl.se/docs/CVE-2021-22925.html + +Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index ea6bc71..f8428b8 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { +- snprintf((char *)&temp[len], sizeof(temp) - len, +- "%c%s%c%s", CURL_NEW_ENV_VAR, varname, +- CURL_NEW_ENV_VALUE, varval); +- len += tmplen; +- } ++ int rv; ++ char sep[2] = ""; ++ varval[0] = 0; ++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); ++ if(rv == 1) ++ len += snprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s", CURL_NEW_ENV_VAR, varname); ++ else if(rv >= 2) ++ len += snprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname, ++ CURL_NEW_ENV_VALUE, varval); + } + } + snprintf((char *)&temp[len], sizeof(temp) - len, +-- +2.31.1 + diff --git a/SPECS/curl.spec b/SPECS/curl.spec index b29023a..be2443a 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 18%{?dist}.1 +Release: 21%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz 
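Review bot: The `rv >= 2` branch in `suboption()` depends on `varval[0] = 0;` for correctness and nothing in the code says so: for an entry of the form `name,` with nothing after the comma, `sscanf()` returns 2 (name and separator matched) and never writes `varval`, so the earlier clearing is what keeps stale stack bytes out of the reply. A comment on that line, e.g. `/* rv == 2 means the comma matched but no value followed; send an empty value */`, would stop a later cleanup from removing it. `len += snprintf(...)` also adds the return value unchecked; the `len + tmplen` guard above bounds it as long as the formatted output is never longer than `v->data`, which looks true here but deserves a `DEBUGASSERT` or a short comment. Going by their diffstats (`lib/telnet.c` only), neither this patch nor 0032 (CVE-2021-22898) adds a test, so a regression test for a variable without a value would be worth carrying. The body of `suboption()` continues outside the hunk.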
@@ -79,9 +79,21 @@ Patch27: 0027-curl-7.61.1-CVE-2020-8286.patch # http: send payload when (proxy) authentication is done (#1918692) Patch28: 0028-curl-7.61.1-http-auth-payload.patch +# prevent automatic referer from leaking credentials (CVE-2021-22876) +Patch29: 0029-curl-7.61.1-CVE-2021-22876.patch + +# make `curl --head file://` work as expected (#1947493) +Patch30: 0030-curl-7.61.1-file-head.patch + # fix bad connection reuse due to flawed path name checks (CVE-2021-22924) Patch31: 0031-curl-7.61.1-CVE-2021-22924.patch +# fix TELNET stack contents disclosure (CVE-2021-22898) +Patch32: 0032-curl-7.61.1-CVE-2021-22898.patch + +# fix TELNET stack contents disclosure again (CVE-2021-22925) +Patch33: 0033-curl-7.61.1-CVE-2021-22925.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -280,7 +292,11 @@ sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448 %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 +%patch30 -p1 %patch31 -p1 +%patch32 -p1 +%patch33 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py 
@@ -443,12 +459,21 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Thu Aug 05 2021 Kamil Dudka - 7.61.1-18.el8_4.1 +* Thu Aug 05 2021 Kamil Dudka - 7.61.1-21 +- fix TELNET stack contents disclosure again (CVE-2021-22925) +- fix TELNET stack contents disclosure (CVE-2021-22898) - fix bad connection reuse due to flawed path name checks (CVE-2021-22924) - disable metalink support to fix the following vulnerabilities CVE-2021-22923 - metalink download sends credentials CVE-2021-22922 - wrong content via metalink not discarded +* Fri Apr 23 2021 Kamil Dudka - 7.61.1-20 +- fix a cppcheck's false positive in 0029-curl-7.61.1-CVE-2021-22876.patch + +* Fri Apr 23 2021 Kamil Dudka - 7.61.1-19 +- make `curl --head file://` work as expected (#1947493) +- prevent automatic referer from leaking credentials (CVE-2021-22876) + * Thu Jan 28 2021 Kamil Dudka - 7.61.1-18 - http: send payload when (proxy) authentication is done (#1918692) - curl: Inferior OCSP verification (CVE-2020-8286)