import UBI curl-7.76.1-23.el9_2.4

2023-10-17 09:49:00 +00:00 · 2023-10-17 09:49:00 +00:00 · 559781d385
commit 559781d385
parent 79f5d05c5c
3 changed files with 274 additions and 1 deletions
--- a/SOURCES/0030-curl-7.76.1-CVE-2023-38545.patch
+++ b/SOURCES/0030-curl-7.76.1-CVE-2023-38545.patch
@ -0,0 +1,136 @@
 From 1d66562c67fc0099d0fd882c693e51dd0b10c45c Mon Sep 17 00:00:00 2001
 From: Jay Satiro <raysatiro@yahoo.com>
 Date: Sat, 30 Sep 2023 03:40:02 -0400
 Subject: [PATCH] socks: return error if hostname too long for remote resolve
 Prior to this change the state machine attempted to change the remote
 resolve to a local resolve if the hostname was longer than 255
 characters. Unfortunately that did not work as intended and caused a
 security issue.
 Name resolvers cannot resolve hostnames longer than 255 characters.
 Bug: https://curl.se/docs/CVE-2023-38545.html
 ---
 lib/socks.c             |  8 +++---
 tests/data/Makefile.inc |  2 +-
 tests/data/test728      | 64 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 5 deletions(-)
 create mode 100644 tests/data/test728
 diff --git a/lib/socks.c b/lib/socks.c
 index c492d663c..a7b5ab07e 100644
 --- a/lib/socks.c
 +++ b/lib/socks.c
@@ -531,13 +531,13 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
       infof(data, "SOCKS5: connecting to HTTP proxy %s port %d\n",
             hostname, remote_port);
     /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
     if(!socks5_resolve_local && hostname_len > 255) {
 -      infof(data, "SOCKS5: server resolving disabled for hostnames of "
 -            "length > 255 [actual len=%zu]\n", hostname_len);
 -      socks5_resolve_local = TRUE;
 +      failf(data, "SOCKS5: the destination hostname is too long to be "
 +            "resolved remotely by the proxy.");
 +      return CURLPX_LONG_HOSTNAME;
     }
     if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
       infof(data,
             "warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu\n",
@@ -855,7 +855,7 @@ CONNECT_RESOLVE_REMOTE:
     if(!socks5_resolve_local) {
       socksreq[len++] = 3; /* ATYP: domain name = 3 */
 -      socksreq[len++] = (char) hostname_len; /* one byte address length */
 +      socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
       memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
       len += hostname_len;
       infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n",
 diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
 index 081e344d4..62ee53578 100644
 --- a/tests/data/Makefile.inc
 +++ b/tests/data/Makefile.inc
@@ -99,7 +99,7 @@ test672 test673 test674 test675 test676 test677 test678 test679 test680 \
 \
 test700 test701 test702 test703 test704 test705 test706 test707 test708 \
 test709 test710 test711 test712 test713 test714 test715 test716 test717 \
 -test718 \
 +test718 test728 \
 \
 test800 test801 test802 test803 test804 test805 test806 test807 test808 \
 test809 test810 test811 test812 test813 test814 test815 test816 test817 \
 diff --git a/tests/data/test728 b/tests/data/test728
 new file mode 100644
 index 000000000..05bcf2883
 --- /dev/null
 +++ b/tests/data/test728
@@ -0,0 +1,64 @@
 +<testcase>
 +<info>
 +<keywords>
 +HTTP
 +HTTP GET
 +SOCKS5
 +SOCKS5h
 +followlocation
 +</keywords>
 +</info>
 +
 +#
 +# Server-side
 +<reply>
 +# The hostname in this redirect is 256 characters and too long (> 255) for
 +# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
 +<data>
 +HTTP/1.1 301 Moved Permanently
 +Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
 +Content-Length: 0
 +Connection: close
 +
 +</data>
 +</reply>
 +
 +#
 +# Client-side
 +<client>
 +<features>
 +proxy
 +</features>
 +<server>
 +http
 +socks5
 +</server>
 + <name>
 +SOCKS5h with HTTP redirect to hostname too long
 + </name>
 + <command>
 +--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
 +</command>
 +</client>
 +
 +#
 +# Verify data after the test has been "shot"
 +<verify>
 +<protocol crlf="yes">
 +GET /%TESTNUMBER HTTP/1.1
 +Host: %HOSTIP:%HTTPPORT
 +User-Agent: curl/%VERSION
 +Accept: */*
 +
 +</protocol>
 +<errorcode>
 +97
 +</errorcode>
 +# the error message is verified because error code CURLE_PROXY (97) may be
 +# returned for any number of reasons and we need to make sure it is
 +# specifically for the reason below so that we know the check is working.
 +<stderr mode="text">
 +curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
 +</stderr>
 +</verify>
 +</testcase>
 -- 
 2.42.0
--- a/SOURCES/0031-curl-7.61.1-CVE-2023-38546.patch
+++ b/SOURCES/0031-curl-7.61.1-CVE-2023-38546.patch
@ -0,0 +1,123 @@
 From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 14 Sep 2023 23:28:32 +0200
 Subject: [PATCH] cookie: remove unnecessary struct fields
 Plus: reduce the hash table size from 256 to 63. It seems unlikely to
 make much of a speed difference for most use cases but saves 1.5KB of
 data per instance.
 Closes #11862
 ---
 lib/cookie.c | 13 +------------
 lib/cookie.h | 13 ++++---------
 lib/easy.c   |  4 +---
 3 files changed, 6 insertions(+), 24 deletions(-)
 diff --git a/lib/cookie.c b/lib/cookie.c
 index 4345a84c6fd9d..e39c89a94a960 100644
 --- a/lib/cookie.c
 +++ b/lib/cookie.c
@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
   free(co->name);
   free(co->value);
   free(co->maxage);
 -  free(co->version);
   free(co);
 }
@@ -717,11 +716,7 @@ Curl_cookie_add(struct Curl_easy *data,
           }
         }
         else if(strcasecompare("version", name)) {
 -          strstore(&co->version, whatptr);
 -          if(!co->version) {
 -            badcookie = TRUE;
 -            break;
 -          }
 +          /* just ignore */
         }
         else if(strcasecompare("max-age", name)) {
           /* Defined in RFC2109:
@@ -1159,7 +1154,6 @@ Curl_cookie_add(struct Curl_easy *data,
         free(clist->path);
         free(clist->spath);
         free(clist->expirestr);
 -        free(clist->version);
         free(clist->maxage);
         *clist = *co;  /* then store all the new data */
@@ -1223,9 +1217,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
     c = calloc(1, sizeof(struct CookieInfo));
     if(!c)
       return NULL; /* failed to get memory */
 -    c->filename = strdup(file?file:"none"); /* copy the name just in case */
 -    if(!c->filename)
 -      goto fail; /* failed to get memory */
   }
   else {
     /* we got an already existing one, use that */
@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
     CLONE(name);
     CLONE(value);
     CLONE(maxage);
 -    CLONE(version);
     d->expires = src->expires;
     d->tailmatch = src->tailmatch;
     d->secure = src->secure;
@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
 {
   if(c) {
     unsigned int i;
 -    free(c->filename);
     for(i = 0; i < COOKIE_HASH_SIZE; i++)
       Curl_cookie_freelist(c->cookies[i]);
     free(c); /* free the base struct as well */
 diff --git a/lib/cookie.h b/lib/cookie.h
 index b3c0063b2cfb2..41e9e7a6914e0 100644
 --- a/lib/cookie.h
 +++ b/lib/cookie.h
@@ -36,11 +36,7 @@ struct Cookie {
   char *domain;      /* domain = <this> */
   curl_off_t expires;  /* expires = <this> */
   char *expirestr;   /* the plain text version */
 -
 -  /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
 -  char *version;     /* Version = <value> */
   char *maxage;      /* Max-Age = <value> */
 -
   bool tailmatch;    /* whether we do tail-matching of the domain name */
   bool secure;       /* whether the 'secure' keyword was used */
   bool livecookie;   /* updated from a server, not a stored file */
@@ -56,14 +52,13 @@ struct Cookie {
 #define COOKIE_PREFIX__SECURE (1<<0)
 #define COOKIE_PREFIX__HOST (1<<1)
 -#define COOKIE_HASH_SIZE 256
 +#define COOKIE_HASH_SIZE 63
 struct CookieInfo {
   /* linked list of cookies we know of */
   struct Cookie *cookies[COOKIE_HASH_SIZE];
 -  char *filename;  /* file we read from/write to */
 -  long numcookies; /* number of cookies in the "jar" */
 +  int numcookies;  /* number of cookies in the "jar" */
   bool running;    /* state info, for cookie adding information */
   bool newsession; /* new session, discard session cookies on load */
   int lastct;      /* last creation-time used in the jar */
 diff --git a/lib/easy.c b/lib/easy.c
 index 16bbd35251d40..03195481f9780 100644
 --- a/lib/easy.c
 +++ b/lib/easy.c
@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
   if(data->cookies) {
     /* If cookies are enabled in the parent handle, we enable them
        in the clone as well! */
 -    outcurl->cookies = Curl_cookie_init(data,
 -                                        data->cookies->filename,
 -                                        outcurl->cookies,
 +    outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
                                         data->set.cookiesession);
     if(!outcurl->cookies)
       goto fail;
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 23%{?dist}.2
+Release: 23%{?dist}.4
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
@ -83,6 +83,12 @@ Patch28:  0028-curl-7.76.1-CVE-2023-28321.patch
 # unify the upload/method handling (CVE-2023-28322)
 Patch29:  0029-curl-7.76.1-CVE-2023-28322.patch
 # return error if hostname too long for remote resolve (CVE-2023-38545)
 Patch30:  0030-curl-7.76.1-CVE-2023-38545.patch
 # fix cookie injection with none file (CVE-2023-38546)
 Patch31:  0031-curl-7.61.1-CVE-2023-38546.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -284,6 +290,8 @@ be installed.
 %patch27 -p1
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
 %patch31 -p1
 # Fedora patches
 %patch101 -p1
@ -509,6 +517,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
 * Thu Oct 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.4
 - fix cookie injection with none file (CVE-2023-38546)
 * Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.3
 - return error if hostname too long for remote resolve (CVE-2023-38545)
 * Tue Jun 27 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.2
 - fix host name wildcard checking (CVE-2023-28321)
 - unify the upload/method handling (CVE-2023-28322)