From 7032379b117e7172f23d3f5e19288da1a7a7e04d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Thu, 12 Aug 2021 04:19:18 +0000 Subject: [PATCH] import curl-7.61.1-18.el8_4.1 --- SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch | 662 ++++++++++++++++++ SPECS/curl.spec | 16 +- 2 files changed, 674 insertions(+), 4 deletions(-) create mode 100644 SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch diff --git a/SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch b/SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch new file mode 100644 index 0000000..990d32f --- /dev/null +++ b/SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch @@ -0,0 +1,662 @@ +From 74ba80e293eb2521d28916b24c3be59b3baf688a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 18 Feb 2021 10:13:56 +0100 +Subject: [PATCH 1/2] urldata: remove the _ORIG suffix from string names + +It doesn't provide any useful info but only makes the names longer. + +Closes #6624 + +Upstream-commit: 70472a44deaff387cf8c8c197e04f3add2a96e2e +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 32 ++++++++++++++++---------------- + lib/url.c | 32 ++++++++++++++++---------------- + lib/urldata.h | 28 ++++++++++++++-------------- + lib/vtls/cyassl.c | 2 +- + lib/vtls/darwinssl.c | 4 ++-- + lib/vtls/gskit.c | 2 +- + lib/vtls/gtls.c | 2 +- + lib/vtls/mbedtls.c | 2 +- + lib/vtls/nss.c | 2 +- + lib/vtls/openssl.c | 2 +- + lib/vtls/polarssl.c | 2 +- + lib/vtls/schannel.c | 2 +- + 12 files changed, 56 insertions(+), 56 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 4f04962..b07ccfe 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -133,7 +133,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + break; + case CURLOPT_SSL_CIPHER_LIST: + /* set a list of cipher we want to use in the SSL connection */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_SSL_CIPHER_LIST: +@@ -145,7 +145,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + case CURLOPT_TLS13_CIPHERS: + if(Curl_ssl_tls13_ciphersuites()) { + /* set preferred list of TLS 1.3 cipher suites */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST], + va_arg(param, char *)); + } + else +@@ -1532,7 +1532,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * String that holds file name of the SSL certificate to use + */ +- result = Curl_setstropt(&data->set.str[STRING_CERT_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_CERT], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_SSLCERT: +@@ -1546,7 +1546,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * String that holds file type of the SSL certificate to use + */ +- result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_SSLCERTTYPE: +@@ -1560,7 +1560,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * String that holds file name of the SSL key to use + */ +- result = Curl_setstropt(&data->set.str[STRING_KEY_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_KEY], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_SSLKEY: +@@ -1574,7 +1574,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * String that holds file type of the SSL key to use + */ +- result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_SSLKEYTYPE: +@@ -1588,7 +1588,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * String that holds the SSL or SSH private key password. + */ +- result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_KEYPASSWD: +@@ -1815,7 +1815,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + */ + #ifdef USE_SSL + if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY) +- result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY], + va_arg(param, char *)); + else + #endif +@@ -1838,7 +1838,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * Set CA info for SSL connection. Specify file name of the CA certificate + */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_CAINFO: +@@ -1857,7 +1857,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + #ifdef USE_SSL + if(Curl_ssl->supports & SSLSUPP_CA_PATH) + /* This does not work on windows. */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH], + va_arg(param, char *)); + else + #endif +@@ -1882,7 +1882,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + * Set CRL file info for SSL connection. Specify file name of the CRL + * to check certificates revocation + */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_CRLFILE: +@@ -1898,7 +1898,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + * Set Issuer certificate file + * to check certificates issuer + */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT], + va_arg(param, char *)); + break; + case CURLOPT_TELNETOPTIONS: +@@ -2449,9 +2449,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + break; + #ifdef USE_TLS_SRP + case CURLOPT_TLSAUTH_USERNAME: +- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) + data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_USERNAME: +@@ -2462,9 +2462,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_TLSAUTH_PASSWORD: +- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) + data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_PASSWORD: +diff --git a/lib/url.c b/lib/url.c +index bb9d107..a6bc012 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -496,7 +496,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + */ + if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) { + #if defined(CURL_CA_BUNDLE) +- result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE); ++ result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], CURL_CA_BUNDLE); + if(result) + return result; + +@@ -506,7 +506,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + return result; + #endif + #if defined(CURL_CA_PATH) +- result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], CURL_CA_PATH); ++ result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], CURL_CA_PATH); + if(result) + return result; + +@@ -4333,9 +4333,9 @@ static CURLcode create_conn(struct Curl_easy *data, + that will be freed as part of the Curl_easy struct, but all cloned + copies will be separately allocated. + */ +- data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG]; ++ data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH]; + data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; +- data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG]; ++ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE]; + data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY]; + data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; + data->set.proxy_ssl.primary.random_file = +@@ -4343,34 +4343,34 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; + data->set.proxy_ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; + data->set.ssl.primary.cipher_list = +- data->set.str[STRING_SSL_CIPHER_LIST_ORIG]; ++ data->set.str[STRING_SSL_CIPHER_LIST]; + data->set.proxy_ssl.primary.cipher_list = + data->set.str[STRING_SSL_CIPHER_LIST_PROXY]; + data->set.ssl.primary.cipher_list13 = +- data->set.str[STRING_SSL_CIPHER13_LIST_ORIG]; ++ data->set.str[STRING_SSL_CIPHER13_LIST]; + data->set.proxy_ssl.primary.cipher_list13 = + data->set.str[STRING_SSL_CIPHER13_LIST_PROXY]; + +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; ++ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; +- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG]; ++ data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; + data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; +- data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; ++ data->set.ssl.cert = data->set.str[STRING_CERT]; + data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; +- data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; ++ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; +- data->set.ssl.key = data->set.str[STRING_KEY_ORIG]; ++ data->set.ssl.key = data->set.str[STRING_KEY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; +- data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG]; ++ data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +- data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG]; ++ data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; + data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY]; +- data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG]; ++ data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; + data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; ++ data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; + data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; ++ data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + +diff --git a/lib/urldata.h b/lib/urldata.h +index c70290a..1f8f364 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1366,9 +1366,9 @@ struct DynamicStatic { + struct Curl_multi; /* declared and used only in multi.c */ + + enum dupstring { +- STRING_CERT_ORIG, /* client certificate file name */ ++ STRING_CERT, /* client certificate file name */ + STRING_CERT_PROXY, /* client certificate file name */ +- STRING_CERT_TYPE_ORIG, /* format for certificate (default: PEM)*/ ++ STRING_CERT_TYPE, /* format for certificate (default: PEM)*/ + STRING_CERT_TYPE_PROXY, /* format for certificate (default: PEM)*/ + STRING_COOKIE, /* HTTP cookie string to send */ + STRING_COOKIEJAR, /* dump all cookies to this file */ +@@ -1379,11 +1379,11 @@ enum dupstring { + STRING_FTP_ACCOUNT, /* ftp account data */ + STRING_FTP_ALTERNATIVE_TO_USER, /* command to send if USER/PASS fails */ + STRING_FTPPORT, /* port to send with the FTP PORT command */ +- STRING_KEY_ORIG, /* private key file name */ ++ STRING_KEY, /* private key file name */ + STRING_KEY_PROXY, /* private key file name */ +- STRING_KEY_PASSWD_ORIG, /* plain text private key password */ ++ STRING_KEY_PASSWD, /* plain text private key password */ + STRING_KEY_PASSWD_PROXY, /* plain text private key password */ +- STRING_KEY_TYPE_ORIG, /* format for private key (default: PEM) */ ++ STRING_KEY_TYPE, /* format for private key (default: PEM) */ + STRING_KEY_TYPE_PROXY, /* format for private key (default: PEM) */ + STRING_KRB_LEVEL, /* krb security level */ + STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find +@@ -1393,22 +1393,22 @@ enum dupstring { + STRING_SET_RANGE, /* range, if used */ + STRING_SET_REFERER, /* custom string for the HTTP referer field */ + STRING_SET_URL, /* what original URL to work on */ +- STRING_SSL_CAPATH_ORIG, /* CA directory name (doesn't work on windows) */ ++ STRING_SSL_CAPATH, /* CA directory name (doesn't work on windows) */ + STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */ +- STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */ ++ STRING_SSL_CAFILE, /* certificate file to verify peer against */ + STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */ +- STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */ ++ STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */ + STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */ +- STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */ ++ STRING_SSL_CIPHER_LIST, /* list of ciphers to use */ + STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */ +- STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */ ++ STRING_SSL_CIPHER13_LIST, /* list of TLS 1.3 ciphers to use */ + STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */ + STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */ + STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */ + STRING_USERAGENT, /* User-Agent string */ +- STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */ ++ STRING_SSL_CRLFILE, /* crl file to check certificate */ + STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */ +- STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */ ++ STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */ + STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */ + STRING_SSL_ENGINE, /* name of ssl engine */ + STRING_USERNAME, /* , if used */ +@@ -1433,9 +1433,9 @@ enum dupstring { + STRING_MAIL_AUTH, + + #ifdef USE_TLS_SRP +- STRING_TLSAUTH_USERNAME_ORIG, /* TLS auth */ ++ STRING_TLSAUTH_USERNAME, /* TLS auth */ + STRING_TLSAUTH_USERNAME_PROXY, /* TLS auth */ +- STRING_TLSAUTH_PASSWORD_ORIG, /* TLS auth */ ++ STRING_TLSAUTH_PASSWORD, /* TLS auth */ + STRING_TLSAUTH_PASSWORD_PROXY, /* TLS auth */ + #endif + STRING_BEARER, /* , if used */ +diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c +index e10398a..ffd116d 100644 +--- a/lib/vtls/cyassl.c ++++ b/lib/vtls/cyassl.c +@@ -474,7 +474,7 @@ cyassl_connect_step2(struct connectdata *conn, + conn->http_proxy.host.dispname : conn->host.dispname; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + + conn->recv[sockindex] = cyassl_recv; + conn->send[sockindex] = cyassl_send; +diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c +index 1aea0dc..572e8bf 100644 +--- a/lib/vtls/darwinssl.c ++++ b/lib/vtls/darwinssl.c +@@ -2449,9 +2449,9 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) + connssl->connecting_state = ssl_connect_3; + + #ifdef DARWIN_SSL_PINNEDPUBKEY +- if(data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) { ++ if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { + CURLcode result = pkp_pin_peer_pubkey(data, BACKEND->ssl_ctx, +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]); ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]); + if(result) { + failf(data, "SSL: public key does not match pinned public key!"); + return result; +diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c +index a0b4960..b4c7b8a 100644 +--- a/lib/vtls/gskit.c ++++ b/lib/vtls/gskit.c +@@ -1136,7 +1136,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) + + /* Check pinned public key. */ + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(!result && ptr) { + curl_X509certificate x509; + curl_asn1Element *p; +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 207b0fd..c5eb948 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -1329,7 +1329,7 @@ gtls_connect_step3(struct connectdata *conn, + } + + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(ptr) { + result = pkp_pin_peer_pubkey(data, x509_cert, ptr); + if(result != CURLE_OK) { +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index d7759dc..48010ae 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -540,7 +540,7 @@ mbed_connect_step2(struct connectdata *conn, + const mbedtls_x509_crt *peercert; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + + #ifdef HAS_ALPN + const char *next_protocol; +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 89f8183..366bf9e 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2067,7 +2067,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) + &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + + + /* check timeout situation */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 35cd652..8c97c1d 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3388,7 +3388,7 @@ static CURLcode servercert(struct connectdata *conn, + result = CURLE_OK; + + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(!result && ptr) { + result = pkp_pin_peer_pubkey(data, BACKEND->server_cert, ptr); + if(result) +diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c +index 604cb4c..f284ad1 100644 +--- a/lib/vtls/polarssl.c ++++ b/lib/vtls/polarssl.c +@@ -459,7 +459,7 @@ polarssl_connect_step2(struct connectdata *conn, + char buffer[1024]; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + + + char errorbuf[128]; +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index 8f6c301..95c060b 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -1060,7 +1060,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) + + pubkey_ptr = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(pubkey_ptr) { + result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr); + if(result) { +-- +2.31.1 + + +From 040fa4f60f9b809972d51184dfa4980ba44d8b6b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 19 Jun 2021 00:42:28 +0200 +Subject: [PATCH 2/2] vtls: fix connection reuse checks for issuer cert and + case sensitivity + +CVE-2021-22924 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2021-22924.html + +Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 5 +++-- + lib/urldata.h | 2 +- + lib/vtls/gtls.c | 10 +++++----- + lib/vtls/nss.c | 4 ++-- + lib/vtls/openssl.c | 12 ++++++------ + lib/vtls/vtls.c | 21 ++++++++++++++++----- + 6 files changed, 33 insertions(+), 21 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index a6bc012..4803653 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -4337,6 +4337,9 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; + data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE]; + data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY]; ++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; ++ data->set.proxy_ssl.primary.issuercert = ++ data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; + data->set.proxy_ssl.primary.random_file = + data->set.str[STRING_SSL_RANDOM_FILE]; +@@ -4353,8 +4356,6 @@ static CURLcode create_conn(struct Curl_easy *data, + + data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; +- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; +- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.ssl.cert = data->set.str[STRING_CERT]; + data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; +diff --git a/lib/urldata.h b/lib/urldata.h +index 1f8f364..72a36fb 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -223,6 +223,7 @@ struct ssl_primary_config { + bool sessionid; /* cache session IDs or not */ + char *CApath; /* certificate dir (doesn't work on windows) */ + char *CAfile; /* certificate to verify peer against */ ++ char *issuercert; /* optional issuer certificate filename */ + char *clientcert; + char *random_file; /* path to file containing "random" data */ + char *egdsocket; /* path to file containing the EGD daemon socket */ +@@ -238,7 +239,6 @@ struct ssl_config_data { + bool no_partialchain; /* don't accept partial certificate chains */ + long certverifyresult; /* result from the certificate verification */ + char *CRLfile; /* CRL to check certificate revocation */ +- char *issuercert;/* optional issuer certificate filename */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + bool certinfo; /* gather lots of certificate info */ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index c5eb948..0cb59c8 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -1002,7 +1002,7 @@ gtls_connect_step3(struct connectdata *conn, + if(!chainp) { + if(SSL_CONN_CONFIG(verifypeer) || + SSL_CONN_CONFIG(verifyhost) || +- SSL_SET_OPTION(issuercert)) { ++ SSL_CONN_CONFIG(issuercert)) { + #ifdef USE_TLS_SRP + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(username) != NULL +@@ -1184,21 +1184,21 @@ gtls_connect_step3(struct connectdata *conn, + gnutls_x509_crt_t format */ + gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + gnutls_x509_crt_init(&x509_issuer); +- issuerp = load_file(SSL_SET_OPTION(issuercert)); ++ issuerp = load_file(SSL_CONN_CONFIG(issuercert)); + gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); + rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); + gnutls_x509_crt_deinit(x509_issuer); + unload_file(issuerp); + if(rc <= 0) { + failf(data, "server certificate issuer check failed (IssuerCert: %s)", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + gnutls_x509_crt_deinit(x509_cert); + return CURLE_SSL_ISSUER_ERROR; + } + infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + } + + size = sizeof(certbuf); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 366bf9e..2d9581d 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2095,9 +2095,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) + if(result) + goto error; + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + SECStatus ret = SECFailure; +- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert)); ++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); + if(nickname) { + /* we support only nicknames in case of issuercert for now */ + ret = check_issuer_cert(BACKEND->handle, nickname); +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 8c97c1d..28eaa6d 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3311,11 +3311,11 @@ static CURLcode servercert(struct connectdata *conn, + deallocating the certificate. */ + + /* e.g. match issuer name with provided issuer certificate */ +- if(SSL_SET_OPTION(issuercert)) { +- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { ++ if(SSL_CONN_CONFIG(issuercert)) { ++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { + if(strict) + failf(data, "SSL: Unable to open issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(BACKEND->server_cert); + BACKEND->server_cert = NULL; +@@ -3326,7 +3326,7 @@ static CURLcode servercert(struct connectdata *conn, + if(!issuer) { + if(strict) + failf(data, "SSL: Unable to read issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(BACKEND->server_cert); +@@ -3337,7 +3337,7 @@ static CURLcode servercert(struct connectdata *conn, + if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) { + if(strict) + failf(data, "SSL: Certificate issuer check failed (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(BACKEND->server_cert); +@@ -3346,7 +3346,7 @@ static CURLcode servercert(struct connectdata *conn, + } + + infof(data, " SSL certificate issuer check ok (%s)\n", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + X509_free(issuer); + } + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index b61c640..18672a5 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -82,6 +82,15 @@ + else \ + dest->var = NULL; + ++static bool safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ else if(!a && !b) ++ return TRUE; /* match */ ++ return FALSE; /* no match */ ++} ++ + bool + Curl_ssl_config_matches(struct ssl_primary_config* data, + struct ssl_primary_config* needle) +@@ -91,11 +100,11 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +- Curl_safe_strcasecompare(data->CApath, needle->CApath) && +- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) && +- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && +- Curl_safe_strcasecompare(data->random_file, needle->random_file) && +- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && ++ safecmp(data->CApath, needle->CApath) && ++ safecmp(data->CAfile, needle->CAfile) && ++ safecmp(data->clientcert, needle->clientcert) && ++ safecmp(data->random_file, needle->random_file) && ++ safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13)) + return TRUE; +@@ -116,6 +125,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + + CLONE_STRING(CApath); + CLONE_STRING(CAfile); ++ CLONE_STRING(issuercert); + CLONE_STRING(clientcert); + CLONE_STRING(random_file); + CLONE_STRING(egdsocket); +@@ -129,6 +139,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) + { + Curl_safefree(sslc->CApath); + Curl_safefree(sslc->CAfile); ++ Curl_safefree(sslc->issuercert); + Curl_safefree(sslc->clientcert); + Curl_safefree(sslc->random_file); + Curl_safefree(sslc->egdsocket); +-- +2.31.1 + diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 8f28ad1..b29023a 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 18%{?dist} +Release: 18%{?dist}.1 License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -79,6 +79,9 @@ Patch27: 0027-curl-7.61.1-CVE-2020-8286.patch # http: send payload when (proxy) authentication is done (#1918692) Patch28: 0028-curl-7.61.1-http-auth-payload.patch +# fix bad connection reuse due to flawed path name checks (CVE-2021-22924) +Patch31: 0031-curl-7.61.1-CVE-2021-22924.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -104,7 +107,6 @@ BuildRequires: gcc BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel -BuildRequires: libmetalink-devel BuildRequires: libnghttp2-devel BuildRequires: libpsl-devel BuildRequires: libssh-devel @@ -278,6 +280,7 @@ sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448 %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch31 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -314,6 +317,7 @@ export common_configure_opts=" \ --enable-symbol-hiding \ --enable-ipv6 \ --enable-threaded-resolver \ + --without-libmetalink \ --with-gssapi \ --with-nghttp2 \ --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" @@ -329,7 +333,6 @@ export common_configure_opts=" \ --disable-manual \ --without-brotli \ --without-libidn2 \ - --without-libmetalink \ --without-libpsl \ --without-libssh ) @@ -343,7 +346,6 @@ export common_configure_opts=" \ --enable-manual \ --with-brotli \ --with-libidn2 \ - --with-libmetalink \ --with-libpsl \ --with-libssh ) @@ -441,6 +443,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Aug 05 2021 Kamil Dudka - 7.61.1-18.el8_4.1 +- fix bad connection reuse due to flawed path name checks (CVE-2021-22924) +- disable metalink support to fix the following vulnerabilities + CVE-2021-22923 - metalink download sends credentials + CVE-2021-22922 - wrong content via metalink not discarded + * Thu Jan 28 2021 Kamil Dudka - 7.61.1-18 - http: send payload when (proxy) authentication is done (#1918692) - curl: Inferior OCSP verification (CVE-2020-8286)