diff --git a/0025-curl-7.76.1-CVE-2023-27533.patch b/0025-curl-7.76.1-CVE-2023-27533.patch new file mode 100644 index 0000000..591c1cd --- /dev/null +++ b/0025-curl-7.76.1-CVE-2023-27533.patch @@ -0,0 +1,59 @@ +From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 6 Mar 2023 12:07:33 +0100 +Subject: [PATCH] telnet: only accept option arguments in ascii + +To avoid embedded telnet negotiation commands etc. + +Reported-by: Harry Sintonen +Closes #10728 + +Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684 +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 22bc81e..baea885 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data, + } + } + ++static bool str_is_nonascii(const char *str) ++{ ++ size_t len = strlen(str); ++ while(len--) { ++ if(*str & 0x80) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + static CURLcode check_telnet_options(struct Curl_easy *data) + { + struct curl_slist *head; +@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) + /* Add the user name as an environment variable if it + was given on the command line */ + if(conn->bits.user_passwd) { ++ if(str_is_nonascii(data->conn->user)) ++ return CURLE_BAD_FUNCTION_ARGUMENT; + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { +@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) + for(head = data->set.telnet_options; head; head = head->next) { + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", + option_keyword, option_arg) == 2) { ++ if(str_is_nonascii(option_arg)) ++ continue; + + /* Terminal type */ + if(strcasecompare(option_keyword, "TTYPE")) { +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index f84d473..28fecf2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.76.1 -Release: 23%{?dist} +Release: 24%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -74,6 +74,9 @@ Patch23: 0023-curl-7.76.1-CVE-2022-43552.patch # fix HTTP multi-header compression denial of service (CVE-2023-23916) Patch24: 0024-curl-7.76.1-CVE-2023-23916.patch +# fix TELNET option IAC injection (CVE-2023-27533) +Patch25: 0025-curl-7.76.1-CVE-2023-27533.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -272,6 +275,7 @@ be installed. %patch22 -p1 %patch23 -p1 %patch24 -p1 +%patch25 -p1 # Fedora patches %patch101 -p1 @@ -497,6 +501,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Mar 24 2023 Kamil Dudka - 7.76.1-24 +- fix TELNET option IAC injection (CVE-2023-27533) + * Wed Feb 15 2023 Kamil Dudka - 7.76.1-23 - fix HTTP multi-header compression denial of service (CVE-2023-23916)