import curl-7.76.1-14.el9
This commit is contained in:
commit
b1c2dcdbd7
1
.curl.metadata
Normal file
1
.curl.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
d38ab79ef7a6d92df91ca8dfcf9a5eaf7e25b725 SOURCES/curl-7.76.1.tar.xz
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
SOURCES/curl-7.76.1.tar.xz
|
133
SOURCES/0001-curl-7.76.1-resource-leaks.patch
Normal file
133
SOURCES/0001-curl-7.76.1-resource-leaks.patch
Normal file
@ -0,0 +1,133 @@
|
|||||||
|
From 2281afef6757ed66c9e8a9a737aa91cb9e2950ef Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Fri, 30 Apr 2021 18:14:45 +0200
|
||||||
|
Subject: [PATCH 1/2] http2: fix resource leaks in set_transfer_url()
|
||||||
|
|
||||||
|
... detected by Coverity:
|
||||||
|
|
||||||
|
Error: RESOURCE_LEAK (CWE-772):
|
||||||
|
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
||||||
|
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
|
||||||
|
lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
||||||
|
lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
|
||||||
|
|
||||||
|
Error: RESOURCE_LEAK (CWE-772):
|
||||||
|
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
||||||
|
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
|
||||||
|
lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
||||||
|
lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
|
||||||
|
|
||||||
|
Error: RESOURCE_LEAK (CWE-772):
|
||||||
|
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
||||||
|
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
|
||||||
|
lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
||||||
|
lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
|
||||||
|
|
||||||
|
Error: RESOURCE_LEAK (CWE-772):
|
||||||
|
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
||||||
|
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
|
||||||
|
lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
||||||
|
lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
|
||||||
|
|
||||||
|
Closes #6986
|
||||||
|
|
||||||
|
Upstream-commit: 31931704707324af4b4edb24cc877829f7e9949e
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/http2.c | 24 +++++++++++++++++-------
|
||||||
|
1 file changed, 17 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http2.c b/lib/http2.c
|
||||||
|
index ce9a0d3..d5ba89b 100644
|
||||||
|
--- a/lib/http2.c
|
||||||
|
+++ b/lib/http2.c
|
||||||
|
@@ -500,32 +500,42 @@ static int set_transfer_url(struct Curl_easy *data,
|
||||||
|
CURLU *u = curl_url();
|
||||||
|
CURLUcode uc;
|
||||||
|
char *url;
|
||||||
|
+ int rc = 0;
|
||||||
|
|
||||||
|
v = curl_pushheader_byname(hp, ":scheme");
|
||||||
|
if(v) {
|
||||||
|
uc = curl_url_set(u, CURLUPART_SCHEME, v, 0);
|
||||||
|
- if(uc)
|
||||||
|
- return 1;
|
||||||
|
+ if(uc) {
|
||||||
|
+ rc = 1;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
v = curl_pushheader_byname(hp, ":authority");
|
||||||
|
if(v) {
|
||||||
|
uc = curl_url_set(u, CURLUPART_HOST, v, 0);
|
||||||
|
- if(uc)
|
||||||
|
- return 2;
|
||||||
|
+ if(uc) {
|
||||||
|
+ rc = 2;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
v = curl_pushheader_byname(hp, ":path");
|
||||||
|
if(v) {
|
||||||
|
uc = curl_url_set(u, CURLUPART_PATH, v, 0);
|
||||||
|
- if(uc)
|
||||||
|
- return 3;
|
||||||
|
+ if(uc) {
|
||||||
|
+ rc = 3;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
uc = curl_url_get(u, CURLUPART_URL, &url, 0);
|
||||||
|
if(uc)
|
||||||
|
- return 4;
|
||||||
|
+ rc = 4;
|
||||||
|
+ fail:
|
||||||
|
curl_url_cleanup(u);
|
||||||
|
+ if(rc)
|
||||||
|
+ return rc;
|
||||||
|
|
||||||
|
if(data->state.url_alloc)
|
||||||
|
free(data->state.url);
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
||||||
|
|
||||||
|
From 92ad72983f8462be1d5a5228672657ddf4d7ed72 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Fri, 30 Apr 2021 18:18:02 +0200
|
||||||
|
Subject: [PATCH 2/2] http2: fix a resource leak in push_promise()
|
||||||
|
|
||||||
|
... detected by Coverity:
|
||||||
|
|
||||||
|
Error: RESOURCE_LEAK (CWE-772):
|
||||||
|
lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
|
||||||
|
lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
|
||||||
|
lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
|
||||||
|
lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
|
||||||
|
|
||||||
|
Closes #6986
|
||||||
|
|
||||||
|
Upstream-commit: 3a6058cb976981ec1db870f9657c73c9a1162822
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/http2.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/lib/http2.c b/lib/http2.c
|
||||||
|
index d5ba89b..d0f69ea 100644
|
||||||
|
--- a/lib/http2.c
|
||||||
|
+++ b/lib/http2.c
|
||||||
|
@@ -581,6 +581,7 @@ static int push_promise(struct Curl_easy *data,
|
||||||
|
|
||||||
|
rv = set_transfer_url(newhandle, &heads);
|
||||||
|
if(rv) {
|
||||||
|
+ (void)Curl_close(&newhandle);
|
||||||
|
rv = CURL_PUSH_DENY;
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
31
SOURCES/0002-curl-7.76.1-CVE-2021-22898.patch
Normal file
31
SOURCES/0002-curl-7.76.1-CVE-2021-22898.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
From 886f7458bbf005299f3f8224103d1903cd6fa7a4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Harry Sintonen <sintonen@iki.fi>
|
||||||
|
Date: Fri, 7 May 2021 13:09:57 +0200
|
||||||
|
Subject: [PATCH] telnet: check sscanf() for correct number of matches
|
||||||
|
|
||||||
|
CVE-2021-22898
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2021-22898.html
|
||||||
|
|
||||||
|
Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/telnet.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/telnet.c b/lib/telnet.c
|
||||||
|
index f96a4cb..4551435 100644
|
||||||
|
--- a/lib/telnet.c
|
||||||
|
+++ b/lib/telnet.c
|
||||||
|
@@ -921,7 +921,7 @@ static void suboption(struct Curl_easy *data)
|
||||||
|
size_t tmplen = (strlen(v->data) + 1);
|
||||||
|
/* Add the variable only if it fits */
|
||||||
|
if(len + tmplen < (int)sizeof(temp)-6) {
|
||||||
|
- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
|
||||||
|
+ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
|
||||||
|
msnprintf((char *)&temp[len], sizeof(temp) - len,
|
||||||
|
"%c%s%c%s", CURL_NEW_ENV_VAR, varname,
|
||||||
|
CURL_NEW_ENV_VALUE, varval);
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
1012
SOURCES/0003-curl-7.76.1-CVE-2021-22901.patch
Normal file
1012
SOURCES/0003-curl-7.76.1-CVE-2021-22901.patch
Normal file
File diff suppressed because it is too large
Load Diff
44
SOURCES/0004-curl-7.76.1-ldaps-segv.patch
Normal file
44
SOURCES/0004-curl-7.76.1-ldaps-segv.patch
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
From 39b68b3f82535d06e50443db4c191dbaa00df4eb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrick Monnerat <patrick@monnerat.net>
|
||||||
|
Date: Fri, 23 Apr 2021 00:33:46 +0200
|
||||||
|
Subject: [PATCH] vtls: reset ssl use flag upon negotiation failure
|
||||||
|
|
||||||
|
Fixes the segfault in ldaps disconnect.
|
||||||
|
|
||||||
|
Reported-by: Illarion Taev
|
||||||
|
Fixes #6934
|
||||||
|
Closes #6937
|
||||||
|
|
||||||
|
Upstream-commit: a4554b2c5e7c5788c8198001598818599c60ff7d
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vtls/vtls.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||||
|
index 22cfb88..fa8a6fa 100644
|
||||||
|
--- a/lib/vtls/vtls.c
|
||||||
|
+++ b/lib/vtls/vtls.c
|
||||||
|
@@ -315,6 +315,8 @@ Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
|
||||||
|
|
||||||
|
if(!result)
|
||||||
|
Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
|
||||||
|
+ else
|
||||||
|
+ conn->ssl[sockindex].use = FALSE;
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
@@ -338,7 +340,9 @@ Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn,
|
||||||
|
/* mark this is being ssl requested from here on. */
|
||||||
|
conn->ssl[sockindex].use = TRUE;
|
||||||
|
result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
|
||||||
|
- if(!result && *done)
|
||||||
|
+ if(result)
|
||||||
|
+ conn->ssl[sockindex].use = FALSE;
|
||||||
|
+ else if(*done)
|
||||||
|
Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
279
SOURCES/0005-curl-7.76.1-CVE-2021-22924.patch
Normal file
279
SOURCES/0005-curl-7.76.1-CVE-2021-22924.patch
Normal file
@ -0,0 +1,279 @@
|
|||||||
|
From 30c7b4dd01734b6ba20bfc7790b9fe8bc0500214 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Sat, 19 Jun 2021 00:42:28 +0200
|
||||||
|
Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case
|
||||||
|
sensitivity
|
||||||
|
|
||||||
|
CVE-2021-22924
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.se/docs/CVE-2021-22924.html
|
||||||
|
|
||||||
|
Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/url.c | 10 ++++++----
|
||||||
|
lib/urldata.h | 4 ++--
|
||||||
|
lib/vtls/gtls.c | 10 +++++-----
|
||||||
|
lib/vtls/nss.c | 4 ++--
|
||||||
|
lib/vtls/openssl.c | 18 +++++++++---------
|
||||||
|
lib/vtls/vtls.c | 26 +++++++++++++++++++++-----
|
||||||
|
6 files changed, 45 insertions(+), 27 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index 9f2c9f2..bdcb095 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -3723,6 +3723,8 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
*/
|
||||||
|
data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
|
||||||
|
data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
|
||||||
|
+ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
|
||||||
|
+ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
|
||||||
|
data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
|
||||||
|
data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
|
||||||
|
data->set.ssl.primary.cipher_list =
|
||||||
|
@@ -3747,8 +3749,11 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
data->set.proxy_ssl.primary.pinned_key =
|
||||||
|
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
|
||||||
|
data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
|
||||||
|
+ data->set.proxy_ssl.primary.issuercert =
|
||||||
|
+ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
||||||
|
+ data->set.proxy_ssl.primary.issuercert_blob =
|
||||||
|
+ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
|
||||||
|
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||||||
|
- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
||||||
|
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
|
||||||
|
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
|
||||||
|
data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
|
||||||
|
@@ -3757,7 +3762,6 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
|
||||||
|
#endif
|
||||||
|
data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||||||
|
- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
|
||||||
|
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
|
||||||
|
data->set.ssl.key = data->set.str[STRING_KEY];
|
||||||
|
data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
|
||||||
|
@@ -3771,9 +3775,7 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
-
|
||||||
|
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
|
||||||
|
- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
|
||||||
|
|
||||||
|
if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
|
||||||
|
&conn->ssl_config)) {
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index 2bb7d81..7cf63d0 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -246,6 +246,7 @@ struct ssl_primary_config {
|
||||||
|
long version_max; /* max supported version the client wants to use*/
|
||||||
|
char *CApath; /* certificate dir (doesn't work on windows) */
|
||||||
|
char *CAfile; /* certificate to verify peer against */
|
||||||
|
+ char *issuercert; /* optional issuer certificate filename */
|
||||||
|
char *clientcert;
|
||||||
|
char *random_file; /* path to file containing "random" data */
|
||||||
|
char *egdsocket; /* path to file containing the EGD daemon socket */
|
||||||
|
@@ -253,6 +254,7 @@ struct ssl_primary_config {
|
||||||
|
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
|
||||||
|
char *pinned_key;
|
||||||
|
struct curl_blob *cert_blob;
|
||||||
|
+ struct curl_blob *issuercert_blob;
|
||||||
|
char *curves; /* list of curves to use */
|
||||||
|
BIT(verifypeer); /* set TRUE if this is desired */
|
||||||
|
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
|
||||||
|
@@ -264,8 +266,6 @@ struct ssl_config_data {
|
||||||
|
struct ssl_primary_config primary;
|
||||||
|
long certverifyresult; /* result from the certificate verification */
|
||||||
|
char *CRLfile; /* CRL to check certificate revocation */
|
||||||
|
- char *issuercert;/* optional issuer certificate filename */
|
||||||
|
- struct curl_blob *issuercert_blob;
|
||||||
|
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
|
||||||
|
void *fsslctxp; /* parameter for call back */
|
||||||
|
char *cert_type; /* format for certificate (default: PEM)*/
|
||||||
|
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||||||
|
index ea54fe3..ccc5ce8 100644
|
||||||
|
--- a/lib/vtls/gtls.c
|
||||||
|
+++ b/lib/vtls/gtls.c
|
||||||
|
@@ -849,7 +849,7 @@ gtls_connect_step3(struct Curl_easy *data,
|
||||||
|
if(!chainp) {
|
||||||
|
if(SSL_CONN_CONFIG(verifypeer) ||
|
||||||
|
SSL_CONN_CONFIG(verifyhost) ||
|
||||||
|
- SSL_SET_OPTION(issuercert)) {
|
||||||
|
+ SSL_CONN_CONFIG(issuercert)) {
|
||||||
|
#ifdef HAVE_GNUTLS_SRP
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||||
|
&& SSL_SET_OPTION(username) != NULL
|
||||||
|
@@ -1033,21 +1033,21 @@ gtls_connect_step3(struct Curl_easy *data,
|
||||||
|
gnutls_x509_crt_t format */
|
||||||
|
gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
|
||||||
|
|
||||||
|
- if(SSL_SET_OPTION(issuercert)) {
|
||||||
|
+ if(SSL_CONN_CONFIG(issuercert)) {
|
||||||
|
gnutls_x509_crt_init(&x509_issuer);
|
||||||
|
- issuerp = load_file(SSL_SET_OPTION(issuercert));
|
||||||
|
+ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
|
||||||
|
gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
|
||||||
|
rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
|
||||||
|
gnutls_x509_crt_deinit(x509_issuer);
|
||||||
|
unload_file(issuerp);
|
||||||
|
if(rc <= 0) {
|
||||||
|
failf(data, "server certificate issuer check failed (IssuerCert: %s)",
|
||||||
|
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
|
||||||
|
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
|
||||||
|
gnutls_x509_crt_deinit(x509_cert);
|
||||||
|
return CURLE_SSL_ISSUER_ERROR;
|
||||||
|
}
|
||||||
|
infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
|
||||||
|
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
|
||||||
|
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
|
||||||
|
}
|
||||||
|
|
||||||
|
size = sizeof(certname);
|
||||||
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||||
|
index ae3945c..b0b1e8c 100644
|
||||||
|
--- a/lib/vtls/nss.c
|
||||||
|
+++ b/lib/vtls/nss.c
|
||||||
|
@@ -2156,9 +2156,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data,
|
||||||
|
if(result)
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
- if(SSL_SET_OPTION(issuercert)) {
|
||||||
|
+ if(SSL_CONN_CONFIG(issuercert)) {
|
||||||
|
SECStatus ret = SECFailure;
|
||||||
|
- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
|
||||||
|
+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
|
||||||
|
if(nickname) {
|
||||||
|
/* we support only nicknames in case of issuercert for now */
|
||||||
|
ret = check_issuer_cert(backend->handle, nickname);
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 2404393..be7b811 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -3872,10 +3872,10 @@ static CURLcode servercert(struct Curl_easy *data,
|
||||||
|
deallocating the certificate. */
|
||||||
|
|
||||||
|
/* e.g. match issuer name with provided issuer certificate */
|
||||||
|
- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
|
||||||
|
- if(SSL_SET_OPTION(issuercert_blob))
|
||||||
|
- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
|
||||||
|
- (int)SSL_SET_OPTION(issuercert_blob)->len);
|
||||||
|
+ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
|
||||||
|
+ if(SSL_CONN_CONFIG(issuercert_blob))
|
||||||
|
+ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
|
||||||
|
+ (int)SSL_CONN_CONFIG(issuercert_blob)->len);
|
||||||
|
else {
|
||||||
|
fp = BIO_new(BIO_s_file());
|
||||||
|
if(fp == NULL) {
|
||||||
|
@@ -3889,10 +3889,10 @@ static CURLcode servercert(struct Curl_easy *data,
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
|
||||||
|
+ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
|
||||||
|
if(strict)
|
||||||
|
failf(data, "SSL: Unable to open issuer cert (%s)",
|
||||||
|
- SSL_SET_OPTION(issuercert));
|
||||||
|
+ SSL_CONN_CONFIG(issuercert));
|
||||||
|
BIO_free(fp);
|
||||||
|
X509_free(backend->server_cert);
|
||||||
|
backend->server_cert = NULL;
|
||||||
|
@@ -3904,7 +3904,7 @@ static CURLcode servercert(struct Curl_easy *data,
|
||||||
|
if(!issuer) {
|
||||||
|
if(strict)
|
||||||
|
failf(data, "SSL: Unable to read issuer cert (%s)",
|
||||||
|
- SSL_SET_OPTION(issuercert));
|
||||||
|
+ SSL_CONN_CONFIG(issuercert));
|
||||||
|
BIO_free(fp);
|
||||||
|
X509_free(issuer);
|
||||||
|
X509_free(backend->server_cert);
|
||||||
|
@@ -3915,7 +3915,7 @@ static CURLcode servercert(struct Curl_easy *data,
|
||||||
|
if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
|
||||||
|
if(strict)
|
||||||
|
failf(data, "SSL: Certificate issuer check failed (%s)",
|
||||||
|
- SSL_SET_OPTION(issuercert));
|
||||||
|
+ SSL_CONN_CONFIG(issuercert));
|
||||||
|
BIO_free(fp);
|
||||||
|
X509_free(issuer);
|
||||||
|
X509_free(backend->server_cert);
|
||||||
|
@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
|
||||||
|
infof(data, " SSL certificate issuer check ok (%s)\n",
|
||||||
|
- SSL_SET_OPTION(issuercert));
|
||||||
|
+ SSL_CONN_CONFIG(issuercert));
|
||||||
|
BIO_free(fp);
|
||||||
|
X509_free(issuer);
|
||||||
|
}
|
||||||
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||||
|
index fa8a6fa..1aa6fc8 100644
|
||||||
|
--- a/lib/vtls/vtls.c
|
||||||
|
+++ b/lib/vtls/vtls.c
|
||||||
|
@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
|
||||||
|
return !memcmp(first->data, second->data, first->len); /* same data */
|
||||||
|
}
|
||||||
|
|
||||||
|
+static bool safecmp(char *a, char *b)
|
||||||
|
+{
|
||||||
|
+ if(a && b)
|
||||||
|
+ return !strcmp(a, b);
|
||||||
|
+ else if(!a && !b)
|
||||||
|
+ return TRUE; /* match */
|
||||||
|
+ return FALSE; /* no match */
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
bool
|
||||||
|
Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||||
|
struct ssl_primary_config *needle)
|
||||||
|
@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||||
|
(data->verifyhost == needle->verifyhost) &&
|
||||||
|
(data->verifystatus == needle->verifystatus) &&
|
||||||
|
blobcmp(data->cert_blob, needle->cert_blob) &&
|
||||||
|
- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
|
||||||
|
- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
|
||||||
|
- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
|
||||||
|
- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
|
||||||
|
- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
|
||||||
|
+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
|
||||||
|
+ safecmp(data->CApath, needle->CApath) &&
|
||||||
|
+ safecmp(data->CAfile, needle->CAfile) &&
|
||||||
|
+ safecmp(data->issuercert, needle->issuercert) &&
|
||||||
|
+ safecmp(data->clientcert, needle->clientcert) &&
|
||||||
|
+ safecmp(data->random_file, needle->random_file) &&
|
||||||
|
+ safecmp(data->egdsocket, needle->egdsocket) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
||||||
|
Curl_safe_strcasecompare(data->curves, needle->curves) &&
|
||||||
|
@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
||||||
|
dest->sessionid = source->sessionid;
|
||||||
|
|
||||||
|
CLONE_BLOB(cert_blob);
|
||||||
|
+ CLONE_BLOB(issuercert_blob);
|
||||||
|
CLONE_STRING(CApath);
|
||||||
|
CLONE_STRING(CAfile);
|
||||||
|
+ CLONE_STRING(issuercert);
|
||||||
|
CLONE_STRING(clientcert);
|
||||||
|
CLONE_STRING(random_file);
|
||||||
|
CLONE_STRING(egdsocket);
|
||||||
|
@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
||||||
|
{
|
||||||
|
Curl_safefree(sslc->CApath);
|
||||||
|
Curl_safefree(sslc->CAfile);
|
||||||
|
+ Curl_safefree(sslc->issuercert);
|
||||||
|
Curl_safefree(sslc->clientcert);
|
||||||
|
Curl_safefree(sslc->random_file);
|
||||||
|
Curl_safefree(sslc->egdsocket);
|
||||||
|
@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
||||||
|
Curl_safefree(sslc->cipher_list13);
|
||||||
|
Curl_safefree(sslc->pinned_key);
|
||||||
|
Curl_safefree(sslc->cert_blob);
|
||||||
|
+ Curl_safefree(sslc->issuercert_blob);
|
||||||
|
Curl_safefree(sslc->curves);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
47
SOURCES/0006-curl-7.76.1-CVE-2021-22925.patch
Normal file
47
SOURCES/0006-curl-7.76.1-CVE-2021-22925.patch
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
From 3dbac7fb8b39a4f9aa871401d9d2790f0583ba01 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Sat, 12 Jun 2021 18:25:15 +0200
|
||||||
|
Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
|
||||||
|
|
||||||
|
CVE-2021-22925
|
||||||
|
|
||||||
|
Reported-by: Red Hat Product Security
|
||||||
|
Bug: https://curl.se/docs/CVE-2021-22925.html
|
||||||
|
|
||||||
|
Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/telnet.c | 17 +++++++++++------
|
||||||
|
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/telnet.c b/lib/telnet.c
|
||||||
|
index fdd137f..567c22c 100644
|
||||||
|
--- a/lib/telnet.c
|
||||||
|
+++ b/lib/telnet.c
|
||||||
|
@@ -922,12 +922,17 @@ static void suboption(struct Curl_easy *data)
|
||||||
|
size_t tmplen = (strlen(v->data) + 1);
|
||||||
|
/* Add the variable only if it fits */
|
||||||
|
if(len + tmplen < (int)sizeof(temp)-6) {
|
||||||
|
- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
|
||||||
|
- msnprintf((char *)&temp[len], sizeof(temp) - len,
|
||||||
|
- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
|
||||||
|
- CURL_NEW_ENV_VALUE, varval);
|
||||||
|
- len += tmplen;
|
||||||
|
- }
|
||||||
|
+ int rv;
|
||||||
|
+ char sep[2] = "";
|
||||||
|
+ varval[0] = 0;
|
||||||
|
+ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
|
||||||
|
+ if(rv == 1)
|
||||||
|
+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
|
||||||
|
+ "%c%s", CURL_NEW_ENV_VAR, varname);
|
||||||
|
+ else if(rv >= 2)
|
||||||
|
+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
|
||||||
|
+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
|
||||||
|
+ CURL_NEW_ENV_VALUE, varval);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
msnprintf((char *)&temp[len], sizeof(temp) - len,
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
33
SOURCES/0007-curl-7.76.1-CVE-2021-22945.patch
Normal file
33
SOURCES/0007-curl-7.76.1-CVE-2021-22945.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001
|
||||||
|
From: z2_ on hackerone <>
|
||||||
|
Date: Tue, 24 Aug 2021 09:50:33 +0200
|
||||||
|
Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds
|
||||||
|
|
||||||
|
CVE-2021-22945
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2021-22945.html
|
||||||
|
|
||||||
|
Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/mqtt.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/mqtt.c b/lib/mqtt.c
|
||||||
|
index d88fa73..f3fc045 100644
|
||||||
|
--- a/lib/mqtt.c
|
||||||
|
+++ b/lib/mqtt.c
|
||||||
|
@@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data,
|
||||||
|
mq->sendleftovers = sendleftovers;
|
||||||
|
mq->nsend = nsend;
|
||||||
|
}
|
||||||
|
+ else {
|
||||||
|
+ mq->sendleftovers = NULL;
|
||||||
|
+ mq->nsend = 0;
|
||||||
|
+ }
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
331
SOURCES/0008-curl-7.76.1-CVE-2021-22946.patch
Normal file
331
SOURCES/0008-curl-7.76.1-CVE-2021-22946.patch
Normal file
@ -0,0 +1,331 @@
|
|||||||
|
From 64f8bdbf7da9e6b65716ce0d020c6c01d0aba77d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrick Monnerat <patrick@monnerat.net>
|
||||||
|
Date: Wed, 8 Sep 2021 11:56:22 +0200
|
||||||
|
Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
|
||||||
|
|
||||||
|
In imap and pop3, check if TLS is required even when capabilities
|
||||||
|
request has failed.
|
||||||
|
|
||||||
|
In ftp, ignore preauthentication (230 status of server greeting) if TLS
|
||||||
|
is required.
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2021-22946.html
|
||||||
|
|
||||||
|
CVE-2021-22946
|
||||||
|
|
||||||
|
Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/ftp.c | 9 ++++---
|
||||||
|
lib/imap.c | 24 ++++++++----------
|
||||||
|
lib/pop3.c | 33 +++++++++++-------------
|
||||||
|
tests/data/Makefile.inc | 2 ++
|
||||||
|
tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++
|
||||||
|
7 files changed, 195 insertions(+), 36 deletions(-)
|
||||||
|
create mode 100644 tests/data/test984
|
||||||
|
create mode 100644 tests/data/test985
|
||||||
|
create mode 100644 tests/data/test986
|
||||||
|
|
||||||
|
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||||
|
index 5ef1e2e..71f998e 100644
|
||||||
|
--- a/lib/ftp.c
|
||||||
|
+++ b/lib/ftp.c
|
||||||
|
@@ -2678,9 +2678,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
|
||||||
|
/* we have now received a full FTP server response */
|
||||||
|
switch(ftpc->state) {
|
||||||
|
case FTP_WAIT220:
|
||||||
|
- if(ftpcode == 230)
|
||||||
|
- /* 230 User logged in - already! */
|
||||||
|
- return ftp_state_user_resp(data, ftpcode, ftpc->state);
|
||||||
|
+ if(ftpcode == 230) {
|
||||||
|
+ /* 230 User logged in - already! Take as 220 if TLS required. */
|
||||||
|
+ if(data->set.use_ssl <= CURLUSESSL_TRY ||
|
||||||
|
+ conn->bits.ftp_use_control_ssl)
|
||||||
|
+ return ftp_state_user_resp(data, ftpcode, ftpc->state);
|
||||||
|
+ }
|
||||||
|
else if(ftpcode != 220) {
|
||||||
|
failf(data, "Got a %03d ftp-server response when 220 was expected",
|
||||||
|
ftpcode);
|
||||||
|
diff --git a/lib/imap.c b/lib/imap.c
|
||||||
|
index e50d7fd..feb7445 100644
|
||||||
|
--- a/lib/imap.c
|
||||||
|
+++ b/lib/imap.c
|
||||||
|
@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
|
||||||
|
line += wordlen;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- else if(imapcode == IMAP_RESP_OK) {
|
||||||
|
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
|
||||||
|
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
|
||||||
|
- if(imapc->tls_supported)
|
||||||
|
- /* Switch to TLS connection now */
|
||||||
|
- result = imap_perform_starttls(data, conn);
|
||||||
|
- else if(data->set.use_ssl == CURLUSESSL_TRY)
|
||||||
|
- /* Fallback and carry on with authentication */
|
||||||
|
- result = imap_perform_authentication(data, conn);
|
||||||
|
- else {
|
||||||
|
- failf(data, "STARTTLS not supported.");
|
||||||
|
- result = CURLE_USE_SSL_FAILED;
|
||||||
|
- }
|
||||||
|
+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
|
||||||
|
+ /* PREAUTH is not compatible with STARTTLS. */
|
||||||
|
+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
|
||||||
|
+ /* Switch to TLS connection now */
|
||||||
|
+ result = imap_perform_starttls(data, conn);
|
||||||
|
}
|
||||||
|
- else
|
||||||
|
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
|
||||||
|
result = imap_perform_authentication(data, conn);
|
||||||
|
+ else {
|
||||||
|
+ failf(data, "STARTTLS not available.");
|
||||||
|
+ result = CURLE_USE_SSL_FAILED;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
else
|
||||||
|
result = imap_perform_authentication(data, conn);
|
||||||
|
diff --git a/lib/pop3.c b/lib/pop3.c
|
||||||
|
index 6168b12..7698d1c 100644
|
||||||
|
--- a/lib/pop3.c
|
||||||
|
+++ b/lib/pop3.c
|
||||||
|
@@ -740,28 +740,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- else if(pop3code == '+') {
|
||||||
|
- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
|
||||||
|
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
|
||||||
|
- if(pop3c->tls_supported)
|
||||||
|
- /* Switch to TLS connection now */
|
||||||
|
- result = pop3_perform_starttls(data, conn);
|
||||||
|
- else if(data->set.use_ssl == CURLUSESSL_TRY)
|
||||||
|
- /* Fallback and carry on with authentication */
|
||||||
|
- result = pop3_perform_authentication(data, conn);
|
||||||
|
- else {
|
||||||
|
- failf(data, "STLS not supported.");
|
||||||
|
- result = CURLE_USE_SSL_FAILED;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- else
|
||||||
|
- result = pop3_perform_authentication(data, conn);
|
||||||
|
- }
|
||||||
|
else {
|
||||||
|
/* Clear text is supported when CAPA isn't recognised */
|
||||||
|
- pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
|
||||||
|
+ if(pop3code != '+')
|
||||||
|
+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
|
||||||
|
|
||||||
|
- result = pop3_perform_authentication(data, conn);
|
||||||
|
+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
|
||||||
|
+ result = pop3_perform_authentication(data, conn);
|
||||||
|
+ else if(pop3code == '+' && pop3c->tls_supported)
|
||||||
|
+ /* Switch to TLS connection now */
|
||||||
|
+ result = pop3_perform_starttls(data, conn);
|
||||||
|
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
|
||||||
|
+ /* Fallback and carry on with authentication */
|
||||||
|
+ result = pop3_perform_authentication(data, conn);
|
||||||
|
+ else {
|
||||||
|
+ failf(data, "STLS not supported.");
|
||||||
|
+ result = CURLE_USE_SSL_FAILED;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
return result;
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index d083baf..163ce59 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -117,6 +117,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
||||||
|
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
||||||
|
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
||||||
|
\
|
||||||
|
+test984 test985 test986 \
|
||||||
|
+\
|
||||||
|
test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
|
||||||
|
test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
|
||||||
|
test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
|
||||||
|
diff --git a/tests/data/test984 b/tests/data/test984
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..e573f23
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test984
|
||||||
|
@@ -0,0 +1,56 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+IMAP
|
||||||
|
+STARTTLS
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<servercmd>
|
||||||
|
+REPLY CAPABILITY A001 BAD Not implemented
|
||||||
|
+</servercmd>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<features>
|
||||||
|
+SSL
|
||||||
|
+</features>
|
||||||
|
+<server>
|
||||||
|
+imap
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+IMAP require STARTTLS with failing capabilities
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
|
||||||
|
+</command>
|
||||||
|
+<file name="log/upload%TESTNUMBER">
|
||||||
|
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
|
||||||
|
+From: Fred Foobar <foobar@example.COM>
|
||||||
|
+Subject: afternoon meeting
|
||||||
|
+To: joe@example.com
|
||||||
|
+Message-Id: <B27397-0100000@example.COM>
|
||||||
|
+MIME-Version: 1.0
|
||||||
|
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
|
||||||
|
+
|
||||||
|
+Hello Joe, do you think we can meet at 3:30 tomorrow?
|
||||||
|
+</file>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+# 64 is CURLE_USE_SSL_FAILED
|
||||||
|
+<errorcode>
|
||||||
|
+64
|
||||||
|
+</errorcode>
|
||||||
|
+<protocol>
|
||||||
|
+A001 CAPABILITY
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test985 b/tests/data/test985
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..d0db4aa
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test985
|
||||||
|
@@ -0,0 +1,54 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+POP3
|
||||||
|
+STARTTLS
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<servercmd>
|
||||||
|
+REPLY CAPA -ERR Not implemented
|
||||||
|
+</servercmd>
|
||||||
|
+<data nocheck="yes">
|
||||||
|
+From: me@somewhere
|
||||||
|
+To: fake@nowhere
|
||||||
|
+
|
||||||
|
+body
|
||||||
|
+
|
||||||
|
+--
|
||||||
|
+ yours sincerely
|
||||||
|
+</data>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<features>
|
||||||
|
+SSL
|
||||||
|
+</features>
|
||||||
|
+<server>
|
||||||
|
+pop3
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+POP3 require STARTTLS with failing capabilities
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
|
||||||
|
+ </command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+# 64 is CURLE_USE_SSL_FAILED
|
||||||
|
+<errorcode>
|
||||||
|
+64
|
||||||
|
+</errorcode>
|
||||||
|
+<protocol>
|
||||||
|
+CAPA
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test986 b/tests/data/test986
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..a709437
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test986
|
||||||
|
@@ -0,0 +1,53 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+FTP
|
||||||
|
+STARTTLS
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<servercmd>
|
||||||
|
+REPLY welcome 230 Welcome
|
||||||
|
+REPLY AUTH 500 unknown command
|
||||||
|
+</servercmd>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<features>
|
||||||
|
+SSL
|
||||||
|
+</features>
|
||||||
|
+<server>
|
||||||
|
+ftp
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+FTP require STARTTLS while preauthenticated
|
||||||
|
+ </name>
|
||||||
|
+<file name="log/test%TESTNUMBER.txt">
|
||||||
|
+data
|
||||||
|
+ to
|
||||||
|
+ see
|
||||||
|
+that FTPS
|
||||||
|
+works
|
||||||
|
+ so does it?
|
||||||
|
+</file>
|
||||||
|
+ <command>
|
||||||
|
+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+# 64 is CURLE_USE_SSL_FAILED
|
||||||
|
+<errorcode>
|
||||||
|
+64
|
||||||
|
+</errorcode>
|
||||||
|
+<protocol>
|
||||||
|
+AUTH SSL
|
||||||
|
+AUTH TLS
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
354
SOURCES/0009-curl-7.76.1-CVE-2021-22947.patch
Normal file
354
SOURCES/0009-curl-7.76.1-CVE-2021-22947.patch
Normal file
@ -0,0 +1,354 @@
|
|||||||
|
From a1ec463c8207bde97b3575d12e396e999a55a8d0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrick Monnerat <patrick@monnerat.net>
|
||||||
|
Date: Tue, 7 Sep 2021 13:26:42 +0200
|
||||||
|
Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
|
||||||
|
pipelining
|
||||||
|
|
||||||
|
If a server pipelines future responses within the STARTTLS response, the
|
||||||
|
former are preserved in the pingpong cache across TLS negotiation and
|
||||||
|
used as responses to the encrypted commands.
|
||||||
|
|
||||||
|
This fix detects pipelined STARTTLS responses and rejects them with an
|
||||||
|
error.
|
||||||
|
|
||||||
|
CVE-2021-22947
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2021-22947.html
|
||||||
|
|
||||||
|
Upstream-commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/ftp.c | 3 +++
|
||||||
|
lib/imap.c | 4 +++
|
||||||
|
lib/pop3.c | 4 +++
|
||||||
|
lib/smtp.c | 4 +++
|
||||||
|
tests/data/Makefile.inc | 2 +-
|
||||||
|
tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++
|
||||||
|
9 files changed, 236 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 tests/data/test980
|
||||||
|
create mode 100644 tests/data/test981
|
||||||
|
create mode 100644 tests/data/test982
|
||||||
|
create mode 100644 tests/data/test983
|
||||||
|
|
||||||
|
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||||
|
index 71f998e..e920138 100644
|
||||||
|
--- a/lib/ftp.c
|
||||||
|
+++ b/lib/ftp.c
|
||||||
|
@@ -2740,6 +2740,9 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
|
||||||
|
case FTP_AUTH:
|
||||||
|
/* we have gotten the response to a previous AUTH command */
|
||||||
|
|
||||||
|
+ if(pp->cache_size)
|
||||||
|
+ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
|
||||||
|
+
|
||||||
|
/* RFC2228 (page 5) says:
|
||||||
|
*
|
||||||
|
* If the server is willing to accept the named security mechanism,
|
||||||
|
diff --git a/lib/imap.c b/lib/imap.c
|
||||||
|
index feb7445..09bc5d6 100644
|
||||||
|
--- a/lib/imap.c
|
||||||
|
+++ b/lib/imap.c
|
||||||
|
@@ -964,6 +964,10 @@ static CURLcode imap_state_starttls_resp(struct Curl_easy *data,
|
||||||
|
|
||||||
|
(void)instate; /* no use for this yet */
|
||||||
|
|
||||||
|
+ /* Pipelining in response is forbidden. */
|
||||||
|
+ if(data->conn->proto.imapc.pp.cache_size)
|
||||||
|
+ return CURLE_WEIRD_SERVER_REPLY;
|
||||||
|
+
|
||||||
|
if(imapcode != IMAP_RESP_OK) {
|
||||||
|
if(data->set.use_ssl != CURLUSESSL_TRY) {
|
||||||
|
failf(data, "STARTTLS denied");
|
||||||
|
diff --git a/lib/pop3.c b/lib/pop3.c
|
||||||
|
index 7698d1c..dccfced 100644
|
||||||
|
--- a/lib/pop3.c
|
||||||
|
+++ b/lib/pop3.c
|
||||||
|
@@ -771,6 +771,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data,
|
||||||
|
CURLcode result = CURLE_OK;
|
||||||
|
(void)instate; /* no use for this yet */
|
||||||
|
|
||||||
|
+ /* Pipelining in response is forbidden. */
|
||||||
|
+ if(data->conn->proto.pop3c.pp.cache_size)
|
||||||
|
+ return CURLE_WEIRD_SERVER_REPLY;
|
||||||
|
+
|
||||||
|
if(pop3code != '+') {
|
||||||
|
if(data->set.use_ssl != CURLUSESSL_TRY) {
|
||||||
|
failf(data, "STARTTLS denied");
|
||||||
|
diff --git a/lib/smtp.c b/lib/smtp.c
|
||||||
|
index 1defb25..1f89777 100644
|
||||||
|
--- a/lib/smtp.c
|
||||||
|
+++ b/lib/smtp.c
|
||||||
|
@@ -834,6 +834,10 @@ static CURLcode smtp_state_starttls_resp(struct Curl_easy *data,
|
||||||
|
CURLcode result = CURLE_OK;
|
||||||
|
(void)instate; /* no use for this yet */
|
||||||
|
|
||||||
|
+ /* Pipelining in response is forbidden. */
|
||||||
|
+ if(data->conn->proto.smtpc.pp.cache_size)
|
||||||
|
+ return CURLE_WEIRD_SERVER_REPLY;
|
||||||
|
+
|
||||||
|
if(smtpcode != 220) {
|
||||||
|
if(data->set.use_ssl != CURLUSESSL_TRY) {
|
||||||
|
failf(data, "STARTTLS denied, code %d", smtpcode);
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 163ce59..42b0569 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -117,7 +117,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
||||||
|
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
||||||
|
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
||||||
|
\
|
||||||
|
-test984 test985 test986 \
|
||||||
|
+test980 test981 test982 test983 test984 test985 test986 \
|
||||||
|
\
|
||||||
|
test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
|
||||||
|
test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
|
||||||
|
diff --git a/tests/data/test980 b/tests/data/test980
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..97567f8
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test980
|
||||||
|
@@ -0,0 +1,52 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+SMTP
|
||||||
|
+STARTTLS
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<servercmd>
|
||||||
|
+CAPA STARTTLS
|
||||||
|
+AUTH PLAIN
|
||||||
|
+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
|
||||||
|
+REPLY AUTH 535 5.7.8 Authentication credentials invalid
|
||||||
|
+</servercmd>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<features>
|
||||||
|
+SSL
|
||||||
|
+</features>
|
||||||
|
+<server>
|
||||||
|
+smtp
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+SMTP STARTTLS pipelined server response
|
||||||
|
+ </name>
|
||||||
|
+<stdin>
|
||||||
|
+mail body
|
||||||
|
+</stdin>
|
||||||
|
+ <command>
|
||||||
|
+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+# 8 is CURLE_WEIRD_SERVER_REPLY
|
||||||
|
+<errorcode>
|
||||||
|
+8
|
||||||
|
+</errorcode>
|
||||||
|
+<protocol>
|
||||||
|
+EHLO %TESTNUMBER
|
||||||
|
+STARTTLS
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test981 b/tests/data/test981
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..2b98ce4
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test981
|
||||||
|
@@ -0,0 +1,59 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+IMAP
|
||||||
|
+STARTTLS
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<servercmd>
|
||||||
|
+CAPA STARTTLS
|
||||||
|
+REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
|
||||||
|
+REPLY LOGIN A003 BAD Authentication credentials invalid
|
||||||
|
+</servercmd>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<features>
|
||||||
|
+SSL
|
||||||
|
+</features>
|
||||||
|
+<server>
|
||||||
|
+imap
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+IMAP STARTTLS pipelined server response
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
|
||||||
|
+</command>
|
||||||
|
+<file name="log/upload%TESTNUMBER">
|
||||||
|
+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
|
||||||
|
+From: Fred Foobar <foobar@example.COM>
|
||||||
|
+Subject: afternoon meeting
|
||||||
|
+To: joe@example.com
|
||||||
|
+Message-Id: <B27397-0100000@example.COM>
|
||||||
|
+MIME-Version: 1.0
|
||||||
|
+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
|
||||||
|
+
|
||||||
|
+Hello Joe, do you think we can meet at 3:30 tomorrow?
|
||||||
|
+</file>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+# 8 is CURLE_WEIRD_SERVER_REPLY
|
||||||
|
+<errorcode>
|
||||||
|
+8
|
||||||
|
+</errorcode>
|
||||||
|
+<protocol>
|
||||||
|
+A001 CAPABILITY
|
||||||
|
+A002 STARTTLS
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test982 b/tests/data/test982
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..9e07cc0
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test982
|
||||||
|
@@ -0,0 +1,57 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+POP3
|
||||||
|
+STARTTLS
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<servercmd>
|
||||||
|
+CAPA STLS USER
|
||||||
|
+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
|
||||||
|
+REPLY PASS -ERR Authentication credentials invalid
|
||||||
|
+</servercmd>
|
||||||
|
+<data nocheck="yes">
|
||||||
|
+From: me@somewhere
|
||||||
|
+To: fake@nowhere
|
||||||
|
+
|
||||||
|
+body
|
||||||
|
+
|
||||||
|
+--
|
||||||
|
+ yours sincerely
|
||||||
|
+</data>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<features>
|
||||||
|
+SSL
|
||||||
|
+</features>
|
||||||
|
+<server>
|
||||||
|
+pop3
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+POP3 STARTTLS pipelined server response
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
|
||||||
|
+ </command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+# 8 is CURLE_WEIRD_SERVER_REPLY
|
||||||
|
+<errorcode>
|
||||||
|
+8
|
||||||
|
+</errorcode>
|
||||||
|
+<protocol>
|
||||||
|
+CAPA
|
||||||
|
+STLS
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test983 b/tests/data/test983
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..300ec45
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test983
|
||||||
|
@@ -0,0 +1,52 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+FTP
|
||||||
|
+STARTTLS
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<servercmd>
|
||||||
|
+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
|
||||||
|
+REPLY PASS 530 Login incorrect
|
||||||
|
+</servercmd>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<features>
|
||||||
|
+SSL
|
||||||
|
+</features>
|
||||||
|
+<server>
|
||||||
|
+ftp
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+FTP STARTTLS pipelined server response
|
||||||
|
+ </name>
|
||||||
|
+<file name="log/test%TESTNUMBER.txt">
|
||||||
|
+data
|
||||||
|
+ to
|
||||||
|
+ see
|
||||||
|
+that FTPS
|
||||||
|
+works
|
||||||
|
+ so does it?
|
||||||
|
+</file>
|
||||||
|
+ <command>
|
||||||
|
+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+# 8 is CURLE_WEIRD_SERVER_REPLY
|
||||||
|
+<errorcode>
|
||||||
|
+8
|
||||||
|
+</errorcode>
|
||||||
|
+<protocol>
|
||||||
|
+AUTH SSL
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
91
SOURCES/0101-curl-7.32.0-multilib.patch
Normal file
91
SOURCES/0101-curl-7.32.0-multilib.patch
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Fri, 12 Apr 2013 12:04:05 +0200
|
||||||
|
Subject: [PATCH] prevent multilib conflicts on the curl-config script
|
||||||
|
|
||||||
|
---
|
||||||
|
curl-config.in | 23 +++++------------------
|
||||||
|
docs/curl-config.1 | 4 +++-
|
||||||
|
libcurl.pc.in | 1 +
|
||||||
|
3 files changed, 9 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/curl-config.in b/curl-config.in
|
||||||
|
index 150004d..95d0759 100644
|
||||||
|
--- a/curl-config.in
|
||||||
|
+++ b/curl-config.in
|
||||||
|
@@ -76,7 +76,7 @@ while test $# -gt 0; do
|
||||||
|
;;
|
||||||
|
|
||||||
|
--cc)
|
||||||
|
- echo "@CC@"
|
||||||
|
+ echo "gcc"
|
||||||
|
;;
|
||||||
|
|
||||||
|
--prefix)
|
||||||
|
@@ -155,32 +155,19 @@ while test $# -gt 0; do
|
||||||
|
;;
|
||||||
|
|
||||||
|
--libs)
|
||||||
|
- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then
|
||||||
|
- CURLLIBDIR="-L@libdir@ "
|
||||||
|
- else
|
||||||
|
- CURLLIBDIR=""
|
||||||
|
- fi
|
||||||
|
- if test "X@ENABLE_SHARED@" = "Xno"; then
|
||||||
|
- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
|
||||||
|
- else
|
||||||
|
- echo ${CURLLIBDIR}-lcurl
|
||||||
|
- fi
|
||||||
|
+ echo -lcurl
|
||||||
|
;;
|
||||||
|
--ssl-backends)
|
||||||
|
echo "@SSL_BACKENDS@"
|
||||||
|
;;
|
||||||
|
|
||||||
|
--static-libs)
|
||||||
|
- if test "X@ENABLE_STATIC@" != "Xno" ; then
|
||||||
|
- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
|
||||||
|
- else
|
||||||
|
- echo "curl was built with static libraries disabled" >&2
|
||||||
|
- exit 1
|
||||||
|
- fi
|
||||||
|
+ echo "curl was built with static libraries disabled" >&2
|
||||||
|
+ exit 1
|
||||||
|
;;
|
||||||
|
|
||||||
|
--configure)
|
||||||
|
- echo @CONFIGURE_OPTIONS@
|
||||||
|
+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
|
||||||
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
diff --git a/docs/curl-config.1 b/docs/curl-config.1
|
||||||
|
index 14a9d2b..ffcc004 100644
|
||||||
|
--- a/docs/curl-config.1
|
||||||
|
+++ b/docs/curl-config.1
|
||||||
|
@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
|
||||||
|
comma-separated. (Added in 7.58.0)
|
||||||
|
.IP "--static-libs"
|
||||||
|
Shows the complete set of libs and other linker options you will need in order
|
||||||
|
-to link your application with libcurl statically. (Added in 7.17.1)
|
||||||
|
+to link your application with libcurl statically. Note that Fedora/RHEL libcurl
|
||||||
|
+packages do not provide any static libraries, thus cannot be linked statically.
|
||||||
|
+(Added in 7.17.1)
|
||||||
|
.IP "--version"
|
||||||
|
Outputs version information about the installed libcurl.
|
||||||
|
.IP "--vernum"
|
||||||
|
diff --git a/libcurl.pc.in b/libcurl.pc.in
|
||||||
|
index 2ba9c39..f8f8b00 100644
|
||||||
|
--- a/libcurl.pc.in
|
||||||
|
+++ b/libcurl.pc.in
|
||||||
|
@@ -29,6 +29,7 @@ libdir=@libdir@
|
||||||
|
includedir=@includedir@
|
||||||
|
supported_protocols="@SUPPORT_PROTOCOLS@"
|
||||||
|
supported_features="@SUPPORT_FEATURES@"
|
||||||
|
+configure_options=@CONFIGURE_OPTIONS@
|
||||||
|
|
||||||
|
Name: libcurl
|
||||||
|
URL: https://curl.se/
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
61
SOURCES/0102-curl-7.36.0-debug.patch
Normal file
61
SOURCES/0102-curl-7.36.0-debug.patch
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Wed, 31 Oct 2012 11:38:30 +0100
|
||||||
|
Subject: [PATCH] prevent configure script from discarding -g in CFLAGS
|
||||||
|
(#496778)
|
||||||
|
|
||||||
|
---
|
||||||
|
m4/curl-compilers.m4 | 26 ++++++--------------------
|
||||||
|
1 file changed, 6 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
|
||||||
|
index c64db4bc6..d115a4aed 100644
|
||||||
|
--- a/m4/curl-compilers.m4
|
||||||
|
+++ b/m4/curl-compilers.m4
|
||||||
|
@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [
|
||||||
|
clangvhi=`echo $clangver | cut -d . -f1`
|
||||||
|
clangvlo=`echo $clangver | cut -d . -f2`
|
||||||
|
compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null`
|
||||||
|
- flags_dbg_all="-g -g0 -g1 -g2 -g3"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -ggdb"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gstabs"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gstabs+"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gcoff"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gxcoff"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gdwarf-2"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gvms"
|
||||||
|
+ flags_dbg_all=""
|
||||||
|
flags_dbg_yes="-g"
|
||||||
|
flags_dbg_off=""
|
||||||
|
- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4"
|
||||||
|
- flags_opt_yes="-Os"
|
||||||
|
+ flags_opt_all=""
|
||||||
|
+ flags_opt_yes=""
|
||||||
|
flags_opt_off="-O0"
|
||||||
|
else
|
||||||
|
AC_MSG_RESULT([no])
|
||||||
|
@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
|
||||||
|
gccvhi=`echo $gccver | cut -d . -f1`
|
||||||
|
gccvlo=`echo $gccver | cut -d . -f2`
|
||||||
|
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||||
|
- flags_dbg_all="-g -g0 -g1 -g2 -g3"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -ggdb"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gstabs"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gstabs+"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gcoff"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gxcoff"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gdwarf-2"
|
||||||
|
- flags_dbg_all="$flags_dbg_all -gvms"
|
||||||
|
+ flags_dbg_all=""
|
||||||
|
flags_dbg_yes="-g"
|
||||||
|
flags_dbg_off=""
|
||||||
|
- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
|
||||||
|
- flags_opt_yes="-O2"
|
||||||
|
+ flags_opt_all=""
|
||||||
|
+ flags_opt_yes=""
|
||||||
|
flags_opt_off="-O0"
|
||||||
|
CURL_CHECK_DEF([_WIN32], [], [silent])
|
||||||
|
else
|
||||||
|
--
|
||||||
|
1.7.1
|
||||||
|
|
39
SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch
Normal file
39
SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Mon, 4 Feb 2019 17:32:56 +0100
|
||||||
|
Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp
|
||||||
|
|
||||||
|
... to prevent valgrind from reporting false positives on x86_64:
|
||||||
|
|
||||||
|
Conditional jump or move depends on uninitialised value(s)
|
||||||
|
at 0x10BCAA: part2id (lib1560.c:489)
|
||||||
|
by 0x10BCAA: updateurl (lib1560.c:521)
|
||||||
|
by 0x10BCAA: set_parts (lib1560.c:630)
|
||||||
|
by 0x10BCAA: test (lib1560.c:802)
|
||||||
|
by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
|
||||||
|
|
||||||
|
Conditional jump or move depends on uninitialised value(s)
|
||||||
|
at 0x10BCC3: part2id (lib1560.c:491)
|
||||||
|
by 0x10BCC3: updateurl (lib1560.c:521)
|
||||||
|
by 0x10BCC3: set_parts (lib1560.c:630)
|
||||||
|
by 0x10BCC3: test (lib1560.c:802)
|
||||||
|
by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
|
||||||
|
---
|
||||||
|
tests/libtest/Makefile.inc | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
|
||||||
|
index 080421b..ea3b806 100644
|
||||||
|
--- a/tests/libtest/Makefile.inc
|
||||||
|
+++ b/tests/libtest/Makefile.inc
|
||||||
|
@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||||
|
lib1559_LDADD = $(TESTUTIL_LIBS)
|
||||||
|
|
||||||
|
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||||
|
+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
|
||||||
|
lib1560_LDADD = $(TESTUTIL_LIBS)
|
||||||
|
|
||||||
|
lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
1996
SPECS/curl.spec
Normal file
1996
SPECS/curl.spec
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user