import curl-7.61.1-18.el8
This commit is contained in:
		
							parent
							
								
									61739d7929
								
							
						
					
					
						commit
						ce421a6291
					
				
							
								
								
									
										33
									
								
								SOURCES/0020-curl-7.61.1-openssl-engines.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										33
									
								
								SOURCES/0020-curl-7.61.1-openssl-engines.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,33 @@ | ||||
| From 032843be4cefcb163d15573d15a228680e771106 Mon Sep 17 00:00:00 2001 | ||||
| From: Daniel Stenberg <daniel@haxx.se> | ||||
| Date: Mon, 24 Sep 2018 08:26:58 +0200 | ||||
| Subject: [PATCH] openssl: load built-in engines too | ||||
| 
 | ||||
| Regression since 38203f1 | ||||
| 
 | ||||
| Reported-by: Jean Fabrice | ||||
| Fixes #3023 | ||||
| Closes #3040 | ||||
| 
 | ||||
| Upstream-commit: e2dd435d473cdc97785df95d032276fafb4b7746 | ||||
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||
| ---
 | ||||
|  lib/vtls/openssl.c | 2 +- | ||||
|  1 file changed, 1 insertion(+), 1 deletion(-) | ||||
| 
 | ||||
| diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
 | ||||
| index 78970d1..d8bcc4f 100644
 | ||||
| --- a/lib/vtls/openssl.c
 | ||||
| +++ b/lib/vtls/openssl.c
 | ||||
| @@ -979,7 +979,7 @@ static int Curl_ossl_init(void)
 | ||||
|   | ||||
|    OPENSSL_load_builtin_modules(); | ||||
|   | ||||
| -#ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
 | ||||
| +#ifdef USE_OPENSSL_ENGINE
 | ||||
|    ENGINE_load_builtin_engines(); | ||||
|  #endif | ||||
|   | ||||
| -- 
 | ||||
| 2.25.4 | ||||
| 
 | ||||
							
								
								
									
										59
									
								
								SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										59
									
								
								SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,59 @@ | ||||
| From a6fcd8a32f3b1c5d80e524f8b2c1de32e6ecdb2b Mon Sep 17 00:00:00 2001 | ||||
| From: Daniel Stenberg <daniel@haxx.se> | ||||
| Date: Sun, 31 May 2020 23:09:59 +0200 | ||||
| Subject: [PATCH] tool_getparam: -i is not OK if -J is used | ||||
| 
 | ||||
| Reported-by: sn on hackerone | ||||
| Bug: https://curl.haxx.se/docs/CVE-2020-8177.html | ||||
| 
 | ||||
| Upstream-commit: 8236aba58542c5f89f1d41ca09d84579efb05e22 | ||||
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||
| ---
 | ||||
|  src/tool_cb_hdr.c   | 13 ++++--------- | ||||
|  src/tool_getparam.c |  5 +++++ | ||||
|  2 files changed, 9 insertions(+), 9 deletions(-) | ||||
| 
 | ||||
| diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
 | ||||
| index 3b10238..b80707f 100644
 | ||||
| --- a/src/tool_cb_hdr.c
 | ||||
| +++ b/src/tool_cb_hdr.c
 | ||||
| @@ -132,16 +132,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
 | ||||
|        filename = parse_filename(p, len); | ||||
|        if(filename) { | ||||
|          if(outs->stream) { | ||||
| -          /* already opened and possibly written to */
 | ||||
| -          if(outs->fopened)
 | ||||
| -            fclose(outs->stream);
 | ||||
| -          outs->stream = NULL;
 | ||||
| -
 | ||||
| -          /* rename the initial file name to the new file name */
 | ||||
| -          rename(outs->filename, filename);
 | ||||
| -          if(outs->alloc_filename)
 | ||||
| -            free(outs->filename);
 | ||||
| +          /* indication of problem, get out! */
 | ||||
| +          free(filename);
 | ||||
| +          return failure;
 | ||||
|          } | ||||
| +
 | ||||
|          outs->is_cd_filename = TRUE; | ||||
|          outs->s_isreg = TRUE; | ||||
|          outs->fopened = FALSE; | ||||
| diff --git a/src/tool_getparam.c b/src/tool_getparam.c
 | ||||
| index 764caa2..c5c7429 100644
 | ||||
| --- a/src/tool_getparam.c
 | ||||
| +++ b/src/tool_getparam.c
 | ||||
| @@ -1745,6 +1745,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
 | ||||
|        } | ||||
|        break; | ||||
|      case 'i': | ||||
| +      if(config->content_disposition) {
 | ||||
| +        warnf(global,
 | ||||
| +              "--include and --remote-header-name cannot be combined.\n");
 | ||||
| +        return PARAM_BAD_USE;
 | ||||
| +      }
 | ||||
|        config->show_headers = toggle; /* show the headers as well in the | ||||
|                                          general output stream */ | ||||
|        break; | ||||
| -- 
 | ||||
| 2.21.3 | ||||
| 
 | ||||
							
								
								
									
										143
									
								
								SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										143
									
								
								SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,143 @@ | ||||
| From 7a26092a9e21f1e0dc3cad69a580a7e2c7822ad0 Mon Sep 17 00:00:00 2001 | ||||
| From: Daniel Stenberg <daniel@haxx.se> | ||||
| Date: Sun, 16 Aug 2020 11:34:35 +0200 | ||||
| Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer | ||||
| 
 | ||||
| CVE-2020-8231 | ||||
| 
 | ||||
| Bug: https://curl.haxx.se/docs/CVE-2020-8231.html | ||||
| 
 | ||||
| Reported-by: Marc Aldorasi | ||||
| Closes #5824 | ||||
| 
 | ||||
| Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22 | ||||
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||
| ---
 | ||||
|  lib/connect.c | 19 ++++++++++--------- | ||||
|  lib/easy.c    |  3 +-- | ||||
|  lib/multi.c   |  5 +++-- | ||||
|  lib/url.c     |  2 +- | ||||
|  lib/urldata.h |  2 +- | ||||
|  5 files changed, 16 insertions(+), 15 deletions(-) | ||||
| 
 | ||||
| diff --git a/lib/connect.c b/lib/connect.c
 | ||||
| index 41f2202..f724646 100644
 | ||||
| --- a/lib/connect.c
 | ||||
| +++ b/lib/connect.c
 | ||||
| @@ -1214,15 +1214,15 @@ CURLcode Curl_connecthost(struct connectdata *conn,  /* context */
 | ||||
|  } | ||||
|   | ||||
|  struct connfind { | ||||
| -  struct connectdata *tofind;
 | ||||
| -  bool found;
 | ||||
| +  long id_tofind;
 | ||||
| +  struct connectdata *found;
 | ||||
|  }; | ||||
|   | ||||
|  static int conn_is_conn(struct connectdata *conn, void *param) | ||||
|  { | ||||
|    struct connfind *f = (struct connfind *)param; | ||||
| -  if(conn == f->tofind) {
 | ||||
| -    f->found = TRUE;
 | ||||
| +  if(conn->connection_id == f->id_tofind) {
 | ||||
| +    f->found = conn;
 | ||||
|      return 1; | ||||
|    } | ||||
|    return 0; | ||||
| @@ -1244,21 +1244,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
 | ||||
|     * - that is associated with a multi handle, and whose connection | ||||
|     *   was detached with CURLOPT_CONNECT_ONLY | ||||
|     */ | ||||
| -  if(data->state.lastconnect && (data->multi_easy || data->multi)) {
 | ||||
| -    struct connectdata *c = data->state.lastconnect;
 | ||||
| +  if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
 | ||||
| +    struct connectdata *c;
 | ||||
|      struct connfind find; | ||||
| -    find.tofind = data->state.lastconnect;
 | ||||
| -    find.found = FALSE;
 | ||||
| +    find.id_tofind = data->state.lastconnect_id;
 | ||||
| +    find.found = NULL;
 | ||||
|   | ||||
|      Curl_conncache_foreach(data, data->multi_easy? | ||||
|                             &data->multi_easy->conn_cache: | ||||
|                             &data->multi->conn_cache, &find, conn_is_conn); | ||||
|   | ||||
|      if(!find.found) { | ||||
| -      data->state.lastconnect = NULL;
 | ||||
| +      data->state.lastconnect_id = -1;
 | ||||
|        return CURL_SOCKET_BAD; | ||||
|      } | ||||
|   | ||||
| +    c = find.found;
 | ||||
|      if(connp) { | ||||
|        /* only store this if the caller cares for it */ | ||||
|        *connp = c; | ||||
| diff --git a/lib/easy.c b/lib/easy.c
 | ||||
| index 027d0be..fe61cdd 100644
 | ||||
| --- a/lib/easy.c
 | ||||
| +++ b/lib/easy.c
 | ||||
| @@ -919,8 +919,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
 | ||||
|   | ||||
|    /* the connection cache is setup on demand */ | ||||
|    outcurl->state.conn_cache = NULL; | ||||
| -
 | ||||
| -  outcurl->state.lastconnect = NULL;
 | ||||
| +  outcurl->state.lastconnect_id = -1;
 | ||||
|   | ||||
|    outcurl->progress.flags    = data->progress.flags; | ||||
|    outcurl->progress.callback = data->progress.callback; | ||||
| diff --git a/lib/multi.c b/lib/multi.c
 | ||||
| index 0caf943..0f57fd5 100644
 | ||||
| --- a/lib/multi.c
 | ||||
| +++ b/lib/multi.c
 | ||||
| @@ -427,6 +427,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
 | ||||
|      data->state.conn_cache = &data->share->conn_cache; | ||||
|    else | ||||
|      data->state.conn_cache = &multi->conn_cache; | ||||
| +  data->state.lastconnect_id = -1;
 | ||||
|   | ||||
|  #ifdef USE_LIBPSL | ||||
|    /* Do the same for PSL. */ | ||||
| @@ -644,11 +645,11 @@ static CURLcode multi_done(struct connectdata **connp,
 | ||||
|      /* the connection is no longer in use by this transfer */ | ||||
|      if(Curl_conncache_return_conn(conn)) { | ||||
|        /* remember the most recently used connection */ | ||||
| -      data->state.lastconnect = conn;
 | ||||
| +      data->state.lastconnect_id = conn->connection_id;
 | ||||
|        infof(data, "%s\n", buffer); | ||||
|      } | ||||
|      else | ||||
| -      data->state.lastconnect = NULL;
 | ||||
| +      data->state.lastconnect_id = -1;
 | ||||
|    } | ||||
|   | ||||
|    *connp = NULL; /* to make the caller of this function better detect that | ||||
| diff --git a/lib/url.c b/lib/url.c
 | ||||
| index dcc6cc8..d65d17d 100644
 | ||||
| --- a/lib/url.c
 | ||||
| +++ b/lib/url.c
 | ||||
| @@ -592,7 +592,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
 | ||||
|        Curl_initinfo(data); | ||||
|   | ||||
|        /* most recent connection is not yet defined */ | ||||
| -      data->state.lastconnect = NULL;
 | ||||
| +      data->state.lastconnect_id = -1;
 | ||||
|   | ||||
|        data->progress.flags |= PGRS_HIDE; | ||||
|        data->state.current_speed = -1; /* init to negative == impossible */ | ||||
| diff --git a/lib/urldata.h b/lib/urldata.h
 | ||||
| index 67db3b2..4b70cc5 100644
 | ||||
| --- a/lib/urldata.h
 | ||||
| +++ b/lib/urldata.h
 | ||||
| @@ -1219,7 +1219,7 @@ struct UrlState {
 | ||||
|    /* buffers to store authentication data in, as parsed from input options */ | ||||
|    struct curltime keeps_speed; /* for the progress meter really */ | ||||
|   | ||||
| -  struct connectdata *lastconnect; /* The last connection, NULL if undefined */
 | ||||
| +  long lastconnect_id; /* The last connection, -1 if undefined */
 | ||||
|   | ||||
|    char *headerbuff; /* allocated buffer to store headers in */ | ||||
|    size_t headersize;   /* size of the allocation */ | ||||
| -- 
 | ||||
| 2.25.4 | ||||
| 
 | ||||
							
								
								
									
										60
									
								
								SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										60
									
								
								SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,60 @@ | ||||
| From 9d5903ebcbcbcc4f3a997ec7d5552721c5383b9f Mon Sep 17 00:00:00 2001 | ||||
| From: =?UTF-8?q?Martin=20Ba=C5=A1ti?= <mbasti@redhat.com> | ||||
| Date: Thu, 27 Aug 2020 23:09:56 +0200 | ||||
| Subject: [PATCH] http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set | ||||
| 
 | ||||
| ... in case NO_PROXY takes an effect | ||||
| 
 | ||||
| Without this patch, the following command crashes: | ||||
| 
 | ||||
|     $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \ | ||||
|         git clone https://github.com/curl/curl.git | ||||
| 
 | ||||
| Minimal libcurl-based reproducer: | ||||
| 
 | ||||
|     #include <curl/curl.h> | ||||
| 
 | ||||
|     int main() { | ||||
|       CURL *curl = curl_easy_init(); | ||||
|       if(curl) { | ||||
|         CURLcode ret; | ||||
|         curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/"); | ||||
|         curl_easy_setopt(curl, CURLOPT_PROXY, "example.com"); | ||||
|         /* set the proxy type */ | ||||
|         curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS); | ||||
|         curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com"); | ||||
|         curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); | ||||
|         ret = curl_easy_perform(curl); | ||||
|         curl_easy_cleanup(curl); | ||||
|         return ret; | ||||
|       } | ||||
|       return -1; | ||||
|     } | ||||
| 
 | ||||
| Assisted-by: Kamil Dudka | ||||
| Bug: https://bugzilla.redhat.com/1873327 | ||||
| Closes #5902 | ||||
| 
 | ||||
| Upstream-commit: 3eff1c5092e542819ac7e6454a70c94b36ab2a40 | ||||
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||
| ---
 | ||||
|  lib/url.c | 3 +++ | ||||
|  1 file changed, 3 insertions(+) | ||||
| 
 | ||||
| diff --git a/lib/url.c b/lib/url.c
 | ||||
| index d65d17d..e77f391 100644
 | ||||
| --- a/lib/url.c
 | ||||
| +++ b/lib/url.c
 | ||||
| @@ -3074,6 +3074,9 @@ static CURLcode create_conn_helper_init_proxy(struct connectdata *conn)
 | ||||
|      conn->bits.socksproxy = FALSE; | ||||
|      conn->bits.proxy_user_passwd = FALSE; | ||||
|      conn->bits.tunnel_proxy = FALSE; | ||||
| +    /* CURLPROXY_HTTPS does not have its own flag in conn->bits, yet we need
 | ||||
| +       to signal that CURLPROXY_HTTPS is not used for this connection */
 | ||||
| +    conn->http_proxy.proxytype = CURLPROXY_HTTP;
 | ||||
|    } | ||||
|   | ||||
|  out: | ||||
| -- 
 | ||||
| 2.25.4 | ||||
| 
 | ||||
							
								
								
									
										291
									
								
								SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										291
									
								
								SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,291 @@ | ||||
| From 673adb0a7a21ca3a877ee03dc9e197d5be15a9d3 Mon Sep 17 00:00:00 2001 | ||||
| From: Daniel Stenberg <daniel@haxx.se> | ||||
| Date: Mon, 2 Dec 2019 10:45:55 +0100 | ||||
| Subject: [PATCH 1/3] openssl: set X509_V_FLAG_PARTIAL_CHAIN | ||||
| 
 | ||||
| Have intermediate certificates in the trust store be treated as | ||||
| trust-anchors, in the same way as self-signed root CA certificates | ||||
| are. This allows users to verify servers using the intermediate cert | ||||
| only, instead of needing the whole chain. | ||||
| 
 | ||||
| Other TLS backends already accept partial chains. | ||||
| 
 | ||||
| Reported-by: Jeffrey Walton | ||||
| Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html | ||||
| 
 | ||||
| Upstream-commit: 94f1f771586913addf5c68f9219e176036c50115 | ||||
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||
| ---
 | ||||
|  lib/vtls/openssl.c | 26 +++++++++++++++++--------- | ||||
|  1 file changed, 17 insertions(+), 9 deletions(-) | ||||
| 
 | ||||
| diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
 | ||||
| index d8bcc4f..8e791b9 100644
 | ||||
| --- a/lib/vtls/openssl.c
 | ||||
| +++ b/lib/vtls/openssl.c
 | ||||
| @@ -2551,19 +2551,27 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
 | ||||
|      infof(data, "  CRLfile: %s\n", ssl_crlfile); | ||||
|    } | ||||
|   | ||||
| -  /* Try building a chain using issuers in the trusted store first to avoid
 | ||||
| -  problems with server-sent legacy intermediates.
 | ||||
| -  Newer versions of OpenSSL do alternate chain checking by default which
 | ||||
| -  gives us the same fix without as much of a performance hit (slight), so we
 | ||||
| -  prefer that if available.
 | ||||
| -  https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
 | ||||
| -  */
 | ||||
| -#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
 | ||||
|    if(verifypeer) { | ||||
| +    /* Try building a chain using issuers in the trusted store first to avoid
 | ||||
| +       problems with server-sent legacy intermediates.  Newer versions of
 | ||||
| +       OpenSSL do alternate chain checking by default which gives us the same
 | ||||
| +       fix without as much of a performance hit (slight), so we prefer that if
 | ||||
| +       available.
 | ||||
| +       https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
 | ||||
| +    */
 | ||||
| +#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
 | ||||
|      X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx), | ||||
|                           X509_V_FLAG_TRUSTED_FIRST); | ||||
| -  }
 | ||||
|  #endif | ||||
| +#ifdef X509_V_FLAG_PARTIAL_CHAIN
 | ||||
| +    /* Have intermediate certificates in the trust store be treated as
 | ||||
| +       trust-anchors, in the same way as self-signed root CA certificates
 | ||||
| +       are. This allows users to verify servers using the intermediate cert
 | ||||
| +       only, instead of needing the whole chain. */
 | ||||
| +    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
 | ||||
| +                         X509_V_FLAG_PARTIAL_CHAIN);
 | ||||
| +#endif
 | ||||
| +  }
 | ||||
|   | ||||
|    /* SSL always tries to verify the peer, this only says whether it should | ||||
|     * fail to connect if the verification fails, or if it should continue | ||||
| -- 
 | ||||
| 2.26.2 | ||||
| 
 | ||||
| 
 | ||||
| From b2e6e39b60e1722aecf250ff79a69867df5d3aa8 Mon Sep 17 00:00:00 2001 | ||||
| From: Daniel Stenberg <daniel@haxx.se> | ||||
| Date: Mon, 2 Dec 2019 10:55:33 +0100 | ||||
| Subject: [PATCH 2/3] openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial | ||||
|  cert chains | ||||
| 
 | ||||
| Closes #4655 | ||||
| 
 | ||||
| Upstream-commit: 564d88a8bd190a21b362d6da535fccf74d33394d | ||||
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||
| ---
 | ||||
|  docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 | 40 +++++++++++++------------ | ||||
|  docs/libcurl/symbols-in-versions        |  1 + | ||||
|  include/curl/curl.h                     |  4 +++ | ||||
|  lib/setopt.c                            |  1 + | ||||
|  lib/urldata.h                           |  1 + | ||||
|  lib/vtls/openssl.c                      | 14 +++++---- | ||||
|  6 files changed, 36 insertions(+), 25 deletions(-) | ||||
| 
 | ||||
| diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
 | ||||
| index d781434..6286a64 100644
 | ||||
| --- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
 | ||||
| +++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
 | ||||
| @@ -29,25 +29,27 @@ CURLOPT_SSL_OPTIONS \- set SSL behavior options
 | ||||
|   | ||||
|  CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask); | ||||
|  .SH DESCRIPTION | ||||
| -Pass a long with a bitmask to tell libcurl about specific SSL behaviors.
 | ||||
| -
 | ||||
| -\fICURLSSLOPT_ALLOW_BEAST\fP tells libcurl to not attempt to use any
 | ||||
| -workarounds for a security flaw in the SSL3 and TLS1.0 protocols.  If this
 | ||||
| -option isn't used or this bit is set to 0, the SSL layer libcurl uses may use a
 | ||||
| -work-around for this flaw although it might cause interoperability problems
 | ||||
| -with some (older) SSL implementations. WARNING: avoiding this work-around
 | ||||
| -lessens the security, and by setting this option to 1 you ask for exactly that.
 | ||||
| -This option is only supported for DarwinSSL, NSS and OpenSSL.
 | ||||
| -
 | ||||
| -Added in 7.44.0:
 | ||||
| -
 | ||||
| -\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation
 | ||||
| -checks for those SSL backends where such behavior is present. \fBCurrently this
 | ||||
| -option is only supported for WinSSL (the native Windows SSL library), with an
 | ||||
| -exception in the case of Windows' Untrusted Publishers blacklist which it seems
 | ||||
| -can't be bypassed.\fP This option may have broader support to accommodate other
 | ||||
| -SSL backends in the future.
 | ||||
| -https://curl.haxx.se/docs/ssl-compared.html
 | ||||
| +Pass a long with a bitmask to tell libcurl about specific SSL
 | ||||
| +behaviors. Available bits:
 | ||||
| +.IP CURLSSLOPT_ALLOW_BEAST
 | ||||
| +Tells libcurl to not attempt to use any workarounds for a security flaw in the
 | ||||
| +SSL3 and TLS1.0 protocols.  If this option isn't used or this bit is set to 0,
 | ||||
| +the SSL layer libcurl uses may use a work-around for this flaw although it
 | ||||
| +might cause interoperability problems with some (older) SSL
 | ||||
| +implementations. WARNING: avoiding this work-around lessens the security, and
 | ||||
| +by setting this option to 1 you ask for exactly that.  This option is only
 | ||||
| +supported for DarwinSSL, NSS and OpenSSL.
 | ||||
| +.IP CURLSSLOPT_NO_REVOKE
 | ||||
| +Tells libcurl to disable certificate revocation checks for those SSL backends
 | ||||
| +where such behavior is present. This option is only supported for Schannel
 | ||||
| +(the native Windows SSL library), with an exception in the case of Windows'
 | ||||
| +Untrusted Publishers blacklist which it seems can't be bypassed. (Added in
 | ||||
| +7.44.0)
 | ||||
| +.IP CURLSSLOPT_NO_PARTIALCHAIN
 | ||||
| +Tells libcurl to not accept "partial" certificate chains, which it otherwise
 | ||||
| +does by default. This option is only supported for OpenSSL and will fail the
 | ||||
| +certificate verification if the chain ends with an intermediate certificate
 | ||||
| +and not with a root cert. (Added in 7.68.0)
 | ||||
|  .SH DEFAULT | ||||
|  0 | ||||
|  .SH PROTOCOLS | ||||
| diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
 | ||||
| index 3b3861f..54923d0 100644
 | ||||
| --- a/docs/libcurl/symbols-in-versions
 | ||||
| +++ b/docs/libcurl/symbols-in-versions
 | ||||
| @@ -713,6 +713,7 @@ CURLSSLBACKEND_QSOSSL           7.34.0        -           7.38.1
 | ||||
|  CURLSSLBACKEND_SCHANNEL         7.34.0 | ||||
|  CURLSSLBACKEND_WOLFSSL          7.49.0 | ||||
|  CURLSSLOPT_ALLOW_BEAST          7.25.0 | ||||
| +CURLSSLOPT_NO_PARTIALCHAIN      7.68.0
 | ||||
|  CURLSSLOPT_NO_REVOKE            7.44.0 | ||||
|  CURLSSLSET_NO_BACKENDS          7.56.0 | ||||
|  CURLSSLSET_OK                   7.56.0 | ||||
| diff --git a/include/curl/curl.h b/include/curl/curl.h
 | ||||
| index 8f473e2..75f9384 100644
 | ||||
| --- a/include/curl/curl.h
 | ||||
| +++ b/include/curl/curl.h
 | ||||
| @@ -795,6 +795,10 @@ typedef enum {
 | ||||
|     SSL backends where such behavior is present. */ | ||||
|  #define CURLSSLOPT_NO_REVOKE (1<<1) | ||||
|   | ||||
| +/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain
 | ||||
| +   if possible. The OpenSSL backend has this ability. */
 | ||||
| +#define CURLSSLOPT_NO_PARTIALCHAIN (1<<2)
 | ||||
| +
 | ||||
|  /* The default connection attempt delay in milliseconds for happy eyeballs. | ||||
|     CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document | ||||
|     this value, keep them in sync. */ | ||||
| diff --git a/lib/setopt.c b/lib/setopt.c
 | ||||
| index 5c5f4b3..4f04962 100644
 | ||||
| --- a/lib/setopt.c
 | ||||
| +++ b/lib/setopt.c
 | ||||
| @@ -2046,6 +2046,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
 | ||||
|      arg = va_arg(param, long); | ||||
|      data->set.ssl.enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE; | ||||
|      data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); | ||||
| +    data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
 | ||||
|      break; | ||||
|   | ||||
|    case CURLOPT_PROXY_SSL_OPTIONS: | ||||
| diff --git a/lib/urldata.h b/lib/urldata.h
 | ||||
| index 4b70cc5..c70290a 100644
 | ||||
| --- a/lib/urldata.h
 | ||||
| +++ b/lib/urldata.h
 | ||||
| @@ -235,6 +235,7 @@ struct ssl_config_data {
 | ||||
|    bool enable_beast; /* especially allow this flaw for interoperability's | ||||
|                          sake*/ | ||||
|    bool no_revoke;    /* disable SSL certificate revocation checks */ | ||||
| +  bool no_partialchain;  /* don't accept partial certificate chains */
 | ||||
|    long certverifyresult; /* result from the certificate verification */ | ||||
|    char *CRLfile;   /* CRL to check certificate revocation */ | ||||
|    char *issuercert;/* optional issuer certificate filename */ | ||||
| diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
 | ||||
| index 8e791b9..87f6c4c 100644
 | ||||
| --- a/lib/vtls/openssl.c
 | ||||
| +++ b/lib/vtls/openssl.c
 | ||||
| @@ -2564,12 +2564,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
 | ||||
|                           X509_V_FLAG_TRUSTED_FIRST); | ||||
|  #endif | ||||
|  #ifdef X509_V_FLAG_PARTIAL_CHAIN | ||||
| -    /* Have intermediate certificates in the trust store be treated as
 | ||||
| -       trust-anchors, in the same way as self-signed root CA certificates
 | ||||
| -       are. This allows users to verify servers using the intermediate cert
 | ||||
| -       only, instead of needing the whole chain. */
 | ||||
| -    X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
 | ||||
| -                         X509_V_FLAG_PARTIAL_CHAIN);
 | ||||
| +    if(!SSL_SET_OPTION(no_partialchain)) {
 | ||||
| +      /* Have intermediate certificates in the trust store be treated as
 | ||||
| +         trust-anchors, in the same way as self-signed root CA certificates
 | ||||
| +         are. This allows users to verify servers using the intermediate cert
 | ||||
| +         only, instead of needing the whole chain. */
 | ||||
| +      X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
 | ||||
| +                           X509_V_FLAG_PARTIAL_CHAIN);
 | ||||
| +    }
 | ||||
|  #endif | ||||
|    } | ||||
|   | ||||
| -- 
 | ||||
| 2.26.2 | ||||
| 
 | ||||
| 
 | ||||
| From d149ba12f302e5275b408d82ffb349eac16b9226 Mon Sep 17 00:00:00 2001 | ||||
| From: Daniel Stenberg <daniel@haxx.se> | ||||
| Date: Mon, 11 May 2020 23:00:31 +0200 | ||||
| Subject: [PATCH 3/3] OpenSSL: have CURLOPT_CRLFILE imply | ||||
|  CURLSSLOPT_NO_PARTIALCHAIN | ||||
| 
 | ||||
| ... to avoid an OpenSSL bug that otherwise makes the CRL check to fail. | ||||
| 
 | ||||
| Reported-by: Michael Kaufmann | ||||
| Fixes #5374 | ||||
| Closes #5376 | ||||
| 
 | ||||
| Upstream-commit: 81a54b12c631e8126e3eb484c74040b991e78f0c | ||||
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||
| ---
 | ||||
|  docs/libcurl/opts/CURLOPT_CRLFILE.3 | 13 ++++++++----- | ||||
|  lib/vtls/openssl.c                  |  8 ++++++-- | ||||
|  2 files changed, 14 insertions(+), 7 deletions(-) | ||||
| 
 | ||||
| diff --git a/docs/libcurl/opts/CURLOPT_CRLFILE.3 b/docs/libcurl/opts/CURLOPT_CRLFILE.3
 | ||||
| index 080caa7..f111585 100644
 | ||||
| --- a/docs/libcurl/opts/CURLOPT_CRLFILE.3
 | ||||
| +++ b/docs/libcurl/opts/CURLOPT_CRLFILE.3
 | ||||
| @@ -5,7 +5,7 @@
 | ||||
|  .\" *                            | (__| |_| |  _ <| |___ | ||||
|  .\" *                             \___|\___/|_| \_\_____| | ||||
|  .\" * | ||||
| -.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
 | ||||
| +.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
 | ||||
|  .\" * | ||||
|  .\" * This software is licensed as described in the file COPYING, which | ||||
|  .\" * you should have received as part of this distribution. The terms | ||||
| @@ -34,10 +34,13 @@ concatenation of CRL (in PEM format) to use in the certificate validation that
 | ||||
|  occurs during the SSL exchange. | ||||
|   | ||||
|  When curl is built to use NSS or GnuTLS, there is no way to influence the use | ||||
| -of CRL passed to help in the verification process. When libcurl is built with
 | ||||
| -OpenSSL support, X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL are both
 | ||||
| -set, requiring CRL check against all the elements of the certificate chain if
 | ||||
| -a CRL file is passed.
 | ||||
| +of CRL passed to help in the verification process.
 | ||||
| +
 | ||||
| +When libcurl is built with OpenSSL support, X509_V_FLAG_CRL_CHECK and
 | ||||
| +X509_V_FLAG_CRL_CHECK_ALL are both set, requiring CRL check against all the
 | ||||
| +elements of the certificate chain if a CRL file is passed. Also note that
 | ||||
| +\fICURLOPT_CRLFILE(3)\fP will imply \fBCURLSSLOPT_NO_PARTIALCHAIN\fP (see
 | ||||
| +\fICURLOPT_SSL_OPTIONS(3)\fP) since curl 7.71.0 due to an OpenSSL bug.
 | ||||
|   | ||||
|  This option makes sense only when used in combination with the | ||||
|  \fICURLOPT_SSL_VERIFYPEER(3)\fP option. | ||||
| diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
 | ||||
| index 87f6c4c..9476773 100644
 | ||||
| --- a/lib/vtls/openssl.c
 | ||||
| +++ b/lib/vtls/openssl.c
 | ||||
| @@ -2564,11 +2564,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
 | ||||
|                           X509_V_FLAG_TRUSTED_FIRST); | ||||
|  #endif | ||||
|  #ifdef X509_V_FLAG_PARTIAL_CHAIN | ||||
| -    if(!SSL_SET_OPTION(no_partialchain)) {
 | ||||
| +    if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) {
 | ||||
|        /* Have intermediate certificates in the trust store be treated as | ||||
|           trust-anchors, in the same way as self-signed root CA certificates | ||||
|           are. This allows users to verify servers using the intermediate cert | ||||
| -         only, instead of needing the whole chain. */
 | ||||
| +         only, instead of needing the whole chain.
 | ||||
| +
 | ||||
| +         Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we
 | ||||
| +         cannot do partial chains with CRL check.
 | ||||
| +      */
 | ||||
|        X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx), | ||||
|                             X509_V_FLAG_PARTIAL_CHAIN); | ||||
|      } | ||||
| -- 
 | ||||
| 2.26.2 | ||||
| 
 | ||||
							
								
								
									
										208
									
								
								SOURCES/0025-curl-7.61.1-CVE-2020-8284.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										208
									
								
								SOURCES/0025-curl-7.61.1-CVE-2020-8284.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,208 @@ | ||||
| From 2629f42d4cfdd04df0544007b03161e3d5d52d54 Mon Sep 17 00:00:00 2001 | ||||
| From: Daniel Stenberg <daniel@haxx.se> | ||||
| Date: Tue, 24 Nov 2020 14:56:57 +0100 | ||||
| Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default | ||||
| 
 | ||||
| The command line tool also independently sets --ftp-skip-pasv-ip by | ||||
| default. | ||||
| 
 | ||||
| Ten test cases updated to adapt the modified --libcurl output. | ||||
| 
 | ||||
| Bug: https://curl.se/docs/CVE-2020-8284.html | ||||
| CVE-2020-8284 | ||||
| 
 | ||||
| Reported-by: Varnavas Papaioannou | ||||
| 
 | ||||
| Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46 | ||||
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||
| ---
 | ||||
|  docs/cmdline-opts/ftp-skip-pasv-ip.d         | 2 ++ | ||||
|  docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++--- | ||||
|  lib/url.c                                    | 1 + | ||||
|  src/tool_cfgable.c                           | 1 + | ||||
|  tests/data/test1400                          | 1 + | ||||
|  tests/data/test1401                          | 1 + | ||||
|  tests/data/test1402                          | 1 + | ||||
|  tests/data/test1403                          | 1 + | ||||
|  tests/data/test1404                          | 1 + | ||||
|  tests/data/test1405                          | 1 + | ||||
|  tests/data/test1406                          | 1 + | ||||
|  tests/data/test1407                          | 1 + | ||||
|  tests/data/test1420                          | 1 + | ||||
|  13 files changed, 18 insertions(+), 3 deletions(-) | ||||
| 
 | ||||
| diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
 | ||||
| index da6ab11..4be8b43 100644
 | ||||
| --- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
 | ||||
| +++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
 | ||||
| @@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
 | ||||
|  will re-use the same IP address it already uses for the control | ||||
|  connection. | ||||
|   | ||||
| +Since curl 7.74.0 this option is enabled by default.
 | ||||
| +
 | ||||
|  This option has no effect if PORT, EPRT or EPSV is used instead of PASV. | ||||
| diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
 | ||||
| index 4d3026a..4227ed6 100644
 | ||||
| --- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
 | ||||
| +++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
 | ||||
| @@ -5,7 +5,7 @@
 | ||||
|  .\" *                            | (__| |_| |  _ <| |___ | ||||
|  .\" *                             \___|\___/|_| \_\_____| | ||||
|  .\" * | ||||
| -.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
 | ||||
| +.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
 | ||||
|  .\" * | ||||
|  .\" * This software is licensed as described in the file COPYING, which | ||||
|  .\" * you should have received as part of this distribution. The terms | ||||
| @@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port
 | ||||
|  number from the 227-response. | ||||
|   | ||||
|  This option thus allows libcurl to work around broken server installations | ||||
| -that due to NATs, firewalls or incompetence report the wrong IP address back.
 | ||||
| +that due to NATs, firewalls or incompetence report the wrong IP address
 | ||||
| +back. Setting the option also reduces the risk for various sorts of client
 | ||||
| +abuse by malicious servers.
 | ||||
|   | ||||
|  This option has no effect if PORT, EPRT or EPSV is used instead of PASV. | ||||
|  .SH DEFAULT | ||||
| -0
 | ||||
| +1 since 7.74.0, was 0 before then.
 | ||||
|  .SH PROTOCOLS | ||||
|  FTP | ||||
|  .SH EXAMPLE | ||||
| diff --git a/lib/url.c b/lib/url.c
 | ||||
| index e77f391..b18db25 100644
 | ||||
| --- a/lib/url.c
 | ||||
| +++ b/lib/url.c
 | ||||
| @@ -434,6 +434,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
 | ||||
|    set->ftp_use_eprt = TRUE;   /* FTP defaults to EPRT operations */ | ||||
|    set->ftp_use_pret = FALSE;  /* mainly useful for drftpd servers */ | ||||
|    set->ftp_filemethod = FTPFILE_MULTICWD; | ||||
| +  set->ftp_skip_ip = TRUE;    /* skip PASV IP by default */
 | ||||
|   | ||||
|    set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */ | ||||
|   | ||||
| diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
 | ||||
| index 81e16c1..110191e 100644
 | ||||
| --- a/src/tool_cfgable.c
 | ||||
| +++ b/src/tool_cfgable.c
 | ||||
| @@ -43,6 +43,7 @@ void config_init(struct OperationConfig* config)
 | ||||
|    config->proto_default = NULL; | ||||
|    config->tcp_nodelay = TRUE; /* enabled by default */ | ||||
|    config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT; | ||||
| +  config->ftp_skip_ip = TRUE;
 | ||||
|  } | ||||
|   | ||||
|  static void free_config_fields(struct OperationConfig *config) | ||||
| diff --git a/tests/data/test1400 b/tests/data/test1400
 | ||||
| index 10faef3..9d18a30 100644
 | ||||
| --- a/tests/data/test1400
 | ||||
| +++ b/tests/data/test1400
 | ||||
| @@ -73,6 +73,7 @@ int main(int argc, char *argv[])
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); | ||||
|    curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); | ||||
|    curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); | ||||
| +  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); | ||||
|   | ||||
|    /* Here is a list of options the curl code used that cannot get generated | ||||
| diff --git a/tests/data/test1401 b/tests/data/test1401
 | ||||
| index f330931..99cb0cb 100644
 | ||||
| --- a/tests/data/test1401
 | ||||
| +++ b/tests/data/test1401
 | ||||
| @@ -89,6 +89,7 @@ int main(int argc, char *argv[])
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); | ||||
|    curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip"); | ||||
|    curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); | ||||
| +  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); | ||||
|    curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE | | ||||
|                                             (long)CURLPROTO_FTP | | ||||
| diff --git a/tests/data/test1402 b/tests/data/test1402
 | ||||
| index 9a94283..ef55bd6 100644
 | ||||
| --- a/tests/data/test1402
 | ||||
| +++ b/tests/data/test1402
 | ||||
| @@ -80,6 +80,7 @@ int main(int argc, char *argv[])
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); | ||||
|    curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); | ||||
|    curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); | ||||
| +  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); | ||||
|   | ||||
|    /* Here is a list of options the curl code used that cannot get generated | ||||
| diff --git a/tests/data/test1403 b/tests/data/test1403
 | ||||
| index 79cdf49..78932c2 100644
 | ||||
| --- a/tests/data/test1403
 | ||||
| +++ b/tests/data/test1403
 | ||||
| @@ -75,6 +75,7 @@ int main(int argc, char *argv[])
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); | ||||
|    curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); | ||||
|    curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); | ||||
| +  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); | ||||
|   | ||||
|    /* Here is a list of options the curl code used that cannot get generated | ||||
| diff --git a/tests/data/test1404 b/tests/data/test1404
 | ||||
| index 9c6f2e7..8ea5e04 100644
 | ||||
| --- a/tests/data/test1404
 | ||||
| +++ b/tests/data/test1404
 | ||||
| @@ -144,6 +144,7 @@ int main(int argc, char *argv[])
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); | ||||
|    curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); | ||||
|    curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); | ||||
| +  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); | ||||
|   | ||||
|    /* Here is a list of options the curl code used that cannot get generated | ||||
| diff --git a/tests/data/test1405 b/tests/data/test1405
 | ||||
| index 73769ee..5a83b6e 100644
 | ||||
| --- a/tests/data/test1405
 | ||||
| +++ b/tests/data/test1405
 | ||||
| @@ -89,6 +89,7 @@ int main(int argc, char *argv[])
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2); | ||||
|    curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3); | ||||
|    curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); | ||||
| +  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); | ||||
|   | ||||
|    /* Here is a list of options the curl code used that cannot get generated | ||||
| diff --git a/tests/data/test1406 b/tests/data/test1406
 | ||||
| index 796dd22..c941e00 100644
 | ||||
| --- a/tests/data/test1406
 | ||||
| +++ b/tests/data/test1406
 | ||||
| @@ -80,6 +80,7 @@ int main(int argc, char *argv[])
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406"); | ||||
|    curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L); | ||||
|    curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); | ||||
| +  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); | ||||
|    curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com"); | ||||
|    curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1); | ||||
| diff --git a/tests/data/test1407 b/tests/data/test1407
 | ||||
| index 9800eee..ddba7b7 100644
 | ||||
| --- a/tests/data/test1407
 | ||||
| +++ b/tests/data/test1407
 | ||||
| @@ -62,6 +62,7 @@ int main(int argc, char *argv[])
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L); | ||||
|    curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); | ||||
|    curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); | ||||
| +  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); | ||||
|   | ||||
|    /* Here is a list of options the curl code used that cannot get generated | ||||
| diff --git a/tests/data/test1420 b/tests/data/test1420
 | ||||
| index a5e1c52..72fb353 100644
 | ||||
| --- a/tests/data/test1420
 | ||||
| +++ b/tests/data/test1420
 | ||||
| @@ -67,6 +67,7 @@ int main(int argc, char *argv[])
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;UID=1"); | ||||
|    curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); | ||||
|    curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); | ||||
| +  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
 | ||||
|    curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); | ||||
|   | ||||
|    /* Here is a list of options the curl code used that cannot get generated | ||||
| -- 
 | ||||
| 2.26.2 | ||||
| 
 | ||||
							
								
								
									
										258
									
								
								SOURCES/0026-curl-7.61.1-CVE-2020-8285.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										258
									
								
								SOURCES/0026-curl-7.61.1-CVE-2020-8285.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,258 @@ | ||||
| From 22b3d1cf0216f4369f01678c587da265c2e465af Mon Sep 17 00:00:00 2001 | ||||
| From: Daniel Stenberg <daniel@haxx.se> | ||||
| Date: Sat, 28 Nov 2020 00:27:21 +0100 | ||||
| Subject: [PATCH] ftp: make wc_statemach loop instead of recurse | ||||
| 
 | ||||
| CVE-2020-8285 | ||||
| 
 | ||||
| Fixes #6255 | ||||
| Bug: https://curl.se/docs/CVE-2020-8285.html | ||||
| Reported-by: xnynx on github | ||||
| 
 | ||||
| Upstream-commit: 69a358f2186e04cf44698b5100332cbf1ee7f01d | ||||
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||
| ---
 | ||||
|  lib/ftp.c | 204 +++++++++++++++++++++++++++--------------------------- | ||||
|  1 file changed, 103 insertions(+), 101 deletions(-) | ||||
| 
 | ||||
| diff --git a/lib/ftp.c b/lib/ftp.c
 | ||||
| index 7dbf080..482ab3a 100644
 | ||||
| --- a/lib/ftp.c
 | ||||
| +++ b/lib/ftp.c
 | ||||
| @@ -3786,130 +3786,132 @@ static CURLcode init_wc_data(struct connectdata *conn)
 | ||||
|    return result; | ||||
|  } | ||||
|   | ||||
| -/* This is called recursively */
 | ||||
|  static CURLcode wc_statemach(struct connectdata *conn) | ||||
|  { | ||||
|    struct WildcardData * const wildcard = &(conn->data->wildcard); | ||||
|    CURLcode result = CURLE_OK; | ||||
|   | ||||
| -  switch(wildcard->state) {
 | ||||
| -  case CURLWC_INIT:
 | ||||
| -    result = init_wc_data(conn);
 | ||||
| -    if(wildcard->state == CURLWC_CLEAN)
 | ||||
| -      /* only listing! */
 | ||||
| -      break;
 | ||||
| -    wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
 | ||||
| -    break;
 | ||||
| +  for(;;) {
 | ||||
| +    switch(wildcard->state) {
 | ||||
| +    case CURLWC_INIT:
 | ||||
| +      result = init_wc_data(conn);
 | ||||
| +      if(wildcard->state == CURLWC_CLEAN)
 | ||||
| +        /* only listing! */
 | ||||
| +        return result;
 | ||||
| +      wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
 | ||||
| +      return result;
 | ||||
|   | ||||
| -  case CURLWC_MATCHING: {
 | ||||
| -    /* In this state is LIST response successfully parsed, so lets restore
 | ||||
| -       previous WRITEFUNCTION callback and WRITEDATA pointer */
 | ||||
| -    struct ftp_wc *ftpwc = wildcard->protdata;
 | ||||
| -    conn->data->set.fwrite_func = ftpwc->backup.write_function;
 | ||||
| -    conn->data->set.out = ftpwc->backup.file_descriptor;
 | ||||
| -    ftpwc->backup.write_function = ZERO_NULL;
 | ||||
| -    ftpwc->backup.file_descriptor = NULL;
 | ||||
| -    wildcard->state = CURLWC_DOWNLOADING;
 | ||||
| -
 | ||||
| -    if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
 | ||||
| -      /* error found in LIST parsing */
 | ||||
| -      wildcard->state = CURLWC_CLEAN;
 | ||||
| -      return wc_statemach(conn);
 | ||||
| -    }
 | ||||
| -    if(wildcard->filelist.size == 0) {
 | ||||
| -      /* no corresponding file */
 | ||||
| -      wildcard->state = CURLWC_CLEAN;
 | ||||
| -      return CURLE_REMOTE_FILE_NOT_FOUND;
 | ||||
| +    case CURLWC_MATCHING: {
 | ||||
| +      /* In this state is LIST response successfully parsed, so lets restore
 | ||||
| +         previous WRITEFUNCTION callback and WRITEDATA pointer */
 | ||||
| +      struct ftp_wc *ftpwc = wildcard->protdata;
 | ||||
| +      conn->data->set.fwrite_func = ftpwc->backup.write_function;
 | ||||
| +      conn->data->set.out = ftpwc->backup.file_descriptor;
 | ||||
| +      ftpwc->backup.write_function = ZERO_NULL;
 | ||||
| +      ftpwc->backup.file_descriptor = NULL;
 | ||||
| +      wildcard->state = CURLWC_DOWNLOADING;
 | ||||
| +
 | ||||
| +      if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
 | ||||
| +        /* error found in LIST parsing */
 | ||||
| +        wildcard->state = CURLWC_CLEAN;
 | ||||
| +        continue;
 | ||||
| +      }
 | ||||
| +      if(wildcard->filelist.size == 0) {
 | ||||
| +        /* no corresponding file */
 | ||||
| +        wildcard->state = CURLWC_CLEAN;
 | ||||
| +        return CURLE_REMOTE_FILE_NOT_FOUND;
 | ||||
| +      }
 | ||||
| +      continue;
 | ||||
|      } | ||||
| -    return wc_statemach(conn);
 | ||||
| -  }
 | ||||
|   | ||||
| -  case CURLWC_DOWNLOADING: {
 | ||||
| -    /* filelist has at least one file, lets get first one */
 | ||||
| -    struct ftp_conn *ftpc = &conn->proto.ftpc;
 | ||||
| -    struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
 | ||||
| +    case CURLWC_DOWNLOADING: {
 | ||||
| +      /* filelist has at least one file, lets get first one */
 | ||||
| +      struct ftp_conn *ftpc = &conn->proto.ftpc;
 | ||||
| +      struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
 | ||||
|   | ||||
| -    char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
 | ||||
| -    if(!tmp_path)
 | ||||
| -      return CURLE_OUT_OF_MEMORY;
 | ||||
| +      char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
 | ||||
| +      if(!tmp_path)
 | ||||
| +        return CURLE_OUT_OF_MEMORY;
 | ||||
|   | ||||
| -    /* switch default "state.pathbuffer" and tmp_path, good to see
 | ||||
| -       ftp_parse_url_path function to understand this trick */
 | ||||
| -    Curl_safefree(conn->data->state.pathbuffer);
 | ||||
| -    conn->data->state.pathbuffer = tmp_path;
 | ||||
| -    conn->data->state.path = tmp_path;
 | ||||
| -
 | ||||
| -    infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
 | ||||
| -    if(conn->data->set.chunk_bgn) {
 | ||||
| -      long userresponse;
 | ||||
| -      Curl_set_in_callback(conn->data, true);
 | ||||
| -      userresponse = conn->data->set.chunk_bgn(
 | ||||
| -        finfo, wildcard->customptr, (int)wildcard->filelist.size);
 | ||||
| -      Curl_set_in_callback(conn->data, false);
 | ||||
| -      switch(userresponse) {
 | ||||
| -      case CURL_CHUNK_BGN_FUNC_SKIP:
 | ||||
| -        infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
 | ||||
| -              finfo->filename);
 | ||||
| -        wildcard->state = CURLWC_SKIP;
 | ||||
| -        return wc_statemach(conn);
 | ||||
| -      case CURL_CHUNK_BGN_FUNC_FAIL:
 | ||||
| -        return CURLE_CHUNK_FAILED;
 | ||||
| +      /* switch default "state.pathbuffer" and tmp_path, good to see
 | ||||
| +         ftp_parse_url_path function to understand this trick */
 | ||||
| +      Curl_safefree(conn->data->state.pathbuffer);
 | ||||
| +      conn->data->state.pathbuffer = tmp_path;
 | ||||
| +      conn->data->state.path = tmp_path;
 | ||||
| +
 | ||||
| +      infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
 | ||||
| +      if(conn->data->set.chunk_bgn) {
 | ||||
| +        long userresponse;
 | ||||
| +        Curl_set_in_callback(conn->data, true);
 | ||||
| +        userresponse = conn->data->set.chunk_bgn(
 | ||||
| +          finfo, wildcard->customptr, (int)wildcard->filelist.size);
 | ||||
| +        Curl_set_in_callback(conn->data, false);
 | ||||
| +        switch(userresponse) {
 | ||||
| +        case CURL_CHUNK_BGN_FUNC_SKIP:
 | ||||
| +          infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
 | ||||
| +                finfo->filename);
 | ||||
| +          wildcard->state = CURLWC_SKIP;
 | ||||
| +          continue;
 | ||||
| +        case CURL_CHUNK_BGN_FUNC_FAIL:
 | ||||
| +          return CURLE_CHUNK_FAILED;
 | ||||
| +        }
 | ||||
|        } | ||||
| -    }
 | ||||
|   | ||||
| -    if(finfo->filetype != CURLFILETYPE_FILE) {
 | ||||
| -      wildcard->state = CURLWC_SKIP;
 | ||||
| -      return wc_statemach(conn);
 | ||||
| -    }
 | ||||
| +      if(finfo->filetype != CURLFILETYPE_FILE) {
 | ||||
| +        wildcard->state = CURLWC_SKIP;
 | ||||
| +        continue;
 | ||||
| +      }
 | ||||
|   | ||||
| -    if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
 | ||||
| -      ftpc->known_filesize = finfo->size;
 | ||||
| +      if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
 | ||||
| +        ftpc->known_filesize = finfo->size;
 | ||||
|   | ||||
| -    result = ftp_parse_url_path(conn);
 | ||||
| -    if(result)
 | ||||
| -      return result;
 | ||||
| +      result = ftp_parse_url_path(conn);
 | ||||
| +      if(result)
 | ||||
| +        return result;
 | ||||
|   | ||||
| -    /* we don't need the Curl_fileinfo of first file anymore */
 | ||||
| -    Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
 | ||||
| +      /* we don't need the Curl_fileinfo of first file anymore */
 | ||||
| +      Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
 | ||||
|   | ||||
| -    if(wildcard->filelist.size == 0) { /* remains only one file to down. */
 | ||||
| -      wildcard->state = CURLWC_CLEAN;
 | ||||
| -      /* after that will be ftp_do called once again and no transfer
 | ||||
| -         will be done because of CURLWC_CLEAN state */
 | ||||
| -      return CURLE_OK;
 | ||||
| +      if(wildcard->filelist.size == 0) { /* remains only one file to down. */
 | ||||
| +        wildcard->state = CURLWC_CLEAN;
 | ||||
| +        /* after that will be ftp_do called once again and no transfer
 | ||||
| +           will be done because of CURLWC_CLEAN state */
 | ||||
| +        return CURLE_OK;
 | ||||
| +      }
 | ||||
| +      return result;
 | ||||
|      } | ||||
| -  } break;
 | ||||
|   | ||||
| -  case CURLWC_SKIP: {
 | ||||
| -    if(conn->data->set.chunk_end) {
 | ||||
| -      Curl_set_in_callback(conn->data, true);
 | ||||
| -      conn->data->set.chunk_end(conn->data->wildcard.customptr);
 | ||||
| -      Curl_set_in_callback(conn->data, false);
 | ||||
| +    case CURLWC_SKIP: {
 | ||||
| +      if(conn->data->set.chunk_end) {
 | ||||
| +        Curl_set_in_callback(conn->data, true);
 | ||||
| +        conn->data->set.chunk_end(conn->data->wildcard.customptr);
 | ||||
| +        Curl_set_in_callback(conn->data, false);
 | ||||
| +      }
 | ||||
| +      Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
 | ||||
| +      wildcard->state = (wildcard->filelist.size == 0) ?
 | ||||
| +        CURLWC_CLEAN : CURLWC_DOWNLOADING;
 | ||||
| +      continue;
 | ||||
|      } | ||||
| -    Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
 | ||||
| -    wildcard->state = (wildcard->filelist.size == 0) ?
 | ||||
| -                      CURLWC_CLEAN : CURLWC_DOWNLOADING;
 | ||||
| -    return wc_statemach(conn);
 | ||||
| -  }
 | ||||
|   | ||||
| -  case CURLWC_CLEAN: {
 | ||||
| -    struct ftp_wc *ftpwc = wildcard->protdata;
 | ||||
| -    result = CURLE_OK;
 | ||||
| -    if(ftpwc)
 | ||||
| -      result = Curl_ftp_parselist_geterror(ftpwc->parser);
 | ||||
| +    case CURLWC_CLEAN: {
 | ||||
| +      struct ftp_wc *ftpwc = wildcard->protdata;
 | ||||
| +      result = CURLE_OK;
 | ||||
| +      if(ftpwc)
 | ||||
| +        result = Curl_ftp_parselist_geterror(ftpwc->parser);
 | ||||
|   | ||||
| -    wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
 | ||||
| -  } break;
 | ||||
| +      wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
 | ||||
| +      return result;
 | ||||
| +    }
 | ||||
|   | ||||
| -  case CURLWC_DONE:
 | ||||
| -  case CURLWC_ERROR:
 | ||||
| -  case CURLWC_CLEAR:
 | ||||
| -    if(wildcard->dtor)
 | ||||
| -      wildcard->dtor(wildcard->protdata);
 | ||||
| -    break;
 | ||||
| +    case CURLWC_DONE:
 | ||||
| +    case CURLWC_ERROR:
 | ||||
| +    case CURLWC_CLEAR:
 | ||||
| +      if(wildcard->dtor)
 | ||||
| +        wildcard->dtor(wildcard->protdata);
 | ||||
| +      return result;
 | ||||
| +    }
 | ||||
|    } | ||||
| -
 | ||||
| -  return result;
 | ||||
| +  /* UNREACHABLE */
 | ||||
|  } | ||||
|   | ||||
|  /*********************************************************************** | ||||
| -- 
 | ||||
| 2.26.2 | ||||
| 
 | ||||
							
								
								
									
										129
									
								
								SOURCES/0027-curl-7.61.1-CVE-2020-8286.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										129
									
								
								SOURCES/0027-curl-7.61.1-CVE-2020-8286.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,129 @@ | ||||
| From 2470bc91f62cc9b0ab1deac60a67f87b7cc95f6e Mon Sep 17 00:00:00 2001 | ||||
| From: Daniel Stenberg <daniel@haxx.se> | ||||
| Date: Wed, 2 Dec 2020 23:01:11 +0100 | ||||
| Subject: [PATCH] openssl: make the OCSP verification verify the certificate id | ||||
| 
 | ||||
| CVE-2020-8286 | ||||
| 
 | ||||
| Reported by anonymous | ||||
| 
 | ||||
| Bug: https://curl.se/docs/CVE-2020-8286.html | ||||
| 
 | ||||
| Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199 | ||||
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||
| ---
 | ||||
|  lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++---------------- | ||||
|  1 file changed, 54 insertions(+), 29 deletions(-) | ||||
| 
 | ||||
| diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
 | ||||
| index 9476773..35cd652 100644
 | ||||
| --- a/lib/vtls/openssl.c
 | ||||
| +++ b/lib/vtls/openssl.c
 | ||||
| @@ -1659,6 +1659,11 @@ static CURLcode verifystatus(struct connectdata *conn,
 | ||||
|    OCSP_BASICRESP *br = NULL; | ||||
|    X509_STORE     *st = NULL; | ||||
|    STACK_OF(X509) *ch = NULL; | ||||
| +  X509 *cert;
 | ||||
| +  OCSP_CERTID *id = NULL;
 | ||||
| +  int cert_status, crl_reason;
 | ||||
| +  ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
 | ||||
| +  int ret;
 | ||||
|   | ||||
|    long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &p); | ||||
|   | ||||
| @@ -1727,43 +1732,63 @@ static CURLcode verifystatus(struct connectdata *conn,
 | ||||
|      goto end; | ||||
|    } | ||||
|   | ||||
| -  for(i = 0; i < OCSP_resp_count(br); i++) {
 | ||||
| -    int cert_status, crl_reason;
 | ||||
| -    OCSP_SINGLERESP *single = NULL;
 | ||||
| -
 | ||||
| -    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
 | ||||
| +  /* Compute the certificate's ID */
 | ||||
| +  cert = SSL_get_peer_certificate(BACKEND->handle);
 | ||||
| +  if(!cert) {
 | ||||
| +    failf(data, "Error getting peer certficate");
 | ||||
| +    result = CURLE_SSL_INVALIDCERTSTATUS;
 | ||||
| +    goto end;
 | ||||
| +  }
 | ||||
|   | ||||
| -    single = OCSP_resp_get0(br, i);
 | ||||
| -    if(!single)
 | ||||
| -      continue;
 | ||||
| +  for(i = 0; i < sk_X509_num(ch); i++) {
 | ||||
| +    X509 *issuer = sk_X509_value(ch, i);
 | ||||
| +    if(X509_check_issued(issuer, cert) == X509_V_OK) {
 | ||||
| +      id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
 | ||||
| +      break;
 | ||||
| +    }
 | ||||
| +  }
 | ||||
| +  X509_free(cert);
 | ||||
|   | ||||
| -    cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
 | ||||
| -                                          &thisupd, &nextupd);
 | ||||
| +  if(!id) {
 | ||||
| +    failf(data, "Error computing OCSP ID");
 | ||||
| +    result = CURLE_SSL_INVALIDCERTSTATUS;
 | ||||
| +    goto end;
 | ||||
| +  }
 | ||||
|   | ||||
| -    if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
 | ||||
| -      failf(data, "OCSP response has expired");
 | ||||
| -      result = CURLE_SSL_INVALIDCERTSTATUS;
 | ||||
| -      goto end;
 | ||||
| -    }
 | ||||
| +  /* Find the single OCSP response corresponding to the certificate ID */
 | ||||
| +  ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
 | ||||
| +                              &thisupd, &nextupd);
 | ||||
| +  OCSP_CERTID_free(id);
 | ||||
| +  if(ret != 1) {
 | ||||
| +    failf(data, "Could not find certificate ID in OCSP response");
 | ||||
| +    result = CURLE_SSL_INVALIDCERTSTATUS;
 | ||||
| +    goto end;
 | ||||
| +  }
 | ||||
|   | ||||
| -    infof(data, "SSL certificate status: %s (%d)\n",
 | ||||
| -          OCSP_cert_status_str(cert_status), cert_status);
 | ||||
| +  /* Validate the corresponding single OCSP response */
 | ||||
| +  if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
 | ||||
| +    failf(data, "OCSP response has expired");
 | ||||
| +    result = CURLE_SSL_INVALIDCERTSTATUS;
 | ||||
| +    goto end;
 | ||||
| +  }
 | ||||
|   | ||||
| -    switch(cert_status) {
 | ||||
| -      case V_OCSP_CERTSTATUS_GOOD:
 | ||||
| -        break;
 | ||||
| +  infof(data, "SSL certificate status: %s (%d)\n",
 | ||||
| +        OCSP_cert_status_str(cert_status), cert_status);
 | ||||
|   | ||||
| -      case V_OCSP_CERTSTATUS_REVOKED:
 | ||||
| -        result = CURLE_SSL_INVALIDCERTSTATUS;
 | ||||
| +  switch(cert_status) {
 | ||||
| +  case V_OCSP_CERTSTATUS_GOOD:
 | ||||
| +    break;
 | ||||
|   | ||||
| -        failf(data, "SSL certificate revocation reason: %s (%d)",
 | ||||
| -              OCSP_crl_reason_str(crl_reason), crl_reason);
 | ||||
| -        goto end;
 | ||||
| +  case V_OCSP_CERTSTATUS_REVOKED:
 | ||||
| +    result = CURLE_SSL_INVALIDCERTSTATUS;
 | ||||
| +    failf(data, "SSL certificate revocation reason: %s (%d)",
 | ||||
| +          OCSP_crl_reason_str(crl_reason), crl_reason);
 | ||||
| +    goto end;
 | ||||
|   | ||||
| -      case V_OCSP_CERTSTATUS_UNKNOWN:
 | ||||
| -        result = CURLE_SSL_INVALIDCERTSTATUS;
 | ||||
| -        goto end;
 | ||||
| -    }
 | ||||
| +  case V_OCSP_CERTSTATUS_UNKNOWN:
 | ||||
| +  default:
 | ||||
| +    result = CURLE_SSL_INVALIDCERTSTATUS;
 | ||||
| +    goto end;
 | ||||
|    } | ||||
|   | ||||
|  end: | ||||
| -- 
 | ||||
| 2.26.2 | ||||
| 
 | ||||
							
								
								
									
										63
									
								
								SOURCES/0028-curl-7.61.1-http-auth-payload.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										63
									
								
								SOURCES/0028-curl-7.61.1-http-auth-payload.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,63 @@ | ||||
| From 5a51924c2505c1d5616904aa732fdaedd74d3ffe Mon Sep 17 00:00:00 2001 | ||||
| From: Marc Schlatter <mschlatter@gestour.com> | ||||
| Date: Mon, 11 Mar 2019 17:15:34 +0100 | ||||
| Subject: [PATCH] http: send payload when (proxy) authentication is done | ||||
| 
 | ||||
| The check that prevents payload from sending in case of authentication | ||||
| doesn't check properly if the authentication is done or not. | ||||
| 
 | ||||
| They're cases where the proxy respond "200 OK" before sending | ||||
| authentication challenge. This change takes care of that. | ||||
| 
 | ||||
| Fixes #2431 | ||||
| Closes #3669 | ||||
| 
 | ||||
| Upstream-commit: dd8a19f8a05b59394d1ab33c09497e8db884742a | ||||
| Signed-off-by: Kamil Dudka <kdudka@redhat.com> | ||||
| ---
 | ||||
|  lib/http.c          | 3 ++- | ||||
|  tests/data/test1097 | 5 +++-- | ||||
|  2 files changed, 5 insertions(+), 3 deletions(-) | ||||
| 
 | ||||
| diff --git a/lib/http.c b/lib/http.c
 | ||||
| index e727ed8..26eb52d 100644
 | ||||
| --- a/lib/http.c
 | ||||
| +++ b/lib/http.c
 | ||||
| @@ -1991,7 +1991,8 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
 | ||||
|    if(result) | ||||
|      return result; | ||||
|   | ||||
| -  if((data->state.authhost.multipass || data->state.authproxy.multipass) &&
 | ||||
| +  if(((data->state.authhost.multipass && !data->state.authhost.done)
 | ||||
| +      || (data->state.authproxy.multipass && !data->state.authproxy.done)) &&
 | ||||
|       (httpreq != HTTPREQ_GET) && | ||||
|       (httpreq != HTTPREQ_HEAD)) { | ||||
|      /* Auth is required and we are not authenticated yet. Make a PUT or POST | ||||
| diff --git a/tests/data/test1097 b/tests/data/test1097
 | ||||
| index 7512a2e..7eb7b5f 100644
 | ||||
| --- a/tests/data/test1097
 | ||||
| +++ b/tests/data/test1097
 | ||||
| @@ -60,7 +60,7 @@ http://test.a.galaxy.far.far.away.1097:%HTTPPORT/1097 --proxy http://%HOSTIP:%HT
 | ||||
|  <strip> | ||||
|  ^User-Agent: curl/.* | ||||
|  </strip> | ||||
| -<protocol>
 | ||||
| +<protocol nonewline="yes">
 | ||||
|  CONNECT test.a.galaxy.far.far.away.1097:%HTTPPORT HTTP/1.1 | ||||
|  Host: test.a.galaxy.far.far.away.1097:%HTTPPORT | ||||
|  Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= | ||||
| @@ -71,9 +71,10 @@ POST /1097 HTTP/1.1
 | ||||
|  User-Agent: curl/7.19.5-CVS (i686-pc-linux-gnu) libcurl/7.19.5-CVS OpenSSL/0.9.8g zlib/1.2.3.3 c-ares/1.6.1-CVS libidn/1.12 libssh2/1.0.1_CVS | ||||
|  Host: test.a.galaxy.far.far.away.1097:%HTTPPORT | ||||
|  Accept: */* | ||||
| -Content-Length: 0
 | ||||
| +Content-Length: 11
 | ||||
|  Content-Type: application/x-www-form-urlencoded | ||||
|   | ||||
| +dummy=value
 | ||||
|  </protocol> | ||||
|   | ||||
|  </verify> | ||||
| -- 
 | ||||
| 2.26.2 | ||||
| 
 | ||||
							
								
								
									
										71
									
								
								SOURCES/0105-curl-7.61.1-test-ports.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										71
									
								
								SOURCES/0105-curl-7.61.1-test-ports.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,71 @@ | ||||
| From e6507a9abbfd4ac93ea3053c8f3385a2405f19d8 Mon Sep 17 00:00:00 2001 | ||||
| From: Kamil Dudka <kdudka@redhat.com> | ||||
| Date: Fri, 29 Jan 2021 11:34:49 +0100 | ||||
| Subject: [PATCH] tests: do not hard-wire ports of test servers | ||||
| 
 | ||||
| ---
 | ||||
|  tests/data/test1448 | 4 ++-- | ||||
|  tests/data/test651  | 2 +- | ||||
|  tests/data/test653  | 4 ++-- | ||||
|  3 files changed, 5 insertions(+), 5 deletions(-) | ||||
| 
 | ||||
| diff --git a/tests/data/test1448 b/tests/data/test1448
 | ||||
| index e04f47b..5022ef9 100644
 | ||||
| --- a/tests/data/test1448
 | ||||
| +++ b/tests/data/test1448
 | ||||
| @@ -17,7 +17,7 @@ HTTP/1.1 302 OK swsbounce
 | ||||
|  Date: Thu, 09 Nov 2010 14:49:00 GMT | ||||
|  Content-Length: 9 | ||||
|  Content-Type: text/plain | ||||
| -Location: http://åäö.se:8990/14480001
 | ||||
| +Location: http://åäö.se:%HTTPPORT/14480001
 | ||||
|   | ||||
|  redirect | ||||
|  </data> | ||||
| @@ -52,7 +52,7 @@ Redirect following to UTF-8 IDN host name
 | ||||
|   </name> | ||||
|   | ||||
|   <command> | ||||
| -http://åäö.se:%HTTPPORT/1448 --resolve xn--4cab6c.se:%HTTPPORT:%HOSTIP -L --connect-to %HOSTIP:8990:%HOSTIP:%HTTPPORT
 | ||||
| +http://åäö.se:%HTTPPORT/1448 --resolve xn--4cab6c.se:%HTTPPORT:%HOSTIP -L --connect-to %HOSTIP:%HTTPPORT:%HOSTIP:%HTTPPORT
 | ||||
|  </command> | ||||
|  </client> | ||||
|   | ||||
| diff --git a/tests/data/test651 b/tests/data/test651
 | ||||
| index b00ca5d..8d47c9f 100644
 | ||||
| --- a/tests/data/test651
 | ||||
| +++ b/tests/data/test651
 | ||||
| @@ -57,7 +57,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=--------------------------
 | ||||
|  # (5*12) == 60 bytes less | ||||
|  <protocol> | ||||
|  POST /651 HTTP/1.1 | ||||
| -Host: 127.0.0.1:8990
 | ||||
| +Host: 127.0.0.1:%HTTPPORT
 | ||||
|  Accept: */* | ||||
|  Content-Length: 17139 | ||||
|  Content-Type: multipart/form-data; boundary=---------------------------- | ||||
| diff --git a/tests/data/test653 b/tests/data/test653
 | ||||
| index d620b57..492d551 100644
 | ||||
| --- a/tests/data/test653
 | ||||
| +++ b/tests/data/test653
 | ||||
| @@ -67,7 +67,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=--------------------------
 | ||||
|  # (5*12) == 60 bytes less | ||||
|  <protocol> | ||||
|  POST /653 HTTP/1.1 | ||||
| -Host: 127.0.0.1:8990
 | ||||
| +Host: 127.0.0.1:%HTTPPORT
 | ||||
|  Accept: */* | ||||
|  Content-Length: 150 | ||||
|  Content-Type: multipart/form-data; boundary=---------------------------- | ||||
| @@ -78,7 +78,7 @@ Content-Disposition: form-data; name="name"
 | ||||
|  short value | ||||
|  -------------------------------- | ||||
|  POST /653 HTTP/1.1 | ||||
| -Host: 127.0.0.1:8990
 | ||||
| +Host: 127.0.0.1:%HTTPPORT
 | ||||
|  Accept: */* | ||||
|  Content-Length: 167 | ||||
|  Content-Type: multipart/form-data; boundary=---------------------------- | ||||
| -- 
 | ||||
| 2.26.2 | ||||
| 
 | ||||
| @ -1,7 +1,7 @@ | ||||
| Summary: A utility for getting files from remote servers (FTP, HTTP, and others) | ||||
| Name: curl | ||||
| Version: 7.61.1 | ||||
| Release: 12%{?dist} | ||||
| Release: 18%{?dist} | ||||
| License: MIT | ||||
| Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz | ||||
| 
 | ||||
| @ -52,6 +52,33 @@ Patch18:  0018-curl-7.65.3-CVE-2019-5482.patch | ||||
| # double free due to subsequent call of realloc() (CVE-2019-5481) | ||||
| Patch19:  0019-curl-7.65.3-CVE-2019-5481.patch | ||||
| 
 | ||||
| # load built-in openssl engines (#1854369) | ||||
| Patch20:  0020-curl-7.61.1-openssl-engines.patch | ||||
| 
 | ||||
| # avoid overwriting a local file with -J (CVE-2020-8177) | ||||
| Patch21:  0021-curl-7.61.1-CVE-2020-8177.patch | ||||
| 
 | ||||
| # libcurl: wrong connect-only connection (CVE-2020-8231) | ||||
| Patch22:  0022-curl-7.61.1-CVE-2020-8231.patch | ||||
| 
 | ||||
| # do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327) | ||||
| Patch23:  0023-curl-7.61.1-no-https-proxy-crash.patch | ||||
| 
 | ||||
| # validate an ssl connection using an intermediate certificate (#1895355) | ||||
| Patch24:  0024-curl-7.61.1-openssl-partial-chain.patch | ||||
| 
 | ||||
| # curl: trusting FTP PASV responses (CVE-2020-8284) | ||||
| Patch25:  0025-curl-7.61.1-CVE-2020-8284.patch | ||||
| 
 | ||||
| # libcurl: FTP wildcard stack overflow (CVE-2020-8285) | ||||
| Patch26:  0026-curl-7.61.1-CVE-2020-8285.patch | ||||
| 
 | ||||
| # curl: Inferior OCSP verification (CVE-2020-8286) | ||||
| Patch27:  0027-curl-7.61.1-CVE-2020-8286.patch | ||||
| 
 | ||||
| # http: send payload when (proxy) authentication is done (#1918692) | ||||
| Patch28:  0028-curl-7.61.1-http-auth-payload.patch | ||||
| 
 | ||||
| # patch making libcurl multilib ready | ||||
| Patch101: 0101-curl-7.32.0-multilib.patch | ||||
| 
 | ||||
| @ -64,6 +91,9 @@ Patch103: 0103-curl-7.59.0-python3.patch | ||||
| # use localhost6 instead of ip6-localhost in the curl test-suite | ||||
| Patch104: 0104-curl-7.19.7-localhost6.patch | ||||
| 
 | ||||
| # tests: do not hard-wire ports of test servers | ||||
| Patch105: 0105-curl-7.61.1-test-ports.patch | ||||
| 
 | ||||
| Provides: curl-full = %{version}-%{release} | ||||
| Provides: webclient | ||||
| URL: https://curl.haxx.se/ | ||||
| @ -195,7 +225,7 @@ Summary: Conservatively configured build of libcurl for minimal installations | ||||
| Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} | ||||
| Provides: libcurl = %{version}-%{release} | ||||
| Provides: libcurl%{?_isa} = %{version}-%{release} | ||||
| Conflicts: libcurl | ||||
| Conflicts: libcurl%{?_isa} | ||||
| RemovePathPostfixes: .minimal | ||||
| # needed for RemovePathPostfixes to work with shared libraries | ||||
| %undefine __brp_ldconfig | ||||
| @ -230,10 +260,24 @@ git apply %{PATCH4} | ||||
| %patch103 -p1 | ||||
| %patch104 -p1 | ||||
| 
 | ||||
| # use different port range for 32bit and 64bit builds, thus make it possible | ||||
| # to run both the builds in parallel on the same machine | ||||
| %patch105 -p1 | ||||
| sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448 | ||||
| 
 | ||||
| # upstream patches | ||||
| %patch17 -p1 | ||||
| %patch18 -p1 | ||||
| %patch19 -p1 | ||||
| %patch20 -p1 | ||||
| %patch21 -p1 | ||||
| %patch22 -p1 | ||||
| %patch23 -p1 | ||||
| %patch24 -p1 | ||||
| %patch25 -p1 | ||||
| %patch26 -p1 | ||||
| %patch27 -p1 | ||||
| %patch28 -p1 | ||||
| 
 | ||||
| # make tests/*.py use Python 3 | ||||
| sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py | ||||
| @ -326,7 +370,10 @@ export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX | ||||
| export OPENSSL_CONF= | ||||
| 
 | ||||
| # run the upstream test-suite | ||||
| srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' | ||||
| # use different port range for 32bit and 64bit builds, thus make it possible | ||||
| # to run both the builds in parallel on the same machine | ||||
| export srcdir=../../tests | ||||
| perl -I${srcdir} ${srcdir}/runtests.pl -b%{?__isa_bits}90 -a -p -v '!flaky' | ||||
| 
 | ||||
| %install | ||||
| # install and rename the library that will be packaged as libcurl-minimal | ||||
| @ -394,6 +441,28 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la | ||||
| %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal | ||||
| 
 | ||||
| %changelog | ||||
| * Thu Jan 28 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-18 | ||||
| - http: send payload when (proxy) authentication is done (#1918692) | ||||
| - curl: Inferior OCSP verification (CVE-2020-8286) | ||||
| - libcurl: FTP wildcard stack overflow (CVE-2020-8285) | ||||
| - curl: trusting FTP PASV responses (CVE-2020-8284) | ||||
| 
 | ||||
| * Thu Nov 12 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-17 | ||||
| - validate an ssl connection using an intermediate certificate (#1895355) | ||||
| 
 | ||||
| * Fri Nov 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-16 | ||||
| - fix multiarch conflicts in libcurl-minimal (#1895391) | ||||
| 
 | ||||
| * Tue Nov 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-15 | ||||
| - do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327) | ||||
| - libcurl: wrong connect-only connection (CVE-2020-8231) | ||||
| 
 | ||||
| * Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14 | ||||
| - avoid overwriting a local file with -J (CVE-2020-8177) | ||||
| 
 | ||||
| * Wed Jul 15 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-13 | ||||
| - load built-in openssl engines (#1854369) | ||||
| 
 | ||||
| * Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-12 | ||||
| - double free due to subsequent call of realloc() (CVE-2019-5481) | ||||
| - fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482) | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user