import UBI curl-7.76.1-26.el9_3.2

2023-11-07 13:40:05 +00:00 · 2023-11-07 13:40:05 +00:00 · d4ccb545ea
commit d4ccb545ea
parent 559781d385
9 changed files with 1239 additions and 13 deletions
--- a/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch
+++ b/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch
@ -0,0 +1,59 @@
 From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 6 Mar 2023 12:07:33 +0100
 Subject: [PATCH] telnet: only accept option arguments in ascii
 To avoid embedded telnet negotiation commands etc.
 Reported-by: Harry Sintonen
 Closes #10728
 Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/telnet.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 diff --git a/lib/telnet.c b/lib/telnet.c
 index 22bc81e..baea885 100644
 --- a/lib/telnet.c
 +++ b/lib/telnet.c
@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data,
   }
 }
 +static bool str_is_nonascii(const char *str)
 +{
 +  size_t len = strlen(str);
 +  while(len--) {
 +    if(*str & 0x80)
 +      return TRUE;
 +    str++;
 +  }
 +  return FALSE;
 +}
 +
 static CURLcode check_telnet_options(struct Curl_easy *data)
 {
   struct curl_slist *head;
@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
   /* Add the user name as an environment variable if it
      was given on the command line */
   if(conn->bits.user_passwd) {
 +    if(str_is_nonascii(data->conn->user))
 +      return CURLE_BAD_FUNCTION_ARGUMENT;
     msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
     beg = curl_slist_append(tn->telnet_vars, option_arg);
     if(!beg) {
@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
   for(head = data->set.telnet_options; head; head = head->next) {
     if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
               option_keyword, option_arg) == 2) {
 +      if(str_is_nonascii(option_arg))
 +        continue;
       /* Terminal type */
       if(strcasecompare(option_keyword, "TTYPE")) {
 -- 
 2.39.2
--- a/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch
+++ b/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch
--- a/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch
+++ b/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch
@ -0,0 +1,54 @@
 From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Fri, 10 Mar 2023 09:22:43 +0100
 Subject: [PATCH] url: only reuse connections with same GSS delegation
 Reported-by: Harry Sintonen
 Closes #10731
 Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/url.c     | 6 ++++++
 lib/urldata.h | 1 +
 2 files changed, 7 insertions(+)
 diff --git a/lib/url.c b/lib/url.c
 index 3b11b7e..cbbc7f3 100644
 --- a/lib/url.c
 +++ b/lib/url.c
@@ -1325,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data,
         }
       }
 +      /* GSS delegation differences do not actually affect every connection
 +         and auth method, but this check takes precaution before efficiency */
 +      if(needle->gssapi_delegation != check->gssapi_delegation)
 +        continue;
 +
       if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
         if(!ssh_config_matches(needle, check))
           continue;
@@ -1785,6 +1790,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
   conn->fclosesocket = data->set.fclosesocket;
   conn->closesocket_client = data->set.closesocket_client;
   conn->lastused = Curl_now(); /* used now */
 +  conn->gssapi_delegation = data->set.gssapi_delegation;
   return conn;
   error:
 diff --git a/lib/urldata.h b/lib/urldata.h
 index ce90304..9e16f26 100644
 --- a/lib/urldata.h
 +++ b/lib/urldata.h
@@ -995,6 +995,7 @@ struct connectdata {
   char *sasl_authzid;     /* authorisation identity string, allocated */
   char *oauth_bearer; /* OAUTH2 bearer, allocated */
   unsigned char httpversion; /* the HTTP version*10 reported by the server */
 +  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
   struct curltime now;     /* "current" time */
   struct curltime created; /* creation time */
   struct curltime lastused; /* when returned to the connection cache */
 -- 
 2.39.2
--- a/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch
+++ b/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch
@ -0,0 +1,30 @@
 From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Fri, 10 Mar 2023 08:22:51 +0100
 Subject: [PATCH] url: fix the SSH connection reuse check
 Reported-by: Harry Sintonen
 Closes #10735
 Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/url.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/url.c b/lib/url.c
 index 0c31486..3b11b7e 100644
 --- a/lib/url.c
 +++ b/lib/url.c
@@ -1330,7 +1330,7 @@ ConnectionExists(struct Curl_easy *data,
       if(needle->gssapi_delegation != check->gssapi_delegation)
         continue;
 -      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
 +      if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
         if(!ssh_config_matches(needle, check))
           continue;
       }
 -- 
 2.39.2
--- a/SOURCES/0030-curl-7.76.1-CVE-2023-28322.patch
+++ b/SOURCES/0030-curl-7.76.1-CVE-2023-28322.patch
--- a/SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch
+++ b/SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch
@ -143,7 +143,7 @@ index 84f962abebee3..f31b2c2a3f330 100644
 </keywords>
 </info>
-@@ -14,9 +13,9 @@ none
+@@ -15,9 +14,9 @@ none
 <features>
 unittest
 </features>
--- a/SOURCES/0032-curl-7.76.1-CVE-2023-38545.patch
+++ b/SOURCES/0032-curl-7.76.1-CVE-2023-38545.patch
--- a/SOURCES/0033-curl-7.61.1-CVE-2023-38546.patch
+++ b/SOURCES/0033-curl-7.61.1-CVE-2023-38546.patch
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 23%{?dist}.4
+Release: 26%{?dist}.2
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
@ -74,20 +74,32 @@ Patch23:  0023-curl-7.76.1-CVE-2022-43552.patch
 # fix HTTP multi-header compression denial of service (CVE-2023-23916)
 Patch24:  0024-curl-7.76.1-CVE-2023-23916.patch
 # fix TELNET option IAC injection (CVE-2023-27533)
 Patch25:  0025-curl-7.76.1-CVE-2023-27533.patch
 # fix SFTP path ~ resolving discrepancy (CVE-2023-27534)
 Patch26:  0026-curl-7.76.1-CVE-2023-27534.patch
 # fix FTP too eager connection reuse (CVE-2023-27535)
 Patch27:  0027-curl-7.76.1-CVE-2023-27535.patch
-# fix host name wildcard checking (CVE-2023-28321)
+# fix GSS delegation too eager connection re-use (CVE-2023-27536)
-Patch28:  0028-curl-7.76.1-CVE-2023-28321.patch
+Patch28:  0028-curl-7.76.1-CVE-2023-27536.patch
 # fix SSH connection too eager reuse still (CVE-2023-27538)
 Patch29:  0029-curl-7.76.1-CVE-2023-27538.patch
 # unify the upload/method handling (CVE-2023-28322)
-Patch29:  0029-curl-7.76.1-CVE-2023-28322.patch
+Patch30:  0030-curl-7.76.1-CVE-2023-28322.patch
 # fix host name wildcard checking
 Patch31:  0031-curl-7.76.1-CVE-2023-28321.patch
 # return error if hostname too long for remote resolve (CVE-2023-38545)
-Patch30:  0030-curl-7.76.1-CVE-2023-38545.patch
+Patch32:  0032-curl-7.76.1-CVE-2023-38545.patch
 # fix cookie injection with none file (CVE-2023-38546)
-Patch31:  0031-curl-7.61.1-CVE-2023-38546.patch
+Patch33:  0033-curl-7.61.1-CVE-2023-38546.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -287,11 +299,15 @@ be installed.
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
 %patch31 -p1
 %patch32 -p1
 %patch33 -p1
 # Fedora patches
 %patch101 -p1
@ -517,18 +533,25 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
-* Thu Oct 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.4
+* Thu Oct 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26.el9_3.2
 - fix cookie injection with none file (CVE-2023-38546)
-* Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.3
+* Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26.el9_3.1
- return error if hostname too long for remote resolve (CVE-2023-38545)
+- socks: return error if hostname too long for remote resolve (CVE-2023-38545)
-* Tue Jun 27 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.2
+* Mon Jun 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26
 - fix host name wildcard checking (CVE-2023-28321)
 - unify the upload/method handling (CVE-2023-28322)
 - fix host name wildcard checking (CVE-2023-28321)
-* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23.el9_2.1
+* Wed Apr 12 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-25
 - adapt the fix of CVE-2023-27535 for RHEL 9 curl
 * Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-24
 - fix SSH connection too eager reuse still (CVE-2023-27538)
 - fix GSS delegation too eager connection re-use (CVE-2023-27536)
 - fix FTP too eager connection reuse (CVE-2023-27535)
 - fix SFTP path ~ resolving discrepancy (CVE-2023-27534)
 - fix TELNET option IAC injection (CVE-2023-27533)
 * Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23
 - fix HTTP multi-header compression denial of service (CVE-2023-23916)