1
0
forked from rpms/curl

import UBI curl-7.76.1-26.el9_3.2

This commit is contained in:
eabdullin 2023-11-07 13:40:05 +00:00
parent 559781d385
commit d4ccb545ea
9 changed files with 1239 additions and 13 deletions

View File

@ -0,0 +1,59 @@
From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 6 Mar 2023 12:07:33 +0100
Subject: [PATCH] telnet: only accept option arguments in ascii
To avoid embedded telnet negotiation commands etc.
Reported-by: Harry Sintonen
Closes #10728
Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/telnet.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/lib/telnet.c b/lib/telnet.c
index 22bc81e..baea885 100644
--- a/lib/telnet.c
+++ b/lib/telnet.c
@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data,
}
}
+static bool str_is_nonascii(const char *str)
+{
+ size_t len = strlen(str);
+ while(len--) {
+ if(*str & 0x80)
+ return TRUE;
+ str++;
+ }
+ return FALSE;
+}
+
static CURLcode check_telnet_options(struct Curl_easy *data)
{
struct curl_slist *head;
@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
/* Add the user name as an environment variable if it
was given on the command line */
if(conn->bits.user_passwd) {
+ if(str_is_nonascii(data->conn->user))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
beg = curl_slist_append(tn->telnet_vars, option_arg);
if(!beg) {
@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
for(head = data->set.telnet_options; head; head = head->next) {
if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
option_keyword, option_arg) == 2) {
+ if(str_is_nonascii(option_arg))
+ continue;
/* Terminal type */
if(strcasecompare(option_keyword, "TTYPE")) {
--
2.39.2

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,54 @@
From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 10 Mar 2023 09:22:43 +0100
Subject: [PATCH] url: only reuse connections with same GSS delegation
Reported-by: Harry Sintonen
Closes #10731
Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/url.c | 6 ++++++
lib/urldata.h | 1 +
2 files changed, 7 insertions(+)
diff --git a/lib/url.c b/lib/url.c
index 3b11b7e..cbbc7f3 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1325,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data,
}
}
+ /* GSS delegation differences do not actually affect every connection
+ and auth method, but this check takes precaution before efficiency */
+ if(needle->gssapi_delegation != check->gssapi_delegation)
+ continue;
+
if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
if(!ssh_config_matches(needle, check))
continue;
@@ -1785,6 +1790,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
conn->fclosesocket = data->set.fclosesocket;
conn->closesocket_client = data->set.closesocket_client;
conn->lastused = Curl_now(); /* used now */
+ conn->gssapi_delegation = data->set.gssapi_delegation;
return conn;
error:
diff --git a/lib/urldata.h b/lib/urldata.h
index ce90304..9e16f26 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -995,6 +995,7 @@ struct connectdata {
char *sasl_authzid; /* authorisation identity string, allocated */
char *oauth_bearer; /* OAUTH2 bearer, allocated */
unsigned char httpversion; /* the HTTP version*10 reported by the server */
+ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
struct curltime now; /* "current" time */
struct curltime created; /* creation time */
struct curltime lastused; /* when returned to the connection cache */
--
2.39.2

View File

@ -0,0 +1,30 @@
From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 10 Mar 2023 08:22:51 +0100
Subject: [PATCH] url: fix the SSH connection reuse check
Reported-by: Harry Sintonen
Closes #10735
Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/url.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/url.c b/lib/url.c
index 0c31486..3b11b7e 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1330,7 +1330,7 @@ ConnectionExists(struct Curl_easy *data,
if(needle->gssapi_delegation != check->gssapi_delegation)
continue;
- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+ if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
if(!ssh_config_matches(needle, check))
continue;
}
--
2.39.2

View File

@ -143,7 +143,7 @@ index 84f962abebee3..f31b2c2a3f330 100644
</keywords>
</info>
@@ -14,9 +13,9 @@ none
@@ -15,9 +14,9 @@ none
<features>
unittest
</features>

View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.76.1
Release: 23%{?dist}.4
Release: 26%{?dist}.2
License: MIT
Source: https://curl.se/download/%{name}-%{version}.tar.xz
@ -74,20 +74,32 @@ Patch23: 0023-curl-7.76.1-CVE-2022-43552.patch
# fix HTTP multi-header compression denial of service (CVE-2023-23916)
Patch24: 0024-curl-7.76.1-CVE-2023-23916.patch
# fix TELNET option IAC injection (CVE-2023-27533)
Patch25: 0025-curl-7.76.1-CVE-2023-27533.patch
# fix SFTP path ~ resolving discrepancy (CVE-2023-27534)
Patch26: 0026-curl-7.76.1-CVE-2023-27534.patch
# fix FTP too eager connection reuse (CVE-2023-27535)
Patch27: 0027-curl-7.76.1-CVE-2023-27535.patch
# fix host name wildcard checking (CVE-2023-28321)
Patch28: 0028-curl-7.76.1-CVE-2023-28321.patch
# fix GSS delegation too eager connection re-use (CVE-2023-27536)
Patch28: 0028-curl-7.76.1-CVE-2023-27536.patch
# fix SSH connection too eager reuse still (CVE-2023-27538)
Patch29: 0029-curl-7.76.1-CVE-2023-27538.patch
# unify the upload/method handling (CVE-2023-28322)
Patch29: 0029-curl-7.76.1-CVE-2023-28322.patch
Patch30: 0030-curl-7.76.1-CVE-2023-28322.patch
# fix host name wildcard checking
Patch31: 0031-curl-7.76.1-CVE-2023-28321.patch
# return error if hostname too long for remote resolve (CVE-2023-38545)
Patch30: 0030-curl-7.76.1-CVE-2023-38545.patch
Patch32: 0032-curl-7.76.1-CVE-2023-38545.patch
# fix cookie injection with none file (CVE-2023-38546)
Patch31: 0031-curl-7.61.1-CVE-2023-38546.patch
Patch33: 0033-curl-7.61.1-CVE-2023-38546.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@ -287,11 +299,15 @@ be installed.
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
# Fedora patches
%patch101 -p1
@ -517,18 +533,25 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
* Thu Oct 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.4
* Thu Oct 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26.el9_3.2
- fix cookie injection with none file (CVE-2023-38546)
* Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.3
- return error if hostname too long for remote resolve (CVE-2023-38545)
* Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26.el9_3.1
- socks: return error if hostname too long for remote resolve (CVE-2023-38545)
* Tue Jun 27 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.2
- fix host name wildcard checking (CVE-2023-28321)
* Mon Jun 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26
- unify the upload/method handling (CVE-2023-28322)
- fix host name wildcard checking (CVE-2023-28321)
* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23.el9_2.1
* Wed Apr 12 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-25
- adapt the fix of CVE-2023-27535 for RHEL 9 curl
* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-24
- fix SSH connection too eager reuse still (CVE-2023-27538)
- fix GSS delegation too eager connection re-use (CVE-2023-27536)
- fix FTP too eager connection reuse (CVE-2023-27535)
- fix SFTP path ~ resolving discrepancy (CVE-2023-27534)
- fix TELNET option IAC injection (CVE-2023-27533)
* Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23
- fix HTTP multi-header compression denial of service (CVE-2023-23916)