import CS curl-7.76.1-40.el9

AlmaLinux RelEng Bot 2026-03-30 11:19:25 -04:00
parent 5c20f87018
commit 0fca99c9f8
4 changed files with 233 additions and 2 deletions

@ -0,0 +1,48 @@
From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 11 Aug 2025 20:23:05 +0200
Subject: [PATCH] cookie: don't treat the leading slash as trailing
If there is only a leading slash in the path, keep that. Also add an
assert to make sure the path is never blank.
Reported-by: Google Big Sleep
Closes #18266
---
lib/cookie.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/cookie.c b/lib/cookie.c
index 914a4aca12ac..b72dd99bce9b 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -296,7 +296,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
}
/* convert /hoge/ to /hoge */
- if(len && new_path[len - 1] == '/') {
+ if(len > 1 && new_path[len - 1] == '/') {
new_path[len - 1] = 0x0;
}
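Review bot: the `len > 1` guard is the right boundary, but the comment above it still reads "convert /hoge/ to /hoge" and says nothing about the case this change exists for, namely that a path consisting only of "/" must be left alone rather than truncated to an empty string. Extend the comment, e.g. `/* convert /hoge/ to /hoge, but keep a lone "/" intact */`, so the next person does not "simplify" the condition back to `len &&`.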
@@ -965,7 +965,7 @@ replace_existing(struct Curl_easy *data,
if(clist->spath && co->spath) {
if(clist->secure && !co->secure && !secure) {
size_t cllen;
- const char *sep;
+ const char *sep = NULL;
/*
* A non-secure cookie may not overlay an existing secure cookie.
@@ -974,8 +974,9 @@ replace_existing(struct Curl_easy *data,
* "/loginhelper" is ok.
*/
- sep = strchr(clist->spath + 1, '/');
-
+ DEBUGASSERT(clist->spath[0]);
+ if(clist->spath[0])
+ sep = strchr(clist->spath + 1, '/');
if(sep)
cllen = sep - clist->spath;
else
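Review bot: the runtime check `if(clist->spath[0])` is the part that protects release builds, since `DEBUGASSERT()` compiles to nothing there; with an empty `spath`, `strchr(clist->spath + 1, '/')` starts one byte past the terminator, which is the out-of-bounds read the `sanitize_cookie_path()` change in the first hunk prevents at the source. Keeping both the assert and the guard is reasonable (the assert documents the invariant, the guard is defence in depth), but the comment block above should say so explicitly; as written, a reader may wonder why an asserted-true condition is re-tested, and `sep` staying NULL silently routes the empty-path case into the `else` branch below.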

@ -0,0 +1,110 @@
From: Jacek Migacz <jmigacz@redhat.com>
Date: Mon, 4 Nov 2025 10:00:00 +0100
Subject: [PATCH] openssl: respect system crypto policy for TLS max version
Implement a compromise between application control and system security
policy for TLS maximum version:
- When user explicitly sets --tls-max: honor user choice (app control)
- When user accepts default: respect OpenSSL crypto-policy (system policy)
This allows:
curl --tls-max 1.3 https://... # Uses TLS 1.3 (overrides policy)
curl https://... # Respects crypto-policy
Previously, curl called SSL_CTX_set_max_proto_version(ctx, 0) even when
user didn't specify --tls-max, which overrides system crypto-policy and
enables all TLS versions up to the highest supported.
This breaks FIPS/Common Criteria compliance systems where security
policies are mandatory:
- Package managers (dnf/yum) completely break on FIPS systems
- RHEL/Fedora cannot achieve government certifications
- System administrators cannot enforce TLS version restrictions
The fix: when user explicitly requests a specific maximum version, honor it.
Otherwise, query the current crypto-policy setting. If the policy restricts
TLS to a version lower than 1.3, respect that restriction. If the policy
allows TLS 1.3 (the highest), use 0 to maintain the original behavior.
This approach:
- Respects crypto-policy when it actually restricts TLS versions
- Maintains original behavior (calling with 0) when no restriction applies
- Preserves compatibility with other libraries like libssh (bz2091512)
- Ensures SSL_CTX_set_max_proto_version() is always called (RHEL-134721)
Note: Previous versions had issues:
- v1: Skipped calling SSL_CTX_set_max_proto_version() entirely, breaking libssh
- v2: Always called with policy_max value, but on DEFAULT policy this returns
TLS1_3_VERSION instead of 0, which differs from original behavior and
still caused libssh regression
This v3 fix preserves original behavior (call with 0) when crypto-policy
allows TLS 1.3, and only applies restrictions for FIPS/restrictive policies.
This mirrors the intended behavior of the minimum version logic, where
explicit user choice overrides defaults, but system configuration is
respected otherwise.
---
lib/vtls/openssl.c | 50 +++++++++++++++++++++++++++++++++++-------------
1 file changed, 37 insertions(+), 13 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 1234567890..abcdef1234 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2354,19 +2354,43 @@
ossl_ssl_version_max = TLS1_3_VERSION;
break;
#endif
- case CURL_SSLVERSION_MAX_NONE: /* none selected */
- case CURL_SSLVERSION_MAX_DEFAULT: /* max selected */
- default:
- /* SSL_CTX_set_max_proto_version states that:
- setting the maximum to 0 will enable
- protocol versions up to the highest version
- supported by the library */
- ossl_ssl_version_max = 0;
- break;
}
- if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
- return CURLE_SSL_CONNECT_ERROR;
+ /* Set max version based on user choice or crypto-policy.
+
+ When user explicitly sets --tls-max, honor that choice (app control).
+ When user accepts default, respect crypto-policy (system policy).
+
+ IMPORTANT: We always call SSL_CTX_set_max_proto_version() to maintain
+ compatibility with other libraries like libssh. Skipping this call
+ or calling with different values can affect libraries that depend on
+ specific OpenSSL initialization sequences. See RHEL-134721. */
+ if(curl_ssl_version_max != CURL_SSLVERSION_MAX_NONE &&
+ curl_ssl_version_max != CURL_SSLVERSION_MAX_DEFAULT) {
+ /* User explicitly requested a specific max version - honor it */
+ if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+ else {
+ /* User didn't specify - check crypto-policy.
+ Query the current max version setting from crypto-policy config.
+ If policy restricts to below TLS 1.3, respect that restriction.
+ Otherwise, use 0 (highest available) to maintain original behavior
+ which is required for libssh compatibility (bz2091512). */
+ long policy_max = SSL_CTX_get_max_proto_version(ctx);
+#ifdef TLS1_3_VERSION
+ if(policy_max == 0 || policy_max >= TLS1_3_VERSION) {
+ /* No restriction or TLS 1.3 allowed - use original behavior */
+ policy_max = 0;
+ }
+ /* else: policy restricts to TLS 1.2 or lower, respect it */
+#else
+ policy_max = 0;
+#endif
+ if(!SSL_CTX_set_max_proto_version(ctx, policy_max)) {
+ return CURLE_SSL_CONNECT_ERROR;
+ }
}
return CURLE_OK;
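Review bot: removing the `default:` arm of the switch leaves `ossl_ssl_version_max` unassigned for any value of `curl_ssl_version_max` that has no explicit case, and the new explicit branch then passes that unset value to `SSL_CTX_set_max_proto_version()`. The visible example is `CURL_SSLVERSION_MAX_TLSv1_3` on a build where `TLS1_3_VERSION` is not defined, because that case sits under `#ifdef` in the lines above; previously `default:` mapped it to 0. Either initialize `ossl_ssl_version_max` to 0 at its declaration or keep a `default:` that returns `CURLE_SSL_CONNECT_ERROR`. Two smaller points: `SSL_CTX_get_max_proto_version()` exists only since OpenSSL 1.1.1, so the `else` branch needs an `OPENSSL_VERSION_NUMBER` guard if this patch is ever carried to a build against an older OpenSSL (not an issue for the OpenSSL 3 that el9 ships), and the file header carries placeholder blob ids (`index 1234567890..abcdef1234`), which `patch(1)` ignores but which should be real values in a patch kept in a package.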

@ -0,0 +1,42 @@
From ca8893468f3ca1bcd04a61691878e09b5824180c Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Tue, 29 Jun 2021 11:43:35 -0400
Subject: [PATCH] http: fix crash in rate-limited upload
- Don't set the size of the piece of data to send to the rate limit if
that limit is larger than the buffer size that will hold the piece.
Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
(curl tool: --limit-rate) was set then it was possible that a temporary
buffer used for uploading could be written to out of bounds. A likely
scenario for this would be a non-trivial amount of post data combined
with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
The bug was introduced in 24e469f which is in releases since 7.76.0.
perl -e "print '0' x 200000" > tmp
curl --limit-rate 128k -d @tmp httpbin.org/post
Reported-by: Richard Marion
Fixes https://github.com/curl/curl/issues/7308
Closes https://github.com/curl/curl/pull/7315
---
lib/http.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/http.c b/lib/http.c
index 6d5d8fb3b2..ac0301bc41 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1177,6 +1177,7 @@ static size_t readmoredata(char *buffer,
data->req.forbidchunk = (http->sending == HTTPSEND_REQUEST)?TRUE:FALSE;
if(data->set.max_send_speed &&
+ (data->set.max_send_speed < (curl_off_t)fullsize) &&
(data->set.max_send_speed < http->postsize))
/* speed limit */
fullsize = (size_t)data->set.max_send_speed;
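Review bot: no regression test accompanies this one-line fix even though the commit message gives a deterministic reproduction (200000 bytes of POST data with `--limit-rate 128k`); turning that into a test in the tests/ suite would keep the bound from being dropped in a later refactor of `readmoredata()`. The added comparison is correct, and it is also what makes the subsequent `(size_t)data->set.max_send_speed` cast safe, but a short comment stating that `fullsize` is the capacity of `buffer` and the speed limit must never exceed it would make the reason for the extra clause obvious; `/* speed limit */` alone does not.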
--
2.51.0

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.76.1
Release: 34%{?dist}
Release: 40%{?dist}
License: MIT
Source: https://curl.se/download/%{name}-%{version}.tar.xz
@ -122,6 +122,15 @@ Patch39: 0039-curl-7.76.1-pause-on-http.patch
# noproxy: support proxies specified using cidr notation
Patch40: 0040-curl-7.76.1-noproxy-support-using-cidr.patch
# cookie: don't treat the leading slash as trailing (CVE-2025-9086)
Patch041: 0041-curl-7.76.1-CVE-2025-9086.patch
# openssl: respect system crypto policy for TLS max version
Patch042: 0042-curl-7.76.1-respect-system-crypto-policy.patch
# http: fix crash in rate-limited upload
Patch043: 0043-curl-7.76.1-http-fix-crash-in-rate-limited-upload.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
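Review bot: the new tags are written `Patch041:`, `Patch042:` and `Patch043:` while the existing ones are `Patch39:` and `Patch40:`. rpm parses both forms as patch numbers 41 to 43, so `%patch -P 41` below still resolves, but the zero-padded spelling breaks the file's own convention and makes a grep for `Patch41` miss the definition. Use `Patch41:`, `Patch42:` and `Patch43:` to match the surrounding entries.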
@ -336,6 +345,9 @@ be installed.
%patch -P 38 -p1
%patch -P 39 -p1
%patch -P 40 -p1
%patch -P 41 -p1
%patch -P 42 -p1
%patch -P 43 -p1
# Fedora patches
%patch -P 101 -p1
@ -561,7 +573,26 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
* Mon Jul 23 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-34
* Wed Jan 21 2026 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-40
- openssl: fix libssh compatibility by preserving original SSL_CTX behavior (RHEL-134721)
* Thu Dec 18 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-39
- openssl: fix libssh compatibility in crypto-policy patch (RHEL-134721)
* Mon Dec 01 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-38
- http: fix crash in rate-limited upload (RHEL-131696)
* Thu Nov 27 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-37
- openssl: respect system crypto policy for TLS max version (RHEL-128914)
* Thu Nov 20 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-36
- rebuild for c9s (RHEL-125838)
* Thu Oct 23 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-35
- cookie: don't treat the leading slash as trailing (CVE-2025-9086)
Resolves: RHEL-121659
* Wed Jul 23 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-34
- revert several disabled tests related to openssl/valgrind (RHEL-99465)
* Thu May 15 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-33
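Review bot: the 7.76.1-35 entry records its ticket on a separate `Resolves: RHEL-121659` line while every other entry in this block puts the ticket inline in parentheses; pick one form for the whole changelog. Correcting the weekday of the -34 entry (Jul 23 2025 is a Wednesday) is right, and the remaining new dates check out.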