import curl-7.61.1-14.el8

2020-11-03 06:51:11 -05:00 · 2020-11-03 06:51:11 -05:00 · 239d821966
commit 239d821966
parent 2f86b67ef9
3 changed files with 107 additions and 1 deletions
--- a/SOURCES/0020-curl-7.61.1-openssl-engines.patch
+++ b/SOURCES/0020-curl-7.61.1-openssl-engines.patch
@ -0,0 +1,33 @@
+From 032843be4cefcb163d15573d15a228680e771106 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 24 Sep 2018 08:26:58 +0200
+Subject: [PATCH] openssl: load built-in engines too
+
+Regression since 38203f1
+
+Reported-by: Jean Fabrice
+Fixes #3023
+Closes #3040
+
+Upstream-commit: e2dd435d473cdc97785df95d032276fafb4b7746
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/openssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 78970d1..d8bcc4f 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -979,7 +979,7 @@ static int Curl_ossl_init(void)
+ 
+   OPENSSL_load_builtin_modules();
+ 
+-#ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+#ifdef USE_OPENSSL_ENGINE
+   ENGINE_load_builtin_engines();
+ #endif
+ 
+-- 
+2.25.4
+
--- a/SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch
+++ b/SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch
@ -0,0 +1,59 @@
+From a6fcd8a32f3b1c5d80e524f8b2c1de32e6ecdb2b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 May 2020 23:09:59 +0200
+Subject: [PATCH] tool_getparam: -i is not OK if -J is used
+
+Reported-by: sn on hackerone
+Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
+
+Upstream-commit: 8236aba58542c5f89f1d41ca09d84579efb05e22
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_cb_hdr.c   | 13 ++++---------
+ src/tool_getparam.c |  5 +++++
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index 3b10238..b80707f 100644
+--- a/src/tool_cb_hdr.c
+++ b/src/tool_cb_hdr.c
+@@ -132,16 +132,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+       filename = parse_filename(p, len);
+       if(filename) {
+         if(outs->stream) {
+-          /* already opened and possibly written to */
+-          if(outs->fopened)
+-            fclose(outs->stream);
+-          outs->stream = NULL;
+-
+-          /* rename the initial file name to the new file name */
+-          rename(outs->filename, filename);
+-          if(outs->alloc_filename)
+-            free(outs->filename);
+          /* indication of problem, get out! */
+          free(filename);
+          return failure;
+         }
+
+         outs->is_cd_filename = TRUE;
+         outs->s_isreg = TRUE;
+         outs->fopened = FALSE;
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 764caa2..c5c7429 100644
+--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
+@@ -1745,6 +1745,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+       }
+       break;
+     case 'i':
+      if(config->content_disposition) {
+        warnf(global,
+              "--include and --remote-header-name cannot be combined.\n");
+        return PARAM_BAD_USE;
+      }
+       config->show_headers = toggle; /* show the headers as well in the
+                                         general output stream */
+       break;
+-- 
+2.21.3
+
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 12%{?dist}
+Release: 14%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

@ -52,6 +52,12 @@ Patch18:  0018-curl-7.65.3-CVE-2019-5482.patch
 # double free due to subsequent call of realloc() (CVE-2019-5481)
 Patch19:  0019-curl-7.65.3-CVE-2019-5481.patch

+# load built-in openssl engines (#1854369)
+Patch20:  0020-curl-7.61.1-openssl-engines.patch
+
+# avoid overwriting a local file with -J (CVE-2020-8177)
+Patch21:  0021-curl-7.61.1-CVE-2020-8177.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -234,6 +240,8 @@ git apply %{PATCH4}
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
+%patch21 -p1

 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -394,6 +402,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14
+- avoid overwriting a local file with -J (CVE-2020-8177)
+
+* Wed Jul 15 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-13
+- load built-in openssl engines (#1854369)
+
 * Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-12
 - double free due to subsequent call of realloc() (CVE-2019-5481)
 - fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)