From 2cf47cbfbda8f7cbdecf33d2a87799146cbdf82f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 16 May 2023 06:22:51 +0000 Subject: [PATCH] import curl-7.61.1-30.el8 --- SOURCES/0043-curl-7.61.1-CVE-2022-35252.patch | 171 ++++++++++++++++++ SOURCES/0045-curl-7.61.1-CVE-2022-43552.patch | 81 +++++++++ SPECS/curl.spec | 22 ++- 3 files changed, 270 insertions(+), 4 deletions(-) create mode 100644 SOURCES/0043-curl-7.61.1-CVE-2022-35252.patch create mode 100644 SOURCES/0045-curl-7.61.1-CVE-2022-43552.patch diff --git a/SOURCES/0043-curl-7.61.1-CVE-2022-35252.patch b/SOURCES/0043-curl-7.61.1-CVE-2022-35252.patch new file mode 100644 index 0000000..f2eedd8 --- /dev/null +++ b/SOURCES/0043-curl-7.61.1-CVE-2022-35252.patch @@ -0,0 +1,171 @@ +From 005d3f387bc5c3b2ee94d0597b5e202644c825f5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 31 Oct 2018 11:08:49 +0100 +Subject: [PATCH 1/3] runtests: use the local curl for verifying + +... revert the mistaken change brought in commit 8440616f53. + +Reported-by: Alessandro Ghedini +Bug: https://curl.haxx.se/mail/lib-2018-10/0118.html + +Closes #3198 + +Upstream-commit: 8effa8c2b09906a2f00a3f08322dc5da35245b0a +Signed-off-by: Kamil Dudka +--- + tests/runtests.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 8d8ed81..d62fa40 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -152,7 +152,7 @@ my $NEGTELNETPORT; # TELNET server port with negotiation + + my $srcdir = $ENV{'srcdir'} || '.'; + my $CURL="../src/curl".exe_ext(); # what curl executable to run on the tests +-my $VCURL="curl"; # what curl binary to use to verify the servers with ++my $VCURL=$CURL; # what curl binary to use to verify the servers with + # VCURL is handy to set to the system one when the one you + # just built hangs or crashes and thus prevent verification + my $DBGCURL=$CURL; #"../src/.libs/curl"; # alternative for debugging +-- +2.37.3 + + +From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH 2/3] cookie: reject cookies with "control bytes" + +Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + +Reported-by: Axel Chong + +Bug: https://curl.se/docs/CVE-2022-35252.html + +CVE-2022-35252 + +Closes #9381 + +Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3 +Signed-off-by: Kamil Dudka +--- + lib/cookie.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/lib/cookie.c b/lib/cookie.c +index cb0c03b..e0470a1 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -371,6 +371,30 @@ static void strstore(char **str, const char *newstr) + *str = strdup(newstr); + } + ++/* ++ RFC 6265 section 4.1.1 says a server should accept this range: ++ ++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ++ ++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes ++ fine. The prime reason for filtering out control bytes is that some HTTP ++ servers return 400 for requests that contain such. ++*/ ++static int invalid_octets(const char *p) ++{ ++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ ++ static const char badoctets[] = { ++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" ++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" ++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" ++ }; ++ size_t vlen, len; ++ /* scan for all the octets that are *not* in cookie-octet */ ++ len = strcspn(p, badoctets); ++ vlen = strlen(p); ++ return (len != vlen); ++} ++ + /* + * remove_expired() removes expired cookies. + */ +@@ -541,6 +565,11 @@ Curl_cookie_add(struct Curl_easy *data, + badcookie = TRUE; + break; + } ++ if(invalid_octets(whatptr) || invalid_octets(name)) { ++ infof(data, "invalid octets in name/value, cookie dropped"); ++ badcookie = TRUE; ++ break; ++ } + } + else if(!len) { + /* this was a "=" with no content, and we must allow +-- +2.37.1 + + +From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH 3/3] test8: verify that "ctrl-byte cookies" are ignored + +Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28 +Signed-off-by: Kamil Dudka +--- + tests/data/test8 | 32 +++++++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +diff --git a/tests/data/test8 b/tests/data/test8 +index a8548e6..8587611 100644 +--- a/tests/data/test8 ++++ b/tests/data/test8 +@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want; + Set-Cookie: nocookie=yes; path=/WE; + Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad; + Set-Cookie: partialip=nono; domain=.0.0.1; ++Set-Cookie: cookie1=-junk ++Set-Cookie: cookie2=-junk ++Set-Cookie: cookie3=-junk ++Set-Cookie: cookie4=-junk ++Set-Cookie: cookie5=-junk ++Set-Cookie: cookie6=-junk ++Set-Cookie: cookie7=-junk ++Set-Cookie: cookie8=-junk ++Set-Cookie: cookie9=junk- - ++Set-Cookie: cookie11= -junk ++Set-Cookie: cookie12= -junk ++Set-Cookie: cookie14=-junk ++Set-Cookie: cookie15=-junk ++Set-Cookie: cookie16=-junk ++Set-Cookie: cookie17=-junk ++Set-Cookie: cookie18=-junk ++Set-Cookie: cookie19=-junk ++Set-Cookie: cookie20=-junk ++Set-Cookie: cookie21=-junk ++Set-Cookie: cookie22=-junk ++Set-Cookie: cookie23=-junk ++Set-Cookie: cookie24=-junk ++Set-Cookie: cookie25=-junk ++Set-Cookie: cookie26=-junk ++Set-Cookie: cookie27=-junk ++Set-Cookie: cookie28=-junk ++Set-Cookie: cookie29=-junk ++Set-Cookie: cookie30=-junk ++Set-Cookie: cookie31=-junk ++Set-Cookie: cookie31=-junk + + + +@@ -62,7 +92,7 @@ perl -e 'if ("%HOSTIP" !~ /\.0\.0\.1$/) {print "Test only works for HOSTIPs endi + GET /we/want/8 HTTP/1.1 + Host: %HOSTIP:%HTTPPORT + Accept: */* +-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes ++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- - + + + +-- +2.37.1 + diff --git a/SOURCES/0045-curl-7.61.1-CVE-2022-43552.patch b/SOURCES/0045-curl-7.61.1-CVE-2022-43552.patch new file mode 100644 index 0000000..3ffacc5 --- /dev/null +++ b/SOURCES/0045-curl-7.61.1-CVE-2022-43552.patch @@ -0,0 +1,81 @@ +From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 + +Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2 +Signed-off-by: Kamil Dudka +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 039d680..f682c1f 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -61,8 +61,6 @@ static CURLcode smb_connect(struct connectdata *conn, bool *done); + static CURLcode smb_connection_state(struct connectdata *conn, bool *done); + static CURLcode smb_do(struct connectdata *conn, bool *done); + static CURLcode smb_request_state(struct connectdata *conn, bool *done); +-static CURLcode smb_done(struct connectdata *conn, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct connectdata *conn, bool dead); + static int smb_getsock(struct connectdata *conn, curl_socket_t *socks, + int numsocks); +@@ -75,7 +73,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -100,7 +98,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -915,14 +913,6 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct connectdata *conn, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(conn->data->req.protop); +- return status; +-} +- + static CURLcode smb_disconnect(struct connectdata *conn, bool dead) + { + struct smb_conn *smbc = &conn->proto.smbc; +diff --git a/lib/telnet.c b/lib/telnet.c +index 923c7f8..48cd0d7 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1294,9 +1294,6 @@ static CURLcode telnet_done(struct connectdata *conn, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(conn->data->req.protop); +- + return CURLE_OK; + } + +-- +2.38.1 + diff --git a/SPECS/curl.spec b/SPECS/curl.spec index fed4cad..e3d5c98 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 25%{?dist}.3 +Release: 30%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -121,9 +121,15 @@ Patch41: 0041-curl-7.61.1-CVE-2022-32206.patch # setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703) Patch42: 0042-curl-7.61.1-ssh-known-hosts.patch +# control code in cookie denial of service (CVE-2022-35252) +Patch43: 0043-curl-7.61.1-CVE-2022-35252.patch + # upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1 (#2139337) Patch44: 0044-curl-7.61.1-retry-http11.patch +# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) +Patch45: 0045-curl-7.61.1-CVE-2022-43552.patch + # h2: lower initial window size to 32 MiB (#2166254) Patch46: 0046-curl-7.61.1-h2-window-size.patch @@ -345,7 +351,9 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6} %patch40 -p1 %patch41 -p1 %patch42 -p1 +%patch43 -p1 %patch44 -p1 +%patch45 -p1 %patch46 -p1 %patch47 -p1 @@ -510,15 +518,21 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Wed Feb 15 2023 Kamil Dudka - 7.61.1-25.el8_7.3 +* Wed Feb 15 2023 Kamil Dudka - 7.61.1-30 - fix HTTP multi-header compression denial of service (CVE-2023-23916) -* Tue Feb 07 2023 Kamil Dudka - 7.61.1-25.el8_7.2 +* Tue Feb 07 2023 Kamil Dudka - 7.61.1-29 - h2: lower initial window size to 32 MiB (#2166254) -* Fri Nov 18 2022 Kamil Dudka - 7.61.1-25.el8_7.1 +* Wed Dec 21 2022 Kamil Dudka - 7.61.1-28 +- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) + +* Fri Nov 18 2022 Kamil Dudka - 7.61.1-27 - upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1 (#2139337) +* Fri Sep 02 2022 Kamil Dudka - 7.61.1-26 +- control code in cookie denial of service (CVE-2022-35252) + * Wed Jun 29 2022 Kamil Dudka - 7.61.1-25 - setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703) - fix HTTP compression denial of service (CVE-2022-32206)