rpms/curl
8
0
Fork 1
Code Issues Pull Requests Releases Activity

import CS curl-7.76.1-31.el9

Browse Source
This commit is contained in:
eabdullin 2024-09-30 15:18:51 +00:00
parent e74b4d7f86
commit 32275fb297
6 changed files with 362 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

123
SOURCES/0034-curl-7.76.1-CVE-2023-38546.patch Normal file
View File

@ -0,0 +1,123 @@
From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 14 Sep 2023 23:28:32 +0200
Subject: [PATCH] cookie: remove unnecessary struct fields
Plus: reduce the hash table size from 256 to 63. It seems unlikely to
make much of a speed difference for most use cases but saves 1.5KB of
data per instance.
Closes #11862
---
lib/cookie.c | 13 +------------
lib/cookie.h | 13 ++++---------
lib/easy.c | 4 +---
3 files changed, 6 insertions(+), 24 deletions(-)
diff --git a/lib/cookie.c b/lib/cookie.c
index 4345a84c6fd9d..e39c89a94a960 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
free(co->name);
free(co->value);
free(co->maxage);
- free(co->version);
free(co);
}
@@ -717,11 +716,7 @@ Curl_cookie_add(struct Curl_easy *data,
}
}
else if(strcasecompare("version", name)) {
- strstore(&co->version, whatptr);
- if(!co->version) {
- badcookie = TRUE;
- break;
- }
+ /* just ignore */
}
else if(strcasecompare("max-age", name)) {
/* Defined in RFC2109:
@@ -1159,7 +1154,6 @@ Curl_cookie_add(struct Curl_easy *data,
free(clist->path);
free(clist->spath);
free(clist->expirestr);
- free(clist->version);
free(clist->maxage);
*clist = *co; /* then store all the new data */
@@ -1223,9 +1217,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
c = calloc(1, sizeof(struct CookieInfo));
if(!c)
return NULL; /* failed to get memory */
- c->filename = strdup(file?file:"none"); /* copy the name just in case */
- if(!c->filename)
- goto fail; /* failed to get memory */
}
else {
/* we got an already existing one, use that */
@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
CLONE(name);
CLONE(value);
CLONE(maxage);
- CLONE(version);
d->expires = src->expires;
d->tailmatch = src->tailmatch;
d->secure = src->secure;
@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
{
if(c) {
unsigned int i;
- free(c->filename);
for(i = 0; i < COOKIE_HASH_SIZE; i++)
Curl_cookie_freelist(c->cookies[i]);
free(c); /* free the base struct as well */
diff --git a/lib/cookie.h b/lib/cookie.h
index b3c0063b2cfb2..41e9e7a6914e0 100644
--- a/lib/cookie.h
+++ b/lib/cookie.h
@@ -36,11 +36,7 @@ struct Cookie {
char *domain; /* domain = <this> */
curl_off_t expires; /* expires = <this> */
char *expirestr; /* the plain text version */
-
- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
- char *version; /* Version = <value> */
char *maxage; /* Max-Age = <value> */
-
bool tailmatch; /* whether we do tail-matching of the domain name */
bool secure; /* whether the 'secure' keyword was used */
bool livecookie; /* updated from a server, not a stored file */
@@ -56,14 +52,13 @@ struct Cookie {
#define COOKIE_PREFIX__SECURE (1<<0)
#define COOKIE_PREFIX__HOST (1<<1)
-#define COOKIE_HASH_SIZE 256
+#define COOKIE_HASH_SIZE 63
struct CookieInfo {
/* linked list of cookies we know of */
struct Cookie *cookies[COOKIE_HASH_SIZE];
- char *filename; /* file we read from/write to */
- long numcookies; /* number of cookies in the "jar" */
+ int numcookies; /* number of cookies in the "jar" */
bool running; /* state info, for cookie adding information */
bool newsession; /* new session, discard session cookies on load */
int lastct; /* last creation-time used in the jar */
diff --git a/lib/easy.c b/lib/easy.c
index 16bbd35251d40..03195481f9780 100644
--- a/lib/easy.c
+++ b/lib/easy.c
@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
if(data->cookies) {
/* If cookies are enabled in the parent handle, we enable them
in the clone as well! */
- outcurl->cookies = Curl_cookie_init(data,
- data->cookies->filename,
- outcurl->cookies,
+ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
data->set.cookiesession);
if(!outcurl->cookies)
goto fail;

31
SOURCES/0035-curl-7.76.1-64K-sftp.patch Normal file
View File

@ -0,0 +1,31 @@
From 35eb2614d86316ba9f5a6806ce64f56680fa1e97 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 5 Sep 2023 17:33:41 +0200
Subject: [PATCH] libssh: cap SFTP packet size sent
Due to libssh limitations
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Closes #11804
---
lib/vssh/libssh.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
index dea0084575859b..7c6a2e53f338fa 100644
--- a/lib/vssh/libssh.c
+++ b/lib/vssh/libssh.c
@@ -2567,6 +2567,12 @@ static ssize_t sftp_send(struct Curl_easy *data, int sockindex,
struct connectdata *conn = data->conn;
(void)sockindex;
+ /* limit the writes to the maximum specified in Section 3 of
+ * https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-02
+ */
+ if(len > 32768)
+ len = 32768;
+
nwrite = sftp_write(conn->proto.sshc.sftp_file, mem, len);
myssh_block2waitfor(conn, FALSE);

48
SOURCES/0036-curl-7.76.1-CVE-2023-46218.patch Normal file
View File

@ -0,0 +1,48 @@
From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 23 Nov 2023 08:15:47 +0100
Subject: [PATCH] cookie: lowercase the domain names before PSL checks
Reported-by: Harry Sintonen
Closes #12387
---
lib/cookie.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/lib/cookie.c b/lib/cookie.c
index 568cf537ad1b1f..9095cea3e97f22 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data,
* dereference it.
*/
if(data && (domain && co->domain && !isip(co->domain))) {
- const psl_ctx_t *psl = Curl_psl_use(data);
- int acceptable;
-
- if(psl) {
- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
- Curl_psl_release(data);
+ bool acceptable = FALSE;
+ char lcase[256];
+ char lcookie[256];
+ size_t dlen = strlen(domain);
+ size_t clen = strlen(co->domain);
+ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
+ const psl_ctx_t *psl = Curl_psl_use(data);
+ if(psl) {
+ /* the PSL check requires lowercase domain name and pattern */
+ Curl_strntolower(lcase, domain, dlen + 1);
+ Curl_strntolower(lcookie, co->domain, clen + 1);
+ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
+ Curl_psl_release(data);
+ }
+ else
+ acceptable = !bad_domain(domain);
}
- else
- acceptable = !bad_domain(domain);
if(!acceptable) {
infof(data, "cookie '%s' dropped, domain '%s' must not "

14
SOURCES/0037-curl-7.76.1-ignore-unexpected-eof.patch Normal file
View File

@ -0,0 +1,14 @@
diff -up curl-7.76.1/lib/vtls/openssl.c.ignore_unexpected_eof curl-7.76.1/lib/vtls/openssl.c
--- curl-7.76.1/lib/vtls/openssl.c.ignore_unexpected_eof 2024-06-17 07:03:17.428620354 +0200
+++ curl-7.76.1/lib/vtls/openssl.c 2024-06-17 07:03:54.125799894 +0200
@@ -2761,6 +2761,10 @@ static CURLcode ossl_connect_step1(struc
return CURLE_SSL_CONNECT_ERROR;
}
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+ ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+#endif
+
SSL_CTX_set_options(backend->ctx, ctx_options);
#ifdef HAS_NPN

80
SOURCES/0038-curl-7.76.1-CVE-2024-2398.patch Normal file
View File

@ -0,0 +1,80 @@
From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Wed, 6 Mar 2024 09:36:08 +0100
Subject: [PATCH] http2: push headers better cleanup
- provide common cleanup method for push headers
Closes #13054
---
lib/http2.c | 34 +++++++++++++++-------------------
1 file changed, 15 insertions(+), 19 deletions(-)
diff --git a/lib/http2.c b/lib/http2.c
index c63ecd38371ab4..96868728a53a1f 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf,
return bitmap;
}
+static void free_push_headers(struct HTTP *http)
+{
+ size_t i;
+ for(i = 0; i<http->push_headers_used; i++)
+ free(http->push_headers[i]);
+ Curl_safefree(http->push_headers);
+ http->push_headers_used = 0;
+}
+
/*
* http2_stream_free() free HTTP2 stream related data
*/
@@ -306,11 +315,7 @@ static void http2_data_done(struct Curl_cfilter *cf,
{
if(http) {
Curl_dyn_free(&http->header_recvbuf);
- for(; http->push_headers_used > 0; --http->push_headers_used) {
- free(http->push_headers[http->push_headers_used - 1]);
- }
- free(http->push_headers);
- http->push_headers = NULL;
+ free_push_headers(http);
}
}
@@ -860,7 +861,6 @@ static int push_promise(struct Curl_cfilter *cf,
struct curl_pushheaders heads;
CURLMcode rc;
struct http_conn *httpc;
- size_t i;
/* clone the parent */
struct Curl_easy *newhandle = duphandle(data);
if(!newhandle) {
@@ -905,11 +905,7 @@ static int push_promise(struct Curl_cfilter *cf,
Curl_set_in_callback(data, false);
/* free the headers again */
- for(i = 0; i<stream->push_headers_used; i++)
- free(stream->push_headers[i]);
- free(stream->push_headers);
- stream->push_headers = NULL;
- stream->push_headers_used = 0;
+ free_push_headers(stream);
if(rv) {
DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
@@ -1426,10 +1422,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
stream->push_headers_alloc) {
char **headp;
stream->push_headers_alloc *= 2;
- headp = Curl_saferealloc(stream->push_headers,
- stream->push_headers_alloc * sizeof(char *));
+ headp = realloc(stream->push_headers,
+ stream->push_headers_alloc * sizeof(char *));
if(!headp) {
- stream->push_headers = NULL;
+ free_push_headers(stream);
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
stream->push_headers = headp;

67
SPECS/curl.spec
View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.76.1
Release: 28%{?dist}
Release: 31%{?dist}
License: MIT
Source: https://curl.se/download/%{name}-%{version}.tar.xz
@ -101,6 +101,21 @@ Patch32: 0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch
# return error if hostname too long for remote resolve
Patch33: 0033-curl-7.76.1-CVE-2023-38545.patch
# fix cookie injection with none file (CVE-2023-38546)
Patch34: 0034-curl-7.76.1-CVE-2023-38546.patch
# cap SFTP packet size sent (RHEL-14697)
Patch35: 0035-curl-7.76.1-64K-sftp.patch
# lowercase the domain names before PSL checks (CVE-2023-46218)
Patch36: 0036-curl-7.76.1-CVE-2023-46218.patch
# ignore unexpected EOF (RHEL-39995)
Patch37: 0037-curl-7.76.1-ignore-unexpected-eof.patch
# provide common cleanup method for push headers (CVE-2024-2398)
Patch38: 0038-curl-7.76.1-CVE-2024-2398.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@ -308,6 +323,11 @@ be installed.
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
# Fedora patches
%patch101 -p1
@ -339,6 +359,39 @@ printf "702\n703\n716\n" >> tests/data/DISABLED
printf "2034\n2037\n2041\n" >> tests/data/DISABLED
%endif
# temporarily (really!, not like these above) disable tests related to openssl
# and reported by valgrind. All of it are failing with similar stack trace:
#=== Start of file valgrind3000
# ==92709== Syscall param openat(filename) points to unaddressable byte(s)
# ==92709== at 0x49D9784: open (open64.c:48)
# ==92709== by 0x495E095: _IO_file_open (fileops.c:189)
# ==92709== by 0x495E26A: _IO_file_fopen@@GLIBC_2.2.5 (fileops.c:281)
# ==92709== by 0x49524CC: __fopen_internal (iofopen.c:75)
# ==92709== by 0x4B37F2E: load_system_str (ssl_ciph.c:1472)
# ==92709== by 0x4B43118: ssl_create_cipher_list (ssl_ciph.c:1528)
# ==92709== by 0x4B4FCFF: UnknownInlinedFun (ssl_lib.c:3938)
# ==92709== by 0x4B4FCFF: SSL_CTX_new_ex (ssl_lib.c:3823)
# ==92709== by 0x48ABFA1: ossl_connect_step1.lto_priv.0 (openssl.c:2621)
# ==92709== by 0x48BAF16: ossl_connect_common (openssl.c:4042)
# ==92709== by 0x48B3D16: UnknownInlinedFun (vtls.c:370)
# ==92709== by 0x48B3D16: Curl_ssl_connect_nonblocking (vtls.c:353)
# ==92709== by 0x48873BB: UnknownInlinedFun (http.c:1595)
# ==92709== by 0x48873BB: Curl_http_connect (http.c:1518)
# ==92709== by 0x4895575: UnknownInlinedFun (multi.c:1514)
# ==92709== by 0x4895575: multi_runsingle (multi.c:1847)
# ==92709== by 0x48978AD: curl_multi_perform (multi.c:2403)
# ==92709== by 0x4874152: UnknownInlinedFun (easy.c:606)
# ==92709== by 0x4874152: UnknownInlinedFun (easy.c:696)
# ==92709== by 0x4874152: curl_easy_perform (easy.c:715)
# ==92709== by 0x11478B: UnknownInlinedFun (tool_operate.c:2379)
# ==92709== by 0x11478B: UnknownInlinedFun (tool_operate.c:2553)
# ==92709== by 0x11478B: UnknownInlinedFun (tool_operate.c:2669)
# ==92709== by 0x11478B: main (tool_main.c:277)
# ==92709== Address 0xffffffffff000804 is not stack'd, malloc'd or (recently) free'd
# ==92709==
#=== End of file valgrind3000
printf "300\n301\n303\n304\n305\n306\n309\n310\n311\n312\n313\n320\n321\n322\n324\n325\n400\n401\n403\n404\n405\n406\n407\n408\n409\n410\n560\n1272\n1561\n1562\n1630\n1631\n1632\n2034\n2035\n2037\n2038\n2041\n2042\n2048\n3000\n3001\n" >> tests/data/DISABLED
# adapt test 323 for updated OpenSSL
sed -e 's|^35$|35,52|' -i tests/data/test323
@ -533,8 +586,20 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
* Thu Aug 22 2024 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-31
- provide common cleanup method for push headers (CVE-2024-2398)
* Tue Jun 18 2024 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-30
- ignore unexpected EOF (RHEL-39995)
* Wed Mar 6 2024 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-29
- rebuild for 9.4 GA
* Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-28
- return error if hostname too long for remote resolve (CVE-2023-38545)
- fix cookie injection with none file (CVE-2023-38546)
- cap SFTP packet size sent (RHEL-14697)
- lowercase the domain names before PSL checks (CVE-2023-46218)
* Tue Sep 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-27
- when keyboard-interactive auth fails, try password (#2229800)