diff --git a/SOURCES/0034-curl-7.76.1-CVE-2023-38546.patch b/SOURCES/0034-curl-7.76.1-CVE-2023-38546.patch new file mode 100644 index 0000000..36b9afc --- /dev/null +++ b/SOURCES/0034-curl-7.76.1-CVE-2023-38546.patch @@ -0,0 +1,123 @@ +From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 14 Sep 2023 23:28:32 +0200 +Subject: [PATCH] cookie: remove unnecessary struct fields + +Plus: reduce the hash table size from 256 to 63. It seems unlikely to +make much of a speed difference for most use cases but saves 1.5KB of +data per instance. + +Closes #11862 +--- + lib/cookie.c | 13 +------------ + lib/cookie.h | 13 ++++--------- + lib/easy.c | 4 +--- + 3 files changed, 6 insertions(+), 24 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 4345a84c6fd9d..e39c89a94a960 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co) + free(co->name); + free(co->value); + free(co->maxage); +- free(co->version); + free(co); + } + +@@ -717,11 +716,7 @@ Curl_cookie_add(struct Curl_easy *data, + } + } + else if(strcasecompare("version", name)) { +- strstore(&co->version, whatptr); +- if(!co->version) { +- badcookie = TRUE; +- break; +- } ++ /* just ignore */ + } + else if(strcasecompare("max-age", name)) { + /* Defined in RFC2109: +@@ -1159,7 +1154,6 @@ Curl_cookie_add(struct Curl_easy *data, + free(clist->path); + free(clist->spath); + free(clist->expirestr); +- free(clist->version); + free(clist->maxage); + + *clist = *co; /* then store all the new data */ +@@ -1223,9 +1217,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, + c = calloc(1, sizeof(struct CookieInfo)); + if(!c) + return NULL; /* failed to get memory */ +- c->filename = strdup(file?file:"none"); /* copy the name just in case */ +- if(!c->filename) +- goto fail; /* failed to get memory */ + } + else { + /* we got an already existing one, use that */ +@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) + CLONE(name); + CLONE(value); + CLONE(maxage); +- CLONE(version); + d->expires = src->expires; + d->tailmatch = src->tailmatch; + d->secure = src->secure; +@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) + { + if(c) { + unsigned int i; +- free(c->filename); + for(i = 0; i < COOKIE_HASH_SIZE; i++) + Curl_cookie_freelist(c->cookies[i]); + free(c); /* free the base struct as well */ +diff --git a/lib/cookie.h b/lib/cookie.h +index b3c0063b2cfb2..41e9e7a6914e0 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -36,11 +36,7 @@ struct Cookie { + char *domain; /* domain = */ + curl_off_t expires; /* expires = */ + char *expirestr; /* the plain text version */ +- +- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ +- char *version; /* Version = */ + char *maxage; /* Max-Age = */ +- + bool tailmatch; /* whether we do tail-matching of the domain name */ + bool secure; /* whether the 'secure' keyword was used */ + bool livecookie; /* updated from a server, not a stored file */ +@@ -56,14 +52,13 @@ struct Cookie { + #define COOKIE_PREFIX__SECURE (1<<0) + #define COOKIE_PREFIX__HOST (1<<1) + +-#define COOKIE_HASH_SIZE 256 ++#define COOKIE_HASH_SIZE 63 + + struct CookieInfo { + /* linked list of cookies we know of */ + struct Cookie *cookies[COOKIE_HASH_SIZE]; + +- char *filename; /* file we read from/write to */ +- long numcookies; /* number of cookies in the "jar" */ ++ int numcookies; /* number of cookies in the "jar" */ + bool running; /* state info, for cookie adding information */ + bool newsession; /* new session, discard session cookies on load */ + int lastct; /* last creation-time used in the jar */ +diff --git a/lib/easy.c b/lib/easy.c +index 16bbd35251d40..03195481f9780 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + if(data->cookies) { + /* If cookies are enabled in the parent handle, we enable them + in the clone as well! */ +- outcurl->cookies = Curl_cookie_init(data, +- data->cookies->filename, +- outcurl->cookies, ++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, + data->set.cookiesession); + if(!outcurl->cookies) + goto fail; diff --git a/SOURCES/0035-curl-7.76.1-64K-sftp.patch b/SOURCES/0035-curl-7.76.1-64K-sftp.patch new file mode 100644 index 0000000..59e1248 --- /dev/null +++ b/SOURCES/0035-curl-7.76.1-64K-sftp.patch @@ -0,0 +1,31 @@ +From 35eb2614d86316ba9f5a6806ce64f56680fa1e97 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 5 Sep 2023 17:33:41 +0200 +Subject: [PATCH] libssh: cap SFTP packet size sent + +Due to libssh limitations + +Signed-off-by: Jakub Jelen + +Closes #11804 +--- + lib/vssh/libssh.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index dea0084575859b..7c6a2e53f338fa 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -2567,6 +2567,12 @@ static ssize_t sftp_send(struct Curl_easy *data, int sockindex, + struct connectdata *conn = data->conn; + (void)sockindex; + ++ /* limit the writes to the maximum specified in Section 3 of ++ * https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-02 ++ */ ++ if(len > 32768) ++ len = 32768; ++ + nwrite = sftp_write(conn->proto.sshc.sftp_file, mem, len); + + myssh_block2waitfor(conn, FALSE); diff --git a/SOURCES/0036-curl-7.76.1-CVE-2023-46218.patch b/SOURCES/0036-curl-7.76.1-CVE-2023-46218.patch new file mode 100644 index 0000000..b7ec7bd --- /dev/null +++ b/SOURCES/0036-curl-7.76.1-CVE-2023-46218.patch @@ -0,0 +1,48 @@ +From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 23 Nov 2023 08:15:47 +0100 +Subject: [PATCH] cookie: lowercase the domain names before PSL checks + +Reported-by: Harry Sintonen + +Closes #12387 +--- + lib/cookie.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 568cf537ad1b1f..9095cea3e97f22 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data, + * dereference it. + */ + if(data && (domain && co->domain && !isip(co->domain))) { +- const psl_ctx_t *psl = Curl_psl_use(data); +- int acceptable; +- +- if(psl) { +- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain); +- Curl_psl_release(data); ++ bool acceptable = FALSE; ++ char lcase[256]; ++ char lcookie[256]; ++ size_t dlen = strlen(domain); ++ size_t clen = strlen(co->domain); ++ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) { ++ const psl_ctx_t *psl = Curl_psl_use(data); ++ if(psl) { ++ /* the PSL check requires lowercase domain name and pattern */ ++ Curl_strntolower(lcase, domain, dlen + 1); ++ Curl_strntolower(lcookie, co->domain, clen + 1); ++ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie); ++ Curl_psl_release(data); ++ } ++ else ++ acceptable = !bad_domain(domain); + } +- else +- acceptable = !bad_domain(domain); + + if(!acceptable) { + infof(data, "cookie '%s' dropped, domain '%s' must not " diff --git a/SOURCES/0037-curl-7.76.1-ignore-unexpected-eof.patch b/SOURCES/0037-curl-7.76.1-ignore-unexpected-eof.patch new file mode 100644 index 0000000..94f2183 --- /dev/null +++ b/SOURCES/0037-curl-7.76.1-ignore-unexpected-eof.patch @@ -0,0 +1,14 @@ +diff -up curl-7.76.1/lib/vtls/openssl.c.ignore_unexpected_eof curl-7.76.1/lib/vtls/openssl.c +--- curl-7.76.1/lib/vtls/openssl.c.ignore_unexpected_eof 2024-06-17 07:03:17.428620354 +0200 ++++ curl-7.76.1/lib/vtls/openssl.c 2024-06-17 07:03:54.125799894 +0200 +@@ -2761,6 +2761,10 @@ static CURLcode ossl_connect_step1(struc + return CURLE_SSL_CONNECT_ERROR; + } + ++#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF ++ ctx_options |= SSL_OP_IGNORE_UNEXPECTED_EOF; ++#endif ++ + SSL_CTX_set_options(backend->ctx, ctx_options); + + #ifdef HAS_NPN diff --git a/SOURCES/0038-curl-7.76.1-CVE-2024-2398.patch b/SOURCES/0038-curl-7.76.1-CVE-2024-2398.patch new file mode 100644 index 0000000..0b2db4f --- /dev/null +++ b/SOURCES/0038-curl-7.76.1-CVE-2024-2398.patch @@ -0,0 +1,80 @@ +From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index c63ecd38371ab4..96868728a53a1f 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf, + return bitmap; + } + ++static void free_push_headers(struct HTTP *http) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(http->push_headers[i]); ++ Curl_safefree(http->push_headers); ++ http->push_headers_used = 0; ++} ++ + /* + * http2_stream_free() free HTTP2 stream related data + */ +@@ -306,11 +315,7 @@ static void http2_data_done(struct Curl_cfilter *cf, + { + if(http) { + Curl_dyn_free(&http->header_recvbuf); +- for(; http->push_headers_used > 0; --http->push_headers_used) { +- free(http->push_headers[http->push_headers_used - 1]); +- } +- free(http->push_headers); +- http->push_headers = NULL; ++ free_push_headers(http); + } + } + +@@ -860,7 +861,6 @@ static int push_promise(struct Curl_cfilter *cf, + struct curl_pushheaders heads; + CURLMcode rc; + struct http_conn *httpc; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = duphandle(data); + if(!newhandle) { +@@ -905,11 +905,7 @@ static int push_promise(struct Curl_cfilter *cf, + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); +@@ -1426,10 +1422,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, + stream->push_headers_alloc) { + char **headp; + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 7f4a68d..a8a96a6 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.76.1 -Release: 28%{?dist} +Release: 31%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -101,6 +101,21 @@ Patch32: 0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch # return error if hostname too long for remote resolve Patch33: 0033-curl-7.76.1-CVE-2023-38545.patch +# fix cookie injection with none file (CVE-2023-38546) +Patch34: 0034-curl-7.76.1-CVE-2023-38546.patch + +# cap SFTP packet size sent (RHEL-14697) +Patch35: 0035-curl-7.76.1-64K-sftp.patch + +# lowercase the domain names before PSL checks (CVE-2023-46218) +Patch36: 0036-curl-7.76.1-CVE-2023-46218.patch + +# ignore unexpected EOF (RHEL-39995) +Patch37: 0037-curl-7.76.1-ignore-unexpected-eof.patch + +# provide common cleanup method for push headers (CVE-2024-2398) +Patch38: 0038-curl-7.76.1-CVE-2024-2398.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -308,6 +323,11 @@ be installed. %patch31 -p1 %patch32 -p1 %patch33 -p1 +%patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 +%patch38 -p1 # Fedora patches %patch101 -p1 @@ -339,6 +359,39 @@ printf "702\n703\n716\n" >> tests/data/DISABLED printf "2034\n2037\n2041\n" >> tests/data/DISABLED %endif +# temporarily (really!, not like these above) disable tests related to openssl +# and reported by valgrind. All of it are failing with similar stack trace: +#=== Start of file valgrind3000 +# ==92709== Syscall param openat(filename) points to unaddressable byte(s) +# ==92709== at 0x49D9784: open (open64.c:48) +# ==92709== by 0x495E095: _IO_file_open (fileops.c:189) +# ==92709== by 0x495E26A: _IO_file_fopen@@GLIBC_2.2.5 (fileops.c:281) +# ==92709== by 0x49524CC: __fopen_internal (iofopen.c:75) +# ==92709== by 0x4B37F2E: load_system_str (ssl_ciph.c:1472) +# ==92709== by 0x4B43118: ssl_create_cipher_list (ssl_ciph.c:1528) +# ==92709== by 0x4B4FCFF: UnknownInlinedFun (ssl_lib.c:3938) +# ==92709== by 0x4B4FCFF: SSL_CTX_new_ex (ssl_lib.c:3823) +# ==92709== by 0x48ABFA1: ossl_connect_step1.lto_priv.0 (openssl.c:2621) +# ==92709== by 0x48BAF16: ossl_connect_common (openssl.c:4042) +# ==92709== by 0x48B3D16: UnknownInlinedFun (vtls.c:370) +# ==92709== by 0x48B3D16: Curl_ssl_connect_nonblocking (vtls.c:353) +# ==92709== by 0x48873BB: UnknownInlinedFun (http.c:1595) +# ==92709== by 0x48873BB: Curl_http_connect (http.c:1518) +# ==92709== by 0x4895575: UnknownInlinedFun (multi.c:1514) +# ==92709== by 0x4895575: multi_runsingle (multi.c:1847) +# ==92709== by 0x48978AD: curl_multi_perform (multi.c:2403) +# ==92709== by 0x4874152: UnknownInlinedFun (easy.c:606) +# ==92709== by 0x4874152: UnknownInlinedFun (easy.c:696) +# ==92709== by 0x4874152: curl_easy_perform (easy.c:715) +# ==92709== by 0x11478B: UnknownInlinedFun (tool_operate.c:2379) +# ==92709== by 0x11478B: UnknownInlinedFun (tool_operate.c:2553) +# ==92709== by 0x11478B: UnknownInlinedFun (tool_operate.c:2669) +# ==92709== by 0x11478B: main (tool_main.c:277) +# ==92709== Address 0xffffffffff000804 is not stack'd, malloc'd or (recently) free'd +# ==92709== +#=== End of file valgrind3000 +printf "300\n301\n303\n304\n305\n306\n309\n310\n311\n312\n313\n320\n321\n322\n324\n325\n400\n401\n403\n404\n405\n406\n407\n408\n409\n410\n560\n1272\n1561\n1562\n1630\n1631\n1632\n2034\n2035\n2037\n2038\n2041\n2042\n2048\n3000\n3001\n" >> tests/data/DISABLED + # adapt test 323 for updated OpenSSL sed -e 's|^35$|35,52|' -i tests/data/test323 @@ -533,8 +586,20 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Aug 22 2024 Jacek Migacz - 7.76.1-31 +- provide common cleanup method for push headers (CVE-2024-2398) + +* Tue Jun 18 2024 Jacek Migacz - 7.76.1-30 +- ignore unexpected EOF (RHEL-39995) + +* Wed Mar 6 2024 Jacek Migacz - 7.76.1-29 +- rebuild for 9.4 GA + * Tue Oct 10 2023 Jacek Migacz - 7.76.1-28 - return error if hostname too long for remote resolve (CVE-2023-38545) +- fix cookie injection with none file (CVE-2023-38546) +- cap SFTP packet size sent (RHEL-14697) +- lowercase the domain names before PSL checks (CVE-2023-46218) * Tue Sep 12 2023 Jacek Migacz - 7.76.1-27 - when keyboard-interactive auth fails, try password (#2229800)