From 324a6e1c46d08cf5a290cf17e308bc6f8c1ec0d7 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 15 Dec 2020 10:59:37 -0500
Subject: [PATCH] import curl-7.61.1-14.el8_3.1
---
 ...023-curl-7.61.1-no-https-proxy-crash.patch | 60 +++++++++++++++++++
 SPECS/curl.spec | 9 ++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
diff --git a/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch b/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
new file mode 100644
index 0000000..f6bcb01
--- /dev/null
+++ b/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
@@ -0,0 +1,60 @@
+From 9d5903ebcbcbcc4f3a997ec7d5552721c5383b9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20Ba=C5=A1ti?=
+Date: Thu, 27 Aug 2020 23:09:56 +0200
+Subject: [PATCH] http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
+
+... in case NO_PROXY takes an effect
+
+Without this patch, the following command crashes:
+
+ $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \
+ git clone https://github.com/curl/curl.git
+
+Minimal libcurl-based reproducer:
+
+ #include
+
+ int main() {
+ CURL *curl = curl_easy_init();
+ if(curl) {
+ CURLcode ret;
+ curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/");
+ curl_easy_setopt(curl, CURLOPT_PROXY, "example.com");
+ /* set the proxy type */
+ curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
+ curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com");
+ curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
+ ret = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+ return ret;
+ }
+ return -1;
+ }
+
+Assisted-by: Kamil Dudka
+Bug: https://bugzilla.redhat.com/1873327
+Closes #5902
+
+Upstream-commit: 3eff1c5092e542819ac7e6454a70c94b36ab2a40
+Signed-off-by: Kamil Dudka
+---
+ lib/url.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index d65d17d..e77f391 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3074,6 +3074,9 @@ static CURLcode create_conn_helper_init_proxy(struct connectdata *conn)
+ conn->bits.socksproxy = FALSE;
+ conn->bits.proxy_user_passwd = FALSE;
+ conn->bits.tunnel_proxy = FALSE;
++ /* CURLPROXY_HTTPS does not have its own flag in conn->bits, yet we need
++ to signal that CURLPROXY_HTTPS is not used for this connection */
++ conn->http_proxy.proxytype = CURLPROXY_HTTP;
+ }
+
+ out:
+--
+2.25.4
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 78b2cd3..35f1206 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
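Review bot: In the embedded lib/url.c hunk of 0023-curl-7.61.1-no-https-proxy-crash.patch the crash is avoided by overwriting `conn->http_proxy.proxytype` with `CURLPROXY_HTTP`, so correctness now rests on every later `CURLPROXY_HTTPS` comparison seeing this reset rather than on the `conn->bits` flags cleared just above; any other path that turns the proxy off for a connection without reaching this branch would presumably crash the client the same way. The added comment should say that, for example `/* proxy disabled for this host: reset the type so later CURLPROXY_HTTPS checks are not taken */`. The backport also ships no regression test even though the commit message holds a complete reproducer; a test with an HTTPS proxy configured and a matching NO_PROXY entry would keep this client crash from returning in a later rebase. create_conn_helper_init_proxy begins and ends outside the hunk.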
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 14%{?dist}
+Release: 14%{?dist}.1
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
@@ -58,6 +58,9 @@ Patch20: 0020-curl-7.61.1-openssl-engines.patch
 # avoid overwriting a local file with -J (CVE-2020-8177)
 Patch21: 0021-curl-7.61.1-CVE-2020-8177.patch
+# do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+Patch23: 0023-curl-7.61.1-no-https-proxy-crash.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -242,6 +245,7 @@ git apply %{PATCH4}
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
+%patch23 -p1
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -402,6 +406,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Mon Nov 23 2020 Kamil Dudka - 7.61.1-14.el8_3.1
+- do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+
 * Tue Jul 28 2020 Kamil Dudka - 7.61.1-14
 - avoid overwriting a local file with -J (CVE-2020-8177)