From 3c7950da770ba435d85bfada130f9d0c512df60b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 22 May 2019 10:37:45 +0200 Subject: [PATCH] new upstream release - 7.65.0 Resolves: CVE-2019-5436 - TFTP receive buffer overflow Resolves: CVE-2019-5435 - integer overflows in curl_url_set() --- ...curl-7.64.1-negotiate-without-ticket.patch | 68 ------------------- 0105-curl-7.63.0-lib1560-valgrind.patch | 4 +- curl-7.64.1.tar.xz.asc | 11 --- curl-7.65.0.tar.xz.asc | 11 +++ curl.spec | 13 ++-- sources | 2 +- 6 files changed, 21 insertions(+), 88 deletions(-) delete mode 100644 0001-curl-7.64.1-negotiate-without-ticket.patch delete mode 100644 curl-7.64.1.tar.xz.asc create mode 100644 curl-7.65.0.tar.xz.asc diff --git a/0001-curl-7.64.1-negotiate-without-ticket.patch b/0001-curl-7.64.1-negotiate-without-ticket.patch deleted file mode 100644 index 125ee54..0000000 --- a/0001-curl-7.64.1-negotiate-without-ticket.patch +++ /dev/null @@ -1,68 +0,0 @@ -From f7c66081721ac54f68457f07994487f416db383f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 6 May 2019 14:16:35 +0200 -Subject: [PATCH] spnego_gssapi: fix return code on gss_init_sec_context() - failure - -Fixes #3726 -Closes #3849 - -Upstream-commit: f65845c1eccc02385cdfb22bf2e521e670f7b295 -Signed-off-by: Kamil Dudka ---- - lib/vauth/spnego_gssapi.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/vauth/spnego_gssapi.c b/lib/vauth/spnego_gssapi.c -index 7c4bd4b59..de8bde2ba 100644 ---- a/lib/vauth/spnego_gssapi.c -+++ b/lib/vauth/spnego_gssapi.c -@@ -170,7 +170,7 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data, - Curl_gss_log_error(data, "gss_init_sec_context() failed: ", - major_status, minor_status); - -- return CURLE_OUT_OF_MEMORY; -+ return CURLE_LOGIN_DENIED; - } - - if(!output_token.value || !output_token.length) { --- -2.20.1 - -From ce0dbcf6f028c84adf4ff3704c04a09d4450a596 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 6 May 2019 14:32:00 +0200 -Subject: [PATCH] http_negotiate: do not treat failure of - gss_init_sec_context() as fatal - -Fixes #3726 -Closes #3849 - -Upstream-commit: f4603708af08f454bca8b74095d0af40a4516512 -Signed-off-by: Kamil Dudka ---- - lib/http_negotiate.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c -index 9415236fb..201c3a785 100644 ---- a/lib/http_negotiate.c -+++ b/lib/http_negotiate.c -@@ -143,7 +143,13 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) - } - if(!neg_ctx->context) { - result = Curl_input_negotiate(conn, proxy, "Negotiate"); -- if(result) -+ if(result == CURLE_LOGIN_DENIED) { -+ /* negotiate auth failed, let's continue unauthenticated to stay -+ * compatible with the behavior before curl-7_64_0-158-g6c6035532 */ -+ conn->data->state.authproblem = TRUE; -+ return CURLE_OK; -+ } -+ else if(result) - return result; - } - --- -2.20.1 - diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 84a6ee7..652739c 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,8 +26,8 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -530,6 +530,7 @@ lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) - lib1558_LDADD = $(TESTUTIL_LIBS) +@@ -528,6 +528,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp diff --git a/curl-7.64.1.tar.xz.asc b/curl-7.64.1.tar.xz.asc deleted file mode 100644 index d0dc784..0000000 --- a/curl-7.64.1.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlybHwMACgkQXMkI/bce -EsIlxQf+LUj/zeWzTgxXIFgtfba+RKb66RpWhgzKLBpiGFQjhckILFJ+Li625SE3 -9fCrIslGuY2S4G6fRH1qEIZVglpA185sTeY241/JK788ftJFFQd2GtM/+Ysrla5h -zc2wD3amDXcROWI+QIl/dBy7xRnW8TSTMu2sEPLarsNtXK9EC+h/WIkeYW1amMf2 -a8vRFwXFZ7OrEiq7A0avvmbrQVgIIGP/zyz44ZN00PPgLm40c1rngHGBJJzEMVSS -ClZ+wUQ+AyamL3Ls9a+V3SF3IuVrFInjv5Y1OshPULaqL2VxPsCVw67sCVouePMS -J0u3GZPsE+sVbx7cHCfZFdSnutFBKQ== -=WUio ------END PGP SIGNATURE----- diff --git a/curl-7.65.0.tar.xz.asc b/curl-7.65.0.tar.xz.asc new file mode 100644 index 0000000..21f3b0b --- /dev/null +++ b/curl-7.65.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlzk438ACgkQXMkI/bce +EsITWggAgk129Kxp4Br7Nn2+vyygKwv3dDEm87wJVuQka8gT2pZ9ZVQ6rEX9j0sR +RETf8KrEbSlOBgl2EJpgToL5kgiMCweTXced3VY2szVVibenBa2Zd9MpSl5Sf7hH +axinhdvEPNH+w8WuprEqZh+d/T5grAxChPJz4bLqKQI5fw5T3IuMfYTjZqx8DkOt +4FekihWCr6N/nW9BFOz8H19GFtotYSwoPvQJ+RmB7+Zt7ruHjRgyINCgxbWPvs4P +eZNWykqQ9FaXLSoJQYjLvEx0smye0bxSu3EIYBeL60fiFWJaSHQPyfBgC3JC+dD6 +ufxhEk814I4XzPaRFTLjgzjmTqRMPw== +=4VIp +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 4f4198d..cb35ee2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.64.1 -Release: 2%{?dist} +Version: 7.65.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# do not treat failure of gss_init_sec_context() with --negotiate as fatal -Patch1: 0001-curl-7.64.1-negotiate-without-ticket.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -174,7 +171,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -350,6 +346,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 22 2019 Kamil Dudka - 7.65.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2019-5436 - TFTP receive buffer overflow + CVE-2019-5435 - integer overflows in curl_url_set() + * Thu May 09 2019 Kamil Dudka - 7.64.1-2 - do not treat failure of gss_init_sec_context() with --negotiate as fatal diff --git a/sources b/sources index 1c4276d..36347c9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.64.1.tar.xz) = 1629ba154691bf9d936e0bce69ec8fb54991a40d34bc16ffdfb117f91e3faa93164154fc9ae9043e963955862e69515018673b7239f2fd625684a59cdd1db81c +SHA512 (curl-7.65.0.tar.xz) = 032c065c1d4bd07ba028625f8fab6a09e7cb8505a5f19339b3abdee5a9cda7d091c11f075fe3fc227d082690a66c558c770a4cd9fb17b52acc13794976a770c5