From 41ac10a16fdf47fb567c338b6c93b2ba2272b4cc Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Mar 2023 08:56:16 +0000 Subject: [PATCH] import curl-7.76.1-23.el9 --- SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch | 136 ++++ SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch | 251 +++++++ SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch | 81 +++ SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch | 678 ++++++++++++++++++ .../0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- SPECS/curl.spec | 35 +- 6 files changed, 1181 insertions(+), 2 deletions(-) create mode 100644 SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch create mode 100644 SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch create mode 100644 SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch create mode 100644 SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch diff --git a/SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch b/SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch new file mode 100644 index 0000000..1ccd455 --- /dev/null +++ b/SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch @@ -0,0 +1,136 @@ +From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH 1/2] cookie: reject cookies with "control bytes" + +Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + +Reported-by: Axel Chong + +Bug: https://curl.se/docs/CVE-2022-35252.html + +CVE-2022-35252 + +Closes #9381 + +Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3 +Signed-off-by: Kamil Dudka +--- + lib/cookie.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/lib/cookie.c b/lib/cookie.c +index cb0c03b..e0470a1 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -383,6 +383,30 @@ static void strstore(char **str, const char *newstr) + *str = strdup(newstr); + } + ++/* ++ RFC 6265 section 4.1.1 says a server should accept this range: ++ ++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ++ ++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes ++ fine. The prime reason for filtering out control bytes is that some HTTP ++ servers return 400 for requests that contain such. ++*/ ++static int invalid_octets(const char *p) ++{ ++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ ++ static const char badoctets[] = { ++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" ++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" ++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" ++ }; ++ size_t vlen, len; ++ /* scan for all the octets that are *not* in cookie-octet */ ++ len = strcspn(p, badoctets); ++ vlen = strlen(p); ++ return (len != vlen); ++} ++ + /* + * remove_expired() removes expired cookies. + */ +@@ -567,6 +591,11 @@ Curl_cookie_add(struct Curl_easy *data, + badcookie = TRUE; + break; + } ++ if(invalid_octets(whatptr) || invalid_octets(name)) { ++ infof(data, "invalid octets in name/value, cookie dropped"); ++ badcookie = TRUE; ++ break; ++ } + } + else if(!len) { + /* this was a "=" with no content, and we must allow +-- +2.37.1 + + +From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored + +Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28 +Signed-off-by: Kamil Dudka +--- + tests/data/test8 | 32 +++++++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +diff --git a/tests/data/test8 b/tests/data/test8 +index a8548e6..8587611 100644 +--- a/tests/data/test8 ++++ b/tests/data/test8 +@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want; + Set-Cookie: nocookie=yes; path=/WE; + Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad; + Set-Cookie: partialip=nono; domain=.0.0.1; ++Set-Cookie: cookie1=%hex[%01-junk]hex% ++Set-Cookie: cookie2=%hex[%02-junk]hex% ++Set-Cookie: cookie3=%hex[%03-junk]hex% ++Set-Cookie: cookie4=%hex[%04-junk]hex% ++Set-Cookie: cookie5=%hex[%05-junk]hex% ++Set-Cookie: cookie6=%hex[%06-junk]hex% ++Set-Cookie: cookie7=%hex[%07-junk]hex% ++Set-Cookie: cookie8=%hex[%08-junk]hex% ++Set-Cookie: cookie9=%hex[junk-%09-]hex% ++Set-Cookie: cookie11=%hex[%0b-junk]hex% ++Set-Cookie: cookie12=%hex[%0c-junk]hex% ++Set-Cookie: cookie14=%hex[%0e-junk]hex% ++Set-Cookie: cookie15=%hex[%0f-junk]hex% ++Set-Cookie: cookie16=%hex[%10-junk]hex% ++Set-Cookie: cookie17=%hex[%11-junk]hex% ++Set-Cookie: cookie18=%hex[%12-junk]hex% ++Set-Cookie: cookie19=%hex[%13-junk]hex% ++Set-Cookie: cookie20=%hex[%14-junk]hex% ++Set-Cookie: cookie21=%hex[%15-junk]hex% ++Set-Cookie: cookie22=%hex[%16-junk]hex% ++Set-Cookie: cookie23=%hex[%17-junk]hex% ++Set-Cookie: cookie24=%hex[%18-junk]hex% ++Set-Cookie: cookie25=%hex[%19-junk]hex% ++Set-Cookie: cookie26=%hex[%1a-junk]hex% ++Set-Cookie: cookie27=%hex[%1b-junk]hex% ++Set-Cookie: cookie28=%hex[%1c-junk]hex% ++Set-Cookie: cookie29=%hex[%1d-junk]hex% ++Set-Cookie: cookie30=%hex[%1e-junk]hex% ++Set-Cookie: cookie31=%hex[%1f-junk]hex% ++Set-Cookie: cookie31=%hex[%7f-junk]hex% + + + +@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1 + Host: %HOSTIP:%HTTPPORT + User-Agent: curl/%VERSION + Accept: */* +-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes ++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- - + + + +-- +2.37.1 + diff --git a/SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch b/SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch new file mode 100644 index 0000000..4359c47 --- /dev/null +++ b/SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch @@ -0,0 +1,251 @@ +From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:22:45 +0200 +Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field + +Reported-by: RobBotic1 on github +Fixes #9507 +Closes #9511 + +Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9 +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/setopt.c b/lib/setopt.c +index d5e3b50..b8793b4 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -628,6 +628,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; ++ data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: +-- +2.37.3 + + +From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:23:33 +0200 +Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle + +Reproduced #9507, verifies the fix + +Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 1 + + tests/data/test1948 | 73 +++++++++++++++++++++++++++++++++++ + tests/libtest/Makefile.inc | 5 +++ + tests/libtest/lib1948.c | 79 ++++++++++++++++++++++++++++++++++++++ + 4 files changed, 158 insertions(+) + create mode 100644 tests/data/test1948 + create mode 100644 tests/libtest/lib1948.c + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 818ee08..0cfab9b 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -217,6 +217,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \ + test1916 test1917 test1918 \ + \ + test1933 test1934 test1935 test1936 \ ++test1948 \ + \ + test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \ + test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \ +diff --git a/tests/data/test1948 b/tests/data/test1948 +new file mode 100644 +index 0000000..639523d +--- /dev/null ++++ b/tests/data/test1948 +@@ -0,0 +1,73 @@ ++ ++ ++ ++HTTP ++HTTP POST ++HTTP PUT ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++ ++CURLOPT_POST after CURLOPT_UPLOAD reusing handle ++ ++ ++lib%TESTNUMBER ++ ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++PUT /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Expect: 100-continue ++ ++This is test PUT data ++POST /1948 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Content-Type: application/x-www-form-urlencoded ++ ++This is test PUT data ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 83a8af4..3192eca 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -61,6 +61,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ + lib1591 lib1592 lib1593 lib1594 lib1596 \ + lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \ + lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \ ++ lib1948 \ + lib3010 + + chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \ +@@ -690,6 +691,10 @@ lib1936_SOURCES = lib1936.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1936_LDADD = $(TESTUTIL_LIBS) + lib1936_CPPFLAGS = $(AM_CPPFLAGS) + ++lib1948_SOURCES = lib1948.c $(SUPPORTFILES) ++lib1948_LDADD = $(TESTUTIL_LIBS) ++lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948 ++ + lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib3010_LDADD = $(TESTUTIL_LIBS) + lib3010_CPPFLAGS = $(AM_CPPFLAGS) +diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c +new file mode 100644 +index 0000000..7c891a2 +--- /dev/null ++++ b/tests/libtest/lib1948.c +@@ -0,0 +1,79 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "test.h" ++ ++typedef struct ++{ ++ char *buf; ++ size_t len; ++} put_buffer; ++ ++static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream) ++{ ++ put_buffer *putdata = (put_buffer *)stream; ++ size_t totalsize = size * nmemb; ++ size_t tocopy = (putdata->len < totalsize) ? putdata->len : totalsize; ++ memcpy(ptr, putdata->buf, tocopy); ++ putdata->len -= tocopy; ++ putdata->buf += tocopy; ++ return tocopy; ++} ++ ++int test(char *URL) ++{ ++ CURL *curl; ++ CURLcode res = CURLE_OUT_OF_MEMORY; ++ ++ curl_global_init(CURL_GLOBAL_DEFAULT); ++ ++ curl = curl_easy_init(); ++ if(curl) { ++ const char *testput = "This is test PUT data\n"; ++ put_buffer pbuf; ++ ++ /* PUT */ ++ curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L); ++ curl_easy_setopt(curl, CURLOPT_HEADER, 1L); ++ curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback); ++ pbuf.buf = (char *)testput; ++ pbuf.len = strlen(testput); ++ curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf); ++ curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput)); ++ res = curl_easy_setopt(curl, CURLOPT_URL, URL); ++ if(!res) ++ res = curl_easy_perform(curl); ++ if(!res) { ++ /* POST */ ++ curl_easy_setopt(curl, CURLOPT_POST, 1L); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput)); ++ res = curl_easy_perform(curl); ++ } ++ curl_easy_cleanup(curl); ++ } ++ ++ curl_global_cleanup(); ++ return (int)res; ++} +-- +2.37.3 + diff --git a/SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch b/SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch new file mode 100644 index 0000000..bbc1b1b --- /dev/null +++ b/SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch @@ -0,0 +1,81 @@ +From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 + +Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2 +Signed-off-by: Kamil Dudka +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 039d680..f682c1f 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, +@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -941,14 +939,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { +diff --git a/lib/telnet.c b/lib/telnet.c +index 923c7f8..48cd0d7 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + +-- +2.38.1 + diff --git a/SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch b/SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch new file mode 100644 index 0000000..755b2b3 --- /dev/null +++ b/SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch @@ -0,0 +1,678 @@ +From 95f873ff983a1ae57415b3c16a881e74432cf8b8 Mon Sep 17 00:00:00 2001 +From: Fabian Keil +Date: Tue, 9 Feb 2021 14:04:32 +0100 +Subject: [PATCH 1/4] runtests.pl: support the nonewline attribute for the data + part + +Added to FILEFORMAT + +Closes #8239 + +Upstream-commit: 736847611a40c01e7c290407e22e2f0f5f8efd6a +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT.md | 5 ++++- + tests/runtests.pl | 7 +++++++ + tests/server/getpart.c | 11 ++++++++++- + 3 files changed, 21 insertions(+), 2 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index b75a02a..0b98787 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -185,7 +185,7 @@ which are treated together as a single identifier. + + ## `` + +-### `` ++### `` + + data to be sent to the client on its request and later verified that it + arrived safely. Set `nocheck="yes"` to prevent the test script from verifying +@@ -211,6 +211,9 @@ much sense for other sections than "data"). + `hex=yes` means that the data is a sequence of hex pairs. It will get decoded + and used as "raw" data. + ++`nonewline=yes` means that the last byte (the trailing newline character) ++should be cut off from the data before sending or comparing it. ++ + For FTP file listings, the `` section will be used *only* if you make + sure that there has been a CWD done first to a directory named `test-[num]` + where [num] is the test case number. Otherwise the ftp server can't know from +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 40315aa..2e1500d 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -3837,6 +3837,13 @@ sub singletest { + else { + # check against the data section + @reply = getpart("reply", "data"); ++ if(@reply) { ++ my %hash = getpartattr("reply", "data"); ++ if($hash{'nonewline'}) { ++ # cut off the final newline from the final line of the data ++ chomp($reply[$#reply]); ++ } ++ } + # get the mode attribute + my $filemode=$replyattr{'mode'}; + if($filemode && ($filemode eq "text") && $has_textaware) { +diff --git a/tests/server/getpart.c b/tests/server/getpart.c +index 32b55bc..f8fe3f6 100644 +--- a/tests/server/getpart.c ++++ b/tests/server/getpart.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -295,6 +295,7 @@ int getpart(char **outbuf, size_t *outlen, + size_t outalloc = 256; + int in_wanted_part = 0; + int base64 = 0; ++ int nonewline = 0; + int error; + + enum { +@@ -360,6 +361,8 @@ int getpart(char **outbuf, size_t *outlen, + if(error) + return error; + } ++ if(nonewline) ++ (*outlen)--; + break; + } + } +@@ -377,6 +380,8 @@ int getpart(char **outbuf, size_t *outlen, + if(error) + return error; + } ++ if(nonewline) ++ (*outlen)--; + break; + } + } +@@ -451,6 +456,10 @@ int getpart(char **outbuf, size_t *outlen, + /* bit rough test, but "mostly" functional, */ + /* treat wanted part data as base64 encoded */ + base64 = 1; ++ if(strstr(patt, "nonewline=")) { ++ show(("* setting nonewline\n")); ++ nonewline = 1; ++ } + } + continue; + } +-- +2.39.1 + + +From 6e244e1bcb04012e11c537253e76e6f968d8bb72 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 1 Dec 2022 09:21:04 +0100 +Subject: [PATCH 2/4] runtests: do CRLF replacements per section only + +The `crlf="yes"` attribute and "hyper mode" are now only applied on a +subset of dedicated sections: data, datacheck, stdout and protocol. + +Updated test 2500 accordingly. + +Also made test1 use crlf="yes" for , mostly because it is +often used as a template test case. Going forward, using this attribute +we should be able to write test cases using linefeeds only and avoid +mixed line ending encodings. + +Follow-up to ca15b7512e8d11 + +Fixes #10009 +Closes #10010 + +Upstream-commit: 2f34a7347f315513bfda9ef14770d287fb246bcd +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT.md | 22 +++++++++++++++------ + tests/data/test1 | 14 ++++++------- + tests/runtests.pl | 48 ++++++++++++++++++++++++++++++++++++++++++--- + 3 files changed, 68 insertions(+), 16 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index c1fbc57..dcb5695 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -185,7 +185,7 @@ which are treated together as a single identifier. + + ## `` + +-### `` ++### `` + + data to be sent to the client on its request and later verified that it + arrived safely. Set `nocheck="yes"` to prevent the test script from verifying +@@ -214,12 +214,16 @@ and used as "raw" data. + `nonewline=yes` means that the last byte (the trailing newline character) + should be cut off from the data before sending or comparing it. + ++`crlf=yes` forces *header* newlines to become CRLF even if not written so in ++the source file. Note that this makes runtests.pl parse and "guess" what is a ++header and what is not in order to apply the CRLF line endings appropriately. ++ + For FTP file listings, the `` section will be used *only* if you make + sure that there has been a CWD done first to a directory named `test-[num]` + where [num] is the test case number. Otherwise the ftp server can't know from + which test file to load the list content. + +-### `` ++### `` + + Send back this contents instead of the one. The num is set by: + +@@ -243,7 +247,7 @@ The connect section is used instead of the 'data' for all CONNECT + requests. The remainder of the rules for the data section then apply but with + a connect prefix. + +-### `` ++### `` + if the data is sent but this is what should be checked afterwards. If + `nonewline=yes` is set, runtests will cut off the trailing newline from the + data before comparing with the one actually received by the client. +@@ -251,7 +255,7 @@ data before comparing with the one actually received by the client. + Use the `mode="text"` attribute if the output is in text mode on platforms + that have a text/binary difference. + +-### `` ++### `` + The contents of numbered datacheck sections are appended to the non-numbered + one. + +@@ -528,13 +532,16 @@ changing protocol data such as port numbers or user-agent strings. + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `` ++### `` + + the protocol dump curl should transmit, if 'nonewline' is set, we will cut off + the trailing newline of this given data before comparing with the one actually + sent by the client The `` and `` rules are applied before + comparisons are made. + ++`crlf=yes` forces the newlines to become CRLF even if not written so in the ++test. ++ + ### `` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy +@@ -551,7 +558,7 @@ have a text/binary difference. + If 'nonewline' is set, we will cut off the trailing newline of this given data + before comparing with the one actually received by the client + +-### `` ++### `` + This verifies that this data was passed to stdout. + + Use the mode="text" attribute if the output is in text mode on platforms that +@@ -560,6 +567,9 @@ have a text/binary difference. + If 'nonewline' is set, we will cut off the trailing newline of this given data + before comparing with the one actually received by the client + ++`crlf=yes` forces the newlines to become CRLF even if not written so in the ++test. ++ + ### `` + The file's contents must be identical to this after the test is complete. Use + the mode="text" attribute if the output is in text mode on platforms that have +diff --git a/tests/data/test1 b/tests/data/test1 +index f39a08b..700bed8 100644 +--- a/tests/data/test1 ++++ b/tests/data/test1 +@@ -9,7 +9,7 @@ HTTP GET + # + # Server-side + +- ++ + HTTP/1.1 200 OK + Date: Tue, 09 Nov 2010 14:49:00 GMT + Server: test-server/fake +@@ -42,12 +42,12 @@ http://%HOSTIP:%HTTPPORT/%TESTNUMBER + # + # Verify data after the test has been "shot" + +- +-GET /%TESTNUMBER HTTP/1.1 +-Host: %HOSTIP:%HTTPPORT +-User-Agent: curl/%VERSION +-Accept: */* +- ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ + + + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 72a9989..b12a42d 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -3410,7 +3410,13 @@ sub subBase64 { + + my $prevupdate; + sub subNewlines { +- my ($thing) = @_; ++ my ($force, $thing) = @_; ++ ++ if($force) { ++ # enforce CRLF newline ++ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; ++ return; ++ } + + # When curl is built with Hyper, it gets all response headers delivered as + # name/value pairs and curl "invents" the newlines when it saves the +@@ -3424,7 +3430,7 @@ sub subNewlines { + # skip curl error messages + ($$thing !~ /^curl: \(\d+\) /))) { + # enforce CRLF newline +- $$thing =~ s/\x0a/\x0d\x0a/; ++ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; + $prevupdate = 1; + } + else { +@@ -3496,6 +3502,7 @@ sub prepro { + my (@entiretest) = @_; + my $show = 1; + my @out; ++ my $data_crlf; + for my $s (@entiretest) { + my $f = $s; + if($s =~ /^ *%if (.*)/) { +@@ -3519,9 +3526,19 @@ sub prepro { + next; + } + if($show) { ++ # The processor does CRLF replacements in the sections if ++ # necessary since those parts might be read by separate servers. ++ if($s =~ /^ */) { ++ if($1 =~ /crlf="yes"/ || $has_hyper) { ++ $data_crlf = 1; ++ } ++ } ++ elsif(($s =~ /^ *<\/data/) && $data_crlf) { ++ $data_crlf = 0; ++ } + subVariables(\$s, $testnum, "%"); + subBase64(\$s); +- subNewlines(\$s) if($has_hyper); ++ subNewlines(0, \$s) if($data_crlf); + push @out, $s; + } + } +@@ -3830,6 +3847,11 @@ sub singletest { + # of the datacheck + chomp($replycheckpart[$#replycheckpart]); + } ++ if($replycheckpartattr{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @replycheckpart; ++ } + push(@reply, @replycheckpart); + } + } +@@ -3851,6 +3873,11 @@ sub singletest { + map s/\r\n/\n/g, @reply; + map s/\n/\r\n/g, @reply; + } ++ if($replyattr{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @reply; ++ } + } + + # this is the valid protocol blurb curl should generate +@@ -4287,6 +4314,12 @@ sub singletest { + chomp($validstdout[$#validstdout]); + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @validstdout; ++ } ++ + $res = compare($testnum, $testname, "stdout", \@actual, \@validstdout); + if($res) { + return $errorreturncode; +@@ -4381,6 +4414,10 @@ sub singletest { + } + } + ++ if($hash{'crlf'}) { ++ map subNewlines(1, \$_), @protstrip; ++ } ++ + if((!$out[0] || ($out[0] eq "")) && $protstrip[0]) { + logmsg "\n $testnum: protocol FAILED!\n". + " There was no content at all in the file $SERVERIN.\n". +@@ -4512,6 +4549,11 @@ sub singletest { + map s/\r\n/\n/g, @outfile; + map s/\n/\r\n/g, @outfile; + } ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @outfile; ++ } + + my $strip; + for $strip (@stripfile) { +-- +2.39.1 + + +From 228ed11bf33c63d9208a3fb38fe5a0d19c0764bd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH 3/4] runtests: support crlf="yes" for verify/proxy + +Upstream-commit: dc0725244a3163f1e2d5f51165db3a1a430f3ba0 +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT.md | 4 ++-- + tests/runtests.pl | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index dcb5695..6646793 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -532,7 +532,7 @@ changing protocol data such as port numbers or user-agent strings. + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `` ++### `` + + the protocol dump curl should transmit, if 'nonewline' is set, we will cut off + the trailing newline of this given data before comparing with the one actually +@@ -542,7 +542,7 @@ comparisons are made. + `crlf=yes` forces the newlines to become CRLF even if not written so in the + test. + +-### `` ++### `` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy + server is used), if 'nonewline' is set, we will cut off the trailing newline +diff --git a/tests/runtests.pl b/tests/runtests.pl +index b12a42d..5cdc83d 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -4510,6 +4510,11 @@ sub singletest { + } + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @protstrip; ++ } ++ + $res = compare($testnum, $testname, "proxy", \@out, \@protstrip); + if($res) { + return $errorreturncode; +-- +2.39.1 + + +From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Mon, 13 Feb 2023 08:33:09 +0100 +Subject: [PATCH 4/4] content_encoding: do not reset stage counter for each + header + +Test 418 verifies + +Closes #10492 + +Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9 +Signed-off-by: Kamil Dudka +--- + lib/content_encoding.c | 7 +- + lib/urldata.h | 1 + + tests/data/Makefile.inc | 1 + + tests/data/test387 | 2 +- + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 158 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test418 + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index bfc13e2..94344d6 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1033,7 +1033,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; +- int counter = 0; + + do { + const char *name; +@@ -1068,9 +1067,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + +- if(++counter >= MAX_ENCODE_STACK) { +- failf(data, "Reject response due to %u content encodings", +- counter); ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to more than %u content encodings", ++ MAX_ENCODE_STACK); + return CURLE_BAD_CONTENT_ENCODING; + } + /* Stack the unencoding stage. */ +diff --git a/lib/urldata.h b/lib/urldata.h +index 5b4b34f..8c8c20b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -700,6 +700,7 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata *doh; /* DoH specific data for this request */ + #endif ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index fb51cd6..86b6f85 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -67,6 +67,7 @@ test393 test394 test395 test396 test397 \ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ + test409 test410 \ ++ test418 \ + \ + test430 test431 test432 test433 test434 \ + \ +diff --git a/tests/data/test387 b/tests/data/test387 +index 015ec25..644fc7f 100644 +--- a/tests/data/test387 ++++ b/tests/data/test387 +@@ -47,7 +47,7 @@ Accept: */* + 61 + + +-curl: (61) Reject response due to 5 content encodings ++curl: (61) Reject response due to more than 5 content encodings + + + +diff --git a/tests/data/test418 b/tests/data/test418 +new file mode 100644 +index 0000000..50e974e +--- /dev/null ++++ b/tests/data/test418 +@@ -0,0 +1,152 @@ ++ ++ ++ ++HTTP ++gzip ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Response with multiple Transfer-Encoding headers ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++ ++61 ++ ++ ++curl: (61) Reject response due to more than 5 content encodings ++ ++ ++ +-- +2.39.1 + diff --git a/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch b/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch index f492ac5..ae24828 100644 --- a/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -593,6 +593,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 3660f44..f84d473 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.76.1 -Release: 19%{?dist} +Release: 23%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -62,6 +62,18 @@ Patch19: 0019-curl-7.76.1-CVE-2022-32207.patch # fix build failure caused by openldap rebase (#2094159) Patch20: 0020-curl-7.76.1-openldap-rebase.patch +# control code in cookie denial of service (CVE-2022-35252) +Patch21: 0021-curl-7.76.1-CVE-2022-35252.patch + +# fix POST following PUT confusion (CVE-2022-32221) +Patch22: 0022-curl-7.76.1-CVE-2022-32221.patch + +# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) +Patch23: 0023-curl-7.76.1-CVE-2022-43552.patch + +# fix HTTP multi-header compression denial of service (CVE-2023-23916) +Patch24: 0024-curl-7.76.1-CVE-2023-23916.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -256,6 +268,10 @@ be installed. %patch17 -p1 %patch19 -p1 %patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 # Fedora patches %patch101 -p1 @@ -282,6 +298,11 @@ echo "582" >> tests/data/DISABLED printf "702\n703\n716\n" >> tests/data/DISABLED %endif +# temporarily disable tests 2034 2037 2041 on aarch64 +%ifarch aarch64 +printf "2034\n2037\n2041\n" >> tests/data/DISABLED +%endif + # adapt test 323 for updated OpenSSL sed -e 's|^35$|35,52|' -i tests/data/test323 @@ -476,6 +497,18 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 15 2023 Kamil Dudka - 7.76.1-23 +- fix HTTP multi-header compression denial of service (CVE-2023-23916) + +* Wed Dec 21 2022 Kamil Dudka - 7.76.1-22 +- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) + +* Wed Oct 26 2022 Kamil Dudka - 7.76.1-21 +- fix POST following PUT confusion (CVE-2022-32221) + +* Fri Sep 02 2022 Kamil Dudka - 7.76.1-20 +- control code in cookie denial of service (CVE-2022-35252) + * Wed Jun 29 2022 Kamil Dudka - 7.76.1-19 - fix unpreserved file permissions (CVE-2022-32207) - fix HTTP compression denial of service (CVE-2022-32206)