From 60cc0c557430b240f7fb79d33ed6bd932db63b36 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Dec 2022 13:48:45 +0100 Subject: [PATCH] new upstream release - 7.87.0 Resolves: CVE-2022-43552 - HTTP Proxy deny use-after-free Resolves: CVE-2022-43551 - Another HSTS bypass via IDN --- 0001-curl-7.86.0-noproxy.patch | 297 -------------------------------- 0102-curl-7.84.0-test3026.patch | 2 +- curl.spec | 13 +- sources | 4 +- 4 files changed, 10 insertions(+), 306 deletions(-) delete mode 100644 0001-curl-7.86.0-noproxy.patch diff --git a/0001-curl-7.86.0-noproxy.patch b/0001-curl-7.86.0-noproxy.patch deleted file mode 100644 index 8f36502..0000000 --- a/0001-curl-7.86.0-noproxy.patch +++ /dev/null @@ -1,297 +0,0 @@ -From b0ff1fd270924c5eaec09687e3d279130123671a Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 27 Oct 2022 13:54:27 +0200 -Subject: [PATCH 1/3] noproxy: also match with adjacent comma - -If the host name is an IP address and the noproxy string contained that -IP address with a following comma, it would erroneously not match. - -Extended test 1614 to verify this combo as well. - -Reported-by: Henning Schild - -Fixes #9813 -Closes #9814 - -Upstream-commit: efc286b7a62af0568fdcbf3c68791c9955182128 -Signed-off-by: Kamil Dudka ---- - lib/noproxy.c | 20 ++++++++++++-------- - tests/data/test1614 | 2 +- - tests/unit/unit1614.c | 14 ++++++++++++++ - 3 files changed, 27 insertions(+), 9 deletions(-) - -diff --git a/lib/noproxy.c b/lib/noproxy.c -index 81f1e09..d08a16b 100644 ---- a/lib/noproxy.c -+++ b/lib/noproxy.c -@@ -188,18 +188,22 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - /* FALLTHROUGH */ - case TYPE_IPV6: { - const char *check = token; -- char *slash = strchr(check, '/'); -+ char *slash; - unsigned int bits = 0; - char checkip[128]; -+ if(tokenlen >= sizeof(checkip)) -+ /* this cannot match */ -+ break; -+ /* copy the check name to a temp buffer */ -+ memcpy(checkip, check, tokenlen); -+ checkip[tokenlen] = 0; -+ check = checkip; -+ -+ slash = strchr(check, '/'); - /* if the slash is part of this token, use it */ -- if(slash && (slash < &check[tokenlen])) { -+ if(slash) { - bits = atoi(slash + 1); -- /* copy the check name to a temp buffer */ -- if(tokenlen >= sizeof(checkip)) -- break; -- memcpy(checkip, check, tokenlen); -- checkip[ slash - check ] = 0; -- check = checkip; -+ *slash = 0; /* null terminate there */ - } - if(type == TYPE_IPV6) - match = Curl_cidr6_match(name, check, bits); -diff --git a/tests/data/test1614 b/tests/data/test1614 -index 4a9d54e..73bdbb4 100644 ---- a/tests/data/test1614 -+++ b/tests/data/test1614 -@@ -16,7 +16,7 @@ unittest - proxy - - --cidr comparisons -+noproxy and cidr comparisons - - - -diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c -index 6028545..c2f563a 100644 ---- a/tests/unit/unit1614.c -+++ b/tests/unit/unit1614.c -@@ -77,6 +77,20 @@ UNITTEST_START - { NULL, NULL, 0, FALSE} /* end marker */ - }; - struct noproxy list[]= { -+ { "127.0.0.1", "127.0.0.1,localhost", TRUE}, -+ { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, -+ { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, -+ { "127.0.0.1", "127.0.0.1/28,localhost,", TRUE}, -+ { "127.0.0.1", "127.0.0.1/31,localhost,", TRUE}, -+ { "127.0.0.1", "localhost,127.0.0.1", TRUE}, -+ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." -+ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." -+ "0.0.1.127.0.0.1.127.0.0." /* 128 bytes "address" */, FALSE}, -+ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." -+ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." -+ "0.0.1.127.0.0.1.127.0.0" /* 127 bytes "address" */, FALSE}, -+ { "localhost", "localhost,127.0.0.1", TRUE}, -+ { "localhost", "127.0.0.1,localhost", TRUE}, - { "foobar", "barfoo", FALSE}, - { "foobar", "foobar", TRUE}, - { "192.168.0.1", "foobar", FALSE}, --- -2.37.3 - - -From d539fd9f11e2a244dbab6b9171f5a9e5c86cc417 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 28 Oct 2022 10:51:49 +0200 -Subject: [PATCH 2/3] noproxy: fix tail-matching - -Also ignore trailing dots in both host name and comparison pattern. - -Regression in 7.86.0 (from 1e9a538e05c0) - -Extended test 1614 to verify better. - -Reported-by: Henning Schild -Fixes #9821 -Closes #9822 - -Upstream-commit: b830f9ba9e94acf672cd191993ff679fa888838b -Signed-off-by: Kamil Dudka ---- - lib/noproxy.c | 30 +++++++++++++++++++++++------- - tests/unit/unit1614.c | 9 +++++++++ - 2 files changed, 32 insertions(+), 7 deletions(-) - -diff --git a/lib/noproxy.c b/lib/noproxy.c -index d08a16b..01f8f47 100644 ---- a/lib/noproxy.c -+++ b/lib/noproxy.c -@@ -149,9 +149,14 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - } - else { - unsigned int address; -+ namelen = strlen(name); - if(1 == Curl_inet_pton(AF_INET, name, &address)) - type = TYPE_IPV4; -- namelen = strlen(name); -+ else { -+ /* ignore trailing dots in the host name */ -+ if(name[namelen - 1] == '.') -+ namelen--; -+ } - } - - while(*p) { -@@ -173,12 +178,23 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - if(tokenlen) { - switch(type) { - case TYPE_HOST: -- if(*token == '.') { -- ++token; -- --tokenlen; -- /* tailmatch */ -- match = (tokenlen <= namelen) && -- strncasecompare(token, name + (namelen - tokenlen), namelen); -+ /* ignore trailing dots in the token to check */ -+ if(token[tokenlen - 1] == '.') -+ tokenlen--; -+ -+ if(tokenlen && (*token == '.')) { -+ /* A: example.com matches '.example.com' -+ B: www.example.com matches '.example.com' -+ C: nonexample.com DOES NOT match '.example.com' -+ */ -+ if((tokenlen - 1) == namelen) -+ /* case A, exact match without leading dot */ -+ match = strncasecompare(token + 1, name, namelen); -+ else if(tokenlen < namelen) -+ /* case B, tailmatch with leading dot */ -+ match = strncasecompare(token, name + (namelen - tokenlen), -+ tokenlen); -+ /* case C passes through, not a match */ - } - else - match = (tokenlen == namelen) && -diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c -index c2f563a..8f62b70 100644 ---- a/tests/unit/unit1614.c -+++ b/tests/unit/unit1614.c -@@ -77,6 +77,15 @@ UNITTEST_START - { NULL, NULL, 0, FALSE} /* end marker */ - }; - struct noproxy list[]= { -+ { "www.example.com", "localhost,.example.com,.example.de", TRUE}, -+ { "www.example.com.", "localhost,.example.com,.example.de", TRUE}, -+ { "example.com", "localhost,.example.com,.example.de", TRUE}, -+ { "example.com.", "localhost,.example.com,.example.de", TRUE}, -+ { "www.example.com", "localhost,.example.com.,.example.de", TRUE}, -+ { "www.example.com", "localhost,www.example.com.,.example.de", TRUE}, -+ { "example.com", "localhost,example.com,.example.de", TRUE}, -+ { "example.com.", "localhost,example.com,.example.de", TRUE}, -+ { "www.example.com", "localhost,example.com,.example.de", FALSE}, - { "127.0.0.1", "127.0.0.1,localhost", TRUE}, - { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, - { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, --- -2.37.3 - - -From 560b593cb9ba261169df5ea18ac8d0c188e239cd Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sun, 6 Nov 2022 23:19:51 +0100 -Subject: [PATCH 3/3] noproxy: tailmatch like in 7.85.0 and earlier - -A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work -differently than before. This restores the logic to how it used to work: - -All names listed in NO_PROXY are tailmatched against the used domain -name, if the lengths are identical it needs a full match. - -Update the docs, update test 1614. - -Reported-by: Stuart Henderson -Fixes #9842 -Closes #9858 - -Upstream-commit: b1953c1933b369b1217ef0f16053e26da63488c3 -Signed-off-by: Kamil Dudka ---- - docs/libcurl/opts/CURLOPT_NOPROXY.3 | 4 ---- - lib/noproxy.c | 32 +++++++++++++++-------------- - tests/unit/unit1614.c | 3 ++- - 3 files changed, 19 insertions(+), 20 deletions(-) - -diff --git a/docs/libcurl/opts/CURLOPT_NOPROXY.3 b/docs/libcurl/opts/CURLOPT_NOPROXY.3 -index 149eaac..98c7920 100644 ---- a/docs/libcurl/opts/CURLOPT_NOPROXY.3 -+++ b/docs/libcurl/opts/CURLOPT_NOPROXY.3 -@@ -41,10 +41,6 @@ list is matched as either a domain which contains the hostname, or the - hostname itself. For example, "ample.com" would match ample.com, ample.com:80, - and www.ample.com, but not www.example.com or ample.com.org. - --If the name in the \fInoproxy\fP list has a leading period, it is a domain --match against the provided host name. This way ".example.com" will switch off --proxy use for both "www.example.com" as well as for "foo.example.com". -- - Setting the \fInoproxy\fP string to "" (an empty string) will explicitly - enable the proxy for all host names, even if there is an environment variable - set for it. -diff --git a/lib/noproxy.c b/lib/noproxy.c -index 01f8f47..31d1ca7 100644 ---- a/lib/noproxy.c -+++ b/lib/noproxy.c -@@ -183,22 +183,24 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - tokenlen--; - - if(tokenlen && (*token == '.')) { -- /* A: example.com matches '.example.com' -- B: www.example.com matches '.example.com' -- C: nonexample.com DOES NOT match '.example.com' -- */ -- if((tokenlen - 1) == namelen) -- /* case A, exact match without leading dot */ -- match = strncasecompare(token + 1, name, namelen); -- else if(tokenlen < namelen) -- /* case B, tailmatch with leading dot */ -- match = strncasecompare(token, name + (namelen - tokenlen), -- tokenlen); -- /* case C passes through, not a match */ -+ /* ignore leading token dot as well */ -+ token++; -+ tokenlen--; - } -- else -- match = (tokenlen == namelen) && -- strncasecompare(token, name, namelen); -+ /* A: example.com matches 'example.com' -+ B: www.example.com matches 'example.com' -+ C: nonexample.com DOES NOT match 'example.com' -+ */ -+ if(tokenlen == namelen) -+ /* case A, exact match */ -+ match = strncasecompare(token, name, namelen); -+ else if(tokenlen < namelen) { -+ /* case B, tailmatch domain */ -+ match = (name[namelen - tokenlen - 1] == '.') && -+ strncasecompare(token, name + (namelen - tokenlen), -+ tokenlen); -+ } -+ /* case C passes through, not a match */ - break; - case TYPE_IPV4: - /* FALLTHROUGH */ -diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c -index 8f62b70..523d102 100644 ---- a/tests/unit/unit1614.c -+++ b/tests/unit/unit1614.c -@@ -85,7 +85,8 @@ UNITTEST_START - { "www.example.com", "localhost,www.example.com.,.example.de", TRUE}, - { "example.com", "localhost,example.com,.example.de", TRUE}, - { "example.com.", "localhost,example.com,.example.de", TRUE}, -- { "www.example.com", "localhost,example.com,.example.de", FALSE}, -+ { "nexample.com", "localhost,example.com,.example.de", FALSE}, -+ { "www.example.com", "localhost,example.com,.example.de", TRUE}, - { "127.0.0.1", "127.0.0.1,localhost", TRUE}, - { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, - { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, --- -2.37.3 - diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 56b10c6..1098583 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -55,7 +55,7 @@ diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c index 43fe335..70cd7a4 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c -@@ -139,8 +139,8 @@ int test(char *URL) +@@ -147,8 +147,8 @@ int test(char *URL) results[i] = CURL_LAST; /* initialize with invalid value */ res = pthread_create(&tids[i], NULL, run_thread, &results[i]); if(res) { diff --git a/curl.spec b/curl.spec index 68bd41e..76374f2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.86.0 -Release: 4%{?dist} +Version: 7.87.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix regression in noproxy matching -Patch1: 0001-curl-7.86.0-noproxy.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -197,7 +194,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -431,6 +427,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 21 2022 Kamil Dudka - 7.87.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-43552 - HTTP Proxy deny use-after-free + CVE-2022-43551 - Another HSTS bypass via IDN + * Tue Nov 29 2022 Kamil Dudka - 7.86.0-4 - noproxy: tailmatch like in 7.85.0 and earlier (#2149224) diff --git a/sources b/sources index 45ced88..7906eb7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.86.0.tar.xz) = 18e03a3c00f22125e07bddb18becbf5acdca22baeb7b29f45ef189a5c56f95b2d51247813f7a9a90f04eb051739e9aa7d3a1c5be397bae75d763a2b918d1b656 -SHA512 (curl-7.86.0.tar.xz.asc) = 9e97d5f44b3c856f401fe30ba713e1ca1f74edfc693dc42f1ce8e43f9f6dd4bf6998c579bc9c5d0f749f475a7d67d232e92ab6f89b95141acdb53e149f2312f0 +SHA512 (curl-7.87.0.tar.xz) = aa125991592667280dce3788aabe81487cf8c55b0afc59d675cc30b76055bb7114f5380b4a0e3b6461a8f81bf9812fa26d493a85f7e01d84263d484a0d699ee7 +SHA512 (curl-7.87.0.tar.xz.asc) = 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4