import curl-7.61.1-25.el8

SOURCES/0040-curl-7.61.1-CVE-2022-32208.patch

@@ -0,0 +1,86 @@
+From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/krb5.c     |  5 +----
+ lib/security.c | 19 +++++++++++++++----
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index 787137c..6f9e1f7 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
+   enc.value = buf;
+   enc.length = len;
+   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+-  if(maj != GSS_S_COMPLETE) {
+-    if(len >= 4)
+-      strcpy(buf, "599 ");
++  if(maj != GSS_S_COMPLETE)
+     return -1;
+-  }
+ 
+   memcpy(buf, dec.value, dec.length);
+   len = curlx_uztosi(dec.length);
+diff --git a/lib/security.c b/lib/security.c
+index 52cce97..c95f290 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -64,6 +64,10 @@
+ /* The last #include file should be: */
+ #include "memdebug.h"
+ 
++/* Max string input length is a precaution against abuse and to detect junk
++   input easier and better. */
++#define CURL_MAX_INPUT_LENGTH 8000000
++
+ static const struct {
+   enum protection_level level;
+   const char *name;
+@@ -192,6 +196,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+   int len;
+   CURLcode result;
++  int nread;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+   if(result)
+@@ -200,7 +205,10 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    buf->data = Curl_saferealloc(buf->data, len);
++    if(len > CURL_MAX_INPUT_LENGTH)
++      len = 0;
++    else
++      buf->data = Curl_saferealloc(buf->data, len);
+   }
+   if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+@@ -208,8 +216,11 @@ static CURLcode read_data(struct connectdata *conn,
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+-                                 conn->data_prot, conn);
++  nread = conn->mech->decode(conn->app_data, buf->data, len,
++                             conn->data_prot, conn);
++  if(nread < 0)
++    return CURLE_RECV_ERROR;
++  buf->size = (size_t)nread;
+   buf->index = 0;
+   return CURLE_OK;
+ }
+-- 
+2.35.3
+

SOURCES/0041-curl-7.61.1-CVE-2022-32206.patch

@@ -0,0 +1,144 @@
+From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:28:13 +0200
+Subject: [PATCH 1/2] content_encoding: return error on too many compression
+ steps
+
+The max allowed steps is arbitrarily set to 5.
+
+Bug: https://curl.se/docs/CVE-2022-32206.html
+CVE-2022-32206
+Reported-by: Harry Sintonen
+Closes #9049
+
+Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/content_encoding.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index c03637a..6f994b3 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -934,6 +934,9 @@ static const content_encoding *find_encoding(const char *name, size_t len)
+   return NULL;
+ }
+ 
++/* allow no more than 5 "chained" compression steps */
++#define MAX_ENCODE_STACK 5
++
+ /* Set-up the unencoding stack from the Content-Encoding header value.
+  * See RFC 7231 section 3.1.2.2. */
+ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+@@ -941,6 +944,7 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+ {
+   struct Curl_easy *data = conn->data;
+   struct SingleRequest *k = &data->req;
++  int counter = 0;
+ 
+   do {
+     const char *name;
+@@ -975,6 +979,11 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+ 
++      if(++counter >= MAX_ENCODE_STACK) {
++        failf(data, "Reject response due to %u content encodings",
++              counter);
++        return CURLE_BAD_CONTENT_ENCODING;
++      }
+       /* Stack the unencoding stage. */
+       writer = new_unencoding_writer(conn, encoding, k->writer_stack);
+       if(!writer)
+-- 
+2.35.3
+
+
+From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:29:07 +0200
+Subject: [PATCH 2/2] test387: verify rejection of compression chain attack
+
+Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  1 +
+ tests/data/test387      | 53 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+)
+ create mode 100644 tests/data/test387
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 98d5516..9b5f4fb 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -61,6 +61,7 @@ test325 test326 test330 \
+ test340 \
+ \
+ test350 test351 test352 test353 test354 \
++test387 \
+ test393 test394 test395 \
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+diff --git a/tests/data/test387 b/tests/data/test387
+new file mode 100644
+index 0000000..015ec25
+--- /dev/null
++++ b/tests/data/test387
+@@ -0,0 +1,53 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++gzip
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Response with overly long compression chain
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol>
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/7.61.1
++Accept: */*
++
++</protocol>
++
++# CURLE_BAD_CONTENT_ENCODING is 61
++<errorcode>
++61
++</errorcode>
++<stderr mode="text">
++curl: (61) Reject response due to 5 content encodings
++</stderr>
++</verify>
++</testcase>
+-- 
+2.35.3
+

SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch

@@ -0,0 +1,43 @@
+From 9ea407a0476d22cde575826c18b5aa56b57ac9b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Felix=20H=C3=A4dicke?= <felixhaedicke@web.de>
+Date: Wed, 23 Jan 2019 23:10:39 +0100
+Subject: [PATCH] setopt: enable CURLOPT_SSH_KNOWNHOSTS and
+ CURLOPT_SSH_KEYFUNCTION for libssh
+
+CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for
+libssh as well. So accepting these options only when compiling with
+libssh2 is wrong here.
+
+Fixes #3493
+Closes #3494
+
+Upstream-commit: 3cbf731d9ec7146f9f1a6ac0fbd9af7fe358f5bb
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index b07ccfe..88a05ff 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2208,7 +2208,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+     result = Curl_setstropt(&data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5],
+                             va_arg(param, char *));
+     break;
+-#ifdef HAVE_LIBSSH2_KNOWNHOST_API
++
+   case CURLOPT_SSH_KNOWNHOSTS:
+     /*
+      * Store the file name to read known hosts from.
+@@ -2229,7 +2229,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+      */
+     data->set.ssh_keyfunc_userp = va_arg(param, void *);
+     break;
+-#endif /* HAVE_LIBSSH2_KNOWNHOST_API */
+ #endif /* USE_LIBSSH2 */
+ 
+   case CURLOPT_HTTP_TRANSFER_DECODING:
+-- 
+2.34.1
+

SPECS/curl.spec

@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 22%{?dist}.3
+Release: 25%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -112,6 +112,15 @@ Patch38:  0038-curl-7.61.1-CVE-2022-27774.patch
 # fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
 Patch39:  0039-curl-7.61.1-CVE-2022-27782.patch
 
+# fix FTP-KRB bad message verification (CVE-2022-32208)
+Patch40:  0040-curl-7.61.1-CVE-2022-32208.patch
+
+# fix HTTP compression denial of service (CVE-2022-32206)
+Patch41:  0041-curl-7.61.1-CVE-2022-32206.patch
+
+# setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703)
+Patch42:  0042-curl-7.61.1-ssh-known-hosts.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -324,6 +333,9 @@ sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448
 sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
 
 %patch39 -p1
+%patch40 -p1
+%patch41 -p1
+%patch42 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -486,13 +498,16 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
-* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-22.el8_6.3
+* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-25
-- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
+- setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703)
+- fix HTTP compression denial of service (CVE-2022-32206)
+- fix FTP-KRB bad message verification (CVE-2022-32208)
 
-* Tue May 04 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-22.el8_6.2
+* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-24
+- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
 - fix invalid type in printf() argument detected by Coverity
 
-* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-22.el8_6.1
+* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-23
 - fix credential leak on redirect (CVE-2022-27774)
 - fix auth/cookie leak on redirect (CVE-2022-27776)
 - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)