new upstream release - 8.0.0

Resolves: CVE-2023-27538 - SSH connection too eager reuse still Resolves: CVE-2023-27537 - HSTS double-free Resolves: CVE-2023-27536 - GSS delegation too eager connection re-use Resolves: CVE-2023-27535 - FTP too eager connection reuse Resolves: CVE-2023-27534 - SFTP path ~ resolving discrepancy Resolves: CVE-2023-27533 - TELNET option IAC injection
2023-03-20 10:08:53 +01:00 · 2023-03-20 10:08:53 +01:00 · 7b0a4d3dfc
commit 7b0a4d3dfc
parent d5c1163ef3
3 changed files with 247 additions and 3 deletions
--- a/0001-curl-8.0.0-revert-multi-remove.patch
+++ b/0001-curl-8.0.0-revert-multi-remove.patch
@ -0,0 +1,230 @@
 From d7c75c3608d6002cfb46a2612efa507d9a8ba66e Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 20 Mar 2023 12:51:05 +0100
 Subject: [PATCH] Revert "multi: remove PENDING + MSGSENT handles from the main
 linked list"
 This reverts commit f6d6f3ce01e377932f1ce7c24ee34d45a36950b8.
 The commits caused issues in the 8.0.0 release. Needs a retake.
 Upstream-commit: cf1eebc68a28cb18bffde5a0a0d2f02bf7b183ec
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/multi.c       | 73 +++++++++++++++++++----------------------------
 lib/multihandle.h |  2 --
 lib/urldata.h     |  3 +-
 3 files changed, 31 insertions(+), 47 deletions(-)
 diff --git a/lib/multi.c b/lib/multi.c
 index 0967500d0..731b2598f 100644
 --- a/lib/multi.c
 +++ b/lib/multi.c
@@ -383,10 +383,12 @@ static void sh_init(struct Curl_hash *hash, int hashsize)
  * Called when a transfer is completed. Adds the given msg pointer to
  * the list kept in the multi handle.
  */
 -static void multi_addmsg(struct Curl_multi *multi, struct Curl_message *msg)
 +static CURLMcode multi_addmsg(struct Curl_multi *multi,
 +                              struct Curl_message *msg)
 {
   Curl_llist_insert_next(&multi->msglist, multi->msglist.tail, msg,
                          &msg->list);
 +  return CURLM_OK;
 }
 struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */
@@ -409,7 +411,6 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */
   Curl_llist_init(&multi->msglist, NULL);
   Curl_llist_init(&multi->pending, NULL);
 -  Curl_llist_init(&multi->msgsent, NULL);
   multi->multiplexing = TRUE;
@@ -455,14 +456,6 @@ struct Curl_multi *curl_multi_init(void)
                            CURL_DNS_HASH_SIZE);
 }
 -/* returns TRUE if the easy handle is supposed to be present in the main link
 -   list */
 -static bool in_main_list(struct Curl_easy *data)
 -{
 -  return ((data->mstate != MSTATE_PENDING) &&
 -          (data->mstate != MSTATE_MSGSENT));
 -}
 -
 static void link_easy(struct Curl_multi *multi,
                       struct Curl_easy *data)
 {
@@ -496,8 +489,6 @@ static void unlink_easy(struct Curl_multi *multi,
     data->next->prev = data->prev;
   else
     multi->easylp = data->prev; /* point to last node */
 -
 -  data->prev = data->next = NULL;
 }
@@ -857,16 +848,10 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
      called. Do it after multi_done() in case that sets another time! */
   Curl_expire_clear(data);
 -  if(data->connect_queue.ptr) {
 -    /* the handle is in the pending or msgsent lists, so go ahead and remove
 -       it */
 -    if(data->mstate == MSTATE_PENDING)
 -      Curl_llist_remove(&multi->pending, &data->connect_queue, NULL);
 -    else
 -      Curl_llist_remove(&multi->msgsent, &data->connect_queue, NULL);
 -  }
 -  if(in_main_list(data))
 -    unlink_easy(multi, data);
 +  if(data->connect_queue.ptr)
 +    /* the handle was in the pending list waiting for an available connection,
 +       so go ahead and remove it */
 +    Curl_llist_remove(&multi->pending, &data->connect_queue, NULL);
   if(data->dns.hostcachetype == HCACHE_MULTI) {
     /* stop using the multi handle's DNS cache, *after* the possible
@@ -927,6 +912,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
   /* make sure there's no pending message in the queue sent from this easy
      handle */
 +
   for(e = multi->msglist.head; e; e = e->next) {
     struct Curl_message *msg = e->ptr;
@@ -937,6 +923,19 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
     }
   }
 +  /* Remove from the pending list if it is there. Otherwise this will
 +     remain on the pending list forever due to the state change. */
 +  for(e = multi->pending.head; e; e = e->next) {
 +    struct Curl_easy *curr_data = e->ptr;
 +
 +    if(curr_data == data) {
 +      Curl_llist_remove(&multi->pending, e, NULL);
 +      break;
 +    }
 +  }
 +
 +  unlink_easy(multi, data);
 +
   /* NOTE NOTE NOTE
      We do not touch the easy handle here! */
   multi->num_easy--; /* one less to care about now */
@@ -1944,6 +1943,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
       }
       break;
 +    case MSTATE_PENDING:
 +      /* We will stay here until there is a connection available. Then
 +         we try again in the MSTATE_CONNECT state. */
 +      break;
 +
     case MSTATE_CONNECT:
       /* Connect. We want to get a connection identifier filled in. */
       /* init this transfer. */
@@ -1967,8 +1971,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
         /* add this handle to the list of connect-pending handles */
         Curl_llist_insert_next(&multi->pending, multi->pending.tail, data,
                                &data->connect_queue);
 -        /* unlink from the main list */
 -        unlink_easy(multi, data);
         result = CURLE_OK;
         break;
       }
@@ -2595,11 +2597,9 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
     case MSTATE_COMPLETED:
       break;
 -    case MSTATE_PENDING:
     case MSTATE_MSGSENT:
 -      /* handles in these states should NOT be in this list */
 -      DEBUGASSERT(0);
 -      break;
 +      data->result = result;
 +      return CURLM_OK; /* do nothing */
     default:
       return CURLM_INTERNAL_ERROR;
@@ -2687,17 +2687,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
         msg->extmsg.easy_handle = data;
         msg->extmsg.data.result = result;
 -        multi_addmsg(multi, msg);
 +        rc = multi_addmsg(multi, msg);
         DEBUGASSERT(!data->conn);
       }
       multistate(data, MSTATE_MSGSENT);
 -
 -      /* add this handle to the list of msgsent handles */
 -      Curl_llist_insert_next(&multi->msgsent, multi->msgsent.tail, data,
 -                             &data->connect_queue);
 -      /* unlink from the main list */
 -      unlink_easy(multi, data);
 -      return CURLM_OK;
     }
   } while((rc == CURLM_CALL_MULTI_PERFORM) || multi_ischanged(multi, FALSE));
@@ -2728,9 +2721,6 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles)
     /* Do the loop and only alter the signal ignore state if the next handle
        has a different NO_SIGNAL state than the previous */
     do {
 -      /* the current node might be unlinked in multi_runsingle(), get the next
 -         pointer now */
 -      struct Curl_easy *datanext = data->next;
       if(data->set.no_signal != nosig) {
         sigpipe_restore(&pipe_st);
         sigpipe_ignore(data, &pipe_st);
@@ -2739,7 +2729,7 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles)
       result = multi_runsingle(multi, &now, data);
       if(result)
         returncode = result;
 -      data = datanext; /* operate on next handle */
 +      data = data->next; /* operate on next handle */
     } while(data);
     sigpipe_restore(&pipe_st);
   }
@@ -3720,9 +3710,6 @@ static void process_pending_handles(struct Curl_multi *multi)
     DEBUGASSERT(data->mstate == MSTATE_PENDING);
 -    /* put it back into the main list */
 -    link_easy(multi, data);
 -
     multistate(data, MSTATE_CONNECT);
     /* Remove this node from the list */
 diff --git a/lib/multihandle.h b/lib/multihandle.h
 index 5b16bb605..6cda65d44 100644
 --- a/lib/multihandle.h
 +++ b/lib/multihandle.h
@@ -101,8 +101,6 @@ struct Curl_multi {
   struct Curl_llist pending; /* Curl_easys that are in the
                                 MSTATE_PENDING state */
 -  struct Curl_llist msgsent; /* Curl_easys that are in the
 -                                MSTATE_MSGSENT state */
   /* callback function and user data pointer for the *socket() API */
   curl_socket_callback socket_cb;
 diff --git a/lib/urldata.h b/lib/urldata.h
 index 4e07bcd60..8b54518d2 100644
 --- a/lib/urldata.h
 +++ b/lib/urldata.h
@@ -1894,8 +1894,7 @@ struct Curl_easy {
   struct Curl_easy *prev;
   struct connectdata *conn;
 -  struct Curl_llist_element connect_queue; /* for the pending and msgsent
 -                                              lists */
 +  struct Curl_llist_element connect_queue;
   struct Curl_llist_element conn_queue; /* list per connectdata */
   CURLMstate mstate;  /* the handle's state */
 -- 
 2.40.0
--- a/curl.spec
+++ b/curl.spec
@ -1,6 +1,6 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.88.1
+Version: 8.0.0
 Release: 1%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
@ -10,6 +10,10 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
 # revert a commit that caused issues in the 8.0.0 release
 # https://github.com/curl/curl/pull/10795
 Patch1:   0001-curl-8.0.0-revert-multi-remove.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -203,6 +207,7 @@ be installed.
 %setup -q
 # upstream patches
 %patch1 -p1
 # Fedora patches
 %patch101 -p1
@ -438,6 +443,15 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
 * Mon Mar 20 2023 Kamil Dudka <kdudka@redhat.com> - 8.0.0-1
 - new upstream release, which fixes the following vulnerabilities
    CVE-2023-27538 - SSH connection too eager reuse still
    CVE-2023-27537 - HSTS double-free
    CVE-2023-27536 - GSS delegation too eager connection re-use
    CVE-2023-27535 - FTP too eager connection reuse
    CVE-2023-27534 - SFTP path ~ resolving discrepancy
    CVE-2023-27533 - TELNET option IAC injection
 * Mon Feb 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.88.1-1
 - new upstream release
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (curl-7.88.1.tar.xz) = b8d30c52a6d1c3e272608a7a8db78dfd79aef21330f34d6f1df43839a400e13ac6aac72a383526db0b711a70ecbec89a3b934677d7ecf5094fd64d3dbcb3492f
+SHA512 (curl-8.0.0.tar.xz) = 7141e0e2ed065ba14a7fd7e080bc78cadfcf0c7e4054384f17bfbe24caa0bf512d1feaac89dabb9bebc30c2ba40e78ea4e77ac16ce07515f1e9d6b0f05098c9c
-SHA512 (curl-7.88.1.tar.xz.asc) = d6dc720533004c4d533cc4fb3dd33ac28d95e114f440ec011e4b58f65d1f4c40cfa10ba26d2e2f2f1f9de99511632578b4758c5e79593c7c30d29788fdf1cbb6
+SHA512 (curl-8.0.0.tar.xz.asc) = ab741ce5a93e8729bb280c38a109dd11c6f07bc5d955368171dd0c26641d117c62945c13cdc8ff66e32e98fa027cc8ae08aba833a3ee702a2a06c7cef5b8f4ea
`@ -1,2 +1,2 @@`
	`SHA512 (curl-7.88.1.tar.xz) = b8d30c52a6d1c3e272608a7a8db78dfd79aef21330f34d6f1df43839a400e13ac6aac72a383526db0b711a70ecbec89a3b934677d7ecf5094fd64d3dbcb3492f`	`SHA512 (curl-8.0.0.tar.xz) = 7141e0e2ed065ba14a7fd7e080bc78cadfcf0c7e4054384f17bfbe24caa0bf512d1feaac89dabb9bebc30c2ba40e78ea4e77ac16ce07515f1e9d6b0f05098c9c`
	`SHA512 (curl-7.88.1.tar.xz.asc) = d6dc720533004c4d533cc4fb3dd33ac28d95e114f440ec011e4b58f65d1f4c40cfa10ba26d2e2f2f1f9de99511632578b4758c5e79593c7c30d29788fdf1cbb6`	`SHA512 (curl-8.0.0.tar.xz.asc) = ab741ce5a93e8729bb280c38a109dd11c6f07bc5d955368171dd0c26641d117c62945c13cdc8ff66e32e98fa027cc8ae08aba833a3ee702a2a06c7cef5b8f4ea`