rpms/curl
6
0
Fork 1
Code Issues Pull Requests Releases Activity

Resolves: #2187717 - sftp: do not specify O_APPEND when not in append mode

Browse Source
This commit is contained in:
Kamil Dudka 2023-04-20 09:47:37 +02:00
parent 4a9d75cd21
commit a9712389ac
2 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
0050-curl-7.61.1-sftp-upload-flags.patch Normal file
View File

@ -0,0 +1,34 @@
From cc52b2d89397ff26b01d791cd1c605cba741aaa4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20H=C3=A4dicke?= <felixhaedicke@web.de>
Date: Wed, 24 Jul 2019 11:47:51 +0200
Subject: [PATCH] ssh-libssh: do not specify O_APPEND when not in append mode
Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
make much sense. And this combination of flags is not accepted by all
SFTP servers (at least not Apache SSHD).
Fixes #4147
Closes #4148
Upstream-commit: 62617495102c60124db8a909f592f063e38a89aa
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/ssh-libssh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
index 4110be2..2414173 100644
--- a/lib/ssh-libssh.c
+++ b/lib/ssh-libssh.c
@@ -1112,7 +1112,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
flags = O_WRONLY|O_APPEND;
else
/* Clear file before writing (normal behaviour) */
- flags = O_WRONLY|O_APPEND|O_CREAT|O_TRUNC;
+ flags = O_WRONLY|O_CREAT|O_TRUNC;
if(sshc->sftp_file)
sftp_close(sshc->sftp_file);
--
2.39.2

9
curl.spec
View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.61.1 Version: 7.61.1
Release: 31%{?dist} Release: 32%{?dist}
License: MIT License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
@ -142,6 +142,9 @@ Patch48: 0048-curl-7.61.1-CVE-2023-27535.patch
# fix GSS delegation too eager connection re-use (CVE-2023-27536) # fix GSS delegation too eager connection re-use (CVE-2023-27536)
Patch49: 0049-curl-7.61.1-CVE-2023-27536.patch Patch49: 0049-curl-7.61.1-CVE-2023-27536.patch
# sftp: do not specify O_APPEND when not in append mode (#2187717)
Patch50: 0050-curl-7.61.1-sftp-upload-flags.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
@ -364,6 +367,7 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
%patch47 -p1 %patch47 -p1
%patch48 -p1 %patch48 -p1
%patch49 -p1 %patch49 -p1
%patch50 -p1
# make tests/*.py use Python 3 # make tests/*.py use Python 3
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -526,6 +530,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog %changelog
* Thu Apr 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-32
- sftp: do not specify O_APPEND when not in append mode (#2187717)
* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-31 * Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-31
- fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix GSS delegation too eager connection re-use (CVE-2023-27536)
- fix FTP too eager connection reuse (CVE-2023-27535) - fix FTP too eager connection reuse (CVE-2023-27535)