diff --git a/SOURCES/0051-curl-7.61.1-CVE-2023-27536.patch b/SOURCES/0049-curl-7.61.1-CVE-2023-27536.patch similarity index 59% rename from SOURCES/0051-curl-7.61.1-CVE-2023-27536.patch rename to SOURCES/0049-curl-7.61.1-CVE-2023-27536.patch index 50b8005..1b266d3 100644 --- a/SOURCES/0051-curl-7.61.1-CVE-2023-27536.patch +++ b/SOURCES/0049-curl-7.61.1-CVE-2023-27536.patch @@ -1,17 +1,20 @@ -From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 +From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 10 Mar 2023 09:22:43 +0100 Subject: [PATCH] url: only reuse connections with same GSS delegation Reported-by: Harry Sintonen Closes #10731 + +Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 +Signed-off-by: Kamil Dudka --- lib/url.c | 6 ++++++ - lib/urldata.h | 1 + - 2 files changed, 7 insertions(+) + lib/urldata.h | 2 ++ + 2 files changed, 8 insertions(+) diff --git a/lib/url.c b/lib/url.c -index df6ef1213..cc2f427dc 100644 +index 3b11b7e..cbbc7f3 100644 --- a/lib/url.c +++ b/lib/url.c @@ -1305,6 +1305,11 @@ ConnectionExists(struct Curl_easy *data, @@ -26,7 +29,8 @@ index df6ef1213..cc2f427dc 100644 if(needle->handler->protocol & (CURLPROTO_SCP|CURLPROTO_SFTP)) { if(!ssh_config_matches(needle, check)) continue; -@@ -1950,5 +1950,6 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) +@@ -1949,6 +1954,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + it may live on without (this specific) Curl_easy */ conn->fclosesocket = data->set.fclosesocket; conn->closesocket_client = data->set.closesocket_client; + conn->gssapi_delegation = data->set.gssapi_delegation; @@ -34,18 +38,18 @@ index df6ef1213..cc2f427dc 100644 return conn; error: diff --git a/lib/urldata.h b/lib/urldata.h -index bf5daaf50..da5de5ba9 100644 +index ce90304..9e16f26 100644 --- a/lib/urldata.h +++ b/lib/urldata.h -@@ -1061,6 +1061,8 @@ struct connectdata { - char *unix_domain_socket; - bool abstract_unix_socket; - #endif -+ -+ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */ - }; +@@ -856,6 +856,8 @@ struct connectdata { + int httpversion; /* the HTTP version*10 reported by the server */ + int rtspversion; /* the RTSP version*10 reported by the server */ - /* The end of connectdata. */ ++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */ ++ + struct curltime now; /* "current" time */ + struct curltime created; /* creation time */ + curl_socket_t sock[2]; /* two sockets, the second is used for the data -- -2.40.1 +2.39.2 diff --git a/SOURCES/0053-curl-7.61.1-CVE-2023-28321.patch b/SOURCES/0051-curl-7.61.1-CVE-2023-28321.patch similarity index 100% rename from SOURCES/0053-curl-7.61.1-CVE-2023-28321.patch rename to SOURCES/0051-curl-7.61.1-CVE-2023-28321.patch diff --git a/SOURCES/0052-curl-7.61.1-rebuilt-certs.patch b/SOURCES/0052-curl-7.61.1-certs.patch similarity index 100% rename from SOURCES/0052-curl-7.61.1-rebuilt-certs.patch rename to SOURCES/0052-curl-7.61.1-certs.patch diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 74a23c0..839a8e6 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 30%{?dist}.3 +Release: 33%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -139,17 +139,17 @@ Patch47: 0047-curl-7.61.1-CVE-2023-23916.patch # fix FTP too eager connection reuse (CVE-2023-27535) Patch48: 0048-curl-7.61.1-CVE-2023-27535.patch +# fix GSS delegation too eager connection re-use (CVE-2023-27536) +Patch49: 0049-curl-7.61.1-CVE-2023-27536.patch + # sftp: do not specify O_APPEND when not in append mode (#2187717) Patch50: 0050-curl-7.61.1-sftp-upload-flags.patch -# fix GSS delegation too eager connection re-use -Patch51: 0051-curl-7.61.1-CVE-2023-27536.patch +# fix host name wildcard checking (CVE-2023-28321) +Patch51: 0051-curl-7.61.1-CVE-2023-28321.patch # rebuild certs with 2048-bit RSA keys -Patch52: 0052-curl-7.61.1-rebuilt-certs.patch - -# fix host name wildcard checking -Patch53: 0053-curl-7.61.1-CVE-2023-28321.patch +Patch52: 0052-curl-7.61.1-certs.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -372,10 +372,10 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6} %patch46 -p1 %patch47 -p1 %patch48 -p1 +%patch49 -p1 %patch50 -p1 %patch51 -p1 git apply %{PATCH52} -%patch53 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -538,15 +538,15 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Tue Jun 13 2023 Jacek Migacz - 7.61.1-30.el8_8.3 -- fix GSS delegation too eager connection re-use (CVE-2023-27536) -- rebuild certs with 2048-bit RSA keys +* Tue Jun 27 2023 Jacek Migacz - 7.61.1-33 - fix host name wildcard checking (CVE-2023-28321) +- rebuild certs with 2048-bit RSA keys -* Thu Apr 20 2023 Kamil Dudka - 7.61.1-30.el8_8.2 +* Thu Apr 20 2023 Kamil Dudka - 7.61.1-32 - sftp: do not specify O_APPEND when not in append mode (#2187717) -* Fri Mar 24 2023 Kamil Dudka - 7.61.1-30.el8_8.1 +* Fri Mar 24 2023 Kamil Dudka - 7.61.1-31 +- fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) * Wed Feb 15 2023 Kamil Dudka - 7.61.1-30