new upstream release - 7.59.0
Resolves: CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write Resolves: CVE-2018-1000121 - LDAP NULL pointer dereference Resolves: CVE-2018-1000122 - RTSP RTP buffer over-read
This commit is contained in:
parent
43b81665b0
commit
bdef0a1bf6
@ -1,206 +0,0 @@
|
|||||||
From d9a3018050ce24e1ee416c33f4907f238e860ce3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Sat, 10 Mar 2018 23:48:43 +0100
|
|
||||||
Subject: [PATCH] http2: mark the connection for close on GOAWAY
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
... don't consider it an error!
|
|
||||||
|
|
||||||
Assisted-by: Jay Satiro
|
|
||||||
Reported-by: Łukasz Domeradzki
|
|
||||||
Fixes #2365
|
|
||||||
Closes #2375
|
|
||||||
|
|
||||||
Upstream-commit: 8b498a875c975294545581282289991bbcfeabf4
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/http.h | 5 ++---
|
|
||||||
lib/http2.c | 33 +++++++++++++++++++++------------
|
|
||||||
lib/multi.c | 9 +++------
|
|
||||||
3 files changed, 26 insertions(+), 21 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/http.h b/lib/http.h
|
|
||||||
index d2781bc..2ce44bb 100644
|
|
||||||
--- a/lib/http.h
|
|
||||||
+++ b/lib/http.h
|
|
||||||
@@ -7,7 +7,7 @@
|
|
||||||
* | (__| |_| | _ <| |___
|
|
||||||
* \___|\___/|_| \_\_____|
|
|
||||||
*
|
|
||||||
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
*
|
|
||||||
* This software is licensed as described in the file COPYING, which
|
|
||||||
* you should have received as part of this distribution. The terms
|
|
||||||
@@ -172,8 +172,6 @@ struct HTTP {
|
|
||||||
size_t pauselen; /* the number of bytes left in data */
|
|
||||||
bool closed; /* TRUE on HTTP2 stream close */
|
|
||||||
bool close_handled; /* TRUE if stream closure is handled by libcurl */
|
|
||||||
- uint32_t error_code; /* HTTP/2 error code */
|
|
||||||
-
|
|
||||||
char *mem; /* points to a buffer in memory to store received data */
|
|
||||||
size_t len; /* size of the buffer 'mem' points to */
|
|
||||||
size_t memlen; /* size of data copied to mem */
|
|
||||||
@@ -226,6 +224,7 @@ struct http_conn {
|
|
||||||
/* list of settings that will be sent */
|
|
||||||
nghttp2_settings_entry local_settings[3];
|
|
||||||
size_t local_settings_num;
|
|
||||||
+ uint32_t error_code; /* HTTP/2 error code */
|
|
||||||
#else
|
|
||||||
int unused; /* prevent a compiler warning */
|
|
||||||
#endif
|
|
||||||
diff --git a/lib/http2.c b/lib/http2.c
|
|
||||||
index 6992879..13a79d1 100644
|
|
||||||
--- a/lib/http2.c
|
|
||||||
+++ b/lib/http2.c
|
|
||||||
@@ -204,7 +204,6 @@ void Curl_http2_setup_req(struct Curl_easy *data)
|
|
||||||
http->status_code = -1;
|
|
||||||
http->pausedata = NULL;
|
|
||||||
http->pauselen = 0;
|
|
||||||
- http->error_code = NGHTTP2_NO_ERROR;
|
|
||||||
http->closed = FALSE;
|
|
||||||
http->close_handled = FALSE;
|
|
||||||
http->mem = data->state.buffer;
|
|
||||||
@@ -217,6 +216,7 @@ void Curl_http2_setup_conn(struct connectdata *conn)
|
|
||||||
{
|
|
||||||
conn->proto.httpc.settings.max_concurrent_streams =
|
|
||||||
DEFAULT_MAX_CONCURRENT_STREAMS;
|
|
||||||
+ conn->proto.httpc.error_code = NGHTTP2_NO_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -777,6 +777,7 @@ static int on_stream_close(nghttp2_session *session, int32_t stream_id,
|
|
||||||
(void)stream_id;
|
|
||||||
|
|
||||||
if(stream_id) {
|
|
||||||
+ struct http_conn *httpc;
|
|
||||||
/* get the stream from the hash based on Stream ID, stream ID zero is for
|
|
||||||
connection-oriented stuff */
|
|
||||||
data_s = nghttp2_session_get_stream_user_data(session, stream_id);
|
|
||||||
@@ -791,10 +792,11 @@ static int on_stream_close(nghttp2_session *session, int32_t stream_id,
|
|
||||||
if(!stream)
|
|
||||||
return NGHTTP2_ERR_CALLBACK_FAILURE;
|
|
||||||
|
|
||||||
- stream->error_code = error_code;
|
|
||||||
stream->closed = TRUE;
|
|
||||||
data_s->state.drain++;
|
|
||||||
- conn->proto.httpc.drain_total++;
|
|
||||||
+ httpc = &conn->proto.httpc;
|
|
||||||
+ httpc->drain_total++;
|
|
||||||
+ httpc->error_code = error_code;
|
|
||||||
|
|
||||||
/* remove the entry from the hash as the stream is now gone */
|
|
||||||
nghttp2_session_set_stream_user_data(session, stream_id, 0);
|
|
||||||
@@ -1225,13 +1227,14 @@ static int h2_session_send(struct Curl_easy *data,
|
|
||||||
* This function returns 0 if it succeeds, or -1 and error code will
|
|
||||||
* be assigned to *err.
|
|
||||||
*/
|
|
||||||
-static int h2_process_pending_input(struct Curl_easy *data,
|
|
||||||
+static int h2_process_pending_input(struct connectdata *conn,
|
|
||||||
struct http_conn *httpc,
|
|
||||||
CURLcode *err)
|
|
||||||
{
|
|
||||||
ssize_t nread;
|
|
||||||
char *inbuf;
|
|
||||||
ssize_t rv;
|
|
||||||
+ struct Curl_easy *data = conn->data;
|
|
||||||
|
|
||||||
nread = httpc->inbuflen - httpc->nread_inbuf;
|
|
||||||
inbuf = httpc->inbuf + httpc->nread_inbuf;
|
|
||||||
@@ -1269,7 +1272,13 @@ static int h2_process_pending_input(struct Curl_easy *data,
|
|
||||||
if(should_close_session(httpc)) {
|
|
||||||
DEBUGF(infof(data,
|
|
||||||
"h2_process_pending_input: nothing to do in this session\n"));
|
|
||||||
- *err = CURLE_HTTP2;
|
|
||||||
+ if(httpc->error_code)
|
|
||||||
+ *err = CURLE_HTTP2;
|
|
||||||
+ else {
|
|
||||||
+ /* not an error per se, but should still close the connection */
|
|
||||||
+ connclose(conn, "GOAWAY received");
|
|
||||||
+ *err = CURLE_OK;
|
|
||||||
+ }
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1300,7 +1309,7 @@ CURLcode Curl_http2_done_sending(struct connectdata *conn)
|
|
||||||
that it can signal EOF to nghttp2 */
|
|
||||||
(void)nghttp2_session_resume_data(h2, stream->stream_id);
|
|
||||||
|
|
||||||
- (void)h2_process_pending_input(conn->data, httpc, &result);
|
|
||||||
+ (void)h2_process_pending_input(conn, httpc, &result);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return result;
|
|
||||||
@@ -1324,7 +1333,7 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn,
|
|
||||||
data->state.drain = 0;
|
|
||||||
|
|
||||||
if(httpc->pause_stream_id == 0) {
|
|
||||||
- if(h2_process_pending_input(data, httpc, err) != 0) {
|
|
||||||
+ if(h2_process_pending_input(conn, httpc, err) != 0) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1333,10 +1342,10 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn,
|
|
||||||
|
|
||||||
/* Reset to FALSE to prevent infinite loop in readwrite_data function. */
|
|
||||||
stream->closed = FALSE;
|
|
||||||
- if(stream->error_code != NGHTTP2_NO_ERROR) {
|
|
||||||
+ if(httpc->error_code != NGHTTP2_NO_ERROR) {
|
|
||||||
failf(data, "HTTP/2 stream %u was not closed cleanly: %s (err %d)",
|
|
||||||
- stream->stream_id, Curl_http2_strerror(stream->error_code),
|
|
||||||
- stream->error_code);
|
|
||||||
+ stream->stream_id, Curl_http2_strerror(httpc->error_code),
|
|
||||||
+ httpc->error_code);
|
|
||||||
*err = CURLE_HTTP2_STREAM;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
@@ -1484,7 +1493,7 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
|
|
||||||
/* We have paused nghttp2, but we have no pause data (see
|
|
||||||
on_data_chunk_recv). */
|
|
||||||
httpc->pause_stream_id = 0;
|
|
||||||
- if(h2_process_pending_input(data, httpc, &result) != 0) {
|
|
||||||
+ if(h2_process_pending_input(conn, httpc, &result) != 0) {
|
|
||||||
*err = result;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
@@ -1514,7 +1523,7 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
|
|
||||||
frames, then we have to call it again with 0-length data.
|
|
||||||
Without this, on_stream_close callback will not be called,
|
|
||||||
and stream could be hanged. */
|
|
||||||
- if(h2_process_pending_input(data, httpc, &result) != 0) {
|
|
||||||
+ if(h2_process_pending_input(conn, httpc, &result) != 0) {
|
|
||||||
*err = result;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
diff --git a/lib/multi.c b/lib/multi.c
|
|
||||||
index 43823cc..50f4d87 100644
|
|
||||||
--- a/lib/multi.c
|
|
||||||
+++ b/lib/multi.c
|
|
||||||
@@ -5,7 +5,7 @@
|
|
||||||
* | (__| |_| | _ <| |___
|
|
||||||
* \___|\___/|_| \_\_____|
|
|
||||||
*
|
|
||||||
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
*
|
|
||||||
* This software is licensed as described in the file COPYING, which
|
|
||||||
* you should have received as part of this distribution. The terms
|
|
||||||
@@ -535,11 +535,8 @@ static CURLcode multi_done(struct connectdata **connp,
|
|
||||||
result = CURLE_ABORTED_BY_CALLBACK;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if(conn->send_pipe.size + conn->recv_pipe.size != 0 &&
|
|
||||||
- !data->set.reuse_forbid &&
|
|
||||||
- !conn->bits.close) {
|
|
||||||
- /* Stop if pipeline is not empty and we do not have to close
|
|
||||||
- connection. */
|
|
||||||
+ if(conn->send_pipe.size || conn->recv_pipe.size) {
|
|
||||||
+ /* Stop if pipeline is not empty . */
|
|
||||||
data->easy_conn = NULL;
|
|
||||||
DEBUGF(infof(data, "Connection still in use, no more multi_done now!\n"));
|
|
||||||
return CURLE_OK;
|
|
||||||
--
|
|
||||||
2.14.3
|
|
||||||
|
|
@ -12,7 +12,7 @@ diff --git a/configure b/configure
|
|||||||
index 8f079a3..53b4774 100755
|
index 8f079a3..53b4774 100755
|
||||||
--- a/configure
|
--- a/configure
|
||||||
+++ b/configure
|
+++ b/configure
|
||||||
@@ -16523,18 +16523,11 @@ $as_echo "yes" >&6; }
|
@@ -16524,18 +16524,11 @@ $as_echo "yes" >&6; }
|
||||||
gccvhi=`echo $gccver | cut -d . -f1`
|
gccvhi=`echo $gccver | cut -d . -f1`
|
||||||
gccvlo=`echo $gccver | cut -d . -f2`
|
gccvlo=`echo $gccver | cut -d . -f2`
|
||||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||||
|
@ -1,11 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlpoMGsACgkQXMkI/bce
|
|
||||||
EsIxtwgAnazhBf4KjF3bw1XNxgjkWVUwqLlLwEElg4tD6g/uYw9VeZQyy2wQGmgc
|
|
||||||
yKx2WrfqLDmE1gAqKgvGLdS6qvMtv0x/3gNjOy4/LVYBlVqP+k5p0XZhV3jcg929
|
|
||||||
Hkv/Fgp1yvtks98CGEIp6xJSjlnL3x5VEsMslXO7dpfq+6gvnbBVBP7QUOb/CYDg
|
|
||||||
LHHAIZFSQuTeLKAvvl1koZAZnZ5zD3dtwL8rK4CVD0ugwJplJvGbvoIMNu9uagUZ
|
|
||||||
CpBV0Pyv0AUsMTohszyOovi/RizHWl8xTynreJh+sx++NZEX2KjsnISpZAxmD6r5
|
|
||||||
dtt21mdhrRSsAXmHD8q5LnbrKosbvQ==
|
|
||||||
=ZqfQ
|
|
||||||
-----END PGP SIGNATURE-----
|
|
11
curl-7.59.0.tar.xz.asc
Normal file
11
curl-7.59.0.tar.xz.asc
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlqoxTwACgkQXMkI/bce
|
||||||
|
EsJrHQf7B0ik8F5dfGYumYWkXHc9poJU+dJ0o6pwzg4QsP+4mwVTw/gnrXDm1hVk
|
||||||
|
iFPIAdgTkxiIDZi+6mDfZA9dZ8Aq38XbYjRIwXTW4KrjTtEFQXtwlEClrHrJyXfl
|
||||||
|
+2YC52BcY0D2JVDqUAB9cVSSgaHHf1jd4h32a8YMrwco4jP5rSxbmZe4psU2m8TC
|
||||||
|
skaZEoSIRJzg5oV+AgDSQMrq+fLsc5lIDKTl+7v6sjnGlcYeRC1SiBePyrh5g/o5
|
||||||
|
w4JJH839MyjrYvi6MyCBHeyCFYDrxKvQw8zRwivfZ1oipM2SaSVq8c60PdR85Zw5
|
||||||
|
/SNOU/7Qpvhua0GhAfaI/CTwwewy6w==
|
||||||
|
=OcVv
|
||||||
|
-----END PGP SIGNATURE-----
|
14
curl.spec
14
curl.spec
@ -1,13 +1,10 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.58.0
|
Version: 7.59.0
|
||||||
Release: 8%{?dist}
|
Release: 1%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||||
|
|
||||||
# http2: mark the connection for close on GOAWAY
|
|
||||||
Patch1: 0001-curl-7.58.0-h2-goaway.patch
|
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -154,7 +151,6 @@ be installed.
|
|||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
# upstream patches
|
# upstream patches
|
||||||
%patch1 -p1
|
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -300,6 +296,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-1
|
||||||
|
- new upstream release, which fixes the following vulnerabilities
|
||||||
|
CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write
|
||||||
|
CVE-2018-1000121 - LDAP NULL pointer dereference
|
||||||
|
CVE-2018-1000122 - RTSP RTP buffer over-read
|
||||||
|
|
||||||
* Mon Mar 12 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-8
|
* Mon Mar 12 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-8
|
||||||
- http2: mark the connection for close on GOAWAY
|
- http2: mark the connection for close on GOAWAY
|
||||||
|
|
||||||
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (curl-7.58.0.tar.xz) = 965affc74ab8f8c94d1b79ebb8012ca4c1a482c7a3282f2661f6382163e47e3ea657398c1a4202008d0c683a3d2266a05a64a26bd514a64a08e4fe83929dcae5
|
SHA512 (curl-7.59.0.tar.xz) = 6982a5950b564d6b2a4f4b96296b6db3db24a096acc68aa96966821b57f66362f5a69d9f2da762b5d2b1011a4a47478ebacaf05e26604f78bb013098749dd8a6
|
||||||
|
Loading…
Reference in New Issue
Block a user