import curl-7.61.1-30.el8_8.2

SOURCES/0048-curl-7.61.1-CVE-2023-27535.patch

@@ -0,0 +1,231 @@
+From e8705acd69383c13191c9dd4867d5118e58c54ba Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 00:49:10 +0200
+Subject: [PATCH 1/2] strcase: add Curl_timestrcmp
+
+This is a strcmp() alternative function for comparing "secrets",
+designed to take the same time no matter the content to not leak
+match/non-match info to observers based on how fast it is.
+
+The time this function takes is only a function of the shortest input
+string.
+
+Reported-by: Trail of Bits
+
+Closes #9658
+
+Upstream-commit: ed5095ed94281989e103c72e032200b83be37878
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/strcase.c | 22 ++++++++++++++++++++++
+ lib/strcase.h |  1 +
+ 2 files changed, 23 insertions(+)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index f932485..c73907d 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -175,6 +175,28 @@ bool Curl_safecmp(char *a, char *b)
+   return !a && !b;
+ }
+ 
++/*
++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
++ * function spends is a function of the shortest string, not of the contents.
++ */
++int Curl_timestrcmp(const char *a, const char *b)
++{
++  int match = 0;
++  int i = 0;
++
++  if(a && b) {
++    while(1) {
++      match |= a[i]^b[i];
++      if(!a[i] || !b[i])
++        break;
++      i++;
++    }
++  }
++  else
++    return a || b;
++  return match;
++}
++
+ /* --- public functions --- */
+ 
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index d245929..11a67a1 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -48,5 +48,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ 
+ bool Curl_safecmp(char *a, char *b);
++int Curl_timestrcmp(const char *first, const char *second);
+ 
+ #endif /* HEADER_CURL_STRCASE_H */
+-- 
+2.39.2
+
+
+From 9cfaea212ff347937a38f6b5d6b885ed8ba1b931 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 17:47:06 +0100
+Subject: [PATCH 2/2] ftp: add more conditions for connection reuse
+
+Reported-by: Harry Sintonen
+Closes #10730
+
+Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ftp.c     | 28 ++++++++++++++++++++++++++--
+ lib/ftp.h     |  5 +++++
+ lib/setopt.c  |  2 +-
+ lib/url.c     | 13 ++++++++++++-
+ lib/urldata.h |  4 ++--
+ 5 files changed, 46 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 9442832..df15bc0 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -4080,6 +4080,8 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
+   }
+ 
+   freedirs(ftpc);
++  Curl_safefree(ftpc->account);
++  Curl_safefree(ftpc->alternative_to_user);
+   free(ftpc->prevpath);
+   ftpc->prevpath = NULL;
+   free(ftpc->server_os);
+@@ -4391,11 +4393,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+   struct Curl_easy *data = conn->data;
+   char *type;
+   struct FTP *ftp;
++  struct ftp_conn *ftpc = &conn->proto.ftpc;
+ 
+-  conn->data->req.protop = ftp = malloc(sizeof(struct FTP));
++  ftp = calloc(sizeof(struct FTP), 1);
+   if(NULL == ftp)
+     return CURLE_OUT_OF_MEMORY;
+ 
++  /* clone connection related data that is FTP specific */
++  if(data->set.str[STRING_FTP_ACCOUNT]) {
++    ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
++    if(!ftpc->account) {
++      free(ftp);
++      return CURLE_OUT_OF_MEMORY;
++    }
++  }
++  if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
++    ftpc->alternative_to_user =
++      strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
++    if(!ftpc->alternative_to_user) {
++      Curl_safefree(ftpc->account);
++      free(ftp);
++      return CURLE_OUT_OF_MEMORY;
++    }
++  }
++  data->req.protop = ftp;
++
+   data->state.path++;   /* don't include the initial slash */
+   data->state.slash_removed = TRUE; /* we've skipped the slash */
+ 
+@@ -4445,7 +4467,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+   if(isBadFtpString(ftp->passwd))
+     return CURLE_URL_MALFORMAT;
+ 
+-  conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
++  ftpc->known_filesize = -1; /* unknown size for now */
++  ftpc->use_ssl = data->set.use_ssl;
++  ftpc->ccc = data->set.ftp_ccc;
+ 
+   return CURLE_OK;
+ }
+diff --git a/lib/ftp.h b/lib/ftp.h
+index 7f6f432..3f33e27 100644
+--- a/lib/ftp.h
++++ b/lib/ftp.h
+@@ -117,6 +117,8 @@ struct FTP {
+    struct */
+ struct ftp_conn {
+   struct pingpong pp;
++  char *account;
++  char *alternative_to_user;
+   char *entrypath; /* the PWD reply when we logged on */
+   char **dirs;   /* realloc()ed array for path components */
+   int dirdepth;  /* number of entries used in the 'dirs' array */
+@@ -144,6 +146,9 @@ struct ftp_conn {
+   ftpstate state; /* always use ftp.c:state() to change state! */
+   ftpstate state_saved; /* transfer type saved to be reloaded after
+                            data connection is established */
++  unsigned char use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
++                              IMAP or POP3 or others! (type: curl_usessl)*/
++  unsigned char ccc;       /* ccc level for this connection */
+   curl_off_t retr_size_saved; /* Size of retrieved file saved */
+   char *server_os;     /* The target server operating system. */
+   curl_off_t known_filesize; /* file size is different from -1, if wildcard
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 3339a67..6fc111d 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2039,7 +2039,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+     arg = va_arg(param, long);
+     if((arg < CURLUSESSL_NONE) || (arg > CURLUSESSL_ALL))
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+-    data->set.use_ssl = (curl_usessl)arg;
++    data->set.use_ssl = (unsigned char)arg;
+     break;
+ 
+   case CURLOPT_SSL_OPTIONS:
+diff --git a/lib/url.c b/lib/url.c
+index 61ba832..4e21838 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1309,7 +1309,18 @@ ConnectionExists(struct Curl_easy *data,
+         if(!ssh_config_matches(needle, check))
+           continue;
+       }
+-
++#ifndef CURL_DISABLE_FTP
++      if(needle->handler->protocol & (CURLPROTO_FTP|CURLPROTO_FTPS)) {
++        /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
++        if(Curl_timestrcmp(needle->proto.ftpc.account,
++                           check->proto.ftpc.account) ||
++           Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
++                           check->proto.ftpc.alternative_to_user) ||
++           (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
++           (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
++          continue;
++      }
++#endif
+       if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
+          needle->bits.tunnel_proxy) {
+         /* The requested connection does not use a HTTP proxy or it uses SSL or
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 9d9ca92..4e2f5b9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1498,6 +1498,8 @@ struct UserDefined {
+   curl_write_callback fwrite_header; /* function that stores headers */
+   curl_write_callback fwrite_rtp;    /* function that stores interleaved RTP */
+   curl_read_callback fread_func_set; /* function that reads the input */
++  unsigned char use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
++                              IMAP or POP3 or others! (type: curl_usessl)*/
+   int is_fread_set; /* boolean, has read callback been set to non-NULL? */
+   int is_fwrite_set; /* boolean, has write callback been set to non-NULL? */
+   curl_progress_callback fprogress; /* OLD and deprecated progress callback  */
+@@ -1622,8 +1624,6 @@ struct UserDefined {
+   bool ftp_use_eprt;     /* if EPRT is to be attempted or not */
+   bool ftp_use_pret;     /* if PRET is to be used before PASV or not */
+ 
+-  curl_usessl use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
+-                            IMAP or POP3 or others! */
+   curl_ftpauth ftpsslauth; /* what AUTH XXX to be attempted */
+   curl_ftpccc ftp_ccc;   /* FTP CCC options */
+   bool no_signal;        /* do not use any signal/alarm handler */
+-- 
+2.39.2
+

SOURCES/0050-curl-7.61.1-sftp-upload-flags.patch

@@ -0,0 +1,34 @@
+From cc52b2d89397ff26b01d791cd1c605cba741aaa4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Felix=20H=C3=A4dicke?= <felixhaedicke@web.de>
+Date: Wed, 24 Jul 2019 11:47:51 +0200
+Subject: [PATCH] ssh-libssh: do not specify O_APPEND when not in append mode
+
+Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
+make much sense. And this combination of flags is not accepted by all
+SFTP servers (at least not Apache SSHD).
+
+Fixes #4147
+Closes #4148
+
+Upstream-commit: 62617495102c60124db8a909f592f063e38a89aa
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ssh-libssh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
+index 4110be2..2414173 100644
+--- a/lib/ssh-libssh.c
++++ b/lib/ssh-libssh.c
+@@ -1112,7 +1112,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
+         flags = O_WRONLY|O_APPEND;
+       else
+         /* Clear file before writing (normal behaviour) */
+-        flags = O_WRONLY|O_APPEND|O_CREAT|O_TRUNC;
++        flags = O_WRONLY|O_CREAT|O_TRUNC;
+ 
+       if(sshc->sftp_file)
+         sftp_close(sshc->sftp_file);
+-- 
+2.39.2
+

SPECS/curl.spec

@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 30%{?dist}
+Release: 30%{?dist}.2
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -136,6 +136,12 @@ Patch46:  0046-curl-7.61.1-h2-window-size.patch
 # fix HTTP multi-header compression denial of service (CVE-2023-23916)
 Patch47:  0047-curl-7.61.1-CVE-2023-23916.patch
 
+# fix FTP too eager connection reuse (CVE-2023-27535)
+Patch48:  0048-curl-7.61.1-CVE-2023-27535.patch
+
+# sftp: do not specify O_APPEND when not in append mode (#2187717)
+Patch50:  0050-curl-7.61.1-sftp-upload-flags.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -356,6 +362,8 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
 %patch45 -p1
 %patch46 -p1
 %patch47 -p1
+%patch48 -p1
+%patch50 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -518,6 +526,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Thu Apr 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30.el8_8.2
+- sftp: do not specify O_APPEND when not in append mode (#2187717)
+
+* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30.el8_8.1
+- fix FTP too eager connection reuse (CVE-2023-27535)
+
 * Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30
 - fix HTTP multi-header compression denial of service (CVE-2023-23916)