Make up incomplete patch for host name wildcard checking

Resolves: RHEL-5675
2024-12-17 20:29:09 +01:00 · 2024-12-17 20:29:09 +01:00 · c2418f1822
commit c2418f1822
parent e0200bae40
2 changed files with 14 additions and 9 deletions
--- a/0031-curl-7.76.1-CVE-2023-28321.patch
+++ b/0031-curl-7.76.1-CVE-2023-28321.patch
@ -41,7 +41,7 @@ index e827dc58f378c..d061c6356f97f 100644
 /*
  * Match a hostname against a wildcard pattern.
  * E.g.
-@@ -65,26 +76,27 @@
+@@ -65,26 +76,31 @@
 
 static int hostmatch(char *hostname, char *pattern)
 {
@ -73,10 +73,14 @@ index e827dc58f378c..d061c6356f97f 100644
 -  if(pattern_wildcard == NULL)
 -    return strcasecompare(pattern, hostname) ?
 -      CURL_HOST_MATCH : CURL_HOST_NOMATCH;
-+  if(hostname[hostlen-1]=='.')
+  if(hostname[hostlen-1]=='.') {
 +    hostname[hostlen-1] = 0;
-+  if(pattern[patternlen-1]=='.')
+    hostlen--;
+  }
+  if(pattern[patternlen-1]=='.') {
 +    pattern[patternlen-1] = 0;
+    patternlen--;
+  }
 +
 +  if(strncmp(pattern, "*.", 2))
 +    return pmatch(hostname, hostlen, pattern, patternlen);
@ -143,7 +147,7 @@ index 84f962abebee3..f31b2c2a3f330 100644
 </keywords>
 </info>
 
-@@ -15,9 +14,9 @@ none
+@@ -14,9 +13,9 @@ none
 <features>
 unittest
 </features>
@ -154,7 +158,7 @@ index 84f962abebee3..f31b2c2a3f330 100644
 +Curl_cert_hostcheck unit tests
 +</name>
 </client>
- 
+
 </testcase>
 diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c
 index 2f3d3aa4d09e1..3ae75618d5d10 100644
@ -169,7 +173,7 @@ index 2f3d3aa4d09e1..3ae75618d5d10 100644
 static CURLcode unit_setup(void)
 {
   return CURLE_OK;
-@@ -30,50 +28,93 @@ static CURLcode unit_setup(void)
+@@ -30,50 +28,91 @@ static CURLcode unit_setup(void)
 
 static void unit_stop(void)
 {
@ -280,9 +284,7 @@ index 2f3d3aa4d09e1..3ae75618d5d10 100644
 +  int i;
 +  for(i = 0; tests[i].host; i++) {
 +    if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern,
-+                                             strlen(tests[i].pattern),
-+                                             tests[i].host,
-+                                             strlen(tests[i].host))) {
+                                             tests[i].host)) {
 +      fprintf(stderr,
 +              "HOST: %s\n"
 +              "PTRN: %s\n"
--- a/curl.spec
+++ b/curl.spec
@ -586,6 +586,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Tue Dec 17 2024 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-32
+- make up incomplete patch for host name wildcard checking (RHEL-5675)
+
 * Thu Aug 22 2024 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-31
 - provide common cleanup method for push headers (CVE-2024-2398)