import UBI curl-7.76.1-26.el9_3.2

2023-11-07 13:40:05 +00:00 · 2023-11-07 13:40:05 +00:00 · d4ccb545ea
commit d4ccb545ea
parent 559781d385
9 changed files with 1239 additions and 13 deletions
--- a/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch
+++ b/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch
@ -0,0 +1,59 @@
+From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Mar 2023 12:07:33 +0100
+Subject: [PATCH] telnet: only accept option arguments in ascii
+
+To avoid embedded telnet negotiation commands etc.
+
+Reported-by: Harry Sintonen
+Closes #10728
+
+Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/telnet.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 22bc81e..baea885 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data,
+   }
+ }
+ 
+static bool str_is_nonascii(const char *str)
+{
+  size_t len = strlen(str);
+  while(len--) {
+    if(*str & 0x80)
+      return TRUE;
+    str++;
+  }
+  return FALSE;
+}
+
+ static CURLcode check_telnet_options(struct Curl_easy *data)
+ {
+   struct curl_slist *head;
+@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   /* Add the user name as an environment variable if it
+      was given on the command line */
+   if(conn->bits.user_passwd) {
+    if(str_is_nonascii(data->conn->user))
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+     msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
+     beg = curl_slist_append(tn->telnet_vars, option_arg);
+     if(!beg) {
+@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   for(head = data->set.telnet_options; head; head = head->next) {
+     if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
+               option_keyword, option_arg) == 2) {
+      if(str_is_nonascii(option_arg))
+        continue;
+ 
+       /* Terminal type */
+       if(strcasecompare(option_keyword, "TTYPE")) {
+-- 
+2.39.2
+
--- a/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch
+++ b/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch
--- a/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch
+++ b/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch
@ -0,0 +1,54 @@
+From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 09:22:43 +0100
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Reported-by: Harry Sintonen
+Closes #10731
+
+Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c     | 6 ++++++
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 3b11b7e..cbbc7f3 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -1325,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data,
+         }
+       }
+ 
+      /* GSS delegation differences do not actually affect every connection
+         and auth method, but this check takes precaution before efficiency */
+      if(needle->gssapi_delegation != check->gssapi_delegation)
+        continue;
+
+       if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+         if(!ssh_config_matches(needle, check))
+           continue;
+@@ -1785,6 +1790,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+   conn->fclosesocket = data->set.fclosesocket;
+   conn->closesocket_client = data->set.closesocket_client;
+   conn->lastused = Curl_now(); /* used now */
+  conn->gssapi_delegation = data->set.gssapi_delegation;
+ 
+   return conn;
+   error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ce90304..9e16f26 100644
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -995,6 +995,7 @@ struct connectdata {
+   char *sasl_authzid;     /* authorisation identity string, allocated */
+   char *oauth_bearer; /* OAUTH2 bearer, allocated */
+   unsigned char httpversion; /* the HTTP version*10 reported by the server */
+  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
+   struct curltime now;     /* "current" time */
+   struct curltime created; /* creation time */
+   struct curltime lastused; /* when returned to the connection cache */
+-- 
+2.39.2
+
--- a/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch
+++ b/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch
@ -0,0 +1,30 @@
+From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 08:22:51 +0100
+Subject: [PATCH] url: fix the SSH connection reuse check
+
+Reported-by: Harry Sintonen
+Closes #10735
+
+Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 0c31486..3b11b7e 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -1330,7 +1330,7 @@ ConnectionExists(struct Curl_easy *data,
+       if(needle->gssapi_delegation != check->gssapi_delegation)
+         continue;
+ 
+-      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+      if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
+         if(!ssh_config_matches(needle, check))
+           continue;
+       }
+-- 
+2.39.2
+
--- a/SOURCES/0030-curl-7.76.1-CVE-2023-28322.patch
+++ b/SOURCES/0030-curl-7.76.1-CVE-2023-28322.patch
--- a/SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch
+++ b/SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch
@ -143,7 +143,7 @@ index 84f962abebee3..f31b2c2a3f330 100644
 </keywords>
 </info>
 
-@@ -14,9 +13,9 @@ none
+@@ -15,9 +14,9 @@ none
 <features>
 unittest
 </features>
--- a/SOURCES/0032-curl-7.76.1-CVE-2023-38545.patch
+++ b/SOURCES/0032-curl-7.76.1-CVE-2023-38545.patch
--- a/SOURCES/0033-curl-7.61.1-CVE-2023-38546.patch
+++ b/SOURCES/0033-curl-7.61.1-CVE-2023-38546.patch
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 23%{?dist}.4
+Release: 26%{?dist}.2
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz

@ -74,20 +74,32 @@ Patch23:  0023-curl-7.76.1-CVE-2022-43552.patch
 # fix HTTP multi-header compression denial of service (CVE-2023-23916)
 Patch24:  0024-curl-7.76.1-CVE-2023-23916.patch

+# fix TELNET option IAC injection (CVE-2023-27533)
+Patch25:  0025-curl-7.76.1-CVE-2023-27533.patch
+
+# fix SFTP path ~ resolving discrepancy (CVE-2023-27534)
+Patch26:  0026-curl-7.76.1-CVE-2023-27534.patch
+
 # fix FTP too eager connection reuse (CVE-2023-27535)
 Patch27:  0027-curl-7.76.1-CVE-2023-27535.patch

-# fix host name wildcard checking (CVE-2023-28321)
-Patch28:  0028-curl-7.76.1-CVE-2023-28321.patch
+# fix GSS delegation too eager connection re-use (CVE-2023-27536)
+Patch28:  0028-curl-7.76.1-CVE-2023-27536.patch
+
+# fix SSH connection too eager reuse still (CVE-2023-27538)
+Patch29:  0029-curl-7.76.1-CVE-2023-27538.patch

 # unify the upload/method handling (CVE-2023-28322)
-Patch29:  0029-curl-7.76.1-CVE-2023-28322.patch
+Patch30:  0030-curl-7.76.1-CVE-2023-28322.patch
+
+# fix host name wildcard checking
+Patch31:  0031-curl-7.76.1-CVE-2023-28321.patch

 # return error if hostname too long for remote resolve (CVE-2023-38545)
-Patch30:  0030-curl-7.76.1-CVE-2023-38545.patch
+Patch32:  0032-curl-7.76.1-CVE-2023-38545.patch

 # fix cookie injection with none file (CVE-2023-38546)
-Patch31:  0031-curl-7.61.1-CVE-2023-38546.patch
+Patch33:  0033-curl-7.61.1-CVE-2023-38546.patch

 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -287,11 +299,15 @@ be installed.
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
+%patch25 -p1
+%patch26 -p1
 %patch27 -p1
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
 %patch31 -p1
+%patch32 -p1
+%patch33 -p1

 # Fedora patches
 %patch101 -p1
@ -517,18 +533,25 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
-* Thu Oct 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.4
+* Thu Oct 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26.el9_3.2
 - fix cookie injection with none file (CVE-2023-38546)

-* Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.3
- return error if hostname too long for remote resolve (CVE-2023-38545)
+* Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26.el9_3.1
+- socks: return error if hostname too long for remote resolve (CVE-2023-38545)

-* Tue Jun 27 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-23.el9_2.2
- fix host name wildcard checking (CVE-2023-28321)
+* Mon Jun 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26
 - unify the upload/method handling (CVE-2023-28322)
+- fix host name wildcard checking (CVE-2023-28321)

-* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23.el9_2.1
+* Wed Apr 12 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-25
+- adapt the fix of CVE-2023-27535 for RHEL 9 curl
+
+* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-24
+- fix SSH connection too eager reuse still (CVE-2023-27538)
+- fix GSS delegation too eager connection re-use (CVE-2023-27536)
 - fix FTP too eager connection reuse (CVE-2023-27535)
+- fix SFTP path ~ resolving discrepancy (CVE-2023-27534)
+- fix TELNET option IAC injection (CVE-2023-27533)

 * Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23
 - fix HTTP multi-header compression denial of service (CVE-2023-23916)