diff --git a/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch b/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch new file mode 100644 index 0000000..591c1cd --- /dev/null +++ b/SOURCES/0025-curl-7.76.1-CVE-2023-27533.patch @@ -0,0 +1,59 @@ +From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 6 Mar 2023 12:07:33 +0100 +Subject: [PATCH] telnet: only accept option arguments in ascii + +To avoid embedded telnet negotiation commands etc. + +Reported-by: Harry Sintonen +Closes #10728 + +Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684 +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 22bc81e..baea885 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data, + } + } + ++static bool str_is_nonascii(const char *str) ++{ ++ size_t len = strlen(str); ++ while(len--) { ++ if(*str & 0x80) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + static CURLcode check_telnet_options(struct Curl_easy *data) + { + struct curl_slist *head; +@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) + /* Add the user name as an environment variable if it + was given on the command line */ + if(conn->bits.user_passwd) { ++ if(str_is_nonascii(data->conn->user)) ++ return CURLE_BAD_FUNCTION_ARGUMENT; + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { +@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) + for(head = data->set.telnet_options; head; head = head->next) { + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", + option_keyword, option_arg) == 2) { ++ if(str_is_nonascii(option_arg)) ++ continue; + + /* Terminal type */ + if(strcasecompare(option_keyword, "TTYPE")) { +-- +2.39.2 + diff --git a/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch b/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch new file mode 100644 index 0000000..f9cff95 --- /dev/null +++ b/SOURCES/0026-curl-7.76.1-CVE-2023-27534.patch @@ -0,0 +1,1060 @@ +From 5085070dd92fe08f1de2c751fe54f52203ad3160 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 16 Oct 2022 18:09:14 +0200 +Subject: [PATCH 1/4] curl_path: return error if given a NULL homedir + +Closes #9740 + +Upstream-commit: 025bad1182ff87facbddd280dd07a0fc26b99f45 +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 6100d77..35ea5b3 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -120,7 +120,8 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + bool relativePath = false; + static const char WHITESPACE[] = " \t\r\n"; + +- if(!*cp) { ++ DEBUGASSERT(homedir); ++ if(!*cp || !homedir) { + *cpp = NULL; + *path = NULL; + return CURLE_QUOTE_ERROR; +-- +2.39.2 + + +From 69d0f1ba04c9c57d04f8e546e663ef9e9dba4542 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 30 Oct 2022 17:38:16 +0100 +Subject: [PATCH 2/4] style: use space after comment start and before comment + end + +/* like this */ + +/*not this*/ + +checksrc is updated accordingly + +Closes #9828 + +Upstream-commit: 52cc4a85fd7e5265ba8ff0f08adf4858f6773a11 +Signed-off-by: Kamil Dudka +--- + docs/examples/ephiperfifo.c | 4 +- + docs/examples/usercertinmem.c | 4 +- + include/curl/curl.h | 10 +-- + include/curl/typecheck-gcc.h | 2 +- + lib/curl_path.c | 4 - + lib/curl_rtmp.c | 12 +-- + lib/curl_setup.h | 2 +- + lib/dict.c | 2 +- + lib/file.c | 2 +- + lib/ftp.c | 2 +- + lib/gopher.c | 2 +- + lib/http.c | 4 +- + lib/http_chunks.c | 2 +- + lib/rtsp.c | 4 +- + lib/rtsp.h | 2 +- + lib/telnet.c | 2 +- + lib/urldata.h | 4 +- + lib/vauth/digest.c | 4 +- + lib/vauth/krb5_sspi.c | 2 +- + lib/vssh/libssh2.c | 4 +- + lib/vtls/schannel.c | 4 +- + lib/vtls/sectransp.c | 2 - + src/tool_cfgable.h | 5 +- + src/tool_getparam.c | 4 +- + tests/libtest/lib1525.c | 2 +- + tests/libtest/lib1526.c | 2 +- + tests/libtest/lib1527.c | 2 +- + tests/libtest/lib1528.c | 2 +- + tests/libtest/lib1591.c | 2 +- + tests/libtest/lib506.c | 2 +- + tests/libtest/lib557.c | 2 +- + tests/libtest/lib586.c | 2 +- + tests/libtest/stub_gssapi.h | 160 +++++++++++++++++----------------- + tests/server/tftp.h | 2 +- + tests/server/util.c | 2 +- + tests/unit/unit1300.c | 4 +- + 36 files changed, 132 insertions(+), 141 deletions(-) + +diff --git a/docs/examples/ephiperfifo.c b/docs/examples/ephiperfifo.c +index 11761b9..75336a4 100644 +--- a/docs/examples/ephiperfifo.c ++++ b/docs/examples/ephiperfifo.c +@@ -164,7 +164,7 @@ static int multi_timer_cb(CURLM *multi, long timeout_ms, GlobalInfo *g) + memset(&its, 0, sizeof(struct itimerspec)); + } + +- timerfd_settime(g->tfd, /*flags=*/0, &its, NULL); ++ timerfd_settime(g->tfd, /* flags= */0, &its, NULL); + return 0; + } + +@@ -195,7 +195,7 @@ static void check_multi_info(GlobalInfo *g) + } + } + +-/* Called by libevent when we get action on a multi socket filedescriptor*/ ++/* Called by libevent when we get action on a multi socket filedescriptor */ + static void event_cb(GlobalInfo *g, int fd, int revents) + { + CURLMcode rc; +diff --git a/docs/examples/usercertinmem.c b/docs/examples/usercertinmem.c +index 35218bd..79d3aef 100644 +--- a/docs/examples/usercertinmem.c ++++ b/docs/examples/usercertinmem.c +@@ -92,7 +92,7 @@ static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm) + "omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD\n"\ + "-----END CERTIFICATE-----\n"; + +-/*replace the XXX with the actual RSA key*/ ++/* replace the XXX with the actual RSA key */ + const char *mykey = + "-----BEGIN RSA PRIVATE KEY-----\n"\ + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"\ +@@ -190,7 +190,7 @@ int main(void) + curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "PEM"); + + /* both VERIFYPEER and VERIFYHOST are set to 0 in this case because there is +- no CA certificate*/ ++ no CA certificate */ + + curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, 0L); + curl_easy_setopt(ch, CURLOPT_SSL_VERIFYHOST, 0L); +diff --git a/include/curl/curl.h b/include/curl/curl.h +index bed8068..680303b 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -371,7 +371,7 @@ typedef int (*curl_seek_callback)(void *instream, + #define CURL_READFUNC_PAUSE 0x10000001 + + /* Return code for when the trailing headers' callback has terminated +- without any errors*/ ++ without any errors */ + #define CURL_TRAILERFUNC_OK 0 + /* Return code for when was an error in the trailing header's list and we + want to abort the request */ +@@ -453,7 +453,7 @@ typedef void *(*curl_calloc_callback)(size_t nmemb, size_t size); + #define CURL_DID_MEMORY_FUNC_TYPEDEFS + #endif + +-/* the kind of data that is passed to information_callback*/ ++/* the kind of data that is passed to information_callback */ + typedef enum { + CURLINFO_TEXT = 0, + CURLINFO_HEADER_IN, /* 1 */ +@@ -689,7 +689,7 @@ typedef enum { + #define CURLOPT_WRITEINFO CURLOPT_OBSOLETE40 + #define CURLOPT_CLOSEPOLICY CURLOPT_OBSOLETE72 + +-#endif /*!CURL_NO_OLDIES*/ ++#endif /* !CURL_NO_OLDIES */ + + /* + * Proxy error codes. Returned in CURLINFO_PROXY_ERROR if CURLE_PROXY was +@@ -834,7 +834,7 @@ enum curl_khstat { + CURLKHSTAT_DEFER, /* do not accept it, but we can't answer right now so + this causes a CURLE_DEFER error but otherwise the + connection will be left intact etc */ +- CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key*/ ++ CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key */ + CURLKHSTAT_LAST /* not for use, only a marker for last-in-list */ + }; + +@@ -908,7 +908,7 @@ typedef enum { + #define CURLFTPSSL_ALL CURLUSESSL_ALL + #define CURLFTPSSL_LAST CURLUSESSL_LAST + #define curl_ftpssl curl_usessl +-#endif /*!CURL_NO_OLDIES*/ ++#endif /* !CURL_NO_OLDIES */ + + /* parameter for the CURLOPT_FTP_SSL_CCC option */ + typedef enum { +diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h +index 34d0267..9e6fafd 100644 +--- a/include/curl/typecheck-gcc.h ++++ b/include/curl/typecheck-gcc.h +@@ -429,7 +429,7 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t, + (CURLINFO_OFF_T < (info)) + + +-/* typecheck helpers -- check whether given expression has requested type*/ ++/* typecheck helpers -- check whether given expression has requested type */ + + /* For pointers, you can use the curlcheck_ptr/curlcheck_arr macros, + * otherwise define a new macro. Search for __builtin_types_compatible_p +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 35ea5b3..649da7d 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -146,15 +146,12 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + break; + } + if(cp[i] == '\0') { /* End of string */ +- /*error("Unterminated quote");*/ + goto fail; + } + if(cp[i] == '\\') { /* Escaped characters */ + i++; + if(cp[i] != '\'' && cp[i] != '\"' && + cp[i] != '\\') { +- /*error("Bad escaped character '\\%c'", +- cp[i]);*/ + goto fail; + } + } +@@ -162,7 +159,6 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + } + + if(j == 0) { +- /*error("Empty quotes");*/ + goto fail; + } + *cpp = cp + i + strspn(cp + i, WHITESPACE); +diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c +index 2fa0267..8caba76 100644 +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -83,7 +83,7 @@ const struct Curl_handler Curl_handler_rtmp = { + PORT_RTMP, /* defport */ + CURLPROTO_RTMP, /* protocol */ + CURLPROTO_RTMP, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpt = { +@@ -106,7 +106,7 @@ const struct Curl_handler Curl_handler_rtmpt = { + PORT_RTMPT, /* defport */ + CURLPROTO_RTMPT, /* protocol */ + CURLPROTO_RTMPT, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpe = { +@@ -129,7 +129,7 @@ const struct Curl_handler Curl_handler_rtmpe = { + PORT_RTMP, /* defport */ + CURLPROTO_RTMPE, /* protocol */ + CURLPROTO_RTMPE, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpte = { +@@ -152,7 +152,7 @@ const struct Curl_handler Curl_handler_rtmpte = { + PORT_RTMPT, /* defport */ + CURLPROTO_RTMPTE, /* protocol */ + CURLPROTO_RTMPTE, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmps = { +@@ -175,7 +175,7 @@ const struct Curl_handler Curl_handler_rtmps = { + PORT_RTMPS, /* defport */ + CURLPROTO_RTMPS, /* protocol */ + CURLPROTO_RTMP, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpts = { +@@ -198,7 +198,7 @@ const struct Curl_handler Curl_handler_rtmpts = { + PORT_RTMPS, /* defport */ + CURLPROTO_RTMPTS, /* protocol */ + CURLPROTO_RTMPT, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + static CURLcode rtmp_setup_connection(struct Curl_easy *data, +diff --git a/lib/curl_setup.h b/lib/curl_setup.h +index cf1c26a..1d81141 100644 +--- a/lib/curl_setup.h ++++ b/lib/curl_setup.h +@@ -680,7 +680,7 @@ int netware_init(void); + # define UNUSED_PARAM __attribute__((__unused__)) + # define WARN_UNUSED_RESULT __attribute__((warn_unused_result)) + #else +-# define UNUSED_PARAM /*NOTHING*/ ++# define UNUSED_PARAM /* NOTHING */ + # define WARN_UNUSED_RESULT + #endif + +diff --git a/lib/dict.c b/lib/dict.c +index 7b27f79..0ccfc0e 100644 +--- a/lib/dict.c ++++ b/lib/dict.c +@@ -321,4 +321,4 @@ static CURLcode dict_do(struct Curl_easy *data, bool *done) + + return CURLE_OK; + } +-#endif /*CURL_DISABLE_DICT*/ ++#endif /* CURL_DISABLE_DICT */ +diff --git a/lib/file.c b/lib/file.c +index 10d8f05..8b67c12 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -311,7 +311,7 @@ static CURLcode file_upload(struct Curl_easy *data) + + nread = readcount; + +- /*skip bytes before resume point*/ ++ /* skip bytes before resume point */ + if(data->state.resume_from) { + if((curl_off_t)nread <= data->state.resume_from) { + data->state.resume_from -= nread; +diff --git a/lib/ftp.c b/lib/ftp.c +index e920138..6043dea 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1166,7 +1166,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, + port++; + } + +- /* maybe all ports were in use already*/ ++ /* maybe all ports were in use already */ + if(port > port_max) { + failf(data, "bind() failed, we ran out of ports!"); + Curl_closesocket(data, conn, portsock); +diff --git a/lib/gopher.c b/lib/gopher.c +index f61232f..bdd6420 100644 +--- a/lib/gopher.c ++++ b/lib/gopher.c +@@ -234,4 +234,4 @@ static CURLcode gopher_do(struct Curl_easy *data, bool *done) + Curl_setup_transfer(data, FIRSTSOCKET, -1, FALSE, -1); + return CURLE_OK; + } +-#endif /*CURL_DISABLE_GOPHER*/ ++#endif /* CURL_DISABLE_GOPHER */ +diff --git a/lib/http.c b/lib/http.c +index 28ef8dd..9a908fe 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2081,7 +2081,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + { + const char *ptr; + if(!data->state.this_is_a_follow) { +- /* Free to avoid leaking memory on multiple requests*/ ++ /* Free to avoid leaking memory on multiple requests */ + free(data->state.first_host); + + data->state.first_host = strdup(conn->host.name); +@@ -2999,7 +2999,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) + /* continue with HTTP/1.1 when explicitly requested */ + break; + default: +- /* Check if user wants to use HTTP/2 with clear TCP*/ ++ /* Check if user wants to use HTTP/2 with clear TCP */ + #ifdef USE_NGHTTP2 + if(data->state.httpwant == CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE) { + #ifndef CURL_DISABLE_PROXY +diff --git a/lib/http_chunks.c b/lib/http_chunks.c +index beb9695..2c8b6c0 100644 +--- a/lib/http_chunks.c ++++ b/lib/http_chunks.c +@@ -124,7 +124,7 @@ CHUNKcode Curl_httpchunk_read(struct Curl_easy *data, + *wrote = 0; /* nothing's written yet */ + + /* the original data is written to the client, but we go on with the +- chunk read process, to properly calculate the content length*/ ++ chunk read process, to properly calculate the content length */ + if(data->set.http_te_skip && !k->ignorebody) { + result = Curl_client_write(data, CLIENTWRITE_BODY, datap, datalen); + if(result) { +diff --git a/lib/rtsp.c b/lib/rtsp.c +index cdd49dc..3391a8e 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -309,7 +309,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + break; + case RTSPREQ_RECEIVE: + p_request = ""; +- /* Treat interleaved RTP as body*/ ++ /* Treat interleaved RTP as body */ + data->set.opt_no_body = FALSE; + break; + case RTSPREQ_LAST: +@@ -645,7 +645,7 @@ static CURLcode rtsp_rtp_readwrite(struct Curl_easy *data, + rtp_length = RTP_PKT_LENGTH(rtp); + + if(rtp_dataleft < rtp_length + 4) { +- /* Need more - incomplete payload*/ ++ /* Need more - incomplete payload */ + *readmore = TRUE; + break; + } +diff --git a/lib/rtsp.h b/lib/rtsp.h +index 1e9cb7d..2776359 100644 +--- a/lib/rtsp.h ++++ b/lib/rtsp.h +@@ -60,7 +60,7 @@ struct RTSP { + * HTTP functions can safely treat this as an HTTP struct, but RTSP aware + * functions can also index into the later elements. + */ +- struct HTTP http_wrapper; /*wrap HTTP to do the heavy lifting */ ++ struct HTTP http_wrapper; /* wrap HTTP to do the heavy lifting */ + + long CSeq_sent; /* CSeq of this request */ + long CSeq_recv; /* CSeq received */ +diff --git a/lib/telnet.c b/lib/telnet.c +index 803d4c5..82fde7d 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -569,7 +569,7 @@ void rec_do(struct Curl_easy *data, int option) + sendsuboption(data, option); + } + else if(tn->subnegotiation[option] == CURL_YES) { +- /* send information to achieve this option*/ ++ /* send information to achieve this option */ + tn->us[option] = CURL_YES; + send_negotiation(data, CURL_WILL, option); + sendsuboption(data, option); +diff --git a/lib/urldata.h b/lib/urldata.h +index 52e4583..c9a52ab 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -243,7 +243,7 @@ struct ssl_connect_data { + + struct ssl_primary_config { + long version; /* what version the client wants to use */ +- long version_max; /* max supported version the client wants to use*/ ++ long version_max; /* max supported version the client wants to use */ + char *CApath; /* certificate dir (doesn't work on windows) */ + char *CAfile; /* certificate to verify peer against */ + char *issuercert; /* optional issuer certificate filename */ +@@ -281,7 +281,7 @@ struct ssl_config_data { + char *key_passwd; /* plain text private key password */ + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); +- BIT(enable_beast); /* allow this flaw for interoperability's sake*/ ++ BIT(enable_beast); /* allow this flaw for interoperability's sake */ + BIT(no_revoke); /* disable SSL certificate revocation checks */ + BIT(no_partialchain); /* don't accept partial certificate chains */ + BIT(revoke_best_effort); /* ignore SSL revocation offline/missing revocation +diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c +index 559852f..3fc4e50 100644 +--- a/lib/vauth/digest.c ++++ b/lib/vauth/digest.c +@@ -139,7 +139,7 @@ bool Curl_auth_digest_get_pair(const char *str, char *value, char *content, + } + + #if !defined(USE_WINDOWS_SSPI) +-/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string*/ ++/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string */ + static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ + unsigned char *dest) /* 33 bytes */ + { +@@ -148,7 +148,7 @@ static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ + msnprintf((char *) &dest[i * 2], 3, "%02x", source[i]); + } + +-/* Convert sha256 chunk to RFC7616 -suitable ascii string*/ ++/* Convert sha256 chunk to RFC7616 -suitable ascii string */ + static void auth_digest_sha256_to_ascii(unsigned char *source, /* 32 bytes */ + unsigned char *dest) /* 65 bytes */ + { +diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c +index b2d1635..26bb794 100644 +--- a/lib/vauth/krb5_sspi.c ++++ b/lib/vauth/krb5_sspi.c +@@ -530,4 +530,4 @@ void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5) + krb5->token_max = 0; + } + +-#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5*/ ++#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5 */ +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index 0a468dd..e1c55b0 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -571,9 +571,9 @@ static CURLcode ssh_knownhost(struct Curl_easy *data) + /* remove old host+key that doesn't match */ + if(host) + libssh2_knownhost_del(sshc->kh, host); +- /*FALLTHROUGH*/ ++ /* FALLTHROUGH */ + case CURLKHSTAT_FINE: +- /*FALLTHROUGH*/ ++ /* FALLTHROUGH */ + case CURLKHSTAT_FINE_ADD_TO_FILE: + /* proceed */ + if(keycheck != LIBSSH2_KNOWNHOST_CHECK_MATCH) { +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index a80eb50..61f4abf 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -195,7 +195,7 @@ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct Curl_easy *data, + return CURLE_OK; + } + +-/*longest is 26, buffer is slightly bigger*/ ++/* longest is 26, buffer is slightly bigger */ + #define LONGEST_ALG_ID 32 + #define CIPHEROPTION(X) \ + if(strcmp(#X, tmp) == 0) \ +@@ -218,7 +218,7 @@ get_alg_id_by_name(char *name) + CIPHEROPTION(CALG_MAC); + CIPHEROPTION(CALG_RSA_SIGN); + CIPHEROPTION(CALG_DSS_SIGN); +-/*ifdefs for the options that are defined conditionally in wincrypt.h*/ ++/* ifdefs for the options that are defined conditionally in wincrypt.h */ + #ifdef CALG_NO_SIGN + CIPHEROPTION(CALG_NO_SIGN); + #endif +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index f2d7835..febf51a 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -197,7 +197,6 @@ static OSStatus SocketRead(SSLConnectionRef connection, + size_t bytesToGo = *dataLength; + size_t initLen = bytesToGo; + UInt8 *currData = (UInt8 *)data; +- /*int sock = *(int *)connection;*/ + struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; + struct ssl_backend_data *backend = connssl->backend; + int sock = backend->ssl_sockfd; +@@ -258,7 +257,6 @@ static OSStatus SocketWrite(SSLConnectionRef connection, + size_t *dataLength) /* IN/OUT */ + { + size_t bytesSent = 0; +- /*int sock = *(int *)connection;*/ + struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; + struct ssl_backend_data *backend = connssl->backend; + int sock = backend->ssl_sockfd; +diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h +index 95c66d0..5046772 100644 +--- a/src/tool_cfgable.h ++++ b/src/tool_cfgable.h +@@ -258,11 +258,8 @@ struct OperationConfig { + bool xattr; /* store metadata in extended attributes */ + long gssapi_delegation; + bool ssl_allow_beast; /* allow this SSL vulnerability */ +- bool proxy_ssl_allow_beast; /* allow this SSL vulnerability for proxy*/ +- ++ bool proxy_ssl_allow_beast; /* allow this SSL vulnerability for proxy */ + bool ssl_no_revoke; /* disable SSL certificate revocation checks */ +- /*bool proxy_ssl_no_revoke; */ +- + bool ssl_revoke_best_effort; /* ignore SSL revocation offline/missing + revocation list errors */ + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index f1393c3..51232ba 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -1064,7 +1064,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + /* This specifies the noproxy list */ + GetStr(&config->noproxy, nextarg); + break; +- case '7': /* --socks5-gssapi-nec*/ ++ case '7': /* --socks5-gssapi-nec */ + config->socks5_gssapi_nec = toggle; + break; + case '8': /* --proxy1.0 */ +@@ -1230,7 +1230,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + config->httpversion = CURL_HTTP_VERSION_2_0; + break; + case '3': /* --http2-prior-knowledge */ +- /* HTTP version 2.0 over clean TCP*/ ++ /* HTTP version 2.0 over clean TCP */ + config->httpversion = CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE; + break; + case '4': /* --http3 */ +diff --git a/tests/libtest/lib1525.c b/tests/libtest/lib1525.c +index a2a4db2..912372f 100644 +--- a/tests/libtest/lib1525.c ++++ b/tests/libtest/lib1525.c +@@ -48,7 +48,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1526.c b/tests/libtest/lib1526.c +index 37abc61..b287277 100644 +--- a/tests/libtest/lib1526.c ++++ b/tests/libtest/lib1526.c +@@ -46,7 +46,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL, *phl = NULL, *tmp = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1527.c b/tests/libtest/lib1527.c +index 9e0e452..2f7c91b 100644 +--- a/tests/libtest/lib1527.c ++++ b/tests/libtest/lib1527.c +@@ -47,7 +47,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http header list*/ ++ /* http header list */ + struct curl_slist *hhl = NULL, *tmp = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1528.c b/tests/libtest/lib1528.c +index 98a332c..52dc0a0 100644 +--- a/tests/libtest/lib1528.c ++++ b/tests/libtest/lib1528.c +@@ -28,7 +28,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http header list*/ ++ /* http header list */ + struct curl_slist *hhl = NULL; + struct curl_slist *phl = NULL; + +diff --git a/tests/libtest/lib1591.c b/tests/libtest/lib1591.c +index 8349b1d..f7149cf 100644 +--- a/tests/libtest/lib1591.c ++++ b/tests/libtest/lib1591.c +@@ -75,7 +75,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib506.c b/tests/libtest/lib506.c +index 559e731..acea39a 100644 +--- a/tests/libtest/lib506.c ++++ b/tests/libtest/lib506.c +@@ -347,7 +347,7 @@ int test(char *URL) + printf("-----------------\n"); + curl_slist_free_all(cookies); + +- /* try to free share, expect to fail because share is in use*/ ++ /* try to free share, expect to fail because share is in use */ + printf("try SHARE_CLEANUP...\n"); + scode = curl_share_cleanup(share); + if(scode == CURLSHE_OK) { +diff --git a/tests/libtest/lib557.c b/tests/libtest/lib557.c +index 00fbca3..4105a76 100644 +--- a/tests/libtest/lib557.c ++++ b/tests/libtest/lib557.c +@@ -1494,7 +1494,7 @@ static int test_weird_arguments(void) + "0123456789" /* 10 7 */ + "0123456789" /* 10 8 */ + "0123456789" /* 10 9 */ +- "0123456789" /* 10 10*/ ++ "0123456789" /* 10 10 */ + "0123456789" /* 10 11 */ + "01234567" /* 8 */ + ); +diff --git a/tests/libtest/lib586.c b/tests/libtest/lib586.c +index da63e7c..8d7822d 100644 +--- a/tests/libtest/lib586.c ++++ b/tests/libtest/lib586.c +@@ -215,7 +215,7 @@ int test(char *URL) + printf("PERFORM\n"); + curl_easy_perform(curl); + +- /* try to free share, expect to fail because share is in use*/ ++ /* try to free share, expect to fail because share is in use */ + printf("try SHARE_CLEANUP...\n"); + scode = curl_share_cleanup(share); + if(scode == CURLSHE_OK) { +diff --git a/tests/libtest/stub_gssapi.h b/tests/libtest/stub_gssapi.h +index 5a89102..735630c 100644 +--- a/tests/libtest/stub_gssapi.h ++++ b/tests/libtest/stub_gssapi.h +@@ -98,85 +98,85 @@ typedef struct gss_channel_bindings_struct { + gss_buffer_desc application_data; + } *gss_channel_bindings_t; + +-OM_uint32 gss_release_buffer(OM_uint32 * /*minor_status*/, +- gss_buffer_t /*buffer*/); +- +-OM_uint32 gss_init_sec_context(OM_uint32 * /*minor_status*/, +- gss_const_cred_id_t /*initiator_cred_handle*/, +- gss_ctx_id_t * /*context_handle*/, +- gss_const_name_t /*target_name*/, +- const gss_OID /*mech_type*/, +- OM_uint32 /*req_flags*/, +- OM_uint32 /*time_req*/, +- const gss_channel_bindings_t /*input_chan_bindings*/, +- const gss_buffer_t /*input_token*/, +- gss_OID * /*actual_mech_type*/, +- gss_buffer_t /*output_token*/, +- OM_uint32 * /*ret_flags*/, +- OM_uint32 * /*time_rec*/); +- +-OM_uint32 gss_delete_sec_context(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t * /*context_handle*/, +- gss_buffer_t /*output_token*/); +- +-OM_uint32 gss_inquire_context(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- gss_name_t * /*src_name*/, +- gss_name_t * /*targ_name*/, +- OM_uint32 * /*lifetime_rec*/, +- gss_OID * /*mech_type*/, +- OM_uint32 * /*ctx_flags*/, +- int * /*locally_initiated*/, +- int * /*open_context*/); +- +-OM_uint32 gss_wrap(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- int /*conf_req_flag*/, +- gss_qop_t /*qop_req*/, +- const gss_buffer_t /*input_message_buffer*/, +- int * /*conf_state*/, +- gss_buffer_t /*output_message_buffer*/); +- +-OM_uint32 gss_unwrap(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- const gss_buffer_t /*input_message_buffer*/, +- gss_buffer_t /*output_message_buffer*/, +- int * /*conf_state*/, +- gss_qop_t * /*qop_state*/); +- +-OM_uint32 gss_seal(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t /*context_handle*/, +- int /*conf_req_flag*/, +- int /*qop_req*/, +- gss_buffer_t /*input_message_buffer*/, +- int * /*conf_state*/, +- gss_buffer_t /*output_message_buffer*/); +- +-OM_uint32 gss_unseal(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t /*context_handle*/, +- gss_buffer_t /*input_message_buffer*/, +- gss_buffer_t /*output_message_buffer*/, +- int * /*conf_state*/, +- int * /*qop_state*/); +- +-OM_uint32 gss_import_name(OM_uint32 * /*minor_status*/, +- const gss_buffer_t /*input_name_buffer*/, +- const gss_OID /*input_name_type*/, +- gss_name_t * /*output_name*/); +- +-OM_uint32 gss_release_name(OM_uint32 * /*minor_status*/, +- gss_name_t * /*input_name*/); +- +-OM_uint32 gss_display_name(OM_uint32 * /*minor_status*/, +- gss_const_name_t /*input_name*/, +- gss_buffer_t /*output_name_buffer*/, +- gss_OID * /*output_name_type*/); +- +-OM_uint32 gss_display_status(OM_uint32 * /*minor_status*/, +- OM_uint32 /*status_value*/, +- int /*status_type*/, +- const gss_OID /*mech_type*/, +- OM_uint32 * /*message_context*/, +- gss_buffer_t /*status_string*/); ++OM_uint32 gss_release_buffer(OM_uint32 * /* minor_status */, ++ gss_buffer_t /* buffer */); ++ ++OM_uint32 gss_init_sec_context(OM_uint32 * /* minor_status */, ++ gss_const_cred_id_t /* initiator_cred_handle */, ++ gss_ctx_id_t * /* context_handle */, ++ gss_const_name_t /* target_name */, ++ const gss_OID /* mech_type */, ++ OM_uint32 /* req_flags */, ++ OM_uint32 /* time_req */, ++ const gss_channel_bindings_t /* input_chan_bindings */, ++ const gss_buffer_t /* input_token */, ++ gss_OID * /* actual_mech_type */, ++ gss_buffer_t /* output_token */, ++ OM_uint32 * /* ret_flags */, ++ OM_uint32 * /* time_rec */); ++ ++OM_uint32 gss_delete_sec_context(OM_uint32 * /* minor_status */, ++ gss_ctx_id_t * /* context_handle */, ++ gss_buffer_t /* output_token */); ++ ++OM_uint32 gss_inquire_context(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ gss_name_t * /* src_name */, ++ gss_name_t * /* targ_name */, ++ OM_uint32 * /* lifetime_rec */, ++ gss_OID * /* mech_type */, ++ OM_uint32 * /* ctx_flags */, ++ int * /* locally_initiated */, ++ int * /* open_context */); ++ ++OM_uint32 gss_wrap(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ int /* conf_req_flag */, ++ gss_qop_t /* qop_req */, ++ const gss_buffer_t /* input_message_buffer */, ++ int * /* conf_state */, ++ gss_buffer_t /* output_message_buffer */); ++ ++OM_uint32 gss_unwrap(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ const gss_buffer_t /* input_message_buffer */, ++ gss_buffer_t /* output_message_buffer */, ++ int * /* conf_state */, ++ gss_qop_t * /* qop_state */); ++ ++OM_uint32 gss_seal(OM_uint32 * /* minor_status */, ++ gss_ctx_id_t /* context_handle n */, ++ int /* conf_req_flag */, ++ int /* qop_req */, ++ gss_buffer_t /* input_message_buffer */, ++ int * /* conf_state */, ++ gss_buffer_t /* output_message_buffer */); ++ ++OM_uint32 gss_unseal(OM_uint32 * /* minor_status */, ++ gss_ctx_id_t /* context_handle */, ++ gss_buffer_t /* input_message_buffer */, ++ gss_buffer_t /* output_message_buffer */, ++ int * /* conf_state */, ++ int * /* qop_state */); ++ ++OM_uint32 gss_import_name(OM_uint32 * /* minor_status */, ++ const gss_buffer_t /* input_name_buffer */, ++ const gss_OID /* input_name_type */, ++ gss_name_t * /* output_name */); ++ ++OM_uint32 gss_release_name(OM_uint32 * /* minor_status */, ++ gss_name_t * /* input_name */); ++ ++OM_uint32 gss_display_name(OM_uint32 * /* minor_status */, ++ gss_const_name_t /* input_name */, ++ gss_buffer_t /* output_name_buffer */, ++ gss_OID * /* output_name_type */); ++ ++OM_uint32 gss_display_status(OM_uint32 * /* minor_status */, ++ OM_uint32 /* status_value */, ++ int /* status_type */, ++ const gss_OID /* mech_type */, ++ OM_uint32 * /* message_context */, ++ gss_buffer_t /* status_string */); + + #endif /* HEADER_CURL_GSSAPI_STUBS_H */ +diff --git a/tests/server/tftp.h b/tests/server/tftp.h +index 5699672..ab59575 100644 +--- a/tests/server/tftp.h ++++ b/tests/server/tftp.h +@@ -32,7 +32,7 @@ + ((__GNUC__ == 2) && defined(__GNUC_MINOR__) && (__GNUC_MINOR__ >= 7))) + # define PACKED_STRUCT __attribute__((__packed__)) + #else +-# define PACKED_STRUCT /*NOTHING*/ ++# define PACKED_STRUCT /* NOTHING */ + #endif + + /* Using a packed struct as binary in a program is begging for problems, but +diff --git a/tests/server/util.c b/tests/server/util.c +index c4f16e4..a0dec98 100644 +--- a/tests/server/util.c ++++ b/tests/server/util.c +@@ -65,7 +65,7 @@ + ((__W32API_MAJOR_VERSION == 3) && (__W32API_MINOR_VERSION < 6)) + const struct in6_addr in6addr_any = {{ IN6ADDR_ANY_INIT }}; + #endif /* w32api < 3.6 */ +-#endif /* ENABLE_IPV6 && __MINGW32__*/ ++#endif /* ENABLE_IPV6 && __MINGW32__ */ + + static struct timeval tvnow(void); + +diff --git a/tests/unit/unit1300.c b/tests/unit/unit1300.c +index aba068a..936c77e 100644 +--- a/tests/unit/unit1300.c ++++ b/tests/unit/unit1300.c +@@ -91,10 +91,10 @@ UNITTEST_START + + fail_unless(Curl_llist_count(&llist) == 1, + "List size should be 1 after adding a new element"); +- /*test that the list head data holds my unusedData */ ++ /* test that the list head data holds my unusedData */ + fail_unless(llist.head->ptr == &unusedData_case1, + "head ptr should be first entry"); +- /*same goes for the list tail */ ++ /* same goes for the list tail */ + fail_unless(llist.tail == llist.head, + "tail and head should be the same"); + +-- +2.39.2 + + +From ab44f4893b87cb3ef567be525a393bc174b031e7 Mon Sep 17 00:00:00 2001 +From: Eric Vigeant +Date: Wed, 2 Nov 2022 11:47:09 -0400 +Subject: [PATCH 3/4] cur_path: do not add '/' if homedir ends with one + +When using SFTP and a path relative to the user home, do not add a +trailing '/' to the user home dir if it already ends with one. + +Closes #9844 + +Upstream-commit: 6c51adeb71da076c5c40a45e339e06bb4394a86b +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 649da7d..5be6637 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -69,10 +69,14 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data, + /* It is referenced to the home directory, so strip the + leading '/' */ + memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; ++ /* Only add a trailing '/' if homedir does not end with one */ ++ if(homelen == 0 || real_path[homelen - 1] != '/') { ++ real_path[homelen] = '/'; ++ homelen++; ++ real_path[homelen] = '\0'; ++ } + if(working_path_len > 3) { +- memcpy(real_path + homelen + 1, working_path + 3, ++ memcpy(real_path + homelen, working_path + 3, + 1 + working_path_len -3); + } + } +-- +2.39.2 + + +From a0b0e531267239c2beb4aeca15a0581a411d9c7b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 16:22:11 +0100 +Subject: [PATCH 4/4] curl_path: create the new path with dynbuf + +Closes #10729 + +Upstream-commit: 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 75 +++++++++++++++++++++++-------------------------- + 1 file changed, 35 insertions(+), 40 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 5be6637..b654aff 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -30,70 +30,65 @@ + #include "escape.h" + #include "memdebug.h" + ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */ ++ + /* figure out the path to work with in this particular request */ + CURLcode Curl_getworkingpath(struct Curl_easy *data, + char *homedir, /* when SFTP is used */ + char **path) /* returns the allocated + real path to work with */ + { +- char *real_path = NULL; + char *working_path; + size_t working_path_len; ++ struct dynbuf npath; + CURLcode result = + Curl_urldecode(data, data->state.up.path, 0, &working_path, + &working_path_len, REJECT_ZERO); + if(result) + return result; + ++ /* new path to switch to in case we need to */ ++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); ++ + /* Check for /~/, indicating relative to the user's home directory */ +- if(data->conn->handler->protocol & CURLPROTO_SCP) { +- real_path = malloc(working_path_len + 1); +- if(real_path == NULL) { ++ if((data->conn->handler->protocol & CURLPROTO_SCP) && ++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { ++ /* It is referenced to the home directory, so strip the leading '/~/' */ ++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { + free(working_path); + return CURLE_OUT_OF_MEMORY; + } +- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) +- /* It is referenced to the home directory, so strip the leading '/~/' */ +- memcpy(real_path, working_path + 3, working_path_len - 2); +- else +- memcpy(real_path, working_path, 1 + working_path_len); + } +- else if(data->conn->handler->protocol & CURLPROTO_SFTP) { +- if((working_path_len > 1) && (working_path[1] == '~')) { +- size_t homelen = strlen(homedir); +- real_path = malloc(homelen + working_path_len + 1); +- if(real_path == NULL) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- /* It is referenced to the home directory, so strip the +- leading '/' */ +- memcpy(real_path, homedir, homelen); +- /* Only add a trailing '/' if homedir does not end with one */ +- if(homelen == 0 || real_path[homelen - 1] != '/') { +- real_path[homelen] = '/'; +- homelen++; +- real_path[homelen] = '\0'; +- } +- if(working_path_len > 3) { +- memcpy(real_path + homelen, working_path + 3, +- 1 + working_path_len -3); +- } ++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && ++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { ++ size_t len; ++ const char *p; ++ int copyfrom = 3; ++ if(Curl_dyn_add(&npath, homedir)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } +- else { +- real_path = malloc(working_path_len + 1); +- if(real_path == NULL) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- memcpy(real_path, working_path, 1 + working_path_len); ++ /* Copy a separating '/' if homedir does not end with one */ ++ len = Curl_dyn_len(&npath); ++ p = Curl_dyn_ptr(&npath); ++ if(len && (p[len-1] != '/')) ++ copyfrom = 2; ++ ++ if(Curl_dyn_addn(&npath, ++ &working_path[copyfrom], working_path_len - copyfrom)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } + } + +- free(working_path); ++ if(Curl_dyn_len(&npath)) { ++ free(working_path); + +- /* store the pointer for the caller to receive */ +- *path = real_path; ++ /* store the pointer for the caller to receive */ ++ *path = Curl_dyn_ptr(&npath); ++ } ++ else ++ *path = working_path; + + return CURLE_OK; + } +-- +2.39.2 + diff --git a/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch b/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch new file mode 100644 index 0000000..7888e19 --- /dev/null +++ b/SOURCES/0028-curl-7.76.1-CVE-2023-27536.patch @@ -0,0 +1,54 @@ +From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Reported-by: Harry Sintonen +Closes #10731 + +Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index 3b11b7e..cbbc7f3 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1325,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; +@@ -1785,6 +1790,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +diff --git a/lib/urldata.h b/lib/urldata.h +index ce90304..9e16f26 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -995,6 +995,7 @@ struct connectdata { + char *sasl_authzid; /* authorisation identity string, allocated */ + char *oauth_bearer; /* OAUTH2 bearer, allocated */ + unsigned char httpversion; /* the HTTP version*10 reported by the server */ ++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */ + struct curltime now; /* "current" time */ + struct curltime created; /* creation time */ + struct curltime lastused; /* when returned to the connection cache */ +-- +2.39.2 + diff --git a/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch b/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch new file mode 100644 index 0000000..030b6bb --- /dev/null +++ b/SOURCES/0029-curl-7.76.1-CVE-2023-27538.patch @@ -0,0 +1,30 @@ +From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 08:22:51 +0100 +Subject: [PATCH] url: fix the SSH connection reuse check + +Reported-by: Harry Sintonen +Closes #10735 + +Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb +Signed-off-by: Kamil Dudka +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index 0c31486..3b11b7e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1330,7 +1330,7 @@ ConnectionExists(struct Curl_easy *data, + if(needle->gssapi_delegation != check->gssapi_delegation) + continue; + +- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } +-- +2.39.2 + diff --git a/SOURCES/0029-curl-7.76.1-CVE-2023-28322.patch b/SOURCES/0030-curl-7.76.1-CVE-2023-28322.patch similarity index 100% rename from SOURCES/0029-curl-7.76.1-CVE-2023-28322.patch rename to SOURCES/0030-curl-7.76.1-CVE-2023-28322.patch diff --git a/SOURCES/0028-curl-7.76.1-CVE-2023-28321.patch b/SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch similarity index 99% rename from SOURCES/0028-curl-7.76.1-CVE-2023-28321.patch rename to SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch index 0ca45f7..b306e91 100644 --- a/SOURCES/0028-curl-7.76.1-CVE-2023-28321.patch +++ b/SOURCES/0031-curl-7.76.1-CVE-2023-28321.patch @@ -143,7 +143,7 @@ index 84f962abebee3..f31b2c2a3f330 100644 -@@ -14,9 +13,9 @@ none +@@ -15,9 +14,9 @@ none unittest diff --git a/SOURCES/0030-curl-7.76.1-CVE-2023-38545.patch b/SOURCES/0032-curl-7.76.1-CVE-2023-38545.patch similarity index 100% rename from SOURCES/0030-curl-7.76.1-CVE-2023-38545.patch rename to SOURCES/0032-curl-7.76.1-CVE-2023-38545.patch diff --git a/SOURCES/0031-curl-7.61.1-CVE-2023-38546.patch b/SOURCES/0033-curl-7.61.1-CVE-2023-38546.patch similarity index 100% rename from SOURCES/0031-curl-7.61.1-CVE-2023-38546.patch rename to SOURCES/0033-curl-7.61.1-CVE-2023-38546.patch diff --git a/SPECS/curl.spec b/SPECS/curl.spec index fb0b4fd..f2c0c82 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.76.1 -Release: 23%{?dist}.4 +Release: 26%{?dist}.2 License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -74,20 +74,32 @@ Patch23: 0023-curl-7.76.1-CVE-2022-43552.patch # fix HTTP multi-header compression denial of service (CVE-2023-23916) Patch24: 0024-curl-7.76.1-CVE-2023-23916.patch +# fix TELNET option IAC injection (CVE-2023-27533) +Patch25: 0025-curl-7.76.1-CVE-2023-27533.patch + +# fix SFTP path ~ resolving discrepancy (CVE-2023-27534) +Patch26: 0026-curl-7.76.1-CVE-2023-27534.patch + # fix FTP too eager connection reuse (CVE-2023-27535) Patch27: 0027-curl-7.76.1-CVE-2023-27535.patch -# fix host name wildcard checking (CVE-2023-28321) -Patch28: 0028-curl-7.76.1-CVE-2023-28321.patch +# fix GSS delegation too eager connection re-use (CVE-2023-27536) +Patch28: 0028-curl-7.76.1-CVE-2023-27536.patch + +# fix SSH connection too eager reuse still (CVE-2023-27538) +Patch29: 0029-curl-7.76.1-CVE-2023-27538.patch # unify the upload/method handling (CVE-2023-28322) -Patch29: 0029-curl-7.76.1-CVE-2023-28322.patch +Patch30: 0030-curl-7.76.1-CVE-2023-28322.patch + +# fix host name wildcard checking +Patch31: 0031-curl-7.76.1-CVE-2023-28321.patch # return error if hostname too long for remote resolve (CVE-2023-38545) -Patch30: 0030-curl-7.76.1-CVE-2023-38545.patch +Patch32: 0032-curl-7.76.1-CVE-2023-38545.patch # fix cookie injection with none file (CVE-2023-38546) -Patch31: 0031-curl-7.61.1-CVE-2023-38546.patch +Patch33: 0033-curl-7.61.1-CVE-2023-38546.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -287,11 +299,15 @@ be installed. %patch22 -p1 %patch23 -p1 %patch24 -p1 +%patch25 -p1 +%patch26 -p1 %patch27 -p1 %patch28 -p1 %patch29 -p1 %patch30 -p1 %patch31 -p1 +%patch32 -p1 +%patch33 -p1 # Fedora patches %patch101 -p1 @@ -517,18 +533,25 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Thu Oct 12 2023 Jacek Migacz - 7.76.1-23.el9_2.4 +* Thu Oct 12 2023 Jacek Migacz - 7.76.1-26.el9_3.2 - fix cookie injection with none file (CVE-2023-38546) -* Tue Oct 10 2023 Jacek Migacz - 7.76.1-23.el9_2.3 -- return error if hostname too long for remote resolve (CVE-2023-38545) +* Tue Oct 10 2023 Jacek Migacz - 7.76.1-26.el9_3.1 +- socks: return error if hostname too long for remote resolve (CVE-2023-38545) -* Tue Jun 27 2023 Jacek Migacz - 7.76.1-23.el9_2.2 -- fix host name wildcard checking (CVE-2023-28321) +* Mon Jun 12 2023 Jacek Migacz - 7.76.1-26 - unify the upload/method handling (CVE-2023-28322) +- fix host name wildcard checking (CVE-2023-28321) -* Fri Mar 24 2023 Kamil Dudka - 7.76.1-23.el9_2.1 +* Wed Apr 12 2023 Kamil Dudka - 7.76.1-25 +- adapt the fix of CVE-2023-27535 for RHEL 9 curl + +* Fri Mar 24 2023 Kamil Dudka - 7.76.1-24 +- fix SSH connection too eager reuse still (CVE-2023-27538) +- fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) +- fix SFTP path ~ resolving discrepancy (CVE-2023-27534) +- fix TELNET option IAC injection (CVE-2023-27533) * Wed Feb 15 2023 Kamil Dudka - 7.76.1-23 - fix HTTP multi-header compression denial of service (CVE-2023-23916)