new upstream release - 7.66.0
Resolves: CVE-2019-5481 - double free due to subsequent call of realloc()
Resolves: CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet()
parent
91c50ee6d4
commit
da9af16256
@ -1,166 +0,0 @@
|
|||||||
From 90f7ca7bec18b49bf2706430aa6493eda7d7a573 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
Date: Tue, 30 Jul 2019 12:59:35 +0200
|
|
||||||
Subject: [PATCH] http_negotiate: improve handling of gss_init_sec_context()
|
|
||||||
failures
|
|
||||||
|
|
||||||
If HTTPAUTH_GSSNEGOTIATE was used for a POST request and
|
|
||||||
gss_init_sec_context() failed, the POST request was sent
|
|
||||||
with empty body. This commit also restores the original
|
|
||||||
behavior of `curl --fail --negotiate`, which was changed
|
|
||||||
by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59.
|
|
||||||
|
|
||||||
Add regression tests 2077 and 2078 to cover this.
|
|
||||||
|
|
||||||
Fixes #3992
|
|
||||||
Closes #4171
|
|
||||||
|
|
||||||
Upstream-commit: 4c187043c5aac57f354ebb96cc6ff3263411e98d
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/http_negotiate.c | 2 +-
|
|
||||||
tests/data/Makefile.inc | 3 ++-
|
|
||||||
tests/data/test2077 | 42 ++++++++++++++++++++++++++++++++
|
|
||||||
tests/data/test2078 | 54 +++++++++++++++++++++++++++++++++++++++++
|
|
||||||
4 files changed, 99 insertions(+), 2 deletions(-)
|
|
||||||
create mode 100644 tests/data/test2077
|
|
||||||
create mode 100644 tests/data/test2078
|
|
||||||
|
|
||||||
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
|
|
||||||
index c8f406444..fe15dcefb 100644
|
|
||||||
--- a/lib/http_negotiate.c
|
|
||||||
+++ b/lib/http_negotiate.c
|
|
||||||
@@ -151,7 +151,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
|
|
||||||
if(result == CURLE_LOGIN_DENIED) {
|
|
||||||
/* negotiate auth failed, let's continue unauthenticated to stay
|
|
||||||
* compatible with the behavior before curl-7_64_0-158-g6c6035532 */
|
|
||||||
- conn->data->state.authproblem = TRUE;
|
|
||||||
+ authp->done = TRUE;
|
|
||||||
return CURLE_OK;
|
|
||||||
}
|
|
||||||
else if(result)
|
|
||||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
|
||||||
index 693e53d7c..3ed4a03e4 100644
|
|
||||||
--- a/tests/data/Makefile.inc
|
|
||||||
+++ b/tests/data/Makefile.inc
|
|
||||||
@@ -199,7 +199,8 @@ test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 \
|
|
||||||
test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \
|
|
||||||
test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \
|
|
||||||
test2064 test2065 test2066 test2067 test2068 test2069 \
|
|
||||||
- test2071 test2072 test2073 test2074 test2075 test2076 \
|
|
||||||
+ test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
|
|
||||||
+test2078 \
|
|
||||||
test2080 \
|
|
||||||
test2100 \
|
|
||||||
\
|
|
||||||
diff --git a/tests/data/test2077 b/tests/data/test2077
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..0c600f5c3
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/test2077
|
|
||||||
@@ -0,0 +1,42 @@
|
|
||||||
+<testcase>
|
|
||||||
+<info>
|
|
||||||
+<keywords>
|
|
||||||
+HTTP
|
|
||||||
+HTTP GET
|
|
||||||
+GSS-API
|
|
||||||
+</keywords>
|
|
||||||
+</info>
|
|
||||||
+
|
|
||||||
+# Server-side
|
|
||||||
+<reply>
|
|
||||||
+<data>
|
|
||||||
+HTTP/1.1 200 OK swsclose
|
|
||||||
+Content-Length: 23
|
|
||||||
+
|
|
||||||
+This IS the real page!
|
|
||||||
+</data>
|
|
||||||
+</reply>
|
|
||||||
+
|
|
||||||
+# Client-side
|
|
||||||
+<client>
|
|
||||||
+<server>
|
|
||||||
+http
|
|
||||||
+</server>
|
|
||||||
+<features>
|
|
||||||
+GSS-API
|
|
||||||
+</features>
|
|
||||||
+<name>
|
|
||||||
+curl --fail --negotiate to unauthenticated service fails
|
|
||||||
+</name>
|
|
||||||
+<command>
|
|
||||||
+http://%HOSTIP:%HTTPPORT/2077 -u : --fail --negotiate
|
|
||||||
+</command>
|
|
||||||
+</client>
|
|
||||||
+
|
|
||||||
+# Verify data after the test has been "shot"
|
|
||||||
+<verify>
|
|
||||||
+<errorcode>
|
|
||||||
+0
|
|
||||||
+</errorcode>
|
|
||||||
+</verify>
|
|
||||||
+</testcase>
|
|
||||||
diff --git a/tests/data/test2078 b/tests/data/test2078
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..99bc2dbee
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/test2078
|
|
||||||
@@ -0,0 +1,54 @@
|
|
||||||
+<testcase>
|
|
||||||
+<info>
|
|
||||||
+<keywords>
|
|
||||||
+HTTP
|
|
||||||
+HTTP GET
|
|
||||||
+GSS-API
|
|
||||||
+</keywords>
|
|
||||||
+</info>
|
|
||||||
+
|
|
||||||
+# Server-side
|
|
||||||
+<reply>
|
|
||||||
+<data>
|
|
||||||
+HTTP/1.1 200 OK swsclose
|
|
||||||
+Content-Length: 23
|
|
||||||
+
|
|
||||||
+This IS the real page!
|
|
||||||
+</data>
|
|
||||||
+</reply>
|
|
||||||
+
|
|
||||||
+# Client-side
|
|
||||||
+<client>
|
|
||||||
+<server>
|
|
||||||
+http
|
|
||||||
+</server>
|
|
||||||
+<features>
|
|
||||||
+GSS-API
|
|
||||||
+</features>
|
|
||||||
+<name>
|
|
||||||
+curl --negotiate should not send empty POST request only
|
|
||||||
+</name>
|
|
||||||
+<command>
|
|
||||||
+http://%HOSTIP:%HTTPPORT/2078 -u : --negotiate --data name=value
|
|
||||||
+</command>
|
|
||||||
+</client>
|
|
||||||
+
|
|
||||||
+# Verify data after the test has been "shot"
|
|
||||||
+<verify>
|
|
||||||
+<errorcode>
|
|
||||||
+0
|
|
||||||
+</errorcode>
|
|
||||||
+<strip>
|
|
||||||
+^User-Agent:.*
|
|
||||||
+</strip>
|
|
||||||
+<protocol nonewline="yes">
|
|
||||||
+POST /2078 HTTP/1.1
|
|
||||||
+Host: 127.0.0.1:8990
|
|
||||||
+Accept: */*
|
|
||||||
+Content-Length: 10
|
|
||||||
+Content-Type: application/x-www-form-urlencoded
|
|
||||||
+
|
|
||||||
+name=value
|
|
||||||
+</protocol>
|
|
||||||
+</verify>
|
|
||||||
+</testcase>
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,37 +0,0 @@
|
|||||||
From 98d59387c749256c2421b22dc3419b94d381986a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Mon, 26 Aug 2019 16:00:05 +0200
|
|
||||||
Subject: [PATCH] http2: when marked for closure and wanted to close == OK
|
|
||||||
|
|
||||||
It could otherwise return an error even when closed correctly if GOAWAY
|
|
||||||
had been received previously.
|
|
||||||
|
|
||||||
Reported-by: Tom van der Woerdt
|
|
||||||
Fixes #4267
|
|
||||||
Closes #4268
|
|
||||||
|
|
||||||
Upstream-commit: c1b6a384f9c8a91197c20adb49d43f30dc0e917d
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/http2.c | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/lib/http2.c b/lib/http2.c
|
|
||||||
index 930e85165..31d2d698a 100644
|
|
||||||
--- a/lib/http2.c
|
|
||||||
+++ b/lib/http2.c
|
|
||||||
@@ -1566,6 +1566,11 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
|
|
||||||
if(should_close_session(httpc)) {
|
|
||||||
H2BUGF(infof(data,
|
|
||||||
"http2_recv: nothing to do in this session\n"));
|
|
||||||
+ if(conn->bits.close) {
|
|
||||||
+ /* already marked for closure, return OK and we're done */
|
|
||||||
+ *err = CURLE_OK;
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
*err = CURLE_HTTP2;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -12,7 +12,7 @@ diff --git a/configure b/configure
|
|||||||
index 8f079a3..53b4774 100755
|
index 8f079a3..53b4774 100755
|
||||||
--- a/configure
|
--- a/configure
|
||||||
+++ b/configure
|
+++ b/configure
|
||||||
@@ -16288,18 +16288,11 @@ $as_echo "yes" >&6; }
|
@@ -16301,18 +16301,11 @@ $as_echo "yes" >&6; }
|
||||||
gccvhi=`echo $gccver | cut -d . -f1`
|
gccvhi=`echo $gccver | cut -d . -f1`
|
||||||
gccvlo=`echo $gccver | cut -d . -f2`
|
gccvlo=`echo $gccver | cut -d . -f2`
|
||||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||||
|
@ -1,11 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl0xj7oACgkQXMkI/bce
|
|
||||||
EsKYbgf9G41o5x73tc+2TOGt2QmJ7ukyHmd5Vq7XTSNdNU5dJ41Z3qh9Jm72x62i
|
|
||||||
b4kJMjWyoL2j031ml5JevycpMpNa1v784UlPW2tzzL2B7v6vcA4xknJRLWlPlcTJ
|
|
||||||
HOgub6r7g/zhOpdAeJh8o4jkBLUyN+S/HOyHLWcvdWDnhqUAmpZfIqtd8kjqzDul
|
|
||||||
XAkdj7MxWqKZ3wXWwlpp4j81jpfOj7KCC/ZpxlJ0KfefgYEzV23O2hcJzw57jqTy
|
|
||||||
SQZc39uTQOjbZPlBXJD55QeVISCwe53pn55aWQll90XfE3XRapuYZdiL8wLwtl/L
|
|
||||||
tjugTKjfoy9qqOGH5YB/4kHqoSJqow==
|
|
||||||
=Itbi
|
|
||||||
-----END PGP SIGNATURE-----
|
|
11
curl-7.66.0.tar.xz.asc
Normal file
11
curl-7.66.0.tar.xz.asc
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl14i4AACgkQXMkI/bce
|
||||||
|
EsJwgwf/WauX31s687pdOgpPE4ymPuxIrdVl+NovWdOBdQQfIA0c/4lu4onJYPAT
|
||||||
|
K6wq86me5y8fj/Q3ymqQ3H1EcJE2vTHPx/w+zEHNsEILtBMFHdm84CJzhdLlI1GC
|
||||||
|
9iBkjVKk/2s0tBOdC3HuskYLY2y02dHACvTvDJjx42nK4IbsdjoamVdMa7vep1TG
|
||||||
|
abmLRNHkOHKjioYWi0N04c5H5YDpdWOOjFY+EPO+m+YQuJlYkgw90nlmOaqiLcHL
|
||||||
|
3zGCMNXb209wxuNEVKenlhPQ/3FQZ9+8a4b6mMqBX7PDwhDiZLhqIJgVseWdw1r0
|
||||||
|
Qm2suW4eUtlC2DTqTMtusG7EMN8pag==
|
||||||
|
=pFLb
|
||||||
|
-----END PGP SIGNATURE-----
|
17
curl.spec
17
curl.spec
@ -1,16 +1,10 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.65.3
|
Version: 7.66.0
|
||||||
Release: 4%{?dist}
|
Release: 1%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||||
|
|
||||||
# improve handling of gss_init_sec_context() failures
|
|
||||||
Patch1: 0001-curl-7.65.3-negotiate-fails.patch
|
|
||||||
|
|
||||||
# avoid reporting spurious error in the HTTP2 framing layer (#1690971)
|
|
||||||
Patch2: 0002-curl-7.65.3-h2-framing-layer-error.patch
|
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -177,8 +171,6 @@ be installed.
|
|||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
# upstream patches
|
# upstream patches
|
||||||
%patch1 -p1
|
|
||||||
%patch2 -p1
|
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -354,6 +346,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1
|
||||||
|
- new upstream release, which fixes the following vulnerabilities
|
||||||
|
CVE-2019-5481 - double free due to subsequent call of realloc()
|
||||||
|
CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet()
|
||||||
|
|
||||||
* Tue Aug 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-4
|
* Tue Aug 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-4
|
||||||
- avoid reporting spurious error in the HTTP2 framing layer (#1690971)
|
- avoid reporting spurious error in the HTTP2 framing layer (#1690971)
|
||||||
|
|
||||||
|
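Review bot: The first curl.spec hunk shows `Source:` followed directly by the patch list, so the detached signature this commit adds (curl-7.66.0.tar.xz.asc) is not listed as a source in the visible lines. The `%prep` hunk starts at `%setup -q`, so whether anything checks the tarball against that signature before unpacking cannot be seen from here. If nothing does, the only integrity check at build time is the SHA512 in `sources`, which was updated by hand in this same commit. For a release taken specifically to fix CVE-2019-5481 and CVE-2019-5482, I would list the signature and the upstream signing key as additional sources and run `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` ahead of `%setup -q` (the source numbers here are placeholders). It would also help to note in the changelog entry that Patch1 and Patch2 are dropped because 7.66.0 already contains the upstream commits named in their `Upstream-commit:` trailers.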
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (curl-7.65.3.tar.xz) = fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b
|
SHA512 (curl-7.66.0.tar.xz) = 81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35
|
||||||
|