diff --git a/0061-curl-7.61.1-CVE-2024-2398.patch b/0061-curl-7.61.1-CVE-2024-2398.patch new file mode 100644 index 0000000..8c03455 --- /dev/null +++ b/0061-curl-7.61.1-CVE-2024-2398.patch @@ -0,0 +1,80 @@ +From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index c63ecd38371ab4..96868728a53a1f 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf, + return http2_perform_getsock(conn, sock, numsocks); + } + ++static void free_push_headers(struct HTTP *http) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(http->push_headers[i]); ++ Curl_safefree(http->push_headers); ++ http->push_headers_used = 0; ++} ++ + /* + * http2_stream_free() free HTTP2 stream related data + */ +@@ -306,11 +315,7 @@ static void http2_data_done(struct Curl_cfilter *cf, + http->header_recvbuf = NULL; /* clear the pointer */ + Curl_add_buffer_free(http->trailer_recvbuf); + http->trailer_recvbuf = NULL; /* clear the pointer */ +- for(; http->push_headers_used > 0; --http->push_headers_used) { +- free(http->push_headers[http->push_headers_used - 1]); +- } +- free(http->push_headers); +- http->push_headers = NULL; ++ free_push_headers(http); + } + } + +@@ -860,7 +861,6 @@ static int push_promise(struct Curl_cfilter *cf, + struct curl_pushheaders heads; + CURLMcode rc; + struct http_conn *httpc; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = duphandle(data); + if(!newhandle) { +@@ -904,11 +904,7 @@ static int push_promise(struct Curl_cfilter *cf, + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + /* denied, kill off the new handle again */ +@@ -1426,10 +1422,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, + stream->push_headers_alloc) { + char **headp; + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; diff --git a/curl.spec b/curl.spec index 53f4289..6a05e4d 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 34%{?dist}.1 +Release: 34%{?dist}.2 License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -175,6 +175,9 @@ Patch59: 0059-curl-7.61.1-CVE-2023-46218.patch # lowercase headernames Patch60: 0060-curl-7.61.1-lowercase-headernames.patch +# provide common cleanup method for push headers (CVE-2024-2398) +Patch61: 0061-curl-7.61.1-CVE-2024-2398.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -408,6 +411,7 @@ git apply %{PATCH52} %patch58 -p1 %patch59 -p1 %patch60 -p1 +%patch61 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -570,6 +574,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Aug 14 2024 Jacek Migacz - 7.61.1-34.el8_10.2 +- provide common cleanup method for push headers (CVE-2024-2398) + * Tue Jun 25 2024 Jacek Migacz - 7.61.1-34.el8_10.1 - fix incorrect backport of bz2229800 (RHEL-44684)