Skip to content
Snippets Groups Projects
Commit 676fb20c authored by Rocky Automation's avatar Rocky Automation :tv:
Browse files

import curl-7.76.1-29.el9_4

parent 682eba02
No related branches found
Tags imports/r8/curl-7.61.1-34.el8_10.2
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 541 additions and 2 deletions
.curl.checksum
+ 1
1
View file @ 676fb20c
a50c2a09321bc05b955a258e4c74368344384576891dd5905cf0806d7ed98e34
5a1c0c7eef989f9f7060184ba577089ba2bb7846a736b629eabeceaffa66ad1d
SOURCES/0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch 0 → 100644
+ 169
0
View file @ 676fb20c
From be17dc9d31e805c03372b690dde67838b3bfc12d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 24 May 2023 16:34:11 +0200
Subject: [PATCH] libssh: when keyboard-interactive auth fails, try password
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The state machine had a mistake in that it would not carry on to that
next step.
This also adds a verbose output what methods that are available from the
server and renames the macros that change to the next auth methods to
try.
Reported-by: 左潇峰
Fixes #11196
Closes #11197
---
lib/vssh/libssh.c | 43 +++++++++++++++++++++++++++----------------
1 file changed, 27 insertions(+), 16 deletions(-)
diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
index 7ebe61321419f..1cecb649cb623 100644
--- a/lib/vssh/libssh.c
+++ b/lib/vssh/libssh.c
@@ -565,7 +565,7 @@ static int myssh_is_known(struct Curl_easy *data)
break; \
}
-#define MOVE_TO_LAST_AUTH \
+#define MOVE_TO_PASSWD_AUTH \
if(sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD) { \
rc = SSH_OK; \
state(data, SSH_AUTH_PASS_INIT); \
@@ -575,25 +575,25 @@ static int myssh_is_known(struct Curl_easy *data)
MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED); \
}
-#define MOVE_TO_TERTIARY_AUTH \
+#define MOVE_TO_KEY_AUTH \
if(sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE) { \
rc = SSH_OK; \
state(data, SSH_AUTH_KEY_INIT); \
break; \
} \
else { \
- MOVE_TO_LAST_AUTH; \
+ MOVE_TO_PASSWD_AUTH; \
}
-#define MOVE_TO_SECONDARY_AUTH \
+#define MOVE_TO_GSSAPI_AUTH \
if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) { \
rc = SSH_OK; \
state(data, SSH_AUTH_GSSAPI); \
break; \
} \
else { \
- MOVE_TO_TERTIARY_AUTH; \
+ MOVE_TO_KEY_AUTH; \
}
static
int myssh_auth_interactive(struct connectdata *conn)
@@ -740,6 +740,16 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
}
sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL);
+ if(sshc->auth_methods)
+ infof(data, "SSH authentication methods available: %s%s%s%s",
+ sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY ?
+ "public key, ": "",
+ sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC ?
+ "GSSAPI, " : "",
+ sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE ?
+ "keyboard-interactive, " : "",
+ sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ?
+ "password": "");
if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
state(data, SSH_AUTH_PKEY_INIT);
infof(data, "Authentication using SSH public key file\n");
@@ -761,8 +761,8 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
}
case SSH_AUTH_PKEY_INIT:
if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PUBLICKEY)) {
- MOVE_TO_SECONDARY_AUTH;
+ MOVE_TO_GSSAPI_AUTH;
}
/* Two choices, (1) private key was given on CMD,
* (2) use the "default" keys. */
@@ -776,7 +776,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
}
if(rc != SSH_OK) {
- MOVE_TO_SECONDARY_AUTH;
+ MOVE_TO_GSSAPI_AUTH;
}
}
@@ -826,7 +836,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
break;
}
- MOVE_TO_SECONDARY_AUTH;
+ MOVE_TO_GSSAPI_AUTH;
}
break;
case SSH_AUTH_PKEY:
@@ -828,13 +828,13 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
}
else {
infof(data, "Failed public key authentication (rc: %d)\n", rc);
- MOVE_TO_SECONDARY_AUTH;
+ MOVE_TO_GSSAPI_AUTH;
}
break;
case SSH_AUTH_GSSAPI:
if(!(data->set.ssh_auth_types & CURLSSH_AUTH_GSSAPI)) {
- MOVE_TO_TERTIARY_AUTH;
+ MOVE_TO_KEY_AUTH;
}
rc = ssh_userauth_gssapi(sshc->ssh_session);
@@ -851,7 +851,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
break;
}
- MOVE_TO_TERTIARY_AUTH;
+ MOVE_TO_KEY_AUTH;
break;
case SSH_AUTH_KEY_INIT:
@@ -859,13 +859,12 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
state(data, SSH_AUTH_KEY);
}
else {
- MOVE_TO_LAST_AUTH;
+ MOVE_TO_PASSWD_AUTH;
}
break;
case SSH_AUTH_KEY:
-
- /* Authentication failed. Continue with keyboard-interactive now. */
+ /* keyboard-interactive authentication */
rc = myssh_auth_interactive(conn);
if(rc == SSH_AGAIN) {
break;
@@ -873,13 +873,15 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
if(rc == SSH_OK) {
sshc->authed = TRUE;
infof(data, "completed keyboard interactive authentication\n");
+ state(data, SSH_AUTH_DONE);
+ }
+ else {
+ MOVE_TO_PASSWD_AUTH;
}
- state(data, SSH_AUTH_DONE);
break;
case SSH_AUTH_PASS_INIT:
if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PASSWORD)) {
- /* Host key authentication is intentionally not implemented */
MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED);
}
state(data, SSH_AUTH_PASS);
SOURCES/0033-curl-7.76.1-CVE-2023-38545.patch 0 → 100644
+ 136
0
View file @ 676fb20c
From 1d66562c67fc0099d0fd882c693e51dd0b10c45c Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Sat, 30 Sep 2023 03:40:02 -0400
Subject: [PATCH] socks: return error if hostname too long for remote resolve
Prior to this change the state machine attempted to change the remote
resolve to a local resolve if the hostname was longer than 255
characters. Unfortunately that did not work as intended and caused a
security issue.
Name resolvers cannot resolve hostnames longer than 255 characters.
Bug: https://curl.se/docs/CVE-2023-38545.html
---
lib/socks.c | 8 +++---
tests/data/Makefile.inc | 2 +-
tests/data/test728 | 64 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 69 insertions(+), 5 deletions(-)
create mode 100644 tests/data/test728
diff --git a/lib/socks.c b/lib/socks.c
index c492d663c..a7b5ab07e 100644
--- a/lib/socks.c
+++ b/lib/socks.c
@@ -531,13 +531,13 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
infof(data, "SOCKS5: connecting to HTTP proxy %s port %d\n",
hostname, remote_port);
/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
if(!socks5_resolve_local && hostname_len > 255) {
- infof(data, "SOCKS5: server resolving disabled for hostnames of "
- "length > 255 [actual len=%zu]\n", hostname_len);
- socks5_resolve_local = TRUE;
+ failf(data, "SOCKS5: the destination hostname is too long to be "
+ "resolved remotely by the proxy.");
+ return CURLPX_LONG_HOSTNAME;
}
if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
infof(data,
"warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu\n",
@@ -855,7 +855,7 @@ CONNECT_RESOLVE_REMOTE:
if(!socks5_resolve_local) {
socksreq[len++] = 3; /* ATYP: domain name = 3 */
- socksreq[len++] = (char) hostname_len; /* one byte address length */
+ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
len += hostname_len;
infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n",
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 081e344d4..62ee53578 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -99,7 +99,7 @@ test672 test673 test674 test675 test676 test677 test678 test679 test680 \
\
test700 test701 test702 test703 test704 test705 test706 test707 test708 \
test709 test710 test711 test712 test713 test714 test715 test716 test717 \
-test718 \
+test718 test728 \
\
test800 test801 test802 test803 test804 test805 test806 test807 test808 \
test809 test810 test811 test812 test813 test814 test815 test816 test817 \
diff --git a/tests/data/test728 b/tests/data/test728
new file mode 100644
index 000000000..05bcf2883
--- /dev/null
+++ b/tests/data/test728
@@ -0,0 +1,64 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+SOCKS5
+SOCKS5h
+followlocation
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+# The hostname in this redirect is 256 characters and too long (> 255) for
+# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
+<data>
+HTTP/1.1 301 Moved Permanently
+Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
+Content-Length: 0
+Connection: close
+
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+proxy
+</features>
+<server>
+http
+socks5
+</server>
+ <name>
+SOCKS5h with HTTP redirect to hostname too long
+ </name>
+ <command>
+--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="yes">
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+<errorcode>
+97
+</errorcode>
+# the error message is verified because error code CURLE_PROXY (97) may be
+# returned for any number of reasons and we need to make sure it is
+# specifically for the reason below so that we know the check is working.
+<stderr mode="text">
+curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
+</stderr>
+</verify>
+</testcase>
--
2.42.0
SOURCES/0034-curl-7.76.1-CVE-2023-38546.patch 0 → 100644
+ 123
0
View file @ 676fb20c
From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 14 Sep 2023 23:28:32 +0200
Subject: [PATCH] cookie: remove unnecessary struct fields
Plus: reduce the hash table size from 256 to 63. It seems unlikely to
make much of a speed difference for most use cases but saves 1.5KB of
data per instance.
Closes #11862
---
lib/cookie.c | 13 +------------
lib/cookie.h | 13 ++++---------
lib/easy.c | 4 +---
3 files changed, 6 insertions(+), 24 deletions(-)
diff --git a/lib/cookie.c b/lib/cookie.c
index 4345a84c6fd9d..e39c89a94a960 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
free(co->name);
free(co->value);
free(co->maxage);
- free(co->version);
free(co);
}
@@ -717,11 +716,7 @@ Curl_cookie_add(struct Curl_easy *data,
}
}
else if(strcasecompare("version", name)) {
- strstore(&co->version, whatptr);
- if(!co->version) {
- badcookie = TRUE;
- break;
- }
+ /* just ignore */
}
else if(strcasecompare("max-age", name)) {
/* Defined in RFC2109:
@@ -1159,7 +1154,6 @@ Curl_cookie_add(struct Curl_easy *data,
free(clist->path);
free(clist->spath);
free(clist->expirestr);
- free(clist->version);
free(clist->maxage);
*clist = *co; /* then store all the new data */
@@ -1223,9 +1217,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
c = calloc(1, sizeof(struct CookieInfo));
if(!c)
return NULL; /* failed to get memory */
- c->filename = strdup(file?file:"none"); /* copy the name just in case */
- if(!c->filename)
- goto fail; /* failed to get memory */
}
else {
/* we got an already existing one, use that */
@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
CLONE(name);
CLONE(value);
CLONE(maxage);
- CLONE(version);
d->expires = src->expires;
d->tailmatch = src->tailmatch;
d->secure = src->secure;
@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
{
if(c) {
unsigned int i;
- free(c->filename);
for(i = 0; i < COOKIE_HASH_SIZE; i++)
Curl_cookie_freelist(c->cookies[i]);
free(c); /* free the base struct as well */
diff --git a/lib/cookie.h b/lib/cookie.h
index b3c0063b2cfb2..41e9e7a6914e0 100644
--- a/lib/cookie.h
+++ b/lib/cookie.h
@@ -36,11 +36,7 @@ struct Cookie {
char *domain; /* domain = <this> */
curl_off_t expires; /* expires = <this> */
char *expirestr; /* the plain text version */
-
- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
- char *version; /* Version = <value> */
char *maxage; /* Max-Age = <value> */
-
bool tailmatch; /* whether we do tail-matching of the domain name */
bool secure; /* whether the 'secure' keyword was used */
bool livecookie; /* updated from a server, not a stored file */
@@ -56,14 +52,13 @@ struct Cookie {
#define COOKIE_PREFIX__SECURE (1<<0)
#define COOKIE_PREFIX__HOST (1<<1)
-#define COOKIE_HASH_SIZE 256
+#define COOKIE_HASH_SIZE 63
struct CookieInfo {
/* linked list of cookies we know of */
struct Cookie *cookies[COOKIE_HASH_SIZE];
- char *filename; /* file we read from/write to */
- long numcookies; /* number of cookies in the "jar" */
+ int numcookies; /* number of cookies in the "jar" */
bool running; /* state info, for cookie adding information */
bool newsession; /* new session, discard session cookies on load */
int lastct; /* last creation-time used in the jar */
diff --git a/lib/easy.c b/lib/easy.c
index 16bbd35251d40..03195481f9780 100644
--- a/lib/easy.c
+++ b/lib/easy.c
@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
if(data->cookies) {
/* If cookies are enabled in the parent handle, we enable them
in the clone as well! */
- outcurl->cookies = Curl_cookie_init(data,
- data->cookies->filename,
- outcurl->cookies,
+ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
data->set.cookiesession);
if(!outcurl->cookies)
goto fail;
SOURCES/0035-curl-7.76.1-64K-sftp.patch 0 → 100644
+ 31
0
View file @ 676fb20c
From 35eb2614d86316ba9f5a6806ce64f56680fa1e97 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 5 Sep 2023 17:33:41 +0200
Subject: [PATCH] libssh: cap SFTP packet size sent
Due to libssh limitations
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Closes #11804
---
lib/vssh/libssh.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
index dea0084575859b..7c6a2e53f338fa 100644
--- a/lib/vssh/libssh.c
+++ b/lib/vssh/libssh.c
@@ -2567,6 +2567,12 @@ static ssize_t sftp_send(struct Curl_easy *data, int sockindex,
struct connectdata *conn = data->conn;
(void)sockindex;
+ /* limit the writes to the maximum specified in Section 3 of
+ * https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-02
+ */
+ if(len > 32768)
+ len = 32768;
+
nwrite = sftp_write(conn->proto.sshc.sftp_file, mem, len);
myssh_block2waitfor(conn, FALSE);
SOURCES/0036-curl-7.76.1-CVE-2023-46218.patch 0 → 100644
+ 48
0
View file @ 676fb20c
From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 23 Nov 2023 08:15:47 +0100
Subject: [PATCH] cookie: lowercase the domain names before PSL checks
Reported-by: Harry Sintonen
Closes #12387
---
lib/cookie.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/lib/cookie.c b/lib/cookie.c
index 568cf537ad1b1f..9095cea3e97f22 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data,
* dereference it.
*/
if(data && (domain && co->domain && !isip(co->domain))) {
- const psl_ctx_t *psl = Curl_psl_use(data);
- int acceptable;
-
- if(psl) {
- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
- Curl_psl_release(data);
+ bool acceptable = FALSE;
+ char lcase[256];
+ char lcookie[256];
+ size_t dlen = strlen(domain);
+ size_t clen = strlen(co->domain);
+ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
+ const psl_ctx_t *psl = Curl_psl_use(data);
+ if(psl) {
+ /* the PSL check requires lowercase domain name and pattern */
+ Curl_strntolower(lcase, domain, dlen + 1);
+ Curl_strntolower(lcookie, co->domain, clen + 1);
+ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
+ Curl_psl_release(data);
+ }
+ else
+ acceptable = !bad_domain(domain);
}
- else
- acceptable = !bad_domain(domain);
if(!acceptable) {
infof(data, "cookie '%s' dropped, domain '%s' must not "
SPECS/curl.spec
+ 33
1
View file @ 676fb20c
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.76.1
Release: 26%{?dist}
Release: 29%{?dist}
License: MIT
Source: https://curl.se/download/%{name}-%{version}.tar.xz
......@@ -95,6 +95,21 @@ Patch30: 0030-curl-7.76.1-CVE-2023-28322.patch
# fix host name wildcard checking
Patch31: 0031-curl-7.76.1-CVE-2023-28321.patch
# when keyboard-interactive auth fails, try password
Patch32: 0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch
# return error if hostname too long for remote resolve
Patch33: 0033-curl-7.76.1-CVE-2023-38545.patch
# fix cookie injection with none file (CVE-2023-38546)
Patch34: 0034-curl-7.76.1-CVE-2023-38546.patch
# cap SFTP packet size sent (RHEL-14697)
Patch35: 0035-curl-7.76.1-64K-sftp.patch
# lowercase the domain names before PSL checks (CVE-2023-46218)
Patch36: 0036-curl-7.76.1-CVE-2023-46218.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
......@@ -300,6 +315,11 @@ be installed.
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
# Fedora patches
%patch101 -p1
......@@ -525,6 +545,18 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
* Wed Mar 6 2024 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-29
- rebuild for 9.4 GA
* Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-28
- return error if hostname too long for remote resolve (CVE-2023-38545)
- fix cookie injection with none file (CVE-2023-38546)
- cap SFTP packet size sent (RHEL-14697)
- lowercase the domain names before PSL checks (CVE-2023-46218)
* Tue Sep 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-27
- when keyboard-interactive auth fails, try password (#2229800)
* Mon Jun 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26
- unify the upload/method handling (CVE-2023-28322)
- fix host name wildcard checking (CVE-2023-28321)
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment