From 676fb20c38f0a6069bc64d044786f6f2e9ef671d Mon Sep 17 00:00:00 2001
From: Peridot Bot <rockyautomation@rockylinux.org>
Date: Wed, 24 Apr 2024 02:03:03 +0000
Subject: [PATCH] import curl-7.76.1-29.el9_4
---
 .curl.checksum | 2 +-
 ...word-when-keyboard-interactive-fails.patch | 169 ++++++++++++++++++
 SOURCES/0033-curl-7.76.1-CVE-2023-38545.patch | 136 ++++++++++++++
 SOURCES/0034-curl-7.76.1-CVE-2023-38546.patch | 123 +++++++++++++
 SOURCES/0035-curl-7.76.1-64K-sftp.patch | 31 ++++
 SOURCES/0036-curl-7.76.1-CVE-2023-46218.patch | 48 +++++
 SPECS/curl.spec | 34 +++-
 7 files changed, 541 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch
 create mode 100644 SOURCES/0033-curl-7.76.1-CVE-2023-38545.patch
 create mode 100644 SOURCES/0034-curl-7.76.1-CVE-2023-38546.patch
 create mode 100644 SOURCES/0035-curl-7.76.1-64K-sftp.patch
 create mode 100644 SOURCES/0036-curl-7.76.1-CVE-2023-46218.patch
diff --git a/.curl.checksum b/.curl.checksum
index cc806fb..b78365f 100644
--- a/.curl.checksum
+++ b/.curl.checksum
@@ -1 +1 @@
-a50c2a09321bc05b955a258e4c74368344384576891dd5905cf0806d7ed98e34
+5a1c0c7eef989f9f7060184ba577089ba2bb7846a736b629eabeceaffa66ad1d
diff --git a/SOURCES/0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch b/SOURCES/0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch
new file mode 100644
index 0000000..e2b4ac1
--- /dev/null
+++ b/SOURCES/0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch
@@ -0,0 +1,169 @@
+From be17dc9d31e805c03372b690dde67838b3bfc12d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 24 May 2023 16:34:11 +0200
+Subject: [PATCH] libssh: when keyboard-interactive auth fails, try password
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The state machine had a mistake in that it would not carry on to that
+next step.
+
+This also adds a verbose output what methods that are available from the
+server and renames the macros that change to the next auth methods to
+try.
+
+Reported-by: 左潇峰
+Fixes #11196
+Closes #11197
+---
+ lib/vssh/libssh.c | 43 +++++++++++++++++++++++++++----------------
+ 1 file changed, 27 insertions(+), 16 deletions(-)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 7ebe61321419f..1cecb649cb623 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -565,7 +565,7 @@ static int myssh_is_known(struct Curl_easy *data)
+ break; \
+ }
+
+-#define MOVE_TO_LAST_AUTH \
++#define MOVE_TO_PASSWD_AUTH \
+ if(sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD) { \
+ rc = SSH_OK; \
+ state(data, SSH_AUTH_PASS_INIT); \
+@@ -575,25 +575,25 @@ static int myssh_is_known(struct Curl_easy *data)
+ MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED); \
+ }
+
+-#define MOVE_TO_TERTIARY_AUTH \
++#define MOVE_TO_KEY_AUTH \
+ if(sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE) { \
+ rc = SSH_OK; \
+ state(data, SSH_AUTH_KEY_INIT); \
+ break; \
+ } \
+ else { \
+- MOVE_TO_LAST_AUTH; \
++ MOVE_TO_PASSWD_AUTH; \
+ }
+
+-#define MOVE_TO_SECONDARY_AUTH \
++#define MOVE_TO_GSSAPI_AUTH \
+ if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) { \
+ rc = SSH_OK; \
+ state(data, SSH_AUTH_GSSAPI); \
+ break; \
+ } \
+ else { \
+- MOVE_TO_TERTIARY_AUTH; \
++ MOVE_TO_KEY_AUTH; \
+ }
+
+ static
+ int myssh_auth_interactive(struct connectdata *conn)
+@@ -740,6 +740,16 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ }
+
+ sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL);
++ if(sshc->auth_methods)
++ infof(data, "SSH authentication methods available: %s%s%s%s",
++ sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY ?
++ "public key, ": "",
++ sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC ?
++ "GSSAPI, " : "",
++ sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE ?
++ "keyboard-interactive, " : "",
++ sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ?
++ "password": "");
+ if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
+ state(data, SSH_AUTH_PKEY_INIT);
+ infof(data, "Authentication using SSH public key file\n");
+@@ -761,8 +761,8 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ }
+ case SSH_AUTH_PKEY_INIT:
+ if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PUBLICKEY)) {
+- MOVE_TO_SECONDARY_AUTH;
++ MOVE_TO_GSSAPI_AUTH;
+ }
+
+ /* Two choices, (1) private key was given on CMD,
+ * (2) use the "default" keys. */
+@@ -776,7 +776,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ }
+
+ if(rc != SSH_OK) {
+- MOVE_TO_SECONDARY_AUTH;
++ MOVE_TO_GSSAPI_AUTH;
+ }
+ }
+
+@@ -826,7 +836,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ break;
+ }
+
+- MOVE_TO_SECONDARY_AUTH;
++ MOVE_TO_GSSAPI_AUTH;
+ }
+ break;
+ case SSH_AUTH_PKEY:
+@@ -828,13 +828,13 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ }
+ else {
+ infof(data, "Failed public key authentication (rc: %d)\n", rc);
+- MOVE_TO_SECONDARY_AUTH;
++ MOVE_TO_GSSAPI_AUTH;
+ }
+ break;
+
+ case SSH_AUTH_GSSAPI:
+ if(!(data->set.ssh_auth_types & CURLSSH_AUTH_GSSAPI)) {
+- MOVE_TO_TERTIARY_AUTH;
++ MOVE_TO_KEY_AUTH;
+ }
+
+ rc = ssh_userauth_gssapi(sshc->ssh_session);
+@@ -851,7 +851,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ break;
+ }
+
+- MOVE_TO_TERTIARY_AUTH;
++ MOVE_TO_KEY_AUTH;
+ break;
+
+ case SSH_AUTH_KEY_INIT:
+@@ -859,13 +859,12 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ state(data, SSH_AUTH_KEY);
+ }
+ else {
+- MOVE_TO_LAST_AUTH;
++ MOVE_TO_PASSWD_AUTH;
+ }
+ break;
+
+ case SSH_AUTH_KEY:
+-
+- /* Authentication failed. Continue with keyboard-interactive now. */
++ /* keyboard-interactive authentication */
+ rc = myssh_auth_interactive(conn);
+ if(rc == SSH_AGAIN) {
+ break;
+@@ -873,13 +873,15 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ if(rc == SSH_OK) {
+ sshc->authed = TRUE;
+ infof(data, "completed keyboard interactive authentication\n");
++ state(data, SSH_AUTH_DONE);
++ }
++ else {
++ MOVE_TO_PASSWD_AUTH;
+ }
+- state(data, SSH_AUTH_DONE);
+ break;
+
+ case SSH_AUTH_PASS_INIT:
+ if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PASSWORD)) {
+- /* Host key authentication is intentionally not implemented */
+ MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED);
+ }
+ state(data, SSH_AUTH_PASS);
diff --git a/SOURCES/0033-curl-7.76.1-CVE-2023-38545.patch b/SOURCES/0033-curl-7.76.1-CVE-2023-38545.patch
new file mode 100644
index 0000000..b3a5487
--- /dev/null
+++ b/SOURCES/0033-curl-7.76.1-CVE-2023-38545.patch
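Review bot: The added `infof(data, "SSH authentication methods available: %s%s%s%s", ...)` call in the `@@ -740,6 +740,16 @@` hunk has no trailing `\n`, while every other infof string visible in this patch ends in one (for example `"Authentication using SSH public key file\n"`), so in this tree the new verbose line will presumably run into the next message; the format should end `%s%s%s%s\n"`. The list also leaves a dangling `", "` whenever password is not among the methods the server offers. Separately, `MOVE_TO_KEY_AUTH` tests `SSH_AUTH_METHOD_INTERACTIVE` and enters `SSH_AUTH_KEY_INIT`, so "KEY" here means keyboard-interactive and not public key; a comment above the macro such as `/* KEY = keyboard-interactive, not public key */` would keep the fallback order (public key, GSSAPI, keyboard-interactive, password) from being misread. myssh_statemach_act starts and ends outside these hunks.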
@@ -0,0 +1,136 @@
+From 1d66562c67fc0099d0fd882c693e51dd0b10c45c Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Sat, 30 Sep 2023 03:40:02 -0400
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+Name resolvers cannot resolve hostnames longer than 255 characters.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+---
+ lib/socks.c | 8 +++---
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test728 | 64 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test728
+
+diff --git a/lib/socks.c b/lib/socks.c
+index c492d663c..a7b5ab07e 100644
+--- a/lib/socks.c
++++ b/lib/socks.c
+@@ -531,13 +531,13 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
+ infof(data, "SOCKS5: connecting to HTTP proxy %s port %d\n",
+ hostname, remote_port);
+
+ /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+ if(!socks5_resolve_local && hostname_len > 255) {
+- infof(data, "SOCKS5: server resolving disabled for hostnames of "
+- "length > 255 [actual len=%zu]\n", hostname_len);
+- socks5_resolve_local = TRUE;
++ failf(data, "SOCKS5: the destination hostname is too long to be "
++ "resolved remotely by the proxy.");
++ return CURLPX_LONG_HOSTNAME;
+ }
+
+ if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+ infof(data,
+ "warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu\n",
+@@ -855,7 +855,7 @@ CONNECT_RESOLVE_REMOTE:
+
+ if(!socks5_resolve_local) {
+ socksreq[len++] = 3; /* ATYP: domain name = 3 */
+- socksreq[len++] = (char) hostname_len; /* one byte address length */
++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+ memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
+ len += hostname_len;
+ infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n",
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 081e344d4..62ee53578 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -99,7 +99,7 @@ test672 test673 test674 test675 test676 test677 test678 test679 test680 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+-test718 \
++test718 test728 \
+ \
+ test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
+diff --git a/tests/data/test728 b/tests/data/test728
+new file mode 100644
+index 000000000..05bcf2883
+--- /dev/null
++++ b/tests/data/test728
+@@ -0,0 +1,64 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++SOCKS5
++SOCKS5h
++followlocation
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++# The hostname in this redirect is 256 characters and too long (> 255) for
++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
++<data> ++HTTP/1.1 301 Moved Permanently ++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ ++Content-Length: 0 ++Connection: close ++ ++</data> ++</reply> ++ ++# ++# Client-side ++<client> ++<features> ++proxy ++</features> ++<server> ++http ++socks5 ++</server> ++ <name> ++SOCKS5h with HTTP redirect to hostname too long ++ </name> ++ <command> ++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++</command> ++</client> ++ ++# ++# Verify data after the test has been "shot" ++<verify> ++<protocol crlf="yes"> ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++</protocol> ++<errorcode> ++97 ++</errorcode> ++# the error message is verified because error code CURLE_PROXY (97) may be ++# returned for any number of reasons and we need to make sure it is ++# specifically for the reason below so that we know the check is working. ++<stderr mode="text"> ++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy. ++</stderr> ++</verify> ++</testcase> +-- +2.42.0 + diff --git a/SOURCES/0034-curl-7.76.1-CVE-2023-38546.patch b/SOURCES/0034-curl-7.76.1-CVE-2023-38546.patch new file mode 100644 index 0000000..36b9afc --- /dev/null +++ b/SOURCES/0034-curl-7.76.1-CVE-2023-38546.patch 
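Review bot: In the `@@ -855,7 +855,7 @@` hunk the one-byte length `socksreq[len++] = (unsigned char) hostname_len;` and the `memcpy(&socksreq[len], hostname, hostname_len)` after it still depend entirely on the `hostname_len > 255` rejection added some 300 lines earlier in the `@@ -531,13 +531,13 @@` hunk. The length byte truncates silently while the copy does not, so a local guard directly before the write, `if(hostname_len > 255) return CURLPX_LONG_HOSTNAME;`, would keep the two in step even if the early check is later moved or this label is reached by another path through the state machine. The size of the buffer behind `socksreq` is not visible in the hunk, so whether 255 bytes plus the request header always fit should be confirmed against its declaration. test728 pins the rejection at 256 characters; a companion case at exactly 255 would pin the boundary from the accepting side. Curl_SOCKS5 begins and ends outside both hunks.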
@@ -0,0 +1,123 @@
+From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH] cookie: remove unnecessary struct fields
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+---
+ lib/cookie.c | 13 +------------
+ lib/cookie.h | 13 ++++---------
+ lib/easy.c | 4 +---
+ 3 files changed, 6 insertions(+), 24 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 4345a84c6fd9d..e39c89a94a960 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
+ free(co->name);
+ free(co->value);
+ free(co->maxage);
+- free(co->version);
+ free(co);
+ }
+
+@@ -717,11 +716,7 @@ Curl_cookie_add(struct Curl_easy *data,
+ }
+ }
+ else if(strcasecompare("version", name)) {
+- strstore(&co->version, whatptr);
+- if(!co->version) {
+- badcookie = TRUE;
+- break;
+- }
++ /* just ignore */
+ }
+ else if(strcasecompare("max-age", name)) {
+ /* Defined in RFC2109:
+@@ -1159,7 +1154,6 @@ Curl_cookie_add(struct Curl_easy *data,
+ free(clist->path);
+ free(clist->spath);
+ free(clist->expirestr);
+- free(clist->version);
+ free(clist->maxage);
+
+ *clist = *co; /* then store all the new data */
+@@ -1223,9 +1217,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+ c = calloc(1, sizeof(struct CookieInfo));
+ if(!c)
+ return NULL; /* failed to get memory */
+- c->filename = strdup(file?file:"none"); /* copy the name just in case */
+- if(!c->filename)
+- goto fail; /* failed to get memory */
+ }
+ else {
+ /* we got an already existing one, use that */
+@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+ CLONE(name);
+ CLONE(value);
+ CLONE(maxage);
+- CLONE(version);
+ d->expires = src->expires;
+ d->tailmatch = src->tailmatch;
+ d->secure = src->secure;
+@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+ if(c) {
+ unsigned int i;
+- free(c->filename);
+ for(i = 0; i < COOKIE_HASH_SIZE; i++)
+ Curl_cookie_freelist(c->cookies[i]);
+ free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index b3c0063b2cfb2..41e9e7a6914e0 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -36,11 +36,7 @@ struct Cookie {
+ char *domain; /* domain = <this> */
+ curl_off_t expires; /* expires = <this> */
+ char *expirestr; /* the plain text version */
+-
+- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+- char *version; /* Version = <value> */
+ char *maxage; /* Max-Age = <value> */
+-
+ bool tailmatch; /* whether we do tail-matching of the domain name */
+ bool secure; /* whether the 'secure' keyword was used */
+ bool livecookie; /* updated from a server, not a stored file */
+@@ -56,14 +52,13 @@ struct Cookie {
+ #define COOKIE_PREFIX__SECURE (1<<0)
+ #define COOKIE_PREFIX__HOST (1<<1)
+
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+
+ struct CookieInfo {
+ /* linked list of cookies we know of */
+ struct Cookie *cookies[COOKIE_HASH_SIZE];
+
+- char *filename; /* file we read from/write to */
+- long numcookies; /* number of cookies in the "jar" */
++ int numcookies; /* number of cookies in the "jar" */
+ bool running; /* state info, for cookie adding information */
+ bool newsession; /* new session, discard session cookies on load */
+ int lastct; /* last creation-time used in the jar */
+diff --git a/lib/easy.c b/lib/easy.c
+index 16bbd35251d40..03195481f9780 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+ if(data->cookies) {
+ /* If cookies are enabled in the parent handle, we enable them
+ in the clone as well! */
+- outcurl->cookies = Curl_cookie_init(data,
+- data->cookies->filename,
+- outcurl->cookies,
++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
+ data->set.cookiesession);
+ if(!outcurl->cookies)
+ goto fail;
diff --git a/SOURCES/0035-curl-7.76.1-64K-sftp.patch b/SOURCES/0035-curl-7.76.1-64K-sftp.patch
new file mode 100644
index 0000000..59e1248
--- /dev/null
+++ b/SOURCES/0035-curl-7.76.1-64K-sftp.patch
@@ -0,0 +1,31 @@
+From 35eb2614d86316ba9f5a6806ce64f56680fa1e97 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 5 Sep 2023 17:33:41 +0200
+Subject: [PATCH] libssh: cap SFTP packet size sent
+
+Due to libssh limitations
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+
+Closes #11804
+---
+ lib/vssh/libssh.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index dea0084575859b..7c6a2e53f338fa 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -2567,6 +2567,12 @@ static ssize_t sftp_send(struct Curl_easy *data, int sockindex,
+ struct connectdata *conn = data->conn;
+ (void)sockindex;
+
++ /* limit the writes to the maximum specified in Section 3 of
++ * https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-02
++ */
++ if(len > 32768)
++ len = 32768;
++
+ nwrite = sftp_write(conn->proto.sshc.sftp_file, mem, len);
+
+ myssh_block2waitfor(conn, FALSE);
diff --git a/SOURCES/0036-curl-7.76.1-CVE-2023-46218.patch b/SOURCES/0036-curl-7.76.1-CVE-2023-46218.patch
new file mode 100644
index 0000000..b7ec7bd
--- /dev/null
+++ b/SOURCES/0036-curl-7.76.1-CVE-2023-46218.patch
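Review bot: The call `Curl_cookie_init(data, NULL, outcurl->cookies, data->set.cookiesession)` in the lib/easy.c hunk carries the security-relevant change of patch 0034 but has no comment saying why the file argument must be NULL. The removed line in Curl_cookie_init, `c->filename = strdup(file?file:"none");`, shows that a handle created without a cookie file still recorded the name `none`, and the old curl_easy_duphandle passed that recorded name back in as a file to use, which appears to be what the spec entry "fix cookie injection with none file" refers to. I would add above the call `/* never pass a file name here: the clone must not load cookies from disk */` so a later refactor does not reintroduce it. The lib/cookie.h hunk also changes `COOKIE_HASH_SIZE` from 256 to 63 and `numcookies` from `long` to `int` in the same backport; the hash function and any formatted output of `numcookies` are outside the hunks and should be checked for assumptions about the old values (a power-of-two table size, a `%ld` conversion).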
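Review bot: The cap in sftp_send (patch 0035) is written as the bare literal 32768 twice, `if(len > 32768)` and `len = 32768;`, and the patch file is named `64K-sftp` although the limit applied is 32 KiB. A named constant used in both places, for example `#define SFTP_MAX_WRITE 32768` (constructed name), would make the intended limit checkable against the draft cited in the comment. After the clamp the function reports fewer bytes written than were requested, so it relies on its caller to loop on short writes; that caller is outside the hunk and worth confirming. sftp_send continues past the last line shown.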
@@ -0,0 +1,48 @@
+From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 23 Nov 2023 08:15:47 +0100
+Subject: [PATCH] cookie: lowercase the domain names before PSL checks
+
+Reported-by: Harry Sintonen
+
+Closes #12387
+---
+ lib/cookie.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 568cf537ad1b1f..9095cea3e97f22 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data,
+ * dereference it.
+ */
+ if(data && (domain && co->domain && !isip(co->domain))) {
+- const psl_ctx_t *psl = Curl_psl_use(data);
+- int acceptable;
+-
+- if(psl) {
+- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
+- Curl_psl_release(data);
++ bool acceptable = FALSE;
++ char lcase[256];
++ char lcookie[256];
++ size_t dlen = strlen(domain);
++ size_t clen = strlen(co->domain);
++ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
++ const psl_ctx_t *psl = Curl_psl_use(data);
++ if(psl) {
++ /* the PSL check requires lowercase domain name and pattern */
++ Curl_strntolower(lcase, domain, dlen + 1);
++ Curl_strntolower(lcookie, co->domain, clen + 1);
++ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
++ Curl_psl_release(data);
++ }
++ else
++ acceptable = !bad_domain(domain);
+ }
+- else
+- acceptable = !bad_domain(domain);
+
+ if(!acceptable) {
+ infof(data, "cookie '%s' dropped, domain '%s' must not "
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 7d29f90..4ab8cee 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 26%{?dist}
+Release: 29%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz
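Review bot: Domain names of 256 bytes or more now skip both the PSL check and the `bad_domain()` fallback in Curl_cookie_add and are dropped only because `acceptable` was initialised to FALSE, which is the safe direction but is stated nowhere in the hunk. The `infof` that follows will also report such a cookie as a domain-policy rejection rather than a length rejection. A comment on the length guard would make the fail-closed intent explicit, for example `/* names too long for lcase/lcookie are rejected (fail closed) */`. The no-PSL branch still calls `bad_domain(domain)` with the original-case string, so it depends on bad_domain comparing case-insensitively, which is not visible here. Curl_cookie_add starts and ends outside the hunk.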
@@ -95,6 +95,21 @@ Patch30: 0030-curl-7.76.1-CVE-2023-28322.patch
 # fix host name wildcard checking
 Patch31: 0031-curl-7.76.1-CVE-2023-28321.patch
+# when keyboard-interactive auth fails, try password
+Patch32: 0032-curl-7.76.1-password-when-keyboard-interactive-fails.patch
+
+# return error if hostname too long for remote resolve
+Patch33: 0033-curl-7.76.1-CVE-2023-38545.patch
+
+# fix cookie injection with none file (CVE-2023-38546)
+Patch34: 0034-curl-7.76.1-CVE-2023-38546.patch
+
+# cap SFTP packet size sent (RHEL-14697)
+Patch35: 0035-curl-7.76.1-64K-sftp.patch
+
+# lowercase the domain names before PSL checks (CVE-2023-46218)
+Patch36: 0036-curl-7.76.1-CVE-2023-46218.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -300,6 +315,11 @@ be installed.
 %patch29 -p1
 %patch30 -p1
 %patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
 # Fedora patches
 %patch101 -p1
@@ -525,6 +545,18 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Wed Mar 6 2024 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-29
+- rebuild for 9.4 GA
+
+* Tue Oct 10 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-28
+- return error if hostname too long for remote resolve (CVE-2023-38545)
+- fix cookie injection with none file (CVE-2023-38546)
+- cap SFTP packet size sent (RHEL-14697)
+- lowercase the domain names before PSL checks (CVE-2023-46218)
+
+* Tue Sep 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-27
+- when keyboard-interactive auth fails, try password (#2229800)
+
 * Mon Jun 12 2023 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-26
 - unify the upload/method handling (CVE-2023-28322)
 - fix host name wildcard checking (CVE-2023-28321)
-- GitLab