import curl-7.76.1-23.el9

debe9841 · Rocky Automation · a2139f7c · debe9841 · debe9841 · debe9841
Commit debe9841 authored 1 year ago by Rocky Automation
--- a/SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch
+++ b/SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch
+From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH 1/2] cookie: reject cookies with "control bytes"
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+
+Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index cb0c03b..e0470a1 100644
+--- a/lib/cookie.c
+++ b/lib/cookie.c
+@@ -383,6 +383,30 @@ static void strstore(char **str, const char *newstr)
+   *str = strdup(newstr);
+ }
+ 
+/*
+  RFC 6265 section 4.1.1 says a server should accept this range:
+
+  cookie-octet    = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
+
+  But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
+  fine. The prime reason for filtering out control bytes is that some HTTP
+  servers return 400 for requests that contain such.
+*/
+static int invalid_octets(const char *p)
+{
+  /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
+  static const char badoctets[] = {
+    "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
+    "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+    "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
+  };
+  size_t vlen, len;
+  /* scan for all the octets that are *not* in cookie-octet */
+  len = strcspn(p, badoctets);
+  vlen = strlen(p);
+  return (len != vlen);
+}
+
+ /*
+  * remove_expired() removes expired cookies.
+  */
+@@ -567,6 +591,11 @@ Curl_cookie_add(struct Curl_easy *data,
+             badcookie = TRUE;
+             break;
+           }
+          if(invalid_octets(whatptr) || invalid_octets(name)) {
+            infof(data, "invalid octets in name/value, cookie dropped");
+            badcookie = TRUE;
+            break;
+          }
+         }
+         else if(!len) {
+           /* this was a "<name>=" with no content, and we must allow
+-- 
+2.37.1
+
+
+From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored
+
+Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/tests/data/test8 b/tests/data/test8
+index a8548e6..8587611 100644
+--- a/tests/data/test8
+++ b/tests/data/test8
+@@ -46,6 +46,36 @@ Set-Cookie: trailingspace    = removed; path=/we/want;
+ Set-Cookie: nocookie=yes; path=/WE;
+ Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
+ Set-Cookie: partialip=nono; domain=.0.0.1;
+Set-Cookie: cookie1=%hex[%01-junk]hex%
+Set-Cookie: cookie2=%hex[%02-junk]hex%
+Set-Cookie: cookie3=%hex[%03-junk]hex%
+Set-Cookie: cookie4=%hex[%04-junk]hex%
+Set-Cookie: cookie5=%hex[%05-junk]hex%
+Set-Cookie: cookie6=%hex[%06-junk]hex%
+Set-Cookie: cookie7=%hex[%07-junk]hex%
+Set-Cookie: cookie8=%hex[%08-junk]hex%
+Set-Cookie: cookie9=%hex[junk-%09-]hex%
+Set-Cookie: cookie11=%hex[%0b-junk]hex%
+Set-Cookie: cookie12=%hex[%0c-junk]hex%
+Set-Cookie: cookie14=%hex[%0e-junk]hex%
+Set-Cookie: cookie15=%hex[%0f-junk]hex%
+Set-Cookie: cookie16=%hex[%10-junk]hex%
+Set-Cookie: cookie17=%hex[%11-junk]hex%
+Set-Cookie: cookie18=%hex[%12-junk]hex%
+Set-Cookie: cookie19=%hex[%13-junk]hex%
+Set-Cookie: cookie20=%hex[%14-junk]hex%
+Set-Cookie: cookie21=%hex[%15-junk]hex%
+Set-Cookie: cookie22=%hex[%16-junk]hex%
+Set-Cookie: cookie23=%hex[%17-junk]hex%
+Set-Cookie: cookie24=%hex[%18-junk]hex%
+Set-Cookie: cookie25=%hex[%19-junk]hex%
+Set-Cookie: cookie26=%hex[%1a-junk]hex%
+Set-Cookie: cookie27=%hex[%1b-junk]hex%
+Set-Cookie: cookie28=%hex[%1c-junk]hex%
+Set-Cookie: cookie29=%hex[%1d-junk]hex%
+Set-Cookie: cookie30=%hex[%1e-junk]hex%
+Set-Cookie: cookie31=%hex[%1f-junk]hex%
+Set-Cookie: cookie31=%hex[%7f-junk]hex%
+ 
+ </file>
+ <precheck>
+@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1
+ Host: %HOSTIP:%HTTPPORT
+ User-Agent: curl/%VERSION
+ Accept: */*
+-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
+Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk-	-
+ 
+ </protocol>
+ </verify>
+-- 
+2.37.1
+
--- a/SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch
+++ b/SOURCES/0022-curl-7.76.1-CVE-2022-32221.patch
+From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:22:45 +0200
+Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field
+
+Reported-by: RobBotic1 on github
+Fixes #9507
+Closes #9511
+
+Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index d5e3b50..b8793b4 100644
+--- a/lib/setopt.c
+++ b/lib/setopt.c
+@@ -628,6 +628,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     }
+     else
+       data->set.method = HTTPREQ_GET;
+    data->set.upload = FALSE;
+     break;
+ 
+   case CURLOPT_HTTPPOST:
+-- 
+2.37.3
+
+
+From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:23:33 +0200
+Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle
+
+Reproduced #9507, verifies the fix
+
+Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc    |  1 +
+ tests/data/test1948        | 73 +++++++++++++++++++++++++++++++++++
+ tests/libtest/Makefile.inc |  5 +++
+ tests/libtest/lib1948.c    | 79 ++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 158 insertions(+)
+ create mode 100644 tests/data/test1948
+ create mode 100644 tests/libtest/lib1948.c
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 818ee08..0cfab9b 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -217,6 +217,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \
+ test1916 test1917 test1918 \
+ \
+ test1933 test1934 test1935 test1936 \
+test1948 \
+ \
+ test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \
+ test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \
+diff --git a/tests/data/test1948 b/tests/data/test1948
+new file mode 100644
+index 0000000..639523d
+--- /dev/null
+++ b/tests/data/test1948
+@@ -0,0 +1,73 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP POST
+HTTP PUT
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Thu, 01 Nov 2001 14:49:00 GMT
+Content-Type: text/html
+Content-Length: 6
+
+hello
+</data>
+<datacheck>
+HTTP/1.1 200 OK
+Date: Thu, 01 Nov 2001 14:49:00 GMT
+Content-Type: text/html
+Content-Length: 6
+
+hello
+HTTP/1.1 200 OK
+Date: Thu, 01 Nov 2001 14:49:00 GMT
+Content-Type: text/html
+Content-Length: 6
+
+hello
+</datacheck>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+
+<name>
+CURLOPT_POST after CURLOPT_UPLOAD reusing handle
+</name>
+<tool>
+lib%TESTNUMBER
+</tool>
+
+<command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+PUT /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+Content-Length: 22
+Expect: 100-continue
+
+This is test PUT data
+POST /1948 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+Content-Length: 22
+Content-Type: application/x-www-form-urlencoded
+
+This is test PUT data
+</protocol>
+</verify>
+</testcase>
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 83a8af4..3192eca 100644
+--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
+@@ -61,6 +61,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect                \
+  lib1591 lib1592 lib1593 lib1594 lib1596 \
+          lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \
+          lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \
+ lib1948 \
+          lib3010
+ 
+ chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \
+@@ -690,6 +691,10 @@ lib1936_SOURCES = lib1936.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib1936_LDADD = $(TESTUTIL_LIBS)
+ lib1936_CPPFLAGS = $(AM_CPPFLAGS)
+ 
+lib1948_SOURCES = lib1948.c $(SUPPORTFILES)
+lib1948_LDADD = $(TESTUTIL_LIBS)
+lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948
+
+ lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib3010_LDADD = $(TESTUTIL_LIBS)
+ lib3010_CPPFLAGS = $(AM_CPPFLAGS)
+diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c
+new file mode 100644
+index 0000000..7c891a2
+--- /dev/null
+++ b/tests/libtest/lib1948.c
+@@ -0,0 +1,79 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+
+#include "test.h"
+
+typedef struct
+{
+  char *buf;
+  size_t len;
+} put_buffer;
+
+static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream)
+{
+  put_buffer *putdata = (put_buffer *)stream;
+  size_t totalsize = size * nmemb;
+  size_t tocopy = (putdata->len < totalsize) ? putdata->len : totalsize;
+  memcpy(ptr, putdata->buf, tocopy);
+  putdata->len -= tocopy;
+  putdata->buf += tocopy;
+  return tocopy;
+}
+
+int test(char *URL)
+{
+  CURL *curl;
+  CURLcode res = CURLE_OUT_OF_MEMORY;
+
+  curl_global_init(CURL_GLOBAL_DEFAULT);
+
+  curl = curl_easy_init();
+  if(curl) {
+    const char *testput = "This is test PUT data\n";
+    put_buffer pbuf;
+
+    /* PUT */
+    curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L);
+    curl_easy_setopt(curl, CURLOPT_HEADER, 1L);
+    curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback);
+    pbuf.buf = (char *)testput;
+    pbuf.len = strlen(testput);
+    curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf);
+    curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput));
+    res = curl_easy_setopt(curl, CURLOPT_URL, URL);
+    if(!res)
+      res = curl_easy_perform(curl);
+    if(!res) {
+      /* POST */
+      curl_easy_setopt(curl, CURLOPT_POST, 1L);
+      curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput);
+      curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput));
+      res = curl_easy_perform(curl);
+    }
+    curl_easy_cleanup(curl);
+  }
+
+  curl_global_cleanup();
+  return (int)res;
+}
+-- 
+2.37.3
+
--- a/SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch
+++ b/SOURCES/0023-curl-7.76.1-CVE-2022-43552.patch
+From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+
+Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/smb.c    | 14 ++------------
+ lib/telnet.c |  3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 039d680..f682c1f 100644
+--- a/lib/smb.c
+++ b/lib/smb.c
+@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
+ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
+ static CURLcode smb_do(struct Curl_easy *data, bool *done);
+ static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature);
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead);
+ static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
+@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = {
+   "SMB",                                /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
+  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = {
+   "SMBS",                               /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
+  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -941,14 +939,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
+   return CURLE_OK;
+ }
+ 
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature)
+-{
+-  (void) premature;
+-  Curl_safefree(data->req.p.smb);
+-  return status;
+-}
+-
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead)
+ {
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 923c7f8..48cd0d7 100644
+--- a/lib/telnet.c
+++ b/lib/telnet.c
+@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
+ 
+   curl_slist_free_all(tn->telnet_vars);
+   tn->telnet_vars = NULL;
+-
+-  Curl_safefree(data->req.p.telnet);
+-
+   return CURLE_OK;
+ }
+ 
+-- 
+2.38.1
+
--- a/SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch
+++ b/SOURCES/0024-curl-7.76.1-CVE-2023-23916.patch
--- a/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch
+++ b/SOURCES/0105-curl-7.63.0-lib1560-valgrind.patch
@@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
 index 080421b..ea3b806 100644
 --- a/tests/libtest/Makefile.inc
 +++ b/tests/libtest/Makefile.inc
-@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+@@ -593,6 +593,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 lib1559_LDADD = $(TESTUTIL_LIBS)
 
 lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)

--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 19%{?dist}
+Release: 23%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz

@@ -62,6 +62,18 @@ Patch19:  0019-curl-7.76.1-CVE-2022-32207.patch
 # fix build failure caused by openldap rebase (#2094159)
 Patch20:  0020-curl-7.76.1-openldap-rebase.patch

+# control code in cookie denial of service (CVE-2022-35252)
+Patch21:  0021-curl-7.76.1-CVE-2022-35252.patch
+
+# fix POST following PUT confusion (CVE-2022-32221)
+Patch22:  0022-curl-7.76.1-CVE-2022-32221.patch
+
+# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
+Patch23:  0023-curl-7.76.1-CVE-2022-43552.patch
+
+# fix HTTP multi-header compression denial of service (CVE-2023-23916)
+Patch24:  0024-curl-7.76.1-CVE-2023-23916.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@@ -256,6 +268,10 @@ be installed.
 %patch17 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1

 # Fedora patches
 %patch101 -p1
@@ -282,6 +298,11 @@ echo "582" >> tests/data/DISABLED
 printf "702\n703\n716\n" >> tests/data/DISABLED
 %endif

+# temporarily disable tests 2034 2037 2041 on aarch64
+%ifarch aarch64
+printf "2034\n2037\n2041\n" >> tests/data/DISABLED
+%endif
+
 # adapt test 323 for updated OpenSSL
 sed -e 's|^35$|35,52|' -i tests/data/test323

@@ -476,6 +497,18 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.76.1-23
+- fix HTTP multi-header compression denial of service (CVE-2023-23916)
+
+* Wed Dec 21 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-22
+- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
+
+* Wed Oct 26 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-21
+- fix POST following PUT confusion (CVE-2022-32221)
+
+* Fri Sep 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-20
+- control code in cookie denial of service (CVE-2022-35252)
+
 * Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-19
 - fix unpreserved file permissions (CVE-2022-32207)
 - fix HTTP compression denial of service (CVE-2022-32206)