diff --git a/0001-curl-7.64.0-zsh-completion.patch b/0001-curl-7.64.0-zsh-completion.patch
deleted file mode 100644
index 770a15b..0000000
--- a/0001-curl-7.64.0-zsh-completion.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -From 082034e2334b2d0795b2b324ff3e0635bb7d2b86 Mon Sep 17 00:00:00 2001 -From: Alessandro Ghedini -Date: Tue, 5 Feb 2019 20:44:14 +0000 -Subject: [PATCH 1/2] zsh.pl: update regex to better match curl -h output - -The current regex fails to match '<...>' arguments properly (e.g. those -with spaces in them), which causes an completion script with wrong -descriptions for some options. - -The problem can be reproduced as follows: - -% curl --reso - -Upstream-commit: dbd32f3241b297b96ee11a51da1a661f528ca026 -Signed-off-by: Kamil Dudka ---- - scripts/zsh.pl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/scripts/zsh.pl b/scripts/zsh.pl -index 1257190..941b322 100755 ---- a/scripts/zsh.pl -+++ b/scripts/zsh.pl -@@ -7,7 +7,7 @@ use warnings; - - my $curl = $ARGV[0] || 'curl'; - --my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s([^\s.]+)?\s+(.*)'; -+my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s*(\<.+?\>)?\s+(.*)'; - my @opts = parse_main_opts('--help', $regex); - - my $opts_str; --- -2.17.2 - - -From 45abc785e101346f19599aa5f9fa1617e525ec4d Mon Sep 17 00:00:00 2001 -From: Alessandro Ghedini -Date: Tue, 5 Feb 2019 21:06:26 +0000 -Subject: [PATCH 2/2] zsh.pl: escape ':' character - -':' is interpreted as separator by zsh, so if used as part of the argument -or option's description it needs to be escaped. 
- -The problem can be reproduced as follows: - -% curl -E - -Bug: https://bugs.debian.org/921452 - -Upstream-commit: b3cc8017b7364f588365be2b2629c49c142efdb7 -Signed-off-by: Kamil Dudka ---- - scripts/zsh.pl | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/scripts/zsh.pl b/scripts/zsh.pl -index 941b322..0f9cbec 100755 ---- a/scripts/zsh.pl -+++ b/scripts/zsh.pl -@@ -45,9 +45,12 @@ sub parse_main_opts { - - my $option = ''; - -+ $arg =~ s/\:/\\\:/g if defined $arg; -+ - $desc =~ s/'/'\\''/g if defined $desc; - $desc =~ s/\[/\\\[/g if defined $desc; - $desc =~ s/\]/\\\]/g if defined $desc; -+ $desc =~ s/\:/\\\:/g if defined $desc; - - $option .= '{' . trim($short) . ',' if defined $short; - $option .= trim($long) if defined $long; --- -2.17.2 - diff --git a/0001-curl-7.65.3-negotiate-fails.patch b/0001-curl-7.65.3-negotiate-fails.patch new file mode 100644 index 0000000..9cfae77 --- /dev/null +++ b/0001-curl-7.65.3-negotiate-fails.patch 
@@ -0,0 +1,166 @@ +From 90f7ca7bec18b49bf2706430aa6493eda7d7a573 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 30 Jul 2019 12:59:35 +0200 +Subject: [PATCH] http_negotiate: improve handling of gss_init_sec_context() + failures + +If HTTPAUTH_GSSNEGOTIATE was used for a POST request and +gss_init_sec_context() failed, the POST request was sent +with empty body. This commit also restores the original +behavior of `curl --fail --negotiate`, which was changed +by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. + +Add regression tests 2077 and 2078 to cover this. + +Fixes #3992 +Closes #4171 + +Upstream-commit: 4c187043c5aac57f354ebb96cc6ff3263411e98d +Signed-off-by: Kamil Dudka +--- + lib/http_negotiate.c | 2 +- + tests/data/Makefile.inc | 3 ++- + tests/data/test2077 | 42 ++++++++++++++++++++++++++++++++ + tests/data/test2078 | 54 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 99 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test2077 + create mode 100644 tests/data/test2078 + +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index c8f406444..fe15dcefb 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -151,7 +151,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) + if(result == CURLE_LOGIN_DENIED) { + /* negotiate auth failed, let's continue unauthenticated to stay + * compatible with the behavior before curl-7_64_0-158-g6c6035532 */ +- conn->data->state.authproblem = TRUE; ++ authp->done = TRUE; + return CURLE_OK; + } + else if(result) +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 693e53d7c..3ed4a03e4 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -199,7 +199,8 @@ test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 \ + test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \ + test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \ + test2064 test2065 test2066 test2067 test2068 
test2069 \ +- test2071 test2072 test2073 test2074 test2075 test2076 \ ++ test2071 test2072 test2073 test2074 test2075 test2076 test2077 \ ++test2078 \ + test2080 \ + test2100 \ + \ +diff --git a/tests/data/test2077 b/tests/data/test2077 +new file mode 100644 +index 000000000..0c600f5c3 +--- /dev/null ++++ b/tests/data/test2077 +@@ -0,0 +1,42 @@ ++ ++ ++ ++HTTP ++HTTP GET ++GSS-API ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK swsclose ++Content-Length: 23 ++ ++This IS the real page! ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++GSS-API ++ ++ ++curl --fail --negotiate to unauthenticated service fails ++ ++ ++http://%HOSTIP:%HTTPPORT/2077 -u : --fail --negotiate ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++0 ++ ++ ++ +diff --git a/tests/data/test2078 b/tests/data/test2078 +new file mode 100644 +index 000000000..99bc2dbee +--- /dev/null ++++ b/tests/data/test2078 +@@ -0,0 +1,54 @@ ++ ++ ++ ++HTTP ++HTTP GET ++GSS-API ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK swsclose ++Content-Length: 23 ++ ++This IS the real page! ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++GSS-API ++ ++ ++curl --negotiate should not send empty POST request only ++ ++ ++http://%HOSTIP:%HTTPPORT/2078 -u : --negotiate --data name=value ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++0 ++ ++ ++^User-Agent:.* ++ ++ ++POST /2078 HTTP/1.1 ++Host: 127.0.0.1:8990 ++Accept: */* ++Content-Length: 10 ++Content-Type: application/x-www-form-urlencoded ++ ++name=value ++ ++ ++ +-- +2.20.1 + diff --git a/0002-curl-7.64.0-nm-fd-leak.patch b/0002-curl-7.64.0-nm-fd-leak.patch deleted file mode 100644 index 681e58f..0000000 --- a/0002-curl-7.64.0-nm-fd-leak.patch +++ /dev/null 
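Review bot: The expected request in the new tests/data/test2078 hard-codes `Host: 127.0.0.1:8990` while its command line uses `%HOSTIP:%HTTPPORT`; unless the harness substitutes that literal, the verification only matches on the default test port, and `Host: %HOSTIP:%HTTPPORT` would keep the two consistent. The Makefile.inc continuation `test2078 \` also lacks the leading space that every neighbouring continuation line in that list carries. The test files appear on this page with their section tags stripped, so their structure cannot be checked here. The one-line change in Curl_output_negotiate (`authp->done = TRUE;`) keeps the already-commented behaviour of continuing unauthenticated after a failed gss_init_sec_context(); the rest of that function, including where `authp` is chosen, is outside the hunk.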
@@ -1,162 +0,0 @@ -From 377101f138873bfa481785cb7d04c326006f0b5d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 11 Feb 2019 07:56:00 +0100 -Subject: [PATCH 1/3] connection_check: set ->data to the transfer doing the - check - -The http2 code for connection checking needs a transfer to use. Make -sure a working one is set before handler->connection_check() is called. - -Reported-by: jnbr on github -Fixes #3541 -Closes #3547 - -Upstream-commit: 38d8e1bd4ed1ae52930ae466ecbac78e888b142f -Signed-off-by: Kamil Dudka ---- - lib/url.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/url.c b/lib/url.c -index d5a9820..229c655 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -965,6 +965,7 @@ static bool extract_if_dead(struct connectdata *conn, - /* The protocol has a special method for checking the state of the - connection. Use it to check if the connection is dead. */ - unsigned int state; -+ conn->data = data; /* use this transfer for now */ - state = conn->handler->connection_check(conn, CONNCHECK_ISDEAD); - dead = (state & CONNRESULT_DEAD); - } --- -2.17.2 - - -From 287f5d70395b3833f8901a57b29a48b87d84a9fe Mon Sep 17 00:00:00 2001 -From: Jay Satiro -Date: Mon, 11 Feb 2019 23:00:00 -0500 -Subject: [PATCH 2/3] connection_check: restore original conn->data after the - check - -- Save the original conn->data before it's changed to the specified - data transfer for the connection check and then restore it afterwards. - -This is a follow-up to 38d8e1b 2019-02-11. - -History: - -It was discovered a month ago that before checking whether to extract a -dead connection that that connection should be associated with a "live" -transfer for the check (ie original conn->data ignored and set to the -passed in data). A fix was landed in 54b201b which did that and also -cleared conn->data after the check. The original conn->data was not -restored, so presumably it was thought that a valid conn->data was no -longer needed. 
- -Several days later it was discovered that a valid conn->data was needed -after the check and follow-up fix was landed in bbae24c which partially -reverted the original fix and attempted to limit the scope of when -conn->data was changed to only when pruning dead connections. In that -case conn->data was not cleared and the original conn->data not -restored. - -A month later it was discovered that the original fix was somewhat -correct; a "live" transfer is needed for the check in all cases -because original conn->data could be null which could cause a bad deref -at arbitrary points in the check. A fix was landed in 38d8e1b which -expanded the scope to all cases. conn->data was not cleared and the -original conn->data not restored. - -A day later it was discovered that not restoring the original conn->data -may lead to busy loops in applications that use the event interface, and -given this observation it's a pretty safe assumption that there is some -code path that still needs the original conn->data. This commit is the -follow-up fix for that, it restores the original conn->data after the -connection check. - -Assisted-by: tholin@users.noreply.github.com -Reported-by: tholin@users.noreply.github.com - -Fixes https://github.com/curl/curl/issues/3542 -Closes #3559 - -Upstream-commit: 4015fae044ce52a639c9358e22a9e948f287c89f -Signed-off-by: Kamil Dudka ---- - lib/url.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/url.c b/lib/url.c -index 229c655..a77e92d 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -965,8 +965,10 @@ static bool extract_if_dead(struct connectdata *conn, - /* The protocol has a special method for checking the state of the - connection. Use it to check if the connection is dead. 
*/ - unsigned int state; -+ struct Curl_easy *olddata = conn->data; - conn->data = data; /* use this transfer for now */ - state = conn->handler->connection_check(conn, CONNCHECK_ISDEAD); -+ conn->data = olddata; - dead = (state & CONNRESULT_DEAD); - } - else { -@@ -995,7 +997,6 @@ struct prunedead { - static int call_extract_if_dead(struct connectdata *conn, void *param) - { - struct prunedead *p = (struct prunedead *)param; -- conn->data = p->data; /* transfer to use for this check */ - if(extract_if_dead(conn, p->data)) { - /* stop the iteration here, pass back the connection that was extracted */ - p->extracted = conn; --- -2.17.2 - - -From 15e3f2eef87bff1210f43921cb15f03c68be59f7 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 19 Feb 2019 15:56:54 +0100 -Subject: [PATCH 3/3] singlesocket: fix the 'sincebefore' placement - -The variable wasn't properly reset within the loop and thus could remain -set for sockets that hadn't been set before and miss notifying the app. - -This is a follow-up to 4c35574 (shipped in curl 7.64.0) - -Reported-by: buzo-ffm on github -Detected-by: Jan Alexander Steffens -Fixes #3585 -Closes #3589 - -Upstream-commit: afc00e047c773faeaa60a5f86a246cbbeeba5819 -Signed-off-by: Kamil Dudka ---- - lib/multi.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/multi.c b/lib/multi.c -index 130226f..28f4c47 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -2360,8 +2360,6 @@ static CURLMcode singlesocket(struct Curl_multi *multi, - int num; - unsigned int curraction; - int actions[MAX_SOCKSPEREASYHANDLE]; -- unsigned int comboaction; -- bool sincebefore = FALSE; - - for(i = 0; i< MAX_SOCKSPEREASYHANDLE; i++) - socks[i] = CURL_SOCKET_BAD; -@@ -2380,6 +2378,8 @@ static CURLMcode singlesocket(struct Curl_multi *multi, - i++) { - unsigned int action = CURL_POLL_NONE; - unsigned int prevaction = 0; -+ unsigned int comboaction; -+ bool sincebefore = FALSE; - - s = socks[i]; - --- -2.17.2 - 
diff --git a/0002-curl-7.65.3-h2-framing-layer-error.patch b/0002-curl-7.65.3-h2-framing-layer-error.patch
new file mode 100644
index 0000000..24db142
--- /dev/null
+++ b/0002-curl-7.65.3-h2-framing-layer-error.patch
@@ -0,0 +1,37 @@
+From 98d59387c749256c2421b22dc3419b94d381986a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 26 Aug 2019 16:00:05 +0200
+Subject: [PATCH] http2: when marked for closure and wanted to close == OK
+
+It could otherwise return an error even when closed correctly if GOAWAY
+had been received previously.
+
+Reported-by: Tom van der Woerdt
+Fixes #4267
+Closes #4268
+
+Upstream-commit: c1b6a384f9c8a91197c20adb49d43f30dc0e917d
+Signed-off-by: Kamil Dudka
+---
+ lib/http2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 930e85165..31d2d698a 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -1566,6 +1566,11 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
+ if(should_close_session(httpc)) {
+ H2BUGF(infof(data,
+ "http2_recv: nothing to do in this session\n"));
++ if(conn->bits.close) {
++ /* already marked for closure, return OK and we're done */
++ *err = CURLE_OK;
++ return 0;
++ }
+ *err = CURLE_HTTP2;
+ return -1;
+ }
+--
+2.20.1
+
diff --git a/0003-curl-7.64.0-cookie-segfault.patch b/0003-curl-7.64.0-cookie-segfault.patch
deleted file mode 100644
index 9539efa..0000000
--- a/0003-curl-7.64.0-cookie-segfault.patch
+++ /dev/null
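Review bot: The early return added to http2_recv reports a clean end of data (`*err = CURLE_OK; return 0;`) whenever `conn->bits.close` is already set and should_close_session() is true, without looking at whether the stream being read received a complete response; if bits.close can be set for reasons other than a received GOAWAY, a truncated body on that stream would now surface as success rather than CURLE_HTTP2. Worth confirming that the stream-level completion check elsewhere in http2_recv (outside this hunk) still reports the incomplete case. The new comment could also say why closure makes OK the right answer, e.g. `/* connection already marked for closure (e.g. after GOAWAY): nothing more will arrive, so report a clean EOF rather than an HTTP/2 error */`.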
@@ -1,42 +0,0 @@ -From d73dc8d3e70bde0ef999ecf7bcd5585b9892371c Mon Sep 17 00:00:00 2001 -From: Michael Wallner -Date: Mon, 25 Feb 2019 19:05:02 +0100 -Subject: [PATCH] cookies: fix NULL dereference if flushing cookies with no - CookieInfo set - -Regression brought by a52e46f3900fb0 (shipped in 7.63.0) - -Closes #3613 - -Upstream-commit: 8eddb8f4259193633cfc95a42603958a89b31de5 -Signed-off-by: Kamil Dudka ---- - lib/cookie.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/lib/cookie.c b/lib/cookie.c -index 4fb992a..d535170 100644 ---- a/lib/cookie.c -+++ b/lib/cookie.c -@@ -1504,7 +1504,8 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere) - struct Cookie **array; - - /* at first, remove expired cookies */ -- remove_expired(c); -+ if(c) -+ remove_expired(c); - - if(!strcmp("-", dumphere)) { - /* use stdout */ -@@ -1523,7 +1524,7 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere) - "# This file was generated by libcurl! Edit at your own risk.\n\n", - out); - -- if(c->numcookies) { -+ if(c && c->numcookies) { - array = malloc(sizeof(struct Cookie *) * c->numcookies); - if(!array) { - if(!use_stdout) --- -2.17.2 - diff --git a/0004-curl-7.64.0-spurious-resolver-error.patch b/0004-curl-7.64.0-spurious-resolver-error.patch deleted file mode 100644 index 3e05ad5..0000000 --- a/0004-curl-7.64.0-spurious-resolver-error.patch +++ /dev/null 
@@ -1,118 +0,0 @@ -From 5ddabe85b2e3e4fd08d06980719d71a2aed77a5b Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 28 Feb 2019 20:34:36 +0100 -Subject: [PATCH] threaded-resolver: shutdown the resolver thread without error - message - -When a transfer is done, the resolver thread will be brought down. That -could accidentally generate an error message in the error buffer even -though this is not an error situationand the transfer would still return -OK. An application that still reads the error buffer could find a -"Could not resolve host: [host name]" message there and get confused. - -Reported-by: Michael Schmid -Fixes #3629 -Closes #3630 - -Upstream-commit: 754ae103989a6ad0869d23a6a427d652b5b4a2fe -Signed-off-by: Kamil Dudka ---- - lib/asyn-thread.c | 68 ++++++++++++++++++++++++++--------------------- - 1 file changed, 38 insertions(+), 30 deletions(-) - -diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c -index a9679d0..55e0811 100644 ---- a/lib/asyn-thread.c -+++ b/lib/asyn-thread.c -@@ -461,6 +461,42 @@ static CURLcode resolver_error(struct connectdata *conn) - return result; - } - -+static CURLcode thread_wait_resolv(struct connectdata *conn, -+ struct Curl_dns_entry **entry, -+ bool report) -+{ -+ struct thread_data *td = (struct thread_data*) conn->async.os_specific; -+ CURLcode result = CURLE_OK; -+ -+ DEBUGASSERT(conn && td); -+ DEBUGASSERT(td->thread_hnd != curl_thread_t_null); -+ -+ /* wait for the thread to resolve the name */ -+ if(Curl_thread_join(&td->thread_hnd)) { -+ if(entry) -+ result = getaddrinfo_complete(conn); -+ } -+ else -+ DEBUGASSERT(0); -+ -+ conn->async.done = TRUE; -+ -+ if(entry) -+ *entry = conn->async.dns; -+ -+ if(!conn->async.dns && report) -+ /* a name was not resolved, report error */ -+ result = resolver_error(conn); -+ -+ destroy_async_data(&conn->async); -+ -+ if(!conn->async.dns && report) -+ connclose(conn, "asynch resolve failed"); -+ -+ return result; -+} -+ -+ - /* - * Until we gain a way to signal the 
resolver threads to stop early, we must - * simply wait for them and ignore their results. -@@ -473,7 +509,7 @@ void Curl_resolver_kill(struct connectdata *conn) - unfortunately. Otherwise, we can simply cancel to clean up any resolver - data. */ - if(td && td->thread_hnd != curl_thread_t_null) -- (void)Curl_resolver_wait_resolv(conn, NULL); -+ (void)thread_wait_resolv(conn, NULL, FALSE); - else - Curl_resolver_cancel(conn); - } -@@ -494,35 +530,7 @@ void Curl_resolver_kill(struct connectdata *conn) - CURLcode Curl_resolver_wait_resolv(struct connectdata *conn, - struct Curl_dns_entry **entry) - { -- struct thread_data *td = (struct thread_data*) conn->async.os_specific; -- CURLcode result = CURLE_OK; -- -- DEBUGASSERT(conn && td); -- DEBUGASSERT(td->thread_hnd != curl_thread_t_null); -- -- /* wait for the thread to resolve the name */ -- if(Curl_thread_join(&td->thread_hnd)) { -- if(entry) -- result = getaddrinfo_complete(conn); -- } -- else -- DEBUGASSERT(0); -- -- conn->async.done = TRUE; -- -- if(entry) -- *entry = conn->async.dns; -- -- if(!conn->async.dns) -- /* a name was not resolved, report error */ -- result = resolver_error(conn); -- -- destroy_async_data(&conn->async); -- -- if(!conn->async.dns) -- connclose(conn, "asynch resolve failed"); -- -- return result; -+ return thread_wait_resolv(conn, entry, TRUE); - } - - /* --- -2.17.2 - diff --git a/0005-curl-7.64.0-expire-in-verbose-msgs.patch b/0005-curl-7.64.0-expire-in-verbose-msgs.patch deleted file mode 100644 index 43d3573..0000000 --- a/0005-curl-7.64.0-expire-in-verbose-msgs.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 2e8f4d01cdd07779e0582257cb6b53c5a91d6504 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 11 Feb 2019 22:57:33 +0100 -Subject: [PATCH] multi: remove verbose "Expire in" ... messages - -Reported-by: James Brown -Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html -Closes #3558 - -Upstream-commit: aabc7ae5ecf70973add429b5acbc86d6a57e4da5 -Signed-off-by: Kamil Dudka ---- - lib/multi.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/lib/multi.c b/lib/multi.c -index 28f4c47..856cc22 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -3028,9 +3028,6 @@ void Curl_expire(struct Curl_easy *data, time_t milli, expire_id id) - - DEBUGASSERT(id < EXPIRE_LAST); - -- infof(data, "Expire in %ld ms for %x (transfer %p)\n", -- (long)milli, id, data); -- - set = Curl_now(); - set.tv_sec += milli/1000; - set.tv_usec += (unsigned int)(milli%1000)*1000; --- -2.17.2 - diff --git a/0018-curl-7.65.3-CVE-2019-5482.patch b/0018-curl-7.65.3-CVE-2019-5482.patch new file mode 100644 index 0000000..1ccf973 --- /dev/null +++ b/0018-curl-7.65.3-CVE-2019-5482.patch 
@@ -0,0 +1,158 @@ +From 63f9837b4ccf600da79314e8667f91bda69988fc Mon Sep 17 00:00:00 2001 +From: Thomas Vegas <> +Date: Sat, 31 Aug 2019 16:59:56 +0200 +Subject: [PATCH 1/2] tftp: return error when packet is too small for options + +Upstream-commit: 82f3ba3806a34fe94dcf9e5c9b88deda6679ca1b +Signed-off-by: Kamil Dudka +--- + lib/tftp.c | 53 +++++++++++++++++++++++++++++++++-------------------- + 1 file changed, 33 insertions(+), 20 deletions(-) + +diff --git a/lib/tftp.c b/lib/tftp.c +index 289cda2..4532170 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -404,13 +404,14 @@ static CURLcode tftp_parse_option_ack(tftp_state_data_t *state, + return CURLE_OK; + } + +-static size_t tftp_option_add(tftp_state_data_t *state, size_t csize, +- char *buf, const char *option) ++static CURLcode tftp_option_add(tftp_state_data_t *state, size_t *csize, ++ char *buf, const char *option) + { +- if(( strlen(option) + csize + 1) > (size_t)state->blksize) +- return 0; ++ if(( strlen(option) + *csize + 1) > (size_t)state->blksize) ++ return CURLE_TFTP_ILLEGAL; + strcpy(buf, option); +- return strlen(option) + 1; ++ *csize += strlen(option) + 1; ++ return CURLE_OK; + } + + static CURLcode tftp_connect_for_tx(tftp_state_data_t *state, +@@ -511,26 +512,38 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event) + else + strcpy(buf, "0"); /* the destination is large enough */ + +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data + sbytes, +- TFTP_OPTION_TSIZE); +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data + sbytes, buf); ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, ++ TFTP_OPTION_TSIZE); ++ if(result == CURLE_OK) ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, buf); ++ + /* add blksize option */ + msnprintf(buf, sizeof(buf), "%d", state->requested_blksize); +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data + sbytes, 
+- TFTP_OPTION_BLKSIZE); +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data + sbytes, buf); ++ if(result == CURLE_OK) ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, ++ TFTP_OPTION_BLKSIZE); ++ if(result == CURLE_OK) ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, buf); + + /* add timeout option */ + msnprintf(buf, sizeof(buf), "%d", state->retry_time); +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data + sbytes, +- TFTP_OPTION_INTERVAL); +- sbytes += tftp_option_add(state, sbytes, +- (char *)state->spacket.data + sbytes, buf); ++ if(result == CURLE_OK) ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, ++ TFTP_OPTION_INTERVAL); ++ if(result == CURLE_OK) ++ result = tftp_option_add(state, &sbytes, ++ (char *)state->spacket.data + sbytes, buf); ++ ++ if(result != CURLE_OK) { ++ failf(data, "TFTP buffer too small for options"); ++ free(filename); ++ return CURLE_TFTP_ILLEGAL; ++ } + } + + /* the typecase for the 3rd argument is mostly for systems that do +-- +2.20.1 + + +From b6b12a4cfe00c4850a1d6cee4cf267f00dee5987 Mon Sep 17 00:00:00 2001 +From: Thomas Vegas <> +Date: Sat, 31 Aug 2019 17:30:51 +0200 +Subject: [PATCH 2/2] tftp: Alloc maximum blksize, and use default unless OACK + is received + +Fixes potential buffer overflow from 'recvfrom()', should the server +return an OACK without blksize. 
+ +Bug: https://curl.haxx.se/docs/CVE-2019-5482.html +CVE-2019-5482 + +Upstream-commit: facb0e4662415b5f28163e853dc6742ac5fafb3d +Signed-off-by: Kamil Dudka +--- + lib/tftp.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/lib/tftp.c b/lib/tftp.c +index 4532170..5651b62 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -986,6 +986,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) + { + tftp_state_data_t *state; + int blksize; ++ int need_blksize; + + blksize = TFTP_BLKSIZE_DEFAULT; + +@@ -1000,15 +1001,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) + return CURLE_TFTP_ILLEGAL; + } + ++ need_blksize = blksize; ++ /* default size is the fallback when no OACK is received */ ++ if(need_blksize < TFTP_BLKSIZE_DEFAULT) ++ need_blksize = TFTP_BLKSIZE_DEFAULT; ++ + if(!state->rpacket.data) { +- state->rpacket.data = calloc(1, blksize + 2 + 2); ++ state->rpacket.data = calloc(1, need_blksize + 2 + 2); + + if(!state->rpacket.data) + return CURLE_OUT_OF_MEMORY; + } + + if(!state->spacket.data) { +- state->spacket.data = calloc(1, blksize + 2 + 2); ++ state->spacket.data = calloc(1, need_blksize + 2 + 2); + + if(!state->spacket.data) + return CURLE_OUT_OF_MEMORY; +@@ -1022,7 +1028,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) + state->sockfd = state->conn->sock[FIRSTSOCKET]; + state->state = TFTP_STATE_START; + state->error = TFTP_ERR_NONE; +- state->blksize = blksize; ++ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */ + state->requested_blksize = blksize; + + ((struct sockaddr *)&state->local_addr)->sa_family = +-- +2.20.1 + diff --git a/0019-curl-7.65.3-CVE-2019-5481.patch b/0019-curl-7.65.3-CVE-2019-5481.patch new file mode 100644 index 0000000..2cd79df --- /dev/null +++ b/0019-curl-7.65.3-CVE-2019-5481.patch 
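Review bot: The second patch makes the receive and send buffers `need_blksize + 2 + 2` bytes with need_blksize = max(blksize, TFTP_BLKSIZE_DEFAULT) and starts `state->blksize` at the default, so the buffers stay large enough only as long as an OACK can never raise `state->blksize` above `requested_blksize`; that check belongs to tftp_parse_option_ack, outside this hunk, and should be confirmed when taking this backport. In the first patch the new failure path in tftp_send_first calls `free(filename)` before returning CURLE_TFTP_ILLEGAL, but the allocation of `filename` is not in the hunk, so verify it is owned by this function and not also referenced from the state. The length check in tftp_option_add compares against `state->blksize`, which at the time tftp_send_first runs is now the default rather than the requested size; a comment above the check such as `/* state->blksize is still TFTP_BLKSIZE_DEFAULT here: no OACK has been received yet */` would spare the next reader the cross-reference.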
@@ -0,0 +1,46 @@ +From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 3 Sep 2019 22:59:32 +0200 +Subject: [PATCH] security:read_data fix bad realloc() + +... that could end up a double-free + +CVE-2019-5481 +Bug: https://curl.haxx.se/docs/CVE-2019-5481.html + +Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5 +Signed-off-by: Kamil Dudka +--- + lib/security.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/lib/security.c b/lib/security.c +index 550ea2d..c5e4e13 100644 +--- a/lib/security.c ++++ b/lib/security.c +@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn, + struct krb5buffer *buf) + { + int len; +- void *tmp = NULL; + CURLcode result; + + result = socket_read(fd, &len, sizeof(len)); +@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn, + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); +- tmp = Curl_saferealloc(buf->data, len); ++ buf->data = Curl_saferealloc(buf->data, len); + } +- if(tmp == NULL) ++ if(!len || !buf->data) + return CURLE_OUT_OF_MEMORY; + +- buf->data = tmp; + result = socket_read(fd, buf->data, len); + if(result) + return result; +-- +2.20.1 + diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 57c05c6..4f7991b 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16250,18 +16250,11 @@ $as_echo "yes" >&6; } +@@ -16288,18 +16288,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0104-curl-7.19.7-localhost6.patch b/0104-curl-7.19.7-localhost6.patch index 4f664d3..caa8bc2 100644 --- a/0104-curl-7.19.7-localhost6.patch +++ b/0104-curl-7.19.7-localhost6.patch 
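Review bot: The new condition `if(!len || !buf->data) return CURLE_OUT_OF_MEMORY;` in read_data reports a zero-length message with the same error as a failed allocation, which hides a protocol problem behind a memory one; if a zero length is invalid here, a distinct error code (whichever read_data's callers, outside the hunk, already handle) would keep the failure diagnosable. `len` is an int read straight from the socket and passed through ntohl() into Curl_saferealloc with no upper bound in this hunk, so the requested allocation size is peer-controlled and a negative value converts to a very large size_t; an explicit cap checked before the realloc would turn that into an early, clear error instead of relying on allocation failure. Writing the realloc result straight into `buf->data` is what removes the stale pointer the old `tmp` path left behind on failure, so the two remaining checks now carry the whole contract and deserve a one-line comment saying so.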
@@ -14,8 +14,8 @@ index e441278..b0958b6 100644 +-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6 --perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}" -+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}" +-perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}" ++perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}" diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 003655c..6d05c67 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,8 +26,8 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -521,6 +521,7 @@ lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) - lib1558_LDADD = $(TESTUTIL_LIBS) +@@ -531,6 +531,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp diff --git a/curl-7.64.0.tar.xz.asc b/curl-7.64.0.tar.xz.asc deleted file mode 100644 index 21f7542..0000000 --- a/curl-7.64.0.tar.xz.asc +++ /dev/null 
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlxahccACgkQXMkI/bce
-EsKdrAf+OoNH+Yz1HfJG5MtmEi2sgRC56iAvZBQujPG8SJYGnT3D2nLiuC2+bzA8
-eMCqisodW5f6lV/9JRvLmLS0dhxAfdf/NHlMOdtgSv+NzVGsggpHeYEZ7HucRHsQ
-AKZ6/wx7rby8yZqrn2s7yWWB0qgiajWx30r+CJEYXpuw+YwZ2qZo5ecM7fa/J9ko
-ESwb7BLF6KMkdSz1wSApwCdznB/BXOaPrUBMiOcwO7ftq/t1ZmqnUWLtdlSp8OoH
-Tw832H1kCP2OFHcOFTQmZJLagRQtLBhC522wNsagXaMwak6uhoFApcAPqoPdm4Pm
-PvTO6aAopZk+sX9VemdSQzx/4ysT3w==
-=HOlc
------END PGP SIGNATURE-----
diff --git a/curl-7.65.3.tar.xz.asc b/curl-7.65.3.tar.xz.asc
new file mode 100644
index 0000000..1671b07
--- /dev/null
+++ b/curl-7.65.3.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl0xj7oACgkQXMkI/bce
+EsKYbgf9G41o5x73tc+2TOGt2QmJ7ukyHmd5Vq7XTSNdNU5dJ41Z3qh9Jm72x62i
+b4kJMjWyoL2j031ml5JevycpMpNa1v784UlPW2tzzL2B7v6vcA4xknJRLWlPlcTJ
+HOgub6r7g/zhOpdAeJh8o4jkBLUyN+S/HOyHLWcvdWDnhqUAmpZfIqtd8kjqzDul
+XAkdj7MxWqKZ3wXWwlpp4j81jpfOj7KCC/ZpxlJ0KfefgYEzV23O2hcJzw57jqTy
+SQZc39uTQOjbZPlBXJD55QeVISCwe53pn55aWQll90XfE3XRapuYZdiL8wLwtl/L
+tjugTKjfoy9qqOGH5YB/4kHqoSJqow==
+=Itbi
+-----END PGP SIGNATURE-----
diff --git a/curl.spec b/curl.spec
index 6cf125f..54e8ea7 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,24 +1,21 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.64.0
-Release: 6%{?dist}
+Version: 7.65.3
+Release: 4%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
-# make zsh completion work again
-Patch1: 0001-curl-7.64.0-zsh-completion.patch
+# improve handling of gss_init_sec_context() failures
+Patch1: 0001-curl-7.65.3-negotiate-fails.patch
 
-# prevent NetworkManager from leaking file descriptors (#1680198)
-Patch2: 0002-curl-7.64.0-nm-fd-leak.patch
+# avoid reporting spurious error in the HTTP2 framing layer (#1690971)
+Patch2: 0002-curl-7.65.3-h2-framing-layer-error.patch
 
-# fix NULL dereference if flushing cookies with no CookieInfo set (#1683676)
-Patch3: 0003-curl-7.64.0-cookie-segfault.patch
+# fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
+Patch18: 0018-curl-7.65.3-CVE-2019-5482.patch
 
-# avoid spurious "Could not resolve host: [host name]" error messages
-Patch4: 0004-curl-7.64.0-spurious-resolver-error.patch
-
-# remove verbose "Expire in" ... messages (#1690971)
-Patch5: 0005-curl-7.64.0-expire-in-verbose-msgs.patch
+# double free due to subsequent call of realloc() (CVE-2019-5481)
+Patch19: 0019-curl-7.65.3-CVE-2019-5481.patch
 
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -54,6 +51,7 @@ BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
 BuildRequires: openssl-devel
+BuildRequires: perl-interpreter
 BuildRequires: pkgconfig
 BuildRequires: python3-devel
 BuildRequires: sed
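Review bot: The detached signature curl-7.65.3.tar.xz.asc is replaced together with the tarball, but the spec header in this hunk has only `Source:` for the tarball and no Source line for the .asc, so unless %prep (outside these hunks) runs `%{gpgverify}` the committed signature is never checked at build time and the SHA512 in `sources` remains the only integrity check on the archive. If the signature is meant to be enforced, reference it and a pinned keyring, e.g. `Source1: https://curl.haxx.se/download/%{name}-%{version}.tar.xz.asc` and `Source2: <upstream signing key file>`, with `%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}` at the start of %prep. The comments above Patch18 and Patch19 name the CVEs each backport addresses, and the patches carry an `Upstream-commit:` trailer, which keeps the provenance traceable.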
@@ -63,6 +61,12 @@ BuildRequires: zlib-devel
 # needed to compress content of tool_hugehelp.c after changing curl.1 man page
 BuildRequires: perl(IO::Compress::Gzip)
 
+# needed for generation of shell completions
+BuildRequires: perl(Getopt::Long)
+BuildRequires: perl(Pod::Usage)
+BuildRequires: perl(strict)
+BuildRequires: perl(warnings)
+
 # gnutls-serv is used by the upstream test-suite
 BuildRequires: gnutls-utils
 
@@ -78,10 +82,8 @@ BuildRequires: perl(File::Copy)
 BuildRequires: perl(File::Spec)
 BuildRequires: perl(IPC::Open2)
 BuildRequires: perl(MIME::Base64)
-BuildRequires: perl(strict)
 BuildRequires: perl(Time::Local)
 BuildRequires: perl(Time::HiRes)
-BuildRequires: perl(warnings)
 BuildRequires: perl(vars)
 
 # The test-suite runs automatically through valgrind if valgrind is available
@@ -183,9 +185,8 @@ be installed.
 # upstream patches
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
+%patch18 -p1
+%patch19 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -312,6 +313,10 @@ make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
 LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
 make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts
 
+# do not install /usr/share/fish/completions/curl.fish which is also installed
+# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
+rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
+
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
 %ldconfig_scriptlets -n libcurl
@@ -319,13 +324,17 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %ldconfig_scriptlets -n libcurl-minimal
 
 %files
-%doc CHANGES README*
-%doc docs/BUGS docs/FAQ docs/FEATURES
-%doc docs/MANUAL docs/RESOURCES
-%doc docs/TheArtOfHttpScripting docs/TODO
+%doc CHANGES
+%doc README
+%doc docs/BUGS
+%doc docs/FAQ
+%doc docs/FEATURES
+%doc docs/RESOURCES
+%doc docs/TODO
+%doc docs/TheArtOfHttpScripting
 %{_bindir}/curl
 %{_mandir}/man1/curl.1*
-%{_datadir}/zsh/site-functions
+%{_datadir}/zsh
 
 %files -n libcurl
 %license COPYING
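Review bot: Replacing `%{_datadir}/zsh/site-functions` with `%{_datadir}/zsh` in %files makes curl own the whole /usr/share/zsh tree present in the buildroot, so any additional file that `make install -C scripts` drops under it in a future rebase is packaged silently; listing the completion file explicitly (e.g. `%{_datadir}/zsh/site-functions/_curl`, name to be checked against the buildroot) keeps such additions visible as unpackaged-file errors. The new `rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish` in %install likewise discards everything under fish/, not only the curl.fish the comment names; `rm -f ${RPM_BUILD_ROOT}%{_datadir}/fish/completions/curl.fish` followed by removing the emptied directories would have the same effect today and surface anything new there rather than hide it. Moving perl(strict) and perl(warnings) from the test-suite block to the completion block instead of duplicating them is fine, since both are needed at build time either way.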
@@ -353,6 +362,26 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Sep 11 2019 Kamil Dudka - 7.65.3-4
+- double free due to subsequent call of realloc() (CVE-2019-5481)
+- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
+
+* Tue Aug 27 2019 Kamil Dudka - 7.65.3-3
+- avoid reporting spurious error in the HTTP2 framing layer (#1690971)
+
+* Thu Aug 01 2019 Kamil Dudka - 7.65.3-2
+- improve handling of gss_init_sec_context() failures
+
+* Mon Jul 22 2019 Kamil Dudka - 7.65.3-1
+- rebase to 7.65.3 to fix crashes of gnome and flatpak (#1697566)
+
+* Mon Jul 01 2019 Kamil Dudka - 7.64.0-8
+- prevent multi from crashing with many parallel transfers (#1697566, #1723242)
+
+* Wed May 22 2019 Kamil Dudka - 7.64.0-7
+- fix TFTP receive buffer overflow (CVE-2019-5436)
+- fix integer overflows in curl_url_set() (CVE-2019-5435)
+
 * Mon Mar 25 2019 Kamil Dudka - 7.64.0-6
 - remove verbose "Expire in" ... messages (#1690971)
 
diff --git a/sources b/sources
index d5662be..e0d70dd 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (curl-7.64.0.tar.xz) = 953f1f5336ce5dfd1b9f933624432d401552d91ee02d39ecde6f023c956f99ec6aae8d7746d7c34b6eb2d6452f114e67da4e64d9c8dd90b7644b7844e7b9b423
+SHA512 (curl-7.65.3.tar.xz) = fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b