From 2b88f304a29e1470fdcb2e59c08a58aa3ba505a2 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 28 Apr 2022 09:52:56 +0200 Subject: [PATCH 01/17] Resolves: CVE-2022-22576 - fix OAUTH2 bearer bypass in connection re-use --- 0002-curl-7.82.0-CVE-2022-22576.patch | 148 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.82.0-CVE-2022-22576.patch diff --git a/0002-curl-7.82.0-CVE-2022-22576.patch b/0002-curl-7.82.0-CVE-2022-22576.patch new file mode 100644 index 0000000..bf5eac2 --- /dev/null +++ b/0002-curl-7.82.0-CVE-2022-22576.patch @@ -0,0 +1,148 @@ +From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Mon, 25 Apr 2022 11:44:05 +0200 +Subject: [PATCH] url: check sasl additional parameters for connection reuse. + +Also move static function safecmp() as non-static Curl_safecmp() since +its purpose is needed at several places. + +Bug: https://curl.se/docs/CVE-2022-22576.html + +CVE-2022-22576 + +Closes #8746 + +Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 +Signed-off-by: Kamil Dudka +--- + lib/strcase.c | 10 ++++++++++ + lib/strcase.h | 2 ++ + lib/url.c | 13 ++++++++++++- + lib/urldata.h | 1 + + lib/vtls/vtls.c | 21 ++++++--------------- + 5 files changed, 31 insertions(+), 16 deletions(-) + +diff --git a/lib/strcase.c b/lib/strcase.c +index dd46ca1..692a3f1 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n) + } while(*src++ && --n); + } + ++/* Compare case-sensitive NUL-terminated strings, taking care of possible ++ * null pointers. Return true if arguments match. ++ */ ++bool Curl_safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ return !a && !b; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index b628656..382b80a 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in); + void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + ++bool Curl_safecmp(char *a, char *b); ++ + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index adef2cd..94e3406 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -784,6 +784,7 @@ static void conn_free(struct connectdata *conn) + Curl_safefree(conn->passwd); + Curl_safefree(conn->sasl_authzid); + Curl_safefree(conn->options); ++ Curl_safefree(conn->oauth_bearer); + Curl_dyn_free(&conn->trailer); + Curl_safefree(conn->host.rawalloc); /* host name buffer */ + Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ +@@ -1332,7 +1333,9 @@ ConnectionExists(struct Curl_easy *data, + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ + if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ strcmp(needle->passwd, check->passwd) || ++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || ++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -3596,6 +3599,14 @@ static CURLcode create_conn(struct Curl_easy *data, + } + } + ++ if(data->set.str[STRING_BEARER]) { ++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); ++ if(!conn->oauth_bearer) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto out; ++ } ++ } ++ + #ifdef USE_UNIX_SOCKETS + if(data->set.str[STRING_UNIX_SOCKET_PATH]) { + conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]); +diff --git a/lib/urldata.h b/lib/urldata.h +index cc8a600..03da59a 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -980,6 +980,7 @@ struct connectdata { + char *passwd; /* password string, allocated */ + char *options; /* options string, allocated */ + char *sasl_authzid; /* authorisation identity string, allocated */ ++ char *oauth_bearer; /* OAUTH2 bearer, allocated */ + unsigned char httpversion; /* the HTTP version*10 reported by the server */ + struct curltime now; /* "current" time */ + struct curltime created; /* creation time */ +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 03b85ba..a40ac06 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) + return !memcmp(first->data, second->data, first->len); /* same data */ + } + +-static bool safecmp(char *a, char *b) +-{ +- if(a && b) +- return !strcmp(a, b); +- else if(!a && !b) +- return TRUE; /* match */ +- return FALSE; /* no match */ +-} +- + + bool + Curl_ssl_config_matches(struct ssl_primary_config *data, +@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + blobcmp(data->cert_blob, needle->cert_blob) && + blobcmp(data->ca_info_blob, needle->ca_info_blob) && + blobcmp(data->issuercert_blob, needle->issuercert_blob) && +- safecmp(data->CApath, needle->CApath) && +- safecmp(data->CAfile, needle->CAfile) && +- safecmp(data->issuercert, needle->issuercert) && +- safecmp(data->clientcert, needle->clientcert) && +- safecmp(data->random_file, needle->random_file) && +- safecmp(data->egdsocket, needle->egdsocket) && ++ Curl_safecmp(data->CApath, needle->CApath) && ++ Curl_safecmp(data->CAfile, needle->CAfile) && ++ Curl_safecmp(data->issuercert, needle->issuercert) && ++ Curl_safecmp(data->clientcert, needle->clientcert) && ++ Curl_safecmp(data->random_file, needle->random_file) && ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index 33018c5..b01ff0f 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.79.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) +Patch2: 0002-curl-7.82.0-CVE-2022-22576.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -183,6 +186,7 @@ be installed. %setup -q # upstream patches +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -368,6 +372,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Apr 28 2022 Kamil Dudka - 7.79.1-2 +- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) + * Wed Sep 22 2021 Kamil Dudka - 7.79.1-1 - new upstream release From ec60169f0be0d8729aa66136ff3615b7bc39dd81 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 28 Apr 2022 09:54:37 +0200 Subject: [PATCH 02/17] Resolves: CVE-2022-27775 - fix bad local IPv6 connection reuse --- 0003-curl-7.82.0-CVE-2022-27775.patch | 40 +++++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 45 insertions(+) create mode 100644 0003-curl-7.82.0-CVE-2022-27775.patch diff --git a/0003-curl-7.82.0-CVE-2022-27775.patch b/0003-curl-7.82.0-CVE-2022-27775.patch new file mode 100644 index 0000000..5712ccf --- /dev/null +++ b/0003-curl-7.82.0-CVE-2022-27775.patch @@ -0,0 +1,40 @@ +From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 11:48:00 +0200 +Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey + +Make connections to two separate IPv6 zone ids create separate +connections. + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27775.html +Closes #8747 + +Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705 +Signed-off-by: Kamil Dudka +--- + lib/conncache.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/conncache.c b/lib/conncache.c +index cd5756a..9b9f683 100644 +--- a/lib/conncache.c ++++ b/lib/conncache.c +@@ -160,8 +160,12 @@ static void hashkey(struct connectdata *conn, char *buf, + /* report back which name we used */ + *hostp = hostname; + +- /* put the number first so that the hostname gets cut off if too long */ +- msnprintf(buf, len, "%ld%s", port, hostname); ++ /* put the numbers first so that the hostname gets cut off if too long */ ++#ifdef ENABLE_IPV6 ++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname); ++#else ++ msnprintf(buf, len, "%ld/%s", port, hostname); ++#endif + Curl_strntolower(buf, buf, len); + } + +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index b01ff0f..b62a8ec 100644 --- a/curl.spec +++ b/curl.spec @@ -13,6 +13,9 @@ Source2: mykey.asc # fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) Patch2: 0002-curl-7.82.0-CVE-2022-22576.patch +# fix bad local IPv6 connection reuse (CVE-2022-27775) +Patch3: 0003-curl-7.82.0-CVE-2022-27775.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -187,6 +190,7 @@ be installed. # upstream patches %patch2 -p1 +%patch3 -p1 # Fedora patches %patch101 -p1 @@ -373,6 +377,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Apr 28 2022 Kamil Dudka - 7.79.1-2 +- fix bad local IPv6 connection reuse (CVE-2022-27775) - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) * Wed Sep 22 2021 Kamil Dudka - 7.79.1-1 From ed9dd88599f330f6c8da029311c058a1f91fda53 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 28 Apr 2022 09:57:23 +0200 Subject: [PATCH 03/17] Resolves: CVE-2022-27776 - fix auth/cookie leak on redirect --- 0004-curl-7.82.0-CVE-2022-27776.patch | 246 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 251 insertions(+) create mode 100644 0004-curl-7.82.0-CVE-2022-27776.patch diff --git a/0004-curl-7.82.0-CVE-2022-27776.patch b/0004-curl-7.82.0-CVE-2022-27776.patch new file mode 100644 index 0000000..409a660 --- /dev/null +++ b/0004-curl-7.82.0-CVE-2022-27776.patch @@ -0,0 +1,246 @@ +From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 13:05:40 +0200 +Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port + +CVE-2022-27776 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27776.html +Closes #8749 + +Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258 +Signed-off-by: Kamil Dudka +--- + lib/http.c | 34 ++++++++++++++++++++++------------ + lib/urldata.h | 16 +++++++++------- + 2 files changed, 31 insertions(+), 19 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 799d4fb..0791dcf 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data, + return CURLE_OK; + } + ++/* ++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive ++ * data" can (still) be sent to this host. ++ */ ++static bool allow_auth_to_host(struct Curl_easy *data) ++{ ++ struct connectdata *conn = data->conn; ++ return (!data->state.this_is_a_follow || ++ data->set.allow_auth_to_other_hosts || ++ (data->state.first_host && ++ strcasecompare(data->state.first_host, conn->host.name) && ++ (data->state.first_remote_port == conn->remote_port) && ++ (data->state.first_remote_protocol == conn->handler->protocol))); ++} ++ + /** + * Curl_http_output_auth() setups the authentication headers for the + * host/proxy and the correct authentication +@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data, + with it */ + authproxy->done = TRUE; + +- /* To prevent the user+password to get sent to other than the original +- host due to a location-follow, we do some weirdo checks here */ +- if(!data->state.this_is_a_follow || ++ /* To prevent the user+password to get sent to other than the original host ++ due to a location-follow */ ++ if(allow_auth_to_host(data) + #ifndef CURL_DISABLE_NETRC +- conn->bits.netrc || ++ || conn->bits.netrc + #endif +- !data->state.first_host || +- data->set.allow_auth_to_other_hosts || +- strcasecompare(data->state.first_host, conn->host.name)) { ++ ) + result = output_auth_headers(data, conn, authhost, request, path, FALSE); +- } + else + authhost->done = TRUE; + +@@ -1913,10 +1925,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- (data->state.this_is_a_follow && +- data->state.first_host && +- !data->set.allow_auth_to_other_hosts && +- !strcasecompare(data->state.first_host, conn->host.name))) ++ !allow_auth_to_host(data)) + ; + else { + #ifdef USE_HYPER +@@ -2088,6 +2097,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + return CURLE_OUT_OF_MEMORY; + + data->state.first_remote_port = conn->remote_port; ++ data->state.first_remote_protocol = conn->handler->protocol; + } + Curl_safefree(data->state.aptr.host); + +diff --git a/lib/urldata.h b/lib/urldata.h +index 03da59a..f92052a 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1325,14 +1325,16 @@ struct UrlState { + char *ulbuf; /* allocated upload buffer or NULL */ + curl_off_t current_speed; /* the ProgressShow() function sets this, + bytes / second */ +- char *first_host; /* host name of the first (not followed) request. +- if set, this should be the host name that we will +- sent authorization to, no else. Used to make Location: +- following not keep sending user+password... This is +- strdup() data. +- */ ++ ++ /* host name, port number and protocol of the first (not followed) request. ++ if set, this should be the host name that we will sent authorization to, ++ no else. Used to make Location: following not keep sending user+password. ++ This is strdup()ed data. */ ++ char *first_host; ++ int first_remote_port; ++ unsigned int first_remote_protocol; ++ + int retrycount; /* number of retries on a new connection */ +- int first_remote_port; /* remote port of the first (not followed) request */ + struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */ + long sessionage; /* number of the most recent session */ + struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */ +-- +2.34.1 + + +From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 13:05:47 +0200 +Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776 + +Do not pass on Authorization headers on redirects to another port + +Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test898 | 90 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 91 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test898 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 59d46bc..7ae2cf8 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -106,7 +106,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \ + test863 test864 test865 test866 test867 test868 test869 test870 test871 \ + test872 test873 test874 test875 test876 test877 test878 test879 test880 \ + test881 test882 test883 test884 test885 test886 test887 test888 test889 \ +-test890 test891 test892 test893 test894 test895 test896 test897 \ ++test890 test891 test892 test893 test894 test895 test896 test897 test898 \ + \ + test900 test901 test902 test903 test904 test905 test906 test907 test908 \ + test909 test910 test911 test912 test913 test914 test915 test916 test917 \ +diff --git a/tests/data/test898 b/tests/data/test898 +new file mode 100644 +index 0000000..5cbb7d8 +--- /dev/null ++++ b/tests/data/test898 +@@ -0,0 +1,90 @@ ++ ++ ++ ++HTTP ++--location ++Authorization ++Cookie ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with custom auth and cookies redirected to HTTP on a diff port ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA==" ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++Authorization: Basic am9lOnNlY3JldA== ++Cookie: userpwd=am9lOnNlY3JldA== ++ ++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 ++Host: firsthost.com:9999 ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index b62a8ec..7fc906b 100644 --- a/curl.spec +++ b/curl.spec @@ -16,6 +16,9 @@ Patch2: 0002-curl-7.82.0-CVE-2022-22576.patch # fix bad local IPv6 connection reuse (CVE-2022-27775) Patch3: 0003-curl-7.82.0-CVE-2022-27775.patch +# fix auth/cookie leak on redirect (CVE-2022-27776) +Patch4: 0004-curl-7.82.0-CVE-2022-27776.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -191,6 +194,7 @@ be installed. # upstream patches %patch2 -p1 %patch3 -p1 +%patch4 -p1 # Fedora patches %patch101 -p1 @@ -377,6 +381,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Apr 28 2022 Kamil Dudka - 7.79.1-2 +- fix auth/cookie leak on redirect (CVE-2022-27776) - fix bad local IPv6 connection reuse (CVE-2022-27775) - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) From a82a79e338a44c002b60e36519431cc2bf3e8775 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 28 Apr 2022 09:59:08 +0200 Subject: [PATCH 04/17] Resolves: CVE-2022-27774 - fix credential leak on redirect --- 0005-curl-7.82.0-CVE-2022-27774.patch | 548 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 553 insertions(+) create mode 100644 0005-curl-7.82.0-CVE-2022-27774.patch diff --git a/0005-curl-7.82.0-CVE-2022-27774.patch b/0005-curl-7.82.0-CVE-2022-27774.patch new file mode 100644 index 0000000..ecbe25d --- /dev/null +++ b/0005-curl-7.82.0-CVE-2022-27774.patch @@ -0,0 +1,548 @@ +From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH 1/3] connect: store "conn_remote_port" in the info struct + +To make it available after the connection ended. + +Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839 +Signed-off-by: Kamil Dudka +--- + lib/connect.c | 1 + + lib/urldata.h | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/connect.c b/lib/connect.c +index 64f9511..7518807 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -617,6 +617,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn, + data->info.conn_scheme = conn->handler->scheme; + data->info.conn_protocol = conn->handler->protocol; + data->info.conn_primary_port = conn->port; ++ data->info.conn_remote_port = conn->remote_port; + data->info.conn_local_port = local_port; + } + +diff --git a/lib/urldata.h b/lib/urldata.h +index f92052a..5218f76 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1156,7 +1156,11 @@ struct PureInfo { + reused, in the connection cache. */ + + char conn_primary_ip[MAX_IPADR_LEN]; +- int conn_primary_port; ++ int conn_primary_port; /* this is the destination port to the connection, ++ which might have been a proxy */ ++ int conn_remote_port; /* this is the "remote port", which is the port ++ number of the used URL, independent of proxy or ++ not */ + char conn_local_ip[MAX_IPADR_LEN]; + int conn_local_port; + const char *conn_scheme; +-- +2.34.1 + + +From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH 2/3] transfer: redirects to other protocols or ports clear + auth + +... unless explicitly permitted. + +Bug: https://curl.se/docs/CVE-2022-27774.html +Reported-by: Harry Sintonen +Closes #8748 + +Upstream-commit: 620ea21410030a9977396b4661806bc187231b79 +Signed-off-by: Kamil Dudka +--- + lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 48 insertions(+), 1 deletion(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 1f8019b..752fe14 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1652,10 +1652,57 @@ CURLcode Curl_follow(struct Curl_easy *data, + return CURLE_OUT_OF_MEMORY; + } + else { +- + uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); + if(uc) + return Curl_uc_to_curlcode(uc); ++ ++ /* Clear auth if this redirects to a different port number or protocol, ++ unless permitted */ ++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { ++ char *portnum; ++ int port; ++ bool clear = FALSE; ++ ++ if(data->set.use_port && data->state.allow_port) ++ /* a custom port is used */ ++ port = (int)data->set.use_port; ++ else { ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, ++ CURLU_DEFAULT_PORT); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ port = atoi(portnum); ++ free(portnum); ++ } ++ if(port != data->info.conn_remote_port) { ++ infof(data, "Clear auth, redirects to port from %u to %u", ++ data->info.conn_remote_port, port); ++ clear = TRUE; ++ } ++ else { ++ char *scheme; ++ const struct Curl_handler *p; ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ ++ p = Curl_builtin_scheme(scheme); ++ if(p && (p->protocol != data->info.conn_protocol)) { ++ infof(data, "Clear auth, redirects scheme from %s to %s", ++ data->info.conn_scheme, scheme); ++ clear = TRUE; ++ } ++ free(scheme); ++ } ++ if(clear) { ++ Curl_safefree(data->state.aptr.user); ++ Curl_safefree(data->state.aptr.passwd); ++ } ++ } + } + + if(type == FOLLOW_FAKE) { +-- +2.34.1 + + +From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH 3/3] tests: verify the fix for CVE-2022-27774 + + - Test 973 redirects from HTTP to FTP, clear auth + - Test 974 redirects from HTTP to HTTP different port, clear auth + - Test 975 redirects from HTTP to FTP, permitted to keep auth + - Test 976 redirects from HTTP to HTTP different port, permitted to keep + auth + +Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++ + tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 352 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test973 + create mode 100644 tests/data/test974 + create mode 100644 tests/data/test975 + create mode 100644 tests/data/test976 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 7ae2cf8..175fc43 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -116,7 +116,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \ + test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 test970 test971 \ +-test972 \ ++test972 test973 test974 test975 test976 \ + \ + test980 test981 test982 test983 test984 test985 test986 \ + \ +diff --git a/tests/data/test973 b/tests/data/test973 +new file mode 100644 +index 0000000..6ced107 +--- /dev/null ++++ b/tests/data/test973 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++FTP ++--location ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++ ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ftp ++ ++ ++HTTP with auth redirected to FTP w/o auth ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++CWD a ++CWD path ++EPSV ++TYPE I ++SIZE %TESTNUMBER0002 ++RETR %TESTNUMBER0002 ++QUIT ++ ++ ++ +diff --git a/tests/data/test974 b/tests/data/test974 +new file mode 100644 +index 0000000..ac4e641 +--- /dev/null ++++ b/tests/data/test974 +@@ -0,0 +1,87 @@ ++ ++ ++ ++HTTP ++--location ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with auth redirected to HTTP on a diff port w/o auth ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 ++Host: firsthost.com:9999 ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff --git a/tests/data/test975 b/tests/data/test975 +new file mode 100644 +index 0000000..85e03e4 +--- /dev/null ++++ b/tests/data/test975 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++FTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++ ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ftp ++ ++ ++HTTP with auth redirected to FTP allowing auth to continue ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++ ++USER joe ++PASS secret ++PWD ++CWD a ++CWD path ++EPSV ++TYPE I ++SIZE %TESTNUMBER0002 ++RETR %TESTNUMBER0002 ++QUIT ++ ++ ++ +diff --git a/tests/data/test976 b/tests/data/test976 +new file mode 100644 +index 0000000..c4dd61e +--- /dev/null ++++ b/tests/data/test976 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with auth redirected to HTTP on a diff port --location-trusted ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 ++Host: firsthost.com:9999 ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index 7fc906b..3478335 100644 --- a/curl.spec +++ b/curl.spec @@ -19,6 +19,9 @@ Patch3: 0003-curl-7.82.0-CVE-2022-27775.patch # fix auth/cookie leak on redirect (CVE-2022-27776) Patch4: 0004-curl-7.82.0-CVE-2022-27776.patch +# fix credential leak on redirect (CVE-2022-27774) +Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -195,6 +198,7 @@ be installed. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 # Fedora patches %patch101 -p1 @@ -381,6 +385,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Apr 28 2022 Kamil Dudka - 7.79.1-2 +- fix credential leak on redirect (CVE-2022-27774) - fix auth/cookie leak on redirect (CVE-2022-27776) - fix bad local IPv6 connection reuse (CVE-2022-27775) - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) From 721c210a3ca1dca0cbf298c0fc7f1b5a3f36e53e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 2 May 2022 10:00:34 +0200 Subject: [PATCH 05/17] Resolves: CVE-2022-27774 - fix leak of SRP credentials in redirects --- 0005-curl-7.82.0-CVE-2022-27774.patch | 94 ++++++++++++++++++++++++++- curl.spec | 5 +- 2 files changed, 95 insertions(+), 4 deletions(-) diff --git a/0005-curl-7.82.0-CVE-2022-27774.patch b/0005-curl-7.82.0-CVE-2022-27774.patch index ecbe25d..79c1b40 100644 --- a/0005-curl-7.82.0-CVE-2022-27774.patch +++ b/0005-curl-7.82.0-CVE-2022-27774.patch @@ -1,7 +1,7 @@ From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 25 Apr 2022 16:24:33 +0200 -Subject: [PATCH 1/3] connect: store "conn_remote_port" in the info struct +Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct To make it available after the connection ended. @@ -48,7 +48,7 @@ index f92052a..5218f76 100644 From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 25 Apr 2022 16:24:33 +0200 -Subject: [PATCH 2/3] transfer: redirects to other protocols or ports clear +Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear auth ... unless explicitly permitted. @@ -133,7 +133,7 @@ index 1f8019b..752fe14 100644 From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 25 Apr 2022 16:24:33 +0200 -Subject: [PATCH 3/3] tests: verify the fix for CVE-2022-27774 +Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774 - Test 973 redirects from HTTP to FTP, clear auth - Test 974 redirects from HTTP to HTTP different port, clear auth @@ -546,3 +546,91 @@ index 0000000..c4dd61e -- 2.34.1 + +From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 17:59:15 +0200 +Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects + either + +Follow-up to 620ea21410030 + +Reported-by: Harry Sintonen +Closes #8751 + +Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 +Signed-off-by: Kamil Dudka +--- + lib/http.c | 10 +++++----- + lib/http.h | 6 ++++++ + lib/vtls/openssl.c | 3 ++- + 3 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 0791dcf..4433824 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data, + } + + /* +- * allow_auth_to_host() tells if autentication, cookies or other "sensitive +- * data" can (still) be sent to this host. ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. + */ +-static bool allow_auth_to_host(struct Curl_easy *data) ++bool Curl_allow_auth_to_host(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; + return (!data->state.this_is_a_follow || +@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data, + + /* To prevent the user+password to get sent to other than the original host + due to a location-follow */ +- if(allow_auth_to_host(data) ++ if(Curl_allow_auth_to_host(data) + #ifndef CURL_DISABLE_NETRC + || conn->bits.netrc + #endif +@@ -1925,7 +1925,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- !allow_auth_to_host(data)) ++ !Curl_allow_auth_to_host(data)) + ; + else { + #ifdef USE_HYPER +diff --git a/lib/http.h b/lib/http.h +index 07e963d..9000bae 100644 +--- a/lib/http.h ++++ b/lib/http.h +@@ -319,4 +319,10 @@ Curl_http_output_auth(struct Curl_easy *data, + bool proxytunnel); /* TRUE if this is the request setting + up the proxy tunnel */ + ++/* ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. ++ */ ++bool Curl_allow_auth_to_host(struct Curl_easy *data); ++ + #endif /* HEADER_CURL_HTTP_H */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 1bafe96..97c5666 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2869,7 +2869,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #endif + + #ifdef USE_OPENSSL_SRP +- if(ssl_authtype == CURL_TLSAUTH_SRP) { ++ if((ssl_authtype == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + char * const ssl_username = SSL_SET_OPTION(username); + + infof(data, "Using TLS-SRP username: %s", ssl_username); +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index 3478335..a822190 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.79.1 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -384,6 +384,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon May 02 2022 Kamil Dudka - 7.79.1-3 +- fix leak of SRP credentials in redirects (CVE-2022-27774) + * Thu Apr 28 2022 Kamil Dudka - 7.79.1-2 - fix credential leak on redirect (CVE-2022-27774) - fix auth/cookie leak on redirect (CVE-2022-27776) From ef008d18d94dd3e21f922b6d211992c16567bc25 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 May 2022 10:56:40 +0200 Subject: [PATCH 06/17] Resolves: CVE-2022-27782 - fix too eager reuse of TLS and SSH connections --- 0009-curl-7.82.0-CVE-2022-27782.patch | 566 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 574 insertions(+), 1 deletion(-) create mode 100644 0009-curl-7.82.0-CVE-2022-27782.patch diff --git a/0009-curl-7.82.0-CVE-2022-27782.patch b/0009-curl-7.82.0-CVE-2022-27782.patch new file mode 100644 index 0000000..f10d1ba --- /dev/null +++ b/0009-curl-7.82.0-CVE-2022-27782.patch @@ -0,0 +1,566 @@ +From 50481ac42b4beae6ea85345e37b051124ac00f11 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 28 Jan 2022 16:48:38 +0100 +Subject: [PATCH 1/3] setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds + +Closes #8350 + +Upstream-commit: 96629ba2c212cda2bd1b7b04e2a9fc01ef70b75d +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 08827d1..9eaa187 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -2743,30 +2743,30 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) + data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; ++#ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); +-#ifndef CURL_DISABLE_PROXY + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && + !data->set.proxy_ssl.authtype) + data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ +-#endif + break; ++#endif + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) + data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; ++#ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); +-#ifndef CURL_DISABLE_PROXY + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && + !data->set.proxy_ssl.authtype) + data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ +-#endif + break; ++#endif + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || +-- +2.34.1 + + +From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH 2/3] tls: check more TLS details for connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 29 +++++++++++++++++------------ + lib/url.c | 23 ++++++++++++++++------- + lib/urldata.h | 13 +++++++------ + lib/vtls/gtls.c | 19 ++++++++++--------- + lib/vtls/mbedtls.c | 2 +- + lib/vtls/nss.c | 6 +++--- + lib/vtls/openssl.c | 10 +++++----- + lib/vtls/vtls.c | 21 +++++++++++++++++++++ + 8 files changed, 80 insertions(+), 43 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 8e1bf12..7aa6fdb 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2311,6 +2311,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + + case CURLOPT_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2324,6 +2325,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2740,49 +2742,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case CURLOPT_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to ++ SRP */ + break; + #endif + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + #endif + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #endif + #endif +diff --git a/lib/url.c b/lib/url.c +index 94e3406..5ebf5e2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -547,7 +547,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + set->ssl.primary.verifypeer = TRUE; + set->ssl.primary.verifyhost = TRUE; + #ifdef USE_TLS_SRP +- set->ssl.authtype = CURL_TLSAUTH_NONE; ++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; + #endif + set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth + type */ +@@ -1748,11 +1748,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; + conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; + conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; ++ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #ifndef CURL_DISABLE_PROXY + conn->proxy_ssl_config.verifystatus = + data->set.proxy_ssl.primary.verifystatus; + conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; + conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; ++ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #endif + conn->ip_version = data->set.ipver; + conn->bits.connect_only = data->set.connect_only; +@@ -3809,7 +3815,8 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.primary.issuercert_blob = + data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; +- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; ++ data->set.proxy_ssl.primary.CRLfile = ++ data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +@@ -3817,18 +3824,20 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; ++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.ssl.key = data->set.str[STRING_KEY]; + data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; + data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; + data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; ++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; ++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + #ifndef CURL_DISABLE_PROXY +- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; ++ data->set.proxy_ssl.primary.username = ++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; ++ data->set.proxy_ssl.primary.password = ++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; +diff --git a/lib/urldata.h b/lib/urldata.h +index 5218f76..e006495 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -253,10 +253,17 @@ struct ssl_primary_config { + char *cipher_list; /* list of ciphers to use */ + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; ++ char *CRLfile; /* CRL to check certificate revocation */ + struct curl_blob *cert_blob; + struct curl_blob *ca_info_blob; + struct curl_blob *issuercert_blob; ++#ifdef USE_TLS_SRP ++ char *username; /* TLS username (for, e.g., SRP) */ ++ char *password; /* TLS password (for, e.g., SRP) */ ++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ ++#endif + char *curves; /* list of curves to use */ ++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ + BIT(verifystatus); /* set TRUE if certificate status must be checked */ +@@ -266,7 +273,6 @@ struct ssl_primary_config { + struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ +- char *CRLfile; /* CRL to check certificate revocation */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert_type; /* format for certificate (default: PEM)*/ +@@ -274,11 +280,6 @@ struct ssl_config_data { + struct curl_blob *key_blob; + char *key_type; /* format for private key (default: PEM) */ + char *key_passwd; /* plain text private key password */ +-#ifdef USE_TLS_SRP +- char *username; /* TLS username (for, e.g., SRP) */ +- char *password; /* TLS password (for, e.g., SRP) */ +- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +-#endif + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); + BIT(enable_beast); /* allow this flaw for interoperability's sake*/ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 5749376..ec6be16 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -443,8 +443,8 @@ gtls_connect_step1(struct Curl_easy *data, + } + + rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, +- SSL_SET_OPTION(username), +- SSL_SET_OPTION(password)); ++ SSL_SET_OPTION(primary.username), ++ SSL_SET_OPTION(primary.password)); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_set_client_cred() failed: %s", + gnutls_strerror(rc)); +@@ -500,19 +500,19 @@ gtls_connect_step1(struct Curl_easy *data, + } + #endif + +- if(SSL_SET_OPTION(CRLfile)) { ++ if(SSL_SET_OPTION(primary.CRLfile)) { + /* set the CRL list file */ + rc = gnutls_certificate_set_x509_crl_file(backend->cred, +- SSL_SET_OPTION(CRLfile), ++ SSL_SET_OPTION(primary.CRLfile), + GNUTLS_X509_FMT_PEM); + if(rc < 0) { + failf(data, "error reading crl file %s (%s)", +- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); ++ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); + return CURLE_SSL_CRL_BADFILE; + } + else + infof(data, "found %d CRL in %s", +- rc, SSL_SET_OPTION(CRLfile)); ++ rc, SSL_SET_OPTION(primary.CRLfile)); + } + + /* Initialize TLS session as a client */ +@@ -585,7 +585,7 @@ gtls_connect_step1(struct Curl_easy *data, + #ifdef HAVE_GNUTLS_SRP + /* Only add SRP to the cipher list if SRP is requested. Otherwise + * GnuTLS will disable TLS 1.3 support. */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + size_t len = strlen(prioritylist); + + char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); +@@ -677,7 +677,7 @@ gtls_connect_step1(struct Curl_easy *data, + + #ifdef HAVE_GNUTLS_SRP + /* put the credentials to the current session */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, + backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -917,7 +917,8 @@ gtls_connect_step3(struct Curl_easy *data, + failf(data, "server certificate verification failed. CAfile: %s " + "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): + "none", +- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); ++ SSL_SET_OPTION(primary.CRLfile) ? ++ SSL_SET_OPTION(primary.CRLfile) : "none"); + return CURLE_PEER_FAILED_VERIFICATION; + } + else +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index b9fd26a..bd4ad8f 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -275,7 +275,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + const char * const hostname = SSL_HOST_NAME(); + #ifndef CURL_DISABLE_VERBOSE_STRINGS + const long int port = SSL_HOST_PORT(); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 558e3be..892e7d8 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -1986,13 +1986,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, + } + } + +- if(SSL_SET_OPTION(CRLfile)) { +- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); ++ if(SSL_SET_OPTION(primary.CRLfile)) { ++ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); + if(rv) { + result = rv; + goto error; + } +- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); ++ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); + } + + if(SSL_SET_OPTION(primary.clientcert)) { +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 97c5666..a4ef9d1 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2609,7 +2609,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #endif + const long int ssl_version = SSL_CONN_CONFIG(version); + #ifdef USE_OPENSSL_SRP +- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); ++ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); + #endif + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +@@ -2620,7 +2620,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + char error_buffer[256]; + struct ssl_backend_data *backend = connssl->backend; + bool imported_native_ca = false; +@@ -2871,15 +2871,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #ifdef USE_OPENSSL_SRP + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- char * const ssl_username = SSL_SET_OPTION(username); +- ++ char * const ssl_username = SSL_SET_OPTION(primary.username); ++ char * const ssl_password = SSL_SET_OPTION(primary.password); + infof(data, "Using TLS-SRP username: %s", ssl_username); + + if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { ++ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index a40ac06..e2d3438 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + { + if((data->version == needle->version) && + (data->version_max == needle->version_max) && ++ (data->ssl_options == needle->ssl_options) && + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && ++#ifdef USE_TLS_SRP ++ Curl_safecmp(data->username, needle->username) && ++ Curl_safecmp(data->password, needle->password) && ++ (data->authtype == needle->authtype) && ++#endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + return TRUE; + +@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->verifyhost = source->verifyhost; + dest->verifystatus = source->verifystatus; + dest->sessionid = source->sessionid; ++ dest->ssl_options = source->ssl_options; ++#ifdef USE_TLS_SRP ++ dest->authtype = source->authtype; ++#endif + + CLONE_BLOB(cert_blob); + CLONE_BLOB(ca_info_blob); +@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); + CLONE_STRING(curves); ++ CLONE_STRING(CRLfile); ++#ifdef USE_TLS_SRP ++ CLONE_STRING(username); ++ CLONE_STRING(password); ++#endif + + return TRUE; + } +@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + Curl_safefree(sslc->ca_info_blob); + Curl_safefree(sslc->issuercert_blob); + Curl_safefree(sslc->curves); ++ Curl_safefree(sslc->CRLfile); ++#ifdef USE_TLS_SRP ++ Curl_safefree(sslc->username); ++ Curl_safefree(sslc->password); ++#endif + } + + #ifdef USE_SSL +-- +2.34.1 + + +From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH 3/3] url: check SSH config match on connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 11 +++++++++++ + lib/vssh/ssh.h | 6 +++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 5ebf5e2..c713e54 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1089,6 +1089,12 @@ static void prune_dead_connections(struct Curl_easy *data) + } + } + ++static bool ssh_config_matches(struct connectdata *one, ++ struct connectdata *two) ++{ ++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && ++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); ++} + /* + * Given one filled in connection struct (named needle), this function should + * detect if there already is one that has all the significant details +@@ -1348,6 +1354,11 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; + ++ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) ++ continue; ++ } ++ + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY + || !needle->bits.httpproxy || needle->bits.tunnel_proxy +diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h +index 7972081..30d82e5 100644 +--- a/lib/vssh/ssh.h ++++ b/lib/vssh/ssh.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -131,8 +131,8 @@ struct ssh_conn { + + /* common */ + const char *passphrase; /* pass-phrase to use */ +- char *rsa_pub; /* path name */ +- char *rsa; /* path name */ ++ char *rsa_pub; /* strdup'ed public key file */ ++ char *rsa; /* strdup'ed private key file */ + bool authed; /* the connection has been authenticated fine */ + bool acceptfail; /* used by the SFTP_QUOTE (continue if + quote command fails) */ +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index a822190..b86da0d 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.79.1 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -22,6 +22,9 @@ Patch4: 0004-curl-7.82.0-CVE-2022-27776.patch # fix credential leak on redirect (CVE-2022-27774) Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch +# fix too eager reuse of TLS and SSH connections (CVE-2022-27782) +Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -199,6 +202,7 @@ be installed. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch9 -p1 # Fedora patches %patch101 -p1 @@ -384,6 +388,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 11 2022 Kamil Dudka - 7.79.1-4 +- fix too eager reuse of TLS and SSH connections (CVE-2022-27782) + * Mon May 02 2022 Kamil Dudka - 7.79.1-3 - fix leak of SRP credentials in redirects (CVE-2022-27774) From 6f4745f54a09c6e6f35eb3d53b8353f89ba6b670 Mon Sep 17 00:00:00 2001 From: Miroslav Vadkerti Date: Mon, 4 Oct 2021 22:40:37 +0200 Subject: [PATCH 07/17] Migrate tests to tmt Signed-off-by: Miroslav Vadkerti --- .fmf/version | 1 + ci.fmf | 9 +++ tests/non-root-user-download/Makefile | 63 -------------------- tests/non-root-user-download/PURPOSE | 3 - tests/non-root-user-download/main.fmf | 17 ++++++ tests/non-root-user-download/runtest.sh | 1 - tests/non-root-user-download/runtest.yml | 64 --------------------- tests/scp-and-sftp-download-test/Makefile | 63 -------------------- tests/scp-and-sftp-download-test/PURPOSE | 12 ---- tests/scp-and-sftp-download-test/main.fmf | 20 +++++++ tests/scp-and-sftp-download-test/runtest.sh | 3 +- tests/tests.yml | 26 --------- 12 files changed, 48 insertions(+), 234 deletions(-) create mode 100644 .fmf/version create mode 100644 ci.fmf delete mode 100644 tests/non-root-user-download/Makefile delete mode 100644 tests/non-root-user-download/PURPOSE create mode 100644 tests/non-root-user-download/main.fmf mode change 100644 => 100755 tests/non-root-user-download/runtest.sh delete mode 100644 tests/non-root-user-download/runtest.yml delete mode 100644 tests/scp-and-sftp-download-test/Makefile delete mode 100644 tests/scp-and-sftp-download-test/PURPOSE create mode 100644 tests/scp-and-sftp-download-test/main.fmf mode change 100644 => 100755 tests/scp-and-sftp-download-test/runtest.sh delete mode 100644 tests/tests.yml diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..d3546e9 --- /dev/null +++ b/ci.fmf @@ -0,0 +1,9 @@ +discover: + how: fmf +prepare: + how: install + exclude: + - libcurl-minimal + - curl-minimal +execute: + how: tmt diff --git a/tests/non-root-user-download/Makefile b/tests/non-root-user-download/Makefile deleted file mode 100644 index 9746b63..0000000 --- a/tests/non-root-user-download/Makefile +++ /dev/null @@ -1,63 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/curl/Sanity/non-root-user-download -# Description: various download methods with non-root user -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2013 Red Hat, Inc. All rights reserved. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/curl/Sanity/non-root-user-download -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Karel Srot " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: various download methods with non-root user" >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 5m" >> $(METADATA) - @echo "RunFor: curl" >> $(METADATA) - @echo "Requires: curl" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/non-root-user-download/PURPOSE b/tests/non-root-user-download/PURPOSE deleted file mode 100644 index 048ed68..0000000 --- a/tests/non-root-user-download/PURPOSE +++ /dev/null @@ -1,3 +0,0 @@ -PURPOSE of /CoreOS/curl/Sanity/non-root-user-download -Description: various download methods with non-root user -Author: Karel Srot diff --git a/tests/non-root-user-download/main.fmf b/tests/non-root-user-download/main.fmf new file mode 100644 index 0000000..15c0c12 --- /dev/null +++ b/tests/non-root-user-download/main.fmf @@ -0,0 +1,17 @@ +summary: various download methods with non-root user +description: '' +contact: Daniel Rusek +component: + - curl +require: + - findutils + - libselinux-utils + - openssh-clients + - passwd +test: ./runtest.sh +framework: beakerlib +duration: 5m +enabled: true +tier: '1' +link: + - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1049921 diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh old mode 100644 new mode 100755 index 1b5f8f1..fd5f375 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -27,7 +27,6 @@ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Include Beaker environment -. /usr/bin/rhts-environment.sh || exit 1 . /usr/share/beakerlib/beakerlib.sh || exit 1 PACKAGE="curl" diff --git a/tests/non-root-user-download/runtest.yml b/tests/non-root-user-download/runtest.yml deleted file mode 100644 index c03e729..0000000 --- a/tests/non-root-user-download/runtest.yml +++ /dev/null @@ -1,64 +0,0 @@ -- hosts: '{{ hosts | default("localhost") }}' - vars: - package: "curl" - tasks: - - name: "Set Content variables" - set_fact: - content: "a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed" - password: "pAssw0rd" - crypt_password: "$6$/5GE87XLYLLfB3qx$w84Kct34UZG/4buTSXWkaaVIsw2xGXSAdmnS2QYdG8TtRgTsBnHdFdSkhoy.tKIE6A6LKlxczIZjQbpB19k7B1" - - name: "Create user curltester" - user: - name: "curltester" - password: "{{ crypt_password }}" - - name: "Copy testfile" - copy: - dest: "/home/curltester/testfile" - content: "{{ content }}" - - block: - - name: "http download" - command: "curl https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM" - args: - warn: false - register: http - become: yes - become_user: curltester - - name: "Compare http output" - fail: - msg: "{{ content }} not in {{ http.stdout }}" - when: content not in http.stdout - - name: "ftp download" - command: "curl ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM" - args: - warn: false - register: ftp - become: yes - become_user: curltester - - name: "Compare ftp output" - fail: - msg: "{{ content }} not in {{ ftp.stdout }}" - when: content not in ftp.stdout - - name: "scp download" - command: "curl -u curltester:{{ password }} --insecure scp://localhost/home/curltester/testfile" - args: - warn: false - register: scp - - name: "Compare scp output" - fail: - msg: "{{ content }} not in {{ scp.stdout }}" - when: content not in scp.stdout - - name: "sftp download" - command: "curl -u curltester:{{ password }} --insecure sftp://localhost/home/curltester/testfile" - args: - warn: false - register: sftp - - name: "Compare sftp output" - fail: - msg: "{{ content }} not in {{ sftp.stdout }}" - when: content not in sftp.stdout - always: - - name: "Remove user curltester" - user: - name: "curltester" - remove: yes - state: absent diff --git a/tests/scp-and-sftp-download-test/Makefile b/tests/scp-and-sftp-download-test/Makefile deleted file mode 100644 index b4d1c52..0000000 --- a/tests/scp-and-sftp-download-test/Makefile +++ /dev/null @@ -1,63 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/curl/Sanity/scp-and-sftp-download-test -# Description: downloads test file through scp and sftp -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2012 Red Hat, Inc. All rights reserved. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/curl/Sanity/scp-and-sftp-download-test -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Karel Srot " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: downloads test file through scp and sftp" >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 10m" >> $(METADATA) - @echo "RunFor: curl" >> $(METADATA) - @echo "Requires: curl openssh" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/scp-and-sftp-download-test/PURPOSE b/tests/scp-and-sftp-download-test/PURPOSE deleted file mode 100644 index 03adc4c..0000000 --- a/tests/scp-and-sftp-download-test/PURPOSE +++ /dev/null @@ -1,12 +0,0 @@ -PURPOSE of /CoreOS/curl/Sanity/scp-and-sftp-download-test -Description: downloads test file through scp and sftp -Author: Karel Srot - -Test scenario: -- scp download -- sftp download -- scp upload -- sftp upload - -When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed -with empty --pubkey parameter (--pubkey "") or with the paramiter omitted diff --git a/tests/scp-and-sftp-download-test/main.fmf b/tests/scp-and-sftp-download-test/main.fmf new file mode 100644 index 0000000..b69aff6 --- /dev/null +++ b/tests/scp-and-sftp-download-test/main.fmf @@ -0,0 +1,20 @@ +summary: downloads test file through scp and sftp +description: | + Test scenario: + - scp download + - sftp download + - scp upload + - sftp upload + + When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed + with empty --pubkey parameter (--pubkey "") or with the paramiter omitted +contact: Daniel Rusek +require: + - findutils +component: + - curl +test: ./runtest.sh +path: /tests/scp-and-sftp-download-test +framework: beakerlib +duration: 10m +enabled: true diff --git a/tests/scp-and-sftp-download-test/runtest.sh b/tests/scp-and-sftp-download-test/runtest.sh old mode 100644 new mode 100755 index 6e5d748..9cf9a2c --- a/tests/scp-and-sftp-download-test/runtest.sh +++ b/tests/scp-and-sftp-download-test/runtest.sh @@ -27,8 +27,7 @@ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Include Beaker environment -. /usr/bin/rhts-environment.sh -. /usr/lib/beakerlib/beakerlib.sh +. /usr/share/beakerlib/beakerlib.sh || exit 1 PACKAGE="curl" diff --git a/tests/tests.yml b/tests/tests.yml deleted file mode 100644 index 819d636..0000000 --- a/tests/tests.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Tests for Classic -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - classic - tests: - - scp-and-sftp-download-test - - non-root-user-download - required_packages: - - findutils # non-root-user-download needs find command - # scp-and-sftp-download-test needs find command - - passwd # non-root-user-download needs passwd command - - openssh-clients # non-root-user-download needs ssh-keyscan command - -# Tests for Atomic -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - atomic - tests: - - scp-and-sftp-download-test - - non-root-user-download - From a85bec4b3428244a4e8d0f109beb4a16c970aa60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Thu, 12 May 2022 10:15:57 +0200 Subject: [PATCH 08/17] tests/non-root-user-download: fix test failures --- tests/non-root-user-download/main.fmf | 1 + tests/non-root-user-download/runtest.sh | 14 ++++++++------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/tests/non-root-user-download/main.fmf b/tests/non-root-user-download/main.fmf index 15c0c12..2e3980f 100644 --- a/tests/non-root-user-download/main.fmf +++ b/tests/non-root-user-download/main.fmf @@ -7,6 +7,7 @@ require: - findutils - libselinux-utils - openssh-clients + - openssh-server - passwd test: ./runtest.sh framework: beakerlib diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index fd5f375..0529a12 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM -CONTENT=a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM +CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404 PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" @@ -46,9 +46,11 @@ rlJournalStart rlRun "useradd -m curltester" 0 "Adding the test user" rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user" rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile" + rlFileBackup --clean --missing-ok $HOME/.ssh /etc/hosts + rlRun "rm -f $HOME/.ssh/*" [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh ) - rlFileBackup $HOME/.ssh/known_hosts /etc/hosts - ssh-keygen -F localhost -f $HOME/.ssh/known_hosts || rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts" + rlRun "rlServiceStart sshd" + rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts" rlPhaseEnd rlPhaseStartTest "http download" @@ -81,7 +83,7 @@ if ! rlIsRHEL 5; then fi rlPhaseStartCleanup - rlRun "rm -f $HOME/.ssh/known_hosts" + rlRun "rlServiceRestore" rlFileRestore rlRun "popd" rlRun "rm -r $TmpDir" 0 "Removing tmp directory" From dd1280a12487840e0dd82a521f00024256d2910e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 29 Jun 2022 10:56:13 +0200 Subject: [PATCH 09/17] Resolves: CVE-2022-32208 - fix FTP-KRB bad message verification --- 0010-curl-7.82.0-CVE-2022-32208.patch | 70 +++++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 0010-curl-7.82.0-CVE-2022-32208.patch diff --git a/0010-curl-7.82.0-CVE-2022-32208.patch b/0010-curl-7.82.0-CVE-2022-32208.patch new file mode 100644 index 0000000..0821194 --- /dev/null +++ b/0010-curl-7.82.0-CVE-2022-32208.patch @@ -0,0 +1,70 @@ +From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Jun 2022 09:27:24 +0200 +Subject: [PATCH] krb5: return error properly on decode errors + +Bug: https://curl.se/docs/CVE-2022-32208.html +CVE-2022-32208 +Reported-by: Harry Sintonen +Closes #9051 + +Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09 +Signed-off-by: Kamil Dudka +--- + lib/krb5.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/lib/krb5.c b/lib/krb5.c +index 787137c..6f9e1f7 100644 +--- a/lib/krb5.c ++++ b/lib/krb5.c +@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, int len, + enc.value = buf; + enc.length = len; + maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); +- if(maj != GSS_S_COMPLETE) { +- if(len >= 4) +- strcpy(buf, "599 "); ++ if(maj != GSS_S_COMPLETE) + return -1; +- } + + memcpy(buf, dec.value, dec.length); + len = curlx_uztosi(dec.length); +@@ -512,6 +509,7 @@ static CURLcode read_data(struct connectdata *conn, + { + int len; + CURLcode result; ++ int nread; + + result = socket_read(fd, &len, sizeof(len)); + if(result) +@@ -520,7 +518,10 @@ static CURLcode read_data(struct connectdata *conn, + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); +- buf->data = Curl_saferealloc(buf->data, len); ++ if(len > CURL_MAX_INPUT_LENGTH) ++ len = 0; ++ else ++ buf->data = Curl_saferealloc(buf->data, len); + } + if(!len || !buf->data) + return CURLE_OUT_OF_MEMORY; +@@ -528,8 +529,11 @@ static CURLcode read_data(struct connectdata *conn, + result = socket_read(fd, buf->data, len); + if(result) + return result; +- buf->size = conn->mech->decode(conn->app_data, buf->data, len, +- conn->data_prot, conn); ++ nread = conn->mech->decode(conn->app_data, buf->data, len, ++ conn->data_prot, conn); ++ if(nread < 0) ++ return CURLE_RECV_ERROR; ++ buf->size = (size_t)nread; + buf->index = 0; + return CURLE_OK; + } +-- +2.35.3 + diff --git a/curl.spec b/curl.spec index b86da0d..4b36f34 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.79.1 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,9 @@ Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch # fix too eager reuse of TLS and SSH connections (CVE-2022-27782) Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch +# fix FTP-KRB bad message verification (CVE-2022-32208) +Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -203,6 +206,7 @@ be installed. %patch4 -p1 %patch5 -p1 %patch9 -p1 +%patch10 -p1 # Fedora patches %patch101 -p1 @@ -388,6 +392,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jun 29 2022 Kamil Dudka - 7.79.1-5 +- fix FTP-KRB bad message verification (CVE-2022-32208) + * Wed May 11 2022 Kamil Dudka - 7.79.1-4 - fix too eager reuse of TLS and SSH connections (CVE-2022-27782) From ae59fb949a923f090373d4832f4fa3c55f409a7a Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 29 Jun 2022 11:04:02 +0200 Subject: [PATCH 10/17] Resolves: CVE-2022-32206 - fix HTTP compression denial of service --- 0011-curl-7.82.0-CVE-2022-32206.patch | 144 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 149 insertions(+) create mode 100644 0011-curl-7.82.0-CVE-2022-32206.patch diff --git a/0011-curl-7.82.0-CVE-2022-32206.patch b/0011-curl-7.82.0-CVE-2022-32206.patch new file mode 100644 index 0000000..5ce1c6c --- /dev/null +++ b/0011-curl-7.82.0-CVE-2022-32206.patch @@ -0,0 +1,144 @@ +From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:28:13 +0200 +Subject: [PATCH 1/2] content_encoding: return error on too many compression + steps + +The max allowed steps is arbitrarily set to 5. + +Bug: https://curl.se/docs/CVE-2022-32206.html +CVE-2022-32206 +Reported-by: Harry Sintonen +Closes #9049 + +Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2 +Signed-off-by: Kamil Dudka +--- + lib/content_encoding.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index c03637a..6f994b3 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1025,12 +1025,16 @@ static const struct content_encoding *find_encoding(const char *name, + return NULL; + } + ++/* allow no more than 5 "chained" compression steps */ ++#define MAX_ENCODE_STACK 5 ++ + /* Set-up the unencoding stack from the Content-Encoding header value. + * See RFC 7231 section 3.1.2.2. */ + CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; ++ int counter = 0; + + do { + const char *name; +@@ -1065,6 +1069,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + ++ if(++counter >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to %u content encodings", ++ counter); ++ return CURLE_BAD_CONTENT_ENCODING; ++ } + /* Stack the unencoding stage. */ + writer = new_unencoding_writer(data, encoding, k->writer_stack); + if(!writer) +-- +2.35.3 + + +From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:29:07 +0200 +Subject: [PATCH 2/2] test387: verify rejection of compression chain attack + +Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test387 | 53 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 54 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test387 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 98d5516..9b5f4fb 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -61,7 +61,7 @@ test334 test335 test336 test337 test338 test339 test340 test341 test342 \ + test343 test344 test345 test346 test347 test348 test349 test350 test351 \ + test352 test353 test354 test355 test356 test357 test358 test359 test360 \ + test361 test362 test363 test364 test365 test366 \ +-\ ++test387 \ + test392 test393 test394 test395 test396 test397 \ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ +diff --git a/tests/data/test387 b/tests/data/test387 +new file mode 100644 +index 0000000..015ec25 +--- /dev/null ++++ b/tests/data/test387 +@@ -0,0 +1,53 @@ ++ ++ ++ ++HTTP ++gzip ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Response with overly long compression chain ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++ ++61 ++ ++ ++curl: (61) Reject response due to 5 content encodings ++ ++ ++ +-- +2.35.3 + diff --git a/curl.spec b/curl.spec index 4b36f34..b576b82 100644 --- a/curl.spec +++ b/curl.spec @@ -28,6 +28,9 @@ Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch # fix FTP-KRB bad message verification (CVE-2022-32208) Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch +# fix HTTP compression denial of service (CVE-2022-32206) +Patch11: 0011-curl-7.82.0-CVE-2022-32206.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -207,6 +210,7 @@ be installed. %patch5 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 # Fedora patches %patch101 -p1 @@ -393,6 +397,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Jun 29 2022 Kamil Dudka - 7.79.1-5 +- fix HTTP compression denial of service (CVE-2022-32206) - fix FTP-KRB bad message verification (CVE-2022-32208) * Wed May 11 2022 Kamil Dudka - 7.79.1-4 From 1c4e2d9f3cdf2937623e81cb03ca83af83036e8a Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 29 Jun 2022 11:05:48 +0200 Subject: [PATCH 11/17] Resolves: CVE-2022-32205 - fix Set-Cookie denial of service --- 0012-curl-7.82.0-CVE-2022-32205.patch | 740 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 745 insertions(+) create mode 100644 0012-curl-7.82.0-CVE-2022-32205.patch diff --git a/0012-curl-7.82.0-CVE-2022-32205.patch b/0012-curl-7.82.0-CVE-2022-32205.patch new file mode 100644 index 0000000..ead7bf9 --- /dev/null +++ b/0012-curl-7.82.0-CVE-2022-32205.patch @@ -0,0 +1,740 @@ +From 64ecb3818ca335ce79ef539e962ee5d02f6fb365 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 26 Jun 2022 11:00:48 +0200 +Subject: [PATCH 1/3] cookie: apply limits + +- Send no more than 150 cookies per request +- Cap the max length used for a cookie: header to 8K +- Cap the max number of received Set-Cookie: headers to 50 + +Bug: https://curl.se/docs/CVE-2022-32205.html +CVE-2022-32205 +Reported-by: Harry Sintonen +Closes #9048 + +Upstream-commit: 48d7064a49148f03942380967da739dcde1cdc24 +Signed-off-by: Kamil Dudka +--- + lib/cookie.c | 14 ++++++++++++-- + lib/cookie.h | 21 +++++++++++++++++++-- + lib/http.c | 13 +++++++++++-- + lib/urldata.h | 1 + + 4 files changed, 43 insertions(+), 6 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 1b8c8f9..8a6aa1a 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -469,6 +469,10 @@ Curl_cookie_add(struct Curl_easy *data, + (void)data; + #endif + ++ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */ ++ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT) ++ return NULL; ++ + /* First, alloc and init a new struct for it */ + co = calloc(1, sizeof(struct Cookie)); + if(!co) +@@ -808,7 +812,7 @@ Curl_cookie_add(struct Curl_easy *data, + freecookie(co); + return NULL; + } +- ++ data->req.setcookies++; + } + else { + /* +@@ -1346,7 +1350,8 @@ static struct Cookie *dup_cookie(struct Cookie *src) + * + * It shall only return cookies that haven't expired. + */ +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, + const char *host, const char *path, + bool secure) + { +@@ -1401,6 +1406,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, + mainco = newco; + + matches++; ++ if(matches >= MAX_COOKIE_SEND_AMOUNT) { ++ infof(data, "Included max number of cookies (%u) in request!", ++ matches); ++ break; ++ } + } + else + goto fail; +diff --git a/lib/cookie.h b/lib/cookie.h +index 0ffe08e..7411980 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -81,10 +81,26 @@ struct CookieInfo { + */ + #define MAX_COOKIE_LINE 5000 + +-/* This is the maximum length of a cookie name or content we deal with: */ ++/* Maximum length of an incoming cookie name or content we deal with. Longer ++ cookies are ignored. */ + #define MAX_NAME 4096 + #define MAX_NAME_TXT "4095" + ++/* Maximum size for an outgoing cookie line libcurl will use in an http ++ request. This is the default maximum length used in some versions of Apache ++ httpd. */ ++#define MAX_COOKIE_HEADER_LEN 8190 ++ ++/* Maximum number of cookies libcurl will send in a single request, even if ++ there might be more cookies that match. One reason to cap the number is to ++ keep the maximum HTTP request within the maximum allowed size. */ ++#define MAX_COOKIE_SEND_AMOUNT 150 ++ ++/* Maximum number of Set-Cookie: lines accepted in a single response. If more ++ such header lines are received, they are ignored. This value must be less ++ than 256 since an unsigned char is used to count. */ ++#define MAX_SET_COOKIE_AMOUNT 50 ++ + struct Curl_easy; + /* + * Add a cookie to the internal list of cookies. The domain and path arguments +@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data, + const char *domain, const char *path, + bool secure); + +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, const char *host, + const char *path, bool secure); + void Curl_cookie_freelist(struct Cookie *cookies); + void Curl_cookie_clearall(struct CookieInfo *cookies); +diff --git a/lib/http.c b/lib/http.c +index 4433824..2c8b0c4 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2707,12 +2707,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + } + + #if !defined(CURL_DISABLE_COOKIES) ++ + CURLcode Curl_http_cookies(struct Curl_easy *data, + struct connectdata *conn, + struct dynbuf *r) + { + CURLcode result = CURLE_OK; + char *addcookies = NULL; ++ bool linecap = FALSE; + if(data->set.str[STRING_COOKIE] && !Curl_checkheaders(data, "Cookie")) + addcookies = data->set.str[STRING_COOKIE]; + +@@ -2729,7 +2731,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + !strcmp(host, "127.0.0.1") || + !strcmp(host, "[::1]") ? TRUE : FALSE; + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); +- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path, ++ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path, + secure_context); + Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); + } +@@ -2743,6 +2745,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + if(result) + break; + } ++ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >= ++ MAX_COOKIE_HEADER_LEN) { ++ infof(data, "Restricted outgoing cookies due to header size, " ++ "'%s' not sent", co->name); ++ linecap = TRUE; ++ break; ++ } + result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"", + co->name, co->value); + if(result) +@@ -2753,7 +2762,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + } + Curl_cookie_freelist(store); + } +- if(addcookies && !result) { ++ if(addcookies && !result && !linecap) { + if(!count) + result = Curl_dyn_add(r, "Cookie: "); + if(!result) { +diff --git a/lib/urldata.h b/lib/urldata.h +index e006495..54faf7d 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -705,6 +705,7 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata *doh; /* DoH specific data for this request */ + #endif ++ unsigned char setcookies; + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +-- +2.35.3 + + +From 2aa646531df114b99d19b33071ff53cebbd689ce Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 26 Jun 2022 11:01:01 +0200 +Subject: [PATCH 2/3] test442/443: test cookie caps + +442 - verify that only 150 cookies are sent +443 - verify that the cookie: header remains less than 8K in size + +Upstream-commit: ff2b2bcf687572d173688832f0913a43de1a2bf8 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 + + tests/data/test442 | 209 ++++++++++++++++++++++++++++++++++++++++ + tests/data/test443 | 78 +++++++++++++++ + 3 files changed, 289 insertions(+) + create mode 100644 tests/data/test442 + create mode 100644 tests/data/test443 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 9b5f4fb..fe04fee 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -69,6 +69,8 @@ test409 test410 \ + \ + test430 test431 test432 test433 test434 test435 \ + \ ++test442 test443 \ ++\ + test490 test491 test492 test493 test494 \ + \ + test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +diff --git a/tests/data/test442 b/tests/data/test442 +new file mode 100644 +index 0000000..1b00d20 +--- /dev/null ++++ b/tests/data/test442 +@@ -0,0 +1,209 @@ ++# perl: ++# ++# for(1 .. 151) { ++# print join("\t", ++# "attack.invalid", "TRUE", "/", "FALSE", "0", ++# "name$_", "could-be-large-$_")."\n"; ++# } ++# ++ ++ ++ ++HTTP ++cookies ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Send capped huge number of matching cookies ++ ++ ++http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -b log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP -L ++ ++ ++attack.invalid TRUE / FALSE 0 name1 could-be-large-1 ++attack.invalid TRUE / FALSE 0 name2 could-be-large-2 ++attack.invalid TRUE / FALSE 0 name3 could-be-large-3 ++attack.invalid TRUE / FALSE 0 name4 could-be-large-4 ++attack.invalid TRUE / FALSE 0 name5 could-be-large-5 ++attack.invalid TRUE / FALSE 0 name6 could-be-large-6 ++attack.invalid TRUE / FALSE 0 name7 could-be-large-7 ++attack.invalid TRUE / FALSE 0 name8 could-be-large-8 ++attack.invalid TRUE / FALSE 0 name9 could-be-large-9 ++attack.invalid TRUE / FALSE 0 name10 could-be-large-10 ++attack.invalid TRUE / FALSE 0 name11 could-be-large-11 ++attack.invalid TRUE / FALSE 0 name12 could-be-large-12 ++attack.invalid TRUE / FALSE 0 name13 could-be-large-13 ++attack.invalid TRUE / FALSE 0 name14 could-be-large-14 ++attack.invalid TRUE / FALSE 0 name15 could-be-large-15 ++attack.invalid TRUE / FALSE 0 name16 could-be-large-16 ++attack.invalid TRUE / FALSE 0 name17 could-be-large-17 ++attack.invalid TRUE / FALSE 0 name18 could-be-large-18 ++attack.invalid TRUE / FALSE 0 name19 could-be-large-19 ++attack.invalid TRUE / FALSE 0 name20 could-be-large-20 ++attack.invalid TRUE / FALSE 0 name21 could-be-large-21 ++attack.invalid TRUE / FALSE 0 name22 could-be-large-22 ++attack.invalid TRUE / FALSE 0 name23 could-be-large-23 ++attack.invalid TRUE / FALSE 0 name24 could-be-large-24 ++attack.invalid TRUE / FALSE 0 name25 could-be-large-25 ++attack.invalid TRUE / FALSE 0 name26 could-be-large-26 ++attack.invalid TRUE / FALSE 0 name27 could-be-large-27 ++attack.invalid TRUE / FALSE 0 name28 could-be-large-28 ++attack.invalid TRUE / FALSE 0 name29 could-be-large-29 ++attack.invalid TRUE / FALSE 0 name30 could-be-large-30 ++attack.invalid TRUE / FALSE 0 name31 could-be-large-31 ++attack.invalid TRUE / FALSE 0 name32 could-be-large-32 ++attack.invalid TRUE / FALSE 0 name33 could-be-large-33 ++attack.invalid TRUE / FALSE 0 name34 could-be-large-34 ++attack.invalid TRUE / FALSE 0 name35 could-be-large-35 ++attack.invalid TRUE / FALSE 0 name36 could-be-large-36 ++attack.invalid TRUE / FALSE 0 name37 could-be-large-37 ++attack.invalid TRUE / FALSE 0 name38 could-be-large-38 ++attack.invalid TRUE / FALSE 0 name39 could-be-large-39 ++attack.invalid TRUE / FALSE 0 name40 could-be-large-40 ++attack.invalid TRUE / FALSE 0 name41 could-be-large-41 ++attack.invalid TRUE / FALSE 0 name42 could-be-large-42 ++attack.invalid TRUE / FALSE 0 name43 could-be-large-43 ++attack.invalid TRUE / FALSE 0 name44 could-be-large-44 ++attack.invalid TRUE / FALSE 0 name45 could-be-large-45 ++attack.invalid TRUE / FALSE 0 name46 could-be-large-46 ++attack.invalid TRUE / FALSE 0 name47 could-be-large-47 ++attack.invalid TRUE / FALSE 0 name48 could-be-large-48 ++attack.invalid TRUE / FALSE 0 name49 could-be-large-49 ++attack.invalid TRUE / FALSE 0 name50 could-be-large-50 ++attack.invalid TRUE / FALSE 0 name51 could-be-large-51 ++attack.invalid TRUE / FALSE 0 name52 could-be-large-52 ++attack.invalid TRUE / FALSE 0 name53 could-be-large-53 ++attack.invalid TRUE / FALSE 0 name54 could-be-large-54 ++attack.invalid TRUE / FALSE 0 name55 could-be-large-55 ++attack.invalid TRUE / FALSE 0 name56 could-be-large-56 ++attack.invalid TRUE / FALSE 0 name57 could-be-large-57 ++attack.invalid TRUE / FALSE 0 name58 could-be-large-58 ++attack.invalid TRUE / FALSE 0 name59 could-be-large-59 ++attack.invalid TRUE / FALSE 0 name60 could-be-large-60 ++attack.invalid TRUE / FALSE 0 name61 could-be-large-61 ++attack.invalid TRUE / FALSE 0 name62 could-be-large-62 ++attack.invalid TRUE / FALSE 0 name63 could-be-large-63 ++attack.invalid TRUE / FALSE 0 name64 could-be-large-64 ++attack.invalid TRUE / FALSE 0 name65 could-be-large-65 ++attack.invalid TRUE / FALSE 0 name66 could-be-large-66 ++attack.invalid TRUE / FALSE 0 name67 could-be-large-67 ++attack.invalid TRUE / FALSE 0 name68 could-be-large-68 ++attack.invalid TRUE / FALSE 0 name69 could-be-large-69 ++attack.invalid TRUE / FALSE 0 name70 could-be-large-70 ++attack.invalid TRUE / FALSE 0 name71 could-be-large-71 ++attack.invalid TRUE / FALSE 0 name72 could-be-large-72 ++attack.invalid TRUE / FALSE 0 name73 could-be-large-73 ++attack.invalid TRUE / FALSE 0 name74 could-be-large-74 ++attack.invalid TRUE / FALSE 0 name75 could-be-large-75 ++attack.invalid TRUE / FALSE 0 name76 could-be-large-76 ++attack.invalid TRUE / FALSE 0 name77 could-be-large-77 ++attack.invalid TRUE / FALSE 0 name78 could-be-large-78 ++attack.invalid TRUE / FALSE 0 name79 could-be-large-79 ++attack.invalid TRUE / FALSE 0 name80 could-be-large-80 ++attack.invalid TRUE / FALSE 0 name81 could-be-large-81 ++attack.invalid TRUE / FALSE 0 name82 could-be-large-82 ++attack.invalid TRUE / FALSE 0 name83 could-be-large-83 ++attack.invalid TRUE / FALSE 0 name84 could-be-large-84 ++attack.invalid TRUE / FALSE 0 name85 could-be-large-85 ++attack.invalid TRUE / FALSE 0 name86 could-be-large-86 ++attack.invalid TRUE / FALSE 0 name87 could-be-large-87 ++attack.invalid TRUE / FALSE 0 name88 could-be-large-88 ++attack.invalid TRUE / FALSE 0 name89 could-be-large-89 ++attack.invalid TRUE / FALSE 0 name90 could-be-large-90 ++attack.invalid TRUE / FALSE 0 name91 could-be-large-91 ++attack.invalid TRUE / FALSE 0 name92 could-be-large-92 ++attack.invalid TRUE / FALSE 0 name93 could-be-large-93 ++attack.invalid TRUE / FALSE 0 name94 could-be-large-94 ++attack.invalid TRUE / FALSE 0 name95 could-be-large-95 ++attack.invalid TRUE / FALSE 0 name96 could-be-large-96 ++attack.invalid TRUE / FALSE 0 name97 could-be-large-97 ++attack.invalid TRUE / FALSE 0 name98 could-be-large-98 ++attack.invalid TRUE / FALSE 0 name99 could-be-large-99 ++attack.invalid TRUE / FALSE 0 name100 could-be-large-100 ++attack.invalid TRUE / FALSE 0 name101 could-be-large-101 ++attack.invalid TRUE / FALSE 0 name102 could-be-large-102 ++attack.invalid TRUE / FALSE 0 name103 could-be-large-103 ++attack.invalid TRUE / FALSE 0 name104 could-be-large-104 ++attack.invalid TRUE / FALSE 0 name105 could-be-large-105 ++attack.invalid TRUE / FALSE 0 name106 could-be-large-106 ++attack.invalid TRUE / FALSE 0 name107 could-be-large-107 ++attack.invalid TRUE / FALSE 0 name108 could-be-large-108 ++attack.invalid TRUE / FALSE 0 name109 could-be-large-109 ++attack.invalid TRUE / FALSE 0 name110 could-be-large-110 ++attack.invalid TRUE / FALSE 0 name111 could-be-large-111 ++attack.invalid TRUE / FALSE 0 name112 could-be-large-112 ++attack.invalid TRUE / FALSE 0 name113 could-be-large-113 ++attack.invalid TRUE / FALSE 0 name114 could-be-large-114 ++attack.invalid TRUE / FALSE 0 name115 could-be-large-115 ++attack.invalid TRUE / FALSE 0 name116 could-be-large-116 ++attack.invalid TRUE / FALSE 0 name117 could-be-large-117 ++attack.invalid TRUE / FALSE 0 name118 could-be-large-118 ++attack.invalid TRUE / FALSE 0 name119 could-be-large-119 ++attack.invalid TRUE / FALSE 0 name120 could-be-large-120 ++attack.invalid TRUE / FALSE 0 name121 could-be-large-121 ++attack.invalid TRUE / FALSE 0 name122 could-be-large-122 ++attack.invalid TRUE / FALSE 0 name123 could-be-large-123 ++attack.invalid TRUE / FALSE 0 name124 could-be-large-124 ++attack.invalid TRUE / FALSE 0 name125 could-be-large-125 ++attack.invalid TRUE / FALSE 0 name126 could-be-large-126 ++attack.invalid TRUE / FALSE 0 name127 could-be-large-127 ++attack.invalid TRUE / FALSE 0 name128 could-be-large-128 ++attack.invalid TRUE / FALSE 0 name129 could-be-large-129 ++attack.invalid TRUE / FALSE 0 name130 could-be-large-130 ++attack.invalid TRUE / FALSE 0 name131 could-be-large-131 ++attack.invalid TRUE / FALSE 0 name132 could-be-large-132 ++attack.invalid TRUE / FALSE 0 name133 could-be-large-133 ++attack.invalid TRUE / FALSE 0 name134 could-be-large-134 ++attack.invalid TRUE / FALSE 0 name135 could-be-large-135 ++attack.invalid TRUE / FALSE 0 name136 could-be-large-136 ++attack.invalid TRUE / FALSE 0 name137 could-be-large-137 ++attack.invalid TRUE / FALSE 0 name138 could-be-large-138 ++attack.invalid TRUE / FALSE 0 name139 could-be-large-139 ++attack.invalid TRUE / FALSE 0 name140 could-be-large-140 ++attack.invalid TRUE / FALSE 0 name141 could-be-large-141 ++attack.invalid TRUE / FALSE 0 name142 could-be-large-142 ++attack.invalid TRUE / FALSE 0 name143 could-be-large-143 ++attack.invalid TRUE / FALSE 0 name144 could-be-large-144 ++attack.invalid TRUE / FALSE 0 name145 could-be-large-145 ++attack.invalid TRUE / FALSE 0 name146 could-be-large-146 ++attack.invalid TRUE / FALSE 0 name147 could-be-large-147 ++attack.invalid TRUE / FALSE 0 name148 could-be-large-148 ++attack.invalid TRUE / FALSE 0 name149 could-be-large-149 ++attack.invalid TRUE / FALSE 0 name150 could-be-large-150 ++attack.invalid TRUE / FALSE 0 name151 could-be-large-151 ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /a/b/%TESTNUMBER HTTP/1.1 ++Host: attack.invalid:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++Cookie: name150=could-be-large-150; name149=could-be-large-149; name148=could-be-large-148; name147=could-be-large-147; name146=could-be-large-146; name145=could-be-large-145; name144=could-be-large-144; name143=could-be-large-143; name142=could-be-large-142; name141=could-be-large-141; name140=could-be-large-140; name139=could-be-large-139; name138=could-be-large-138; name137=could-be-large-137; name136=could-be-large-136; name135=could-be-large-135; name134=could-be-large-134; name133=could-be-large-133; name132=could-be-large-132; name131=could-be-large-131; name130=could-be-large-130; name129=could-be-large-129; name128=could-be-large-128; name127=could-be-large-127; name126=could-be-large-126; name125=could-be-large-125; name124=could-be-large-124; name123=could-be-large-123; name122=could-be-large-122; name121=could-be-large-121; name120=could-be-large-120; name119=could-be-large-119; name118=could-be-large-118; name117=could-be-large-117; name116=could-be-large-116; name115=could-be-large-115; name114=could-be-large-114; name113=could-be-large-113; name112=could-be-large-112; name111=could-be-large-111; name110=could-be-large-110; name109=could-be-large-109; name108=could-be-large-108; name107=could-be-large-107; name106=could-be-large-106; name105=could-be-large-105; name104=could-be-large-104; name103=could-be-large-103; name102=could-be-large-102; name101=could-be-large-101; name100=could-be-large-100; name99=could-be-large-99; name98=could-be-large-98; name97=could-be-large-97; name96=could-be-large-96; name95=could-be-large-95; name94=could-be-large-94; name93=could-be-large-93; name92=could-be-large-92; name91=could-be-large-91; name90=could-be-large-90; name89=could-be-large-89; name88=could-be-large-88; name87=could-be-large-87; name86=could-be-large-86; name85=could-be-large-85; name84=could-be-large-84; name83=could-be-large-83; name82=could-be-large-82; name81=could-be-large-81; name80=could-be-large-80; name79=could-be-large-79; name78=could-be-large-78; name77=could-be-large-77; name76=could-be-large-76; name75=could-be-large-75; name74=could-be-large-74; name73=could-be-large-73; name72=could-be-large-72; name71=could-be-large-71; name70=could-be-large-70; name69=could-be-large-69; name68=could-be-large-68; name67=could-be-large-67; name66=could-be-large-66; name65=could-be-large-65; name64=could-be-large-64; name63=could-be-large-63; name62=could-be-large-62; name61=could-be-large-61; name60=could-be-large-60; name59=could-be-large-59; name58=could-be-large-58; name57=could-be-large-57; name56=could-be-large-56; name55=could-be-large-55; name54=could-be-large-54; name53=could-be-large-53; name52=could-be-large-52; name51=could-be-large-51; name50=could-be-large-50; name49=could-be-large-49; name48=could-be-large-48; name47=could-be-large-47; name46=could-be-large-46; name45=could-be-large-45; name44=could-be-large-44; name43=could-be-large-43; name42=could-be-large-42; name41=could-be-large-41; name40=could-be-large-40; name39=could-be-large-39; name38=could-be-large-38; name37=could-be-large-37; name36=could-be-large-36; name35=could-be-large-35; name34=could-be-large-34; name33=could-be-large-33; name32=could-be-large-32; name31=could-be-large-31; name30=could-be-large-30; name29=could-be-large-29; name28=could-be-large-28; name27=could-be-large-27; name26=could-be-large-26; name25=could-be-large-25; name24=could-be-large-24; name23=could-be-large-23; name22=could-be-large-22; name21=could-be-large-21; name20=could-be-large-20; name19=could-be-large-19; name18=could-be-large-18; name17=could-be-large-17; name16=could-be-large-16; name15=could-be-large-15; name14=could-be-large-14; name13=could-be-large-13; name12=could-be-large-12; name11=could-be-large-11; name10=could-be-large-10; name9=could-be-large-9; name8=could-be-large-8; name7=could-be-large-7; name6=could-be-large-6; name5=could-be-large-5; name4=could-be-large-4; name3=could-be-large-3; name2=could-be-large-2; name1=could-be-large-1 ++ ++ ++ ++ +diff --git a/tests/data/test443 b/tests/data/test443 +new file mode 100644 +index 0000000..996b1d3 +--- /dev/null ++++ b/tests/data/test443 +@@ -0,0 +1,78 @@ ++# perl: ++# ++#for(1 .. 20) { ++# print join("\t", ++# "attack.invalid", "TRUE", "/", "FALSE", "0", ++# "huge-$_", ('a' x 500)."-$_")."\n"; ++#} ++# ++ ++ ++ ++HTTP ++cookies ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Cookie header in request no longer than 8K ++ ++ ++http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -b log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP -L ++ ++ ++attack.invalid TRUE / FALSE 0 huge-1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-1 ++attack.invalid TRUE / FALSE 0 huge-2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-2 ++attack.invalid TRUE / FALSE 0 huge-3 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-3 ++attack.invalid TRUE / FALSE 0 huge-4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-4 ++attack.invalid TRUE / FALSE 0 huge-5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-5 ++attack.invalid TRUE / FALSE 0 huge-6 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-6 ++attack.invalid TRUE / FALSE 0 huge-7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-7 ++attack.invalid TRUE / FALSE 0 huge-8 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-8 ++attack.invalid TRUE / FALSE 0 huge-9 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-9 ++attack.invalid TRUE / FALSE 0 huge-10 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-10 ++attack.invalid TRUE / FALSE 0 huge-11 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-11 ++attack.invalid TRUE / FALSE 0 huge-12 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-12 ++attack.invalid TRUE / FALSE 0 huge-13 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-13 ++attack.invalid TRUE / FALSE 0 huge-14 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-14 ++attack.invalid TRUE / FALSE 0 huge-15 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-15 ++attack.invalid TRUE / FALSE 0 huge-16 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-16 ++attack.invalid TRUE / FALSE 0 huge-17 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-17 ++attack.invalid TRUE / FALSE 0 huge-18 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-18 ++attack.invalid TRUE / FALSE 0 huge-19 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-19 ++attack.invalid TRUE / FALSE 0 huge-20 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-20 ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /a/b/%TESTNUMBER HTTP/1.1 ++Host: attack.invalid:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++Cookie: huge-20=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-20; huge-19=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-19; huge-18=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-18; huge-17=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-17; huge-16=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-16; huge-15=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-15; huge-14=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-14; huge-13=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-13; huge-12=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-12; huge-11=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-11; huge-10=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-10; huge-9=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-9; huge-8=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-8; huge-7=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-7; huge-6=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-6 ++ ++ ++ ++ +-- +2.35.3 + + +From a09261fa4976562735320e4e953ca4f4c81ec452 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 26 Jun 2022 11:01:01 +0200 +Subject: [PATCH 3/3] test444: test many received Set-Cookie: + +The amount of sent cookies in the test is limited to 80 because hyper +has its own strict limits in how many headers it allows to be received +which triggers at some point beyond this number. + +Upstream-commit: 46f8911d3942dc06fdd67e9f6f3908982e5d2fb4 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test444 | 189 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 190 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test444 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index fe04fee..c38f2d2 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -69,7 +69,7 @@ test409 test410 \ + \ + test430 test431 test432 test433 test434 test435 \ + \ +-test442 test443 \ ++test442 test443 test444 \ + \ + test490 test491 test492 test493 test494 \ + \ +diff --git a/tests/data/test444 b/tests/data/test444 +new file mode 100644 +index 0000000..9bdd4a7 +--- /dev/null ++++ b/tests/data/test444 +@@ -0,0 +1,189 @@ ++# perl: ++# ++#for(1 .. 200) { ++# ++#} ++# ++ ++ ++ ++HTTP ++cookies ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++Set-Cookie: cookie-1=yes; ++Set-Cookie: cookie-2=yes; ++Set-Cookie: cookie-3=yes; ++Set-Cookie: cookie-4=yes; ++Set-Cookie: cookie-5=yes; ++Set-Cookie: cookie-6=yes; ++Set-Cookie: cookie-7=yes; ++Set-Cookie: cookie-8=yes; ++Set-Cookie: cookie-9=yes; ++Set-Cookie: cookie-10=yes; ++Set-Cookie: cookie-11=yes; ++Set-Cookie: cookie-12=yes; ++Set-Cookie: cookie-13=yes; ++Set-Cookie: cookie-14=yes; ++Set-Cookie: cookie-15=yes; ++Set-Cookie: cookie-16=yes; ++Set-Cookie: cookie-17=yes; ++Set-Cookie: cookie-18=yes; ++Set-Cookie: cookie-19=yes; ++Set-Cookie: cookie-20=yes; ++Set-Cookie: cookie-21=yes; ++Set-Cookie: cookie-22=yes; ++Set-Cookie: cookie-23=yes; ++Set-Cookie: cookie-24=yes; ++Set-Cookie: cookie-25=yes; ++Set-Cookie: cookie-26=yes; ++Set-Cookie: cookie-27=yes; ++Set-Cookie: cookie-28=yes; ++Set-Cookie: cookie-29=yes; ++Set-Cookie: cookie-30=yes; ++Set-Cookie: cookie-31=yes; ++Set-Cookie: cookie-32=yes; ++Set-Cookie: cookie-33=yes; ++Set-Cookie: cookie-34=yes; ++Set-Cookie: cookie-35=yes; ++Set-Cookie: cookie-36=yes; ++Set-Cookie: cookie-37=yes; ++Set-Cookie: cookie-38=yes; ++Set-Cookie: cookie-39=yes; ++Set-Cookie: cookie-40=yes; ++Set-Cookie: cookie-41=yes; ++Set-Cookie: cookie-42=yes; ++Set-Cookie: cookie-43=yes; ++Set-Cookie: cookie-44=yes; ++Set-Cookie: cookie-45=yes; ++Set-Cookie: cookie-46=yes; ++Set-Cookie: cookie-47=yes; ++Set-Cookie: cookie-48=yes; ++Set-Cookie: cookie-49=yes; ++Set-Cookie: cookie-50=yes; ++Set-Cookie: cookie-51=yes; ++Set-Cookie: cookie-52=yes; ++Set-Cookie: cookie-53=yes; ++Set-Cookie: cookie-54=yes; ++Set-Cookie: cookie-55=yes; ++Set-Cookie: cookie-56=yes; ++Set-Cookie: cookie-57=yes; ++Set-Cookie: cookie-58=yes; ++Set-Cookie: cookie-59=yes; ++Set-Cookie: cookie-60=yes; ++Set-Cookie: cookie-61=yes; ++Set-Cookie: cookie-62=yes; ++Set-Cookie: cookie-63=yes; ++Set-Cookie: cookie-64=yes; ++Set-Cookie: cookie-65=yes; ++Set-Cookie: cookie-66=yes; ++Set-Cookie: cookie-67=yes; ++Set-Cookie: cookie-68=yes; ++Set-Cookie: cookie-69=yes; ++Set-Cookie: cookie-70=yes; ++Set-Cookie: cookie-71=yes; ++Set-Cookie: cookie-72=yes; ++Set-Cookie: cookie-73=yes; ++Set-Cookie: cookie-74=yes; ++Set-Cookie: cookie-75=yes; ++Set-Cookie: cookie-76=yes; ++Set-Cookie: cookie-77=yes; ++Set-Cookie: cookie-78=yes; ++Set-Cookie: cookie-79=yes; ++Set-Cookie: cookie-80=yes; ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Many Set-Cookie response headers ++ ++ ++http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -c log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /a/b/%TESTNUMBER HTTP/1.1 ++Host: attack.invalid:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# Netscape HTTP Cookie File ++# https://curl.se/docs/http-cookies.html ++# This file was generated by libcurl! Edit at your own risk. ++ ++attack.invalid FALSE /a/b/ FALSE 0 cookie-50 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-49 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-48 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-47 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-46 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-45 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-44 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-43 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-42 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-41 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-40 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-39 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-38 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-37 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-36 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-35 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-34 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-33 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-32 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-31 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-30 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-29 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-28 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-27 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-26 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-25 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-24 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-23 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-22 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-21 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-20 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-19 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-18 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-17 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-16 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-15 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-14 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-13 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-12 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-11 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-10 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-9 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-8 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-7 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-6 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-5 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-4 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-3 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-2 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-1 yes ++ ++ ++ +-- +2.35.3 + diff --git a/curl.spec b/curl.spec index b576b82..1cad78c 100644 --- a/curl.spec +++ b/curl.spec @@ -31,6 +31,9 @@ Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch # fix HTTP compression denial of service (CVE-2022-32206) Patch11: 0011-curl-7.82.0-CVE-2022-32206.patch +# fix Set-Cookie denial of service (CVE-2022-32205) +Patch12: 0012-curl-7.82.0-CVE-2022-32205.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -211,6 +214,7 @@ be installed. %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 # Fedora patches %patch101 -p1 @@ -397,6 +401,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Jun 29 2022 Kamil Dudka - 7.79.1-5 +- fix Set-Cookie denial of service (CVE-2022-32205) - fix HTTP compression denial of service (CVE-2022-32206) - fix FTP-KRB bad message verification (CVE-2022-32208) From d8a70a25bf83e247a4edf1bb86cd50699ad19627 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 29 Jun 2022 11:06:56 +0200 Subject: [PATCH 12/17] Resolves: CVE-2022-32207 - fix unpreserved file permissions --- 0013-curl-7.82.0-CVE-2022-32207.patch | 428 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 433 insertions(+) create mode 100644 0013-curl-7.82.0-CVE-2022-32207.patch diff --git a/0013-curl-7.82.0-CVE-2022-32207.patch b/0013-curl-7.82.0-CVE-2022-32207.patch new file mode 100644 index 0000000..6e11cb0 --- /dev/null +++ b/0013-curl-7.82.0-CVE-2022-32207.patch @@ -0,0 +1,428 @@ +From 36b47377c2d1a8d141d1ef810102748f27384f5c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files + +Bug: https://curl.se/docs/CVE-2022-32207.html +CVE-2022-32207 +Reported-by: Harry Sintonen +Closes #9050 + +Upstream-commit: 20f9dd6bae50b7223171b17ba7798946e74f877f +Signed-off-by: Kamil Dudka +--- + CMakeLists.txt | 1 + + configure.ac | 1 + + lib/Makefile.inc | 2 + + lib/cookie.c | 19 ++----- + lib/curl_config.h.cmake | 3 ++ + lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++ + lib/fopen.h | 30 +++++++++++ + 7 files changed, 154 insertions(+), 15 deletions(-) + create mode 100644 lib/fopen.c + create mode 100644 lib/fopen.h + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index b77de6d..a0bfaad 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -1013,6 +1013,7 @@ elseif(HAVE_LIBSOCKET) + set(CMAKE_REQUIRED_LIBRARIES socket) + endif() + ++check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD) + check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME) + check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET) + check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT) +diff --git a/configure.ac b/configure.ac +index d431870..7433bb9 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3320,6 +3320,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se + + + AC_CHECK_FUNCS([fnmatch \ ++ fchmod \ + geteuid \ + getpass_r \ + getppid \ +diff --git a/lib/Makefile.inc b/lib/Makefile.inc +index e8f110f..5139b03 100644 +--- a/lib/Makefile.inc ++++ b/lib/Makefile.inc +@@ -131,6 +131,7 @@ LIB_CFILES = \ + escape.c \ + file.c \ + fileinfo.c \ ++ fopen.c \ + formdata.c \ + ftp.c \ + ftplistparser.c \ +@@ -263,6 +264,7 @@ LIB_HFILES = \ + escape.h \ + file.h \ + fileinfo.h \ ++ fopen.h \ + formdata.h \ + ftp.h \ + ftplistparser.h \ +diff --git a/lib/cookie.c b/lib/cookie.c +index 8a6aa1a..cb0c03b 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -96,8 +96,8 @@ Example set of cookies: + #include "curl_get_line.h" + #include "curl_memrchr.h" + #include "parsedate.h" +-#include "rand.h" + #include "rename.h" ++#include "fopen.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -1612,20 +1612,9 @@ static CURLcode cookie_output(struct Curl_easy *data, + use_stdout = TRUE; + } + else { +- unsigned char randsuffix[9]; +- +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return 2; +- +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) { +- error = CURLE_WRITE_ERROR; ++ error = Curl_fopen(data, filename, &out, &tempstore); ++ if(error) + goto error; +- } + } + + fputs("# Netscape HTTP Cookie File\n" +@@ -1672,7 +1661,7 @@ static CURLcode cookie_output(struct Curl_easy *data, + if(!use_stdout) { + fclose(out); + out = NULL; +- if(Curl_rename(tempstore, filename)) { ++ if(tempstore && Curl_rename(tempstore, filename)) { + unlink(tempstore); + error = CURLE_WRITE_ERROR; + goto error; +diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake +index d2a0f43..c254359 100644 +--- a/lib/curl_config.h.cmake ++++ b/lib/curl_config.h.cmake +@@ -157,6 +157,9 @@ + /* Define to 1 if you have the header file. */ + #cmakedefine HAVE_ASSERT_H 1 + ++/* Define to 1 if you have the `fchmod' function. */ ++#cmakedefine HAVE_FCHMOD 1 ++ + /* Define to 1 if you have the `basename' function. */ + #cmakedefine HAVE_BASENAME 1 + +diff --git a/lib/fopen.c b/lib/fopen.c +new file mode 100644 +index 0000000..ad3691b +--- /dev/null ++++ b/lib/fopen.c +@@ -0,0 +1,113 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "curl_setup.h" ++ ++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ ++ !defined(CURL_DISABLE_HSTS) ++ ++#ifdef HAVE_FCNTL_H ++#include ++#endif ++ ++#include "urldata.h" ++#include "rand.h" ++#include "fopen.h" ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" ++#include "memdebug.h" ++ ++/* ++ * Curl_fopen() opens a file for writing with a temp name, to be renamed ++ * to the final name when completed. If there is an existing file using this ++ * name at the time of the open, this function will clone the mode from that ++ * file. if 'tempname' is non-NULL, it needs a rename after the file is ++ * written. ++ */ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname) ++{ ++ CURLcode result = CURLE_WRITE_ERROR; ++ unsigned char randsuffix[9]; ++ char *tempstore = NULL; ++ struct_stat sb; ++ int fd = -1; ++ *tempname = NULL; ++ ++ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ /* a non-regular file, fallback to direct fopen() */ ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(*fh) ++ return CURLE_OK; ++ goto fail; ++ } ++ ++ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); ++ if(result) ++ goto fail; ++ ++ tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ if(!tempstore) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto fail; ++ } ++ ++ result = CURLE_WRITE_ERROR; ++ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600); ++ if(fd == -1) ++ goto fail; ++ ++#ifdef HAVE_FCHMOD ++ { ++ struct_stat nsb; ++ if((fstat(fd, &nsb) != -1) && ++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { ++ /* if the user and group are the same, clone the original mode */ ++ if(fchmod(fd, sb.st_mode) == -1) ++ goto fail; ++ } ++ } ++#endif ++ ++ *fh = fdopen(fd, FOPEN_WRITETEXT); ++ if(!*fh) ++ goto fail; ++ ++ *tempname = tempstore; ++ return CURLE_OK; ++ ++fail: ++ if(fd != -1) { ++ close(fd); ++ unlink(tempstore); ++ } ++ ++ free(tempstore); ++ ++ *tempname = NULL; ++ return result; ++} ++ ++#endif /* ! disabled */ +diff --git a/lib/fopen.h b/lib/fopen.h +new file mode 100644 +index 0000000..289e55f +--- /dev/null ++++ b/lib/fopen.h +@@ -0,0 +1,30 @@ ++#ifndef HEADER_CURL_FOPEN_H ++#define HEADER_CURL_FOPEN_H ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname); ++ ++#endif +-- +2.35.3 + + +From bd7af48238b058e9b46fdf2e1333b355920c341c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH 2/3] altsvc: use Curl_fopen() + +Upstream-commit: fab970a5d19c1faa2052239ec1e2602b892cbeb2 +Signed-off-by: Kamil Dudka +--- + lib/altsvc.c | 22 ++++++---------------- + 1 file changed, 6 insertions(+), 16 deletions(-) + +diff --git a/lib/altsvc.c b/lib/altsvc.c +index 242733b..4dc4078 100644 +--- a/lib/altsvc.c ++++ b/lib/altsvc.c +@@ -34,7 +34,7 @@ + #include "parsedate.h" + #include "sendf.h" + #include "warnless.h" +-#include "rand.h" ++#include "fopen.h" + #include "rename.h" + + /* The last 3 #include files should be in this order */ +@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, + struct Curl_llist_element *n; + CURLcode result = CURLE_OK; + FILE *out; +- char *tempstore; +- unsigned char randsuffix[9]; ++ char *tempstore = NULL; + + if(!altsvc) + /* no cache activated */ +@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, + /* marked as read-only, no file or zero length file name */ + return CURLE_OK; + +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return CURLE_FAILED_INIT; +- +- tempstore = aprintf("%s.%s.tmp", file, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) +- result = CURLE_WRITE_ERROR; +- else { ++ result = Curl_fopen(data, file, &out, &tempstore); ++ if(!result) { + fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n" + "# This file was generated by libcurl! Edit at your own risk.\n", + out); +@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, + break; + } + fclose(out); +- if(!result && Curl_rename(tempstore, file)) ++ if(!result && tempstore && Curl_rename(tempstore, file)) + result = CURLE_WRITE_ERROR; + +- if(result) ++ if(result && tempstore) + unlink(tempstore); + } + free(tempstore); +-- +2.35.3 + + +From 2011622a36fa715f38277422241e77e25dfdf0d0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:54 +0200 +Subject: [PATCH 3/3] hsts: use Curl_fopen() + +Upstream-commit: d64115d7bb8ae4c136b620912da523c063f1d2ee +Signed-off-by: Kamil Dudka +--- + lib/hsts.c | 22 ++++++---------------- + 1 file changed, 6 insertions(+), 16 deletions(-) + +diff --git a/lib/hsts.c b/lib/hsts.c +index b9fa6f7..9d54c82 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -35,7 +35,7 @@ + #include "sendf.h" + #include "strtoofft.h" + #include "parsedate.h" +-#include "rand.h" ++#include "fopen.h" + #include "rename.h" + #include "strtoofft.h" + +@@ -334,8 +334,7 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, + struct Curl_llist_element *n; + CURLcode result = CURLE_OK; + FILE *out; +- char *tempstore; +- unsigned char randsuffix[9]; ++ char *tempstore = NULL; + + if(!h) + /* no cache activated */ +@@ -349,17 +348,8 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, + /* marked as read-only, no file or zero length file name */ + goto skipsave; + +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return CURLE_FAILED_INIT; +- +- tempstore = aprintf("%s.%s.tmp", file, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) +- result = CURLE_WRITE_ERROR; +- else { ++ result = Curl_fopen(data, file, &out, &tempstore); ++ if(!result) { + fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n" + "# This file was generated by libcurl! Edit at your own risk.\n", + out); +@@ -371,10 +361,10 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, + break; + } + fclose(out); +- if(!result && Curl_rename(tempstore, file)) ++ if(!result && tempstore && Curl_rename(tempstore, file)) + result = CURLE_WRITE_ERROR; + +- if(result) ++ if(result && tempstore) + unlink(tempstore); + } + free(tempstore); +-- +2.35.3 + diff --git a/curl.spec b/curl.spec index 1cad78c..7a46a34 100644 --- a/curl.spec +++ b/curl.spec @@ -34,6 +34,9 @@ Patch11: 0011-curl-7.82.0-CVE-2022-32206.patch # fix Set-Cookie denial of service (CVE-2022-32205) Patch12: 0012-curl-7.82.0-CVE-2022-32205.patch +# fix unpreserved file permissions (CVE-2022-32207) +Patch13: 0013-curl-7.82.0-CVE-2022-32207.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -215,6 +218,7 @@ be installed. %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 # Fedora patches %patch101 -p1 @@ -401,6 +405,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Jun 29 2022 Kamil Dudka - 7.79.1-5 +- fix unpreserved file permissions (CVE-2022-32207) - fix Set-Cookie denial of service (CVE-2022-32205) - fix HTTP compression denial of service (CVE-2022-32206) - fix FTP-KRB bad message verification (CVE-2022-32208) From 6714934703ad1ba106796917f602d03bdd293dc0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 2 Sep 2022 10:35:00 +0200 Subject: [PATCH 13/17] Resolves: CVE-2022-35252 - control code in cookie denial of service --- 0014-curl-7.82.0-CVE-2022-35252.patch | 136 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 144 insertions(+), 1 deletion(-) create mode 100644 0014-curl-7.82.0-CVE-2022-35252.patch diff --git a/0014-curl-7.82.0-CVE-2022-35252.patch b/0014-curl-7.82.0-CVE-2022-35252.patch new file mode 100644 index 0000000..1f9ffa7 --- /dev/null +++ b/0014-curl-7.82.0-CVE-2022-35252.patch @@ -0,0 +1,136 @@ +From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH 1/2] cookie: reject cookies with "control bytes" + +Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + +Reported-by: Axel Chong + +Bug: https://curl.se/docs/CVE-2022-35252.html + +CVE-2022-35252 + +Closes #9381 + +Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3 +Signed-off-by: Kamil Dudka +--- + lib/cookie.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/lib/cookie.c b/lib/cookie.c +index cb0c03b..e0470a1 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -430,6 +430,30 @@ static bool bad_domain(const char *domain) + return !strchr(domain, '.') && !strcasecompare(domain, "localhost"); + } + ++/* ++ RFC 6265 section 4.1.1 says a server should accept this range: ++ ++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ++ ++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes ++ fine. The prime reason for filtering out control bytes is that some HTTP ++ servers return 400 for requests that contain such. ++*/ ++static int invalid_octets(const char *p) ++{ ++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ ++ static const char badoctets[] = { ++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" ++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" ++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" ++ }; ++ size_t vlen, len; ++ /* scan for all the octets that are *not* in cookie-octet */ ++ len = strcspn(p, badoctets); ++ vlen = strlen(p); ++ return (len != vlen); ++} ++ + /* + * Curl_cookie_add + * +@@ -582,6 +606,11 @@ Curl_cookie_add(struct Curl_easy *data, + badcookie = TRUE; + break; + } ++ if(invalid_octets(whatptr) || invalid_octets(name)) { ++ infof(data, "invalid octets in name/value, cookie dropped"); ++ badcookie = TRUE; ++ break; ++ } + } + else if(!len) { + /* +-- +2.37.1 + + +From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored + +Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28 +Signed-off-by: Kamil Dudka +--- + tests/data/test8 | 32 +++++++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +diff --git a/tests/data/test8 b/tests/data/test8 +index a8548e6..8587611 100644 +--- a/tests/data/test8 ++++ b/tests/data/test8 +@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want; + Set-Cookie: nocookie=yes; path=/WE; + Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad; + Set-Cookie: partialip=nono; domain=.0.0.1; ++Set-Cookie: cookie1=%hex[%01-junk]hex% ++Set-Cookie: cookie2=%hex[%02-junk]hex% ++Set-Cookie: cookie3=%hex[%03-junk]hex% ++Set-Cookie: cookie4=%hex[%04-junk]hex% ++Set-Cookie: cookie5=%hex[%05-junk]hex% ++Set-Cookie: cookie6=%hex[%06-junk]hex% ++Set-Cookie: cookie7=%hex[%07-junk]hex% ++Set-Cookie: cookie8=%hex[%08-junk]hex% ++Set-Cookie: cookie9=%hex[junk-%09-]hex% ++Set-Cookie: cookie11=%hex[%0b-junk]hex% ++Set-Cookie: cookie12=%hex[%0c-junk]hex% ++Set-Cookie: cookie14=%hex[%0e-junk]hex% ++Set-Cookie: cookie15=%hex[%0f-junk]hex% ++Set-Cookie: cookie16=%hex[%10-junk]hex% ++Set-Cookie: cookie17=%hex[%11-junk]hex% ++Set-Cookie: cookie18=%hex[%12-junk]hex% ++Set-Cookie: cookie19=%hex[%13-junk]hex% ++Set-Cookie: cookie20=%hex[%14-junk]hex% ++Set-Cookie: cookie21=%hex[%15-junk]hex% ++Set-Cookie: cookie22=%hex[%16-junk]hex% ++Set-Cookie: cookie23=%hex[%17-junk]hex% ++Set-Cookie: cookie24=%hex[%18-junk]hex% ++Set-Cookie: cookie25=%hex[%19-junk]hex% ++Set-Cookie: cookie26=%hex[%1a-junk]hex% ++Set-Cookie: cookie27=%hex[%1b-junk]hex% ++Set-Cookie: cookie28=%hex[%1c-junk]hex% ++Set-Cookie: cookie29=%hex[%1d-junk]hex% ++Set-Cookie: cookie30=%hex[%1e-junk]hex% ++Set-Cookie: cookie31=%hex[%1f-junk]hex% ++Set-Cookie: cookie31=%hex[%7f-junk]hex% + + + +@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1 + Host: %HOSTIP:%HTTPPORT + User-Agent: curl/%VERSION + Accept: */* +-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes ++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- - + + + +-- +2.37.1 + diff --git a/curl.spec b/curl.spec index 7a46a34..30274ba 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.79.1 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -37,6 +37,9 @@ Patch12: 0012-curl-7.82.0-CVE-2022-32205.patch # fix unpreserved file permissions (CVE-2022-32207) Patch13: 0013-curl-7.82.0-CVE-2022-32207.patch +# control code in cookie denial of service (CVE-2022-35252) +Patch14: 0014-curl-7.82.0-CVE-2022-35252.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -219,6 +222,7 @@ be installed. %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 # Fedora patches %patch101 -p1 @@ -404,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Sep 02 2022 Kamil Dudka - 7.79.1-6 +- control code in cookie denial of service (CVE-2022-35252) + * Wed Jun 29 2022 Kamil Dudka - 7.79.1-5 - fix unpreserved file permissions (CVE-2022-32207) - fix Set-Cookie denial of service (CVE-2022-32205) From 6addf51e1740f3385e74f41b853e3e80f436f139 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 14:44:22 +0200 Subject: [PATCH 14/17] Resolves: CVE-2022-32221 - fix POST following PUT confusion --- 0015-curl-7.82.0-CVE-2022-32221.patch | 251 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 259 insertions(+), 1 deletion(-) create mode 100644 0015-curl-7.82.0-CVE-2022-32221.patch diff --git a/0015-curl-7.82.0-CVE-2022-32221.patch b/0015-curl-7.82.0-CVE-2022-32221.patch new file mode 100644 index 0000000..19bb000 --- /dev/null +++ b/0015-curl-7.82.0-CVE-2022-32221.patch @@ -0,0 +1,251 @@ +From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:22:45 +0200 +Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field + +Reported-by: RobBotic1 on github +Fixes #9507 +Closes #9511 + +Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9 +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/setopt.c b/lib/setopt.c +index d5e3b50..b8793b4 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -630,6 +630,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; ++ data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: +-- +2.37.3 + + +From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:23:33 +0200 +Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle + +Reproduced #9507, verifies the fix + +Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 1 + + tests/data/test1948 | 73 +++++++++++++++++++++++++++++++++++ + tests/libtest/Makefile.inc | 5 +++ + tests/libtest/lib1948.c | 79 ++++++++++++++++++++++++++++++++++++++ + 4 files changed, 158 insertions(+) + create mode 100644 tests/data/test1948 + create mode 100644 tests/libtest/lib1948.c + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 818ee08..0cfab9b 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -218,6 +218,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \ + test1916 test1917 test1918 \ + \ + test1933 test1934 test1935 test1936 \ ++test1948 \ + \ + test2000 test2001 test2002 test2003 test2004 \ + \ +diff --git a/tests/data/test1948 b/tests/data/test1948 +new file mode 100644 +index 0000000..639523d +--- /dev/null ++++ b/tests/data/test1948 +@@ -0,0 +1,73 @@ ++ ++ ++ ++HTTP ++HTTP POST ++HTTP PUT ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++ ++CURLOPT_POST after CURLOPT_UPLOAD reusing handle ++ ++ ++lib%TESTNUMBER ++ ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++PUT /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Expect: 100-continue ++ ++This is test PUT data ++POST /1948 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Content-Type: application/x-www-form-urlencoded ++ ++This is test PUT data ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 83a8af4..3192eca 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -61,6 +61,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ + lib1591 lib1592 lib1593 lib1594 lib1596 \ + lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \ + lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \ ++ lib1948 \ + lib3010 + + chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \ +@@ -699,6 +700,10 @@ lib1936_SOURCES = lib1936.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1936_LDADD = $(TESTUTIL_LIBS) + lib1936_CPPFLAGS = $(AM_CPPFLAGS) + ++lib1948_SOURCES = lib1948.c $(SUPPORTFILES) ++lib1948_LDADD = $(TESTUTIL_LIBS) ++lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948 ++ + lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib3010_LDADD = $(TESTUTIL_LIBS) + lib3010_CPPFLAGS = $(AM_CPPFLAGS) +diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c +new file mode 100644 +index 0000000..7c891a2 +--- /dev/null ++++ b/tests/libtest/lib1948.c +@@ -0,0 +1,79 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "test.h" ++ ++typedef struct ++{ ++ char *buf; ++ size_t len; ++} put_buffer; ++ ++static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream) ++{ ++ put_buffer *putdata = (put_buffer *)stream; ++ size_t totalsize = size * nmemb; ++ size_t tocopy = (putdata->len < totalsize) ? putdata->len : totalsize; ++ memcpy(ptr, putdata->buf, tocopy); ++ putdata->len -= tocopy; ++ putdata->buf += tocopy; ++ return tocopy; ++} ++ ++int test(char *URL) ++{ ++ CURL *curl; ++ CURLcode res = CURLE_OUT_OF_MEMORY; ++ ++ curl_global_init(CURL_GLOBAL_DEFAULT); ++ ++ curl = curl_easy_init(); ++ if(curl) { ++ const char *testput = "This is test PUT data\n"; ++ put_buffer pbuf; ++ ++ /* PUT */ ++ curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L); ++ curl_easy_setopt(curl, CURLOPT_HEADER, 1L); ++ curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback); ++ pbuf.buf = (char *)testput; ++ pbuf.len = strlen(testput); ++ curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf); ++ curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput)); ++ res = curl_easy_setopt(curl, CURLOPT_URL, URL); ++ if(!res) ++ res = curl_easy_perform(curl); ++ if(!res) { ++ /* POST */ ++ curl_easy_setopt(curl, CURLOPT_POST, 1L); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput)); ++ res = curl_easy_perform(curl); ++ } ++ curl_easy_cleanup(curl); ++ } ++ ++ curl_global_cleanup(); ++ return (int)res; ++} +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 30274ba..d744496 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.79.1 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -40,6 +40,9 @@ Patch13: 0013-curl-7.82.0-CVE-2022-32207.patch # control code in cookie denial of service (CVE-2022-35252) Patch14: 0014-curl-7.82.0-CVE-2022-35252.patch +# fix POST following PUT confusion (CVE-2022-32221) +Patch15: 0015-curl-7.82.0-CVE-2022-32221.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -223,6 +226,7 @@ be installed. %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 # Fedora patches %patch101 -p1 @@ -408,6 +412,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 26 2022 Kamil Dudka - 7.79.1-7 +- fix POST following PUT confusion (CVE-2022-32221) + * Fri Sep 02 2022 Kamil Dudka - 7.79.1-6 - control code in cookie denial of service (CVE-2022-35252) From 09ab321254a272dd820bc851c22afefff8cfe083 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 14:53:25 +0200 Subject: [PATCH 15/17] Resolves: CVE-2022-35260 - netrc: replace fgets with Curl_get_line --- 0016-curl-7.82.0-CVE-2022-35260.patch | 76 +++++++++++++++++++++++++++ curl.spec | 5 ++ 2 files changed, 81 insertions(+) create mode 100644 0016-curl-7.82.0-CVE-2022-35260.patch diff --git a/0016-curl-7.82.0-CVE-2022-35260.patch b/0016-curl-7.82.0-CVE-2022-35260.patch new file mode 100644 index 0000000..0e969b9 --- /dev/null +++ b/0016-curl-7.82.0-CVE-2022-35260.patch @@ -0,0 +1,76 @@ +From 54dcd2334220ad965ef81130ba8ddf90b30c987c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 Oct 2022 14:37:24 +0200 +Subject: [PATCH] netrc: replace fgets with Curl_get_line + +Make the parser only accept complete lines and avoid problems with +overly long lines. + +Reported-by: Hiroki Kurosawa + +Closes #9789 + +Upstream-commit: c97ec984fb2bc919a3aa863e0476dffa377b184c +Signed-off-by: Kamil Dudka +--- + lib/curl_get_line.c | 6 +++--- + lib/netrc.c | 5 +++-- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c +index 6a26bb2..22e3705 100644 +--- a/lib/curl_get_line.c ++++ b/lib/curl_get_line.c +@@ -23,7 +23,7 @@ + #include "curl_setup.h" + + #if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ +- !defined(CURL_DISABLE_HSTS) ++ !defined(CURL_DISABLE_HSTS) || !defined(CURL_DISABLE_NETRC) + + #include "curl_get_line.h" + #include "curl_memory.h" +@@ -31,8 +31,8 @@ + #include "memdebug.h" + + /* +- * get_line() makes sure to only return complete whole lines that fit in 'len' +- * bytes and end with a newline. ++ * Curl_get_line() makes sure to only return complete whole lines that fit in ++ * 'len' bytes and end with a newline. + */ + char *Curl_get_line(char *buf, int len, FILE *input) + { +diff --git a/lib/netrc.c b/lib/netrc.c +index 62a6a10..5d17482 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -31,6 +31,7 @@ + #include "netrc.h" + #include "strtok.h" + #include "strcase.h" ++#include "curl_get_line.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -84,7 +85,7 @@ static int parsenetrc(const char *host, + char netrcbuffer[4096]; + int netrcbuffsize = (int)sizeof(netrcbuffer); + +- while(!done && fgets(netrcbuffer, netrcbuffsize, file)) { ++ while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) { + if(state == MACDEF) { + if((netrcbuffer[0] == '\n') || (netrcbuffer[0] == '\r')) + state = NOTHING; +@@ -186,7 +187,7 @@ static int parsenetrc(const char *host, + + tok = strtok_r(NULL, " \t\n", &tok_buf); + } /* while(tok) */ +- } /* while fgets() */ ++ } /* while Curl_get_line() */ + + out: + if(!retcode) { +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index d744496..3ffb297 100644 --- a/curl.spec +++ b/curl.spec @@ -43,6 +43,9 @@ Patch14: 0014-curl-7.82.0-CVE-2022-35252.patch # fix POST following PUT confusion (CVE-2022-32221) Patch15: 0015-curl-7.82.0-CVE-2022-32221.patch +# netrc: replace fgets with Curl_get_line (CVE-2022-35260) +Patch16: 0016-curl-7.82.0-CVE-2022-35260.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -227,6 +230,7 @@ be installed. %patch13 -p1 %patch14 -p1 %patch15 -p1 +%patch16 -p1 # Fedora patches %patch101 -p1 @@ -413,6 +417,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Oct 26 2022 Kamil Dudka - 7.79.1-7 +- netrc: replace fgets with Curl_get_line (CVE-2022-35260) - fix POST following PUT confusion (CVE-2022-32221) * Fri Sep 02 2022 Kamil Dudka - 7.79.1-6 From cdc881c799b9ccfd5432d5a42608184c2aa212f0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 14:58:41 +0200 Subject: [PATCH 16/17] Resolves: CVE-2022-42915 - http_proxy: restore the protocol pointer on error --- 0017-curl-7.82.0-CVE-2022-42915.patch | 152 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 157 insertions(+) create mode 100644 0017-curl-7.82.0-CVE-2022-42915.patch diff --git a/0017-curl-7.82.0-CVE-2022-42915.patch b/0017-curl-7.82.0-CVE-2022-42915.patch new file mode 100644 index 0000000..d627c94 --- /dev/null +++ b/0017-curl-7.82.0-CVE-2022-42915.patch @@ -0,0 +1,152 @@ +From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 14:13:36 +0200 +Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error + +Reported-by: Trail of Bits + +Closes #9790 + +Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89 +Signed-off-by: Kamil Dudka +--- + lib/http_proxy.c | 3 +-- + lib/url.c | 9 --------- + 2 files changed, 1 insertion(+), 11 deletions(-) + +diff --git a/lib/http_proxy.c b/lib/http_proxy.c +index 1f87f6c..cc20b3a 100644 +--- a/lib/http_proxy.c ++++ b/lib/http_proxy.c +@@ -207,9 +207,8 @@ static void connect_done(struct Curl_easy *data) + Curl_dyn_free(&s->rcvbuf); + Curl_dyn_free(&s->req); + +- /* retore the protocol pointer */ ++ /* restore the protocol pointer */ + data->req.p.http = s->prot_save; +- s->prot_save = NULL; + infof(data, "CONNECT phase completed!"); + } + } +diff --git a/lib/url.c b/lib/url.c +index bfc784f..61c99d2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -735,15 +735,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) + DEBUGASSERT(data); + infof(data, "Closing connection %ld", conn->connection_id); + +-#ifndef USE_HYPER +- if(conn->connect_state && conn->connect_state->prot_save) { +- /* If this was closed with a CONNECT in progress, cleanup this temporary +- struct arrangement */ +- data->req.p.http = NULL; +- Curl_safefree(conn->connect_state->prot_save); +- } +-#endif +- + /* possible left-overs from the async name resolvers */ + Curl_resolver_cancel(data); + +-- +2.37.3 + + +From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 14:14:25 +0200 +Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and + fix + +Upstream-commit: 038bfb8522a93328b7e65bd2b6b8387c974b9ac8 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test445 | 61 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 62 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test445 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 0cfab9b..14c1b0c 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -69,7 +69,7 @@ test409 test410 \ + \ + test430 test431 test432 test433 test434 test435 \ + \ +-test442 test443 test444 \ ++test442 test443 test444 test445 \ + \ + test490 test491 test492 test493 test494 \ + \ +diff --git a/tests/data/test445 b/tests/data/test445 +new file mode 100644 +index 0000000..0406c0f +--- /dev/null ++++ b/tests/data/test445 +@@ -0,0 +1,61 @@ ++ ++ ++ ++HTTP ++HTTP proxy ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 503 no just no ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++gopher ++dict ++http ++ftp ++imap ++ldap ++mqtt ++pop3 ++rtsp ++scp ++sftp ++smb ++smtp ++ ++ ++http-proxy ++ ++ ++Refuse tunneling protocols through HTTP proxy ++ ++ ++-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# refused in the CONNECT ++ ++56 ++ ++ ++ +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 3ffb297..720063a 100644 --- a/curl.spec +++ b/curl.spec @@ -46,6 +46,9 @@ Patch15: 0015-curl-7.82.0-CVE-2022-32221.patch # netrc: replace fgets with Curl_get_line (CVE-2022-35260) Patch16: 0016-curl-7.82.0-CVE-2022-35260.patch +# http_proxy: restore the protocol pointer on error (CVE-2022-42915) +Patch17: 0017-curl-7.82.0-CVE-2022-42915.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -231,6 +234,7 @@ be installed. %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 # Fedora patches %patch101 -p1 @@ -417,6 +421,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Oct 26 2022 Kamil Dudka - 7.79.1-7 +- http_proxy: restore the protocol pointer on error (CVE-2022-42915) - netrc: replace fgets with Curl_get_line (CVE-2022-35260) - fix POST following PUT confusion (CVE-2022-32221) From 99247b4b890d45da8d7d27897b01c10966431f91 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 15:02:16 +0200 Subject: [PATCH 17/17] Resolves: CVE-2022-42916 - url: use IDN decoded names for HSTS checks --- 0018-curl-7.82.0-CVE-2022-42916.patch | 137 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 142 insertions(+) create mode 100644 0018-curl-7.82.0-CVE-2022-42916.patch diff --git a/0018-curl-7.82.0-CVE-2022-42916.patch b/0018-curl-7.82.0-CVE-2022-42916.patch new file mode 100644 index 0000000..d383435 --- /dev/null +++ b/0018-curl-7.82.0-CVE-2022-42916.patch @@ -0,0 +1,137 @@ +From 8c1f295ec343bad073a41f62de5f4c4ddd579e41 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 12 Oct 2022 10:47:59 +0200 +Subject: [PATCH] url: use IDN decoded names for HSTS checks + +Reported-by: Hiroki Kurosawa + +Closes #9791 + +Upstream-commit: 53bcf55b4538067e6dc36242168866becb987bb7 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 91 ++++++++++++++++++++++++++++--------------------------- + 1 file changed, 47 insertions(+), 44 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 61c99d2..6426fa7 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1988,10 +1988,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + if(!strcasecompare("file", data->state.up.scheme)) + return CURLE_OUT_OF_MEMORY; + } ++ hostname = data->state.up.hostname; ++ ++ if(hostname && hostname[0] == '[') { ++ /* This looks like an IPv6 address literal. See if there is an address ++ scope. */ ++ size_t hlen; ++ conn->bits.ipv6_ip = TRUE; ++ /* cut off the brackets! */ ++ hostname++; ++ hlen = strlen(hostname); ++ hostname[hlen - 1] = 0; ++ ++ zonefrom_url(uh, data, conn); ++ } ++ ++ /* make sure the connect struct gets its own copy of the host name */ ++ conn->host.rawalloc = strdup(hostname ? hostname : ""); ++ if(!conn->host.rawalloc) ++ return CURLE_OUT_OF_MEMORY; ++ conn->host.name = conn->host.rawalloc; ++ ++ /************************************************************* ++ * IDN-convert the hostnames ++ *************************************************************/ ++ result = Curl_idnconvert_hostname(data, &conn->host); ++ if(result) ++ return result; ++ if(conn->bits.conn_to_host) { ++ result = Curl_idnconvert_hostname(data, &conn->conn_to_host); ++ if(result) ++ return result; ++ } ++#ifndef CURL_DISABLE_PROXY ++ if(conn->bits.httpproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); ++ if(result) ++ return result; ++ } ++ if(conn->bits.socksproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); ++ if(result) ++ return result; ++ } ++#endif + + #ifndef CURL_DISABLE_HSTS ++ /* HSTS upgrade */ + if(data->hsts && strcasecompare("http", data->state.up.scheme)) { +- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) { ++ /* This MUST use the IDN decoded name */ ++ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) { + char *url; + Curl_safefree(data->state.up.scheme); + uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0); +@@ -2094,26 +2140,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + + (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); + +- hostname = data->state.up.hostname; +- if(hostname && hostname[0] == '[') { +- /* This looks like an IPv6 address literal. See if there is an address +- scope. */ +- size_t hlen; +- conn->bits.ipv6_ip = TRUE; +- /* cut off the brackets! */ +- hostname++; +- hlen = strlen(hostname); +- hostname[hlen - 1] = 0; +- +- zonefrom_url(uh, data, conn); +- } +- +- /* make sure the connect struct gets its own copy of the host name */ +- conn->host.rawalloc = strdup(hostname ? hostname : ""); +- if(!conn->host.rawalloc) +- return CURLE_OUT_OF_MEMORY; +- conn->host.name = conn->host.rawalloc; +- + if(data->set.scope_id) + /* Override any scope that was set above. */ + conn->scope_id = data->set.scope_id; +@@ -3666,29 +3692,6 @@ static CURLcode create_conn(struct Curl_easy *data, + if(result) + goto out; + +- /************************************************************* +- * IDN-convert the hostnames +- *************************************************************/ +- result = Curl_idnconvert_hostname(data, &conn->host); +- if(result) +- goto out; +- if(conn->bits.conn_to_host) { +- result = Curl_idnconvert_hostname(data, &conn->conn_to_host); +- if(result) +- goto out; +- } +-#ifndef CURL_DISABLE_PROXY +- if(conn->bits.httpproxy) { +- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); +- if(result) +- goto out; +- } +- if(conn->bits.socksproxy) { +- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); +- if(result) +- goto out; +- } +-#endif + + /************************************************************* + * Check whether the host and the "connect to host" are equal. +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 720063a..ef1b0ae 100644 --- a/curl.spec +++ b/curl.spec @@ -49,6 +49,9 @@ Patch16: 0016-curl-7.82.0-CVE-2022-35260.patch # http_proxy: restore the protocol pointer on error (CVE-2022-42915) Patch17: 0017-curl-7.82.0-CVE-2022-42915.patch +# url: use IDN decoded names for HSTS checks (CVE-2022-42916) +Patch18: 0018-curl-7.82.0-CVE-2022-42916.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -235,6 +238,7 @@ be installed. %patch15 -p1 %patch16 -p1 %patch17 -p1 +%patch18 -p1 # Fedora patches %patch101 -p1 @@ -421,6 +425,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Oct 26 2022 Kamil Dudka - 7.79.1-7 +- url: use IDN decoded names for HSTS checks (CVE-2022-42916) - http_proxy: restore the protocol pointer on error (CVE-2022-42915) - netrc: replace fgets with Curl_get_line (CVE-2022-35260) - fix POST following PUT confusion (CVE-2022-32221)