From b7d7dc2a7ab1b15e9d88e4deed91098eabbc42a2 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 14:44:22 +0200 Subject: [PATCH 01/26] Resolves: CVE-2022-32221 - fix POST following PUT confusion --- 0001-curl-7.85.0-CVE-2022-32221.patch | 253 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 261 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.85.0-CVE-2022-32221.patch diff --git a/0001-curl-7.85.0-CVE-2022-32221.patch b/0001-curl-7.85.0-CVE-2022-32221.patch new file mode 100644 index 0000000..4060fea --- /dev/null +++ b/0001-curl-7.85.0-CVE-2022-32221.patch @@ -0,0 +1,253 @@ +From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:22:45 +0200 +Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field + +Reported-by: RobBotic1 on github +Fixes #9507 +Closes #9511 + +Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9 +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/setopt.c b/lib/setopt.c +index d5e3b50..b8793b4 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -696,6 +696,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; ++ data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: +-- +2.37.3 + + +From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:23:33 +0200 +Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle + +Reproduced #9507, verifies the fix + +Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test1948 | 73 +++++++++++++++++++++++++++++++++++ + tests/libtest/Makefile.inc | 6 ++- + tests/libtest/lib1948.c | 79 ++++++++++++++++++++++++++++++++++++++ + 4 files changed, 158 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1948 + create mode 100644 tests/libtest/lib1948.c + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 818ee08..0cfab9b 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -224,7 +224,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \ + test1916 test1917 test1918 test1919 \ + \ + test1933 test1934 test1935 test1936 test1937 test1938 test1939 test1940 \ +-test1941 test1942 test1943 test1944 test1945 test1946 \ ++test1941 test1942 test1943 test1944 test1945 test1946 test1948 \ + \ + test2000 test2001 test2002 test2003 test2004 \ + \ +diff --git a/tests/data/test1948 b/tests/data/test1948 +new file mode 100644 +index 0000000..639523d +--- /dev/null ++++ b/tests/data/test1948 +@@ -0,0 +1,73 @@ ++ ++ ++ ++HTTP ++HTTP POST ++HTTP PUT ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++ ++CURLOPT_POST after CURLOPT_UPLOAD reusing handle ++ ++ ++lib%TESTNUMBER ++ ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++PUT /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Expect: 100-continue ++ ++This is test PUT data ++POST /1948 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Content-Type: application/x-www-form-urlencoded ++ ++This is test PUT data ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 83a8af4..3192eca 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -64,7 +64,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ + lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \ + lib1915 lib1916 lib1917 lib1918 lib1919 \ + lib1933 lib1934 lib1935 lib1936 lib1937 lib1938 lib1939 lib1940 \ +- lib1945 lib1946 \ ++ lib1945 lib1946 lib1948 \ + lib3010 lib3025 lib3026 + + chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \ +@@ -748,6 +748,10 @@ lib1946_SOURCES = lib1940.c $(SUPPORTFILES) + lib1946_LDADD = $(TESTUTIL_LIBS) + lib1946_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1946 + ++lib1948_SOURCES = lib1948.c $(SUPPORTFILES) ++lib1948_LDADD = $(TESTUTIL_LIBS) ++lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948 ++ + lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib3010_LDADD = $(TESTUTIL_LIBS) + lib3010_CPPFLAGS = $(AM_CPPFLAGS) +diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c +new file mode 100644 +index 0000000..7c891a2 +--- /dev/null ++++ b/tests/libtest/lib1948.c +@@ -0,0 +1,79 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "test.h" ++ ++typedef struct ++{ ++ char *buf; ++ size_t len; ++} put_buffer; ++ ++static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream) ++{ ++ put_buffer *putdata = (put_buffer *)stream; ++ size_t totalsize = size * nmemb; ++ size_t tocopy = (putdata->len < totalsize) ? putdata->len : totalsize; ++ memcpy(ptr, putdata->buf, tocopy); ++ putdata->len -= tocopy; ++ putdata->buf += tocopy; ++ return tocopy; ++} ++ ++int test(char *URL) ++{ ++ CURL *curl; ++ CURLcode res = CURLE_OUT_OF_MEMORY; ++ ++ curl_global_init(CURL_GLOBAL_DEFAULT); ++ ++ curl = curl_easy_init(); ++ if(curl) { ++ const char *testput = "This is test PUT data\n"; ++ put_buffer pbuf; ++ ++ /* PUT */ ++ curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L); ++ curl_easy_setopt(curl, CURLOPT_HEADER, 1L); ++ curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback); ++ pbuf.buf = (char *)testput; ++ pbuf.len = strlen(testput); ++ curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf); ++ curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput)); ++ res = curl_easy_setopt(curl, CURLOPT_URL, URL); ++ if(!res) ++ res = curl_easy_perform(curl); ++ if(!res) { ++ /* POST */ ++ curl_easy_setopt(curl, CURLOPT_POST, 1L); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput)); ++ res = curl_easy_perform(curl); ++ } ++ curl_easy_cleanup(curl); ++ } ++ ++ curl_global_cleanup(); ++ return (int)res; ++} +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 6625b13..0394245 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.85.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# fix POST following PUT confusion (CVE-2022-32221) +Patch1: 0001-curl-7.85.0-CVE-2022-32221.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -188,6 +191,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -421,6 +425,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 26 2022 Kamil Dudka - 7.85.0-2 +- fix POST following PUT confusion (CVE-2022-32221) + * Thu Sep 01 2022 Kamil Dudka - 7.85.0-1 - new upstream release, which fixes the following vulnerability CVE-2022-35252 - control code in cookie denial of service From 58e84257fd816029e95533205c7854d120126831 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 14:53:25 +0200 Subject: [PATCH 02/26] Resolves: CVE-2022-35260 - netrc: replace fgets with Curl_get_line --- 0002-curl-7.85.0-CVE-2022-35260.patch | 76 +++++++++++++++++++++++++++ curl.spec | 5 ++ 2 files changed, 81 insertions(+) create mode 100644 0002-curl-7.85.0-CVE-2022-35260.patch diff --git a/0002-curl-7.85.0-CVE-2022-35260.patch b/0002-curl-7.85.0-CVE-2022-35260.patch new file mode 100644 index 0000000..f8bdcf7 --- /dev/null +++ b/0002-curl-7.85.0-CVE-2022-35260.patch @@ -0,0 +1,76 @@ +From 54dcd2334220ad965ef81130ba8ddf90b30c987c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 Oct 2022 14:37:24 +0200 +Subject: [PATCH] netrc: replace fgets with Curl_get_line + +Make the parser only accept complete lines and avoid problems with +overly long lines. + +Reported-by: Hiroki Kurosawa + +Closes #9789 + +Upstream-commit: c97ec984fb2bc919a3aa863e0476dffa377b184c +Signed-off-by: Kamil Dudka +--- + lib/curl_get_line.c | 6 +++--- + lib/netrc.c | 5 +++-- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c +index 6a26bb2..22e3705 100644 +--- a/lib/curl_get_line.c ++++ b/lib/curl_get_line.c +@@ -25,7 +25,7 @@ + #include "curl_setup.h" + + #if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ +- !defined(CURL_DISABLE_HSTS) ++ !defined(CURL_DISABLE_HSTS) || !defined(CURL_DISABLE_NETRC) + + #include "curl_get_line.h" + #include "curl_memory.h" +@@ -33,8 +33,8 @@ + #include "memdebug.h" + + /* +- * get_line() makes sure to only return complete whole lines that fit in 'len' +- * bytes and end with a newline. ++ * Curl_get_line() makes sure to only return complete whole lines that fit in ++ * 'len' bytes and end with a newline. + */ + char *Curl_get_line(char *buf, int len, FILE *input) + { +diff --git a/lib/netrc.c b/lib/netrc.c +index 62a6a10..5d17482 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -33,6 +33,7 @@ + #include "netrc.h" + #include "strtok.h" + #include "strcase.h" ++#include "curl_get_line.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -84,7 +85,7 @@ static int parsenetrc(const char *host, + char netrcbuffer[4096]; + int netrcbuffsize = (int)sizeof(netrcbuffer); + +- while(!done && fgets(netrcbuffer, netrcbuffsize, file)) { ++ while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) { + char *tok; + char *tok_end; + bool quoted; +@@ -243,7 +244,7 @@ static int parsenetrc(const char *host, + } /* switch (state) */ + tok = ++tok_end; + } +- } /* while fgets() */ ++ } /* while Curl_get_line() */ + + out: + if(!retcode) { +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 0394245..1f5c6e9 100644 --- a/curl.spec +++ b/curl.spec @@ -13,6 +13,9 @@ Source2: mykey.asc # fix POST following PUT confusion (CVE-2022-32221) Patch1: 0001-curl-7.85.0-CVE-2022-32221.patch +# netrc: replace fgets with Curl_get_line (CVE-2022-35260) +Patch2: 0002-curl-7.85.0-CVE-2022-35260.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -192,6 +195,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -426,6 +430,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Oct 26 2022 Kamil Dudka - 7.85.0-2 +- netrc: replace fgets with Curl_get_line (CVE-2022-35260) - fix POST following PUT confusion (CVE-2022-32221) * Thu Sep 01 2022 Kamil Dudka - 7.85.0-1 From e5b8be4130c7177b7529d200383892da1e605b4a Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 14:58:41 +0200 Subject: [PATCH 03/26] Resolves: CVE-2022-42915 - http_proxy: restore the protocol pointer on error --- 0003-curl-7.85.0-CVE-2022-42915.patch | 154 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 159 insertions(+) create mode 100644 0003-curl-7.85.0-CVE-2022-42915.patch diff --git a/0003-curl-7.85.0-CVE-2022-42915.patch b/0003-curl-7.85.0-CVE-2022-42915.patch new file mode 100644 index 0000000..08653f1 --- /dev/null +++ b/0003-curl-7.85.0-CVE-2022-42915.patch @@ -0,0 +1,154 @@ +From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 14:13:36 +0200 +Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error + +Reported-by: Trail of Bits + +Closes #9790 + +Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89 +Signed-off-by: Kamil Dudka +--- + lib/http_proxy.c | 6 ++---- + lib/url.c | 9 --------- + 2 files changed, 2 insertions(+), 13 deletions(-) + +diff --git a/lib/http_proxy.c b/lib/http_proxy.c +index 1f87f6c..cc20b3a 100644 +--- a/lib/http_proxy.c ++++ b/lib/http_proxy.c +@@ -212,10 +212,8 @@ void Curl_connect_done(struct Curl_easy *data) + Curl_dyn_free(&s->rcvbuf); + Curl_dyn_free(&s->req); + +- /* restore the protocol pointer, if not already done */ +- if(s->prot_save) +- data->req.p.http = s->prot_save; +- s->prot_save = NULL; ++ /* restore the protocol pointer */ ++ data->req.p.http = s->prot_save; + data->info.httpcode = 0; /* clear it as it might've been used for the + proxy */ + data->req.ignorebody = FALSE; +diff --git a/lib/url.c b/lib/url.c +index bfc784f..61c99d2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -746,15 +746,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) + DEBUGASSERT(data); + infof(data, "Closing connection %ld", conn->connection_id); + +-#ifndef USE_HYPER +- if(conn->connect_state && conn->connect_state->prot_save) { +- /* If this was closed with a CONNECT in progress, cleanup this temporary +- struct arrangement */ +- data->req.p.http = NULL; +- Curl_safefree(conn->connect_state->prot_save); +- } +-#endif +- + /* possible left-overs from the async name resolvers */ + Curl_resolver_cancel(data); + +-- +2.37.3 + + +From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 14:14:25 +0200 +Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and + fix + +Upstream-commit: 038bfb8522a93328b7e65bd2b6b8387c974b9ac8 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test445 | 61 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 62 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test445 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 0cfab9b..14c1b0c 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -71,7 +71,7 @@ test408 test409 test410 test411 test412 test413 test414 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +-test440 test441 test442 test443 test444 \ ++test440 test441 test442 test443 test444 test445 \ + \ + test490 test491 test492 test493 test494 \ + \ +diff --git a/tests/data/test445 b/tests/data/test445 +new file mode 100644 +index 0000000..0406c0f +--- /dev/null ++++ b/tests/data/test445 +@@ -0,0 +1,61 @@ ++ ++ ++ ++HTTP ++HTTP proxy ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 503 no just no ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++gopher ++dict ++http ++ftp ++imap ++ldap ++mqtt ++pop3 ++rtsp ++scp ++sftp ++smb ++smtp ++ ++ ++http-proxy ++ ++ ++Refuse tunneling protocols through HTTP proxy ++ ++ ++-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# refused in the CONNECT ++ ++56 ++ ++ ++ +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 1f5c6e9..68c3749 100644 --- a/curl.spec +++ b/curl.spec @@ -16,6 +16,9 @@ Patch1: 0001-curl-7.85.0-CVE-2022-32221.patch # netrc: replace fgets with Curl_get_line (CVE-2022-35260) Patch2: 0002-curl-7.85.0-CVE-2022-35260.patch +# http_proxy: restore the protocol pointer on error (CVE-2022-42915) +Patch3: 0003-curl-7.85.0-CVE-2022-42915.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -196,6 +199,7 @@ be installed. # upstream patches %patch1 -p1 %patch2 -p1 +%patch3 -p1 # Fedora patches %patch101 -p1 @@ -430,6 +434,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Oct 26 2022 Kamil Dudka - 7.85.0-2 +- http_proxy: restore the protocol pointer on error (CVE-2022-42915) - netrc: replace fgets with Curl_get_line (CVE-2022-35260) - fix POST following PUT confusion (CVE-2022-32221) From be756f3365ad749974618579dfd32dfbf644a53b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 15:02:16 +0200 Subject: [PATCH 04/26] Resolves: CVE-2022-42916 - url: use IDN decoded names for HSTS checks --- 0004-curl-7.85.0-CVE-2022-42916.patch | 137 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 142 insertions(+) create mode 100644 0004-curl-7.85.0-CVE-2022-42916.patch diff --git a/0004-curl-7.85.0-CVE-2022-42916.patch b/0004-curl-7.85.0-CVE-2022-42916.patch new file mode 100644 index 0000000..98642cb --- /dev/null +++ b/0004-curl-7.85.0-CVE-2022-42916.patch @@ -0,0 +1,137 @@ +From 8c1f295ec343bad073a41f62de5f4c4ddd579e41 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 12 Oct 2022 10:47:59 +0200 +Subject: [PATCH] url: use IDN decoded names for HSTS checks + +Reported-by: Hiroki Kurosawa + +Closes #9791 + +Upstream-commit: 53bcf55b4538067e6dc36242168866becb987bb7 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 91 ++++++++++++++++++++++++++++--------------------------- + 1 file changed, 47 insertions(+), 44 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 61c99d2..6426fa7 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2024,10 +2024,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + failf(data, "Too long host name (maximum is %d)", MAX_URL_LEN); + return CURLE_URL_MALFORMAT; + } ++ hostname = data->state.up.hostname; ++ ++ if(hostname && hostname[0] == '[') { ++ /* This looks like an IPv6 address literal. See if there is an address ++ scope. */ ++ size_t hlen; ++ conn->bits.ipv6_ip = TRUE; ++ /* cut off the brackets! */ ++ hostname++; ++ hlen = strlen(hostname); ++ hostname[hlen - 1] = 0; ++ ++ zonefrom_url(uh, data, conn); ++ } ++ ++ /* make sure the connect struct gets its own copy of the host name */ ++ conn->host.rawalloc = strdup(hostname ? hostname : ""); ++ if(!conn->host.rawalloc) ++ return CURLE_OUT_OF_MEMORY; ++ conn->host.name = conn->host.rawalloc; ++ ++ /************************************************************* ++ * IDN-convert the hostnames ++ *************************************************************/ ++ result = Curl_idnconvert_hostname(data, &conn->host); ++ if(result) ++ return result; ++ if(conn->bits.conn_to_host) { ++ result = Curl_idnconvert_hostname(data, &conn->conn_to_host); ++ if(result) ++ return result; ++ } ++#ifndef CURL_DISABLE_PROXY ++ if(conn->bits.httpproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); ++ if(result) ++ return result; ++ } ++ if(conn->bits.socksproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); ++ if(result) ++ return result; ++ } ++#endif + + #ifndef CURL_DISABLE_HSTS ++ /* HSTS upgrade */ + if(data->hsts && strcasecompare("http", data->state.up.scheme)) { +- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) { ++ /* This MUST use the IDN decoded name */ ++ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) { + char *url; + Curl_safefree(data->state.up.scheme); + uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0); +@@ -2133,26 +2179,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + + (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); + +- hostname = data->state.up.hostname; +- if(hostname && hostname[0] == '[') { +- /* This looks like an IPv6 address literal. See if there is an address +- scope. */ +- size_t hlen; +- conn->bits.ipv6_ip = TRUE; +- /* cut off the brackets! */ +- hostname++; +- hlen = strlen(hostname); +- hostname[hlen - 1] = 0; +- +- zonefrom_url(uh, data, conn); +- } +- +- /* make sure the connect struct gets its own copy of the host name */ +- conn->host.rawalloc = strdup(hostname ? hostname : ""); +- if(!conn->host.rawalloc) +- return CURLE_OUT_OF_MEMORY; +- conn->host.name = conn->host.rawalloc; +- + #ifdef ENABLE_IPV6 + if(data->set.scope_id) + /* Override any scope that was set above. */ +@@ -3781,29 +3807,6 @@ static CURLcode create_conn(struct Curl_easy *data, + if(result) + goto out; + +- /************************************************************* +- * IDN-convert the hostnames +- *************************************************************/ +- result = Curl_idnconvert_hostname(data, &conn->host); +- if(result) +- goto out; +- if(conn->bits.conn_to_host) { +- result = Curl_idnconvert_hostname(data, &conn->conn_to_host); +- if(result) +- goto out; +- } +-#ifndef CURL_DISABLE_PROXY +- if(conn->bits.httpproxy) { +- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); +- if(result) +- goto out; +- } +- if(conn->bits.socksproxy) { +- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); +- if(result) +- goto out; +- } +-#endif + + /************************************************************* + * Check whether the host and the "connect to host" are equal. +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 68c3749..76ea100 100644 --- a/curl.spec +++ b/curl.spec @@ -19,6 +19,9 @@ Patch2: 0002-curl-7.85.0-CVE-2022-35260.patch # http_proxy: restore the protocol pointer on error (CVE-2022-42915) Patch3: 0003-curl-7.85.0-CVE-2022-42915.patch +# url: use IDN decoded names for HSTS checks (CVE-2022-42916) +Patch4: 0004-curl-7.85.0-CVE-2022-42916.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -200,6 +203,7 @@ be installed. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 # Fedora patches %patch101 -p1 @@ -434,6 +438,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Oct 26 2022 Kamil Dudka - 7.85.0-2 +- url: use IDN decoded names for HSTS checks (CVE-2022-42916) - http_proxy: restore the protocol pointer on error (CVE-2022-42915) - netrc: replace fgets with Curl_get_line (CVE-2022-35260) - fix POST following PUT confusion (CVE-2022-32221) From 667e37e0a332795175e2b87e3320ecd199e9e1b1 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 21 Nov 2022 14:21:29 +0100 Subject: [PATCH 05/26] Resolves: #2144277 - http2: make nghttp2 less picky about field whitespace --- 0005-curl-7.85.0-http2-whitespace.patch | 66 +++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 0005-curl-7.85.0-http2-whitespace.patch diff --git a/0005-curl-7.85.0-http2-whitespace.patch b/0005-curl-7.85.0-http2-whitespace.patch new file mode 100644 index 0000000..c6e90de --- /dev/null +++ b/0005-curl-7.85.0-http2-whitespace.patch @@ -0,0 +1,66 @@ +From a1eaad81dc6c8d1e562b685d3136f24aeb12dcb4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 7 Sep 2022 15:41:03 +0200 +Subject: [PATCH] http2: make nghttp2 less picky about field whitespace + +In nghttp2 1.49.0 it returns error on leading and trailing whitespace in +header fields according to language in the recently shipped RFC 9113. + +nghttp2 1.50.0 introduces an option to switch off this strict check and +this change enables this option by default which should make curl behave +more similar to how it did with nghttp2 1.48.0 and earlier. + +We might want to consider making this an option in the future. + +Closes #9448 + +Upstream-commit: eafc2b14ac9e40377168b46cab3f1d90c3f32f45 +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/lib/http2.c b/lib/http2.c +index f6364d0..3a70528 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -1277,6 +1277,27 @@ void Curl_http2_done(struct Curl_easy *data, bool premature) + } + } + ++static int client_new(struct connectdata *conn, ++ nghttp2_session_callbacks *callbacks) ++{ ++#if NGHTTP2_VERSION_NUM < 0x013200 ++ /* before 1.50.0 */ ++ return nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn); ++#else ++ nghttp2_option *o; ++ int rc = nghttp2_option_new(&o); ++ if(rc) ++ return rc; ++ /* turn off RFC 9113 leading and trailing white spaces validation against ++ HTTP field value. */ ++ nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation(o, 1); ++ rc = nghttp2_session_client_new2(&conn->proto.httpc.h2, callbacks, conn, ++ o); ++ nghttp2_option_del(o); ++ return rc; ++#endif ++} ++ + /* + * Initialize nghttp2 for a Curl connection + */ +@@ -1317,7 +1338,7 @@ static CURLcode http2_init(struct Curl_easy *data, struct connectdata *conn) + nghttp2_session_callbacks_set_error_callback(callbacks, error_callback); + + /* The nghttp2 session is not yet setup, do it */ +- rc = nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn); ++ rc = client_new(conn, callbacks); + + nghttp2_session_callbacks_del(callbacks); + +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 76ea100..38772fb 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.85.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -22,6 +22,9 @@ Patch3: 0003-curl-7.85.0-CVE-2022-42915.patch # url: use IDN decoded names for HSTS checks (CVE-2022-42916) Patch4: 0004-curl-7.85.0-CVE-2022-42916.patch +# http2: make nghttp2 less picky about field whitespace (#2144277) +Patch5: 0005-curl-7.85.0-http2-whitespace.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -204,6 +207,7 @@ be installed. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 # Fedora patches %patch101 -p1 @@ -437,6 +441,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Nov 21 2022 Kamil Dudka - 7.85.0-3 +- http2: make nghttp2 less picky about field whitespace (#2144277) + * Wed Oct 26 2022 Kamil Dudka - 7.85.0-2 - url: use IDN decoded names for HSTS checks (CVE-2022-42916) - http_proxy: restore the protocol pointer on error (CVE-2022-42915) From c484960a5347f235fe73463d1681bc40d65c8e03 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 24 Nov 2022 16:25:47 +0100 Subject: [PATCH 06/26] Related: #2144277 - enforce versioned libnghttp2 dependency for libcurl --- curl.spec | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 38772fb..d93c695 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.85.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -116,6 +116,10 @@ BuildRequires: stunnel # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} +# require at least the version of libnghttp2 that we were built against, +# to ensure that we have the necessary symbols available (#2144277) +%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) @@ -139,6 +143,7 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} @@ -184,6 +189,7 @@ be installed. %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl = %{version}-%{release} Provides: libcurl%{?_isa} = %{version}-%{release} @@ -441,6 +447,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 24 2022 Kamil Dudka - 7.85.0-4 +- enforce versioned libnghttp2 dependency for libcurl (#2144277) + * Mon Nov 21 2022 Kamil Dudka - 7.85.0-3 - http2: make nghttp2 less picky about field whitespace (#2144277) From d005afd54c8208750838486b1d7d140554ab65f1 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Dec 2022 15:26:26 +0100 Subject: [PATCH 07/26] Resolves: CVE-2022-43551 - http: use the IDN decoded name in HSTS checks --- 0020-curl-7.85.0-CVE-2022-43551.patch | 35 +++++++++++++++++++++++++++ curl.spec | 9 ++++++- 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 0020-curl-7.85.0-CVE-2022-43551.patch diff --git a/0020-curl-7.85.0-CVE-2022-43551.patch b/0020-curl-7.85.0-CVE-2022-43551.patch new file mode 100644 index 0000000..dbcf98b --- /dev/null +++ b/0020-curl-7.85.0-CVE-2022-43551.patch @@ -0,0 +1,35 @@ +From 3fe91ee75b9f663b7a303ef14e07e28184d1450c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:36:55 +0100 +Subject: [PATCH] http: use the IDN decoded name in HSTS checks + +Otherwise it stores the info HSTS into the persistent cache for the IDN +name which will not match when the HSTS status is later checked for +using the decoded name. + +Reported-by: Hiroki Kurosawa + +Closes #10111 + +Upstream-commit: 9e71901634e276dd050481c4320f046bebb1bc28 +Signed-off-by: Kamil Dudka +--- + lib/http.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/http.c b/lib/http.c +index b0ad28e..8b18e8d 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -3654,7 +3654,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, + else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) && + (conn->handler->flags & PROTOPT_SSL)) { + CURLcode check = +- Curl_hsts_parse(data->hsts, data->state.up.hostname, ++ Curl_hsts_parse(data->hsts, conn->host.name, + headp + strlen("Strict-Transport-Security:")); + if(check) + infof(data, "Illegal STS header skipped"); +-- +2.38.1 + diff --git a/curl.spec b/curl.spec index d93c695..01f684b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.85.0 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,9 @@ Patch4: 0004-curl-7.85.0-CVE-2022-42916.patch # http2: make nghttp2 less picky about field whitespace (#2144277) Patch5: 0005-curl-7.85.0-http2-whitespace.patch +# http: use the IDN decoded name in HSTS checks (CVE-2022-43551) +Patch20: 0020-curl-7.85.0-CVE-2022-43551.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -214,6 +217,7 @@ be installed. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch20 -p1 # Fedora patches %patch101 -p1 @@ -447,6 +451,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 21 2022 Kamil Dudka - 7.85.0-5 +- http: use the IDN decoded name in HSTS checks (CVE-2022-43551) + * Thu Nov 24 2022 Kamil Dudka - 7.85.0-4 - enforce versioned libnghttp2 dependency for libcurl (#2144277) From baf15ab7ea59a8758643e201ab6a8dd545f712a2 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Dec 2022 15:31:04 +0100 Subject: [PATCH 08/26] Resolves: CVE-2022-43552 - smb/telnet: fix use-after-free when HTTP proxy denies tunnel --- 0021-curl-7.85.0-CVE-2022-43552.patch | 81 +++++++++++++++++++++++++++ curl.spec | 5 ++ 2 files changed, 86 insertions(+) create mode 100644 0021-curl-7.85.0-CVE-2022-43552.patch diff --git a/0021-curl-7.85.0-CVE-2022-43552.patch b/0021-curl-7.85.0-CVE-2022-43552.patch new file mode 100644 index 0000000..3548d14 --- /dev/null +++ b/0021-curl-7.85.0-CVE-2022-43552.patch @@ -0,0 +1,81 @@ +From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 + +Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2 +Signed-off-by: Kamil Dudka +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 039d680..f682c1f 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -62,8 +62,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, +@@ -78,7 +76,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -105,7 +103,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -941,14 +939,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { +diff --git a/lib/telnet.c b/lib/telnet.c +index 923c7f8..48cd0d7 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + +-- +2.38.1 + diff --git a/curl.spec b/curl.spec index 01f684b..4d8485a 100644 --- a/curl.spec +++ b/curl.spec @@ -28,6 +28,9 @@ Patch5: 0005-curl-7.85.0-http2-whitespace.patch # http: use the IDN decoded name in HSTS checks (CVE-2022-43551) Patch20: 0020-curl-7.85.0-CVE-2022-43551.patch +# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) +Patch21: 0021-curl-7.85.0-CVE-2022-43552.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -218,6 +221,7 @@ be installed. %patch4 -p1 %patch5 -p1 %patch20 -p1 +%patch21 -p1 # Fedora patches %patch101 -p1 @@ -452,6 +456,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Dec 21 2022 Kamil Dudka - 7.85.0-5 +- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) - http: use the IDN decoded name in HSTS checks (CVE-2022-43551) * Thu Nov 24 2022 Kamil Dudka - 7.85.0-4 From 14b5d9ee060f52e6a299b96a98e3778856d57bd9 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 14:51:53 +0100 Subject: [PATCH 09/26] share HSTS between handles Resolves: CVE-2023-23915 - HSTS amnesia with --parallel Resolves: CVE-2023-23914 - HSTS ignored on multiple requests --- 0006-curl-7.85.0-hsts-CVEs.patch | 843 +++++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 851 insertions(+), 1 deletion(-) create mode 100644 0006-curl-7.85.0-hsts-CVEs.patch diff --git a/0006-curl-7.85.0-hsts-CVEs.patch b/0006-curl-7.85.0-hsts-CVEs.patch new file mode 100644 index 0000000..6e208c2 --- /dev/null +++ b/0006-curl-7.85.0-hsts-CVEs.patch @@ -0,0 +1,843 @@ +From fcd651bcfe1982f55e591d47521f509a2ee98975 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 1 Dec 2022 09:21:04 +0100 +Subject: [PATCH 1/6] runtests: do CRLF replacements per section only + +The `crlf="yes"` attribute and "hyper mode" are now only applied on a +subset of dedicated sections: data, datacheck, stdout and protocol. + +Updated test 2500 accordingly. + +Also made test1 use crlf="yes" for , mostly because it is +often used as a template test case. Going forward, using this attribute +we should be able to write test cases using linefeeds only and avoid +mixed line ending encodings. + +Follow-up to ca15b7512e8d11 + +Fixes #10009 +Closes #10010 + +Upstream-commit: 2f34a7347f315513bfda9ef14770d287fb246bcd +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT.md | 22 ++++++++++++++------ + tests/data/test1 | 14 ++++++------- + tests/runtests.pl | 49 +++++++++++++++++++++++++++++++++++++++++---- + 3 files changed, 68 insertions(+), 17 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index dc1092b..159a3cf 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -195,7 +195,7 @@ When using curl built with Hyper, the keywords must include HTTP or HTTPS for + 'hyper mode' to kick in and make line ending checks work for tests. + ## `` + +-### `` ++### `` + + data to be sent to the client on its request and later verified that it + arrived safely. Set `nocheck="yes"` to prevent the test script from verifying +@@ -224,12 +224,16 @@ and used as "raw" data. + `nonewline=yes` means that the last byte (the trailing newline character) + should be cut off from the data before sending or comparing it. + ++`crlf=yes` forces *header* newlines to become CRLF even if not written so in ++the source file. Note that this makes runtests.pl parse and "guess" what is a ++header and what is not in order to apply the CRLF line endings appropriately. ++ + For FTP file listings, the `` section will be used *only* if you make + sure that there has been a CWD done first to a directory named `test-[num]` + where [num] is the test case number. Otherwise the ftp server can't know from + which test file to load the list content. + +-### `` ++### `` + + Send back this contents instead of the one. The num is set by: + +@@ -256,7 +260,7 @@ a connect prefix. + ### `` + Address type and address details as logged by the SOCKS proxy. + +-### `` ++### `` + if the data is sent but this is what should be checked afterwards. If + `nonewline=yes` is set, runtests will cut off the trailing newline from the + data before comparing with the one actually received by the client. +@@ -264,7 +268,7 @@ data before comparing with the one actually received by the client. + Use the `mode="text"` attribute if the output is in text mode on platforms + that have a text/binary difference. + +-### `` ++### `` + The contents of numbered datacheck sections are appended to the non-numbered + one. + +@@ -549,13 +553,16 @@ changing protocol data such as port numbers or user-agent strings. + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `` ++### `` + + the protocol dump curl should transmit, if 'nonewline' is set, we will cut off + the trailing newline of this given data before comparing with the one actually + sent by the client The `` and `` rules are applied before + comparisons are made. + ++`crlf=yes` forces the newlines to become CRLF even if not written so in the ++test. ++ + ### `` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy +@@ -572,7 +579,7 @@ have a text/binary difference. + If 'nonewline' is set, we will cut off the trailing newline of this given data + before comparing with the one actually received by the client + +-### `` ++### `` + This verifies that this data was passed to stdout. + + Use the mode="text" attribute if the output is in text mode on platforms that +@@ -581,6 +588,9 @@ have a text/binary difference. + If 'nonewline' is set, we will cut off the trailing newline of this given data + before comparing with the one actually received by the client + ++`crlf=yes` forces the newlines to become CRLF even if not written so in the ++test. ++ + ### `` + The file's contents must be identical to this after the test is complete. Use + the mode="text" attribute if the output is in text mode on platforms that have +diff --git a/tests/data/test1 b/tests/data/test1 +index f39a08b..700bed8 100644 +--- a/tests/data/test1 ++++ b/tests/data/test1 +@@ -9,7 +9,7 @@ HTTP GET + # + # Server-side + +- ++ + HTTP/1.1 200 OK + Date: Tue, 09 Nov 2010 14:49:00 GMT + Server: test-server/fake +@@ -42,12 +42,12 @@ http://%HOSTIP:%HTTPPORT/%TESTNUMBER + # + # Verify data after the test has been "shot" + +- +-GET /%TESTNUMBER HTTP/1.1 +-Host: %HOSTIP:%HTTPPORT +-User-Agent: curl/%VERSION +-Accept: */* +- ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ + + + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 7eeabfc..88fc799 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -3501,7 +3501,13 @@ sub subBase64 { + + my $prevupdate; + sub subNewlines { +- my ($thing) = @_; ++ my ($force, $thing) = @_; ++ ++ if($force) { ++ # enforce CRLF newline ++ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; ++ return; ++ } + + # When curl is built with Hyper, it gets all response headers delivered as + # name/value pairs and curl "invents" the newlines when it saves the +@@ -3515,7 +3521,7 @@ sub subNewlines { + # skip curl error messages + ($$thing !~ /^curl: \(\d+\) /))) { + # enforce CRLF newline +- $$thing =~ s/\x0a/\x0d\x0a/; ++ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; + $prevupdate = 1; + } + else { +@@ -3587,6 +3593,7 @@ sub prepro { + my (@entiretest) = @_; + my $show = 1; + my @out; ++ my $data_crlf; + for my $s (@entiretest) { + my $f = $s; + if($s =~ /^ *%if (.*)/) { +@@ -3610,10 +3617,19 @@ sub prepro { + next; + } + if($show) { ++ # The processor does CRLF replacements in the sections if ++ # necessary since those parts might be read by separate servers. ++ if($s =~ /^ */) { ++ if($1 =~ /crlf="yes"/ || $has_hyper) { ++ $data_crlf = 1; ++ } ++ } ++ elsif(($s =~ /^ *<\/data/) && $data_crlf) { ++ $data_crlf = 0; ++ } + subVariables(\$s, $testnum, "%"); + subBase64(\$s); +- subNewlines(\$s) if($has_hyper && ($keywords{"HTTP"} || +- $keywords{"HTTPS"})); ++ subNewlines(0, \$s) if($data_crlf); + push @out, $s; + } + } +@@ -3929,6 +3945,11 @@ sub singletest { + # of the datacheck + chomp($replycheckpart[$#replycheckpart]); + } ++ if($replycheckpartattr{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @replycheckpart; ++ } + push(@reply, @replycheckpart); + } + } +@@ -3950,6 +3971,11 @@ sub singletest { + map s/\r\n/\n/g, @reply; + map s/\n/\r\n/g, @reply; + } ++ if($replyattr{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @reply; ++ } + } + + # this is the valid protocol blurb curl should generate +@@ -4406,6 +4432,12 @@ sub singletest { + chomp($validstdout[$#validstdout]); + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @validstdout; ++ } ++ + $res = compare($testnum, $testname, "stdout", \@actual, \@validstdout); + if($res) { + return $errorreturncode; +@@ -4506,6 +4538,10 @@ sub singletest { + } + } + ++ if($hash{'crlf'}) { ++ map subNewlines(1, \$_), @protstrip; ++ } ++ + if((!$out[0] || ($out[0] eq "")) && $protstrip[0]) { + logmsg "\n $testnum: protocol FAILED!\n". + " There was no content at all in the file $SERVERIN.\n". +@@ -4637,6 +4673,11 @@ sub singletest { + map s/\r\n/\n/g, @outfile; + map s/\n/\r\n/g, @outfile; + } ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @outfile; ++ } + + my $strip; + for $strip (@stripfile) { +-- +2.39.1 + + +From 117fce3d4fe11c36a20403cd4d6850e5b8771b41 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:20 +0100 +Subject: [PATCH 2/6] share: add sharing of HSTS cache among handles + +Closes #10138 + +Upstream-commit: 076a2f629119222aeeb50f5a03bf9f9052fabb9a +Signed-off-by: Kamil Dudka +--- + docs/libcurl/opts/CURLSHOPT_SHARE.3 | 4 +++ + docs/libcurl/symbols-in-versions | 1 + + include/curl/curl.h | 1 + + lib/hsts.c | 15 +++++++++ + lib/hsts.h | 2 ++ + lib/setopt.c | 48 ++++++++++++++++++++++++----- + lib/share.c | 32 +++++++++++++++++-- + lib/share.h | 6 +++- + lib/transfer.c | 3 ++ + lib/url.c | 6 +++- + lib/urldata.h | 2 ++ + 11 files changed, 109 insertions(+), 11 deletions(-) + +diff --git a/docs/libcurl/opts/CURLSHOPT_SHARE.3 b/docs/libcurl/opts/CURLSHOPT_SHARE.3 +index 92783b6..b15af82 100644 +--- a/docs/libcurl/opts/CURLSHOPT_SHARE.3 ++++ b/docs/libcurl/opts/CURLSHOPT_SHARE.3 +@@ -79,6 +79,10 @@ Added in 7.61.0. + + Note that when you use the multi interface, all easy handles added to the same + multi handle will share PSL cache by default without using this option. ++.IP CURL_LOCK_DATA_HSTS ++The in-memory HSTS cache. ++ ++Added in 7.88.0 + .SH PROTOCOLS + All + .SH EXAMPLE +diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 5ee245d..41fffc3 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -67,6 +67,7 @@ CURL_LOCK_ACCESS_SINGLE 7.10.3 + CURL_LOCK_DATA_CONNECT 7.10.3 + CURL_LOCK_DATA_COOKIE 7.10.3 + CURL_LOCK_DATA_DNS 7.10.3 ++CURL_LOCK_DATA_HSTS 7.88.0 + CURL_LOCK_DATA_NONE 7.10.3 + CURL_LOCK_DATA_PSL 7.61.0 + CURL_LOCK_DATA_SHARE 7.10.4 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 139df99..5758e3b 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -2882,6 +2882,7 @@ typedef enum { + CURL_LOCK_DATA_SSL_SESSION, + CURL_LOCK_DATA_CONNECT, + CURL_LOCK_DATA_PSL, ++ CURL_LOCK_DATA_HSTS, + CURL_LOCK_DATA_LAST + } curl_lock_data; + +diff --git a/lib/hsts.c b/lib/hsts.c +index c449120..339237b 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -39,6 +39,7 @@ + #include "parsedate.h" + #include "fopen.h" + #include "rename.h" ++#include "share.h" + #include "strtoofft.h" + + /* The last 3 #include files should be in this order */ +@@ -552,4 +553,18 @@ CURLcode Curl_hsts_loadcb(struct Curl_easy *data, struct hsts *h) + return CURLE_OK; + } + ++void Curl_hsts_loadfiles(struct Curl_easy *data) ++{ ++ struct curl_slist *l = data->set.hstslist; ++ if(l) { ++ Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE); ++ ++ while(l) { ++ (void)Curl_hsts_loadfile(data, data->hsts, l->data); ++ l = l->next; ++ } ++ Curl_share_unlock(data, CURL_LOCK_DATA_HSTS); ++ } ++} ++ + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ +diff --git a/lib/hsts.h b/lib/hsts.h +index 0e36a77..3da7574 100644 +--- a/lib/hsts.h ++++ b/lib/hsts.h +@@ -59,9 +59,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_easy *data, + struct hsts *h, const char *file); + CURLcode Curl_hsts_loadcb(struct Curl_easy *data, + struct hsts *h); ++void Curl_hsts_loadfiles(struct Curl_easy *data); + #else + #define Curl_hsts_cleanup(x) + #define Curl_hsts_loadcb(x,y) CURLE_OK + #define Curl_hsts_save(x,y,z) ++#define Curl_hsts_loadfiles(x) + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ + #endif /* HEADER_CURL_HSTS_H */ +diff --git a/lib/setopt.c b/lib/setopt.c +index b77e95b..f71a606 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2283,9 +2283,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + data->cookies = NULL; + #endif + ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts == data->hsts) ++ data->hsts = NULL; ++#endif ++#ifdef USE_SSL + if(data->share->sslsession == data->state.session) + data->state.session = NULL; +- ++#endif + #ifdef USE_LIBPSL + if(data->psl == &data->share->psl) + data->psl = data->multi? &data->multi->psl: NULL; +@@ -2319,10 +2324,19 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + data->cookies = data->share->cookies; + } + #endif /* CURL_DISABLE_HTTP */ ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts) { ++ /* first free the private one if any */ ++ Curl_hsts_cleanup(&data->hsts); ++ data->hsts = data->share->hsts; ++ } ++#endif /* CURL_DISABLE_HTTP */ ++#ifdef USE_SSL + if(data->share->sslsession) { + data->set.general_ssl.max_ssl_sessions = data->share->max_ssl_sessions; + data->state.session = data->share->sslsession; + } ++#endif + #ifdef USE_LIBPSL + if(data->share->specifier & (1 << CURL_LOCK_DATA_PSL)) + data->psl = &data->share->psl; +@@ -3071,19 +3085,39 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case CURLOPT_HSTSWRITEDATA: + data->set.hsts_write_userp = va_arg(param, void *); + break; +- case CURLOPT_HSTS: ++ case CURLOPT_HSTS: { ++ struct curl_slist *h; + if(!data->hsts) { + data->hsts = Curl_hsts_init(); + if(!data->hsts) + return CURLE_OUT_OF_MEMORY; + } + argptr = va_arg(param, char *); +- result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); +- if(result) +- return result; +- if(argptr) +- (void)Curl_hsts_loadfile(data, data->hsts, argptr); ++ if(argptr) { ++ result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); ++ if(result) ++ return result; ++ /* this needs to build a list of file names to read from, so that it can ++ read them later, as we might get a shared HSTS handle to load them ++ into */ ++ h = curl_slist_append(data->set.hstslist, argptr); ++ if(!h) { ++ curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ return CURLE_OUT_OF_MEMORY; ++ } ++ data->set.hstslist = h; /* store the list for later use */ ++ } ++ else { ++ /* clear the list of HSTS files */ ++ curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ if(!data->share || !data->share->hsts) ++ /* throw away the HSTS cache unless shared */ ++ Curl_hsts_cleanup(&data->hsts); ++ } + break; ++ } + case CURLOPT_HSTS_CTRL: + arg = va_arg(param, long); + if(arg & CURLHSTS_ENABLE) { +diff --git a/lib/share.c b/lib/share.c +index 1a083e7..69ee00b 100644 +--- a/lib/share.c ++++ b/lib/share.c +@@ -29,9 +29,11 @@ + #include "share.h" + #include "psl.h" + #include "vtls/vtls.h" +-#include "curl_memory.h" ++#include "hsts.h" + +-/* The last #include file should be: */ ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" + #include "memdebug.h" + + struct Curl_share * +@@ -89,6 +91,18 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...) + #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(!share->hsts) { ++ share->hsts = Curl_hsts_init(); ++ if(!share->hsts) ++ res = CURLSHE_NOMEM; ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + if(!share->sslsession) { +@@ -141,6 +155,16 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...) + #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(share->hsts) { ++ Curl_hsts_cleanup(&share->hsts); ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + Curl_safefree(share->sslsession); +@@ -207,6 +231,10 @@ curl_share_cleanup(struct Curl_share *share) + Curl_cookie_cleanup(share->cookies); + #endif + ++#ifndef CURL_DISABLE_HSTS ++ Curl_hsts_cleanup(&share->hsts); ++#endif ++ + #ifdef USE_SSL + if(share->sslsession) { + size_t i; +diff --git a/lib/share.h b/lib/share.h +index 32be416..2449730 100644 +--- a/lib/share.h ++++ b/lib/share.h +@@ -59,10 +59,14 @@ struct Curl_share { + #ifdef USE_LIBPSL + struct PslCache psl; + #endif +- ++#ifndef CURL_DISABLE_HSTS ++ struct hsts *hsts; ++#endif ++#ifdef USE_SSL + struct Curl_ssl_session *sslsession; + size_t max_ssl_sessions; + long sessionage; ++#endif + }; + + CURLSHcode Curl_share_lock(struct Curl_easy *, curl_lock_data, +diff --git a/lib/transfer.c b/lib/transfer.c +index ba0410f..d433117 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1469,6 +1469,9 @@ CURLcode Curl_pretransfer(struct Curl_easy *data) + if(data->state.resolve) + result = Curl_loadhostpairs(data); + ++ /* If there is a list of hsts files to read */ ++ Curl_hsts_loadfiles(data); ++ + if(!result) { + /* Allow data->set.use_port to set which port to use. This needs to be + * disabled for example when we follow Location: headers to URLs using +diff --git a/lib/url.c b/lib/url.c +index 3ab63a0..831ae06 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -435,7 +435,11 @@ CURLcode Curl_close(struct Curl_easy **datap) + Curl_altsvc_save(data, data->asi, data->set.str[STRING_ALTSVC]); + Curl_altsvc_cleanup(&data->asi); + Curl_hsts_save(data, data->hsts, data->set.str[STRING_HSTS]); +- Curl_hsts_cleanup(&data->hsts); ++#ifndef CURL_DISABLE_HSTS ++ if(!data->share || !data->share->hsts) ++ Curl_hsts_cleanup(&data->hsts); ++ curl_slist_free_all(data->set.hstslist); /* clean up list */ ++#endif + #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) + Curl_http_auth_cleanup_digest(data); + #endif +diff --git a/lib/urldata.h b/lib/urldata.h +index 3d7545c..5b4b34f 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1672,6 +1672,8 @@ struct UserDefined { + + void *seek_client; /* pointer to pass to the seek callback */ + #ifndef CURL_DISABLE_HSTS ++ struct curl_slist *hstslist; /* list of HSTS files set by ++ curl_easy_setopt(HSTS) calls */ + curl_hstsread_callback hsts_read; + void *hsts_read_userp; + curl_hstswrite_callback hsts_write; +-- +2.39.1 + + +From 32066a5fa8f649da2aa7a4e4e86bc0b73d32212f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH 3/6] tool_operate: share HSTS between handles + +Upstream-commit: 0bf8b796a0ea98395b390c7807187982215f5c11 +Signed-off-by: Kamil Dudka +--- + src/tool_operate.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/tool_operate.c b/src/tool_operate.c +index 79db063..a5b024e 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -2698,6 +2698,7 @@ CURLcode operate(struct GlobalConfig *global, int argc, argv_item_t argv[]) + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION); + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT); + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_PSL); ++ curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS); + + /* Get the required arguments for each operation */ + do { +-- +2.39.1 + + +From fe6b64ac33a0994e5f50ef8b3d0916b3a248a7e8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH 4/6] hsts: handle adding the same host name again + +It will then use the largest expire time of the two entries. + +Upstream-commit: ca02a77f05bd5cef20618c8f741aa48b7be0a648 +Signed-off-by: Kamil Dudka +--- + lib/hsts.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/lib/hsts.c b/lib/hsts.c +index 339237b..8d6723e 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -427,14 +427,23 @@ static CURLcode hsts_add(struct hsts *h, char *line) + if(2 == rc) { + time_t expires = strcmp(date, UNLIMITED) ? Curl_getdate_capped(date) : + TIME_T_MAX; +- CURLcode result; ++ CURLcode result = CURLE_OK; + char *p = host; + bool subdomain = FALSE; ++ struct stsentry *e; + if(p[0] == '.') { + p++; + subdomain = TRUE; + } +- result = hsts_create(h, p, subdomain, expires); ++ /* only add it if not already present */ ++ e = Curl_hsts(h, p, subdomain); ++ if(!e) ++ result = hsts_create(h, p, subdomain, expires); ++ else { ++ /* the same host name, use the largest expire time */ ++ if(expires > e->expires) ++ e->expires = expires; ++ } + if(result) + return result; + } +-- +2.39.1 + + +From c52b93434c65ec8a44193a6f2b833a1efec8f643 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH 5/6] runtests: support crlf="yes" for verify/proxy + +Upstream-commit: dc0725244a3163f1e2d5f51165db3a1a430f3ba0 +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT.md | 4 ++-- + tests/runtests.pl | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index 8143967..be11167 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -553,7 +553,7 @@ changing protocol data such as port numbers or user-agent strings. + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `` ++### `` + + the protocol dump curl should transmit, if 'nonewline' is set, we will cut off + the trailing newline of this given data before comparing with the one actually +@@ -563,7 +563,7 @@ comparisons are made. + `crlf=yes` forces the newlines to become CRLF even if not written so in the + test. + +-### `` ++### `` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy + server is used), if 'nonewline' is set, we will cut off the trailing newline +diff --git a/tests/runtests.pl b/tests/runtests.pl +index c6a739e..f49e385 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -4634,6 +4634,11 @@ sub singletest { + } + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @protstrip; ++ } ++ + $res = compare($testnum, $testname, "proxy", \@out, \@protstrip); + if($res) { + return $errorreturncode; +-- +2.39.1 + + +From e428f66157caedc1f58ff5206915842937b0950e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH 6/6] test446: verify hsts with two URLs + +Upstream-commit: ea5aaaa5ede53819f8bc7ae767fc2d13d3704d37 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test446 | 84 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 85 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test446 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 3e0221a..fb51cd6 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -71,7 +71,7 @@ test408 test409 test410 test411 test412 test413 test414 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +-test440 test441 test442 test443 test444 test445 \ ++test440 test441 test442 test443 test444 test445 test446 \ + \ + test490 test491 test492 test493 test494 \ + \ +diff --git a/tests/data/test446 b/tests/data/test446 +new file mode 100644 +index 0000000..0e2dfdc +--- /dev/null ++++ b/tests/data/test446 +@@ -0,0 +1,84 @@ ++ ++ ++ ++ ++HTTP ++HTTP proxy ++HSTS ++trailing-dot ++ ++ ++ ++ ++ ++# we use this as response to a CONNECT ++ ++HTTP/1.1 200 OK ++ ++ ++ ++HTTP/1.1 200 OK ++Content-Length: 6 ++Strict-Transport-Security: max-age=604800 ++ ++-foo- ++ ++ ++HTTP/1.1 200 OK ++Content-Length: 6 ++Strict-Transport-Security: max-age=6048000 ++ ++-baa- ++ ++ ++ ++ ++ ++https ++http-proxy ++ ++ ++HSTS ++proxy ++https ++debug ++ ++ ++CURL_HSTS_HTTP=yes ++CURL_TIME=2000000000 ++ ++ ++ ++HSTS with two URLs ++ ++ ++-x http://%HOSTIP:%PROXYPORT --hsts log/hsts%TESTNUMBER http://this.hsts.example./%TESTNUMBER http://another.example.com/%TESTNUMBER0002 ++ ++ ++ ++ ++# we let it CONNECT to the server to confirm HSTS but deny from there ++ ++GET http://this.hsts.example./%TESTNUMBER HTTP/1.1 ++Host: this.hsts.example. ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://another.example.com/%TESTNUMBER0002 HTTP/1.1 ++Host: another.example.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ ++# Your HSTS cache. https://curl.se/docs/hsts.html ++# This file was generated by libcurl! Edit at your own risk. ++this.hsts.example "20330525 03:33:20" ++another.example.com "20330727 03:33:20" ++ ++ ++ ++ +-- +2.39.1 + diff --git a/curl.spec b/curl.spec index 4d8485a..9c75053 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.85.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,9 @@ Patch4: 0004-curl-7.85.0-CVE-2022-42916.patch # http2: make nghttp2 less picky about field whitespace (#2144277) Patch5: 0005-curl-7.85.0-http2-whitespace.patch +# share HSTS between handles (CVE-2023-23915 CVE-2023-23914) +Patch6: 0006-curl-7.85.0-hsts-CVEs.patch + # http: use the IDN decoded name in HSTS checks (CVE-2022-43551) Patch20: 0020-curl-7.85.0-CVE-2022-43551.patch @@ -220,6 +223,7 @@ be installed. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %patch20 -p1 %patch21 -p1 @@ -455,6 +459,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 15 2023 Kamil Dudka - 7.85.0-6 +- share HSTS between handles (CVE-2023-23915 CVE-2023-23914) + * Wed Dec 21 2022 Kamil Dudka - 7.85.0-5 - smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) - http: use the IDN decoded name in HSTS checks (CVE-2022-43551) From d8d0b91700e2e0fe7b9710e2abc7eaa924e95b96 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 18:01:30 +0100 Subject: [PATCH 10/26] Resolves: CVE-2023-23916 - fix HTTP multi-header compression denial of service --- 0007-curl-7.85.0-CVE-2023-23916.patch | 243 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 248 insertions(+) create mode 100644 0007-curl-7.85.0-CVE-2023-23916.patch diff --git a/0007-curl-7.85.0-CVE-2023-23916.patch b/0007-curl-7.85.0-CVE-2023-23916.patch new file mode 100644 index 0000000..3cc752a --- /dev/null +++ b/0007-curl-7.85.0-CVE-2023-23916.patch @@ -0,0 +1,243 @@ +From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Mon, 13 Feb 2023 08:33:09 +0100 +Subject: [PATCH] content_encoding: do not reset stage counter for each header + +Test 418 verifies + +Closes #10492 + +Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9 +Signed-off-by: Kamil Dudka +--- + lib/content_encoding.c | 7 +- + lib/urldata.h | 1 + + tests/data/Makefile.inc | 1 + + tests/data/test387 | 2 +- + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 158 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test418 + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index bfc13e2..94344d6 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1037,7 +1037,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; +- int counter = 0; + + do { + const char *name; +@@ -1072,9 +1071,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + +- if(++counter >= MAX_ENCODE_STACK) { +- failf(data, "Reject response due to %u content encodings", +- counter); ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to more than %u content encodings", ++ MAX_ENCODE_STACK); + return CURLE_BAD_CONTENT_ENCODING; + } + /* Stack the unencoding stage. */ +diff --git a/lib/urldata.h b/lib/urldata.h +index 5b4b34f..8c8c20b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -682,6 +682,7 @@ struct SingleRequest { + struct dohdata *doh; /* DoH specific data for this request */ + #endif + unsigned char setcookies; ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index fb51cd6..86b6f85 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -68,6 +68,7 @@ test380 test381 test383 test384 test385 test386 test387 test388 test389 \ + test390 test391 test392 test393 test394 test395 test396 test397 test398 \ + test399 test400 test401 test402 test403 test404 test405 test406 test407 \ + test408 test409 test410 test411 test412 test413 test414 \ ++ test418 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +diff --git a/tests/data/test387 b/tests/data/test387 +index 015ec25..644fc7f 100644 +--- a/tests/data/test387 ++++ b/tests/data/test387 +@@ -47,7 +47,7 @@ Accept: */* + 61 + + +-curl: (61) Reject response due to 5 content encodings ++curl: (61) Reject response due to more than 5 content encodings + + + +diff --git a/tests/data/test418 b/tests/data/test418 +new file mode 100644 +index 0000000..50e974e +--- /dev/null ++++ b/tests/data/test418 +@@ -0,0 +1,152 @@ ++ ++ ++ ++HTTP ++gzip ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Response with multiple Transfer-Encoding headers ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++ ++61 ++ ++ ++curl: (61) Reject response due to more than 5 content encodings ++ ++ ++ +-- +2.39.1 + diff --git a/curl.spec b/curl.spec index 9c75053..e3f8078 100644 --- a/curl.spec +++ b/curl.spec @@ -28,6 +28,9 @@ Patch5: 0005-curl-7.85.0-http2-whitespace.patch # share HSTS between handles (CVE-2023-23915 CVE-2023-23914) Patch6: 0006-curl-7.85.0-hsts-CVEs.patch +# fix HTTP multi-header compression denial of service (CVE-2023-23916) +Patch7: 0007-curl-7.85.0-CVE-2023-23916.patch + # http: use the IDN decoded name in HSTS checks (CVE-2022-43551) Patch20: 0020-curl-7.85.0-CVE-2022-43551.patch @@ -224,6 +227,7 @@ be installed. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 %patch20 -p1 %patch21 -p1 @@ -460,6 +464,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Feb 15 2023 Kamil Dudka - 7.85.0-6 +- fix HTTP multi-header compression denial of service (CVE-2023-23916) - share HSTS between handles (CVE-2023-23915 CVE-2023-23914) * Wed Dec 21 2022 Kamil Dudka - 7.85.0-5 From 1a7eeed4d34cd857ae0b86c4b2efeedf75e2b889 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 16 Feb 2023 16:08:49 +0100 Subject: [PATCH 11/26] check: temporarily disable test3000 on ppc64le --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index e3f8078..6e73877 100644 --- a/curl.spec +++ b/curl.spec @@ -245,9 +245,9 @@ printf "1112\n1455\n1184\n1801\n" >> tests/data/DISABLED echo "1319" >> tests/data/DISABLED %endif -# disable tests 320..322 on ppc64le where it started to hang/fail +# disable tests 320..322 and 3000 on ppc64le where it started to hang/fail %ifarch ppc64le -printf "320\n321\n322\n" >> tests/data/DISABLED +printf "320\n321\n322\n3000\n" >> tests/data/DISABLED %endif # temporarily disable tests 582 and 1452 on s390x (client times out) From 77d1ff03c7b43645226ece48306f0526f2525fee Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 17 Feb 2023 09:38:29 +0100 Subject: [PATCH 12/26] check: temporarily disable test3001 on ppc64le --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 6e73877..682ffcb 100644 --- a/curl.spec +++ b/curl.spec @@ -245,9 +245,9 @@ printf "1112\n1455\n1184\n1801\n" >> tests/data/DISABLED echo "1319" >> tests/data/DISABLED %endif -# disable tests 320..322 and 3000 on ppc64le where it started to hang/fail +# disable tests 32{0..2} and 300{0..1} on ppc64le where it started to hang/fail %ifarch ppc64le -printf "320\n321\n322\n3000\n" >> tests/data/DISABLED +printf "320\n321\n322\n3000\n3001\n" >> tests/data/DISABLED %endif # temporarily disable tests 582 and 1452 on s390x (client times out) From ad400d6dddabfb99aec78004b4c197ff17eb281a Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 27 Feb 2023 10:05:37 +0100 Subject: [PATCH 13/26] Resolves: #2173299 - header: define public API functions as extern C --- 0008-curl-7.85.0-extern-c-header.patch | 46 ++++++++++++++++++++++++++ curl.spec | 9 ++++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 0008-curl-7.85.0-extern-c-header.patch diff --git a/0008-curl-7.85.0-extern-c-header.patch b/0008-curl-7.85.0-extern-c-header.patch new file mode 100644 index 0000000..a3df328 --- /dev/null +++ b/0008-curl-7.85.0-extern-c-header.patch @@ -0,0 +1,46 @@ +From ff61b969e41a4c9c7f337c905712d84d9ae1da5b Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Wed, 7 Sep 2022 03:07:28 -0400 +Subject: [PATCH] header: define public API functions as extern c + +Prior to this change linker errors would occur if curl_easy_header or +curl_easy_nextheader was called from a C++ unit. + +Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007 +Reported-by: Andrew Lambert + +Closes https://github.com/curl/curl/pull/9446 + +Upstream-commit: 9c822a99944fd185ba58d8bca935ad5c5e6cd3e1 +Signed-off-by: Kamil Dudka +--- + include/curl/header.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/include/curl/header.h b/include/curl/header.h +index 6af29c0..1598c6f 100644 +--- a/include/curl/header.h ++++ b/include/curl/header.h +@@ -24,6 +24,10 @@ + * + ***************************************************************************/ + ++#ifdef __cplusplus ++extern "C" { ++#endif ++ + struct curl_header { + char *name; /* this might not use the same case */ + char *value; +@@ -63,4 +67,8 @@ CURL_EXTERN struct curl_header *curl_easy_nextheader(CURL *easy, + int request, + struct curl_header *prev); + ++#ifdef __cplusplus ++} /* end of extern "C" */ ++#endif ++ + #endif /* CURLINC_HEADER_H */ +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 682ffcb..ab506f4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.85.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -31,6 +31,9 @@ Patch6: 0006-curl-7.85.0-hsts-CVEs.patch # fix HTTP multi-header compression denial of service (CVE-2023-23916) Patch7: 0007-curl-7.85.0-CVE-2023-23916.patch +# header: define public API functions as extern C (#2173299) +Patch8: 0008-curl-7.85.0-extern-c-header.patch + # http: use the IDN decoded name in HSTS checks (CVE-2022-43551) Patch20: 0020-curl-7.85.0-CVE-2022-43551.patch @@ -228,6 +231,7 @@ be installed. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %patch20 -p1 %patch21 -p1 @@ -463,6 +467,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 27 2023 Kamil Dudka - 7.85.0-7 +- header: define public API functions as extern C (#2173299) + * Wed Feb 15 2023 Kamil Dudka - 7.85.0-6 - fix HTTP multi-header compression denial of service (CVE-2023-23916) - share HSTS between handles (CVE-2023-23915 CVE-2023-23914) From fdc14f085c4e216fbe3121b8d5c1592297ebc847 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:14:43 +0100 Subject: [PATCH 14/26] Resolves: CVE-2023-27533 - fix TELNET option IAC injection --- 0023-curl-7.87.0-CVE-2023-27533.patch | 59 +++++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 0023-curl-7.87.0-CVE-2023-27533.patch diff --git a/0023-curl-7.87.0-CVE-2023-27533.patch b/0023-curl-7.87.0-CVE-2023-27533.patch new file mode 100644 index 0000000..8810c27 --- /dev/null +++ b/0023-curl-7.87.0-CVE-2023-27533.patch @@ -0,0 +1,59 @@ +From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 6 Mar 2023 12:07:33 +0100 +Subject: [PATCH] telnet: only accept option arguments in ascii + +To avoid embedded telnet negotiation commands etc. + +Reported-by: Harry Sintonen +Closes #10728 + +Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684 +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 22bc81e..baea885 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data, + } + } + ++static bool str_is_nonascii(const char *str) ++{ ++ size_t len = strlen(str); ++ while(len--) { ++ if(*str & 0x80) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + static CURLcode check_telnet_options(struct Curl_easy *data) + { + struct curl_slist *head; +@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) + /* Add the user name as an environment variable if it + was given on the command line */ + if(data->state.aptr.user) { ++ if(str_is_nonascii(data->conn->user)) ++ return CURLE_BAD_FUNCTION_ARGUMENT; + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { +@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) + for(head = data->set.telnet_options; head; head = head->next) { + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", + option_keyword, option_arg) == 2) { ++ if(str_is_nonascii(option_arg)) ++ continue; + + /* Terminal type */ + if(strcasecompare(option_keyword, "TTYPE")) { +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index ab506f4..f674415 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.85.0 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -40,6 +40,9 @@ Patch20: 0020-curl-7.85.0-CVE-2022-43551.patch # smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) Patch21: 0021-curl-7.85.0-CVE-2022-43552.patch +# fix TELNET option IAC injection (CVE-2023-27533) +Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -234,6 +237,7 @@ be installed. %patch8 -p1 %patch20 -p1 %patch21 -p1 +%patch23 -p1 # Fedora patches %patch101 -p1 @@ -467,6 +471,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Mar 24 2023 Kamil Dudka - 7.85.0-8 +- fix TELNET option IAC injection (CVE-2023-27533) + * Mon Feb 27 2023 Kamil Dudka - 7.85.0-7 - header: define public API functions as extern C (#2173299) From 50e4a8af9ad79aa277d4566145e382a9953eebdc Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:16:13 +0100 Subject: [PATCH 15/26] Resolves: CVE-2023-27534 - fix SFTP path ~ resolving discrepancy --- 0024-curl-7.85.0-CVE-2023-27534.patch | 1226 +++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 1231 insertions(+) create mode 100644 0024-curl-7.85.0-CVE-2023-27534.patch diff --git a/0024-curl-7.85.0-CVE-2023-27534.patch b/0024-curl-7.85.0-CVE-2023-27534.patch new file mode 100644 index 0000000..413cfbd --- /dev/null +++ b/0024-curl-7.85.0-CVE-2023-27534.patch @@ -0,0 +1,1226 @@ +From 59f573f2d00c143ea2cc9cd5edca7625e7f7b6a2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 16 Oct 2022 18:09:14 +0200 +Subject: [PATCH 1/4] curl_path: return error if given a NULL homedir + +Closes #9740 + +Upstream-commit: 025bad1182ff87facbddd280dd07a0fc26b99f45 +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 2598375..b55e830 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -122,7 +122,8 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + bool relativePath = false; + static const char WHITESPACE[] = " \t\r\n"; + +- if(!*cp) { ++ DEBUGASSERT(homedir); ++ if(!*cp || !homedir) { + *cpp = NULL; + *path = NULL; + return CURLE_QUOTE_ERROR; +-- +2.39.2 + + +From 0ff48fd60ad80b6b0c404d46bc4c9ba6c1c479be Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 30 Oct 2022 17:38:16 +0100 +Subject: [PATCH 2/4] style: use space after comment start and before comment + end + +/* like this */ + +/*not this*/ + +checksrc is updated accordingly + +Closes #9828 + +Upstream-commit: 52cc4a85fd7e5265ba8ff0f08adf4858f6773a11 +Signed-off-by: Kamil Dudka +--- + docs/examples/ephiperfifo.c | 4 +- + docs/examples/usercertinmem.c | 12 +-- + include/curl/curl.h | 20 ++--- + include/curl/typecheck-gcc.h | 2 +- + lib/c-hyper.c | 4 +- + lib/curl_path.c | 4 - + lib/curl_rtmp.c | 12 +-- + lib/curl_setup.h | 2 +- + lib/curl_sha256.h | 2 +- + lib/dict.c | 2 +- + lib/file.c | 2 +- + lib/ftp.c | 2 +- + lib/gopher.c | 2 +- + lib/http.c | 4 +- + lib/http_chunks.c | 2 +- + lib/mqtt.c | 4 +- + lib/rtsp.c | 4 +- + lib/rtsp.h | 2 +- + lib/telnet.c | 2 +- + lib/urldata.h | 4 +- + lib/vauth/digest.c | 4 +- + lib/vauth/krb5_sspi.c | 2 +- + lib/vssh/libssh2.c | 6 +- + lib/vtls/schannel.c | 4 +- + lib/vtls/sectransp.c | 2 - + scripts/checksrc.pl | 15 ++++ + src/tool_cfgable.h | 5 +- + src/tool_getparam.c | 4 +- + tests/libtest/lib1156.c | 2 +- + tests/libtest/lib1525.c | 2 +- + tests/libtest/lib1526.c | 2 +- + tests/libtest/lib1527.c | 2 +- + tests/libtest/lib1528.c | 2 +- + tests/libtest/lib1591.c | 2 +- + tests/libtest/lib506.c | 2 +- + tests/libtest/lib557.c | 2 +- + tests/libtest/lib586.c | 2 +- + tests/libtest/stub_gssapi.h | 160 +++++++++++++++++----------------- + tests/server/tftp.h | 2 +- + tests/server/util.c | 2 +- + tests/unit/unit1300.c | 4 +- + 41 files changed, 163 insertions(+), 157 deletions(-) + +diff --git a/docs/examples/ephiperfifo.c b/docs/examples/ephiperfifo.c +index 7079846..268f9a9 100644 +--- a/docs/examples/ephiperfifo.c ++++ b/docs/examples/ephiperfifo.c +@@ -166,7 +166,7 @@ static int multi_timer_cb(CURLM *multi, long timeout_ms, GlobalInfo *g) + memset(&its, 0, sizeof(struct itimerspec)); + } + +- timerfd_settime(g->tfd, /*flags=*/0, &its, NULL); ++ timerfd_settime(g->tfd, /* flags= */0, &its, NULL); + return 0; + } + +@@ -197,7 +197,7 @@ static void check_multi_info(GlobalInfo *g) + } + } + +-/* Called by libevent when we get action on a multi socket filedescriptor*/ ++/* Called by libevent when we get action on a multi socket filedescriptor */ + static void event_cb(GlobalInfo *g, int fd, int revents) + { + CURLMcode rc; +diff --git a/docs/examples/usercertinmem.c b/docs/examples/usercertinmem.c +index 89a0c3c..f8fada4 100644 +--- a/docs/examples/usercertinmem.c ++++ b/docs/examples/usercertinmem.c +@@ -94,7 +94,7 @@ static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm) + "omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD\n"\ + "-----END CERTIFICATE-----\n"; + +-/*replace the XXX with the actual RSA key*/ ++/* replace the XXX with the actual RSA key */ + const char *mykey = + "-----BEGIN RSA PRIVATE KEY-----\n"\ + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"\ +@@ -133,25 +133,25 @@ static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm) + printf("PEM_read_bio_X509 failed...\n"); + } + +- /*tell SSL to use the X509 certificate*/ ++ /* tell SSL to use the X509 certificate */ + ret = SSL_CTX_use_certificate((SSL_CTX*)sslctx, cert); + if(ret != 1) { + printf("Use certificate failed\n"); + } + +- /*create a bio for the RSA key*/ ++ /* create a bio for the RSA key */ + kbio = BIO_new_mem_buf((char *)mykey, -1); + if(!kbio) { + printf("BIO_new_mem_buf failed\n"); + } + +- /*read the key bio into an RSA object*/ ++ /* read the key bio into an RSA object */ + rsa = PEM_read_bio_RSAPrivateKey(kbio, NULL, 0, NULL); + if(!rsa) { + printf("Failed to create key bio\n"); + } + +- /*tell SSL to use the RSA key from memory*/ ++ /* tell SSL to use the RSA key from memory */ + ret = SSL_CTX_use_RSAPrivateKey((SSL_CTX*)sslctx, rsa); + if(ret != 1) { + printf("Use Key failed\n"); +@@ -192,7 +192,7 @@ int main(void) + curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "PEM"); + + /* both VERIFYPEER and VERIFYHOST are set to 0 in this case because there is +- no CA certificate*/ ++ no CA certificate */ + + curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, 0L); + curl_easy_setopt(ch, CURLOPT_SSL_VERIFYHOST, 0L); +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 4d25644..0887e3c 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -368,7 +368,7 @@ typedef int (*curl_seek_callback)(void *instream, + #define CURL_READFUNC_PAUSE 0x10000001 + + /* Return code for when the trailing headers' callback has terminated +- without any errors*/ ++ without any errors */ + #define CURL_TRAILERFUNC_OK 0 + /* Return code for when was an error in the trailing header's list and we + want to abort the request */ +@@ -450,7 +450,7 @@ typedef void *(*curl_calloc_callback)(size_t nmemb, size_t size); + #define CURL_DID_MEMORY_FUNC_TYPEDEFS + #endif + +-/* the kind of data that is passed to information_callback*/ ++/* the kind of data that is passed to information_callback */ + typedef enum { + CURLINFO_TEXT = 0, + CURLINFO_HEADER_IN, /* 1 */ +@@ -698,7 +698,7 @@ typedef enum { + #define CURLOPT_WRITEINFO CURLOPT_OBSOLETE40 + #define CURLOPT_CLOSEPOLICY CURLOPT_OBSOLETE72 + +-#endif /*!CURL_NO_OLDIES*/ ++#endif /* !CURL_NO_OLDIES */ + + /* + * Proxy error codes. Returned in CURLINFO_PROXY_ERROR if CURLE_PROXY was +@@ -843,7 +843,7 @@ enum curl_khstat { + CURLKHSTAT_DEFER, /* do not accept it, but we can't answer right now so + this causes a CURLE_DEFER error but otherwise the + connection will be left intact etc */ +- CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key*/ ++ CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key */ + CURLKHSTAT_LAST /* not for use, only a marker for last-in-list */ + }; + +@@ -864,13 +864,13 @@ typedef int + /* CURLOPT_SSH_KEYDATA */ + + typedef int +- (*curl_sshhostkeycallback) (void *clientp,/* custom pointer passed*/ ++ (*curl_sshhostkeycallback) (void *clientp,/* custom pointer passed */ + /* with CURLOPT_SSH_HOSTKEYDATA */ + int keytype, /* CURLKHTYPE */ +- const char *key, /*hostkey to check*/ +- size_t keylen); /*length of the key*/ +- /*return CURLE_OK to accept*/ +- /*or something else to refuse*/ ++ const char *key, /* hostkey to check */ ++ size_t keylen); /* length of the key */ ++ /* return CURLE_OK to accept */ ++ /* or something else to refuse */ + + + /* parameter for the CURLOPT_USE_SSL option */ +@@ -932,7 +932,7 @@ typedef enum { + #define CURLFTPSSL_ALL CURLUSESSL_ALL + #define CURLFTPSSL_LAST CURLUSESSL_LAST + #define curl_ftpssl curl_usessl +-#endif /*!CURL_NO_OLDIES*/ ++#endif /* !CURL_NO_OLDIES */ + + /* parameter for the CURLOPT_FTP_SSL_CCC option */ + typedef enum { +diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h +index 2dabcb4..00961db 100644 +--- a/include/curl/typecheck-gcc.h ++++ b/include/curl/typecheck-gcc.h +@@ -436,7 +436,7 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t, + (CURLINFO_OFF_T < (info)) + + +-/* typecheck helpers -- check whether given expression has requested type*/ ++/* typecheck helpers -- check whether given expression has requested type */ + + /* For pointers, you can use the curlcheck_ptr/curlcheck_arr macros, + * otherwise define a new macro. Search for __builtin_types_compatible_p +diff --git a/lib/c-hyper.c b/lib/c-hyper.c +index d034900..5895793 100644 +--- a/lib/c-hyper.c ++++ b/lib/c-hyper.c +@@ -660,7 +660,7 @@ static int uploadpostfields(void *userdata, hyper_context *ctx, + return HYPER_POLL_ERROR; + } + /* increasing the writebytecount here is a little premature but we +- don't know exactly when the body is sent*/ ++ don't know exactly when the body is sent */ + data->req.writebytecount += (size_t)data->req.p.http->postsize; + Curl_pgrsSetUploadCounter(data, data->req.writebytecount); + data->req.upload_done = TRUE; +@@ -713,7 +713,7 @@ static int uploadstreamed(void *userdata, hyper_context *ctx, + return HYPER_POLL_ERROR; + } + /* increasing the writebytecount here is a little premature but we +- don't know exactly when the body is sent*/ ++ don't know exactly when the body is sent */ + data->req.writebytecount += fillcount; + Curl_pgrsSetUploadCounter(data, fillcount); + } +diff --git a/lib/curl_path.c b/lib/curl_path.c +index b55e830..27ff96d 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -148,15 +148,12 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + break; + } + if(cp[i] == '\0') { /* End of string */ +- /*error("Unterminated quote");*/ + goto fail; + } + if(cp[i] == '\\') { /* Escaped characters */ + i++; + if(cp[i] != '\'' && cp[i] != '\"' && + cp[i] != '\\') { +- /*error("Bad escaped character '\\%c'", +- cp[i]);*/ + goto fail; + } + } +@@ -164,7 +161,6 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + } + + if(j == 0) { +- /*error("Empty quotes");*/ + goto fail; + } + *cpp = cp + i + strspn(cp + i, WHITESPACE); +diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c +index b0c3710..1932cb4 100644 +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -85,7 +85,7 @@ const struct Curl_handler Curl_handler_rtmp = { + PORT_RTMP, /* defport */ + CURLPROTO_RTMP, /* protocol */ + CURLPROTO_RTMP, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpt = { +@@ -108,7 +108,7 @@ const struct Curl_handler Curl_handler_rtmpt = { + PORT_RTMPT, /* defport */ + CURLPROTO_RTMPT, /* protocol */ + CURLPROTO_RTMPT, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpe = { +@@ -131,7 +131,7 @@ const struct Curl_handler Curl_handler_rtmpe = { + PORT_RTMP, /* defport */ + CURLPROTO_RTMPE, /* protocol */ + CURLPROTO_RTMPE, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpte = { +@@ -154,7 +154,7 @@ const struct Curl_handler Curl_handler_rtmpte = { + PORT_RTMPT, /* defport */ + CURLPROTO_RTMPTE, /* protocol */ + CURLPROTO_RTMPTE, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmps = { +@@ -177,7 +177,7 @@ const struct Curl_handler Curl_handler_rtmps = { + PORT_RTMPS, /* defport */ + CURLPROTO_RTMPS, /* protocol */ + CURLPROTO_RTMP, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpts = { +@@ -200,7 +200,7 @@ const struct Curl_handler Curl_handler_rtmpts = { + PORT_RTMPS, /* defport */ + CURLPROTO_RTMPTS, /* protocol */ + CURLPROTO_RTMPT, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + static CURLcode rtmp_setup_connection(struct Curl_easy *data, +diff --git a/lib/curl_setup.h b/lib/curl_setup.h +index e5356dc..7690f80 100644 +--- a/lib/curl_setup.h ++++ b/lib/curl_setup.h +@@ -691,7 +691,7 @@ + # define UNUSED_PARAM __attribute__((__unused__)) + # define WARN_UNUSED_RESULT __attribute__((warn_unused_result)) + #else +-# define UNUSED_PARAM /*NOTHING*/ ++# define UNUSED_PARAM /* NOTHING */ + # define WARN_UNUSED_RESULT + #endif + +diff --git a/lib/curl_sha256.h b/lib/curl_sha256.h +index 82fcdff..0f1b073 100644 +--- a/lib/curl_sha256.h ++++ b/lib/curl_sha256.h +@@ -32,7 +32,7 @@ extern const struct HMAC_params Curl_HMAC_SHA256[1]; + + #ifdef USE_WOLFSSL + /* SHA256_DIGEST_LENGTH is an enum value in wolfSSL. Need to import it from +- * sha.h*/ ++ * sha.h */ + #include + #include + #else +diff --git a/lib/dict.c b/lib/dict.c +index 6f7678f..993373e 100644 +--- a/lib/dict.c ++++ b/lib/dict.c +@@ -319,4 +319,4 @@ static CURLcode dict_do(struct Curl_easy *data, bool *done) + + return CURLE_OK; + } +-#endif /*CURL_DISABLE_DICT*/ ++#endif /* CURL_DISABLE_DICT */ +diff --git a/lib/file.c b/lib/file.c +index d82d57b..4ed7078 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -340,7 +340,7 @@ static CURLcode file_upload(struct Curl_easy *data) + + nread = readcount; + +- /*skip bytes before resume point*/ ++ /* skip bytes before resume point */ + if(data->state.resume_from) { + if((curl_off_t)nread <= data->state.resume_from) { + data->state.resume_from -= nread; +diff --git a/lib/ftp.c b/lib/ftp.c +index 0473a8a..9442832 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1167,7 +1167,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, + port++; + } + +- /* maybe all ports were in use already*/ ++ /* maybe all ports were in use already */ + if(port > port_max) { + failf(data, "bind() failed, we ran out of ports"); + Curl_closesocket(data, conn, portsock); +diff --git a/lib/gopher.c b/lib/gopher.c +index 01f4bde..ac2018e 100644 +--- a/lib/gopher.c ++++ b/lib/gopher.c +@@ -236,4 +236,4 @@ static CURLcode gopher_do(struct Curl_easy *data, bool *done) + Curl_setup_transfer(data, FIRSTSOCKET, -1, FALSE, -1); + return CURLE_OK; + } +-#endif /*CURL_DISABLE_GOPHER*/ ++#endif /* CURL_DISABLE_GOPHER */ +diff --git a/lib/http.c b/lib/http.c +index 8b18e8d..aab1a87 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2087,7 +2087,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + { + const char *ptr; + if(!data->state.this_is_a_follow) { +- /* Free to avoid leaking memory on multiple requests*/ ++ /* Free to avoid leaking memory on multiple requests */ + free(data->state.first_host); + + data->state.first_host = strdup(conn->host.name); +@@ -3056,7 +3056,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) + /* continue with HTTP/1.1 when explicitly requested */ + break; + default: +- /* Check if user wants to use HTTP/2 with clear TCP*/ ++ /* Check if user wants to use HTTP/2 with clear TCP */ + #ifdef USE_NGHTTP2 + if(data->state.httpwant == CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE) { + #ifndef CURL_DISABLE_PROXY +diff --git a/lib/http_chunks.c b/lib/http_chunks.c +index 290dbe8..b694b18 100644 +--- a/lib/http_chunks.c ++++ b/lib/http_chunks.c +@@ -113,7 +113,7 @@ CHUNKcode Curl_httpchunk_read(struct Curl_easy *data, + *wrote = 0; /* nothing's written yet */ + + /* the original data is written to the client, but we go on with the +- chunk read process, to properly calculate the content length*/ ++ chunk read process, to properly calculate the content length */ + if(data->set.http_te_skip && !k->ignorebody) { + result = Curl_client_write(data, CLIENTWRITE_BODY, datap, datalen); + if(result) { +diff --git a/lib/mqtt.c b/lib/mqtt.c +index 7320747..0d102aa 100644 +--- a/lib/mqtt.c ++++ b/lib/mqtt.c +@@ -242,7 +242,7 @@ static int init_connpack(char *packet, char *remain, int remain_pos) + /* keep-alive 0 = disabled */ + packet[remain_pos + 9] = 0x00; + packet[remain_pos + 10] = 0x3c; +- /*end of variable header*/ ++ /* end of variable header */ + return remain_pos + 10; + } + +@@ -251,7 +251,7 @@ static CURLcode mqtt_connect(struct Curl_easy *data) + CURLcode result = CURLE_OK; + int pos = 0; + int rc = 0; +- /*remain length*/ ++ /* remain length */ + int remain_pos = 0; + char remain[4] = {0}; + size_t packetlen = 0; +diff --git a/lib/rtsp.c b/lib/rtsp.c +index 5a6644b..b4edac7 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -311,7 +311,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + break; + case RTSPREQ_RECEIVE: + p_request = ""; +- /* Treat interleaved RTP as body*/ ++ /* Treat interleaved RTP as body */ + data->set.opt_no_body = FALSE; + break; + case RTSPREQ_LAST: +@@ -650,7 +650,7 @@ static CURLcode rtsp_rtp_readwrite(struct Curl_easy *data, + rtp_length = RTP_PKT_LENGTH(rtp); + + if(rtp_dataleft < rtp_length + 4) { +- /* Need more - incomplete payload*/ ++ /* Need more - incomplete payload */ + *readmore = TRUE; + break; + } +diff --git a/lib/rtsp.h b/lib/rtsp.h +index 377c828..fa6606a 100644 +--- a/lib/rtsp.h ++++ b/lib/rtsp.h +@@ -62,7 +62,7 @@ struct RTSP { + * HTTP functions can safely treat this as an HTTP struct, but RTSP aware + * functions can also index into the later elements. + */ +- struct HTTP http_wrapper; /*wrap HTTP to do the heavy lifting */ ++ struct HTTP http_wrapper; /* wrap HTTP to do the heavy lifting */ + + long CSeq_sent; /* CSeq of this request */ + long CSeq_recv; /* CSeq received */ +diff --git a/lib/telnet.c b/lib/telnet.c +index ff15701..c526ae6 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -571,7 +571,7 @@ void rec_do(struct Curl_easy *data, int option) + sendsuboption(data, option); + } + else if(tn->subnegotiation[option] == CURL_YES) { +- /* send information to achieve this option*/ ++ /* send information to achieve this option */ + tn->us[option] = CURL_YES; + send_negotiation(data, CURL_WILL, option); + sendsuboption(data, option); +diff --git a/lib/urldata.h b/lib/urldata.h +index 874d583..9d9ca92 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -236,7 +236,7 @@ struct ssl_connect_data { + + struct ssl_primary_config { + long version; /* what version the client wants to use */ +- long version_max; /* max supported version the client wants to use*/ ++ long version_max; /* max supported version the client wants to use */ + char *CApath; /* certificate dir (doesn't work on windows) */ + char *CAfile; /* certificate to verify peer against */ + char *issuercert; /* optional issuer certificate filename */ +@@ -273,7 +273,7 @@ struct ssl_config_data { + char *key_passwd; /* plain text private key password */ + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); +- BIT(enable_beast); /* allow this flaw for interoperability's sake*/ ++ BIT(enable_beast); /* allow this flaw for interoperability's sake */ + BIT(no_revoke); /* disable SSL certificate revocation checks */ + BIT(no_partialchain); /* don't accept partial certificate chains */ + BIT(revoke_best_effort); /* ignore SSL revocation offline/missing revocation +diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c +index 962aa62..d24c10e 100644 +--- a/lib/vauth/digest.c ++++ b/lib/vauth/digest.c +@@ -142,7 +142,7 @@ bool Curl_auth_digest_get_pair(const char *str, char *value, char *content, + } + + #if !defined(USE_WINDOWS_SSPI) +-/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string*/ ++/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string */ + static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ + unsigned char *dest) /* 33 bytes */ + { +@@ -151,7 +151,7 @@ static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ + msnprintf((char *) &dest[i * 2], 3, "%02x", source[i]); + } + +-/* Convert sha256 chunk to RFC7616 -suitable ascii string*/ ++/* Convert sha256 chunk to RFC7616 -suitable ascii string */ + static void auth_digest_sha256_to_ascii(unsigned char *source, /* 32 bytes */ + unsigned char *dest) /* 65 bytes */ + { +diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c +index 895b4a1..015bc66 100644 +--- a/lib/vauth/krb5_sspi.c ++++ b/lib/vauth/krb5_sspi.c +@@ -471,4 +471,4 @@ void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5) + krb5->token_max = 0; + } + +-#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5*/ ++#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5 */ +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index 02030c1..74b5d10 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -610,9 +610,9 @@ static CURLcode ssh_knownhost(struct Curl_easy *data) + /* remove old host+key that doesn't match */ + if(host) + libssh2_knownhost_del(sshc->kh, host); +- /*FALLTHROUGH*/ ++ /* FALLTHROUGH */ + case CURLKHSTAT_FINE: +- /*FALLTHROUGH*/ ++ /* FALLTHROUGH */ + case CURLKHSTAT_FINE_ADD_TO_FILE: + /* proceed */ + if(keycheck != LIBSSH2_KNOWNHOST_CHECK_MATCH) { +@@ -785,7 +785,7 @@ static CURLcode ssh_check_fingerprint(struct Curl_easy *data) + size_t keylen = 0; + int sshkeytype = 0; + int rc = 0; +- /* we handle the process to the callback*/ ++ /* we handle the process to the callback */ + const char *remotekey = libssh2_session_hostkey(sshc->ssh_session, + &keylen, &sshkeytype); + if(remotekey) { +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index 32abcaa..c49b86c 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -263,7 +263,7 @@ set_ssl_version_min_max(DWORD *enabled_protocols, struct Curl_easy *data, + return CURLE_OK; + } + +-/*longest is 26, buffer is slightly bigger*/ ++/* longest is 26, buffer is slightly bigger */ + #define LONGEST_ALG_ID 32 + #define CIPHEROPTION(X) \ + if(strcmp(#X, tmp) == 0) \ +@@ -290,7 +290,7 @@ get_alg_id_by_name(char *name) + CIPHEROPTION(CALG_MAC); + CIPHEROPTION(CALG_RSA_SIGN); + CIPHEROPTION(CALG_DSS_SIGN); +-/*ifdefs for the options that are defined conditionally in wincrypt.h*/ ++/* ifdefs for the options that are defined conditionally in wincrypt.h */ + #ifdef CALG_NO_SIGN + CIPHEROPTION(CALG_NO_SIGN); + #endif +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index a18ca4e..1123001 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -836,7 +836,6 @@ static OSStatus SocketRead(SSLConnectionRef connection, + size_t bytesToGo = *dataLength; + size_t initLen = bytesToGo; + UInt8 *currData = (UInt8 *)data; +- /*int sock = *(int *)connection;*/ + struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; + struct ssl_backend_data *backend = connssl->backend; + int sock; +@@ -899,7 +898,6 @@ static OSStatus SocketWrite(SSLConnectionRef connection, + size_t *dataLength) /* IN/OUT */ + { + size_t bytesSent = 0; +- /*int sock = *(int *)connection;*/ + struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; + struct ssl_backend_data *backend = connssl->backend; + int sock; +diff --git a/scripts/checksrc.pl b/scripts/checksrc.pl +index 651b4b7..b7b6baf 100755 +--- a/scripts/checksrc.pl ++++ b/scripts/checksrc.pl +@@ -91,6 +91,9 @@ my %warnings = ( + 'EMPTYLINEBRACE' => 'Empty line before the open brace', + 'EQUALSNULL' => 'if/while comparison with == NULL', + 'NOTEQUALSZERO', => 'if/while comparison with != 0', ++ 'INCLUDEDUP', => 'same file is included again', ++ 'COMMENTNOSPACESTART' => 'no space following /*', ++ 'COMMENTNOSPACEEND' => 'no space before */', + ); + + sub readskiplist { +@@ -423,6 +426,18 @@ sub scanfile { + $line, length($1), $file, $l, "Trailing whitespace"); + } + ++ # no space after comment start ++ if($l =~ /^(.*)\/\*\w/) { ++ checkwarn("COMMENTNOSPACESTART", ++ $line, length($1) + 2, $file, $l, ++ "Missing space after comment start"); ++ } ++ # no space at comment end ++ if($l =~ /^(.*)\w\*\//) { ++ checkwarn("COMMENTNOSPACEEND", ++ $line, length($1) + 1, $file, $l, ++ "Missing space end comment end"); ++ } + # ------------------------------------------------------------ + # Above this marker, the checks were done on lines *including* + # comments +diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h +index ec26eeb..30fb2b4 100644 +--- a/src/tool_cfgable.h ++++ b/src/tool_cfgable.h +@@ -254,11 +254,8 @@ struct OperationConfig { + bool xattr; /* store metadata in extended attributes */ + long gssapi_delegation; + bool ssl_allow_beast; /* allow this SSL vulnerability */ +- bool proxy_ssl_allow_beast; /* allow this SSL vulnerability for proxy*/ +- ++ bool proxy_ssl_allow_beast; /* allow this SSL vulnerability for proxy */ + bool ssl_no_revoke; /* disable SSL certificate revocation checks */ +- /*bool proxy_ssl_no_revoke; */ +- + bool ssl_revoke_best_effort; /* ignore SSL revocation offline/missing + revocation list errors */ + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index e6c6a27..62def3b 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -1179,7 +1179,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + /* This specifies the noproxy list */ + GetStr(&config->noproxy, nextarg); + break; +- case '7': /* --socks5-gssapi-nec*/ ++ case '7': /* --socks5-gssapi-nec */ + config->socks5_gssapi_nec = toggle; + break; + case '8': /* --proxy1.0 */ +@@ -1328,7 +1328,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + config->httpversion = CURL_HTTP_VERSION_2_0; + break; + case '3': /* --http2-prior-knowledge */ +- /* HTTP version 2.0 over clean TCP*/ ++ /* HTTP version 2.0 over clean TCP */ + config->httpversion = CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE; + break; + case '4': /* --http3 */ +diff --git a/tests/libtest/lib1156.c b/tests/libtest/lib1156.c +index 23e3d94..aa2bf1e 100644 +--- a/tests/libtest/lib1156.c ++++ b/tests/libtest/lib1156.c +@@ -129,7 +129,7 @@ static int onetest(CURL *curl, const char *url, const struct testparams *p, + } + + /* for debugging: */ +-/*#define SINGLETEST 9*/ ++/* #define SINGLETEST 9 */ + + int test(char *URL) + { +diff --git a/tests/libtest/lib1525.c b/tests/libtest/lib1525.c +index 44c52ff..0fedf25 100644 +--- a/tests/libtest/lib1525.c ++++ b/tests/libtest/lib1525.c +@@ -50,7 +50,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1526.c b/tests/libtest/lib1526.c +index d9f11f5..69325fe 100644 +--- a/tests/libtest/lib1526.c ++++ b/tests/libtest/lib1526.c +@@ -48,7 +48,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL, *phl = NULL, *tmp = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1527.c b/tests/libtest/lib1527.c +index 6f4d7fe..f3918a2 100644 +--- a/tests/libtest/lib1527.c ++++ b/tests/libtest/lib1527.c +@@ -49,7 +49,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http header list*/ ++ /* http header list */ + struct curl_slist *hhl = NULL, *tmp = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1528.c b/tests/libtest/lib1528.c +index 3401f65..c852574 100644 +--- a/tests/libtest/lib1528.c ++++ b/tests/libtest/lib1528.c +@@ -30,7 +30,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http header list*/ ++ /* http header list */ + struct curl_slist *hhl = NULL; + struct curl_slist *phl = NULL; + +diff --git a/tests/libtest/lib1591.c b/tests/libtest/lib1591.c +index 1a6f7c2..e02bba2 100644 +--- a/tests/libtest/lib1591.c ++++ b/tests/libtest/lib1591.c +@@ -77,7 +77,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib506.c b/tests/libtest/lib506.c +index b44a275..97be2f2 100644 +--- a/tests/libtest/lib506.c ++++ b/tests/libtest/lib506.c +@@ -349,7 +349,7 @@ int test(char *URL) + printf("-----------------\n"); + curl_slist_free_all(cookies); + +- /* try to free share, expect to fail because share is in use*/ ++ /* try to free share, expect to fail because share is in use */ + printf("try SHARE_CLEANUP...\n"); + scode = curl_share_cleanup(share); + if(scode == CURLSHE_OK) { +diff --git a/tests/libtest/lib557.c b/tests/libtest/lib557.c +index 578ab71..c51f25d 100644 +--- a/tests/libtest/lib557.c ++++ b/tests/libtest/lib557.c +@@ -1345,7 +1345,7 @@ static int test_weird_arguments(void) + "0123456789" /* 10 7 */ + "0123456789" /* 10 8 */ + "0123456789" /* 10 9 */ +- "0123456789" /* 10 10*/ ++ "0123456789" /* 10 10 */ + "0123456789" /* 10 11 */ + "01234567" /* 8 */ + ); +diff --git a/tests/libtest/lib586.c b/tests/libtest/lib586.c +index 8f14869..753f4ef 100644 +--- a/tests/libtest/lib586.c ++++ b/tests/libtest/lib586.c +@@ -217,7 +217,7 @@ int test(char *URL) + printf("PERFORM\n"); + curl_easy_perform(curl); + +- /* try to free share, expect to fail because share is in use*/ ++ /* try to free share, expect to fail because share is in use */ + printf("try SHARE_CLEANUP...\n"); + scode = curl_share_cleanup(share); + if(scode == CURLSHE_OK) { +diff --git a/tests/libtest/stub_gssapi.h b/tests/libtest/stub_gssapi.h +index 36460e9..ad30553 100644 +--- a/tests/libtest/stub_gssapi.h ++++ b/tests/libtest/stub_gssapi.h +@@ -100,85 +100,85 @@ typedef struct gss_channel_bindings_struct { + gss_buffer_desc application_data; + } *gss_channel_bindings_t; + +-OM_uint32 gss_release_buffer(OM_uint32 * /*minor_status*/, +- gss_buffer_t /*buffer*/); +- +-OM_uint32 gss_init_sec_context(OM_uint32 * /*minor_status*/, +- gss_const_cred_id_t /*initiator_cred_handle*/, +- gss_ctx_id_t * /*context_handle*/, +- gss_const_name_t /*target_name*/, +- const gss_OID /*mech_type*/, +- OM_uint32 /*req_flags*/, +- OM_uint32 /*time_req*/, +- const gss_channel_bindings_t /*input_chan_bindings*/, +- const gss_buffer_t /*input_token*/, +- gss_OID * /*actual_mech_type*/, +- gss_buffer_t /*output_token*/, +- OM_uint32 * /*ret_flags*/, +- OM_uint32 * /*time_rec*/); +- +-OM_uint32 gss_delete_sec_context(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t * /*context_handle*/, +- gss_buffer_t /*output_token*/); +- +-OM_uint32 gss_inquire_context(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- gss_name_t * /*src_name*/, +- gss_name_t * /*targ_name*/, +- OM_uint32 * /*lifetime_rec*/, +- gss_OID * /*mech_type*/, +- OM_uint32 * /*ctx_flags*/, +- int * /*locally_initiated*/, +- int * /*open_context*/); +- +-OM_uint32 gss_wrap(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- int /*conf_req_flag*/, +- gss_qop_t /*qop_req*/, +- const gss_buffer_t /*input_message_buffer*/, +- int * /*conf_state*/, +- gss_buffer_t /*output_message_buffer*/); +- +-OM_uint32 gss_unwrap(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- const gss_buffer_t /*input_message_buffer*/, +- gss_buffer_t /*output_message_buffer*/, +- int * /*conf_state*/, +- gss_qop_t * /*qop_state*/); +- +-OM_uint32 gss_seal(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t /*context_handle*/, +- int /*conf_req_flag*/, +- int /*qop_req*/, +- gss_buffer_t /*input_message_buffer*/, +- int * /*conf_state*/, +- gss_buffer_t /*output_message_buffer*/); +- +-OM_uint32 gss_unseal(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t /*context_handle*/, +- gss_buffer_t /*input_message_buffer*/, +- gss_buffer_t /*output_message_buffer*/, +- int * /*conf_state*/, +- int * /*qop_state*/); +- +-OM_uint32 gss_import_name(OM_uint32 * /*minor_status*/, +- const gss_buffer_t /*input_name_buffer*/, +- const gss_OID /*input_name_type*/, +- gss_name_t * /*output_name*/); +- +-OM_uint32 gss_release_name(OM_uint32 * /*minor_status*/, +- gss_name_t * /*input_name*/); +- +-OM_uint32 gss_display_name(OM_uint32 * /*minor_status*/, +- gss_const_name_t /*input_name*/, +- gss_buffer_t /*output_name_buffer*/, +- gss_OID * /*output_name_type*/); +- +-OM_uint32 gss_display_status(OM_uint32 * /*minor_status*/, +- OM_uint32 /*status_value*/, +- int /*status_type*/, +- const gss_OID /*mech_type*/, +- OM_uint32 * /*message_context*/, +- gss_buffer_t /*status_string*/); ++OM_uint32 gss_release_buffer(OM_uint32 * /* minor_status */, ++ gss_buffer_t /* buffer */); ++ ++OM_uint32 gss_init_sec_context(OM_uint32 * /* minor_status */, ++ gss_const_cred_id_t /* initiator_cred_handle */, ++ gss_ctx_id_t * /* context_handle */, ++ gss_const_name_t /* target_name */, ++ const gss_OID /* mech_type */, ++ OM_uint32 /* req_flags */, ++ OM_uint32 /* time_req */, ++ const gss_channel_bindings_t /* input_chan_bindings */, ++ const gss_buffer_t /* input_token */, ++ gss_OID * /* actual_mech_type */, ++ gss_buffer_t /* output_token */, ++ OM_uint32 * /* ret_flags */, ++ OM_uint32 * /* time_rec */); ++ ++OM_uint32 gss_delete_sec_context(OM_uint32 * /* minor_status */, ++ gss_ctx_id_t * /* context_handle */, ++ gss_buffer_t /* output_token */); ++ ++OM_uint32 gss_inquire_context(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ gss_name_t * /* src_name */, ++ gss_name_t * /* targ_name */, ++ OM_uint32 * /* lifetime_rec */, ++ gss_OID * /* mech_type */, ++ OM_uint32 * /* ctx_flags */, ++ int * /* locally_initiated */, ++ int * /* open_context */); ++ ++OM_uint32 gss_wrap(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ int /* conf_req_flag */, ++ gss_qop_t /* qop_req */, ++ const gss_buffer_t /* input_message_buffer */, ++ int * /* conf_state */, ++ gss_buffer_t /* output_message_buffer */); ++ ++OM_uint32 gss_unwrap(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ const gss_buffer_t /* input_message_buffer */, ++ gss_buffer_t /* output_message_buffer */, ++ int * /* conf_state */, ++ gss_qop_t * /* qop_state */); ++ ++OM_uint32 gss_seal(OM_uint32 * /* minor_status */, ++ gss_ctx_id_t /* context_handle n */, ++ int /* conf_req_flag */, ++ int /* qop_req */, ++ gss_buffer_t /* input_message_buffer */, ++ int * /* conf_state */, ++ gss_buffer_t /* output_message_buffer */); ++ ++OM_uint32 gss_unseal(OM_uint32 * /* minor_status */, ++ gss_ctx_id_t /* context_handle */, ++ gss_buffer_t /* input_message_buffer */, ++ gss_buffer_t /* output_message_buffer */, ++ int * /* conf_state */, ++ int * /* qop_state */); ++ ++OM_uint32 gss_import_name(OM_uint32 * /* minor_status */, ++ const gss_buffer_t /* input_name_buffer */, ++ const gss_OID /* input_name_type */, ++ gss_name_t * /* output_name */); ++ ++OM_uint32 gss_release_name(OM_uint32 * /* minor_status */, ++ gss_name_t * /* input_name */); ++ ++OM_uint32 gss_display_name(OM_uint32 * /* minor_status */, ++ gss_const_name_t /* input_name */, ++ gss_buffer_t /* output_name_buffer */, ++ gss_OID * /* output_name_type */); ++ ++OM_uint32 gss_display_status(OM_uint32 * /* minor_status */, ++ OM_uint32 /* status_value */, ++ int /* status_type */, ++ const gss_OID /* mech_type */, ++ OM_uint32 * /* message_context */, ++ gss_buffer_t /* status_string */); + + #endif /* HEADER_CURL_GSSAPI_STUBS_H */ +diff --git a/tests/server/tftp.h b/tests/server/tftp.h +index d8328dc..1ccd219 100644 +--- a/tests/server/tftp.h ++++ b/tests/server/tftp.h +@@ -34,7 +34,7 @@ + ((__GNUC__ == 2) && defined(__GNUC_MINOR__) && (__GNUC_MINOR__ >= 7))) + # define PACKED_STRUCT __attribute__((__packed__)) + #else +-# define PACKED_STRUCT /*NOTHING*/ ++# define PACKED_STRUCT /* NOTHING */ + #endif + + /* Using a packed struct as binary in a program is begging for problems, but +diff --git a/tests/server/util.c b/tests/server/util.c +index 9af7305..3c25dfe 100644 +--- a/tests/server/util.c ++++ b/tests/server/util.c +@@ -67,7 +67,7 @@ + ((__W32API_MAJOR_VERSION == 3) && (__W32API_MINOR_VERSION < 6)) + const struct in6_addr in6addr_any = {{ IN6ADDR_ANY_INIT }}; + #endif /* w32api < 3.6 */ +-#endif /* ENABLE_IPV6 && __MINGW32__*/ ++#endif /* ENABLE_IPV6 && __MINGW32__ */ + + static struct timeval tvnow(void); + +diff --git a/tests/unit/unit1300.c b/tests/unit/unit1300.c +index 493a2f1..db0d5c5 100644 +--- a/tests/unit/unit1300.c ++++ b/tests/unit/unit1300.c +@@ -93,10 +93,10 @@ UNITTEST_START + + fail_unless(Curl_llist_count(&llist) == 1, + "List size should be 1 after adding a new element"); +- /*test that the list head data holds my unusedData */ ++ /* test that the list head data holds my unusedData */ + fail_unless(llist.head->ptr == &unusedData_case1, + "head ptr should be first entry"); +- /*same goes for the list tail */ ++ /* same goes for the list tail */ + fail_unless(llist.tail == llist.head, + "tail and head should be the same"); + +-- +2.39.2 + + +From 557a037ef9c83ee60d965bac9d185b1d36e867a5 Mon Sep 17 00:00:00 2001 +From: Eric Vigeant +Date: Wed, 2 Nov 2022 11:47:09 -0400 +Subject: [PATCH 3/4] cur_path: do not add '/' if homedir ends with one + +When using SFTP and a path relative to the user home, do not add a +trailing '/' to the user home dir if it already ends with one. + +Closes #9844 + +Upstream-commit: 6c51adeb71da076c5c40a45e339e06bb4394a86b +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 27ff96d..f00e3ee 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -71,10 +71,14 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data, + /* It is referenced to the home directory, so strip the + leading '/' */ + memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; ++ /* Only add a trailing '/' if homedir does not end with one */ ++ if(homelen == 0 || real_path[homelen - 1] != '/') { ++ real_path[homelen] = '/'; ++ homelen++; ++ real_path[homelen] = '\0'; ++ } + if(working_path_len > 3) { +- memcpy(real_path + homelen + 1, working_path + 3, ++ memcpy(real_path + homelen, working_path + 3, + 1 + working_path_len -3); + } + } +-- +2.39.2 + + +From a64c5d4503cdd694e814645a8485af990edf94ca Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 16:22:11 +0100 +Subject: [PATCH 4/4] curl_path: create the new path with dynbuf + +Closes #10729 + +Upstream-commit: 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 75 +++++++++++++++++++++++-------------------------- + 1 file changed, 35 insertions(+), 40 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index f00e3ee..8106042 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -32,70 +32,65 @@ + #include "escape.h" + #include "memdebug.h" + ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */ ++ + /* figure out the path to work with in this particular request */ + CURLcode Curl_getworkingpath(struct Curl_easy *data, + char *homedir, /* when SFTP is used */ + char **path) /* returns the allocated + real path to work with */ + { +- char *real_path = NULL; + char *working_path; + size_t working_path_len; ++ struct dynbuf npath; + CURLcode result = + Curl_urldecode(data->state.up.path, 0, &working_path, + &working_path_len, REJECT_ZERO); + if(result) + return result; + ++ /* new path to switch to in case we need to */ ++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); ++ + /* Check for /~/, indicating relative to the user's home directory */ +- if(data->conn->handler->protocol & CURLPROTO_SCP) { +- real_path = malloc(working_path_len + 1); +- if(!real_path) { ++ if((data->conn->handler->protocol & CURLPROTO_SCP) && ++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { ++ /* It is referenced to the home directory, so strip the leading '/~/' */ ++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { + free(working_path); + return CURLE_OUT_OF_MEMORY; + } +- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) +- /* It is referenced to the home directory, so strip the leading '/~/' */ +- memcpy(real_path, working_path + 3, working_path_len - 2); +- else +- memcpy(real_path, working_path, 1 + working_path_len); + } +- else if(data->conn->handler->protocol & CURLPROTO_SFTP) { +- if((working_path_len > 1) && (working_path[1] == '~')) { +- size_t homelen = strlen(homedir); +- real_path = malloc(homelen + working_path_len + 1); +- if(!real_path) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- /* It is referenced to the home directory, so strip the +- leading '/' */ +- memcpy(real_path, homedir, homelen); +- /* Only add a trailing '/' if homedir does not end with one */ +- if(homelen == 0 || real_path[homelen - 1] != '/') { +- real_path[homelen] = '/'; +- homelen++; +- real_path[homelen] = '\0'; +- } +- if(working_path_len > 3) { +- memcpy(real_path + homelen, working_path + 3, +- 1 + working_path_len -3); +- } ++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && ++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { ++ size_t len; ++ const char *p; ++ int copyfrom = 3; ++ if(Curl_dyn_add(&npath, homedir)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } +- else { +- real_path = malloc(working_path_len + 1); +- if(!real_path) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- memcpy(real_path, working_path, 1 + working_path_len); ++ /* Copy a separating '/' if homedir does not end with one */ ++ len = Curl_dyn_len(&npath); ++ p = Curl_dyn_ptr(&npath); ++ if(len && (p[len-1] != '/')) ++ copyfrom = 2; ++ ++ if(Curl_dyn_addn(&npath, ++ &working_path[copyfrom], working_path_len - copyfrom)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } + } + +- free(working_path); ++ if(Curl_dyn_len(&npath)) { ++ free(working_path); + +- /* store the pointer for the caller to receive */ +- *path = real_path; ++ /* store the pointer for the caller to receive */ ++ *path = Curl_dyn_ptr(&npath); ++ } ++ else ++ *path = working_path; + + return CURLE_OK; + } +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index f674415..6c3a5ba 100644 --- a/curl.spec +++ b/curl.spec @@ -43,6 +43,9 @@ Patch21: 0021-curl-7.85.0-CVE-2022-43552.patch # fix TELNET option IAC injection (CVE-2023-27533) Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch +# fix SFTP path ~ resolving discrepancy (CVE-2023-27534) +Patch24: 0024-curl-7.85.0-CVE-2023-27534.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -238,6 +241,7 @@ be installed. %patch20 -p1 %patch21 -p1 %patch23 -p1 +%patch24 -p1 # Fedora patches %patch101 -p1 @@ -472,6 +476,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.85.0-8 +- fix SFTP path ~ resolving discrepancy (CVE-2023-27534) - fix TELNET option IAC injection (CVE-2023-27533) * Mon Feb 27 2023 Kamil Dudka - 7.85.0-7 From ca55133f27225031b8115b866f1f38e3f8ce3b31 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:24:04 +0100 Subject: [PATCH 16/26] Resolves: CVE-2023-27535 - fix FTP too eager connection reuse --- 0025-curl-7.85.0-CVE-2023-27535.patch | 237 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 242 insertions(+) create mode 100644 0025-curl-7.85.0-CVE-2023-27535.patch diff --git a/0025-curl-7.85.0-CVE-2023-27535.patch b/0025-curl-7.85.0-CVE-2023-27535.patch new file mode 100644 index 0000000..2465b98 --- /dev/null +++ b/0025-curl-7.85.0-CVE-2023-27535.patch @@ -0,0 +1,237 @@ +From e8705acd69383c13191c9dd4867d5118e58c54ba Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 00:49:10 +0200 +Subject: [PATCH 1/2] strcase: add Curl_timestrcmp + +This is a strcmp() alternative function for comparing "secrets", +designed to take the same time no matter the content to not leak +match/non-match info to observers based on how fast it is. + +The time this function takes is only a function of the shortest input +string. + +Reported-by: Trail of Bits + +Closes #9658 + +Upstream-commit: ed5095ed94281989e103c72e032200b83be37878 +Signed-off-by: Kamil Dudka +--- + lib/strcase.c | 22 ++++++++++++++++++++++ + lib/strcase.h | 1 + + 2 files changed, 23 insertions(+) + +diff --git a/lib/strcase.c b/lib/strcase.c +index f932485..c73907d 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -179,6 +179,28 @@ bool Curl_safecmp(char *a, char *b) + return !a && !b; + } + ++/* ++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this ++ * function spends is a function of the shortest string, not of the contents. ++ */ ++int Curl_timestrcmp(const char *a, const char *b) ++{ ++ int match = 0; ++ int i = 0; ++ ++ if(a && b) { ++ while(1) { ++ match |= a[i]^b[i]; ++ if(!a[i] || !b[i]) ++ break; ++ i++; ++ } ++ } ++ else ++ return a || b; ++ return match; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index d245929..11a67a1 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -52,5 +52,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + + bool Curl_safecmp(char *a, char *b); ++int Curl_timestrcmp(const char *first, const char *second); + + #endif /* HEADER_CURL_STRCASE_H */ +-- +2.39.2 + + +From 9cfaea212ff347937a38f6b5d6b885ed8ba1b931 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 17:47:06 +0100 +Subject: [PATCH 2/2] ftp: add more conditions for connection reuse + +Reported-by: Harry Sintonen +Closes #10730 + +Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 28 ++++++++++++++++++++++++++-- + lib/ftp.h | 5 +++++ + lib/setopt.c | 2 +- + lib/url.c | 16 +++++++++++++++- + lib/urldata.h | 4 ++-- + 5 files changed, 49 insertions(+), 6 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 9442832..df15bc0 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -4107,6 +4107,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data, + } + + freedirs(ftpc); ++ Curl_safefree(ftpc->account); ++ Curl_safefree(ftpc->alternative_to_user); + Curl_safefree(ftpc->prevpath); + Curl_safefree(ftpc->server_os); + Curl_pp_disconnect(pp); +@@ -4374,11 +4376,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + { + char *type; + struct FTP *ftp; ++ struct ftp_conn *ftpc = &conn->proto.ftpc; + +- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); ++ ftp = calloc(sizeof(struct FTP), 1); + if(!ftp) + return CURLE_OUT_OF_MEMORY; + ++ /* clone connection related data that is FTP specific */ ++ if(data->set.str[STRING_FTP_ACCOUNT]) { ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); ++ if(!ftpc->account) { ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { ++ ftpc->alternative_to_user = ++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); ++ if(!ftpc->alternative_to_user) { ++ Curl_safefree(ftpc->account); ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ data->req.p.ftp = ftp; ++ + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ + + /* FTP URLs support an extension like ";type=" that +@@ -4413,7 +4435,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + /* get some initial data into the ftp struct */ + ftp->transfer = PPTRANSFER_BODY; + ftp->downloadsize = 0; +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ ++ ftpc->known_filesize = -1; /* unknown size for now */ ++ ftpc->use_ssl = data->set.use_ssl; ++ ftpc->ccc = data->set.ftp_ccc; + + return CURLE_OK; + } +diff --git a/lib/ftp.h b/lib/ftp.h +index 7f6f432..3f33e27 100644 +--- a/lib/ftp.h ++++ b/lib/ftp.h +@@ -119,6 +119,8 @@ struct FTP { + struct */ + struct ftp_conn { + struct pingpong pp; ++ char *account; ++ char *alternative_to_user; + char *entrypath; /* the PWD reply when we logged on */ + char *file; /* url-decoded file name (or path) */ + char **dirs; /* realloc()ed array for path components */ +@@ -148,6 +150,9 @@ struct ftp_conn { + ftpstate state; /* always use ftp.c:state() to change state! */ + ftpstate state_saved; /* transfer type saved to be reloaded after + data connection is established */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ ++ unsigned char ccc; /* ccc level for this connection */ + curl_off_t retr_size_saved; /* Size of retrieved file saved */ + char *server_os; /* The target server operating system. */ + curl_off_t known_filesize; /* file size is different from -1, if wildcard +diff --git a/lib/setopt.c b/lib/setopt.c +index 3339a67..6fc111d 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2374,7 +2374,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + arg = va_arg(param, long); + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) + return CURLE_BAD_FUNCTION_ARGUMENT; +- data->set.use_ssl = (curl_usessl)arg; ++ data->set.use_ssl = (unsigned char)arg; + break; + + case CURLOPT_SSL_OPTIONS: +diff --git a/lib/url.c b/lib/url.c +index 61ba832..4e21838 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1378,10 +1378,24 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; + +- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++#ifdef USE_SSH ++ else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } ++#endif ++#ifndef CURL_DISABLE_FTP ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) { ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ ++ if(Curl_timestrcmp(needle->proto.ftpc.account, ++ check->proto.ftpc.account) || ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, ++ check->proto.ftpc.alternative_to_user) || ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) ++ continue; ++ } ++#endif + + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY +diff --git a/lib/urldata.h b/lib/urldata.h +index 9d9ca92..4e2f5b9 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1760,8 +1760,6 @@ struct UserDefined { + #ifndef CURL_DISABLE_NETRC + unsigned char use_netrc; /* enum CURL_NETRC_OPTION values */ + #endif +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or +- IMAP or POP3 or others! */ + unsigned int new_file_perms; /* when creating remote files */ + unsigned int new_directory_perms; /* when creating remote dirs */ + int ssh_auth_types; /* allowed SSH auth types */ +@@ -1820,6 +1818,8 @@ struct UserDefined { + BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some + recipients */ + #endif ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ + BIT(is_fread_set); /* has read callback been set to non-NULL? */ + #ifndef CURL_DISABLE_TFTP + BIT(tftp_no_options); /* do not send TFTP options requests */ +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 6c3a5ba..25731e1 100644 --- a/curl.spec +++ b/curl.spec @@ -46,6 +46,9 @@ Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch # fix SFTP path ~ resolving discrepancy (CVE-2023-27534) Patch24: 0024-curl-7.85.0-CVE-2023-27534.patch +# fix FTP too eager connection reuse (CVE-2023-27535) +Patch25: 0025-curl-7.85.0-CVE-2023-27535.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -242,6 +245,7 @@ be installed. %patch21 -p1 %patch23 -p1 %patch24 -p1 +%patch25 -p1 # Fedora patches %patch101 -p1 @@ -476,6 +480,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.85.0-8 +- fix FTP too eager connection reuse (CVE-2023-27535) - fix SFTP path ~ resolving discrepancy (CVE-2023-27534) - fix TELNET option IAC injection (CVE-2023-27533) From 08ada4d6f553a60e6f4694db1378105e446e00da Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:25:23 +0100 Subject: [PATCH 17/26] Resolves: CVE-2023-27536 - fix GSS delegation too eager connection re-use --- 0026-curl-7.85.0-CVE-2023-27536.patch | 54 +++++++++++++++++++++++++++ curl.spec | 5 +++ 2 files changed, 59 insertions(+) create mode 100644 0026-curl-7.85.0-CVE-2023-27536.patch diff --git a/0026-curl-7.85.0-CVE-2023-27536.patch b/0026-curl-7.85.0-CVE-2023-27536.patch new file mode 100644 index 0000000..27fefb5 --- /dev/null +++ b/0026-curl-7.85.0-CVE-2023-27536.patch @@ -0,0 +1,54 @@ +From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Reported-by: Harry Sintonen +Closes #10731 + +Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index 3b11b7e..cbbc7f3 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1371,6 +1371,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + /* If multiplexing isn't enabled on the h2 connection and h1 is + explicitly requested, handle it: */ + if((needle->handler->protocol & PROTO_FAMILY_HTTP) && +@@ -1838,6 +1843,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +diff --git a/lib/urldata.h b/lib/urldata.h +index ce90304..9e16f26 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1124,6 +1124,7 @@ struct connectdata { + unsigned char transport; /* one of the TRNSPRT_* defines */ + unsigned char ip_version; /* copied from the Curl_easy at creation time */ + unsigned char httpversion; /* the HTTP version*10 reported by the server */ ++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */ + }; + + /* The end of connectdata. */ +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 25731e1..4d60826 100644 --- a/curl.spec +++ b/curl.spec @@ -49,6 +49,9 @@ Patch24: 0024-curl-7.85.0-CVE-2023-27534.patch # fix FTP too eager connection reuse (CVE-2023-27535) Patch25: 0025-curl-7.85.0-CVE-2023-27535.patch +# fix GSS delegation too eager connection re-use (CVE-2023-27536) +Patch26: 0026-curl-7.85.0-CVE-2023-27536.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -246,6 +249,7 @@ be installed. %patch23 -p1 %patch24 -p1 %patch25 -p1 +%patch26 -p1 # Fedora patches %patch101 -p1 @@ -480,6 +484,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.85.0-8 +- fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) - fix SFTP path ~ resolving discrepancy (CVE-2023-27534) - fix TELNET option IAC injection (CVE-2023-27533) From 6c740d77c5d4ad9449dfd56a2d69603ac015846e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:26:50 +0100 Subject: [PATCH 18/26] Resolves: CVE-2023-27537 - fix HSTS double-free --- 0027-curl-7.87.0-CVE-2023-27537.patch | 40 +++++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 45 insertions(+) create mode 100644 0027-curl-7.87.0-CVE-2023-27537.patch diff --git a/0027-curl-7.87.0-CVE-2023-27537.patch b/0027-curl-7.87.0-CVE-2023-27537.patch new file mode 100644 index 0000000..df90d49 --- /dev/null +++ b/0027-curl-7.87.0-CVE-2023-27537.patch @@ -0,0 +1,40 @@ +From ed7451520fd1b5da62a5371c07db69bed36a5486 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 18:01:34 +0100 +Subject: [PATCH] CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe + +Reported-by: Hiroki Kurosawa +Closes #10732 + +Upstream-commit: dca4cdf071be095bcdc7126eaa77a8946ea4790b +Signed-off-by: Kamil Dudka +--- + docs/libcurl/opts/CURLSHOPT_SHARE.3 | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/docs/libcurl/opts/CURLSHOPT_SHARE.3 b/docs/libcurl/opts/CURLSHOPT_SHARE.3 +index b15af82..4544160 100644 +--- a/docs/libcurl/opts/CURLSHOPT_SHARE.3 ++++ b/docs/libcurl/opts/CURLSHOPT_SHARE.3 +@@ -57,8 +57,7 @@ implemented until 7.23.0. + Put the connection cache in the share object and make all easy handles using + this share object share the connection cache. + +-Note that due to a known bug, it is not safe to share connections this way +-between multiple concurrent threads. ++It is not supported to share connections between multiple concurrent threads. + + Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing only + get additional transfers added to them if the existing connection is held by +@@ -82,6 +81,8 @@ multi handle will share PSL cache by default without using this option. + .IP CURL_LOCK_DATA_HSTS + The in-memory HSTS cache. + ++It is not supported to share the HSTS between multiple concurrent threads. ++ + Added in 7.88.0 + .SH PROTOCOLS + All +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 4d60826..1ed5416 100644 --- a/curl.spec +++ b/curl.spec @@ -52,6 +52,9 @@ Patch25: 0025-curl-7.85.0-CVE-2023-27535.patch # fix GSS delegation too eager connection re-use (CVE-2023-27536) Patch26: 0026-curl-7.85.0-CVE-2023-27536.patch +# fix HSTS double-free (CVE-2023-27537) +Patch27: 0027-curl-7.87.0-CVE-2023-27537.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -250,6 +253,7 @@ be installed. %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 # Fedora patches %patch101 -p1 @@ -484,6 +488,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.85.0-8 +- fix HSTS double-free (CVE-2023-27537) - fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) - fix SFTP path ~ resolving discrepancy (CVE-2023-27534) From 1e24d5616d3be939b9069fd93b964e42f5a56583 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:28:18 +0100 Subject: [PATCH 19/26] Resolves: CVE-2023-27538 - fix SSH connection too eager reuse still --- 0028-curl-7.87.0-CVE-2023-27538.patch | 30 +++++++++++++++++++++++++++ curl.spec | 5 +++++ 2 files changed, 35 insertions(+) create mode 100644 0028-curl-7.87.0-CVE-2023-27538.patch diff --git a/0028-curl-7.87.0-CVE-2023-27538.patch b/0028-curl-7.87.0-CVE-2023-27538.patch new file mode 100644 index 0000000..11c2033 --- /dev/null +++ b/0028-curl-7.87.0-CVE-2023-27538.patch @@ -0,0 +1,30 @@ +From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 08:22:51 +0100 +Subject: [PATCH] url: fix the SSH connection reuse check + +Reported-by: Harry Sintonen +Closes #10735 + +Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb +Signed-off-by: Kamil Dudka +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index 0c31486..3b11b7e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1384,7 +1384,7 @@ ConnectionExists(struct Curl_easy *data, + continue; + + #ifdef USE_SSH +- else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 1ed5416..4676b8a 100644 --- a/curl.spec +++ b/curl.spec @@ -55,6 +55,9 @@ Patch26: 0026-curl-7.85.0-CVE-2023-27536.patch # fix HSTS double-free (CVE-2023-27537) Patch27: 0027-curl-7.87.0-CVE-2023-27537.patch +# fix SSH connection too eager reuse still (CVE-2023-27538) +Patch28: 0028-curl-7.87.0-CVE-2023-27538.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -254,6 +257,7 @@ be installed. %patch25 -p1 %patch26 -p1 %patch27 -p1 +%patch28 -p1 # Fedora patches %patch101 -p1 @@ -488,6 +492,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.85.0-8 +- fix SSH connection too eager reuse still (CVE-2023-27538) - fix HSTS double-free (CVE-2023-27537) - fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) From f105422999a35b99e057576a15631a98355088b9 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 5 Jun 2023 09:33:54 +0200 Subject: [PATCH 20/26] Resolves: CVE-2023-28322 - fix more POST-after-PUT confusion --- 0029-curl-7.87.0-CVE-2023-28322.patch | 428 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 436 insertions(+), 1 deletion(-) create mode 100644 0029-curl-7.87.0-CVE-2023-28322.patch diff --git a/0029-curl-7.87.0-CVE-2023-28322.patch b/0029-curl-7.87.0-CVE-2023-28322.patch new file mode 100644 index 0000000..75e1407 --- /dev/null +++ b/0029-curl-7.87.0-CVE-2023-28322.patch @@ -0,0 +1,428 @@ +From 0df9793819c58172595c85c913029e6ae434f6a2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 25 Apr 2023 08:28:01 +0200 +Subject: [PATCH 1/2] lib: unify the upload/method handling + +By making sure we set state.upload based on the set.method value and not +independently as set.upload, we reduce confusion and mixup risks, both +internally and externally. + +Closes #11017 + +(cherry picked from commit 7815647d6582c0a4900be2e1de6c5e61272c496b) +Signed-off-by: Jan Macku +--- + lib/curl_rtmp.c | 4 ++-- + lib/file.c | 4 ++-- + lib/ftp.c | 8 ++++---- + lib/http.c | 4 ++-- + lib/imap.c | 6 +++--- + lib/rtsp.c | 4 ++-- + lib/setopt.c | 6 ++---- + lib/smb.c | 4 ++-- + lib/smtp.c | 4 ++-- + lib/tftp.c | 8 ++++---- + lib/transfer.c | 4 ++-- + lib/urldata.h | 2 +- + lib/vssh/libssh.c | 6 +++--- + lib/vssh/libssh2.c | 6 +++--- + lib/vssh/wolfssh.c | 2 +- + 15 files changed, 35 insertions(+), 37 deletions(-) + +diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c +index 1932cb4ec..aeb6ed273 100644 +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -231,7 +231,7 @@ static CURLcode rtmp_connect(struct Curl_easy *data, bool *done) + /* We have to know if it's a write before we send the + * connect request packet + */ +- if(data->set.upload) ++ if(data->state.upload) + r->Link.protocol |= RTMP_FEATURE_WRITE; + + /* For plain streams, use the buffer toggle trick to keep data flowing */ +@@ -263,7 +263,7 @@ static CURLcode rtmp_do(struct Curl_easy *data, bool *done) + if(!RTMP_ConnectStream(r, 0)) + return CURLE_FAILED_INIT; + +- if(data->set.upload) { ++ if(data->state.upload) { + Curl_pgrsSetUploadSize(data, data->state.infilesize); + Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET); + } +diff --git a/lib/file.c b/lib/file.c +index 4ed707883..efb32a5e5 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -229,7 +229,7 @@ static CURLcode file_connect(struct Curl_easy *data, bool *done) + file->freepath = real_path; /* free this when done */ + + file->fd = fd; +- if(!data->set.upload && (fd == -1)) { ++ if(!data->state.upload && (fd == -1)) { + failf(data, "Couldn't open file %s", data->state.up.path); + file_done(data, CURLE_FILE_COULDNT_READ_FILE, FALSE); + return CURLE_FILE_COULDNT_READ_FILE; +@@ -411,7 +411,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done) + + Curl_pgrsStartNow(data); + +- if(data->set.upload) ++ if(data->state.upload) + return file_upload(data); + + file = data->req.p.file; +diff --git a/lib/ftp.c b/lib/ftp.c +index ad85f74f1..9bb465f39 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1382,7 +1382,7 @@ static CURLcode ftp_state_prepare_transfer(struct Curl_easy *data) + data->set.str[STRING_CUSTOMREQUEST]? + data->set.str[STRING_CUSTOMREQUEST]: + (data->state.list_only?"NLST":"LIST")); +- else if(data->set.upload) ++ else if(data->state.upload) + result = Curl_pp_sendf(data, &ftpc->pp, "PRET STOR %s", + conn->proto.ftpc.file); + else +@@ -3379,7 +3379,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status, + /* the response code from the transfer showed an error already so no + use checking further */ + ; +- else if(data->set.upload) { ++ else if(data->state.upload) { + if((-1 != data->state.infilesize) && + (data->state.infilesize != data->req.writebytecount) && + !data->set.crlf && +@@ -3656,7 +3656,7 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep) + connected back to us */ + } + } +- else if(data->set.upload) { ++ else if(data->state.upload) { + result = ftp_nb_type(data, conn, data->state.prefer_ascii, + FTP_STOR_TYPE); + if(result) +@@ -4245,7 +4245,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) + ftpc->file = NULL; /* instead of point to a zero byte, + we make it a NULL pointer */ + +- if(data->set.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { ++ if(data->state.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { + /* We need a file name when uploading. Return error! */ + failf(data, "Uploading to a URL without a file name"); + free(rawPath); +diff --git a/lib/http.c b/lib/http.c +index aab1a8726..f177c0ef5 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2035,7 +2035,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn, + Curl_HttpReq httpreq = (Curl_HttpReq)data->state.httpreq; + const char *request; + if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && +- data->set.upload) ++ data->state.upload) + httpreq = HTTPREQ_PUT; + + /* Now set the 'request' pointer to the proper request string */ +@@ -2352,7 +2352,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn, + if((conn->handler->protocol & PROTO_FAMILY_HTTP) && + (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) && + http->postsize < 0) || +- ((data->set.upload || httpreq == HTTPREQ_POST) && ++ ((data->state.upload || httpreq == HTTPREQ_POST) && + data->state.infilesize == -1))) { + if(conn->bits.authneg) + /* don't enable chunked during auth neg */ +diff --git a/lib/imap.c b/lib/imap.c +index 12ee2a47e..8e9e93181 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1507,11 +1507,11 @@ static CURLcode imap_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && !imap->custom && +- (imap->uid || imap->mindex || data->set.upload || ++ (imap->uid || imap->mindex || data->state.upload || + data->set.mimepost.kind != MIMEKIND_NONE)) { + /* Handle responses after FETCH or APPEND transfer has finished */ + +- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE) ++ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE) + state(data, IMAP_FETCH_FINAL); + else { + /* End the APPEND command first by sending an empty line */ +@@ -1577,7 +1577,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected, + selected = TRUE; + + /* Start the first command in the DO phase */ +- if(data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE) ++ if(data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE) + /* APPEND can be executed directly */ + result = imap_perform_append(data); + else if(imap->custom && (selected || !imap->mailbox)) +diff --git a/lib/rtsp.c b/lib/rtsp.c +index b4edac790..3d73721c7 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -511,7 +511,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + rtspreq == RTSPREQ_SET_PARAMETER || + rtspreq == RTSPREQ_GET_PARAMETER) { + +- if(data->set.upload) { ++ if(data->state.upload) { + putsize = data->state.infilesize; + data->state.httpreq = HTTPREQ_PUT; + +@@ -530,7 +530,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + result = + Curl_dyn_addf(&req_buffer, + "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n", +- (data->set.upload ? putsize : postsize)); ++ (data->state.upload ? putsize : postsize)); + if(result) + return result; + } +diff --git a/lib/setopt.c b/lib/setopt.c +index 6fc111dc7..d3d96eb43 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -365,8 +365,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + * We want to sent data to the remote host. If this is HTTP, that equals + * using the PUT request. + */ +- data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE; +- if(data->set.upload) { ++ arg = va_arg(param, long); ++ if(arg) { + /* If this is HTTP, PUT is what's needed to "upload" */ + data->set.method = HTTPREQ_PUT; + data->set.opt_no_body = FALSE; /* this is implied */ +@@ -696,7 +696,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: +@@ -944,7 +943,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + */ + if(va_arg(param, long)) { + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; /* switch off upload */ + data->set.opt_no_body = FALSE; /* this is implied */ + } + break; +diff --git a/lib/smb.c b/lib/smb.c +index f682c1fbc..28790826f 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -535,7 +535,7 @@ static CURLcode smb_send_open(struct Curl_easy *data) + byte_count = strlen(req->path); + msg.name_length = smb_swap16((unsigned short)byte_count); + msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL); +- if(data->set.upload) { ++ if(data->state.upload) { + msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE); + msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF); + } +@@ -814,7 +814,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + smb_m = (const struct smb_nt_create_response*) msg; + req->fid = smb_swap16(smb_m->fid); + data->req.offset = 0; +- if(data->set.upload) { ++ if(data->state.upload) { + data->req.size = data->state.infilesize; + Curl_pgrsSetUploadSize(data, data->req.size); + next_state = SMB_UPLOAD; +diff --git a/lib/smtp.c b/lib/smtp.c +index 6ebb41af6..fa70cefff 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1413,7 +1413,7 @@ static CURLcode smtp_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && data->set.mail_rcpt && +- (data->set.upload || data->set.mimepost.kind)) { ++ (data->state.upload || data->set.mimepost.kind)) { + /* Calculate the EOB taking into account any terminating CRLF from the + previous line of the email or the CRLF of the DATA command when there + is "no mail data". RFC-5321, sect. 4.1.1.4. +@@ -1506,7 +1506,7 @@ static CURLcode smtp_perform(struct Curl_easy *data, bool *connected, + smtp->eob = 2; + + /* Start the first command in the DO phase */ +- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt) ++ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt) + /* MAIL transfer */ + result = smtp_perform_mail(data); + else +diff --git a/lib/tftp.c b/lib/tftp.c +index 9e6d9490e..8faec9fe6 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -369,7 +369,7 @@ static CURLcode tftp_parse_option_ack(struct tftp_state_data *state, + + /* tsize should be ignored on upload: Who cares about the size of the + remote file? */ +- if(!data->set.upload) { ++ if(!data->state.upload) { + if(!tsize) { + failf(data, "invalid tsize -:%s:- value in OACK packet", value); + return CURLE_TFTP_ILLEGAL; +@@ -450,7 +450,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + return result; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + /* If we are uploading, send an WRQ */ + setpacketevent(&state->spacket, TFTP_EVENT_WRQ); + state->data->req.upload_fromhere = +@@ -485,7 +485,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + if(!data->set.tftp_no_options) { + char buf[64]; + /* add tsize option */ +- if(data->set.upload && (data->state.infilesize != -1)) ++ if(data->state.upload && (data->state.infilesize != -1)) + msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T, + data->state.infilesize); + else +@@ -539,7 +539,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + break; + + case TFTP_EVENT_OACK: +- if(data->set.upload) { ++ if(data->state.upload) { + result = tftp_connect_for_tx(state, event); + } + else { +diff --git a/lib/transfer.c b/lib/transfer.c +index 620a4ef8f..9f19af7eb 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1392,6 +1392,7 @@ void Curl_init_CONNECT(struct Curl_easy *data) + { + data->state.fread_func = data->set.fread_func_set; + data->state.in = data->set.in_set; ++ data->state.upload = (data->state.httpreq == HTTPREQ_PUT); + } + + /* +@@ -1820,7 +1821,6 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->state.httpreq != HTTPREQ_POST_MIME) || + !(data->set.keep_post & CURL_REDIR_POST_303))) { + data->state.httpreq = HTTPREQ_GET; +- data->set.upload = false; + infof(data, "Switch to %s", + data->set.opt_no_body?"HEAD":"GET"); + } +@@ -1858,7 +1858,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url) + + /* if we're talking upload, we can't do the checks below, unless the protocol + is HTTP as when uploading over HTTP we will still get a response */ +- if(data->set.upload && ++ if(data->state.upload && + !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP))) + return CURLE_OK; + +diff --git a/lib/urldata.h b/lib/urldata.h +index 547e69cc4..69c14eb54 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1494,6 +1494,7 @@ struct UrlState { + BIT(url_alloc); /* URL string is malloc()'ed */ + BIT(referer_alloc); /* referer string is malloc()ed */ + BIT(wildcard_resolve); /* Set to true if any resolve change is a wildcard */ ++ BIT(upload); /* upload request */ + }; + + /* +@@ -1858,7 +1859,6 @@ struct UserDefined { + BIT(http_auto_referer); /* set "correct" referer when following + location: */ + BIT(opt_no_body); /* as set with CURLOPT_NOBODY */ +- BIT(upload); /* upload request */ + BIT(verbose); /* output verbosity */ + BIT(krb); /* Kerberos connection requested */ + BIT(reuse_forbid); /* forbidden to be reused, close after use */ +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index a078c464d..33581367b 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -1215,7 +1215,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(protop->path[strlen(protop->path)-1] == '/') +@@ -1828,7 +1828,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */ + ssh_set_blocking(sshc->ssh_session, 1); + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -1933,7 +1933,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index 74b5d1093..2e08b0717 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -2004,7 +2004,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sshp->path[strlen(sshp->path)-1] == '/') +@@ -2677,7 +2677,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -2817,7 +2817,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c +index c2f85f3fe..36ccb1bf9 100644 +--- a/lib/vssh/wolfssh.c ++++ b/lib/vssh/wolfssh.c +@@ -556,7 +556,7 @@ static CURLcode wssh_statemach_act(struct Curl_easy *data, bool *block) + } + break; + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/') +-- +2.40.1 + diff --git a/curl.spec b/curl.spec index 4676b8a..0ac2f78 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.85.0 -Release: 8%{?dist} +Release: 9%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -58,6 +58,9 @@ Patch27: 0027-curl-7.87.0-CVE-2023-27537.patch # fix SSH connection too eager reuse still (CVE-2023-27538) Patch28: 0028-curl-7.87.0-CVE-2023-27538.patch +# fix more POST-after-PUT confusion (CVE-2023-28322) +Patch29: 0029-curl-7.87.0-CVE-2023-28322.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -258,6 +261,7 @@ be installed. %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 # Fedora patches %patch101 -p1 @@ -491,6 +495,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 05 2023 Jan Macku - 7.85.0-9 +- fix more POST-after-PUT confusion (CVE-2023-28322) + * Fri Mar 24 2023 Kamil Dudka - 7.85.0-8 - fix SSH connection too eager reuse still (CVE-2023-27538) - fix HSTS double-free (CVE-2023-27537) From cee9fc3463235dfa7a75924018b0baf918ae54f0 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 5 Jun 2023 09:37:11 +0200 Subject: [PATCH 21/26] Resolves: CVE-2023-28321 - fix IDN wildcard match --- 0030-curl-7.87.0-CVE-2023-28321.patch | 333 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 338 insertions(+) create mode 100644 0030-curl-7.87.0-CVE-2023-28321.patch diff --git a/0030-curl-7.87.0-CVE-2023-28321.patch b/0030-curl-7.87.0-CVE-2023-28321.patch new file mode 100644 index 0000000..52c5197 --- /dev/null +++ b/0030-curl-7.87.0-CVE-2023-28321.patch @@ -0,0 +1,333 @@ +From 2ab6fd56c7e9f71a6771cc815ba1a960c9e3acd9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 24 Apr 2023 21:07:02 +0200 +Subject: [PATCH 2/2] hostcheck: fix host name wildcard checking + +The leftmost "label" of the host name can now only match against single +'*'. Like the browsers have worked for a long time. + +- extended unit test 1397 for this +- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc + +Reported-by: Hiroki Kurosawa +Closes #11018 + +(cherry picked from commit 199f2d440d8659b42670c1b796220792b01a97bf) +Signed-off-by: Jan Macku +--- + lib/vtls/hostcheck.c | 50 +++++++-------- + tests/data/test1397 | 10 ++- + tests/unit/Makefile.inc | 19 +++++- + tests/unit/unit1397.c | 134 ++++++++++++++++++++++++---------------- + 4 files changed, 126 insertions(+), 87 deletions(-) + +diff --git a/lib/vtls/hostcheck.c b/lib/vtls/hostcheck.c +index 2a648f20a..fa66e272e 100644 +--- a/lib/vtls/hostcheck.c ++++ b/lib/vtls/hostcheck.c +@@ -71,7 +71,12 @@ static bool pmatch(const char *hostname, size_t hostlen, + * apparent distinction between a name and an IP. We need to detect the use of + * an IP address and not wildcard match on such names. + * ++ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor ++ * "*b". ++ * + * Return TRUE on a match. FALSE if not. ++ * ++ * @unittest: 1397 + */ + + static bool hostmatch(const char *hostname, +@@ -79,53 +84,42 @@ static bool hostmatch(const char *hostname, + const char *pattern, + size_t patternlen) + { +- const char *pattern_label_end, *wildcard, *hostname_label_end; +- size_t prefixlen, suffixlen; ++ const char *pattern_label_end; + +- /* normalize pattern and hostname by stripping off trailing dots */ ++ DEBUGASSERT(pattern); + DEBUGASSERT(patternlen); ++ DEBUGASSERT(hostname); ++ DEBUGASSERT(hostlen); ++ ++ /* normalize pattern and hostname by stripping off trailing dots */ + if(hostname[hostlen-1]=='.') + hostlen--; + if(pattern[patternlen-1]=='.') + patternlen--; + +- wildcard = memchr(pattern, '*', patternlen); +- if(!wildcard) ++ if(strncmp(pattern, "*.", 2)) + return pmatch(hostname, hostlen, pattern, patternlen); + + /* detect IP address as hostname and fail the match if so */ +- if(Curl_host_is_ipnum(hostname)) ++ else if(Curl_host_is_ipnum(hostname)) + return FALSE; + + /* We require at least 2 dots in the pattern to avoid too wide wildcard + match. */ + pattern_label_end = memchr(pattern, '.', patternlen); + if(!pattern_label_end || +- (memrchr(pattern, '.', patternlen) == pattern_label_end) || +- strncasecompare(pattern, "xn--", 4)) ++ (memrchr(pattern, '.', patternlen) == pattern_label_end)) + return pmatch(hostname, hostlen, pattern, patternlen); +- +- hostname_label_end = memchr(hostname, '.', hostlen); +- if(!hostname_label_end) +- return FALSE; + else { +- size_t skiphost = hostname_label_end - hostname; +- size_t skiplen = pattern_label_end - pattern; +- if(!pmatch(hostname_label_end, hostlen - skiphost, +- pattern_label_end, patternlen - skiplen)) +- return FALSE; ++ const char *hostname_label_end = memchr(hostname, '.', hostlen); ++ if(hostname_label_end) { ++ size_t skiphost = hostname_label_end - hostname; ++ size_t skiplen = pattern_label_end - pattern; ++ return pmatch(hostname_label_end, hostlen - skiphost, ++ pattern_label_end, patternlen - skiplen); ++ } + } +- /* The wildcard must match at least one character, so the left-most +- label of the hostname is at least as large as the left-most label +- of the pattern. */ +- if(hostname_label_end - hostname < pattern_label_end - pattern) +- return FALSE; +- +- prefixlen = wildcard - pattern; +- suffixlen = pattern_label_end - (wildcard + 1); +- return strncasecompare(pattern, hostname, prefixlen) && +- strncasecompare(wildcard + 1, hostname_label_end - suffixlen, +- suffixlen) ? TRUE : FALSE; ++ return FALSE; + } + + /* +diff --git a/tests/data/test1397 b/tests/data/test1397 +index 84f962abe..f31b2c2a3 100644 +--- a/tests/data/test1397 ++++ b/tests/data/test1397 +@@ -2,8 +2,7 @@ + + + unittest +-ssl +-wildcard ++Curl_cert_hostcheck + + + +@@ -16,9 +15,8 @@ none + + unittest + +- +-Check wildcard certificate matching function Curl_cert_hostcheck +- ++ ++Curl_cert_hostcheck unit tests ++ + +- + +diff --git a/tests/unit/Makefile.inc b/tests/unit/Makefile.inc +index f86cb7c39..1a67c4eca 100644 +--- a/tests/unit/Makefile.inc ++++ b/tests/unit/Makefile.inc +@@ -37,7 +37,9 @@ UNITPROGS = unit1300 unit1301 unit1302 unit1303 unit1304 unit1305 unit1307 \ + unit1608 unit1609 unit1610 unit1611 unit1612 \ + unit1620 unit1621 \ + unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 \ +- unit1660 unit1661 ++ unit1660 unit1661 \ ++ unit2600 unit2601 unit2602 unit2603 \ ++ unit3200 + + unit1300_SOURCES = unit1300.c $(UNITFILES) + unit1300_CPPFLAGS = $(AM_CPPFLAGS) +@@ -162,3 +164,18 @@ unit1660_CPPFLAGS = $(AM_CPPFLAGS) + + unit1661_SOURCES = unit1661.c $(UNITFILES) + unit1661_CPPFLAGS = $(AM_CPPFLAGS) ++ ++unit2600_SOURCES = unit2600.c $(UNITFILES) ++unit2600_CPPFLAGS = $(AM_CPPFLAGS) ++ ++unit2601_SOURCES = unit2601.c $(UNITFILES) ++unit2601_CPPFLAGS = $(AM_CPPFLAGS) ++ ++unit2602_SOURCES = unit2602.c $(UNITFILES) ++unit2602_CPPFLAGS = $(AM_CPPFLAGS) ++ ++unit2603_SOURCES = unit2603.c $(UNITFILES) ++unit2603_CPPFLAGS = $(AM_CPPFLAGS) ++ ++unit3200_SOURCES = unit3200.c $(UNITFILES) ++unit3200_CPPFLAGS = $(AM_CPPFLAGS) +diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c +index 90ec31c68..0f27fa3d3 100644 +--- a/tests/unit/unit1397.c ++++ b/tests/unit/unit1397.c +@@ -23,7 +23,6 @@ + ***************************************************************************/ + #include "curlcheck.h" + +-#include "vtls/hostcheck.h" /* from the lib dir */ + + static CURLcode unit_setup(void) + { +@@ -32,63 +31,94 @@ static CURLcode unit_setup(void) + + static void unit_stop(void) + { +- /* done before shutting down and exiting */ + } + +-UNITTEST_START +- + /* only these backends define the tested functions */ +-#if defined(USE_OPENSSL) || defined(USE_GSKIT) +- +- /* here you start doing things and checking that the results are good */ ++#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL) ++#include "vtls/hostcheck.h" ++struct testcase { ++ const char *host; ++ const char *pattern; ++ bool match; ++}; + +-fail_unless(Curl_cert_hostcheck(STRCONST("www.example.com"), +- STRCONST("www.example.com")), "good 1"); +-fail_unless(Curl_cert_hostcheck(STRCONST("*.example.com"), +- STRCONST("www.example.com")), +- "good 2"); +-fail_unless(Curl_cert_hostcheck(STRCONST("xxx*.example.com"), +- STRCONST("xxxwww.example.com")), "good 3"); +-fail_unless(Curl_cert_hostcheck(STRCONST("f*.example.com"), +- STRCONST("foo.example.com")), "good 4"); +-fail_unless(Curl_cert_hostcheck(STRCONST("192.168.0.0"), +- STRCONST("192.168.0.0")), "good 5"); ++static struct testcase tests[] = { ++ {"", "", FALSE}, ++ {"a", "", FALSE}, ++ {"", "b", FALSE}, ++ {"a", "b", FALSE}, ++ {"aa", "bb", FALSE}, ++ {"\xff", "\xff", TRUE}, ++ {"aa.aa.aa", "aa.aa.bb", FALSE}, ++ {"aa.aa.aa", "aa.aa.aa", TRUE}, ++ {"aa.aa.aa", "*.aa.bb", FALSE}, ++ {"aa.aa.aa", "*.aa.aa", TRUE}, ++ {"192.168.0.1", "192.168.0.1", TRUE}, ++ {"192.168.0.1", "*.168.0.1", FALSE}, ++ {"192.168.0.1", "*.0.1", FALSE}, ++ {"h.ello", "*.ello", FALSE}, ++ {"h.ello.", "*.ello", FALSE}, ++ {"h.ello", "*.ello.", FALSE}, ++ {"h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo", " *.e.llo", FALSE}, ++ {" h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo", TRUE}, ++ {"*.e.llo.", "*.e.llo", TRUE}, ++ {"************.e.llo.", "*.e.llo", TRUE}, ++ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ++ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" ++ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" ++ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" ++ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" ++ ".e.llo.", "*.e.llo", TRUE}, ++ {"\xfe\xfe.e.llo.", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo.", TRUE}, ++ {"h.e.llo", "*.e.llo.", TRUE}, ++ {".h.e.llo", "*.e.llo.", FALSE}, ++ {"h.e.llo", "*.*.llo.", FALSE}, ++ {"h.e.llo", "h.*.llo", FALSE}, ++ {"h.e.llo", "h.e.*", FALSE}, ++ {"hello", "*.ello", FALSE}, ++ {"hello", "**llo", FALSE}, ++ {"bar.foo.example.com", "*.example.com", FALSE}, ++ {"foo.example.com", "*.example.com", TRUE}, ++ {"baz.example.net", "b*z.example.net", FALSE}, ++ {"foobaz.example.net", "*baz.example.net", FALSE}, ++ {"xn--l8j.example.local", "x*.example.local", FALSE}, ++ {"xn--l8j.example.net", "*.example.net", TRUE}, ++ {"xn--l8j.example.net", "*j.example.net", FALSE}, ++ {"xn--l8j.example.net", "xn--l8j.example.net", TRUE}, ++ {"xn--l8j.example.net", "xn--l8j.*.net", FALSE}, ++ {"xl8j.example.net", "*.example.net", TRUE}, ++ {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE}, ++ {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE}, ++ {NULL, NULL, FALSE} ++}; + +-fail_if(Curl_cert_hostcheck(STRCONST("xxx.example.com"), +- STRCONST("www.example.com")), "bad 1"); +-fail_if(Curl_cert_hostcheck(STRCONST("*"), +- STRCONST("www.example.com")),"bad 2"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.*.com"), +- STRCONST("www.example.com")), "bad 3"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.example.com"), +- STRCONST("baa.foo.example.com")), "bad 4"); +-fail_if(Curl_cert_hostcheck(STRCONST("f*.example.com"), +- STRCONST("baa.example.com")), "bad 5"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.com"), +- STRCONST("example.com")), "bad 6"); +-fail_if(Curl_cert_hostcheck(STRCONST("*fail.com"), +- STRCONST("example.com")), "bad 7"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.example."), +- STRCONST("www.example.")), "bad 8"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.example."), +- STRCONST("www.example")), "bad 9"); +-fail_if(Curl_cert_hostcheck(STRCONST(""), STRCONST("www")), "bad 10"); +-fail_if(Curl_cert_hostcheck(STRCONST("*"), STRCONST("www")), "bad 11"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.168.0.0"), +- STRCONST("192.168.0.0")), "bad 12"); +-fail_if(Curl_cert_hostcheck(STRCONST("www.example.com"), +- STRCONST("192.168.0.0")), "bad 13"); +- +-#ifdef ENABLE_IPV6 +-fail_if(Curl_cert_hostcheck(STRCONST("*::3285:a9ff:fe46:b619"), +- STRCONST("fe80::3285:a9ff:fe46:b619")), "bad 14"); +-fail_unless(Curl_cert_hostcheck(STRCONST("fe80::3285:a9ff:fe46:b619"), +- STRCONST("fe80::3285:a9ff:fe46:b619")), +- "good 6"); +-#endif ++UNITTEST_START ++{ ++ int i; ++ for(i = 0; tests[i].host; i++) { ++ if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern, ++ strlen(tests[i].pattern), ++ tests[i].host, ++ strlen(tests[i].host))) { ++ fprintf(stderr, ++ "HOST: %s\n" ++ "PTRN: %s\n" ++ "did %sMATCH\n", ++ tests[i].host, ++ tests[i].pattern, ++ tests[i].match ? "NOT ": ""); ++ unitfail++; ++ } ++ } ++} + +-#endif ++UNITTEST_STOP ++#else + +- /* you end the test code like this: */ ++UNITTEST_START + + UNITTEST_STOP ++#endif +-- +2.40.1 + diff --git a/curl.spec b/curl.spec index 0ac2f78..f26d175 100644 --- a/curl.spec +++ b/curl.spec @@ -61,6 +61,9 @@ Patch28: 0028-curl-7.87.0-CVE-2023-27538.patch # fix more POST-after-PUT confusion (CVE-2023-28322) Patch29: 0029-curl-7.87.0-CVE-2023-28322.patch +# fix IDN wildcard match (CVE-2023-28321) +Patch30: 0030-curl-7.87.0-CVE-2023-28321.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -262,6 +265,7 @@ be installed. %patch27 -p1 %patch28 -p1 %patch29 -p1 +%patch30 -p1 # Fedora patches %patch101 -p1 @@ -497,6 +501,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Mon Jun 05 2023 Jan Macku - 7.85.0-9 - fix more POST-after-PUT confusion (CVE-2023-28322) +- fix IDN wildcard match (CVE-2023-28321) * Fri Mar 24 2023 Kamil Dudka - 7.85.0-8 - fix SSH connection too eager reuse still (CVE-2023-27538) From 9e4fbeded143c8c469fb9b135fd9b1850f0b8c06 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 20 Jul 2023 09:53:40 +0200 Subject: [PATCH 22/26] Resolves: CVE-2023-32001 - fix fopen race condition --- 0031-curl-7.87.0-CVE-2023-32001.patch | 40 +++++++++++++++++++++++++++ curl.spec | 9 +++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 0031-curl-7.87.0-CVE-2023-32001.patch diff --git a/0031-curl-7.87.0-CVE-2023-32001.patch b/0031-curl-7.87.0-CVE-2023-32001.patch new file mode 100644 index 0000000..f2ade5b --- /dev/null +++ b/0031-curl-7.87.0-CVE-2023-32001.patch @@ -0,0 +1,40 @@ +From c521ed354ea94b0658a030839df41675fd4913b0 Mon Sep 17 00:00:00 2001 +From: SaltyMilk +Date: Mon, 10 Jul 2023 21:43:28 +0200 +Subject: [PATCH] fopen: optimize + +Closes #11419 + +(cherry picked from commit 0c667188e0c6cda615a036b8a2b4125f2c404dde) +Signed-off-by: Jan Macku +--- + lib/fopen.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index ad3691ba9..92f39cf62 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + int fd = -1; + *tempname = NULL; + +- if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { +- /* a non-regular file, fallback to direct fopen() */ +- *fh = fopen(filename, FOPEN_WRITETEXT); +- if(*fh) +- return CURLE_OK; ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(!*fh) + goto fail; +- } ++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) ++ return CURLE_OK; ++ fclose(*fh); ++ *fh = NULL; + + result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); + if(result) +-- +2.41.0 + diff --git a/curl.spec b/curl.spec index f26d175..f324848 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.85.0 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -64,6 +64,9 @@ Patch29: 0029-curl-7.87.0-CVE-2023-28322.patch # fix IDN wildcard match (CVE-2023-28321) Patch30: 0030-curl-7.87.0-CVE-2023-28321.patch +# fix fopen race condition (CVE-2023-32001) +Patch31: 0031-curl-7.87.0-CVE-2023-32001.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -266,6 +269,7 @@ be installed. %patch28 -p1 %patch29 -p1 %patch30 -p1 +%patch31 -p1 # Fedora patches %patch101 -p1 @@ -499,6 +503,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jul 20 2023 Jan Macku - 7.85.0-10 +- fix fopen race condition (CVE-2023-32001) + * Mon Jun 05 2023 Jan Macku - 7.85.0-9 - fix more POST-after-PUT confusion (CVE-2023-28322) - fix IDN wildcard match (CVE-2023-28321) From 8b6cd901b1fccb7479863171e8996f1a61b6b342 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 13 Sep 2023 13:22:33 +0200 Subject: [PATCH 23/26] Resolves: CVE-2023-38039 - fix HTTP headers eat all memory --- 0032-curl-7.87.0-CVE-2023-38039.patch | 203 ++++++++++++++++++++++++++ curl.spec | 15 +- 2 files changed, 217 insertions(+), 1 deletion(-) create mode 100644 0032-curl-7.87.0-CVE-2023-38039.patch diff --git a/0032-curl-7.87.0-CVE-2023-38039.patch b/0032-curl-7.87.0-CVE-2023-38039.patch new file mode 100644 index 0000000..66dca86 --- /dev/null +++ b/0032-curl-7.87.0-CVE-2023-38039.patch @@ -0,0 +1,203 @@ +From e0ffb54555f4f5199613f7d2db8dd16ffb2d33b3 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 2 Aug 2023 23:34:48 +0200 +Subject: [PATCH] http: return error when receiving too large header set + +To avoid abuse. The limit is set to 300 KB for the accumulated size of +all received HTTP headers for a single response. Incomplete research +suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to +1MB. + +Closes #11582 + +(cherry picked from commit 3ee79c1674fd6f99e8efca52cd7510e08b766770) +Signed-off-by: Jan Macku +--- + lib/c-hyper.c | 13 +++++++------ + lib/http.c | 34 ++++++++++++++++++++++++++++++---- + lib/http.h | 9 +++++++++ + lib/pingpong.c | 4 +++- + lib/urldata.h | 17 ++++++++--------- + 5 files changed, 57 insertions(+), 20 deletions(-) + +diff --git a/lib/c-hyper.c b/lib/c-hyper.c +index 58957934f..8fecf997d 100644 +--- a/lib/c-hyper.c ++++ b/lib/c-hyper.c +@@ -169,8 +169,11 @@ static int hyper_each_header(void *userdata, + } + } + +- data->info.header_size += (long)len; +- data->req.headerbytecount += (long)len; ++ result = Curl_bump_headersize(data, len, FALSE); ++ if(result) { ++ data->state.hresult = result; ++ return HYPER_ITER_BREAK; ++ } + return HYPER_ITER_CONTINUE; + } + +@@ -298,10 +301,8 @@ static CURLcode status_line(struct Curl_easy *data, + if(result) + return result; + } +- data->info.header_size += (long)len; +- data->req.headerbytecount += (long)len; +- data->req.httpcode = http_status; +- return CURLE_OK; ++ result = Curl_bump_headersize(data, len, FALSE); ++ return result; + } + + /* +diff --git a/lib/http.c b/lib/http.c +index f177c0ef5..76ccc5480 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -3824,6 +3824,29 @@ static CURLcode verify_header(struct Curl_easy *data) + return CURLE_OK; + } + ++CURLcode Curl_bump_headersize(struct Curl_easy *data, ++ size_t delta, ++ bool connect_only) ++{ ++ size_t bad = 0; ++ if(delta < MAX_HTTP_RESP_HEADER_SIZE) { ++ if(!connect_only) ++ data->req.headerbytecount += (unsigned int)delta; ++ data->info.header_size += (unsigned int)delta; ++ if(data->info.header_size > MAX_HTTP_RESP_HEADER_SIZE) ++ bad = data->info.header_size; ++ } ++ else ++ bad = data->info.header_size + delta; ++ if(bad) { ++ failf(data, "Too large response headers: %zu > %zu", ++ bad, MAX_HTTP_RESP_HEADER_SIZE); ++ return CURLE_RECV_ERROR; ++ } ++ return CURLE_OK; ++} ++ ++ + /* + * Read any HTTP header lines from the server and pass them to the client app. + */ +@@ -4057,8 +4080,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + if(result) + return result; + +- data->info.header_size += (long)headerlen; +- data->req.headerbytecount += (long)headerlen; ++ result = Curl_bump_headersize(data, headerlen, FALSE); ++ if(result) ++ return result; + + /* + * When all the headers have been parsed, see if we should give +@@ -4358,8 +4382,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + if(result) + return result; + +- data->info.header_size += Curl_dyn_len(&data->state.headerb); +- data->req.headerbytecount += Curl_dyn_len(&data->state.headerb); ++ result = Curl_bump_headersize(data, Curl_dyn_len(&data->state.headerb), ++ FALSE); ++ if(result) ++ return result; + + Curl_dyn_reset(&data->state.headerb); + } +diff --git a/lib/http.h b/lib/http.h +index 2ac287eca..bcf5e0609 100644 +--- a/lib/http.h ++++ b/lib/http.h +@@ -50,6 +50,10 @@ extern const struct Curl_handler Curl_handler_http; + extern const struct Curl_handler Curl_handler_https; + #endif + ++CURLcode Curl_bump_headersize(struct Curl_easy *data, ++ size_t delta, ++ bool connect_only); ++ + /* Header specific functions */ + bool Curl_compareheader(const char *headerline, /* line to check */ + const char *header, /* header keyword _with_ colon */ +@@ -163,6 +167,11 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data); + #define EXPECT_100_THRESHOLD (1024*1024) + #endif + ++/* MAX_HTTP_RESP_HEADER_SIZE is the maximum size of all response headers ++ combined that libcurl allows for a single HTTP response, any HTTP ++ version. This count includes CONNECT response headers. */ ++#define MAX_HTTP_RESP_HEADER_SIZE (300*1024) ++ + #endif /* CURL_DISABLE_HTTP */ + + #ifdef USE_NGHTTP3 +diff --git a/lib/pingpong.c b/lib/pingpong.c +index 74a678a1a..aa536ec62 100644 +--- a/lib/pingpong.c ++++ b/lib/pingpong.c +@@ -340,7 +340,9 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data, + ssize_t clipamount = 0; + bool restart = FALSE; + +- data->req.headerbytecount += (long)gotbytes; ++ result = Curl_bump_headersize(data, gotbytes, FALSE); ++ if(result) ++ return result; + + pp->nread_resp += gotbytes; + for(i = 0; i < gotbytes; ptr++, i++) { +diff --git a/lib/urldata.h b/lib/urldata.h +index 69c14eb54..512bae24c 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -612,18 +612,17 @@ struct SingleRequest { + curl_off_t bytecount; /* total number of bytes read */ + curl_off_t writebytecount; /* number of bytes written */ + +- curl_off_t headerbytecount; /* only count received headers */ +- curl_off_t deductheadercount; /* this amount of bytes doesn't count when we +- check if anything has been transferred at +- the end of a connection. We use this +- counter to make only a 100 reply (without a +- following second response code) result in a +- CURLE_GOT_NOTHING error code */ +- + curl_off_t pendingheader; /* this many bytes left to send is actually + header and not body */ + struct curltime start; /* transfer started at this time */ + struct curltime now; /* current time */ ++ unsigned int headerbytecount; /* only count received headers */ ++ unsigned int deductheadercount; /* this amount of bytes doesn't count when ++ we check if anything has been transferred ++ at the end of a connection. We use this ++ counter to make only a 100 reply (without ++ a following second response code) result ++ in a CURLE_GOT_NOTHING error code */ + enum { + HEADER_NORMAL, /* no bad header at all */ + HEADER_PARTHEADER, /* part of the chunk is a bad header, the rest +@@ -1139,7 +1138,6 @@ struct PureInfo { + int httpversion; /* the http version number X.Y = X*10+Y */ + time_t filetime; /* If requested, this is might get set. Set to -1 if the + time was unretrievable. */ +- curl_off_t header_size; /* size of read header(s) in bytes */ + curl_off_t request_size; /* the amount of bytes sent in the request(s) */ + unsigned long proxyauthavail; /* what proxy auth types were announced */ + unsigned long httpauthavail; /* what host auth types were announced */ +@@ -1147,6 +1145,7 @@ struct PureInfo { + char *contenttype; /* the content type of the object */ + char *wouldredirect; /* URL this would've been redirected to if asked to */ + curl_off_t retry_after; /* info from Retry-After: header */ ++ unsigned int header_size; /* size of read header(s) in bytes */ + + /* PureInfo members 'conn_primary_ip', 'conn_primary_port', 'conn_local_ip' + and, 'conn_local_port' are copied over from the connectdata struct in +-- +2.41.0 + diff --git a/curl.spec b/curl.spec index f324848..5a87baf 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.85.0 -Release: 10%{?dist} +Release: 11%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -67,6 +67,9 @@ Patch30: 0030-curl-7.87.0-CVE-2023-28321.patch # fix fopen race condition (CVE-2023-32001) Patch31: 0031-curl-7.87.0-CVE-2023-32001.patch +# fix HTTP headers eat all memory (CVE-2023-38039) +Patch32: 0032-curl-7.87.0-CVE-2023-38039.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -270,6 +273,7 @@ be installed. %patch29 -p1 %patch30 -p1 %patch31 -p1 +%patch32 -p1 # Fedora patches %patch101 -p1 @@ -305,6 +309,11 @@ printf "702\n703\n716\n" >> tests/data/DISABLED printf "3000\n3001\n" >> tests/data/DISABLED %endif +# temporarily disable test 678 on aarch64 (it suddently started crashing without any change in curl) +%ifarch aarch64 +printf "678\n" >> tests/data/DISABLED +%endif + # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|' \ @@ -503,6 +512,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 13 2023 Jan Macku - 7.85.0-11 +- fix HTTP headers eat all memory (CVE-2023-38039) +- temporarily disable test 678 on aarch64 (it suddently started crashing without any change in curl) + * Thu Jul 20 2023 Jan Macku - 7.85.0-10 - fix fopen race condition (CVE-2023-32001) From d6f65ea7df57f26b151d559c10151fa5ab613594 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Mon, 9 Oct 2023 10:39:43 +0200 Subject: [PATCH 24/26] tests: use newer Fedora URLs for testing ... because F36 URLs are no longer available. --- tests/non-root-user-download/runtest.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 0529a12..4d51e62 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" From c932c1826e3161f47675bdf00756d54cc4a1c56d Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 12 Oct 2023 09:59:32 +0200 Subject: [PATCH 25/26] Resolves: CVE-2023-38545 - SOCKS5 heap buffer overflow --- 0033-curl-7.85.0-CVE-2023-38545.patch | 135 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 143 insertions(+), 1 deletion(-) create mode 100644 0033-curl-7.85.0-CVE-2023-38545.patch diff --git a/0033-curl-7.85.0-CVE-2023-38545.patch b/0033-curl-7.85.0-CVE-2023-38545.patch new file mode 100644 index 0000000..73e64f6 --- /dev/null +++ b/0033-curl-7.85.0-CVE-2023-38545.patch @@ -0,0 +1,135 @@ +From 62a500e504dd361d7d271e23cbfa27ec0937cee1 Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Wed, 11 Oct 2023 07:34:19 +0200 +Subject: [PATCH 1/2] socks: return error if hostname too long for remote + resolve + +Prior to this change the state machine attempted to change the remote +resolve to a local resolve if the hostname was longer than 255 +characters. Unfortunately that did not work as intended and caused a +security issue. + +Bug: https://curl.se/docs/CVE-2023-38545.html + +(cherry picked from commit fb4415d8aee6c1045be932a34fe6107c2f5ed147) + +Signed-off-by: Jan Macku +--- + lib/socks.c | 8 +++--- + tests/data/Makefile.inc | 2 +- + tests/data/test728 | 64 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 69 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test728 + +diff --git a/lib/socks.c b/lib/socks.c +index 52c29880a..63abff629 100644 +--- a/lib/socks.c ++++ b/lib/socks.c +@@ -538,9 +538,9 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, + + /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ + if(!socks5_resolve_local && hostname_len > 255) { +- infof(data, "SOCKS5: server resolving disabled for hostnames of " +- "length > 255 [actual len=%zu]", hostname_len); +- socks5_resolve_local = TRUE; ++ failf(data, "SOCKS5: the destination hostname is too long to be " ++ "resolved remotely by the proxy."); ++ return CURLPX_LONG_HOSTNAME; + } + + if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) +@@ -881,7 +881,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, + } + else { + socksreq[len++] = 3; +- socksreq[len++] = (char) hostname_len; /* one byte address length */ ++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ + memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */ + len += hostname_len; + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 0b1d18265..d669ef36e 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -100,7 +100,7 @@ test679 test680 test681 test682 test683 test684 test685 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 test716 test717 \ +-test718 test719 test720 test721 \ ++test718 test719 test720 test721 test728 \ + \ + test800 test801 test802 test803 test804 test805 test806 test807 test808 \ + test809 test810 test811 test812 test813 test814 test815 test816 test817 \ +diff --git a/tests/data/test728 b/tests/data/test728 +new file mode 100644 +index 000000000..05bcf2883 +--- /dev/null ++++ b/tests/data/test728 +@@ -0,0 +1,64 @@ ++ ++ ++ ++HTTP ++HTTP GET ++SOCKS5 ++SOCKS5h ++followlocation ++ ++ ++ ++# ++# Server-side ++ ++# The hostname in this redirect is 256 characters and too long (> 255) for ++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case. ++ ++HTTP/1.1 301 Moved Permanently ++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ ++Content-Length: 0 ++Connection: close ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++proxy ++ ++ ++http ++socks5 ++ ++ ++SOCKS5h with HTTP redirect to hostname too long ++ ++ ++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++97 ++ ++# the error message is verified because error code CURLE_PROXY (97) may be ++# returned for any number of reasons and we need to make sure it is ++# specifically for the reason below so that we know the check is working. ++ ++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy. ++ ++ ++ +-- +2.41.0 + diff --git a/curl.spec b/curl.spec index 5a87baf..123b71c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.85.0 -Release: 11%{?dist} +Release: 12%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -70,6 +70,9 @@ Patch31: 0031-curl-7.87.0-CVE-2023-32001.patch # fix HTTP headers eat all memory (CVE-2023-38039) Patch32: 0032-curl-7.87.0-CVE-2023-38039.patch +# fix SOCKS5 heap buffer overflow (CVE-2023-38545) +Patch33: 0033-curl-7.85.0-CVE-2023-38545.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -274,6 +277,7 @@ be installed. %patch30 -p1 %patch31 -p1 %patch32 -p1 +%patch33 -p1 # Fedora patches %patch101 -p1 @@ -512,6 +516,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Oct 12 2023 Jan Macku - 7.85.0-12 +- fix SOCKS5 heap buffer overflow (CVE-2023-38545) + * Wed Sep 13 2023 Jan Macku - 7.85.0-11 - fix HTTP headers eat all memory (CVE-2023-38039) - temporarily disable test 678 on aarch64 (it suddently started crashing without any change in curl) From e9444fa678b811db43338b6e7c92aaee62fcb9a8 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 12 Oct 2023 10:04:29 +0200 Subject: [PATCH 26/26] Resolves: CVE-2023-38546 - cookie injection with none file --- 0034-curl-7.85.0-CVE-2023-38546.patch | 136 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 141 insertions(+) create mode 100644 0034-curl-7.85.0-CVE-2023-38546.patch diff --git a/0034-curl-7.85.0-CVE-2023-38546.patch b/0034-curl-7.85.0-CVE-2023-38546.patch new file mode 100644 index 0000000..942c668 --- /dev/null +++ b/0034-curl-7.85.0-CVE-2023-38546.patch @@ -0,0 +1,136 @@ +From ab9756c96992c92637d2d40e7a406ac700972b8e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 14 Sep 2023 23:28:32 +0200 +Subject: [PATCH 2/2] cookie: remove unnecessary struct fields + +Plus: reduce the hash table size from 256 to 63. It seems unlikely to +make much of a speed difference for most use cases but saves 1.5KB of +data per instance. + +Closes #11862 + +(cherry picked from commit 61275672b46d9abb3285740467b882e22ed75da8) + +Signed-off-by: Jan Macku +--- + lib/cookie.c | 13 +------------ + lib/cookie.h | 14 ++++---------- + lib/easy.c | 4 +--- + 3 files changed, 6 insertions(+), 25 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index ab790a1cd..a418fe8c3 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -118,7 +118,6 @@ static void freecookie(struct Cookie *co) + free(co->name); + free(co->value); + free(co->maxage); +- free(co->version); + free(co); + } + +@@ -712,11 +711,7 @@ Curl_cookie_add(struct Curl_easy *data, + } + } + else if(strcasecompare("version", name)) { +- strstore(&co->version, whatptr); +- if(!co->version) { +- badcookie = TRUE; +- break; +- } ++ /* just ignore */ + } + else if(strcasecompare("max-age", name)) { + /* +@@ -1164,7 +1159,6 @@ Curl_cookie_add(struct Curl_easy *data, + free(clist->path); + free(clist->spath); + free(clist->expirestr); +- free(clist->version); + free(clist->maxage); + + *clist = *co; /* then store all the new data */ +@@ -1228,9 +1222,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, + c = calloc(1, sizeof(struct CookieInfo)); + if(!c) + return NULL; /* failed to get memory */ +- c->filename = strdup(file?file:"none"); /* copy the name just in case */ +- if(!c->filename) +- goto fail; /* failed to get memory */ + /* + * Initialize the next_expiration time to signal that we don't have enough + * information yet. +@@ -1384,7 +1375,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) + CLONE(name); + CLONE(value); + CLONE(maxage); +- CLONE(version); + d->expires = src->expires; + d->tailmatch = src->tailmatch; + d->secure = src->secure; +@@ -1600,7 +1590,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) + { + if(c) { + unsigned int i; +- free(c->filename); + for(i = 0; i < COOKIE_HASH_SIZE; i++) + Curl_cookie_freelist(c->cookies[i]); + free(c); /* free the base struct as well */ +diff --git a/lib/cookie.h b/lib/cookie.h +index abc0a2e8a..2093bbb58 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -36,11 +36,7 @@ struct Cookie { + char *domain; /* domain = */ + curl_off_t expires; /* expires = */ + char *expirestr; /* the plain text version */ +- +- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ +- char *version; /* Version = */ + char *maxage; /* Max-Age = */ +- + bool tailmatch; /* whether we do tail-matching of the domain name */ + bool secure; /* whether the 'secure' keyword was used */ + bool livecookie; /* updated from a server, not a stored file */ +@@ -56,18 +52,16 @@ struct Cookie { + #define COOKIE_PREFIX__SECURE (1<<0) + #define COOKIE_PREFIX__HOST (1<<1) + +-#define COOKIE_HASH_SIZE 256 ++#define COOKIE_HASH_SIZE 63 + + struct CookieInfo { + /* linked list of cookies we know of */ + struct Cookie *cookies[COOKIE_HASH_SIZE]; +- +- char *filename; /* file we read from/write to */ +- long numcookies; /* number of cookies in the "jar" */ ++ curl_off_t next_expiration; /* the next time at which expiration happens */ ++ int numcookies; /* number of cookies in the "jar" */ ++ int lastct; /* last creation-time used in the jar */ + bool running; /* state info, for cookie adding information */ + bool newsession; /* new session, discard session cookies on load */ +- int lastct; /* last creation-time used in the jar */ +- curl_off_t next_expiration; /* the next time at which expiration happens */ + }; + + /* This is the maximum line length we accept for a cookie line. RFC 2109 +diff --git a/lib/easy.c b/lib/easy.c +index 978ea5ac3..660b99056 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -905,9 +905,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + if(data->cookies) { + /* If cookies are enabled in the parent handle, we enable them + in the clone as well! */ +- outcurl->cookies = Curl_cookie_init(data, +- data->cookies->filename, +- outcurl->cookies, ++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, + data->set.cookiesession); + if(!outcurl->cookies) + goto fail; +-- +2.41.0 + diff --git a/curl.spec b/curl.spec index 123b71c..0cc092c 100644 --- a/curl.spec +++ b/curl.spec @@ -73,6 +73,9 @@ Patch32: 0032-curl-7.87.0-CVE-2023-38039.patch # fix SOCKS5 heap buffer overflow (CVE-2023-38545) Patch33: 0033-curl-7.85.0-CVE-2023-38545.patch +# fix cookie injection with none file (CVE-2023-38546) +Patch34: 0034-curl-7.85.0-CVE-2023-38546.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -278,6 +281,7 @@ be installed. %patch31 -p1 %patch32 -p1 %patch33 -p1 +%patch34 -p1 # Fedora patches %patch101 -p1 @@ -517,6 +521,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Oct 12 2023 Jan Macku - 7.85.0-12 +- fix cookie injection with none file (CVE-2023-38546) - fix SOCKS5 heap buffer overflow (CVE-2023-38545) * Wed Sep 13 2023 Jan Macku - 7.85.0-11