From 5dee6fb8b33f1ef9ea84f54394da4aaee390ed25 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 18 May 2018 16:17:51 +0200 Subject: [PATCH 01/14] Resolves: CVE-2018-1000301 - http: restore buffer ptr when bad response-line is parsed --- 0002-curl-7.59.0-CVE-2018-1000301.patch | 48 +++++++++++++++++++++++++ curl.spec | 9 ++++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.59.0-CVE-2018-1000301.patch diff --git a/0002-curl-7.59.0-CVE-2018-1000301.patch b/0002-curl-7.59.0-CVE-2018-1000301.patch new file mode 100644 index 0000000..b733979 --- /dev/null +++ b/0002-curl-7.59.0-CVE-2018-1000301.patch @@ -0,0 +1,48 @@ +From 5815730864a2010872840bae24797983e892eb90 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 24 Mar 2018 23:47:41 +0100 +Subject: [PATCH 1/2] http: restore buffer pointer when bad response-line is + parsed + +... leaving the k->str could lead to buffer over-reads later on. + +CVE: CVE-2018-1000301 +Assisted-by: Max Dymond + +Detected by OSS-Fuzz. +Bug: https://curl.haxx.se/docs/adv_2018-b138.html +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 + +Upstream-commit: 8c7b3737d29ed5c0575bf592063de8a51450812d +Signed-off-by: Kamil Dudka +--- + lib/http.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/http.c b/lib/http.c +index 841f6cc..dc10f5f 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2966,6 +2966,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + { + CURLcode result; + struct SingleRequest *k = &data->req; ++ ssize_t onread = *nread; ++ char *ostr = k->str; + + /* header line within buffer loop */ + do { +@@ -3030,7 +3032,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + else { + /* this was all we read so it's all a bad header */ + k->badheader = HEADER_ALLBAD; +- *nread = (ssize_t)rest_length; ++ *nread = onread; ++ k->str = ostr; ++ return CURLE_OK; + } + break; + } +-- +2.14.3 + 
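Review bot: The new early `return CURLE_OK;` after `k->str = ostr;` leaves the header loop with no comment on why the buffer state is rolled back, and the reasoning lives only in the nested patch's commit message. A one-line comment above the restore, `/* restore the caller's view of the buffer: leaving k->str advanced past a bad response-line leads to over-reads later on (CVE-2018-1000301) */`, keeps that next to the code. Note that `onread` and `ostr` snapshot the state at function entry, so anything the earlier `do { ... }` iterations consumed before the bad line is presumably re-read by the caller as well; if that is intended it deserves a word in the same comment. `Curl_http_readwrite_headers` starts and ends outside the nested hunk.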
diff --git a/curl.spec b/curl.spec index d722f07..4bdc523 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,16 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz # ftp: fix typo in recursive callback detection for seeking Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch +# fix RTSP bad headers buffer over-read (CVE-2018-1000301) +Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -155,6 +158,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -300,6 +304,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri May 18 2018 Kamil Dudka - 7.59.0-3 +- fix RTSP bad headers buffer over-read (CVE-2018-1000301) + * Wed Mar 14 2018 Kamil Dudka - 7.59.0-2 - ftp: fix typo in recursive callback detection for seeking From 73d6b73380f22edd6565e870ac6aa169c74b6e3f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 18 May 2018 16:20:36 +0200 Subject: [PATCH 02/14] Resolves: CVE-2018-1000300 - fix FTP shutdown response buffer overflow --- 0003-curl-7.59.0-CVE-2018-1000300.patch | 39 +++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 44 insertions(+) create mode 100644 0003-curl-7.59.0-CVE-2018-1000300.patch diff --git a/0003-curl-7.59.0-CVE-2018-1000300.patch b/0003-curl-7.59.0-CVE-2018-1000300.patch new file mode 100644 index 0000000..fb4d15b --- /dev/null +++ b/0003-curl-7.59.0-CVE-2018-1000300.patch 
@@ -0,0 +1,39 @@ +From 9b757a9a431f6859807d9f6e697cc2d2a120098d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 23 Mar 2018 23:30:04 +0100 +Subject: [PATCH 2/2] pingpong: fix response cache memcpy overflow + +Response data for a handle with a large buffer might be cached and then +used with the "closure" handle when it has a smaller buffer and then the +larger cache will be copied and overflow the new smaller heap based +buffer. + +Reported-by: Dario Weisser +CVE: CVE-2018-1000300 +Bug: https://curl.haxx.se/docs/adv_2018-82c2.html + +Upstream-commit: 583b42cb3b809b1bf597af160468ccba728c2248 +Signed-off-by: Kamil Dudka +--- + lib/pingpong.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/pingpong.c b/lib/pingpong.c +index 438856a..ad370ee 100644 +--- a/lib/pingpong.c ++++ b/lib/pingpong.c +@@ -304,7 +304,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd, + * it would have been populated with something of size int to begin + * with, even though its datatype may be larger than an int. + */ +- DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1)); ++ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) { ++ failf(data, "cached response data too big to handle"); ++ return CURLE_RECV_ERROR; ++ } + memcpy(ptr, pp->cache, pp->cache_size); + gotbytes = (ssize_t)pp->cache_size; + free(pp->cache); /* free the cache */ +-- +2.14.3 + diff --git a/curl.spec b/curl.spec index 4bdc523..904ba10 100644 --- a/curl.spec +++ b/curl.spec @@ -11,6 +11,9 @@ Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch # fix RTSP bad headers buffer over-read (CVE-2018-1000301) Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch +# fix FTP shutdown response buffer overflow (CVE-2018-1000300) +Patch3: 0003-curl-7.59.0-CVE-2018-1000300.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
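Review bot: The new guard `if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1))` forms the out-of-range pointer `ptr + pp->cache_size` before comparing it, which is exactly the case the check is meant to reject and is undefined behaviour in C even without a dereference, so an optimiser may fold the comparison away. Compare sizes instead, `if(pp->cache_size > (size_t)(buf + data->set.buffer_size + 1 - ptr)) {`, which keeps the arithmetic inside the buffer (assuming `ptr` points into `buf`, as its use as the memcpy destination suggests). Replacing the former `DEBUGASSERT` with a runtime `failf` plus `CURLE_RECV_ERROR` is the right move for release builds; on that path `pp->cache` stays allocated, presumably freed with the handle, which is worth confirming. `Curl_pp_readresp` starts and ends outside the nested hunk.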
@@ -159,6 +162,7 @@ be installed. # upstream patches %patch1 -p1 %patch2 -p1 +%patch3 -p1 # Fedora patches %patch101 -p1 @@ -305,6 +309,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri May 18 2018 Kamil Dudka - 7.59.0-3 +- fix FTP shutdown response buffer overflow (CVE-2018-1000300) - fix RTSP bad headers buffer over-read (CVE-2018-1000301) * Wed Mar 14 2018 Kamil Dudka - 7.59.0-2 From 67e93f67b8904524e2013cef126d5f6d7e5b18e4 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 5 Jun 2018 15:10:20 +0200 Subject: [PATCH 03/14] Resolves: #1585797 - http2: handle GOAWAY properly --- 0004-curl-7.59.0-http2-GOAWAY.patch | 137 ++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 0004-curl-7.59.0-http2-GOAWAY.patch diff --git a/0004-curl-7.59.0-http2-GOAWAY.patch b/0004-curl-7.59.0-http2-GOAWAY.patch new file mode 100644 index 0000000..0e76a6e --- /dev/null +++ b/0004-curl-7.59.0-http2-GOAWAY.patch 
@@ -0,0 +1,137 @@ +From 84ddda3994c1f12d79946780dee9111b3cf1c308 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 19 Apr 2018 20:03:30 +0200 +Subject: [PATCH] http2: handle GOAWAY properly + +When receiving REFUSED_STREAM, mark the connection for close and retry +streams accordingly on another/fresh connection. + +Reported-by: Terry Wu +Fixes #2416 +Fixes #1618 +Closes #2510 + +Upstream-commit: d122df5972fc01e39ae28e6bca705237d7e3318a +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 17 ++++++++++++----- + lib/multi.c | 4 +++- + lib/transfer.c | 17 +++++++++++++++-- + lib/urldata.h | 2 +- + 4 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index b2c34e9..fba4d70 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -1078,7 +1078,6 @@ void Curl_http2_done(struct connectdata *conn, bool premature) + struct http_conn *httpc = &conn->proto.httpc; + + if(http->header_recvbuf) { +- H2BUGF(infof(data, "free header_recvbuf!!\n")); + Curl_add_buffer_free(http->header_recvbuf); + http->header_recvbuf = NULL; /* clear the pointer */ + Curl_add_buffer_free(http->trailer_recvbuf); +@@ -1351,7 +1350,15 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn, + + /* Reset to FALSE to prevent infinite loop in readwrite_data function. 
*/ + stream->closed = FALSE; +- if(httpc->error_code != NGHTTP2_NO_ERROR) { ++ if(httpc->error_code == NGHTTP2_REFUSED_STREAM) { ++ H2BUGF(infof(data, "REFUSED_STREAM (%d), try again on a new connection!\n", ++ stream->stream_id)); ++ connclose(conn, "REFUSED_STREAM"); /* don't use this anymore */ ++ data->state.refused_stream = TRUE; ++ *err = CURLE_RECV_ERROR; /* trigger Curl_retry_request() later */ ++ return -1; ++ } ++ else if(httpc->error_code != NGHTTP2_NO_ERROR) { + failf(data, "HTTP/2 stream %u was not closed cleanly: %s (err %d)", + stream->stream_id, Curl_http2_strerror(httpc->error_code), + httpc->error_code); +@@ -1579,9 +1586,9 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex, + } + + if(nread == 0) { +- failf(data, "Unexpected EOF"); +- *err = CURLE_RECV_ERROR; +- return -1; ++ H2BUGF(infof(data, "end of stream\n")); ++ *err = CURLE_OK; ++ return 0; + } + + H2BUGF(infof(data, "nread=%zd\n", nread)); +diff --git a/lib/multi.c b/lib/multi.c +index 98e5fca..d69e5f9 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -541,7 +541,9 @@ static CURLcode multi_done(struct connectdata **connp, + if(conn->send_pipe.size || conn->recv_pipe.size) { + /* Stop if pipeline is not empty . 
*/ + data->easy_conn = NULL; +- DEBUGF(infof(data, "Connection still in use, no more multi_done now!\n")); ++ DEBUGF(infof(data, "Connection still in use %d/%d, " ++ "no more multi_done now!\n", ++ conn->send_pipe.size, conn->recv_pipe.size)); + return CURLE_OK; + } + +diff --git a/lib/transfer.c b/lib/transfer.c +index fd9af31..5c29cc9 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1926,7 +1926,7 @@ CURLcode Curl_retry_request(struct connectdata *conn, + char **url) + { + struct Curl_easy *data = conn->data; +- ++ bool retry = FALSE; + *url = NULL; + + /* if we're talking upload, we can't do the checks below, unless the protocol +@@ -1939,7 +1939,7 @@ CURLcode Curl_retry_request(struct connectdata *conn, + conn->bits.reuse && + (!data->set.opt_no_body + || (conn->handler->protocol & PROTO_FAMILY_HTTP)) && +- (data->set.rtspreq != RTSPREQ_RECEIVE)) { ++ (data->set.rtspreq != RTSPREQ_RECEIVE)) + /* We got no data, we attempted to re-use a connection. For HTTP this + can be a retry so we try again regardless if we expected a body. + For other protocols we only try again only if we expected a body. +@@ -1947,6 +1947,19 @@ CURLcode Curl_retry_request(struct connectdata *conn, + This might happen if the connection was left alive when we were + done using it before, but that was closed when we wanted to read from + it again. Bad luck. Retry the same request on a fresh connect! */ ++ retry = TRUE; ++ else if(data->state.refused_stream && ++ (data->req.bytecount + data->req.headerbytecount == 0) ) { ++ /* This was sent on a refused stream, safe to rerun. A refused stream ++ error can typically only happen on HTTP/2 level if the stream is safe ++ to issue again, but the nghttp2 API can deliver the message to other ++ streams as well, which is why this adds the check the data counters ++ too. 
*/ ++ infof(conn->data, "REFUSED_STREAM, retrying a fresh connect\n"); ++ data->state.refused_stream = FALSE; /* clear again */ ++ retry = TRUE; ++ } ++ if(retry) { + infof(conn->data, "Connection died, retrying a fresh connect\n"); + *url = strdup(conn->data->change.url); + if(!*url) +diff --git a/lib/urldata.h b/lib/urldata.h +index 3d7b9e5..6a36ee9 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1225,7 +1225,7 @@ struct UrlState { + curl_off_t current_speed; /* the ProgressShow() function sets this, + bytes / second */ + bool this_is_a_follow; /* this is a followed Location: request */ +- ++ bool refused_stream; /* this was refused, try again */ + char *first_host; /* host name of the first (not followed) request. + if set, this should be the host name that we will + sent authorization to, no else. Used to make Location: +-- +2.14.4 + diff --git a/curl.spec b/curl.spec index 904ba10..abf84a4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -14,6 +14,9 @@ Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch # fix FTP shutdown response buffer overflow (CVE-2018-1000300) Patch3: 0003-curl-7.59.0-CVE-2018-1000300.patch +# http2: handle GOAWAY properly (#1585797) +Patch4: 0004-curl-7.59.0-http2-GOAWAY.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -163,6 +166,7 @@ be installed. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 # Fedora patches %patch101 -p1 
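Review bot: In the `lib/transfer.c` hunk of the nested patch the opening `{` is dropped from the long `if(... (data->set.rtspreq != RTSPREQ_RECEIVE))` condition, so a multi-line comment now sits between the condition and its single statement `retry = TRUE;` followed by `else if`; this is the fragile shape where a later inserted line silently changes what is conditional. Keep the braces: `(data->set.rtspreq != RTSPREQ_RECEIVE)) {` … `retry = TRUE;` … `}` before the `else if`. In the `lib/multi.c` hunk, `"Connection still in use %d/%d"` prints `conn->send_pipe.size` and `conn->recv_pipe.size` with `%d`; if those are `size_t` (the type is not visible here) the specifier should be `%zu`. The refused-stream path also now logs both `"REFUSED_STREAM, retrying a fresh connect"` and, through the shared `if(retry)` block, `"Connection died, retrying a fresh connect"`, a slightly misleading pair. `Curl_retry_request` and `multi_done` both start and end outside the nested hunks.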
@@ -308,6 +312,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Jun 05 2018 Kamil Dudka - 7.59.0-4 +- http2: handle GOAWAY properly (#1585797) + * Fri May 18 2018 Kamil Dudka - 7.59.0-3 - fix FTP shutdown response buffer overflow (CVE-2018-1000300) - fix RTSP bad headers buffer over-read (CVE-2018-1000301) From c79dff9b8baa2cb7ca51060f7303d91092fb7d0a Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 Jul 2018 17:51:58 +0200 Subject: [PATCH 04/14] Resolves: CVE-2018-0500 - fix heap buffer overflow in SMTP send --- 0005-curl-7.59.0-CVE-2018-0500.patch | 40 ++++++++++++++++++++++++++++ curl.spec | 9 ++++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 0005-curl-7.59.0-CVE-2018-0500.patch diff --git a/0005-curl-7.59.0-CVE-2018-0500.patch b/0005-curl-7.59.0-CVE-2018-0500.patch new file mode 100644 index 0000000..221c05f --- /dev/null +++ b/0005-curl-7.59.0-CVE-2018-0500.patch 
@@ -0,0 +1,40 @@ +From 7a5d2b67b8bee753735d4b03f66c4054d9b812f9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 13 Jun 2018 12:24:40 +0200 +Subject: [PATCH] smtp: use the upload buffer size for scratch buffer malloc + +... not the read buffer size, as that can be set smaller and thus cause +a buffer overflow! CVE-2018-0500 + +Reported-by: Peter Wu +Bug: https://curl.haxx.se/docs/adv_2018-70a2.html + +Upstream-commit: ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628 +Signed-off-by: Kamil Dudka +--- + lib/smtp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/smtp.c b/lib/smtp.c +index 3f3b45a..400ad54 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1563,13 +1563,14 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread) + if(!scratch || data->set.crlf) { + oldscratch = scratch; + +- scratch = newscratch = malloc(2 * data->set.buffer_size); ++ scratch = newscratch = malloc(2 * UPLOAD_BUFSIZE); + if(!newscratch) { + failf(data, "Failed to alloc scratch buffer!"); + + return CURLE_OUT_OF_MEMORY; + } + } ++ DEBUGASSERT(UPLOAD_BUFSIZE >= nread); + + /* Have we already sent part of the EOB? */ + eob_sent = smtp->eob; +-- +2.14.4 + diff --git a/curl.spec b/curl.spec index abf84a4..008dd3f 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -17,6 +17,9 @@ Patch3: 0003-curl-7.59.0-CVE-2018-1000300.patch # http2: handle GOAWAY properly (#1585797) Patch4: 0004-curl-7.59.0-http2-GOAWAY.patch +# fix heap buffer overflow in SMTP send (CVE-2018-0500) +Patch5: 0005-curl-7.59.0-CVE-2018-0500.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -167,6 +170,7 @@ be installed. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 # Fedora patches %patch101 -p1 
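Review bot: The new `DEBUGASSERT(UPLOAD_BUFSIZE >= nread);` is the only thing tying the `malloc(2 * UPLOAD_BUFSIZE)` allocation to the amount of data escaped into it, and `DEBUGASSERT` compiles to nothing in a release build, so the overflow that CVE-2018-0500 fixes is then prevented only by callers (not visible here) never passing more than the upload buffer size. A runtime guard such as `if(nread > UPLOAD_BUFSIZE) return CURLE_SEND_ERROR;` placed where the assert is would make the function self-protecting at the cost of one comparison; the error code is a choice for the maintainer. Since `nread` is declared `const ssize_t` in the signature, the comparison mixes signedness if `UPLOAD_BUFSIZE` is unsigned, which is worth a cast or a `nread < 0` check. `Curl_smtp_escape_eob` starts and ends outside the nested hunk.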
@@ -312,6 +316,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 11 2018 Kamil Dudka - 7.59.0-5 +- fix heap buffer overflow in SMTP send (CVE-2018-0500) + * Tue Jun 05 2018 Kamil Dudka - 7.59.0-4 - http2: handle GOAWAY properly (#1585797) From ab86f69980d8f5936b4fcfa98669c1bb8bfc1265 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 9 Aug 2018 13:37:25 +0200 Subject: [PATCH 05/14] Resolves: #1219544 - ssl: set engine implicitly when a PKCS#11 URI is provided --- 0006-curl-7.59.0-pkcs11.patch | 225 ++++++++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 233 insertions(+), 1 deletion(-) create mode 100644 0006-curl-7.59.0-pkcs11.patch diff --git a/0006-curl-7.59.0-pkcs11.patch b/0006-curl-7.59.0-pkcs11.patch new file mode 100644 index 0000000..d0f8ff1 --- /dev/null +++ b/0006-curl-7.59.0-pkcs11.patch 
@@ -0,0 +1,225 @@ +From cf48e08b1a7c480e43d6e66154e94c5029c0d335 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Mon, 19 Feb 2018 14:31:06 +0100 +Subject: [PATCH] ssl: set engine implicitly when a PKCS#11 URI is provided + +This allows the use of PKCS#11 URI for certificates and keys without +setting the corresponding type as "ENG" and the engine as "pkcs11" +explicitly. If a PKCS#11 URI is provided for certificate, key, +proxy_certificate or proxy_key, the corresponding type is set as "ENG" +if not provided and the engine is set to "pkcs11" if not provided. + +Acked-by: Nikos Mavrogiannopoulos +Closes #2333 + +Upstream-commit: 298d2565e2a2f06a859b7f5a1cc24ba7c87a8ce2 +Signed-off-by: Kamil Dudka +--- + docs/cmdline-opts/cert.d | 7 ++++++ + docs/cmdline-opts/key.d | 7 ++++++ + lib/vtls/openssl.c | 38 ++++++++++++++++++++++++++++ + src/tool_getparam.c | 2 +- + src/tool_operate.c | 53 ++++++++++++++++++++++++++++++++++++++++ + tests/unit/unit1394.c | 3 +++ + 6 files changed, 109 insertions(+), 1 deletion(-) + +diff --git a/docs/cmdline-opts/cert.d b/docs/cmdline-opts/cert.d +index 0cd5d53..ae6fe2f 100644 +--- a/docs/cmdline-opts/cert.d ++++ b/docs/cmdline-opts/cert.d +@@ -23,6 +23,13 @@ nickname contains ":", it needs to be preceded by "\\" so that it is not + recognized as password delimiter. If the nickname contains "\\", it needs to + be escaped as "\\\\" so that it is not recognized as an escape character. + ++If curl is built against OpenSSL library, and the engine pkcs11 is available, ++then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in ++a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a ++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set ++as "pkcs11" if none was provided and the --cert-type option will be set as ++"ENG" if none was provided. 
++ + (iOS and macOS only) If curl is built against Secure Transport, then the + certificate string can either be the name of a certificate/private key in the + system or user keychain, or the path to a PKCS#12-encoded certificate and +diff --git a/docs/cmdline-opts/key.d b/docs/cmdline-opts/key.d +index fbf583a..4877b42 100644 +--- a/docs/cmdline-opts/key.d ++++ b/docs/cmdline-opts/key.d +@@ -7,4 +7,11 @@ Private key file name. Allows you to provide your private key in this separate + file. For SSH, if not specified, curl tries the following candidates in order: + '~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'. + ++If curl is built against OpenSSL library, and the engine pkcs11 is available, ++then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a ++PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a ++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set ++as "pkcs11" if none was provided and the --key-type option will be set as ++"ENG" if none was provided. ++ + If this option is used several times, the last one will be used. 
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 2a6b3cf..5f16dbd 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -532,8 +532,25 @@ static int ssl_ui_writer(UI *ui, UI_STRING *uis) + } + return (UI_method_get_writer(UI_OpenSSL()))(ui, uis); + } ++ ++/* ++ * Check if a given string is a PKCS#11 URI ++ */ ++static bool is_pkcs11_uri(const char *string) ++{ ++ if(strncasecompare(string, "pkcs11:", 7)) { ++ return TRUE; ++ } ++ else { ++ return FALSE; ++ } ++} ++ + #endif + ++static CURLcode Curl_ossl_set_engine(struct Curl_easy *data, ++ const char *engine); ++ + static + int cert_stuff(struct connectdata *conn, + SSL_CTX* ctx, +@@ -596,6 +613,16 @@ int cert_stuff(struct connectdata *conn, + case SSL_FILETYPE_ENGINE: + #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME) + { ++ /* Implicitly use pkcs11 engine if none was provided and the ++ * cert_file is a PKCS#11 URI */ ++ if(!data->state.engine) { ++ if(is_pkcs11_uri(cert_file)) { ++ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { ++ return 0; ++ } ++ } ++ } ++ + if(data->state.engine) { + const char *cmd_name = "LOAD_CERT_CTRL"; + struct { +@@ -762,6 +789,17 @@ int cert_stuff(struct connectdata *conn, + #ifdef HAVE_OPENSSL_ENGINE_H + { /* XXXX still needs some work */ + EVP_PKEY *priv_key = NULL; ++ ++ /* Implicitly use pkcs11 engine if none was provided and the ++ * key_file is a PKCS#11 URI */ ++ if(!data->state.engine) { ++ if(is_pkcs11_uri(key_file)) { ++ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { ++ return 0; ++ } ++ } ++ } ++ + if(data->state.engine) { + UI_METHOD *ui_method = + UI_create_method((char *)"curl user interface"); +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 7ce9c28..6628247 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -337,7 +337,7 @@ void parse_cert_parameter(const char *cert_parameter, + * looks like a RFC7512 PKCS#11 URI which can be used as-is. 
+ * Also if cert_parameter contains no colon nor backslash, this + * means no passphrase was given and no characters escaped */ +- if(!strncmp(cert_parameter, "pkcs11:", 7) || ++ if(curl_strnequal(cert_parameter, "pkcs11:", 7) || + !strpbrk(cert_parameter, ":\\")) { + *certname = strdup(cert_parameter); + return; +diff --git a/src/tool_operate.c b/src/tool_operate.c +index e8b434a..fa44c70 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -113,6 +113,19 @@ static bool is_fatal_error(CURLcode code) + return FALSE; + } + ++/* ++ * Check if a given string is a PKCS#11 URI ++ */ ++static bool is_pkcs11_uri(const char *string) ++{ ++ if(curl_strnequal(string, "pkcs11:", 7)) { ++ return TRUE; ++ } ++ else { ++ return FALSE; ++ } ++} ++ + #ifdef __VMS + /* + * get_vms_file_size does what it takes to get the real size of the file +@@ -1057,6 +1070,46 @@ static CURLcode operate_do(struct GlobalConfig *global, + my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey); + + if(curlinfo->features & CURL_VERSION_SSL) { ++ /* Check if config->cert is a PKCS#11 URI and set the ++ * config->cert_type if necessary */ ++ if(config->cert) { ++ if(!config->cert_type) { ++ if(is_pkcs11_uri(config->cert)) { ++ config->cert_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->key is a PKCS#11 URI and set the ++ * config->key_type if necessary */ ++ if(config->key) { ++ if(!config->key_type) { ++ if(is_pkcs11_uri(config->key)) { ++ config->key_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->proxy_cert is a PKCS#11 URI and set the ++ * config->proxy_type if necessary */ ++ if(config->proxy_cert) { ++ if(!config->proxy_cert_type) { ++ if(is_pkcs11_uri(config->proxy_cert)) { ++ config->proxy_cert_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->proxy_key is a PKCS#11 URI and set the ++ * config->proxy_key_type if necessary */ ++ if(config->proxy_key) { ++ if(!config->proxy_key_type) { ++ if(is_pkcs11_uri(config->proxy_key)) { ++ 
config->proxy_key_type = strdup("ENG"); ++ } ++ } ++ } ++ + my_setopt_str(curl, CURLOPT_SSLCERT, config->cert); + my_setopt_str(curl, CURLOPT_PROXY_SSLCERT, config->proxy_cert); + my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type); +diff --git a/tests/unit/unit1394.c b/tests/unit/unit1394.c +index 667991d..010f052 100644 +--- a/tests/unit/unit1394.c ++++ b/tests/unit/unit1394.c +@@ -56,6 +56,9 @@ UNITTEST_START + "foo:bar\\\\", "foo", "bar\\\\", + "foo:bar:", "foo", "bar:", + "foo\\::bar\\:", "foo:", "bar\\:", ++ "pkcs11:foobar", "pkcs11:foobar", NULL, ++ "PKCS11:foobar", "PKCS11:foobar", NULL, ++ "PkCs11:foobar", "PkCs11:foobar", NULL, + #ifdef WIN32 + "c:\\foo:bar:baz", "c:\\foo", "bar:baz", + "c:\\foo\\:bar:baz", "c:\\foo:bar", "baz", +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index 008dd3f..a49e005 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -20,6 +20,9 @@ Patch4: 0004-curl-7.59.0-http2-GOAWAY.patch # fix heap buffer overflow in SMTP send (CVE-2018-0500) Patch5: 0005-curl-7.59.0-CVE-2018-0500.patch +# ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) +Patch6: 0006-curl-7.59.0-pkcs11.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -171,6 +174,7 @@ be installed. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 # Fedora patches %patch101 -p1 @@ -316,6 +320,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Aug 09 2018 Kamil Dudka - 7.59.0-6 +- ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) + * Wed Jul 11 2018 Kamil Dudka - 7.59.0-5 - fix heap buffer overflow in SMTP send (CVE-2018-0500) From 964e6fe0a35b78324a7c2b9618192029dabf2726 Mon Sep 17 00:00:00 2001 
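Review bot: The four `config->cert_type = strdup("ENG");`-style assignments added in `operate_do` (cert, key, proxy_cert, proxy_key) never check the `strdup` result, so an allocation failure silently leaves the type unset and the PKCS#11 URI is presumably then passed to the TLS backend as a plain file path. Each should be followed by a check in the style the surrounding function uses for its other allocations (not visible here), e.g. `if(!config->cert_type) return CURLE_OUT_OF_MEMORY;`. Separately, `is_pkcs11_uri` is defined twice with the same if/else body, in `lib/vtls/openssl.c` and `src/tool_operate.c`; each reduces to a single `return strncasecompare(string, "pkcs11:", 7);` (resp. `curl_strnequal`), and the openssl.c copy is called on `cert_file`/`key_file` without a NULL guard, which is fine only if `cert_stuff` guarantees non-NULL in the `SSL_FILETYPE_ENGINE` case — the hunk does not show that. The implicit `Curl_ossl_set_engine(data, "pkcs11")` means any `--cert`/`--key` argument merely beginning with `pkcs11:` now selects an engine and changes where key material is looked up; that behaviour change is documented in cert.d/key.d, and its failure path `return 0` follows cert_stuff's existing error convention. `cert_stuff` and `operate_do` both start and end outside the nested hunks.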
From: Kamil Dudka Date: Wed, 15 Aug 2018 13:56:12 +0200 Subject: [PATCH 06/14] Resolves: #1595135 - scp/sftp: fix infinite connect loop on invalid private key --- 0007-curl-7.61.0-libssh.patch | 133 ++++++++++++++++++++++++++++++++++ curl.spec | 16 +++- 2 files changed, 145 insertions(+), 4 deletions(-) create mode 100644 0007-curl-7.61.0-libssh.patch diff --git a/0007-curl-7.61.0-libssh.patch b/0007-curl-7.61.0-libssh.patch new file mode 100644 index 0000000..496e9b1 --- /dev/null +++ b/0007-curl-7.61.0-libssh.patch 
@@ -0,0 +1,133 @@ +From 155d4ffb7d40daf2afa0102f91f810675220ab6e Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 14 Aug 2018 13:14:49 +0200 +Subject: [PATCH 1/2] ssh-libssh: reduce excessive verbose output about pubkey + auth + +The verbose message "Authentication using SSH public key file" was +printed each time the ssh_userauth_publickey_auto() was called, which +meant each time a packet was transferred over network because the API +operates in non-blocking mode. + +This patch makes sure that the verbose message is printed just once +(when the authentication state is entered by the SSH state machine). + +Upstream-commit: 1e843a31a49484aeddf8f358e71392205f5fd6b1 +Signed-off-by: Kamil Dudka +--- + lib/ssh-libssh.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c +index cecf477ac..f40f074b9 100644 +--- a/lib/ssh-libssh.c ++++ b/lib/ssh-libssh.c +@@ -607,6 +607,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) + sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL); + if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) { + state(conn, SSH_AUTH_PKEY_INIT); ++ infof(data, "Authentication using SSH public key file\n"); + } + else if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) { + state(conn, SSH_AUTH_GSSAPI); +@@ -659,8 +660,6 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) + + } + else { +- infof(data, "Authentication using SSH public key file\n"); +- + rc = ssh_userauth_publickey_auto(sshc->ssh_session, NULL, + data->set.ssl.key_passwd); + if(rc == SSH_AUTH_AGAIN) { +-- +2.17.1 + + +From 4b445519694ab620bd6376066844a7076e8ce4ab Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 14 Aug 2018 12:47:18 +0200 +Subject: [PATCH 2/2] ssh-libssh: fix infinite connect loop on invalid private + key + +Added test 656 (based on test 604) to verify the fix. 
+ +Bug: https://bugzilla.redhat.com/1595135 + +Closes #2879 + +Upstream-commit: a4c7911a48dadb4f68ba6b38bb1bf3f061b747f6 +Signed-off-by: Kamil Dudka +--- + lib/ssh-libssh.c | 1 + + tests/data/Makefile.inc | 2 +- + tests/data/test656 | 33 +++++++++++++++++++++++++++++++++ + 3 files changed, 35 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test656 + +diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c +index f40f074b9..12d618cfe 100644 +--- a/lib/ssh-libssh.c ++++ b/lib/ssh-libssh.c +@@ -652,6 +652,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) + if(rc != SSH_OK) { + failf(data, "Could not load private key file %s", + data->set.str[STRING_SSH_PRIVATE_KEY]); ++ MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED); + break; + } + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 20274b37c..518a5a543 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -83,7 +83,7 @@ test617 test618 test619 test620 test621 test622 test623 test624 test625 \ + test626 test627 test628 test629 test630 test631 test632 test633 test634 \ + test635 test636 test637 test638 test639 test640 test641 test642 \ + test643 test644 test645 test646 test647 test648 test649 test650 test651 \ +-test652 test653 test654 test655 \ ++test652 test653 test654 test655 test656 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 \ +diff --git a/tests/data/test656 b/tests/data/test656 +new file mode 100644 +index 000000000..4107d3d17 +--- /dev/null ++++ b/tests/data/test656 +@@ -0,0 +1,33 @@ ++ ++ ++ ++SFTP ++FAILURE ++ ++ ++ ++# ++# Client-side ++ ++ ++sftp ++ ++ ++SFTP retrieval with nonexistent private key file ++ ++ ++--key DOES_NOT_EXIST --pubkey curl_client_key.pub -u %USER: sftp://%HOSTIP:%SSHPORT%PWD/not-a-valid-file-moooo --insecure --connect-timeout 8 ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++disable ++ ++ ++67 ++ ++ ++ +-- 
+2.17.1 + diff --git a/curl.spec b/curl.spec index a49e005..1e7aff0 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -23,6 +23,9 @@ Patch5: 0005-curl-7.59.0-CVE-2018-0500.patch # ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) Patch6: 0006-curl-7.59.0-pkcs11.patch +# scp/sftp: fix infinite connect loop on invalid private key (#1595135) +Patch7: 0007-curl-7.61.0-libssh.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -35,7 +38,8 @@ Patch104: 0104-curl-7.19.7-localhost6.patch Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.haxx.se/ -#BuildRequires: automake + +BuildRequires: automake BuildRequires: coreutils BuildRequires: gcc BuildRequires: groff @@ -175,6 +179,7 @@ be installed. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 # Fedora patches %patch101 -p1 @@ -182,8 +187,8 @@ be installed. %patch104 -p1 # regenerate Makefile.in files -#aclocal -I m4 -#automake +aclocal -I m4 +automake # disable test 1112 (#565305) and test 1801 # @@ -320,6 +325,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 05 2018 Kamil Dudka - 7.59.0-7 +- scp/sftp: fix infinite connect loop on invalid private key (#1595135) + * Thu Aug 09 2018 Kamil Dudka - 7.59.0-6 - ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) From 503408095bf15813c472c371f8b4c2fd23b59d60 Mon Sep 17 00:00:00 2001 
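Review bot: The spec hunk re-enables `BuildRequires: automake` and the `aclocal -I m4` / `automake` regeneration step, but neither the commit message nor the spec says why; the reason appears to be that `Patch7` (`0007-curl-7.61.0-libssh.patch`) modifies `tests/data/Makefile.inc`, which only takes effect once the Makefile.in files are regenerated. Extending the existing comment to `# regenerate Makefile.in files (Patch7 modifies tests/data/Makefile.inc)` would keep the next maintainer from commenting the step out again. Note also that `automake` runs without `--add-missing`, so if the tarball's auxiliary files ever lag the installed automake the build fails at that step — presumably acceptable for a distribution build, but worth knowing.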
From: Kamil Dudka Date: Mon, 27 Aug 2018 15:58:33 +0200 Subject: [PATCH 07/14] Related: #1622594 - tests: make ssh-keygen always produce PEM format The default format produced by openssh-7.8p1 cannot be consumed by currently available versions of libssh and libssh2. --- 0105-curl-7.61.0-tests-ssh-keygen.patch | 33 +++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 38 insertions(+) create mode 100644 0105-curl-7.61.0-tests-ssh-keygen.patch diff --git a/0105-curl-7.61.0-tests-ssh-keygen.patch b/0105-curl-7.61.0-tests-ssh-keygen.patch new file mode 100644 index 0000000..b8b9ffb --- /dev/null +++ b/0105-curl-7.61.0-tests-ssh-keygen.patch @@ -0,0 +1,33 @@ +From daded1aff280104d16e405fcd1be1a857c74b191 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 27 Aug 2018 15:53:35 +0200 +Subject: [PATCH] tests: make ssh-keygen always produce PEM format + +The default format produced by openssh-7.8p1 cannot be consumed +by currently available versions of libssh and libssh2. +--- + tests/sshserver.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/sshserver.pl b/tests/sshserver.pl +index 9b3d122..d477a02 100755 +--- a/tests/sshserver.pl ++++ b/tests/sshserver.pl +@@ -372,12 +372,12 @@ if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) || + # Make sure all files are gone so ssh-keygen doesn't complain + unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf); + logmsg 'generating host keys...' if($verbose); +- if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N ''") { ++ if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N '' -m PEM") { + logmsg 'Could not generate host key'; + exit 1; + } + logmsg 'generating client keys...' if($verbose); +- if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N ''") { ++ if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N '' -m PEM") { + logmsg 'Could not generate client key'; + exit 1; + } +-- +2.17.1 + 
diff --git a/curl.spec b/curl.spec index 1e7aff0..c0d7575 100644 --- a/curl.spec +++ b/curl.spec @@ -35,6 +35,9 @@ Patch102: 0102-curl-7.36.0-debug.patch # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch +# tests: make ssh-keygen always produce PEM format (#1622594) +Patch105: 0105-curl-7.61.0-tests-ssh-keygen.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.haxx.se/ @@ -185,6 +188,7 @@ be installed. %patch101 -p1 %patch102 -p1 %patch104 -p1 +%patch105 -p1 # regenerate Makefile.in files aclocal -I m4 @@ -326,6 +330,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Sep 05 2018 Kamil Dudka - 7.59.0-7 +- tests: make ssh-keygen always produce PEM format (#1622594) - scp/sftp: fix infinite connect loop on invalid private key (#1595135) * Thu Aug 09 2018 Kamil Dudka - 7.59.0-6 From 5f4e92def348a7733bdce0d2aeb7d57b2a42000e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 5 Sep 2018 13:03:52 +0200 Subject: [PATCH 08/14] Resolves: CVE-2018-14618 - fix NTLM password overflow via integer overflow --- 0008-curl-7.59.0-CVE-2018-14618.patch | 72 +++++++++++++++++++++++++++ curl.spec | 5 ++ 2 files changed, 77 insertions(+) create mode 100644 0008-curl-7.59.0-CVE-2018-14618.patch diff --git a/0008-curl-7.59.0-CVE-2018-14618.patch b/0008-curl-7.59.0-CVE-2018-14618.patch new file mode 100644 index 0000000..e9ed142 --- /dev/null +++ b/0008-curl-7.59.0-CVE-2018-14618.patch 
@@ -0,0 +1,72 @@ +From 114b31ab5b7e6965b629697020a7ce4b6cea340e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 13 Aug 2018 10:35:52 +0200 +Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password + +... since it would cause an integer overflow if longer than (max size_t +/ 2). + +This is CVE-2018-14618 + +Bug: https://curl.haxx.se/docs/CVE-2018-14618.html +Closes #2756 +Reported-by: Zhaoyang Wu + +Upstream-commit: 57d299a499155d4b327e341c6024e293b0418243 +Signed-off-by: Kamil Dudka +--- + lib/curl_ntlm_core.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c +index e896276..e5c785d 100644 +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -143,6 +143,15 @@ + #define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00" + #define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4) + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ ++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) ++#define SIZE_T_MAX 18446744073709551615U ++#else ++#define SIZE_T_MAX 4294967295U ++#endif ++#endif ++ + /* + * Turns a 56-bit key into being 64-bit wide. + */ +@@ -557,8 +566,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, + unsigned char *ntbuffer /* 21 bytes */) + { + size_t len = strlen(password); +- unsigned char *pw = len ? malloc(len * 2) : strdup(""); ++ unsigned char *pw; + CURLcode result; ++ if(len > SIZE_T_MAX/2) /* avoid integer overflow */ ++ return CURLE_OUT_OF_MEMORY; ++ pw = len ? 
malloc(len * 2) : strdup(""); + if(!pw) + return CURLE_OUT_OF_MEMORY; + +@@ -646,15 +658,6 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, + return CURLE_OK; + } + +-#ifndef SIZE_T_MAX +-/* some limits.h headers have this defined, some don't */ +-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) +-#define SIZE_T_MAX 18446744073709551615U +-#else +-#define SIZE_T_MAX 4294967295U +-#endif +-#endif +- + /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode + * (uppercase UserName + Domain) as the data + */ +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index c0d7575..b7041ad 100644 --- a/curl.spec +++ b/curl.spec @@ -26,6 +26,9 @@ Patch6: 0006-curl-7.59.0-pkcs11.patch # scp/sftp: fix infinite connect loop on invalid private key (#1595135) Patch7: 0007-curl-7.61.0-libssh.patch +# fix NTLM password overflow via integer overflow (CVE-2018-14618) +Patch8: 0008-curl-7.59.0-CVE-2018-14618.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -183,6 +186,7 @@ be installed. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 # Fedora patches %patch101 -p1 @@ -330,6 +334,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Sep 05 2018 Kamil Dudka - 7.59.0-7 +- fix NTLM password overflow via integer overflow (CVE-2018-14618) - tests: make ssh-keygen always produce PEM format (#1622594) - scp/sftp: fix infinite connect loop on invalid private key (#1595135) From 6c95600feddc0b86189ebf037d2099ad84a94835 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 4 Oct 2018 15:40:31 +0200 Subject: [PATCH 09/14] test320: update expected output for gnutls-3.6.4 --- 0009-curl-7.59.0-test320-gnutls.patch | 63 +++++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 0009-curl-7.59.0-test320-gnutls.patch diff --git a/0009-curl-7.59.0-test320-gnutls.patch b/0009-curl-7.59.0-test320-gnutls.patch new file mode 100644 index 0000000..a9cbaac 
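Review bot: The SIZE_T_MAX fallback block is relocated from below Curl_hmac_md5 to line 143 with no hint why; the reason — Curl_ntlm_core_mk_nt_hash at line 557 precedes the old location and could not see the macro — deserves a line in the block itself, e.g. `/* defined early: needed by Curl_ntlm_core_mk_nt_hash below */`. Patch 0012 later in this series deletes exactly this block (its `@@ -143,15 +143,6 @@` hunk against curl_ntlm_core.c) and recreates it in curl_setup.h, so the two patches only apply cleanly as a pair and must be backported together. The bound `len > SIZE_T_MAX/2` is the right one for `malloc(len * 2)`, but `CURLE_OUT_OF_MEMORY` for an over-long password is opaque to callers; the comment could say the code is reused deliberately, e.g. `/* avoid integer overflow in len * 2; reported as OOM for lack of a better code */`. Curl_ntlm_core_mk_nt_hash continues past the hunk.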
--- /dev/null +++ b/0009-curl-7.59.0-test320-gnutls.patch @@ -0,0 +1,63 @@ +From 3cd5b375e31fb98e4782dc3a77e7316ad9eb26cf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 4 Oct 2018 15:34:13 +0200 +Subject: [PATCH] test320: strip out more HTML when comparing + +To make the test case work with different gnutls-serv versions better. + +Reported-by: Kamil Dudka +Fixes #3093 +Closes #3094 + +Upstream-commit: 94ad57b0246b5658c2a9139dbe6a80efa4c4e2f3 +Signed-off-by: Kamil Dudka +--- + tests/data/test320 | 24 ++++-------------------- + 1 file changed, 4 insertions(+), 20 deletions(-) + +diff --git a/tests/data/test320 b/tests/data/test320 +index 457a11eb2..87311d4f2 100644 +--- a/tests/data/test320 ++++ b/tests/data/test320 +@@ -62,34 +62,18 @@ simple TLS-SRP HTTPS GET, check user in response + HTTP/1.0 200 OK + Content-type: text/html + +- +- +-

This is GnuTLS

+- +- +- +-
If your browser supports session resuming, then you should see the same session ID, when you press the reload button.
+-

Connected as user 'jsmith'.

+-

+- +- +- +- +- +-

Key Exchange:SRP
CompressionNULL
CipherAES-NNN-CBC
MACSHA1
CiphersuiteSRP_SHA_AES_NNN_CBC_SHA1
+-


Your HTTP header was:

Host: %HOSTIP:%HTTPTLSPORT
++FINE
+ User-Agent: curl-test-suite
+ Accept: */*
+ 
+-

+- +- + + +-s/^

Session ID:.*// ++s/^

Connected as user 'jsmith'.*/FINE/ + s/Protocol version:.*[0-9]// + s/GNUTLS/GnuTLS/ + s/(AES[-_])\d\d\d([-_]CBC)/$1NNN$2/ ++s/^<.*\n// ++s/^\n// + + + +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index b7041ad..f031f2e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -29,6 +29,9 @@ Patch7: 0007-curl-7.61.0-libssh.patch # fix NTLM password overflow via integer overflow (CVE-2018-14618) Patch8: 0008-curl-7.59.0-CVE-2018-14618.patch +# test320: update expected output for gnutls-3.6.4 +Patch9: 0009-curl-7.59.0-test320-gnutls.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -187,6 +190,7 @@ be installed. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 # Fedora patches %patch101 -p1 @@ -333,6 +337,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 01 2018 Kamil Dudka - 7.59.0-8 +- test320: update expected output for gnutls-3.6.4 + * Wed Sep 05 2018 Kamil Dudka - 7.59.0-7 - fix NTLM password overflow via integer overflow (CVE-2018-14618) - tests: make ssh-keygen always produce PEM format (#1622594) From 796d905297bafdca5ff3bbfb51bf57620b48227d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 1 Nov 2018 09:45:48 +0100 Subject: [PATCH 10/14] Resolves: CVE-2018-16842 - fix bad arethmetic when outputting warnings to stderr Use `git apply` to apply the patch because `patch` would fail with: File tests/data/test2080: git binary diffs are not supported. --- 0010-curl-7.59.0-CVE-2018-16842.patch | 78 +++++++++++++++++++++++++++ curl.spec | 7 +++ 2 files changed, 85 insertions(+) create mode 100644 0010-curl-7.59.0-CVE-2018-16842.patch 
diff --git a/0010-curl-7.59.0-CVE-2018-16842.patch b/0010-curl-7.59.0-CVE-2018-16842.patch
new file mode 100644
index 0000000..6903ad6
--- /dev/null
+++ b/0010-curl-7.59.0-CVE-2018-16842.patch
@@ -0,0 +1,78 @@ +From 27d6c92acdac671ddf8f77f72956b2181561f774 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 28 Oct 2018 01:33:23 +0200 +Subject: [PATCH 1/2] voutf: fix bad arethmetic when outputting warnings to + stderr + +CVE-2018-16842 +Reported-by: Brian Carpenter +Bug: https://curl.haxx.se/docs/CVE-2018-16842.html + +Upstream-commit: d530e92f59ae9bb2d47066c3c460b25d2ffeb211 +Signed-off-by: Kamil Dudka +--- + src/tool_msgs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tool_msgs.c b/src/tool_msgs.c +index 9cce806..05bec39 100644 +--- a/src/tool_msgs.c ++++ b/src/tool_msgs.c +@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config, + (void)fwrite(ptr, cut + 1, 1, config->errors); + fputs("\n", config->errors); + ptr += cut + 1; /* skip the space too */ +- len -= cut; ++ len -= cut + 1; + } + else { + fputs(ptr, config->errors); +-- +2.17.2 + + +From 23f8c641b02e6c302d0e8cc5a5ee225a33b01f28 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 28 Oct 2018 10:43:57 +0100 +Subject: [PATCH 2/2] test2080: verify the fix for CVE-2018-16842 + +Upstream-commit: 350306e4726b71b5b386fc30e3fecc039a807157 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 3 ++- + tests/data/test2080 | Bin 0 -> 20659 bytes + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test2080 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index e045748..aa5fff0 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -194,4 +194,5 @@ test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \ + test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \ + test2064 test2065 test2066 test2067 test2068 test2069 \ + \ +-test2070 test2071 test2072 test2073 ++test2070 test2071 test2072 test2073 \ ++test2080 +diff --git a/tests/data/test2080 b/tests/data/test2080 +new file mode 100644 +index 
0000000000000000000000000000000000000000..47e376ecb5d7879c0a98e392bff48ccc52e9db0a +GIT binary patch +literal 20659 +zcmeI)Pj3@35QkyT{uI*`iBshYE(n>u@JB+F3kdG+t~asjwJY0gl}``eO+)FONU8ef +zl6Ca+%A4K8~qdz +zd{+G6l*#ToY+DU||F9%J1n*+KPxQ;7MapuoQ!&MMQSXmpqMh0_yS6g=;N;HNjilBk +zY$c?)mULZxib{;$g~jw~nrs|8b@sJI)_QmS_4(WLrNld}2Y0LEO$e>m->_NA&o$n! +z9^YDZ>cvMs2q1s}0tg_000PG)@a?$9VHyMwKmY**5I_I{1Q0m1z~!MEP#*yV5I_I{ +z1Q0*~0R#|0009ILKmY**4ldvh-hl=PAb-+Xw`j-8D +zzg+g?Rt8(G*s;1Sb>n1S94H%G - 7.59.0-8 +- fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842) - test320: update expected output for gnutls-3.6.4 * Wed Sep 05 2018 Kamil Dudka - 7.59.0-7 From 00c5d944d93e5ca4efc1776ec1419f79c1cb05f7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 1 Nov 2018 09:59:22 +0100 Subject: [PATCH 11/14] Resolves: CVE-2018-16840 - fix use-after-free in handle close --- 0011-curl-7.59.0-CVE-2018-16840.patch | 39 +++++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 44 insertions(+) create mode 100644 0011-curl-7.59.0-CVE-2018-16840.patch diff --git a/0011-curl-7.59.0-CVE-2018-16840.patch b/0011-curl-7.59.0-CVE-2018-16840.patch new file mode 100644 index 0000000..43f5eb2 --- /dev/null +++ b/0011-curl-7.59.0-CVE-2018-16840.patch 
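Review bot: The corrected `len -= cut + 1;` only makes sense together with `ptr += cut + 1;` on the line above, and that pairing is the whole CVE fix, so a comment tying the two would keep a future edit from letting them drift again, e.g. `/* keep len in step with ptr: both skip the cut position and the following space */`. Whether `cut + 1 <= len` always holds depends on how `cut` is chosen earlier in voutf, which begins before the hunk; presumably it is bounded by a line width smaller than `len` — confirm. The second nested patch adds tests/data/test2080 as a git binary blob, which is why the spec must apply this file with `git apply` instead of `%patch`.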
@@ -0,0 +1,39 @@
+From 235f209a0e62edee654be441a50bb0c154edeaa5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 18 Oct 2018 15:07:15 +0200
+Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid
+ use-after-free
+
+Regression from b46cfbc068 (7.59.0)
+CVE-2018-16840
+Reported-by: Brian Carpenter (Geeknik Labs)
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
+
+Upstream-commit: 81d135d67155c5295b1033679c606165d4e28f3f
+Signed-off-by: Kamil Dudka
+---
+ lib/url.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index f159008..dcc1ecc 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -320,10 +320,12 @@ CURLcode Curl_close(struct Curl_easy *data)
+ and detach this handle from there. */
+ curl_multi_remove_handle(data->multi, data);
+
+- if(data->multi_easy)
++ if(data->multi_easy) {
+ /* when curl_easy_perform() is used, it creates its own multi handle to
+ use and this is the one */
+ curl_multi_cleanup(data->multi_easy);
++ data->multi_easy = NULL;
++ }
+
+ /* Destroy the timeout list that is held in the easy handle. It is
+ /normally/ done by curl_multi_remove_handle() but this is "just in
+--
+2.17.2
+
diff --git a/curl.spec b/curl.spec
index 43e035e..6cd55a8 100644
--- a/curl.spec
+++ b/curl.spec
@@ -37,6 +37,9 @@ Patch10: 0010-curl-7.59.0-CVE-2018-16842.patch
 # we need `git apply` to apply this patch
 BuildRequires: git
+# fix use-after-free in handle close (CVE-2018-16840)
+Patch11: 0011-curl-7.59.0-CVE-2018-16840.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -197,6 +200,7 @@ be installed.
 %patch8 -p1
 %patch9 -p1
 git apply %{PATCH10}
+%patch11 -p1
 # Fedora patches
 %patch101 -p1
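Review bot: The same nulling is not applied to `data->multi` three lines up: `curl_multi_remove_handle(data->multi, data)` detaches the handle, and unless that call clears the field itself (it is outside the hunk), `data->multi` is left pointing at a multi handle this easy handle no longer belongs to — the same shape of stale pointer the fix removes for `multi_easy`. If the callee does not reset it, `data->multi = NULL;` after the call would mirror the new `data->multi_easy = NULL;`; worth confirming either way. A one-line comment on the new assignment, `/* freed above; clear it so later cleanup in this function cannot read it */`, would record the regression this fixes. Curl_close continues on both sides of the hunk.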
@@ -344,6 +348,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Nov 01 2018 Kamil Dudka - 7.59.0-8 +- fix use-after-free in handle close (CVE-2018-16840) - fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842) - test320: update expected output for gnutls-3.6.4 From a1bd4f84de03b8d4f0f1c65acba7914cd9c601ce Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 1 Nov 2018 10:07:35 +0100 Subject: [PATCH 12/14] Resolves: CVE-2018-16839 - SASL password overflow via integer overflow --- 0012-curl-7.59.0-CVE-2018-16839.patch | 136 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 141 insertions(+) create mode 100644 0012-curl-7.59.0-CVE-2018-16839.patch diff --git a/0012-curl-7.59.0-CVE-2018-16839.patch b/0012-curl-7.59.0-CVE-2018-16839.patch new file mode 100644 index 0000000..5570f44 --- /dev/null +++ b/0012-curl-7.59.0-CVE-2018-16839.patch 
@@ -0,0 +1,136 @@ +From 4df8ff21144236497fc92521d79fbca2dc079686 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 20 Mar 2018 15:15:14 +0100 +Subject: [PATCH 1/2] vauth/cleartext: fix integer overflow check + +Make the integer overflow check not rely on the undefined behavior that +a size_t wraps around on overflow. + +Detected by lgtm.com +Closes #2408 + +Upstream-commit: c1366571b609407cf0d4d9f4a2769d29e1313151 +Signed-off-by: Kamil Dudka +--- + lib/curl_ntlm_core.c | 11 +---------- + lib/curl_setup.h | 9 +++++++++ + lib/vauth/cleartext.c | 14 ++++---------- + 3 files changed, 14 insertions(+), 20 deletions(-) + +diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c +index e5c785d..b69c293 100644 +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -143,15 +143,6 @@ + #define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00" + #define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4) + +-#ifndef SIZE_T_MAX +-/* some limits.h headers have this defined, some don't */ +-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) +-#define SIZE_T_MAX 18446744073709551615U +-#else +-#define SIZE_T_MAX 4294967295U +-#endif +-#endif +- + /* + * Turns a 56-bit key into being 64-bit wide. 
+ */ +diff --git a/lib/curl_setup.h b/lib/curl_setup.h +index f128696..e4503c6 100644 +--- a/lib/curl_setup.h ++++ b/lib/curl_setup.h +@@ -447,6 +447,15 @@ + # endif + #endif + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ ++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) ++#define SIZE_T_MAX 18446744073709551615U ++#else ++#define SIZE_T_MAX 4294967295U ++#endif ++#endif ++ + /* + * Arg 2 type for gethostname in case it hasn't been defined in config file. + */ +diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c +index a761ae7..5d61ce6 100644 +--- a/lib/vauth/cleartext.c ++++ b/lib/vauth/cleartext.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, + ulen = strlen(userp); + plen = strlen(passwdp); + +- /* Compute binary message length, checking for overflows. */ +- plainlen = 2 * ulen; +- if(plainlen < ulen) +- return CURLE_OUT_OF_MEMORY; +- plainlen += plen; +- if(plainlen < plen) +- return CURLE_OUT_OF_MEMORY; +- plainlen += 2; +- if(plainlen < 2) ++ /* Compute binary message length. Check for overflows. 
*/ ++ if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) + return CURLE_OUT_OF_MEMORY; ++ plainlen = 2 * ulen + plen + 2; + + plainauth = malloc(plainlen); + if(!plainauth) +-- +2.17.2 + + +From ad9943254ded9a983af7d581e8a1f3317e8a8781 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 28 Sep 2018 16:08:16 +0200 +Subject: [PATCH 2/2] Curl_auth_create_plain_message: fix too-large-input-check + +CVE-2018-16839 +Reported-by: Harry Sintonen +Bug: https://curl.haxx.se/docs/CVE-2018-16839.html + +Upstream-commit: f3a24d7916b9173c69a3e0ee790102993833d6c5 +Signed-off-by: Kamil Dudka +--- + lib/vauth/cleartext.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c +index 5d61ce6..1367143 100644 +--- a/lib/vauth/cleartext.c ++++ b/lib/vauth/cleartext.c +@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, + plen = strlen(passwdp); + + /* Compute binary message length. Check for overflows. */ +- if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) ++ if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) + return CURLE_OUT_OF_MEMORY; + plainlen = 2 * ulen + plen + 2; + +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index 6cd55a8..d26bec3 100644 --- a/curl.spec +++ b/curl.spec @@ -40,6 +40,9 @@ BuildRequires: git # fix use-after-free in handle close (CVE-2018-16840) Patch11: 0011-curl-7.59.0-CVE-2018-16840.patch +# SASL password overflow via integer overflow (CVE-2018-16839) +Patch12: 0012-curl-7.59.0-CVE-2018-16839.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -201,6 +204,7 @@ be installed. %patch9 -p1 git apply %{PATCH10} %patch11 -p1 +%patch12 -p1 # Fedora patches %patch101 -p1 
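Review bot: The final check `(ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))` is correct only because of an arithmetic relation the code never states, and the first nested patch shows how easily it goes wrong: with `SIZE_T_MAX/2` as the bound on ulen, `2 * ulen + plen + 2` could wrap, which is exactly the CVE the second nested patch fixes. A derivation comment above the condition would guard the next edit, e.g. `/* 2*ulen <= SIZE_T_MAX/2 and plen + 2 <= SIZE_T_MAX/2, so plainlen below cannot wrap */`. Note also that the replaced checks (`if(plainlen < ulen)` and friends) were well-defined C — unsigned wrap-around is not undefined behaviour — so the rewrite is a readability change rather than a UB fix, and the state between the two nested patches is the vulnerable one; keeping both in one patch file, as done here, is the right call. Curl_auth_create_plain_message continues outside the hunk.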
@@ -348,6 +352,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Nov 01 2018 Kamil Dudka - 7.59.0-8 +- SASL password overflow via integer overflow (CVE-2018-16839) - fix use-after-free in handle close (CVE-2018-16840) - fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842) - test320: update expected output for gnutls-3.6.4 From 58646f29ccd62a0703ed6cd56ca854328ca0b817 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 15 Nov 2018 15:32:09 +0100 Subject: [PATCH 13/14] Resolves: CVE-2018-16842 - make the patch for CVE-2018-16842 apply properly `git apply` fails silently unless `git init` is invoked first. --- curl.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index d26bec3..337ec68 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 8%{?dist} +Release: 9%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -202,6 +202,7 @@ be installed. %patch7 -p1 %patch8 -p1 %patch9 -p1 +git init git apply %{PATCH10} %patch11 -p1 %patch12 -p1 @@ -351,6 +352,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 15 2018 Kamil Dudka - 7.59.0-9 +- make the patch for CVE-2018-16842 apply properly (CVE-2018-16842) + * Thu Nov 01 2018 Kamil Dudka - 7.59.0-8 - SASL password overflow via integer overflow (CVE-2018-16839) - fix use-after-free in handle close (CVE-2018-16840) From 77901fea1dce2a28df17ec8a623709f82d4f307d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 11 Feb 2019 13:22:07 +0100 Subject: [PATCH 14/14] make zsh completion work again --- 0013-curl-7.61.1-zsh-completion.patch | 76 +++++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 0013-curl-7.61.1-zsh-completion.patch 
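Review bot: `git init` cures the silent no-op described in the commit message, but nothing afterwards verifies that `git apply %{PATCH10}` actually landed, so the same class of failure could recur unnoticed; a cheap assertion right after it, e.g. `test -f tests/data/test2080` (the file that patch adds), turns a future silent skip into a build failure. `git apply --verbose` would additionally make the apply visible in the build log. The fresh .git directory stays in the build tree; that is harmless for %files, but a comment next to `git init` saying why it is there would stop someone from removing it as stray.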
diff --git a/0013-curl-7.61.1-zsh-completion.patch b/0013-curl-7.61.1-zsh-completion.patch
new file mode 100644
index 0000000..770a15b
--- /dev/null
+++ b/0013-curl-7.61.1-zsh-completion.patch
@@ -0,0 +1,76 @@ +From 082034e2334b2d0795b2b324ff3e0635bb7d2b86 Mon Sep 17 00:00:00 2001 +From: Alessandro Ghedini +Date: Tue, 5 Feb 2019 20:44:14 +0000 +Subject: [PATCH 1/2] zsh.pl: update regex to better match curl -h output + +The current regex fails to match '<...>' arguments properly (e.g. those +with spaces in them), which causes an completion script with wrong +descriptions for some options. + +The problem can be reproduced as follows: + +% curl --reso + +Upstream-commit: dbd32f3241b297b96ee11a51da1a661f528ca026 +Signed-off-by: Kamil Dudka +--- + scripts/zsh.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/zsh.pl b/scripts/zsh.pl +index 1257190..941b322 100755 +--- a/scripts/zsh.pl ++++ b/scripts/zsh.pl +@@ -7,7 +7,7 @@ use warnings; + + my $curl = $ARGV[0] || 'curl'; + +-my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s([^\s.]+)?\s+(.*)'; ++my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s*(\<.+?\>)?\s+(.*)'; + my @opts = parse_main_opts('--help', $regex); + + my $opts_str; +-- +2.17.2 + + +From 45abc785e101346f19599aa5f9fa1617e525ec4d Mon Sep 17 00:00:00 2001 +From: Alessandro Ghedini +Date: Tue, 5 Feb 2019 21:06:26 +0000 +Subject: [PATCH 2/2] zsh.pl: escape ':' character + +':' is interpreted as separator by zsh, so if used as part of the argument +or option's description it needs to be escaped. 
+ +The problem can be reproduced as follows: + +% curl -E + +Bug: https://bugs.debian.org/921452 + +Upstream-commit: b3cc8017b7364f588365be2b2629c49c142efdb7 +Signed-off-by: Kamil Dudka +--- + scripts/zsh.pl | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/zsh.pl b/scripts/zsh.pl +index 941b322..0f9cbec 100755 +--- a/scripts/zsh.pl ++++ b/scripts/zsh.pl +@@ -45,9 +45,12 @@ sub parse_main_opts { + + my $option = ''; + ++ $arg =~ s/\:/\\\:/g if defined $arg; ++ + $desc =~ s/'/'\\''/g if defined $desc; + $desc =~ s/\[/\\\[/g if defined $desc; + $desc =~ s/\]/\\\]/g if defined $desc; ++ $desc =~ s/\:/\\\:/g if defined $desc; + + $option .= '{' . trim($short) . ',' if defined $short; + $option .= trim($long) if defined $long; +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index 337ec68..ad34021 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -43,6 +43,9 @@ Patch11: 0011-curl-7.59.0-CVE-2018-16840.patch # SASL password overflow via integer overflow (CVE-2018-16839) Patch12: 0012-curl-7.59.0-CVE-2018-16839.patch +# make zsh completion work again +Patch13: 0013-curl-7.61.1-zsh-completion.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -206,6 +209,7 @@ git init git apply %{PATCH10} %patch11 -p1 %patch12 -p1 +%patch13 -p1 # Fedora patches %patch101 -p1 @@ -352,6 +356,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 11 2019 Kamil Dudka - 7.61.1-10 +- make zsh completion work again + * Thu Nov 15 2018 Kamil Dudka - 7.59.0-9 - make the patch for CVE-2018-16842 apply properly (CVE-2018-16842)
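Review bot: The new regex only recognises an argument written as `<...>`; an option whose argument is documented in bracket form (a constructed example: `[protocol://]host[:port]`, if curl's --help still prints any such) no longer matches `(\<.+?\>)?`, and backtracking lets `\s+(.*)` swallow it into the description, which the old `([^\s.]+)?` group did capture as the argument. Separately, `$arg` gets only `:` escaped while `$desc` also has `'`, `[` and `]` escaped a few lines below; applying the same four substitutions to `$arg` would be consistent, since both strings reach zsh the same way. `\:` in both new patterns is just a literal `:`, so `s/:/\\:/g` reads the same without the needless escape. parse_main_opts begins before the hunk, and the later use of `$arg` and `$desc` is outside it.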
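Review bot: The new changelog entry is stamped `7.61.1-10` while this same commit keeps `Version: 7.59.0` and bumps `Release:` to 10, so the entry should read `* Mon Feb 11 2019 Kamil Dudka - 7.59.0-10`; rpmlint reports the mismatch as incoherent-version-in-changelog. The 7.61.1 in the patch file name records the upstream version the fix was taken from, which is fine, but the changelog line must track the package's own EVR.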