From 897deaff421b574b482353a81e949b1b0618f8ad Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 13 Sep 2023 13:32:33 +0200 Subject: [PATCH 1/8] Resolves: CVE-2023-38039 - fix HTTP headers eat all memory --- 0001-curl-8.2.1-CVE-2023-38039.patch | 217 +++++++++++++++++++++++++++ curl.spec | 8 +- 2 files changed, 224 insertions(+), 1 deletion(-) create mode 100644 0001-curl-8.2.1-CVE-2023-38039.patch diff --git a/0001-curl-8.2.1-CVE-2023-38039.patch b/0001-curl-8.2.1-CVE-2023-38039.patch new file mode 100644 index 0000000..9e42c90 --- /dev/null +++ b/0001-curl-8.2.1-CVE-2023-38039.patch 
@@ -0,0 +1,217 @@ +From 831c077c6d3a9466417f8a7b310177fca946a4cc Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 2 Aug 2023 23:34:48 +0200 +Subject: [PATCH] http: return error when receiving too large header set + +To avoid abuse. The limit is set to 300 KB for the accumulated size of +all received HTTP headers for a single response. Incomplete research +suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to +1MB. + +Closes #11582 + +(cherry picked from commit 3ee79c1674fd6f99e8efca52cd7510e08b766770) +Signed-off-by: Jan Macku +--- + lib/c-hyper.c | 12 +++++++----- + lib/cf-h1-proxy.c | 4 +++- + lib/http.c | 34 ++++++++++++++++++++++++++++++---- + lib/http.h | 9 +++++++++ + lib/pingpong.c | 4 +++- + lib/urldata.h | 17 ++++++++--------- + 6 files changed, 60 insertions(+), 20 deletions(-) + +diff --git a/lib/c-hyper.c b/lib/c-hyper.c +index c29983c0b..0b9d9ab47 100644 +--- a/lib/c-hyper.c ++++ b/lib/c-hyper.c +@@ -182,8 +182,11 @@ static int hyper_each_header(void *userdata, + } + } + +- data->info.header_size += (curl_off_t)len; +- data->req.headerbytecount += (curl_off_t)len; ++ result = Curl_bump_headersize(data, len, FALSE); ++ if(result) { ++ data->state.hresult = result; ++ return HYPER_ITER_BREAK; ++ } + return HYPER_ITER_CONTINUE; + } + +@@ -313,9 +316,8 @@ static CURLcode status_line(struct Curl_easy *data, + if(result) + return result; + } +- data->info.header_size += (curl_off_t)len; +- data->req.headerbytecount += (curl_off_t)len; +- return CURLE_OK; ++ result = Curl_bump_headersize(data, len, FALSE); ++ return result; + } + + /* +diff --git a/lib/cf-h1-proxy.c b/lib/cf-h1-proxy.c +index c9b157c9b..b1d8cb618 100644 +--- a/lib/cf-h1-proxy.c ++++ b/lib/cf-h1-proxy.c +@@ -587,7 +587,9 @@ static CURLcode recv_CONNECT_resp(struct Curl_cfilter *cf, + return result; + } + +- data->info.header_size += (long)perline; ++ result = Curl_bump_headersize(data, perline, TRUE); ++ if(result) ++ return result; + + /* Newlines are CRLF, so 
the CR is ignored as the line isn't + really terminated until the LF comes. Treat a following CR +diff --git a/lib/http.c b/lib/http.c +index e611d2789..ebf48660d 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -3918,6 +3918,29 @@ static CURLcode verify_header(struct Curl_easy *data) + return CURLE_OK; + } + ++CURLcode Curl_bump_headersize(struct Curl_easy *data, ++ size_t delta, ++ bool connect_only) ++{ ++ size_t bad = 0; ++ if(delta < MAX_HTTP_RESP_HEADER_SIZE) { ++ if(!connect_only) ++ data->req.headerbytecount += (unsigned int)delta; ++ data->info.header_size += (unsigned int)delta; ++ if(data->info.header_size > MAX_HTTP_RESP_HEADER_SIZE) ++ bad = data->info.header_size; ++ } ++ else ++ bad = data->info.header_size + delta; ++ if(bad) { ++ failf(data, "Too large response headers: %zu > %zu", ++ bad, MAX_HTTP_RESP_HEADER_SIZE); ++ return CURLE_RECV_ERROR; ++ } ++ return CURLE_OK; ++} ++ ++ + /* + * Read any HTTP header lines from the server and pass them to the client app. + */ +@@ -4165,8 +4188,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + if(result) + return result; + +- data->info.header_size += (long)headerlen; +- data->req.headerbytecount += (long)headerlen; ++ result = Curl_bump_headersize(data, headerlen, FALSE); ++ if(result) ++ return result; + + /* + * When all the headers have been parsed, see if we should give +@@ -4488,8 +4512,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + if(result) + return result; + +- data->info.header_size += Curl_dyn_len(&data->state.headerb); +- data->req.headerbytecount += Curl_dyn_len(&data->state.headerb); ++ result = Curl_bump_headersize(data, Curl_dyn_len(&data->state.headerb), ++ FALSE); ++ if(result) ++ return result; + + Curl_dyn_reset(&data->state.headerb); + } +diff --git a/lib/http.h b/lib/http.h +index df3b4e38b..4aeabc345 100644 +--- a/lib/http.h ++++ b/lib/http.h +@@ -64,6 +64,10 @@ extern const struct Curl_handler Curl_handler_wss; + + struct dynhds; + ++CURLcode 
Curl_bump_headersize(struct Curl_easy *data, ++ size_t delta, ++ bool connect_only); ++ + /* Header specific functions */ + bool Curl_compareheader(const char *headerline, /* line to check */ + const char *header, /* header keyword _with_ colon */ +@@ -183,6 +187,11 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data); + #define EXPECT_100_THRESHOLD (1024*1024) + #endif + ++/* MAX_HTTP_RESP_HEADER_SIZE is the maximum size of all response headers ++ combined that libcurl allows for a single HTTP response, any HTTP ++ version. This count includes CONNECT response headers. */ ++#define MAX_HTTP_RESP_HEADER_SIZE (300*1024) ++ + #endif /* CURL_DISABLE_HTTP */ + + /**************************************************************************** +diff --git a/lib/pingpong.c b/lib/pingpong.c +index f3f7cb93c..523bbec18 100644 +--- a/lib/pingpong.c ++++ b/lib/pingpong.c +@@ -341,7 +341,9 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data, + ssize_t clipamount = 0; + bool restart = FALSE; + +- data->req.headerbytecount += (long)gotbytes; ++ result = Curl_bump_headersize(data, gotbytes, FALSE); ++ if(result) ++ return result; + + pp->nread_resp += gotbytes; + for(i = 0; i < gotbytes; ptr++, i++) { +diff --git a/lib/urldata.h b/lib/urldata.h +index c45913b31..ddb2938d7 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -629,17 +629,16 @@ struct SingleRequest { + curl_off_t bytecount; /* total number of bytes read */ + curl_off_t writebytecount; /* number of bytes written */ + +- curl_off_t headerbytecount; /* only count received headers */ +- curl_off_t deductheadercount; /* this amount of bytes doesn't count when we +- check if anything has been transferred at +- the end of a connection. 
We use this +- counter to make only a 100 reply (without a +- following second response code) result in a +- CURLE_GOT_NOTHING error code */ +- + curl_off_t pendingheader; /* this many bytes left to send is actually + header and not body */ + struct curltime start; /* transfer started at this time */ ++ unsigned int headerbytecount; /* only count received headers */ ++ unsigned int deductheadercount; /* this amount of bytes doesn't count when ++ we check if anything has been transferred ++ at the end of a connection. We use this ++ counter to make only a 100 reply (without ++ a following second response code) result ++ in a CURLE_GOT_NOTHING error code */ + enum { + HEADER_NORMAL, /* no bad header at all */ + HEADER_PARTHEADER, /* part of the chunk is a bad header, the rest +@@ -1089,7 +1088,6 @@ struct PureInfo { + int httpversion; /* the http version number X.Y = X*10+Y */ + time_t filetime; /* If requested, this is might get set. Set to -1 if the + time was unretrievable. */ +- curl_off_t header_size; /* size of read header(s) in bytes */ + curl_off_t request_size; /* the amount of bytes sent in the request(s) */ + unsigned long proxyauthavail; /* what proxy auth types were announced */ + unsigned long httpauthavail; /* what host auth types were announced */ +@@ -1097,6 +1095,7 @@ struct PureInfo { + char *contenttype; /* the content type of the object */ + char *wouldredirect; /* URL this would've been redirected to if asked to */ + curl_off_t retry_after; /* info from Retry-After: header */ ++ unsigned int header_size; /* size of read header(s) in bytes */ + + /* PureInfo members 'conn_primary_ip', 'conn_primary_port', 'conn_local_ip' + and, 'conn_local_port' are copied over from the connectdata struct in +-- +2.41.0 + diff --git a/curl.spec b/curl.spec index 66f9da5..02c4c0c 100644 --- a/curl.spec +++ b/curl.spec 
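Review bot: In `Curl_bump_headersize` (the lib/http.c hunk inside the new patch file) the `failf` call prints `MAX_HTTP_RESP_HEADER_SIZE` with `%zu`, but the macro expands to the `int` expression `(300*1024)`; a specifier/argument type mismatch in a variadic call is undefined behaviour and is what `-Wformat` exists to catch. Use `failf(data, "Too large response headers: %zu > %d", bad, MAX_HTTP_RESP_HEADER_SIZE);` or cast the macro to `size_t`. Separately, the lib/pingpong.c hunk now routes every FTP/IMAP/POP3/SMTP response line through the same helper with `connect_only` FALSE, so those bytes accumulate into `data->info.header_size` and count against the 300 KB cap for the lifetime of the easy handle; if that is intended, a one-line comment at that call site saying so would save the next reader the question.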
@@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.2.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# fix HTTP headers eat all memory (CVE-2023-38039) +Patch1: 0001-curl-8.2.1-CVE-2023-38039.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -408,6 +411,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 13 2023 Jan Macku - 8.2.1-2 +- fix HTTP headers eat all memory (CVE-2023-38039) + * Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 - new upstream release (rhbz#2226659) From e8a6b6ab33be0fdce90876ed5634820804ce6595 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Mon, 9 Oct 2023 10:39:43 +0200 Subject: [PATCH 2/8] tests: use newer Fedora URLs for testing ... because F36 URLs are no longer available. --- tests/non-root-user-download/runtest.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 0529a12..4d51e62 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh 
@@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" From 12e5c7dfbba9aa69f60af5aa7e905ff7b937f835 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 11 Oct 2023 16:15:27 +0200 Subject: [PATCH 3/8] Resolves: CVE-2023-38545 - SOCKS5 heap buffer overflow --- 0002-curl-8.2.1-CVE-2023-38545.patch | 135 +++++++++++++++++++++++++++ curl.spec | 8 +- 2 files changed, 142 insertions(+), 1 deletion(-) create mode 100644 0002-curl-8.2.1-CVE-2023-38545.patch diff --git a/0002-curl-8.2.1-CVE-2023-38545.patch b/0002-curl-8.2.1-CVE-2023-38545.patch new file mode 100644 index 0000000..77be7ef --- /dev/null +++ b/0002-curl-8.2.1-CVE-2023-38545.patch 
@@ -0,0 +1,135 @@ +From 6b313d6d3520eb4c7429723babd59dbb63681bcd Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Wed, 11 Oct 2023 07:34:19 +0200 +Subject: [PATCH 1/2] socks: return error if hostname too long for remote + resolve + +Prior to this change the state machine attempted to change the remote +resolve to a local resolve if the hostname was longer than 255 +characters. Unfortunately that did not work as intended and caused a +security issue. + +Bug: https://curl.se/docs/CVE-2023-38545.html + +(cherry picked from commit fb4415d8aee6c1045be932a34fe6107c2f5ed147) + +Signed-off-by: Jan Macku +--- + lib/socks.c | 8 +++--- + tests/data/Makefile.inc | 2 +- + tests/data/test728 | 64 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 69 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test728 + +diff --git a/lib/socks.c b/lib/socks.c +index c492d663c..a7b5ab07e 100644 +--- a/lib/socks.c ++++ b/lib/socks.c +@@ -587,9 +587,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, + + /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ + if(!socks5_resolve_local && hostname_len > 255) { +- infof(data, "SOCKS5: server resolving disabled for hostnames of " +- "length > 255 [actual len=%zu]", hostname_len); +- socks5_resolve_local = TRUE; ++ failf(data, "SOCKS5: the destination hostname is too long to be " ++ "resolved remotely by the proxy."); ++ return CURLPX_LONG_HOSTNAME; + } + + if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) +@@ -903,7 +903,7 @@ CONNECT_RESOLVE_REMOTE: + } + else { + socksreq[len++] = 3; +- socksreq[len++] = (char) hostname_len; /* one byte address length */ ++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ + memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */ + len += hostname_len; + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index a253b5c6e..cd22f937f 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -100,7 +100,7 @@ 
test679 test680 test681 test682 test683 test684 test685 test686 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 test716 test717 \ +-test718 test719 test720 test721 \ ++test718 test719 test720 test721 test728 \ + \ + test799 test800 test801 test802 test803 test804 test805 test806 test807 \ + test808 test809 test810 test811 test812 test813 test814 test815 test816 \ +diff --git a/tests/data/test728 b/tests/data/test728 +new file mode 100644 +index 000000000..05bcf2883 +--- /dev/null ++++ b/tests/data/test728 +@@ -0,0 +1,64 @@ ++ ++ ++ ++HTTP ++HTTP GET ++SOCKS5 ++SOCKS5h ++followlocation ++ ++ ++ ++# ++# Server-side ++ ++# The hostname in this redirect is 256 characters and too long (> 255) for ++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case. ++ ++HTTP/1.1 301 Moved Permanently ++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ ++Content-Length: 0 ++Connection: close ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++proxy ++ ++ ++http ++socks5 ++ ++ ++SOCKS5h with HTTP redirect to hostname too long ++ ++ ++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++97 ++ ++# the error message is verified because error code CURLE_PROXY (97) may be ++# returned for any number of reasons and we need to make sure it is ++# specifically for the reason below so that we know the check is working. ++ ++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy. ++ ++ ++ +-- +2.41.0 + 
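Review bot: The `tests/data/test728` body in this patch file shows no test-harness markup at all — no `<testcase>`, `<reply>`, `<data>` or `<verify>` elements, only their text content — which the curl test runner would not parse; this is most likely the page rendering swallowing anything in angle brackets rather than the committed file, but the stored patch should be checked, and the same applies to `tests/data/test1474` in 0006-curl-8.2.1-CVE-2024-2004.patch. The lib/socks.c change itself reads correctly: the `hostname_len > 255` branch now fails the connect with `CURLPX_LONG_HOSTNAME` instead of flipping `socks5_resolve_local`, so the one-byte length written later as `(unsigned char) hostname_len` is always in range on the remote-resolve path.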
diff --git a/curl.spec b/curl.spec index 02c4c0c..c7489b6 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.2.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -13,6 +13,9 @@ Source2: mykey.asc # fix HTTP headers eat all memory (CVE-2023-38039) Patch1: 0001-curl-8.2.1-CVE-2023-38039.patch +# fix SOCKS5 heap buffer overflow (CVE-2023-38545) +Patch2: 0002-curl-8.2.1-CVE-2023-38545.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -411,6 +414,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 11 2023 Jan Macku - 8.2.1-3 +- fix SOCKS5 heap buffer overflow (CVE-2023-38545) + * Wed Sep 13 2023 Jan Macku - 8.2.1-2 - fix HTTP headers eat all memory (CVE-2023-38039) From 090687748e417b5603e7f8517047ac27db57db66 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 11 Oct 2023 16:29:04 +0200 Subject: [PATCH 4/8] Resolves: CVE-2023-38546 - cookie injection with none file --- 0003-curl-8.2.1-CVE-2023-38546.patch | 134 +++++++++++++++++++++++++++ curl.spec | 4 + 2 files changed, 138 insertions(+) create mode 100644 0003-curl-8.2.1-CVE-2023-38546.patch diff --git a/0003-curl-8.2.1-CVE-2023-38546.patch b/0003-curl-8.2.1-CVE-2023-38546.patch new file mode 100644 index 0000000..582f62a --- /dev/null +++ b/0003-curl-8.2.1-CVE-2023-38546.patch 
@@ -0,0 +1,134 @@ +From 9b837dd18c44bedf28054ba498e94740e1533d69 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 14 Sep 2023 23:28:32 +0200 +Subject: [PATCH 2/2] cookie: remove unnecessary struct fields + +Plus: reduce the hash table size from 256 to 63. It seems unlikely to +make much of a speed difference for most use cases but saves 1.5KB of +data per instance. + +Closes #11862 + +(cherry picked from commit 61275672b46d9abb3285740467b882e22ed75da8) +Signed-off-by: Jan Macku +--- + lib/cookie.c | 13 +------------ + lib/cookie.h | 13 ++++--------- + lib/easy.c | 4 +--- + 3 files changed, 6 insertions(+), 24 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 4345a84c6..e39c89a94 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co) + free(co->name); + free(co->value); + free(co->maxage); +- free(co->version); + free(co); + } + +@@ -718,11 +717,7 @@ Curl_cookie_add(struct Curl_easy *data, + } + } + else if((nlen == 7) && strncasecompare("version", namep, 7)) { +- strstore(&co->version, valuep, vlen); +- if(!co->version) { +- badcookie = TRUE; +- break; +- } ++ /* just ignore */ + } + else if((nlen == 7) && strncasecompare("max-age", namep, 7)) { + /* +@@ -1160,7 +1155,6 @@ Curl_cookie_add(struct Curl_easy *data, + free(clist->path); + free(clist->spath); + free(clist->expirestr); +- free(clist->version); + free(clist->maxage); + + *clist = *co; /* then store all the new data */ +@@ -1224,9 +1218,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, + c = calloc(1, sizeof(struct CookieInfo)); + if(!c) + return NULL; /* failed to get memory */ +- c->filename = strdup(file?file:"none"); /* copy the name just in case */ +- if(!c->filename) +- goto fail; /* failed to get memory */ + /* + * Initialize the next_expiration time to signal that we don't have enough + * information yet. 
+@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) + CLONE(name); + CLONE(value); + CLONE(maxage); +- CLONE(version); + d->expires = src->expires; + d->tailmatch = src->tailmatch; + d->secure = src->secure; +@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) + { + if(c) { + unsigned int i; +- free(c->filename); + for(i = 0; i < COOKIE_HASH_SIZE; i++) + Curl_cookie_freelist(c->cookies[i]); + free(c); /* free the base struct as well */ +diff --git a/lib/cookie.h b/lib/cookie.h +index b3c0063b2..41e9e7a69 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -36,11 +36,7 @@ struct Cookie { + char *domain; /* domain = */ + curl_off_t expires; /* expires = */ + char *expirestr; /* the plain text version */ +- +- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ +- char *version; /* Version = */ + char *maxage; /* Max-Age = */ +- + bool tailmatch; /* whether we do tail-matching of the domain name */ + bool secure; /* whether the 'secure' keyword was used */ + bool livecookie; /* updated from a server, not a stored file */ +@@ -56,17 +52,16 @@ struct Cookie { + #define COOKIE_PREFIX__SECURE (1<<0) + #define COOKIE_PREFIX__HOST (1<<1) + +-#define COOKIE_HASH_SIZE 256 ++#define COOKIE_HASH_SIZE 63 + + struct CookieInfo { + /* linked list of cookies we know of */ + struct Cookie *cookies[COOKIE_HASH_SIZE]; +- char *filename; /* file we read from/write to */ +- long numcookies; /* number of cookies in the "jar" */ ++ curl_off_t next_expiration; /* the next time at which expiration happens */ ++ int numcookies; /* number of cookies in the "jar" */ ++ int lastct; /* last creation-time used in the jar */ + bool running; /* state info, for cookie adding information */ + bool newsession; /* new session, discard session cookies on load */ +- int lastct; /* last creation-time used in the jar */ +- curl_off_t next_expiration; /* the next time at which expiration happens */ + }; + + /* The maximum sizes we accept for 
cookies. RFC 6265 section 6.1 says +diff --git a/lib/easy.c b/lib/easy.c +index d034629b5..2c621963d 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -909,9 +909,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + if(data->cookies) { + /* If cookies are enabled in the parent handle, we enable them + in the clone as well! */ +- outcurl->cookies = Curl_cookie_init(data, +- data->cookies->filename, +- outcurl->cookies, ++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, + data->set.cookiesession); + if(!outcurl->cookies) + goto fail; +-- +2.41.0 + diff --git a/curl.spec b/curl.spec index c7489b6..c45cbb0 100644 --- a/curl.spec +++ b/curl.spec @@ -16,6 +16,9 @@ Patch1: 0001-curl-8.2.1-CVE-2023-38039.patch # fix SOCKS5 heap buffer overflow (CVE-2023-38545) Patch2: 0002-curl-8.2.1-CVE-2023-38545.patch +# fix cookie injection with none file (CVE-2023-38546) +Patch3: 0003-curl-8.2.1-CVE-2023-38546.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -415,6 +418,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Oct 11 2023 Jan Macku - 8.2.1-3 +- fix cookie injection with none file (CVE-2023-38546) - fix SOCKS5 heap buffer overflow (CVE-2023-38545) * Wed Sep 13 2023 Jan Macku - 8.2.1-2 From 5ef34fcaafdaf3f44bbbdcbce5fb9ef699c0f153 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 6 Dec 2023 14:22:08 +0100 Subject: [PATCH 5/8] Resolves: CVE-2023-46218 - cookie mixed case PSL bypass --- 0004-curl-8.2.1-CVE-2023-46218.patch | 55 ++++++++++++++++++++++++++++ curl.spec | 8 +++- 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 0004-curl-8.2.1-CVE-2023-46218.patch diff --git a/0004-curl-8.2.1-CVE-2023-46218.patch b/0004-curl-8.2.1-CVE-2023-46218.patch new file mode 100644 index 0000000..082d714 --- /dev/null +++ b/0004-curl-8.2.1-CVE-2023-46218.patch 
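Review bot: `COOKIE_HASH_SIZE` drops from 256 to 63 in lib/cookie.h, and 63 is not a power of two, so the bucket index must be reduced with `% COOKIE_HASH_SIZE`; `cookiehash()` is not in this hunk, so please confirm it does not use a fixed bit mask, and consider a comment next to the define: `/* not a power of two; cookiehash() must reduce with modulo, not a mask */`. With `filename` removed, the lib/easy.c call becomes `Curl_cookie_init(data, NULL, outcurl->cookies, ...)`, which is the actual fix but leaves the reader wondering why a NULL file is right; a short comment there — `/* NULL: the clone must never re-read cookies from a path stored in the parent */` — records the intent.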
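Review bot: The `%changelog` hunk adds the CVE-2023-38546 line to the existing `8.2.1-3` entry without bumping `Release`, and the CVE-2023-46219 commit later does the same to the `8.2.1-4` entry; that is fine only if the previous commit had not yet been built, otherwise two different source RPMs end up sharing one NVR. If a build already exists for the earlier state, bump `Release` here and give the change its own dated entry (and likewise for the later commit).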
@@ -0,0 +1,55 @@ +From 053b0d4eb6768563adc55fa936bbb32d19114d49 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 23 Nov 2023 08:15:47 +0100 +Subject: [PATCH 1/2] cookie: lowercase the domain names before PSL checks + +Reported-by: Harry Sintonen + +Closes #12387 + +(cherry picked from commit 2b0994c29a721c91c572cff7808c572a24d251eb) + +Signed-off-by: Jan Macku +--- + lib/cookie.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index e39c89a94..18ed4bb7e 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -1036,15 +1036,23 @@ Curl_cookie_add(struct Curl_easy *data, + * dereference it. + */ + if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) { +- const psl_ctx_t *psl = Curl_psl_use(data); +- int acceptable; +- +- if(psl) { +- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain); +- Curl_psl_release(data); ++ bool acceptable = FALSE; ++ char lcase[256]; ++ char lcookie[256]; ++ size_t dlen = strlen(domain); ++ size_t clen = strlen(co->domain); ++ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) { ++ const psl_ctx_t *psl = Curl_psl_use(data); ++ if(psl) { ++ /* the PSL check requires lowercase domain name and pattern */ ++ Curl_strntolower(lcase, domain, dlen + 1); ++ Curl_strntolower(lcookie, co->domain, clen + 1); ++ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie); ++ Curl_psl_release(data); ++ } ++ else ++ acceptable = !bad_domain(domain, strlen(domain)); + } +- else +- acceptable = !bad_domain(domain, strlen(domain)); + + if(!acceptable) { + infof(data, "cookie '%s' dropped, domain '%s' must not " +-- +2.43.0 + diff --git a/curl.spec b/curl.spec index c45cbb0..9fb1f12 100644 --- a/curl.spec +++ b/curl.spec 
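Review bot: In the lib/cookie.c hunk the fallback branch still calls `bad_domain(domain, strlen(domain))` although `dlen` already holds that length a few lines above; `acceptable = !bad_domain(domain, dlen);` avoids the second scan. Also worth a comment: when either name is 256 bytes or longer the new length guard skips both the PSL check and the `bad_domain` fallback, and the cookie is rejected because `acceptable` stays FALSE — deliberate, but not obvious, so `/* names too long for the lowercase scratch buffers are rejected outright */` above the `if` would help. `Curl_cookie_add` starts and ends outside this hunk.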
@@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.2.1 -Release: 3%{?dist} +Release: 4%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -19,6 +19,9 @@ Patch2: 0002-curl-8.2.1-CVE-2023-38545.patch # fix cookie injection with none file (CVE-2023-38546) Patch3: 0003-curl-8.2.1-CVE-2023-38546.patch +# fix cookie mixed case PSL bypass (CVE-2023-46218) +Patch4: 0004-curl-8.2.1-CVE-2023-46218.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -417,6 +420,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 06 2023 Jan Macku - 8.2.1-4 +- fix cookie mixed case PSL bypass (CVE-2023-46218) + * Wed Oct 11 2023 Jan Macku - 8.2.1-3 - fix cookie injection with none file (CVE-2023-38546) - fix SOCKS5 heap buffer overflow (CVE-2023-38545) From 7fba058121faee737417fb34a19b805908cf6fbd Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 6 Dec 2023 14:24:50 +0100 Subject: [PATCH 6/8] Resolves: CVE-2023-46219 - HSTS long file name clears contents --- 0005-curl-8.2.1-CVE-2023-46219.patch | 134 +++++++++++++++++++++++++++ curl.spec | 4 + 2 files changed, 138 insertions(+) create mode 100644 0005-curl-8.2.1-CVE-2023-46219.patch diff --git a/0005-curl-8.2.1-CVE-2023-46219.patch b/0005-curl-8.2.1-CVE-2023-46219.patch new file mode 100644 index 0000000..881ce2c --- /dev/null +++ b/0005-curl-8.2.1-CVE-2023-46219.patch 
@@ -0,0 +1,134 @@ +From cca676ef222399591f5a116e1c13889014fad624 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 23 Nov 2023 08:23:17 +0100 +Subject: [PATCH 2/2] fopen: create short(er) temporary file name + +Only using random letters in the name plus a ".tmp" extension. Not by +appending characters to the final file name. + +Reported-by: Maksymilian Arciemowicz + +Closes #12388 + +(cherry picked from commit 73b65e94f3531179de45c6f3c836a610e3d0a846) + +Signed-off-by: Jan Macku +--- + lib/fopen.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 60 insertions(+), 5 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index b6e3caddd..5cd4dde3e 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -39,6 +39,51 @@ + #include "curl_memory.h" + #include "memdebug.h" + ++/* ++ The dirslash() function breaks a null-terminated pathname string into ++ directory and filename components then returns the directory component up ++ to, *AND INCLUDING*, a final '/'. If there is no directory in the path, ++ this instead returns a "" string. ++ ++ This function returns a pointer to malloc'ed memory. ++ ++ The input path to this function is expected to have a file name part. 
++*/ ++ ++#ifdef _WIN32 ++#define PATHSEP "\\" ++#define IS_SEP(x) (((x) == '/') || ((x) == '\\')) ++#elif defined(MSDOS) || defined(__EMX__) || defined(OS2) ++#define PATHSEP "\\" ++#define IS_SEP(x) ((x) == '\\') ++#else ++#define PATHSEP "/" ++#define IS_SEP(x) ((x) == '/') ++#endif ++ ++static char *dirslash(const char *path) ++{ ++ size_t n; ++ struct dynbuf out; ++ DEBUGASSERT(path); ++ Curl_dyn_init(&out, CURL_MAX_INPUT_LENGTH); ++ n = strlen(path); ++ if(n) { ++ /* find the rightmost path separator, if any */ ++ while(n && !IS_SEP(path[n-1])) ++ --n; ++ /* skip over all the path separators, if any */ ++ while(n && IS_SEP(path[n-1])) ++ --n; ++ } ++ if(Curl_dyn_addn(&out, path, n)) ++ return NULL; ++ /* if there was a directory, append a single trailing slash */ ++ if(n && Curl_dyn_addn(&out, PATHSEP, 1)) ++ return NULL; ++ return Curl_dyn_ptr(&out); ++} ++ + /* + * Curl_fopen() opens a file for writing with a temp name, to be renamed + * to the final name when completed. If there is an existing file using this +@@ -50,25 +95,34 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + FILE **fh, char **tempname) + { + CURLcode result = CURLE_WRITE_ERROR; +- unsigned char randsuffix[9]; ++ unsigned char randbuf[41]; + char *tempstore = NULL; + struct_stat sb; + int fd = -1; ++ char *dir; + *tempname = NULL; + ++ dir = dirslash(filename); ++ if(!dir) ++ goto fail; ++ + *fh = fopen(filename, FOPEN_WRITETEXT); + if(!*fh) + goto fail; +- if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) ++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ free(dir); + return CURLE_OK; ++ } + fclose(*fh); + *fh = NULL; + +- result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); ++ result = Curl_rand_hex(data, randbuf, sizeof(randbuf)); + if(result) + goto fail; + +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ /* The temp file name should not end up too long for the target file ++ system */ ++ tempstore = aprintf("%s%s.tmp", 
dir, randbuf); + if(!tempstore) { + result = CURLE_OUT_OF_MEMORY; + goto fail; +@@ -95,6 +149,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + if(!*fh) + goto fail; + ++ free(dir); + *tempname = tempstore; + return CURLE_OK; + +@@ -105,7 +160,7 @@ fail: + } + + free(tempstore); +- ++ free(dir); + return result; + } + +-- +2.43.0 + diff --git a/curl.spec b/curl.spec index 9fb1f12..a2af4f8 100644 --- a/curl.spec +++ b/curl.spec @@ -22,6 +22,9 @@ Patch3: 0003-curl-8.2.1-CVE-2023-38546.patch # fix cookie mixed case PSL bypass (CVE-2023-46218) Patch4: 0004-curl-8.2.1-CVE-2023-46218.patch +# fix HSTS long file name clears contents (CVE-2023-46219) +Patch5: 0005-curl-8.2.1-CVE-2023-46219.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -421,6 +424,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Dec 06 2023 Jan Macku - 8.2.1-4 +- fix HSTS long file name clears contents (CVE-2023-46219) - fix cookie mixed case PSL bypass (CVE-2023-46218) * Wed Oct 11 2023 Jan Macku - 8.2.1-3 From e97fa5aa57e86244e588d027061fe9404d1a0e22 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 3 Apr 2024 15:09:46 +0200 Subject: [PATCH 7/8] Resolves: CVE-2024-2004 - Usage of disabled protocol --- 0006-curl-8.2.1-CVE-2024-2004.patch | 138 ++++++++++++++++++++++++++++ curl.spec | 8 +- 2 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 0006-curl-8.2.1-CVE-2024-2004.patch diff --git a/0006-curl-8.2.1-CVE-2024-2004.patch b/0006-curl-8.2.1-CVE-2024-2004.patch new file mode 100644 index 0000000..e4dcad2 --- /dev/null +++ b/0006-curl-8.2.1-CVE-2024-2004.patch 
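Review bot: In `Curl_fopen` the new `if(!dir) goto fail;` reaches `fail:` with `result` still at its initial `CURLE_WRITE_ERROR`, yet `dirslash()` returns NULL only when `Curl_dyn_addn` fails, i.e. an allocation or length-cap failure; the function already reports its other allocation failure (the `!tempstore` branch) as `CURLE_OUT_OF_MEMORY`, so this path should match: `if(!dir) { result = CURLE_OUT_OF_MEMORY; goto fail; }`. The ownership handoff out of `dirslash` (a malloc'ed string, per its comment, released by the caller with plain `free`) is now spread over three exits in `Curl_fopen`; a one-liner at the call site, `/* dir is malloc'ed by dirslash(); freed on every exit path below */`, keeps them honest. `Curl_fopen` continues outside the hunk — the open/rename section between the two `@@` ranges is not shown.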
@@ -0,0 +1,138 @@ +From e614d4615943b9d43e4f6db8bc8223a20c66cd44 Mon Sep 17 00:00:00 2001 +From: Daniel Gustafsson +Date: Tue, 27 Feb 2024 15:43:56 +0100 +Subject: [PATCH 1/2] setopt: Fix disabling all protocols + +When disabling all protocols without enabling any, the resulting +set of allowed protocols remained the default set. Clearing the +allowed set before inspecting the passed value from --proto make +the set empty even in the errorpath of no protocols enabled. + +Co-authored-by: Dan Fandrich +Reported-by: Dan Fandrich +Reviewed-by: Daniel Stenberg +Closes: #13004 + +(cherry picked from commit 17d302e56221f5040092db77d4f85086e8a20e0e) +Signed-off-by: Jan Macku +--- + lib/setopt.c | 16 ++++++++-------- + tests/data/Makefile.inc | 1 + + tests/data/test1474 | 42 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 51 insertions(+), 8 deletions(-) + create mode 100644 tests/data/test1474 + +diff --git a/lib/setopt.c b/lib/setopt.c +index b05162a55..fb71b7fd4 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -154,6 +154,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp) + + static CURLcode protocol2num(const char *str, curl_prot_t *val) + { ++ /* ++ * We are asked to cherry-pick protocols, so play it safe and disallow all ++ * protocols to start with, and re-add the wanted ones back in. 
++ */ ++ *val = 0; ++ + if(!str) + return CURLE_BAD_FUNCTION_ARGUMENT; + +@@ -162,8 +168,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val) + return CURLE_OK; + } + +- *val = 0; +- + do { + const char *token = str; + size_t tlen; +@@ -2679,22 +2683,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + break; + + case CURLOPT_PROTOCOLS_STR: { +- curl_prot_t prot; + argptr = va_arg(param, char *); +- result = protocol2num(argptr, &prot); ++ result = protocol2num(argptr, &data->set.allowed_protocols); + if(result) + return result; +- data->set.allowed_protocols = prot; + break; + } + + case CURLOPT_REDIR_PROTOCOLS_STR: { +- curl_prot_t prot; + argptr = va_arg(param, char *); +- result = protocol2num(argptr, &prot); ++ result = protocol2num(argptr, &data->set.redir_protocols); + if(result) + return result; +- data->set.redir_protocols = prot; + break; + } + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index cd22f937f..da0e8bb0a 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -160,6 +160,7 @@ test1247 test1248 test1249 test1250 test1251 test1252 test1253 test1254 \ + test1255 test1256 test1257 test1258 test1259 test1260 test1261 test1262 \ + test1263 test1264 test1265 test1266 test1267 test1268 test1269 test1270 \ + test1271 test1272 test1273 test1274 test1275 test1276 test1277 test1278 \ ++test1474 \ + \ + test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 \ + test1288 test1289 test1290 test1291 test1292 test1293 test1294 test1295 \ +diff --git a/tests/data/test1474 b/tests/data/test1474 +new file mode 100644 +index 000000000..c66fa2810 +--- /dev/null ++++ b/tests/data/test1474 +@@ -0,0 +1,42 @@ ++ ++ ++ ++HTTP ++HTTP GET ++--proto ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++none ++ ++ ++http ++ ++ ++--proto -all disables all protocols ++ ++ ++--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER ++ ++ ++ ++# ++# Verify data 
after the test has been "shot" ++ ++# 1 - Protocol "http" disabled ++ ++1 ++ ++ ++ +-- +2.44.0 + diff --git a/curl.spec b/curl.spec index a2af4f8..c303041 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.2.1 -Release: 4%{?dist} +Release: 5%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,9 @@ Patch4: 0004-curl-8.2.1-CVE-2023-46218.patch # fix HSTS long file name clears contents (CVE-2023-46219) Patch5: 0005-curl-8.2.1-CVE-2023-46219.patch +# fix Usage of disabled protocol (CVE-2024-2004) +Patch6: 0006-curl-8.2.1-CVE-2024-2004.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -423,6 +426,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Apr 03 2024 Jan Macku - 8.2.1-5 +- fix Usage of disabled protocol (CVE-2024-2004) + * Wed Dec 06 2023 Jan Macku - 8.2.1-4 - fix HSTS long file name clears contents (CVE-2023-46219) - fix cookie mixed case PSL bypass (CVE-2023-46218) From ee3d189853c4895aacd83f0b58058ea05e2ddab4 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 3 Apr 2024 15:11:40 +0200 Subject: [PATCH 8/8] Resolves: CVE-2024-2398 - HTTP/2 push headers memory-leak --- 0007-curl-8.2.1-CVE-2024-2398.patch | 95 +++++++++++++++++++++++++++++ curl.spec | 7 ++- 2 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 0007-curl-8.2.1-CVE-2024-2398.patch diff --git a/0007-curl-8.2.1-CVE-2024-2398.patch b/0007-curl-8.2.1-CVE-2024-2398.patch new file mode 100644 index 0000000..7485a43 --- /dev/null +++ b/0007-curl-8.2.1-CVE-2024-2398.patch 
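Review bot: `protocol2num` now clears `*val` before the `!str` check and before the token loop, and both `Curl_vsetopt` cases pass `&data->set.allowed_protocols` / `&data->set.redir_protocols` straight in, so a rejected string (NULL, or one naming no known protocol) leaves the handle with an empty set instead of the value it had before the call. The commit message says this is intended, but a caller that ignores the `curl_easy_setopt` return value will see it as a silent behaviour change, so state it in the function's comment: `/* NOTE: *val is cleared first, so on error the caller's set is empty, not unchanged */`. The rest of `protocol2num` (the token loop) and the two `switch` cases are cut by the hunk boundaries.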
@@ -0,0 +1,95 @@ +From d8c8695a7d10c21c0fb5b871b032716ca9683903 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 + +(cherry picked from commit deca8039991886a559b67bcd6701db800a5cf764) +Signed-off-by: Jan Macku +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index 6c09ec1..533237d 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -267,6 +267,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf, + return CURLE_OK; + } + ++static void free_push_headers(struct stream_ctx *stream) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + static void http2_data_done(struct Curl_cfilter *cf, + struct Curl_easy *data, bool premature) + { +@@ -313,15 +322,7 @@ static void http2_data_done(struct Curl_cfilter *cf, + Curl_bufq_free(&stream->sendbuf); + Curl_bufq_free(&stream->recvbuf); + Curl_dynhds_free(&stream->resp_trailers); +- if(stream->push_headers) { +- /* if they weren't used and then freed before */ +- for(; stream->push_headers_used > 0; --stream->push_headers_used) { +- free(stream->push_headers[stream->push_headers_used - 1]); +- } +- free(stream->push_headers); +- stream->push_headers = NULL; +- } +- ++ free_push_headers(stream); + free(stream); + H2_STREAM_LCTX(data) = NULL; + } +@@ -859,7 +860,6 @@ static int push_promise(struct Curl_cfilter *cf, + struct curl_pushheaders heads; + CURLMcode rc; + CURLcode result; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = h2_duphandle(cf, data); + if(!newhandle) { +@@ -904,11 +904,7 @@ static int push_promise(struct Curl_cfilter *cf, + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; 
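Review bot: free_push_headers resets `push_headers_used` and NULLs `push_headers` but leaves `push_headers_alloc` untouched, which matters for the on_header hunk further down where it is called after `stream->push_headers_alloc *= 2;` has already run and on the `> 1000` bail-out path. If the growth check in on_header compares `push_headers_used` with `push_headers_alloc` (that code is outside the hunk), a later header callback on the same stream would see spare capacity and index the NULL array. Both on_header call sites return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE, which presumably ends the session before another callback arrives, so this is likely unreachable, but restoring the fully-empty state in the helper costs one line: `stream->push_headers_alloc = 0;` after `stream->push_headers_used = 0;`. The http2_data_done and push_promise callers are tearing the stream down anyway, so they are unaffected either way.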
ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); +@@ -1357,14 +1353,14 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, + if(stream->push_headers_alloc > 1000) { + /* this is beyond crazy many headers, bail out */ + failf(data_s, "Too many PUSH_PROMISE headers"); +- Curl_safefree(stream->push_headers); ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; +-- +2.44.0 + diff --git a/curl.spec b/curl.spec index c303041..69f4429 100644 --- a/curl.spec +++ b/curl.spec @@ -28,6 +28,9 @@ Patch5: 0005-curl-8.2.1-CVE-2023-46219.patch # fix Usage of disabled protocol (CVE-2024-2004) Patch6: 0006-curl-8.2.1-CVE-2024-2004.patch +# fix HTTP/2 push headers memory-leak +Patch7: 0007-curl-8.2.1-CVE-2024-2398.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -224,9 +227,10 @@ be installed. %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 +# disable test 420 # disable test 1801 # -echo "1801" >> tests/data/DISABLED +printf "420\n1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} 
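Review bot: The added `# disable test 420` line in the %autosetup hunk records that the test is skipped but not why, so the next rebase cannot tell whether it may be re-enabled; the existing `# disable test 1801` has the same gap but is not part of this change. Giving the reason on the comment, e.g. `# disable test 420: <reason, e.g. depends on changes not in this backport>`, would make the DISABLED entry self-explaining. The `printf "420\n1801\n"` form writes both entries newline-terminated, so the command itself needs no change.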
@@ -428,6 +432,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Apr 03 2024 Jan Macku - 8.2.1-5 - fix Usage of disabled protocol (CVE-2024-2004) +- fix HTTP/2 push headers memory-leak (CVE-2024-2398) * Wed Dec 06 2023 Jan Macku - 8.2.1-4 - fix HSTS long file name clears contents (CVE-2023-46219)