From c8f5ee33a6e1b0042fc0f30f7cc96fb90f6624a2 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Sat, 5 Mar 2022 11:15:03 +0100 Subject: [PATCH 01/34] new upstream release - 7.82.0 --- curl-7.81.0.tar.xz.asc | 11 ----------- curl-7.82.0.tar.xz.asc | 11 +++++++++++ curl.spec | 7 +++++-- sources | 2 +- 4 files changed, 17 insertions(+), 14 deletions(-) delete mode 100644 curl-7.81.0.tar.xz.asc create mode 100644 curl-7.82.0.tar.xz.asc diff --git a/curl-7.81.0.tar.xz.asc b/curl-7.81.0.tar.xz.asc deleted file mode 100644 index 08aa7ea..0000000 --- a/curl-7.81.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmHVTjsACgkQXMkI/bce -EsLAggf/dMpvzTs3GEKddYzD/73UGJt5rqSYEc93KilASwUGWC3LnZ1hwY+wunmf -z04ULsN6VkUFLDlbVaQvfMA6XyWBXS5QI34ztfHbiTsAtLwqHBtHBAL0uPn+y2bB -+r6O/rOtd5isPgm5H+MIfPphQWOj5va0vQ9r3e2sr8+Nma8Th1qtFALoCQi6kftK -6Aa9ZI2BYyosDUwT5PNsrZ941wFHtQJQpcVb1SaEwIWiMUSkTkUKk6dHxFnT9mkV -uakgAd2AmyJ6O5cAeGlYX7IZxvdhKqd6/+KkmKD4zzgQLKEl2pUtaieTJqsp1zSU -9kyUFaMR4XzSjdCOtVh5RCxURzMNhg== -=kV6S ------END PGP SIGNATURE----- diff --git a/curl-7.82.0.tar.xz.asc b/curl-7.82.0.tar.xz.asc new file mode 100644 index 0000000..507084c --- /dev/null +++ b/curl-7.82.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmIjIysACgkQXMkI/bce +EsK2qQf/bcLm7LXO+Cvh0gbbIS9S5uT2/8g8AJ3/dFijs/BvqW85ajsfSCx9Z4+4 +Bad/CfZvuHoBMKKsSC9uSyBzv3UmupEHxYlIw0oik97Q0NDml5czsLJznGEtRiwh +DzOSl8hwLg3OhHXD/G239oSPk2b7ys1P7KQsdxadaxHaoVjFMT4qI0/1DQBKBb/C +AnzXcQUii3HEsPwnS7OmTvbXcDR6HS0Pq4b0Usop1YVppUlP5rG/gV6o7ogA13Cv +yssbfL8fGN3pSgJWtCLoxbIyZbRUROvR74u0ymlf5oLs4bCWzLR9pGKt+oM9YBGq +m9LkqrxKUEOp36vdLN4UgqGdWLa5zQ== +=/k1v +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 83070a1..b3ed447 100644 --- a/curl.spec +++ b/curl.spec 
@@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.81.0 -Release: 2%{?dist} +Version: 7.82.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -411,6 +411,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Sat Mar 05 2022 Kamil Dudka - 7.82.0-1 +- new upstream release + * Thu Jan 20 2022 Fedora Release Engineering - 7.81.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild diff --git a/sources b/sources index eb1e3bc..7c44f53 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.81.0.tar.xz) = 38355aaee38db04bb2babdc5fd7a88284580c836d15df754f42b104997dd344b7841be8e53b4fc91aea31db170a7d6967c4976833eb4bfe0d265c7275c4800df +SHA512 (curl-7.82.0.tar.xz) = a977d69360d1793f8872096a21f5c0271e7ad145cd69ad45f4056a0657772f0f298b04bdb41aefd4ea5c4478352c60d80b5a118642280a07a7198aa80ffb1d57 From 321dbf8171b5f628e58692259ced3691ba78e6b3 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 15 Mar 2022 12:53:45 +0100 Subject: [PATCH 02/34] openssl: fix incorrect CURLE_OUT_OF_MEMORY error ... on CN check failure, which was breaking the test-suite of pycurl. Reported-by: Lukas Zaoral --- 0001-curl-7.82.0-openssl-spurious-oom.patch | 36 +++++++++++++++++++++ curl.spec | 9 +++++- 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.82.0-openssl-spurious-oom.patch diff --git a/0001-curl-7.82.0-openssl-spurious-oom.patch b/0001-curl-7.82.0-openssl-spurious-oom.patch new file mode 100644 index 0000000..186134d --- /dev/null +++ b/0001-curl-7.82.0-openssl-spurious-oom.patch 
@@ -0,0 +1,36 @@
+From 58781adaaff911303f69876236918b9049dde926 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 8 Mar 2022 13:38:13 +0100
+Subject: [PATCH] openssl: fix CN check error code
+
+Due to a missing 'else' this returns error too easily.
+
+Regressed in: d15692ebb
+
+Reported-by: Kristoffer Gleditsch
+Fixes #8559
+Closes #8560
+
+Upstream-commit: 911714d617c106ed5d553bf003e34ec94ab6a136
+Signed-off-by: Kamil Dudka
+---
+ lib/vtls/openssl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 616a510..1bafe96 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
+ memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
+ peer_CN[peerlen] = '\0';
+ }
+- result = CURLE_OUT_OF_MEMORY;
++ else
++ result = CURLE_OUT_OF_MEMORY;
+ }
+ }
+ else /* not a UTF8 name */
+--
+2.34.1
+
diff --git a/curl.spec b/curl.spec
index b3ed447..67f9c9a 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.82.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
 
+# openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
+Patch1: 0001-curl-7.82.0-openssl-spurious-oom.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -184,6 +187,7 @@ be installed.
 %setup -q
 
 # upstream patches
+%patch1 -p1
 
 # Fedora patches
 %patch101 -p1
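Review bot: The added `else` in Curl_ossl_verifyhost() is now the only path that sets `result = CURLE_OUT_OF_MEMORY`, but the `if` it pairs with lies above the hunk, so a reader of this patch cannot see which failure the error code describes. A short comment on the new line, `else /* allocating peer_CN failed */` — assuming the condition tests the allocation that the memcpy() above writes into, which this hunk does not show — would keep a future refactor from dropping the `else` again, which is exactly the regression the upstream message describes. Curl_ossl_verifyhost() begins and ends outside the hunk.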
@@ -411,6 +415,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Mar 15 2022 Kamil Dudka - 7.82.0-2 +- openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure + * Sat Mar 05 2022 Kamil Dudka - 7.82.0-1 - new upstream release From fd4baaca6fa2eb76ddabf28cd7ef9427c6c558a2 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 28 Apr 2022 09:52:56 +0200 Subject: [PATCH 03/34] Resolves: CVE-2022-22576 - fix OAUTH2 bearer bypass in connection re-use --- 0002-curl-7.82.0-CVE-2022-22576.patch | 148 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.82.0-CVE-2022-22576.patch diff --git a/0002-curl-7.82.0-CVE-2022-22576.patch b/0002-curl-7.82.0-CVE-2022-22576.patch new file mode 100644 index 0000000..51e9f86 --- /dev/null +++ b/0002-curl-7.82.0-CVE-2022-22576.patch 
@@ -0,0 +1,148 @@
+From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat
+Date: Mon, 25 Apr 2022 11:44:05 +0200
+Subject: [PATCH] url: check sasl additional parameters for connection reuse.
+
+Also move static function safecmp() as non-static Curl_safecmp() since
+its purpose is needed at several places.
+
+Bug: https://curl.se/docs/CVE-2022-22576.html
+
+CVE-2022-22576
+
+Closes #8746
+
+Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
+Signed-off-by: Kamil Dudka
+---
+ lib/strcase.c | 10 ++++++++++
+ lib/strcase.h | 2 ++
+ lib/url.c | 13 ++++++++++++-
+ lib/urldata.h | 1 +
+ lib/vtls/vtls.c | 21 ++++++---------------
+ 5 files changed, 31 insertions(+), 16 deletions(-)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index dd46ca1..692a3f1 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
+ } while(*src++ && --n);
+ }
+ 
++/* Compare case-sensitive NUL-terminated strings, taking care of possible
++ * null pointers. Return true if arguments match.
++ */
++bool Curl_safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ return !a && !b;
++}
++
+ /* --- public functions --- */
+ 
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index b628656..382b80a 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+ 
++bool Curl_safecmp(char *a, char *b);
++
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index adef2cd..94e3406 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn)
+ Curl_safefree(conn->passwd);
+ Curl_safefree(conn->sasl_authzid);
+ Curl_safefree(conn->options);
++ Curl_safefree(conn->oauth_bearer);
+ Curl_dyn_free(&conn->trailer);
+ Curl_safefree(conn->host.rawalloc); /* host name buffer */
+ Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
+@@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data,
+ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(strcmp(needle->user, check->user) ||
+- strcmp(needle->passwd, check->passwd)) {
++ strcmp(needle->passwd, check->passwd) ||
++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
+ /* one of them was different */
+ continue;
+ }
+@@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data,
+ }
+ }
+ 
++ if(data->set.str[STRING_BEARER]) {
++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
++ if(!conn->oauth_bearer) {
++ result = CURLE_OUT_OF_MEMORY;
++ goto out;
++ }
++ }
++
+ #ifdef USE_UNIX_SOCKETS
+ if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
+ conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
+diff --git a/lib/urldata.h b/lib/urldata.h
+index cc8a600..03da59a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -984,6 +984,7 @@ struct connectdata {
+ char *passwd; /* password string, allocated */
+ char *options; /* options string, allocated */
+ char *sasl_authzid; /* authorisation identity string, allocated */
++ char *oauth_bearer; /* OAUTH2 bearer, allocated */
+ unsigned char httpversion; /* the HTTP version*10 reported by the server */
+ struct curltime now; /* "current" time */
+ struct curltime created; /* creation time */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 03b85ba..a40ac06 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+ return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+ 
+-static bool safecmp(char *a, char *b)
+-{
+- if(a && b)
+- return !strcmp(a, b);
+- else if(!a && !b)
+- return TRUE; /* match */
+- return FALSE; /* no match */
+-}
+-
+ 
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ blobcmp(data->cert_blob, needle->cert_blob) &&
+ blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
+- safecmp(data->CApath, needle->CApath) &&
+- safecmp(data->CAfile, needle->CAfile) &&
+- safecmp(data->issuercert, needle->issuercert) &&
+- safecmp(data->clientcert, needle->clientcert) &&
+- safecmp(data->random_file, needle->random_file) &&
+- safecmp(data->egdsocket, needle->egdsocket) &&
++ Curl_safecmp(data->CApath, needle->CApath) &&
++ Curl_safecmp(data->CAfile, needle->CAfile) &&
++ Curl_safecmp(data->issuercert, needle->issuercert) &&
++ Curl_safecmp(data->clientcert, needle->clientcert) &&
++ Curl_safecmp(data->random_file, needle->random_file) &&
++ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->curves, needle->curves) &&
+--
+2.34.1
+
diff --git a/curl.spec b/curl.spec
index 67f9c9a..b4cf3f4 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.82.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -13,6 +13,9 @@ Source2: mykey.asc
 # openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
 Patch1: 0001-curl-7.82.0-openssl-spurious-oom.patch
 
+# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
+Patch2: 0002-curl-7.82.0-CVE-2022-22576.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -188,6 +191,7 @@ be installed.
 
 # upstream patches
 %patch1 -p1
+%patch2 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -415,6 +419,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Thu Apr 28 2022 Kamil Dudka - 7.82.0-3
+- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
+
 * Tue Mar 15 2022 Kamil Dudka - 7.82.0-2
 - openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
 
From 159cab915b58bfc05196919cc9517625d21e4473 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Thu, 28 Apr 2022 09:54:37 +0200
Subject: [PATCH 04/34] Resolves: CVE-2022-27775 - fix bad local IPv6 connection reuse
---
 0003-curl-7.82.0-CVE-2022-27775.patch | 40 +++++++++++++++++++++++++++
 curl.spec | 5 ++++
 2 files changed, 45 insertions(+)
 create mode 100644 0003-curl-7.82.0-CVE-2022-27775.patch

diff --git a/0003-curl-7.82.0-CVE-2022-27775.patch b/0003-curl-7.82.0-CVE-2022-27775.patch
new file mode 100644
index 0000000..d1ad8b9
--- /dev/null
+++ b/0003-curl-7.82.0-CVE-2022-27775.patch
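Review bot: `Curl_safecmp()` is introduced as a public helper with the signature `bool Curl_safecmp(char *a, char *b)` in both the lib/strcase.c and lib/strcase.h hunks, although its body only reads through the pointers; the prototype should be const-correct, `bool Curl_safecmp(const char *a, const char *b);`, which every caller shown in url.c and vtls.c still satisfies. The declaration added to strcase.h carries no comment, so the one from strcase.c, `/* Compare case-sensitive NUL-terminated strings, taking care of possible null pointers. Return true if arguments match. */`, should be repeated on the declaration where callers look first. The `conn->oauth_bearer` copy made in create_conn() holds a credential and the `Curl_safefree()` added to conn_free() treats it like `conn->passwd` on the line above; the urldata.h field comment `/* OAUTH2 bearer, allocated */` would say more as `/* OAUTH2 bearer, allocated; compared by ConnectionExists() so a cached connection is never reused with a different token */`. ConnectionExists() and create_conn() both begin and end outside the hunk.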
@@ -0,0 +1,40 @@
+From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+
+Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705
+Signed-off-by: Kamil Dudka
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index cd5756a..9b9f683 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
+ /* report back which name we used */
+ *hostp = hostname;
+ 
+- /* put the number first so that the hostname gets cut off if too long */
+- msnprintf(buf, len, "%ld%s", port, hostname);
++ /* put the numbers first so that the hostname gets cut off if too long */
++#ifdef ENABLE_IPV6
++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
++#else
++ msnprintf(buf, len, "%ld/%s", port, hostname);
++#endif
+ Curl_strntolower(buf, buf, len);
+ }
+ 
+--
+2.34.1
+
diff --git a/curl.spec b/curl.spec
index b4cf3f4..122ad64 100644
--- a/curl.spec
+++ b/curl.spec
@@ -16,6 +16,9 @@ Patch1: 0001-curl-7.82.0-openssl-spurious-oom.patch
 # fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
 Patch2: 0002-curl-7.82.0-CVE-2022-22576.patch
 
+# fix bad local IPv6 connection reuse (CVE-2022-27775)
+Patch3: 0003-curl-7.82.0-CVE-2022-27775.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -192,6 +195,7 @@ be installed.
 # upstream patches
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 # Fedora patches
 %patch101 -p1
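Review bot: The new `%u` conversion in hashkey() assumes `conn->scope_id` is an `unsigned int`; its declaration is not in this hunk, so if the field is a wider type the format would be mismatched and the argument should be cast explicitly, `(unsigned int)conn->scope_id`. The updated comment still only says "put the numbers first", while the reason the zone id was added is the point of the fix; suggest `/* the IPv6 zone id is part of the key so that connections to the same address in different zones are never bundled together */` above the `#ifdef`. Adding `/` separators to both branches also keeps the key unambiguous when the scope id and port are concatenated, which the comment could mention in the same sentence. hashkey() begins outside the hunk.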
@@ -420,6 +424,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Apr 28 2022 Kamil Dudka - 7.82.0-3 +- fix bad local IPv6 connection reuse (CVE-2022-27775) - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) * Tue Mar 15 2022 Kamil Dudka - 7.82.0-2 From ee9c88927d56e2447ce63f22639c1ac27d6174c6 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 28 Apr 2022 09:57:23 +0200 Subject: [PATCH 05/34] Resolves: CVE-2022-27776 - fix auth/cookie leak on redirect --- 0004-curl-7.82.0-CVE-2022-27776.patch | 246 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 251 insertions(+) create mode 100644 0004-curl-7.82.0-CVE-2022-27776.patch diff --git a/0004-curl-7.82.0-CVE-2022-27776.patch b/0004-curl-7.82.0-CVE-2022-27776.patch new file mode 100644 index 0000000..523b3e7 --- /dev/null +++ b/0004-curl-7.82.0-CVE-2022-27776.patch 
@@ -0,0 +1,246 @@
+From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port
+
+CVE-2022-27776
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+
+Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
+Signed-off-by: Kamil Dudka
+---
+ lib/http.c | 34 ++++++++++++++++++++++------------
+ lib/urldata.h | 16 +++++++++-------
+ 2 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 799d4fb..0791dcf 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
+ return CURLE_OK;
+ }
+ 
++/*
++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
++ * data" can (still) be sent to this host.
++ */
++static bool allow_auth_to_host(struct Curl_easy *data)
++{
++ struct connectdata *conn = data->conn;
++ return (!data->state.this_is_a_follow ||
++ data->set.allow_auth_to_other_hosts ||
++ (data->state.first_host &&
++ strcasecompare(data->state.first_host, conn->host.name) &&
++ (data->state.first_remote_port == conn->remote_port) &&
++ (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+ /**
+ * Curl_http_output_auth() setups the authentication headers for the
+ * host/proxy and the correct authentication
+@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
+ with it */
+ authproxy->done = TRUE;
+ 
+- /* To prevent the user+password to get sent to other than the original
+- host due to a location-follow, we do some weirdo checks here */
+- if(!data->state.this_is_a_follow ||
++ /* To prevent the user+password to get sent to other than the original host
++ due to a location-follow */
++ if(allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC
+- conn->bits.netrc ||
++ || conn->bits.netrc
+ #endif
+- !data->state.first_host ||
+- data->set.allow_auth_to_other_hosts ||
+- strcasecompare(data->state.first_host, conn->host.name)) {
++ )
+ result = output_auth_headers(data, conn, authhost, request, path, FALSE);
+- }
+ else
+ authhost->done = TRUE;
+ 
+@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+ checkprefix("Cookie:", compare)) &&
+ /* be careful of sending this potentially sensitive header to
+ other hosts */
+- (data->state.this_is_a_follow &&
+- data->state.first_host &&
+- !data->set.allow_auth_to_other_hosts &&
+- !strcasecompare(data->state.first_host, conn->host.name)))
++ !allow_auth_to_host(data))
+ ;
+ else {
+ #ifdef USE_HYPER
+@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
+ return CURLE_OUT_OF_MEMORY;
+ 
+ data->state.first_remote_port = conn->remote_port;
++ data->state.first_remote_protocol = conn->handler->protocol;
+ }
+ Curl_safefree(data->state.aptr.host);
+ 
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 03da59a..f92052a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1329,14 +1329,16 @@ struct UrlState {
+ char *ulbuf; /* allocated upload buffer or NULL */
+ curl_off_t current_speed; /* the ProgressShow() function sets this,
+ bytes / second */
+- char *first_host; /* host name of the first (not followed) request.
+- if set, this should be the host name that we will
+- sent authorization to, no else. Used to make Location:
+- following not keep sending user+password... This is
+- strdup() data.
+- */
++
++ /* host name, port number and protocol of the first (not followed) request.
++ if set, this should be the host name that we will sent authorization to,
++ no else. Used to make Location: following not keep sending user+password.
++ This is strdup()ed data. */
++ char *first_host;
++ int first_remote_port;
++ unsigned int first_remote_protocol;
++
+ int retrycount; /* number of retries on a new connection */
+- int first_remote_port; /* remote port of the first (not followed) request */
+ struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+ long sessionage; /* number of the most recent session */
+ struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
+--
+2.34.1
+
+
+From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 25 Apr 2022 13:05:47 +0200
+Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776
+
+Do not pass on Authorization headers on redirects to another port
+
+Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
+Signed-off-by: Kamil Dudka
+---
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test898 | 90 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 91 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test898
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 59d46bc..7ae2cf8 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -109,7 +109,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \
+ test863 test864 test865 test866 test867 test868 test869 test870 test871 \
+ test872 test873 test874 test875 test876 test877 test878 test879 test880 \
+ test881 test882 test883 test884 test885 test886 test887 test888 test889 \
+-test890 test891 test892 test893 test894 test895 test896 test897 \
++test890 test891 test892 test893 test894 test895 test896 test897 test898 \
+ \
+ test900 test901 test902 test903 test904 test905 test906 test907 test908 \
+ test909 test910 test911 test912 test913 test914 test915 test916 test917 \
+diff --git a/tests/data/test898 b/tests/data/test898
+new file mode 100644
+index 0000000..5cbb7d8
+--- /dev/null
++++ b/tests/data/test898
+@@ -0,0 +1,90 @@
++
++
++
++HTTP
++--location
++Authorization
++Cookie
++
++
++
++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with custom auth and cookies redirected to HTTP on a diff port ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA==" ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++Authorization: Basic am9lOnNlY3JldA== ++Cookie: userpwd=am9lOnNlY3JldA== ++ ++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 ++Host: firsthost.com:9999 ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index 122ad64..2a2f9cf 100644 --- a/curl.spec +++ b/curl.spec @@ -19,6 +19,9 @@ Patch2: 0002-curl-7.82.0-CVE-2022-22576.patch # fix bad local IPv6 connection reuse (CVE-2022-27775) Patch3: 0003-curl-7.82.0-CVE-2022-27775.patch +# fix auth/cookie leak on redirect (CVE-2022-27776) +Patch4: 0004-curl-7.82.0-CVE-2022-27776.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
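Review bot: The header comment of the new allow_auth_to_host() in lib/http.c misspells "authentication" (`autentication`) and does not state the rule the return value encodes; suggest `/* allow_auth_to_host() tells if authentication, cookies or other "sensitive data" can (still) be sent to this host: true when this is not a redirect, when the user allowed it explicitly, or when host name, port and protocol all match the first request */`. The comparison relies on `first_remote_port` and `first_remote_protocol`, which Curl_http_host() assigns in the same block (its condition lies outside the hunk, so it is presumably the one that also sets `first_host`); the `data->state.first_host &&` guard in the new function keeps that consistent, and a one-line comment there, `/* first_remote_port/protocol are only meaningful when first_host is set */`, would make the dependency explicit next to the new fields in urldata.h as well. Curl_http_output_auth() and Curl_add_custom_headers() both start and end outside the hunk.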
@@ -196,6 +199,7 @@ be installed. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 # Fedora patches %patch101 -p1 @@ -424,6 +428,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Apr 28 2022 Kamil Dudka - 7.82.0-3 +- fix auth/cookie leak on redirect (CVE-2022-27776) - fix bad local IPv6 connection reuse (CVE-2022-27775) - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) From 02810cd68eea17a8f951f5882bf1bc43996cc96e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 28 Apr 2022 09:59:08 +0200 Subject: [PATCH 06/34] Resolves: CVE-2022-27774 - fix credential leak on redirect --- 0005-curl-7.82.0-CVE-2022-27774.patch | 548 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 553 insertions(+) create mode 100644 0005-curl-7.82.0-CVE-2022-27774.patch diff --git a/0005-curl-7.82.0-CVE-2022-27774.patch b/0005-curl-7.82.0-CVE-2022-27774.patch new file mode 100644 index 0000000..d3c81b8 --- /dev/null +++ b/0005-curl-7.82.0-CVE-2022-27774.patch 
@@ -0,0 +1,548 @@ +From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH 1/3] connect: store "conn_remote_port" in the info struct + +To make it available after the connection ended. + +Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839 +Signed-off-by: Kamil Dudka +--- + lib/connect.c | 1 + + lib/urldata.h | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/connect.c b/lib/connect.c +index 64f9511..7518807 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn, + data->info.conn_scheme = conn->handler->scheme; + data->info.conn_protocol = conn->handler->protocol; + data->info.conn_primary_port = conn->port; ++ data->info.conn_remote_port = conn->remote_port; + data->info.conn_local_port = local_port; + } + +diff --git a/lib/urldata.h b/lib/urldata.h +index f92052a..5218f76 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1160,7 +1160,11 @@ struct PureInfo { + reused, in the connection cache. */ + + char conn_primary_ip[MAX_IPADR_LEN]; +- int conn_primary_port; ++ int conn_primary_port; /* this is the destination port to the connection, ++ which might have been a proxy */ ++ int conn_remote_port; /* this is the "remote port", which is the port ++ number of the used URL, independent of proxy or ++ not */ + char conn_local_ip[MAX_IPADR_LEN]; + int conn_local_port; + const char *conn_scheme; +-- +2.34.1 + + +From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH 2/3] transfer: redirects to other protocols or ports clear + auth + +... unless explicitly permitted. 
+ +Bug: https://curl.se/docs/CVE-2022-27774.html +Reported-by: Harry Sintonen +Closes #8748 + +Upstream-commit: 620ea21410030a9977396b4661806bc187231b79 +Signed-off-by: Kamil Dudka +--- + lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 48 insertions(+), 1 deletion(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 1f8019b..752fe14 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1608,10 +1608,57 @@ CURLcode Curl_follow(struct Curl_easy *data, + return CURLE_OUT_OF_MEMORY; + } + else { +- + uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); + if(uc) + return Curl_uc_to_curlcode(uc); ++ ++ /* Clear auth if this redirects to a different port number or protocol, ++ unless permitted */ ++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { ++ char *portnum; ++ int port; ++ bool clear = FALSE; ++ ++ if(data->set.use_port && data->state.allow_port) ++ /* a custom port is used */ ++ port = (int)data->set.use_port; ++ else { ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, ++ CURLU_DEFAULT_PORT); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ port = atoi(portnum); ++ free(portnum); ++ } ++ if(port != data->info.conn_remote_port) { ++ infof(data, "Clear auth, redirects to port from %u to %u", ++ data->info.conn_remote_port, port); ++ clear = TRUE; ++ } ++ else { ++ char *scheme; ++ const struct Curl_handler *p; ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ ++ p = Curl_builtin_scheme(scheme); ++ if(p && (p->protocol != data->info.conn_protocol)) { ++ infof(data, "Clear auth, redirects scheme from %s to %s", ++ data->info.conn_scheme, scheme); ++ clear = TRUE; ++ } ++ free(scheme); ++ } ++ if(clear) { ++ Curl_safefree(data->state.aptr.user); ++ Curl_safefree(data->state.aptr.passwd); ++ } ++ } + } + + if(type == FOLLOW_FAKE) { +-- +2.34.1 + + +From 
83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH 3/3] tests: verify the fix for CVE-2022-27774 + + - Test 973 redirects from HTTP to FTP, clear auth + - Test 974 redirects from HTTP to HTTP different port, clear auth + - Test 975 redirects from HTTP to FTP, permitted to keep auth + - Test 976 redirects from HTTP to HTTP different port, permitted to keep + auth + +Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++ + tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 352 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test973 + create mode 100644 tests/data/test974 + create mode 100644 tests/data/test975 + create mode 100644 tests/data/test976 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 7ae2cf8..175fc43 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -119,7 +119,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \ + test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 test970 test971 \ +-test972 \ ++test972 test973 test974 test975 test976 \ + \ + test980 test981 test982 test983 test984 test985 test986 \ + \ +diff --git a/tests/data/test973 b/tests/data/test973 +new file mode 100644 +index 0000000..6ced107 +--- /dev/null ++++ b/tests/data/test973 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++FTP ++--location ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake 
++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++ ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ftp ++ ++ ++HTTP with auth redirected to FTP w/o auth ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++CWD a ++CWD path ++EPSV ++TYPE I ++SIZE %TESTNUMBER0002 ++RETR %TESTNUMBER0002 ++QUIT ++ ++ ++ +diff --git a/tests/data/test974 b/tests/data/test974 +new file mode 100644 +index 0000000..ac4e641 +--- /dev/null ++++ b/tests/data/test974 +@@ -0,0 +1,87 @@ ++ ++ ++ ++HTTP ++--location ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# 
Client-side ++ ++ ++http ++ ++ ++HTTP with auth redirected to HTTP on a diff port w/o auth ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 ++Host: firsthost.com:9999 ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff --git a/tests/data/test975 b/tests/data/test975 +new file mode 100644 +index 0000000..85e03e4 +--- /dev/null ++++ b/tests/data/test975 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++FTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++ ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? 
++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ftp ++ ++ ++HTTP with auth redirected to FTP allowing auth to continue ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++ ++USER joe ++PASS secret ++PWD ++CWD a ++CWD path ++EPSV ++TYPE I ++SIZE %TESTNUMBER0002 ++RETR %TESTNUMBER0002 ++QUIT ++ ++ ++ +diff --git a/tests/data/test976 b/tests/data/test976 +new file mode 100644 +index 0000000..c4dd61e +--- /dev/null ++++ b/tests/data/test976 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with auth redirected to HTTP on a diff port --location-trusted ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET 
http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 ++Host: firsthost.com:9999 ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index 2a2f9cf..742c5fd 100644 --- a/curl.spec +++ b/curl.spec @@ -22,6 +22,9 @@ Patch3: 0003-curl-7.82.0-CVE-2022-27775.patch # fix auth/cookie leak on redirect (CVE-2022-27776) Patch4: 0004-curl-7.82.0-CVE-2022-27776.patch +# fix credential leak on redirect (CVE-2022-27774) +Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -200,6 +203,7 @@ be installed. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 # Fedora patches %patch101 -p1 @@ -428,6 +432,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Apr 28 2022 Kamil Dudka - 7.82.0-3 +- fix credential leak on redirect (CVE-2022-27774) - fix auth/cookie leak on redirect (CVE-2022-27776) - fix bad local IPv6 connection reuse (CVE-2022-27775) - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) From 43690cb3afe31bf2936a8885913f75e43e023ee1 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 2 May 2022 10:00:34 +0200 Subject: [PATCH 07/34] Resolves: CVE-2022-27774 - fix leak of SRP credentials in redirects --- 0005-curl-7.82.0-CVE-2022-27774.patch | 94 ++++++++++++++++++++++++++- curl.spec | 5 +- 2 files changed, 95 insertions(+), 4 deletions(-) diff --git a/0005-curl-7.82.0-CVE-2022-27774.patch b/0005-curl-7.82.0-CVE-2022-27774.patch index d3c81b8..86d0b45 100644 --- a/0005-curl-7.82.0-CVE-2022-27774.patch +++ b/0005-curl-7.82.0-CVE-2022-27774.patch @@ -1,7 +1,7 @@ From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001 
From: Daniel Stenberg Date: Mon, 25 Apr 2022 16:24:33 +0200 -Subject: [PATCH 1/3] connect: store "conn_remote_port" in the info struct +Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct To make it available after the connection ended. @@ -48,7 +48,7 @@ index f92052a..5218f76 100644 From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 25 Apr 2022 16:24:33 +0200 -Subject: [PATCH 2/3] transfer: redirects to other protocols or ports clear +Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear auth ... unless explicitly permitted. @@ -133,7 +133,7 @@ index 1f8019b..752fe14 100644 From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 25 Apr 2022 16:24:33 +0200 -Subject: [PATCH 3/3] tests: verify the fix for CVE-2022-27774 +Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774 - Test 973 redirects from HTTP to FTP, clear auth - Test 974 redirects from HTTP to HTTP different port, clear auth 
@@ -546,3 +546,91 @@ index 0000000..c4dd61e -- 2.34.1 + +From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 17:59:15 +0200 +Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects + either + +Follow-up to 620ea21410030 + +Reported-by: Harry Sintonen +Closes #8751 + +Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 +Signed-off-by: Kamil Dudka +--- + lib/http.c | 10 +++++----- + lib/http.h | 6 ++++++ + lib/vtls/openssl.c | 3 ++- + 3 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 0791dcf..4433824 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data, + } + + /* +- * allow_auth_to_host() tells if autentication, cookies or other "sensitive +- * data" can (still) be sent to this host. ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. 
+ */ +-static bool allow_auth_to_host(struct Curl_easy *data) ++bool Curl_allow_auth_to_host(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; + return (!data->state.this_is_a_follow || +@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data, + + /* To prevent the user+password to get sent to other than the original host + due to a location-follow */ +- if(allow_auth_to_host(data) ++ if(Curl_allow_auth_to_host(data) + #ifndef CURL_DISABLE_NETRC + || conn->bits.netrc + #endif +@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- !allow_auth_to_host(data)) ++ !Curl_allow_auth_to_host(data)) + ; + else { + #ifdef USE_HYPER +diff --git a/lib/http.h b/lib/http.h +index 07e963d..9000bae 100644 +--- a/lib/http.h ++++ b/lib/http.h +@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data, + bool proxytunnel); /* TRUE if this is the request setting + up the proxy tunnel */ + ++/* ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. ++ */ ++bool Curl_allow_auth_to_host(struct Curl_easy *data); ++ + #endif /* HEADER_CURL_HTTP_H */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 1bafe96..97c5666 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2894,7 +2894,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #endif + + #ifdef USE_OPENSSL_SRP +- if(ssl_authtype == CURL_TLSAUTH_SRP) { ++ if((ssl_authtype == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + char * const ssl_username = SSL_SET_OPTION(username); + + infof(data, "Using TLS-SRP username: %s", ssl_username); +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index 742c5fd..8424624 100644 --- a/curl.spec +++ b/curl.spec 
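Review bot: `Curl_allow_auth_to_host()` is now called from lib/vtls/openssl.c under `USE_OPENSSL_SRP` but is defined in lib/http.c; if that file's contents are compiled out in a `CURL_DISABLE_HTTP` build (the guard is not visible in this hunk, so this is inferred), the SRP path would reference an undefined symbol and would need a `#ifndef CURL_DISABLE_HTTP` fallback definition next to the new declaration in lib/http.h. When the check fails the SRP credentials are dropped with no trace in the verbose log; an `else` branch with `infof(data, "TLS-SRP credentials withheld after redirect to another host/port/protocol");` would make the new behavior observable to someone debugging a handshake that no longer negotiates SRP. The body of `Curl_allow_auth_to_host()` continues outside the `@@ -776` hunk and `ossl_connect_step1()` starts and ends outside the `@@ -2894` hunk, so the exact host/port/scheme comparison being applied cannot be confirmed here.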
@@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -431,6 +431,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon May 02 2022 Kamil Dudka - 7.82.0-4 +- fix leak of SRP credentials in redirects (CVE-2022-27774) + * Thu Apr 28 2022 Kamil Dudka - 7.82.0-3 - fix credential leak on redirect (CVE-2022-27774) - fix auth/cookie leak on redirect (CVE-2022-27776) From f35a1d48bb72b091fd93072595ecf9a76e38b90e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 May 2022 10:52:16 +0200 Subject: [PATCH 08/34] Resolves: CVE-2022-27780 - reject percent-encoded path separator in URL host --- 0006-curl-7.82.0-CVE-2022-27780.patch | 69 +++++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 0006-curl-7.82.0-CVE-2022-27780.patch diff --git a/0006-curl-7.82.0-CVE-2022-27780.patch b/0006-curl-7.82.0-CVE-2022-27780.patch new file mode 100644 index 0000000..b1c1cf6 --- /dev/null +++ b/0006-curl-7.82.0-CVE-2022-27780.patch 
@@ -0,0 +1,69 @@ +From 52684f4ad348deee05ce49c65b2446f68f4dc1a8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 08:19:38 +0200 +Subject: [PATCH 1/2] urlapi: reject percent-decoding host name into separator + bytes + +CVE-2022-27780 + +Reported-by: Axel Chong +Bug: https://curl.se/docs/CVE-2022-27780.html +Closes #8826 + +Upstream-commit: 914aaab9153764ef8fa4178215b8ad89d3ac263a +Signed-off-by: Kamil Dudka +--- + lib/urlapi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/urlapi.c b/lib/urlapi.c +index ff00ee4..00222fc 100644 +--- a/lib/urlapi.c ++++ b/lib/urlapi.c +@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname) + #endif + } + else { +- /* letters from the second string is not ok */ +- len = strcspn(hostname, " \r\n"); ++ /* letters from the second string are not ok */ ++ len = strcspn(hostname, " \r\n\t/:#?!@"); + if(hlen != len) + /* hostname with bad content */ + return CURLUE_BAD_HOSTNAME; +-- +2.34.1 + + +From f69fa599b12737aebc4bacee7608807620ff42cf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 08:19:38 +0200 +Subject: [PATCH 2/2] libtest/lib1560: verify the host name percent decode fix + +Upstream-commit: cfa47974fea04753d1131cac701e331cd91bec6f +Signed-off-by: Kamil Dudka +--- + tests/libtest/lib1560.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c +index 7614849..84ee933 100644 +--- a/tests/libtest/lib1560.c ++++ b/tests/libtest/lib1560.c +@@ -374,6 +374,13 @@ static const struct testcase get_parts_list[] ={ + + static const struct urltestcase get_url_list[] = { + /* percent encoded host names */ ++ {"http://example.com%40127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, ++ {"http://example.com%21127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, ++ {"http://example.com%3f127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, ++ {"http://example.com%23127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, 
++ {"http://example.com%3a127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, ++ {"http://example.com%09127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, ++ {"http://example.com%2F127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, + {"https://%this", "https://%25this/", 0, 0, CURLUE_OK}, + {"https://h%c", "https://h%25c/", 0, 0, CURLUE_OK}, + {"https://%%%%%%", "https://%25%25%25%25%25%25/", 0, 0, CURLUE_OK}, +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index 8424624..4508ffe 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,9 @@ Patch4: 0004-curl-7.82.0-CVE-2022-27776.patch # fix credential leak on redirect (CVE-2022-27774) Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch +# reject percent-encoded path separator in URL host (CVE-2022-27780) +Patch6: 0006-curl-7.82.0-CVE-2022-27780.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -204,6 +207,7 @@ be installed. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 # Fedora patches %patch101 -p1 @@ -431,6 +435,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 11 2022 Kamil Dudka - 7.82.0-5 +- reject percent-encoded path separator in URL host (CVE-2022-27780) + * Mon May 02 2022 Kamil Dudka - 7.82.0-4 - fix leak of SRP credentials in redirects (CVE-2022-27774) From d8e56f956c2f8badc06cf3b0d7ed4385b1668f05 Mon Sep 17 00:00:00 2001 
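Review bot: The widened `strcspn()` set in `hostname_check()` is an inline blocklist whose only explanation is `/* letters from the second string are not ok */`, which does not say why these bytes matter; since the check runs on the percent-decoded host name, a comment such as `/* after percent-decoding the host must not contain whitespace or bytes that act as URL delimiters (/ : # ? ! @), or the reassembled URL would parse into a different authority */` would record the intent for the next maintainer. Moving the literal into a named `static const char` at file scope would also make it easier to keep the set and the lib1560 rows in step — each newly rejected byte has a matching `CURLUE_BAD_HOSTNAME` case in the second patch, which is good. `hostname_check()` starts and ends outside the `@@ -678` hunk, so whether the branch the `else` pairs with applies an equivalent check cannot be confirmed here.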
From: Kamil Dudka Date: Wed, 11 May 2022 10:53:45 +0200 Subject: [PATCH 09/34] Resolves: CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names --- 0007-curl-7.82.0-CVE-2022-30115.patch | 273 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 278 insertions(+) create mode 100644 0007-curl-7.82.0-CVE-2022-30115.patch diff --git a/0007-curl-7.82.0-CVE-2022-30115.patch b/0007-curl-7.82.0-CVE-2022-30115.patch new file mode 100644 index 0000000..916c55a --- /dev/null +++ b/0007-curl-7.82.0-CVE-2022-30115.patch 
@@ -0,0 +1,273 @@ +From c8c0db4fc5459c47cb422407cfd3ee3406c40734 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 08:13:54 +0200 +Subject: [PATCH 1/2] test440/441: verify HSTS with trailing dots + +Upstream-commit: ff3ee510c328db03bf171cae6179bb9463fb054f +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 ++ + tests/data/test440 | 72 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test441 | 72 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 146 insertions(+) + create mode 100644 tests/data/test440 + create mode 100644 tests/data/test441 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 175fc43..a5b8dc2 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -72,6 +72,8 @@ test409 test410 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ ++test440 test441 \ ++\ + test490 test491 test492 test493 test494 \ + \ + test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +diff --git a/tests/data/test440 b/tests/data/test440 +new file mode 100644 +index 0000000..c640b02 +--- /dev/null ++++ b/tests/data/test440 +@@ -0,0 +1,72 @@ ++ ++ ++ ++HTTP ++HSTS ++trailing-dot ++ ++ ++ ++ ++ ++# we use this as response to a CONNECT ++ ++HTTP/1.1 403 not OK at all ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++Connection: close ++Funny-head: yesyes ++ ++-foo- ++ ++ ++ ++ ++ ++http ++ ++ ++HSTS ++proxy ++https ++ ++ ++# no trailing dot in the file only in the URL ++ ++this.hsts.example "99991001 04:47:41" ++ ++ ++ ++HSTS with trailing-dot host name in URL but none in hsts file ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://this.hsts.example./%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n' ++ ++ ++ ++ ++# we let it CONNECT to the server to confirm HSTS but deny from there ++ ++CONNECT this.hsts.example.:443 HTTP/1.1 ++Host: this.hsts.example.:443 ++User-Agent: curl/%VERSION ++Proxy-Connection: Keep-Alive ++ 
++ ++ ++HTTP/1.1 403 not OK at all ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++Connection: close ++Funny-head: yesyes ++ ++https://this.hsts.example./%TESTNUMBER ++ ++# Proxy CONNECT aborted ++ ++56 ++ ++ ++ +diff --git a/tests/data/test441 b/tests/data/test441 +new file mode 100644 +index 0000000..7f5245b +--- /dev/null ++++ b/tests/data/test441 +@@ -0,0 +1,72 @@ ++ ++ ++ ++HTTP ++HSTS ++trailing-dot ++ ++ ++ ++ ++ ++# we use this as response to a CONNECT ++ ++HTTP/1.1 403 not OK at all ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++Connection: close ++Funny-head: yesyes ++ ++-foo- ++ ++ ++ ++ ++ ++http ++ ++ ++HSTS ++proxy ++https ++ ++ ++# no trailing dot in the file only in the URL ++ ++this.hsts.example. "99991001 04:47:41" ++ ++ ++ ++HSTS with no t-dot host name in URL but t-dot in file ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://this.hsts.example/%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n' ++ ++ ++ ++ ++# we let it CONNECT to the server to confirm HSTS but deny from there ++ ++CONNECT this.hsts.example:443 HTTP/1.1 ++Host: this.hsts.example:443 ++User-Agent: curl/%VERSION ++Proxy-Connection: Keep-Alive ++ ++ ++ ++HTTP/1.1 403 not OK at all ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++Connection: close ++Funny-head: yesyes ++ ++https://this.hsts.example/%TESTNUMBER ++ ++# Proxy CONNECT aborted ++ ++56 ++ ++ ++ +-- +2.34.1 + + +From fa4a1193f9bb9970b925cc7795d481c8ee9a0a4a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 08:13:55 +0200 +Subject: [PATCH 2/2] hsts: ignore trailing dots when comparing hosts names + +CVE-2022-30115 + +Reported-by: Axel Chong +Bug: https://curl.se/docs/CVE-2022-30115.html +Closes #8821 + +Upstream-commit: fae6fea209a2d4db1582f608bd8cc8000721733a +Signed-off-by: Kamil Dudka +--- + lib/hsts.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 
deletions(-) + +diff --git a/lib/hsts.c b/lib/hsts.c +index 03fcc9e..b9fa6f7 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h, + curl_off_t expires) + { + struct stsentry *sts = hsts_entry(); ++ char *duphost; ++ size_t hlen; + if(!sts) + return CURLE_OUT_OF_MEMORY; + +- sts->expires = expires; +- sts->includeSubDomains = subdomains; +- sts->host = strdup(hostname); +- if(!sts->host) { ++ duphost = strdup(hostname); ++ if(!duphost) { + free(sts); + return CURLE_OUT_OF_MEMORY; + } ++ ++ hlen = strlen(duphost); ++ if(duphost[hlen - 1] == '.') ++ /* strip off trailing any dot */ ++ duphost[--hlen] = 0; ++ ++ sts->host = duphost; ++ sts->expires = expires; ++ sts->includeSubDomains = subdomains; + Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node); + return CURLE_OK; + } +@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname, + bool subdomain) + { + if(h) { ++ char buffer[MAX_HSTS_HOSTLEN + 1]; + time_t now = time(NULL); + size_t hlen = strlen(hostname); + struct Curl_llist_element *e; + struct Curl_llist_element *n; ++ ++ if((hlen > MAX_HSTS_HOSTLEN) || !hlen) ++ return NULL; ++ memcpy(buffer, hostname, hlen); ++ if(hostname[hlen-1] == '.') ++ /* remove the trailing dot */ ++ --hlen; ++ buffer[hlen] = 0; ++ hostname = buffer; ++ + for(e = h->list.head; e; e = n) { + struct stsentry *sts = e->ptr; + n = e->next; +@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h) + CURLSTScode sc; + DEBUGASSERT(h); + do { +- char buffer[257]; ++ char buffer[MAX_HSTS_HOSTLEN + 1]; + struct curl_hstsentry e; + e.name = buffer; + e.namelen = sizeof(buffer)-1; +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index 4508ffe..3277682 100644 --- a/curl.spec +++ b/curl.spec 
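Review bot: In `hsts_create()` the new trailing-dot strip does `hlen = strlen(duphost); if(duphost[hlen - 1] == '.')` with no length check, so an empty `hostname` reads `duphost[-1]` (undefined behavior), and `Curl_hsts()` in the same patch does guard with `!hlen`, so the two should agree: `if(hlen && (duphost[hlen - 1] == '.'))`. Whether every caller already rejects an empty name cannot be confirmed from this hunk; `hsts_pull()` hands a callback-filled `buffer` to the parser and its surrounding logic is outside the hunk. The `memcpy()` into `buffer[MAX_HSTS_HOSTLEN + 1]` in `Curl_hsts()` is bounded by the preceding `hlen > MAX_HSTS_HOSTLEN` check, which is fine, but the comment `/* strip off trailing any dot */` reads as a slip for `/* strip off any trailing dot */`.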
@@ -28,6 +28,9 @@ Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch # reject percent-encoded path separator in URL host (CVE-2022-27780) Patch6: 0006-curl-7.82.0-CVE-2022-27780.patch +# hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115) +Patch7: 0007-curl-7.82.0-CVE-2022-30115.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -208,6 +211,7 @@ be installed. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 # Fedora patches %patch101 -p1 @@ -436,6 +440,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed May 11 2022 Kamil Dudka - 7.82.0-5 +- hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115) - reject percent-encoded path separator in URL host (CVE-2022-27780) * Mon May 02 2022 Kamil Dudka - 7.82.0-4 From bd1119154cd8420e15c0a80f994c3c1c4ef67fc5 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 May 2022 10:54:59 +0200 Subject: [PATCH 10/34] Resolves: CVE-2022-27779 - do not accept cookies for TLD with trailing dot --- 0008-curl-7.82.0-CVE-2022-27779.patch | 144 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 149 insertions(+) create mode 100644 0008-curl-7.82.0-CVE-2022-27779.patch diff --git a/0008-curl-7.82.0-CVE-2022-27779.patch b/0008-curl-7.82.0-CVE-2022-27779.patch new file mode 100644 index 0000000..fad8119 --- /dev/null +++ b/0008-curl-7.82.0-CVE-2022-27779.patch 
@@ -0,0 +1,144 @@ +From 755d4386dabf1b29dd8c44a3505567eeed9a5b99 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 16:47:06 +0200 +Subject: [PATCH 1/2] test977: reproduce ability to set cookie on TLD + +When PSL is not enabled + +Upstream-commit: f8cb6c610a8e1576f1f615918a8b0a8fbd0e4e85 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test977 | 60 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 61 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test977 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index a5b8dc2..98d5516 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -121,7 +121,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \ + test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 test970 test971 \ +-test972 test973 test974 test975 test976 \ ++test972 test973 test974 test975 test976 test977 \ + \ + test980 test981 test982 test983 test984 test985 test986 \ + \ +diff --git a/tests/data/test977 b/tests/data/test977 +new file mode 100644 +index 0000000..11ff1b7 +--- /dev/null ++++ b/tests/data/test977 +@@ -0,0 +1,60 @@ ++ ++ ++ ++HTTP ++cookies ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Set-Cookie: a=b; Domain=.me.; ++ ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++proxy ++ ++ ++http ++ ++ ++URL with trailing dot and receiving a cookie for the TLD with dot ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.me. -c log/cookies%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.me./ HTTP/1.1 ++Host: firsthost.me. 
++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++# Netscape HTTP Cookie File ++# https://curl.se/docs/http-cookies.html ++# This file was generated by libcurl! Edit at your own risk. ++ ++ ++ ++ +-- +2.34.1 + + +From 49307bc15142cda9a7f4eff4cdb82111344d865a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 16:47:06 +0200 +Subject: [PATCH 2/2] cookies: make bad_domain() not consider a trailing dot + fine + +The check for a dot in the domain must not consider a single trailing +dot to be fine, as then TLD + trailing dot is fine and curl will accept +setting cookies for it. + +CVE-2022-27779 + +Reported-by: Axel Chong +Bug: https://curl.se/docs/CVE-2022-27779.html +Closes #8820 + +Upstream-commit: 7e92d12b4e6911f424678a133b19de670e183a59 +Signed-off-by: Kamil Dudka +--- + lib/cookie.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index d418efa..1b8c8f9 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies) + /* Make sure domain contains a dot or is localhost. */ + static bool bad_domain(const char *domain) + { +- return !strchr(domain, '.') && !strcasecompare(domain, "localhost"); ++ if(strcasecompare(domain, "localhost")) ++ return FALSE; ++ else { ++ /* there must be a dot present, but that dot must not be a trailing dot */ ++ char *dot = strchr(domain, '.'); ++ if(dot) ++ return dot[1] ? FALSE : TRUE; ++ } ++ return TRUE; + } + + /* +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index 3277682..3c32076 100644 --- a/curl.spec +++ b/curl.spec 
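Review bot: The unchanged header comment `/* Make sure domain contains a dot or is localhost. */` above `bad_domain()` now describes the old rule; it should state the new one, e.g. `/* Return TRUE for a bad domain: it must be "localhost" or contain a dot that is not the final character, so a bare TLD with a trailing dot is rejected */`. The new body could also be tightened without changing behavior: `const char *dot` keeps const-correctness on the `const char *domain` input, the `else` after `return FALSE;` is redundant, and `return dot[1] ? FALSE : TRUE;` is just `return !dot[1];`. The check inspects only the first dot, which is enough for the trailing-dot TLD case test977 exercises (`Domain=.me.`) provided the leading dot has been stripped before the call; that cannot be confirmed from this hunk.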
@@ -31,6 +31,9 @@ Patch6: 0006-curl-7.82.0-CVE-2022-27780.patch # hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115) Patch7: 0007-curl-7.82.0-CVE-2022-30115.patch +# do not accept cookies for TLD with trailing dot (CVE-2022-27779) +Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -212,6 +215,7 @@ be installed. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 # Fedora patches %patch101 -p1 @@ -440,6 +444,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed May 11 2022 Kamil Dudka - 7.82.0-5 +- do not accept cookies for TLD with trailing dot (CVE-2022-27779) - hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115) - reject percent-encoded path separator in URL host (CVE-2022-27780) From a28fa4e5f02f441db9ae7b9f1b3f3f342ddc9c2d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 May 2022 10:56:40 +0200 Subject: [PATCH 11/34] Resolves: CVE-2022-27782 - fix too eager reuse of TLS and SSH connections --- 0009-curl-7.82.0-CVE-2022-27782.patch | 501 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 506 insertions(+) create mode 100644 0009-curl-7.82.0-CVE-2022-27782.patch diff --git a/0009-curl-7.82.0-CVE-2022-27782.patch b/0009-curl-7.82.0-CVE-2022-27782.patch new file mode 100644 index 0000000..0c9d21c --- /dev/null +++ b/0009-curl-7.82.0-CVE-2022-27782.patch 
@@ -0,0 +1,501 @@ +From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH 1/2] tls: check more TLS details for connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 29 +++++++++++++++++------------ + lib/url.c | 23 ++++++++++++++++------- + lib/urldata.h | 13 +++++++------ + lib/vtls/gtls.c | 19 ++++++++++--------- + lib/vtls/mbedtls.c | 2 +- + lib/vtls/nss.c | 6 +++--- + lib/vtls/openssl.c | 10 +++++----- + lib/vtls/vtls.c | 21 +++++++++++++++++++++ + 8 files changed, 80 insertions(+), 43 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 8e1bf12..7aa6fdb 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + + case CURLOPT_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case CURLOPT_TLSAUTH_USERNAME: + result = 
Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to ++ SRP */ + break; + #endif + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + #endif + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- 
data->set.ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #endif + #endif +diff --git a/lib/url.c b/lib/url.c +index 94e3406..5ebf5e2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + set->ssl.primary.verifypeer = TRUE; + set->ssl.primary.verifyhost = TRUE; + #ifdef USE_TLS_SRP +- set->ssl.authtype = CURL_TLSAUTH_NONE; ++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; + #endif + set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth + type */ +@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; + conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; + conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; ++ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #ifndef CURL_DISABLE_PROXY + conn->proxy_ssl_config.verifystatus = + data->set.proxy_ssl.primary.verifystatus; + conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; + conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; ++ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #endif + conn->ip_version = data->set.ipver; + conn->bits.connect_only = data->set.connect_only; +@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + 
data->set.proxy_ssl.primary.issuercert_blob = + data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; +- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; ++ data->set.proxy_ssl.primary.CRLfile = ++ data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; ++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.ssl.key = data->set.str[STRING_KEY]; + data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; + data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; + data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; ++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; ++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + #ifndef CURL_DISABLE_PROXY +- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; ++ data->set.proxy_ssl.primary.username = ++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; ++ data->set.proxy_ssl.primary.password = ++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; +diff --git a/lib/urldata.h b/lib/urldata.h +index 5218f76..e006495 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -253,10 
+253,17 @@ struct ssl_primary_config { + char *cipher_list; /* list of ciphers to use */ + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; ++ char *CRLfile; /* CRL to check certificate revocation */ + struct curl_blob *cert_blob; + struct curl_blob *ca_info_blob; + struct curl_blob *issuercert_blob; ++#ifdef USE_TLS_SRP ++ char *username; /* TLS username (for, e.g., SRP) */ ++ char *password; /* TLS password (for, e.g., SRP) */ ++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ ++#endif + char *curves; /* list of curves to use */ ++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ + BIT(verifystatus); /* set TRUE if certificate status must be checked */ +@@ -266,7 +273,6 @@ struct ssl_primary_config { + struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ +- char *CRLfile; /* CRL to check certificate revocation */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert_type; /* format for certificate (default: PEM)*/ +@@ -274,11 +280,6 @@ struct ssl_config_data { + struct curl_blob *key_blob; + char *key_type; /* format for private key (default: PEM) */ + char *key_passwd; /* plain text private key password */ +-#ifdef USE_TLS_SRP +- char *username; /* TLS username (for, e.g., SRP) */ +- char *password; /* TLS password (for, e.g., SRP) */ +- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +-#endif + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); + BIT(enable_beast); /* allow this flaw for interoperability's sake*/ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 5749376..ec6be16 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -449,8 +449,8 @@ 
gtls_connect_step1(struct Curl_easy *data, + } + + rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, +- SSL_SET_OPTION(username), +- SSL_SET_OPTION(password)); ++ SSL_SET_OPTION(primary.username), ++ SSL_SET_OPTION(primary.password)); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_set_client_cred() failed: %s", + gnutls_strerror(rc)); +@@ -507,19 +507,19 @@ gtls_connect_step1(struct Curl_easy *data, + } + #endif + +- if(SSL_SET_OPTION(CRLfile)) { ++ if(SSL_SET_OPTION(primary.CRLfile)) { + /* set the CRL list file */ + rc = gnutls_certificate_set_x509_crl_file(backend->cred, +- SSL_SET_OPTION(CRLfile), ++ SSL_SET_OPTION(primary.CRLfile), + GNUTLS_X509_FMT_PEM); + if(rc < 0) { + failf(data, "error reading crl file %s (%s)", +- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); ++ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); + return CURLE_SSL_CRL_BADFILE; + } + else + infof(data, "found %d CRL in %s", +- rc, SSL_SET_OPTION(CRLfile)); ++ rc, SSL_SET_OPTION(primary.CRLfile)); + } + + /* Initialize TLS session as a client */ +@@ -590,7 +590,7 @@ gtls_connect_step1(struct Curl_easy *data, + #ifdef HAVE_GNUTLS_SRP + /* Only add SRP to the cipher list if SRP is requested. Otherwise + * GnuTLS will disable TLS 1.3 support. */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + size_t len = strlen(prioritylist); + + char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); +@@ -685,7 +685,7 @@ gtls_connect_step1(struct Curl_easy *data, + + #ifdef HAVE_GNUTLS_SRP + /* put the credentials to the current session */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, + backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -926,7 +926,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + failf(data, "server certificate verification failed. 
CAfile: %s " + "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): + "none", +- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); ++ SSL_SET_OPTION(primary.CRLfile) ? ++ SSL_SET_OPTION(primary.CRLfile) : "none"); + return CURLE_PEER_FAILED_VERIFICATION; + } + else +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index b9fd26a..bd4ad8f 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + const char * const hostname = SSL_HOST_NAME(); + #ifndef CURL_DISABLE_VERBOSE_STRINGS + const long int port = SSL_HOST_PORT(); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 558e3be..892e7d8 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2027,13 +2027,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, + } + } + +- if(SSL_SET_OPTION(CRLfile)) { +- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); ++ if(SSL_SET_OPTION(primary.CRLfile)) { ++ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); + if(rv) { + result = rv; + goto error; + } +- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); ++ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); + } + + if(SSL_SET_OPTION(primary.clientcert)) { +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 97c5666..a4ef9d1 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2633,7 +2633,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #endif + const long int ssl_version = SSL_CONN_CONFIG(version); + #ifdef USE_OPENSSL_SRP +- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); ++ const enum 
CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); + #endif + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +@@ -2644,7 +2644,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + char error_buffer[256]; + struct ssl_backend_data *backend = connssl->backend; + bool imported_native_ca = false; +@@ -2896,15 +2896,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #ifdef USE_OPENSSL_SRP + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- char * const ssl_username = SSL_SET_OPTION(username); +- ++ char * const ssl_username = SSL_SET_OPTION(primary.username); ++ char * const ssl_password = SSL_SET_OPTION(primary.password); + infof(data, "Using TLS-SRP username: %s", ssl_username); + + if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { ++ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index a40ac06..e2d3438 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + { + if((data->version == needle->version) && + (data->version_max == needle->version_max) && ++ (data->ssl_options == needle->ssl_options) && + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == 
needle->verifystatus) && +@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && ++#ifdef USE_TLS_SRP ++ Curl_safecmp(data->username, needle->username) && ++ Curl_safecmp(data->password, needle->password) && ++ (data->authtype == needle->authtype) && ++#endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + return TRUE; + +@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->verifyhost = source->verifyhost; + dest->verifystatus = source->verifystatus; + dest->sessionid = source->sessionid; ++ dest->ssl_options = source->ssl_options; ++#ifdef USE_TLS_SRP ++ dest->authtype = source->authtype; ++#endif + + CLONE_BLOB(cert_blob); + CLONE_BLOB(ca_info_blob); +@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); + CLONE_STRING(curves); ++ CLONE_STRING(CRLfile); ++#ifdef USE_TLS_SRP ++ CLONE_STRING(username); ++ CLONE_STRING(password); ++#endif + + return TRUE; + } +@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + Curl_safefree(sslc->ca_info_blob); + Curl_safefree(sslc->issuercert_blob); + Curl_safefree(sslc->curves); ++ Curl_safefree(sslc->CRLfile); ++#ifdef USE_TLS_SRP ++ Curl_safefree(sslc->username); ++ Curl_safefree(sslc->password); ++#endif + } + + #ifdef USE_SSL +-- +2.34.1 + + +From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH 
2/2] url: check SSH config match on connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 11 +++++++++++ + lib/vssh/ssh.h | 6 +++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 5ebf5e2..c713e54 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data) + } + } + ++static bool ssh_config_matches(struct connectdata *one, ++ struct connectdata *two) ++{ ++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && ++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); ++} + /* + * Given one filled in connection struct (named needle), this function should + * detect if there already is one that has all the significant details +@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; + ++ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) ++ continue; ++ } ++ + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY + || !needle->bits.httpproxy || needle->bits.tunnel_proxy +diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h +index 7972081..30d82e5 100644 +--- a/lib/vssh/ssh.h ++++ b/lib/vssh/ssh.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. 
The terms
+@@ -131,8 +131,8 @@ struct ssh_conn {
+
+ /* common */
+ const char *passphrase; /* pass-phrase to use */
+- char *rsa_pub; /* path name */
+- char *rsa; /* path name */
++ char *rsa_pub; /* strdup'ed public key file */
++ char *rsa; /* strdup'ed private key file */
+ bool authed; /* the connection has been authenticated fine */
+ bool acceptfail; /* used by the SFTP_QUOTE (continue if
+ quote command fails) */
+--
+2.34.1
+
diff --git a/curl.spec b/curl.spec
index 3c32076..900ce65 100644
--- a/curl.spec
+++ b/curl.spec
@@ -34,6 +34,9 @@ Patch7: 0007-curl-7.82.0-CVE-2022-30115.patch
 # do not accept cookies for TLD with trailing dot (CVE-2022-27779)
 Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch
+# fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
+Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -216,6 +219,7 @@ be installed.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 # Fedora patches
 %patch101 -p1
@@ -444,6 +448,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %changelog
 * Wed May 11 2022 Kamil Dudka - 7.82.0-5
+- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
 - do not accept cookies for TLD with trailing dot (CVE-2022-27779)
 - hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
 - reject percent-encoded path separator in URL host (CVE-2022-27780)
From c637ed663bac76ad9f2103a611175dbb346df841 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?=
Date: Thu, 12 May 2022 10:15:57 +0200
Subject: [PATCH 12/34] tests/non-root-user-download: fix test failures
---
 tests/non-root-user-download/main.fmf | 1 +
 tests/non-root-user-download/runtest.sh | 14 ++++++++------
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/tests/non-root-user-download/main.fmf b/tests/non-root-user-download/main.fmf
index 15c0c12..2e3980f 100644
--- a/tests/non-root-user-download/main.fmf
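Review bot: In the vtls.c hunk of the embedded patch, `Curl_ssl_config_matches()` compares the newly tracked `CRLfile` with `Curl_safe_strcasecompare`, while the other path-like fields it adds or already checks (`clientcert`, `username`, `password`) go through the presumably case-sensitive `Curl_safecmp`; on a case-sensitive filesystem two CRL paths that differ only in case name different files, so the looser compare can still let a connection set up with a different CRL be reused. `Curl_safecmp(data->CRLfile, needle->CRLfile) &&` would keep that field as strict as the others. The two `#ifdef USE_TLS_SRP`/`#endif` pairs added to `allocate_conn()` in the url.c hunk enclose nothing and can be dropped. In the second embedded patch, `ssh_config_matches()` is inserted directly above the block comment of `ConnectionExists()` with no separating blank line.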
+++ b/tests/non-root-user-download/main.fmf
@@ -7,6 +7,7 @@ require:
 - findutils
 - libselinux-utils
 - openssh-clients
+ - openssh-server
 - passwd
 test: ./runtest.sh
 framework: beakerlib
diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh
index fd5f375..0529a12 100755
--- a/tests/non-root-user-download/runtest.sh
+++ b/tests/non-root-user-download/runtest.sh
@@ -31,9 +31,9 @@ PACKAGE="curl"
-FTP_URL=ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
-CONTENT=a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
+CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"
@@ -46,9 +46,11 @@ rlJournalStart
 rlRun "useradd -m curltester" 0 "Adding the test user"
 rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user"
 rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile"
+ rlFileBackup --clean --missing-ok $HOME/.ssh /etc/hosts
+ rlRun "rm -f $HOME/.ssh/*"
 [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh )
- rlFileBackup $HOME/.ssh/known_hosts /etc/hosts
- ssh-keygen -F localhost -f $HOME/.ssh/known_hosts || rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
+ rlRun "rlServiceStart sshd"
+ rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
 rlPhaseEnd
 rlPhaseStartTest "http download"
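Review bot: `rlRun "rm -f $HOME/.ssh/*"` in the setup hunk wipes every file in the invoking user's `~/.ssh` (on a beakerlib host that is normally root's private keys and `authorized_keys`), not just the `known_hosts` entry the test regenerates; the `rlFileBackup --clean --missing-ok $HOME/.ssh` on the line before makes that recoverable only if the cleanup phase's `rlFileRestore` actually runs. Deleting only the file the test rewrites, `rlRun "rm -f $HOME/.ssh/known_hosts"`, gives the following `ssh-keyscan` the same clean slate with far less at stake on an aborted run. The unchanged `restorecon HOME/.ssh` on the next line is missing the `$` on `HOME`, so it points at a relative path `HOME/.ssh` rather than the directory just created.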
@@ -81,7 +83,7 @@ if ! rlIsRHEL 5; then
 fi
 rlPhaseStartCleanup
- rlRun "rm -f $HOME/.ssh/known_hosts"
+ rlRun "rlServiceRestore"
 rlFileRestore
 rlRun "popd"
 rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
From 424d9c193f3c3084e6bd5c68aae7ea630e74a461 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 29 Jun 2022 10:56:13 +0200
Subject: [PATCH 13/34] Resolves: CVE-2022-32208 - fix FTP-KRB bad message verification
---
 0010-curl-7.82.0-CVE-2022-32208.patch | 70 +++++++++++++++++++++++++++
 curl.spec | 9 +++-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 0010-curl-7.82.0-CVE-2022-32208.patch
diff --git a/0010-curl-7.82.0-CVE-2022-32208.patch b/0010-curl-7.82.0-CVE-2022-32208.patch
new file mode 100644
index 0000000..34e7d2e
--- /dev/null
+++ b/0010-curl-7.82.0-CVE-2022-32208.patch
@@ -0,0 +1,70 @@
+From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
+Signed-off-by: Kamil Dudka
+---
+ lib/krb5.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index 787137c..6f9e1f7 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
+ enc.value = buf;
+ enc.length = len;
+ maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+- if(maj != GSS_S_COMPLETE) {
+- if(len >= 4)
+- strcpy(buf, "599 ");
++ if(maj != GSS_S_COMPLETE)
+ return -1;
+- }
+
+ memcpy(buf, dec.value, dec.length);
+ len = curlx_uztosi(dec.length);
+@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+ int len;
+ CURLcode result;
++ int nread;
+
+ result = socket_read(fd, &len, sizeof(len));
+ if(result)
+@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- buf->data = Curl_saferealloc(buf->data, len);
++ if(len > CURL_MAX_INPUT_LENGTH)
++ len = 0;
++ else
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
+- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+- conn->data_prot, conn);
++ nread = conn->mech->decode(conn->app_data, buf->data, len,
++ conn->data_prot, conn);
++ if(nread < 0)
++ return CURLE_RECV_ERROR;
++ buf->size = (size_t)nread;
+ buf->index = 0;
+ return CURLE_OK;
+ }
+--
+2.35.3
+
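Review bot: In the `read_data()` hunk the new bound `if(len > CURL_MAX_INPUT_LENGTH) len = 0;` routes an oversized length field into the pre-existing `return CURLE_OUT_OF_MEMORY;`, so a peer that sends a bad length is reported as an allocation failure rather than a protocol error; returning `CURLE_RECV_ERROR` directly, the code the same hunk uses for a decode failure further down, would name the actual condition. `len` is an `int` assigned from `ntohl()`, so a value with the top bit set is negative, passes the `>` check and reaches `Curl_saferealloc(buf->data, len)`; presumably that call fails on the converted size, but `if(len < 0 || len > CURL_MAX_INPUT_LENGTH)` rejects it explicitly instead of relying on the allocator. `read_data()` starts at the `{` of its first hunk, so the declarations of `fd` and `buf` are outside the visible lines.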
diff --git a/curl.spec b/curl.spec
index 900ce65..e5bed52 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.82.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -37,6 +37,9 @@ Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch
 # fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
 Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch
+# fix FTP-KRB bad message verification (CVE-2022-32208)
+Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -220,6 +223,7 @@ be installed.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 # Fedora patches
 %patch101 -p1
@@ -447,6 +451,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Wed Jun 29 2022 Kamil Dudka - 7.82.0-6
+- fix FTP-KRB bad message verification (CVE-2022-32208)
+
 * Wed May 11 2022 Kamil Dudka - 7.82.0-5
 - fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
 - do not accept cookies for TLD with trailing dot (CVE-2022-27779)
From c76b2a1a9f10cb809cdaa0775f2742e0bc73623e Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 29 Jun 2022 11:04:02 +0200
Subject: [PATCH 14/34] Resolves: CVE-2022-32206 - fix HTTP compression denial of service
---
 0011-curl-7.82.0-CVE-2022-32206.patch | 144 ++++++++++++++++++++++++++
 curl.spec | 5 +
 2 files changed, 149 insertions(+)
 create mode 100644 0011-curl-7.82.0-CVE-2022-32206.patch
diff --git a/0011-curl-7.82.0-CVE-2022-32206.patch b/0011-curl-7.82.0-CVE-2022-32206.patch
new file mode 100644
index 0000000..07c7fdf
--- /dev/null
+++ b/0011-curl-7.82.0-CVE-2022-32206.patch
@@ -0,0 +1,144 @@ +From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:28:13 +0200 +Subject: [PATCH 1/2] content_encoding: return error on too many compression + steps + +The max allowed steps is arbitrarily set to 5. + +Bug: https://curl.se/docs/CVE-2022-32206.html +CVE-2022-32206 +Reported-by: Harry Sintonen +Closes #9049 + +Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2 +Signed-off-by: Kamil Dudka +--- + lib/content_encoding.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index c03637a..6f994b3 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name, + return NULL; + } + ++/* allow no more than 5 "chained" compression steps */ ++#define MAX_ENCODE_STACK 5 ++ + /* Set-up the unencoding stack from the Content-Encoding header value. + * See RFC 7231 section 3.1.2.2. */ + CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; ++ int counter = 0; + + do { + const char *name; +@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + ++ if(++counter >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to %u content encodings", ++ counter); ++ return CURLE_BAD_CONTENT_ENCODING; ++ } + /* Stack the unencoding stage. 
*/ + writer = new_unencoding_writer(data, encoding, k->writer_stack); + if(!writer) +-- +2.35.3 + + +From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:29:07 +0200 +Subject: [PATCH 2/2] test387: verify rejection of compression chain attack + +Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test387 | 53 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 54 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test387 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 98d5516..9b5f4fb 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -63,7 +63,7 @@ test352 test353 test354 test355 test356 test357 test358 test359 test360 \ + test361 test362 test363 test364 test365 test366 test367 test368 test369 \ + test370 test371 test372 test373 test374 \ + \ +-test380 test381 test383 test384 test385 test386 \ ++test380 test381 test383 test384 test385 test386 test387 \ + \ + test392 test393 test394 test395 test396 test397 \ + \ +diff --git a/tests/data/test387 b/tests/data/test387 +new file mode 100644 +index 0000000..015ec25 +--- /dev/null ++++ b/tests/data/test387 +@@ -0,0 +1,53 @@ ++ ++ ++ ++HTTP ++gzip ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Response with overly long compression 
chain ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++ ++61 ++ ++ ++curl: (61) Reject response due to 5 content encodings ++ ++ ++ +-- +2.35.3 + diff --git a/curl.spec b/curl.spec index e5bed52..78042fa 100644 --- a/curl.spec +++ b/curl.spec @@ -40,6 +40,9 @@ Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch # fix FTP-KRB bad message verification (CVE-2022-32208) Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch +# fix HTTP compression denial of service (CVE-2022-32206) +Patch11: 0011-curl-7.82.0-CVE-2022-32206.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -224,6 +227,7 @@ be installed. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 # Fedora patches %patch101 -p1 @@ -452,6 +456,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Jun 29 2022 Kamil Dudka - 7.82.0-6 +- fix HTTP compression denial of service (CVE-2022-32206) - fix FTP-KRB bad message verification (CVE-2022-32208) * Wed May 11 2022 Kamil Dudka - 7.82.0-5 From 45b18a48b433d203b1c8a13bcc4777d8f57fcfb8 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 29 Jun 2022 11:05:48 +0200 Subject: [PATCH 15/34] Resolves: CVE-2022-32205 - fix Set-Cookie denial of service --- 0012-curl-7.82.0-CVE-2022-32205.patch | 740 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 745 insertions(+) create mode 100644 0012-curl-7.82.0-CVE-2022-32205.patch diff --git a/0012-curl-7.82.0-CVE-2022-32205.patch b/0012-curl-7.82.0-CVE-2022-32205.patch new file mode 100644 index 0000000..9d78480 --- /dev/null +++ b/0012-curl-7.82.0-CVE-2022-32205.patch 
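Review bot: The comment `/* allow no more than 5 "chained" compression steps */` on the new `MAX_ENCODE_STACK` macro does not match the check `if(++counter >= MAX_ENCODE_STACK)`, which rejects the response as soon as the fifth encoding is counted, so at most four steps are actually accepted; either the comment should say four or the comparison should be `>`. The test387 expectation `Reject response due to 5 content encodings` agrees with the code as written, so the comment is the part to correct. In the same `failf()` call `counter` is declared `int` but printed with `%u`; `%d` matches the declaration.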
@@ -0,0 +1,740 @@
+From 64ecb3818ca335ce79ef539e962ee5d02f6fb365 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 26 Jun 2022 11:00:48 +0200
+Subject: [PATCH 1/3] cookie: apply limits
+
+- Send no more than 150 cookies per request
+- Cap the max length used for a cookie: header to 8K
+- Cap the max number of received Set-Cookie: headers to 50
+
+Bug: https://curl.se/docs/CVE-2022-32205.html
+CVE-2022-32205
+Reported-by: Harry Sintonen
+Closes #9048
+
+Upstream-commit: 48d7064a49148f03942380967da739dcde1cdc24
+Signed-off-by: Kamil Dudka
+---
+ lib/cookie.c | 14 ++++++++++++--
+ lib/cookie.h | 21 +++++++++++++++++++--
+ lib/http.c | 13 +++++++++++--
+ lib/urldata.h | 1 +
+ 4 files changed, 43 insertions(+), 6 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 1b8c8f9..8a6aa1a 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -477,6 +477,10 @@ Curl_cookie_add(struct Curl_easy *data,
+ (void)data;
+ #endif
+
++ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
++ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
++ return NULL;
++
+ /* First, alloc and init a new struct for it */
+ co = calloc(1, sizeof(struct Cookie));
+ if(!co)
+@@ -816,7 +820,7 @@ Curl_cookie_add(struct Curl_easy *data,
+ freecookie(co);
+ return NULL;
+ }
+-
++ data->req.setcookies++;
+ }
+ else {
+ /*
+@@ -1354,7 +1358,8 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+ *
+ * It shall only return cookies that haven't expired.
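Review bot: The guard added at the top of Curl_cookie_add in the -477 hunk returns NULL for every caller once `data->req.setcookies` reaches MAX_SET_COOKIE_AMOUNT, while the increment added in the -816 hunk sits only in the branch that handles a parsed header line; the `else` branch visible at the end of that hunk passes through the same guard without ever counting. Nothing in this patch resets the counter, so whether it is zero when that other branch runs, or when a second request or redirect hop reuses the same handle, depends on SingleRequest being re-zeroed elsewhere, which the hunks do not show. If it is not, the cap becomes cumulative across transfers and non-header cookie lines can be rejected silently. A comment on the guard would pin the intended contract, e.g. `/* req.setcookies must be zeroed per request; only Set-Cookie: header lines are counted */`, and moving the check into the header branch next to the increment would remove the dependency altogether. Curl_cookie_add's body continues outside both hunks.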
+ */
+-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
++ struct CookieInfo *c,
+ const char *host, const char *path,
+ bool secure)
+ {
+@@ -1409,6 +1414,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+ mainco = newco;
+
+ matches++;
++ if(matches >= MAX_COOKIE_SEND_AMOUNT) {
++ infof(data, "Included max number of cookies (%u) in request!",
++ matches);
++ break;
++ }
+ }
+ else
+ goto fail;
+diff --git a/lib/cookie.h b/lib/cookie.h
+index 0ffe08e..7411980 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -81,10 +81,26 @@ struct CookieInfo {
+ */
+ #define MAX_COOKIE_LINE 5000
+
+-/* This is the maximum length of a cookie name or content we deal with: */
++/* Maximum length of an incoming cookie name or content we deal with. Longer
++ cookies are ignored. */
+ #define MAX_NAME 4096
+ #define MAX_NAME_TXT "4095"
+
++/* Maximum size for an outgoing cookie line libcurl will use in an http
++ request. This is the default maximum length used in some versions of Apache
++ httpd. */
++#define MAX_COOKIE_HEADER_LEN 8190
++
++/* Maximum number of cookies libcurl will send in a single request, even if
++ there might be more cookies that match. One reason to cap the number is to
++ keep the maximum HTTP request within the maximum allowed size. */
++#define MAX_COOKIE_SEND_AMOUNT 150
++
++/* Maximum number of Set-Cookie: lines accepted in a single response. If more
++ such header lines are received, they are ignored. This value must be less
++ than 256 since an unsigned char is used to count. */
++#define MAX_SET_COOKIE_AMOUNT 50
++
+ struct Curl_easy;
+ /*
+ * Add a cookie to the internal list of cookies.
The domain and path arguments
+@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
+ const char *domain, const char *path,
+ bool secure);
+
+-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host,
++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
++ struct CookieInfo *c, const char *host,
+ const char *path, bool secure);
+ void Curl_cookie_freelist(struct Cookie *cookies);
+ void Curl_cookie_clearall(struct CookieInfo *cookies);
+diff --git a/lib/http.c b/lib/http.c
+index 4433824..2c8b0c4 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2709,12 +2709,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn,
+ }
+
+ #if !defined(CURL_DISABLE_COOKIES)
++
+ CURLcode Curl_http_cookies(struct Curl_easy *data,
+ struct connectdata *conn,
+ struct dynbuf *r)
+ {
+ CURLcode result = CURLE_OK;
+ char *addcookies = NULL;
++ bool linecap = FALSE;
+ if(data->set.str[STRING_COOKIE] &&
+ !Curl_checkheaders(data, STRCONST("Cookie")))
+ addcookies = data->set.str[STRING_COOKIE];
+@@ -2732,7 +2734,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+ !strcmp(host, "127.0.0.1") ||
+ !strcmp(host, "[::1]") ?
TRUE : FALSE;
+ Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
+- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path,
++ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path,
+ secure_context);
+ Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
+ }
+@@ -2746,6 +2748,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+ if(result)
+ break;
+ }
++ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >=
++ MAX_COOKIE_HEADER_LEN) {
++ infof(data, "Restricted outgoing cookies due to header size, "
++ "'%s' not sent", co->name);
++ linecap = TRUE;
++ break;
++ }
+ result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"",
+ co->name, co->value);
+ if(result)
+@@ -2756,7 +2765,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+ }
+ Curl_cookie_freelist(store);
+ }
+- if(addcookies && !result) {
++ if(addcookies && !result && !linecap) {
+ if(!count)
+ result = Curl_dyn_addn(r, STRCONST("Cookie: "));
+ if(!result) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index e006495..54faf7d 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -707,6 +707,7 @@ struct SingleRequest {
+ #ifndef CURL_DISABLE_DOH
+ struct dohdata *doh; /* DoH specific data for this request */
+ #endif
++ unsigned char setcookies;
+ BIT(header); /* incoming data has HTTP header */
+ BIT(content_range); /* set TRUE if Content-Range: was found */
+ BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
+--
+2.35.3
+
+
+From 2aa646531df114b99d19b33071ff53cebbd689ce Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 26 Jun 2022 11:01:01 +0200
+Subject: [PATCH 2/3] test442/443: test cookie caps
+
+442 - verify that only 150 cookies are sent
+443 - verify that the cookie: header remains less than 8K in size
+
+Upstream-commit: ff2b2bcf687572d173688832f0913a43de1a2bf8
+Signed-off-by: Kamil Dudka
+---
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test442 | 209 ++++++++++++++++++++++++++++++++++++++++
+
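Review bot: The size check in the -2746 hunk measures `Curl_dyn_len(r)`, and since the `Cookie: ` prefix is appended into that same buffer it looks like `r` is the request being built rather than a cookie-only line, so the comparison against MAX_COOKIE_HEADER_LEN bounds everything accumulated so far, not the "outgoing cookie line" the cookie.h comment describes. The `+ 1` also covers only the `=`, not the `; ` that `Curl_dyn_addf` emits when `count` is non-zero, so the buffer can still reach MAX_COOKIE_HEADER_LEN + 1 before the loop stops. Both are harmless for a denial-of-service bound, but a comment would keep a later reader from "correcting" the arithmetic into something looser: `/* bounds the whole request buffer so far, not only the Cookie: line; off by the separator on purpose */`. Note as well that the `!linecap` condition in the -2756 hunk drops the application's own CURLOPT_COOKIE string with nothing but an infof trace once stored cookies hit the cap, which callers may not expect. Curl_http_cookies's body continues outside the hunk.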
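Review bot: `unsigned char setcookies;` in the -707 hunk is the one field in this stretch of struct SingleRequest with no trailing comment, and its 8-bit width is a hard constraint that cookie.c only enforces with a DEBUGASSERT. Suggest `unsigned char setcookies; /* Set-Cookie: headers accepted for this request; capped by MAX_SET_COOKIE_AMOUNT, which must stay below 256 */` so the coupling to cookie.h is visible where the field is declared. The struct's definition continues outside the hunk.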
tests/data/test443 | 78 +++++++++++++++ + 3 files changed, 288 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test442 + create mode 100644 tests/data/test443 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 9b5f4fb..fe04fee 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -72,7 +72,7 @@ test409 test410 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +-test440 test441 \ ++test440 test441 test442 test443 \ + \ + test490 test491 test492 test493 test494 \ + \ +diff --git a/tests/data/test442 b/tests/data/test442 +new file mode 100644 +index 0000000..1b00d20 +--- /dev/null ++++ b/tests/data/test442 +@@ -0,0 +1,209 @@ ++# perl: ++# ++# for(1 .. 151) { ++# print join("\t", ++# "attack.invalid", "TRUE", "/", "FALSE", "0", ++# "name$_", "could-be-large-$_")."\n"; ++# } ++# ++ ++ ++ ++HTTP ++cookies ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Send capped huge number of matching cookies ++ ++ ++http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -b log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP -L ++ ++ ++attack.invalid TRUE / FALSE 0 name1 could-be-large-1 ++attack.invalid TRUE / FALSE 0 name2 could-be-large-2 ++attack.invalid TRUE / FALSE 0 name3 could-be-large-3 ++attack.invalid TRUE / FALSE 0 name4 could-be-large-4 ++attack.invalid TRUE / FALSE 0 name5 could-be-large-5 ++attack.invalid TRUE / FALSE 0 name6 could-be-large-6 ++attack.invalid TRUE / FALSE 0 name7 could-be-large-7 ++attack.invalid TRUE / FALSE 0 name8 could-be-large-8 ++attack.invalid TRUE / FALSE 0 name9 could-be-large-9 ++attack.invalid TRUE / FALSE 0 name10 could-be-large-10 ++attack.invalid TRUE / FALSE 0 name11 could-be-large-11 ++attack.invalid TRUE / FALSE 0 name12 could-be-large-12 ++attack.invalid TRUE / FALSE 0 name13 could-be-large-13 
++attack.invalid TRUE / FALSE 0 name14 could-be-large-14 ++attack.invalid TRUE / FALSE 0 name15 could-be-large-15 ++attack.invalid TRUE / FALSE 0 name16 could-be-large-16 ++attack.invalid TRUE / FALSE 0 name17 could-be-large-17 ++attack.invalid TRUE / FALSE 0 name18 could-be-large-18 ++attack.invalid TRUE / FALSE 0 name19 could-be-large-19 ++attack.invalid TRUE / FALSE 0 name20 could-be-large-20 ++attack.invalid TRUE / FALSE 0 name21 could-be-large-21 ++attack.invalid TRUE / FALSE 0 name22 could-be-large-22 ++attack.invalid TRUE / FALSE 0 name23 could-be-large-23 ++attack.invalid TRUE / FALSE 0 name24 could-be-large-24 ++attack.invalid TRUE / FALSE 0 name25 could-be-large-25 ++attack.invalid TRUE / FALSE 0 name26 could-be-large-26 ++attack.invalid TRUE / FALSE 0 name27 could-be-large-27 ++attack.invalid TRUE / FALSE 0 name28 could-be-large-28 ++attack.invalid TRUE / FALSE 0 name29 could-be-large-29 ++attack.invalid TRUE / FALSE 0 name30 could-be-large-30 ++attack.invalid TRUE / FALSE 0 name31 could-be-large-31 ++attack.invalid TRUE / FALSE 0 name32 could-be-large-32 ++attack.invalid TRUE / FALSE 0 name33 could-be-large-33 ++attack.invalid TRUE / FALSE 0 name34 could-be-large-34 ++attack.invalid TRUE / FALSE 0 name35 could-be-large-35 ++attack.invalid TRUE / FALSE 0 name36 could-be-large-36 ++attack.invalid TRUE / FALSE 0 name37 could-be-large-37 ++attack.invalid TRUE / FALSE 0 name38 could-be-large-38 ++attack.invalid TRUE / FALSE 0 name39 could-be-large-39 ++attack.invalid TRUE / FALSE 0 name40 could-be-large-40 ++attack.invalid TRUE / FALSE 0 name41 could-be-large-41 ++attack.invalid TRUE / FALSE 0 name42 could-be-large-42 ++attack.invalid TRUE / FALSE 0 name43 could-be-large-43 ++attack.invalid TRUE / FALSE 0 name44 could-be-large-44 ++attack.invalid TRUE / FALSE 0 name45 could-be-large-45 ++attack.invalid TRUE / FALSE 0 name46 could-be-large-46 ++attack.invalid TRUE / FALSE 0 name47 could-be-large-47 ++attack.invalid TRUE / FALSE 0 name48 could-be-large-48 
++attack.invalid TRUE / FALSE 0 name49 could-be-large-49 ++attack.invalid TRUE / FALSE 0 name50 could-be-large-50 ++attack.invalid TRUE / FALSE 0 name51 could-be-large-51 ++attack.invalid TRUE / FALSE 0 name52 could-be-large-52 ++attack.invalid TRUE / FALSE 0 name53 could-be-large-53 ++attack.invalid TRUE / FALSE 0 name54 could-be-large-54 ++attack.invalid TRUE / FALSE 0 name55 could-be-large-55 ++attack.invalid TRUE / FALSE 0 name56 could-be-large-56 ++attack.invalid TRUE / FALSE 0 name57 could-be-large-57 ++attack.invalid TRUE / FALSE 0 name58 could-be-large-58 ++attack.invalid TRUE / FALSE 0 name59 could-be-large-59 ++attack.invalid TRUE / FALSE 0 name60 could-be-large-60 ++attack.invalid TRUE / FALSE 0 name61 could-be-large-61 ++attack.invalid TRUE / FALSE 0 name62 could-be-large-62 ++attack.invalid TRUE / FALSE 0 name63 could-be-large-63 ++attack.invalid TRUE / FALSE 0 name64 could-be-large-64 ++attack.invalid TRUE / FALSE 0 name65 could-be-large-65 ++attack.invalid TRUE / FALSE 0 name66 could-be-large-66 ++attack.invalid TRUE / FALSE 0 name67 could-be-large-67 ++attack.invalid TRUE / FALSE 0 name68 could-be-large-68 ++attack.invalid TRUE / FALSE 0 name69 could-be-large-69 ++attack.invalid TRUE / FALSE 0 name70 could-be-large-70 ++attack.invalid TRUE / FALSE 0 name71 could-be-large-71 ++attack.invalid TRUE / FALSE 0 name72 could-be-large-72 ++attack.invalid TRUE / FALSE 0 name73 could-be-large-73 ++attack.invalid TRUE / FALSE 0 name74 could-be-large-74 ++attack.invalid TRUE / FALSE 0 name75 could-be-large-75 ++attack.invalid TRUE / FALSE 0 name76 could-be-large-76 ++attack.invalid TRUE / FALSE 0 name77 could-be-large-77 ++attack.invalid TRUE / FALSE 0 name78 could-be-large-78 ++attack.invalid TRUE / FALSE 0 name79 could-be-large-79 ++attack.invalid TRUE / FALSE 0 name80 could-be-large-80 ++attack.invalid TRUE / FALSE 0 name81 could-be-large-81 ++attack.invalid TRUE / FALSE 0 name82 could-be-large-82 ++attack.invalid TRUE / FALSE 0 name83 could-be-large-83 
++attack.invalid TRUE / FALSE 0 name84 could-be-large-84 ++attack.invalid TRUE / FALSE 0 name85 could-be-large-85 ++attack.invalid TRUE / FALSE 0 name86 could-be-large-86 ++attack.invalid TRUE / FALSE 0 name87 could-be-large-87 ++attack.invalid TRUE / FALSE 0 name88 could-be-large-88 ++attack.invalid TRUE / FALSE 0 name89 could-be-large-89 ++attack.invalid TRUE / FALSE 0 name90 could-be-large-90 ++attack.invalid TRUE / FALSE 0 name91 could-be-large-91 ++attack.invalid TRUE / FALSE 0 name92 could-be-large-92 ++attack.invalid TRUE / FALSE 0 name93 could-be-large-93 ++attack.invalid TRUE / FALSE 0 name94 could-be-large-94 ++attack.invalid TRUE / FALSE 0 name95 could-be-large-95 ++attack.invalid TRUE / FALSE 0 name96 could-be-large-96 ++attack.invalid TRUE / FALSE 0 name97 could-be-large-97 ++attack.invalid TRUE / FALSE 0 name98 could-be-large-98 ++attack.invalid TRUE / FALSE 0 name99 could-be-large-99 ++attack.invalid TRUE / FALSE 0 name100 could-be-large-100 ++attack.invalid TRUE / FALSE 0 name101 could-be-large-101 ++attack.invalid TRUE / FALSE 0 name102 could-be-large-102 ++attack.invalid TRUE / FALSE 0 name103 could-be-large-103 ++attack.invalid TRUE / FALSE 0 name104 could-be-large-104 ++attack.invalid TRUE / FALSE 0 name105 could-be-large-105 ++attack.invalid TRUE / FALSE 0 name106 could-be-large-106 ++attack.invalid TRUE / FALSE 0 name107 could-be-large-107 ++attack.invalid TRUE / FALSE 0 name108 could-be-large-108 ++attack.invalid TRUE / FALSE 0 name109 could-be-large-109 ++attack.invalid TRUE / FALSE 0 name110 could-be-large-110 ++attack.invalid TRUE / FALSE 0 name111 could-be-large-111 ++attack.invalid TRUE / FALSE 0 name112 could-be-large-112 ++attack.invalid TRUE / FALSE 0 name113 could-be-large-113 ++attack.invalid TRUE / FALSE 0 name114 could-be-large-114 ++attack.invalid TRUE / FALSE 0 name115 could-be-large-115 ++attack.invalid TRUE / FALSE 0 name116 could-be-large-116 ++attack.invalid TRUE / FALSE 0 name117 could-be-large-117 ++attack.invalid TRUE / 
FALSE 0 name118 could-be-large-118 ++attack.invalid TRUE / FALSE 0 name119 could-be-large-119 ++attack.invalid TRUE / FALSE 0 name120 could-be-large-120 ++attack.invalid TRUE / FALSE 0 name121 could-be-large-121 ++attack.invalid TRUE / FALSE 0 name122 could-be-large-122 ++attack.invalid TRUE / FALSE 0 name123 could-be-large-123 ++attack.invalid TRUE / FALSE 0 name124 could-be-large-124 ++attack.invalid TRUE / FALSE 0 name125 could-be-large-125 ++attack.invalid TRUE / FALSE 0 name126 could-be-large-126 ++attack.invalid TRUE / FALSE 0 name127 could-be-large-127 ++attack.invalid TRUE / FALSE 0 name128 could-be-large-128 ++attack.invalid TRUE / FALSE 0 name129 could-be-large-129 ++attack.invalid TRUE / FALSE 0 name130 could-be-large-130 ++attack.invalid TRUE / FALSE 0 name131 could-be-large-131 ++attack.invalid TRUE / FALSE 0 name132 could-be-large-132 ++attack.invalid TRUE / FALSE 0 name133 could-be-large-133 ++attack.invalid TRUE / FALSE 0 name134 could-be-large-134 ++attack.invalid TRUE / FALSE 0 name135 could-be-large-135 ++attack.invalid TRUE / FALSE 0 name136 could-be-large-136 ++attack.invalid TRUE / FALSE 0 name137 could-be-large-137 ++attack.invalid TRUE / FALSE 0 name138 could-be-large-138 ++attack.invalid TRUE / FALSE 0 name139 could-be-large-139 ++attack.invalid TRUE / FALSE 0 name140 could-be-large-140 ++attack.invalid TRUE / FALSE 0 name141 could-be-large-141 ++attack.invalid TRUE / FALSE 0 name142 could-be-large-142 ++attack.invalid TRUE / FALSE 0 name143 could-be-large-143 ++attack.invalid TRUE / FALSE 0 name144 could-be-large-144 ++attack.invalid TRUE / FALSE 0 name145 could-be-large-145 ++attack.invalid TRUE / FALSE 0 name146 could-be-large-146 ++attack.invalid TRUE / FALSE 0 name147 could-be-large-147 ++attack.invalid TRUE / FALSE 0 name148 could-be-large-148 ++attack.invalid TRUE / FALSE 0 name149 could-be-large-149 ++attack.invalid TRUE / FALSE 0 name150 could-be-large-150 ++attack.invalid TRUE / FALSE 0 name151 could-be-large-151 ++ ++ ++ ++# ++# 
Verify data after the test has been "shot" ++ ++ ++GET /a/b/%TESTNUMBER HTTP/1.1 ++Host: attack.invalid:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++Cookie: name150=could-be-large-150; name149=could-be-large-149; name148=could-be-large-148; name147=could-be-large-147; name146=could-be-large-146; name145=could-be-large-145; name144=could-be-large-144; name143=could-be-large-143; name142=could-be-large-142; name141=could-be-large-141; name140=could-be-large-140; name139=could-be-large-139; name138=could-be-large-138; name137=could-be-large-137; name136=could-be-large-136; name135=could-be-large-135; name134=could-be-large-134; name133=could-be-large-133; name132=could-be-large-132; name131=could-be-large-131; name130=could-be-large-130; name129=could-be-large-129; name128=could-be-large-128; name127=could-be-large-127; name126=could-be-large-126; name125=could-be-large-125; name124=could-be-large-124; name123=could-be-large-123; name122=could-be-large-122; name121=could-be-large-121; name120=could-be-large-120; name119=could-be-large-119; name118=could-be-large-118; name117=could-be-large-117; name116=could-be-large-116; name115=could-be-large-115; name114=could-be-large-114; name113=could-be-large-113; name112=could-be-large-112; name111=could-be-large-111; name110=could-be-large-110; name109=could-be-large-109; name108=could-be-large-108; name107=could-be-large-107; name106=could-be-large-106; name105=could-be-large-105; name104=could-be-large-104; name103=could-be-large-103; name102=could-be-large-102; name101=could-be-large-101; name100=could-be-large-100; name99=could-be-large-99; name98=could-be-large-98; name97=could-be-large-97; name96=could-be-large-96; name95=could-be-large-95; name94=could-be-large-94; name93=could-be-large-93; name92=could-be-large-92; name91=could-be-large-91; name90=could-be-large-90; name89=could-be-large-89; name88=could-be-large-88; name87=could-be-large-87; name86=could-be-large-86; name85=could-be-large-85; 
name84=could-be-large-84; name83=could-be-large-83; name82=could-be-large-82; name81=could-be-large-81; name80=could-be-large-80; name79=could-be-large-79; name78=could-be-large-78; name77=could-be-large-77; name76=could-be-large-76; name75=could-be-large-75; name74=could-be-large-74; name73=could-be-large-73; name72=could-be-large-72; name71=could-be-large-71; name70=could-be-large-70; name69=could-be-large-69; name68=could-be-large-68; name67=could-be-large-67; name66=could-be-large-66; name65=could-be-large-65; name64=could-be-large-64; name63=could-be-large-63; name62=could-be-large-62; name61=could-be-large-61; name60=could-be-large-60; name59=could-be-large-59; name58=could-be-large-58; name57=could-be-large-57; name56=could-be-large-56; name55=could-be-large-55; name54=could-be-large-54; name53=could-be-large-53; name52=could-be-large-52; name51=could-be-large-51; name50=could-be-large-50; name49=could-be-large-49; name48=could-be-large-48; name47=could-be-large-47; name46=could-be-large-46; name45=could-be-large-45; name44=could-be-large-44; name43=could-be-large-43; name42=could-be-large-42; name41=could-be-large-41; name40=could-be-large-40; name39=could-be-large-39; name38=could-be-large-38; name37=could-be-large-37; name36=could-be-large-36; name35=could-be-large-35; name34=could-be-large-34; name33=could-be-large-33; name32=could-be-large-32; name31=could-be-large-31; name30=could-be-large-30; name29=could-be-large-29; name28=could-be-large-28; name27=could-be-large-27; name26=could-be-large-26; name25=could-be-large-25; name24=could-be-large-24; name23=could-be-large-23; name22=could-be-large-22; name21=could-be-large-21; name20=could-be-large-20; name19=could-be-large-19; name18=could-be-large-18; name17=could-be-large-17; name16=could-be-large-16; name15=could-be-large-15; name14=could-be-large-14; name13=could-be-large-13; name12=could-be-large-12; name11=could-be-large-11; name10=could-be-large-10; name9=could-be-large-9; name8=could-be-large-8; 
name7=could-be-large-7; name6=could-be-large-6; name5=could-be-large-5; name4=could-be-large-4; name3=could-be-large-3; name2=could-be-large-2; name1=could-be-large-1 ++ ++ ++ ++ +diff --git a/tests/data/test443 b/tests/data/test443 +new file mode 100644 +index 0000000..996b1d3 +--- /dev/null ++++ b/tests/data/test443 +@@ -0,0 +1,78 @@ ++# perl: ++# ++#for(1 .. 20) { ++# print join("\t", ++# "attack.invalid", "TRUE", "/", "FALSE", "0", ++# "huge-$_", ('a' x 500)."-$_")."\n"; ++#} ++# ++ ++ ++ ++HTTP ++cookies ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Cookie header in request no longer than 8K ++ ++ ++http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -b log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP -L ++ ++ ++attack.invalid TRUE / FALSE 0 huge-1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-1 ++attack.invalid TRUE / FALSE 0 huge-2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-2 ++attack.invalid TRUE / 
FALSE 0 huge-3 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-3 ++attack.invalid TRUE / FALSE 0 huge-4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-4 ++attack.invalid TRUE / FALSE 0 huge-5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-5 ++attack.invalid TRUE / FALSE 0 huge-6 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-6 ++attack.invalid TRUE / FALSE 0 huge-7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-7 ++attack.invalid TRUE / FALSE 0 huge-8 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-8 ++attack.invalid TRUE / FALSE 0 huge-9 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-9 ++attack.invalid TRUE / FALSE 0 huge-10 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-10 ++attack.invalid TRUE / FALSE 0 huge-11 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-11 ++attack.invalid TRUE / FALSE 0 huge-12 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-12 ++attack.invalid TRUE / FALSE 0 huge-13 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-13 ++attack.invalid TRUE / FALSE 0 huge-14 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-14 ++attack.invalid TRUE / FALSE 0 huge-15 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-15 ++attack.invalid TRUE / FALSE 0 huge-16 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-16 ++attack.invalid TRUE / FALSE 0 huge-17 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-17 ++attack.invalid TRUE / FALSE 0 huge-18 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-18 ++attack.invalid TRUE / FALSE 0 huge-19 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-19 ++attack.invalid TRUE / FALSE 0 huge-20 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-20 ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /a/b/%TESTNUMBER HTTP/1.1 ++Host: attack.invalid:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++Cookie: 
huge-20=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-20; huge-19=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-19; huge-18=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-18; 
huge-17=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-17; huge-16=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-16; huge-15=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-15; 
huge-14=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-14; huge-13=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-13; huge-12=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-12; 
huge-11=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-11; huge-10=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-10; huge-9=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-9; 
huge-8=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-8; huge-7=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-7; huge-6=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-6 ++ ++ ++ ++ +-- +2.35.3 + + +From a09261fa4976562735320e4e953ca4f4c81ec452 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 26 Jun 2022 11:01:01 +0200 +Subject: [PATCH 3/3] test444: test many received Set-Cookie: + +The amount of sent cookies in the test is limited to 80 because hyper +has its own strict limits in how many headers it allows to be received +which triggers at some point beyond this number. 
+ +Upstream-commit: 46f8911d3942dc06fdd67e9f6f3908982e5d2fb4 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test444 | 189 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 190 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test444 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index fe04fee..c38f2d2 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -72,7 +72,7 @@ test409 test410 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +-test440 test441 test442 test443 \ ++test440 test441 test442 test443 test444 \ + \ + test490 test491 test492 test493 test494 \ + \ +diff --git a/tests/data/test444 b/tests/data/test444 +new file mode 100644 +index 0000000..9bdd4a7 +--- /dev/null ++++ b/tests/data/test444 +@@ -0,0 +1,189 @@ ++# perl: ++# ++#for(1 .. 200) { ++# ++#} ++# ++ ++ ++ ++HTTP ++cookies ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++Set-Cookie: cookie-1=yes; ++Set-Cookie: cookie-2=yes; ++Set-Cookie: cookie-3=yes; ++Set-Cookie: cookie-4=yes; ++Set-Cookie: cookie-5=yes; ++Set-Cookie: cookie-6=yes; ++Set-Cookie: cookie-7=yes; ++Set-Cookie: cookie-8=yes; ++Set-Cookie: cookie-9=yes; ++Set-Cookie: cookie-10=yes; ++Set-Cookie: cookie-11=yes; ++Set-Cookie: cookie-12=yes; ++Set-Cookie: cookie-13=yes; ++Set-Cookie: cookie-14=yes; ++Set-Cookie: cookie-15=yes; ++Set-Cookie: cookie-16=yes; ++Set-Cookie: cookie-17=yes; ++Set-Cookie: cookie-18=yes; ++Set-Cookie: cookie-19=yes; ++Set-Cookie: cookie-20=yes; ++Set-Cookie: cookie-21=yes; ++Set-Cookie: cookie-22=yes; ++Set-Cookie: cookie-23=yes; ++Set-Cookie: cookie-24=yes; ++Set-Cookie: cookie-25=yes; ++Set-Cookie: cookie-26=yes; ++Set-Cookie: cookie-27=yes; ++Set-Cookie: cookie-28=yes; ++Set-Cookie: cookie-29=yes; ++Set-Cookie: cookie-30=yes; ++Set-Cookie: cookie-31=yes; ++Set-Cookie: cookie-32=yes; ++Set-Cookie: 
cookie-33=yes; ++Set-Cookie: cookie-34=yes; ++Set-Cookie: cookie-35=yes; ++Set-Cookie: cookie-36=yes; ++Set-Cookie: cookie-37=yes; ++Set-Cookie: cookie-38=yes; ++Set-Cookie: cookie-39=yes; ++Set-Cookie: cookie-40=yes; ++Set-Cookie: cookie-41=yes; ++Set-Cookie: cookie-42=yes; ++Set-Cookie: cookie-43=yes; ++Set-Cookie: cookie-44=yes; ++Set-Cookie: cookie-45=yes; ++Set-Cookie: cookie-46=yes; ++Set-Cookie: cookie-47=yes; ++Set-Cookie: cookie-48=yes; ++Set-Cookie: cookie-49=yes; ++Set-Cookie: cookie-50=yes; ++Set-Cookie: cookie-51=yes; ++Set-Cookie: cookie-52=yes; ++Set-Cookie: cookie-53=yes; ++Set-Cookie: cookie-54=yes; ++Set-Cookie: cookie-55=yes; ++Set-Cookie: cookie-56=yes; ++Set-Cookie: cookie-57=yes; ++Set-Cookie: cookie-58=yes; ++Set-Cookie: cookie-59=yes; ++Set-Cookie: cookie-60=yes; ++Set-Cookie: cookie-61=yes; ++Set-Cookie: cookie-62=yes; ++Set-Cookie: cookie-63=yes; ++Set-Cookie: cookie-64=yes; ++Set-Cookie: cookie-65=yes; ++Set-Cookie: cookie-66=yes; ++Set-Cookie: cookie-67=yes; ++Set-Cookie: cookie-68=yes; ++Set-Cookie: cookie-69=yes; ++Set-Cookie: cookie-70=yes; ++Set-Cookie: cookie-71=yes; ++Set-Cookie: cookie-72=yes; ++Set-Cookie: cookie-73=yes; ++Set-Cookie: cookie-74=yes; ++Set-Cookie: cookie-75=yes; ++Set-Cookie: cookie-76=yes; ++Set-Cookie: cookie-77=yes; ++Set-Cookie: cookie-78=yes; ++Set-Cookie: cookie-79=yes; ++Set-Cookie: cookie-80=yes; ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Many Set-Cookie response headers ++ ++ ++http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -c log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /a/b/%TESTNUMBER HTTP/1.1 ++Host: attack.invalid:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# Netscape HTTP Cookie File ++# https://curl.se/docs/http-cookies.html ++# This file was generated by libcurl! Edit at your own risk. 
++ ++attack.invalid FALSE /a/b/ FALSE 0 cookie-50 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-49 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-48 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-47 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-46 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-45 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-44 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-43 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-42 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-41 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-40 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-39 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-38 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-37 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-36 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-35 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-34 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-33 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-32 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-31 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-30 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-29 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-28 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-27 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-26 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-25 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-24 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-23 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-22 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-21 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-20 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-19 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-18 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-17 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-16 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-15 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-14 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-13 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-12 yes 
++attack.invalid FALSE /a/b/ FALSE 0 cookie-11 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-10 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-9 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-8 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-7 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-6 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-5 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-4 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-3 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-2 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-1 yes ++ ++ ++ +-- +2.35.3 + diff --git a/curl.spec b/curl.spec index 78042fa..f6847df 100644 --- a/curl.spec +++ b/curl.spec @@ -43,6 +43,9 @@ Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch # fix HTTP compression denial of service (CVE-2022-32206) Patch11: 0011-curl-7.82.0-CVE-2022-32206.patch +# fix Set-Cookie denial of service (CVE-2022-32205) +Patch12: 0012-curl-7.82.0-CVE-2022-32205.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -228,6 +231,7 @@ be installed. %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 # Fedora patches %patch101 -p1 @@ -456,6 +460,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Jun 29 2022 Kamil Dudka - 7.82.0-6 +- fix Set-Cookie denial of service (CVE-2022-32205) - fix HTTP compression denial of service (CVE-2022-32206) - fix FTP-KRB bad message verification (CVE-2022-32208) From 9b0815299880833dcc0442aec54511055927710b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 29 Jun 2022 11:06:56 +0200 Subject: [PATCH 16/34] Resolves: CVE-2022-32207 - fix unpreserved file permissions --- 0013-curl-7.82.0-CVE-2022-32207.patch | 428 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 433 insertions(+) create mode 100644 0013-curl-7.82.0-CVE-2022-32207.patch diff --git a/0013-curl-7.82.0-CVE-2022-32207.patch b/0013-curl-7.82.0-CVE-2022-32207.patch new file mode 100644 index 0000000..4f825a9 --- /dev/null 
+++ b/0013-curl-7.82.0-CVE-2022-32207.patch 
@@ -0,0 +1,428 @@ +From 36b47377c2d1a8d141d1ef810102748f27384f5c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files + +Bug: https://curl.se/docs/CVE-2022-32207.html +CVE-2022-32207 +Reported-by: Harry Sintonen +Closes #9050 + +Upstream-commit: 20f9dd6bae50b7223171b17ba7798946e74f877f +Signed-off-by: Kamil Dudka +--- + CMakeLists.txt | 1 + + configure.ac | 1 + + lib/Makefile.inc | 2 + + lib/cookie.c | 19 ++----- + lib/curl_config.h.cmake | 3 ++ + lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++ + lib/fopen.h | 30 +++++++++++ + 7 files changed, 154 insertions(+), 15 deletions(-) + create mode 100644 lib/fopen.c + create mode 100644 lib/fopen.h + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index b77de6d..a0bfaad 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -1027,6 +1027,7 @@ elseif(HAVE_LIBSOCKET) + set(CMAKE_REQUIRED_LIBRARIES socket) + endif() + ++check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD) + check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME) + check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET) + check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT) +diff --git a/configure.ac b/configure.ac +index d431870..7433bb9 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3351,6 +3351,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se + + + AC_CHECK_FUNCS([fnmatch \ ++ fchmod \ + geteuid \ + getpass_r \ + getppid \ +diff --git a/lib/Makefile.inc b/lib/Makefile.inc +index e8f110f..5139b03 100644 +--- a/lib/Makefile.inc ++++ b/lib/Makefile.inc +@@ -133,6 +133,7 @@ LIB_CFILES = \ + escape.c \ + file.c \ + fileinfo.c \ ++ fopen.c \ + formdata.c \ + ftp.c \ + ftplistparser.c \ +@@ -263,6 +264,7 @@ LIB_HFILES = \ + escape.h \ + file.h \ + fileinfo.h \ ++ fopen.h \ + formdata.h \ + ftp.h \ + ftplistparser.h \ +diff --git a/lib/cookie.c b/lib/cookie.c +index 
8a6aa1a..cb0c03b 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -96,8 +96,8 @@ Example set of cookies: + #include "curl_get_line.h" + #include "curl_memrchr.h" + #include "parsedate.h" +-#include "rand.h" + #include "rename.h" ++#include "fopen.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -1620,20 +1620,9 @@ static CURLcode cookie_output(struct Curl_easy *data, + use_stdout = TRUE; + } + else { +- unsigned char randsuffix[9]; +- +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return 2; +- +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) { +- error = CURLE_WRITE_ERROR; ++ error = Curl_fopen(data, filename, &out, &tempstore); ++ if(error) + goto error; +- } + } + + fputs("# Netscape HTTP Cookie File\n" +@@ -1680,7 +1669,7 @@ static CURLcode cookie_output(struct Curl_easy *data, + if(!use_stdout) { + fclose(out); + out = NULL; +- if(Curl_rename(tempstore, filename)) { ++ if(tempstore && Curl_rename(tempstore, filename)) { + unlink(tempstore); + error = CURLE_WRITE_ERROR; + goto error; +diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake +index d2a0f43..c254359 100644 +--- a/lib/curl_config.h.cmake ++++ b/lib/curl_config.h.cmake +@@ -157,6 +157,9 @@ + /* Define to 1 if you have the header file. */ + #cmakedefine HAVE_ASSERT_H 1 + ++/* Define to 1 if you have the `fchmod' function. */ ++#cmakedefine HAVE_FCHMOD 1 ++ + /* Define to 1 if you have the `basename' function. 
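Review bot: On the new-side line `if(tempstore && Curl_rename(tempstore, filename))` the rename goes ahead even when the `fclose(out)` just above it failed, because its return value is discarded; a buffered write that only surfaces at close time (ENOSPC, EIO) would then atomically replace a good cookie jar with a truncated temp file. Capturing the close result and treating it like a rename failure closes that gap, and the unlink needs the same `tempstore` guard because the Curl_fopen() fallback leaves tempstore NULL. cookie_output() starts before this hunk and its `error:` label comes after it, so I cannot see whether that label also removes the temp file.

```c
  if(!use_stdout) {
    int rc = fclose(out);
    out = NULL;
    if(rc || (tempstore && Curl_rename(tempstore, filename))) {
      if(tempstore)
        unlink(tempstore);
      error = CURLE_WRITE_ERROR;
      goto error;
```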
 */
+ #cmakedefine HAVE_BASENAME 1
+ 
+diff --git a/lib/fopen.c b/lib/fopen.c
+new file mode 100644
+index 0000000..ad3691b
+--- /dev/null
++++ b/lib/fopen.c
+@@ -0,0 +1,113 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "curl_setup.h"
++
++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \
++ !defined(CURL_DISABLE_HSTS)
++
++#ifdef HAVE_FCNTL_H
++#include
++#endif
++
++#include "urldata.h"
++#include "rand.h"
++#include "fopen.h"
++/* The last 3 #include files should be in this order */
++#include "curl_printf.h"
++#include "curl_memory.h"
++#include "memdebug.h"
++
++/*
++ * Curl_fopen() opens a file for writing with a temp name, to be renamed
++ * to the final name when completed. If there is an existing file using this
++ * name at the time of the open, this function will clone the mode from that
++ * file. if 'tempname' is non-NULL, it needs a rename after the file is
++ * written.
++ */
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++ FILE **fh, char **tempname)
++{
++ CURLcode result = CURLE_WRITE_ERROR;
++ unsigned char randsuffix[9];
++ char *tempstore = NULL;
++ struct_stat sb;
++ int fd = -1;
++ *tempname = NULL;
++
++ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
++ /* a non-regular file, fallback to direct fopen() */
++ *fh = fopen(filename, FOPEN_WRITETEXT);
++ if(*fh)
++ return CURLE_OK;
++ goto fail;
++ }
++
++ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
++ if(result)
++ goto fail;
++
++ tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
++ if(!tempstore) {
++ result = CURLE_OUT_OF_MEMORY;
++ goto fail;
++ }
++
++ result = CURLE_WRITE_ERROR;
++ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
++ if(fd == -1)
++ goto fail;
++
++#ifdef HAVE_FCHMOD
++ {
++ struct_stat nsb;
++ if((fstat(fd, &nsb) != -1) &&
++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
++ /* if the user and group are the same, clone the original mode */
++ if(fchmod(fd, sb.st_mode) == -1)
++ goto fail;
++ }
++ }
++#endif
++
++ *fh = fdopen(fd, FOPEN_WRITETEXT);
++ if(!*fh)
++ goto fail;
++
++ *tempname = tempstore;
++ return CURLE_OK;
++
++fail:
++ if(fd != -1) {
++ close(fd);
++ unlink(tempstore);
++ }
++
++ free(tempstore);
++
++ *tempname = NULL;
++ return result;
++}
++
++#endif /* ! disabled */
+diff --git a/lib/fopen.h b/lib/fopen.h
+new file mode 100644
+index 0000000..289e55f
+--- /dev/null
++++ b/lib/fopen.h
+@@ -0,0 +1,30 @@
++#ifndef HEADER_CURL_FOPEN_H
++#define HEADER_CURL_FOPEN_H
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution.
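Review bot: The fallback branch `if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode))` also triggers when the target does not exist yet, since any stat() failure including ENOENT lands there, so a brand-new cookie jar, alt-svc or HSTS file is created by a plain `fopen()` with umask-dependent permissions and without the O_EXCL 0600 temp file plus rename that the regular-file path gets; given that these files carry session cookies, treating ENOENT as the temp-file case and reserving the direct fopen() for an existing non-regular file (or a path that cannot be stat'ed for another reason) looks worthwhile. Separately, `fchmod(fd, sb.st_mode)` passes the complete st_mode rather than just the permission bits; masking with 07777 states the intent instead of relying on fchmod() ignoring the file-type bits. Both changes are sketched below; they assume errno is reachable through curl_setup.h and that `bool` is available as it is elsewhere in lib/, which this new file does not show.

```c
  struct_stat sb;
  bool have_sb = (stat(filename, &sb) != -1);
  /* … unchanged: other locals, *tempname = NULL … */
  if(have_sb ? !S_ISREG(sb.st_mode) : (errno != ENOENT)) {
    /* an existing non-regular file, or a path we cannot stat at all:
       fall back to direct fopen() */
    *fh = fopen(filename, FOPEN_WRITETEXT);
    if(*fh)
      return CURLE_OK;
    goto fail;
  }
  /* … unchanged: random suffix, aprintf(), open(O_EXCL, 0600) … */
#ifdef HAVE_FCHMOD
  if(have_sb) {
    struct_stat nsb;
    if((fstat(fd, &nsb) != -1) &&
       (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
      /* same owner and group: clone the permission bits only */
      if(fchmod(fd, sb.st_mode & 07777) == -1)
        goto fail;
    }
  }
#endif
```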
The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname); ++ ++#endif +-- +2.35.3 + + +From bd7af48238b058e9b46fdf2e1333b355920c341c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH 2/3] altsvc: use Curl_fopen() + +Upstream-commit: fab970a5d19c1faa2052239ec1e2602b892cbeb2 +Signed-off-by: Kamil Dudka +--- + lib/altsvc.c | 22 ++++++---------------- + 1 file changed, 6 insertions(+), 16 deletions(-) + +diff --git a/lib/altsvc.c b/lib/altsvc.c +index 242733b..4dc4078 100644 +--- a/lib/altsvc.c ++++ b/lib/altsvc.c +@@ -34,7 +34,7 @@ + #include "parsedate.h" + #include "sendf.h" + #include "warnless.h" +-#include "rand.h" ++#include "fopen.h" + #include "rename.h" + + /* The last 3 #include files should be in this order */ +@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, + struct Curl_llist_element *n; + CURLcode result = CURLE_OK; + FILE *out; +- char *tempstore; +- unsigned char randsuffix[9]; ++ char *tempstore = NULL; + + if(!altsvc) + /* no cache activated */ +@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, + /* marked as read-only, no file or zero length file name */ + return CURLE_OK; + +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return CURLE_FAILED_INIT; +- +- tempstore = aprintf("%s.%s.tmp", file, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = 
fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) +- result = CURLE_WRITE_ERROR; +- else { ++ result = Curl_fopen(data, file, &out, &tempstore); ++ if(!result) { + fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n" + "# This file was generated by libcurl! Edit at your own risk.\n", + out); +@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, + break; + } + fclose(out); +- if(!result && Curl_rename(tempstore, file)) ++ if(!result && tempstore && Curl_rename(tempstore, file)) + result = CURLE_WRITE_ERROR; + +- if(result) ++ if(result && tempstore) + unlink(tempstore); + } + free(tempstore); +-- +2.35.3 + + +From 2011622a36fa715f38277422241e77e25dfdf0d0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:54 +0200 +Subject: [PATCH 3/3] hsts: use Curl_fopen() + +Upstream-commit: d64115d7bb8ae4c136b620912da523c063f1d2ee +Signed-off-by: Kamil Dudka +--- + lib/hsts.c | 22 ++++++---------------- + 1 file changed, 6 insertions(+), 16 deletions(-) + +diff --git a/lib/hsts.c b/lib/hsts.c +index b9fa6f7..9d54c82 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -35,7 +35,7 @@ + #include "sendf.h" + #include "strtoofft.h" + #include "parsedate.h" +-#include "rand.h" ++#include "fopen.h" + #include "rename.h" + #include "strtoofft.h" + +@@ -354,8 +354,7 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, + struct Curl_llist_element *n; + CURLcode result = CURLE_OK; + FILE *out; +- char *tempstore; +- unsigned char randsuffix[9]; ++ char *tempstore = NULL; + + if(!h) + /* no cache activated */ +@@ -369,17 +368,8 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, + /* marked as read-only, no file or zero length file name */ + goto skipsave; + +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return CURLE_FAILED_INIT; +- +- tempstore = aprintf("%s.%s.tmp", file, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) +- 
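Review bot: The rename decision `if(!result && tempstore && Curl_rename(tempstore, file))` does not take the outcome of the `fclose(out)` directly above it into account, so a flush error at close time (ENOSPC, EIO) lets a truncated temp file be renamed over the existing alt-svc cache; the `if(result && tempstore) unlink(tempstore);` already in the hunk handles cleanup once result is set. Changing the close to `if(fclose(out)) result = CURLE_WRITE_ERROR;` is enough here. The hsts.c hunk in the same patch has the identical shape and would want the same change. Curl_altsvc_save() starts before this hunk.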
result = CURLE_WRITE_ERROR; +- else { ++ result = Curl_fopen(data, file, &out, &tempstore); ++ if(!result) { + fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n" + "# This file was generated by libcurl! Edit at your own risk.\n", + out); +@@ -391,10 +381,10 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, + break; + } + fclose(out); +- if(!result && Curl_rename(tempstore, file)) ++ if(!result && tempstore && Curl_rename(tempstore, file)) + result = CURLE_WRITE_ERROR; + +- if(result) ++ if(result && tempstore) + unlink(tempstore); + } + free(tempstore); +-- +2.35.3 + diff --git a/curl.spec b/curl.spec index f6847df..38436c2 100644 --- a/curl.spec +++ b/curl.spec @@ -46,6 +46,9 @@ Patch11: 0011-curl-7.82.0-CVE-2022-32206.patch # fix Set-Cookie denial of service (CVE-2022-32205) Patch12: 0012-curl-7.82.0-CVE-2022-32205.patch +# fix unpreserved file permissions (CVE-2022-32207) +Patch13: 0013-curl-7.82.0-CVE-2022-32207.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -232,6 +235,7 @@ be installed. %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 # Fedora patches %patch101 -p1 @@ -460,6 +464,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Jun 29 2022 Kamil Dudka - 7.82.0-6 +- fix unpreserved file permissions (CVE-2022-32207) - fix Set-Cookie denial of service (CVE-2022-32205) - fix HTTP compression denial of service (CVE-2022-32206) - fix FTP-KRB bad message verification (CVE-2022-32208) From f5e50137446cf90d988516e738df49c708e18e48 Mon Sep 17 00:00:00 2001 
From: Kamil Dudka Date: Mon, 18 Jul 2022 12:16:31 +0200 Subject: [PATCH 17/34] fix build failure with gnutls backend enabled Although Fedora curl packages are compiled with OpenSSL backend, some developers rebuild them with gnutls backend in their own COPRs. This commit makes the source code compile again with gnutls while it does not affect the official Fedora (binary) RPMs. --- 0009-curl-7.82.0-CVE-2022-27782.patch | 180 ++++++++++++++++++++++++-- curl.spec | 5 +- 2 files changed, 173 insertions(+), 12 deletions(-) diff --git a/0009-curl-7.82.0-CVE-2022-27782.patch b/0009-curl-7.82.0-CVE-2022-27782.patch index 0c9d21c..b6b55d2 100644 --- a/0009-curl-7.82.0-CVE-2022-27782.patch +++ b/0009-curl-7.82.0-CVE-2022-27782.patch 
@@ -1,7 +1,131 @@ +From 505c04ea93c3db64747e0f776c531e5d63a5acfe Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Thu, 17 Mar 2022 15:31:10 -0400 +Subject: [PATCH 1/3] gtls: fix build for disabled TLS-SRP + +Prior to this change if, at build time, the GnuTLS backend was found to +have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl +via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur. + +Bug: https://curl.se/mail/lib-2022-03/0046.html +Reported-by: Robert Brose + +Closes https://github.com/curl/curl/pull/8604 + +Upstream-commit: 8b1cae63b77ecfbdb372b5fafb0eb4c273ec887a +Signed-off-by: Kamil Dudka +--- + lib/vtls/gtls.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 5749376..bc8ef68 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -55,6 +55,14 @@ + /* The last #include file should be: */ + #include "memdebug.h" + ++#ifdef HAVE_GNUTLS_SRP ++/* the function exists */ ++#ifdef USE_TLS_SRP ++/* the functionality is not disabled */ ++#define USE_GNUTLS_SRP ++#endif ++#endif ++ + /* Enable GnuTLS debugging by defining GTLSDEBUG */ + /*#define GTLSDEBUG */ + +@@ -75,7 +83,7 @@ static bool gtls_inited = FALSE; + struct ssl_backend_data { + gnutls_session_t session; + gnutls_certificate_credentials_t cred; +-#ifdef HAVE_GNUTLS_SRP ++#ifdef USE_GNUTLS_SRP + gnutls_srp_client_credentials_t srp_client_cred; + #endif + }; +@@ -436,7 +444,7 @@ gtls_connect_step1(struct Curl_easy *data, + return CURLE_SSL_CONNECT_ERROR; + } + +-#ifdef HAVE_GNUTLS_SRP ++#ifdef USE_GNUTLS_SRP + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { + infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); + +@@ -587,7 +595,7 @@ gtls_connect_step1(struct Curl_easy *data, + if(result) + return result; + +-#ifdef HAVE_GNUTLS_SRP ++#ifdef USE_GNUTLS_SRP + /* Only add SRP to the cipher list if SRP is requested. Otherwise + * GnuTLS will disable TLS 1.3 support. 
*/ + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { +@@ -609,7 +617,7 @@ gtls_connect_step1(struct Curl_easy *data, + #endif + infof(data, "GnuTLS ciphers: %s", prioritylist); + rc = gnutls_priority_set_direct(session, prioritylist, &err); +-#ifdef HAVE_GNUTLS_SRP ++#ifdef USE_GNUTLS_SRP + } + #endif + +@@ -683,7 +691,7 @@ gtls_connect_step1(struct Curl_easy *data, + } + } + +-#ifdef HAVE_GNUTLS_SRP ++#ifdef USE_GNUTLS_SRP + /* put the credentials to the current session */ + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { + rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, +@@ -866,7 +874,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + if(SSL_CONN_CONFIG(verifypeer) || + SSL_CONN_CONFIG(verifyhost) || + SSL_CONN_CONFIG(issuercert)) { +-#ifdef HAVE_GNUTLS_SRP ++#ifdef USE_GNUTLS_SRP + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(username) != NULL + && !SSL_CONN_CONFIG(verifypeer) +@@ -879,7 +887,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + failf(data, "failed to get server cert"); + *certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND; + return CURLE_PEER_FAILED_VERIFICATION; +-#ifdef HAVE_GNUTLS_SRP ++#ifdef USE_GNUTLS_SRP + } + #endif + } +@@ -1469,7 +1477,7 @@ static void close_one(struct ssl_connect_data *connssl) + gnutls_certificate_free_credentials(backend->cred); + backend->cred = NULL; + } +-#ifdef HAVE_GNUTLS_SRP ++#ifdef USE_GNUTLS_SRP + if(backend->srp_client_cred) { + gnutls_srp_free_client_credentials(backend->srp_client_cred); + backend->srp_client_cred = NULL; +@@ -1555,7 +1563,7 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, + } + gnutls_certificate_free_credentials(backend->cred); + +-#ifdef HAVE_GNUTLS_SRP ++#ifdef USE_GNUTLS_SRP + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(username) != NULL) + gnutls_srp_free_client_credentials(backend->srp_client_cred); +-- +2.35.3 + + From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001 
From: Daniel Stenberg Date: Mon, 9 May 2022 23:13:53 +0200 -Subject: [PATCH 1/2] tls: check more TLS details for connection reuse +Subject: [PATCH 2/3] tls: check more TLS details for connection reuse CVE-2022-27782 @@ -15,12 +139,12 @@ Signed-off-by: Kamil Dudka lib/setopt.c | 29 +++++++++++++++++------------ lib/url.c | 23 ++++++++++++++++------- lib/urldata.h | 13 +++++++------ - lib/vtls/gtls.c | 19 ++++++++++--------- + lib/vtls/gtls.c | 32 +++++++++++++++++--------------- lib/vtls/mbedtls.c | 2 +- lib/vtls/nss.c | 6 +++--- lib/vtls/openssl.c | 10 +++++----- lib/vtls/vtls.c | 21 +++++++++++++++++++++ - 8 files changed, 80 insertions(+), 43 deletions(-) + 8 files changed, 87 insertions(+), 49 deletions(-) diff --git a/lib/setopt.c b/lib/setopt.c index 8e1bf12..7aa6fdb 100644 @@ -220,7 +344,19 @@ diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 5749376..ec6be16 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c -@@ -449,8 +449,8 @@ gtls_connect_step1(struct Curl_easy *data, +@@ -445,8 +445,9 @@ gtls_connect_step1(struct Curl_easy *data, + } + + #ifdef USE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { +- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { ++ infof(data, "Using TLS-SRP username: %s", ++ SSL_SET_OPTION(primary.username)); + + rc = gnutls_srp_allocate_client_credentials( + &backend->srp_client_cred); +@@ -457,8 +458,8 @@ gtls_connect_step1(struct Curl_easy *data, } rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, @@ -231,7 +367,7 @@ index 5749376..ec6be16 100644 if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_srp_set_client_cred() failed: %s", gnutls_strerror(rc)); -@@ -507,19 +507,19 @@ gtls_connect_step1(struct Curl_easy *data, +@@ -515,19 +516,19 @@ gtls_connect_step1(struct Curl_easy *data, } #endif 
@@ -255,8 +391,8 @@ index 5749376..ec6be16 100644 } /* Initialize TLS session as a client */ -@@ -590,7 +590,7 @@ gtls_connect_step1(struct Curl_easy *data, - #ifdef HAVE_GNUTLS_SRP +@@ -598,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data, + #ifdef USE_GNUTLS_SRP /* Only add SRP to the cipher list if SRP is requested. Otherwise * GnuTLS will disable TLS 1.3 support. */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { @@ -264,16 +400,27 @@ index 5749376..ec6be16 100644 size_t len = strlen(prioritylist); char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); -@@ -685,7 +685,7 @@ gtls_connect_step1(struct Curl_easy *data, +@@ -693,7 +694,7 @@ gtls_connect_step1(struct Curl_easy *data, - #ifdef HAVE_GNUTLS_SRP + #ifdef USE_GNUTLS_SRP /* put the credentials to the current session */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, backend->srp_client_cred); if(rc != GNUTLS_E_SUCCESS) { -@@ -926,7 +926,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, +@@ -875,8 +876,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + SSL_CONN_CONFIG(verifyhost) || + SSL_CONN_CONFIG(issuercert)) { + #ifdef USE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL + && !SSL_CONN_CONFIG(verifypeer) + && gnutls_cipher_get(session)) { + /* no peer cert, but auth is ok if we have SRP user and cipher and no +@@ -934,7 +935,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, failf(data, "server certificate verification failed. CAfile: %s " "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): "none", 
@@ -283,6 +430,17 @@ index 5749376..ec6be16 100644 return CURLE_PEER_FAILED_VERIFICATION; } else +@@ -1564,8 +1566,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, + gnutls_certificate_free_credentials(backend->cred); + + #ifdef USE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL) ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL) + gnutls_srp_free_client_credentials(backend->srp_client_cred); + #endif + diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index b9fd26a..bd4ad8f 100644 --- a/lib/vtls/mbedtls.c @@ -428,7 +586,7 @@ index a40ac06..e2d3438 100644 From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 May 2022 23:13:53 +0200 -Subject: [PATCH 2/2] url: check SSH config match on connection reuse +Subject: [PATCH 3/3] url: check SSH config match on connection reuse CVE-2022-27782 diff --git a/curl.spec b/curl.spec index 38436c2..4af70aa 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -463,6 +463,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jul 18 2022 Kamil Dudka - 7.82.0-7 +- fix build failure with gnutls backend enabled + * Wed Jun 29 2022 Kamil Dudka - 7.82.0-6 - fix unpreserved file permissions (CVE-2022-32207) - fix Set-Cookie denial of service (CVE-2022-32205) From 0bb496969f7142817d923d787f3f8c64ac924db4 Mon Sep 17 00:00:00 2001 
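Review bot: In the gtls_shutdown hunk the SRP credentials are freed based on `primary.authtype`/`primary.username` and `backend->srp_client_cred` is left pointing at freed memory, whereas close_one, visible earlier in this same commit, frees on `if(backend->srp_client_cred)` and then resets the pointer to NULL. If both teardown paths can run on one connection (not decidable from this hunk), the pointer-based form avoids a double free; mirroring close_one here — `if(backend->srp_client_cred) { gnutls_srp_free_client_credentials(backend->srp_client_cred); backend->srp_client_cred = NULL; }` — costs nothing and keeps the two paths consistent. This is pre-existing behaviour that the rename to `primary.*` only carries forward, and gtls_shutdown's body continues outside the hunk.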
From: Kamil Dudka Date: Fri, 2 Sep 2022 10:35:00 +0200 Subject: [PATCH 18/34] Resolves: CVE-2022-35252 - control code in cookie denial of service --- 0014-curl-7.82.0-CVE-2022-35252.patch | 136 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 144 insertions(+), 1 deletion(-) create mode 100644 0014-curl-7.82.0-CVE-2022-35252.patch diff --git a/0014-curl-7.82.0-CVE-2022-35252.patch b/0014-curl-7.82.0-CVE-2022-35252.patch new file mode 100644 index 0000000..b9d599b --- /dev/null +++ b/0014-curl-7.82.0-CVE-2022-35252.patch 
@@ -0,0 +1,136 @@ +From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH 1/2] cookie: reject cookies with "control bytes" + +Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + +Reported-by: Axel Chong + +Bug: https://curl.se/docs/CVE-2022-35252.html + +CVE-2022-35252 + +Closes #9381 + +Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3 +Signed-off-by: Kamil Dudka +--- + lib/cookie.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/lib/cookie.c b/lib/cookie.c +index cb0c03b..e0470a1 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -438,6 +438,30 @@ static bool bad_domain(const char *domain) + return TRUE; + } + ++/* ++ RFC 6265 section 4.1.1 says a server should accept this range: ++ ++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ++ ++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes ++ fine. The prime reason for filtering out control bytes is that some HTTP ++ servers return 400 for requests that contain such. 
++*/ ++static int invalid_octets(const char *p) ++{ ++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ ++ static const char badoctets[] = { ++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" ++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" ++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" ++ }; ++ size_t vlen, len; ++ /* scan for all the octets that are *not* in cookie-octet */ ++ len = strcspn(p, badoctets); ++ vlen = strlen(p); ++ return (len != vlen); ++} ++ + /* + * Curl_cookie_add + * +@@ -590,6 +614,11 @@ Curl_cookie_add(struct Curl_easy *data, + badcookie = TRUE; + break; + } ++ if(invalid_octets(whatptr) || invalid_octets(name)) { ++ infof(data, "invalid octets in name/value, cookie dropped"); ++ badcookie = TRUE; ++ break; ++ } + } + else if(!len) { + /* +-- +2.37.1 + + +From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored + +Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28 +Signed-off-by: Kamil Dudka +--- + tests/data/test8 | 32 +++++++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +diff --git a/tests/data/test8 b/tests/data/test8 +index a8548e6..8587611 100644 +--- a/tests/data/test8 ++++ b/tests/data/test8 +@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want; + Set-Cookie: nocookie=yes; path=/WE; + Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad; + Set-Cookie: partialip=nono; domain=.0.0.1; ++Set-Cookie: cookie1=%hex[%01-junk]hex% ++Set-Cookie: cookie2=%hex[%02-junk]hex% ++Set-Cookie: cookie3=%hex[%03-junk]hex% ++Set-Cookie: cookie4=%hex[%04-junk]hex% ++Set-Cookie: cookie5=%hex[%05-junk]hex% ++Set-Cookie: cookie6=%hex[%06-junk]hex% ++Set-Cookie: cookie7=%hex[%07-junk]hex% ++Set-Cookie: cookie8=%hex[%08-junk]hex% ++Set-Cookie: cookie9=%hex[junk-%09-]hex% ++Set-Cookie: cookie11=%hex[%0b-junk]hex% ++Set-Cookie: 
cookie12=%hex[%0c-junk]hex% ++Set-Cookie: cookie14=%hex[%0e-junk]hex% ++Set-Cookie: cookie15=%hex[%0f-junk]hex% ++Set-Cookie: cookie16=%hex[%10-junk]hex% ++Set-Cookie: cookie17=%hex[%11-junk]hex% ++Set-Cookie: cookie18=%hex[%12-junk]hex% ++Set-Cookie: cookie19=%hex[%13-junk]hex% ++Set-Cookie: cookie20=%hex[%14-junk]hex% ++Set-Cookie: cookie21=%hex[%15-junk]hex% ++Set-Cookie: cookie22=%hex[%16-junk]hex% ++Set-Cookie: cookie23=%hex[%17-junk]hex% ++Set-Cookie: cookie24=%hex[%18-junk]hex% ++Set-Cookie: cookie25=%hex[%19-junk]hex% ++Set-Cookie: cookie26=%hex[%1a-junk]hex% ++Set-Cookie: cookie27=%hex[%1b-junk]hex% ++Set-Cookie: cookie28=%hex[%1c-junk]hex% ++Set-Cookie: cookie29=%hex[%1d-junk]hex% ++Set-Cookie: cookie30=%hex[%1e-junk]hex% ++Set-Cookie: cookie31=%hex[%1f-junk]hex% ++Set-Cookie: cookie31=%hex[%7f-junk]hex% + + + +@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1 + Host: %HOSTIP:%HTTPPORT + User-Agent: curl/%VERSION + Accept: */* +-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes ++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- - + + + +-- +2.37.1 + diff --git a/curl.spec b/curl.spec index 4af70aa..07528a2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -49,6 +49,9 @@ Patch12: 0012-curl-7.82.0-CVE-2022-32205.patch # fix unpreserved file permissions (CVE-2022-32207) Patch13: 0013-curl-7.82.0-CVE-2022-32207.patch +# control code in cookie denial of service (CVE-2022-35252) +Patch14: 0014-curl-7.82.0-CVE-2022-35252.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
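Review bot: test8 exercises control bytes only in the cookie value, while the new check in Curl_cookie_add rejects them in the name as well (`invalid_octets(whatptr) || invalid_octets(name)`), so the name branch is unverified; one line such as `Set-Cookie: %hex[%01-junk]hex%=value` would pin it. The last two added test lines both use the name `cookie31`; the 0x7f case should presumably be `cookie127`, otherwise a regression in one can hide behind the other. In invalid_octets a short comment that NUL need not appear in `badoctets` because it already terminates the C string, and that bytes 0x80-0xff are intentionally passed through, would spare the next reader the RFC 6265 cross-check. Returning `bool` from `strcspn(p, badoctets) != strlen(p)` would match the surrounding `bad_domain()` style, but the current form is correct.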
@@ -236,6 +239,7 @@ be installed. %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 # Fedora patches %patch101 -p1 @@ -463,6 +467,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Sep 02 2022 Kamil Dudka - 7.82.0-8 +- control code in cookie denial of service (CVE-2022-35252) + * Mon Jul 18 2022 Kamil Dudka - 7.82.0-7 - fix build failure with gnutls backend enabled From 42161392e9f0fd1c9cc538a3f8b0007eccbc9538 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 14:44:22 +0200 Subject: [PATCH 19/34] Resolves: CVE-2022-32221 - fix POST following PUT confusion --- 0015-curl-7.82.0-CVE-2022-32221.patch | 251 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 259 insertions(+), 1 deletion(-) create mode 100644 0015-curl-7.82.0-CVE-2022-32221.patch diff --git a/0015-curl-7.82.0-CVE-2022-32221.patch b/0015-curl-7.82.0-CVE-2022-32221.patch new file mode 100644 index 0000000..e608abd --- /dev/null +++ b/0015-curl-7.82.0-CVE-2022-32221.patch 
@@ -0,0 +1,251 @@ +From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:22:45 +0200 +Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field + +Reported-by: RobBotic1 on github +Fixes #9507 +Closes #9511 + +Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9 +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/setopt.c b/lib/setopt.c +index d5e3b50..b8793b4 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -625,6 +625,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; ++ data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: +-- +2.37.3 + + +From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:23:33 +0200 +Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle + +Reproduced #9507, verifies the fix + +Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 1 + + tests/data/test1948 | 73 +++++++++++++++++++++++++++++++++++ + tests/libtest/Makefile.inc | 5 +++ + tests/libtest/lib1948.c | 79 ++++++++++++++++++++++++++++++++++++++ + 4 files changed, 158 insertions(+) + create mode 100644 tests/data/test1948 + create mode 100644 tests/libtest/lib1948.c + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 818ee08..0cfab9b 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -220,6 +220,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \ + test1916 test1917 test1918 \ + \ + test1933 test1934 test1935 test1936 test1937 test1938 test1939 \ ++test1948 \ + \ + test2000 test2001 test2002 test2003 test2004 \ + \ +diff --git a/tests/data/test1948 b/tests/data/test1948 +new file mode 100644 +index 0000000..639523d +--- /dev/null ++++ 
b/tests/data/test1948 +@@ -0,0 +1,73 @@ ++ ++ ++ ++HTTP ++HTTP POST ++HTTP PUT ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++ ++CURLOPT_POST after CURLOPT_UPLOAD reusing handle ++ ++ ++lib%TESTNUMBER ++ ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++PUT /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Expect: 100-continue ++ ++This is test PUT data ++POST /1948 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Content-Type: application/x-www-form-urlencoded ++ ++This is test PUT data ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 83a8af4..3192eca 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -62,6 +62,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ + lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \ + lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \ + lib1937 lib1938 lib1939 \ ++ lib1948 \ + lib3010 lib3025 + + chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \ +@@ -724,6 +725,10 @@ lib1939_SOURCES = lib1939.c $(SUPPORTFILES) + lib1939_LDADD = $(TESTUTIL_LIBS) + lib1939_CPPFLAGS = $(AM_CPPFLAGS) + ++lib1948_SOURCES = lib1948.c $(SUPPORTFILES) ++lib1948_LDADD = $(TESTUTIL_LIBS) ++lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948 ++ + lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib3010_LDADD = $(TESTUTIL_LIBS) + lib3010_CPPFLAGS = $(AM_CPPFLAGS) +diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c +new file mode 
100644 +index 0000000..7c891a2 +--- /dev/null ++++ b/tests/libtest/lib1948.c +@@ -0,0 +1,79 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "test.h" ++ ++typedef struct ++{ ++ char *buf; ++ size_t len; ++} put_buffer; ++ ++static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream) ++{ ++ put_buffer *putdata = (put_buffer *)stream; ++ size_t totalsize = size * nmemb; ++ size_t tocopy = (putdata->len < totalsize) ? 
putdata->len : totalsize; ++ memcpy(ptr, putdata->buf, tocopy); ++ putdata->len -= tocopy; ++ putdata->buf += tocopy; ++ return tocopy; ++} ++ ++int test(char *URL) ++{ ++ CURL *curl; ++ CURLcode res = CURLE_OUT_OF_MEMORY; ++ ++ curl_global_init(CURL_GLOBAL_DEFAULT); ++ ++ curl = curl_easy_init(); ++ if(curl) { ++ const char *testput = "This is test PUT data\n"; ++ put_buffer pbuf; ++ ++ /* PUT */ ++ curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L); ++ curl_easy_setopt(curl, CURLOPT_HEADER, 1L); ++ curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback); ++ pbuf.buf = (char *)testput; ++ pbuf.len = strlen(testput); ++ curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf); ++ curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput)); ++ res = curl_easy_setopt(curl, CURLOPT_URL, URL); ++ if(!res) ++ res = curl_easy_perform(curl); ++ if(!res) { ++ /* POST */ ++ curl_easy_setopt(curl, CURLOPT_POST, 1L); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput)); ++ res = curl_easy_perform(curl); ++ } ++ curl_easy_cleanup(curl); ++ } ++ ++ curl_global_cleanup(); ++ return (int)res; ++} +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 07528a2..147259c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 8%{?dist} +Release: 9%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -52,6 +52,9 @@ Patch13: 0013-curl-7.82.0-CVE-2022-32207.patch # control code in cookie denial of service (CVE-2022-35252) Patch14: 0014-curl-7.82.0-CVE-2022-35252.patch +# fix POST following PUT confusion (CVE-2022-32221) +Patch15: 0015-curl-7.82.0-CVE-2022-32221.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
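Review bot: The new `data->set.upload = FALSE;` in Curl_vsetopt sits after the if/else, so it also runs for `CURLOPT_POST, 0L`, turning a handle that earlier set CURLOPT_UPLOAD into a plain GET rather than leaving it a PUT; that is probably intended, but it is exactly the option interaction behind CVE-2022-32221 and deserves a why-comment: `/* a stale CURLOPT_UPLOAD must not turn this request into a PUT carrying POST headers/body (CVE-2022-32221) */`. The enclosing case body starts above the hunk. In test1948 the second expected request line is hard-coded as `POST /1948 HTTP/1.1` while the first uses `PUT /%TESTNUMBER HTTP/1.1`; using `%TESTNUMBER` for both keeps the file renumber-safe. In lib1948.c every curl_easy_setopt() result except CURLOPT_URL is discarded, which is acceptable for a test but means a failing CURLOPT_POST would only surface indirectly as a PUT-vs-POST mismatch in the verify section.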
@@ -240,6 +243,7 @@ be installed. %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 # Fedora patches %patch101 -p1 @@ -467,6 +471,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 26 2022 Kamil Dudka - 7.82.0-9 +- fix POST following PUT confusion (CVE-2022-32221) + * Fri Sep 02 2022 Kamil Dudka - 7.82.0-8 - control code in cookie denial of service (CVE-2022-35252) From ed6e4aba43516bfc01df5e8caf84ffea347badd7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 14:53:25 +0200 Subject: [PATCH 20/34] Resolves: CVE-2022-35260 - netrc: replace fgets with Curl_get_line --- 0016-curl-7.82.0-CVE-2022-35260.patch | 76 +++++++++++++++++++++++++++ curl.spec | 5 ++ 2 files changed, 81 insertions(+) create mode 100644 0016-curl-7.82.0-CVE-2022-35260.patch diff --git a/0016-curl-7.82.0-CVE-2022-35260.patch b/0016-curl-7.82.0-CVE-2022-35260.patch new file mode 100644 index 0000000..0e969b9 --- /dev/null +++ b/0016-curl-7.82.0-CVE-2022-35260.patch 
@@ -0,0 +1,76 @@ +From 54dcd2334220ad965ef81130ba8ddf90b30c987c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 4 Oct 2022 14:37:24 +0200 +Subject: [PATCH] netrc: replace fgets with Curl_get_line + +Make the parser only accept complete lines and avoid problems with +overly long lines. + +Reported-by: Hiroki Kurosawa + +Closes #9789 + +Upstream-commit: c97ec984fb2bc919a3aa863e0476dffa377b184c +Signed-off-by: Kamil Dudka +--- + lib/curl_get_line.c | 6 +++--- + lib/netrc.c | 5 +++-- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c +index 6a26bb2..22e3705 100644 +--- a/lib/curl_get_line.c ++++ b/lib/curl_get_line.c +@@ -23,7 +23,7 @@ + #include "curl_setup.h" + + #if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ +- !defined(CURL_DISABLE_HSTS) ++ !defined(CURL_DISABLE_HSTS) || !defined(CURL_DISABLE_NETRC) + + #include "curl_get_line.h" + #include "curl_memory.h" +@@ -31,8 +31,8 @@ + #include "memdebug.h" + + /* +- * get_line() makes sure to only return complete whole lines that fit in 'len' +- * bytes and end with a newline. ++ * Curl_get_line() makes sure to only return complete whole lines that fit in ++ * 'len' bytes and end with a newline. 
+ */ + char *Curl_get_line(char *buf, int len, FILE *input) + { +diff --git a/lib/netrc.c b/lib/netrc.c +index 62a6a10..5d17482 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -31,6 +31,7 @@ + #include "netrc.h" + #include "strtok.h" + #include "strcase.h" ++#include "curl_get_line.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -84,7 +85,7 @@ static int parsenetrc(const char *host, + char netrcbuffer[4096]; + int netrcbuffsize = (int)sizeof(netrcbuffer); + +- while(!done && fgets(netrcbuffer, netrcbuffsize, file)) { ++ while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) { + if(state == MACDEF) { + if((netrcbuffer[0] == '\n') || (netrcbuffer[0] == '\r')) + state = NOTHING; +@@ -186,7 +187,7 @@ static int parsenetrc(const char *host, + + tok = strtok_r(NULL, " \t\n", &tok_buf); + } /* while(tok) */ +- } /* while fgets() */ ++ } /* while Curl_get_line() */ + + out: + if(!retcode) { +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 147259c..f4116b1 100644 --- a/curl.spec +++ b/curl.spec @@ -55,6 +55,9 @@ Patch14: 0014-curl-7.82.0-CVE-2022-35252.patch # fix POST following PUT confusion (CVE-2022-32221) Patch15: 0015-curl-7.82.0-CVE-2022-32221.patch +# netrc: replace fgets with Curl_get_line (CVE-2022-35260) +Patch16: 0016-curl-7.82.0-CVE-2022-35260.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -244,6 +247,7 @@ be installed. %patch13 -p1 %patch14 -p1 %patch15 -p1 +%patch16 -p1 # Fedora patches %patch101 -p1 @@ -472,6 +476,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Oct 26 2022 Kamil Dudka - 7.82.0-9 +- netrc: replace fgets with Curl_get_line (CVE-2022-35260) - fix POST following PUT confusion (CVE-2022-32221) * Fri Sep 02 2022 Kamil Dudka - 7.82.0-8 From ba028ab793fa78a0d840d3c56b5d6ca609d8e40f Mon Sep 17 00:00:00 2001 
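Review bot: With Curl_get_line() a line that does not fit in the 4096-byte `netrcbuffer` is no longer split and fed to strtok_r() piecemeal, which is the fix, but the hunk does not show whether an over-long line is skipped or ends the scan, nor whether a final line without a trailing newline is still returned; both matter for a credentials file, since a silently dropped `password` line makes curl proceed without credentials. A comment above the loop stating the contract would help: `/* Curl_get_line() returns only complete, newline-terminated lines that fit the buffer; longer lines are never tokenised (CVE-2022-35260) */`. If Curl_get_line() discards a last line lacking '\n', an infof() at that point would make a truncated .netrc diagnosable instead of a mysterious authentication failure. parsenetrc()'s body continues on both sides of the hunk.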
From: Kamil Dudka Date: Wed, 26 Oct 2022 14:58:41 +0200 Subject: [PATCH 21/34] Resolves: CVE-2022-42915 - http_proxy: restore the protocol pointer on error --- 0017-curl-7.82.0-CVE-2022-42915.patch | 154 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 159 insertions(+) create mode 100644 0017-curl-7.82.0-CVE-2022-42915.patch diff --git a/0017-curl-7.82.0-CVE-2022-42915.patch b/0017-curl-7.82.0-CVE-2022-42915.patch new file mode 100644 index 0000000..db3c235 --- /dev/null +++ b/0017-curl-7.82.0-CVE-2022-42915.patch 
@@ -0,0 +1,154 @@ +From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 14:13:36 +0200 +Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error + +Reported-by: Trail of Bits + +Closes #9790 + +Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89 +Signed-off-by: Kamil Dudka +--- + lib/http_proxy.c | 6 ++---- + lib/url.c | 9 --------- + 2 files changed, 2 insertions(+), 13 deletions(-) + +diff --git a/lib/http_proxy.c b/lib/http_proxy.c +index 1f87f6c..cc20b3a 100644 +--- a/lib/http_proxy.c ++++ b/lib/http_proxy.c +@@ -210,10 +210,8 @@ void Curl_connect_done(struct Curl_easy *data) + Curl_dyn_free(&s->rcvbuf); + Curl_dyn_free(&s->req); + +- /* restore the protocol pointer, if not already done */ +- if(s->prot_save) +- data->req.p.http = s->prot_save; +- s->prot_save = NULL; ++ /* restore the protocol pointer */ ++ data->req.p.http = s->prot_save; + data->info.httpcode = 0; /* clear it as it might've been used for the + proxy */ + data->req.ignorebody = FALSE; +diff --git a/lib/url.c b/lib/url.c +index bfc784f..61c99d2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -728,15 +728,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) + DEBUGASSERT(data); + infof(data, "Closing connection %ld", conn->connection_id); + +-#ifndef USE_HYPER +- if(conn->connect_state && conn->connect_state->prot_save) { +- /* If this was closed with a CONNECT in progress, cleanup this temporary +- struct arrangement */ +- data->req.p.http = NULL; +- Curl_safefree(conn->connect_state->prot_save); +- } +-#endif +- + /* possible left-overs from the async name resolvers */ + Curl_resolver_cancel(data); + +-- +2.37.3 + + +From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 14:14:25 +0200 +Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and + fix + +Upstream-commit: 
038bfb8522a93328b7e65bd2b6b8387c974b9ac8 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test445 | 61 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 62 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test445 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 0cfab9b..14c1b0c 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -72,7 +72,7 @@ test409 test410 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +-test440 test441 test442 test443 test444 \ ++test440 test441 test442 test443 test444 test445 \ + \ + test490 test491 test492 test493 test494 \ + \ +diff --git a/tests/data/test445 b/tests/data/test445 +new file mode 100644 +index 0000000..0406c0f +--- /dev/null ++++ b/tests/data/test445 +@@ -0,0 +1,61 @@ ++ ++ ++ ++HTTP ++HTTP proxy ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 503 no just no ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++gopher ++dict ++http ++ftp ++imap ++ldap ++mqtt ++pop3 ++rtsp ++scp ++sftp ++smb ++smtp ++ ++ ++http-proxy ++ ++ ++Refuse tunneling protocols through HTTP proxy ++ ++ ++-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# refused in the CONNECT ++ ++56 ++ ++ ++ +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index f4116b1..465ca01 100644 --- a/curl.spec +++ b/curl.spec 
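Review bot: Curl_connect_done now restores `data->req.p.http = s->prot_save` unconditionally but no longer clears `s->prot_save`, and the conn_shutdown() cleanup that freed it is removed; if `s` (conn->connect_state) outlives this call, a second Curl_connect_done() would re-install a pointer that may by then be stale, so keeping `s->prot_save = NULL;` after the restore is a cheap guard unless the struct is freed right below, outside the hunk. The removed url.c block appears to be the double-free path (an aborted CONNECT freed prot_save while the saved pointer was still referenced), and a one-line comment on the restore — `/* unconditional: prot_save is the only place the original pointer survives (CVE-2022-42915) */` — would stop someone re-adding the NULL check later. test445 pins only the CONNECT-refused path (exit code 56); the path where the proxy accepts and the protocol handshake fails afterwards is not covered.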
@@ -58,6 +58,9 @@ Patch15: 0015-curl-7.82.0-CVE-2022-32221.patch # netrc: replace fgets with Curl_get_line (CVE-2022-35260) Patch16: 0016-curl-7.82.0-CVE-2022-35260.patch +# http_proxy: restore the protocol pointer on error (CVE-2022-42915) +Patch17: 0017-curl-7.82.0-CVE-2022-42915.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -248,6 +251,7 @@ be installed. %patch14 -p1 %patch15 -p1 %patch16 -p1 +%patch17 -p1 # Fedora patches %patch101 -p1 @@ -476,6 +480,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Oct 26 2022 Kamil Dudka - 7.82.0-9 +- http_proxy: restore the protocol pointer on error (CVE-2022-42915) - netrc: replace fgets with Curl_get_line (CVE-2022-35260) - fix POST following PUT confusion (CVE-2022-32221) From 80974e87a005594fb0d63d4be985df1258d0164f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 15:02:16 +0200 Subject: [PATCH 22/34] Resolves: CVE-2022-42916 - url: use IDN decoded names for HSTS checks --- 0018-curl-7.82.0-CVE-2022-42916.patch | 137 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 142 insertions(+) create mode 100644 0018-curl-7.82.0-CVE-2022-42916.patch diff --git a/0018-curl-7.82.0-CVE-2022-42916.patch b/0018-curl-7.82.0-CVE-2022-42916.patch new file mode 100644 index 0000000..a2234b5 --- /dev/null +++ b/0018-curl-7.82.0-CVE-2022-42916.patch 
@@ -0,0 +1,137 @@ +From 8c1f295ec343bad073a41f62de5f4c4ddd579e41 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 12 Oct 2022 10:47:59 +0200 +Subject: [PATCH] url: use IDN decoded names for HSTS checks + +Reported-by: Hiroki Kurosawa + +Closes #9791 + +Upstream-commit: 53bcf55b4538067e6dc36242168866becb987bb7 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 91 ++++++++++++++++++++++++++++--------------------------- + 1 file changed, 47 insertions(+), 44 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 61c99d2..6426fa7 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2003,10 +2003,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + if(!strcasecompare("file", data->state.up.scheme)) + return CURLE_OUT_OF_MEMORY; + } ++ hostname = data->state.up.hostname; ++ ++ if(hostname && hostname[0] == '[') { ++ /* This looks like an IPv6 address literal. See if there is an address ++ scope. */ ++ size_t hlen; ++ conn->bits.ipv6_ip = TRUE; ++ /* cut off the brackets! */ ++ hostname++; ++ hlen = strlen(hostname); ++ hostname[hlen - 1] = 0; ++ ++ zonefrom_url(uh, data, conn); ++ } ++ ++ /* make sure the connect struct gets its own copy of the host name */ ++ conn->host.rawalloc = strdup(hostname ? 
hostname : ""); ++ if(!conn->host.rawalloc) ++ return CURLE_OUT_OF_MEMORY; ++ conn->host.name = conn->host.rawalloc; ++ ++ /************************************************************* ++ * IDN-convert the hostnames ++ *************************************************************/ ++ result = Curl_idnconvert_hostname(data, &conn->host); ++ if(result) ++ return result; ++ if(conn->bits.conn_to_host) { ++ result = Curl_idnconvert_hostname(data, &conn->conn_to_host); ++ if(result) ++ return result; ++ } ++#ifndef CURL_DISABLE_PROXY ++ if(conn->bits.httpproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); ++ if(result) ++ return result; ++ } ++ if(conn->bits.socksproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); ++ if(result) ++ return result; ++ } ++#endif + + #ifndef CURL_DISABLE_HSTS ++ /* HSTS upgrade */ + if(data->hsts && strcasecompare("http", data->state.up.scheme)) { +- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) { ++ /* This MUST use the IDN decoded name */ ++ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) { + char *url; + Curl_safefree(data->state.up.scheme); + uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0); +@@ -2111,26 +2157,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + + (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); + +- hostname = data->state.up.hostname; +- if(hostname && hostname[0] == '[') { +- /* This looks like an IPv6 address literal. See if there is an address +- scope. */ +- size_t hlen; +- conn->bits.ipv6_ip = TRUE; +- /* cut off the brackets! */ +- hostname++; +- hlen = strlen(hostname); +- hostname[hlen - 1] = 0; +- +- zonefrom_url(uh, data, conn); +- } +- +- /* make sure the connect struct gets its own copy of the host name */ +- conn->host.rawalloc = strdup(hostname ? 
hostname : ""); +- if(!conn->host.rawalloc) +- return CURLE_OUT_OF_MEMORY; +- conn->host.name = conn->host.rawalloc; +- + #ifdef ENABLE_IPV6 + if(data->set.scope_id) + /* Override any scope that was set above. */ +@@ -3705,29 +3731,6 @@ static CURLcode create_conn(struct Curl_easy *data, + if(result) + goto out; + +- /************************************************************* +- * IDN-convert the hostnames +- *************************************************************/ +- result = Curl_idnconvert_hostname(data, &conn->host); +- if(result) +- goto out; +- if(conn->bits.conn_to_host) { +- result = Curl_idnconvert_hostname(data, &conn->conn_to_host); +- if(result) +- goto out; +- } +-#ifndef CURL_DISABLE_PROXY +- if(conn->bits.httpproxy) { +- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); +- if(result) +- goto out; +- } +- if(conn->bits.socksproxy) { +- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); +- if(result) +- goto out; +- } +-#endif + + /************************************************************* + * Check whether the host and the "connect to host" are equal. +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 465ca01..cdf1413 100644 --- a/curl.spec +++ b/curl.spec @@ -61,6 +61,9 @@ Patch16: 0016-curl-7.82.0-CVE-2022-35260.patch # http_proxy: restore the protocol pointer on error (CVE-2022-42915) Patch17: 0017-curl-7.82.0-CVE-2022-42915.patch +# url: use IDN decoded names for HSTS checks (CVE-2022-42916) +Patch18: 0018-curl-7.82.0-CVE-2022-42916.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -252,6 +255,7 @@ be installed. %patch15 -p1 %patch16 -p1 %patch17 -p1 +%patch18 -p1 # Fedora patches %patch101 -p1 
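Review bot: The IDN conversion of `conn->conn_to_host`, `conn->http_proxy.host` and `conn->socks_proxy.host` is moved from create_conn() into parseurlandfillconn(), but it stays guarded by `conn->bits.conn_to_host` / `conn->bits.httpproxy` / `conn->bits.socksproxy`; if those bits are only set later in create_conn() (proxy detection and connect-to parsing follow URL parsing in this code base, as far as I can tell), these three conversions now never run and an IDN proxy or connect-to host would be resolved under its raw Unicode name. Please confirm the ordering or keep a second conversion of those hosts at the original create_conn() location; only `conn->host` must be converted early for the HSTS lookup. The relocated IPv6-literal code writes `hostname[hlen - 1] = 0` assuming a closing bracket is present; it relies on the URL API guaranteeing that, which a comment such as `/* curl_url_get() guarantees a matching ']' */` should state. Both functions continue outside the hunk.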
@@ -480,6 +484,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Oct 26 2022 Kamil Dudka - 7.82.0-9 +- url: use IDN decoded names for HSTS checks (CVE-2022-42916) - http_proxy: restore the protocol pointer on error (CVE-2022-42915) - netrc: replace fgets with Curl_get_line (CVE-2022-35260) - fix POST following PUT confusion (CVE-2022-32221) From 426affc3676469211cbad6d51bdd75c177f65511 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 21 Nov 2022 14:21:29 +0100 Subject: [PATCH 23/34] Resolves: #2144277 - http2: make nghttp2 less picky about field whitespace --- 0019-curl-7.82.0-http2-whitespace.patch | 103 ++++++++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 111 insertions(+), 1 deletion(-) create mode 100644 0019-curl-7.82.0-http2-whitespace.patch diff --git a/0019-curl-7.82.0-http2-whitespace.patch b/0019-curl-7.82.0-http2-whitespace.patch new file mode 100644 index 0000000..dc5b806 --- /dev/null +++ b/0019-curl-7.82.0-http2-whitespace.patch 
@@ -0,0 +1,103 @@ +From 99e014bfacfb1f572d3fd710e567faee38bf1c2f Mon Sep 17 00:00:00 2001 +From: lwthiker +Date: Sun, 17 Jul 2022 19:11:33 +0300 +Subject: [PATCH 1/2] h2h3: fix overriding the 'TE: Trailers' header + +A 'TE: Trailers' header is explicitly replaced by 'te: trailers' +(lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or +HTTP/3 headers. However, this is then replaced again by the original +value due to a bug, resulting in the uppercased version being sent. Some +HTTP/2 servers reject the whole HTTP/2 stream when this is the case. + +Closes #9170 + +Upstream-commit: b9b6148c45a00d675d5bb261bf4cbb45468ad807 +Signed-off-by: Kamil Dudka +--- + lib/h2h3.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/lib/h2h3.c b/lib/h2h3.c +index cf8d156..bbf4ae5 100644 +--- a/lib/h2h3.c ++++ b/lib/h2h3.c +@@ -256,9 +256,6 @@ CURLcode Curl_pseudo_headers(struct Curl_easy *data, + nva[i].valuelen = (end - hdbuf); + } + +- nva[i].value = hdbuf; +- nva[i].valuelen = (end - hdbuf); +- + ++i; + } + +-- +2.37.3 + + +From a1eaad81dc6c8d1e562b685d3136f24aeb12dcb4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 7 Sep 2022 15:41:03 +0200 +Subject: [PATCH 2/2] http2: make nghttp2 less picky about field whitespace + +In nghttp2 1.49.0 it returns error on leading and trailing whitespace in +header fields according to language in the recently shipped RFC 9113. + +nghttp2 1.50.0 introduces an option to switch off this strict check and +this change enables this option by default which should make curl behave +more similar to how it did with nghttp2 1.48.0 and earlier. + +We might want to consider making this an option in the future. 
+ +Closes #9448 + +Upstream-commit: eafc2b14ac9e40377168b46cab3f1d90c3f32f45 +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/lib/http2.c b/lib/http2.c +index f6364d0..3a70528 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -1258,6 +1258,27 @@ void Curl_http2_done(struct Curl_easy *data, bool premature) + } + } + ++static int client_new(struct connectdata *conn, ++ nghttp2_session_callbacks *callbacks) ++{ ++#if NGHTTP2_VERSION_NUM < 0x013200 ++ /* before 1.50.0 */ ++ return nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn); ++#else ++ nghttp2_option *o; ++ int rc = nghttp2_option_new(&o); ++ if(rc) ++ return rc; ++ /* turn off RFC 9113 leading and trailing white spaces validation against ++ HTTP field value. */ ++ nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation(o, 1); ++ rc = nghttp2_session_client_new2(&conn->proto.httpc.h2, callbacks, conn, ++ o); ++ nghttp2_option_del(o); ++ return rc; ++#endif ++} ++ + /* + * Initialize nghttp2 for a Curl connection + */ +@@ -1298,7 +1319,7 @@ static CURLcode http2_init(struct Curl_easy *data, struct connectdata *conn) + nghttp2_session_callbacks_set_error_callback(callbacks, error_callback); + + /* The nghttp2 session is not yet setup, do it */ +- rc = nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn); ++ rc = client_new(conn, callbacks); + + nghttp2_session_callbacks_del(callbacks); + +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index cdf1413..a8e2b35 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc 
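Review bot: The comment above `nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation(o, 1)` in `client_new` says what is switched off but not why switching off a spec-mandated check is acceptable, so a later reader sees only a disabled protocol validation. I would extend it to something like `/* nghttp2 >= 1.49.0 rejects leading/trailing whitespace in field values per RFC 9113; disable that so curl keeps accepting such fields as it did with nghttp2 <= 1.48.0 (upstream #9448) */`. The `#if NGHTTP2_VERSION_NUM < 0x013200` guard is decided at build time, so a binary built against 1.50.0 headers needs the option symbol from libnghttp2 at run time; the versioned `Requires: libnghttp2` added later in this series for #2144277 is what covers that and is worth cross-referencing in this comment.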
@@ -64,6 +64,9 @@ Patch17: 0017-curl-7.82.0-CVE-2022-42915.patch # url: use IDN decoded names for HSTS checks (CVE-2022-42916) Patch18: 0018-curl-7.82.0-CVE-2022-42916.patch +# http2: make nghttp2 less picky about field whitespace (#2144277) +Patch19: 0019-curl-7.82.0-http2-whitespace.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -256,6 +259,7 @@ be installed. %patch16 -p1 %patch17 -p1 %patch18 -p1 +%patch19 -p1 # Fedora patches %patch101 -p1 @@ -483,6 +487,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Nov 21 2022 Kamil Dudka - 7.82.0-10 +- http2: make nghttp2 less picky about field whitespace (#2144277) + * Wed Oct 26 2022 Kamil Dudka - 7.82.0-9 - url: use IDN decoded names for HSTS checks (CVE-2022-42916) - http_proxy: restore the protocol pointer on error (CVE-2022-42915) From c4c3c415e74bbc3fd169a132eeb254897022fbd0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 24 Nov 2022 13:07:48 +0100 Subject: [PATCH 24/34] Related: #2144277 - tests: fix http2 tests to use CRLF headers --- 0019-curl-7.82.0-http2-whitespace.patch | 167 +++++++++++++++++++++++- 1 file changed, 165 insertions(+), 2 deletions(-) diff --git a/0019-curl-7.82.0-http2-whitespace.patch b/0019-curl-7.82.0-http2-whitespace.patch index dc5b806..40389bb 100644 --- a/0019-curl-7.82.0-http2-whitespace.patch +++ b/0019-curl-7.82.0-http2-whitespace.patch @@ -1,7 +1,7 @@ From 99e014bfacfb1f572d3fd710e567faee38bf1c2f Mon Sep 17 00:00:00 2001 From: lwthiker Date: Sun, 17 Jul 2022 19:11:33 +0300 -Subject: [PATCH 1/2] h2h3: fix overriding the 'TE: Trailers' header +Subject: [PATCH 1/3] h2h3: fix overriding the 'TE: Trailers' header A 'TE: Trailers' header is explicitly replaced by 'te: trailers' (lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or 
@@ -35,10 +35,173 @@ index cf8d156..bbf4ae5 100644 2.37.3 +From 239ed36b2dcb0234ab1c98fce4abf40fe6ec86b5 Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Thu, 25 Aug 2022 03:46:42 -0400 +Subject: [PATCH 2/3] tests: fix http2 tests to use CRLF headers + +Prior to this change some tests that rely on nghttpx proxy did not use +CRLF headers everywhere. A recent change in nghttp2, which updated its +version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to +use CRLF headers. + +Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8 + +Fixes https://github.com/curl/curl/issues/9364 +Closes https://github.com/curl/curl/pull/9365 + +Upstream-commit: ef121401d6eabed204a716f16b2776ededc75c0e +Signed-off-by: Kamil Dudka +--- + tests/data/test1700 | 34 +++++++++++++++++----------------- + tests/data/test1701 | 22 +++++++++++----------- + tests/data/test358 | 16 ++++++++-------- + tests/data/test359 | 16 ++++++++-------- + 4 files changed, 44 insertions(+), 44 deletions(-) + +diff --git a/tests/data/test1700 b/tests/data/test1700 +index 9cf8739..2815775 100644 +--- a/tests/data/test1700 ++++ b/tests/data/test1700 +@@ -11,26 +11,26 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ + -foo- + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++ + -maa- + + 
+diff --git a/tests/data/test1701 b/tests/data/test1701 +index c4687d9..5859cff 100644 +--- a/tests/data/test1701 ++++ b/tests/data/test1701 +@@ -11,17 +11,17 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ + -foo- + + +diff --git a/tests/data/test358 b/tests/data/test358 +index d1ddc1b..ce20b17 100644 +--- a/tests/data/test358 ++++ b/tests/data/test358 +@@ -12,14 +12,14 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 ++ + -foo- + + +diff --git a/tests/data/test359 b/tests/data/test359 +index c1b1cb8..e624f7d 100644 +--- a/tests/data/test359 ++++ b/tests/data/test359 +@@ -12,14 +12,14 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 ++ + -foo- + + +-- +2.37.3 + + 
From a1eaad81dc6c8d1e562b685d3136f24aeb12dcb4 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 7 Sep 2022 15:41:03 +0200 -Subject: [PATCH 2/2] http2: make nghttp2 less picky about field whitespace +Subject: [PATCH 3/3] http2: make nghttp2 less picky about field whitespace In nghttp2 1.49.0 it returns error on leading and trailing whitespace in header fields according to language in the recently shipped RFC 9113. From a7aa3da71c0b6338e1b4f5633aaff5c0255af01b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 24 Nov 2022 16:25:47 +0100 Subject: [PATCH 25/34] Related: #2144277 - enforce versioned libnghttp2 dependency for libcurl --- curl.spec | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index a8e2b35..441e577 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 10%{?dist} +Release: 11%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -155,6 +155,10 @@ BuildRequires: stunnel # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} +# require at least the version of libnghttp2 that we were built against, +# to ensure that we have the necessary symbols available (#2144277) +%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) 
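Review bot: `%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0)` degrades to `Requires: libnghttp2 >= 0` whenever pkg-config cannot find libnghttp2 at spec-parse time, which silently disables the guard #2144277 asks for instead of failing loudly. It copies the existing libpsl pattern, so if the fallback exists only so the spec can be parsed outside a populated build root (an srpm build, presumably), I would say so in the comment: `# the 'echo 0' fallback is only for parsing the spec without libnghttp2-devel installed; the binary build must pull it in via BuildRequires`. Whether libnghttp2-devel is actually listed in BuildRequires is not visible in this hunk.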
@@ -178,6 +182,7 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} @@ -222,6 +227,7 @@ be installed. %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl = %{version}-%{release} Provides: libcurl%{?_isa} = %{version}-%{release} @@ -487,6 +493,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 24 2022 Kamil Dudka - 7.82.0-11 +- enforce versioned libnghttp2 dependency for libcurl (#2144277) + * Mon Nov 21 2022 Kamil Dudka - 7.82.0-10 - http2: make nghttp2 less picky about field whitespace (#2144277) From 484461c3e4613272867db1b373fe0c612657b666 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 24 Nov 2022 21:31:07 +0100 Subject: [PATCH 26/34] Related: #2144277 - make the package build again on ppc64le ... by disabling flaky upstream tests --- curl.spec | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 441e577..eeb566d 100644 --- a/curl.spec +++ b/curl.spec @@ -285,10 +285,8 @@ echo "1319" >> tests/data/DISABLED printf "320\n321\n322\n" >> tests/data/DISABLED %endif -# temporarily disable tests 582 and 1452 on s390x (client times out) -%ifarch s390x +# temporarily disable flaky tests 582 and 1452 (client times out) printf "582\n1452\n" >> tests/data/DISABLED -%endif # temporarily disable tests 702 703 716 on armv7hl (#1829180) %ifarch armv7hl From d59c430b6a16ab47bbed8043f4ea483acaff2d28 Mon Sep 17 00:00:00 2001 
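Review bot: Dropping the `%ifarch s390x` guard now skips tests 582 and 1452 on every architecture, but the comment keeps "temporarily" with nothing to track it, unlike the neighbouring armv7hl line that cites its bug (#1829180). I would record the reference the same way, e.g. `# temporarily disable flaky tests 582 and 1452 (client times out, #2144277)`, so the exclusion can be revisited when that bug closes rather than becoming permanent. The link to #2144277 is only inferred from the commit title; if the ppc64le failure is tracked elsewhere, cite that instead.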
From: Kamil Dudka Date: Wed, 21 Dec 2022 15:26:26 +0100 Subject: [PATCH 27/34] Resolves: CVE-2022-43551 - http: use the IDN decoded name in HSTS checks --- 0020-curl-7.85.0-CVE-2022-43551.patch | 35 +++++++++++++++++++++++++++ curl.spec | 9 ++++++- 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 0020-curl-7.85.0-CVE-2022-43551.patch diff --git a/0020-curl-7.85.0-CVE-2022-43551.patch b/0020-curl-7.85.0-CVE-2022-43551.patch new file mode 100644 index 0000000..a55f3cc --- /dev/null +++ b/0020-curl-7.85.0-CVE-2022-43551.patch @@ -0,0 +1,35 @@ +From 3fe91ee75b9f663b7a303ef14e07e28184d1450c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:36:55 +0100 +Subject: [PATCH] http: use the IDN decoded name in HSTS checks + +Otherwise it stores the info HSTS into the persistent cache for the IDN +name which will not match when the HSTS status is later checked for +using the decoded name. + +Reported-by: Hiroki Kurosawa + +Closes #10111 + +Upstream-commit: 9e71901634e276dd050481c4320f046bebb1bc28 +Signed-off-by: Kamil Dudka +--- + lib/http.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/http.c b/lib/http.c +index b0ad28e..8b18e8d 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -3652,7 +3652,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, + else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) && + (conn->handler->flags & PROTOPT_SSL)) { + CURLcode check = +- Curl_hsts_parse(data->hsts, data->state.up.hostname, ++ Curl_hsts_parse(data->hsts, conn->host.name, + headp + strlen("Strict-Transport-Security:")); + if(check) + infof(data, "Illegal STS header skipped"); +-- +2.38.1 + diff --git a/curl.spec b/curl.spec index eeb566d..0e5f135 100644 --- a/curl.spec +++ b/curl.spec 
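Review bot: The switch to `conn->host.name` in the `Curl_hsts_parse` call in `Curl_http_header` carries no comment saying why the decoded name is required here, while the lookup side patched earlier in this series (`Curl_hsts(data->hsts, conn->host.name, TRUE)` in 0018) at least says `/* This MUST use the IDN decoded name */`. I would mirror that at the store site: `/* MUST use the IDN decoded name: Curl_hsts() later looks the entry up via conn->host.name, so storing it under data->state.up.hostname never matches */`, which is what the commit message describes. The diffstat lists only lib/http.c, so no test exercises an IDN host through the store-then-lookup path in this backport. Curl_http_header's body starts and continues outside the hunk.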
@@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 11%{?dist} +Release: 12%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -67,6 +67,9 @@ Patch18: 0018-curl-7.82.0-CVE-2022-42916.patch # http2: make nghttp2 less picky about field whitespace (#2144277) Patch19: 0019-curl-7.82.0-http2-whitespace.patch +# http: use the IDN decoded name in HSTS checks (CVE-2022-43551) +Patch20: 0020-curl-7.85.0-CVE-2022-43551.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -266,6 +269,7 @@ be installed. %patch17 -p1 %patch18 -p1 %patch19 -p1 +%patch20 -p1 # Fedora patches %patch101 -p1 @@ -491,6 +495,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 21 2022 Kamil Dudka - 7.82.0-12 +- http: use the IDN decoded name in HSTS checks (CVE-2022-43551) + * Thu Nov 24 2022 Kamil Dudka - 7.82.0-11 - enforce versioned libnghttp2 dependency for libcurl (#2144277) From 739873039294b353fe6d39ddde40bce94390b62b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Dec 2022 15:31:04 +0100 Subject: [PATCH 28/34] Resolves: CVE-2022-43552 - smb/telnet: fix use-after-free when HTTP proxy denies tunnel --- 0021-curl-7.85.0-CVE-2022-43552.patch | 81 +++++++++++++++++++++++++++ curl.spec | 5 ++ 2 files changed, 86 insertions(+) create mode 100644 0021-curl-7.85.0-CVE-2022-43552.patch diff --git a/0021-curl-7.85.0-CVE-2022-43552.patch b/0021-curl-7.85.0-CVE-2022-43552.patch new file mode 100644 index 0000000..10b51ef --- /dev/null +++ b/0021-curl-7.85.0-CVE-2022-43552.patch 
@@ -0,0 +1,81 @@ +From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 + +Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2 +Signed-off-by: Kamil Dudka +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 039d680..f682c1f 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, +@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -939,14 +937,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature) +-{ +- 
(void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { +diff --git a/lib/telnet.c b/lib/telnet.c +index 923c7f8..48cd0d7 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1246,9 +1246,6 @@ static CURLcode telnet_done(struct Curl_easy *data, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + +-- +2.38.1 + diff --git a/curl.spec b/curl.spec index 0e5f135..296692b 100644 --- a/curl.spec +++ b/curl.spec @@ -70,6 +70,9 @@ Patch19: 0019-curl-7.82.0-http2-whitespace.patch # http: use the IDN decoded name in HSTS checks (CVE-2022-43551) Patch20: 0020-curl-7.85.0-CVE-2022-43551.patch +# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) +Patch21: 0021-curl-7.85.0-CVE-2022-43552.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -270,6 +273,7 @@ be installed. %patch18 -p1 %patch19 -p1 %patch20 -p1 +%patch21 -p1 # Fedora patches %patch101 -p1 @@ -496,6 +500,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Dec 21 2022 Kamil Dudka - 7.82.0-12 +- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) - http: use the IDN decoded name in HSTS checks (CVE-2022-43551) * Thu Nov 24 2022 Kamil Dudka - 7.82.0-11 From 982e2f02150b967c6af3efade4353889198f8fdd Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 18:01:30 +0100 Subject: [PATCH 29/34] Resolves: CVE-2023-23916 - fix HTTP multi-header compression denial of service --- 0022-curl-7.82.0-CVE-2023-23916.patch | 566 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 574 insertions(+), 1 deletion(-) create mode 100644 0022-curl-7.82.0-CVE-2023-23916.patch diff --git a/0022-curl-7.82.0-CVE-2023-23916.patch b/0022-curl-7.82.0-CVE-2023-23916.patch new file mode 100644 index 0000000..07e0ec5 
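Review bot: Nothing in this backport exercises the failure path the title names — the diffstat lists only lib/smb.c and lib/telnet.c, no tests/data entry — so the removal of the two `Curl_safefree(data->req.p.*)` calls is verified by review alone. The SMB and SMBS handler tables now carry a bare `ZERO_NULL, /* done */`; since the point of the change is that the protocol struct is owned by the generic layer (per the commit message), I would say so at the slot, e.g. `ZERO_NULL, /* done: req.p.smb is released by the generic layer */`, so nobody re-adds a local free later. The same ownership note belongs in `telnet_done` where the `Curl_safefree(data->req.p.telnet)` was removed; telnet_done's body starts outside the hunk.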
--- /dev/null
+++ b/0022-curl-7.82.0-CVE-2023-23916.patch
@@ -0,0 +1,566 @@ +From 6e244e1bcb04012e11c537253e76e6f968d8bb72 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 1 Dec 2022 09:21:04 +0100 +Subject: [PATCH 1/3] runtests: do CRLF replacements per section only + +The `crlf="yes"` attribute and "hyper mode" are now only applied on a +subset of dedicated sections: data, datacheck, stdout and protocol. + +Updated test 2500 accordingly. + +Also made test1 use crlf="yes" for , mostly because it is +often used as a template test case. Going forward, using this attribute +we should be able to write test cases using linefeeds only and avoid +mixed line ending encodings. + +Follow-up to ca15b7512e8d11 + +Fixes #10009 +Closes #10010 + +Upstream-commit: 2f34a7347f315513bfda9ef14770d287fb246bcd +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT.md | 22 ++++++++++++++------ + tests/data/test1 | 14 ++++++------- + tests/runtests.pl | 49 +++++++++++++++++++++++++++++++++++++++++---- + 3 files changed, 68 insertions(+), 17 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index c1fbc57..dcb5695 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -188,7 +188,7 @@ When using curl built with Hyper, the keywords must include HTTP or HTTPS for + 'hyper mode' to kick in and make line ending checks work for tests. + ## `` + +-### `` ++### `` + + data to be sent to the client on its request and later verified that it + arrived safely. Set `nocheck="yes"` to prevent the test script from verifying +@@ -217,12 +217,16 @@ and used as "raw" data. + `nonewline=yes` means that the last byte (the trailing newline character) + should be cut off from the data before sending or comparing it. + ++`crlf=yes` forces *header* newlines to become CRLF even if not written so in ++the source file. Note that this makes runtests.pl parse and "guess" what is a ++header and what is not in order to apply the CRLF line endings appropriately. 
++ + For FTP file listings, the `` section will be used *only* if you make + sure that there has been a CWD done first to a directory named `test-[num]` + where [num] is the test case number. Otherwise the ftp server can't know from + which test file to load the list content. + +-### `` ++### `` + + Send back this contents instead of the one. The num is set by: + +@@ -249,7 +253,7 @@ a connect prefix. + ### `` + Address type and address details as logged by the SOCKS proxy. + +-### `` ++### `` + if the data is sent but this is what should be checked afterwards. If + `nonewline=yes` is set, runtests will cut off the trailing newline from the + data before comparing with the one actually received by the client. +@@ -257,7 +261,7 @@ data before comparing with the one actually received by the client. + Use the `mode="text"` attribute if the output is in text mode on platforms + that have a text/binary difference. + +-### `` ++### `` + The contents of numbered datacheck sections are appended to the non-numbered + one. + +@@ -540,13 +544,16 @@ changing protocol data such as port numbers or user-agent strings. + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `` ++### `` + + the protocol dump curl should transmit, if 'nonewline' is set, we will cut off + the trailing newline of this given data before comparing with the one actually + sent by the client The `` and `` rules are applied before + comparisons are made. + ++`crlf=yes` forces the newlines to become CRLF even if not written so in the ++test. ++ + ### `` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy +@@ -563,7 +570,7 @@ have a text/binary difference. + If 'nonewline' is set, we will cut off the trailing newline of this given data + before comparing with the one actually received by the client + +-### `` ++### `` + This verifies that this data was passed to stdout. 
+ + Use the mode="text" attribute if the output is in text mode on platforms that +@@ -572,6 +579,9 @@ have a text/binary difference. + If 'nonewline' is set, we will cut off the trailing newline of this given data + before comparing with the one actually received by the client + ++`crlf=yes` forces the newlines to become CRLF even if not written so in the ++test. ++ + ### `` + The file's contents must be identical to this after the test is complete. Use + the mode="text" attribute if the output is in text mode on platforms that have +diff --git a/tests/data/test1 b/tests/data/test1 +index f39a08b..700bed8 100644 +--- a/tests/data/test1 ++++ b/tests/data/test1 +@@ -9,7 +9,7 @@ HTTP GET + # + # Server-side + +- ++ + HTTP/1.1 200 OK + Date: Tue, 09 Nov 2010 14:49:00 GMT + Server: test-server/fake +@@ -42,12 +42,12 @@ http://%HOSTIP:%HTTPPORT/%TESTNUMBER + # + # Verify data after the test has been "shot" + +- +-GET /%TESTNUMBER HTTP/1.1 +-Host: %HOSTIP:%HTTPPORT +-User-Agent: curl/%VERSION +-Accept: */* +- ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ + + + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 72a9989..b12a42d 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -3462,7 +3462,13 @@ sub subBase64 { + + my $prevupdate; + sub subNewlines { +- my ($thing) = @_; ++ my ($force, $thing) = @_; ++ ++ if($force) { ++ # enforce CRLF newline ++ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; ++ return; ++ } + + # When curl is built with Hyper, it gets all response headers delivered as + # name/value pairs and curl "invents" the newlines when it saves the +@@ -3476,7 +3482,7 @@ sub subNewlines { + # skip curl error messages + ($$thing !~ /^curl: \(\d+\) /))) { + # enforce CRLF newline +- $$thing =~ s/\x0a/\x0d\x0a/; ++ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; + $prevupdate = 1; + } + else { +@@ -3548,6 +3554,7 @@ sub prepro { + my (@entiretest) = @_; + my $show = 1; + my @out; ++ my $data_crlf; + for my $s 
(@entiretest) { + my $f = $s; + if($s =~ /^ *%if (.*)/) { +@@ -3571,10 +3578,19 @@ sub prepro { + next; + } + if($show) { ++ # The processor does CRLF replacements in the sections if ++ # necessary since those parts might be read by separate servers. ++ if($s =~ /^ */) { ++ if($1 =~ /crlf="yes"/ || $has_hyper) { ++ $data_crlf = 1; ++ } ++ } ++ elsif(($s =~ /^ *<\/data/) && $data_crlf) { ++ $data_crlf = 0; ++ } + subVariables(\$s, $testnum, "%"); + subBase64(\$s); +- subNewlines(\$s) if($has_hyper && ($keywords{"HTTP"} || +- $keywords{"HTTPS"})); ++ subNewlines(0, \$s) if($data_crlf); + push @out, $s; + } + } +@@ -3890,6 +3906,11 @@ sub singletest { + # of the datacheck + chomp($replycheckpart[$#replycheckpart]); + } ++ if($replycheckpartattr{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @replycheckpart; ++ } + push(@reply, @replycheckpart); + } + } +@@ -3911,6 +3932,11 @@ sub singletest { + map s/\r\n/\n/g, @reply; + map s/\n/\r\n/g, @reply; + } ++ if($replyattr{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @reply; ++ } + } + + # this is the valid protocol blurb curl should generate +@@ -4366,6 +4392,12 @@ sub singletest { + chomp($validstdout[$#validstdout]); + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @validstdout; ++ } ++ + $res = compare($testnum, $testname, "stdout", \@actual, \@validstdout); + if($res) { + return $errorreturncode; +@@ -4466,6 +4498,10 @@ sub singletest { + } + } + ++ if($hash{'crlf'}) { ++ map subNewlines(1, \$_), @protstrip; ++ } ++ + if((!$out[0] || ($out[0] eq "")) && $protstrip[0]) { + logmsg "\n $testnum: protocol FAILED!\n". + " There was no content at all in the file $SERVERIN.\n". 
+@@ -4597,6 +4633,11 @@ sub singletest { + map s/\r\n/\n/g, @outfile; + map s/\n/\r\n/g, @outfile; + } ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @outfile; ++ } + + my $strip; + for $strip (@stripfile) { +-- +2.39.1 + + +From 228ed11bf33c63d9208a3fb38fe5a0d19c0764bd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH 2/3] runtests: support crlf="yes" for verify/proxy + +Upstream-commit: dc0725244a3163f1e2d5f51165db3a1a430f3ba0 +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT.md | 4 ++-- + tests/runtests.pl | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index dcb5695..6646793 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -544,7 +544,7 @@ changing protocol data such as port numbers or user-agent strings. + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `` ++### `` + + the protocol dump curl should transmit, if 'nonewline' is set, we will cut off + the trailing newline of this given data before comparing with the one actually +@@ -554,7 +554,7 @@ comparisons are made. + `crlf=yes` forces the newlines to become CRLF even if not written so in the + test. 
+ +-### `` ++### `` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy + server is used), if 'nonewline' is set, we will cut off the trailing newline +diff --git a/tests/runtests.pl b/tests/runtests.pl +index b12a42d..5cdc83d 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -4594,6 +4594,11 @@ sub singletest { + } + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @protstrip; ++ } ++ + $res = compare($testnum, $testname, "proxy", \@out, \@protstrip); + if($res) { + return $errorreturncode; +-- +2.39.1 + + +From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Mon, 13 Feb 2023 08:33:09 +0100 +Subject: [PATCH 3/3] content_encoding: do not reset stage counter for each + header + +Test 418 verifies + +Closes #10492 + +Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9 +Signed-off-by: Kamil Dudka +--- + lib/content_encoding.c | 7 +- + lib/urldata.h | 1 + + tests/data/Makefile.inc | 1 + + tests/data/test387 | 2 +- + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 158 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test418 + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index bfc13e2..94344d6 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1035,7 +1035,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; +- int counter = 0; + + do { + const char *name; +@@ -1070,9 +1069,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. 
*/ + +- if(++counter >= MAX_ENCODE_STACK) { +- failf(data, "Reject response due to %u content encodings", +- counter); ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to more than %u content encodings", ++ MAX_ENCODE_STACK); + return CURLE_BAD_CONTENT_ENCODING; + } + /* Stack the unencoding stage. */ +diff --git a/lib/urldata.h b/lib/urldata.h +index 5b4b34f..8c8c20b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -708,6 +708,7 @@ struct SingleRequest { + struct dohdata *doh; /* DoH specific data for this request */ + #endif + unsigned char setcookies; ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index fb51cd6..86b6f85 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -69,6 +69,7 @@ test392 test393 test394 test395 test396 test397 \ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ + test409 test410 \ ++ test418 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +diff --git a/tests/data/test387 b/tests/data/test387 +index 015ec25..644fc7f 100644 +--- a/tests/data/test387 ++++ b/tests/data/test387 +@@ -47,7 +47,7 @@ Accept: */* + 61 + + +-curl: (61) Reject response due to 5 content encodings ++curl: (61) Reject response due to more than 5 content encodings + + + +diff --git a/tests/data/test418 b/tests/data/test418 +new file mode 100644 +index 0000000..50e974e +--- /dev/null ++++ b/tests/data/test418 +@@ -0,0 +1,152 @@ ++ ++ ++ ++HTTP ++gzip ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip 
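Review bot: In the nested `lib/content_encoding.c` hunk (`+@@ -1070,9 +1069,9 @@`) the encoding count moves from a local into `k->writer_stack_depth`, a new per-request field declared in the `lib/urldata.h` hunk, yet neither hunk shows where that field is cleared between responses; if `struct SingleRequest` is reused for a later transfer on the same handle without being re-initialised, the depth would carry over and a legitimate response could be rejected with CURLE_BAD_CONTENT_ENCODING. A comment on the new field, e.g. `/* Unencoding stack depth; relies on the request state being zeroed before each response */`, would record that dependency, and test418 exercises only a single response so it cannot catch a missing reset. The post-increment on an `unsigned char` cannot wrap only because the comparison fires at MAX_ENCODE_STACK (5, per the test387 expectation), which is worth a short comment next to the check. `Curl_build_unencoding_stack` starts before the hunk and its body continues past it.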
++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: 
gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Response with multiple Transfer-Encoding headers ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++ ++61 ++ ++ ++curl: (61) Reject response due to more than 5 content encodings ++ ++ ++ +-- +2.39.1 + diff --git a/curl.spec b/curl.spec index 296692b..f5660f9 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 12%{?dist} +Release: 13%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -73,6 +73,9 @@ Patch20: 0020-curl-7.85.0-CVE-2022-43551.patch # smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) Patch21: 0021-curl-7.85.0-CVE-2022-43552.patch +# fix HTTP multi-header compression denial of service (CVE-2023-23916) +Patch22: 0022-curl-7.82.0-CVE-2023-23916.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -274,6 +277,7 @@ be installed. %patch19 -p1 %patch20 -p1 %patch21 -p1 +%patch22 -p1 # Fedora patches %patch101 -p1 
@@ -499,6 +503,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 15 2023 Kamil Dudka - 7.82.0-13 +- fix HTTP multi-header compression denial of service (CVE-2023-23916) + * Wed Dec 21 2022 Kamil Dudka - 7.82.0-12 - smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) - http: use the IDN decoded name in HSTS checks (CVE-2022-43551)

From 41d09c25114ecaf49dcf9b6b48e90e1a562f1ad9 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Fri, 24 Mar 2023 13:14:43 +0100
Subject: [PATCH 30/34] Resolves: CVE-2023-27533 - fix TELNET option IAC injection

---
 0023-curl-7.87.0-CVE-2023-27533.patch | 59 +++++++++++++++++++++++++++
 curl.spec | 9 +++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 0023-curl-7.87.0-CVE-2023-27533.patch

diff --git a/0023-curl-7.87.0-CVE-2023-27533.patch b/0023-curl-7.87.0-CVE-2023-27533.patch
new file mode 100644
index 0000000..e8cc257
--- /dev/null
+++ b/0023-curl-7.87.0-CVE-2023-27533.patch
@@ -0,0 +1,59 @@
+From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 6 Mar 2023 12:07:33 +0100
+Subject: [PATCH] telnet: only accept option arguments in ascii
+
+To avoid embedded telnet negotiation commands etc.
+
+Reported-by: Harry Sintonen
+Closes #10728
+
+Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684
+Signed-off-by: Kamil Dudka
+---
+ lib/telnet.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 22bc81e..baea885 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -768,6 +768,17 @@ static void printsub(struct Curl_easy *data,
+ }
+ }
+
++static bool str_is_nonascii(const char *str)
++{
++ size_t len = strlen(str);
++ while(len--) {
++ if(*str & 0x80)
++ return TRUE;
++ str++;
++ }
++ return FALSE;
++}
++
+ static CURLcode check_telnet_options(struct Curl_easy *data)
+ {
+ struct curl_slist *head;
+@@ -782,6 +793,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+ /* Add the user name as an environment variable if it
+ was given on the command line */
+ if(data->state.aptr.user) {
++ if(str_is_nonascii(data->conn->user))
++ return CURLE_BAD_FUNCTION_ARGUMENT;
+ msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
+ beg = curl_slist_append(tn->telnet_vars, option_arg);
+ if(!beg) {
+@@ -796,6 +809,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+ for(head = data->set.telnet_options; head; head = head->next) {
+ if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
+ option_keyword, option_arg) == 2) {
++ if(str_is_nonascii(option_arg))
++ continue;
+
+ /* Terminal type */
+ if(strcasecompare(option_keyword, "TTYPE")) {
+--
+2.39.2
+
diff --git a/curl.spec b/curl.spec
index f5660f9..535fb6c 100644
--- a/curl.spec
+++ b/curl.spec
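Review bot: In the third nested hunk (`+@@ -796,6 +809,8 @@`) a telnet option whose value contains a byte with the high bit set is dropped with a bare `continue`, while the same condition on the user name two hunks earlier fails the transfer with CURLE_BAD_FUNCTION_ARGUMENT, so whoever configured an entry of data->set.telnet_options gets no indication that it was silently discarded. For consistency with the USER path and so the rejection is visible, consider `failf(data, "telnet option %s has a non-ASCII value", option_keyword); return CURLE_BAD_FUNCTION_ARGUMENT;` in place of the `continue`, or at least a log line before it. The USER guard reads `data->conn->user` while the `msnprintf` directly below it reads `conn->user`; using one spelling makes it obvious that the string being checked is the one being copied. `str_is_nonascii` is complete within the hunk; `check_telnet_options` starts before the second nested hunk and its body continues past the third, and the enclosing outer hunk `@@ -0,0 +1,59 @@` adds the patch file as a whole.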
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.82.0
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -76,6 +76,9 @@ Patch21: 0021-curl-7.85.0-CVE-2022-43552.patch # fix HTTP multi-header compression denial of service (CVE-2023-23916) Patch22: 0022-curl-7.82.0-CVE-2023-23916.patch +# fix TELNET option IAC injection (CVE-2023-27533) +Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch
@@ -278,6 +281,7 @@ be installed. %patch20 -p1 %patch21 -p1 %patch22 -p1 +%patch23 -p1 # Fedora patches %patch101 -p1
@@ -503,6 +507,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Mar 24 2023 Kamil Dudka - 7.82.0-14 +- fix TELNET option IAC injection (CVE-2023-27533) + * Wed Feb 15 2023 Kamil Dudka - 7.82.0-13 - fix HTTP multi-header compression denial of service (CVE-2023-23916)

From 1b4a5368683f752d15a6768e20e730d628ac2c03 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Fri, 24 Mar 2023 13:16:13 +0100
Subject: [PATCH 31/34] Resolves: CVE-2023-27534 - fix SFTP path ~ resolving discrepancy

---
 0024-curl-7.82.0-CVE-2023-27534.patch | 1164 +++++++++++++++++++++++++
 curl.spec | 5 +
 2 files changed, 1169 insertions(+)
 create mode 100644 0024-curl-7.82.0-CVE-2023-27534.patch

diff --git a/0024-curl-7.82.0-CVE-2023-27534.patch b/0024-curl-7.82.0-CVE-2023-27534.patch
new file mode 100644
index 0000000..ec75630
--- /dev/null
+++ b/0024-curl-7.82.0-CVE-2023-27534.patch
@@ -0,0 +1,1164 @@ +From 47000e434395d7f50b62df7b1183594d1d858f7d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 16 Oct 2022 18:09:14 +0200 +Subject: [PATCH 1/4] curl_path: return error if given a NULL homedir + +Closes #9740 + +Upstream-commit: 025bad1182ff87facbddd280dd07a0fc26b99f45 +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index a1669d1..e69545d 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -120,7 +120,8 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + bool relativePath = false; + static const char WHITESPACE[] = " \t\r\n"; + +- if(!*cp) { ++ DEBUGASSERT(homedir); ++ if(!*cp || !homedir) { + *cpp = NULL; + *path = NULL; + return CURLE_QUOTE_ERROR; +-- +2.39.2 + + +From 602badf0069c7d52ff50976e35fa13b8c6b0f4ef Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 30 Oct 2022 17:38:16 +0100 +Subject: [PATCH 2/4] style: use space after comment start and before comment + end + +/* like this */ + +/*not this*/ + +checksrc is updated accordingly + +Closes #9828 + +Upstream-commit: 52cc4a85fd7e5265ba8ff0f08adf4858f6773a11 +Signed-off-by: Kamil Dudka +--- + docs/examples/ephiperfifo.c | 4 +- + docs/examples/usercertinmem.c | 12 +-- + include/curl/curl.h | 10 +-- + include/curl/typecheck-gcc.h | 2 +- + lib/c-hyper.c | 4 +- + lib/curl_path.c | 4 - + lib/curl_rtmp.c | 12 +-- + lib/curl_setup.h | 2 +- + lib/curl_sha256.h | 2 +- + lib/dict.c | 2 +- + lib/file.c | 2 +- + lib/ftp.c | 2 +- + lib/gopher.c | 2 +- + lib/http.c | 4 +- + lib/http_chunks.c | 2 +- + lib/mqtt.c | 4 +- + lib/rtsp.c | 4 +- + lib/rtsp.h | 2 +- + lib/telnet.c | 2 +- + lib/urldata.h | 4 +- + lib/vauth/digest.c | 4 +- + lib/vauth/krb5_sspi.c | 2 +- + lib/vssh/libssh2.c | 4 +- + lib/vtls/schannel.c | 4 +- + lib/vtls/sectransp.c | 2 - + src/tool_cfgable.h | 5 +- + src/tool_getparam.c | 4 +- + tests/libtest/lib1156.c | 2 +- + 
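Review bot: In the nested `lib/curl_path.c` hunk (`+@@ -120,7 +120,8 @@`) `DEBUGASSERT(homedir);` sits directly above the new `!homedir` test, so a debug build aborts on precisely the input the guard is meant to turn into CURLE_QUOTE_ERROR and the graceful path is only ever exercised in non-debug builds. If a NULL `homedir` can reach this function at runtime the assert should go; if it is considered a caller bug, a comment such as `/* NOTE(review): homedir may be NULL when no home directory is known; return an error rather than dereference it -- confirm which callers can pass NULL */` should say so, otherwise the next reader may remove the guard as dead code. Returning the same code for a missing home directory as for an empty path also makes the two conditions indistinguishable from the caller's side. `Curl_get_pathname` starts before the hunk and its body continues past it; the outer hunk `@@ -0,0 +1,1164 @@` that adds this patch file runs past the end of this view.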
tests/libtest/lib1525.c | 2 +- + tests/libtest/lib1526.c | 2 +- + tests/libtest/lib1527.c | 2 +- + tests/libtest/lib1528.c | 2 +- + tests/libtest/lib1591.c | 2 +- + tests/libtest/lib506.c | 2 +- + tests/libtest/lib557.c | 2 +- + tests/libtest/lib586.c | 2 +- + tests/libtest/stub_gssapi.h | 160 +++++++++++++++++----------------- + tests/server/tftp.h | 2 +- + tests/server/util.c | 2 +- + tests/unit/unit1300.c | 4 +- + 40 files changed, 142 insertions(+), 151 deletions(-) + +diff --git a/docs/examples/ephiperfifo.c b/docs/examples/ephiperfifo.c +index af13169..c496200 100644 +--- a/docs/examples/ephiperfifo.c ++++ b/docs/examples/ephiperfifo.c +@@ -164,7 +164,7 @@ static int multi_timer_cb(CURLM *multi, long timeout_ms, GlobalInfo *g) + memset(&its, 0, sizeof(struct itimerspec)); + } + +- timerfd_settime(g->tfd, /*flags=*/0, &its, NULL); ++ timerfd_settime(g->tfd, /* flags= */0, &its, NULL); + return 0; + } + +@@ -195,7 +195,7 @@ static void check_multi_info(GlobalInfo *g) + } + } + +-/* Called by libevent when we get action on a multi socket filedescriptor*/ ++/* Called by libevent when we get action on a multi socket filedescriptor */ + static void event_cb(GlobalInfo *g, int fd, int revents) + { + CURLMcode rc; +diff --git a/docs/examples/usercertinmem.c b/docs/examples/usercertinmem.c +index a31cbfc..ab9f1d5 100644 +--- a/docs/examples/usercertinmem.c ++++ b/docs/examples/usercertinmem.c +@@ -92,7 +92,7 @@ static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm) + "omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD\n"\ + "-----END CERTIFICATE-----\n"; + +-/*replace the XXX with the actual RSA key*/ ++/* replace the XXX with the actual RSA key */ + const char *mykey = + "-----BEGIN RSA PRIVATE KEY-----\n"\ + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"\ +@@ -131,25 +131,25 @@ static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm) + printf("PEM_read_bio_X509 failed...\n"); + } + +- /*tell SSL to use the X509 
certificate*/ ++ /* tell SSL to use the X509 certificate */ + ret = SSL_CTX_use_certificate((SSL_CTX*)sslctx, cert); + if(ret != 1) { + printf("Use certificate failed\n"); + } + +- /*create a bio for the RSA key*/ ++ /* create a bio for the RSA key */ + kbio = BIO_new_mem_buf((char *)mykey, -1); + if(!kbio) { + printf("BIO_new_mem_buf failed\n"); + } + +- /*read the key bio into an RSA object*/ ++ /* read the key bio into an RSA object */ + rsa = PEM_read_bio_RSAPrivateKey(kbio, NULL, 0, NULL); + if(!rsa) { + printf("Failed to create key bio\n"); + } + +- /*tell SSL to use the RSA key from memory*/ ++ /* tell SSL to use the RSA key from memory */ + ret = SSL_CTX_use_RSAPrivateKey((SSL_CTX*)sslctx, rsa); + if(ret != 1) { + printf("Use Key failed\n"); +@@ -190,7 +190,7 @@ int main(void) + curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "PEM"); + + /* both VERIFYPEER and VERIFYHOST are set to 0 in this case because there is +- no CA certificate*/ ++ no CA certificate */ + + curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, 0L); + curl_easy_setopt(ch, CURLOPT_SSL_VERIFYHOST, 0L); +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 2e260d5..d74d0cd 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -365,7 +365,7 @@ typedef int (*curl_seek_callback)(void *instream, + #define CURL_READFUNC_PAUSE 0x10000001 + + /* Return code for when the trailing headers' callback has terminated +- without any errors*/ ++ without any errors */ + #define CURL_TRAILERFUNC_OK 0 + /* Return code for when was an error in the trailing header's list and we + want to abort the request */ +@@ -447,7 +447,7 @@ typedef void *(*curl_calloc_callback)(size_t nmemb, size_t size); + #define CURL_DID_MEMORY_FUNC_TYPEDEFS + #endif + +-/* the kind of data that is passed to information_callback*/ ++/* the kind of data that is passed to information_callback */ + typedef enum { + CURLINFO_TEXT = 0, + CURLINFO_HEADER_IN, /* 1 */ +@@ -693,7 +693,7 @@ typedef enum { + #define CURLOPT_WRITEINFO 
CURLOPT_OBSOLETE40 + #define CURLOPT_CLOSEPOLICY CURLOPT_OBSOLETE72 + +-#endif /*!CURL_NO_OLDIES*/ ++#endif /* !CURL_NO_OLDIES */ + + /* + * Proxy error codes. Returned in CURLINFO_PROXY_ERROR if CURLE_PROXY was +@@ -838,7 +838,7 @@ enum curl_khstat { + CURLKHSTAT_DEFER, /* do not accept it, but we can't answer right now so + this causes a CURLE_DEFER error but otherwise the + connection will be left intact etc */ +- CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key*/ ++ CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key */ + CURLKHSTAT_LAST /* not for use, only a marker for last-in-list */ + }; + +@@ -916,7 +916,7 @@ typedef enum { + #define CURLFTPSSL_ALL CURLUSESSL_ALL + #define CURLFTPSSL_LAST CURLUSESSL_LAST + #define curl_ftpssl curl_usessl +-#endif /*!CURL_NO_OLDIES*/ ++#endif /* !CURL_NO_OLDIES */ + + /* parameter for the CURLOPT_FTP_SSL_CCC option */ + typedef enum { +diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h +index 9e14d8a..f63c481 100644 +--- a/include/curl/typecheck-gcc.h ++++ b/include/curl/typecheck-gcc.h +@@ -431,7 +431,7 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t, + (CURLINFO_OFF_T < (info)) + + +-/* typecheck helpers -- check whether given expression has requested type*/ ++/* typecheck helpers -- check whether given expression has requested type */ + + /* For pointers, you can use the curlcheck_ptr/curlcheck_arr macros, + * otherwise define a new macro. 
Search for __builtin_types_compatible_p +diff --git a/lib/c-hyper.c b/lib/c-hyper.c +index 8015de2..57c5cc8 100644 +--- a/lib/c-hyper.c ++++ b/lib/c-hyper.c +@@ -653,7 +653,7 @@ static int uploadpostfields(void *userdata, hyper_context *ctx, + return HYPER_POLL_ERROR; + } + /* increasing the writebytecount here is a little premature but we +- don't know exactly when the body is sent*/ ++ don't know exactly when the body is sent */ + data->req.writebytecount += (size_t)data->req.p.http->postsize; + Curl_pgrsSetUploadCounter(data, data->req.writebytecount); + data->req.upload_done = TRUE; +@@ -697,7 +697,7 @@ static int uploadstreamed(void *userdata, hyper_context *ctx, + return HYPER_POLL_ERROR; + } + /* increasing the writebytecount here is a little premature but we +- don't know exactly when the body is sent*/ ++ don't know exactly when the body is sent */ + data->req.writebytecount += fillcount; + Curl_pgrsSetUploadCounter(data, fillcount); + } +diff --git a/lib/curl_path.c b/lib/curl_path.c +index e69545d..8dc9101 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -146,15 +146,12 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + break; + } + if(cp[i] == '\0') { /* End of string */ +- /*error("Unterminated quote");*/ + goto fail; + } + if(cp[i] == '\\') { /* Escaped characters */ + i++; + if(cp[i] != '\'' && cp[i] != '\"' && + cp[i] != '\\') { +- /*error("Bad escaped character '\\%c'", +- cp[i]);*/ + goto fail; + } + } +@@ -162,7 +159,6 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) + } + + if(j == 0) { +- /*error("Empty quotes");*/ + goto fail; + } + *cpp = cp + i + strspn(cp + i, WHITESPACE); +diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c +index 2fa0267..8caba76 100644 +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -83,7 +83,7 @@ const struct Curl_handler Curl_handler_rtmp = { + PORT_RTMP, /* defport */ + CURLPROTO_RTMP, /* protocol */ + CURLPROTO_RTMP, /* family */ +- PROTOPT_NONE /* flags*/ ++ 
PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpt = { +@@ -106,7 +106,7 @@ const struct Curl_handler Curl_handler_rtmpt = { + PORT_RTMPT, /* defport */ + CURLPROTO_RTMPT, /* protocol */ + CURLPROTO_RTMPT, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpe = { +@@ -129,7 +129,7 @@ const struct Curl_handler Curl_handler_rtmpe = { + PORT_RTMP, /* defport */ + CURLPROTO_RTMPE, /* protocol */ + CURLPROTO_RTMPE, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpte = { +@@ -152,7 +152,7 @@ const struct Curl_handler Curl_handler_rtmpte = { + PORT_RTMPT, /* defport */ + CURLPROTO_RTMPTE, /* protocol */ + CURLPROTO_RTMPTE, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmps = { +@@ -175,7 +175,7 @@ const struct Curl_handler Curl_handler_rtmps = { + PORT_RTMPS, /* defport */ + CURLPROTO_RTMPS, /* protocol */ + CURLPROTO_RTMP, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + const struct Curl_handler Curl_handler_rtmpts = { +@@ -198,7 +198,7 @@ const struct Curl_handler Curl_handler_rtmpts = { + PORT_RTMPS, /* defport */ + CURLPROTO_RTMPTS, /* protocol */ + CURLPROTO_RTMPT, /* family */ +- PROTOPT_NONE /* flags*/ ++ PROTOPT_NONE /* flags */ + }; + + static CURLcode rtmp_setup_connection(struct Curl_easy *data, +diff --git a/lib/curl_setup.h b/lib/curl_setup.h +index 25c6674..e6696b1 100644 +--- a/lib/curl_setup.h ++++ b/lib/curl_setup.h +@@ -658,7 +658,7 @@ + # define UNUSED_PARAM __attribute__((__unused__)) + # define WARN_UNUSED_RESULT __attribute__((warn_unused_result)) + #else +-# define UNUSED_PARAM /*NOTHING*/ ++# define UNUSED_PARAM /* NOTHING */ + # define WARN_UNUSED_RESULT + #endif + +diff --git a/lib/curl_sha256.h b/lib/curl_sha256.h +index 2b7890a..68ee7d3 100644 +--- a/lib/curl_sha256.h ++++ 
b/lib/curl_sha256.h +@@ -30,7 +30,7 @@ extern const struct HMAC_params Curl_HMAC_SHA256[1]; + + #ifdef USE_WOLFSSL + /* SHA256_DIGEST_LENGTH is an enum value in wolfSSL. Need to import it from +- * sha.h*/ ++ * sha.h */ + #include + #include + #else +diff --git a/lib/dict.c b/lib/dict.c +index e23e661..f16e53d 100644 +--- a/lib/dict.c ++++ b/lib/dict.c +@@ -317,4 +317,4 @@ static CURLcode dict_do(struct Curl_easy *data, bool *done) + + return CURLE_OK; + } +-#endif /*CURL_DISABLE_DICT*/ ++#endif /* CURL_DISABLE_DICT */ +diff --git a/lib/file.c b/lib/file.c +index 3da79a2..97efecb 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -311,7 +311,7 @@ static CURLcode file_upload(struct Curl_easy *data) + + nread = readcount; + +- /*skip bytes before resume point*/ ++ /* skip bytes before resume point */ + if(data->state.resume_from) { + if((curl_off_t)nread <= data->state.resume_from) { + data->state.resume_from -= nread; +diff --git a/lib/ftp.c b/lib/ftp.c +index c6efaed..a43eadc 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1163,7 +1163,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, + port++; + } + +- /* maybe all ports were in use already*/ ++ /* maybe all ports were in use already */ + if(port > port_max) { + failf(data, "bind() failed, we ran out of ports!"); + Curl_closesocket(data, conn, portsock); +diff --git a/lib/gopher.c b/lib/gopher.c +index 0a3ba8f..6227124 100644 +--- a/lib/gopher.c ++++ b/lib/gopher.c +@@ -234,4 +234,4 @@ static CURLcode gopher_do(struct Curl_easy *data, bool *done) + Curl_setup_transfer(data, FIRSTSOCKET, -1, FALSE, -1); + return CURLE_OK; + } +-#endif /*CURL_DISABLE_GOPHER*/ ++#endif /* CURL_DISABLE_GOPHER */ +diff --git a/lib/http.c b/lib/http.c +index 04afced..dfed5a0 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2085,7 +2085,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + { + const char *ptr; + if(!data->state.this_is_a_follow) { +- /* Free to avoid leaking memory on multiple requests*/ 
++ /* Free to avoid leaking memory on multiple requests */ + free(data->state.first_host); + + data->state.first_host = strdup(conn->host.name); +@@ -3054,7 +3054,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) + /* continue with HTTP/1.1 when explicitly requested */ + break; + default: +- /* Check if user wants to use HTTP/2 with clear TCP*/ ++ /* Check if user wants to use HTTP/2 with clear TCP */ + #ifdef USE_NGHTTP2 + if(data->state.httpwant == CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE) { + #ifndef CURL_DISABLE_PROXY +diff --git a/lib/http_chunks.c b/lib/http_chunks.c +index 7edfd64..913bf8e 100644 +--- a/lib/http_chunks.c ++++ b/lib/http_chunks.c +@@ -112,7 +112,7 @@ CHUNKcode Curl_httpchunk_read(struct Curl_easy *data, + *wrote = 0; /* nothing's written yet */ + + /* the original data is written to the client, but we go on with the +- chunk read process, to properly calculate the content length*/ ++ chunk read process, to properly calculate the content length */ + if(data->set.http_te_skip && !k->ignorebody) { + result = Curl_client_write(data, CLIENTWRITE_BODY, datap, datalen); + if(result) { +diff --git a/lib/mqtt.c b/lib/mqtt.c +index e79bd3b..de8a00b 100644 +--- a/lib/mqtt.c ++++ b/lib/mqtt.c +@@ -240,7 +240,7 @@ static int init_connpack(char *packet, char *remain, int remain_pos) + /* keep-alive 0 = disabled */ + packet[remain_pos + 9] = 0x00; + packet[remain_pos + 10] = 0x3c; +- /*end of variable header*/ ++ /* end of variable header */ + return remain_pos + 10; + } + +@@ -249,7 +249,7 @@ static CURLcode mqtt_connect(struct Curl_easy *data) + CURLcode result = CURLE_OK; + int pos = 0; + int rc = 0; +- /*remain length*/ ++ /* remain length */ + int remain_pos = 0; + char remain[4] = {0}; + size_t packetlen = 0; +diff --git a/lib/rtsp.c b/lib/rtsp.c +index f16e87c..7d41da8 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -309,7 +309,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + break; + case RTSPREQ_RECEIVE: + p_request = ""; +- 
/* Treat interleaved RTP as body*/ ++ /* Treat interleaved RTP as body */ + data->set.opt_no_body = FALSE; + break; + case RTSPREQ_LAST: +@@ -648,7 +648,7 @@ static CURLcode rtsp_rtp_readwrite(struct Curl_easy *data, + rtp_length = RTP_PKT_LENGTH(rtp); + + if(rtp_dataleft < rtp_length + 4) { +- /* Need more - incomplete payload*/ ++ /* Need more - incomplete payload */ + *readmore = TRUE; + break; + } +diff --git a/lib/rtsp.h b/lib/rtsp.h +index da11ade..4771afb 100644 +--- a/lib/rtsp.h ++++ b/lib/rtsp.h +@@ -60,7 +60,7 @@ struct RTSP { + * HTTP functions can safely treat this as an HTTP struct, but RTSP aware + * functions can also index into the later elements. + */ +- struct HTTP http_wrapper; /*wrap HTTP to do the heavy lifting */ ++ struct HTTP http_wrapper; /* wrap HTTP to do the heavy lifting */ + + long CSeq_sent; /* CSeq of this request */ + long CSeq_recv; /* CSeq received */ +diff --git a/lib/telnet.c b/lib/telnet.c +index 7e217b6..bcf39bb 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -569,7 +569,7 @@ void rec_do(struct Curl_easy *data, int option) + sendsuboption(data, option); + } + else if(tn->subnegotiation[option] == CURL_YES) { +- /* send information to achieve this option*/ ++ /* send information to achieve this option */ + tn->us[option] = CURL_YES; + send_negotiation(data, CURL_WILL, option); + sendsuboption(data, option); +diff --git a/lib/urldata.h b/lib/urldata.h +index 251651f..94a9684 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -243,7 +243,7 @@ struct ssl_connect_data { + + struct ssl_primary_config { + long version; /* what version the client wants to use */ +- long version_max; /* max supported version the client wants to use*/ ++ long version_max; /* max supported version the client wants to use */ + char *CApath; /* certificate dir (doesn't work on windows) */ + char *CAfile; /* certificate to verify peer against */ + char *issuercert; /* optional issuer certificate filename */ +@@ -282,7 +282,7 @@ struct ssl_config_data { 
+ char *key_passwd; /* plain text private key password */ + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); +- BIT(enable_beast); /* allow this flaw for interoperability's sake*/ ++ BIT(enable_beast); /* allow this flaw for interoperability's sake */ + BIT(no_revoke); /* disable SSL certificate revocation checks */ + BIT(no_partialchain); /* don't accept partial certificate chains */ + BIT(revoke_best_effort); /* ignore SSL revocation offline/missing revocation +diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c +index d461609..8284da5 100644 +--- a/lib/vauth/digest.c ++++ b/lib/vauth/digest.c +@@ -125,7 +125,7 @@ bool Curl_auth_digest_get_pair(const char *str, char *value, char *content, + } + + #if !defined(USE_WINDOWS_SSPI) +-/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string*/ ++/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string */ + static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ + unsigned char *dest) /* 33 bytes */ + { +@@ -134,7 +134,7 @@ static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ + msnprintf((char *) &dest[i * 2], 3, "%02x", source[i]); + } + +-/* Convert sha256 chunk to RFC7616 -suitable ascii string*/ ++/* Convert sha256 chunk to RFC7616 -suitable ascii string */ + static void auth_digest_sha256_to_ascii(unsigned char *source, /* 32 bytes */ + unsigned char *dest) /* 65 bytes */ + { +diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c +index c652fd7..deb6656 100644 +--- a/lib/vauth/krb5_sspi.c ++++ b/lib/vauth/krb5_sspi.c +@@ -469,4 +469,4 @@ void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5) + krb5->token_max = 0; + } + +-#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5*/ ++#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5 */ +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index db3967f..bf20607 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -577,9 +577,9 @@ static CURLcode ssh_knownhost(struct Curl_easy 
*data) + /* remove old host+key that doesn't match */ + if(host) + libssh2_knownhost_del(sshc->kh, host); +- /*FALLTHROUGH*/ ++ /* FALLTHROUGH */ + case CURLKHSTAT_FINE: +- /*FALLTHROUGH*/ ++ /* FALLTHROUGH */ + case CURLKHSTAT_FINE_ADD_TO_FILE: + /* proceed */ + if(keycheck != LIBSSH2_KNOWNHOST_CHECK_MATCH) { +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index 04c8f3b..581dfae 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -203,7 +203,7 @@ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct Curl_easy *data, + return CURLE_OK; + } + +-/*longest is 26, buffer is slightly bigger*/ ++/* longest is 26, buffer is slightly bigger */ + #define LONGEST_ALG_ID 32 + #define CIPHEROPTION(X) \ + if(strcmp(#X, tmp) == 0) \ +@@ -226,7 +226,7 @@ get_alg_id_by_name(char *name) + CIPHEROPTION(CALG_MAC); + CIPHEROPTION(CALG_RSA_SIGN); + CIPHEROPTION(CALG_DSS_SIGN); +-/*ifdefs for the options that are defined conditionally in wincrypt.h*/ ++/* ifdefs for the options that are defined conditionally in wincrypt.h */ + #ifdef CALG_NO_SIGN + CIPHEROPTION(CALG_NO_SIGN); + #endif +diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c +index b2e1727..ae04133 100644 +--- a/lib/vtls/sectransp.c ++++ b/lib/vtls/sectransp.c +@@ -834,7 +834,6 @@ static OSStatus SocketRead(SSLConnectionRef connection, + size_t bytesToGo = *dataLength; + size_t initLen = bytesToGo; + UInt8 *currData = (UInt8 *)data; +- /*int sock = *(int *)connection;*/ + struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; + struct ssl_backend_data *backend = connssl->backend; + int sock; +@@ -897,7 +896,6 @@ static OSStatus SocketWrite(SSLConnectionRef connection, + size_t *dataLength) /* IN/OUT */ + { + size_t bytesSent = 0; +- /*int sock = *(int *)connection;*/ + struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; + struct ssl_backend_data *backend = connssl->backend; + int sock; +diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h +index 
a06ef60..4f03f36 100644 +--- a/src/tool_cfgable.h ++++ b/src/tool_cfgable.h +@@ -260,11 +260,8 @@ struct OperationConfig { + bool xattr; /* store metadata in extended attributes */ + long gssapi_delegation; + bool ssl_allow_beast; /* allow this SSL vulnerability */ +- bool proxy_ssl_allow_beast; /* allow this SSL vulnerability for proxy*/ +- ++ bool proxy_ssl_allow_beast; /* allow this SSL vulnerability for proxy */ + bool ssl_no_revoke; /* disable SSL certificate revocation checks */ +- /*bool proxy_ssl_no_revoke; */ +- + bool ssl_revoke_best_effort; /* ignore SSL revocation offline/missing + revocation list errors */ + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 5696439..29e58d0 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -1110,7 +1110,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + /* This specifies the noproxy list */ + GetStr(&config->noproxy, nextarg); + break; +- case '7': /* --socks5-gssapi-nec*/ ++ case '7': /* --socks5-gssapi-nec */ + config->socks5_gssapi_nec = toggle; + break; + case '8': /* --proxy1.0 */ +@@ -1255,7 +1255,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + config->httpversion = CURL_HTTP_VERSION_2_0; + break; + case '3': /* --http2-prior-knowledge */ +- /* HTTP version 2.0 over clean TCP*/ ++ /* HTTP version 2.0 over clean TCP */ + config->httpversion = CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE; + break; + case '4': /* --http3 */ +diff --git a/tests/libtest/lib1156.c b/tests/libtest/lib1156.c +index 21d4e87..27609d2 100644 +--- a/tests/libtest/lib1156.c ++++ b/tests/libtest/lib1156.c +@@ -127,7 +127,7 @@ static int onetest(CURL *curl, const char *url, const struct testparams *p, + } + + /* for debugging: */ +-/*#define SINGLETEST 9*/ ++/* #define SINGLETEST 9 */ + + int test(char *URL) + { +diff --git a/tests/libtest/lib1525.c b/tests/libtest/lib1525.c +index a2a4db2..912372f 100644 +--- a/tests/libtest/lib1525.c ++++ b/tests/libtest/lib1525.c +@@ -48,7 
+48,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1526.c b/tests/libtest/lib1526.c +index 37abc61..b287277 100644 +--- a/tests/libtest/lib1526.c ++++ b/tests/libtest/lib1526.c +@@ -46,7 +46,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL, *phl = NULL, *tmp = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1527.c b/tests/libtest/lib1527.c +index 9e0e452..2f7c91b 100644 +--- a/tests/libtest/lib1527.c ++++ b/tests/libtest/lib1527.c +@@ -47,7 +47,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http header list*/ ++ /* http header list */ + struct curl_slist *hhl = NULL, *tmp = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib1528.c b/tests/libtest/lib1528.c +index 98a332c..52dc0a0 100644 +--- a/tests/libtest/lib1528.c ++++ b/tests/libtest/lib1528.c +@@ -28,7 +28,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http header list*/ ++ /* http header list */ + struct curl_slist *hhl = NULL; + struct curl_slist *phl = NULL; + +diff --git a/tests/libtest/lib1591.c b/tests/libtest/lib1591.c +index 8349b1d..f7149cf 100644 +--- a/tests/libtest/lib1591.c ++++ b/tests/libtest/lib1591.c +@@ -75,7 +75,7 @@ int test(char *URL) + { + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; +- /* http and proxy header list*/ ++ /* http and proxy header list */ + struct curl_slist *hhl = NULL; + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { +diff --git a/tests/libtest/lib506.c b/tests/libtest/lib506.c +index 559e731..acea39a 100644 +--- 
a/tests/libtest/lib506.c ++++ b/tests/libtest/lib506.c +@@ -347,7 +347,7 @@ int test(char *URL) + printf("-----------------\n"); + curl_slist_free_all(cookies); + +- /* try to free share, expect to fail because share is in use*/ ++ /* try to free share, expect to fail because share is in use */ + printf("try SHARE_CLEANUP...\n"); + scode = curl_share_cleanup(share); + if(scode == CURLSHE_OK) { +diff --git a/tests/libtest/lib557.c b/tests/libtest/lib557.c +index c17fab2..8b94fdf 100644 +--- a/tests/libtest/lib557.c ++++ b/tests/libtest/lib557.c +@@ -1494,7 +1494,7 @@ static int test_weird_arguments(void) + "0123456789" /* 10 7 */ + "0123456789" /* 10 8 */ + "0123456789" /* 10 9 */ +- "0123456789" /* 10 10*/ ++ "0123456789" /* 10 10 */ + "0123456789" /* 10 11 */ + "01234567" /* 8 */ + ); +diff --git a/tests/libtest/lib586.c b/tests/libtest/lib586.c +index da63e7c..8d7822d 100644 +--- a/tests/libtest/lib586.c ++++ b/tests/libtest/lib586.c +@@ -215,7 +215,7 @@ int test(char *URL) + printf("PERFORM\n"); + curl_easy_perform(curl); + +- /* try to free share, expect to fail because share is in use*/ ++ /* try to free share, expect to fail because share is in use */ + printf("try SHARE_CLEANUP...\n"); + scode = curl_share_cleanup(share); + if(scode == CURLSHE_OK) { +diff --git a/tests/libtest/stub_gssapi.h b/tests/libtest/stub_gssapi.h +index 5a89102..735630c 100644 +--- a/tests/libtest/stub_gssapi.h ++++ b/tests/libtest/stub_gssapi.h +@@ -98,85 +98,85 @@ typedef struct gss_channel_bindings_struct { + gss_buffer_desc application_data; + } *gss_channel_bindings_t; + +-OM_uint32 gss_release_buffer(OM_uint32 * /*minor_status*/, +- gss_buffer_t /*buffer*/); +- +-OM_uint32 gss_init_sec_context(OM_uint32 * /*minor_status*/, +- gss_const_cred_id_t /*initiator_cred_handle*/, +- gss_ctx_id_t * /*context_handle*/, +- gss_const_name_t /*target_name*/, +- const gss_OID /*mech_type*/, +- OM_uint32 /*req_flags*/, +- OM_uint32 /*time_req*/, +- const gss_channel_bindings_t 
/*input_chan_bindings*/, +- const gss_buffer_t /*input_token*/, +- gss_OID * /*actual_mech_type*/, +- gss_buffer_t /*output_token*/, +- OM_uint32 * /*ret_flags*/, +- OM_uint32 * /*time_rec*/); +- +-OM_uint32 gss_delete_sec_context(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t * /*context_handle*/, +- gss_buffer_t /*output_token*/); +- +-OM_uint32 gss_inquire_context(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- gss_name_t * /*src_name*/, +- gss_name_t * /*targ_name*/, +- OM_uint32 * /*lifetime_rec*/, +- gss_OID * /*mech_type*/, +- OM_uint32 * /*ctx_flags*/, +- int * /*locally_initiated*/, +- int * /*open_context*/); +- +-OM_uint32 gss_wrap(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- int /*conf_req_flag*/, +- gss_qop_t /*qop_req*/, +- const gss_buffer_t /*input_message_buffer*/, +- int * /*conf_state*/, +- gss_buffer_t /*output_message_buffer*/); +- +-OM_uint32 gss_unwrap(OM_uint32 * /*minor_status*/, +- gss_const_ctx_id_t /*context_handle*/, +- const gss_buffer_t /*input_message_buffer*/, +- gss_buffer_t /*output_message_buffer*/, +- int * /*conf_state*/, +- gss_qop_t * /*qop_state*/); +- +-OM_uint32 gss_seal(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t /*context_handle*/, +- int /*conf_req_flag*/, +- int /*qop_req*/, +- gss_buffer_t /*input_message_buffer*/, +- int * /*conf_state*/, +- gss_buffer_t /*output_message_buffer*/); +- +-OM_uint32 gss_unseal(OM_uint32 * /*minor_status*/, +- gss_ctx_id_t /*context_handle*/, +- gss_buffer_t /*input_message_buffer*/, +- gss_buffer_t /*output_message_buffer*/, +- int * /*conf_state*/, +- int * /*qop_state*/); +- +-OM_uint32 gss_import_name(OM_uint32 * /*minor_status*/, +- const gss_buffer_t /*input_name_buffer*/, +- const gss_OID /*input_name_type*/, +- gss_name_t * /*output_name*/); +- +-OM_uint32 gss_release_name(OM_uint32 * /*minor_status*/, +- gss_name_t * /*input_name*/); +- +-OM_uint32 gss_display_name(OM_uint32 * /*minor_status*/, +- gss_const_name_t 
/*input_name*/, +- gss_buffer_t /*output_name_buffer*/, +- gss_OID * /*output_name_type*/); +- +-OM_uint32 gss_display_status(OM_uint32 * /*minor_status*/, +- OM_uint32 /*status_value*/, +- int /*status_type*/, +- const gss_OID /*mech_type*/, +- OM_uint32 * /*message_context*/, +- gss_buffer_t /*status_string*/); ++OM_uint32 gss_release_buffer(OM_uint32 * /* minor_status */, ++ gss_buffer_t /* buffer */); ++ ++OM_uint32 gss_init_sec_context(OM_uint32 * /* minor_status */, ++ gss_const_cred_id_t /* initiator_cred_handle */, ++ gss_ctx_id_t * /* context_handle */, ++ gss_const_name_t /* target_name */, ++ const gss_OID /* mech_type */, ++ OM_uint32 /* req_flags */, ++ OM_uint32 /* time_req */, ++ const gss_channel_bindings_t /* input_chan_bindings */, ++ const gss_buffer_t /* input_token */, ++ gss_OID * /* actual_mech_type */, ++ gss_buffer_t /* output_token */, ++ OM_uint32 * /* ret_flags */, ++ OM_uint32 * /* time_rec */); ++ ++OM_uint32 gss_delete_sec_context(OM_uint32 * /* minor_status */, ++ gss_ctx_id_t * /* context_handle */, ++ gss_buffer_t /* output_token */); ++ ++OM_uint32 gss_inquire_context(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ gss_name_t * /* src_name */, ++ gss_name_t * /* targ_name */, ++ OM_uint32 * /* lifetime_rec */, ++ gss_OID * /* mech_type */, ++ OM_uint32 * /* ctx_flags */, ++ int * /* locally_initiated */, ++ int * /* open_context */); ++ ++OM_uint32 gss_wrap(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ int /* conf_req_flag */, ++ gss_qop_t /* qop_req */, ++ const gss_buffer_t /* input_message_buffer */, ++ int * /* conf_state */, ++ gss_buffer_t /* output_message_buffer */); ++ ++OM_uint32 gss_unwrap(OM_uint32 * /* minor_status */, ++ gss_const_ctx_id_t /* context_handle */, ++ const gss_buffer_t /* input_message_buffer */, ++ gss_buffer_t /* output_message_buffer */, ++ int * /* conf_state */, ++ gss_qop_t * /* qop_state */); ++ ++OM_uint32 gss_seal(OM_uint32 * /* 
minor_status */, ++ gss_ctx_id_t /* context_handle n */, ++ int /* conf_req_flag */, ++ int /* qop_req */, ++ gss_buffer_t /* input_message_buffer */, ++ int * /* conf_state */, ++ gss_buffer_t /* output_message_buffer */); ++ ++OM_uint32 gss_unseal(OM_uint32 * /* minor_status */, ++ gss_ctx_id_t /* context_handle */, ++ gss_buffer_t /* input_message_buffer */, ++ gss_buffer_t /* output_message_buffer */, ++ int * /* conf_state */, ++ int * /* qop_state */); ++ ++OM_uint32 gss_import_name(OM_uint32 * /* minor_status */, ++ const gss_buffer_t /* input_name_buffer */, ++ const gss_OID /* input_name_type */, ++ gss_name_t * /* output_name */); ++ ++OM_uint32 gss_release_name(OM_uint32 * /* minor_status */, ++ gss_name_t * /* input_name */); ++ ++OM_uint32 gss_display_name(OM_uint32 * /* minor_status */, ++ gss_const_name_t /* input_name */, ++ gss_buffer_t /* output_name_buffer */, ++ gss_OID * /* output_name_type */); ++ ++OM_uint32 gss_display_status(OM_uint32 * /* minor_status */, ++ OM_uint32 /* status_value */, ++ int /* status_type */, ++ const gss_OID /* mech_type */, ++ OM_uint32 * /* message_context */, ++ gss_buffer_t /* status_string */); + + #endif /* HEADER_CURL_GSSAPI_STUBS_H */ +diff --git a/tests/server/tftp.h b/tests/server/tftp.h +index 5699672..ab59575 100644 +--- a/tests/server/tftp.h ++++ b/tests/server/tftp.h +@@ -32,7 +32,7 @@ + ((__GNUC__ == 2) && defined(__GNUC_MINOR__) && (__GNUC_MINOR__ >= 7))) + # define PACKED_STRUCT __attribute__((__packed__)) + #else +-# define PACKED_STRUCT /*NOTHING*/ ++# define PACKED_STRUCT /* NOTHING */ + #endif + + /* Using a packed struct as binary in a program is begging for problems, but +diff --git a/tests/server/util.c b/tests/server/util.c +index cfa8be2..692b20a 100644 +--- a/tests/server/util.c ++++ b/tests/server/util.c +@@ -65,7 +65,7 @@ + ((__W32API_MAJOR_VERSION == 3) && (__W32API_MINOR_VERSION < 6)) + const struct in6_addr in6addr_any = {{ IN6ADDR_ANY_INIT }}; + #endif /* w32api < 3.6 */ +-#endif /* 
ENABLE_IPV6 && __MINGW32__*/ ++#endif /* ENABLE_IPV6 && __MINGW32__ */ + + static struct timeval tvnow(void); + +diff --git a/tests/unit/unit1300.c b/tests/unit/unit1300.c +index aba068a..936c77e 100644 +--- a/tests/unit/unit1300.c ++++ b/tests/unit/unit1300.c +@@ -91,10 +91,10 @@ UNITTEST_START + + fail_unless(Curl_llist_count(&llist) == 1, + "List size should be 1 after adding a new element"); +- /*test that the list head data holds my unusedData */ ++ /* test that the list head data holds my unusedData */ + fail_unless(llist.head->ptr == &unusedData_case1, + "head ptr should be first entry"); +- /*same goes for the list tail */ ++ /* same goes for the list tail */ + fail_unless(llist.tail == llist.head, + "tail and head should be the same"); + +-- +2.39.2 + + +From 3823dc906acf117e19c9b6a1c995f3a095f79011 Mon Sep 17 00:00:00 2001 +From: Eric Vigeant +Date: Wed, 2 Nov 2022 11:47:09 -0400 +Subject: [PATCH 3/4] cur_path: do not add '/' if homedir ends with one + +When using SFTP and a path relative to the user home, do not add a +trailing '/' to the user home dir if it already ends with one. 
+ +Closes #9844 + +Upstream-commit: 6c51adeb71da076c5c40a45e339e06bb4394a86b +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 8dc9101..9eafbab 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -69,10 +69,14 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data, + /* It is referenced to the home directory, so strip the + leading '/' */ + memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; ++ /* Only add a trailing '/' if homedir does not end with one */ ++ if(homelen == 0 || real_path[homelen - 1] != '/') { ++ real_path[homelen] = '/'; ++ homelen++; ++ real_path[homelen] = '\0'; ++ } + if(working_path_len > 3) { +- memcpy(real_path + homelen + 1, working_path + 3, ++ memcpy(real_path + homelen, working_path + 3, + 1 + working_path_len -3); + } + } +-- +2.39.2 + + +From 04879b844a5b554ddf73243cafcc221a0b71363f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 16:22:11 +0100 +Subject: [PATCH 4/4] curl_path: create the new path with dynbuf + +Closes #10729 + +Upstream-commit: 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 75 +++++++++++++++++++++++-------------------------- + 1 file changed, 35 insertions(+), 40 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 9eafbab..038f691 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -30,70 +30,65 @@ + #include "escape.h" + #include "memdebug.h" + ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */ ++ + /* figure out the path to work with in this particular request */ + CURLcode Curl_getworkingpath(struct Curl_easy *data, + char *homedir, /* when SFTP is used */ + char **path) /* returns the allocated + real path to work with */ + { +- char *real_path = NULL; + char *working_path; + size_t working_path_len; ++ struct dynbuf npath; + CURLcode result = + 
Curl_urldecode(data->state.up.path, 0, &working_path,
+ &working_path_len, REJECT_ZERO);
+ if(result)
+ return result;
+
++ /* new path to switch to in case we need to */
++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
++
+ /* Check for /~/, indicating relative to the user's home directory */
+- if(data->conn->handler->protocol & CURLPROTO_SCP) {
+- real_path = malloc(working_path_len + 1);
+- if(!real_path) {
++ if((data->conn->handler->protocol & CURLPROTO_SCP) &&
++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
++ /* It is referenced to the home directory, so strip the leading '/~/' */
++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
+ free(working_path);
+ return CURLE_OUT_OF_MEMORY;
+ }
+- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
+- /* It is referenced to the home directory, so strip the leading '/~/' */
+- memcpy(real_path, working_path + 3, working_path_len - 2);
+- else
+- memcpy(real_path, working_path, 1 + working_path_len);
+ }
+- else if(data->conn->handler->protocol & CURLPROTO_SFTP) {
+- if((working_path_len > 1) && (working_path[1] == '~')) {
+- size_t homelen = strlen(homedir);
+- real_path = malloc(homelen + working_path_len + 1);
+- if(!real_path) {
+- free(working_path);
+- return CURLE_OUT_OF_MEMORY;
+- }
+- /* It is referenced to the home directory, so strip the
+- leading '/' */
+- memcpy(real_path, homedir, homelen);
+- /* Only add a trailing '/' if homedir does not end with one */
+- if(homelen == 0 || real_path[homelen - 1] != '/') {
+- real_path[homelen] = '/';
+- homelen++;
+- real_path[homelen] = '\0';
+- }
+- if(working_path_len > 3) {
+- memcpy(real_path + homelen, working_path + 3,
+- 1 + working_path_len -3);
+- }
++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) &&
++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
++ size_t len;
++ const char *p;
++ int copyfrom = 3;
++ if(Curl_dyn_add(&npath, homedir)) {
++ free(working_path);
++ return 
CURLE_OUT_OF_MEMORY; + } +- else { +- real_path = malloc(working_path_len + 1); +- if(!real_path) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- memcpy(real_path, working_path, 1 + working_path_len); ++ /* Copy a separating '/' if homedir does not end with one */ ++ len = Curl_dyn_len(&npath); ++ p = Curl_dyn_ptr(&npath); ++ if(len && (p[len-1] != '/')) ++ copyfrom = 2; ++ ++ if(Curl_dyn_addn(&npath, ++ &working_path[copyfrom], working_path_len - copyfrom)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } + } + +- free(working_path); ++ if(Curl_dyn_len(&npath)) { ++ free(working_path); + +- /* store the pointer for the caller to receive */ +- *path = real_path; ++ /* store the pointer for the caller to receive */ ++ *path = Curl_dyn_ptr(&npath); ++ } ++ else ++ *path = working_path; + + return CURLE_OK; + } +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 535fb6c..b6659d0 100644 --- a/curl.spec +++ b/curl.spec @@ -79,6 +79,9 @@ Patch22: 0022-curl-7.82.0-CVE-2023-23916.patch # fix TELNET option IAC injection (CVE-2023-27533) Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch +# fix SFTP path ~ resolving discrepancy (CVE-2023-27534) +Patch24: 0024-curl-7.82.0-CVE-2023-27534.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -282,6 +285,7 @@ be installed. %patch21 -p1 %patch22 -p1 %patch23 -p1 +%patch24 -p1 # Fedora patches %patch101 -p1 @@ -508,6 +512,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.82.0-14 +- fix SFTP path ~ resolving discrepancy (CVE-2023-27534) - fix TELNET option IAC injection (CVE-2023-27533) * Wed Feb 15 2023 Kamil Dudka - 7.82.0-13 From 992b4e3f2ae0efd62ed7cc718f2bf0b8d9380799 Mon Sep 17 00:00:00 2001 
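Review bot: The `else *path = working_path;` branch at the end of the hunk never calls `Curl_dyn_free(&npath)`, so any buffer that `Curl_dyn_add(&npath, homedir)` allocated for an empty `homedir` (followed by a zero-length `Curl_dyn_addn`) is leaked when `Curl_dyn_len(&npath)` comes back 0; whether a zero-length append allocates is decided in dynbuf.c, outside this patch, so it is worth confirming. Adding `Curl_dyn_free(&npath);` in that `else` branch is a no-op when nothing was allocated and closes the gap either way. The same empty-homedir case is also a behaviour change relative to the removed code, which produced "/" plus the remainder of the path, whereas the new code hands back the literal "/~/" working path; if that is intended, a comment saying so would help. Separately, every dynbuf failure here, including the length cap passed to `Curl_dyn_init`, is reported as `CURLE_OUT_OF_MEMORY`, which reads like a real allocation failure; a comment on the `#define` such as `/* longer paths are rejected with CURLE_OUT_OF_MEMORY */` would make that visible.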
From: Kamil Dudka Date: Fri, 24 Mar 2023 13:24:04 +0100 Subject: [PATCH 32/34] Resolves: CVE-2023-27535 - fix FTP too eager connection reuse --- 0025-curl-7.82.0-CVE-2023-27535.patch | 237 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 242 insertions(+) create mode 100644 0025-curl-7.82.0-CVE-2023-27535.patch diff --git a/0025-curl-7.82.0-CVE-2023-27535.patch b/0025-curl-7.82.0-CVE-2023-27535.patch new file mode 100644 index 0000000..a92ca57 --- /dev/null +++ b/0025-curl-7.82.0-CVE-2023-27535.patch 
@@ -0,0 +1,237 @@
+From e8705acd69383c13191c9dd4867d5118e58c54ba Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 6 Oct 2022 00:49:10 +0200
+Subject: [PATCH 1/2] strcase: add Curl_timestrcmp
+
+This is a strcmp() alternative function for comparing "secrets",
+designed to take the same time no matter the content to not leak
+match/non-match info to observers based on how fast it is.
+
+The time this function takes is only a function of the shortest input
+string.
+
+Reported-by: Trail of Bits
+
+Closes #9658
+
+Upstream-commit: ed5095ed94281989e103c72e032200b83be37878
+Signed-off-by: Kamil Dudka
+---
+ lib/strcase.c | 22 ++++++++++++++++++++++
+ lib/strcase.h | 1 +
+ 2 files changed, 23 insertions(+)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index f932485..c73907d 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -141,6 +141,28 @@ bool Curl_safecmp(char *a, char *b)
+ return !a && !b;
+ }
+
++/*
++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
++ * function spends is a function of the shortest string, not of the contents.
++ */
++int Curl_timestrcmp(const char *a, const char *b)
++{
++ int match = 0;
++ int i = 0;
++
++ if(a && b) {
++ while(1) {
++ match |= a[i]^b[i];
++ if(!a[i] || !b[i])
++ break;
++ i++;
++ }
++ }
++ else
++ return a || b;
++ return match;
++}
++
+ /* --- public functions --- */
+
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index d245929..11a67a1 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -48,5 +48,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+
+ bool Curl_safecmp(char *a, char *b);
++int Curl_timestrcmp(const char *first, const char *second);
+
+ #endif /* HEADER_CURL_STRCASE_H */
+--
+2.39.2
+
+
+From 9cfaea212ff347937a38f6b5d6b885ed8ba1b931 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 9 Mar 2023 17:47:06 +0100
+Subject: [PATCH 2/2] ftp: add more conditions for connection reuse
+
+Reported-by: Harry Sintonen
+Closes #10730
+
+Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1
+Signed-off-by: Kamil Dudka
+---
+ lib/ftp.c | 28 ++++++++++++++++++++++++++--
+ lib/ftp.h | 5 +++++
+ lib/setopt.c | 2 +-
+ lib/url.c | 16 +++++++++++++++-
+ lib/urldata.h | 4 ++--
+ 5 files changed, 49 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 9442832..df15bc0 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -4097,6 +4097,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data,
+ }
+
+ freedirs(ftpc);
++ Curl_safefree(ftpc->account);
++ Curl_safefree(ftpc->alternative_to_user);
+ Curl_safefree(ftpc->prevpath);
+ Curl_safefree(ftpc->server_os);
+ Curl_pp_disconnect(pp);
+@@ -4364,11 +4366,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+ {
+ char *type;
+ struct FTP *ftp;
++ struct ftp_conn *ftpc = &conn->proto.ftpc;
+
+- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1);
++ ftp = calloc(sizeof(struct FTP), 1);
+ if(!ftp)
+ return CURLE_OUT_OF_MEMORY;
+
++ /* 
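Review bot: The loop index `i` in `Curl_timestrcmp` is an `int`, so on an input longer than INT_MAX the increment is signed overflow (undefined behaviour), where `size_t i = 0;` would match the `size_t` parameters the other functions in strcase.h already use and cost nothing. The new prototype in strcase.h carries no comment, and the strcmp-like name invites callers to read the result as an ordering; a one-liner above it such as `/* 0 when equal, non-zero otherwise; not an ordering. Runtime depends only on the shorter string. */` would pin the contract that the .c comment states. The early `return a || b;` for a NULL argument is the one input-dependent exit, which is inherent to the design and fine to document rather than change.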
clone connection related data that is FTP specific */
++ if(data->set.str[STRING_FTP_ACCOUNT]) {
++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
++ if(!ftpc->account) {
++ free(ftp);
++ return CURLE_OUT_OF_MEMORY;
++ }
++ }
++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
++ ftpc->alternative_to_user =
++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
++ if(!ftpc->alternative_to_user) {
++ Curl_safefree(ftpc->account);
++ free(ftp);
++ return CURLE_OUT_OF_MEMORY;
++ }
++ }
++ data->req.p.ftp = ftp;
++
+ ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
+
+ /* FTP URLs support an extension like ";type=" that
+@@ -4403,7 +4425,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+ /* get some initial data into the ftp struct */
+ ftp->transfer = PPTRANSFER_BODY;
+ ftp->downloadsize = 0;
+- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
++ ftpc->known_filesize = -1; /* unknown size for now */
++ ftpc->use_ssl = data->set.use_ssl;
++ ftpc->ccc = data->set.ftp_ccc;
+
+ return CURLE_OK;
+ }
+diff --git a/lib/ftp.h b/lib/ftp.h
+index 7f6f432..3f33e27 100644
+--- a/lib/ftp.h
++++ b/lib/ftp.h
+@@ -115,6 +115,8 @@ struct FTP {
+ struct */
+ struct ftp_conn {
+ struct pingpong pp;
++ char *account;
++ char *alternative_to_user;
+ char *entrypath; /* the PWD reply when we logged on */
+ char *file; /* url-decoded file name (or path) */
+ char **dirs; /* realloc()ed array for path components */
+@@ -144,6 +146,9 @@ struct ftp_conn {
+ ftpstate state; /* always use ftp.c:state() to change state! */
+ ftpstate state_saved; /* transfer type saved to be reloaded after
+ data connection is established */
++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
++ IMAP or POP3 or others! 
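Review bot: The `strdup`ed `ftpc->account` and `ftpc->alternative_to_user` created in `ftp_setup_connection` are released only in `ftp_disconnect` (first hunk), yet the `needle` connection that the url.c hunk compares in `ConnectionExists` is, as far as this patch shows, discarded by the reuse path on a successful match rather than disconnected; unless that path (outside this patch) also frees `proto.ftpc`, both strings leak once per reused FTP transfer. Freeing them where the generic connection teardown releases the other per-connection strings, or asserting there that they are NULL, would close that gap. The error handling inside the hunk is otherwise consistent: the second failure path frees the first duplicate before `ftp`. ftp_setup_connection's body continues outside the hunk.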
(type: curl_usessl)*/
++ unsigned char ccc; /* ccc level for this connection */
+ curl_off_t retr_size_saved; /* Size of retrieved file saved */
+ char *server_os; /* The target server operating system. */
+ curl_off_t known_filesize; /* file size is different from -1, if wildcard
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 3339a67..6fc111d 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2290,7 +2290,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ arg = va_arg(param, long);
+ if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+- data->set.use_ssl = (curl_usessl)arg;
++ data->set.use_ssl = (unsigned char)arg;
+ break;
+
+ case CURLOPT_SSL_OPTIONS:
+diff --git a/lib/url.c b/lib/url.c
+index 61ba832..4e21838 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1353,10 +1353,24 @@ ConnectionExists(struct Curl_easy *data,
+ (data->state.httpwant < CURL_HTTP_VERSION_2_0))
+ continue;
+
+- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
++#ifdef USE_SSH
++ else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
+ if(!ssh_config_matches(needle, check))
+ continue;
+ }
++#endif
++#ifndef CURL_DISABLE_FTP
++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) {
++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
++ if(Curl_timestrcmp(needle->proto.ftpc.account,
++ check->proto.ftpc.account) ||
++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
++ check->proto.ftpc.alternative_to_user) ||
++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
++ continue;
++ }
++#endif
+
+ if((needle->handler->flags&PROTOPT_SSL)
+ #ifndef CURL_DISABLE_PROXY
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 9d9ca92..4e2f5b9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1746,8 +1746,6 @@ struct UserDefined {
+ enum CURL_NETRC_OPTION
+ use_netrc; /* defined in 
include/curl.h */ + #endif +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or +- IMAP or POP3 or others! */ + long new_file_perms; /* Permissions to use when creating remote files */ + long new_directory_perms; /* Permissions to use when creating remote dirs */ + long ssh_auth_types; /* allowed SSH auth types */ +@@ -1793,6 +1791,8 @@ struct UserDefined { + CURLU *uh; /* URL handle for the current parsed URL */ + void *trailer_data; /* pointer to pass to trailer data callback */ + curl_trailer_callback trailer_callback; /* trailing data callback */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ + BIT(is_fread_set); /* has read callback been set to non-NULL? */ + BIT(is_fwrite_set); /* has write callback been set to non-NULL? */ + BIT(free_referer); /* set TRUE if 'referer' points to a string we +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index b6659d0..1756b07 100644 --- a/curl.spec +++ b/curl.spec @@ -82,6 +82,9 @@ Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch # fix SFTP path ~ resolving discrepancy (CVE-2023-27534) Patch24: 0024-curl-7.82.0-CVE-2023-27534.patch +# fix FTP too eager connection reuse (CVE-2023-27535) +Patch25: 0025-curl-7.82.0-CVE-2023-27535.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -286,6 +289,7 @@ be installed. %patch22 -p1 %patch23 -p1 %patch24 -p1 +%patch25 -p1 # Fedora patches %patch101 -p1 @@ -512,6 +516,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.82.0-14 +- fix FTP too eager connection reuse (CVE-2023-27535) - fix SFTP path ~ resolving discrepancy (CVE-2023-27534) - fix TELNET option IAC injection (CVE-2023-27533) From 96e0b571af6c27baa2ec5aad26fc587bc4f60293 Mon Sep 17 00:00:00 2001 
From: Kamil Dudka Date: Fri, 24 Mar 2023 13:25:23 +0100 Subject: [PATCH 33/34] Resolves: CVE-2023-27536 - fix GSS delegation too eager connection re-use --- 0026-curl-7.82.0-CVE-2023-27536.patch | 54 +++++++++++++++++++++++++++ curl.spec | 5 +++ 2 files changed, 59 insertions(+) create mode 100644 0026-curl-7.82.0-CVE-2023-27536.patch diff --git a/0026-curl-7.82.0-CVE-2023-27536.patch b/0026-curl-7.82.0-CVE-2023-27536.patch new file mode 100644 index 0000000..db88a1c --- /dev/null +++ b/0026-curl-7.82.0-CVE-2023-27536.patch 
@@ -0,0 +1,54 @@
+From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 10 Mar 2023 09:22:43 +0100
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Reported-by: Harry Sintonen
+Closes #10731
+
+Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
+Signed-off-by: Kamil Dudka
+---
+ lib/url.c | 6 ++++++
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 3b11b7e..cbbc7f3 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1346,6 +1346,11 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ }
+
++ /* GSS delegation differences do not actually affect every connection
++ and auth method, but this check takes precaution before efficiency */
++ if(needle->gssapi_delegation != check->gssapi_delegation)
++ continue;
++
+ /* If multiplexing isn't enabled on the h2 connection and h1 is
+ explicitly requested, handle it: */
+ if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
+@@ -1817,6 +1822,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+ conn->fclosesocket = data->set.fclosesocket;
+ conn->closesocket_client = data->set.closesocket_client;
+ conn->lastused = Curl_now(); /* used now */
++ conn->gssapi_delegation = data->set.gssapi_delegation;
+
+ return conn;
+ error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ce90304..9e16f26 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -989,6 +989,7 @@ struct connectdata {
+ char *sasl_authzid; /* authorisation identity string, allocated */
+ char *oauth_bearer; /* OAUTH2 bearer, allocated */
+ unsigned char httpversion; /* the HTTP version*10 reported by the server */
++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
+ struct curltime now; /* "current" time */
+ struct curltime created; /* creation time */
+ struct curltime lastused; /* when returned to the connection cache */
+--
+2.39.2
+
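Review bot: `conn->gssapi_delegation = data->set.gssapi_delegation;` in the `allocate_conn` hunk stores the setting in an `unsigned char`, so if `set.gssapi_delegation` is still a wider integer in this 7.82 tree (the setopt side is not part of the patch) two settings that differ only above the low byte compare equal in the new `ConnectionExists` check and such connections would still be reused. The documented `CURLGSSAPI_DELEGATION_*` flags fit in a byte, so this is a range question rather than a functional defect, but an explicit `(unsigned char)` cast with a short comment, or a bound check where the option is set, would make the narrowing deliberate. The comparison itself runs before the per-protocol checks and applies to every protocol, which the in-code comment already justifies.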
diff --git a/curl.spec b/curl.spec index 1756b07..cca2664 100644 --- a/curl.spec +++ b/curl.spec @@ -85,6 +85,9 @@ Patch24: 0024-curl-7.82.0-CVE-2023-27534.patch # fix FTP too eager connection reuse (CVE-2023-27535) Patch25: 0025-curl-7.82.0-CVE-2023-27535.patch +# fix GSS delegation too eager connection re-use (CVE-2023-27536) +Patch26: 0026-curl-7.82.0-CVE-2023-27536.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -290,6 +293,7 @@ be installed. %patch23 -p1 %patch24 -p1 %patch25 -p1 +%patch26 -p1 # Fedora patches %patch101 -p1 @@ -516,6 +520,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.82.0-14 +- fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) - fix SFTP path ~ resolving discrepancy (CVE-2023-27534) - fix TELNET option IAC injection (CVE-2023-27533) From b78b13595ec2246555a43393ca0b497bab6cc593 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:28:18 +0100 Subject: [PATCH 34/34] Resolves: CVE-2023-27538 - fix SSH connection too eager reuse still --- 0028-curl-7.87.0-CVE-2023-27538.patch | 30 +++++++++++++++++++++++++++ curl.spec | 5 +++++ 2 files changed, 35 insertions(+) create mode 100644 0028-curl-7.87.0-CVE-2023-27538.patch diff --git a/0028-curl-7.87.0-CVE-2023-27538.patch b/0028-curl-7.87.0-CVE-2023-27538.patch new file mode 100644 index 0000000..c538b22 --- /dev/null +++ b/0028-curl-7.87.0-CVE-2023-27538.patch 
@@ -0,0 +1,30 @@ +From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 08:22:51 +0100 +Subject: [PATCH] url: fix the SSH connection reuse check + +Reported-by: Harry Sintonen +Closes #10735 + +Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb +Signed-off-by: Kamil Dudka +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index 0c31486..3b11b7e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1359,7 +1359,7 @@ ConnectionExists(struct Curl_easy *data, + continue; + + #ifdef USE_SSH +- else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index cca2664..a7c4423 100644 --- a/curl.spec +++ b/curl.spec @@ -88,6 +88,9 @@ Patch25: 0025-curl-7.82.0-CVE-2023-27535.patch # fix GSS delegation too eager connection re-use (CVE-2023-27536) Patch26: 0026-curl-7.82.0-CVE-2023-27536.patch +# fix SSH connection too eager reuse still (CVE-2023-27538) +Patch28: 0028-curl-7.87.0-CVE-2023-27538.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -294,6 +297,7 @@ be installed. %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch28 -p1 # Fedora patches %patch101 -p1 @@ -520,6 +524,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.82.0-14 +- fix SSH connection too eager reuse still (CVE-2023-27538) - fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) - fix SFTP path ~ resolving discrepancy (CVE-2023-27534)