Resolves: CVE-2020-8231 - libcurl: wrong connect-only connection

0002-curl-7.69.1-CVE-2020-8169.patch

@@ -0,0 +1,140 @@
+From 64e66ff04479bf76940916e09cc5094580b06e18 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 May 2020 14:37:12 +0200
+Subject: [PATCH] url: make the updated credentials URL-encoded in the URL
+
+Found-by: Gregory Jefferis
+Reported-by: Jeroen Ooms
+Added test 1168 to verify. Bug spotted when doing a redirect.
+Bug: https://github.com/jeroen/curl/issues/224
+Closes #5400
+
+Upstream-commit: 600a8cded447cd7118ed50142c576567c0cf5158
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c               |  6 ++--
+ tests/data/Makefile.inc |  1 +
+ tests/data/test1168     | 78 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 83 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1168
+
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66a..a826f8a 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2712,12 +2712,14 @@ static CURLcode override_login(struct Curl_easy *data,
+ 
+   /* for updated strings, we update them in the URL */
+   if(user_changed) {
+-    uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
++    uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
++                      CURLU_URLENCODE);
+     if(uc)
+       return Curl_uc_to_curlcode(uc);
+   }
+   if(passwd_changed) {
+-    uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
++    uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
++                      CURLU_URLENCODE);
+     if(uc)
+       return Curl_uc_to_curlcode(uc);
+   }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 3d8565c..f9535a6 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -130,6 +130,7 @@ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
+ test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \
+ test1160 test1161 test1162 test1163 test1164 test1165 \
++test1168 \
+ test1170 test1171 test1172 test1173 test1174 \
+ \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+diff --git a/tests/data/test1168 b/tests/data/test1168
+new file mode 100644
+index 0000000..283e91e
+--- /dev/null
++++ b/tests/data/test1168
+@@ -0,0 +1,78 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++followlocation
++</keywords>
++</info>
++# Server-side
++<reply>
++<data>
++HTTP/1.1 301 This is a weirdo text message swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Location: /data/11680002.txt
++Connection: close
++
++This server reply is for testing a simple Location: following
++
++</data>
++<data2>
++HTTP/1.1 200 Followed here fine swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 52
++
++If this is received, the location following worked
++
++</data2>
++<datacheck>
++HTTP/1.1 301 This is a weirdo text message swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Location: /data/11680002.txt
++Connection: close
++
++HTTP/1.1 200 Followed here fine swsclose
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Length: 52
++
++If this is received, the location following worked
++
++</datacheck>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++HTTP redirect with credentials using # in user and password
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY"
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<strip>
++^User-Agent:.*
++</strip>
++<protocol>
++GET /want/1168 HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
++Accept: */*
++
++GET /data/11680002.txt HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
++Accept: */*
++
++</protocol>
++</verify>
++</testcase>
+-- 
+2.21.3
+

0003-curl-7.69.1-CVE-2020-8177.patch

@@ -0,0 +1,68 @@
+From a6fcd8a32f3b1c5d80e524f8b2c1de32e6ecdb2b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 May 2020 23:09:59 +0200
+Subject: [PATCH] tool_getparam: -i is not OK if -J is used
+
+Reported-by: sn on hackerone
+Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
+
+Upstream-commit: 8236aba58542c5f89f1d41ca09d84579efb05e22
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_cb_hdr.c   | 22 ++++------------------
+ src/tool_getparam.c |  5 +++++
+ 2 files changed, 9 insertions(+), 18 deletions(-)
+
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index 3b10238..b80707f 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -134,25 +134,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+       filename = parse_filename(p, len);
+       if(filename) {
+         if(outs->stream) {
+-          int rc;
+-          /* already opened and possibly written to */
+-          if(outs->fopened)
+-            fclose(outs->stream);
+-          outs->stream = NULL;
+-
+-          /* rename the initial file name to the new file name */
+-          rc = rename(outs->filename, filename);
+-          if(rc != 0) {
+-            warnf(outs->config->global, "Failed to rename %s -> %s: %s\n",
+-                  outs->filename, filename, strerror(errno));
+-          }
+-          if(outs->alloc_filename)
+-            Curl_safefree(outs->filename);
+-          if(rc != 0) {
+-            free(filename);
+-            return failure;
+-          }
++          /* indication of problem, get out! */
++          free(filename);
++          return failure;
+         }
++
+         outs->is_cd_filename = TRUE;
+         outs->s_isreg = TRUE;
+         outs->fopened = FALSE;
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 764caa2..c5c7429 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -1784,6 +1784,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+       }
+       break;
+     case 'i':
++      if(config->content_disposition) {
++        warnf(global,
++              "--include and --remote-header-name cannot be combined.\n");
++        return PARAM_BAD_USE;
++      }
+       config->show_headers = toggle; /* show the headers as well in the
+                                         general output stream */
+       break;
+-- 
+2.21.3
+

curl.spec

@@ -1,13 +1,22 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.66.0
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
 # fix memory leaked by parse_metalink()
 Patch1:   0001-curl-7.66.0-metalink-memleak.patch
 
+# fix partial password leak over DNS on HTTP redirect (CVE-2020-8169)
+Patch2:   0002-curl-7.69.1-CVE-2020-8169.patch
+
+# avoid overwriting a local file with -J (CVE-2020-8177)
+Patch3:   0003-curl-7.69.1-CVE-2020-8177.patch
+
+# libcurl: wrong connect-only connection (CVE-2020-8231)
+Patch4:   0004-curl-7.66.0-CVE-2020-8231.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -175,6 +184,9 @@ be installed.
 
 # upstream patches
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -350,6 +362,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Aug 19 2020 Kamil Dudka <kdudka@redhat.com> - 7.66.0-3
+- libcurl: wrong connect-only connection (CVE-2020-8231)
+
+* Wed Jun 24 2020 Kamil Dudka <kdudka@redhat.com> - 7.66.0-2
+- avoid overwriting a local file with -J (CVE-2020-8177)
+- fix partial password leak over DNS on HTTP redirect (CVE-2020-8169)
+
 * Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1
 - new upstream release, which fixes the following vulnerabilities
     CVE-2019-5481 - double free due to subsequent call of realloc()