fix CVE-2022-27781 CVE-2022-27782

backport-CVE-2022-27781.patch

@@ -0,0 +1,43 @@
+From 5c7da89d404bf59c8dd82a001119a16d18365917 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 10:07:15 +0200
+Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2022-27781
+
+Reported-by: Florian Kohnhäuser
+Bug: https://curl.se/docs/CVE-2022-27781.html
+Closes #8822
+---
+ lib/vtls/nss.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 5b7de9f81895..569c0628feb5 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data,
+   PR_Free(common_name);
+ }
+ 
++/* A number of certs that will never occur in a real server handshake */
++#define TOO_MANY_CERTS 300
++
+ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
+ {
+   CURLcode result = CURLE_OK;
+@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
+         cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
+         while(cert2) {
+           i++;
++          if(i >= TOO_MANY_CERTS) {
++            CERT_DestroyCertificate(cert2);
++            failf(data, "certificate loop");
++            return CURLE_SSL_CERTPROBLEM;
++          }
+           if(cert2->isRoot) {
+             CERT_DestroyCertificate(cert2);
+             break;

backport-CVE-2022-27782.patch

@@ -0,0 +1,489 @@
+Backport of:
+
+From 222b896a07ed1e183e7eacd6df10fc23264bd820 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 6 May 2022 10:48:58 +0200
+Subject: [PATCH 1/2] tls: check more TLS details for connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+---
+ lib/setopt.c       | 29 +++++++++++++++++------------
+ lib/url.c          | 23 ++++++++++++++++-------
+ lib/urldata.h      | 13 +++++++------
+ lib/vtls/gtls.c    | 32 +++++++++++++++++---------------
+ lib/vtls/mbedtls.c |  2 +-
+ lib/vtls/nss.c     |  6 +++---
+ lib/vtls/openssl.c | 10 +++++-----
+ lib/vtls/vtls.c    | 21 +++++++++++++++++++++
+ 8 files changed, 87 insertions(+), 49 deletions(-)
+
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2317,6 +2317,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+ 
+   case CURLOPT_SSL_OPTIONS:
+     arg = va_arg(param, long);
++    data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+     data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
+     data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+     data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
+@@ -2330,6 +2331,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_SSL_OPTIONS:
+     arg = va_arg(param, long);
++    data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+     data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
+     data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+     data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
+@@ -2766,49 +2768,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+   case CURLOPT_TLSAUTH_USERNAME:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
++       !data->set.ssl.primary.authtype)
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+     break;
+   case CURLOPT_PROXY_TLSAUTH_USERNAME:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
+                             va_arg(param, char *));
+ #ifndef CURL_DISABLE_PROXY
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+-       !data->set.proxy_ssl.authtype)
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++       !data->set.proxy_ssl.primary.authtype)
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
++                                                                  SRP */
+ #endif
+     break;
+   case CURLOPT_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
+                             va_arg(param, char *));
+-    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++    if(data->set.str[STRING_TLSAUTH_USERNAME] &&
++       !data->set.ssl.primary.authtype)
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+     break;
+   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
+     result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
+                             va_arg(param, char *));
+ #ifndef CURL_DISABLE_PROXY
+     if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+-       !data->set.proxy_ssl.authtype)
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++       !data->set.proxy_ssl.primary.authtype)
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+ #endif
+     break;
+   case CURLOPT_TLSAUTH_TYPE:
+     argptr = va_arg(param, char *);
+     if(!argptr ||
+        strncasecompare(argptr, "SRP", strlen("SRP")))
+-      data->set.ssl.authtype = CURL_TLSAUTH_SRP;
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
+     else
+-      data->set.ssl.authtype = CURL_TLSAUTH_NONE;
++      data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
+     break;
+ #ifndef CURL_DISABLE_PROXY
+   case CURLOPT_PROXY_TLSAUTH_TYPE:
+     argptr = va_arg(param, char *);
+     if(!argptr ||
+        strncasecompare(argptr, "SRP", strlen("SRP")))
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
+     else
+-      data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
++      data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
+     break;
+ #endif
+ #endif
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -556,7 +556,7 @@ CURLcode Curl_init_userdefined(struct Cu
+   set->ssl.primary.verifypeer = TRUE;
+   set->ssl.primary.verifyhost = TRUE;
+ #ifdef USE_TLS_SRP
+-  set->ssl.authtype = CURL_TLSAUTH_NONE;
++  set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ #endif
+   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+                                                       type */
+@@ -1114,6 +1114,12 @@ static void prune_dead_connections(struc
+   }
+ }
+ 
++static bool ssh_config_matches(struct connectdata *one,
++                               struct connectdata *two)
++{
++  return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
++          Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
++}
+ /*
+  * Given one filled in connection struct (named needle), this function should
+  * detect if there already is one that has all the significant details
+@@ -1372,6 +1378,11 @@ ConnectionExists(struct Curl_easy *data,
+          (data->state.httpwant < CURL_HTTP_VERSION_2_0))
+         continue;
+ 
++      if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
++        if(!ssh_config_matches(needle, check))
++          continue;
++      }
++
+       if((needle->handler->flags&PROTOPT_SSL)
+ #ifndef CURL_DISABLE_PROXY
+          || !needle->bits.httpproxy || needle->bits.tunnel_proxy
+@@ -1772,11 +1783,17 @@ static struct connectdata *allocate_conn
+   conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
+   conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
+   conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
++  conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
++#ifdef USE_TLS_SRP
++#endif
+ #ifndef CURL_DISABLE_PROXY
+   conn->proxy_ssl_config.verifystatus =
+     data->set.proxy_ssl.primary.verifystatus;
+   conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
+   conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
++  conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
++#ifdef USE_TLS_SRP
++#endif
+ #endif
+   conn->ip_version = data->set.ipver;
+   conn->bits.connect_only = data->set.connect_only;
+@@ -3839,7 +3856,8 @@ static CURLcode create_conn(struct Curl_
+     data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+   data->set.proxy_ssl.primary.issuercert_blob =
+     data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
+-  data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
++  data->set.proxy_ssl.primary.CRLfile =
++    data->set.str[STRING_SSL_CRLFILE_PROXY];
+   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
+   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
+   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
+@@ -3847,18 +3865,20 @@ static CURLcode create_conn(struct Curl_
+   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
+   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
+ #endif
+-  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
++  data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
+   data->set.ssl.key = data->set.str[STRING_KEY];
+   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
+   data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
+   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+-  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+-  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
++  data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
++  data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ #ifndef CURL_DISABLE_PROXY
+-  data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+-  data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
++  data->set.proxy_ssl.primary.username =
++    data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
++  data->set.proxy_ssl.primary.password =
++    data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+ #endif
+   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -253,10 +253,17 @@ struct ssl_primary_config {
+   char *cipher_list;     /* list of ciphers to use */
+   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
+   char *pinned_key;
++  char *CRLfile;         /* CRL to check certificate revocation */
+   struct curl_blob *cert_blob;
+   struct curl_blob *ca_info_blob;
+   struct curl_blob *issuercert_blob;
++#ifdef USE_TLS_SRP
++  char *username; /* TLS username (for, e.g., SRP) */
++  char *password; /* TLS password (for, e.g., SRP) */
++  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
++#endif
+   char *curves;          /* list of curves to use */
++  unsigned char ssl_options;  /* the CURLOPT_SSL_OPTIONS bitmask */
+   BIT(verifypeer);       /* set TRUE if this is desired */
+   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
+   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
+@@ -266,7 +273,6 @@ struct ssl_primary_config {
+ struct ssl_config_data {
+   struct ssl_primary_config primary;
+   long certverifyresult; /* result from the certificate verification */
+-  char *CRLfile;   /* CRL to check certificate revocation */
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+   void *fsslctxp;        /* parameter for call back */
+   char *cert_type; /* format for certificate (default: PEM)*/
+@@ -274,11 +280,6 @@ struct ssl_config_data {
+   struct curl_blob *key_blob;
+   char *key_type; /* format for private key (default: PEM) */
+   char *key_passwd; /* plain text private key password */
+-#ifdef USE_TLS_SRP
+-  char *username; /* TLS username (for, e.g., SRP) */
+-  char *password; /* TLS password (for, e.g., SRP) */
+-  enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+-#endif
+   BIT(certinfo);     /* gather lots of certificate info */
+   BIT(falsestart);
+   BIT(enable_beast); /* allow this flaw for interoperability's sake*/
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -432,9 +432,10 @@ gtls_connect_step1(struct Curl_easy *dat
+   }
+ 
+ #ifdef HAVE_GNUTLS_SRP
+-  if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
++  if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) &&
+      Curl_allow_auth_to_host(data)) {
+-    infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
++    infof(data, "Using TLS-SRP username: %s",
++          SSL_SET_OPTION(primary.username));
+ 
+     rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
+     if(rc != GNUTLS_E_SUCCESS) {
+@@ -444,8 +445,8 @@ gtls_connect_step1(struct Curl_easy *dat
+     }
+ 
+     rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
+-                                           SSL_SET_OPTION(username),
+-                                           SSL_SET_OPTION(password));
++                                           SSL_SET_OPTION(primary.username),
++                                           SSL_SET_OPTION(primary.password));
+     if(rc != GNUTLS_E_SUCCESS) {
+       failf(data, "gnutls_srp_set_client_cred() failed: %s",
+             gnutls_strerror(rc));
+@@ -502,19 +503,19 @@ gtls_connect_step1(struct Curl_easy *dat
+   }
+ #endif
+ 
+-  if(SSL_SET_OPTION(CRLfile)) {
++  if(SSL_SET_OPTION(primary.CRLfile)) {
+     /* set the CRL list file */
+     rc = gnutls_certificate_set_x509_crl_file(backend->cred,
+-                                              SSL_SET_OPTION(CRLfile),
++                                              SSL_SET_OPTION(primary.CRLfile),
+                                               GNUTLS_X509_FMT_PEM);
+     if(rc < 0) {
+       failf(data, "error reading crl file %s (%s)",
+-            SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
++            SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
+       return CURLE_SSL_CRL_BADFILE;
+     }
+     else
+       infof(data, "found %d CRL in %s",
+-            rc, SSL_SET_OPTION(CRLfile));
++            rc, SSL_SET_OPTION(primary.CRLfile));
+   }
+ 
+   /* Initialize TLS session as a client */
+@@ -581,7 +582,7 @@ gtls_connect_step1(struct Curl_easy *dat
+ #ifdef HAVE_GNUTLS_SRP
+   /* Only add SRP to the cipher list if SRP is requested. Otherwise
+    * GnuTLS will disable TLS 1.3 support. */
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+     size_t len = strlen(prioritylist);
+ 
+     char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
+@@ -676,7 +677,7 @@ gtls_connect_step1(struct Curl_easy *dat
+ 
+ #ifdef HAVE_GNUTLS_SRP
+   /* put the credentials to the current session */
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+     rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+                                 backend->srp_client_cred);
+     if(rc != GNUTLS_E_SUCCESS) {
+@@ -855,8 +856,8 @@ Curl_gtls_verifyserver(struct Curl_easy
+        SSL_CONN_CONFIG(verifyhost) ||
+        SSL_CONN_CONFIG(issuercert)) {
+ #ifdef HAVE_GNUTLS_SRP
+-      if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+-         && SSL_SET_OPTION(username) != NULL
++      if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
++         && SSL_SET_OPTION(primary.username)
+          && !SSL_CONN_CONFIG(verifypeer)
+          && gnutls_cipher_get(session)) {
+         /* no peer cert, but auth is ok if we have SRP user and cipher and no
+@@ -914,7 +915,8 @@ Curl_gtls_verifyserver(struct Curl_easy
+         failf(data, "server certificate verification failed. CAfile: %s "
+               "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
+               "none",
+-              SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
++              SSL_SET_OPTION(primary.CRLfile) ?
++              SSL_SET_OPTION(primary.CRLfile) : "none");
+         return CURLE_PEER_FAILED_VERIFICATION;
+       }
+       else
+@@ -1531,8 +1533,8 @@ static int gtls_shutdown(struct Curl_eas
+   gnutls_certificate_free_credentials(backend->cred);
+ 
+ #ifdef HAVE_GNUTLS_SRP
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+-     && SSL_SET_OPTION(username) != NULL)
++  if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
++     && SSL_SET_OPTION(primary.username) != NULL)
+     gnutls_srp_free_client_credentials(backend->srp_client_cred);
+ #endif
+ 
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2653,7 +2653,7 @@ static CURLcode ossl_connect_step1(struc
+ #endif
+   const long int ssl_version = SSL_CONN_CONFIG(version);
+ #ifdef USE_OPENSSL_SRP
+-  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
++  const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
+ #endif
+   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+@@ -2664,7 +2664,7 @@ static CURLcode ossl_connect_step1(struc
+     (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
+   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+-  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
++  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+   char error_buffer[256];
+   struct ssl_backend_data *backend = connssl->backend;
+   bool imported_native_ca = false;
+@@ -2914,15 +2914,15 @@ static CURLcode ossl_connect_step1(struc
+ #ifdef USE_OPENSSL_SRP
+   if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+      Curl_allow_auth_to_host(data)) {
+-    char * const ssl_username = SSL_SET_OPTION(username);
+-
++    char * const ssl_username = SSL_SET_OPTION(primary.username);
++    char * const ssl_password = SSL_SET_OPTION(primary.password);
+     infof(data, "Using TLS-SRP username: %s", ssl_username);
+ 
+     if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
+       failf(data, "Unable to set SRP user name");
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+     }
+-    if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
++    if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
+       failf(data, "failed setting SRP password");
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+     }
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_prima
+ {
+   if((data->version == needle->version) &&
+      (data->version_max == needle->version_max) &&
++     (data->ssl_options == needle->ssl_options) &&
+      (data->verifypeer == needle->verifypeer) &&
+      (data->verifyhost == needle->verifyhost) &&
+      (data->verifystatus == needle->verifystatus) &&
+@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_prima
+      Curl_safecmp(data->clientcert, needle->clientcert) &&
+      Curl_safecmp(data->random_file, needle->random_file) &&
+      Curl_safecmp(data->egdsocket, needle->egdsocket) &&
++#ifdef USE_TLS_SRP
++     Curl_safecmp(data->username, needle->username) &&
++     Curl_safecmp(data->password, needle->password) &&
++     (data->authtype == needle->authtype) &&
++#endif
+      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+      Curl_safe_strcasecompare(data->curves, needle->curves) &&
++     Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
+      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+     return TRUE;
+ 
+@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl
+   dest->verifyhost = source->verifyhost;
+   dest->verifystatus = source->verifystatus;
+   dest->sessionid = source->sessionid;
++  dest->ssl_options = source->ssl_options;
++#ifdef USE_TLS_SRP
++  dest->authtype = source->authtype;
++#endif
+ 
+   CLONE_BLOB(cert_blob);
+   CLONE_BLOB(ca_info_blob);
+@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl
+   CLONE_STRING(cipher_list13);
+   CLONE_STRING(pinned_key);
+   CLONE_STRING(curves);
++  CLONE_STRING(CRLfile);
++#ifdef USE_TLS_SRP
++  CLONE_STRING(username);
++  CLONE_STRING(password);
++#endif
+ 
+   return TRUE;
+ }
+@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct
+   Curl_safefree(sslc->ca_info_blob);
+   Curl_safefree(sslc->issuercert_blob);
+   Curl_safefree(sslc->curves);
++  Curl_safefree(sslc->CRLfile);
++#ifdef USE_TLS_SRP
++  Curl_safefree(sslc->username);
++  Curl_safefree(sslc->password);
++#endif
+ }
+ 
+ #ifdef USE_SSL
+--- a/lib/vssh/ssh.h
++++ b/lib/vssh/ssh.h
+@@ -7,7 +7,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -131,8 +131,8 @@ struct ssh_conn {
+ 
+   /* common */
+   const char *passphrase;     /* pass-phrase to use */
+-  char *rsa_pub;              /* path name */
+-  char *rsa;                  /* path name */
++  char *rsa_pub;              /* strdup'ed public key file */
++  char *rsa;                  /* strdup'ed private key file */
+   bool authed;                /* the connection has been authenticated fine */
+   bool acceptfail;            /* used by the SFTP_QUOTE (continue if
+                                  quote command fails) */
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1996,13 +1996,13 @@ static CURLcode nss_setup_connect(struct
+     }
+   }
+ 
+-  if(SSL_SET_OPTION(CRLfile)) {
+-    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
++  if(SSL_SET_OPTION(primary.CRLfile)) {
++    const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
+     if(rv) {
+       result = rv;
+       goto error;
+     }
+-    infof(data, "  CRLfile: %s", SSL_SET_OPTION(CRLfile));
++    infof(data, "  CRLfile: %s", SSL_SET_OPTION(primary.CRLfile));
+   }
+ 
+   if(SSL_SET_OPTION(primary.clientcert)) {
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index 975094f4fa795..b60b9cac50d4f 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+   char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+   const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+-  const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
++  const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+   const char * const hostname = SSL_HOST_NAME();
+ #ifndef CURL_DISABLE_VERBOSE_STRINGS
+   const long int port = SSL_HOST_PORT();

backport-pre-CVE-2022-27782.patch

@@ -0,0 +1,32 @@
+From 093531556203decd92d92bccd431edbe5561781c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 26 Apr 2022 07:46:19 +0200
+Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects
+
+Follow-up to 620ea21410030 and 139a54ed0a172a
+
+Reported-by: Harry Sintonen
+Closes #8752
+---
+ lib/vtls/gtls.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 9c3a68f0ac6b..0535011911d5 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -445,11 +445,11 @@ gtls_connect_step1(struct Curl_easy *data,
+   }
+ 
+ #ifdef HAVE_GNUTLS_SRP
+-  if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++  if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
++     Curl_allow_auth_to_host(data)) {
+     infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
+ 
+-    rc = gnutls_srp_allocate_client_credentials(
+-           &backend->srp_client_cred);
++    rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
+     if(rc != GNUTLS_E_SUCCESS) {
+       failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
+             gnutls_strerror(rc));

curl.spec

@@ -6,7 +6,7 @@
 
 Name:           curl
 Version:        7.79.1
-Release:        4
+Release:        5
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@@ -19,6 +19,9 @@ Patch4:         backport-CVE-2022-27776.patch
 Patch5:         backport-pre-CVE-2022-27774.patch
 Patch6:         backport-001-CVE-2022-27774.patch
 Patch7:         backport-002-CVE-2022-27774.patch
+Patch8:         backport-CVE-2022-27781.patch
+Patch9:         backport-pre-CVE-2022-27782.patch
+Patch10:        backport-CVE-2022-27782.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -193,6 +196,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Tue May 17 2022 gaihuiying <eaglegai@163.com> - 7.79.1-5
+- Type:cves
+- CVE:CVE-2022-27781 CVE-2022-27782
+- SUG:NA
+- DESC:fix CVE-2022-27781 CVE-2022-27782
+
 * Sat May 14 2022 gaoxingwang <gaoxingwang1@huawei.com> - 7.79.1-4
 - Type:bugfix
 - CVE:NA