fix CVE-2021-22925 CVE-2021-22926

backport-CVE-2021-22925.patch

@@ -0,0 +1,41 @@
+From 894f6ec730597eb243618d33cc84d71add8d6a8a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 12 Jun 2021 18:25:15 +0200
+Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
+
+CVS-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 1d3024ec4d3e..a81bb81c3675 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -920,12 +920,17 @@ static void suboption(struct Curl_easy *data)
+         size_t tmplen = (strlen(v->data) + 1);
+         /* Add the variable only if it fits */
+         if(len + tmplen < (int)sizeof(temp)-6) {
+-          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+-            msnprintf((char *)&temp[len], sizeof(temp) - len,
+-                      "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+-                      CURL_NEW_ENV_VALUE, varval);
+-            len += tmplen;
+-          }
++          int rv;
++          char sep[2] = "";
++          varval[0] = 0;
++          rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++          if(rv == 1)
++            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++                             "%c%s", CURL_NEW_ENV_VAR, varname);
++          else if(rv >= 2)
++            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++                             "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++                             CURL_NEW_ENV_VALUE, varval);
+         }
+       }
+       msnprintf((char *)&temp[len], sizeof(temp) - len,

backport-CVE-2021-22926.patch

@@ -0,0 +1,70 @@
+From fd9b40bf8dfd43edcbc0d254d613d95a11061c05 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 21 Jun 2021 10:35:09 +0200
+Subject: [PATCH] sectransp: check for client certs by name first, then file
+
+CVE-2021-22926
+
+Bug: https://curl.se/docs/CVE-2021-22926.html
+
+Assisted-by: Daniel Gustafsson
+Reported-by: Harry Sintonen
+---
+ lib/vtls/sectransp.c | 33 +++++++++++++++++++--------------
+ 1 file changed, 19 insertions(+), 14 deletions(-)
+
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 21ca0824bdf6..26b833dd2ac7 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -32,6 +32,7 @@
+ #include "curl_base64.h"
+ #include "strtok.h"
+ #include "multiif.h"
++#include "strcase.h"
+ 
+ #ifdef USE_SECTRANSP
+ 
+@@ -1869,24 +1870,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+     bool is_cert_file = (!is_cert_data) && is_file(ssl_cert);
+     SecIdentityRef cert_and_key = NULL;
+ 
+-    /* User wants to authenticate with a client cert. Look for it:
+-       If we detect that this is a file on disk, then let's load it.
+-       Otherwise, assume that the user wants to use an identity loaded
+-       from the Keychain. */
+-    if(is_cert_file || is_cert_data) {
++    /* User wants to authenticate with a client cert. Look for it. Assume that
++       the user wants to use an identity loaded from the Keychain. If not, try
++       it as a file on disk */
++
++    if(!is_cert_data)
++      err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
++    else
++      err = !noErr;
++    if((err != noErr) && (is_cert_file || is_cert_data)) {
+       if(!SSL_SET_OPTION(cert_type))
+-        infof(data, "WARNING: SSL: Certificate type not set, assuming "
+-                    "PKCS#12 format.\n");
+-      else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
+-        strlen(SSL_SET_OPTION(cert_type))) != 0)
+-        infof(data, "WARNING: SSL: The Security framework only supports "
+-                    "loading identities that are in PKCS#12 format.\n");
++        infof(data, "SSL: Certificate type not set, assuming "
++              "PKCS#12 format.");
++      else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) {
++        failf(data, "SSL: The Security framework only supports "
++              "loading identities that are in PKCS#12 format.");
++        return CURLE_SSL_CERTPROBLEM;
++      }
+ 
+       err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob,
+-        SSL_SET_OPTION(key_passwd), &cert_and_key);
++                                       SSL_SET_OPTION(key_passwd),
++                                       &cert_and_key);
+     }
+-    else
+-      err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
+ 
+     if(err == noErr && cert_and_key) {
+       SecCertificateRef cert = NULL;

curl.spec

@@ -6,7 +6,7 @@
 
 Name:           curl
 Version:        7.77.0
-Release:        1
+Release:        2
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@@ -16,6 +16,8 @@ Patch101:       0101-curl-7.32.0-multilib.patch
 Patch102:       0102-curl-7.36.0-debug.patch
 Patch105:       0105-curl-7.63.0-lib1560-valgrind.patch
 Patch106:       0106-curl-fix-CVE-2019-15601.patch
+Patch107:       backport-CVE-2021-22925.patch
+Patch108:       backport-CVE-2021-22926.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libmetalink-devel libnghttp2-devel libpsl-devel
@@ -165,6 +167,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Fri Aug 13 2021 gaihuiying <gaihuiying1@huawei.com> - 7.77.0-2
+- Type:CVE
+- CVE:CVE-2021-22925 CVE-2021-22926
+- SUG:NA
+- DESC:fix CVE-2021-22925 CVE-2021-22926
+
 * Thu Jul 8 2021 gaihuiying <gaihuiying1@huawei.com> - 7.77.0-1
 - Type:requirement
 - CVE:NA