From 36f3729c77781afe79faa14bba2c1161d6dbd7eb Mon Sep 17 00:00:00 2001
From: sherlock2010 <15151851377@163.com>
Date: Thu, 20 Jul 2023 11:35:21 +0000
Subject: [PATCH] fix CVE-2023-32001

---
 backport-CVE-2023-32001.patch | 37 +++++++++++++++++++++++++++++++++++
 curl.spec                     |  9 ++++++++-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-32001.patch

diff --git a/backport-CVE-2023-32001.patch b/backport-CVE-2023-32001.patch
new file mode 100644
index 0000000..8827596
--- /dev/null
+++ b/backport-CVE-2023-32001.patch
@@ -0,0 +1,37 @@
+From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001
+From: SaltyMilk <soufiane.elmelcaoui@gmail.com>
+Date: Mon, 10 Jul 2023 21:43:28 +0200
+Subject: [PATCH] fopen: optimize
+
+Closes #11419
+---
+ lib/fopen.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/fopen.c b/lib/fopen.c
+index c9c9e3d6e..b6e3caddd 100644
+--- a/lib/fopen.c
++++ b/lib/fopen.c
+@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+   int fd = -1;
+   *tempname = NULL;
+ 
+-  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
+-    /* a non-regular file, fallback to direct fopen() */
+-    *fh = fopen(filename, FOPEN_WRITETEXT);
+-    if(*fh)
+-      return CURLE_OK;
++  *fh = fopen(filename, FOPEN_WRITETEXT);
++  if(!*fh)
+     goto fail;
+-  }
++  if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode))
++    return CURLE_OK;
++  fclose(*fh);
++  *fh = NULL;
+ 
+   result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+   if(result)
+-- 
+2.33.0
+
diff --git a/curl.spec b/curl.spec
index d22d3d0..5c88cd8 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@
 
 Name:           curl
 Version:        8.1.2
-Release:        1
+Release:        2
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        curl
 URL:            https://curl.se/
@@ -15,6 +15,7 @@ Source:         https://curl.se/download/curl-%{version}.tar.xz
 Patch1:         backport-0101-curl-7.32.0-multilib.patch
 Patch2:         backport-curl-7.84.0-test3026.patch
 Patch4:         backport-curl-7.88.0-tests-warnings.patch
+Patch5:         backport-CVE-2023-32001.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -199,6 +200,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Thu Jul 20 2023 zhouyihang <zhouyihang3@h-partners.com> - 8.1.2-2
+- Type:CVE
+- CVE:CVE-2023-32001
+- SUG:NA
+- DESC:fix CVE-2023-32001
+
 * Sat Jul 15 2023 gaihuiying <eaglegai@163.com> - 8.1.2-1
 - Type:requirement
 - CVE:NA