fix CVE-2025-0167 CVE-2025-0725

sherlock2010 2025-02-08 08:59:27 +00:00
parent 2ca2d5cf7a
commit 6ec50c4d45
3 changed files with 503 additions and 1 deletions


@ -0,0 +1,170 @@
From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 3 Jan 2025 16:22:27 +0100
Subject: [PATCH] netrc: 'default' with no credentials is not a match
Test 486 verifies.
Reported-by: Yihang Zhou
Closes #15908
Conflict:context adapt
Reference:https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e
---
lib/netrc.c | 15 ++++--
tests/data/Makefile.inc | 2 +-
tests/data/test486 | 105 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 116 insertions(+), 6 deletions(-)
create mode 100644 tests/data/test486
diff --git a/lib/netrc.c b/lib/netrc.c
index b517c1dfab67..7ad81ece229f 100644
--- a/lib/netrc.c
+++ b/lib/netrc.c
@@ -316,11 +316,16 @@ static int parsenetrc(struct store_netrc *store,
out:
Curl_dyn_free(&token);
- if(!retcode && !password && our_login) {
- /* success without a password, set a blank one */
- password = strdup("");
- if(!password)
- retcode = 1; /* out of memory */
+ if(!retcode) {
+ if(!password && our_login) {
+ /* success without a password, set a blank one */
+ password = strdup("");
+ if(!password)
+ retcode = 1; /* out of memory */
+ }
+ else if(!login && !password)
+ /* a default with no credentials */
+ retcode = NETRC_FILE_MISSING;
}
if(!retcode) {
/* success */
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 9ec101a7c74b..fc5e4cef5668 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -78,7 +78,7 @@ test426 test427 test428 test429 test430 test431 test432 test433 test434 \
test435 test436 test437 test438 test439 test440 test441 test442 test443 \
test444 test445 test446 test447 test448 test449 test450 test451 test452 \
test453 test454 test455 test456 test457 test458 \
-test478 test479 test480 \
+test478 test479 test480 test486 \
\
test490 test491 test492 test493 test494 test495 test496 test497 test498 \
\
diff --git a/tests/data/test486 b/tests/data/test486
new file mode 100644
index 000000000000..53efae597a1b
--- /dev/null
+++ b/tests/data/test486
@@ -0,0 +1,105 @@
+<testcase>
+<info>
+<keywords>
+netrc
+HTTP
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<data crlf="yes">
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+-foo-
+</data>
+
+<data2 crlf="yes">
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+</data2>
+
+<datacheck crlf="yes">
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+</datacheck>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+<features>
+proxy
+</features>
+<name>
+.netrc with redirect and "default" with no password or login
+</name>
+<command>
+--netrc --netrc-file %LOGDIR/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
+</command>
+<file name="%LOGDIR/netrc%TESTNUMBER" >
+
+machine a.com
+ login alice
+ password alicespassword
+
+default
+
+</file>
+</client>
+
+<verify>
+<protocol>
+GET http://a.com/ HTTP/1.1
+Host: a.com
+Authorization: Basic %b64[alice:alicespassword]b64%
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://b.com/%TESTNUMBER0002 HTTP/1.1
+Host: b.com
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+</verify>
+</testcase>
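Review bot: In the lib/netrc.c hunk, the new `else if(!login && !password)` branch returns `NETRC_FILE_MISSING` although the file was found and parsed, which reads as if the file were absent. The branch is also left unbraced, with a comment sitting between the condition and its statement. I would brace it and state why that code is reused, e.g. `/* 'default' without login or password: report as no match so no credentials are handed back for this host */`. Test 486 only covers a bare `default`; a `default` that carries just a `login` is not exercised here and may deserve a second case. parsenetrc's body begins outside the hunk.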


@ -0,0 +1,324 @@
From 76f83f0db23846e254d940ec7fe141010077eb88 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 24 Jan 2025 11:13:24 +0100
Subject: [PATCH] content_encoding: drop support for zlib before 1.2.0.4
zlib 1.2.0.4 was released on 10 August 2003
Closes #16079
Conflict:context adapt
Reference:https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7
---
docs/INTERNALS.md | 2 +-
lib/content_encoding.c | 232 ++---------------------------------------
2 files changed, 8 insertions(+), 226 deletions(-)
diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md
index d7513a8..f8aba15 100644
--- a/docs/INTERNALS.md
+++ b/docs/INTERNALS.md
@@ -20,7 +20,7 @@ versions of libs and build tools.
- OpenSSL 0.9.7
- GnuTLS 3.1.10
- - zlib 1.1.4
+ - zlib 1.2.0.4
- libssh2 1.0
- c-ares 1.16.0
- libidn2 2.0.0
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
index be7c075..7fc418e 100644
--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
@@ -65,31 +65,13 @@
#define DSIZ CURL_MAX_WRITE_SIZE /* buffer size for decompressed data */
-
#ifdef HAVE_LIBZ
-/* Comment this out if zlib is always going to be at least ver. 1.2.0.4
- (doing so will reduce code size slightly). */
-#define OLD_ZLIB_SUPPORT 1
-
-#define GZIP_MAGIC_0 0x1f
-#define GZIP_MAGIC_1 0x8b
-
-/* gzip flag byte */
-#define ASCII_FLAG 0x01 /* bit 0 set: file probably ascii text */
-#define HEAD_CRC 0x02 /* bit 1 set: header CRC present */
-#define EXTRA_FIELD 0x04 /* bit 2 set: extra field present */
-#define ORIG_NAME 0x08 /* bit 3 set: original file name present */
-#define COMMENT 0x10 /* bit 4 set: file comment present */
-#define RESERVED 0xE0 /* bits 5..7: reserved */
-
typedef enum {
ZLIB_UNINIT, /* uninitialized */
ZLIB_INIT, /* initialized */
ZLIB_INFLATING, /* inflating started. */
ZLIB_EXTERNAL_TRAILER, /* reading external trailer */
- ZLIB_GZIP_HEADER, /* reading gzip header */
- ZLIB_GZIP_INFLATING, /* inflating gzip stream */
ZLIB_INIT_GZIP /* initialized in transparent gzip mode */
} zlibInitState;
@@ -134,9 +116,6 @@ static CURLcode
exit_zlib(struct Curl_easy *data,
z_stream *z, zlibInitState *zlib_init, CURLcode result)
{
- if(*zlib_init == ZLIB_GZIP_HEADER)
- Curl_safefree(z->next_in);
-
if(*zlib_init != ZLIB_UNINIT) {
if(inflateEnd(z) != Z_OK && result == CURLE_OK)
result = process_zlib_error(data, z);
@@ -185,8 +164,7 @@ static CURLcode inflate_stream(struct Curl_easy *data,
/* Check state. */
if(zp->zlib_init != ZLIB_INIT &&
zp->zlib_init != ZLIB_INFLATING &&
- zp->zlib_init != ZLIB_INIT_GZIP &&
- zp->zlib_init != ZLIB_GZIP_INFLATING)
+ zp->zlib_init != ZLIB_INIT_GZIP)
return exit_zlib(data, z, &zp->zlib_init, CURLE_WRITE_ERROR);
/* Dynamically allocate a buffer for decompression because it's uncommonly
@@ -333,114 +311,27 @@ static CURLcode gzip_init_writer(struct Curl_easy *data,
{
struct zlib_writer *zp = (struct zlib_writer *) writer;
z_stream *z = &zp->z; /* zlib state structure */
+ const char *v = zlibVersion();
/* Initialize zlib */
z->zalloc = (alloc_func) zalloc_cb;
z->zfree = (free_func) zfree_cb;
- if(strcmp(zlibVersion(), "1.2.0.4") >= 0) {
- /* zlib ver. >= 1.2.0.4 supports transparent gzip decompressing */
+ if(strcmp(v, "1.2.0.4") >= 0) {
+ /* zlib version >= 1.2.0.4 supports transparent gzip decompressing */
if(inflateInit2(z, MAX_WBITS + 32) != Z_OK) {
return process_zlib_error(data, z);
}
zp->zlib_init = ZLIB_INIT_GZIP; /* Transparent gzip decompress state */
}
else {
- /* we must parse the gzip header and trailer ourselves */
- if(inflateInit2(z, -MAX_WBITS) != Z_OK) {
- return process_zlib_error(data, z);
- }
- zp->trailerlen = 8; /* A CRC-32 and a 32-bit input size (RFC 1952, 2.2) */
- zp->zlib_init = ZLIB_INIT; /* Initial call state */
+ failf(data, "too old zlib version: %s", v);
+ return CURLE_FAILED_INIT;
}
return CURLE_OK;
}
-#ifdef OLD_ZLIB_SUPPORT
-/* Skip over the gzip header */
-static enum {
- GZIP_OK,
- GZIP_BAD,
- GZIP_UNDERFLOW
-} check_gzip_header(unsigned char const *data, ssize_t len, ssize_t *headerlen)
-{
- int method, flags;
- const ssize_t totallen = len;
-
- /* The shortest header is 10 bytes */
- if(len < 10)
- return GZIP_UNDERFLOW;
-
- if((data[0] != GZIP_MAGIC_0) || (data[1] != GZIP_MAGIC_1))
- return GZIP_BAD;
-
- method = data[2];
- flags = data[3];
-
- if(method != Z_DEFLATED || (flags & RESERVED) != 0) {
- /* Can't handle this compression method or unknown flag */
- return GZIP_BAD;
- }
-
- /* Skip over time, xflags, OS code and all previous bytes */
- len -= 10;
- data += 10;
-
- if(flags & EXTRA_FIELD) {
- ssize_t extra_len;
-
- if(len < 2)
- return GZIP_UNDERFLOW;
-
- extra_len = (data[1] << 8) | data[0];
-
- if(len < (extra_len + 2))
- return GZIP_UNDERFLOW;
-
- len -= (extra_len + 2);
- data += (extra_len + 2);
- }
-
- if(flags & ORIG_NAME) {
- /* Skip over NUL-terminated file name */
- while(len && *data) {
- --len;
- ++data;
- }
- if(!len || *data)
- return GZIP_UNDERFLOW;
-
- /* Skip over the NUL */
- --len;
- ++data;
- }
-
- if(flags & COMMENT) {
- /* Skip over NUL-terminated comment */
- while(len && *data) {
- --len;
- ++data;
- }
- if(!len || *data)
- return GZIP_UNDERFLOW;
-
- /* Skip over the NUL */
- --len;
- }
-
- if(flags & HEAD_CRC) {
- if(len < 2)
- return GZIP_UNDERFLOW;
-
- len -= 2;
- }
-
- *headerlen = totallen - len;
- return GZIP_OK;
-}
-#endif
-
static CURLcode gzip_unencode_write(struct Curl_easy *data,
struct contenc_writer *writer,
const char *buf, size_t nbytes)
@@ -456,117 +347,8 @@ static CURLcode gzip_unencode_write(struct Curl_easy *data,
return inflate_stream(data, writer, ZLIB_INIT_GZIP);
}
-#ifndef OLD_ZLIB_SUPPORT
- /* Support for old zlib versions is compiled away and we are running with
- an old version, so return an error. */
+ /* We are running with an old version: return error. */
return exit_zlib(data, z, &zp->zlib_init, CURLE_WRITE_ERROR);
-
-#else
- /* This next mess is to get around the potential case where there isn't
- * enough data passed in to skip over the gzip header. If that happens, we
- * malloc a block and copy what we have then wait for the next call. If
- * there still isn't enough (this is definitely a worst-case scenario), we
- * make the block bigger, copy the next part in and keep waiting.
- *
- * This is only required with zlib versions < 1.2.0.4 as newer versions
- * can handle the gzip header themselves.
- */
-
- switch(zp->zlib_init) {
- /* Skip over gzip header? */
- case ZLIB_INIT:
- {
- /* Initial call state */
- ssize_t hlen;
-
- switch(check_gzip_header((unsigned char *) buf, nbytes, &hlen)) {
- case GZIP_OK:
- z->next_in = (Bytef *) buf + hlen;
- z->avail_in = (uInt) (nbytes - hlen);
- zp->zlib_init = ZLIB_GZIP_INFLATING; /* Inflating stream state */
- break;
-
- case GZIP_UNDERFLOW:
- /* We need more data so we can find the end of the gzip header. It's
- * possible that the memory block we malloc here will never be freed if
- * the transfer abruptly aborts after this point. Since it's unlikely
- * that circumstances will be right for this code path to be followed in
- * the first place, and it's even more unlikely for a transfer to fail
- * immediately afterwards, it should seldom be a problem.
- */
- z->avail_in = (uInt) nbytes;
- z->next_in = malloc(z->avail_in);
- if(!z->next_in) {
- return exit_zlib(data, z, &zp->zlib_init, CURLE_OUT_OF_MEMORY);
- }
- memcpy(z->next_in, buf, z->avail_in);
- zp->zlib_init = ZLIB_GZIP_HEADER; /* Need more gzip header data state */
- /* We don't have any data to inflate yet */
- return CURLE_OK;
-
- case GZIP_BAD:
- default:
- return exit_zlib(data, z, &zp->zlib_init, process_zlib_error(data, z));
- }
-
- }
- break;
-
- case ZLIB_GZIP_HEADER:
- {
- /* Need more gzip header data state */
- ssize_t hlen;
- z->avail_in += (uInt) nbytes;
- z->next_in = Curl_saferealloc(z->next_in, z->avail_in);
- if(!z->next_in) {
- return exit_zlib(data, z, &zp->zlib_init, CURLE_OUT_OF_MEMORY);
- }
- /* Append the new block of data to the previous one */
- memcpy(z->next_in + z->avail_in - nbytes, buf, nbytes);
-
- switch(check_gzip_header(z->next_in, z->avail_in, &hlen)) {
- case GZIP_OK:
- /* This is the zlib stream data */
- free(z->next_in);
- /* Don't point into the malloced block since we just freed it */
- z->next_in = (Bytef *) buf + hlen + nbytes - z->avail_in;
- z->avail_in = (uInt) (z->avail_in - hlen);
- zp->zlib_init = ZLIB_GZIP_INFLATING; /* Inflating stream state */
- break;
-
- case GZIP_UNDERFLOW:
- /* We still don't have any data to inflate! */
- return CURLE_OK;
-
- case GZIP_BAD:
- default:
- return exit_zlib(data, z, &zp->zlib_init, process_zlib_error(data, z));
- }
-
- }
- break;
-
- case ZLIB_EXTERNAL_TRAILER:
- z->next_in = (Bytef *) buf;
- z->avail_in = (uInt) nbytes;
- return process_trailer(data, zp);
-
- case ZLIB_GZIP_INFLATING:
- default:
- /* Inflating stream state */
- z->next_in = (Bytef *) buf;
- z->avail_in = (uInt) nbytes;
- break;
- }
-
- if(z->avail_in == 0) {
- /* We don't have any data to inflate; wait until next time */
- return CURLE_OK;
- }
-
- /* We've parsed the header, now uncompress the data */
- return inflate_stream(data, writer, ZLIB_GZIP_INFLATING);
-#endif
}
static void gzip_close_writer(struct Curl_easy *data,
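Review bot: In gzip_init_writer the version gate is still `strcmp(v, "1.2.0.4") >= 0`, which compares byte by byte, and the `else` branch now fails with `CURLE_FAILED_INIT` instead of falling back to the hand-written gzip parser. A version string with a two-digit component (a constructed example: `1.10`) would sort below `1.2.0.4` and be rejected as too old. I would at least record that on the check, `/* strcmp() is a lexical compare: revisit if zlib ever ships a two-digit version component */`, or compare the dotted components numerically. With init failing early, the remaining `exit_zlib(..., CURLE_WRITE_ERROR)` tail in gzip_unencode_write looks unreachable in practice, and its comment could say so. Both function bodies extend beyond the hunks shown.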


@ -7,7 +7,7 @@
Name: curl
Version: 8.4.0
Release: 14
Release: 15
Summary: Curl is used in command lines or scripts to transfer data
License: curl
URL: https://curl.se/
@ -46,6 +46,8 @@ Patch37: backport-CVE-2024-11053-pre5.patch
Patch38: backport-CVE-2024-11053.patch
Patch39: backport-CVE-2024-11053-post1.patch
Patch40: backport-CVE-2024-11053-post2.patch
Patch41: backport-CVE-2025-0167.patch
Patch42: backport-CVE-2025-0725.patch
BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
@ -231,6 +233,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_mandir}/man3/*
%changelog
* Sat Feb 08 2025 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-15
- Type:CVE
- CVE:CVE-2025-0167 CVE-2025-0725
- SUG:NA
- DESC:fix CVE-2025-0167 CVE-2025-0725
* Tue Jan 07 2025 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-14
- Type:CVE
- CVE:CVE-2024-11053