From f907a3210a517948b9be7b6385868f0047aa8b26 Mon Sep 17 00:00:00 2001
From: yangl777
Date: Wed, 6 Sep 2023 14:30:24 +0800
Subject: [PATCH] backport some patches from community
---
 ...-zoneid-is-also-duplicated-in-curl_u.patch | 112 ++++++++++++++++++
 ...oid-memory-leak-if-sha256-call-fails.patch | 41 +++++++
 curl.spec | 11 +-
 3 files changed, 163 insertions(+), 1 deletion(-)
 create mode 100644 backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch
 create mode 100644 backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch
diff --git a/backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch b/backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch
new file mode 100644
index 0000000..129e9ce
--- /dev/null
+++ b/backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch
@@ -0,0 +1,112 @@
+From 49e244318672c688097c1bf601a110005cd9a6a8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 31 Jul 2023 10:07:35 +0200
+Subject: [PATCH] urlapi: make sure zoneid is also duplicated in curl_url_dup
+
+Add several curl_url_dup() tests to the general lib1560 test.
+
+Reported-by: Rutger Broekhoff
+Bug: https://curl.se/mail/lib-2023-07/0047.html
+Closes #11549
+
+Conflict: tests/libtest/lib1560.c for context adapt
+Reference: https://github.com/curl/curl/commit/49e244318672c688097c1bf601a110005cd9a6a8
+---
+ lib/urlapi.c | 1 +
+ tests/libtest/lib1560.c | 67 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+)
+
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index cd423c335d88f..b1a126d548213 100644
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -1385,6 +1385,7 @@ CURLU *curl_url_dup(const CURLU *in)
+ DUP(u, in, path);
+ DUP(u, in, query);
+ DUP(u, in, fragment);
++ DUP(u, in, zoneid);
+ u->portnum = in->portnum;
+ }
+ return u;
+diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
+index 0eca0fda72d0b..ff03bec9391a4 100644
+--- a/tests/libtest/lib1560.c
++++ b/tests/libtest/lib1560.c
+@@ -1672,10 +1672,77 @@ static int huge(void)
+ return error;
+ }
+
++static int urldup(void)
++{
++ const char *url[] = {
++ "http://"
++ "user:pwd@"
++ "[2a04:4e42:e00::347%25eth0]"
++ ":80"
++ "/path"
++ "?query"
++ "#fraggie",
++ "https://example.com",
++ "https://user@example.com",
++ "https://user.pwd@example.com",
++ "https://user.pwd@example.com:1234",
++ "https://example.com:1234",
++ "example.com:1234",
++ "https://user.pwd@example.com:1234/path?query#frag",
++ NULL
++ };
++ CURLU *copy = NULL;
++ char *h_str = NULL, *copy_str = NULL;
++ CURLU *h = curl_url();
++ int i;
++
++ if(!h)
++ goto err;
++
++ for(i = 0; url[i]; i++) {
++ CURLUcode rc = curl_url_set(h, CURLUPART_URL, url[i],
++ CURLU_GUESS_SCHEME);
++ if(rc)
++ goto err;
++ copy = curl_url_dup(h);
++
++ rc = curl_url_get(h, CURLUPART_URL, &h_str, 0);
++ if(rc)
++ goto err;
++
++ rc = curl_url_get(copy, CURLUPART_URL, ©_str, 0);
++ if(rc)
++ goto err;
++
++ if(strcmp(h_str, copy_str)) {
++ printf("Original: %s\nParsed: %s\nCopy: %s\n",
++ url[i], h_str, copy_str);
++ goto err;
++ }
++ curl_free(copy_str);
++ curl_free(h_str);
++ curl_url_cleanup(copy);
++ copy_str = NULL;
++ h_str = NULL;
++ copy = NULL;
++ }
++ curl_url_cleanup(h);
++ return 0;
++err:
++ curl_free(copy_str);
++ curl_free(h_str);
++ curl_url_cleanup(copy);
++ curl_url_cleanup(h);
++ return 1;
++}
++
+ int test(char *URL)
+ {
+ (void)URL; /* not used */
+
++ if(urldup())
++ return 11;
++
+ if(get_url())
+ return 3;
+
diff --git a/backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch b/backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch
new file mode 100644
index 0000000..bf475bc
--- /dev/null
+++ b/backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch
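Review bot: In the added `urldup()` test the result of `copy = curl_url_dup(h);` is not checked, so a failed duplication is only caught indirectly when `curl_url_get(copy, ...)` rejects the NULL handle; adding `if(!copy) goto err;` right after the call makes the failure point explicit. The test also compares only the full URL strings, so the zone id that `DUP(u, in, zoneid);` now copies is exercised by the first entry alone (`%25eth0`); an extra comparison of `CURLUPART_ZONEID` between `h` and `copy` would pin the fix directly, which matters because a duplicate that silently loses the scope of a link-local address no longer names the same interface. The `©_str` argument shown here is presumably `&copy_str` mangled by the page rendering; confirm the stored patch file carries the ampersand form. `curl_url_dup()` begins and ends outside the inner hunk, so the `DUP` macro's failure path is not visible here.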
@@ -0,0 +1,41 @@
+From a4a5e438ae533c9af5e97457ae424c9189545105 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 12 Jun 2023 14:10:37 +0200
+Subject: [PATCH] vtls: avoid memory leak if sha256 call fails
+
+... in the pinned public key handling function.
+
+Reported-by: lizhuang0630 on github
+Fixes #11306
+Closes #11307
+
+Conflict: NA
+Reference: https://github.com/curl/curl/commit/a4a5e438ae533c9af5e97457ae424c9189545105
+---
+ lib/vtls/vtls.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index a4ff7d61a6193..cdd3a4fdc1c14 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -907,14 +907,12 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
+ if(!sha256sumdigest)
+ return CURLE_OUT_OF_MEMORY;
+ encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
+- sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
++ sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
+
+- if(encode != CURLE_OK)
+- return encode;
+-
+- encode = Curl_base64_encode((char *)sha256sumdigest,
+- CURL_SHA256_DIGEST_LENGTH, &encoded,
+- &encodedlen);
++ if(!encode)
++ encode = Curl_base64_encode((char *)sha256sumdigest,
++ CURL_SHA256_DIGEST_LENGTH, &encoded,
++ &encodedlen);
+ Curl_safefree(sha256sumdigest);
+
+ if(encode)
diff --git a/curl.spec b/curl.spec
index 5c88cd8..0ce9cb8 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@ Name: curl
 Version: 8.1.2
-Release: 2
+Release: 3
 Summary: Curl is used in command lines or scripts to transfer data
 License: curl
 URL: https://curl.se/
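Review bot: The rewritten block in `Curl_pin_peer_pubkey` relies on `encode` carrying a `sha256sum` failure past `Curl_safefree(sha256sumdigest);` into the trailing `if(encode)`, and nothing in the code says so. A one-line comment above `if(!encode)`, for example `/* on hash failure skip the encode, still free the digest; the error is handled below */`, would keep a later edit from restoring the early return and the leak. The body of `if(encode)` lies outside the hunk, so confirm it returns the error: this is the pinned-public-key check, and a failed hash must end in an error, never in a comparison against an unset `encoded`.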
@@ -16,6 +16,8 @@ Patch1: backport-0101-curl-7.32.0-multilib.patch
 Patch2: backport-curl-7.84.0-test3026.patch
 Patch4: backport-curl-7.88.0-tests-warnings.patch
 Patch5: backport-CVE-2023-32001.patch
+Patch6: backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch
+Patch7: backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch
 BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
@@ -200,6 +202,13 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 %changelog
+* Wed Sep 06 2023 yanglu - 8.1.2-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:vtls:avoid memory leak if sha256 call fails
+ urlapi:make sure zoneid is also duplicated in curl_url_dup
+
 * Thu Jul 20 2023 zhouyihang - 8.1.2-2
 - Type:CVE
 - CVE:CVE-2023-32001