diff --git a/backport-001-CVE-2022-27774.patch b/backport-001-CVE-2022-27774.patch
deleted file mode 100644
index 7c859de..0000000
--- a/backport-001-CVE-2022-27774.patch
+++ /dev/null
@@ -1,77 +0,0 @@ -From 620ea21410030a9977396b4661806bc187231b79 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 16:24:33 +0200 -Subject: [PATCH] transfer: redirects to other protocols or ports clear auth - -... unless explicitly permitted. - -Bug: https://curl.se/docs/CVE-2022-27774.html -Reported-by: Harry Sintonen -Closes #8748 ---- - lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 48 insertions(+), 1 deletion(-) - -diff --git a/lib/transfer.c b/lib/transfer.c -index 53ef0b03b8e0..315da876c4a8 100644 ---- a/lib/transfer.c -+++ b/lib/transfer.c -@@ -1611,10 +1611,57 @@ CURLcode Curl_follow(struct Curl_easy *data, - return CURLE_OUT_OF_MEMORY; - } - else { -- - uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); - if(uc) - return Curl_uc_to_curlcode(uc); -+ -+ /* Clear auth if this redirects to a different port number or protocol, -+ unless permitted */ -+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { -+ char *portnum; -+ int port; -+ bool clear = FALSE; -+ -+ if(data->set.use_port && data->state.allow_port) -+ /* a custom port is used */ -+ port = (int)data->set.use_port; -+ else { -+ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, -+ CURLU_DEFAULT_PORT); -+ if(uc) { -+ free(newurl); -+ return Curl_uc_to_curlcode(uc); -+ } -+ port = atoi(portnum); -+ free(portnum); -+ } -+ if(port != data->info.conn_remote_port) { -+ infof(data, "Clear auth, redirects to port from %u to %u", -+ data->info.conn_remote_port, port); -+ clear = TRUE; -+ } -+ else { -+ char *scheme; -+ const struct Curl_handler *p; -+ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); -+ if(uc) { -+ free(newurl); -+ return Curl_uc_to_curlcode(uc); -+ } -+ -+ p = Curl_builtin_scheme(scheme); -+ if(p && (p->protocol != data->info.conn_protocol)) { -+ infof(data, "Clear auth, redirects scheme from %s to %s", -+ data->info.conn_scheme, scheme); -+ clear = TRUE; -+ } -+ free(scheme); -+ 
} -+ if(clear) { -+ Curl_safefree(data->state.aptr.user); -+ Curl_safefree(data->state.aptr.passwd); -+ } -+ } - } - - if(type == FOLLOW_FAKE) { diff --git a/backport-002-CVE-2022-27774.patch b/backport-002-CVE-2022-27774.patch deleted file mode 100644 index 4021d7c..0000000 --- a/backport-002-CVE-2022-27774.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 17:59:15 +0200 -Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either - -Follow-up to 620ea21410030 - -Reported-by: Harry Sintonen -Closes #8751 ---- - lib/http.c | 10 +++++----- - lib/http.h | 6 ++++++ - lib/vtls/openssl.c | 3 ++- - 3 files changed, 13 insertions(+), 6 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index f0476f3b9272..0d5c449bc72a 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data, - } - - /* -- * allow_auth_to_host() tells if autentication, cookies or other "sensitive -- * data" can (still) be sent to this host. -+ * Curl_allow_auth_to_host() tells if authentication, cookies or other -+ * "sensitive data" can (still) be sent to this host. - */ --static bool allow_auth_to_host(struct Curl_easy *data) -+bool Curl_allow_auth_to_host(struct Curl_easy *data) - { - struct connectdata *conn = data->conn; - return (!data->state.this_is_a_follow || -@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data, - - /* To prevent the user+password to get sent to other than the original host - due to a location-follow */ -- if(allow_auth_to_host(data) -+ if(Curl_allow_auth_to_host(data) - #ifndef CURL_DISABLE_NETRC - || conn->bits.netrc - #endif -@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, - checkprefix("Cookie:", compare)) && - /* be careful of sending this potentially sensitive header to - other hosts */ -- !allow_auth_to_host(data)) -+ !Curl_allow_auth_to_host(data)) - ; - else { - #ifdef USE_HYPER -diff --git a/lib/http.h b/lib/http.h -index 0972261e63bd..c4ab3c22dec9 100644 ---- a/lib/http.h -+++ b/lib/http.h -@@ -364,4 +364,10 @@ Curl_http_output_auth(struct Curl_easy *data, - bool proxytunnel); /* TRUE if this is the request setting - up the proxy tunnel */ - -+/* -+ * 
Curl_allow_auth_to_host() tells if authentication, cookies or other -+ * "sensitive data" can (still) be sent to this host. -+ */ -+bool Curl_allow_auth_to_host(struct Curl_easy *data); -+ - #endif /* HEADER_CURL_HTTP_H */ -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 5d8e2d39d8e2..3722005d44e9 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -2924,7 +2924,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, - #endif - - #ifdef USE_OPENSSL_SRP -- if(ssl_authtype == CURL_TLSAUTH_SRP) { -+ if((ssl_authtype == CURL_TLSAUTH_SRP) && -+ Curl_allow_auth_to_host(data)) { - char * const ssl_username = SSL_SET_OPTION(username); - - infof(data, "Using TLS-SRP username: %s", ssl_username); diff --git a/backport-0101-curl-7.32.0-multilib.patch b/backport-0101-curl-7.32.0-multilib.patch index b22af55..07d2a31 100644 --- a/backport-0101-curl-7.32.0-multilib.patch +++ b/backport-0101-curl-7.32.0-multilib.patch @@ -44,7 +44,7 @@ index 150004d..95d0759 100644 --static-libs) - if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ - else - echo "curl was built with static libraries disabled" >&2 - exit 1 diff --git a/backport-CVE-2022-22576.patch b/backport-CVE-2022-22576.patch deleted file mode 100644 index 99d1525..0000000 --- a/backport-CVE-2022-22576.patch +++ /dev/null 
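Review bot: The refreshed removed-line of the multilib patch, `- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@`, has to match the rebased upstream curl-config.in byte for byte or the patch stops applying, and this hunk refreshes only that one line while the surrounding `--static-libs)` branch is left as it was, so an actual build against the new base is the only real check that the rest of the patch still applies. Separately, this commit deletes the backports for CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776, CVE-2022-27781 and CVE-2022-27782 (the pure-deletion hunks before and after this one), and nothing in view, no spec or version change, shows that the new base release already carries those fixes. The version bump or changelog entry that justifies dropping them should accompany these deletions so it is verifiable that the fixes are not silently lost.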
@@ -1,142 +0,0 @@ -From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat -Date: Mon, 25 Apr 2022 11:44:05 +0200 -Subject: [PATCH] url: check sasl additional parameters for connection reuse. - -Also move static function safecmp() as non-static Curl_safecmp() since -its purpose is needed at several places. - -Bug: https://curl.se/docs/CVE-2022-22576.html - -CVE-2022-22576 - -Closes #8746 ---- - lib/strcase.c | 10 ++++++++++ - lib/strcase.h | 2 ++ - lib/url.c | 13 ++++++++++++- - lib/urldata.h | 1 + - lib/vtls/vtls.c | 21 ++++++--------------- - 5 files changed, 31 insertions(+), 16 deletions(-) - -diff --git a/lib/strcase.c b/lib/strcase.c -index dd46ca1ba0e5..692a3f14aee7 100644 ---- a/lib/strcase.c -+++ b/lib/strcase.c -@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n) - } while(*src++ && --n); - } - -+/* Compare case-sensitive NUL-terminated strings, taking care of possible -+ * null pointers. Return true if arguments match. 
-+ */ -+bool Curl_safecmp(char *a, char *b) -+{ -+ if(a && b) -+ return !strcmp(a, b); -+ return !a && !b; -+} -+ - /* --- public functions --- */ - - int curl_strequal(const char *first, const char *second) -diff --git a/lib/strcase.h b/lib/strcase.h -index b234d3815220..2635f5117e99 100644 ---- a/lib/strcase.h -+++ b/lib/strcase.h -@@ -49,4 +49,6 @@ char Curl_raw_toupper(char in); - void Curl_strntoupper(char *dest, const char *src, size_t n); - void Curl_strntolower(char *dest, const char *src, size_t n); - -+bool Curl_safecmp(char *a, char *b); -+ - #endif /* HEADER_CURL_STRCASE_H */ -diff --git a/lib/url.c b/lib/url.c -index 9a988b4d58d8..e1647b133854 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -781,6 +781,7 @@ static void conn_free(struct connectdata *conn) - Curl_safefree(conn->passwd); - Curl_safefree(conn->sasl_authzid); - Curl_safefree(conn->options); -+ Curl_safefree(conn->oauth_bearer); - Curl_dyn_free(&conn->trailer); - Curl_safefree(conn->host.rawalloc); /* host name buffer */ - Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ -@@ -1342,7 +1343,9 @@ ConnectionExists(struct Curl_easy *data, - /* This protocol requires credentials per connection, - so verify that we're using the same name and password as well */ - if(strcmp(needle->user, check->user) || -- strcmp(needle->passwd, check->passwd)) { -+ strcmp(needle->passwd, check->passwd) || -+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || -+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { - /* one of them was different */ - continue; - } -@@ -3637,6 +3640,14 @@ static CURLcode create_conn(struct Curl_easy *data, - } - } - -+ if(data->set.str[STRING_BEARER]) { -+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); -+ if(!conn->oauth_bearer) { -+ result = CURLE_OUT_OF_MEMORY; -+ goto out; -+ } -+ } -+ - #ifdef USE_UNIX_SOCKETS - if(data->set.str[STRING_UNIX_SOCKET_PATH]) { - conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]); -diff 
--git a/lib/urldata.h b/lib/urldata.h -index 07eb19b87034..1d89b8d7fa68 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -984,6 +984,7 @@ struct connectdata { - char *passwd; /* password string, allocated */ - char *options; /* options string, allocated */ - char *sasl_authzid; /* authorisation identity string, allocated */ -+ char *oauth_bearer; /* OAUTH2 bearer, allocated */ - unsigned char httpversion; /* the HTTP version*10 reported by the server */ - struct curltime now; /* "current" time */ - struct curltime created; /* creation time */ -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index 03b85ba065e5..a40ac06f684f 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) - return !memcmp(first->data, second->data, first->len); /* same data */ - } - --static bool safecmp(char *a, char *b) --{ -- if(a && b) -- return !strcmp(a, b); -- else if(!a && !b) -- return TRUE; /* match */ -- return FALSE; /* no match */ --} -- - - bool - Curl_ssl_config_matches(struct ssl_primary_config *data, -@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, - blobcmp(data->cert_blob, needle->cert_blob) && - blobcmp(data->ca_info_blob, needle->ca_info_blob) && - blobcmp(data->issuercert_blob, needle->issuercert_blob) && -- safecmp(data->CApath, needle->CApath) && -- safecmp(data->CAfile, needle->CAfile) && -- safecmp(data->issuercert, needle->issuercert) && -- safecmp(data->clientcert, needle->clientcert) && -- safecmp(data->random_file, needle->random_file) && -- safecmp(data->egdsocket, needle->egdsocket) && -+ Curl_safecmp(data->CApath, needle->CApath) && -+ Curl_safecmp(data->CAfile, needle->CAfile) && -+ Curl_safecmp(data->issuercert, needle->issuercert) && -+ Curl_safecmp(data->clientcert, needle->clientcert) && -+ Curl_safecmp(data->random_file, needle->random_file) && -+ Curl_safecmp(data->egdsocket, needle->egdsocket) && - 
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && - Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && - Curl_safe_strcasecompare(data->curves, needle->curves) && diff --git a/backport-CVE-2022-27775.patch b/backport-CVE-2022-27775.patch deleted file mode 100644 index 606ba9c..0000000 --- a/backport-CVE-2022-27775.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 058f98dc3fe595f21dc26a5b9b1699e519ba5705 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 11:48:00 +0200 -Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey - -Make connections to two separate IPv6 zone ids create separate -connections. - -Reported-by: Harry Sintonen -Bug: https://curl.se/docs/CVE-2022-27775.html -Closes #8747 ---- - lib/conncache.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/lib/conncache.c b/lib/conncache.c -index ec669b971dc3..8948b53fa500 100644 ---- a/lib/conncache.c -+++ b/lib/conncache.c -@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf, - /* report back which name we used */ - *hostp = hostname; - -- /* put the number first so that the hostname gets cut off if too long */ -- msnprintf(buf, len, "%ld%s", port, hostname); -+ /* put the numbers first so that the hostname gets cut off if too long */ -+#ifdef ENABLE_IPV6 -+ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname); -+#else -+ msnprintf(buf, len, "%ld/%s", port, hostname); -+#endif - Curl_strntolower(buf, buf, len); - } - diff --git a/backport-CVE-2022-27776.patch b/backport-CVE-2022-27776.patch deleted file mode 100644 index e1f169e..0000000 --- a/backport-CVE-2022-27776.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 13:05:40 +0200 -Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port - -CVE-2022-27776 - -Reported-by: Harry Sintonen -Bug: https://curl.se/docs/CVE-2022-27776.html -Closes #8749 ---- - lib/http.c | 34 ++++++++++++++++++++++------------ - lib/urldata.h | 16 +++++++++------- - 2 files changed, 31 insertions(+), 19 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index ce79fc4e31c8..f0476f3b9272 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data, - return CURLE_OK; - } - -+/* -+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive -+ * data" can (still) be sent to this host. -+ */ -+static bool allow_auth_to_host(struct Curl_easy *data) -+{ -+ struct connectdata *conn = data->conn; -+ return (!data->state.this_is_a_follow || -+ data->set.allow_auth_to_other_hosts || -+ (data->state.first_host && -+ strcasecompare(data->state.first_host, conn->host.name) && -+ (data->state.first_remote_port == conn->remote_port) && -+ (data->state.first_remote_protocol == conn->handler->protocol))); -+} -+ - /** - * Curl_http_output_auth() setups the authentication headers for the - * host/proxy and the correct authentication -@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data, - with it */ - authproxy->done = TRUE; - -- /* To prevent the user+password to get sent to other than the original -- host due to a location-follow, we do some weirdo checks here */ -- if(!data->state.this_is_a_follow || -+ /* To prevent the user+password to get sent to other than the original host -+ due to a location-follow */ -+ if(allow_auth_to_host(data) - #ifndef CURL_DISABLE_NETRC -- conn->bits.netrc || -+ || conn->bits.netrc - #endif -- !data->state.first_host || -- data->set.allow_auth_to_other_hosts || -- strcasecompare(data->state.first_host, 
conn->host.name)) { -+ ) - result = output_auth_headers(data, conn, authhost, request, path, FALSE); -- } - else - authhost->done = TRUE; - -@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, - checkprefix("Cookie:", compare)) && - /* be careful of sending this potentially sensitive header to - other hosts */ -- (data->state.this_is_a_follow && -- data->state.first_host && -- !data->set.allow_auth_to_other_hosts && -- !strcasecompare(data->state.first_host, conn->host.name))) -+ !allow_auth_to_host(data)) - ; - else { - #ifdef USE_HYPER -@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) - return CURLE_OUT_OF_MEMORY; - - data->state.first_remote_port = conn->remote_port; -+ data->state.first_remote_protocol = conn->handler->protocol; - } - Curl_safefree(data->state.aptr.host); - -diff --git a/lib/urldata.h b/lib/urldata.h -index 1d89b8d7fa68..ef2174d9e727 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1329,14 +1329,16 @@ struct UrlState { - char *ulbuf; /* allocated upload buffer or NULL */ - curl_off_t current_speed; /* the ProgressShow() function sets this, - bytes / second */ -- char *first_host; /* host name of the first (not followed) request. -- if set, this should be the host name that we will -- sent authorization to, no else. Used to make Location: -- following not keep sending user+password... This is -- strdup() data. -- */ -+ -+ /* host name, port number and protocol of the first (not followed) request. -+ if set, this should be the host name that we will sent authorization to, -+ no else. Used to make Location: following not keep sending user+password. -+ This is strdup()ed data. 
*/ -+ char *first_host; -+ int first_remote_port; -+ unsigned int first_remote_protocol; -+ - int retrycount; /* number of retries on a new connection */ -- int first_remote_port; /* remote port of the first (not followed) request */ - struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */ - long sessionage; /* number of the most recent session */ - struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */ diff --git a/backport-CVE-2022-27781.patch b/backport-CVE-2022-27781.patch deleted file mode 100644 index a3aabe6..0000000 --- a/backport-CVE-2022-27781.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 5c7da89d404bf59c8dd82a001119a16d18365917 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 9 May 2022 10:07:15 +0200 -Subject: [PATCH] nss: return error if seemingly stuck in a cert loop -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CVE-2022-27781 - -Reported-by: Florian Kohnhäuser -Bug: https://curl.se/docs/CVE-2022-27781.html -Closes #8822 ---- - lib/vtls/nss.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c -index 5b7de9f81895..569c0628feb5 100644 ---- a/lib/vtls/nss.c -+++ b/lib/vtls/nss.c -@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data, - PR_Free(common_name); - } - -+/* A number of certs that will never occur in a real server handshake */ -+#define TOO_MANY_CERTS 300 -+ - static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) - { - CURLcode result = CURLE_OK; -@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) - cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); - while(cert2) { - i++; -+ if(i >= TOO_MANY_CERTS) { -+ CERT_DestroyCertificate(cert2); -+ failf(data, "certificate loop"); -+ return CURLE_SSL_CERTPROBLEM; -+ } - if(cert2->isRoot) { - CERT_DestroyCertificate(cert2); - break; 
diff --git a/backport-CVE-2022-27782.patch b/backport-CVE-2022-27782.patch
deleted file mode 100644
index 093cdf9..0000000
--- a/backport-CVE-2022-27782.patch
+++ /dev/null
@@ -1,489 +0,0 @@ -Backport of: - -From 222b896a07ed1e183e7eacd6df10fc23264bd820 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 6 May 2022 10:48:58 +0200 -Subject: [PATCH 1/2] tls: check more TLS details for connection reuse - -CVE-2022-27782 - -Reported-by: Harry Sintonen -Bug: https://curl.se/docs/CVE-2022-27782.html ---- - lib/setopt.c | 29 +++++++++++++++++------------ - lib/url.c | 23 ++++++++++++++++------- - lib/urldata.h | 13 +++++++------ - lib/vtls/gtls.c | 32 +++++++++++++++++--------------- - lib/vtls/mbedtls.c | 2 +- - lib/vtls/nss.c | 6 +++--- - lib/vtls/openssl.c | 10 +++++----- - lib/vtls/vtls.c | 21 +++++++++++++++++++++ - 8 files changed, 87 insertions(+), 49 deletions(-) - ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -2317,6 +2317,7 @@ CURLcode Curl_vsetopt(struct Curl_easy * - - case CURLOPT_SSL_OPTIONS: - arg = va_arg(param, long); -+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); - data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); - data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); - data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); -@@ -2330,6 +2331,7 @@ CURLcode Curl_vsetopt(struct Curl_easy * - #ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_SSL_OPTIONS: - arg = va_arg(param, long); -+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); - data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); - data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); - data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); -@@ -2766,49 +2768,52 @@ CURLcode Curl_vsetopt(struct Curl_easy * - case CURLOPT_TLSAUTH_USERNAME: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], - va_arg(param, char *)); -- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) -- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ if(data->set.str[STRING_TLSAUTH_USERNAME] && -+ 
!data->set.ssl.primary.authtype) -+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ - break; - case CURLOPT_PROXY_TLSAUTH_USERNAME: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], - va_arg(param, char *)); - #ifndef CURL_DISABLE_PROXY - if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && -- !data->set.proxy_ssl.authtype) -- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ !data->set.proxy_ssl.primary.authtype) -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to -+ SRP */ - #endif - break; - case CURLOPT_TLSAUTH_PASSWORD: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], - va_arg(param, char *)); -- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) -- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ if(data->set.str[STRING_TLSAUTH_USERNAME] && -+ !data->set.ssl.primary.authtype) -+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ - break; - case CURLOPT_PROXY_TLSAUTH_PASSWORD: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], - va_arg(param, char *)); - #ifndef CURL_DISABLE_PROXY - if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && -- !data->set.proxy_ssl.authtype) -- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ !data->set.proxy_ssl.primary.authtype) -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ - #endif - break; - case CURLOPT_TLSAUTH_TYPE: - argptr = va_arg(param, char *); - if(!argptr || - strncasecompare(argptr, "SRP", strlen("SRP"))) -- data->set.ssl.authtype = CURL_TLSAUTH_SRP; -+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; - else -- data->set.ssl.authtype = CURL_TLSAUTH_NONE; -+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; - break; - #ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_TLSAUTH_TYPE: - argptr = va_arg(param, char *); - if(!argptr || - strncasecompare(argptr, "SRP", strlen("SRP"))) -- 
data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; - else -- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; - break; - #endif - #endif ---- a/lib/url.c -+++ b/lib/url.c -@@ -556,7 +556,7 @@ CURLcode Curl_init_userdefined(struct Cu - set->ssl.primary.verifypeer = TRUE; - set->ssl.primary.verifyhost = TRUE; - #ifdef USE_TLS_SRP -- set->ssl.authtype = CURL_TLSAUTH_NONE; -+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; - #endif - set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth - type */ -@@ -1114,6 +1114,12 @@ static void prune_dead_connections(struc - } - } - -+static bool ssh_config_matches(struct connectdata *one, -+ struct connectdata *two) -+{ -+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && -+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); -+} - /* - * Given one filled in connection struct (named needle), this function should - * detect if there already is one that has all the significant details -@@ -1372,6 +1378,11 @@ ConnectionExists(struct Curl_easy *data, - (data->state.httpwant < CURL_HTTP_VERSION_2_0)) - continue; - -+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { -+ if(!ssh_config_matches(needle, check)) -+ continue; -+ } -+ - if((needle->handler->flags&PROTOPT_SSL) - #ifndef CURL_DISABLE_PROXY - || !needle->bits.httpproxy || needle->bits.tunnel_proxy -@@ -1772,11 +1783,17 @@ static struct connectdata *allocate_conn - conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; - conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; - conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; -+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; -+#ifdef USE_TLS_SRP -+#endif - #ifndef CURL_DISABLE_PROXY - conn->proxy_ssl_config.verifystatus = - data->set.proxy_ssl.primary.verifystatus; - conn->proxy_ssl_config.verifypeer = 
data->set.proxy_ssl.primary.verifypeer; - conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; -+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; -+#ifdef USE_TLS_SRP -+#endif - #endif - conn->ip_version = data->set.ipver; - conn->bits.connect_only = data->set.connect_only; -@@ -3839,7 +3856,8 @@ static CURLcode create_conn(struct Curl_ - data->set.str[STRING_SSL_ISSUERCERT_PROXY]; - data->set.proxy_ssl.primary.issuercert_blob = - data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; -- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; -+ data->set.proxy_ssl.primary.CRLfile = -+ data->set.str[STRING_SSL_CRLFILE_PROXY]; - data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; - data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; - data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; -@@ -3847,18 +3865,20 @@ static CURLcode create_conn(struct Curl_ - data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; - data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; - #endif -- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; -+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; - data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; - data->set.ssl.key = data->set.str[STRING_KEY]; - data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; - data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; - data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; - #ifdef USE_TLS_SRP -- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; -- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; -+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; -+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; - #ifndef CURL_DISABLE_PROXY -- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; -- data->set.proxy_ssl.password = 
data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; -+ data->set.proxy_ssl.primary.username = -+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; -+ data->set.proxy_ssl.primary.password = -+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; - #endif - #endif - data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -253,10 +253,17 @@ struct ssl_primary_config { - char *cipher_list; /* list of ciphers to use */ - char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ - char *pinned_key; -+ char *CRLfile; /* CRL to check certificate revocation */ - struct curl_blob *cert_blob; - struct curl_blob *ca_info_blob; - struct curl_blob *issuercert_blob; -+#ifdef USE_TLS_SRP -+ char *username; /* TLS username (for, e.g., SRP) */ -+ char *password; /* TLS password (for, e.g., SRP) */ -+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ -+#endif - char *curves; /* list of curves to use */ -+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ - BIT(verifypeer); /* set TRUE if this is desired */ - BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ - BIT(verifystatus); /* set TRUE if certificate status must be checked */ -@@ -266,7 +273,6 @@ struct ssl_primary_config { - struct ssl_config_data { - struct ssl_primary_config primary; - long certverifyresult; /* result from the certificate verification */ -- char *CRLfile; /* CRL to check certificate revocation */ - curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ - void *fsslctxp; /* parameter for call back */ - char *cert_type; /* format for certificate (default: PEM)*/ -@@ -274,11 +280,6 @@ struct ssl_config_data { - struct curl_blob *key_blob; - char *key_type; /* format for private key (default: PEM) */ - char *key_passwd; /* plain text private key password */ --#ifdef USE_TLS_SRP -- char *username; /* TLS username (for, e.g., SRP) */ -- char *password; /* TLS password (for, e.g., SRP) */ -- enum CURL_TLSAUTH authtype; /* TLS 
authentication type (default SRP) */ --#endif - BIT(certinfo); /* gather lots of certificate info */ - BIT(falsestart); - BIT(enable_beast); /* allow this flaw for interoperability's sake*/ ---- a/lib/vtls/gtls.c -+++ b/lib/vtls/gtls.c -@@ -432,9 +432,10 @@ gtls_connect_step1(struct Curl_easy *dat - } - - #ifdef HAVE_GNUTLS_SRP -- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && -+ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && - Curl_allow_auth_to_host(data)) { -- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); -+ infof(data, "Using TLS-SRP username: %s", -+ SSL_SET_OPTION(primary.username)); - - rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); - if(rc != GNUTLS_E_SUCCESS) { -@@ -444,8 +445,8 @@ gtls_connect_step1(struct Curl_easy *dat - } - - rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, -- SSL_SET_OPTION(username), -- SSL_SET_OPTION(password)); -+ SSL_SET_OPTION(primary.username), -+ SSL_SET_OPTION(primary.password)); - if(rc != GNUTLS_E_SUCCESS) { - failf(data, "gnutls_srp_set_client_cred() failed: %s", - gnutls_strerror(rc)); -@@ -502,19 +503,19 @@ gtls_connect_step1(struct Curl_easy *dat - } - #endif - -- if(SSL_SET_OPTION(CRLfile)) { -+ if(SSL_SET_OPTION(primary.CRLfile)) { - /* set the CRL list file */ - rc = gnutls_certificate_set_x509_crl_file(backend->cred, -- SSL_SET_OPTION(CRLfile), -+ SSL_SET_OPTION(primary.CRLfile), - GNUTLS_X509_FMT_PEM); - if(rc < 0) { - failf(data, "error reading crl file %s (%s)", -- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); -+ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); - return CURLE_SSL_CRL_BADFILE; - } - else - infof(data, "found %d CRL in %s", -- rc, SSL_SET_OPTION(CRLfile)); -+ rc, SSL_SET_OPTION(primary.CRLfile)); - } - - /* Initialize TLS session as a client */ -@@ -581,7 +582,7 @@ gtls_connect_step1(struct Curl_easy *dat - #ifdef HAVE_GNUTLS_SRP - /* Only add SRP to the cipher list if SRP is requested. 
Otherwise - * GnuTLS will disable TLS 1.3 support. */ -- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { -+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { - size_t len = strlen(prioritylist); - - char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); -@@ -676,7 +677,7 @@ gtls_connect_step1(struct Curl_easy *dat - - #ifdef HAVE_GNUTLS_SRP - /* put the credentials to the current session */ -- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { -+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { - rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, - backend->srp_client_cred); - if(rc != GNUTLS_E_SUCCESS) { -@@ -855,8 +856,8 @@ Curl_gtls_verifyserver(struct Curl_easy - SSL_CONN_CONFIG(verifyhost) || - SSL_CONN_CONFIG(issuercert)) { - #ifdef HAVE_GNUTLS_SRP -- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP -- && SSL_SET_OPTION(username) != NULL -+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP -+ && SSL_SET_OPTION(primary.username) - && !SSL_CONN_CONFIG(verifypeer) - && gnutls_cipher_get(session)) { - /* no peer cert, but auth is ok if we have SRP user and cipher and no -@@ -914,7 +915,8 @@ Curl_gtls_verifyserver(struct Curl_easy - failf(data, "server certificate verification failed. CAfile: %s " - "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): - "none", -- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); -+ SSL_SET_OPTION(primary.CRLfile) ? 
-+ SSL_SET_OPTION(primary.CRLfile) : "none"); - return CURLE_PEER_FAILED_VERIFICATION; - } - else -@@ -1531,8 +1533,8 @@ static int gtls_shutdown(struct Curl_eas - gnutls_certificate_free_credentials(backend->cred); - - #ifdef HAVE_GNUTLS_SRP -- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP -- && SSL_SET_OPTION(username) != NULL) -+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP -+ && SSL_SET_OPTION(primary.username) != NULL) - gnutls_srp_free_client_credentials(backend->srp_client_cred); - #endif - ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -2653,7 +2653,7 @@ static CURLcode ossl_connect_step1(struc - #endif - const long int ssl_version = SSL_CONN_CONFIG(version); - #ifdef USE_OPENSSL_SRP -- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); -+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); - #endif - char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); - const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); -@@ -2664,7 +2664,7 @@ static CURLcode ossl_connect_step1(struc - (ca_info_blob ? 
NULL : SSL_CONN_CONFIG(CAfile)); - const char * const ssl_capath = SSL_CONN_CONFIG(CApath); - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); -- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); -+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); - char error_buffer[256]; - struct ssl_backend_data *backend = connssl->backend; - bool imported_native_ca = false; -@@ -2914,15 +2914,15 @@ static CURLcode ossl_connect_step1(struc - #ifdef USE_OPENSSL_SRP - if((ssl_authtype == CURL_TLSAUTH_SRP) && - Curl_allow_auth_to_host(data)) { -- char * const ssl_username = SSL_SET_OPTION(username); -- -+ char * const ssl_username = SSL_SET_OPTION(primary.username); -+ char * const ssl_password = SSL_SET_OPTION(primary.password); - infof(data, "Using TLS-SRP username: %s", ssl_username); - - if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { - failf(data, "Unable to set SRP user name"); - return CURLE_BAD_FUNCTION_ARGUMENT; - } -- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { -+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { - failf(data, "failed setting SRP password"); - return CURLE_BAD_FUNCTION_ARGUMENT; - } ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_prima - { - if((data->version == needle->version) && - (data->version_max == needle->version_max) && -+ (data->ssl_options == needle->ssl_options) && - (data->verifypeer == needle->verifypeer) && - (data->verifyhost == needle->verifyhost) && - (data->verifystatus == needle->verifystatus) && -@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_prima - Curl_safecmp(data->clientcert, needle->clientcert) && - Curl_safecmp(data->random_file, needle->random_file) && - Curl_safecmp(data->egdsocket, needle->egdsocket) && -+#ifdef USE_TLS_SRP -+ Curl_safecmp(data->username, needle->username) && -+ Curl_safecmp(data->password, needle->password) && -+ (data->authtype == needle->authtype) && -+#endif - 
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && - Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && - Curl_safe_strcasecompare(data->curves, needle->curves) && -+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && - Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) - return TRUE; - -@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl - dest->verifyhost = source->verifyhost; - dest->verifystatus = source->verifystatus; - dest->sessionid = source->sessionid; -+ dest->ssl_options = source->ssl_options; -+#ifdef USE_TLS_SRP -+ dest->authtype = source->authtype; -+#endif - - CLONE_BLOB(cert_blob); - CLONE_BLOB(ca_info_blob); -@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl - CLONE_STRING(cipher_list13); - CLONE_STRING(pinned_key); - CLONE_STRING(curves); -+ CLONE_STRING(CRLfile); -+#ifdef USE_TLS_SRP -+ CLONE_STRING(username); -+ CLONE_STRING(password); -+#endif - - return TRUE; - } -@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct - Curl_safefree(sslc->ca_info_blob); - Curl_safefree(sslc->issuercert_blob); - Curl_safefree(sslc->curves); -+ Curl_safefree(sslc->CRLfile); -+#ifdef USE_TLS_SRP -+ Curl_safefree(sslc->username); -+ Curl_safefree(sslc->password); -+#endif - } - - #ifdef USE_SSL ---- a/lib/vssh/ssh.h -+++ b/lib/vssh/ssh.h -@@ -7,7 +7,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. 
The terms -@@ -131,8 +131,8 @@ struct ssh_conn { - - /* common */ - const char *passphrase; /* pass-phrase to use */ -- char *rsa_pub; /* path name */ -- char *rsa; /* path name */ -+ char *rsa_pub; /* strdup'ed public key file */ -+ char *rsa; /* strdup'ed private key file */ - bool authed; /* the connection has been authenticated fine */ - bool acceptfail; /* used by the SFTP_QUOTE (continue if - quote command fails) */ ---- a/lib/vtls/nss.c -+++ b/lib/vtls/nss.c -@@ -1996,13 +1996,13 @@ static CURLcode nss_setup_connect(struct - } - } - -- if(SSL_SET_OPTION(CRLfile)) { -- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); -+ if(SSL_SET_OPTION(primary.CRLfile)) { -+ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); - if(rv) { - result = rv; - goto error; - } -- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); -+ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); - } - - if(SSL_SET_OPTION(primary.clientcert)) { -diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c -index 975094f4fa795..b60b9cac50d4f 100644 ---- a/lib/vtls/mbedtls.c -+++ b/lib/vtls/mbedtls.c -@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, - const char * const ssl_capath = SSL_CONN_CONFIG(CApath); - char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); - const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); -- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); -+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); - const char * const hostname = SSL_HOST_NAME(); - #ifndef CURL_DISABLE_VERBOSE_STRINGS - const long int port = SSL_HOST_PORT(); diff --git a/backport-CVE-2022-32205.patch b/backport-CVE-2022-32205.patch deleted file mode 100644 index 5353162..0000000 --- a/backport-CVE-2022-32205.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -From 631f95b7013ba017692d9512093746af93b4e327 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 19 May 2022 12:12:04 +0200 -Subject: [PATCH] cookie: apply limits - -- Send no more than 150 cookies per request -- Cap the max length used for a cookie: header to 8K -- Cap the max number of received Set-Cookie: headers to 50 -diff --git a/lib/cookie.c b/lib/cookie.c -index d418efa..51b3149 100644 ---- a/lib/cookie.c -+++ b/lib/cookie.c -@@ -469,6 +469,10 @@ Curl_cookie_add(struct Curl_easy *data, - (void)data; - #endif - -+ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */ -+ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT) -+ return NULL; -+ - /* First, alloc and init a new struct for it */ - co = calloc(1, sizeof(struct Cookie)); - if(!co) -@@ -808,7 +812,7 @@ Curl_cookie_add(struct Curl_easy *data, - freecookie(co); - return NULL; - } -- -+ data->req.setcookies++; - } - else { - /* -@@ -1346,7 +1350,8 @@ static struct Cookie *dup_cookie(struct Cookie *src) - * - * It shall only return cookies that haven't expired. - */ --struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, -+struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, -+ struct CookieInfo *c, - const char *host, const char *path, - bool secure) - { -@@ -1401,6 +1406,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, - mainco = newco; - - matches++; -+ if(matches >= MAX_COOKIE_SEND_AMOUNT) { -+ infof(data, "Included max number of cookies (%u) in request!", -+ matches); -+ break; -+ } - } - else - goto fail; -diff --git a/lib/cookie.h b/lib/cookie.h -index 0ffe08e..7411980 100644 ---- a/lib/cookie.h -+++ b/lib/cookie.h -@@ -81,10 +81,26 @@ struct CookieInfo { - */ - #define MAX_COOKIE_LINE 5000 - --/* This is the maximum length of a cookie name or content we deal with: */ -+/* Maximum length of an incoming cookie name or content we deal with. Longer -+ cookies are ignored. 
*/ - #define MAX_NAME 4096 - #define MAX_NAME_TXT "4095" - -+/* Maximum size for an outgoing cookie line libcurl will use in an http -+ request. This is the default maximum length used in some versions of Apache -+ httpd. */ -+#define MAX_COOKIE_HEADER_LEN 8190 -+ -+/* Maximum number of cookies libcurl will send in a single request, even if -+ there might be more cookies that match. One reason to cap the number is to -+ keep the maximum HTTP request within the maximum allowed size. */ -+#define MAX_COOKIE_SEND_AMOUNT 150 -+ -+/* Maximum number of Set-Cookie: lines accepted in a single response. If more -+ such header lines are received, they are ignored. This value must be less -+ than 256 since an unsigned char is used to count. */ -+#define MAX_SET_COOKIE_AMOUNT 50 -+ - struct Curl_easy; - /* - * Add a cookie to the internal list of cookies. The domain and path arguments -@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data, - const char *domain, const char *path, - bool secure); - --struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host, -+struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, -+ struct CookieInfo *c, const char *host, - const char *path, bool secure); - void Curl_cookie_freelist(struct Cookie *cookies); - void Curl_cookie_clearall(struct CookieInfo *cookies); -diff --git a/lib/http.c b/lib/http.c -index a07be0b..66c5645 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -2706,12 +2706,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, - } - - #if !defined(CURL_DISABLE_COOKIES) -+ - CURLcode Curl_http_cookies(struct Curl_easy *data, - struct connectdata *conn, - struct dynbuf *r) - { - CURLcode result = CURLE_OK; - char *addcookies = NULL; -+ bool linecap = FALSE; - if(data->set.str[STRING_COOKIE] && !Curl_checkheaders(data, "Cookie")) - addcookies = data->set.str[STRING_COOKIE]; - -@@ -2728,7 +2730,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, - !strcmp(host, 
"127.0.0.1") || - !strcmp(host, "[::1]") ? TRUE : FALSE; - Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); -- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path, -+ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path, - secure_context); - Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); - } -@@ -2742,6 +2744,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, - if(result) - break; - } -+ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >= -+ MAX_COOKIE_HEADER_LEN) { -+ infof(data, "Restricted outgoing cookies due to header size, " -+ "'%s' not sent", co->name); -+ linecap = TRUE; -+ break; -+ } - result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"", - co->name, co->value); - if(result) -@@ -2752,7 +2761,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, - } - Curl_cookie_freelist(store); - } -- if(addcookies && !result) { -+ if(addcookies && !result && !linecap) { - if(!count) - result = Curl_dyn_add(r, "Cookie: "); - if(!result) { -diff --git a/lib/urldata.h b/lib/urldata.h -index 9bd31b7..7060844 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -707,6 +707,7 @@ struct SingleRequest { - #ifndef CURL_DISABLE_DOH - struct dohdata *doh; /* DoH specific data for this request */ - #endif -+ unsigned char setcookies; - BIT(header); /* incoming data has HTTP header */ - BIT(content_range); /* set TRUE if Content-Range: was found */ - BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding diff --git a/backport-CVE-2022-32206.patch b/backport-CVE-2022-32206.patch deleted file mode 100644 index 4d8a47f..0000000 --- a/backport-CVE-2022-32206.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 7035676c3daa4f1c3766095561f12e7a0e82c736 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 16 May 2022 16:28:13 +0200 -Subject: [PATCH] content_encoding: return error on too many compression steps - -The max allowed steps is arbitrarily set to 5. ---- - lib/content_encoding.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -Index: curl-7.83.1/lib/content_encoding.c -=================================================================== ---- curl-7.83.1.orig/lib/content_encoding.c -+++ curl-7.83.1/lib/content_encoding.c -@@ -1026,12 +1026,16 @@ static const struct content_encoding *fi - return NULL; - } - -+/* allow no more than 5 "chained" compression steps */ -+#define MAX_ENCODE_STACK 5 -+ - /* Set-up the unencoding stack from the Content-Encoding header value. - * See RFC 7231 section 3.1.2.2. */ - CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, - const char *enclist, int maybechunked) - { - struct SingleRequest *k = &data->req; -+ int counter = 0; - - do { - const char *name; -@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(str - if(!encoding) - encoding = &error_encoding; /* Defer error at stack use. */ - -+ if(++counter >= MAX_ENCODE_STACK) { -+ failf(data, "Reject response due to %u content encodings", -+ counter); -+ return CURLE_BAD_CONTENT_ENCODING; -+ } - /* Stack the unencoding stage. */ - writer = new_unencoding_writer(data, encoding, k->writer_stack); - if(!writer) diff --git a/backport-CVE-2022-32207.patch b/backport-CVE-2022-32207.patch deleted file mode 100644 index 836cf16..0000000 --- a/backport-CVE-2022-32207.patch +++ /dev/null 
@@ -1,336 +0,0 @@ -From 3782dfda5fc4f45a19b1ce1b01ecf7206a3d304a Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 25 May 2022 10:09:53 +0200 -Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files - ---- - lib/Makefile.inc | 2 + - lib/cookie.c | 19 ++------- - lib/fopen.c | 106 +++++++++++++++++++++++++++++++++++++++++++++++ - lib/fopen.h | 28 +++++++++++++ - 4 files changed, 140 insertions(+), 15 deletions(-) - create mode 100644 lib/fopen.c - create mode 100644 lib/fopen.h - -Index: curl-7.81.0/lib/Makefile.inc -=================================================================== ---- curl-7.81.0.orig/lib/Makefile.inc -+++ curl-7.81.0/lib/Makefile.inc -@@ -131,6 +131,7 @@ LIB_CFILES = \ - escape.c \ - file.c \ - fileinfo.c \ -+ fopen.c \ - formdata.c \ - ftp.c \ - ftplistparser.c \ -@@ -263,6 +264,7 @@ LIB_HFILES = \ - escape.h \ - file.h \ - fileinfo.h \ -+ fopen.h \ - formdata.h \ - ftp.h \ - ftplistparser.h \ -Index: curl-7.81.0/lib/cookie.c -=================================================================== ---- curl-7.81.0.orig/lib/cookie.c -+++ curl-7.81.0/lib/cookie.c -@@ -96,8 +96,8 @@ Example set of cookies: - #include "curl_get_line.h" - #include "curl_memrchr.h" - #include "parsedate.h" --#include "rand.h" - #include "rename.h" -+#include "fopen.h" - - /* The last 3 #include files should be in this order */ - #include "curl_printf.h" -@@ -1612,20 +1612,9 @@ static CURLcode cookie_output(struct Cur - use_stdout = TRUE; - } - else { -- unsigned char randsuffix[9]; -- -- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) -- return 2; -- -- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); -- if(!tempstore) -- return CURLE_OUT_OF_MEMORY; -- -- out = fopen(tempstore, FOPEN_WRITETEXT); -- if(!out) { -- error = CURLE_WRITE_ERROR; -+ error = Curl_fopen(data, filename, &out, &tempstore); -+ if(error) - goto error; -- } - } - - fputs("# Netscape HTTP Cookie File\n" -@@ -1672,7 +1661,7 @@ static CURLcode 
cookie_output(struct Cur - if(!use_stdout) { - fclose(out); - out = NULL; -- if(Curl_rename(tempstore, filename)) { -+ if(tempstore && Curl_rename(tempstore, filename)) { - unlink(tempstore); - error = CURLE_WRITE_ERROR; - goto error; -Index: curl-7.81.0/lib/fopen.c -=================================================================== ---- /dev/null -+++ curl-7.81.0/lib/fopen.c -@@ -0,0 +1,106 @@ -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at https://curl.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ ***************************************************************************/ -+ -+#include "curl_setup.h" -+ -+#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ -+ !defined(CURL_DISABLE_HSTS) -+ -+#ifdef HAVE_FCNTL_H -+#include -+#endif -+ -+#include "urldata.h" -+#include "rand.h" -+#include "fopen.h" -+/* The last 3 #include files should be in this order */ -+#include "curl_printf.h" -+#include "curl_memory.h" -+#include "memdebug.h" -+ -+/* -+ * Curl_fopen() opens a file for writing with a temp name, to be renamed -+ * to the final name when completed. If there is an existing file using this -+ * name at the time of the open, this function will clone the mode from that -+ * file. 
if 'tempname' is non-NULL, it needs a rename after the file is -+ * written. -+ */ -+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, -+ FILE **fh, char **tempname) -+{ -+ CURLcode result = CURLE_WRITE_ERROR; -+ unsigned char randsuffix[9]; -+ char *tempstore = NULL; -+ struct_stat sb, nsb; -+ int fd = -1; -+ *tempname = NULL; -+ -+ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { -+ /* a non-regular file, fallback to direct fopen() */ -+ *fh = fopen(filename, FOPEN_WRITETEXT); -+ if(*fh) -+ return CURLE_OK; -+ goto fail; -+ } -+ -+ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); -+ if(result) -+ goto fail; -+ -+ tempstore = aprintf("%s.%s.tmp", filename, randsuffix); -+ if(!tempstore) { -+ result = CURLE_OUT_OF_MEMORY; -+ goto fail; -+ } -+ -+ result = CURLE_WRITE_ERROR; -+ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600); -+ if(fd == -1) -+ goto fail; -+ -+ if((fstat(fd, &nsb) != -1) && -+ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { -+ /* if the user and group are the same, clone the original mode */ -+ if(fchmod(fd, sb.st_mode) == -1) -+ goto fail; -+ } -+ -+ *fh = fdopen(fd, FOPEN_WRITETEXT); -+ if(!*fh) -+ goto fail; -+ -+ *tempname = tempstore; -+ return CURLE_OK; -+ -+fail: -+ if(fd != -1) { -+ close(fd); -+ unlink(tempstore); -+ } -+ -+ free(tempstore); -+ -+ *tempname = NULL; -+ return result; -+} -+ -+#endif /* ! disabled */ -Index: curl-7.81.0/lib/fopen.h -=================================================================== ---- /dev/null -+++ curl-7.81.0/lib/fopen.h -@@ -0,0 +1,28 @@ -+#ifndef HEADER_CURL_FOPEN_H -+#define HEADER_CURL_FOPEN_H -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. 
-+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at https://curl.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ ***************************************************************************/ -+ -+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, -+ FILE **fh, char **tempname); -+ -+#endif -Index: curl-7.81.0/lib/altsvc.c -=================================================================== ---- curl-7.81.0.orig/lib/altsvc.c -+++ curl-7.81.0/lib/altsvc.c -@@ -34,7 +34,7 @@ - #include "parsedate.h" - #include "sendf.h" - #include "warnless.h" --#include "rand.h" -+#include "fopen.h" - #include "rename.h" - - /* The last 3 #include files should be in this order */ -@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_ea - struct Curl_llist_element *n; - CURLcode result = CURLE_OK; - FILE *out; -- char *tempstore; -- unsigned char randsuffix[9]; -+ char *tempstore = NULL; - - if(!altsvc) - /* no cache activated */ -@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_ea - /* marked as read-only, no file or zero length file name */ - return CURLE_OK; - -- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) -- return CURLE_FAILED_INIT; -- -- tempstore = aprintf("%s.%s.tmp", file, randsuffix); -- if(!tempstore) -- return CURLE_OUT_OF_MEMORY; -- -- out = fopen(tempstore, FOPEN_WRITETEXT); -- if(!out) -- result = CURLE_WRITE_ERROR; -- else { -+ result = Curl_fopen(data, file, &out, &tempstore); -+ if(!result) { - fputs("# Your alt-svc cache. 
https://curl.se/docs/alt-svc.html\n" - "# This file was generated by libcurl! Edit at your own risk.\n", - out); -@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_ea - break; - } - fclose(out); -- if(!result && Curl_rename(tempstore, file)) -+ if(!result && tempstore && Curl_rename(tempstore, file)) - result = CURLE_WRITE_ERROR; - -- if(result) -+ if(result && tempstore) - unlink(tempstore); - } - free(tempstore); -Index: curl-7.81.0/lib/hsts.c -=================================================================== ---- curl-7.81.0.orig/lib/hsts.c -+++ curl-7.81.0/lib/hsts.c -@@ -35,7 +35,7 @@ - #include "sendf.h" - #include "strtoofft.h" - #include "parsedate.h" --#include "rand.h" -+#include "fopen.h" - #include "rename.h" - #include "strtoofft.h" - -@@ -334,8 +334,7 @@ CURLcode Curl_hsts_save(struct Curl_easy - struct Curl_llist_element *n; - CURLcode result = CURLE_OK; - FILE *out; -- char *tempstore; -- unsigned char randsuffix[9]; -+ char *tempstore = NULL; - - if(!h) - /* no cache activated */ -@@ -349,17 +348,8 @@ CURLcode Curl_hsts_save(struct Curl_easy - /* marked as read-only, no file or zero length file name */ - goto skipsave; - -- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) -- return CURLE_FAILED_INIT; -- -- tempstore = aprintf("%s.%s.tmp", file, randsuffix); -- if(!tempstore) -- return CURLE_OUT_OF_MEMORY; -- -- out = fopen(tempstore, FOPEN_WRITETEXT); -- if(!out) -- result = CURLE_WRITE_ERROR; -- else { -+ result = Curl_fopen(data, file, &out, &tempstore); -+ if(!result) { - fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n" - "# This file was generated by libcurl! Edit at your own risk.\n", - out); -@@ -371,10 +361,10 @@ CURLcode Curl_hsts_save(struct Curl_easy - break; - } - fclose(out); -- if(!result && Curl_rename(tempstore, file)) -+ if(!result && tempstore && Curl_rename(tempstore, file)) - result = CURLE_WRITE_ERROR; - -- if(result) -+ if(result && tempstore) - unlink(tempstore); - } - free(tempstore); 
diff --git a/backport-CVE-2022-32208.patch b/backport-CVE-2022-32208.patch deleted file mode 100644 index 6158851..0000000 --- a/backport-CVE-2022-32208.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 4c3f77e871820d055a5f6c4cd7a6ac47a7f3877d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 9 Jun 2022 09:27:24 +0200 -Subject: [PATCH] krb5: return error properly on decode errors - ---- - lib/krb5.c | 18 +++++++++++------- - 1 file changed, 11 insertions(+), 7 deletions(-) - -Index: curl-7.81.0/lib/krb5.c -=================================================================== ---- curl-7.81.0.orig/lib/krb5.c -+++ curl-7.81.0/lib/krb5.c -@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, i - enc.value = buf; - enc.length = len; - maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); -- if(maj != GSS_S_COMPLETE) { -- if(len >= 4) -- strcpy(buf, "599 "); -+ if(maj != GSS_S_COMPLETE) - return -1; -- } - - memcpy(buf, dec.value, dec.length); - len = curlx_uztosi(dec.length); -@@ -512,6 +509,7 @@ static CURLcode read_data(struct connect - { - int len; - CURLcode result; -+ int nread; - - result = socket_read(fd, &len, sizeof(len)); - if(result) -@@ -520,7 +518,10 @@ static CURLcode read_data(struct connect - if(len) { - /* only realloc if there was a length */ - len = ntohl(len); -- buf->data = Curl_saferealloc(buf->data, len); -+ if(len > CURL_MAX_INPUT_LENGTH) -+ len = 0; -+ else -+ buf->data = Curl_saferealloc(buf->data, len); - } - if(!len || !buf->data) - return CURLE_OUT_OF_MEMORY; -@@ -528,8 +529,11 @@ static CURLcode read_data(struct connect - result = socket_read(fd, buf->data, len); - if(result) - return result; -- buf->size = conn->mech->decode(conn->app_data, buf->data, len, -- conn->data_prot, conn); -+ nread = conn->mech->decode(conn->app_data, buf->data, len, -+ conn->data_prot, conn); -+ if(nread < 0) -+ return CURLE_RECV_ERROR; -+ buf->size = (size_t)nread; - buf->index = 0; - return CURLE_OK; - } 
diff --git a/backport-CVE-2022-32221.patch b/backport-CVE-2022-32221.patch deleted file mode 100644 index b206372..0000000 --- a/backport-CVE-2022-32221.patch +++ /dev/null @@ -1,28 +0,0 @@ -From a64e3e59938abd7d667e4470a18072a24d7e9de9 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 15 Sep 2022 09:22:45 +0200 -Subject: [PATCH] setopt: when POST is set, reset the 'upload' field - -Reported-by: RobBotic1 on github -Fixes #9507 -Closes #9511 - -Conflict: NA -Reference: https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9 - ---- - lib/setopt.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/setopt.c b/lib/setopt.c -index 03c4efdbf1e58..7289a4e78bdd0 100644 ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -700,6 +700,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - } - else - data->set.method = HTTPREQ_GET; -+ data->set.upload = FALSE; - break; - - case CURLOPT_HTTPPOST: diff --git a/backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch b/backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch deleted file mode 100644 index 58c4031..0000000 --- a/backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 8dfc93e573ca740544a2d79ebb0ed786592c65c3 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 29 Aug 2022 00:09:17 +0200 -Subject: [PATCH] cookie: reject cookies with "control bytes" - -Rejects 0x01 - 0x1f (except 0x09) plus 0x7f - -Reported-by: Axel Chong - -Bug: https://curl.se/docs/CVE-2022-35252.html - -CVE-2022-35252 - -Closes #9381 ---- - lib/cookie.c | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/lib/cookie.c b/lib/cookie.c -index 5a4d9e9..ab790a1 100644 ---- a/lib/cookie.c -+++ b/lib/cookie.c -@@ -442,6 +442,30 @@ static bool bad_domain(const char *domain) - } - - /* -+ RFC 6265 section 4.1.1 says a server should accept this range: -+ -+ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E -+ -+ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes -+ fine. The prime reason for filtering out control bytes is that some HTTP -+ servers return 400 for requests that contain such. -+*/ -+static int invalid_octets(const char *p) -+{ -+ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ -+ static const char badoctets[] = { -+ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" -+ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" -+ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" -+ }; -+ size_t vlen, len; -+ /* scan for all the octets that are *not* in cookie-octet */ -+ len = strcspn(p, badoctets); -+ vlen = strlen(p); -+ return (len != vlen); -+} -+ -+/* - * Curl_cookie_add - * - * Add a single cookie line to the cookie keeping object. Be aware that -@@ -595,6 +619,11 @@ Curl_cookie_add(struct Curl_easy *data, - badcookie = TRUE; - break; - } -+ if(invalid_octets(whatptr) || invalid_octets(name)) { -+ infof(data, "invalid octets in name/value, cookie dropped"); -+ badcookie = TRUE; -+ break; -+ } - } - else if(!len) { - /* --- -1.8.3.1 - diff --git a/backport-CVE-2022-42915.patch b/backport-CVE-2022-42915.patch deleted file mode 100644 index 66d4268..0000000 
--- a/backport-CVE-2022-42915.patch +++ /dev/null 
@@ -1,155 +0,0 @@ -From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 6 Oct 2022 14:13:36 +0200 -Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error - -Reported-by: Trail of Bits - -Closes #9790 - -Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89 -Signed-off-by: Kamil Dudka - -Conflict: NA -Reference:https://src.fedoraproject.org/rpms/curl/blob/f35/f/0017-curl-7.82.0-CVE-2022-42915.patch ---- - lib/http_proxy.c | 3 +-- - lib/url.c | 9 --------- - 2 files changed, 1 insertion(+), 11 deletions(-) - -diff --git a/lib/http_proxy.c b/lib/http_proxy.c -index 1f87f6c..cc20b3a 100644 ---- a/lib/http_proxy.c -+++ b/lib/http_proxy.c -@@ -207,9 +207,8 @@ static void connect_done(struct Curl_easy *data) - Curl_dyn_free(&s->rcvbuf); - Curl_dyn_free(&s->req); - -- /* retore the protocol pointer */ -+ /* restore the protocol pointer */ - data->req.p.http = s->prot_save; -- s->prot_save = NULL; - infof(data, "CONNECT phase completed!"); - } - } -diff --git a/lib/url.c b/lib/url.c -index bfc784f..61c99d2 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -735,15 +735,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) - DEBUGASSERT(data); - infof(data, "Closing connection %ld", conn->connection_id); - --#ifndef USE_HYPER -- if(conn->connect_state && conn->connect_state->prot_save) { -- /* If this was closed with a CONNECT in progress, cleanup this temporary -- struct arrangement */ -- data->req.p.http = NULL; -- Curl_safefree(conn->connect_state->prot_save); -- } --#endif -- - /* possible left-overs from the async name resolvers */ - Curl_resolver_cancel(data); - --- -2.37.3 - - -From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 6 Oct 2022 14:14:25 +0200 -Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and - fix - -Upstream-commit: 038bfb8522a93328b7e65bd2b6b8387c974b9ac8 -Signed-off-by: Kamil 
Dudka ---- - tests/data/Makefile.inc | 2 +- - tests/data/test445 | 61 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 62 insertions(+), 1 deletion(-) - create mode 100644 tests/data/test445 - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 1f774ce..f79b63e 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -67,7 +67,7 @@ test392 test393 test394 test395 test396 test397 \ - test400 test401 test402 test403 test404 test405 test406 test407 test408 \ - test409 test410 \ - \ --test430 test431 test432 test433 test434 test435 \ -+test430 test431 test432 test433 test434 test435 test445\ - \ - test490 test491 test492 test493 test494 \ - \ -diff --git a/tests/data/test445 b/tests/data/test445 -new file mode 100644 -index 0000000..0406c0f ---- /dev/null -+++ b/tests/data/test445 -@@ -0,0 +1,61 @@ -+ -+ -+ -+HTTP -+HTTP proxy -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 503 no just no -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+ -+-foo- -+ -+ -+ -+# -+# Client-side -+ -+ -+gopher -+dict -+http -+ftp -+imap -+ldap -+mqtt -+pop3 -+rtsp -+scp -+sftp -+smb -+smtp -+ -+ -+http-proxy -+ -+ -+Refuse tunneling protocols through HTTP proxy -+ -+ -+-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# refused in the CONNECT -+ -+56 -+ -+ -+ --- -2.33.0 - diff --git a/backport-CVE-2022-42916.patch b/backport-CVE-2022-42916.patch deleted file mode 100644 index 2321e32..0000000 --- a/backport-CVE-2022-42916.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From 53bcf55b4538067e6dc36242168866becb987bb7 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 12 Oct 2022 10:47:59 +0200 -Subject: [PATCH] url: use IDN decoded names for HSTS checks - -Reported-by: Hiroki Kurosawa - -Closes #9791 - -Conflict: Context adaptation -Reference: https://github.com/curl/curl/commit/53bcf55b4538067e6dc36242168866becb987bb7 - ---- - lib/url.c | 91 ++++++++++++++++++++++++++++--------------------------- - 1 file changed, 47 insertions(+), 44 deletions(-) - -diff --git a/lib/url.c b/lib/url.c -index a3be56bced9de..690c53c81a3c1 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -2036,10 +2036,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, - if(!strcasecompare("file", data->state.up.scheme)) - return CURLE_OUT_OF_MEMORY; - } -+ hostname = data->state.up.hostname; -+ -+ if(hostname && hostname[0] == '[') { -+ /* This looks like an IPv6 address literal. See if there is an address -+ scope. */ -+ size_t hlen; -+ conn->bits.ipv6_ip = TRUE; -+ /* cut off the brackets! */ -+ hostname++; -+ hlen = strlen(hostname); -+ hostname[hlen - 1] = 0; -+ -+ zonefrom_url(uh, data, conn); -+ } -+ -+ /* make sure the connect struct gets its own copy of the host name */ -+ conn->host.rawalloc = strdup(hostname ? 
hostname : ""); -+ if(!conn->host.rawalloc) -+ return CURLE_OUT_OF_MEMORY; -+ conn->host.name = conn->host.rawalloc; -+ -+ /************************************************************* -+ * IDN-convert the hostnames -+ *************************************************************/ -+ result = Curl_idnconvert_hostname(data, &conn->host); -+ if(result) -+ return result; -+ if(conn->bits.conn_to_host) { -+ result = Curl_idnconvert_hostname(data, &conn->conn_to_host); -+ if(result) -+ return result; -+ } -+#ifndef CURL_DISABLE_PROXY -+ if(conn->bits.httpproxy) { -+ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); -+ if(result) -+ return result; -+ } -+ if(conn->bits.socksproxy) { -+ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); -+ if(result) -+ return result; -+ } -+#endif - - #ifndef CURL_DISABLE_HSTS -+ /* HSTS upgrade */ - if(data->hsts && strcasecompare("http", data->state.up.scheme)) { -- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) { -+ /* This MUST use the IDN decoded name */ -+ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) { - char *url; - Curl_safefree(data->state.up.scheme); - uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0); -@@ -2145,26 +2191,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, - - (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); - -- hostname = data->state.up.hostname; -- if(hostname && hostname[0] == '[') { -- /* This looks like an IPv6 address literal. See if there is an address -- scope. */ -- size_t hlen; -- conn->bits.ipv6_ip = TRUE; -- /* cut off the brackets! */ -- hostname++; -- hlen = strlen(hostname); -- hostname[hlen - 1] = 0; -- -- zonefrom_url(uh, data, conn); -- } -- -- /* make sure the connect struct gets its own copy of the host name */ -- conn->host.rawalloc = strdup(hostname ? 
hostname : ""); -- if(!conn->host.rawalloc) -- return CURLE_OUT_OF_MEMORY; -- conn->host.name = conn->host.rawalloc; -- - if(data->set.scope_id) - /* Override any scope that was set above. */ - conn->scope_id = data->set.scope_id; -@@ -3713,29 +3739,6 @@ static CURLcode create_conn(struct Curl_easy *data, - if(result) - goto out; - -- /************************************************************* -- * IDN-convert the hostnames -- *************************************************************/ -- result = Curl_idnconvert_hostname(data, &conn->host); -- if(result) -- goto out; -- if(conn->bits.conn_to_host) { -- result = Curl_idnconvert_hostname(data, &conn->conn_to_host); -- if(result) -- goto out; -- } --#ifndef CURL_DISABLE_PROXY -- if(conn->bits.httpproxy) { -- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); -- if(result) -- goto out; -- } -- if(conn->bits.socksproxy) { -- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); -- if(result) -- goto out; -- } --#endif - - /************************************************************* - * Check whether the host and the "connect to host" are equal. diff --git a/backport-curl-7.84.0-test3026.patch b/backport-curl-7.84.0-test3026.patch new file mode 100644 index 0000000..a830587 --- /dev/null +++ b/backport-curl-7.84.0-test3026.patch 
@@ -0,0 +1,72 @@ +From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 27 Jun 2022 16:50:57 +0200 +Subject: [PATCH] test3026: disable valgrind + +It fails on x86_64 with: +``` + Use --max-threads=INT to specify a larger number of threads + and rerun valgrind + valgrind: the 'impossible' happened: + Max number of threads is too low + host stacktrace: + ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + sched status: + running_tid=1 + Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) + ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) + ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) + ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) + ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) + ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) + ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) + client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 + valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 +[...] 
+``` +Conflict: NA +Reference: https://src.fedoraproject.org/rpms/curl/blob/rawhide/f/0102-curl-7.84.0-test3026.patch +--- + tests/data/test3026 | 3 +++ + tests/libtest/lib3026.c | 4 ++-- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tests/data/test3026 b/tests/data/test3026 +index fb80cc8..01f2ba5 100644 +--- a/tests/data/test3026 ++++ b/tests/data/test3026 +@@ -41,5 +41,8 @@ none + + 0 + ++ ++disable ++ + + +diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c +index 43fe335..70cd7a4 100644 +--- a/tests/libtest/lib3026.c ++++ b/tests/libtest/lib3026.c +@@ -139,8 +139,8 @@ int test(char *URL) + results[i] = CURL_LAST; /* initialize with invalid value */ + res = pthread_create(&tids[i], NULL, run_thread, &results[i]); + if(res) { +- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", +- __FILE__, __LINE__, res); ++ fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", ++ __FILE__, __LINE__, i, res); + tid_count = i; + test_failure = -1; + goto cleanup; +-- +2.37.1 diff --git a/backport-curl-7.86.0-noproxy.patch b/backport-curl-7.86.0-noproxy.patch new file mode 100644 index 0000000..26b9c8f --- /dev/null +++ b/backport-curl-7.86.0-noproxy.patch 
@@ -0,0 +1,197 @@ +From b0ff1fd270924c5eaec09687e3d279130123671a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 27 Oct 2022 13:54:27 +0200 +Subject: [PATCH 1/2] noproxy: also match with adjacent comma + +If the host name is an IP address and the noproxy string contained that +IP address with a following comma, it would erroneously not match. + +Extended test 1614 to verify this combo as well. + +Reported-by: Henning Schild + +Fixes #9813 +Closes #9814 + +Upstream-commit: efc286b7a62af0568fdcbf3c68791c9955182128 +Signed-off-by: Kamil Dudka + +Conflict: NA +Reference: https://src.fedoraproject.org/rpms/curl/blob/rawhide/f/0001-curl-7.86.0-noproxy.patch +--- + lib/noproxy.c | 20 ++++++++++++-------- + tests/data/test1614 | 2 +- + tests/unit/unit1614.c | 14 ++++++++++++++ + 3 files changed, 27 insertions(+), 9 deletions(-) + +diff --git a/lib/noproxy.c b/lib/noproxy.c +index 81f1e09..d08a16b 100644 +--- a/lib/noproxy.c ++++ b/lib/noproxy.c +@@ -188,18 +188,22 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) + /* FALLTHROUGH */ + case TYPE_IPV6: { + const char *check = token; +- char *slash = strchr(check, '/'); ++ char *slash; + unsigned int bits = 0; + char checkip[128]; ++ if(tokenlen >= sizeof(checkip)) ++ /* this cannot match */ ++ break; ++ /* copy the check name to a temp buffer */ ++ memcpy(checkip, check, tokenlen); ++ checkip[tokenlen] = 0; ++ check = checkip; ++ ++ slash = strchr(check, '/'); + /* if the slash is part of this token, use it */ +- if(slash && (slash < &check[tokenlen])) { ++ if(slash) { + bits = atoi(slash + 1); +- /* copy the check name to a temp buffer */ +- if(tokenlen >= sizeof(checkip)) +- break; +- memcpy(checkip, check, tokenlen); +- checkip[ slash - check ] = 0; +- check = checkip; ++ *slash = 0; /* null terminate there */ + } + if(type == TYPE_IPV6) + match = Curl_cidr6_match(name, check, bits); +diff --git a/tests/data/test1614 b/tests/data/test1614 +index 4a9d54e..73bdbb4 100644 +--- 
a/tests/data/test1614 ++++ b/tests/data/test1614 +@@ -16,7 +16,7 @@ unittest + proxy + + +-cidr comparisons ++noproxy and cidr comparisons + + + +diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c +index 6028545..c2f563a 100644 +--- a/tests/unit/unit1614.c ++++ b/tests/unit/unit1614.c +@@ -77,6 +77,20 @@ UNITTEST_START + { NULL, NULL, 0, FALSE} /* end marker */ + }; + struct noproxy list[]= { ++ { "127.0.0.1", "127.0.0.1,localhost", TRUE}, ++ { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, ++ { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, ++ { "127.0.0.1", "127.0.0.1/28,localhost,", TRUE}, ++ { "127.0.0.1", "127.0.0.1/31,localhost,", TRUE}, ++ { "127.0.0.1", "localhost,127.0.0.1", TRUE}, ++ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." ++ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." ++ "0.0.1.127.0.0.1.127.0.0." /* 128 bytes "address" */, FALSE}, ++ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." ++ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." ++ "0.0.1.127.0.0.1.127.0.0" /* 127 bytes "address" */, FALSE}, ++ { "localhost", "localhost,127.0.0.1", TRUE}, ++ { "localhost", "127.0.0.1,localhost", TRUE}, + { "foobar", "barfoo", FALSE}, + { "foobar", "foobar", TRUE}, + { "192.168.0.1", "foobar", FALSE}, +-- +2.37.3 + + +From d539fd9f11e2a244dbab6b9171f5a9e5c86cc417 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 28 Oct 2022 10:51:49 +0200 +Subject: [PATCH 2/2] noproxy: fix tail-matching + +Also ignore trailing dots in both host name and comparison pattern. + +Regression in 7.86.0 (from 1e9a538e05c0) + +Extended test 1614 to verify better. 
+ +Reported-by: Henning Schild +Fixes #9821 +Closes #9822 + +Upstream-commit: b830f9ba9e94acf672cd191993ff679fa888838b +Signed-off-by: Kamil Dudka +--- + lib/noproxy.c | 30 +++++++++++++++++++++++------- + tests/unit/unit1614.c | 9 +++++++++ + 2 files changed, 32 insertions(+), 7 deletions(-) + +diff --git a/lib/noproxy.c b/lib/noproxy.c +index d08a16b..01f8f47 100644 +--- a/lib/noproxy.c ++++ b/lib/noproxy.c +@@ -149,9 +149,14 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) + } + else { + unsigned int address; ++ namelen = strlen(name); + if(1 == Curl_inet_pton(AF_INET, name, &address)) + type = TYPE_IPV4; +- namelen = strlen(name); ++ else { ++ /* ignore trailing dots in the host name */ ++ if(name[namelen - 1] == '.') ++ namelen--; ++ } + } + + while(*p) { +@@ -173,12 +178,23 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) + if(tokenlen) { + switch(type) { + case TYPE_HOST: +- if(*token == '.') { +- ++token; +- --tokenlen; +- /* tailmatch */ +- match = (tokenlen <= namelen) && +- strncasecompare(token, name + (namelen - tokenlen), namelen); ++ /* ignore trailing dots in the token to check */ ++ if(token[tokenlen - 1] == '.') ++ tokenlen--; ++ ++ if(tokenlen && (*token == '.')) { ++ /* A: example.com matches '.example.com' ++ B: www.example.com matches '.example.com' ++ C: nonexample.com DOES NOT match '.example.com' ++ */ ++ if((tokenlen - 1) == namelen) ++ /* case A, exact match without leading dot */ ++ match = strncasecompare(token + 1, name, namelen); ++ else if(tokenlen < namelen) ++ /* case B, tailmatch with leading dot */ ++ match = strncasecompare(token, name + (namelen - tokenlen), ++ tokenlen); ++ /* case C passes through, not a match */ + } + else + match = (tokenlen == namelen) && +diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c +index c2f563a..8f62b70 100644 +--- a/tests/unit/unit1614.c ++++ b/tests/unit/unit1614.c +@@ -77,6 +77,15 @@ UNITTEST_START + { NULL, NULL, 0, FALSE} /* end marker */ + }; + 
struct noproxy list[]= { ++ { "www.example.com", "localhost,.example.com,.example.de", TRUE}, ++ { "www.example.com.", "localhost,.example.com,.example.de", TRUE}, ++ { "example.com", "localhost,.example.com,.example.de", TRUE}, ++ { "example.com.", "localhost,.example.com,.example.de", TRUE}, ++ { "www.example.com", "localhost,.example.com.,.example.de", TRUE}, ++ { "www.example.com", "localhost,www.example.com.,.example.de", TRUE}, ++ { "example.com", "localhost,example.com,.example.de", TRUE}, ++ { "example.com.", "localhost,example.com,.example.de", TRUE}, ++ { "www.example.com", "localhost,example.com,.example.de", FALSE}, + { "127.0.0.1", "127.0.0.1,localhost", TRUE}, + { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, + { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, +-- +2.37.3 diff --git a/backport-fix-configure-disable-http-auth-build-error.patch b/backport-fix-configure-disable-http-auth-build-error.patch deleted file mode 100644 index baceeaa..0000000 --- a/backport-fix-configure-disable-http-auth-build-error.patch +++ /dev/null 
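Review bot: In the second patch, the new trailing-dot check `if(name[namelen - 1] == '.')` runs for every name that is not an IPv4 literal, so an empty `name` (namelen == 0) would index outside the string; `namelen` is presumably size_t, so the index wraps to a huge offset rather than going negative. Unless the prologue of Curl_check_noproxy (which starts before this hunk) already rejects an empty host name, the check should be guarded the way the token side is, `if(namelen && (name[namelen - 1] == '.'))`. The token-side check is already inside `if(tokenlen)`, so only the name side needs the guard. The enclosing function Curl_check_noproxy begins and ends outside the hunk.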
@@ -1,62 +0,0 @@ -From d7b970e46ba29a7e558e21d19f485977ffed6266 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 29 Apr 2022 22:56:47 +0200 -Subject: [PATCH] http: move Curl_allow_auth_to_host() - -It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef - -Reported-by: Michael Olbrich -Fixes #8772 -Closes #8775 ---- - lib/http.c | 30 +++++++++++++++--------------- - 1 file changed, 15 insertions(+), 15 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index 0d5c449bc72a2..b215307dcaaa0 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -651,6 +651,21 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data) - return result; - } - -+/* -+ * Curl_allow_auth_to_host() tells if authentication, cookies or other -+ * "sensitive data" can (still) be sent to this host. -+ */ -+bool Curl_allow_auth_to_host(struct Curl_easy *data) -+{ -+ struct connectdata *conn = data->conn; -+ return (!data->state.this_is_a_follow || -+ data->set.allow_auth_to_other_hosts || -+ (data->state.first_host && -+ strcasecompare(data->state.first_host, conn->host.name) && -+ (data->state.first_remote_port == conn->remote_port) && -+ (data->state.first_remote_protocol == conn->handler->protocol))); -+} -+ - #ifndef CURL_DISABLE_HTTP_AUTH - /* - * Output the correct authentication header depending on the auth type -@@ -775,21 +790,6 @@ output_auth_headers(struct Curl_easy *data, - return CURLE_OK; - } - --/* -- * Curl_allow_auth_to_host() tells if authentication, cookies or other -- * "sensitive data" can (still) be sent to this host. 
-- */ --bool Curl_allow_auth_to_host(struct Curl_easy *data) --{ -- struct connectdata *conn = data->conn; -- return (!data->state.this_is_a_follow || -- data->set.allow_auth_to_other_hosts || -- (data->state.first_host && -- strcasecompare(data->state.first_host, conn->host.name) && -- (data->state.first_remote_port == conn->remote_port) && -- (data->state.first_remote_protocol == conn->handler->protocol))); --} -- - /** - * Curl_http_output_auth() setups the authentication headers for the - * host/proxy and the correct authentication diff --git a/backport-pre-CVE-2022-27774.patch b/backport-pre-CVE-2022-27774.patch deleted file mode 100644 index cee2c24..0000000 --- a/backport-pre-CVE-2022-27774.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 08b8ef4e726ba10f45081ecda5b3cea788d3c839 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 16:24:33 +0200 -Subject: [PATCH] connect: store "conn_remote_port" in the info struct - -To make it available after the connection ended. ---- - lib/connect.c | 1 + - lib/urldata.h | 6 +++++- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/lib/connect.c b/lib/connect.c -index e0b740147157..9bcf525ebb39 100644 ---- a/lib/connect.c -+++ b/lib/connect.c -@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn, - data->info.conn_scheme = conn->handler->scheme; - data->info.conn_protocol = conn->handler->protocol; - data->info.conn_primary_port = conn->port; -+ data->info.conn_remote_port = conn->remote_port; - data->info.conn_local_port = local_port; - } - -diff --git a/lib/urldata.h b/lib/urldata.h -index ef2174d9e727..9c34ec444c08 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1160,7 +1160,11 @@ struct PureInfo { - reused, in the connection cache. */ - - char conn_primary_ip[MAX_IPADR_LEN]; -- int conn_primary_port; -+ int conn_primary_port; /* this is the destination port to the connection, -+ which might have been a proxy */ -+ int conn_remote_port; /* this is the "remote port", which is the port -+ number of the used URL, independent of proxy or -+ not */ - char conn_local_ip[MAX_IPADR_LEN]; - int conn_local_port; - const char *conn_scheme; diff --git a/backport-pre-CVE-2022-27782.patch b/backport-pre-CVE-2022-27782.patch deleted file mode 100644 index 95cafbe..0000000 --- a/backport-pre-CVE-2022-27782.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 093531556203decd92d92bccd431edbe5561781c Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 26 Apr 2022 07:46:19 +0200 -Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects - -Follow-up to 620ea21410030 and 139a54ed0a172a - -Reported-by: Harry Sintonen -Closes #8752 ---- - lib/vtls/gtls.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c -index 9c3a68f0ac6b..0535011911d5 100644 ---- a/lib/vtls/gtls.c -+++ b/lib/vtls/gtls.c -@@ -445,11 +445,11 @@ gtls_connect_step1(struct Curl_easy *data, - } - - #ifdef HAVE_GNUTLS_SRP -- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { -+ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && -+ Curl_allow_auth_to_host(data)) { - infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); - -- rc = gnutls_srp_allocate_client_credentials( -- &backend->srp_client_cred); -+ rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); - if(rc != GNUTLS_E_SUCCESS) { - failf(data, "gnutls_srp_allocate_client_cred() failed: %s", - gnutls_strerror(rc)); diff --git a/curl-7.79.1.tar.xz b/curl-7.79.1.tar.xz deleted file mode 100644 index bb9d086..0000000 Binary files a/curl-7.79.1.tar.xz and /dev/null differ diff --git a/curl-7.86.0.tar.xz b/curl-7.86.0.tar.xz new file mode 100644 index 0000000..b8561e3 Binary files /dev/null and b/curl-7.86.0.tar.xz differ diff --git a/curl.spec b/curl.spec index 7a36884..2ca0b79 100644 --- a/curl.spec +++ b/curl.spec 
@@ -5,32 +5,16 @@ %global _configure ../configure Name: curl -Version: 7.79.1 -Release: 12 +Version: 7.86.0 +Release: 1 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ Source: https://curl.haxx.se/download/curl-%{version}.tar.xz Patch1: backport-0101-curl-7.32.0-multilib.patch -Patch2: backport-CVE-2022-22576.patch -Patch3: backport-CVE-2022-27775.patch -Patch4: backport-CVE-2022-27776.patch -Patch5: backport-pre-CVE-2022-27774.patch -Patch6: backport-001-CVE-2022-27774.patch -Patch7: backport-002-CVE-2022-27774.patch -Patch8: backport-CVE-2022-27781.patch -Patch9: backport-pre-CVE-2022-27782.patch -Patch10: backport-CVE-2022-27782.patch -Patch11: backport-CVE-2022-32205.patch -Patch12: backport-CVE-2022-32206.patch -Patch13: backport-CVE-2022-32207.patch -Patch14: backport-CVE-2022-32208.patch -Patch15: backport-fix-configure-disable-http-auth-build-error.patch -Patch16: backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch -Patch17: backport-CVE-2022-32221.patch -Patch18: backport-CVE-2022-42916.patch -Patch19: backport-CVE-2022-42915.patch +Patch2: backport-curl-7.84.0-test3026.patch +Patch3: backport-curl-7.86.0-noproxy.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel @@ -40,7 +24,7 @@ BuildRequires: stunnel zlib-devel gnutls-utils nghttp2 perl(IO::Compress::Gzip) BuildRequires: perl(Getopt::Long) perl(Pod::Usage) perl(strict) perl(warnings) BuildRequires: perl(Cwd) perl(Digest::MD5) perl(Exporter) perl(File::Basename) BuildRequires: perl(File::Copy) perl(File::Spec) perl(IPC::Open2) perl(MIME::Base64) -BuildRequires: perl(Time::Local) perl(Time::HiRes) perl(vars) +BuildRequires: perl(Time::Local) perl(Time::HiRes) perl(vars) perl(Digest::SHA) %ifarch x86_64 BuildRequires: valgrind 
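Review bot: The hunk drops eighteen backport patches covering fourteen CVE IDs (CVE-2022-22576 through CVE-2022-42916) without anything in the spec recording that the fixes are now carried by the 7.86.0 tarball. As far as I can tell from the upstream advisories those CVEs were fixed between 7.83.0 and 7.86.0, so removing the patches is correct, but an auditor scanning the spec sees CVE patches vanish under a `Type:requirements` changelog entry. A one-line comment above `Patch2`, `# CVE-2022-22576 … CVE-2022-42916 backports removed: fixed upstream in 7.86.0`, or listing the CVE IDs in the changelog entry, would keep that traceable.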
@@ -79,7 +63,7 @@ Header files for libcurl. %prep %autosetup -n %{name}-%{version} -p1 -printf "1112\n1455\n1184\n1801\n1592\n" >> tests/data/DISABLED +printf "1112\n1455\n1184\n1801\n1592\n3000\n3001\n" >> tests/data/DISABLED # adapt test 323 for updated OpenSSL sed -e 's/^35$/35,52/' -i tests/data/test323 @@ -99,8 +83,8 @@ automake install -d build-full export common_configure_opts="--cache-file=../config.cache \ - --enable-symbol-hiding --enable-ipv6 --enable-threaded-resolver \ - --with-gssapi --with-nghttp2 --with-ssl \ + --enable-hsts --enable-ipv6 --enable-symbol-hiding --enable-threaded-resolver \ + --without-zstd --with-gssapi --with-libidn2 --with-nghttp2 --with-ssl \ --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" %global _configure ../configure @@ -108,14 +92,26 @@ export common_configure_opts="--cache-file=../config.cache \ # configure full build ( cd build-full - %configure $common_configure_opts \ - --enable-ldap \ - --enable-ldaps \ - --enable-manual \ - --with-brotli \ - --with-libidn2 \ - --with-libpsl \ - --with-libssh + %configure $common_configure_opts \ + --enable-dict \ + --enable-gopher \ + --enable-imap \ + --enable-ldap \ + --enable-ldaps \ + --enable-manual \ + --enable-mqtt \ + --enable-ntlm \ + --enable-ntlm-wb \ + --enable-pop3 \ + --enable-rtsp \ + --enable-smb \ + --enable-smtp \ + --enable-telnet \ + --enable-tftp \ + --enable-tls-srp \ + --with-brotli \ + --with-libpsl \ + --with-libssh ) sed -e 's/^runpath_var=.*/runpath_var=/' \ @@ -205,6 +201,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Wed Nov 16 2022 xinghe - 7.86.0-1 +- Type:requirements +- ID:NA +- SUG:NA +- DESC:upgrade to 7.86.0 + * Thu Oct 27 2022 yanglu - 7.79.1-12 - Type:cves - CVE:CVE-2022-32221 CVE-2022-42915 CVE-2022-42916
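Review bot: The `printf` line adds tests 3000 and 3001 to tests/data/DISABLED with no explanation, next to five existing numbers that are equally unexplained. A comment on the line before, such as `# 3000/3001: <reason they fail in the build environment>`, would tell the next packager when they can be re-enabled; I cannot tell from the diff what those tests cover or why they are skipped.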
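Review bot: The full build newly passes `--enable-ntlm-wb`, which, if I recall the option correctly, lets libcurl delegate NTLM authentication to an external `ntlm_auth` helper that it executes as a child process, found at the configure-time path or via the NTLM_AUTH environment variable. That is an additional code-execution surface compared with the previous build, and upstream has since deprecated the feature, so it deserves a deliberate decision rather than appearing in a list of protocol enables; if it is wanted, `--enable-ntlm-wb=%{_bindir}/ntlm_auth` pins the helper path explicitly. Likewise `--enable-tls-srp` depends on SRP support in the linked OpenSSL, which OpenSSL 3 deprecates, so it is worth confirming the configure summary reports it as enabled rather than silently off.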