From b18dd1b34cc34242b100301f19e3acbdcaa87cf2 Mon Sep 17 00:00:00 2001 From: eaglegai Date: Wed, 29 Jun 2022 11:23:21 +0800 Subject: [PATCH] fix CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208 --- backport-CVE-2022-32205.patch | 159 ++++++++++++++++ backport-CVE-2022-32206.patch | 43 +++++ backport-CVE-2022-32207.patch | 336 ++++++++++++++++++++++++++++++++++ backport-CVE-2022-32208.patch | 60 ++++++ curl.spec | 12 +- 5 files changed, 609 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2022-32205.patch create mode 100644 backport-CVE-2022-32206.patch create mode 100644 backport-CVE-2022-32207.patch create mode 100644 backport-CVE-2022-32208.patch diff --git a/backport-CVE-2022-32205.patch b/backport-CVE-2022-32205.patch new file mode 100644 index 0000000..5353162 --- /dev/null +++ b/backport-CVE-2022-32205.patch @@ -0,0 +1,159 @@ +From 631f95b7013ba017692d9512093746af93b4e327 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 19 May 2022 12:12:04 +0200 +Subject: [PATCH] cookie: apply limits + +- Send no more than 150 cookies per request +- Cap the max length used for a cookie: header to 8K +- Cap the max number of received Set-Cookie: headers to 50 +diff --git a/lib/cookie.c b/lib/cookie.c +index d418efa..51b3149 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -469,6 +469,10 @@ Curl_cookie_add(struct Curl_easy *data, + (void)data; + #endif + ++ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */ ++ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT) ++ return NULL; ++ + /* First, alloc and init a new struct for it */ + co = calloc(1, sizeof(struct Cookie)); + if(!co) +@@ -808,7 +812,7 @@ Curl_cookie_add(struct Curl_easy *data, + freecookie(co); + return NULL; + } +- ++ data->req.setcookies++; + } + else { + /* +@@ -1346,7 +1350,8 @@ static struct Cookie *dup_cookie(struct Cookie *src) + * + * It shall only return cookies that haven't expired. + */ +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, + const char *host, const char *path, + bool secure) + { +@@ -1401,6 +1406,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, + mainco = newco; + + matches++; ++ if(matches >= MAX_COOKIE_SEND_AMOUNT) { ++ infof(data, "Included max number of cookies (%u) in request!", ++ matches); ++ break; ++ } + } + else + goto fail; +diff --git a/lib/cookie.h b/lib/cookie.h +index 0ffe08e..7411980 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -81,10 +81,26 @@ struct CookieInfo { + */ + #define MAX_COOKIE_LINE 5000 + +-/* This is the maximum length of a cookie name or content we deal with: */ ++/* Maximum length of an incoming cookie name or content we deal with. Longer ++ cookies are ignored. */ + #define MAX_NAME 4096 + #define MAX_NAME_TXT "4095" + ++/* Maximum size for an outgoing cookie line libcurl will use in an http ++ request. This is the default maximum length used in some versions of Apache ++ httpd. */ ++#define MAX_COOKIE_HEADER_LEN 8190 ++ ++/* Maximum number of cookies libcurl will send in a single request, even if ++ there might be more cookies that match. One reason to cap the number is to ++ keep the maximum HTTP request within the maximum allowed size. */ ++#define MAX_COOKIE_SEND_AMOUNT 150 ++ ++/* Maximum number of Set-Cookie: lines accepted in a single response. If more ++ such header lines are received, they are ignored. This value must be less ++ than 256 since an unsigned char is used to count. */ ++#define MAX_SET_COOKIE_AMOUNT 50 ++ + struct Curl_easy; + /* + * Add a cookie to the internal list of cookies. The domain and path arguments +@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data, + const char *domain, const char *path, + bool secure); + +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, const char *host, + const char *path, bool secure); + void Curl_cookie_freelist(struct Cookie *cookies); + void Curl_cookie_clearall(struct CookieInfo *cookies); +diff --git a/lib/http.c b/lib/http.c +index a07be0b..66c5645 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2706,12 +2706,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + } + + #if !defined(CURL_DISABLE_COOKIES) ++ + CURLcode Curl_http_cookies(struct Curl_easy *data, + struct connectdata *conn, + struct dynbuf *r) + { + CURLcode result = CURLE_OK; + char *addcookies = NULL; ++ bool linecap = FALSE; + if(data->set.str[STRING_COOKIE] && !Curl_checkheaders(data, "Cookie")) + addcookies = data->set.str[STRING_COOKIE]; + +@@ -2728,7 +2730,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + !strcmp(host, "127.0.0.1") || + !strcmp(host, "[::1]") ? TRUE : FALSE; + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); +- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path, ++ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path, + secure_context); + Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); + } +@@ -2742,6 +2744,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + if(result) + break; + } ++ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >= ++ MAX_COOKIE_HEADER_LEN) { ++ infof(data, "Restricted outgoing cookies due to header size, " ++ "'%s' not sent", co->name); ++ linecap = TRUE; ++ break; ++ } + result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"", + co->name, co->value); + if(result) +@@ -2752,7 +2761,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + } + Curl_cookie_freelist(store); + } +- if(addcookies && !result) { ++ if(addcookies && !result && !linecap) { + if(!count) + result = Curl_dyn_add(r, "Cookie: "); + if(!result) { +diff --git a/lib/urldata.h b/lib/urldata.h +index 9bd31b7..7060844 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -707,6 +707,7 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata *doh; /* DoH specific data for this request */ + #endif ++ unsigned char setcookies; + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding diff --git a/backport-CVE-2022-32206.patch b/backport-CVE-2022-32206.patch new file mode 100644 index 0000000..4d8a47f --- /dev/null +++ b/backport-CVE-2022-32206.patch @@ -0,0 +1,43 @@ +From 7035676c3daa4f1c3766095561f12e7a0e82c736 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:28:13 +0200 +Subject: [PATCH] content_encoding: return error on too many compression steps + +The max allowed steps is arbitrarily set to 5. +--- + lib/content_encoding.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +Index: curl-7.83.1/lib/content_encoding.c +=================================================================== +--- curl-7.83.1.orig/lib/content_encoding.c ++++ curl-7.83.1/lib/content_encoding.c +@@ -1026,12 +1026,16 @@ static const struct content_encoding *fi + return NULL; + } + ++/* allow no more than 5 "chained" compression steps */ ++#define MAX_ENCODE_STACK 5 ++ + /* Set-up the unencoding stack from the Content-Encoding header value. + * See RFC 7231 section 3.1.2.2. */ + CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; ++ int counter = 0; + + do { + const char *name; +@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(str + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + ++ if(++counter >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to %u content encodings", ++ counter); ++ return CURLE_BAD_CONTENT_ENCODING; ++ } + /* Stack the unencoding stage. */ + writer = new_unencoding_writer(data, encoding, k->writer_stack); + if(!writer) diff --git a/backport-CVE-2022-32207.patch b/backport-CVE-2022-32207.patch new file mode 100644 index 0000000..697fd8f --- /dev/null +++ b/backport-CVE-2022-32207.patch @@ -0,0 +1,336 @@ +From 3782dfda5fc4f45a19b1ce1b01ecf7206a3d304a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files + +--- + lib/Makefile.inc | 2 + + lib/cookie.c | 19 ++------- + lib/fopen.c | 106 +++++++++++++++++++++++++++++++++++++++++++++++ + lib/fopen.h | 28 +++++++++++++ + 4 files changed, 140 insertions(+), 15 deletions(-) + create mode 100644 lib/fopen.c + create mode 100644 lib/fopen.h + +Index: curl-7.81.0/lib/Makefile.inc +=================================================================== +--- curl-7.81.0.orig/lib/Makefile.inc ++++ curl-7.81.0/lib/Makefile.inc +@@ -131,6 +131,7 @@ LIB_CFILES = \ + escape.c \ + file.c \ + fileinfo.c \ ++ fopen.c \ + formdata.c \ + ftp.c \ + ftplistparser.c \ +@@ -263,6 +264,7 @@ LIB_HFILES = \ + escape.h \ + file.h \ + fileinfo.h \ ++ fopen.h \ + formdata.h \ + ftp.h \ + ftplistparser.h \ +Index: curl-7.81.0/lib/cookie.c +=================================================================== +--- curl-7.81.0.orig/lib/cookie.c ++++ curl-7.81.0/lib/cookie.c +@@ -96,8 +96,8 @@ Example set of cookies: + #include "curl_get_line.h" + #include "curl_memrchr.h" + #include "parsedate.h" +-#include "rand.h" + #include "rename.h" ++#include "fopen.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -1612,20 +1612,9 @@ static CURLcode cookie_output(struct Cur + use_stdout = TRUE; + } + else { +- unsigned char randsuffix[9]; +- +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return 2; +- +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) { +- error = CURLE_WRITE_ERROR; ++ error = Curl_fopen(data, filename, &out, &tempstore); ++ if(error) + goto error; +- } + } + + fputs("# Netscape HTTP Cookie File\n" +@@ -1672,7 +1661,7 @@ static CURLcode cookie_output(struct Cur + if(!use_stdout) { + fclose(out); + out = NULL; +- if(Curl_rename(tempstore, filename)) { ++ if(tempstore && Curl_rename(tempstore, filename)) { + unlink(tempstore); + error = CURLE_WRITE_ERROR; + goto error; +Index: curl-7.81.0/lib/fopen.c +=================================================================== +--- /dev/null ++++ curl-7.81.0/lib/fopen.c +@@ -0,0 +1,106 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ ***************************************************************************/ ++ ++#include "curl_setup.h" ++ ++#if !defined(CURL_DISABLE_COOKIES) && !defined(CURL_DISABLE_ALTSVC) && \ ++ !defined(CURL_DISABLE_HSTS) ++ ++#ifdef HAVE_FCNTL_H ++#include ++#endif ++ ++#include "urldata.h" ++#include "rand.h" ++#include "fopen.h" ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" ++#include "memdebug.h" ++ ++/* ++ * Curl_fopen() opens a file for writing with a temp name, to be renamed ++ * to the final name when completed. If there is an existing file using this ++ * name at the time of the open, this function will clone the mode from that ++ * file. if 'tempname' is non-NULL, it needs a rename after the file is ++ * written. ++ */ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname) ++{ ++ CURLcode result = CURLE_WRITE_ERROR; ++ unsigned char randsuffix[9]; ++ char *tempstore = NULL; ++ struct_stat sb, nsb; ++ int fd = -1; ++ *tempname = NULL; ++ ++ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ /* a non-regular file, fallback to direct fopen() */ ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(*fh) ++ return CURLE_OK; ++ goto fail; ++ } ++ ++ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); ++ if(result) ++ goto fail; ++ ++ tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ if(!tempstore) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto fail; ++ } ++ ++ result = CURLE_WRITE_ERROR; ++ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600); ++ if(fd == -1) ++ goto fail; ++ ++ if((fstat(fd, &nsb) != -1) && ++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { ++ /* if the user and group are the same, clone the original mode */ ++ if(fchmod(fd, sb.st_mode) == -1) ++ goto fail; ++ } ++ ++ *fh = fdopen(fd, FOPEN_WRITETEXT); ++ if(!*fh) ++ goto fail; ++ ++ *tempname = tempstore; ++ return CURLE_OK; ++ ++fail: ++ if(fd != -1) { ++ close(fd); ++ unlink(tempstore); ++ } ++ ++ free(tempstore); ++ ++ *tempname = NULL; ++ return result; ++} ++ ++#endif /* ! disabled */ +Index: curl-7.81.0/lib/fopen.h +=================================================================== +--- /dev/null ++++ curl-7.81.0/lib/fopen.h +@@ -0,0 +1,28 @@ ++#ifndef HEADER_CURL_FOPEN_H ++#define HEADER_CURL_FOPEN_H ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ ***************************************************************************/ ++ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname); ++ ++#endif +Index: curl-7.81.0/lib/altsvc.c +=================================================================== +--- curl-7.81.0.orig/lib/altsvc.c ++++ curl-7.81.0/lib/altsvc.c +@@ -34,7 +34,7 @@ + #include "parsedate.h" + #include "sendf.h" + #include "warnless.h" +-#include "rand.h" ++#include "fopen.h" + #include "rename.h" + + /* The last 3 #include files should be in this order */ +@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_ea + struct Curl_llist_element *n; + CURLcode result = CURLE_OK; + FILE *out; +- char *tempstore; +- unsigned char randsuffix[9]; ++ char *tempstore = NULL; + + if(!altsvc) + /* no cache activated */ +@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_ea + /* marked as read-only, no file or zero length file name */ + return CURLE_OK; + +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return CURLE_FAILED_INIT; +- +- tempstore = aprintf("%s.%s.tmp", file, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) +- result = CURLE_WRITE_ERROR; +- else { ++ result = Curl_fopen(data, file, &out, &tempstore); ++ if(!result) { + fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n" + "# This file was generated by libcurl! Edit at your own risk.\n", + out); +@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_ea + break; + } + fclose(out); +- if(!result && Curl_rename(tempstore, file)) ++ if(!result && tempstore && Curl_rename(tempstore, file)) + result = CURLE_WRITE_ERROR; + +- if(result) ++ if(result && tempstore) + unlink(tempstore); + } + free(tempstore); +Index: curl-7.81.0/lib/hsts.c +=================================================================== +--- curl-7.81.0.orig/lib/hsts.c ++++ curl-7.81.0/lib/hsts.c +@@ -35,7 +35,7 @@ + #include "sendf.h" + #include "strtoofft.h" + #include "parsedate.h" +-#include "rand.h" ++#include "fopen.h" + #include "rename.h" + #include "strtoofft.h" + +@@ -334,8 +334,7 @@ CURLcode Curl_hsts_save(struct Curl_easy + struct Curl_llist_element *n; + CURLcode result = CURLE_OK; + FILE *out; +- char *tempstore; +- unsigned char randsuffix[9]; ++ char *tempstore = NULL; + + if(!h) + /* no cache activated */ +@@ -349,17 +348,8 @@ CURLcode Curl_hsts_save(struct Curl_easy + /* marked as read-only, no file or zero length file name */ + goto skipsave; + +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return CURLE_FAILED_INIT; +- +- tempstore = aprintf("%s.%s.tmp", file, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) +- result = CURLE_WRITE_ERROR; +- else { ++ result = Curl_fopen(data, file, &out, &tempstore); ++ if(!result) { + fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n" + "# This file was generated by libcurl! Edit at your own risk.\n", + out); +@@ -371,10 +361,10 @@ CURLcode Curl_hsts_save(struct Curl_easy + break; + } + fclose(out); +- if(!result && Curl_rename(tempstore, file)) ++ if(!result && tempstore && Curl_rename(tempstore, file)) + result = CURLE_WRITE_ERROR; + +- if(result) ++ if(result && tempstore) + unlink(tempstore); + } + free(tempstore); diff --git a/backport-CVE-2022-32208.patch b/backport-CVE-2022-32208.patch new file mode 100644 index 0000000..6158851 --- /dev/null +++ b/backport-CVE-2022-32208.patch @@ -0,0 +1,60 @@ +From 4c3f77e871820d055a5f6c4cd7a6ac47a7f3877d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Jun 2022 09:27:24 +0200 +Subject: [PATCH] krb5: return error properly on decode errors + +--- + lib/krb5.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +Index: curl-7.81.0/lib/krb5.c +=================================================================== +--- curl-7.81.0.orig/lib/krb5.c ++++ curl-7.81.0/lib/krb5.c +@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, i + enc.value = buf; + enc.length = len; + maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); +- if(maj != GSS_S_COMPLETE) { +- if(len >= 4) +- strcpy(buf, "599 "); ++ if(maj != GSS_S_COMPLETE) + return -1; +- } + + memcpy(buf, dec.value, dec.length); + len = curlx_uztosi(dec.length); +@@ -512,6 +509,7 @@ static CURLcode read_data(struct connect + { + int len; + CURLcode result; ++ int nread; + + result = socket_read(fd, &len, sizeof(len)); + if(result) +@@ -520,7 +518,10 @@ static CURLcode read_data(struct connect + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); +- buf->data = Curl_saferealloc(buf->data, len); ++ if(len > CURL_MAX_INPUT_LENGTH) ++ len = 0; ++ else ++ buf->data = Curl_saferealloc(buf->data, len); + } + if(!len || !buf->data) + return CURLE_OUT_OF_MEMORY; +@@ -528,8 +529,11 @@ static CURLcode read_data(struct connect + result = socket_read(fd, buf->data, len); + if(result) + return result; +- buf->size = conn->mech->decode(conn->app_data, buf->data, len, +- conn->data_prot, conn); ++ nread = conn->mech->decode(conn->app_data, buf->data, len, ++ conn->data_prot, conn); ++ if(nread < 0) ++ return CURLE_RECV_ERROR; ++ buf->size = (size_t)nread; + buf->index = 0; + return CURLE_OK; + } diff --git a/curl.spec b/curl.spec index 19fcb4e..1730300 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 7.79.1 -Release: 5 +Release: 6 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ @@ -22,6 +22,10 @@ Patch7: backport-002-CVE-2022-27774.patch Patch8: backport-CVE-2022-27781.patch Patch9: backport-pre-CVE-2022-27782.patch Patch10: backport-CVE-2022-27782.patch +Patch11: backport-CVE-2022-32205.patch +Patch12: backport-CVE-2022-32206.patch +Patch13: backport-CVE-2022-32207.patch +Patch14: backport-CVE-2022-32208.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel @@ -196,6 +200,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Wed Jun 29 2022 gaihuiying - 7.79.1-6 +- Type:cves +- CVE:CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208 +- SUG:NA +- DESC:fix CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208 + * Tue May 17 2022 gaihuiying - 7.79.1-5 - Type:cves - CVE:CVE-2022-27781 CVE-2022-27782