diff --git a/backport-openssl-avoid-BN_num_bits-NULL-pointer-derefs.patch b/backport-openssl-avoid-BN_num_bits-NULL-pointer-derefs.patch new file mode 100644 index 0000000..4a75f4c --- /dev/null +++ b/backport-openssl-avoid-BN_num_bits-NULL-pointer-derefs.patch @@ -0,0 +1,34 @@ +From b9f832edcce9db2de31070e76c3cbe59ca9ef512 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 12 Oct 2023 16:00:38 +0200 +Subject: [PATCH] openssl: avoid BN_num_bits() NULL pointer derefs + +Reported-by: icy17 on github +Fixes #12099 +Closes #12100 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/b9f832edcce9db2de31070e76c3cbe59ca9ef512 +--- + lib/vtls/openssl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 9f9c8d136..6be86f871 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -538,9 +538,9 @@ CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl) + #else + RSA_get0_key(rsa, &n, &e, NULL); + #endif /* HAVE_EVP_PKEY_GET_PARAMS */ +- BIO_printf(mem, "%d", BN_num_bits(n)); ++ BIO_printf(mem, "%d", n ? BN_num_bits(n) : 0); + #else +- BIO_printf(mem, "%d", BN_num_bits(rsa->n)); ++ BIO_printf(mem, "%d", rsa->n ? BN_num_bits(rsa->n) : 0); + #endif /* HAVE_OPAQUE_RSA_DSA_DH */ + push_certinfo("RSA Public Key", i); + print_pubkey_BN(rsa, n, i); +-- +2.33.0 + diff --git a/backport-transfer-also-stop-the-sending-on-closed-connection.patch b/backport-transfer-also-stop-the-sending-on-closed-connection.patch new file mode 100644 index 0000000..473b724 --- /dev/null +++ b/backport-transfer-also-stop-the-sending-on-closed-connection.patch @@ -0,0 +1,46 @@ +From 95a865b462195d9d847f7f2676f0c789179e2073 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 4 Sep 2023 14:14:32 +0200 +Subject: [PATCH] transfer: also stop the sending on closed connection + +Previously this cleared the receiving bit only but in some cases it is +also still sending (like a request-body) when disconnected and neither +direction can continue then. + +Fixes #11769 +Reported-by: Oleg Jukovec +Closes #11795 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/95a865b462195d9d847f7f2676f0c789179e2073 +--- + lib/transfer.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index fb0a6a45d..d0602b875 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -492,15 +492,16 @@ static CURLcode readwrite_data(struct Curl_easy *data, + if(0 < nread || is_empty_data) { + buf[nread] = 0; + } +- else { ++ if(!nread) { + /* if we receive 0 or less here, either the data transfer is done or the + server closed the connection and we bail out from this! */ + if(data_eof_handled) + DEBUGF(infof(data, "nread == 0, stream closed, bailing")); + else + DEBUGF(infof(data, "nread <= 0, server closed connection, bailing")); +- k->keepon &= ~KEEP_RECV; +- break; ++ k->keepon = 0; /* stop sending as well */ ++ if(!is_empty_data) ++ break; + } + + /* Default buffer to use when we write the buffer, it may be changed +-- +2.33.0 + diff --git a/curl.spec b/curl.spec index ace74ab..71daee6 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 8.1.2 -Release: 6 +Release: 7 Summary: Curl is used in command lines or scripts to transfer data License: curl URL: https://curl.se/ @@ -24,6 +24,8 @@ Patch10: backport-CVE-2023-38546.patch Patch11: backport-CVE-2023-46218.patch Patch12: backport-0001-CVE-2023-46219.patch Patch13: backport-0002-CVE-2023-46219.patch +Patch14: backport-transfer-also-stop-the-sending-on-closed-connection.patch +Patch15: backport-openssl-avoid-BN_num_bits-NULL-pointer-derefs.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel @@ -208,6 +210,13 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Thu Dec 28 2023 zhouyihang - 8.1.2-7 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:transfer: also stop the sending on closed connection + openssl: avoid BN_num_bits() NULL pointer derefs + * Fri Dec 08 2023 zhouyihang - 8.1.2-6 - Type:CVE - CVE:CVE-2023-46218 CVE-2023-46219