!149 [sync] PR-146: fix CVE-2022-32221 CVE-2022-42915 CVE-2022-42916

From: @openeuler-sync-bot Reviewed-by: @seuzw Signed-off-by: @seuzw
2022-10-31 06:33:41 +00:00 · 2022-10-31 06:33:41 +00:00 · ccf1d4bf5c
commit ccf1d4bf5c
parent ff313b7812 fed54f300d
4 changed files with 328 additions and 1 deletions
--- a/backport-CVE-2022-32221.patch
+++ b/backport-CVE-2022-32221.patch
@ -0,0 +1,28 @@
+From a64e3e59938abd7d667e4470a18072a24d7e9de9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:22:45 +0200
+Subject: [PATCH] setopt: when POST is set, reset the 'upload' field
+
+Reported-by: RobBotic1 on github
+Fixes #9507
+Closes #9511
+
+Conflict: NA
+Reference: https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9
+
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 03c4efdbf1e58..7289a4e78bdd0 100644
+--- a/lib/setopt.c
+++ b/lib/setopt.c
+@@ -700,6 +700,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     }
+     else
+       data->set.method = HTTPREQ_GET;
+    data->set.upload = FALSE;
+     break;
+ 
+   case CURLOPT_HTTPPOST:
--- a/backport-CVE-2022-42915.patch
+++ b/backport-CVE-2022-42915.patch
@ -0,0 +1,155 @@
+From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 14:13:36 +0200
+Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error
+ 
+Reported-by: Trail of Bits
+ 
+Closes #9790
+ 
+Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+
+Conflict: NA
+Reference:https://src.fedoraproject.org/rpms/curl/blob/f35/f/0017-curl-7.82.0-CVE-2022-42915.patch
+---
+ lib/http_proxy.c | 3 +--
+ lib/url.c        | 9 ---------
+ 2 files changed, 1 insertion(+), 11 deletions(-)
+ 
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index 1f87f6c..cc20b3a 100644
+--- a/lib/http_proxy.c
+++ b/lib/http_proxy.c
+@@ -207,9 +207,8 @@ static void connect_done(struct Curl_easy *data)
+     Curl_dyn_free(&s->rcvbuf);
+     Curl_dyn_free(&s->req);
+ 
+-    /* retore the protocol pointer */
+    /* restore the protocol pointer */
+     data->req.p.http = s->prot_save;
+-    s->prot_save = NULL;
+     infof(data, "CONNECT phase completed!");
+   }
+ }
+diff --git a/lib/url.c b/lib/url.c
+index bfc784f..61c99d2 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -735,15 +735,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn)
+   DEBUGASSERT(data);
+   infof(data, "Closing connection %ld", conn->connection_id);
+ 
+-#ifndef USE_HYPER
+-  if(conn->connect_state && conn->connect_state->prot_save) {
+-    /* If this was closed with a CONNECT in progress, cleanup this temporary
+-       struct arrangement */
+-    data->req.p.http = NULL;
+-    Curl_safefree(conn->connect_state->prot_save);
+-  }
+-#endif
+-
+   /* possible left-overs from the async name resolvers */
+   Curl_resolver_cancel(data);
+ 
+-- 
+2.37.3
+ 
+
+From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 14:14:25 +0200
+Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and
+ fix
+
+Upstream-commit: 038bfb8522a93328b7e65bd2b6b8387c974b9ac8
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test445      | 61 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 62 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test445
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 1f774ce..f79b63e 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -67,7 +67,7 @@ test392 test393 test394 test395 test396 test397 \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+ test409 test410 \
+ \
+-test430 test431 test432 test433 test434 test435 \
+test430 test431 test432 test433 test434 test435 test445\
+ \
+ test490 test491 test492 test493 test494 \
+ \
+diff --git a/tests/data/test445 b/tests/data/test445
+new file mode 100644
+index 0000000..0406c0f
+--- /dev/null
+++ b/tests/data/test445
+@@ -0,0 +1,61 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP proxy
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<connect>
+HTTP/1.1 503 no just no
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+
+-foo-
+</connect>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+gopher
+dict
+http
+ftp
+imap
+ldap
+mqtt
+pop3
+rtsp
+scp
+sftp
+smb
+smtp
+</features>
+<server>
+http-proxy
+</server>
+ <name>
+Refuse tunneling protocols through HTTP proxy
+ </name>
+ <command>
+-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# refused in the CONNECT
+<errorcode>
+56
+</errorcode>
+</verify>
+</testcase>
+--
+2.33.0
+
--- a/backport-CVE-2022-42916.patch
+++ b/backport-CVE-2022-42916.patch
@ -0,0 +1,135 @@
+From 53bcf55b4538067e6dc36242168866becb987bb7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 12 Oct 2022 10:47:59 +0200
+Subject: [PATCH] url: use IDN decoded names for HSTS checks
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9791
+
+Conflict: Context adaptation
+Reference: https://github.com/curl/curl/commit/53bcf55b4538067e6dc36242168866becb987bb7
+
+---
+ lib/url.c | 91 ++++++++++++++++++++++++++++---------------------------
+ 1 file changed, 47 insertions(+), 44 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index a3be56bced9de..690c53c81a3c1 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -2036,10 +2036,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+     if(!strcasecompare("file", data->state.up.scheme))
+       return CURLE_OUT_OF_MEMORY;
+   }
+  hostname = data->state.up.hostname;
+
+  if(hostname && hostname[0] == '[') {
+    /* This looks like an IPv6 address literal. See if there is an address
+       scope. */
+    size_t hlen;
+    conn->bits.ipv6_ip = TRUE;
+    /* cut off the brackets! */
+    hostname++;
+    hlen = strlen(hostname);
+    hostname[hlen - 1] = 0;
+
+    zonefrom_url(uh, data, conn);
+  }
+
+  /* make sure the connect struct gets its own copy of the host name */
+  conn->host.rawalloc = strdup(hostname ? hostname : "");
+  if(!conn->host.rawalloc)
+    return CURLE_OUT_OF_MEMORY;
+  conn->host.name = conn->host.rawalloc;
+
+  /*************************************************************
+   * IDN-convert the hostnames
+   *************************************************************/
+  result = Curl_idnconvert_hostname(data, &conn->host);
+  if(result)
+    return result;
+  if(conn->bits.conn_to_host) {
+    result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
+    if(result)
+      return result;
+  }
+#ifndef CURL_DISABLE_PROXY
+  if(conn->bits.httpproxy) {
+    result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
+    if(result)
+      return result;
+  }
+  if(conn->bits.socksproxy) {
+    result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
+    if(result)
+      return result;
+  }
+#endif
+ 
+ #ifndef CURL_DISABLE_HSTS
+  /* HSTS upgrade */
+   if(data->hsts && strcasecompare("http", data->state.up.scheme)) {
+-    if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) {
+    /* This MUST use the IDN decoded name */
+    if(Curl_hsts(data->hsts, conn->host.name, TRUE)) {
+       char *url;
+       Curl_safefree(data->state.up.scheme);
+       uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0);
+@@ -2145,26 +2191,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+ 
+   (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0);
+ 
+-  hostname = data->state.up.hostname;
+-  if(hostname && hostname[0] == '[') {
+-    /* This looks like an IPv6 address literal. See if there is an address
+-       scope. */
+-    size_t hlen;
+-    conn->bits.ipv6_ip = TRUE;
+-    /* cut off the brackets! */
+-    hostname++;
+-    hlen = strlen(hostname);
+-    hostname[hlen - 1] = 0;
+-
+-    zonefrom_url(uh, data, conn);
+-  }
+-
+-  /* make sure the connect struct gets its own copy of the host name */
+-  conn->host.rawalloc = strdup(hostname ? hostname : "");
+-  if(!conn->host.rawalloc)
+-    return CURLE_OUT_OF_MEMORY;
+-  conn->host.name = conn->host.rawalloc;
+-
+   if(data->set.scope_id)
+     /* Override any scope that was set above.  */
+     conn->scope_id = data->set.scope_id;
+@@ -3713,29 +3739,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+   if(result)
+     goto out;
+ 
+-  /*************************************************************
+-   * IDN-convert the hostnames
+-   *************************************************************/
+-  result = Curl_idnconvert_hostname(data, &conn->host);
+-  if(result)
+-    goto out;
+-  if(conn->bits.conn_to_host) {
+-    result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
+-    if(result)
+-      goto out;
+-  }
+-#ifndef CURL_DISABLE_PROXY
+-  if(conn->bits.httpproxy) {
+-    result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
+-    if(result)
+-      goto out;
+-  }
+-  if(conn->bits.socksproxy) {
+-    result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
+-    if(result)
+-      goto out;
+-  }
+-#endif
+ 
+   /*************************************************************
+    * Check whether the host and the "connect to host" are equal.
--- a/curl.spec
+++ b/curl.spec
@ -6,7 +6,7 @@

 Name:           curl
 Version:        7.79.1
-Release:        11
+Release:        12
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@ -28,6 +28,9 @@ Patch13:        backport-CVE-2022-32207.patch
 Patch14:        backport-CVE-2022-32208.patch
 Patch15:        backport-fix-configure-disable-http-auth-build-error.patch
 Patch16:        backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch
+Patch17:        backport-CVE-2022-32221.patch
+Patch18:        backport-CVE-2022-42916.patch
+Patch19:        backport-CVE-2022-42915.patch

 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@ -202,6 +205,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*

 %changelog
+* Thu Oct 27 2022 yanglu <yanglu72@h-partners.com> - 7.79.1-12
+- Type:cves
+- CVE:CVE-2022-32221 CVE-2022-42915 CVE-2022-42916
+- SUG:NA
+- DESC:fix CVE-2022-32221 CVE-2022-42915 CVE-2022-42916
+
 * Tue Oct 11 2022 huangduirong <huangduirong@huawei.com> - 7.79.1-11
 - Type:bugfix
 - ID:NA