backport some patches from community

backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch

@@ -0,0 +1,112 @@
+From 49e244318672c688097c1bf601a110005cd9a6a8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 31 Jul 2023 10:07:35 +0200
+Subject: [PATCH] urlapi: make sure zoneid is also duplicated in curl_url_dup
+
+Add several curl_url_dup() tests to the general lib1560 test.
+
+Reported-by: Rutger Broekhoff
+Bug: https://curl.se/mail/lib-2023-07/0047.html
+Closes #11549
+
+Conflict: tests/libtest/lib1560.c for context adapt
+Reference: https://github.com/curl/curl/commit/49e244318672c688097c1bf601a110005cd9a6a8
+---
+ lib/urlapi.c            |  1 +
+ tests/libtest/lib1560.c | 67 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+)
+
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index cd423c335d88f..b1a126d548213 100644
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -1385,6 +1385,7 @@ CURLU *curl_url_dup(const CURLU *in)
+     DUP(u, in, path);
+     DUP(u, in, query);
+     DUP(u, in, fragment);
++    DUP(u, in, zoneid);
+     u->portnum = in->portnum;
+   }
+   return u;
+diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
+index 0eca0fda72d0b..ff03bec9391a4 100644
+--- a/tests/libtest/lib1560.c
++++ b/tests/libtest/lib1560.c
+@@ -1672,10 +1672,77 @@ static int huge(void)
+   return error;
+ }
+ 
++static int urldup(void)
++{
++  const char *url[] = {
++    "http://"
++    "user:pwd@"
++    "[2a04:4e42:e00::347%25eth0]"
++    ":80"
++    "/path"
++    "?query"
++    "#fraggie",
++    "https://example.com",
++    "https://user@example.com",
++    "https://user.pwd@example.com",
++    "https://user.pwd@example.com:1234",
++    "https://example.com:1234",
++    "example.com:1234",
++    "https://user.pwd@example.com:1234/path?query#frag",
++    NULL
++  };
++  CURLU *copy = NULL;
++  char *h_str = NULL, *copy_str = NULL;
++  CURLU *h = curl_url();
++  int i;
++
++  if(!h)
++    goto err;
++
++  for(i = 0; url[i]; i++) {
++    CURLUcode rc = curl_url_set(h, CURLUPART_URL, url[i],
++                                CURLU_GUESS_SCHEME);
++    if(rc)
++      goto err;
++    copy = curl_url_dup(h);
++
++    rc = curl_url_get(h, CURLUPART_URL, &h_str, 0);
++    if(rc)
++      goto err;
++
++    rc = curl_url_get(copy, CURLUPART_URL, &copy_str, 0);
++    if(rc)
++      goto err;
++
++    if(strcmp(h_str, copy_str)) {
++      printf("Original:  %s\nParsed:    %s\nCopy:      %s\n",
++             url[i], h_str, copy_str);
++      goto err;
++    }
++    curl_free(copy_str);
++    curl_free(h_str);
++    curl_url_cleanup(copy);
++    copy_str = NULL;
++    h_str = NULL;
++    copy = NULL;
++  }
++  curl_url_cleanup(h);
++  return 0;
++err:
++  curl_free(copy_str);
++  curl_free(h_str);
++  curl_url_cleanup(copy);
++  curl_url_cleanup(h);
++  return 1;
++}
++
+ int test(char *URL)
+ {
+   (void)URL; /* not used */
+ 
++  if(urldup())
++    return 11;
++
+   if(get_url())
+     return 3;
+ 

backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch

@@ -0,0 +1,41 @@
+From a4a5e438ae533c9af5e97457ae424c9189545105 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 12 Jun 2023 14:10:37 +0200
+Subject: [PATCH] vtls: avoid memory leak if sha256 call fails
+
+... in the pinned public key handling function.
+
+Reported-by: lizhuang0630 on github
+Fixes #11306
+Closes #11307
+
+Conflict: NA
+Reference: https://github.com/curl/curl/commit/a4a5e438ae533c9af5e97457ae424c9189545105
+---
+ lib/vtls/vtls.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index a4ff7d61a6193..cdd3a4fdc1c14 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -907,14 +907,12 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
+     if(!sha256sumdigest)
+       return CURLE_OUT_OF_MEMORY;
+     encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
+-                        sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
++                                 sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
+ 
+-    if(encode != CURLE_OK)
+-      return encode;
+-
+-    encode = Curl_base64_encode((char *)sha256sumdigest,
+-                                CURL_SHA256_DIGEST_LENGTH, &encoded,
+-                                &encodedlen);
++    if(!encode)
++      encode = Curl_base64_encode((char *)sha256sumdigest,
++                                  CURL_SHA256_DIGEST_LENGTH, &encoded,
++                                  &encodedlen);
+     Curl_safefree(sha256sumdigest);
+ 
+     if(encode)

curl.spec

@@ -6,7 +6,7 @@
 
 Name:           curl
 Version:        8.1.2
-Release:        2
+Release:        3
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        curl
 URL:            https://curl.se/
@@ -16,6 +16,8 @@ Patch1:         backport-0101-curl-7.32.0-multilib.patch
 Patch2:         backport-curl-7.84.0-test3026.patch
 Patch4:         backport-curl-7.88.0-tests-warnings.patch
 Patch5:         backport-CVE-2023-32001.patch
+Patch6:         backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch
+Patch7:         backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -200,6 +202,13 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Wed Sep 06 2023 yanglu <yanglu72@h-partners.com> - 8.1.2-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:vtls:avoid memory leak if sha256 call fails
+       urlapi:make sure zoneid is also duplicated in curl_url_dup
+
 * Thu Jul 20 2023 zhouyihang <zhouyihang3@h-partners.com> - 8.1.2-2
 - Type:CVE
 - CVE:CVE-2023-32001