From fed54f300d44d1389eb3b15f0264f5b9d1e4f091 Mon Sep 17 00:00:00 2001
From: yangl777
Date: Thu, 27 Oct 2022 12:39:56 +0000
Subject: [PATCH] fix CVE-2022-32221 CVE-2022-42915 CVE-2022-42916
(cherry picked from commit 629c69990093152e329f66f6b50c82dbc7a58ee3)
---
 backport-CVE-2022-32221.patch | 28 ++++++
 backport-CVE-2022-42915.patch | 155 ++++++++++++++++++++++++++++++++++
 backport-CVE-2022-42916.patch | 135 +++++++++++++++++++++++++++++
 curl.spec | 11 ++-
 4 files changed, 328 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-32221.patch
 create mode 100644 backport-CVE-2022-42915.patch
 create mode 100644 backport-CVE-2022-42916.patch
diff --git a/backport-CVE-2022-32221.patch b/backport-CVE-2022-32221.patch
new file mode 100644
index 0000000..b206372
--- /dev/null
+++ b/backport-CVE-2022-32221.patch
@@ -0,0 +1,28 @@
+From a64e3e59938abd7d667e4470a18072a24d7e9de9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 15 Sep 2022 09:22:45 +0200
+Subject: [PATCH] setopt: when POST is set, reset the 'upload' field
+
+Reported-by: RobBotic1 on github
+Fixes #9507
+Closes #9511
+
+Conflict: NA
+Reference: https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9
+
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 03c4efdbf1e58..7289a4e78bdd0 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -700,6 +700,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ }
+ else
+ data->set.method = HTTPREQ_GET;
++ data->set.upload = FALSE;
+ break;
+
+ case CURLOPT_HTTPPOST:
diff --git a/backport-CVE-2022-42915.patch b/backport-CVE-2022-42915.patch
new file mode 100644
index 0000000..66d4268
--- /dev/null
+++ b/backport-CVE-2022-42915.patch
@@ -0,0 +1,155 @@
+From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 6 Oct 2022 14:13:36 +0200
+Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error
+
+Reported-by: Trail of Bits
+
+Closes #9790
+
+Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89
+Signed-off-by: Kamil Dudka
+
+Conflict: NA
+Reference:https://src.fedoraproject.org/rpms/curl/blob/f35/f/0017-curl-7.82.0-CVE-2022-42915.patch
+---
+ lib/http_proxy.c | 3 +--
+ lib/url.c | 9 ---------
+ 2 files changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index 1f87f6c..cc20b3a 100644
+--- a/lib/http_proxy.c
++++ b/lib/http_proxy.c
+@@ -207,9 +207,8 @@ static void connect_done(struct Curl_easy *data)
+ Curl_dyn_free(&s->rcvbuf);
+ Curl_dyn_free(&s->req);
+
+- /* retore the protocol pointer */
++ /* restore the protocol pointer */
+ data->req.p.http = s->prot_save;
+- s->prot_save = NULL;
+ infof(data, "CONNECT phase completed!");
+ }
+ }
+diff --git a/lib/url.c b/lib/url.c
+index bfc784f..61c99d2 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -735,15 +735,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn)
+ DEBUGASSERT(data);
+ infof(data, "Closing connection %ld", conn->connection_id);
+
+-#ifndef USE_HYPER
+- if(conn->connect_state && conn->connect_state->prot_save) {
+- /* If this was closed with a CONNECT in progress, cleanup this temporary
+- struct arrangement */
+- data->req.p.http = NULL;
+- Curl_safefree(conn->connect_state->prot_save);
+- }
+-#endif
+-
+ /* possible left-overs from the async name resolvers */
+ Curl_resolver_cancel(data);
+
+--
+2.37.3
+
+
+From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 6 Oct 2022 14:14:25 +0200
+Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and
+ fix
+
+Upstream-commit: 038bfb8522a93328b7e65bd2b6b8387c974b9ac8
+Signed-off-by: Kamil Dudka
+---
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test445 | 61 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 62 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test445
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 1f774ce..f79b63e 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -67,7 +67,7 @@ test392 test393 test394 test395 test396 test397 \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+ test409 test410 \
+ \
+-test430 test431 test432 test433 test434 test435 \
++test430 test431 test432 test433 test434 test435 test445\
+ \
+ test490 test491 test492 test493 test494 \
+ \
+diff --git a/tests/data/test445 b/tests/data/test445
+new file mode 100644
+index 0000000..0406c0f
+--- /dev/null
++++ b/tests/data/test445
+@@ -0,0 +1,61 @@
++
++
++
++HTTP
++HTTP proxy
++
++
++
++#
++# Server-side
++
++
++HTTP/1.1 503 no just no
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++
++-foo-
++
++
++
++#
++# Client-side
++
++
++gopher
++dict
++http
++ftp
++imap
++ldap
++mqtt
++pop3
++rtsp
++scp
++sftp
++smb
++smtp
++
++
++http-proxy
++
++
++Refuse tunneling protocols through HTTP proxy
++
++
++-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send
++
++
++
++#
++# Verify data after the test has been "shot"
++
++# refused in the CONNECT
++
++56
++
++
++
+--
+2.33.0
+
diff --git a/backport-CVE-2022-42916.patch b/backport-CVE-2022-42916.patch
new file mode 100644
index 0000000..2321e32
--- /dev/null
+++ b/backport-CVE-2022-42916.patch
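Review bot: The tests/data/test445 file added at the end of this hunk shows no element markup — none of the <testcase>, <info>/<keywords>, <reply>/<data>, <client>/<command> or <verify>/<errorcode> containers the curl test harness parses — only their text content, so as it reads here the harness could not load it and test445 would never exercise the CONNECT-refusal path the patch exists to verify. This may be angle-bracket stripping in this rendering rather than a defect in the committed file; it is worth confirming that the committed backport-CVE-2022-42915.patch still carries the markup and that its line count still matches the `@@ -0,0 +1,61 @@` header before relying on the test. The Makefile.inc hunk also adds `test445\` without the space before the backslash that every neighbouring entry uses; harmless to make, but inconsistent with the list it sits in.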
@@ -0,0 +1,135 @@
+From 53bcf55b4538067e6dc36242168866becb987bb7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 12 Oct 2022 10:47:59 +0200
+Subject: [PATCH] url: use IDN decoded names for HSTS checks
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9791
+
+Conflict: Context adaptation
+Reference: https://github.com/curl/curl/commit/53bcf55b4538067e6dc36242168866becb987bb7
+
+---
+ lib/url.c | 91 ++++++++++++++++++++++++++++---------------------------
+ 1 file changed, 47 insertions(+), 44 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index a3be56bced9de..690c53c81a3c1 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2036,10 +2036,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+ if(!strcasecompare("file", data->state.up.scheme))
+ return CURLE_OUT_OF_MEMORY;
+ }
++ hostname = data->state.up.hostname;
++
++ if(hostname && hostname[0] == '[') {
++ /* This looks like an IPv6 address literal. See if there is an address
++ scope. */
++ size_t hlen;
++ conn->bits.ipv6_ip = TRUE;
++ /* cut off the brackets! */
++ hostname++;
++ hlen = strlen(hostname);
++ hostname[hlen - 1] = 0;
++
++ zonefrom_url(uh, data, conn);
++ }
++
++ /* make sure the connect struct gets its own copy of the host name */
++ conn->host.rawalloc = strdup(hostname ? hostname : "");
++ if(!conn->host.rawalloc)
++ return CURLE_OUT_OF_MEMORY;
++ conn->host.name = conn->host.rawalloc;
++
++ /*************************************************************
++ * IDN-convert the hostnames
++ *************************************************************/
++ result = Curl_idnconvert_hostname(data, &conn->host);
++ if(result)
++ return result;
++ if(conn->bits.conn_to_host) {
++ result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
++ if(result)
++ return result;
++ }
++#ifndef CURL_DISABLE_PROXY
++ if(conn->bits.httpproxy) {
++ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
++ if(result)
++ return result;
++ }
++ if(conn->bits.socksproxy) {
++ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
++ if(result)
++ return result;
++ }
++#endif
+
+ #ifndef CURL_DISABLE_HSTS
++ /* HSTS upgrade */
+ if(data->hsts && strcasecompare("http", data->state.up.scheme)) {
+- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) {
++ /* This MUST use the IDN decoded name */
++ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) {
+ char *url;
+ Curl_safefree(data->state.up.scheme);
+ uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0);
+@@ -2145,26 +2191,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+
+ (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0);
+
+- hostname = data->state.up.hostname;
+- if(hostname && hostname[0] == '[') {
+- /* This looks like an IPv6 address literal. See if there is an address
+- scope. */
+- size_t hlen;
+- conn->bits.ipv6_ip = TRUE;
+- /* cut off the brackets! */
+- hostname++;
+- hlen = strlen(hostname);
+- hostname[hlen - 1] = 0;
+-
+- zonefrom_url(uh, data, conn);
+- }
+-
+- /* make sure the connect struct gets its own copy of the host name */
+- conn->host.rawalloc = strdup(hostname ? hostname : "");
+- if(!conn->host.rawalloc)
+- return CURLE_OUT_OF_MEMORY;
+- conn->host.name = conn->host.rawalloc;
+-
+ if(data->set.scope_id)
+ /* Override any scope that was set above. */
+ conn->scope_id = data->set.scope_id;
+@@ -3713,29 +3739,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+ if(result)
+ goto out;
+
+- /*************************************************************
+- * IDN-convert the hostnames
+- *************************************************************/
+- result = Curl_idnconvert_hostname(data, &conn->host);
+- if(result)
+- goto out;
+- if(conn->bits.conn_to_host) {
+- result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
+- if(result)
+- goto out;
+- }
+-#ifndef CURL_DISABLE_PROXY
+- if(conn->bits.httpproxy) {
+- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
+- if(result)
+- goto out;
+- }
+- if(conn->bits.socksproxy) {
+- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
+- if(result)
+- goto out;
+- }
+-#endif
+
+ /*************************************************************
+ * Check whether the host and the "connect to host" are equal.
diff --git a/curl.spec b/curl.spec
index 676f77d..7a36884 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@
 Name: curl
 Version: 7.79.1
-Release: 11
+Release: 12
 Summary: Curl is used in command lines or scripts to transfer data
 License: MIT
 URL: https://curl.haxx.se/
@@ -28,6 +28,9 @@ Patch13: backport-CVE-2022-32207.patch
 Patch14: backport-CVE-2022-32208.patch
 Patch15: backport-fix-configure-disable-http-auth-build-error.patch
 Patch16: backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch
+Patch17: backport-CVE-2022-32221.patch
+Patch18: backport-CVE-2022-42916.patch
+Patch19: backport-CVE-2022-42915.patch
 BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
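Review bot: Patch17 through Patch19 are declared in the preamble hunk, but the diff does not show the %prep section, so it is not visible whether the three new patches are actually applied; if this spec applies patches with explicit %patchN lines rather than %autosetup, each one needs a matching `%patch17 -p1`-style entry or the package builds and ships without the fixes it claims. The numbering also applies backport-CVE-2022-42916.patch (Patch18) before backport-CVE-2022-42915.patch (Patch19), and both modify lib/url.c; their hunks sit in different regions of that file so the order looks safe, but a dry-run apply is worth doing given the 42916 backport is marked `Conflict: Context adaptation`.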
@@ -202,6 +205,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 %changelog
+* Thu Oct 27 2022 yanglu - 7.79.1-12
+- Type:cves
+- CVE:CVE-2022-32221 CVE-2022-42915 CVE-2022-42916
+- SUG:NA
+- DESC:fix CVE-2022-32221 CVE-2022-42915 CVE-2022-42916
+
 * Tue Oct 11 2022 huangduirong - 7.79.1-11
 - Type:bugfix
 - ID:NA