From 989892cc136b24c7668d0f88d108ca5aeec794b9 Mon Sep 17 00:00:00 2001
From: anolis-bot
Date: Tue, 16 May 2023 18:16:28 +0800
Subject: [PATCH 1/2] update to curl-7.61.1-30.el8_8.2
Signed-off-by: anolis-bot
---
 0043-curl-7.61.1-CVE-2022-35252.patch | 171 +++++++++++++++++
 0045-curl-7.61.1-CVE-2022-43552.patch | 81 ++++++++
 0048-curl-7.61.1-CVE-2023-27535.patch | 231 +++++++++++++++++++++++
 0050-curl-7.61.1-sftp-upload-flags.patch | 34 ++++
 curl.spec | 65 ++++---
 dist | 2 +-
 6 files changed, 557 insertions(+), 27 deletions(-)
 create mode 100644 0043-curl-7.61.1-CVE-2022-35252.patch
 create mode 100644 0045-curl-7.61.1-CVE-2022-43552.patch
 create mode 100644 0048-curl-7.61.1-CVE-2023-27535.patch
 create mode 100644 0050-curl-7.61.1-sftp-upload-flags.patch
diff --git a/0043-curl-7.61.1-CVE-2022-35252.patch b/0043-curl-7.61.1-CVE-2022-35252.patch
new file mode 100644
index 0000000..f2eedd8
--- /dev/null
+++ b/0043-curl-7.61.1-CVE-2022-35252.patch
@@ -0,0 +1,171 @@
+From 005d3f387bc5c3b2ee94d0597b5e202644c825f5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 31 Oct 2018 11:08:49 +0100
+Subject: [PATCH 1/3] runtests: use the local curl for verifying
+
+... revert the mistaken change brought in commit 8440616f53.
+
+Reported-by: Alessandro Ghedini
+Bug: https://curl.haxx.se/mail/lib-2018-10/0118.html
+
+Closes #3198
+
+Upstream-commit: 8effa8c2b09906a2f00a3f08322dc5da35245b0a
+Signed-off-by: Kamil Dudka
+---
+ tests/runtests.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 8d8ed81..d62fa40 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -152,7 +152,7 @@ my $NEGTELNETPORT; # TELNET server port with negotiation
+
+ my $srcdir = $ENV{'srcdir'} || '.';
+ my $CURL="../src/curl".exe_ext(); # what curl executable to run on the tests
+-my $VCURL="curl"; # what curl binary to use to verify the servers with
++my $VCURL=$CURL; # what curl binary to use to verify the servers with
+ # VCURL is handy to set to the system one when the one you
+ # just built hangs or crashes and thus prevent verification
+ my $DBGCURL=$CURL; #"../src/.libs/curl"; # alternative for debugging
+--
+2.37.3
+
+
+From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH 2/3] cookie: reject cookies with "control bytes"
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+
+Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3
+Signed-off-by: Kamil Dudka
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index cb0c03b..e0470a1 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -371,6 +371,30 @@ static void strstore(char **str, const char *newstr)
+ *str = strdup(newstr);
+ }
+
++/* ++ RFC 6265 section 4.1.1 says a server should accept this range: ++ ++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ++ ++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes ++ fine. The prime reason for filtering out control bytes is that some HTTP ++ servers return 400 for requests that contain such. ++*/ ++static int invalid_octets(const char *p) ++{ ++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ ++ static const char badoctets[] = { ++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" ++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" ++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" ++ }; ++ size_t vlen, len; ++ /* scan for all the octets that are *not* in cookie-octet */ ++ len = strcspn(p, badoctets); ++ vlen = strlen(p); ++ return (len != vlen); ++} ++ + /* + * remove_expired() removes expired cookies. + */ +@@ -541,6 +565,11 @@ Curl_cookie_add(struct Curl_easy *data, + badcookie = TRUE; + break; + } ++ if(invalid_octets(whatptr) || invalid_octets(name)) { ++ infof(data, "invalid octets in name/value, cookie dropped"); ++ badcookie = TRUE; ++ break; ++ } + } + else if(!len) { + /* this was a "=" with no content, and we must allow +-- +2.37.1 + + +From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH 3/3] test8: verify that "ctrl-byte cookies" are ignored + +Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28 +Signed-off-by: Kamil Dudka +--- + tests/data/test8 | 32 +++++++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +diff --git a/tests/data/test8 b/tests/data/test8 +index a8548e6..8587611 100644 +--- a/tests/data/test8 ++++ b/tests/data/test8 +@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want; + Set-Cookie: nocookie=yes; path=/WE; + Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad; + Set-Cookie: partialip=nono; domain=.0.0.1; 
++Set-Cookie: cookie1=-junk ++Set-Cookie: cookie2=-junk ++Set-Cookie: cookie3=-junk ++Set-Cookie: cookie4=-junk ++Set-Cookie: cookie5=-junk ++Set-Cookie: cookie6=-junk ++Set-Cookie: cookie7=-junk ++Set-Cookie: cookie8=-junk ++Set-Cookie: cookie9=junk- - ++Set-Cookie: cookie11= -junk ++Set-Cookie: cookie12= -junk ++Set-Cookie: cookie14=-junk ++Set-Cookie: cookie15=-junk ++Set-Cookie: cookie16=-junk ++Set-Cookie: cookie17=-junk ++Set-Cookie: cookie18=-junk ++Set-Cookie: cookie19=-junk ++Set-Cookie: cookie20=-junk ++Set-Cookie: cookie21=-junk ++Set-Cookie: cookie22=-junk ++Set-Cookie: cookie23=-junk ++Set-Cookie: cookie24=-junk ++Set-Cookie: cookie25=-junk ++Set-Cookie: cookie26=-junk ++Set-Cookie: cookie27=-junk ++Set-Cookie: cookie28=-junk ++Set-Cookie: cookie29=-junk ++Set-Cookie: cookie30=-junk ++Set-Cookie: cookie31=-junk ++Set-Cookie: cookie31=-junk + + + +@@ -62,7 +92,7 @@ perl -e 'if ("%HOSTIP" !~ /\.0\.0\.1$/) {print "Test only works for HOSTIPs endi + GET /we/want/8 HTTP/1.1 + Host: %HOSTIP:%HTTPPORT + Accept: */* +-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes ++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- - + + + +-- +2.37.1 + diff --git a/0045-curl-7.61.1-CVE-2022-43552.patch b/0045-curl-7.61.1-CVE-2022-43552.patch new file mode 100644 index 0000000..3ffacc5 --- /dev/null +++ b/0045-curl-7.61.1-CVE-2022-43552.patch 
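Review bot: The added `infof(data, "invalid octets in name/value, cookie dropped");` in Curl_cookie_add has no trailing newline. This check is backported from a much newer upstream tree; if infof() in the 7.61.1 base does not append a newline itself (the neighbouring infof calls in lib/cookie.c are outside the hunk, so please compare), the verbose trace will run this message into the following line and dropped-cookie events become harder to pick out of logs. Suggested: `infof(data, "invalid octets in name/value, cookie dropped\n");`. Curl_cookie_add's body continues outside the hunk, so a short comment at the call stating that only the name and value of the parsed pair are screened here would also help the next reader.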
@@ -0,0 +1,81 @@
+From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+
+Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2
+Signed-off-by: Kamil Dudka
+---
+ lib/smb.c | 14 ++------------
+ lib/telnet.c | 3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 039d680..f682c1f 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -61,8 +61,6 @@ static CURLcode smb_connect(struct connectdata *conn, bool *done);
+ static CURLcode smb_connection_state(struct connectdata *conn, bool *done);
+ static CURLcode smb_do(struct connectdata *conn, bool *done);
+ static CURLcode smb_request_state(struct connectdata *conn, bool *done);
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature);
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead);
+ static int smb_getsock(struct connectdata *conn, curl_socket_t *socks,
+ int numsocks);
+@@ -75,7 +73,7 @@ const struct Curl_handler Curl_handler_smb = {
+ "SMB", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -100,7 +98,7 @@ const struct Curl_handler Curl_handler_smbs = {
+ "SMBS", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -915,14 +913,6 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
+ return CURLE_OK;
+ }
+
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature)
+-{
+-
(void) premature;
+- Curl_safefree(conn->data->req.protop);
+- return status;
+-}
+-
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead)
+ {
+ struct smb_conn *smbc = &conn->proto.smbc;
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 923c7f8..48cd0d7 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -1294,9 +1294,6 @@ static CURLcode telnet_done(struct connectdata *conn,
+
+ curl_slist_free_all(tn->telnet_vars);
+ tn->telnet_vars = NULL;
+-
+- Curl_safefree(conn->data->req.protop);
+-
+ return CURLE_OK;
+ }
+
+--
+2.38.1
+
diff --git a/0048-curl-7.61.1-CVE-2023-27535.patch b/0048-curl-7.61.1-CVE-2023-27535.patch
new file mode 100644
index 0000000..7d5ba97
--- /dev/null
+++ b/0048-curl-7.61.1-CVE-2023-27535.patch
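Review bot: Both SMB handler tables now read `ZERO_NULL, /* done */` with nothing in the code saying why the protocol has no done callback; the only rationale ("managed by the generic layer") is in the commit message. Because this is a backport onto 7.61.1, it is worth confirming that the generic request teardown in this base really frees `req.protop`: that code is not part of the patch, and if it does not, the change would replace the use-after-free with a leak. I would record the ownership next to the entries, e.g. `ZERO_NULL, /* done: req.protop is freed by the generic layer, never here */`, and leave the same one-line remark in telnet_done() where the `Curl_safefree(conn->data->req.protop);` call was dropped.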
@@ -0,0 +1,231 @@
+From e8705acd69383c13191c9dd4867d5118e58c54ba Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 6 Oct 2022 00:49:10 +0200
+Subject: [PATCH 1/2] strcase: add Curl_timestrcmp
+
+This is a strcmp() alternative function for comparing "secrets",
+designed to take the same time no matter the content to not leak
+match/non-match info to observers based on how fast it is.
+
+The time this function takes is only a function of the shortest input
+string.
+
+Reported-by: Trail of Bits
+
+Closes #9658
+
+Upstream-commit: ed5095ed94281989e103c72e032200b83be37878
+Signed-off-by: Kamil Dudka
+---
+ lib/strcase.c | 22 ++++++++++++++++++++++
+ lib/strcase.h | 1 +
+ 2 files changed, 23 insertions(+)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index f932485..c73907d 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -175,6 +175,28 @@ bool Curl_safecmp(char *a, char *b)
+ return !a && !b;
+ }
+
++/*
++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
++ * function spends is a function of the shortest string, not of the contents.
++ */
++int Curl_timestrcmp(const char *a, const char *b)
++{
++ int match = 0;
++ int i = 0;
++
++ if(a && b) {
++ while(1) {
++ match |= a[i]^b[i];
++ if(!a[i] || !b[i])
++ break;
++ i++;
++ }
++ }
++ else
++ return a || b;
++ return match;
++}
++
+ /* --- public functions --- */
+
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index d245929..11a67a1 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -48,5 +48,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+
+ bool Curl_safecmp(char *a, char *b);
++int Curl_timestrcmp(const char *first, const char *second);
+
+ #endif /* HEADER_CURL_STRCASE_H */
+--
+2.39.2
+
+
+From 9cfaea212ff347937a38f6b5d6b885ed8ba1b931 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 9 Mar 2023 17:47:06 +0100
+Subject: [PATCH 2/2] ftp: add more conditions for connection reuse
+
+Reported-by: Harry Sintonen
+Closes #10730
+
+Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1
+Signed-off-by: Kamil Dudka
+---
+ lib/ftp.c | 28 ++++++++++++++++++++++++++--
+ lib/ftp.h | 5 +++++
+ lib/setopt.c | 2 +-
+ lib/url.c | 13 ++++++++++++-
+ lib/urldata.h | 4 ++--
+ 5 files changed, 46 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 9442832..df15bc0 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -4080,6 +4080,8 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
+ }
+
+ freedirs(ftpc);
++ Curl_safefree(ftpc->account);
++ Curl_safefree(ftpc->alternative_to_user);
+ free(ftpc->prevpath);
+ ftpc->prevpath = NULL;
+ free(ftpc->server_os);
+@@ -4391,11 +4393,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+ struct Curl_easy *data = conn->data;
+ char *type;
+ struct FTP *ftp;
++ struct ftp_conn *ftpc = &conn->proto.ftpc;
+
+- conn->data->req.protop = ftp = malloc(sizeof(struct FTP));
++ ftp = calloc(sizeof(struct FTP), 1);
+ if(NULL == ftp)
+ return
CURLE_OUT_OF_MEMORY;
+
++ /* clone connection related data that is FTP specific */
++ if(data->set.str[STRING_FTP_ACCOUNT]) {
++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
++ if(!ftpc->account) {
++ free(ftp);
++ return CURLE_OUT_OF_MEMORY;
++ }
++ }
++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
++ ftpc->alternative_to_user =
++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
++ if(!ftpc->alternative_to_user) {
++ Curl_safefree(ftpc->account);
++ free(ftp);
++ return CURLE_OUT_OF_MEMORY;
++ }
++ }
++ data->req.protop = ftp;
++
+ data->state.path++; /* don't include the initial slash */
+ data->state.slash_removed = TRUE; /* we've skipped the slash */
+
+@@ -4445,7 +4467,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+ if(isBadFtpString(ftp->passwd))
+ return CURLE_URL_MALFORMAT;
+
+- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
++ ftpc->known_filesize = -1; /* unknown size for now */
++ ftpc->use_ssl = data->set.use_ssl;
++ ftpc->ccc = data->set.ftp_ccc;
+
+ return CURLE_OK;
+ }
+diff --git a/lib/ftp.h b/lib/ftp.h
+index 7f6f432..3f33e27 100644
+--- a/lib/ftp.h
++++ b/lib/ftp.h
+@@ -117,6 +117,8 @@ struct FTP {
+ struct */
+ struct ftp_conn {
+ struct pingpong pp;
++ char *account;
++ char *alternative_to_user;
+ char *entrypath; /* the PWD reply when we logged on */
+ char **dirs; /* realloc()ed array for path components */
+ int dirdepth; /* number of entries used in the 'dirs' array */
+@@ -144,6 +146,9 @@ struct ftp_conn {
+ ftpstate state; /* always use ftp.c:state() to change state! */
+ ftpstate state_saved; /* transfer type saved to be reloaded after
+ data connection is established */
++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
++ IMAP or POP3 or others! (type: curl_usessl)*/
++ unsigned char ccc; /* ccc level for this connection */
+ curl_off_t retr_size_saved; /* Size of retrieved file saved */
+ char *server_os; /* The target server operating system.
*/
+ curl_off_t known_filesize; /* file size is different from -1, if wildcard
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 3339a67..6fc111d 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2039,7 +2039,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
+ arg = va_arg(param, long);
+ if((arg < CURLUSESSL_NONE) || (arg > CURLUSESSL_ALL))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+- data->set.use_ssl = (curl_usessl)arg;
++ data->set.use_ssl = (unsigned char)arg;
+ break;
+
+ case CURLOPT_SSL_OPTIONS:
+diff --git a/lib/url.c b/lib/url.c
+index 61ba832..4e21838 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1309,7 +1309,18 @@ ConnectionExists(struct Curl_easy *data,
+ if(!ssh_config_matches(needle, check))
+ continue;
+ }
+-
++#ifndef CURL_DISABLE_FTP
++ if(needle->handler->protocol & (CURLPROTO_FTP|CURLPROTO_FTPS)) {
++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
++ if(Curl_timestrcmp(needle->proto.ftpc.account,
++ check->proto.ftpc.account) ||
++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
++ check->proto.ftpc.alternative_to_user) ||
++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
++ continue;
++ }
++#endif
+ if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
+ needle->bits.tunnel_proxy) {
+ /* The requested connection does not use a HTTP proxy or it uses SSL or
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 9d9ca92..4e2f5b9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1498,6 +1498,8 @@ struct UserDefined {
+ curl_write_callback fwrite_header; /* function that stores headers */
+ curl_write_callback fwrite_rtp; /* function that stores interleaved RTP */
+ curl_read_callback fread_func_set; /* function that reads the input */
++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
++ IMAP or POP3 or others!
(type: curl_usessl)*/
+ int is_fread_set; /* boolean, has read callback been set to non-NULL? */
+ int is_fwrite_set; /* boolean, has write callback been set to non-NULL? */
+ curl_progress_callback fprogress; /* OLD and deprecated progress callback */
+@@ -1622,8 +1624,6 @@ struct UserDefined {
+ bool ftp_use_eprt; /* if EPRT is to be attempted or not */
+ bool ftp_use_pret; /* if PRET is to be used before PASV or not */
+
+- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
+- IMAP or POP3 or others! */
+ curl_ftpauth ftpsslauth; /* what AUTH XXX to be attempted */
+ curl_ftpccc ftp_ccc; /* FTP CCC options */
+ bool no_signal; /* do not use any signal/alarm handler */
+--
+2.39.2
+
diff --git a/0050-curl-7.61.1-sftp-upload-flags.patch b/0050-curl-7.61.1-sftp-upload-flags.patch
new file mode 100644
index 0000000..42efac3
--- /dev/null
+++ b/0050-curl-7.61.1-sftp-upload-flags.patch
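Review bot: The new `ftpc->account` and `ftpc->alternative_to_user` copies are allocated in ftp_setup_connection() and, in the visible hunks, released only in ftp_disconnect(), with nothing on the fields saying who owns them. ConnectionExists() compares `needle->proto.ftpc.*`, so the needle connection must already hold its own copies when the reuse check runs; if the needle is then discarded in favour of the reused connection without going through the protocol's disconnect handler, both strings would leak on every reuse. That teardown path is not part of the patch, so please confirm it against the 7.61.1 base. I would document the ownership in lib/ftp.h, e.g. `char *account; /* strdup()ed in ftp_setup_connection, freed in ftp_disconnect */`, and likewise for `alternative_to_user`.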
@@ -0,0 +1,34 @@ +From cc52b2d89397ff26b01d791cd1c605cba741aaa4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Felix=20H=C3=A4dicke?= +Date: Wed, 24 Jul 2019 11:47:51 +0200 +Subject: [PATCH] ssh-libssh: do not specify O_APPEND when not in append mode + +Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not +make much sense. And this combination of flags is not accepted by all +SFTP servers (at least not Apache SSHD). + +Fixes #4147 +Closes #4148 + +Upstream-commit: 62617495102c60124db8a909f592f063e38a89aa +Signed-off-by: Kamil Dudka +--- + lib/ssh-libssh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c +index 4110be2..2414173 100644 +--- a/lib/ssh-libssh.c ++++ b/lib/ssh-libssh.c +@@ -1112,7 +1112,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) + flags = O_WRONLY|O_APPEND; + else + /* Clear file before writing (normal behaviour) */ +- flags = O_WRONLY|O_APPEND|O_CREAT|O_TRUNC; ++ flags = O_WRONLY|O_CREAT|O_TRUNC; + + if(sshc->sftp_file) + sftp_close(sshc->sftp_file); +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 8d1fef9..22c6d96 100644 --- a/curl.spec +++ b/curl.spec @@ -1,8 +1,7 @@ -%define anolis_release .0.2 Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 25%{anolis_release}%{?dist}.3 +Release: 30%{?dist}.2 License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz 
@@ -122,15 +121,27 @@ Patch41: 0041-curl-7.61.1-CVE-2022-32206.patch # setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703) Patch42: 0042-curl-7.61.1-ssh-known-hosts.patch +# control code in cookie denial of service (CVE-2022-35252) +Patch43: 0043-curl-7.61.1-CVE-2022-35252.patch + # upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1 (#2139337) Patch44: 0044-curl-7.61.1-retry-http11.patch +# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) +Patch45: 0045-curl-7.61.1-CVE-2022-43552.patch + # h2: lower initial window size to 32 MiB (#2166254) Patch46: 0046-curl-7.61.1-h2-window-size.patch # fix HTTP multi-header compression denial of service (CVE-2023-23916) Patch47: 0047-curl-7.61.1-CVE-2023-23916.patch +# fix FTP too eager connection reuse (CVE-2023-27535) +Patch48: 0048-curl-7.61.1-CVE-2023-27535.patch + +# sftp: do not specify O_APPEND when not in append mode (#2187717) +Patch50: 0050-curl-7.61.1-sftp-upload-flags.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -148,8 +159,6 @@ Patch105: 0105-curl-7.61.1-test-ports.patch Provides: curl-full = %{version}-%{release} Provides: webclient -Provides: /usr/bin/curl -Requires: glibc URL: https://curl.haxx.se/ BuildRequires: automake BuildRequires: brotli-devel @@ -289,14 +298,6 @@ comes with a limited set of features compared to the 'libcurl' package. On the other hand, the package is smaller and requires fewer run-time dependencies to be installed. -%package doc -Summary: Documents for %{name} -BuildArch: noarch -Requires: %{name} = %{version}-%{release} - -%description doc -Doc pages for %{name}. - %prep %setup -q @@ -356,9 +357,13 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6} %patch40 -p1 %patch41 -p1 %patch42 -p1 +%patch43 -p1 %patch44 -p1 +%patch45 -p1 %patch46 -p1 %patch47 -p1 +%patch48 -p1 +%patch50 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py 
@@ -487,15 +492,22 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %ldconfig_scriptlets -n libcurl-minimal %files +%doc CHANGES README* +%doc docs/BUGS docs/FAQ docs/FEATURES +%doc docs/MANUAL docs/RESOURCES +%doc docs/TheArtOfHttpScripting docs/TODO %{_bindir}/curl %{_mandir}/man1/curl.1* %{_datadir}/zsh/site-functions %files -n libcurl +%license COPYING %{_libdir}/libcurl.so.4 %{_libdir}/libcurl.so.4.[0-9].[0-9] %files -n libcurl-devel +%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md +%doc docs/CONTRIBUTE.md docs/libcurl/ABI %{_bindir}/curl-config* %{_includedir}/curl %{_libdir}/*.so 
@@ -509,31 +521,32 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man1/curl.1* %files -n libcurl-minimal +%license COPYING %{_libdir}/libcurl.so.4.minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal -%files doc -%license COPYING -%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md -%doc docs/CONTRIBUTE.md docs/libcurl/ABI -%doc CHANGES README* -%doc docs/BUGS docs/FAQ docs/FEATURES -%doc docs/MANUAL docs/RESOURCES -%doc docs/TheArtOfHttpScripting docs/TODO - %changelog -* Wed Mar 08 2023 Weisson - 7.61.1-25.0.2.3 -- Add doc sub package +* Thu Apr 20 2023 Kamil Dudka - 7.61.1-30.el8_8.2 +- sftp: do not specify O_APPEND when not in append mode (#2187717) -* Wed Feb 15 2023 Kamil Dudka - 7.61.1-25.el8_7.3 +* Fri Mar 24 2023 Kamil Dudka - 7.61.1-30.el8_8.1 +- fix FTP too eager connection reuse (CVE-2023-27535) + +* Wed Feb 15 2023 Kamil Dudka - 7.61.1-30 - fix HTTP multi-header compression denial of service (CVE-2023-23916) -* Tue Feb 07 2023 Kamil Dudka - 7.61.1-25.el8_7.2 +* Tue Feb 07 2023 Kamil Dudka - 7.61.1-29 - h2: lower initial window size to 32 MiB (#2166254) -* Fri Nov 18 2022 Kamil Dudka - 7.61.1-25.el8_7.1 +* Wed Dec 21 2022 Kamil Dudka - 7.61.1-28 +- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) + +* Fri Nov 18 2022 Kamil Dudka - 7.61.1-27 - upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1 (#2139337) +* Fri Sep 02 2022 Kamil Dudka - 7.61.1-26 +- control code in cookie denial of service (CVE-2022-35252) + * Wed Jun 29 2022 Kamil Dudka - 7.61.1-25 - setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703) - fix HTTP compression denial of service (CVE-2022-32206) diff --git a/dist b/dist index 535c690..5aa45c5 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8_7 +an8_8 -- Gitee From fc0e6542a03a2cb22f0c60c57054783016cd24f9 Mon Sep 17 00:00:00 2001 From: Weisson Date: Sat, 16 Jul 2022 18:56:59 +0800 Subject: [PATCH 2/2] spec: add doc sub package 
Signed-off-by: Weisson --- curl.spec | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/curl.spec b/curl.spec index 22c6d96..0dfe4ec 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,8 @@ +%define anolis_release .0.2 Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 30%{?dist}.2 +Release: 30%{anolis_release}%{?dist}.2 License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -159,6 +160,8 @@ Patch105: 0105-curl-7.61.1-test-ports.patch Provides: curl-full = %{version}-%{release} Provides: webclient +Provides: /usr/bin/curl +Requires: glibc URL: https://curl.haxx.se/ BuildRequires: automake BuildRequires: brotli-devel @@ -298,6 +301,14 @@ comes with a limited set of features compared to the 'libcurl' package. On the other hand, the package is smaller and requires fewer run-time dependencies to be installed. +%package doc +Summary: Documents for %{name} +BuildArch: noarch +Requires: %{name} = %{version}-%{release} + +%description doc +Doc pages for %{name}. + %prep %setup -q @@ -492,22 +503,15 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES README* -%doc docs/BUGS docs/FAQ docs/FEATURES -%doc docs/MANUAL docs/RESOURCES -%doc docs/TheArtOfHttpScripting docs/TODO %{_bindir}/curl %{_mandir}/man1/curl.1* %{_datadir}/zsh/site-functions %files -n libcurl -%license COPYING %{_libdir}/libcurl.so.4 %{_libdir}/libcurl.so.4.[0-9].[0-9] %files -n libcurl-devel -%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md -%doc docs/CONTRIBUTE.md docs/libcurl/ABI %{_bindir}/curl-config* %{_includedir}/curl %{_libdir}/*.so 
@@ -521,11 +525,22 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man1/curl.1* %files -n libcurl-minimal -%license COPYING %{_libdir}/libcurl.so.4.minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal +%files doc +%license COPYING +%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md +%doc docs/CONTRIBUTE.md docs/libcurl/ABI +%doc CHANGES README* +%doc docs/BUGS docs/FAQ docs/FEATURES +%doc docs/MANUAL docs/RESOURCES +%doc docs/TheArtOfHttpScripting docs/TODO + %changelog +* Wed May 24 2023 Weisson - 7.61.1-30.0.1.2 +- Add doc sub package + * Thu Apr 20 2023 Kamil Dudka - 7.61.1-30.el8_8.2 - sftp: do not specify O_APPEND when not in append mode (#2187717) -- Gitee
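Review bot: The new changelog entry is stamped `7.61.1-30.0.1.2`, but this same patch sets `%define anolis_release .0.2` with `Release: 30%{anolis_release}%{?dist}.2`, which expands to 30.0.2 rather than 30.0.1; the earlier Anolis entry (`7.61.1-25.0.2.3`) did match its macro. A changelog version that disagrees with the built release makes it harder to tell from package metadata which build carries the CVE-2022-43552 and CVE-2023-27535 fixes. Either change the entry to `7.61.1-30.0.2.2` or set `anolis_release` to `.0.1`, whichever is intended.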