diff --git a/0001-fix-cve-2024-2398.patch b/0001-fix-cve-2024-2398.patch new file mode 100644 index 0000000000000000000000000000000000000000..8085693af8b28c5f0979d3f6e3c6b2f269f7d736 --- /dev/null +++ b/0001-fix-cve-2024-2398.patch @@ -0,0 +1,89 @@ +From 23ff99b2dfb1be7ff040757e73181816d170aca2 Mon Sep 17 00:00:00 2001 +From: Yang_X_Y +Date: Tue, 14 May 2024 15:49:40 +0800 +Subject: [PATCH] fix-cve-2024-2398 + +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index c8b0594..8c422d1 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf, + return CURLE_OK; + } + ++static void free_push_headers(struct stream_ctx *stream) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + static void http2_data_done(struct Curl_cfilter *cf, + struct Curl_easy *data, bool premature) + { +@@ -318,15 +327,7 @@ static void http2_data_done(struct Curl_cfilter *cf, + Curl_bufq_free(&stream->recvbuf); + Curl_h1_req_parse_free(&stream->h1); + Curl_dynhds_free(&stream->resp_trailers); +- if(stream->push_headers) { +- /* if they weren't used and then freed before */ +- for(; stream->push_headers_used > 0; --stream->push_headers_used) { +- free(stream->push_headers[stream->push_headers_used - 1]); +- } +- free(stream->push_headers); +- stream->push_headers = NULL; +- } +- ++ free_push_headers(stream); + free(stream); + H2_STREAM_LCTX(data) = NULL; + } +@@ -865,7 +866,6 @@ static int push_promise(struct Curl_cfilter *cf, + struct curl_pushheaders heads; + CURLMcode rc; + CURLcode result; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = h2_duphandle(cf, data); + if(!newhandle) { +@@ -910,11 +910,7 @@ static int push_promise(struct Curl_cfilter *cf, + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); +@@ -1455,14 +1451,14 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, + if(stream->push_headers_alloc > 1000) { + /* this is beyond crazy many headers, bail out */ + failf(data_s, "Too many PUSH_PROMISE headers"); +- Curl_safefree(stream->push_headers); ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; +-- +2.33.0 + diff --git a/curl.spec b/curl.spec index e0aaa1a7610bf872df1924bbcf1baedd81275599..7a4c7d6ed3b984c5e86f6cacee16d9cd111a5dd2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Epoch: 1 @@ -75,6 +75,8 @@ BuildRequires: perl(Time::Local) BuildRequires: perl(Time::HiRes) BuildRequires: perl(vars) +Patch: 0001-fix-cve-2024-2398.patch + # The test-suite runs automatically through valgrind if valgrind is available # on the system. By not installing valgrind into mock's chroot, we disable # this feature for production builds on architectures where valgrind is known @@ -365,6 +367,9 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish %doc docs/TheArtOfHttpScripting.md %changelog +* Tue May 14 2024 yangxinyu - 8.4.0-3 +- fix cve-2024-2398 + * Mon Mar 25 2024 Zhenyu Wang - 8.4.0-2 - Raise the release number to 2 to avoid n-v-r conflicts