diff --git a/1000-fix-CVE-2024-2004.patch b/1000-fix-CVE-2024-2004.patch
new file mode 100644
index 0000000000000000000000000000000000000000..00b6d14446a4baa592f18d164b4c690ca80a029b
--- /dev/null
+++ b/1000-fix-CVE-2024-2004.patch
@@ -0,0 +1,64 @@
+From 10cd800b3b45e83ed94d563d0f6208a2f9c67204 Mon Sep 17 00:00:00 2001
+From: Chunmei Xu
+Date: Tue, 13 Aug 2024 14:05:54 +0800
+Subject: [PATCH 1/1] fix CVE-2024-2004
+
+---
+ lib/setopt.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 0d399ad..e022096 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -154,6 +154,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp)
+
+ static CURLcode protocol2num(const char *str, curl_prot_t *val)
+ {
++ /*
++ * We are asked to cherry-pick protocols, so play it safe and disallow all
++ * protocols to start with, and re-add the wanted ones back in.
++ */
++ *val = 0;
++
+ if(!str)
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+
+@@ -162,8 +168,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val)
+ return CURLE_OK;
+ }
+
+- *val = 0;
+-
+ do {
+ const char *token = str;
+ size_t tlen;
+@@ -2690,22 +2694,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ break;
+
+ case CURLOPT_PROTOCOLS_STR: {
+- curl_prot_t prot;
+ argptr = va_arg(param, char *);
+- result = protocol2num(argptr, &prot);
++ result = protocol2num(argptr, &data->set.allowed_protocols);
+ if(result)
+ return result;
+- data->set.allowed_protocols = prot;
+ break;
+ }
+
+ case CURLOPT_REDIR_PROTOCOLS_STR: {
+- curl_prot_t prot;
+ argptr = va_arg(param, char *);
+- result = protocol2num(argptr, &prot);
++ result = protocol2num(argptr, &data->set.redir_protocols);
+ if(result)
+ return result;
+- data->set.redir_protocols = prot;
+ break;
+ }
+
+--
+2.41.0
+
+
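Review bot: protocol2num() now clears `*val` before the NULL check, and both Curl_vsetopt cases pass the live `data->set.allowed_protocols` / `data->set.redir_protocols`, so an error return no longer leaves the previous setting intact; that fail-closed contract is not stated anywhere in the patch. The parsing loop is outside the hunk, but if it adds bits token by token, a list that fails on a later token presumably leaves a partial mask behind rather than an empty one. I would document this above the function, for example `/* *val is modified even on error: cleared first, then filled as tokens are accepted */`. The diffstat shows only lib/setopt.c, so no test for the all-protocols-disabled case comes with the backport.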
diff --git a/1001-fix-CVE-2023-46218.patch b/1001-fix-CVE-2023-46218.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ff08b8457ff18fb7bfa0fb93aa52d854a5d6d108
--- /dev/null
+++ b/1001-fix-CVE-2023-46218.patch
@@ -0,0 +1,48 @@
+From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 23 Nov 2023 08:15:47 +0100
+Subject: [PATCH] cookie: lowercase the domain names before PSL checks
+
+Reported-by: Harry Sintonen
+
+Closes #12387
+---
+ lib/cookie.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 568cf537ad1b..9095cea3e97f 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data,
+ * dereference it.
+ */
+ if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) {
+- const psl_ctx_t *psl = Curl_psl_use(data);
+- int acceptable;
+-
+- if(psl) {
+- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
+- Curl_psl_release(data);
++ bool acceptable = FALSE;
++ char lcase[256];
++ char lcookie[256];
++ size_t dlen = strlen(domain);
++ size_t clen = strlen(co->domain);
++ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
++ const psl_ctx_t *psl = Curl_psl_use(data);
++ if(psl) {
++ /* the PSL check requires lowercase domain name and pattern */
++ Curl_strntolower(lcase, domain, dlen + 1);
++ Curl_strntolower(lcookie, co->domain, clen + 1);
++ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
++ Curl_psl_release(data);
++ }
++ else
++ acceptable = !bad_domain(domain, strlen(domain));
+ }
+- else
+- acceptable = !bad_domain(domain, strlen(domain));
+
+ if(!acceptable) {
+ infof(data, "cookie '%s' dropped, domain '%s' must not "
diff --git a/1002-fix-CVE-2023-46219.patch b/1002-fix-CVE-2023-46219.patch
new file mode 100644
index 0000000000000000000000000000000000000000..83b3bc3632883956745168133165bb624aad9384
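Review bot: In the lib/cookie.c patch, the length guard in Curl_cookie_add leaves `acceptable` FALSE whenever either name is 256 bytes or longer, so such a cookie is dropped and logged with the "must not" message although neither the PSL check nor bad_domain() ran. That fail-closed choice deserves a comment at the guard, for example `/* names that do not fit the lowercase buffers are rejected outright */`. The else branch also recomputes `strlen(domain)` where `dlen` is already in hand; `acceptable = !bad_domain(domain, dlen);` reads better. Curl_cookie_add starts and ends outside the hunk.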
--- /dev/null
+++ b/1002-fix-CVE-2023-46219.patch
@@ -0,0 +1,127 @@
+From 73b65e94f3531179de45c6f3c836a610e3d0a846 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 23 Nov 2023 08:23:17 +0100
+Subject: [PATCH] fopen: create short(er) temporary file name
+
+Only using random letters in the name plus a ".tmp" extension. Not by
+appending characters to the final file name.
+
+Reported-by: Maksymilian Arciemowicz
+
+Closes #12388
+---
+ lib/fopen.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 60 insertions(+), 5 deletions(-)
+
+diff --git a/lib/fopen.c b/lib/fopen.c
+index 75b8a7aa5340..a73ac068ea30 100644
+--- a/lib/fopen.c
++++ b/lib/fopen.c
+@@ -39,6 +39,51 @@
+ #include "curl_memory.h"
+ #include "memdebug.h"
+
++/*
++ The dirslash() function breaks a null-terminated pathname string into
++ directory and filename components then returns the directory component up
++ to, *AND INCLUDING*, a final '/'. If there is no directory in the path,
++ this instead returns a "" string.
++
++ This function returns a pointer to malloc'ed memory.
++
++ The input path to this function is expected to have a file name part.
++*/
++
++#ifdef _WIN32
++#define PATHSEP "\\"
++#define IS_SEP(x) (((x) == '/') || ((x) == '\\'))
++#elif defined(MSDOS) || defined(__EMX__) || defined(OS2)
++#define PATHSEP "\\"
++#define IS_SEP(x) ((x) == '\\')
++#else
++#define PATHSEP "/"
++#define IS_SEP(x) ((x) == '/')
++#endif
++
++static char *dirslash(const char *path)
++{
++ size_t n;
++ struct dynbuf out;
++ DEBUGASSERT(path);
++ Curl_dyn_init(&out, CURL_MAX_INPUT_LENGTH);
++ n = strlen(path);
++ if(n) {
++ /* find the rightmost path separator, if any */
++ while(n && !IS_SEP(path[n-1]))
++ --n;
++ /* skip over all the path separators, if any */
++ while(n && IS_SEP(path[n-1]))
++ --n;
++ }
++ if(Curl_dyn_addn(&out, path, n))
++ return NULL;
++ /* if there was a directory, append a single trailing slash */
++ if(n && Curl_dyn_addn(&out, PATHSEP, 1))
++ return NULL;
++ return Curl_dyn_ptr(&out);
++}
++
+ /*
+ * Curl_fopen() opens a file for writing with a temp name, to be renamed
+ * to the final name when completed. If there is an existing file using this
+@@ -50,25 +95,34 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+ FILE **fh, char **tempname)
+ {
+ CURLcode result = CURLE_WRITE_ERROR;
+- unsigned char randsuffix[9];
++ unsigned char randbuf[41];
+ char *tempstore = NULL;
+ struct_stat sb;
+ int fd = -1;
++ char *dir;
+ *tempname = NULL;
+
++ dir = dirslash(filename);
++ if(!dir)
++ goto fail;
++
+ *fh = fopen(filename, FOPEN_WRITETEXT);
+ if(!*fh)
+ goto fail;
+- if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode))
++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) {
++ free(dir);
+ return CURLE_OK;
++ }
+ fclose(*fh);
+ *fh = NULL;
+
+- result = Curl_rand_alnum(data, randsuffix, sizeof(randsuffix));
++ result = Curl_rand_alnum(data, randbuf, sizeof(randbuf));
+ if(result)
+ goto fail;
+
+- tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
++ /* The temp file name should not end up too long for the target file
++ system */
++ tempstore = aprintf("%s%s.tmp", dir, randbuf);
+ if(!tempstore) {
+ result = CURLE_OUT_OF_MEMORY;
+ goto fail;
+@@ -95,6 +149,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+ if(!*fh)
+ goto fail;
+
++ free(dir);
+ *tempname = tempstore;
+ return CURLE_OK;
+
+@@ -105,7 +160,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+ }
+
+ free(tempstore);
+-
++ free(dir);
+ return result;
+ }
+
diff --git a/curl.spec b/curl.spec
index 25abac50159272089276bf2bd8ad1a0233136a57..0d5f2d67198da967aa80a1246cc7a1ad66ec1951 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,4 +1,4 @@
-%define anolis_release 5
+%define anolis_release 6
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Epoch: 1
@@ -78,6 +78,12 @@ BuildRequires: perl(vars)
 Patch: 0001-fix-cve-2024-2398.patch
 # https://github.com/curl/curl/commit/a94973805df96269bf
 Patch: 0002-fix-cve-2024-9681.patch
+# https://github.com/curl/curl/commit/17d302e56221f5040092db77d4f85086e8a20e0e
+Patch: 1000-fix-CVE-2024-2004.patch
+# https://github.com/curl/curl/commit/2b0994c29a721c91c572cff7808c572a24d251eb
+Patch: 1001-fix-CVE-2023-46218.patch
+# https://github.com/curl/curl/commit/73b65e94f3531179de45c6f3c836a610e3d0a846
+Patch: 1002-fix-CVE-2023-46219.patch
 # The test-suite runs automatically through valgrind if valgrind is available
 # on the system. By not installing valgrind into mock's chroot, we disable
@@ -105,7 +111,7 @@ Summary: A library for getting files from web servers
 Requires: libpsl >= %{installed_version_of libpsl}
 Requires: libssh >= %{installed_version_of libssh}
 Requires: openssl-libs >= %{installed_version_of openssl-libs}
-Provides: libcurl-full = %{epoch}:%{version}-%{release}
+Provides: libcurl-full = %{EVR}
 Requires: libnghttp2 >= %{installed_version_of libnghttp2}
 %description -n libcurl
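Review bot: In the lib/fopen.c patch, Curl_fopen now runs `dir = dirslash(filename); if(!dir) goto fail;` before `*fh = fopen(...)`, so that failure path returns with `*fh` never assigned and with `result` still CURLE_WRITE_ERROR, although dirslash() returns NULL only when Curl_dyn_addn fails. I would set `*fh = NULL;` next to `*tempname = NULL;` and give the failure a more specific code, e.g. `if(!dir) { result = CURLE_OUT_OF_MEMORY; goto fail; }`. Separately, for a file directly under the root, dirslash() appears to strip the only separator, ending with n at 0 and returning `""`, so the temp file would be created relative to the working directory; a guard or at least a comment for that case would help. The fail label's body starts outside the hunk.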
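Review bot: The comment above `Patch: 1000-fix-CVE-2024-2004.patch` names upstream commit 17d302e56221f5040092db77d4f85086e8a20e0e, but the patch file added in this change is headed `From 10cd800b3b45e83ed94d563d0f6208a2f9c67204` with a local author and the subject "fix CVE-2024-2004". Unlike 1001 and 1002, it cannot be matched to upstream from its own header. I would keep the upstream subject and hash in that patch's header, or extend the spec comment with a line such as `# backported from the commit above, lib/setopt.c only`, so a later reviewer can diff the backport against the original.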
@@ -118,9 +124,9 @@ resume, http proxy tunneling and more.
 %package -n libcurl-devel
 Summary: Files needed for building applications with libcurl
-Requires: libcurl = %{epoch}:%{version}-%{release}
+Requires: libcurl = %{EVR}
-Provides: curl-devel = %{epoch}:%{version}-%{release}
+Provides: curl-devel = %{EVR}
 Obsoletes: curl-devel < %{version}-%{release}
 %description -n libcurl-devel
@@ -130,7 +136,7 @@ documentation of the library, too.
 %package -n curl-minimal
 Summary: Conservatively configured build of curl for minimal installations
-Provides: curl = %{epoch}:%{version}-%{release}
+Provides: curl = %{EVR}
 Conflicts: curl
 RemovePathPostfixes: .minimal
@@ -146,7 +152,7 @@ be installed.
 %package -n libcurl-minimal
 Summary: Conservatively configured build of libcurl for minimal installations
 Requires: openssl-libs >= %{installed_version_of openssl-libs}
-Provides: libcurl = %{epoch}:%{version}-%{release}
+Provides: libcurl = %{EVR}
 Conflicts: libcurl
 RemovePathPostfixes: .minimal
 # needed for RemovePathPostfixes to work with shared libraries
@@ -160,7 +166,7 @@ be installed.
 %package doc
 Summary: Doc files for curl
-Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: %{name} = %{EVR}
 BuildArch: noarch
 %description doc
@@ -369,6 +375,10 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
 %doc docs/TheArtOfHttpScripting.md
 %changelog
+* Tue Aug 13 2024 mgb01105731 - 8.4.0-6
+- cherry-pick fix CVE-2024-2004 and add Epoch for requires and provides
+- Fix CVE-2023-46218 and CVE-2023-46219
+
 * Wed Jan 15 2025 Kaiqiang Wang - 8.4.0-5
 - fix CVE-2024-9681
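Review bot: The new %changelog entry for 8.4.0-6 is dated Tue Aug 13 2024 but sits above the Wed Jan 15 2025 entry for 8.4.0-5, so the entries are no longer in descending date order, which rpm checks when it parses the changelog and may reject. The entry should carry the date of the 8.4.0-6 build. Its text "add Epoch for requires and provides" also does not match the diff, where the dependency lines already carried `%{epoch}:` and are only rewritten to `%{EVR}`; something like `- use %{EVR} in versioned Requires/Provides` would describe the change.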