diff --git a/backport-CVE-2023-27533.patch b/backport-CVE-2023-27533.patch new file mode 100644 index 0000000000000000000000000000000000000000..035916c7bc7daca3a6ebdd89c6cfc9428ed94218 --- /dev/null +++ b/backport-CVE-2023-27533.patch @@ -0,0 +1,52 @@ +From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 6 Mar 2023 12:07:33 +0100 +Subject: [PATCH] telnet: only accept option arguments in ascii + +To avoid embedded telnet negotiation commands etc. + +Reported-by: Harry Sintonen +Closes #10728 +--- + lib/telnet.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *d + } + } + ++static bool str_is_nonascii(const char *str) ++{ ++ size_t len = strlen(str); ++ while(len--) { ++ if(*str & 0x80) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + static CURLcode check_telnet_options(struct Curl_easy *data) + { + struct curl_slist *head; +@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(str + /* Add the user name as an environment variable if it + was given on the command line */ + if(data->state.aptr.user) { ++ if(str_is_nonascii(data->conn->user)) ++ return CURLE_BAD_FUNCTION_ARGUMENT; + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { +@@ -799,6 +812,9 @@ static CURLcode check_telnet_options(str + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", + option_keyword, option_arg) == 2) { + ++ if(str_is_nonascii(option_arg)) ++ continue; ++ + /* Terminal type */ + if(strcasecompare(option_keyword, "TTYPE")) { + strncpy(tn->subopt_ttype, option_arg, 31); diff --git a/backport-CVE-2023-27534.patch b/backport-CVE-2023-27534.patch new file mode 100644 index 0000000000000000000000000000000000000000..ece7791de6b8a0576656412cb3ef4bf8299ef9b8 --- /dev/null +++ b/backport-CVE-2023-27534.patch @@ -0,0 +1,120 @@ +From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 16:22:11 +0100 +Subject: [PATCH] curl_path: create the new path with dynbuf + +Closes #10729 +--- + lib/curl_path.c | 75 +++++++++++++++++++++++-------------------------- + 1 file changed, 35 insertions(+), 40 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 2df8687a557ba..977e5336f552c 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -32,70 +32,65 @@ + #include "escape.h" + #include "memdebug.h" + ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */ ++ + /* figure out the path to work with in this particular request */ + CURLcode Curl_getworkingpath(struct Curl_easy *data, + char *homedir, /* when SFTP is used */ + char **path) /* returns the allocated + real path to work with */ + { +- char *real_path = NULL; + char *working_path; + size_t working_path_len; ++ struct dynbuf npath; + CURLcode result = + Curl_urldecode(data->state.up.path, 0, &working_path, + &working_path_len, REJECT_ZERO); + if(result) + return result; + ++ /* new path to switch to in case we need to */ ++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); ++ + /* Check for /~/, indicating relative to the user's home directory */ +- if(data->conn->handler->protocol & CURLPROTO_SCP) { +- real_path = malloc(working_path_len + 1); +- if(!real_path) { ++ if((data->conn->handler->protocol & CURLPROTO_SCP) && ++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { ++ /* It is referenced to the home directory, so strip the leading '/~/' */ ++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { + free(working_path); + return CURLE_OUT_OF_MEMORY; + } +- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) +- /* It is referenced to the home directory, so strip the leading '/~/' */ +- memcpy(real_path, working_path + 3, working_path_len - 2); +- else +- memcpy(real_path, working_path, 1 + working_path_len); + } +- else if(data->conn->handler->protocol & CURLPROTO_SFTP) { +- if((working_path_len > 1) && (working_path[1] == '~')) { +- size_t homelen = strlen(homedir); +- real_path = malloc(homelen + working_path_len + 1); +- if(!real_path) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- /* It is referenced to the home directory, so strip the +- leading '/' */ +- memcpy(real_path, homedir, homelen); +- /* Only add a trailing '/' if homedir does not end with one */ +- if(homelen == 0 || real_path[homelen - 1] != '/') { +- real_path[homelen] = '/'; +- homelen++; +- real_path[homelen] = '\0'; +- } +- if(working_path_len > 3) { +- memcpy(real_path + homelen, working_path + 3, +- 1 + working_path_len -3); +- } ++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && ++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { ++ size_t len; ++ const char *p; ++ int copyfrom = 3; ++ if(Curl_dyn_add(&npath, homedir)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } +- else { +- real_path = malloc(working_path_len + 1); +- if(!real_path) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- memcpy(real_path, working_path, 1 + working_path_len); ++ /* Copy a separating '/' if homedir does not end with one */ ++ len = Curl_dyn_len(&npath); ++ p = Curl_dyn_ptr(&npath); ++ if(len && (p[len-1] != '/')) ++ copyfrom = 2; ++ ++ if(Curl_dyn_addn(&npath, ++ &working_path[copyfrom], working_path_len - copyfrom)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } + } + +- free(working_path); ++ if(Curl_dyn_len(&npath)) { ++ free(working_path); + +- /* store the pointer for the caller to receive */ +- *path = real_path; ++ /* store the pointer for the caller to receive */ ++ *path = Curl_dyn_ptr(&npath); ++ } ++ else ++ *path = working_path; + + return CURLE_OK; + } diff --git a/backport-CVE-2023-27535.patch b/backport-CVE-2023-27535.patch new file mode 100644 index 0000000000000000000000000000000000000000..54e669db85b2e8a4171ac2ed19a91779233077c1 --- /dev/null +++ b/backport-CVE-2023-27535.patch @@ -0,0 +1,151 @@ +From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 17:47:06 +0100 +Subject: [PATCH] ftp: add more conditions for connection reuse + +Reported-by: Harry Sintonen +Closes #10730 +--- + lib/ftp.c | 28 ++++++++++++++++++++++++++-- + lib/ftp.h | 5 +++++ + lib/setopt.c | 2 +- + lib/url.c | 17 +++++++++++++++-- + lib/urldata.h | 4 ++-- + 5 files changed, 49 insertions(+), 7 deletions(-) + +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -4052,6 +4052,8 @@ static CURLcode ftp_disconnect(struct Cu + } + + freedirs(ftpc); ++ Curl_safefree(ftpc->account); ++ Curl_safefree(ftpc->alternative_to_user); + Curl_safefree(ftpc->prevpath); + Curl_safefree(ftpc->server_os); + Curl_pp_disconnect(pp); +@@ -4321,11 +4323,31 @@ static CURLcode ftp_setup_connection(str + char *type; + struct FTP *ftp; + CURLcode result = CURLE_OK; ++ struct ftp_conn *ftpc = &conn->proto.ftpc; + +- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); ++ ftp = calloc(sizeof(struct FTP), 1); + if(!ftp) + return CURLE_OUT_OF_MEMORY; + ++ /* clone connection related data that is FTP specific */ ++ if(data->set.str[STRING_FTP_ACCOUNT]) { ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); ++ if(!ftpc->account) { ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { ++ ftpc->alternative_to_user = ++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); ++ if(!ftpc->alternative_to_user) { ++ Curl_safefree(ftpc->account); ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ data->req.p.ftp = ftp; ++ + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ + + /* FTP URLs support an extension like ";type=" that +@@ -4360,7 +4382,9 @@ static CURLcode ftp_setup_connection(str + /* get some initial data into the ftp struct */ + ftp->transfer = PPTRANSFER_BODY; + ftp->downloadsize = 0; +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ ++ ftpc->known_filesize = -1; /* unknown size for now */ ++ ftpc->use_ssl = data->set.use_ssl; ++ ftpc->ccc = data->set.ftp_ccc; + + return result; + } +--- a/lib/ftp.h ++++ b/lib/ftp.h +@@ -120,6 +120,8 @@ struct FTP { + struct */ + struct ftp_conn { + struct pingpong pp; ++ char *account; ++ char *alternative_to_user; + char *entrypath; /* the PWD reply when we logged on */ + char *file; /* url-decoded file name (or path) */ + char **dirs; /* realloc()ed array for path components */ +@@ -143,6 +145,9 @@ struct ftp_conn { + ftpstate state; /* always use ftp.c:state() to change state! */ + ftpstate state_saved; /* transfer type saved to be reloaded after data + connection is established */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ ++ unsigned char ccc; /* ccc level for this connection */ + BIT(ftp_trying_alternative); + BIT(dont_check); /* Set to TRUE to prevent the final (post-transfer) + file size and 226/250 status check. It should still +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2369,7 +2369,7 @@ CURLcode Curl_vsetopt(struct Curl_easy * + arg = va_arg(param, long); + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) + return CURLE_BAD_FUNCTION_ARGUMENT; +- data->set.use_ssl = (curl_usessl)arg; ++ data->set.use_ssl = (unsigned char)arg; + break; + + case CURLOPT_SSL_OPTIONS: +--- a/lib/url.c ++++ b/lib/url.c +@@ -1299,11 +1299,24 @@ ConnectionExists(struct Curl_easy *data, + || ((check->httpversion >= 30) && + (data->state.httpwant < CURL_HTTP_VERSION_3)))) + continue; +- +- if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { ++#ifdef USE_SSH ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } ++#endif ++#ifndef CURL_DISABLE_FTP ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) { ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ ++ if(Curl_timestrcmp(needle->proto.ftpc.account, ++ check->proto.ftpc.account) || ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, ++ check->proto.ftpc.alternative_to_user) || ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) ++ continue; ++ } ++#endif + + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1713,8 +1713,6 @@ struct UserDefined { + #ifndef CURL_DISABLE_NETRC + unsigned char use_netrc; /* enum CURL_NETRC_OPTION values */ + #endif +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or +- IMAP or POP3 or others! */ + unsigned int new_file_perms; /* when creating remote files */ + char *str[STRING_LAST]; /* array of strings, pointing to allocated memory */ + struct curl_blob *blobs[BLOB_LAST]; +@@ -1773,6 +1771,8 @@ struct UserDefined { + BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some + recipients */ + #endif ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ + unsigned char connect_only; /* make connection/request, then let + application use the socket */ + BIT(is_fread_set); /* has read callback been set to non-NULL? */ diff --git a/backport-CVE-2023-27536.patch b/backport-CVE-2023-27536.patch new file mode 100644 index 0000000000000000000000000000000000000000..3d626fe9a99660c767b318b6dca844c3d07c9355 --- /dev/null +++ b/backport-CVE-2023-27536.patch @@ -0,0 +1,44 @@ +From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Reported-by: Harry Sintonen +Closes #10731 +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +--- a/lib/url.c ++++ b/lib/url.c +@@ -1291,6 +1291,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + /* If multiplexing isn't enabled on the h2 connection and h1 is + explicitly requested, handle it: */ + if((needle->handler->protocol & PROTO_FAMILY_HTTP) && +@@ -1602,6 +1607,7 @@ static struct connectdata *allocate_conn + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1057,6 +1057,7 @@ struct connectdata { + unsigned char ip_version; /* copied from the Curl_easy at creation time */ + unsigned char httpversion; /* the HTTP version*10 reported by the server */ + unsigned char connect_only; ++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */ + }; + + /* The end of connectdata. */ diff --git a/backport-CVE-2023-27537.patch b/backport-CVE-2023-27537.patch new file mode 100644 index 0000000000000000000000000000000000000000..1cffe2507d7a8661db0cd040fd67f52245f3b52e --- /dev/null +++ b/backport-CVE-2023-27537.patch @@ -0,0 +1,32 @@ +From dca4cdf071be095bcdc7126eaa77a8946ea4790b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 18:01:34 +0100 +Subject: [PATCH] CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe + +Reported-by: Hiroki Kurosawa +Closes #10732 +--- + docs/libcurl/opts/CURLSHOPT_SHARE.3 | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/docs/libcurl/opts/CURLSHOPT_SHARE.3 ++++ b/docs/libcurl/opts/CURLSHOPT_SHARE.3 +@@ -57,8 +57,7 @@ implemented until 7.23.0. + Put the connection cache in the share object and make all easy handles using + this share object share the connection cache. + +-Note that due to a known bug, it is not safe to share connections this way +-between multiple concurrent threads. ++It is not supported to share connections between multiple concurrent threads. + + Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing only + get additional transfers added to them if the existing connection is held by +@@ -82,6 +81,8 @@ multi handle will share PSL cache by def + .IP CURL_LOCK_DATA_HSTS + The in-memory HSTS cache. + ++It is not supported to share the HSTS between multiple concurrent threads. ++ + Added in 7.88.0 + .SH PROTOCOLS + All diff --git a/backport-CVE-2023-27538.patch b/backport-CVE-2023-27538.patch new file mode 100644 index 0000000000000000000000000000000000000000..bfa2f59604a07589a93df2f99368090e9db7a1d4 --- /dev/null +++ b/backport-CVE-2023-27538.patch @@ -0,0 +1,22 @@ +From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 08:22:51 +0100 +Subject: [PATCH] url: fix the SSH connection reuse check + +Reported-by: Harry Sintonen +Closes #10735 +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/url.c ++++ b/lib/url.c +@@ -1300,7 +1300,7 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_3)))) + continue; + +- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } diff --git a/curl.spec b/curl.spec index 7e586446add0b6abdee034ac56a161dbe1f82665..832042b7b0b051d4144e8dbfc41cd2f8437a9ff7 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 7.88.1 -Release: 1 +Release: 2 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ @@ -16,6 +16,12 @@ Patch1: backport-0101-curl-7.32.0-multilib.patch Patch2: backport-curl-7.84.0-test3026.patch Patch3: backport-curl-7.87.0-test3012.patch Patch4: backport-curl-7.88.0-tests-warnings.patch +Patch5: backport-CVE-2023-27533.patch +Patch6: backport-CVE-2023-27534.patch +Patch7: backport-CVE-2023-27538.patch +Patch8: backport-CVE-2023-27535.patch +Patch9: backport-CVE-2023-27536.patch +Patch10: backport-CVE-2023-27537.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel @@ -206,6 +212,13 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Wed Mar 22 2023 zengwefeng - 7.88.1-2 +- Type:cves +- ID:CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27537 CVE-2023-27538 +- SUG:NA +- DESC:fix CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27537 CVE-2023-27538 + + * Thu Mar 02 2023 xinghe - 7.88.1-1 - Type:requirements - ID:NA