diff --git a/backport-CVE-2023-28321.patch b/backport-CVE-2023-28321.patch new file mode 100644 index 0000000000000000000000000000000000000000..8f1b9548c826dfe5662de3baefa98845a52022c7 --- /dev/null +++ b/backport-CVE-2023-28321.patch @@ -0,0 +1,172 @@ +From 97fe40da79ac0d28d13a68f2c8181d18b8ff0ef8 Mon Sep 17 00:00:00 2001 +From: s00423892 +Date: Fri, 19 May 2023 18:02:52 +0800 +Subject: [PATCH] [Backport]curl:fix CVE-2023-28321 + +Conflict:The hostmatch function does not have the hostlen and patternlen parameters. +However, the two parameters are the lengths of the existing input parameters host and pattern, +which can be generated. +Reference:https://github.com/curl/curl/commit/199f2d440d8659b42 + +Signed-off-by: shichenchen shichenchen@huawei.com +--- + lib/hostcheck.c | 104 +++++++++++++++++++++++++----------------------- + 1 file changed, 55 insertions(+), 49 deletions(-) + +diff --git a/lib/hostcheck.c b/lib/hostcheck.c +index cf267a7..e055958 100644 +--- a/lib/hostcheck.c ++++ b/lib/hostcheck.c +@@ -33,6 +33,7 @@ + #ifdef HAVE_NETINET_IN6_H + #include + #endif ++#include "curl_memrchr.h" + + #include "hostcheck.h" + #include "strcase.h" +@@ -42,13 +43,23 @@ + /* The last #include file should be: */ + #include "memdebug.h" + ++/* check the two input strings with given length, but do not ++ assume they end in nul-bytes */ ++static bool pmatch(const char *hostname, size_t hostlen, ++ const char *pattern, size_t patternlen) ++{ ++ if(hostlen != patternlen) ++ return FALSE; ++ return strncasecompare(hostname, pattern, hostlen); ++} ++ + /* + * Match a hostname against a wildcard pattern. + * E.g. + * "foo.host.com" matches "*.host.com". + * + * We use the matching rule described in RFC6125, section 6.4.3. +- * https://tools.ietf.org/html/rfc6125#section-6.4.3 ++ * https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3 + * + * In addition: ignore trailing dots in the host names and wildcards, so that + * the names are used normalized. This is what the browsers do. +@@ -58,65 +69,58 @@ + * apparent distinction between a name and an IP. We need to detect the use of + * an IP address and not wildcard match on such names. + * +- * NOTE: hostmatch() gets called with copied buffers so that it can modify the +- * contents at will. ++ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor ++ * "*b". ++ * ++ * Return TRUE on a match. FALSE if not. ++ * ++ * @unittest: 1397 + */ + +-static int hostmatch(char *hostname, char *pattern) ++static bool hostmatch(const char *hostname, ++ size_t hostlen, ++ const char *pattern, ++ size_t patternlen) + { +- const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; +- int wildcard_enabled; +- size_t prefixlen, suffixlen; ++ const char *pattern_label_end; ++ ++ DEBUGASSERT(pattern); ++ DEBUGASSERT(patternlen); ++ DEBUGASSERT(hostname); ++ DEBUGASSERT(hostlen); + + /* normalize pattern and hostname by stripping off trailing dots */ +- size_t len = strlen(hostname); +- if(hostname[len-1]=='.') +- hostname[len-1] = 0; +- len = strlen(pattern); +- if(pattern[len-1]=='.') +- pattern[len-1] = 0; +- +- pattern_wildcard = strchr(pattern, '*'); +- if(!pattern_wildcard) +- return strcasecompare(pattern, hostname) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; ++ if(hostname[hostlen-1]=='.') ++ hostlen--; ++ if(pattern[patternlen-1]=='.') ++ patternlen--; ++ ++ if(strncmp(pattern, "*.", 2)) ++ return pmatch(hostname, hostlen, pattern, patternlen); + + /* detect IP address as hostname and fail the match if so */ +- if(Curl_host_is_ipnum(hostname)) +- return CURL_HOST_NOMATCH; ++ else if(Curl_host_is_ipnum(hostname)) ++ return FALSE; + +- /* We require at least 2 dots in pattern to avoid too wide wildcard ++ /* We require at least 2 dots in the pattern to avoid too wide wildcard + match. */ +- wildcard_enabled = 1; +- pattern_label_end = strchr(pattern, '.'); +- if(!pattern_label_end || strchr(pattern_label_end + 1, '.') == NULL || +- pattern_wildcard > pattern_label_end || +- strncasecompare(pattern, "xn--", 4)) { +- wildcard_enabled = 0; ++ pattern_label_end = memchr(pattern, '.', patternlen); ++ if(!pattern_label_end || ++ (memrchr(pattern, '.', patternlen) == pattern_label_end)) ++ return pmatch(hostname, hostlen, pattern, patternlen); ++ else { ++ const char *hostname_label_end = memchr(hostname, '.', hostlen); ++ if(hostname_label_end) { ++ size_t skiphost = hostname_label_end - hostname; ++ size_t skiplen = pattern_label_end - pattern; ++ return pmatch(hostname_label_end, hostlen - skiphost, ++ pattern_label_end, patternlen - skiplen); ++ } + } +- if(!wildcard_enabled) +- return strcasecompare(pattern, hostname) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; +- +- hostname_label_end = strchr(hostname, '.'); +- if(!hostname_label_end || +- !strcasecompare(pattern_label_end, hostname_label_end)) +- return CURL_HOST_NOMATCH; +- +- /* The wildcard must match at least one character, so the left-most +- label of the hostname is at least as large as the left-most label +- of the pattern. */ +- if(hostname_label_end - hostname < pattern_label_end - pattern) +- return CURL_HOST_NOMATCH; +- +- prefixlen = pattern_wildcard - pattern; +- suffixlen = pattern_label_end - (pattern_wildcard + 1); +- return strncasecompare(pattern, hostname, prefixlen) && +- strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen, +- suffixlen) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; ++ return FALSE; + } + ++ + int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) + { + int res = 0; +@@ -128,7 +132,9 @@ int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) + if(matchp) { + char *hostp = strdup(hostname); + if(hostp) { +- if(hostmatch(hostp, matchp) == CURL_HOST_MATCH) ++ size_t hostlen = strlen(hostp); ++ size_t matchlen = strlen(matchp); ++ if(hostmatch(hostp, hostlen, matchp, matchlen) == TRUE) + res = 1; + free(hostp); + } +-- +2.27.0 + diff --git a/backport-CVE-2023-28322.patch b/backport-CVE-2023-28322.patch new file mode 100644 index 0000000000000000000000000000000000000000..5adf6ec34ba13b4a5c8f91698a227e74881456a7 --- /dev/null +++ b/backport-CVE-2023-28322.patch @@ -0,0 +1,428 @@ +From 7815647d6582c0a4900be2e1de6c5e61272c496b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 25 Apr 2023 08:28:01 +0200 +Subject: [PATCH] lib: unify the upload/method handling + +By making sure we set state.upload based on the set.method value and not +independently as set.upload, we reduce confusion and mixup risks, both +internally and externally. + +Closes #11017 + +Conflict:Context adaptation and delete modifications for code which not exit +Reference:https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de +--- + lib/curl_rtmp.c | 4 ++-- + lib/file.c | 4 ++-- + lib/ftp.c | 8 ++++---- + lib/http.c | 4 ++-- + lib/imap.c | 6 +++--- + lib/rtsp.c | 4 ++-- + lib/setopt.c | 6 ++---- + lib/smb.c | 4 ++-- + lib/smtp.c | 4 ++-- + lib/tftp.c | 8 ++++---- + lib/transfer.c | 4 ++-- + lib/urldata.h | 2 +- + lib/vssh/libssh.c | 6 +++--- + lib/vssh/libssh2.c | 6 +++--- + lib/vssh/wolfssh.c | 2 +- + 15 files changed, 35 insertions(+), 37 deletions(-) + +diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c +index 2fa0267..c42c07e 100644 +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -229,7 +229,7 @@ static CURLcode rtmp_connect(struct Curl_easy *data, bool *done) + /* We have to know if it's a write before we send the + * connect request packet + */ +- if(data->set.upload) ++ if(data->state.upload) + r->Link.protocol |= RTMP_FEATURE_WRITE; + + /* For plain streams, use the buffer toggle trick to keep data flowing */ +@@ -261,7 +261,7 @@ static CURLcode rtmp_do(struct Curl_easy *data, bool *done) + if(!RTMP_ConnectStream(r, 0)) + return CURLE_FAILED_INIT; + +- if(data->set.upload) { ++ if(data->state.upload) { + Curl_pgrsSetUploadSize(data, data->state.infilesize); + Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET); + } +diff --git a/lib/file.c b/lib/file.c +index 0420db3..f15fe71 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -200,7 +200,7 @@ static CURLcode file_connect(struct Curl_easy *data, bool *done) + file->freepath = real_path; /* free this when done */ + + file->fd = fd; +- if(!data->set.upload && (fd == -1)) { ++ if(!data->state.upload && (fd == -1)) { + failf(data, "Couldn't open file %s", data->state.up.path); + file_done(data, CURLE_FILE_COULDNT_READ_FILE, FALSE); + return CURLE_FILE_COULDNT_READ_FILE; +@@ -382,7 +382,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done) + + Curl_pgrsStartNow(data); + +- if(data->set.upload) ++ if(data->state.upload) + return file_upload(data); + + file = data->req.p.file; +diff --git a/lib/ftp.c b/lib/ftp.c +index f2f6852..6b9cd22 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1381,7 +1381,7 @@ static CURLcode ftp_state_prepare_transfer(struct Curl_easy *data) + data->set.str[STRING_CUSTOMREQUEST]? + data->set.str[STRING_CUSTOMREQUEST]: + (data->state.list_only?"NLST":"LIST")); +- else if(data->set.upload) ++ else if(data->state.upload) + result = Curl_pp_sendf(data, &ftpc->pp, "PRET STOR %s", + conn->proto.ftpc.file); + else +@@ -3371,7 +3371,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status, + /* the response code from the transfer showed an error already so no + use checking further */ + ; +- else if(data->set.upload) { ++ else if(data->state.upload) { + if((-1 != data->state.infilesize) && + (data->state.infilesize != data->req.writebytecount) && + !data->set.crlf && +@@ -3643,7 +3643,7 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep) + connected back to us */ + } + } +- else if(data->set.upload) { ++ else if(data->state.upload) { + result = ftp_nb_type(data, conn, data->state.prefer_ascii, + FTP_STOR_TYPE); + if(result) +@@ -4225,7 +4225,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) + ftpc->file = NULL; /* instead of point to a zero byte, + we make it a NULL pointer */ + +- if(data->set.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { ++ if(data->state.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { + /* We need a file name when uploading. Return error! */ + failf(data, "Uploading to a URL without a file name!"); + free(rawPath); +diff --git a/lib/http.c b/lib/http.c +index 9ac77a0..e5a3eb0 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2037,7 +2037,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn, + Curl_HttpReq httpreq = data->state.httpreq; + const char *request; + if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && +- data->set.upload) ++ data->state.upload) + httpreq = HTTPREQ_PUT; + + /* Now set the 'request' pointer to the proper request string */ +@@ -2353,7 +2353,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn, + if((conn->handler->protocol & PROTO_FAMILY_HTTP) && + (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) && + http->postsize < 0) || +- ((data->set.upload || httpreq == HTTPREQ_POST) && ++ ((data->state.upload || httpreq == HTTPREQ_POST) && + data->state.infilesize == -1))) { + if(conn->bits.authneg) + /* don't enable chunked during auth neg */ +diff --git a/lib/imap.c b/lib/imap.c +index 6163899..5e3bb14 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1490,11 +1490,11 @@ static CURLcode imap_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && !imap->custom && +- (imap->uid || imap->mindex || data->set.upload || ++ (imap->uid || imap->mindex || data->state.upload || + data->set.mimepost.kind != MIMEKIND_NONE)) { + /* Handle responses after FETCH or APPEND transfer has finished */ + +- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE) ++ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE) + state(data, IMAP_FETCH_FINAL); + else { + /* End the APPEND command first by sending an empty line */ +@@ -1560,7 +1560,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected, + selected = TRUE; + + /* Start the first command in the DO phase */ +- if(data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE) ++ if(data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE) + /* APPEND can be executed directly */ + result = imap_perform_append(data); + else if(imap->custom && (selected || !imap->mailbox)) +diff --git a/lib/rtsp.c b/lib/rtsp.c +index 30fefb9..fd902bf 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -508,7 +508,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + rtspreq == RTSPREQ_SET_PARAMETER || + rtspreq == RTSPREQ_GET_PARAMETER) { + +- if(data->set.upload) { ++ if(data->state.upload) { + putsize = data->state.infilesize; + data->state.httpreq = HTTPREQ_PUT; + +@@ -527,7 +527,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + result = + Curl_dyn_addf(&req_buffer, + "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n", +- (data->set.upload ? putsize : postsize)); ++ (data->state.upload ? putsize : postsize)); + if(result) + return result; + } +diff --git a/lib/setopt.c b/lib/setopt.c +index e47c415..ebfa539 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -299,8 +299,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + * We want to sent data to the remote host. If this is HTTP, that equals + * using the PUT request. + */ +- data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE; +- if(data->set.upload) { ++ arg = va_arg(param, long); ++ if(arg) { + /* If this is HTTP, PUT is what's needed to "upload" */ + data->set.method = HTTPREQ_PUT; + data->set.opt_no_body = FALSE; /* this is implied */ +@@ -630,7 +630,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: +@@ -878,7 +877,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + */ + if(va_arg(param, long)) { + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; /* switch off upload */ + data->set.opt_no_body = FALSE; /* this is implied */ + } + break; +diff --git a/lib/smb.c b/lib/smb.c +index 1c458a3..d3b6e7c 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -534,7 +534,7 @@ static CURLcode smb_send_open(struct Curl_easy *data) + byte_count = strlen(req->path); + msg.name_length = smb_swap16((unsigned short)byte_count); + msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL); +- if(data->set.upload) { ++ if(data->state.upload) { + msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE); + msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF); + } +@@ -813,7 +813,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + smb_m = (const struct smb_nt_create_response*) msg; + req->fid = smb_swap16(smb_m->fid); + data->req.offset = 0; +- if(data->set.upload) { ++ if(data->state.upload) { + data->req.size = data->state.infilesize; + Curl_pgrsSetUploadSize(data, data->req.size); + next_state = SMB_UPLOAD; +diff --git a/lib/smtp.c b/lib/smtp.c +index 02ddaca..1ea0ab5 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1390,7 +1390,7 @@ static CURLcode smtp_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && data->set.mail_rcpt && +- (data->set.upload || data->set.mimepost.kind)) { ++ (data->state.upload || data->set.mimepost.kind)) { + /* Calculate the EOB taking into account any terminating CRLF from the + previous line of the email or the CRLF of the DATA command when there + is "no mail data". RFC-5321, sect. 4.1.1.4. +@@ -1483,7 +1483,7 @@ static CURLcode smtp_perform(struct Curl_easy *data, bool *connected, + smtp->eob = 2; + + /* Start the first command in the DO phase */ +- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt) ++ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt) + /* MAIL transfer */ + result = smtp_perform_mail(data); + else +diff --git a/lib/tftp.c b/lib/tftp.c +index aae997d..cf6189a 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -367,7 +367,7 @@ static CURLcode tftp_parse_option_ack(struct tftp_state_data *state, + + /* tsize should be ignored on upload: Who cares about the size of the + remote file? */ +- if(!data->set.upload) { ++ if(!data->state.upload) { + if(!tsize) { + failf(data, "invalid tsize -:%s:- value in OACK packet", value); + return CURLE_TFTP_ILLEGAL; +@@ -448,7 +448,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + return result; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + /* If we are uploading, send an WRQ */ + setpacketevent(&state->spacket, TFTP_EVENT_WRQ); + state->data->req.upload_fromhere = +@@ -483,7 +483,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + if(!data->set.tftp_no_options) { + char buf[64]; + /* add tsize option */ +- if(data->set.upload && (data->state.infilesize != -1)) ++ if(data->state.upload && (data->state.infilesize != -1)) + msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T, + data->state.infilesize); + else +@@ -537,7 +537,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + break; + + case TFTP_EVENT_OACK: +- if(data->set.upload) { ++ if(data->state.upload) { + result = tftp_connect_for_tx(state, event); + } + else { +diff --git a/lib/transfer.c b/lib/transfer.c +index 970ef35..9b5a7ed 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1391,6 +1391,7 @@ void Curl_init_CONNECT(struct Curl_easy *data) + { + data->state.fread_func = data->set.fread_func_set; + data->state.in = data->set.in_set; ++ data->state.upload = (data->state.httpreq == HTTPREQ_PUT); + } + + /* +@@ -1814,7 +1815,6 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->state.httpreq != HTTPREQ_POST_MIME) || + !(data->set.keep_post & CURL_REDIR_POST_303))) { + data->state.httpreq = HTTPREQ_GET; +- data->set.upload = false; + infof(data, "Switch to %s", + data->set.opt_no_body?"HEAD":"GET"); + } +@@ -1852,7 +1852,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url) + + /* if we're talking upload, we can't do the checks below, unless the protocol + is HTTP as when uploading over HTTP we will still get a response */ +- if(data->set.upload && ++ if(data->state.upload && + !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP))) + return CURLE_OK; + +diff --git a/lib/urldata.h b/lib/urldata.h +index 7852bd3..8b6e87b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1485,6 +1485,7 @@ struct UrlState { + BIT(url_alloc); /* URL string is malloc()'ed */ + BIT(referer_alloc); /* referer string is malloc()ed */ + BIT(wildcard_resolve); /* Set to true if any resolve change is a wildcard */ ++ BIT(upload); /* upload request */ + }; + + /* +@@ -1827,7 +1828,6 @@ struct UserDefined { + BIT(http_auto_referer); /* set "correct" referer when following + location: */ + BIT(opt_no_body); /* as set with CURLOPT_NOBODY */ +- BIT(upload); /* upload request */ + BIT(verbose); /* output verbosity */ + BIT(krb); /* Kerberos connection requested */ + BIT(reuse_forbid); /* forbidden to be reused, close after use */ +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 3e317e8..a871134 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -1198,7 +1198,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(protop->path[strlen(protop->path)-1] == '/') +@@ -1811,7 +1811,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */ + ssh_set_blocking(sshc->ssh_session, 1); + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -1916,7 +1916,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index a772f1f..c5b1bc6 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -1839,7 +1839,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sshp->path[strlen(sshp->path)-1] == '/') +@@ -2511,7 +2511,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -2651,7 +2651,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c +index 4b1e2ec..4ab21ae 100644 +--- a/lib/vssh/wolfssh.c ++++ b/lib/vssh/wolfssh.c +@@ -553,7 +553,7 @@ static CURLcode wssh_statemach_act(struct Curl_easy *data, bool *block) + } + break; + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/') +-- +2.33.0 + diff --git a/backport-curl-fix-CVE-2023-28321.patch b/backport-curl-fix-CVE-2023-28321.patch new file mode 100644 index 0000000000000000000000000000000000000000..8f1b9548c826dfe5662de3baefa98845a52022c7 --- /dev/null +++ b/backport-curl-fix-CVE-2023-28321.patch @@ -0,0 +1,172 @@ +From 97fe40da79ac0d28d13a68f2c8181d18b8ff0ef8 Mon Sep 17 00:00:00 2001 +From: s00423892 +Date: Fri, 19 May 2023 18:02:52 +0800 +Subject: [PATCH] [Backport]curl:fix CVE-2023-28321 + +Conflict:The hostmatch function does not have the hostlen and patternlen parameters. +However, the two parameters are the lengths of the existing input parameters host and pattern, +which can be generated. +Reference:https://github.com/curl/curl/commit/199f2d440d8659b42 + +Signed-off-by: shichenchen shichenchen@huawei.com +--- + lib/hostcheck.c | 104 +++++++++++++++++++++++++----------------------- + 1 file changed, 55 insertions(+), 49 deletions(-) + +diff --git a/lib/hostcheck.c b/lib/hostcheck.c +index cf267a7..e055958 100644 +--- a/lib/hostcheck.c ++++ b/lib/hostcheck.c +@@ -33,6 +33,7 @@ + #ifdef HAVE_NETINET_IN6_H + #include + #endif ++#include "curl_memrchr.h" + + #include "hostcheck.h" + #include "strcase.h" +@@ -42,13 +43,23 @@ + /* The last #include file should be: */ + #include "memdebug.h" + ++/* check the two input strings with given length, but do not ++ assume they end in nul-bytes */ ++static bool pmatch(const char *hostname, size_t hostlen, ++ const char *pattern, size_t patternlen) ++{ ++ if(hostlen != patternlen) ++ return FALSE; ++ return strncasecompare(hostname, pattern, hostlen); ++} ++ + /* + * Match a hostname against a wildcard pattern. + * E.g. + * "foo.host.com" matches "*.host.com". + * + * We use the matching rule described in RFC6125, section 6.4.3. +- * https://tools.ietf.org/html/rfc6125#section-6.4.3 ++ * https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3 + * + * In addition: ignore trailing dots in the host names and wildcards, so that + * the names are used normalized. This is what the browsers do. +@@ -58,65 +69,58 @@ + * apparent distinction between a name and an IP. We need to detect the use of + * an IP address and not wildcard match on such names. + * +- * NOTE: hostmatch() gets called with copied buffers so that it can modify the +- * contents at will. ++ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor ++ * "*b". ++ * ++ * Return TRUE on a match. FALSE if not. ++ * ++ * @unittest: 1397 + */ + +-static int hostmatch(char *hostname, char *pattern) ++static bool hostmatch(const char *hostname, ++ size_t hostlen, ++ const char *pattern, ++ size_t patternlen) + { +- const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; +- int wildcard_enabled; +- size_t prefixlen, suffixlen; ++ const char *pattern_label_end; ++ ++ DEBUGASSERT(pattern); ++ DEBUGASSERT(patternlen); ++ DEBUGASSERT(hostname); ++ DEBUGASSERT(hostlen); + + /* normalize pattern and hostname by stripping off trailing dots */ +- size_t len = strlen(hostname); +- if(hostname[len-1]=='.') +- hostname[len-1] = 0; +- len = strlen(pattern); +- if(pattern[len-1]=='.') +- pattern[len-1] = 0; +- +- pattern_wildcard = strchr(pattern, '*'); +- if(!pattern_wildcard) +- return strcasecompare(pattern, hostname) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; ++ if(hostname[hostlen-1]=='.') ++ hostlen--; ++ if(pattern[patternlen-1]=='.') ++ patternlen--; ++ ++ if(strncmp(pattern, "*.", 2)) ++ return pmatch(hostname, hostlen, pattern, patternlen); + + /* detect IP address as hostname and fail the match if so */ +- if(Curl_host_is_ipnum(hostname)) +- return CURL_HOST_NOMATCH; ++ else if(Curl_host_is_ipnum(hostname)) ++ return FALSE; + +- /* We require at least 2 dots in pattern to avoid too wide wildcard ++ /* We require at least 2 dots in the pattern to avoid too wide wildcard + match. */ +- wildcard_enabled = 1; +- pattern_label_end = strchr(pattern, '.'); +- if(!pattern_label_end || strchr(pattern_label_end + 1, '.') == NULL || +- pattern_wildcard > pattern_label_end || +- strncasecompare(pattern, "xn--", 4)) { +- wildcard_enabled = 0; ++ pattern_label_end = memchr(pattern, '.', patternlen); ++ if(!pattern_label_end || ++ (memrchr(pattern, '.', patternlen) == pattern_label_end)) ++ return pmatch(hostname, hostlen, pattern, patternlen); ++ else { ++ const char *hostname_label_end = memchr(hostname, '.', hostlen); ++ if(hostname_label_end) { ++ size_t skiphost = hostname_label_end - hostname; ++ size_t skiplen = pattern_label_end - pattern; ++ return pmatch(hostname_label_end, hostlen - skiphost, ++ pattern_label_end, patternlen - skiplen); ++ } + } +- if(!wildcard_enabled) +- return strcasecompare(pattern, hostname) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; +- +- hostname_label_end = strchr(hostname, '.'); +- if(!hostname_label_end || +- !strcasecompare(pattern_label_end, hostname_label_end)) +- return CURL_HOST_NOMATCH; +- +- /* The wildcard must match at least one character, so the left-most +- label of the hostname is at least as large as the left-most label +- of the pattern. */ +- if(hostname_label_end - hostname < pattern_label_end - pattern) +- return CURL_HOST_NOMATCH; +- +- prefixlen = pattern_wildcard - pattern; +- suffixlen = pattern_label_end - (pattern_wildcard + 1); +- return strncasecompare(pattern, hostname, prefixlen) && +- strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen, +- suffixlen) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; ++ return FALSE; + } + ++ + int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) + { + int res = 0; +@@ -128,7 +132,9 @@ int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) + if(matchp) { + char *hostp = strdup(hostname); + if(hostp) { +- if(hostmatch(hostp, matchp) == CURL_HOST_MATCH) ++ size_t hostlen = strlen(hostp); ++ size_t matchlen = strlen(matchp); ++ if(hostmatch(hostp, hostlen, matchp, matchlen) == TRUE) + res = 1; + free(hostp); + } +-- +2.27.0 + diff --git a/curl.spec b/curl.spec index c17b83d046eed6821ae3b782ca3993a94dc87893..b90971d52745582a49e28503dfaeca997ce6d049 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 7.79.1 -Release: 16 +Release: 17 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ @@ -48,6 +48,8 @@ Patch33: backport-CVE-2023-27535-pre1.patch Patch34: backport-CVE-2023-27536.patch Patch35: backport-CVE-2023-27535.patch Patch36: backport-after-CVE-2022-32207-to-fix-build-error-when-user-don-t-use-glibc.patch +Patch37: backport-CVE-2023-28321.patch +Patch38: backport-CVE-2023-28322.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel @@ -222,6 +224,13 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog + +* Tue May 23 2023 xingwei - 7.79.1-17 +- Type:CVE +- CVE:CVE-2023-28321,CVE-2023-28322 +- SUG:NA +- DESC:fix CVE-2023-28321,CVE-2023-28322 + * Wed Apr 19 2023 gaihuiying - 7.79.1-16 - Type:bugfix - CVE:NA