diff --git a/backport-CVE-2025-0167.patch b/backport-CVE-2025-0167.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4b3358446166ff1faaa2da1077493a5ee30da18b
--- /dev/null
+++ b/backport-CVE-2025-0167.patch
@@ -0,0 +1,170 @@
+From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 3 Jan 2025 16:22:27 +0100
+Subject: [PATCH] netrc: 'default' with no credentials is not a match
+
+Test 486 verifies.
+
+Reported-by: Yihang Zhou
+
+Closes #15908
+
+Conflict:context adapt
+Reference:https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e
+---
+ lib/netrc.c | 15 ++++--
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test486 | 105 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 116 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test486
+
+diff --git a/lib/netrc.c b/lib/netrc.c
+index b517c1dfab67..7ad81ece229f 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -316,11 +316,16 @@ static int parsenetrc(struct store_netrc *store,
+
+ out:
+ Curl_dyn_free(&token);
+- if(!retcode && !password && our_login) {
+- /* success without a password, set a blank one */
+- password = strdup("");
+- if(!password)
+- retcode = 1; /* out of memory */
++ if(!retcode) {
++ if(!password && our_login) {
++ /* success without a password, set a blank one */
++ password = strdup("");
++ if(!password)
++ retcode = 1; /* out of memory */
++ }
++ else if(!login && !password)
++ /* a default with no credentials */
++ retcode = NETRC_FILE_MISSING;
+ }
+ if(!retcode) {
+ /* success */
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 9ec101a7c74b..fc5e4cef5668 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -78,7 +78,7 @@ test426 test427 test428 test429 test430 test431 test432 test433 test434 \
+ test435 test436 test437 test438 test439 test440 test441 test442 test443 \
+ test444 test445 test446 test447 test448 test449 test450 test451 test452 \
+ test453 test454 test455 test456 test457 test458 \
+-test478 test479 test480 \
++test478 test479 test480 test486 \
+ \
+ test490 test491 test492 test493 test494 test495 test496 test497 test498 \
+ \
+diff --git a/tests/data/test486 b/tests/data/test486
+new file mode 100644
+index 000000000000..53efae597a1b
+--- /dev/null
++++ b/tests/data/test486
+@@ -0,0 +1,105 @@
++
++
++
++netrc
++HTTP
++
++
++#
++# Server-side
++
++
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++-foo-
++
++
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++
++
++
++HTTP/1.1 301 Follow this you fool
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Location: http://b.com/%TESTNUMBER0002
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 7
++Connection: close
++
++target
++
++
++
++#
++# Client-side
++
++
++http
++
++
++proxy
++
++
++.netrc with redirect and "default" with no password or login
++
++
++--netrc --netrc-file %LOGDIR/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
++
++
++
++machine a.com
++ login alice
++ password alicespassword
++
++default
++
++
++
++
++
++
++GET http://a.com/ HTTP/1.1
++Host: a.com
++Authorization: Basic %b64[alice:alicespassword]b64%
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://b.com/%TESTNUMBER0002 HTTP/1.1
++Host: b.com
++User-Agent: curl/%VERSION
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++
++
++
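Review bot: In the `out:` block of parsenetrc() (lib/netrc.c hunk of backport-CVE-2025-0167.patch), the new `else if(!login && !password)` is unbraced and has a comment between the condition and `retcode = NETRC_FILE_MISSING;`, so the one controlled statement is easy to misread or to break with a later insertion; brace it like the sibling branch. The comment `/* a default with no credentials */` says less than the test does, since nothing in these lines checks that the matched entry was `default`; something like `/* matched entry has neither login nor password: report no match */` describes the condition as written. The out-of-memory path two lines above still assigns the bare literal `1` while this branch uses a named constant defined outside the hunk, so it is worth confirming the two values differ, otherwise a caller cannot tell an allocation failure from a no-match. Test 486 exercises only the proxy redirect case with both fields absent. parsenetrc() begins and ends outside the hunk.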
diff --git a/backport-CVE-2025-0725.patch b/backport-CVE-2025-0725.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1d36d0808e2c88db83ea0fae06f9e8cd0c1ecaf7
--- /dev/null
+++ b/backport-CVE-2025-0725.patch
@@ -0,0 +1,324 @@
+From 76f83f0db23846e254d940ec7fe141010077eb88 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 24 Jan 2025 11:13:24 +0100
+Subject: [PATCH] content_encoding: drop support for zlib before 1.2.0.4
+
+zlib 1.2.0.4 was released on 10 August 2003
+
+Closes #16079
+
+Conflict:context adapt
+Reference:https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7
+---
+ docs/INTERNALS.md | 2 +-
+ lib/content_encoding.c | 232 ++---------------------------------------
+ 2 files changed, 8 insertions(+), 226 deletions(-)
+
+diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md
+index d7513a8..f8aba15 100644
+--- a/docs/INTERNALS.md
++++ b/docs/INTERNALS.md
+@@ -20,7 +20,7 @@ versions of libs and build tools.
+
+ - OpenSSL 0.9.7
+ - GnuTLS 3.1.10
+- - zlib 1.1.4
++ - zlib 1.2.0.4
+ - libssh2 1.0
+ - c-ares 1.16.0
+ - libidn2 2.0.0
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index be7c075..7fc418e 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -65,31 +65,13 @@
+
+ #define DSIZ CURL_MAX_WRITE_SIZE /* buffer size for decompressed data */
+
+-
+ #ifdef HAVE_LIBZ
+
+-/* Comment this out if zlib is always going to be at least ver. 1.2.0.4
+- (doing so will reduce code size slightly). */
+-#define OLD_ZLIB_SUPPORT 1
+-
+-#define GZIP_MAGIC_0 0x1f
+-#define GZIP_MAGIC_1 0x8b
+-
+-/* gzip flag byte */
+-#define ASCII_FLAG 0x01 /* bit 0 set: file probably ascii text */
+-#define HEAD_CRC 0x02 /* bit 1 set: header CRC present */
+-#define EXTRA_FIELD 0x04 /* bit 2 set: extra field present */
+-#define ORIG_NAME 0x08 /* bit 3 set: original file name present */
+-#define COMMENT 0x10 /* bit 4 set: file comment present */
+-#define RESERVED 0xE0 /* bits 5..7: reserved */
+-
+ typedef enum {
+ ZLIB_UNINIT, /* uninitialized */
+ ZLIB_INIT, /* initialized */
+ ZLIB_INFLATING, /* inflating started. */
+ ZLIB_EXTERNAL_TRAILER, /* reading external trailer */
+- ZLIB_GZIP_HEADER, /* reading gzip header */
+- ZLIB_GZIP_INFLATING, /* inflating gzip stream */
+ ZLIB_INIT_GZIP /* initialized in transparent gzip mode */
+ } zlibInitState;
+
+@@ -134,9 +116,6 @@ static CURLcode
+ exit_zlib(struct Curl_easy *data,
+ z_stream *z, zlibInitState *zlib_init, CURLcode result)
+ {
+- if(*zlib_init == ZLIB_GZIP_HEADER)
+- Curl_safefree(z->next_in);
+-
+ if(*zlib_init != ZLIB_UNINIT) {
+ if(inflateEnd(z) != Z_OK && result == CURLE_OK)
+ result = process_zlib_error(data, z);
+@@ -185,8 +164,7 @@ static CURLcode inflate_stream(struct Curl_easy *data,
+ /* Check state. */
+ if(zp->zlib_init != ZLIB_INIT &&
+ zp->zlib_init != ZLIB_INFLATING &&
+- zp->zlib_init != ZLIB_INIT_GZIP &&
+- zp->zlib_init != ZLIB_GZIP_INFLATING)
++ zp->zlib_init != ZLIB_INIT_GZIP)
+ return exit_zlib(data, z, &zp->zlib_init, CURLE_WRITE_ERROR);
+
+ /* Dynamically allocate a buffer for decompression because it's uncommonly
+@@ -333,114 +311,27 @@ static CURLcode gzip_init_writer(struct Curl_easy *data,
+ {
+ struct zlib_writer *zp = (struct zlib_writer *) writer;
+ z_stream *z = &zp->z; /* zlib state structure */
++ const char *v = zlibVersion();
+
+ /* Initialize zlib */
+ z->zalloc = (alloc_func) zalloc_cb;
+ z->zfree = (free_func) zfree_cb;
+
+- if(strcmp(zlibVersion(), "1.2.0.4") >= 0) {
+- /* zlib ver. >= 1.2.0.4 supports transparent gzip decompressing */
++ if(strcmp(v, "1.2.0.4") >= 0) {
++ /* zlib version >= 1.2.0.4 supports transparent gzip decompressing */
+ if(inflateInit2(z, MAX_WBITS + 32) != Z_OK) {
+ return process_zlib_error(data, z);
+ }
+ zp->zlib_init = ZLIB_INIT_GZIP; /* Transparent gzip decompress state */
+ }
+ else {
+- /* we must parse the gzip header and trailer ourselves */
+- if(inflateInit2(z, -MAX_WBITS) != Z_OK) {
+- return process_zlib_error(data, z);
+- }
+- zp->trailerlen = 8; /* A CRC-32 and a 32-bit input size (RFC 1952, 2.2) */
+- zp->zlib_init = ZLIB_INIT; /* Initial call state */
++ failf(data, "too old zlib version: %s", v);
++ return CURLE_FAILED_INIT;
+ }
+
+ return CURLE_OK;
+ }
+
+-#ifdef OLD_ZLIB_SUPPORT
+-/* Skip over the gzip header */
+-static enum {
+- GZIP_OK,
+- GZIP_BAD,
+- GZIP_UNDERFLOW
+-} check_gzip_header(unsigned char const *data, ssize_t len, ssize_t *headerlen)
+-{
+- int method, flags;
+- const ssize_t totallen = len;
+-
+- /* The shortest header is 10 bytes */
+- if(len < 10)
+- return GZIP_UNDERFLOW;
+-
+- if((data[0] != GZIP_MAGIC_0) || (data[1] != GZIP_MAGIC_1))
+- return GZIP_BAD;
+-
+- method = data[2];
+- flags = data[3];
+-
+- if(method != Z_DEFLATED || (flags & RESERVED) != 0) {
+- /* Can't handle this compression method or unknown flag */
+- return GZIP_BAD;
+- }
+-
+- /* Skip over time, xflags, OS code and all previous bytes */
+- len -= 10;
+- data += 10;
+-
+- if(flags & EXTRA_FIELD) {
+- ssize_t extra_len;
+-
+- if(len < 2)
+- return GZIP_UNDERFLOW;
+-
+- extra_len = (data[1] << 8) | data[0];
+-
+- if(len < (extra_len + 2))
+- return GZIP_UNDERFLOW;
+-
+- len -= (extra_len + 2);
+- data += (extra_len + 2);
+- }
+-
+- if(flags & ORIG_NAME) {
+- /* Skip over NUL-terminated file name */
+- while(len && *data) {
+- --len;
+- ++data;
+- }
+- if(!len || *data)
+- return GZIP_UNDERFLOW;
+-
+- /* Skip over the NUL */
+- --len;
+- ++data;
+- }
+-
+- if(flags & COMMENT) {
+- /* Skip over NUL-terminated comment */
+- while(len && *data) {
+- --len;
+- ++data;
+- }
+- if(!len || *data)
+- return GZIP_UNDERFLOW;
+-
+- /* Skip over the NUL */
+- --len;
+- }
+-
+- if(flags & HEAD_CRC) {
+- if(len < 2)
+- return GZIP_UNDERFLOW;
+-
+- len -= 2;
+- }
+-
+- *headerlen = totallen - len;
+- return GZIP_OK;
+-}
+-#endif
+-
+ static CURLcode gzip_unencode_write(struct Curl_easy *data,
+ struct contenc_writer *writer,
+ const char *buf, size_t nbytes)
+@@ -456,117 +347,8 @@ static CURLcode gzip_unencode_write(struct Curl_easy *data,
+ return inflate_stream(data, writer, ZLIB_INIT_GZIP);
+ }
+
+-#ifndef OLD_ZLIB_SUPPORT
+- /* Support for old zlib versions is compiled away and we are running with
+- an old version, so return an error. */
++ /* We are running with an old version: return error. */
+ return exit_zlib(data, z, &zp->zlib_init, CURLE_WRITE_ERROR);
+-
+-#else
+- /* This next mess is to get around the potential case where there isn't
+- * enough data passed in to skip over the gzip header. If that happens, we
+- * malloc a block and copy what we have then wait for the next call. If
+- * there still isn't enough (this is definitely a worst-case scenario), we
+- * make the block bigger, copy the next part in and keep waiting.
+- *
+- * This is only required with zlib versions < 1.2.0.4 as newer versions
+- * can handle the gzip header themselves.
+- */
+-
+- switch(zp->zlib_init) {
+- /* Skip over gzip header? */
+- case ZLIB_INIT:
+- {
+- /* Initial call state */
+- ssize_t hlen;
+-
+- switch(check_gzip_header((unsigned char *) buf, nbytes, &hlen)) {
+- case GZIP_OK:
+- z->next_in = (Bytef *) buf + hlen;
+- z->avail_in = (uInt) (nbytes - hlen);
+- zp->zlib_init = ZLIB_GZIP_INFLATING; /* Inflating stream state */
+- break;
+-
+- case GZIP_UNDERFLOW:
+- /* We need more data so we can find the end of the gzip header. It's
+- * possible that the memory block we malloc here will never be freed if
+- * the transfer abruptly aborts after this point. Since it's unlikely
+- * that circumstances will be right for this code path to be followed in
+- * the first place, and it's even more unlikely for a transfer to fail
+- * immediately afterwards, it should seldom be a problem.
+- */
+- z->avail_in = (uInt) nbytes;
+- z->next_in = malloc(z->avail_in);
+- if(!z->next_in) {
+- return exit_zlib(data, z, &zp->zlib_init, CURLE_OUT_OF_MEMORY);
+- }
+- memcpy(z->next_in, buf, z->avail_in);
+- zp->zlib_init = ZLIB_GZIP_HEADER; /* Need more gzip header data state */
+- /* We don't have any data to inflate yet */
+- return CURLE_OK;
+-
+- case GZIP_BAD:
+- default:
+- return exit_zlib(data, z, &zp->zlib_init, process_zlib_error(data, z));
+- }
+-
+- }
+- break;
+-
+- case ZLIB_GZIP_HEADER:
+- {
+- /* Need more gzip header data state */
+- ssize_t hlen;
+- z->avail_in += (uInt) nbytes;
+- z->next_in = Curl_saferealloc(z->next_in, z->avail_in);
+- if(!z->next_in) {
+- return exit_zlib(data, z, &zp->zlib_init, CURLE_OUT_OF_MEMORY);
+- }
+- /* Append the new block of data to the previous one */
+- memcpy(z->next_in + z->avail_in - nbytes, buf, nbytes);
+-
+- switch(check_gzip_header(z->next_in, z->avail_in, &hlen)) {
+- case GZIP_OK:
+- /* This is the zlib stream data */
+- free(z->next_in);
+- /* Don't point into the malloced block since we just freed it */
+- z->next_in = (Bytef *) buf + hlen + nbytes - z->avail_in;
+- z->avail_in = (uInt) (z->avail_in - hlen);
+- zp->zlib_init = ZLIB_GZIP_INFLATING; /* Inflating stream state */
+- break;
+-
+- case GZIP_UNDERFLOW:
+- /* We still don't have any data to inflate! */
+- return CURLE_OK;
+-
+- case GZIP_BAD:
+- default:
+- return exit_zlib(data, z, &zp->zlib_init, process_zlib_error(data, z));
+- }
+-
+- }
+- break;
+-
+- case ZLIB_EXTERNAL_TRAILER:
+- z->next_in = (Bytef *) buf;
+- z->avail_in = (uInt) nbytes;
+- return process_trailer(data, zp);
+-
+- case ZLIB_GZIP_INFLATING:
+- default:
+- /* Inflating stream state */
+- z->next_in = (Bytef *) buf;
+- z->avail_in = (uInt) nbytes;
+- break;
+- }
+-
+- if(z->avail_in == 0) {
+- /* We don't have any data to inflate; wait until next time */
+- return CURLE_OK;
+- }
+-
+- /* We've parsed the header, now uncompress the data */
+- return inflate_stream(data, writer, ZLIB_GZIP_INFLATING);
+-#endif
+ }
+
+ static void gzip_close_writer(struct Curl_easy *data,
diff --git a/curl.spec b/curl.spec
index d4012d44c2e6a1b7698eec591a631bdd1fb35311..d6f465c212acd8588ab346a8d8c8adae9443e87c 100644
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@ Name: curl Version: 8.4.0 -Release: 14 +Release: 15 Summary: Curl is used in command lines or scripts to transfer data License: curl URL: https://curl.se/
@@ -46,6 +46,8 @@ Patch37: backport-CVE-2024-11053-pre5.patch Patch38: backport-CVE-2024-11053.patch Patch39: backport-CVE-2024-11053-post1.patch Patch40: backport-CVE-2024-11053-post2.patch +Patch41: backport-CVE-2025-0167.patch +Patch42: backport-CVE-2025-0725.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
@@ -231,6 +233,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Sat Feb 08 2025 zhouyihang - 8.4.0-15 +- Type:CVE +- CVE:CVE-2025-0167 CVE-2025-0725 +- SUG:NA +- DESC:fix CVE-2025-0167 CVE-2025-0725 + * Tue Jan 07 2025 zhouyihang - 8.4.0-14 - Type:CVE - CVE:CVE-2024-11053
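Review bot: In gzip_init_writer() (the lib/content_encoding.c hunk at -333 inside backport-CVE-2025-0725.patch), `strcmp(v, "1.2.0.4") >= 0` orders the version strings lexically, not numerically. Before this change a misordered string only selected the manual gzip-header path; with that branch removed it now ends in `failf(...)` and `CURLE_FAILED_INIT`, so gzip decoding would be refused outright. A string such as "1.10.0" sorts below "1.2.0.4" under strcmp(), so the check should either compare the dotted components as numbers or at least state the assumption next to the test, for example `/* strcmp() is a lexical compare: a two-digit component such as "1.10" would sort below "1.2.0.4" */`. The function's signature and closing lines are only partly inside the hunk.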