From 0396dadbd3ca4c97858c591458e2ea69cf7ce453 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= <adrian@suse.de>
Date: Mon, 6 Jan 2025 11:05:03 +0100
Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 curl revision
 371eb015288d2514d7714fccf7b9d161

---
 curl-CVE-2024-11053.patch | 148 ++++++++++++++++++++++++++++++++++++++
 curl.changes              |   9 +++
 curl.spec                 |   2 +
 3 files changed, 159 insertions(+)
 create mode 100644 curl-CVE-2024-11053.patch

diff --git a/curl-CVE-2024-11053.patch b/curl-CVE-2024-11053.patch
new file mode 100644
index 0000000..3f97cbb
--- /dev/null
+++ b/curl-CVE-2024-11053.patch
@@ -0,0 +1,148 @@
+From e9b9bbac22c26cf67316fa8e6c6b9e831af31949 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 15 Nov 2024 11:06:36 +0100
+Subject: [PATCH] netrc: address several netrc parser flaws
+
+- make sure that a match that returns a username also returns a
+  password, that should be blank if no password is found
+
+- fix handling of multiple logins for same host where the password/login
+  order might be reversed.
+
+- reject credentials provided in the .netrc if they contain ASCII control
+  codes - if the used protocol does not support such (like HTTP and WS do)
+
+Reported-by: Harry Sintonen
+
+Add test 478, 479 and 480 to verify. Updated unit 1304.
+
+Closes #15586
+---
+ lib/netrc.c            | 113 +++++++++++++++++++++++------------------
+ lib/url.c              |  60 +++++++++++++++-------
+ tests/data/Makefile.am |   2 +-
+ tests/data/test478     |  73 ++++++++++++++++++++++++++
+ tests/data/test479     | 107 ++++++++++++++++++++++++++++++++++++++
+ tests/data/test480     |  38 ++++++++++++++
+ tests/unit/unit1304.c  |  75 ++++++++-------------------
+ 7 files changed, 345 insertions(+), 123 deletions(-)
+ create mode 100644 tests/data/test478
+ create mode 100644 tests/data/test479
+ create mode 100644 tests/data/test480
+
+Index: curl-8.6.0/lib/netrc.c
+===================================================================
+--- curl-8.6.0.orig/lib/netrc.c
++++ curl-8.6.0/lib/netrc.c
+@@ -238,6 +238,16 @@ static int parsenetrc(const char *host,
+             state = HOSTFOUND;
+             state_our_login = FALSE;
+           }
++          else if(strcasecompare("default", tok)) {
++            state = HOSTVALID;
++            retcode = NETRC_SUCCESS; /* we did find our host */
++            Curl_safefree(password);
++            if(!specific_login)
++              if(login_alloc) {
++                free(login);
++                login_alloc = FALSE;
++              }
++          }
+           break;
+         } /* switch (state) */
+         tok = ++tok_end;
+@@ -245,6 +255,12 @@ static int parsenetrc(const char *host,
+     } /* while Curl_get_line() */
+ 
+ out:
++    if(!retcode && !password && state_our_login) {
++      /* success without a password, set a blank one */
++      password = strdup("");
++      if(!password)
++        retcode = 1; /* out of memory */
++    }
+     if(!retcode) {
+       /* success */
+       if(login_alloc) {
+Index: curl-8.6.0/lib/url.c
+===================================================================
+--- curl-8.6.0.orig/lib/url.c
++++ curl-8.6.0/lib/url.c
+@@ -2725,6 +2725,17 @@ static CURLcode parse_remote_port(struct
+   return CURLE_OK;
+ }
+ 
++static bool str_has_ctrl(const char *input)
++{
++  const unsigned char *str = (const unsigned char *)input;
++  while(*str) {
++    if(*str < 0x20)
++      return TRUE;
++    str++;
++  }
++  return FALSE;
++}
++
+ /*
+  * Override the login details from the URL with that in the CURLOPT_USERPWD
+  * option or a .netrc file, if applicable.
+@@ -2755,29 +2766,40 @@ static CURLcode override_login(struct Cu
+     bool url_provided = FALSE;
+ 
+     if(data->state.aptr.user) {
+-      /* there was a user name in the URL. Use the URL decoded version */
++      /* there was a username with a length in the URL. Use the URL decoded
++         version */
+       userp = &data->state.aptr.user;
+       url_provided = TRUE;
+     }
+ 
+-    ret = Curl_parsenetrc(conn->host.name,
+-                          userp, passwdp,
+-                          data->set.str[STRING_NETRC_FILE]);
+-    if(ret > 0) {
+-      infof(data, "Couldn't find host %s in the %s file; using defaults",
+-            conn->host.name,
+-            (data->set.str[STRING_NETRC_FILE] ?
+-             data->set.str[STRING_NETRC_FILE] : ".netrc"));
+-    }
+-    else if(ret < 0) {
+-      failf(data, ".netrc parser error");
+-      return CURLE_READ_ERROR;
+-    }
+-    else {
+-      /* set bits.netrc TRUE to remember that we got the name from a .netrc
+-         file, so that it is safe to use even if we followed a Location: to a
+-         different host or similar. */
+-      conn->bits.netrc = TRUE;
++    if(!*passwdp) {
++      ret = Curl_parsenetrc(conn->host.name,
++                            userp, passwdp,
++                            data->set.str[STRING_NETRC_FILE]);
++      if(ret > 0) {
++        infof(data, "Couldn't find host %s in the %s file; using defaults",
++              conn->host.name,
++              (data->set.str[STRING_NETRC_FILE] ?
++               data->set.str[STRING_NETRC_FILE] : ".netrc"));
++      }
++      else if(ret < 0) {
++        failf(data, ".netrc parser error");
++        return CURLE_READ_ERROR;
++      }
++      else {
++        if(!(conn->handler->flags&PROTOPT_USERPWDCTRL)) {
++          /* if the protocol can't handle control codes in credentials, make
++             sure there are none */
++          if(str_has_ctrl(*userp) || str_has_ctrl(*passwdp)) {
++            failf(data, "control code detected in .netrc credentials");
++            return CURLE_READ_ERROR;
++          }
++        }
++        /* set bits.netrc TRUE to remember that we got the name from a .netrc
++           file, so that it is safe to use even if we followed a Location: to a
++           different host or similar. */
++        conn->bits.netrc = TRUE;
++      }
+     }
+     if(url_provided) {
+       Curl_safefree(conn->user);
diff --git a/curl.changes b/curl.changes
index 58f0ff4..aa2daa4 100644
--- a/curl.changes
+++ b/curl.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Dec  3 10:26:59 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1234068, CVE-2024-11053]
+  * curl could leak the password used for the first host to the
+    followed-to host under certain circumstances.
+  * netrc: address several netrc parser flaws
+  * Add curl-CVE-2024-11053.patch
+
 -------------------------------------------------------------------
 Wed Oct 30 09:37:28 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 
diff --git a/curl.spec b/curl.spec
index 37467e3..04651de 100644
--- a/curl.spec
+++ b/curl.spec
@@ -55,6 +55,8 @@ Patch11:        curl-CVE-2024-8096.patch
 Patch12:        curl-aws_sigv4-url-encode-the-canonical-path.patch
 #PATCH-FIX-UPSTREAM bsc#1232528 CVE-2024-9681 HSTS subdomain overwrites parent cache entry
 Patch13:        curl-CVE-2024-9681.patch
+#PATCH-FIX-UPSTREAM bsc#1234068 CVE-2024-11053 netrc and redirect credential leak
+Patch14:        curl-CVE-2024-11053.patch
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 Requires:       libcurl4 = %{version}