From 48b7e6c71a2bc656641f97439b7b2064df363f15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Wed, 4 Sep 2024 16:11:29 +0200 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 curl revision 0ef1802cf13d6361dd244b71d939d59a --- ...ert-receive-max-buffer-add-test-case.patch | 70 ++++ curl-CVE-2024-2004.patch | 133 ++++++++ curl-CVE-2024-2379.patch | 47 +++ curl-CVE-2024-2398.patch | 89 +++++ curl-CVE-2024-2466.patch | 40 +++ curl-CVE-2024-6197.patch | 21 ++ curl-CVE-2024-7264.patch | 322 ++++++++++++++++++ curl.changes | 59 ++++ curl.spec | 29 +- 9 files changed, 797 insertions(+), 13 deletions(-) create mode 100644 0001-vtls-revert-receive-max-buffer-add-test-case.patch create mode 100644 curl-CVE-2024-2004.patch create mode 100644 curl-CVE-2024-2379.patch create mode 100644 curl-CVE-2024-2398.patch create mode 100644 curl-CVE-2024-2466.patch create mode 100644 curl-CVE-2024-6197.patch create mode 100644 curl-CVE-2024-7264.patch diff --git a/0001-vtls-revert-receive-max-buffer-add-test-case.patch b/0001-vtls-revert-receive-max-buffer-add-test-case.patch new file mode 100644 index 0000000..87f3fdc --- /dev/null +++ b/0001-vtls-revert-receive-max-buffer-add-test-case.patch @@ -0,0 +1,70 @@ +From e00609fc15f5d5adaf0896b751bf2c3a74a5f6f4 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 1 Feb 2024 18:15:50 +0100 +Subject: [PATCH] vtls: revert "receive max buffer" + add test case + +- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an + Apache resource that does an unclean TLS shutdown. +- revert special workarund in openssl.c for suppressing shutdown errors + on multiplexed connections +- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53 + +Fixes #12885 +Fixes #12844 + +Closes #12848 + +(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84) +--- + lib/vtls/vtls.c | 27 +++++-------------- + tests/http/test_05_errors.py | 27 +++++++++++++++++++ + tests/http/testenv/httpd.py | 7 ++++- + .../http/testenv/mod_curltest/mod_curltest.c | 2 +- + 4 files changed, 40 insertions(+), 23 deletions(-) + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e928ba5d0..f654a9749 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf, + { + struct cf_call_data save; + ssize_t nread; +- size_t ntotal = 0; + + CF_DATA_SAVE(save, cf, data); + *err = CURLE_OK; +- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */ +- while(!ntotal || (len - ntotal) > (4*1024)) { ++ nread = Curl_ssl->recv_plain(cf, data, buf, len, err); ++ if(nread > 0) { ++ DEBUGASSERT((size_t)nread <= len); ++ } ++ else if(nread == 0) { ++ /* eof */ + *err = CURLE_OK; +- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err); +- if(nread < 0) { +- if(*err == CURLE_AGAIN && ntotal > 0) { +- /* we EAGAINed after having reed data, return the success amount */ +- *err = CURLE_OK; +- break; +- } +- /* we have a an error to report */ +- goto out; +- } +- else if(nread == 0) { +- /* eof */ +- break; +- } +- ntotal += (size_t)nread; +- DEBUGASSERT((size_t)ntotal <= len); + } +- nread = (ssize_t)ntotal; +-out: + CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, + nread, *err); + CF_DATA_RESTORE(cf, save); +-- +2.43.0 + diff --git a/curl-CVE-2024-2004.patch b/curl-CVE-2024-2004.patch new file mode 100644 index 0000000..26ec21f --- /dev/null +++ b/curl-CVE-2024-2004.patch @@ -0,0 +1,133 @@ +From 17d302e56221f5040092db77d4f85086e8a20e0e Mon Sep 17 00:00:00 2001 +From: Daniel Gustafsson +Date: Tue, 27 Feb 2024 15:43:56 +0100 +Subject: [PATCH] setopt: Fix disabling all protocols + +When disabling all protocols without enabling any, the resulting +set of allowed protocols remained the default set. Clearing the +allowed set before inspecting the passed value from --proto make +the set empty even in the errorpath of no protocols enabled. + +Co-authored-by: Dan Fandrich +Reported-by: Dan Fandrich +Reviewed-by: Daniel Stenberg +Closes: #13004 +--- + lib/setopt.c | 16 ++++++++-------- + tests/data/Makefile.inc | 2 +- + tests/data/test1474 | 42 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 51 insertions(+), 9 deletions(-) + create mode 100644 tests/data/test1474 + +diff --git a/lib/setopt.c b/lib/setopt.c +index 6a4990cce6731b..ce1321fc80be9d 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -155,6 +155,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp) + + static CURLcode protocol2num(const char *str, curl_prot_t *val) + { ++ /* ++ * We are asked to cherry-pick protocols, so play it safe and disallow all ++ * protocols to start with, and re-add the wanted ones back in. ++ */ ++ *val = 0; ++ + if(!str) + return CURLE_BAD_FUNCTION_ARGUMENT; + +@@ -163,8 +169,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val) + return CURLE_OK; + } + +- *val = 0; +- + do { + const char *token = str; + size_t tlen; +@@ -2654,22 +2658,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + break; + + case CURLOPT_PROTOCOLS_STR: { +- curl_prot_t prot; + argptr = va_arg(param, char *); +- result = protocol2num(argptr, &prot); ++ result = protocol2num(argptr, &data->set.allowed_protocols); + if(result) + return result; +- data->set.allowed_protocols = prot; + break; + } + + case CURLOPT_REDIR_PROTOCOLS_STR: { +- curl_prot_t prot; + argptr = va_arg(param, char *); +- result = protocol2num(argptr, &prot); ++ result = protocol2num(argptr, &data->set.redir_protocols); + if(result) + return result; +- data->set.redir_protocols = prot; + break; + } + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index c20f90d945cc90..b80ffb618e55b9 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -187,7 +187,7 @@ test1439 test1440 test1441 test1442 test1443 test1444 test1445 test1446 \ + test1447 test1448 test1449 test1450 test1451 test1452 test1453 test1454 \ + test1455 test1456 test1457 test1458 test1459 test1460 test1461 test1462 \ + test1463 test1464 test1465 test1466 test1467 test1468 test1469 test1470 \ +-test1471 test1472 test1473 test1475 test1476 test1477 test1478 \ ++test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 \ + \ + test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ + test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \ +diff --git a/tests/data/test1474 b/tests/data/test1474 +new file mode 100644 +index 00000000000000..c66fa2810483f2 +--- /dev/null ++++ b/tests/data/test1474 +@@ -0,0 +1,42 @@ ++ ++ ++ ++HTTP ++HTTP GET ++--proto ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++none ++ ++ ++http ++ ++ ++--proto -all disables all protocols ++ ++ ++--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 1 - Protocol "http" disabled ++ ++1 ++ ++ ++ diff --git a/curl-CVE-2024-2379.patch b/curl-CVE-2024-2379.patch new file mode 100644 index 0000000..a24d5d6 --- /dev/null +++ b/curl-CVE-2024-2379.patch @@ -0,0 +1,47 @@ +From aedbbdf18e689a5eee8dc39600914f5eda6c409c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 11 Mar 2024 10:53:08 +0100 +Subject: [PATCH] vquic-tls: return appropirate errors on wolfSSL errors + +Reported-by: Dexter Gerig +Closes #13107 +--- + lib/vquic/vquic-tls.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c +index cc7794e405a5f6..dbde21f476f1dc 100644 +--- a/lib/vquic/vquic-tls.c ++++ b/lib/vquic/vquic-tls.c +@@ -375,6 +375,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx, + char error_buffer[256]; + ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer)); + failf(data, "wolfSSL failed to set ciphers: %s", error_buffer); ++ result = CURLE_BAD_FUNCTION_ARGUMENT; + goto out; + } + +@@ -382,6 +383,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx, + conn_config->curves : + (char *)QUIC_GROUPS) != 1) { + failf(data, "wolfSSL failed to set curves"); ++ result = CURLE_BAD_FUNCTION_ARGUMENT; + goto out; + } + +@@ -392,6 +394,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx, + wolfSSL_CTX_set_keylog_callback(ctx->ssl_ctx, keylog_callback); + #else + failf(data, "wolfSSL was built without keylog callback"); ++ result = CURLE_NOT_BUILT_IN; + goto out; + #endif + } +@@ -414,6 +417,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx, + " CAfile: %s CApath: %s", + ssl_cafile ? ssl_cafile : "none", + ssl_capath ? ssl_capath : "none"); ++ result = CURLE_SSL_CACERT; + goto out; + } + infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none"); diff --git a/curl-CVE-2024-2398.patch b/curl-CVE-2024-2398.patch new file mode 100644 index 0000000..0442d61 --- /dev/null +++ b/curl-CVE-2024-2398.patch @@ -0,0 +1,89 @@ +From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +Index: curl-8.6.0/lib/http2.c +=================================================================== +--- curl-8.6.0.orig/lib/http2.c ++++ curl-8.6.0/lib/http2.c +@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct + return CURLE_OK; + } + ++static void free_push_headers(struct stream_ctx *stream) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + static void http2_data_done(struct Curl_cfilter *cf, + struct Curl_easy *data, bool premature) + { +@@ -317,15 +326,7 @@ static void http2_data_done(struct Curl_ + Curl_bufq_free(&stream->recvbuf); + Curl_h1_req_parse_free(&stream->h1); + Curl_dynhds_free(&stream->resp_trailers); +- if(stream->push_headers) { +- /* if they weren't used and then freed before */ +- for(; stream->push_headers_used > 0; --stream->push_headers_used) { +- free(stream->push_headers[stream->push_headers_used - 1]); +- } +- free(stream->push_headers); +- stream->push_headers = NULL; +- } +- ++ free_push_headers(stream); + free(stream); + H2_STREAM_LCTX(data) = NULL; + } +@@ -872,7 +873,6 @@ static int push_promise(struct Curl_cfil + struct curl_pushheaders heads; + CURLMcode rc; + CURLcode result; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = h2_duphandle(cf, data); + if(!newhandle) { +@@ -917,11 +917,7 @@ static int push_promise(struct Curl_cfil + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); +@@ -1468,14 +1464,14 @@ static int on_header(nghttp2_session *se + if(stream->push_headers_alloc > 1000) { + /* this is beyond crazy many headers, bail out */ + failf(data_s, "Too many PUSH_PROMISE headers"); +- Curl_safefree(stream->push_headers); ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; diff --git a/curl-CVE-2024-2466.patch b/curl-CVE-2024-2466.patch new file mode 100644 index 0000000..80a09ad --- /dev/null +++ b/curl-CVE-2024-2466.patch @@ -0,0 +1,40 @@ +From 3d0fd382a29b95561b90b7ea3e7eb04dfdd43538 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 15 Mar 2024 10:10:13 +0100 +Subject: [PATCH] mbedtls: fix pytest for newer versions + +Fix the expectations in pytest for newer versions of mbedtls + +Closes #13132 +--- + lib/vtls/mbedtls.c | 15 +++++++-------- + tests/http/test_10_proxy.py | 8 ++++++-- + tests/http/testenv/env.py | 14 +++++++++++--- + 3 files changed, 24 insertions(+), 13 deletions(-) + +Index: curl-8.6.0/lib/vtls/mbedtls.c +=================================================================== +--- curl-8.6.0.orig/lib/vtls/mbedtls.c ++++ curl-8.6.0/lib/vtls/mbedtls.c +@@ -654,14 +654,13 @@ mbed_connect_step1(struct Curl_cfilter * + &backend->clicert, &backend->pk); + } + +- if(connssl->peer.sni) { +- if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni)) { +- /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and +- the name to set in the SNI extension. So even if curl connects to a +- host specified as an IP address, this function must be used. */ +- failf(data, "Failed to set SNI"); +- return CURLE_SSL_CONNECT_ERROR; +- } ++ if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni? ++ connssl->peer.sni : connssl->peer.hostname)) { ++ /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and ++ the name to set in the SNI extension. So even if curl connects to a ++ host specified as an IP address, this function must be used. */ ++ failf(data, "Failed to set SNI"); ++ return CURLE_SSL_CONNECT_ERROR; + } + + #ifdef HAS_ALPN diff --git a/curl-CVE-2024-6197.patch b/curl-CVE-2024-6197.patch new file mode 100644 index 0000000..d10a91c --- /dev/null +++ b/curl-CVE-2024-6197.patch @@ -0,0 +1,21 @@ +From 3a537a4db9e65e545ec45b1b5d5575ee09a2569d Mon Sep 17 00:00:00 2001 +From: z2_ <88509734+z2-2z@users.noreply.github.com> +Date: Fri, 28 Jun 2024 14:45:47 +0200 +Subject: [PATCH] x509asn1: remove superfluous free() + +--- + lib/vtls/x509asn1.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c +index f71ab0b90a5931..1bc4243ddae343 100644 +--- a/lib/vtls/x509asn1.c ++++ b/lib/vtls/x509asn1.c +@@ -393,7 +393,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end) + if(wc >= 0x00000800) { + if(wc >= 0x00010000) { + if(wc >= 0x00200000) { +- free(buf); + /* Invalid char. size for target encoding. */ + return CURLE_WEIRD_SERVER_REPLY; + } diff --git a/curl-CVE-2024-7264.patch b/curl-CVE-2024-7264.patch new file mode 100644 index 0000000..65ef011 --- /dev/null +++ b/curl-CVE-2024-7264.patch @@ -0,0 +1,322 @@ +From 3c914bc680155b32178f1f15ca8d47c7f4640afe Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 30 Jul 2024 10:05:17 +0200 +Subject: [PATCH] x509asn1: clean up GTime2str + +Co-authored-by: Stefan Eissing +Reported-by: Dov Murik + +Closes #14307 +--- + lib/vtls/x509asn1.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +Index: curl-8.6.0/lib/vtls/x509asn1.c +=================================================================== +--- curl-8.6.0.orig/lib/vtls/x509asn1.c ++++ curl-8.6.0/lib/vtls/x509asn1.c +@@ -488,7 +488,7 @@ static CURLcode GTime2str(struct dynbuf + /* Convert an ASN.1 Generalized time to a printable string. + Return the dynamically allocated string, or NULL if an error occurs. */ + +- for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++) ++ for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++) + ; + + /* Get seconds digits. */ +@@ -507,32 +507,44 @@ static CURLcode GTime2str(struct dynbuf + return CURLE_BAD_FUNCTION_ARGUMENT; + } + +- /* Scan for timezone, measure fractional seconds. */ ++ /* timezone follows optional fractional seconds. */ + tzp = fracp; +- fracl = 0; ++ fracl = 0; /* no fractional seconds detected so far */ + if(fracp < end && (*fracp == '.' || *fracp == ',')) { +- fracp++; +- do ++ /* Have fractional seconds, e.g. "[.,]\d+". How many? */ ++ fracp++; /* should be a digit char or BAD ARGUMENT */ ++ tzp = fracp; ++ while(tzp < end && ISDIGIT(*tzp)) + tzp++; +- while(tzp < end && *tzp >= '0' && *tzp <= '9'); +- /* Strip leading zeroes in fractional seconds. */ +- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--) +- ; ++ if(tzp == fracp) /* never looped, no digit after [.,] */ ++ return CURLE_BAD_FUNCTION_ARGUMENT; ++ fracl = tzp - fracp; /* number of fractional sec digits */ ++ DEBUGASSERT(fracl > 0); ++ /* Strip trailing zeroes in fractional seconds. ++ * May reduce fracl to 0 if only '0's are present. */ ++ while(fracl && fracp[fracl - 1] == '0') ++ fracl--; + } + + /* Process timezone. */ +- if(tzp >= end) +- ; /* Nothing to do. */ ++ if(tzp >= end) { ++ tzp = ""; ++ tzl = 0; ++ } + else if(*tzp == 'Z') { +- tzp = " GMT"; +- end = tzp + 4; ++ sep = " "; ++ tzp = "GMT"; ++ tzl = 3; ++ } ++ else if((*tzp == '+') || (*tzp == '-')) { ++ sep = " UTC"; ++ tzl = end - tzp; + } + else { + sep = " "; +- tzp++; ++ tzl = end - tzp; + } + +- tzl = end - tzp; + return Curl_dyn_addf(store, + "%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s", + beg, beg + 4, beg + 6, +@@ -541,6 +553,15 @@ static CURLcode GTime2str(struct dynbuf + sep, (int)tzl, tzp); + } + ++#ifdef UNITTESTS ++/* used by unit1656.c */ ++CURLcode Curl_x509_GTime2str(struct dynbuf *store, ++ const char *beg, const char *end) ++{ ++ return GTime2str(store, beg, end); ++} ++#endif ++ + /* + * Convert an ASN.1 UTC time to a printable string. + * +Index: curl-8.6.0/lib/vtls/x509asn1.h +=================================================================== +--- curl-8.6.0.orig/lib/vtls/x509asn1.h ++++ curl-8.6.0/lib/vtls/x509asn1.h +@@ -76,5 +76,16 @@ CURLcode Curl_extract_certinfo(struct Cu + const char *beg, const char *end); + CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data, + const char *beg, const char *end); ++ ++#ifdef UNITTESTS ++#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \ ++ defined(USE_MBEDTLS) ++ ++/* used by unit1656.c */ ++CURLcode Curl_x509_GTime2str(struct dynbuf *store, ++ const char *beg, const char *end); ++#endif ++#endif ++ + #endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_SECTRANSP */ + #endif /* HEADER_CURL_X509ASN1_H */ +Index: curl-8.6.0/tests/data/Makefile.inc +=================================================================== +--- curl-8.6.0.orig/tests/data/Makefile.inc ++++ curl-8.6.0/tests/data/Makefile.inc +@@ -208,7 +208,7 @@ test1620 test1621 \ + \ + test1630 test1631 test1632 test1633 test1634 test1635 \ + \ +-test1650 test1651 test1652 test1653 test1654 test1655 \ ++test1650 test1651 test1652 test1653 test1654 test1655 test1656 \ + test1660 test1661 test1662 \ + \ + test1670 test1671 \ +Index: curl-8.6.0/tests/data/test1656 +=================================================================== +--- /dev/null ++++ curl-8.6.0/tests/data/test1656 +@@ -0,0 +1,22 @@ ++ ++ ++ ++unittest ++Curl_x509_GTime2str ++ ++ ++ ++# ++# Client-side ++ ++ ++none ++ ++ ++unittest ++ ++ ++Curl_x509_GTime2str unit tests ++ ++ ++ +Index: curl-8.6.0/tests/unit/Makefile.inc +=================================================================== +--- curl-8.6.0.orig/tests/unit/Makefile.inc ++++ curl-8.6.0/tests/unit/Makefile.inc +@@ -36,7 +36,7 @@ UNITPROGS = unit1300 unit1302 u + unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \ + unit1608 unit1609 unit1610 unit1611 unit1612 unit1614 \ + unit1620 unit1621 \ +- unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 \ ++ unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 unit1656 \ + unit1660 unit1661 \ + unit2600 unit2601 unit2602 unit2603 \ + unit3200 +@@ -117,6 +117,8 @@ unit1654_SOURCES = unit1654.c $(UNITFILE + + unit1655_SOURCES = unit1655.c $(UNITFILES) + ++unit1656_SOURCES = unit1656.c $(UNITFILES) ++ + unit1660_SOURCES = unit1660.c $(UNITFILES) + + unit1661_SOURCES = unit1661.c $(UNITFILES) +Index: curl-8.6.0/tests/unit/unit1656.c +=================================================================== +--- /dev/null ++++ curl-8.6.0/tests/unit/unit1656.c +@@ -0,0 +1,133 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++#include "curlcheck.h" ++ ++#include "vtls/x509asn1.h" ++ ++static CURLcode unit_setup(void) ++{ ++ return CURLE_OK; ++} ++ ++static void unit_stop(void) ++{ ++ ++} ++ ++#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \ ++ defined(USE_MBEDTLS) ++ ++#ifndef ARRAYSIZE ++#define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0])) ++#endif ++ ++struct test_spec { ++ const char *input; ++ const char *exp_output; ++ CURLcode exp_result; ++}; ++ ++static struct test_spec test_specs[] = { ++ { "190321134340", "1903-21-13 43:40:00", CURLE_OK }, ++ { "", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, ++ { "WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, ++ { "0WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, ++ { "19032113434", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, ++ { "19032113434WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, ++ { "190321134340.", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, ++ { "190321134340.1", "1903-21-13 43:40:00.1", CURLE_OK }, ++ { "19032113434017.0", "1903-21-13 43:40:17", CURLE_OK }, ++ { "19032113434017.01", "1903-21-13 43:40:17.01", CURLE_OK }, ++ { "19032113434003.001", "1903-21-13 43:40:03.001", CURLE_OK }, ++ { "19032113434003.090", "1903-21-13 43:40:03.09", CURLE_OK }, ++ { "190321134340Z", "1903-21-13 43:40:00 GMT", CURLE_OK }, ++ { "19032113434017.0Z", "1903-21-13 43:40:17 GMT", CURLE_OK }, ++ { "19032113434017.01Z", "1903-21-13 43:40:17.01 GMT", CURLE_OK }, ++ { "19032113434003.001Z", "1903-21-13 43:40:03.001 GMT", CURLE_OK }, ++ { "19032113434003.090Z", "1903-21-13 43:40:03.09 GMT", CURLE_OK }, ++ { "190321134340CET", "1903-21-13 43:40:00 CET", CURLE_OK }, ++ { "19032113434017.0CET", "1903-21-13 43:40:17 CET", CURLE_OK }, ++ { "19032113434017.01CET", "1903-21-13 43:40:17.01 CET", CURLE_OK }, ++ { "190321134340+02:30", "1903-21-13 43:40:00 UTC+02:30", CURLE_OK }, ++ { "19032113434017.0+02:30", "1903-21-13 43:40:17 UTC+02:30", CURLE_OK }, ++ { "19032113434017.01+02:30", "1903-21-13 43:40:17.01 UTC+02:30", CURLE_OK }, ++ { "190321134340-3", "1903-21-13 43:40:00 UTC-3", CURLE_OK }, ++ { "19032113434017.0-04", "1903-21-13 43:40:17 UTC-04", CURLE_OK }, ++ { "19032113434017.01-01:10", "1903-21-13 43:40:17.01 UTC-01:10", CURLE_OK }, ++}; ++ ++static bool do_test(struct test_spec *spec, size_t i, struct dynbuf *dbuf) ++{ ++ CURLcode result; ++ const char *in = spec->input; ++ ++ Curl_dyn_reset(dbuf); ++ result = Curl_x509_GTime2str(dbuf, in, in + strlen(in)); ++ if(result != spec->exp_result) { ++ fprintf(stderr, "test %zu: expect result %d, got %d\n", ++ i, spec->exp_result, result); ++ return FALSE; ++ } ++ else if(!result && strcmp(spec->exp_output, Curl_dyn_ptr(dbuf))) { ++ fprintf(stderr, "test %zu: input '%s', expected output '%s', got '%s'\n", ++ i, in, spec->exp_output, Curl_dyn_ptr(dbuf)); ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ ++UNITTEST_START ++{ ++ size_t i; ++ struct dynbuf dbuf; ++ bool all_ok = TRUE; ++ ++ Curl_dyn_init(&dbuf, 32*1024); ++ ++ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { ++ fprintf(stderr, "curl_global_init() failed\n"); ++ return TEST_ERR_MAJOR_BAD; ++ } ++ ++ for(i = 0; i < ARRAYSIZE(test_specs); ++i) { ++ if(!do_test(&test_specs[i], i, &dbuf)) ++ all_ok = FALSE; ++ } ++ fail_unless(all_ok, "some tests of Curl_x509_GTime2str() fails"); ++ ++ Curl_dyn_free(&dbuf); ++ curl_global_cleanup(); ++} ++UNITTEST_STOP ++ ++#else ++ ++UNITTEST_START ++{ ++ puts("not tested since Curl_x509_GTime2str() is not built-in"); ++} ++UNITTEST_STOP ++ ++#endif diff --git a/curl.changes b/curl.changes index e7017fa..a6113c7 100644 --- a/curl.changes +++ b/curl.changes @@ -1,3 +1,62 @@ +------------------------------------------------------------------- +Wed Jul 31 08:40:11 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1228535, CVE-2024-7264] + * curl: ASN.1 date parser overread + * Add curl-CVE-2024-7264.patch + +------------------------------------------------------------------- +Tue Jul 16 08:43:02 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1227888, CVE-2024-6197] + * Freeing stack buffer in utf8asn1str + * x509asn1: remove superfluous free() + * Add curl-CVE-2024-6197.patch + +------------------------------------------------------------------- +Wed Mar 27 18:32:08 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1221666, CVE-2024-2379] + * curl: QUIC certificate check bypass with wolfSSL + * Add curl-CVE-2024-2379.patch + +------------------------------------------------------------------- +Wed Mar 27 18:21:59 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1221668, CVE-2024-2466] + * curl: TLS certificate check bypass with mbedTLS + * Add curl-CVE-2024-2466.patch + +------------------------------------------------------------------- +Fri Mar 22 13:55:01 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1221665, CVE-2024-2004] + * Usage of disabled protocol + * Add curl-CVE-2024-2004.patch + +------------------------------------------------------------------- +Thu Mar 21 12:27:30 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1221667, CVE-2024-2398] + * curl: HTTP/2 push headers memory-leak + * Add curl-CVE-2024-2398.patch + +------------------------------------------------------------------- +Tue Mar 12 08:43:30 UTC 2024 - Pedro Monreal + +- Remove the nghttp2 version requirement as a version guard around + the nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation + function was added in curl 8.0.1. + * Upstream commit: https://github.com/curl/curl/commit/744dcf22 + +------------------------------------------------------------------- +Thu Feb 8 13:58:23 UTC 2024 - Fabian Vogt + +- Add patch to fix various TLS related issues including FTP over SSL + transmission timeouts: + * 0001-vtls-revert-receive-max-buffer-add-test-case.patch +- Switch to %autosetup + ------------------------------------------------------------------- Wed Jan 31 09:11:56 UTC 2024 - Pedro Monreal diff --git a/curl.spec b/curl.spec index 430df90..d35d5de 100644 --- a/curl.spec +++ b/curl.spec @@ -35,6 +35,20 @@ Patch1: dont-mess-with-rpmoptflags.patch Patch2: curl-secure-getenv.patch #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled Patch3: curl-disabled-redirect-protocol-message.patch +# PATCH-FIX-UPSTREAM +Patch4: 0001-vtls-revert-receive-max-buffer-add-test-case.patch +#PATCH-FIX-UPSTREAM bsc#1221665 CVE-2024-2004 Usage of disabled protocol +Patch5: curl-CVE-2024-2004.patch +#PATCH-FIX-UPSTREAM bsc#1221667 CVE-2024-2398 HTTP/2 push headers memory-leak +Patch6: curl-CVE-2024-2398.patch +#PATCH-FIX-UPSTREAM bsc#1221666 CVE-2024-2379 QUIC certificate check bypass with wolfSSL +Patch7: curl-CVE-2024-2379.patch +#PATCH-FIX-UPSTREAM bsc#1221668 CVE-2024-2466 TLS certificate check bypass with mbedTLS +Patch8: curl-CVE-2024-2466.patch +#PATCH-FIX-UPSTREAM bsc#1227888 CVE-2024-6197 Freeing stack buffer in utf8asn1str +Patch9: curl-CVE-2024-6197.patch +#PATCH-FIX-UPSTREAM bsc#1228535 CVE-2024-7264 ASN.1 date parser overread +Patch10: curl-CVE-2024-7264.patch BuildRequires: libtool BuildRequires: pkgconfig Requires: libcurl4 = %{version} @@ -46,17 +60,7 @@ BuildRequires: pkgconfig(libbrotlidec) BuildRequires: pkgconfig(libidn2) # Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922] # BuildRequires: pkgconfig(libmetalink) -# -# The 7.86.0 cURL release introduced the use of -# nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, -# a function introduced by the 1.50.0 nghttp2 release. -# -# This is a bandaid, as cURL didn't provide a function/version check -# in their build scripts. Without this some users my end up with a broken -# Zypper/cURL if they have a libnghttp2 < 1.50.0 yet in their system, -# and do some Zypper transaction that updates cURL, but not libnghttp2. -# -BuildRequires: pkgconfig(libnghttp2) >= 1.50.0 +BuildRequires: pkgconfig(libnghttp2) BuildRequires: pkgconfig(libpsl) BuildRequires: pkgconfig(libssh) BuildRequires: pkgconfig(libzstd) @@ -100,8 +104,7 @@ DICT, TELNET, LDAP, or FILE). The command is designed to work without user interaction or any kind of interactivity. %prep -%setup -q -n curl-%{version} -%autopatch -p1 +%autosetup -p1 %build # curl complains if macro definition is contained in CFLAGS