Sync from SUSE:ALP:Source:Standard:1.0 curl revision 0ef1802cf13d6361dd244b71d939d59a

0001-vtls-revert-receive-max-buffer-add-test-case.patch

@@ -0,0 +1,70 @@
+From e00609fc15f5d5adaf0896b751bf2c3a74a5f6f4 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Thu, 1 Feb 2024 18:15:50 +0100
+Subject: [PATCH] vtls: revert "receive max buffer" + add test case
+
+- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an
+  Apache resource that does an unclean TLS shutdown.
+- revert special workarund in openssl.c for suppressing shutdown errors
+  on multiplexed connections
+- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53
+
+Fixes #12885
+Fixes #12844
+
+Closes #12848
+
+(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84)
+---
+ lib/vtls/vtls.c                               | 27 +++++--------------
+ tests/http/test_05_errors.py                  | 27 +++++++++++++++++++
+ tests/http/testenv/httpd.py                   |  7 ++++-
+ .../http/testenv/mod_curltest/mod_curltest.c  |  2 +-
+ 4 files changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index e928ba5d0..f654a9749 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
+ {
+   struct cf_call_data save;
+   ssize_t nread;
+-  size_t ntotal = 0;
+ 
+   CF_DATA_SAVE(save, cf, data);
+   *err = CURLE_OK;
+-  /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */
+-  while(!ntotal || (len - ntotal) > (4*1024)) {
++  nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
++  if(nread > 0) {
++    DEBUGASSERT((size_t)nread <= len);
++  }
++  else if(nread == 0) {
++    /* eof */
+     *err = CURLE_OK;
+-    nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err);
+-    if(nread < 0) {
+-      if(*err == CURLE_AGAIN && ntotal > 0) {
+-        /* we EAGAINed after having reed data, return the success amount */
+-        *err = CURLE_OK;
+-        break;
+-      }
+-      /* we have a an error to report */
+-      goto out;
+-    }
+-    else if(nread == 0) {
+-      /* eof */
+-      break;
+-    }
+-    ntotal += (size_t)nread;
+-    DEBUGASSERT((size_t)ntotal <= len);
+   }
+-  nread = (ssize_t)ntotal;
+-out:
+   CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len,
+               nread, *err);
+   CF_DATA_RESTORE(cf, save);
+-- 
+2.43.0
+

curl-CVE-2024-2004.patch

@@ -0,0 +1,133 @@
+From 17d302e56221f5040092db77d4f85086e8a20e0e Mon Sep 17 00:00:00 2001
+From: Daniel Gustafsson <daniel@yesql.se>
+Date: Tue, 27 Feb 2024 15:43:56 +0100
+Subject: [PATCH] setopt: Fix disabling all protocols
+
+When disabling all protocols without enabling any, the resulting
+set of allowed protocols remained the default set.  Clearing the
+allowed set before inspecting the passed value from --proto make
+the set empty even in the errorpath of no protocols enabled.
+
+Co-authored-by: Dan Fandrich <dan@telarity.com>
+Reported-by: Dan Fandrich <dan@telarity.com>
+Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+Closes: #13004
+---
+ lib/setopt.c            | 16 ++++++++--------
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1474     | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 51 insertions(+), 9 deletions(-)
+ create mode 100644 tests/data/test1474
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 6a4990cce6731b..ce1321fc80be9d 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -155,6 +155,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp)
+ 
+ static CURLcode protocol2num(const char *str, curl_prot_t *val)
+ {
++  /*
++   * We are asked to cherry-pick protocols, so play it safe and disallow all
++   * protocols to start with, and re-add the wanted ones back in.
++   */
++  *val = 0;
++
+   if(!str)
+     return CURLE_BAD_FUNCTION_ARGUMENT;
+ 
+@@ -163,8 +169,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val)
+     return CURLE_OK;
+   }
+ 
+-  *val = 0;
+-
+   do {
+     const char *token = str;
+     size_t tlen;
+@@ -2654,22 +2658,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     break;
+ 
+   case CURLOPT_PROTOCOLS_STR: {
+-    curl_prot_t prot;
+     argptr = va_arg(param, char *);
+-    result = protocol2num(argptr, &prot);
++    result = protocol2num(argptr, &data->set.allowed_protocols);
+     if(result)
+       return result;
+-    data->set.allowed_protocols = prot;
+     break;
+   }
+ 
+   case CURLOPT_REDIR_PROTOCOLS_STR: {
+-    curl_prot_t prot;
+     argptr = va_arg(param, char *);
+-    result = protocol2num(argptr, &prot);
++    result = protocol2num(argptr, &data->set.redir_protocols);
+     if(result)
+       return result;
+-    data->set.redir_protocols = prot;
+     break;
+   }
+ 
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index c20f90d945cc90..b80ffb618e55b9 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -187,7 +187,7 @@ test1439 test1440 test1441 test1442 test1443 test1444 test1445 test1446 \
+ test1447 test1448 test1449 test1450 test1451 test1452 test1453 test1454 \
+ test1455 test1456 test1457 test1458 test1459 test1460 test1461 test1462 \
+ test1463 test1464 test1465 test1466 test1467 test1468 test1469 test1470 \
+-test1471 test1472 test1473          test1475 test1476 test1477 test1478 \
++test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 \
+ \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+diff --git a/tests/data/test1474 b/tests/data/test1474
+new file mode 100644
+index 00000000000000..c66fa2810483f2
+--- /dev/null
++++ b/tests/data/test1474
+@@ -0,0 +1,42 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++--proto
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<features>
++http
++</features>
++<name>
++--proto -all disables all protocols
++</name>
++<command>
++--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 1 - Protocol "http" disabled
++<errorcode>
++1
++</errorcode>
++</verify>
++</testcase>

curl-CVE-2024-2379.patch

@@ -0,0 +1,47 @@
+From aedbbdf18e689a5eee8dc39600914f5eda6c409c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 11 Mar 2024 10:53:08 +0100
+Subject: [PATCH] vquic-tls: return appropirate errors on wolfSSL errors
+
+Reported-by: Dexter Gerig
+Closes #13107
+---
+ lib/vquic/vquic-tls.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c
+index cc7794e405a5f6..dbde21f476f1dc 100644
+--- a/lib/vquic/vquic-tls.c
++++ b/lib/vquic/vquic-tls.c
+@@ -375,6 +375,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
+     char error_buffer[256];
+     ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer));
+     failf(data, "wolfSSL failed to set ciphers: %s", error_buffer);
++    result = CURLE_BAD_FUNCTION_ARGUMENT;
+     goto out;
+   }
+ 
+@@ -382,6 +383,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
+                                   conn_config->curves :
+                                   (char *)QUIC_GROUPS) != 1) {
+     failf(data, "wolfSSL failed to set curves");
++    result = CURLE_BAD_FUNCTION_ARGUMENT;
+     goto out;
+   }
+ 
+@@ -392,6 +394,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
+     wolfSSL_CTX_set_keylog_callback(ctx->ssl_ctx, keylog_callback);
+ #else
+     failf(data, "wolfSSL was built without keylog callback");
++    result = CURLE_NOT_BUILT_IN;
+     goto out;
+ #endif
+   }
+@@ -414,6 +417,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
+               "  CAfile: %s CApath: %s",
+               ssl_cafile ? ssl_cafile : "none",
+               ssl_capath ? ssl_capath : "none");
++        result = CURLE_SSL_CACERT;
+         goto out;
+       }
+       infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");

curl-CVE-2024-2398.patch

@@ -0,0 +1,89 @@
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+Index: curl-8.6.0/lib/http2.c
+===================================================================
+--- curl-8.6.0.orig/lib/http2.c
++++ curl-8.6.0/lib/http2.c
+@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct
+   return CURLE_OK;
+ }
+ 
++static void free_push_headers(struct stream_ctx *stream)
++{
++  size_t i;
++  for(i = 0; i<stream->push_headers_used; i++)
++    free(stream->push_headers[i]);
++  Curl_safefree(stream->push_headers);
++  stream->push_headers_used = 0;
++}
++
+ static void http2_data_done(struct Curl_cfilter *cf,
+                             struct Curl_easy *data, bool premature)
+ {
+@@ -317,15 +326,7 @@ static void http2_data_done(struct Curl_
+   Curl_bufq_free(&stream->recvbuf);
+   Curl_h1_req_parse_free(&stream->h1);
+   Curl_dynhds_free(&stream->resp_trailers);
+-  if(stream->push_headers) {
+-    /* if they weren't used and then freed before */
+-    for(; stream->push_headers_used > 0; --stream->push_headers_used) {
+-      free(stream->push_headers[stream->push_headers_used - 1]);
+-    }
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-  }
+-
++  free_push_headers(stream);
+   free(stream);
+   H2_STREAM_LCTX(data) = NULL;
+ }
+@@ -872,7 +873,6 @@ static int push_promise(struct Curl_cfil
+     struct curl_pushheaders heads;
+     CURLMcode rc;
+     CURLcode result;
+-    size_t i;
+     /* clone the parent */
+     struct Curl_easy *newhandle = h2_duphandle(cf, data);
+     if(!newhandle) {
+@@ -917,11 +917,7 @@ static int push_promise(struct Curl_cfil
+     Curl_set_in_callback(data, false);
+ 
+     /* free the headers again */
+-    for(i = 0; i<stream->push_headers_used; i++)
+-      free(stream->push_headers[i]);
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-    stream->push_headers_used = 0;
++    free_push_headers(stream);
+ 
+     if(rv) {
+       DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1468,14 +1464,14 @@ static int on_header(nghttp2_session *se
+       if(stream->push_headers_alloc > 1000) {
+         /* this is beyond crazy many headers, bail out */
+         failf(data_s, "Too many PUSH_PROMISE headers");
+-        Curl_safefree(stream->push_headers);
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers_alloc *= 2;
+-      headp = Curl_saferealloc(stream->push_headers,
+-                               stream->push_headers_alloc * sizeof(char *));
++      headp = realloc(stream->push_headers,
++                      stream->push_headers_alloc * sizeof(char *));
+       if(!headp) {
+-        stream->push_headers = NULL;
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers = headp;

curl-CVE-2024-2466.patch

@@ -0,0 +1,40 @@
+From 3d0fd382a29b95561b90b7ea3e7eb04dfdd43538 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 15 Mar 2024 10:10:13 +0100
+Subject: [PATCH] mbedtls: fix pytest for newer versions
+
+Fix the expectations in pytest for newer versions of mbedtls
+
+Closes #13132
+---
+ lib/vtls/mbedtls.c          | 15 +++++++--------
+ tests/http/test_10_proxy.py |  8 ++++++--
+ tests/http/testenv/env.py   | 14 +++++++++++---
+ 3 files changed, 24 insertions(+), 13 deletions(-)
+
+Index: curl-8.6.0/lib/vtls/mbedtls.c
+===================================================================
+--- curl-8.6.0.orig/lib/vtls/mbedtls.c
++++ curl-8.6.0/lib/vtls/mbedtls.c
+@@ -654,14 +654,13 @@ mbed_connect_step1(struct Curl_cfilter *
+                               &backend->clicert, &backend->pk);
+   }
+ 
+-  if(connssl->peer.sni) {
+-    if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni)) {
+-      /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
+-         the name to set in the SNI extension. So even if curl connects to a
+-         host specified as an IP address, this function must be used. */
+-      failf(data, "Failed to set SNI");
+-      return CURLE_SSL_CONNECT_ERROR;
+-    }
++  if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni?
++                              connssl->peer.sni : connssl->peer.hostname)) {
++    /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
++       the name to set in the SNI extension. So even if curl connects to a
++       host specified as an IP address, this function must be used. */
++    failf(data, "Failed to set SNI");
++    return CURLE_SSL_CONNECT_ERROR;
+   }
+ 
+ #ifdef HAS_ALPN

curl-CVE-2024-6197.patch

@@ -0,0 +1,21 @@
+From 3a537a4db9e65e545ec45b1b5d5575ee09a2569d Mon Sep 17 00:00:00 2001
+From: z2_ <88509734+z2-2z@users.noreply.github.com>
+Date: Fri, 28 Jun 2024 14:45:47 +0200
+Subject: [PATCH] x509asn1: remove superfluous free()
+
+---
+ lib/vtls/x509asn1.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
+index f71ab0b90a5931..1bc4243ddae343 100644
+--- a/lib/vtls/x509asn1.c
++++ b/lib/vtls/x509asn1.c
+@@ -393,7 +393,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
+         if(wc >= 0x00000800) {
+           if(wc >= 0x00010000) {
+             if(wc >= 0x00200000) {
+-              free(buf);
+               /* Invalid char. size for target encoding. */
+               return CURLE_WEIRD_SERVER_REPLY;
+             }

curl-CVE-2024-7264.patch

@@ -0,0 +1,322 @@
+From 3c914bc680155b32178f1f15ca8d47c7f4640afe Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 30 Jul 2024 10:05:17 +0200
+Subject: [PATCH] x509asn1: clean up GTime2str
+
+Co-authored-by: Stefan Eissing
+Reported-by: Dov Murik
+
+Closes #14307
+---
+ lib/vtls/x509asn1.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+Index: curl-8.6.0/lib/vtls/x509asn1.c
+===================================================================
+--- curl-8.6.0.orig/lib/vtls/x509asn1.c
++++ curl-8.6.0/lib/vtls/x509asn1.c
+@@ -488,7 +488,7 @@ static CURLcode GTime2str(struct dynbuf
+   /* Convert an ASN.1 Generalized time to a printable string.
+      Return the dynamically allocated string, or NULL if an error occurs. */
+ 
+-  for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++)
++  for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++)
+     ;
+ 
+   /* Get seconds digits. */
+@@ -507,32 +507,44 @@ static CURLcode GTime2str(struct dynbuf
+     return CURLE_BAD_FUNCTION_ARGUMENT;
+   }
+ 
+-  /* Scan for timezone, measure fractional seconds. */
++  /* timezone follows optional fractional seconds. */
+   tzp = fracp;
+-  fracl = 0;
++  fracl = 0; /* no fractional seconds detected so far */
+   if(fracp < end && (*fracp == '.' || *fracp == ',')) {
+-    fracp++;
+-    do
++    /* Have fractional seconds, e.g. "[.,]\d+". How many? */
++    fracp++; /* should be a digit char or BAD ARGUMENT */
++    tzp = fracp;
++    while(tzp < end && ISDIGIT(*tzp))
+       tzp++;
+-    while(tzp < end && *tzp >= '0' && *tzp <= '9');
+-    /* Strip leading zeroes in fractional seconds. */
+-    for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
+-      ;
++    if(tzp == fracp) /* never looped, no digit after [.,] */
++      return CURLE_BAD_FUNCTION_ARGUMENT;
++    fracl = tzp - fracp; /* number of fractional sec digits */
++    DEBUGASSERT(fracl > 0);
++    /* Strip trailing zeroes in fractional seconds.
++     * May reduce fracl to 0 if only '0's are present. */
++    while(fracl && fracp[fracl - 1] == '0')
++      fracl--;
+   }
+ 
+   /* Process timezone. */
+-  if(tzp >= end)
+-    ;           /* Nothing to do. */
++  if(tzp >= end) {
++    tzp = "";
++    tzl = 0;
++  }
+   else if(*tzp == 'Z') {
+-    tzp = " GMT";
+-    end = tzp + 4;
++    sep = " ";
++    tzp = "GMT";
++    tzl = 3;
++  }
++  else if((*tzp == '+') || (*tzp == '-')) {
++    sep = " UTC";
++    tzl = end - tzp;
+   }
+   else {
+     sep = " ";
+-    tzp++;
++    tzl = end - tzp;
+   }
+ 
+-  tzl = end - tzp;
+   return Curl_dyn_addf(store,
+                        "%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
+                        beg, beg + 4, beg + 6,
+@@ -541,6 +553,15 @@ static CURLcode GTime2str(struct dynbuf
+                        sep, (int)tzl, tzp);
+ }
+ 
++#ifdef UNITTESTS
++/* used by unit1656.c */
++CURLcode Curl_x509_GTime2str(struct dynbuf *store,
++                             const char *beg, const char *end)
++{
++  return GTime2str(store, beg, end);
++}
++#endif
++
+ /*
+  * Convert an ASN.1 UTC time to a printable string.
+  *
+Index: curl-8.6.0/lib/vtls/x509asn1.h
+===================================================================
+--- curl-8.6.0.orig/lib/vtls/x509asn1.h
++++ curl-8.6.0/lib/vtls/x509asn1.h
+@@ -76,5 +76,16 @@ CURLcode Curl_extract_certinfo(struct Cu
+                                const char *beg, const char *end);
+ CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
+                          const char *beg, const char *end);
++
++#ifdef UNITTESTS
++#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
++  defined(USE_MBEDTLS)
++
++/* used by unit1656.c */
++CURLcode Curl_x509_GTime2str(struct dynbuf *store,
++                             const char *beg, const char *end);
++#endif
++#endif
++
+ #endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_SECTRANSP */
+ #endif /* HEADER_CURL_X509ASN1_H */
+Index: curl-8.6.0/tests/data/Makefile.inc
+===================================================================
+--- curl-8.6.0.orig/tests/data/Makefile.inc
++++ curl-8.6.0/tests/data/Makefile.inc
+@@ -208,7 +208,7 @@ test1620 test1621 \
+ \
+ test1630 test1631 test1632 test1633 test1634 test1635 \
+ \
+-test1650 test1651 test1652 test1653 test1654 test1655 \
++test1650 test1651 test1652 test1653 test1654 test1655 test1656 \
+ test1660 test1661 test1662 \
+ \
+ test1670 test1671 \
+Index: curl-8.6.0/tests/data/test1656
+===================================================================
+--- /dev/null
++++ curl-8.6.0/tests/data/test1656
+@@ -0,0 +1,22 @@
++<testcase>
++<info>
++<keywords>
++unittest
++Curl_x509_GTime2str
++</keywords>
++</info>
++
++#
++# Client-side
++<client>
++<server>
++none
++</server>
++<features>
++unittest
++</features>
++<name>
++Curl_x509_GTime2str unit tests
++</name>
++</client>
++</testcase>
+Index: curl-8.6.0/tests/unit/Makefile.inc
+===================================================================
+--- curl-8.6.0.orig/tests/unit/Makefile.inc
++++ curl-8.6.0/tests/unit/Makefile.inc
+@@ -36,7 +36,7 @@ UNITPROGS = unit1300          unit1302 u
+  unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \
+  unit1608 unit1609 unit1610 unit1611 unit1612 unit1614 \
+  unit1620 unit1621 \
+- unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 \
++ unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 unit1656 \
+  unit1660 unit1661 \
+  unit2600 unit2601 unit2602 unit2603 \
+  unit3200
+@@ -117,6 +117,8 @@ unit1654_SOURCES = unit1654.c $(UNITFILE
+ 
+ unit1655_SOURCES = unit1655.c $(UNITFILES)
+ 
++unit1656_SOURCES = unit1656.c $(UNITFILES)
++
+ unit1660_SOURCES = unit1660.c $(UNITFILES)
+ 
+ unit1661_SOURCES = unit1661.c $(UNITFILES)
+Index: curl-8.6.0/tests/unit/unit1656.c
+===================================================================
+--- /dev/null
++++ curl-8.6.0/tests/unit/unit1656.c
+@@ -0,0 +1,133 @@
++/***************************************************************************
++ *                                  _   _ ____  _
++ *  Project                     ___| | | |  _ \| |
++ *                             / __| | | | |_) | |
++ *                            | (__| |_| |  _ <| |___
++ *                             \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++#include "curlcheck.h"
++
++#include "vtls/x509asn1.h"
++
++static CURLcode unit_setup(void)
++{
++  return CURLE_OK;
++}
++
++static void unit_stop(void)
++{
++
++}
++
++#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
++  defined(USE_MBEDTLS)
++
++#ifndef ARRAYSIZE
++#define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0]))
++#endif
++
++struct test_spec {
++  const char *input;
++  const char *exp_output;
++  CURLcode exp_result;
++};
++
++static struct test_spec test_specs[] = {
++  { "190321134340", "1903-21-13 43:40:00", CURLE_OK },
++  { "", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "0WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "19032113434", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "19032113434WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "190321134340.", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
++  { "190321134340.1", "1903-21-13 43:40:00.1", CURLE_OK },
++  { "19032113434017.0", "1903-21-13 43:40:17", CURLE_OK },
++  { "19032113434017.01", "1903-21-13 43:40:17.01", CURLE_OK },
++  { "19032113434003.001", "1903-21-13 43:40:03.001", CURLE_OK },
++  { "19032113434003.090", "1903-21-13 43:40:03.09", CURLE_OK },
++  { "190321134340Z", "1903-21-13 43:40:00 GMT", CURLE_OK },
++  { "19032113434017.0Z", "1903-21-13 43:40:17 GMT", CURLE_OK },
++  { "19032113434017.01Z", "1903-21-13 43:40:17.01 GMT", CURLE_OK },
++  { "19032113434003.001Z", "1903-21-13 43:40:03.001 GMT", CURLE_OK },
++  { "19032113434003.090Z", "1903-21-13 43:40:03.09 GMT", CURLE_OK },
++  { "190321134340CET", "1903-21-13 43:40:00 CET", CURLE_OK },
++  { "19032113434017.0CET", "1903-21-13 43:40:17 CET", CURLE_OK },
++  { "19032113434017.01CET", "1903-21-13 43:40:17.01 CET", CURLE_OK },
++  { "190321134340+02:30", "1903-21-13 43:40:00 UTC+02:30", CURLE_OK },
++  { "19032113434017.0+02:30", "1903-21-13 43:40:17 UTC+02:30", CURLE_OK },
++  { "19032113434017.01+02:30", "1903-21-13 43:40:17.01 UTC+02:30", CURLE_OK },
++  { "190321134340-3", "1903-21-13 43:40:00 UTC-3", CURLE_OK },
++  { "19032113434017.0-04", "1903-21-13 43:40:17 UTC-04", CURLE_OK },
++  { "19032113434017.01-01:10", "1903-21-13 43:40:17.01 UTC-01:10", CURLE_OK },
++};
++
++static bool do_test(struct test_spec *spec, size_t i, struct dynbuf *dbuf)
++{
++  CURLcode result;
++  const char *in = spec->input;
++
++  Curl_dyn_reset(dbuf);
++  result = Curl_x509_GTime2str(dbuf, in, in + strlen(in));
++  if(result != spec->exp_result) {
++    fprintf(stderr, "test %zu: expect result %d, got %d\n",
++            i, spec->exp_result, result);
++    return FALSE;
++  }
++  else if(!result && strcmp(spec->exp_output, Curl_dyn_ptr(dbuf))) {
++    fprintf(stderr, "test %zu: input '%s', expected output '%s', got '%s'\n",
++            i, in, spec->exp_output, Curl_dyn_ptr(dbuf));
++    return FALSE;
++  }
++
++  return TRUE;
++}
++
++UNITTEST_START
++{
++  size_t i;
++  struct dynbuf dbuf;
++  bool all_ok = TRUE;
++
++  Curl_dyn_init(&dbuf, 32*1024);
++
++  if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
++    fprintf(stderr, "curl_global_init() failed\n");
++    return TEST_ERR_MAJOR_BAD;
++  }
++
++  for(i = 0; i < ARRAYSIZE(test_specs); ++i) {
++    if(!do_test(&test_specs[i], i, &dbuf))
++      all_ok = FALSE;
++  }
++  fail_unless(all_ok, "some tests of Curl_x509_GTime2str() fails");
++
++  Curl_dyn_free(&dbuf);
++  curl_global_cleanup();
++}
++UNITTEST_STOP
++
++#else
++
++UNITTEST_START
++{
++  puts("not tested since Curl_x509_GTime2str() is not built-in");
++}
++UNITTEST_STOP
++
++#endif

curl.changes

@@ -1,3 +1,62 @@
+-------------------------------------------------------------------
+Wed Jul 31 08:40:11 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1228535, CVE-2024-7264]
+  * curl: ASN.1 date parser overread
+  * Add curl-CVE-2024-7264.patch
+
+-------------------------------------------------------------------
+Tue Jul 16 08:43:02 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1227888, CVE-2024-6197]
+  * Freeing stack buffer in utf8asn1str
+  * x509asn1: remove superfluous free()
+  * Add curl-CVE-2024-6197.patch
+
+-------------------------------------------------------------------
+Wed Mar 27 18:32:08 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1221666, CVE-2024-2379]
+  * curl: QUIC certificate check bypass with wolfSSL
+  * Add curl-CVE-2024-2379.patch
+
+-------------------------------------------------------------------
+Wed Mar 27 18:21:59 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1221668, CVE-2024-2466]
+  * curl: TLS certificate check bypass with mbedTLS
+  * Add curl-CVE-2024-2466.patch
+
+-------------------------------------------------------------------
+Fri Mar 22 13:55:01 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1221665, CVE-2024-2004]
+  * Usage of disabled protocol
+  * Add curl-CVE-2024-2004.patch
+
+-------------------------------------------------------------------
+Thu Mar 21 12:27:30 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1221667, CVE-2024-2398]
+  * curl: HTTP/2 push headers memory-leak
+  * Add curl-CVE-2024-2398.patch
+
+-------------------------------------------------------------------
+Tue Mar 12 08:43:30 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Remove the nghttp2 version requirement as a version guard around
+  the nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
+  function was added in curl 8.0.1.
+  * Upstream commit: https://github.com/curl/curl/commit/744dcf22
+
+-------------------------------------------------------------------
+Thu Feb  8 13:58:23 UTC 2024 - Fabian Vogt <fvogt@suse.com>
+
+- Add patch to fix various TLS related issues including FTP over SSL
+  transmission timeouts:
+  * 0001-vtls-revert-receive-max-buffer-add-test-case.patch
+- Switch to %autosetup
+
 -------------------------------------------------------------------
 Wed Jan 31 09:11:56 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 

curl.spec

@@ -35,6 +35,20 @@ Patch1:         dont-mess-with-rpmoptflags.patch
 Patch2:         curl-secure-getenv.patch
 #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3:         curl-disabled-redirect-protocol-message.patch
+# PATCH-FIX-UPSTREAM
+Patch4:         0001-vtls-revert-receive-max-buffer-add-test-case.patch
+#PATCH-FIX-UPSTREAM bsc#1221665 CVE-2024-2004 Usage of disabled protocol
+Patch5:         curl-CVE-2024-2004.patch
+#PATCH-FIX-UPSTREAM bsc#1221667 CVE-2024-2398 HTTP/2 push headers memory-leak
+Patch6:         curl-CVE-2024-2398.patch
+#PATCH-FIX-UPSTREAM bsc#1221666 CVE-2024-2379 QUIC certificate check bypass with wolfSSL
+Patch7:         curl-CVE-2024-2379.patch
+#PATCH-FIX-UPSTREAM bsc#1221668 CVE-2024-2466 TLS certificate check bypass with mbedTLS
+Patch8:         curl-CVE-2024-2466.patch
+#PATCH-FIX-UPSTREAM bsc#1227888 CVE-2024-6197 Freeing stack buffer in utf8asn1str
+Patch9:         curl-CVE-2024-6197.patch
+#PATCH-FIX-UPSTREAM bsc#1228535 CVE-2024-7264 ASN.1 date parser overread
+Patch10:        curl-CVE-2024-7264.patch
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 Requires:       libcurl4 = %{version}
@@ -46,17 +60,7 @@ BuildRequires:  pkgconfig(libbrotlidec)
 BuildRequires:  pkgconfig(libidn2)
 # Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922]
 # BuildRequires:  pkgconfig(libmetalink)
-#
+BuildRequires:  pkgconfig(libnghttp2)
-# The 7.86.0 cURL release introduced the use of
-# nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
-# a function introduced by the 1.50.0 nghttp2 release.
-#
-# This is a bandaid, as cURL didn't provide a function/version check
-# in their build scripts. Without this some users my end up with a broken
-# Zypper/cURL if they have a libnghttp2 < 1.50.0 yet in their system,
-# and do some Zypper transaction that updates cURL, but not libnghttp2.
-#
-BuildRequires:  pkgconfig(libnghttp2) >= 1.50.0
 BuildRequires:  pkgconfig(libpsl)
 BuildRequires:  pkgconfig(libssh)
 BuildRequires:  pkgconfig(libzstd)
@@ -100,8 +104,7 @@ DICT, TELNET, LDAP, or FILE). The command is designed to work without
 user interaction or any kind of interactivity.
 
 %prep
-%setup -q -n curl-%{version}
+%autosetup -p1
-%autopatch -p1
 
 %build
 # curl complains if macro definition is contained in CFLAGS