ALP-pool/curl
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 curl revision 0ef1802cf13d6361dd244b71d939d59a

Browse Source
This commit is contained in:
Adrian Schröter 2024-09-04 16:11:29 +02:00
parent caa23e9ccf
commit 48b7e6c71a
9 changed files with 797 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
0001-vtls-revert-receive-max-buffer-add-test-case.patch Normal file
View File

@ -0,0 +1,70 @@
From e00609fc15f5d5adaf0896b751bf2c3a74a5f6f4 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Thu, 1 Feb 2024 18:15:50 +0100
Subject: [PATCH] vtls: revert "receive max buffer" + add test case
- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an
Apache resource that does an unclean TLS shutdown.
- revert special workarund in openssl.c for suppressing shutdown errors
on multiplexed connections
- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53
Fixes #12885
Fixes #12844
Closes #12848
(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84)
---
lib/vtls/vtls.c | 27 +++++--------------
tests/http/test_05_errors.py | 27 +++++++++++++++++++
tests/http/testenv/httpd.py | 7 ++++-
.../http/testenv/mod_curltest/mod_curltest.c | 2 +-
4 files changed, 40 insertions(+), 23 deletions(-)
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index e928ba5d0..f654a9749 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
{
struct cf_call_data save;
ssize_t nread;
- size_t ntotal = 0;
CF_DATA_SAVE(save, cf, data);
*err = CURLE_OK;
- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */
- while(!ntotal || (len - ntotal) > (4*1024)) {
+ nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
+ if(nread > 0) {
+ DEBUGASSERT((size_t)nread <= len);
+ }
+ else if(nread == 0) {
+ /* eof */
*err = CURLE_OK;
- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err);
- if(nread < 0) {
- if(*err == CURLE_AGAIN && ntotal > 0) {
- /* we EAGAINed after having reed data, return the success amount */
- *err = CURLE_OK;
- break;
- }
- /* we have a an error to report */
- goto out;
- }
- else if(nread == 0) {
- /* eof */
- break;
- }
- ntotal += (size_t)nread;
- DEBUGASSERT((size_t)ntotal <= len);
}
- nread = (ssize_t)ntotal;
-out:
CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len,
nread, *err);
CF_DATA_RESTORE(cf, save);
--
2.43.0

133
curl-CVE-2024-2004.patch Normal file
View File

@ -0,0 +1,133 @@
From 17d302e56221f5040092db77d4f85086e8a20e0e Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Tue, 27 Feb 2024 15:43:56 +0100
Subject: [PATCH] setopt: Fix disabling all protocols
When disabling all protocols without enabling any, the resulting
set of allowed protocols remained the default set. Clearing the
allowed set before inspecting the passed value from --proto make
the set empty even in the errorpath of no protocols enabled.
Co-authored-by: Dan Fandrich <dan@telarity.com>
Reported-by: Dan Fandrich <dan@telarity.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Closes: #13004
---
lib/setopt.c | 16 ++++++++--------
tests/data/Makefile.inc | 2 +-
tests/data/test1474 | 42 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 51 insertions(+), 9 deletions(-)
create mode 100644 tests/data/test1474
diff --git a/lib/setopt.c b/lib/setopt.c
index 6a4990cce6731b..ce1321fc80be9d 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -155,6 +155,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp)
static CURLcode protocol2num(const char *str, curl_prot_t *val)
{
+ /*
+ * We are asked to cherry-pick protocols, so play it safe and disallow all
+ * protocols to start with, and re-add the wanted ones back in.
+ */
+ *val = 0;
+
if(!str)
return CURLE_BAD_FUNCTION_ARGUMENT;
@@ -163,8 +169,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val)
return CURLE_OK;
}
- *val = 0;
-
do {
const char *token = str;
size_t tlen;
@@ -2654,22 +2658,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
break;
case CURLOPT_PROTOCOLS_STR: {
- curl_prot_t prot;
argptr = va_arg(param, char *);
- result = protocol2num(argptr, &prot);
+ result = protocol2num(argptr, &data->set.allowed_protocols);
if(result)
return result;
- data->set.allowed_protocols = prot;
break;
}
case CURLOPT_REDIR_PROTOCOLS_STR: {
- curl_prot_t prot;
argptr = va_arg(param, char *);
- result = protocol2num(argptr, &prot);
+ result = protocol2num(argptr, &data->set.redir_protocols);
if(result)
return result;
- data->set.redir_protocols = prot;
break;
}
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index c20f90d945cc90..b80ffb618e55b9 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -187,7 +187,7 @@ test1439 test1440 test1441 test1442 test1443 test1444 test1445 test1446 \
test1447 test1448 test1449 test1450 test1451 test1452 test1453 test1454 \
test1455 test1456 test1457 test1458 test1459 test1460 test1461 test1462 \
test1463 test1464 test1465 test1466 test1467 test1468 test1469 test1470 \
-test1471 test1472 test1473 test1475 test1476 test1477 test1478 \
+test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 \
\
test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
diff --git a/tests/data/test1474 b/tests/data/test1474
new file mode 100644
index 00000000000000..c66fa2810483f2
--- /dev/null
+++ b/tests/data/test1474
@@ -0,0 +1,42 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+--proto
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+<features>
+http
+</features>
+<name>
+--proto -all disables all protocols
+</name>
+<command>
+--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 1 - Protocol "http" disabled
+<errorcode>
+1
+</errorcode>
+</verify>
+</testcase>

47
curl-CVE-2024-2379.patch Normal file
View File

@ -0,0 +1,47 @@
From aedbbdf18e689a5eee8dc39600914f5eda6c409c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 11 Mar 2024 10:53:08 +0100
Subject: [PATCH] vquic-tls: return appropirate errors on wolfSSL errors
Reported-by: Dexter Gerig
Closes #13107
---
lib/vquic/vquic-tls.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c
index cc7794e405a5f6..dbde21f476f1dc 100644
--- a/lib/vquic/vquic-tls.c
+++ b/lib/vquic/vquic-tls.c
@@ -375,6 +375,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
char error_buffer[256];
ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer));
failf(data, "wolfSSL failed to set ciphers: %s", error_buffer);
+ result = CURLE_BAD_FUNCTION_ARGUMENT;
goto out;
}
@@ -382,6 +383,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
conn_config->curves :
(char *)QUIC_GROUPS) != 1) {
failf(data, "wolfSSL failed to set curves");
+ result = CURLE_BAD_FUNCTION_ARGUMENT;
goto out;
}
@@ -392,6 +394,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
wolfSSL_CTX_set_keylog_callback(ctx->ssl_ctx, keylog_callback);
#else
failf(data, "wolfSSL was built without keylog callback");
+ result = CURLE_NOT_BUILT_IN;
goto out;
#endif
}
@@ -414,6 +417,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
" CAfile: %s CApath: %s",
ssl_cafile ? ssl_cafile : "none",
ssl_capath ? ssl_capath : "none");
+ result = CURLE_SSL_CACERT;
goto out;
}
infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");

89
curl-CVE-2024-2398.patch Normal file
View File

@ -0,0 +1,89 @@
From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Wed, 6 Mar 2024 09:36:08 +0100
Subject: [PATCH] http2: push headers better cleanup
- provide common cleanup method for push headers
Closes #13054
---
lib/http2.c | 34 +++++++++++++++-------------------
1 file changed, 15 insertions(+), 19 deletions(-)
Index: curl-8.6.0/lib/http2.c
===================================================================
--- curl-8.6.0.orig/lib/http2.c
+++ curl-8.6.0/lib/http2.c
@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct
return CURLE_OK;
}
+static void free_push_headers(struct stream_ctx *stream)
+{
+ size_t i;
+ for(i = 0; i<stream->push_headers_used; i++)
+ free(stream->push_headers[i]);
+ Curl_safefree(stream->push_headers);
+ stream->push_headers_used = 0;
+}
+
static void http2_data_done(struct Curl_cfilter *cf,
struct Curl_easy *data, bool premature)
{
@@ -317,15 +326,7 @@ static void http2_data_done(struct Curl_
Curl_bufq_free(&stream->recvbuf);
Curl_h1_req_parse_free(&stream->h1);
Curl_dynhds_free(&stream->resp_trailers);
- if(stream->push_headers) {
- /* if they weren't used and then freed before */
- for(; stream->push_headers_used > 0; --stream->push_headers_used) {
- free(stream->push_headers[stream->push_headers_used - 1]);
- }
- free(stream->push_headers);
- stream->push_headers = NULL;
- }
-
+ free_push_headers(stream);
free(stream);
H2_STREAM_LCTX(data) = NULL;
}
@@ -872,7 +873,6 @@ static int push_promise(struct Curl_cfil
struct curl_pushheaders heads;
CURLMcode rc;
CURLcode result;
- size_t i;
/* clone the parent */
struct Curl_easy *newhandle = h2_duphandle(cf, data);
if(!newhandle) {
@@ -917,11 +917,7 @@ static int push_promise(struct Curl_cfil
Curl_set_in_callback(data, false);
/* free the headers again */
- for(i = 0; i<stream->push_headers_used; i++)
- free(stream->push_headers[i]);
- free(stream->push_headers);
- stream->push_headers = NULL;
- stream->push_headers_used = 0;
+ free_push_headers(stream);
if(rv) {
DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
@@ -1468,14 +1464,14 @@ static int on_header(nghttp2_session *se
if(stream->push_headers_alloc > 1000) {
/* this is beyond crazy many headers, bail out */
failf(data_s, "Too many PUSH_PROMISE headers");
- Curl_safefree(stream->push_headers);
+ free_push_headers(stream);
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
stream->push_headers_alloc *= 2;
- headp = Curl_saferealloc(stream->push_headers,
- stream->push_headers_alloc * sizeof(char *));
+ headp = realloc(stream->push_headers,
+ stream->push_headers_alloc * sizeof(char *));
if(!headp) {
- stream->push_headers = NULL;
+ free_push_headers(stream);
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
stream->push_headers = headp;

40
curl-CVE-2024-2466.patch Normal file
View File

@ -0,0 +1,40 @@
From 3d0fd382a29b95561b90b7ea3e7eb04dfdd43538 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Fri, 15 Mar 2024 10:10:13 +0100
Subject: [PATCH] mbedtls: fix pytest for newer versions
Fix the expectations in pytest for newer versions of mbedtls
Closes #13132
---
lib/vtls/mbedtls.c | 15 +++++++--------
tests/http/test_10_proxy.py | 8 ++++++--
tests/http/testenv/env.py | 14 +++++++++++---
3 files changed, 24 insertions(+), 13 deletions(-)
Index: curl-8.6.0/lib/vtls/mbedtls.c
===================================================================
--- curl-8.6.0.orig/lib/vtls/mbedtls.c
+++ curl-8.6.0/lib/vtls/mbedtls.c
@@ -654,14 +654,13 @@ mbed_connect_step1(struct Curl_cfilter *
&backend->clicert, &backend->pk);
}
- if(connssl->peer.sni) {
- if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni)) {
- /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
- the name to set in the SNI extension. So even if curl connects to a
- host specified as an IP address, this function must be used. */
- failf(data, "Failed to set SNI");
- return CURLE_SSL_CONNECT_ERROR;
- }
+ if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni?
+ connssl->peer.sni : connssl->peer.hostname)) {
+ /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
+ the name to set in the SNI extension. So even if curl connects to a
+ host specified as an IP address, this function must be used. */
+ failf(data, "Failed to set SNI");
+ return CURLE_SSL_CONNECT_ERROR;
}
#ifdef HAS_ALPN

21
curl-CVE-2024-6197.patch Normal file
View File

@ -0,0 +1,21 @@
From 3a537a4db9e65e545ec45b1b5d5575ee09a2569d Mon Sep 17 00:00:00 2001
From: z2_ <88509734+z2-2z@users.noreply.github.com>
Date: Fri, 28 Jun 2024 14:45:47 +0200
Subject: [PATCH] x509asn1: remove superfluous free()
---
lib/vtls/x509asn1.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
index f71ab0b90a5931..1bc4243ddae343 100644
--- a/lib/vtls/x509asn1.c
+++ b/lib/vtls/x509asn1.c
@@ -393,7 +393,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
if(wc >= 0x00000800) {
if(wc >= 0x00010000) {
if(wc >= 0x00200000) {
- free(buf);
/* Invalid char. size for target encoding. */
return CURLE_WEIRD_SERVER_REPLY;
}

322
curl-CVE-2024-7264.patch Normal file
View File

@ -0,0 +1,322 @@
From 3c914bc680155b32178f1f15ca8d47c7f4640afe Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 30 Jul 2024 10:05:17 +0200
Subject: [PATCH] x509asn1: clean up GTime2str
Co-authored-by: Stefan Eissing
Reported-by: Dov Murik
Closes #14307
---
lib/vtls/x509asn1.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
Index: curl-8.6.0/lib/vtls/x509asn1.c
===================================================================
--- curl-8.6.0.orig/lib/vtls/x509asn1.c
+++ curl-8.6.0/lib/vtls/x509asn1.c
@@ -488,7 +488,7 @@ static CURLcode GTime2str(struct dynbuf
/* Convert an ASN.1 Generalized time to a printable string.
Return the dynamically allocated string, or NULL if an error occurs. */
- for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++)
+ for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++)
;
/* Get seconds digits. */
@@ -507,32 +507,44 @@ static CURLcode GTime2str(struct dynbuf
return CURLE_BAD_FUNCTION_ARGUMENT;
}
- /* Scan for timezone, measure fractional seconds. */
+ /* timezone follows optional fractional seconds. */
tzp = fracp;
- fracl = 0;
+ fracl = 0; /* no fractional seconds detected so far */
if(fracp < end && (*fracp == '.' || *fracp == ',')) {
- fracp++;
- do
+ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
+ fracp++; /* should be a digit char or BAD ARGUMENT */
+ tzp = fracp;
+ while(tzp < end && ISDIGIT(*tzp))
tzp++;
- while(tzp < end && *tzp >= '0' && *tzp <= '9');
- /* Strip leading zeroes in fractional seconds. */
- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
- ;
+ if(tzp == fracp) /* never looped, no digit after [.,] */
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ fracl = tzp - fracp; /* number of fractional sec digits */
+ DEBUGASSERT(fracl > 0);
+ /* Strip trailing zeroes in fractional seconds.
+ * May reduce fracl to 0 if only '0's are present. */
+ while(fracl && fracp[fracl - 1] == '0')
+ fracl--;
}
/* Process timezone. */
- if(tzp >= end)
- ; /* Nothing to do. */
+ if(tzp >= end) {
+ tzp = "";
+ tzl = 0;
+ }
else if(*tzp == 'Z') {
- tzp = " GMT";
- end = tzp + 4;
+ sep = " ";
+ tzp = "GMT";
+ tzl = 3;
+ }
+ else if((*tzp == '+') || (*tzp == '-')) {
+ sep = " UTC";
+ tzl = end - tzp;
}
else {
sep = " ";
- tzp++;
+ tzl = end - tzp;
}
- tzl = end - tzp;
return Curl_dyn_addf(store,
"%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
beg, beg + 4, beg + 6,
@@ -541,6 +553,15 @@ static CURLcode GTime2str(struct dynbuf
sep, (int)tzl, tzp);
}
+#ifdef UNITTESTS
+/* used by unit1656.c */
+CURLcode Curl_x509_GTime2str(struct dynbuf *store,
+ const char *beg, const char *end)
+{
+ return GTime2str(store, beg, end);
+}
+#endif
+
/*
* Convert an ASN.1 UTC time to a printable string.
*
Index: curl-8.6.0/lib/vtls/x509asn1.h
===================================================================
--- curl-8.6.0.orig/lib/vtls/x509asn1.h
+++ curl-8.6.0/lib/vtls/x509asn1.h
@@ -76,5 +76,16 @@ CURLcode Curl_extract_certinfo(struct Cu
const char *beg, const char *end);
CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
const char *beg, const char *end);
+
+#ifdef UNITTESTS
+#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
+ defined(USE_MBEDTLS)
+
+/* used by unit1656.c */
+CURLcode Curl_x509_GTime2str(struct dynbuf *store,
+ const char *beg, const char *end);
+#endif
+#endif
+
#endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_SECTRANSP */
#endif /* HEADER_CURL_X509ASN1_H */
Index: curl-8.6.0/tests/data/Makefile.inc
===================================================================
--- curl-8.6.0.orig/tests/data/Makefile.inc
+++ curl-8.6.0/tests/data/Makefile.inc
@@ -208,7 +208,7 @@ test1620 test1621 \
\
test1630 test1631 test1632 test1633 test1634 test1635 \
\
-test1650 test1651 test1652 test1653 test1654 test1655 \
+test1650 test1651 test1652 test1653 test1654 test1655 test1656 \
test1660 test1661 test1662 \
\
test1670 test1671 \
Index: curl-8.6.0/tests/data/test1656
===================================================================
--- /dev/null
+++ curl-8.6.0/tests/data/test1656
@@ -0,0 +1,22 @@
+<testcase>
+<info>
+<keywords>
+unittest
+Curl_x509_GTime2str
+</keywords>
+</info>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+<features>
+unittest
+</features>
+<name>
+Curl_x509_GTime2str unit tests
+</name>
+</client>
+</testcase>
Index: curl-8.6.0/tests/unit/Makefile.inc
===================================================================
--- curl-8.6.0.orig/tests/unit/Makefile.inc
+++ curl-8.6.0/tests/unit/Makefile.inc
@@ -36,7 +36,7 @@ UNITPROGS = unit1300 unit1302 u
unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \
unit1608 unit1609 unit1610 unit1611 unit1612 unit1614 \
unit1620 unit1621 \
- unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 \
+ unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 unit1656 \
unit1660 unit1661 \
unit2600 unit2601 unit2602 unit2603 \
unit3200
@@ -117,6 +117,8 @@ unit1654_SOURCES = unit1654.c $(UNITFILE
unit1655_SOURCES = unit1655.c $(UNITFILES)
+unit1656_SOURCES = unit1656.c $(UNITFILES)
+
unit1660_SOURCES = unit1660.c $(UNITFILES)
unit1661_SOURCES = unit1661.c $(UNITFILES)
Index: curl-8.6.0/tests/unit/unit1656.c
===================================================================
--- /dev/null
+++ curl-8.6.0/tests/unit/unit1656.c
@@ -0,0 +1,133 @@
+/***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+#include "curlcheck.h"
+
+#include "vtls/x509asn1.h"
+
+static CURLcode unit_setup(void)
+{
+ return CURLE_OK;
+}
+
+static void unit_stop(void)
+{
+
+}
+
+#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
+ defined(USE_MBEDTLS)
+
+#ifndef ARRAYSIZE
+#define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0]))
+#endif
+
+struct test_spec {
+ const char *input;
+ const char *exp_output;
+ CURLcode exp_result;
+};
+
+static struct test_spec test_specs[] = {
+ { "190321134340", "1903-21-13 43:40:00", CURLE_OK },
+ { "", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "0WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "19032113434", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "19032113434WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "190321134340.", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "190321134340.1", "1903-21-13 43:40:00.1", CURLE_OK },
+ { "19032113434017.0", "1903-21-13 43:40:17", CURLE_OK },
+ { "19032113434017.01", "1903-21-13 43:40:17.01", CURLE_OK },
+ { "19032113434003.001", "1903-21-13 43:40:03.001", CURLE_OK },
+ { "19032113434003.090", "1903-21-13 43:40:03.09", CURLE_OK },
+ { "190321134340Z", "1903-21-13 43:40:00 GMT", CURLE_OK },
+ { "19032113434017.0Z", "1903-21-13 43:40:17 GMT", CURLE_OK },
+ { "19032113434017.01Z", "1903-21-13 43:40:17.01 GMT", CURLE_OK },
+ { "19032113434003.001Z", "1903-21-13 43:40:03.001 GMT", CURLE_OK },
+ { "19032113434003.090Z", "1903-21-13 43:40:03.09 GMT", CURLE_OK },
+ { "190321134340CET", "1903-21-13 43:40:00 CET", CURLE_OK },
+ { "19032113434017.0CET", "1903-21-13 43:40:17 CET", CURLE_OK },
+ { "19032113434017.01CET", "1903-21-13 43:40:17.01 CET", CURLE_OK },
+ { "190321134340+02:30", "1903-21-13 43:40:00 UTC+02:30", CURLE_OK },
+ { "19032113434017.0+02:30", "1903-21-13 43:40:17 UTC+02:30", CURLE_OK },
+ { "19032113434017.01+02:30", "1903-21-13 43:40:17.01 UTC+02:30", CURLE_OK },
+ { "190321134340-3", "1903-21-13 43:40:00 UTC-3", CURLE_OK },
+ { "19032113434017.0-04", "1903-21-13 43:40:17 UTC-04", CURLE_OK },
+ { "19032113434017.01-01:10", "1903-21-13 43:40:17.01 UTC-01:10", CURLE_OK },
+};
+
+static bool do_test(struct test_spec *spec, size_t i, struct dynbuf *dbuf)
+{
+ CURLcode result;
+ const char *in = spec->input;
+
+ Curl_dyn_reset(dbuf);
+ result = Curl_x509_GTime2str(dbuf, in, in + strlen(in));
+ if(result != spec->exp_result) {
+ fprintf(stderr, "test %zu: expect result %d, got %d\n",
+ i, spec->exp_result, result);
+ return FALSE;
+ }
+ else if(!result && strcmp(spec->exp_output, Curl_dyn_ptr(dbuf))) {
+ fprintf(stderr, "test %zu: input '%s', expected output '%s', got '%s'\n",
+ i, in, spec->exp_output, Curl_dyn_ptr(dbuf));
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+UNITTEST_START
+{
+ size_t i;
+ struct dynbuf dbuf;
+ bool all_ok = TRUE;
+
+ Curl_dyn_init(&dbuf, 32*1024);
+
+ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
+ fprintf(stderr, "curl_global_init() failed\n");
+ return TEST_ERR_MAJOR_BAD;
+ }
+
+ for(i = 0; i < ARRAYSIZE(test_specs); ++i) {
+ if(!do_test(&test_specs[i], i, &dbuf))
+ all_ok = FALSE;
+ }
+ fail_unless(all_ok, "some tests of Curl_x509_GTime2str() fails");
+
+ Curl_dyn_free(&dbuf);
+ curl_global_cleanup();
+}
+UNITTEST_STOP
+
+#else
+
+UNITTEST_START
+{
+ puts("not tested since Curl_x509_GTime2str() is not built-in");
+}
+UNITTEST_STOP
+
+#endif

59
curl.changes
View File

@ -1,3 +1,62 @@
-------------------------------------------------------------------
Wed Jul 31 08:40:11 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1228535, CVE-2024-7264]
* curl: ASN.1 date parser overread
* Add curl-CVE-2024-7264.patch
-------------------------------------------------------------------
Tue Jul 16 08:43:02 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1227888, CVE-2024-6197]
* Freeing stack buffer in utf8asn1str
* x509asn1: remove superfluous free()
* Add curl-CVE-2024-6197.patch
-------------------------------------------------------------------
Wed Mar 27 18:32:08 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1221666, CVE-2024-2379]
* curl: QUIC certificate check bypass with wolfSSL
* Add curl-CVE-2024-2379.patch
-------------------------------------------------------------------
Wed Mar 27 18:21:59 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1221668, CVE-2024-2466]
* curl: TLS certificate check bypass with mbedTLS
* Add curl-CVE-2024-2466.patch
-------------------------------------------------------------------
Fri Mar 22 13:55:01 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1221665, CVE-2024-2004]
* Usage of disabled protocol
* Add curl-CVE-2024-2004.patch
-------------------------------------------------------------------
Thu Mar 21 12:27:30 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1221667, CVE-2024-2398]
* curl: HTTP/2 push headers memory-leak
* Add curl-CVE-2024-2398.patch
-------------------------------------------------------------------
Tue Mar 12 08:43:30 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Remove the nghttp2 version requirement as a version guard around
the nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
function was added in curl 8.0.1.
* Upstream commit: https://github.com/curl/curl/commit/744dcf22
-------------------------------------------------------------------
Thu Feb 8 13:58:23 UTC 2024 - Fabian Vogt <fvogt@suse.com>
- Add patch to fix various TLS related issues including FTP over SSL
transmission timeouts:
* 0001-vtls-revert-receive-max-buffer-add-test-case.patch
- Switch to %autosetup
-------------------------------------------------------------------
Wed Jan 31 09:11:56 UTC 2024 - Pedro Monreal <pmonreal@suse.com>

29
curl.spec
View File

@ -35,6 +35,20 @@ Patch1: dont-mess-with-rpmoptflags.patch
Patch2: curl-secure-getenv.patch
#PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
Patch3: curl-disabled-redirect-protocol-message.patch
# PATCH-FIX-UPSTREAM
Patch4: 0001-vtls-revert-receive-max-buffer-add-test-case.patch
#PATCH-FIX-UPSTREAM bsc#1221665 CVE-2024-2004 Usage of disabled protocol
Patch5: curl-CVE-2024-2004.patch
#PATCH-FIX-UPSTREAM bsc#1221667 CVE-2024-2398 HTTP/2 push headers memory-leak
Patch6: curl-CVE-2024-2398.patch
#PATCH-FIX-UPSTREAM bsc#1221666 CVE-2024-2379 QUIC certificate check bypass with wolfSSL
Patch7: curl-CVE-2024-2379.patch
#PATCH-FIX-UPSTREAM bsc#1221668 CVE-2024-2466 TLS certificate check bypass with mbedTLS
Patch8: curl-CVE-2024-2466.patch
#PATCH-FIX-UPSTREAM bsc#1227888 CVE-2024-6197 Freeing stack buffer in utf8asn1str
Patch9: curl-CVE-2024-6197.patch
#PATCH-FIX-UPSTREAM bsc#1228535 CVE-2024-7264 ASN.1 date parser overread
Patch10: curl-CVE-2024-7264.patch
BuildRequires: libtool
BuildRequires: pkgconfig
Requires: libcurl4 = %{version}
@ -46,17 +60,7 @@ BuildRequires: pkgconfig(libbrotlidec)
BuildRequires: pkgconfig(libidn2)
# Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922]
# BuildRequires: pkgconfig(libmetalink)
#
# The 7.86.0 cURL release introduced the use of
# nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
# a function introduced by the 1.50.0 nghttp2 release.
#
# This is a bandaid, as cURL didn't provide a function/version check
# in their build scripts. Without this some users my end up with a broken
# Zypper/cURL if they have a libnghttp2 < 1.50.0 yet in their system,
# and do some Zypper transaction that updates cURL, but not libnghttp2.
#
BuildRequires: pkgconfig(libnghttp2) >= 1.50.0
BuildRequires: pkgconfig(libnghttp2)
BuildRequires: pkgconfig(libpsl)
BuildRequires: pkgconfig(libssh)
BuildRequires: pkgconfig(libzstd)
@ -100,8 +104,7 @@ DICT, TELNET, LDAP, or FILE). The command is designed to work without
user interaction or any kind of interactivity.
%prep
%setup -q -n curl-%{version}
%autopatch -p1
%autosetup -p1
%build
# curl complains if macro definition is contained in CFLAGS