SLFO-pool/curl
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main curl revision 43add2c1b839fe6ab27924090a393bb0

Browse Source
This commit is contained in:
Adrian Schröter 2024-09-30 10:41:04 +02:00
parent 63c5ef1c91
commit 69417f5875
18 changed files with 508 additions and 1442 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
0001-vtls-revert-receive-max-buffer-add-test-case.patch
View File

@ -1,70 +0,0 @@
From e00609fc15f5d5adaf0896b751bf2c3a74a5f6f4 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Thu, 1 Feb 2024 18:15:50 +0100
Subject: [PATCH] vtls: revert "receive max buffer" + add test case
- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an
Apache resource that does an unclean TLS shutdown.
- revert special workarund in openssl.c for suppressing shutdown errors
on multiplexed connections
- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53
Fixes #12885
Fixes #12844
Closes #12848
(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84)
---
lib/vtls/vtls.c | 27 +++++--------------
tests/http/test_05_errors.py | 27 +++++++++++++++++++
tests/http/testenv/httpd.py | 7 ++++-
.../http/testenv/mod_curltest/mod_curltest.c | 2 +-
4 files changed, 40 insertions(+), 23 deletions(-)
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index e928ba5d0..f654a9749 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
{
struct cf_call_data save;
ssize_t nread;
- size_t ntotal = 0;
CF_DATA_SAVE(save, cf, data);
*err = CURLE_OK;
- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */
- while(!ntotal || (len - ntotal) > (4*1024)) {
+ nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
+ if(nread > 0) {
+ DEBUGASSERT((size_t)nread <= len);
+ }
+ else if(nread == 0) {
+ /* eof */
*err = CURLE_OK;
- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err);
- if(nread < 0) {
- if(*err == CURLE_AGAIN && ntotal > 0) {
- /* we EAGAINed after having reed data, return the success amount */
- *err = CURLE_OK;
- break;
- }
- /* we have a an error to report */
- goto out;
- }
- else if(nread == 0) {
- /* eof */
- break;
- }
- ntotal += (size_t)nread;
- DEBUGASSERT((size_t)ntotal <= len);
}
- nread = (ssize_t)ntotal;
-out:
CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len,
nread, *err);
CF_DATA_RESTORE(cf, save);
--
2.43.0

3
_multibuild Normal file
View File

@ -0,0 +1,3 @@
<multibuild>
<package>mini</package>
</multibuild>

BIN
curl-8.6.0.tar.xz (Stored with Git LFS)
View File

Binary file not shown.

11
curl-8.6.0.tar.xz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmW58RcACgkQXMkI/bce
EsKLvgf9Em0etBEnbJzkhmCiKUOfn3sTKhIHA4y1/O+anaNfEx0E89VUQuFZRcUz
i4ENOVjTXxVy4zZUobOOWz7RXrvv6XnX9A++RYkBoEk4mmNB3A6ShsTeCR2mS4yi
dL5UfH2YEu7B6x/ONROKKuGawsqw0D6wzVgrD+J1e8Bu+1P8YOUqsQWVJmJFlYMN
2A8NP4GZHnmP3rnupx1RY3/MgJU0FjlQ428BOA7PIiYKEVto0dp6cqd4AQsLgQPy
J1RBcge1Uwqe+k/IenUx7bUaQfr+NY34ryrMxbLPghPimfeyjjsDxyr+OwoQM1aw
64WqLXBgQmhluT0STyHdD0Tc/JHYrw==
=GboB
-----END PGP SIGNATURE-----

BIN
curl-8.9.1.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

11
curl-8.9.1.tar.xz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmap30kACgkQXMkI/bce
EsKX+wf/brccw5rGTAbmjj7WGBfbAmwrSsDexTXRiEBXT/+qhkWIplN6wdtsZ86I
tUraaapoyvRKLa3Wxlv9fSF/xXji+5lhO/W9pfWxwZNeSZFiOgKcK/Li4Fx0c7t4
WpxkAbRvbJreA40BR32qSgnNNjKU5QX/ivf67B1EFL71kgsCW/QczB6mcuxszlkN
ro39Jb8hDtnAD3hHXrTEaW3lOEgf/Jo/a1Zii3+W3OkW+uZHwzUoqe+HLGHYM2vW
Q3hBVQaEWmNIwArA73s/kOiFATLthUTvSJO56ebLQJFHJf61cwqSsg2o07i5SqEc
QlKzV/h7ydbBWdHiSTpCMxue7tLUZw==
=EiUG
-----END PGP SIGNATURE-----

133
curl-CVE-2024-2004.patch
View File

@ -1,133 +0,0 @@
From 17d302e56221f5040092db77d4f85086e8a20e0e Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Tue, 27 Feb 2024 15:43:56 +0100
Subject: [PATCH] setopt: Fix disabling all protocols
When disabling all protocols without enabling any, the resulting
set of allowed protocols remained the default set. Clearing the
allowed set before inspecting the passed value from --proto make
the set empty even in the errorpath of no protocols enabled.
Co-authored-by: Dan Fandrich <dan@telarity.com>
Reported-by: Dan Fandrich <dan@telarity.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Closes: #13004
---
lib/setopt.c | 16 ++++++++--------
tests/data/Makefile.inc | 2 +-
tests/data/test1474 | 42 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 51 insertions(+), 9 deletions(-)
create mode 100644 tests/data/test1474
diff --git a/lib/setopt.c b/lib/setopt.c
index 6a4990cce6731b..ce1321fc80be9d 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -155,6 +155,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp)
static CURLcode protocol2num(const char *str, curl_prot_t *val)
{
+ /*
+ * We are asked to cherry-pick protocols, so play it safe and disallow all
+ * protocols to start with, and re-add the wanted ones back in.
+ */
+ *val = 0;
+
if(!str)
return CURLE_BAD_FUNCTION_ARGUMENT;
@@ -163,8 +169,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val)
return CURLE_OK;
}
- *val = 0;
-
do {
const char *token = str;
size_t tlen;
@@ -2654,22 +2658,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
break;
case CURLOPT_PROTOCOLS_STR: {
- curl_prot_t prot;
argptr = va_arg(param, char *);
- result = protocol2num(argptr, &prot);
+ result = protocol2num(argptr, &data->set.allowed_protocols);
if(result)
return result;
- data->set.allowed_protocols = prot;
break;
}
case CURLOPT_REDIR_PROTOCOLS_STR: {
- curl_prot_t prot;
argptr = va_arg(param, char *);
- result = protocol2num(argptr, &prot);
+ result = protocol2num(argptr, &data->set.redir_protocols);
if(result)
return result;
- data->set.redir_protocols = prot;
break;
}
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index c20f90d945cc90..b80ffb618e55b9 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -187,7 +187,7 @@ test1439 test1440 test1441 test1442 test1443 test1444 test1445 test1446 \
test1447 test1448 test1449 test1450 test1451 test1452 test1453 test1454 \
test1455 test1456 test1457 test1458 test1459 test1460 test1461 test1462 \
test1463 test1464 test1465 test1466 test1467 test1468 test1469 test1470 \
-test1471 test1472 test1473 test1475 test1476 test1477 test1478 \
+test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 \
\
test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
diff --git a/tests/data/test1474 b/tests/data/test1474
new file mode 100644
index 00000000000000..c66fa2810483f2
--- /dev/null
+++ b/tests/data/test1474
@@ -0,0 +1,42 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+--proto
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+<features>
+http
+</features>
+<name>
+--proto -all disables all protocols
+</name>
+<command>
+--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 1 - Protocol "http" disabled
+<errorcode>
+1
+</errorcode>
+</verify>
+</testcase>

47
curl-CVE-2024-2379.patch
View File

@ -1,47 +0,0 @@
From aedbbdf18e689a5eee8dc39600914f5eda6c409c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 11 Mar 2024 10:53:08 +0100
Subject: [PATCH] vquic-tls: return appropirate errors on wolfSSL errors
Reported-by: Dexter Gerig
Closes #13107
---
lib/vquic/vquic-tls.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c
index cc7794e405a5f6..dbde21f476f1dc 100644
--- a/lib/vquic/vquic-tls.c
+++ b/lib/vquic/vquic-tls.c
@@ -375,6 +375,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
char error_buffer[256];
ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer));
failf(data, "wolfSSL failed to set ciphers: %s", error_buffer);
+ result = CURLE_BAD_FUNCTION_ARGUMENT;
goto out;
}
@@ -382,6 +383,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
conn_config->curves :
(char *)QUIC_GROUPS) != 1) {
failf(data, "wolfSSL failed to set curves");
+ result = CURLE_BAD_FUNCTION_ARGUMENT;
goto out;
}
@@ -392,6 +394,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
wolfSSL_CTX_set_keylog_callback(ctx->ssl_ctx, keylog_callback);
#else
failf(data, "wolfSSL was built without keylog callback");
+ result = CURLE_NOT_BUILT_IN;
goto out;
#endif
}
@@ -414,6 +417,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
" CAfile: %s CApath: %s",
ssl_cafile ? ssl_cafile : "none",
ssl_capath ? ssl_capath : "none");
+ result = CURLE_SSL_CACERT;
goto out;
}
infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");

89
curl-CVE-2024-2398.patch
View File

@ -1,89 +0,0 @@
From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Wed, 6 Mar 2024 09:36:08 +0100
Subject: [PATCH] http2: push headers better cleanup
- provide common cleanup method for push headers
Closes #13054
---
lib/http2.c | 34 +++++++++++++++-------------------
1 file changed, 15 insertions(+), 19 deletions(-)
Index: curl-8.6.0/lib/http2.c
===================================================================
--- curl-8.6.0.orig/lib/http2.c
+++ curl-8.6.0/lib/http2.c
@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct
return CURLE_OK;
}
+static void free_push_headers(struct stream_ctx *stream)
+{
+ size_t i;
+ for(i = 0; i<stream->push_headers_used; i++)
+ free(stream->push_headers[i]);
+ Curl_safefree(stream->push_headers);
+ stream->push_headers_used = 0;
+}
+
static void http2_data_done(struct Curl_cfilter *cf,
struct Curl_easy *data, bool premature)
{
@@ -317,15 +326,7 @@ static void http2_data_done(struct Curl_
Curl_bufq_free(&stream->recvbuf);
Curl_h1_req_parse_free(&stream->h1);
Curl_dynhds_free(&stream->resp_trailers);
- if(stream->push_headers) {
- /* if they weren't used and then freed before */
- for(; stream->push_headers_used > 0; --stream->push_headers_used) {
- free(stream->push_headers[stream->push_headers_used - 1]);
- }
- free(stream->push_headers);
- stream->push_headers = NULL;
- }
-
+ free_push_headers(stream);
free(stream);
H2_STREAM_LCTX(data) = NULL;
}
@@ -872,7 +873,6 @@ static int push_promise(struct Curl_cfil
struct curl_pushheaders heads;
CURLMcode rc;
CURLcode result;
- size_t i;
/* clone the parent */
struct Curl_easy *newhandle = h2_duphandle(cf, data);
if(!newhandle) {
@@ -917,11 +917,7 @@ static int push_promise(struct Curl_cfil
Curl_set_in_callback(data, false);
/* free the headers again */
- for(i = 0; i<stream->push_headers_used; i++)
- free(stream->push_headers[i]);
- free(stream->push_headers);
- stream->push_headers = NULL;
- stream->push_headers_used = 0;
+ free_push_headers(stream);
if(rv) {
DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
@@ -1468,14 +1464,14 @@ static int on_header(nghttp2_session *se
if(stream->push_headers_alloc > 1000) {
/* this is beyond crazy many headers, bail out */
failf(data_s, "Too many PUSH_PROMISE headers");
- Curl_safefree(stream->push_headers);
+ free_push_headers(stream);
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
stream->push_headers_alloc *= 2;
- headp = Curl_saferealloc(stream->push_headers,
- stream->push_headers_alloc * sizeof(char *));
+ headp = realloc(stream->push_headers,
+ stream->push_headers_alloc * sizeof(char *));
if(!headp) {
- stream->push_headers = NULL;
+ free_push_headers(stream);
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
stream->push_headers = headp;

40
curl-CVE-2024-2466.patch
View File

@ -1,40 +0,0 @@
From 3d0fd382a29b95561b90b7ea3e7eb04dfdd43538 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Fri, 15 Mar 2024 10:10:13 +0100
Subject: [PATCH] mbedtls: fix pytest for newer versions
Fix the expectations in pytest for newer versions of mbedtls
Closes #13132
---
lib/vtls/mbedtls.c | 15 +++++++--------
tests/http/test_10_proxy.py | 8 ++++++--
tests/http/testenv/env.py | 14 +++++++++++---
3 files changed, 24 insertions(+), 13 deletions(-)
Index: curl-8.6.0/lib/vtls/mbedtls.c
===================================================================
--- curl-8.6.0.orig/lib/vtls/mbedtls.c
+++ curl-8.6.0/lib/vtls/mbedtls.c
@@ -654,14 +654,13 @@ mbed_connect_step1(struct Curl_cfilter *
&backend->clicert, &backend->pk);
}
- if(connssl->peer.sni) {
- if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni)) {
- /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
- the name to set in the SNI extension. So even if curl connects to a
- host specified as an IP address, this function must be used. */
- failf(data, "Failed to set SNI");
- return CURLE_SSL_CONNECT_ERROR;
- }
+ if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni?
+ connssl->peer.sni : connssl->peer.hostname)) {
+ /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
+ the name to set in the SNI extension. So even if curl connects to a
+ host specified as an IP address, this function must be used. */
+ failf(data, "Failed to set SNI");
+ return CURLE_SSL_CONNECT_ERROR;
}
#ifdef HAS_ALPN

21
curl-CVE-2024-6197.patch
View File

@ -1,21 +0,0 @@
From 3a537a4db9e65e545ec45b1b5d5575ee09a2569d Mon Sep 17 00:00:00 2001
From: z2_ <88509734+z2-2z@users.noreply.github.com>
Date: Fri, 28 Jun 2024 14:45:47 +0200
Subject: [PATCH] x509asn1: remove superfluous free()
---
lib/vtls/x509asn1.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
index f71ab0b90a5931..1bc4243ddae343 100644
--- a/lib/vtls/x509asn1.c
+++ b/lib/vtls/x509asn1.c
@@ -393,7 +393,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
if(wc >= 0x00000800) {
if(wc >= 0x00010000) {
if(wc >= 0x00200000) {
- free(buf);
/* Invalid char. size for target encoding. */
return CURLE_WEIRD_SERVER_REPLY;
}

322
curl-CVE-2024-7264.patch
View File

@ -1,322 +0,0 @@
From 3c914bc680155b32178f1f15ca8d47c7f4640afe Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 30 Jul 2024 10:05:17 +0200
Subject: [PATCH] x509asn1: clean up GTime2str
Co-authored-by: Stefan Eissing
Reported-by: Dov Murik
Closes #14307
---
lib/vtls/x509asn1.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
Index: curl-8.6.0/lib/vtls/x509asn1.c
===================================================================
--- curl-8.6.0.orig/lib/vtls/x509asn1.c
+++ curl-8.6.0/lib/vtls/x509asn1.c
@@ -488,7 +488,7 @@ static CURLcode GTime2str(struct dynbuf
/* Convert an ASN.1 Generalized time to a printable string.
Return the dynamically allocated string, or NULL if an error occurs. */
- for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++)
+ for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++)
;
/* Get seconds digits. */
@@ -507,32 +507,44 @@ static CURLcode GTime2str(struct dynbuf
return CURLE_BAD_FUNCTION_ARGUMENT;
}
- /* Scan for timezone, measure fractional seconds. */
+ /* timezone follows optional fractional seconds. */
tzp = fracp;
- fracl = 0;
+ fracl = 0; /* no fractional seconds detected so far */
if(fracp < end && (*fracp == '.' || *fracp == ',')) {
- fracp++;
- do
+ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
+ fracp++; /* should be a digit char or BAD ARGUMENT */
+ tzp = fracp;
+ while(tzp < end && ISDIGIT(*tzp))
tzp++;
- while(tzp < end && *tzp >= '0' && *tzp <= '9');
- /* Strip leading zeroes in fractional seconds. */
- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
- ;
+ if(tzp == fracp) /* never looped, no digit after [.,] */
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ fracl = tzp - fracp; /* number of fractional sec digits */
+ DEBUGASSERT(fracl > 0);
+ /* Strip trailing zeroes in fractional seconds.
+ * May reduce fracl to 0 if only '0's are present. */
+ while(fracl && fracp[fracl - 1] == '0')
+ fracl--;
}
/* Process timezone. */
- if(tzp >= end)
- ; /* Nothing to do. */
+ if(tzp >= end) {
+ tzp = "";
+ tzl = 0;
+ }
else if(*tzp == 'Z') {
- tzp = " GMT";
- end = tzp + 4;
+ sep = " ";
+ tzp = "GMT";
+ tzl = 3;
+ }
+ else if((*tzp == '+') || (*tzp == '-')) {
+ sep = " UTC";
+ tzl = end - tzp;
}
else {
sep = " ";
- tzp++;
+ tzl = end - tzp;
}
- tzl = end - tzp;
return Curl_dyn_addf(store,
"%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
beg, beg + 4, beg + 6,
@@ -541,6 +553,15 @@ static CURLcode GTime2str(struct dynbuf
sep, (int)tzl, tzp);
}
+#ifdef UNITTESTS
+/* used by unit1656.c */
+CURLcode Curl_x509_GTime2str(struct dynbuf *store,
+ const char *beg, const char *end)
+{
+ return GTime2str(store, beg, end);
+}
+#endif
+
/*
* Convert an ASN.1 UTC time to a printable string.
*
Index: curl-8.6.0/lib/vtls/x509asn1.h
===================================================================
--- curl-8.6.0.orig/lib/vtls/x509asn1.h
+++ curl-8.6.0/lib/vtls/x509asn1.h
@@ -76,5 +76,16 @@ CURLcode Curl_extract_certinfo(struct Cu
const char *beg, const char *end);
CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
const char *beg, const char *end);
+
+#ifdef UNITTESTS
+#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
+ defined(USE_MBEDTLS)
+
+/* used by unit1656.c */
+CURLcode Curl_x509_GTime2str(struct dynbuf *store,
+ const char *beg, const char *end);
+#endif
+#endif
+
#endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_SECTRANSP */
#endif /* HEADER_CURL_X509ASN1_H */
Index: curl-8.6.0/tests/data/Makefile.inc
===================================================================
--- curl-8.6.0.orig/tests/data/Makefile.inc
+++ curl-8.6.0/tests/data/Makefile.inc
@@ -208,7 +208,7 @@ test1620 test1621 \
\
test1630 test1631 test1632 test1633 test1634 test1635 \
\
-test1650 test1651 test1652 test1653 test1654 test1655 \
+test1650 test1651 test1652 test1653 test1654 test1655 test1656 \
test1660 test1661 test1662 \
\
test1670 test1671 \
Index: curl-8.6.0/tests/data/test1656
===================================================================
--- /dev/null
+++ curl-8.6.0/tests/data/test1656
@@ -0,0 +1,22 @@
+<testcase>
+<info>
+<keywords>
+unittest
+Curl_x509_GTime2str
+</keywords>
+</info>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+<features>
+unittest
+</features>
+<name>
+Curl_x509_GTime2str unit tests
+</name>
+</client>
+</testcase>
Index: curl-8.6.0/tests/unit/Makefile.inc
===================================================================
--- curl-8.6.0.orig/tests/unit/Makefile.inc
+++ curl-8.6.0/tests/unit/Makefile.inc
@@ -36,7 +36,7 @@ UNITPROGS = unit1300 unit1302 u
unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \
unit1608 unit1609 unit1610 unit1611 unit1612 unit1614 \
unit1620 unit1621 \
- unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 \
+ unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 unit1656 \
unit1660 unit1661 \
unit2600 unit2601 unit2602 unit2603 \
unit3200
@@ -117,6 +117,8 @@ unit1654_SOURCES = unit1654.c $(UNITFILE
unit1655_SOURCES = unit1655.c $(UNITFILES)
+unit1656_SOURCES = unit1656.c $(UNITFILES)
+
unit1660_SOURCES = unit1660.c $(UNITFILES)
unit1661_SOURCES = unit1661.c $(UNITFILES)
Index: curl-8.6.0/tests/unit/unit1656.c
===================================================================
--- /dev/null
+++ curl-8.6.0/tests/unit/unit1656.c
@@ -0,0 +1,133 @@
+/***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+#include "curlcheck.h"
+
+#include "vtls/x509asn1.h"
+
+static CURLcode unit_setup(void)
+{
+ return CURLE_OK;
+}
+
+static void unit_stop(void)
+{
+
+}
+
+#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
+ defined(USE_MBEDTLS)
+
+#ifndef ARRAYSIZE
+#define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0]))
+#endif
+
+struct test_spec {
+ const char *input;
+ const char *exp_output;
+ CURLcode exp_result;
+};
+
+static struct test_spec test_specs[] = {
+ { "190321134340", "1903-21-13 43:40:00", CURLE_OK },
+ { "", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "0WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "19032113434", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "19032113434WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "190321134340.", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
+ { "190321134340.1", "1903-21-13 43:40:00.1", CURLE_OK },
+ { "19032113434017.0", "1903-21-13 43:40:17", CURLE_OK },
+ { "19032113434017.01", "1903-21-13 43:40:17.01", CURLE_OK },
+ { "19032113434003.001", "1903-21-13 43:40:03.001", CURLE_OK },
+ { "19032113434003.090", "1903-21-13 43:40:03.09", CURLE_OK },
+ { "190321134340Z", "1903-21-13 43:40:00 GMT", CURLE_OK },
+ { "19032113434017.0Z", "1903-21-13 43:40:17 GMT", CURLE_OK },
+ { "19032113434017.01Z", "1903-21-13 43:40:17.01 GMT", CURLE_OK },
+ { "19032113434003.001Z", "1903-21-13 43:40:03.001 GMT", CURLE_OK },
+ { "19032113434003.090Z", "1903-21-13 43:40:03.09 GMT", CURLE_OK },
+ { "190321134340CET", "1903-21-13 43:40:00 CET", CURLE_OK },
+ { "19032113434017.0CET", "1903-21-13 43:40:17 CET", CURLE_OK },
+ { "19032113434017.01CET", "1903-21-13 43:40:17.01 CET", CURLE_OK },
+ { "190321134340+02:30", "1903-21-13 43:40:00 UTC+02:30", CURLE_OK },
+ { "19032113434017.0+02:30", "1903-21-13 43:40:17 UTC+02:30", CURLE_OK },
+ { "19032113434017.01+02:30", "1903-21-13 43:40:17.01 UTC+02:30", CURLE_OK },
+ { "190321134340-3", "1903-21-13 43:40:00 UTC-3", CURLE_OK },
+ { "19032113434017.0-04", "1903-21-13 43:40:17 UTC-04", CURLE_OK },
+ { "19032113434017.01-01:10", "1903-21-13 43:40:17.01 UTC-01:10", CURLE_OK },
+};
+
+static bool do_test(struct test_spec *spec, size_t i, struct dynbuf *dbuf)
+{
+ CURLcode result;
+ const char *in = spec->input;
+
+ Curl_dyn_reset(dbuf);
+ result = Curl_x509_GTime2str(dbuf, in, in + strlen(in));
+ if(result != spec->exp_result) {
+ fprintf(stderr, "test %zu: expect result %d, got %d\n",
+ i, spec->exp_result, result);
+ return FALSE;
+ }
+ else if(!result && strcmp(spec->exp_output, Curl_dyn_ptr(dbuf))) {
+ fprintf(stderr, "test %zu: input '%s', expected output '%s', got '%s'\n",
+ i, in, spec->exp_output, Curl_dyn_ptr(dbuf));
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+UNITTEST_START
+{
+ size_t i;
+ struct dynbuf dbuf;
+ bool all_ok = TRUE;
+
+ Curl_dyn_init(&dbuf, 32*1024);
+
+ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
+ fprintf(stderr, "curl_global_init() failed\n");
+ return TEST_ERR_MAJOR_BAD;
+ }
+
+ for(i = 0; i < ARRAYSIZE(test_specs); ++i) {
+ if(!do_test(&test_specs[i], i, &dbuf))
+ all_ok = FALSE;
+ }
+ fail_unless(all_ok, "some tests of Curl_x509_GTime2str() fails");
+
+ Curl_dyn_free(&dbuf);
+ curl_global_cleanup();
+}
+UNITTEST_STOP
+
+#else
+
+UNITTEST_START
+{
+ puts("not tested since Curl_x509_GTime2str() is not built-in");
+}
+UNITTEST_STOP
+
+#endif

200
curl-CVE-2024-8096.patch
View File

@ -1,200 +0,0 @@
From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 20 Aug 2024 16:14:39 +0200
Subject: [PATCH] gtls: fix OCSP stapling management
Reported-by: Hiroki Kurosawa
Closes #14642
---
lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
1 file changed, 73 insertions(+), 73 deletions(-)
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 03d6fcc038aac3..c7589d9d39bc81 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
init_flags |= GNUTLS_NO_TICKETS;
#endif
+#if defined(GNUTLS_NO_STATUS_REQUEST)
+ if(!config->verifystatus)
+ /* Disable the "status_request" TLS extension, enabled by default since
+ GnuTLS 3.8.0. */
+ init_flags |= GNUTLS_NO_STATUS_REQUEST;
+#endif
+
rc = gnutls_init(&gtls->session, init_flags);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_init() failed: %d", rc);
@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
infof(data, " server certificate verification SKIPPED");
if(config->verifystatus) {
- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
- gnutls_datum_t status_request;
- gnutls_ocsp_resp_t ocsp_resp;
+ gnutls_datum_t status_request;
+ gnutls_ocsp_resp_t ocsp_resp;
+ gnutls_ocsp_cert_status_t status;
+ gnutls_x509_crl_reason_t reason;
- gnutls_ocsp_cert_status_t status;
- gnutls_x509_crl_reason_t reason;
+ rc = gnutls_ocsp_status_request_get(session, &status_request);
- rc = gnutls_ocsp_status_request_get(session, &status_request);
+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ failf(data, "No OCSP response received");
+ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
- infof(data, " server certificate status verification FAILED");
+ if(rc < 0) {
+ failf(data, "Invalid OCSP response received");
+ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
- failf(data, "No OCSP response received");
- return CURLE_SSL_INVALIDCERTSTATUS;
- }
+ gnutls_ocsp_resp_init(&ocsp_resp);
- if(rc < 0) {
- failf(data, "Invalid OCSP response received");
- return CURLE_SSL_INVALIDCERTSTATUS;
- }
+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+ if(rc < 0) {
+ failf(data, "Invalid OCSP response received");
+ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
- gnutls_ocsp_resp_init(&ocsp_resp);
+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+ &status, NULL, NULL, NULL, &reason);
- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
- if(rc < 0) {
- failf(data, "Invalid OCSP response received");
- return CURLE_SSL_INVALIDCERTSTATUS;
- }
+ switch(status) {
+ case GNUTLS_OCSP_CERT_GOOD:
+ break;
- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
- &status, NULL, NULL, NULL, &reason);
+ case GNUTLS_OCSP_CERT_REVOKED: {
+ const char *crl_reason;
- switch(status) {
- case GNUTLS_OCSP_CERT_GOOD:
+ switch(reason) {
+ default:
+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+ crl_reason = "unspecified reason";
break;
- case GNUTLS_OCSP_CERT_REVOKED: {
- const char *crl_reason;
-
- switch(reason) {
- default:
- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
- crl_reason = "unspecified reason";
- break;
-
- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
- crl_reason = "private key compromised";
- break;
-
- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
- crl_reason = "CA compromised";
- break;
-
- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
- crl_reason = "affiliation has changed";
- break;
+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+ crl_reason = "private key compromised";
+ break;
- case GNUTLS_X509_CRLREASON_SUPERSEDED:
- crl_reason = "certificate superseded";
- break;
+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+ crl_reason = "CA compromised";
+ break;
- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
- crl_reason = "operation has ceased";
- break;
+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+ crl_reason = "affiliation has changed";
+ break;
- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
- crl_reason = "certificate is on hold";
- break;
+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
+ crl_reason = "certificate superseded";
+ break;
- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
- crl_reason = "will be removed from delta CRL";
- break;
+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+ crl_reason = "operation has ceased";
+ break;
- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
- crl_reason = "privilege withdrawn";
- break;
+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+ crl_reason = "certificate is on hold";
+ break;
- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
- crl_reason = "AA compromised";
- break;
- }
+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+ crl_reason = "will be removed from delta CRL";
+ break;
- failf(data, "Server certificate was revoked: %s", crl_reason);
+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+ crl_reason = "privilege withdrawn";
break;
- }
- default:
- case GNUTLS_OCSP_CERT_UNKNOWN:
- failf(data, "Server certificate status is unknown");
+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+ crl_reason = "AA compromised";
break;
}
- gnutls_ocsp_resp_deinit(ocsp_resp);
+ failf(data, "Server certificate was revoked: %s", crl_reason);
+ break;
+ }
- return CURLE_SSL_INVALIDCERTSTATUS;
+ default:
+ case GNUTLS_OCSP_CERT_UNKNOWN:
+ failf(data, "Server certificate status is unknown");
+ break;
}
- else
- infof(data, " server certificate status verification OK");
+
+ gnutls_ocsp_resp_deinit(ocsp_resp);
+ if(status != GNUTLS_OCSP_CERT_GOOD)
+ return CURLE_SSL_INVALIDCERTSTATUS;
}
else
infof(data, " server certificate status verification SKIPPED");

295
curl-aws_sigv4-url-encode-the-canonical-path.patch
View File

@ -1,295 +0,0 @@
From 768909d89cb3089f96fb495b13e636ecf0742e3d Mon Sep 17 00:00:00 2001
From: Matthias Gatto <matthias.gatto@outscale.com>
Date: Mon, 27 May 2024 14:58:11 +0200
Subject: [PATCH] aws-sigv4: url encode the canonical path
Refactors canon_query, so it could use the encoding part of the function
to use it in the path.
As the path doesn't encode '/', but encode '=', I had to add some
conditions to know If I was doing the query or path encoding.
Also, instead of adding a `bool in_path` variable, I use `bool
*found_equals` to know if the function was called for the query or path,
as found_equals is used only in query_encoding.
Test 472 verifies.
Reported-by: Alexander Shtuchkin
Fixes #13754
Closes #13814
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Index: curl-8.6.0/lib/http_aws_sigv4.c
===================================================================
--- curl-8.6.0.orig/lib/http_aws_sigv4.c
+++ curl-8.6.0/lib/http_aws_sigv4.c
@@ -426,6 +426,76 @@ static int compare_func(const void *a, c
#define MAX_QUERYPAIRS 64
+/**
+ * found_equals have a double meaning,
+ * detect if an equal have been found when called from canon_query,
+ * and mark that this function is called to compute the path,
+ * if found_equals is NULL.
+ */
+static CURLcode canon_string(const char *q, size_t len,
+ struct dynbuf *dq, bool *found_equals)
+{
+ CURLcode result = CURLE_OK;
+
+ for(; len && !result; q++, len--) {
+ if(ISALNUM(*q))
+ result = Curl_dyn_addn(dq, q, 1);
+ else {
+ switch(*q) {
+ case '-':
+ case '.':
+ case '_':
+ case '~':
+ /* allowed as-is */
+ result = Curl_dyn_addn(dq, q, 1);
+ break;
+ case '%':
+ /* uppercase the following if hexadecimal */
+ if(ISXDIGIT(q[1]) && ISXDIGIT(q[2])) {
+ char tmp[3]="%";
+ tmp[1] = Curl_raw_toupper(q[1]);
+ tmp[2] = Curl_raw_toupper(q[2]);
+ result = Curl_dyn_addn(dq, tmp, 3);
+ q += 2;
+ len -= 2;
+ }
+ else
+ /* '%' without a following two-digit hex, encode it */
+ result = Curl_dyn_addn(dq, "%25", 3);
+ break;
+ default: {
+ const char hex[] = "0123456789ABCDEF";
+ char out[3]={'%'};
+
+ if(!found_equals) {
+ /* if found_equals is NULL assuming, been in path */
+ if(*q == '/') {
+ /* allowed as if */
+ result = Curl_dyn_addn(dq, q, 1);
+ break;
+ }
+ }
+ else {
+ /* allowed as-is */
+ if(*q == '=') {
+ result = Curl_dyn_addn(dq, q, 1);
+ *found_equals = true;
+ break;
+ }
+ }
+ /* URL encode */
+ out[1] = hex[((unsigned char)*q)>>4];
+ out[2] = hex[*q & 0xf];
+ result = Curl_dyn_addn(dq, out, 3);
+ break;
+ }
+ }
+ }
+ }
+ return result;
+}
+
+
static CURLcode canon_query(struct Curl_easy *data,
const char *query, struct dynbuf *dq)
{
@@ -463,54 +533,11 @@ static CURLcode canon_query(struct Curl_
ap = &array[0];
for(i = 0; !result && (i < entry); i++, ap++) {
- size_t len;
const char *q = ap->p;
bool found_equals = false;
if(!ap->len)
continue;
- for(len = ap->len; len && !result; q++, len--) {
- if(ISALNUM(*q))
- result = Curl_dyn_addn(dq, q, 1);
- else {
- switch(*q) {
- case '-':
- case '.':
- case '_':
- case '~':
- /* allowed as-is */
- result = Curl_dyn_addn(dq, q, 1);
- break;
- case '=':
- /* allowed as-is */
- result = Curl_dyn_addn(dq, q, 1);
- found_equals = true;
- break;
- case '%':
- /* uppercase the following if hexadecimal */
- if(ISXDIGIT(q[1]) && ISXDIGIT(q[2])) {
- char tmp[3]="%";
- tmp[1] = Curl_raw_toupper(q[1]);
- tmp[2] = Curl_raw_toupper(q[2]);
- result = Curl_dyn_addn(dq, tmp, 3);
- q += 2;
- len -= 2;
- }
- else
- /* '%' without a following two-digit hex, encode it */
- result = Curl_dyn_addn(dq, "%25", 3);
- break;
- default: {
- /* URL encode */
- const char hex[] = "0123456789ABCDEF";
- char out[3]={'%'};
- out[1] = hex[((unsigned char)*q)>>4];
- out[2] = hex[*q & 0xf];
- result = Curl_dyn_addn(dq, out, 3);
- break;
- }
- }
- }
- }
+ result = canon_string(q, ap->len, dq, &found_equals);
if(!result && !found_equals) {
/* queries without value still need an equals */
result = Curl_dyn_addn(dq, "=", 1);
@@ -543,6 +570,7 @@ CURLcode Curl_output_aws_sigv4(struct Cu
struct dynbuf canonical_headers;
struct dynbuf signed_headers;
struct dynbuf canonical_query;
+ struct dynbuf canonical_path;
char *date_header = NULL;
Curl_HttpReq httpreq;
const char *method = NULL;
@@ -573,6 +601,7 @@ CURLcode Curl_output_aws_sigv4(struct Cu
Curl_dyn_init(&canonical_headers, CURL_MAX_HTTP_HEADER);
Curl_dyn_init(&canonical_query, CURL_MAX_HTTP_HEADER);
Curl_dyn_init(&signed_headers, CURL_MAX_HTTP_HEADER);
+ Curl_dyn_init(&canonical_path, CURL_MAX_HTTP_HEADER);
/*
* Parameters parsing
@@ -701,6 +730,11 @@ CURLcode Curl_output_aws_sigv4(struct Cu
result = canon_query(data, data->state.up.query, &canonical_query);
if(result)
goto fail;
+
+ result = canon_string(data->state.up.path, strlen(data->state.up.path),
+ &canonical_path, NULL);
+ if(result)
+ goto fail;
result = CURLE_OUT_OF_MEMORY;
canonical_request =
@@ -711,7 +745,7 @@ CURLcode Curl_output_aws_sigv4(struct Cu
"%s\n" /* SignedHeaders */
"%.*s", /* HashedRequestPayload in hex */
method,
- data->state.up.path,
+ Curl_dyn_ptr(&canonical_path),
Curl_dyn_ptr(&canonical_query) ?
Curl_dyn_ptr(&canonical_query) : "",
Curl_dyn_ptr(&canonical_headers),
@@ -803,6 +837,7 @@ CURLcode Curl_output_aws_sigv4(struct Cu
fail:
Curl_dyn_free(&canonical_query);
+ Curl_dyn_free(&canonical_path);
Curl_dyn_free(&canonical_headers);
Curl_dyn_free(&signed_headers);
free(canonical_request);
Index: curl-8.6.0/tests/data/Makefile.inc
===================================================================
--- curl-8.6.0.orig/tests/data/Makefile.inc
+++ curl-8.6.0/tests/data/Makefile.inc
@@ -73,7 +73,7 @@ test426 test427 test428 test429 test430
test435 test436 test437 test438 test439 test440 test441 test442 test443 \
test444 test445 test446 test447 test448 test449 test450 test451 test452 \
test453 test454 test455 test456 test457 test458 test459 test460 test461 \
-\
+test472 \
test490 test491 test492 test493 test494 test495 test496 test497 test498 \
\
test500 test501 test502 test503 test504 test505 test506 test507 test508 \
Index: curl-8.6.0/tests/data/test472
===================================================================
--- /dev/null
+++ curl-8.6.0/tests/data/test472
@@ -0,0 +1,59 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+aws-sigv4
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data crlf="yes">
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+
+-foo-
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+<features>
+debug
+Unicode
+</features>
+<name>
+aws-sigv4 with query
+</name>
+<command>
+"http://fake.fake.fake:8000/%TESTNUMBER/a=あ" -u user:secret --aws-sigv4 "aws:amz:us-east-2:es" --connect-to fake.fake.fake:8000:%HOSTIP:%HTTPPORT
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="yes">
+GET /472/a=%e3%81%82 HTTP/1.1
+Host: fake.fake.fake:8000
+Authorization: AWS4-HMAC-SHA256 Credential=user/19700101/us-east-2/es/aws4_request, SignedHeaders=host;x-amz-date, Signature=c63315c199922f7ee00141869a250389405d19e205057249fb74726d940b1fc3
+X-Amz-Date: 19700101T000000Z
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>
Index: curl-8.6.0/tests/data/Makefile.in
===================================================================
--- curl-8.6.0.orig/tests/data/Makefile.in
+++ curl-8.6.0/tests/data/Makefile.in
@@ -445,7 +445,7 @@ test426 test427 test428 test429 test430
test435 test436 test437 test438 test439 test440 test441 test442 test443 \
test444 test445 test446 test447 test448 test449 test450 test451 test452 \
test453 test454 test455 test456 test457 test458 test459 test460 test461 \
-\
+test472 \
test490 test491 test492 test493 test494 test495 test496 test497 test498 \
\
test500 test501 test502 test503 test504 test505 test506 test507 test508 \

32
curl-sigpipe.patch Normal file
View File

@ -0,0 +1,32 @@
From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 5 Aug 2024 00:17:17 +0200
Subject: [PATCH] sigpipe: init the struct so that first apply ignores
Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after
init ignores the signal (unless CURLOPT_NOSIGNAL) is set.
I have read the existing code multiple times now and I think it gets the
initial state reversed this missing to ignore.
Regression from 17e6f06ea37136c36d27
Reported-by: Rasmus Thomsen
Fixes #14344
Closes #14390
---
lib/sigpipe.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/sigpipe.h b/lib/sigpipe.h
index b91a2f51333956..d78afd905d3414 100644
--- a/lib/sigpipe.h
+++ b/lib/sigpipe.h
@@ -39,6 +39,7 @@ struct sigpipe_ignore {
static void sigpipe_init(struct sigpipe_ignore *ig)
{
memset(ig, 0, sizeof(*ig));
+ ig->no_signal = TRUE;
}
/*

474
curl.changes
View File

File diff suppressed because it is too large Load Diff

152
curl.spec
View File

@ -17,11 +17,19 @@
%bcond_without testsuite %bcond_without testsuite
%bcond_with mozilla_nss
# need ssl always for python-pycurl # need ssl always for python-pycurl
%bcond_without openssl %bcond_without openssl
Name: curl %define target @BUILD_FLAVOR@%{nil}
Version: 8.6.0 %if "%{target}" == "mini"
%bcond_without mini
%global psuffix -mini
%else
%bcond_with mini
%global psuffix %{nil}
%endif
Name: curl%{?psuffix}
Version: 8.9.1
Release: 0 Release: 0
Summary: A Tool for Transferring Data from URLs Summary: A Tool for Transferring Data from URLs
License: curl License: curl
@ -35,47 +43,28 @@ Patch1: dont-mess-with-rpmoptflags.patch
Patch2: curl-secure-getenv.patch Patch2: curl-secure-getenv.patch
#PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
Patch3: curl-disabled-redirect-protocol-message.patch Patch3: curl-disabled-redirect-protocol-message.patch
# PATCH-FIX-UPSTREAM #PATCH-FIX-UPSTREAM sigpipe: init the struct so that first apply ignores
Patch4: 0001-vtls-revert-receive-max-buffer-add-test-case.patch Patch4: curl-sigpipe.patch
#PATCH-FIX-UPSTREAM bsc#1221665 CVE-2024-2004 Usage of disabled protocol BuildRequires: groff
Patch5: curl-CVE-2024-2004.patch
#PATCH-FIX-UPSTREAM bsc#1221667 CVE-2024-2398 HTTP/2 push headers memory-leak
Patch6: curl-CVE-2024-2398.patch
#PATCH-FIX-UPSTREAM bsc#1221666 CVE-2024-2379 QUIC certificate check bypass with wolfSSL
Patch7: curl-CVE-2024-2379.patch
#PATCH-FIX-UPSTREAM bsc#1221668 CVE-2024-2466 TLS certificate check bypass with mbedTLS
Patch8: curl-CVE-2024-2466.patch
#PATCH-FIX-UPSTREAM bsc#1227888 CVE-2024-6197 Freeing stack buffer in utf8asn1str
Patch9: curl-CVE-2024-6197.patch
#PATCH-FIX-UPSTREAM bsc#1228535 CVE-2024-7264 ASN.1 date parser overread
Patch10: curl-CVE-2024-7264.patch
#PATCH-FIX-UPSTREAM bsc#1230093 CVE-2024-8096 OCSP stapling bypass with GnuTLS
Patch11: curl-CVE-2024-8096.patch
#PATCH-FIX-UPSTREAM bsc#1230516 Make special characters in URL work with aws-sigv4
Patch12: curl-aws_sigv4-url-encode-the-canonical-path.patch
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
Requires: libcurl4 = %{version}
BuildRequires: groff
BuildRequires: lzma
BuildRequires: openldap2-devel
BuildRequires: pkgconfig(krb5)
BuildRequires: pkgconfig(libbrotlidec)
BuildRequires: pkgconfig(libidn2) BuildRequires: pkgconfig(libidn2)
# Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922] # Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922]
# BuildRequires: pkgconfig(libmetalink) # BuildRequires: pkgconfig(libmetalink)
BuildRequires: pkgconfig(libnghttp2) BuildRequires: pkgconfig(libnghttp2)
BuildRequires: pkgconfig(libpsl) BuildRequires: pkgconfig(libpsl)
BuildRequires: pkgconfig(libssh)
BuildRequires: pkgconfig(libzstd) BuildRequires: pkgconfig(libzstd)
BuildRequires: pkgconfig(zlib) BuildRequires: pkgconfig(zlib)
Requires: libcurl4 = %{version}
%if %{with openssl} %if %{with openssl}
BuildRequires: pkgconfig(libssl) BuildRequires: pkgconfig(libssl)
%endif %endif
%if %{with mozilla_nss} %if !%{with mini}
BuildRequires: mozilla-nss-devel BuildRequires: openldap2-devel
BuildRequires: pkgconfig(krb5)
BuildRequires: pkgconfig(libbrotlidec)
BuildRequires: pkgconfig(libssh)
%endif %endif
#BuildRequires: openssh
%if 0%{?_with_stunnel:1} %if 0%{?_with_stunnel:1}
# used by the testsuite # used by the testsuite
BuildRequires: stunnel BuildRequires: stunnel
@ -87,13 +76,19 @@ server using any of the supported protocols (HTTP, HTTPS, FTP, FTPS,
TFTP, DICT, TELNET, LDAP, or FILE). The command is designed to work TFTP, DICT, TELNET, LDAP, or FILE). The command is designed to work
without user interaction or any kind of interactivity. without user interaction or any kind of interactivity.
%package -n libcurl4 %package -n libcurl%{?psuffix}4
Summary: Library for transferring data from URLs Summary: Library for transferring data from URLs
%if %{with mini}
Provides: libcurl4 = %{version}
%else
Obsoletes: libcurl-mini4 <= %{version}
%endif
%description -n libcurl4 %description -n libcurl%{?psuffix}4
The cURL shared library for accessing data using different The cURL shared library for accessing data using different
network protocols. network protocols.
%if !%{with mini}
%package -n libcurl-devel %package -n libcurl-devel
Summary: Development files for the curl library Summary: Development files for the curl library
Requires: glibc-devel Requires: glibc-devel
@ -107,8 +102,37 @@ server using any of the supported protocols (HTTP, HTTPS, FTP, GOPHER,
DICT, TELNET, LDAP, or FILE). The command is designed to work without DICT, TELNET, LDAP, or FILE). The command is designed to work without
user interaction or any kind of interactivity. user interaction or any kind of interactivity.
%package -n libcurl-devel-doc
Summary: Manual pages for libcurl
Provides: libcurl-devel:%{_mandir}/man1/curl-config.1%{?ext_man}
BuildArch: noarch
%description -n libcurl-devel-doc
Manual pages for the libcurl C API.
%package fish-completion
Summary: Fish completion for curl
Group: System/Shells
Requires: fish
Supplements: (curl and fish)
BuildArch: noarch
%description fish-completion
Fish command line completion support for %name.
%package zsh-completion
Summary: Zsh Completion for %name
Group: System/Shells
Requires: zsh
Supplements: (curl and zsh)
BuildArch: noarch
%description zsh-completion
ZSH command line completion support for %name.
%endif
%prep %prep
%autosetup -p1 %autosetup -p1 -n curl-%{version}
%build %build
# curl complains if macro definition is contained in CFLAGS # curl complains if macro definition is contained in CFLAGS
@ -123,7 +147,9 @@ autoreconf -fiv
# (currently, libtool sets link_all_deplibs=(yes|unknown) everywhere, # (currently, libtool sets link_all_deplibs=(yes|unknown) everywhere,
# will hopefully change in the future) # will hopefully change in the future)
sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure
%configure \ %configure \
--enable-hsts \
--enable-ipv6 \ --enable-ipv6 \
%if %{with openssl} %if %{with openssl}
--with-openssl \ --with-openssl \
@ -132,16 +158,37 @@ sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure
--without-ca-bundle \ --without-ca-bundle \
%else %else
--without-openssl \ --without-openssl \
%if %{with mozilla_nss}
--with-nss \
%endif %endif
%endif
--with-gssapi=$(krb5-config --prefix) \
--with-libidn2 \ --with-libidn2 \
--with-nghttp2 \
--enable-docs \
%if %{with mini}
--disable-dict \
--disable-ftp \
--disable-gopher \
--disable-imap \
--disable-mqtt \
--disable-ntlm \
--disable-ntlm-wb \
--disable-pop3 \
--disable-rtsp \
--disable-smtp \
--disable-telnet \
--disable-tftp \
--disable-tls-srp \
--disable-websockets \
--without-brotli \
--without-libssh \
%else
--with-gssapi=$(krb5-config --prefix) \
--with-brotli \
--with-libssh \ --with-libssh \
%endif
--enable-symbol-hiding \ --enable-symbol-hiding \
--disable-static \ --disable-static \
--enable-threaded-resolver --enable-threaded-resolver \
--with-zsh-functions-dir=%{_datadir}/zsh/site-functions/ \
--with-fish-functions-dir=%{_datadir}/fish/vendor_completions.d
# if this fails, the above sed hack did not work # if this fails, the above sed hack did not work
./libtool --config | grep -q link_all_deplibs=no ./libtool --config | grep -q link_all_deplibs=no
@ -163,31 +210,39 @@ popd
%install %install
%make_install %make_install
rm -f %{buildroot}%{_libdir}/libcurl.la rm -f %{buildroot}%{_libdir}/libcurl.la
%if %{with mini}
rm -rv %{buildroot}%{_includedir}/curl %{buildroot}/%{_libdir}/pkgconfig %{buildroot}%{_datadir}
rm -v %{buildroot}%{_bindir}/curl %{buildroot}%{_bindir}/curl-config %{buildroot}%{_libdir}/libcurl.so
%else
install -Dm 0644 docs/libcurl/libcurl.m4 %{buildroot}%{_datadir}/aclocal/libcurl.m4 install -Dm 0644 docs/libcurl/libcurl.m4 %{buildroot}%{_datadir}/aclocal/libcurl.m4
pushd scripts pushd scripts
%make_install %make_install
popd popd
%endif
%post -n libcurl4 -p /sbin/ldconfig %ldconfig_scriptlets -n libcurl%{?psuffix}4
%postun -n libcurl4 -p /sbin/ldconfig
%files -n libcurl%{?psuffix}4
%license COPYING
%{_libdir}/libcurl.so.4*
%if !%{with mini}
%files %files
%doc README RELEASE-NOTES CHANGES %doc README RELEASE-NOTES CHANGES
%doc docs/{BUGS.md,FAQ,FEATURES.md,TODO,TheArtOfHttpScripting.md} %doc docs/{BUGS.md,FAQ,FEATURES.md,TODO,TheArtOfHttpScripting.md}
%{_bindir}/curl %{_bindir}/curl
%{_datadir}/zsh/site-functions/_curl
%{_mandir}/man1/curl.1%{?ext_man} %{_mandir}/man1/curl.1%{?ext_man}
%{_mandir}/man1/mk-ca-bundle.1%{?ext_man}
%files zsh-completion
%dir %{_datadir}/zsh %dir %{_datadir}/zsh
%dir %{_datadir}/zsh/site-functions %dir %{_datadir}/zsh/site-functions
%{_datadir}/zsh/site-functions/_curl
%files fish-completion
%dir %{_datadir}/fish/ %dir %{_datadir}/fish/
%dir %{_datadir}/fish/vendor_completions.d/ %dir %{_datadir}/fish/vendor_completions.d/
%{_datadir}/fish/vendor_completions.d/curl.fish %{_datadir}/fish/vendor_completions.d/curl.fish
%files -n libcurl4
%license COPYING
%{_libdir}/libcurl.so.4*
%files -n libcurl-devel %files -n libcurl-devel
%{_bindir}/curl-config %{_bindir}/curl-config
%{_includedir}/curl %{_includedir}/curl
@ -195,8 +250,11 @@ popd
%{_datadir}/aclocal/libcurl.m4 %{_datadir}/aclocal/libcurl.m4
%{_libdir}/libcurl.so %{_libdir}/libcurl.so
%{_libdir}/pkgconfig/libcurl.pc %{_libdir}/pkgconfig/libcurl.pc
%files -n libcurl-devel-doc
%{_mandir}/man1/curl-config.1%{?ext_man} %{_mandir}/man1/curl-config.1%{?ext_man}
%{_mandir}/man3/* %{_mandir}/man3/*
%doc docs/libcurl/symbols-in-versions %doc docs/libcurl/symbols-in-versions
%endif
%changelog %changelog

44
libcurl-ocloexec.patch
View File

@ -7,11 +7,11 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
compile time is not enough. compile time is not enough.
Index: curl-8.4.0/lib/file.c Index: curl-8.9.0/lib/file.c
=================================================================== ===================================================================
--- curl-8.4.0.orig/lib/file.c --- curl-8.9.0.orig/lib/file.c
+++ curl-8.4.0/lib/file.c +++ curl-8.9.0/lib/file.c
@@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl @@ -242,7 +242,7 @@ static CURLcode file_connect(struct Curl
} }
} }
#else #else
@ -20,19 +20,19 @@ Index: curl-8.4.0/lib/file.c
file->path = real_path; file->path = real_path;
#endif #endif
#endif #endif
@@ -318,7 +318,7 @@ static CURLcode file_upload(struct Curl_ @@ -329,7 +329,7 @@ static CURLcode file_upload(struct Curl_
else else
mode = MODE_DEFAULT|O_TRUNC; mode = MODE_DEFAULT|O_TRUNC;
- fd = open(file->path, mode, data->set.new_file_perms); - fd = open(file->path, mode, data->set.new_file_perms);
+ fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms); + fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
if(fd < 0) { if(fd < 0) {
failf(data, "Can't open %s for writing", file->path); failf(data, "cannot open %s for writing", file->path);
return CURLE_WRITE_ERROR; return CURLE_WRITE_ERROR;
Index: curl-8.4.0/lib/if2ip.c Index: curl-8.9.0/lib/if2ip.c
=================================================================== ===================================================================
--- curl-8.4.0.orig/lib/if2ip.c --- curl-8.9.0.orig/lib/if2ip.c
+++ curl-8.4.0/lib/if2ip.c +++ curl-8.9.0/lib/if2ip.c
@@ -208,7 +208,7 @@ if2ip_result_t Curl_if2ip(int af, @@ -208,7 +208,7 @@ if2ip_result_t Curl_if2ip(int af,
if(len >= sizeof(req.ifr_name)) if(len >= sizeof(req.ifr_name))
return IF2IP_NOT_FOUND; return IF2IP_NOT_FOUND;
@ -42,11 +42,11 @@ Index: curl-8.4.0/lib/if2ip.c
if(CURL_SOCKET_BAD == dummy) if(CURL_SOCKET_BAD == dummy)
return IF2IP_NOT_FOUND; return IF2IP_NOT_FOUND;
Index: curl-8.4.0/configure.ac Index: curl-8.9.0/configure.ac
=================================================================== ===================================================================
--- curl-8.4.0.orig/configure.ac --- curl-8.9.0.orig/configure.ac
+++ curl-8.4.0/configure.ac +++ curl-8.9.0/configure.ac
@@ -428,6 +428,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m @@ -441,6 +441,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
# Silence warning: ar: 'u' modifier ignored since 'D' is the default # Silence warning: ar: 'u' modifier ignored since 'D' is the default
AC_SUBST(AR_FLAGS, [cr]) AC_SUBST(AR_FLAGS, [cr])
@ -55,10 +55,10 @@ Index: curl-8.4.0/configure.ac
dnl This defines _ALL_SOURCE for AIX dnl This defines _ALL_SOURCE for AIX
CURL_CHECK_AIX_ALL_SOURCE CURL_CHECK_AIX_ALL_SOURCE
Index: curl-8.4.0/lib/hostip.c Index: curl-8.9.0/lib/hostip.c
=================================================================== ===================================================================
--- curl-8.4.0.orig/lib/hostip.c --- curl-8.9.0.orig/lib/hostip.c
+++ curl-8.4.0/lib/hostip.c +++ curl-8.9.0/lib/hostip.c
@@ -44,6 +44,7 @@ @@ -44,6 +44,7 @@
#include <setjmp.h> #include <setjmp.h>
#include <signal.h> #include <signal.h>
@ -67,20 +67,20 @@ Index: curl-8.4.0/lib/hostip.c
#include "urldata.h" #include "urldata.h"
#include "sendf.h" #include "sendf.h"
#include "hostip.h" #include "hostip.h"
@@ -609,7 +610,7 @@ bool Curl_ipv6works(struct Curl_easy *da @@ -616,7 +617,7 @@ bool Curl_ipv6works(struct Curl_easy *da
else { else {
int ipv6_works = -1; int ipv6_works = -1;
/* probe to see if we have a working IPv6 stack */ /* probe to see if we have a working IPv6 stack */
- curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0); - curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0);
+ curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0); + curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
if(s == CURL_SOCKET_BAD) if(s == CURL_SOCKET_BAD)
/* an IPv6 address was requested but we can't get/use one */ /* an IPv6 address was requested but we cannot get/use one */
ipv6_works = 0; ipv6_works = 0;
Index: curl-8.4.0/lib/cf-socket.c Index: curl-8.9.0/lib/cf-socket.c
=================================================================== ===================================================================
--- curl-8.4.0.orig/lib/cf-socket.c --- curl-8.9.0.orig/lib/cf-socket.c
+++ curl-8.4.0/lib/cf-socket.c +++ curl-8.9.0/lib/cf-socket.c
@@ -274,7 +274,9 @@ static CURLcode socket_open(struct Curl_ @@ -360,7 +360,9 @@ static CURLcode socket_open(struct Curl_
} }
else { else {
/* opensocket callback not set, so simply create the socket now */ /* opensocket callback not set, so simply create the socket now */