Sync from SUSE:SLFO:Main curl revision 0ef1802cf13d6361dd244b71d939d59a

2024-08-07 22:08:56 +02:00 · 2024-08-07 22:08:56 +02:00 · e800aa20c2
commit e800aa20c2
parent eb6d4068f5
5 changed files with 456 additions and 17 deletions
--- a/0001-vtls-revert-receive-max-buffer-add-test-case.patch
+++ b/0001-vtls-revert-receive-max-buffer-add-test-case.patch
@ -0,0 +1,70 @@
 From e00609fc15f5d5adaf0896b751bf2c3a74a5f6f4 Mon Sep 17 00:00:00 2001
 From: Stefan Eissing <stefan@eissing.org>
 Date: Thu, 1 Feb 2024 18:15:50 +0100
 Subject: [PATCH] vtls: revert "receive max buffer" + add test case
 - add test_05_04 for requests using http/1.0, http/1.1 and h2 against an
  Apache resource that does an unclean TLS shutdown.
 - revert special workarund in openssl.c for suppressing shutdown errors
  on multiplexed connections
 - vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53
 Fixes #12885
 Fixes #12844
 Closes #12848
 (cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84)
 ---
 lib/vtls/vtls.c                               | 27 +++++--------------
 tests/http/test_05_errors.py                  | 27 +++++++++++++++++++
 tests/http/testenv/httpd.py                   |  7 ++++-
 .../http/testenv/mod_curltest/mod_curltest.c  |  2 +-
 4 files changed, 40 insertions(+), 23 deletions(-)
 diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
 index e928ba5d0..f654a9749 100644
 --- a/lib/vtls/vtls.c
 +++ b/lib/vtls/vtls.c
@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
 {
   struct cf_call_data save;
   ssize_t nread;
 -  size_t ntotal = 0;
   CF_DATA_SAVE(save, cf, data);
   *err = CURLE_OK;
 -  /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */
 -  while(!ntotal || (len - ntotal) > (4*1024)) {
 +  nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
 +  if(nread > 0) {
 +    DEBUGASSERT((size_t)nread <= len);
 +  }
 +  else if(nread == 0) {
 +    /* eof */
     *err = CURLE_OK;
 -    nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err);
 -    if(nread < 0) {
 -      if(*err == CURLE_AGAIN && ntotal > 0) {
 -        /* we EAGAINed after having reed data, return the success amount */
 -        *err = CURLE_OK;
 -        break;
 -      }
 -      /* we have a an error to report */
 -      goto out;
 -    }
 -    else if(nread == 0) {
 -      /* eof */
 -      break;
 -    }
 -    ntotal += (size_t)nread;
 -    DEBUGASSERT((size_t)ntotal <= len);
   }
 -  nread = (ssize_t)ntotal;
 -out:
   CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len,
               nread, *err);
   CF_DATA_RESTORE(cf, save);
 -- 
 2.43.0
--- a/curl-CVE-2024-6197.patch
+++ b/curl-CVE-2024-6197.patch
@ -0,0 +1,21 @@
 From 3a537a4db9e65e545ec45b1b5d5575ee09a2569d Mon Sep 17 00:00:00 2001
 From: z2_ <88509734+z2-2z@users.noreply.github.com>
 Date: Fri, 28 Jun 2024 14:45:47 +0200
 Subject: [PATCH] x509asn1: remove superfluous free()
 ---
 lib/vtls/x509asn1.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
 index f71ab0b90a5931..1bc4243ddae343 100644
 --- a/lib/vtls/x509asn1.c
 +++ b/lib/vtls/x509asn1.c
@@ -393,7 +393,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
         if(wc >= 0x00000800) {
           if(wc >= 0x00010000) {
             if(wc >= 0x00200000) {
 -              free(buf);
               /* Invalid char. size for target encoding. */
               return CURLE_WEIRD_SERVER_REPLY;
             }
--- a/curl-CVE-2024-7264.patch
+++ b/curl-CVE-2024-7264.patch
@ -0,0 +1,322 @@
 From 3c914bc680155b32178f1f15ca8d47c7f4640afe Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Tue, 30 Jul 2024 10:05:17 +0200
 Subject: [PATCH] x509asn1: clean up GTime2str
 Co-authored-by: Stefan Eissing
 Reported-by: Dov Murik
 Closes #14307
 ---
 lib/vtls/x509asn1.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
 Index: curl-8.6.0/lib/vtls/x509asn1.c
 ===================================================================
 --- curl-8.6.0.orig/lib/vtls/x509asn1.c
 +++ curl-8.6.0/lib/vtls/x509asn1.c
@@ -488,7 +488,7 @@ static CURLcode GTime2str(struct dynbuf
   /* Convert an ASN.1 Generalized time to a printable string.
      Return the dynamically allocated string, or NULL if an error occurs. */
 -  for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++)
 +  for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++)
     ;
   /* Get seconds digits. */
@@ -507,32 +507,44 @@ static CURLcode GTime2str(struct dynbuf
     return CURLE_BAD_FUNCTION_ARGUMENT;
   }
 -  /* Scan for timezone, measure fractional seconds. */
 +  /* timezone follows optional fractional seconds. */
   tzp = fracp;
 -  fracl = 0;
 +  fracl = 0; /* no fractional seconds detected so far */
   if(fracp < end && (*fracp == '.' || *fracp == ',')) {
 -    fracp++;
 -    do
 +    /* Have fractional seconds, e.g. "[.,]\d+". How many? */
 +    fracp++; /* should be a digit char or BAD ARGUMENT */
 +    tzp = fracp;
 +    while(tzp < end && ISDIGIT(*tzp))
       tzp++;
 -    while(tzp < end && *tzp >= '0' && *tzp <= '9');
 -    /* Strip leading zeroes in fractional seconds. */
 -    for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
 -      ;
 +    if(tzp == fracp) /* never looped, no digit after [.,] */
 +      return CURLE_BAD_FUNCTION_ARGUMENT;
 +    fracl = tzp - fracp; /* number of fractional sec digits */
 +    DEBUGASSERT(fracl > 0);
 +    /* Strip trailing zeroes in fractional seconds.
 +     * May reduce fracl to 0 if only '0's are present. */
 +    while(fracl && fracp[fracl - 1] == '0')
 +      fracl--;
   }
   /* Process timezone. */
 -  if(tzp >= end)
 -    ;           /* Nothing to do. */
 +  if(tzp >= end) {
 +    tzp = "";
 +    tzl = 0;
 +  }
   else if(*tzp == 'Z') {
 -    tzp = " GMT";
 -    end = tzp + 4;
 +    sep = " ";
 +    tzp = "GMT";
 +    tzl = 3;
 +  }
 +  else if((*tzp == '+') || (*tzp == '-')) {
 +    sep = " UTC";
 +    tzl = end - tzp;
   }
   else {
     sep = " ";
 -    tzp++;
 +    tzl = end - tzp;
   }
 -  tzl = end - tzp;
   return Curl_dyn_addf(store,
                        "%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
                        beg, beg + 4, beg + 6,
@@ -541,6 +553,15 @@ static CURLcode GTime2str(struct dynbuf
                        sep, (int)tzl, tzp);
 }
 +#ifdef UNITTESTS
 +/* used by unit1656.c */
 +CURLcode Curl_x509_GTime2str(struct dynbuf *store,
 +                             const char *beg, const char *end)
 +{
 +  return GTime2str(store, beg, end);
 +}
 +#endif
 +
 /*
  * Convert an ASN.1 UTC time to a printable string.
  *
 Index: curl-8.6.0/lib/vtls/x509asn1.h
 ===================================================================
 --- curl-8.6.0.orig/lib/vtls/x509asn1.h
 +++ curl-8.6.0/lib/vtls/x509asn1.h
@@ -76,5 +76,16 @@ CURLcode Curl_extract_certinfo(struct Cu
                                const char *beg, const char *end);
 CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
                          const char *beg, const char *end);
 +
 +#ifdef UNITTESTS
 +#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
 +  defined(USE_MBEDTLS)
 +
 +/* used by unit1656.c */
 +CURLcode Curl_x509_GTime2str(struct dynbuf *store,
 +                             const char *beg, const char *end);
 +#endif
 +#endif
 +
 #endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_SECTRANSP */
 #endif /* HEADER_CURL_X509ASN1_H */
 Index: curl-8.6.0/tests/data/Makefile.inc
 ===================================================================
 --- curl-8.6.0.orig/tests/data/Makefile.inc
 +++ curl-8.6.0/tests/data/Makefile.inc
@@ -208,7 +208,7 @@ test1620 test1621 \
 \
 test1630 test1631 test1632 test1633 test1634 test1635 \
 \
 -test1650 test1651 test1652 test1653 test1654 test1655 \
 +test1650 test1651 test1652 test1653 test1654 test1655 test1656 \
 test1660 test1661 test1662 \
 \
 test1670 test1671 \
 Index: curl-8.6.0/tests/data/test1656
 ===================================================================
 --- /dev/null
 +++ curl-8.6.0/tests/data/test1656
@@ -0,0 +1,22 @@
 +<testcase>
 +<info>
 +<keywords>
 +unittest
 +Curl_x509_GTime2str
 +</keywords>
 +</info>
 +
 +#
 +# Client-side
 +<client>
 +<server>
 +none
 +</server>
 +<features>
 +unittest
 +</features>
 +<name>
 +Curl_x509_GTime2str unit tests
 +</name>
 +</client>
 +</testcase>
 Index: curl-8.6.0/tests/unit/Makefile.inc
 ===================================================================
 --- curl-8.6.0.orig/tests/unit/Makefile.inc
 +++ curl-8.6.0/tests/unit/Makefile.inc
@@ -36,7 +36,7 @@ UNITPROGS = unit1300          unit1302 u
  unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \
  unit1608 unit1609 unit1610 unit1611 unit1612 unit1614 \
  unit1620 unit1621 \
 - unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 \
 + unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 unit1656 \
  unit1660 unit1661 \
  unit2600 unit2601 unit2602 unit2603 \
  unit3200
@@ -117,6 +117,8 @@ unit1654_SOURCES = unit1654.c $(UNITFILE
 unit1655_SOURCES = unit1655.c $(UNITFILES)
 +unit1656_SOURCES = unit1656.c $(UNITFILES)
 +
 unit1660_SOURCES = unit1660.c $(UNITFILES)
 unit1661_SOURCES = unit1661.c $(UNITFILES)
 Index: curl-8.6.0/tests/unit/unit1656.c
 ===================================================================
 --- /dev/null
 +++ curl-8.6.0/tests/unit/unit1656.c
@@ -0,0 +1,133 @@
 +/***************************************************************************
 + *                                  _   _ ____  _
 + *  Project                     ___| | | |  _ \| |
 + *                             / __| | | | |_) | |
 + *                            | (__| |_| |  _ <| |___
 + *                             \___|\___/|_| \_\_____|
 + *
 + * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 + *
 + * This software is licensed as described in the file COPYING, which
 + * you should have received as part of this distribution. The terms
 + * are also available at https://curl.se/docs/copyright.html.
 + *
 + * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 + * copies of the Software, and permit persons to whom the Software is
 + * furnished to do so, under the terms of the COPYING file.
 + *
 + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 + * KIND, either express or implied.
 + *
 + * SPDX-License-Identifier: curl
 + *
 + ***************************************************************************/
 +#include "curlcheck.h"
 +
 +#include "vtls/x509asn1.h"
 +
 +static CURLcode unit_setup(void)
 +{
 +  return CURLE_OK;
 +}
 +
 +static void unit_stop(void)
 +{
 +
 +}
 +
 +#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
 +  defined(USE_MBEDTLS)
 +
 +#ifndef ARRAYSIZE
 +#define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0]))
 +#endif
 +
 +struct test_spec {
 +  const char *input;
 +  const char *exp_output;
 +  CURLcode exp_result;
 +};
 +
 +static struct test_spec test_specs[] = {
 +  { "190321134340", "1903-21-13 43:40:00", CURLE_OK },
 +  { "", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
 +  { "WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
 +  { "0WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
 +  { "19032113434", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
 +  { "19032113434WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
 +  { "190321134340.", NULL, CURLE_BAD_FUNCTION_ARGUMENT },
 +  { "190321134340.1", "1903-21-13 43:40:00.1", CURLE_OK },
 +  { "19032113434017.0", "1903-21-13 43:40:17", CURLE_OK },
 +  { "19032113434017.01", "1903-21-13 43:40:17.01", CURLE_OK },
 +  { "19032113434003.001", "1903-21-13 43:40:03.001", CURLE_OK },
 +  { "19032113434003.090", "1903-21-13 43:40:03.09", CURLE_OK },
 +  { "190321134340Z", "1903-21-13 43:40:00 GMT", CURLE_OK },
 +  { "19032113434017.0Z", "1903-21-13 43:40:17 GMT", CURLE_OK },
 +  { "19032113434017.01Z", "1903-21-13 43:40:17.01 GMT", CURLE_OK },
 +  { "19032113434003.001Z", "1903-21-13 43:40:03.001 GMT", CURLE_OK },
 +  { "19032113434003.090Z", "1903-21-13 43:40:03.09 GMT", CURLE_OK },
 +  { "190321134340CET", "1903-21-13 43:40:00 CET", CURLE_OK },
 +  { "19032113434017.0CET", "1903-21-13 43:40:17 CET", CURLE_OK },
 +  { "19032113434017.01CET", "1903-21-13 43:40:17.01 CET", CURLE_OK },
 +  { "190321134340+02:30", "1903-21-13 43:40:00 UTC+02:30", CURLE_OK },
 +  { "19032113434017.0+02:30", "1903-21-13 43:40:17 UTC+02:30", CURLE_OK },
 +  { "19032113434017.01+02:30", "1903-21-13 43:40:17.01 UTC+02:30", CURLE_OK },
 +  { "190321134340-3", "1903-21-13 43:40:00 UTC-3", CURLE_OK },
 +  { "19032113434017.0-04", "1903-21-13 43:40:17 UTC-04", CURLE_OK },
 +  { "19032113434017.01-01:10", "1903-21-13 43:40:17.01 UTC-01:10", CURLE_OK },
 +};
 +
 +static bool do_test(struct test_spec *spec, size_t i, struct dynbuf *dbuf)
 +{
 +  CURLcode result;
 +  const char *in = spec->input;
 +
 +  Curl_dyn_reset(dbuf);
 +  result = Curl_x509_GTime2str(dbuf, in, in + strlen(in));
 +  if(result != spec->exp_result) {
 +    fprintf(stderr, "test %zu: expect result %d, got %d\n",
 +            i, spec->exp_result, result);
 +    return FALSE;
 +  }
 +  else if(!result && strcmp(spec->exp_output, Curl_dyn_ptr(dbuf))) {
 +    fprintf(stderr, "test %zu: input '%s', expected output '%s', got '%s'\n",
 +            i, in, spec->exp_output, Curl_dyn_ptr(dbuf));
 +    return FALSE;
 +  }
 +
 +  return TRUE;
 +}
 +
 +UNITTEST_START
 +{
 +  size_t i;
 +  struct dynbuf dbuf;
 +  bool all_ok = TRUE;
 +
 +  Curl_dyn_init(&dbuf, 32*1024);
 +
 +  if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
 +    fprintf(stderr, "curl_global_init() failed\n");
 +    return TEST_ERR_MAJOR_BAD;
 +  }
 +
 +  for(i = 0; i < ARRAYSIZE(test_specs); ++i) {
 +    if(!do_test(&test_specs[i], i, &dbuf))
 +      all_ok = FALSE;
 +  }
 +  fail_unless(all_ok, "some tests of Curl_x509_GTime2str() fails");
 +
 +  Curl_dyn_free(&dbuf);
 +  curl_global_cleanup();
 +}
 +UNITTEST_STOP
 +
 +#else
 +
 +UNITTEST_START
 +{
 +  puts("not tested since Curl_x509_GTime2str() is not built-in");
 +}
 +UNITTEST_STOP
 +
 +#endif
--- a/curl.changes
+++ b/curl.changes
@ -1,3 +1,18 @@
 -------------------------------------------------------------------
 Wed Jul 31 08:40:11 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 - Security fix: [bsc#1228535, CVE-2024-7264]
  * curl: ASN.1 date parser overread
  * Add curl-CVE-2024-7264.patch
 -------------------------------------------------------------------
 Tue Jul 16 08:43:02 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 - Security fix: [bsc#1227888, CVE-2024-6197]
  * Freeing stack buffer in utf8asn1str
  * x509asn1: remove superfluous free()
  * Add curl-CVE-2024-6197.patch
 -------------------------------------------------------------------
 Wed Mar 27 18:32:08 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
@ -26,6 +41,22 @@ Thu Mar 21 12:27:30 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
  * curl: HTTP/2 push headers memory-leak
  * Add curl-CVE-2024-2398.patch
 -------------------------------------------------------------------
 Tue Mar 12 08:43:30 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 - Remove the nghttp2 version requirement as a version guard around
  the nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
  function was added in curl 8.0.1.
  * Upstream commit: https://github.com/curl/curl/commit/744dcf22
 -------------------------------------------------------------------
 Thu Feb  8 13:58:23 UTC 2024 - Fabian Vogt <fvogt@suse.com>
 - Add patch to fix various TLS related issues including FTP over SSL
  transmission timeouts:
  * 0001-vtls-revert-receive-max-buffer-add-test-case.patch
 - Switch to %autosetup
 -------------------------------------------------------------------
 Wed Jan 31 09:11:56 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
--- a/curl.spec
+++ b/curl.spec
@ -35,14 +35,20 @@ Patch1:         dont-mess-with-rpmoptflags.patch
 Patch2:         curl-secure-getenv.patch
 #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3:         curl-disabled-redirect-protocol-message.patch
 # PATCH-FIX-UPSTREAM
 Patch4:         0001-vtls-revert-receive-max-buffer-add-test-case.patch
 #PATCH-FIX-UPSTREAM bsc#1221665 CVE-2024-2004 Usage of disabled protocol
-Patch4:         curl-CVE-2024-2004.patch
+Patch5:         curl-CVE-2024-2004.patch
 #PATCH-FIX-UPSTREAM bsc#1221667 CVE-2024-2398 HTTP/2 push headers memory-leak
-Patch5:         curl-CVE-2024-2398.patch
+Patch6:         curl-CVE-2024-2398.patch
 #PATCH-FIX-UPSTREAM bsc#1221666 CVE-2024-2379 QUIC certificate check bypass with wolfSSL
-Patch6:         curl-CVE-2024-2379.patch
+Patch7:         curl-CVE-2024-2379.patch
 #PATCH-FIX-UPSTREAM bsc#1221668 CVE-2024-2466 TLS certificate check bypass with mbedTLS
-Patch7:         curl-CVE-2024-2466.patch
+Patch8:         curl-CVE-2024-2466.patch
 #PATCH-FIX-UPSTREAM bsc#1227888 CVE-2024-6197 Freeing stack buffer in utf8asn1str
 Patch9:         curl-CVE-2024-6197.patch
 #PATCH-FIX-UPSTREAM bsc#1228535 CVE-2024-7264 ASN.1 date parser overread
 Patch10:        curl-CVE-2024-7264.patch
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 Requires:       libcurl4 = %{version}
@ -54,17 +60,7 @@ BuildRequires:  pkgconfig(libbrotlidec)
 BuildRequires:  pkgconfig(libidn2)
 # Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922]
 # BuildRequires:  pkgconfig(libmetalink)
-#
+BuildRequires:  pkgconfig(libnghttp2)
 # The 7.86.0 cURL release introduced the use of
 # nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
 # a function introduced by the 1.50.0 nghttp2 release.
 #
 # This is a bandaid, as cURL didn't provide a function/version check
 # in their build scripts. Without this some users my end up with a broken
 # Zypper/cURL if they have a libnghttp2 < 1.50.0 yet in their system,
 # and do some Zypper transaction that updates cURL, but not libnghttp2.
 #
 BuildRequires:  pkgconfig(libnghttp2) >= 1.50.0
 BuildRequires:  pkgconfig(libpsl)
 BuildRequires:  pkgconfig(libssh)
 BuildRequires:  pkgconfig(libzstd)
@ -108,8 +104,7 @@ DICT, TELNET, LDAP, or FILE). The command is designed to work without
 user interaction or any kind of interactivity.
 %prep
-%setup -q -n curl-%{version}
+%autosetup -p1
 %autopatch -p1
 %build
 # curl complains if macro definition is contained in CFLAGS