Sync from SUSE:SLFO:Main curl revision c63d3b2adf6bc69325143335ca0f1cad

This commit is contained in:
Adrian Schröter 2024-06-07 18:38:04 +02:00
parent 59d34073d7
commit eb6d4068f5
6 changed files with 345 additions and 0 deletions

133
curl-CVE-2024-2004.patch Normal file
View File

@ -0,0 +1,133 @@
From 17d302e56221f5040092db77d4f85086e8a20e0e Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Tue, 27 Feb 2024 15:43:56 +0100
Subject: [PATCH] setopt: Fix disabling all protocols
When disabling all protocols without enabling any, the resulting
set of allowed protocols remained the default set. Clearing the
allowed set before inspecting the passed value from --proto make
the set empty even in the errorpath of no protocols enabled.
Co-authored-by: Dan Fandrich <dan@telarity.com>
Reported-by: Dan Fandrich <dan@telarity.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Closes: #13004
---
lib/setopt.c | 16 ++++++++--------
tests/data/Makefile.inc | 2 +-
tests/data/test1474 | 42 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 51 insertions(+), 9 deletions(-)
create mode 100644 tests/data/test1474
diff --git a/lib/setopt.c b/lib/setopt.c
index 6a4990cce6731b..ce1321fc80be9d 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -155,6 +155,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp)
static CURLcode protocol2num(const char *str, curl_prot_t *val)
{
+ /*
+ * We are asked to cherry-pick protocols, so play it safe and disallow all
+ * protocols to start with, and re-add the wanted ones back in.
+ */
+ *val = 0;
+
if(!str)
return CURLE_BAD_FUNCTION_ARGUMENT;
@@ -163,8 +169,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val)
return CURLE_OK;
}
- *val = 0;
-
do {
const char *token = str;
size_t tlen;
@@ -2654,22 +2658,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
break;
case CURLOPT_PROTOCOLS_STR: {
- curl_prot_t prot;
argptr = va_arg(param, char *);
- result = protocol2num(argptr, &prot);
+ result = protocol2num(argptr, &data->set.allowed_protocols);
if(result)
return result;
- data->set.allowed_protocols = prot;
break;
}
case CURLOPT_REDIR_PROTOCOLS_STR: {
- curl_prot_t prot;
argptr = va_arg(param, char *);
- result = protocol2num(argptr, &prot);
+ result = protocol2num(argptr, &data->set.redir_protocols);
if(result)
return result;
- data->set.redir_protocols = prot;
break;
}
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index c20f90d945cc90..b80ffb618e55b9 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -187,7 +187,7 @@ test1439 test1440 test1441 test1442 test1443 test1444 test1445 test1446 \
test1447 test1448 test1449 test1450 test1451 test1452 test1453 test1454 \
test1455 test1456 test1457 test1458 test1459 test1460 test1461 test1462 \
test1463 test1464 test1465 test1466 test1467 test1468 test1469 test1470 \
-test1471 test1472 test1473 test1475 test1476 test1477 test1478 \
+test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 \
\
test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
diff --git a/tests/data/test1474 b/tests/data/test1474
new file mode 100644
index 00000000000000..c66fa2810483f2
--- /dev/null
+++ b/tests/data/test1474
@@ -0,0 +1,42 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+--proto
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+<features>
+http
+</features>
+<name>
+--proto -all disables all protocols
+</name>
+<command>
+--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 1 - Protocol "http" disabled
+<errorcode>
+1
+</errorcode>
+</verify>
+</testcase>

47
curl-CVE-2024-2379.patch Normal file
View File

@ -0,0 +1,47 @@
From aedbbdf18e689a5eee8dc39600914f5eda6c409c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 11 Mar 2024 10:53:08 +0100
Subject: [PATCH] vquic-tls: return appropirate errors on wolfSSL errors
Reported-by: Dexter Gerig
Closes #13107
---
lib/vquic/vquic-tls.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c
index cc7794e405a5f6..dbde21f476f1dc 100644
--- a/lib/vquic/vquic-tls.c
+++ b/lib/vquic/vquic-tls.c
@@ -375,6 +375,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
char error_buffer[256];
ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer));
failf(data, "wolfSSL failed to set ciphers: %s", error_buffer);
+ result = CURLE_BAD_FUNCTION_ARGUMENT;
goto out;
}
@@ -382,6 +383,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
conn_config->curves :
(char *)QUIC_GROUPS) != 1) {
failf(data, "wolfSSL failed to set curves");
+ result = CURLE_BAD_FUNCTION_ARGUMENT;
goto out;
}
@@ -392,6 +394,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
wolfSSL_CTX_set_keylog_callback(ctx->ssl_ctx, keylog_callback);
#else
failf(data, "wolfSSL was built without keylog callback");
+ result = CURLE_NOT_BUILT_IN;
goto out;
#endif
}
@@ -414,6 +417,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
" CAfile: %s CApath: %s",
ssl_cafile ? ssl_cafile : "none",
ssl_capath ? ssl_capath : "none");
+ result = CURLE_SSL_CACERT;
goto out;
}
infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");

89
curl-CVE-2024-2398.patch Normal file
View File

@ -0,0 +1,89 @@
From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Wed, 6 Mar 2024 09:36:08 +0100
Subject: [PATCH] http2: push headers better cleanup
- provide common cleanup method for push headers
Closes #13054
---
lib/http2.c | 34 +++++++++++++++-------------------
1 file changed, 15 insertions(+), 19 deletions(-)
Index: curl-8.6.0/lib/http2.c
===================================================================
--- curl-8.6.0.orig/lib/http2.c
+++ curl-8.6.0/lib/http2.c
@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct
return CURLE_OK;
}
+static void free_push_headers(struct stream_ctx *stream)
+{
+ size_t i;
+ for(i = 0; i<stream->push_headers_used; i++)
+ free(stream->push_headers[i]);
+ Curl_safefree(stream->push_headers);
+ stream->push_headers_used = 0;
+}
+
static void http2_data_done(struct Curl_cfilter *cf,
struct Curl_easy *data, bool premature)
{
@@ -317,15 +326,7 @@ static void http2_data_done(struct Curl_
Curl_bufq_free(&stream->recvbuf);
Curl_h1_req_parse_free(&stream->h1);
Curl_dynhds_free(&stream->resp_trailers);
- if(stream->push_headers) {
- /* if they weren't used and then freed before */
- for(; stream->push_headers_used > 0; --stream->push_headers_used) {
- free(stream->push_headers[stream->push_headers_used - 1]);
- }
- free(stream->push_headers);
- stream->push_headers = NULL;
- }
-
+ free_push_headers(stream);
free(stream);
H2_STREAM_LCTX(data) = NULL;
}
@@ -872,7 +873,6 @@ static int push_promise(struct Curl_cfil
struct curl_pushheaders heads;
CURLMcode rc;
CURLcode result;
- size_t i;
/* clone the parent */
struct Curl_easy *newhandle = h2_duphandle(cf, data);
if(!newhandle) {
@@ -917,11 +917,7 @@ static int push_promise(struct Curl_cfil
Curl_set_in_callback(data, false);
/* free the headers again */
- for(i = 0; i<stream->push_headers_used; i++)
- free(stream->push_headers[i]);
- free(stream->push_headers);
- stream->push_headers = NULL;
- stream->push_headers_used = 0;
+ free_push_headers(stream);
if(rv) {
DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
@@ -1468,14 +1464,14 @@ static int on_header(nghttp2_session *se
if(stream->push_headers_alloc > 1000) {
/* this is beyond crazy many headers, bail out */
failf(data_s, "Too many PUSH_PROMISE headers");
- Curl_safefree(stream->push_headers);
+ free_push_headers(stream);
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
stream->push_headers_alloc *= 2;
- headp = Curl_saferealloc(stream->push_headers,
- stream->push_headers_alloc * sizeof(char *));
+ headp = realloc(stream->push_headers,
+ stream->push_headers_alloc * sizeof(char *));
if(!headp) {
- stream->push_headers = NULL;
+ free_push_headers(stream);
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
stream->push_headers = headp;

40
curl-CVE-2024-2466.patch Normal file
View File

@ -0,0 +1,40 @@
From 3d0fd382a29b95561b90b7ea3e7eb04dfdd43538 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Fri, 15 Mar 2024 10:10:13 +0100
Subject: [PATCH] mbedtls: fix pytest for newer versions
Fix the expectations in pytest for newer versions of mbedtls
Closes #13132
---
lib/vtls/mbedtls.c | 15 +++++++--------
tests/http/test_10_proxy.py | 8 ++++++--
tests/http/testenv/env.py | 14 +++++++++++---
3 files changed, 24 insertions(+), 13 deletions(-)
Index: curl-8.6.0/lib/vtls/mbedtls.c
===================================================================
--- curl-8.6.0.orig/lib/vtls/mbedtls.c
+++ curl-8.6.0/lib/vtls/mbedtls.c
@@ -654,14 +654,13 @@ mbed_connect_step1(struct Curl_cfilter *
&backend->clicert, &backend->pk);
}
- if(connssl->peer.sni) {
- if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni)) {
- /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
- the name to set in the SNI extension. So even if curl connects to a
- host specified as an IP address, this function must be used. */
- failf(data, "Failed to set SNI");
- return CURLE_SSL_CONNECT_ERROR;
- }
+ if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni?
+ connssl->peer.sni : connssl->peer.hostname)) {
+ /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
+ the name to set in the SNI extension. So even if curl connects to a
+ host specified as an IP address, this function must be used. */
+ failf(data, "Failed to set SNI");
+ return CURLE_SSL_CONNECT_ERROR;
}
#ifdef HAS_ALPN

View File

@ -1,3 +1,31 @@
-------------------------------------------------------------------
Wed Mar 27 18:32:08 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1221666, CVE-2024-2379]
* curl: QUIC certificate check bypass with wolfSSL
* Add curl-CVE-2024-2379.patch
-------------------------------------------------------------------
Wed Mar 27 18:21:59 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1221668, CVE-2024-2466]
* curl: TLS certificate check bypass with mbedTLS
* Add curl-CVE-2024-2466.patch
-------------------------------------------------------------------
Fri Mar 22 13:55:01 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1221665, CVE-2024-2004]
* Usage of disabled protocol
* Add curl-CVE-2024-2004.patch
-------------------------------------------------------------------
Thu Mar 21 12:27:30 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1221667, CVE-2024-2398]
* curl: HTTP/2 push headers memory-leak
* Add curl-CVE-2024-2398.patch
-------------------------------------------------------------------
Wed Jan 31 09:11:56 UTC 2024 - Pedro Monreal <pmonreal@suse.com>

View File

@ -35,6 +35,14 @@ Patch1: dont-mess-with-rpmoptflags.patch
Patch2: curl-secure-getenv.patch
#PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
Patch3: curl-disabled-redirect-protocol-message.patch
#PATCH-FIX-UPSTREAM bsc#1221665 CVE-2024-2004 Usage of disabled protocol
Patch4: curl-CVE-2024-2004.patch
#PATCH-FIX-UPSTREAM bsc#1221667 CVE-2024-2398 HTTP/2 push headers memory-leak
Patch5: curl-CVE-2024-2398.patch
#PATCH-FIX-UPSTREAM bsc#1221666 CVE-2024-2379 QUIC certificate check bypass with wolfSSL
Patch6: curl-CVE-2024-2379.patch
#PATCH-FIX-UPSTREAM bsc#1221668 CVE-2024-2466 TLS certificate check bypass with mbedTLS
Patch7: curl-CVE-2024-2466.patch
BuildRequires: libtool
BuildRequires: pkgconfig
Requires: libcurl4 = %{version}