From c4f73db1f22f2b57d6ccfdf58cfd55c2c187bd8f Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jan 11 2023 14:11:07 +0000
Subject: import curl-7.61.1-28.el8


---

diff --git a/SOURCES/0045-curl-7.61.1-CVE-2022-43552.patch b/SOURCES/0045-curl-7.61.1-CVE-2022-43552.patch
new file mode 100644
index 0000000..3ffacc5
--- /dev/null
+++ b/SOURCES/0045-curl-7.61.1-CVE-2022-43552.patch
@@ -0,0 +1,81 @@
+From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+
+Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/smb.c    | 14 ++------------
+ lib/telnet.c |  3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 039d680..f682c1f 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -61,8 +61,6 @@ static CURLcode smb_connect(struct connectdata *conn, bool *done);
+ static CURLcode smb_connection_state(struct connectdata *conn, bool *done);
+ static CURLcode smb_do(struct connectdata *conn, bool *done);
+ static CURLcode smb_request_state(struct connectdata *conn, bool *done);
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+-                         bool premature);
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead);
+ static int smb_getsock(struct connectdata *conn, curl_socket_t *socks,
+                        int numsocks);
+@@ -75,7 +73,7 @@ const struct Curl_handler Curl_handler_smb = {
+   "SMB",                                /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -100,7 +98,7 @@ const struct Curl_handler Curl_handler_smbs = {
+   "SMBS",                               /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -915,14 +913,6 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
+   return CURLE_OK;
+ }
+ 
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+-                         bool premature)
+-{
+-  (void) premature;
+-  Curl_safefree(conn->data->req.protop);
+-  return status;
+-}
+-
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead)
+ {
+   struct smb_conn *smbc = &conn->proto.smbc;
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 923c7f8..48cd0d7 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -1294,9 +1294,6 @@ static CURLcode telnet_done(struct connectdata *conn,
+ 
+   curl_slist_free_all(tn->telnet_vars);
+   tn->telnet_vars = NULL;
+-
+-  Curl_safefree(conn->data->req.protop);
+-
+   return CURLE_OK;
+ }
+ 
+-- 
+2.38.1
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 1267117..70ec4ae 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -127,6 +127,9 @@ Patch43:  0043-curl-7.61.1-CVE-2022-35252.patch
 # upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1 (#2139337)
 Patch44:  0044-curl-7.61.1-retry-http11.patch
 
+# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
+Patch45:  0045-curl-7.61.1-CVE-2022-43552.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -344,6 +347,7 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
 %patch42 -p1
 %patch43 -p1
 %patch44 -p1
+%patch45 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -506,6 +510,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Dec 21 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-28
+- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
+
 * Fri Nov 18 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-27
 - upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1 (#2139337)