From dcd8c1b66fb2d27d761d388067331caec5007a7b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 10 2020 09:47:01 +0000 Subject: import curl-7.29.0-59.el7_9.1 --- diff --git a/SOURCES/0075-curl-7.29.0-CVE-2020-8177.patch b/SOURCES/0075-curl-7.29.0-CVE-2020-8177.patch new file mode 100644 index 0000000..a03f89c --- /dev/null +++ b/SOURCES/0075-curl-7.29.0-CVE-2020-8177.patch @@ -0,0 +1,51 @@ +From a6fcd8a32f3b1c5d80e524f8b2c1de32e6ecdb2b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 31 May 2020 23:09:59 +0200 +Subject: [PATCH] tool_getparam: -i is not OK if -J is used + +Reported-by: sn on hackerone +Bug: https://curl.haxx.se/docs/CVE-2020-8177.html + +Upstream-commit: 8236aba58542c5f89f1d41ca09d84579efb05e22 +Signed-off-by: Kamil Dudka +--- + src/tool_cb_hdr.c | 6 ++++++ + src/tool_getparam.c | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c +index 3b10238..b80707f 100644 +--- a/src/tool_cb_hdr.c ++++ b/src/tool_cb_hdr.c +@@ -112,6 +112,12 @@ size_t tool_header_cb(void *ptr, size_t size, size_t nmemb, void *userdata) + len = (ssize_t)cb - (p - str); + filename = parse_filename(p, len); + if(filename) { ++ if(outs->stream) { ++ /* indication of problem, get out! */ ++ free(filename); ++ return failure; ++ } ++ + outs->filename = filename; + outs->alloc_filename = TRUE; + outs->is_cd_filename = TRUE; +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 764caa2..c5c7429 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -1404,6 +1404,11 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ + return err; + break; + case 'i': ++ if(config->content_disposition) { ++ warnf(config, ++ "--include and --remote-header-name cannot be combined.\n"); ++ return PARAM_BAD_USE; ++ } + config->include_headers = toggle; /* include the headers as well in the + general output stream */ + break; +-- +2.21.3 + diff --git a/SPECS/curl.spec b/SPECS/curl.spec index fe56d67..8c8a795 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.29.0 -Release: 59%{?dist} +Release: 59%{?dist}.1 License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma @@ -229,6 +229,9 @@ Patch73: 0073-curl-7.29.0-post-cdev.patch # http: free protocol-specific struct in setup_connection callback (#1836773) Patch74: 0074-curl-7.29.0-http-setup_connection.patch +# avoid overwriting a local file with -J (CVE-2020-8177) +Patch75: 0075-curl-7.29.0-CVE-2020-8177.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.29.0-multilib.patch @@ -433,6 +436,7 @@ documentation of the library, too. %patch72 -p1 %patch73 -p1 %patch74 -p1 +%patch75 -p1 # regenerate Makefile.in files aclocal -I m4 @@ -548,6 +552,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Tue Jul 28 2020 Kamil Dudka - 7.29.0-59.el7_9.1 +- avoid overwriting a local file with -J (CVE-2020-8177) + * Tue Jun 02 2020 Kamil Dudka - 7.29.0-59 - http: free protocol-specific struct in setup_connection callback (#1836773)