From e88b99931044b24813b405e4bcba04200dd952a6 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 05 2020 08:08:48 +0000
Subject: import curl-7.61.1-15.el8


---

diff --git a/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch b/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
new file mode 100644
index 0000000..6d0c10c
--- /dev/null
+++ b/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
@@ -0,0 +1,143 @@
+From 7a26092a9e21f1e0dc3cad69a580a7e2c7822ad0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 16 Aug 2020 11:34:35 +0200
+Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer
+
+CVE-2020-8231
+
+Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
+
+Reported-by: Marc Aldorasi
+Closes #5824
+
+Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/connect.c | 19 ++++++++++---------
+ lib/easy.c    |  3 +--
+ lib/multi.c   |  5 +++--
+ lib/url.c     |  2 +-
+ lib/urldata.h |  2 +-
+ 5 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 41f2202..f724646 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -1214,15 +1214,15 @@ CURLcode Curl_connecthost(struct connectdata *conn,  /* context */
+ }
+ 
+ struct connfind {
+-  struct connectdata *tofind;
+-  bool found;
++  long id_tofind;
++  struct connectdata *found;
+ };
+ 
+ static int conn_is_conn(struct connectdata *conn, void *param)
+ {
+   struct connfind *f = (struct connfind *)param;
+-  if(conn == f->tofind) {
+-    f->found = TRUE;
++  if(conn->connection_id == f->id_tofind) {
++    f->found = conn;
+     return 1;
+   }
+   return 0;
+@@ -1244,21 +1244,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
+    * - that is associated with a multi handle, and whose connection
+    *   was detached with CURLOPT_CONNECT_ONLY
+    */
+-  if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+-    struct connectdata *c = data->state.lastconnect;
++  if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++    struct connectdata *c;
+     struct connfind find;
+-    find.tofind = data->state.lastconnect;
+-    find.found = FALSE;
++    find.id_tofind = data->state.lastconnect_id;
++    find.found = NULL;
+ 
+     Curl_conncache_foreach(data, data->multi_easy?
+                            &data->multi_easy->conn_cache:
+                            &data->multi->conn_cache, &find, conn_is_conn);
+ 
+     if(!find.found) {
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+       return CURL_SOCKET_BAD;
+     }
+ 
++    c = find.found;
+     if(connp) {
+       /* only store this if the caller cares for it */
+       *connp = c;
+diff --git a/lib/easy.c b/lib/easy.c
+index 027d0be..fe61cdd 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -919,8 +919,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+ 
+   /* the connection cache is setup on demand */
+   outcurl->state.conn_cache = NULL;
+-
+-  outcurl->state.lastconnect = NULL;
++  outcurl->state.lastconnect_id = -1;
+ 
+   outcurl->progress.flags    = data->progress.flags;
+   outcurl->progress.callback = data->progress.callback;
+diff --git a/lib/multi.c b/lib/multi.c
+index 0caf943..0f57fd5 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -427,6 +427,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+     data->state.conn_cache = &data->share->conn_cache;
+   else
+     data->state.conn_cache = &multi->conn_cache;
++  data->state.lastconnect_id = -1;
+ 
+ #ifdef USE_LIBPSL
+   /* Do the same for PSL. */
+@@ -644,11 +645,11 @@ static CURLcode multi_done(struct connectdata **connp,
+     /* the connection is no longer in use by this transfer */
+     if(Curl_conncache_return_conn(conn)) {
+       /* remember the most recently used connection */
+-      data->state.lastconnect = conn;
++      data->state.lastconnect_id = conn->connection_id;
+       infof(data, "%s\n", buffer);
+     }
+     else
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+   }
+ 
+   *connp = NULL; /* to make the caller of this function better detect that
+diff --git a/lib/url.c b/lib/url.c
+index dcc6cc8..d65d17d 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -592,7 +592,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
+       Curl_initinfo(data);
+ 
+       /* most recent connection is not yet defined */
+-      data->state.lastconnect = NULL;
++      data->state.lastconnect_id = -1;
+ 
+       data->progress.flags |= PGRS_HIDE;
+       data->state.current_speed = -1; /* init to negative == impossible */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 67db3b2..4b70cc5 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1219,7 +1219,7 @@ struct UrlState {
+   /* buffers to store authentication data in, as parsed from input options */
+   struct curltime keeps_speed; /* for the progress meter really */
+ 
+-  struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++  long lastconnect_id; /* The last connection, -1 if undefined */
+ 
+   char *headerbuff; /* allocated buffer to store headers in */
+   size_t headersize;   /* size of the allocation */
+-- 
+2.25.4
+
diff --git a/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch b/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
new file mode 100644
index 0000000..f6bcb01
--- /dev/null
+++ b/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
@@ -0,0 +1,60 @@
+From 9d5903ebcbcbcc4f3a997ec7d5552721c5383b9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20Ba=C5=A1ti?= <mbasti@redhat.com>
+Date: Thu, 27 Aug 2020 23:09:56 +0200
+Subject: [PATCH] http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
+
+... in case NO_PROXY takes an effect
+
+Without this patch, the following command crashes:
+
+    $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \
+        git clone https://github.com/curl/curl.git
+
+Minimal libcurl-based reproducer:
+
+    #include <curl/curl.h>
+
+    int main() {
+      CURL *curl = curl_easy_init();
+      if(curl) {
+        CURLcode ret;
+        curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/");
+        curl_easy_setopt(curl, CURLOPT_PROXY, "example.com");
+        /* set the proxy type */
+        curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
+        curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com");
+        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
+        ret = curl_easy_perform(curl);
+        curl_easy_cleanup(curl);
+        return ret;
+      }
+      return -1;
+    }
+
+Assisted-by: Kamil Dudka
+Bug: https://bugzilla.redhat.com/1873327
+Closes #5902
+
+Upstream-commit: 3eff1c5092e542819ac7e6454a70c94b36ab2a40
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index d65d17d..e77f391 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3074,6 +3074,9 @@ static CURLcode create_conn_helper_init_proxy(struct connectdata *conn)
+     conn->bits.socksproxy = FALSE;
+     conn->bits.proxy_user_passwd = FALSE;
+     conn->bits.tunnel_proxy = FALSE;
++    /* CURLPROXY_HTTPS does not have its own flag in conn->bits, yet we need
++       to signal that CURLPROXY_HTTPS is not used for this connection */
++    conn->http_proxy.proxytype = CURLPROXY_HTTP;
+   }
+ 
+ out:
+-- 
+2.25.4
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 78b2cd3..f136a0a 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -58,6 +58,12 @@ Patch20:  0020-curl-7.61.1-openssl-engines.patch
 # avoid overwriting a local file with -J (CVE-2020-8177)
 Patch21:  0021-curl-7.61.1-CVE-2020-8177.patch
 
+# libcurl: wrong connect-only connection (CVE-2020-8231)
+Patch22:  0022-curl-7.61.1-CVE-2020-8231.patch
+
+# do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+Patch23:  0023-curl-7.61.1-no-https-proxy-crash.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -242,6 +248,8 @@ git apply %{PATCH4}
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
+%patch22 -p1
+%patch23 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -402,6 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Tue Nov 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-15
+- do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+- libcurl: wrong connect-only connection (CVE-2020-8231)
+
 * Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14
 - avoid overwriting a local file with -J (CVE-2020-8177)