diff --git a/SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch b/SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch new file mode 100644 index 0000000..388e0c4 --- /dev/null +++ b/SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch @@ -0,0 +1,59 @@ +From a6fcd8a32f3b1c5d80e524f8b2c1de32e6ecdb2b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 31 May 2020 23:09:59 +0200 +Subject: [PATCH] tool_getparam: -i is not OK if -J is used + +Reported-by: sn on hackerone +Bug: https://curl.haxx.se/docs/CVE-2020-8177.html + +Upstream-commit: 8236aba58542c5f89f1d41ca09d84579efb05e22 +Signed-off-by: Kamil Dudka +--- + src/tool_cb_hdr.c | 13 ++++--------- + src/tool_getparam.c | 5 +++++ + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c +index 3b10238..b80707f 100644 +--- a/src/tool_cb_hdr.c ++++ b/src/tool_cb_hdr.c +@@ -132,16 +132,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata) + filename = parse_filename(p, len); + if(filename) { + if(outs->stream) { +- /* already opened and possibly written to */ +- if(outs->fopened) +- fclose(outs->stream); +- outs->stream = NULL; +- +- /* rename the initial file name to the new file name */ +- rename(outs->filename, filename); +- if(outs->alloc_filename) +- free(outs->filename); ++ /* indication of problem, get out! */ ++ free(filename); ++ return failure; + } ++ + outs->is_cd_filename = TRUE; + outs->s_isreg = TRUE; + outs->fopened = FALSE; +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 764caa2..c5c7429 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -1745,6 +1745,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + } + break; + case 'i': ++ if(config->content_disposition) { ++ warnf(global, ++ "--include and --remote-header-name cannot be combined.\n"); ++ return PARAM_BAD_USE; ++ } + config->show_headers = toggle; /* show the headers as well in the + general output stream */ + break; +-- +2.21.3 + diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 7b8aceb..78b2cd3 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 13%{?dist} +Release: 14%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -55,6 +55,9 @@ Patch19: 0019-curl-7.65.3-CVE-2019-5481.patch # load built-in openssl engines (#1854369) Patch20: 0020-curl-7.61.1-openssl-engines.patch +# avoid overwriting a local file with -J (CVE-2020-8177) +Patch21: 0021-curl-7.61.1-CVE-2020-8177.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -238,6 +241,7 @@ git apply %{PATCH4} %patch18 -p1 %patch19 -p1 %patch20 -p1 +%patch21 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -398,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Jul 28 2020 Kamil Dudka - 7.61.1-14 +- avoid overwriting a local file with -J (CVE-2020-8177) + * Wed Jul 15 2020 Kamil Dudka - 7.61.1-13 - load built-in openssl engines (#1854369)