diff --git a/SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch b/SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch
new file mode 100644
index 0000000..dbd2496
--- /dev/null
+++ b/SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch
@@ -0,0 +1,116 @@
+From 239f8d93866605b05f4e6b551f4327dc7fcb922b Mon Sep 17 00:00:00 2001
+From: Viktor Szakats
+Date: Tue, 23 Feb 2021 14:54:46 +0100
+Subject: [PATCH 1/2] transfer: strip credentials from the auto-referer header
+ field
+
+Added test 2081 to verify.
+
+CVE-2021-22876
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+
+Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c
+Signed-off-by: Kamil Dudka
+---
+ lib/transfer.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index ecd1063..263b178 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1473,6 +1473,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ /* Location: redirect */
+ bool disallowport = FALSE;
+ bool reachedmax = FALSE;
++ CURLUcode uc;
+
+ if(type == FOLLOW_REDIR) {
+ if((data->set.maxredirs != -1) &&
+@@ -1488,6 +1489,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ data->set.followlocation++; /* count location-followers */
+
+ if(data->set.http_auto_referer) {
++ CURLU *u;
++ char *referer;
++
+ /* We are asked to automatically set the previous URL as the referer
+ when we get the next URL. 
We pick the ->url field, which may or may
+ not be 100% correct */
+@@ -1497,9 +1501,26 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ data->change.referer_alloc = FALSE;
+ }
+
+- data->change.referer = strdup(data->change.url);
+- if(!data->change.referer)
++ /* Make a copy of the URL without crenditals and fragment */
++ u = curl_url();
++ if(!u)
++ return CURLE_OUT_OF_MEMORY;
++
++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++ curl_url_cleanup(u);
++
++ if(uc || referer == NULL)
+ return CURLE_OUT_OF_MEMORY;
++ data->change.referer = referer;
+ data->change.referer_alloc = TRUE; /* yes, free this later */
+ }
+ }
+--
+2.30.2
+
+
+From f7d1d478b87499ce31d6aa3251830b78447ad952 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 29 Mar 2021 09:32:14 +0200
+Subject: [PATCH 2/2] transfer: clear 'referer' in declaration
+
+To silence (false positive) compiler warnings about it.
+
+Follow-up to 7214288898f5625
+
+Reviewed-by: Marcel Raad
+Closes #6810
+
+Upstream-commit: 6bb028dbda6cbfe83f66de773544f71e4813160f
+Signed-off-by: Kamil Dudka
+---
+ lib/transfer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 263b178..ad5a7ba 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1490,7 +1490,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
+
+ if(data->set.http_auto_referer) {
+ CURLU *u;
+- char *referer;
++ char *referer = NULL;
+
+ /* We are asked to automatically set the previous URL as the referer
+ when we get the next URL. 
We pick the ->url field, which may or may
+@@ -1518,7 +1518,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
+
+ curl_url_cleanup(u);
+
+- if(uc || referer == NULL)
++ if(uc || !referer)
+ return CURLE_OUT_OF_MEMORY;
+ data->change.referer = referer;
+ data->change.referer_alloc = TRUE; /* yes, free this later */
+--
+2.30.2
+
diff --git a/SOURCES/0030-curl-7.61.1-file-head.patch b/SOURCES/0030-curl-7.61.1-file-head.patch
new file mode 100644
index 0000000..e545e8e
--- /dev/null
+++ b/SOURCES/0030-curl-7.61.1-file-head.patch
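Review bot: The `if(uc || !referer) return CURLE_OUT_OF_MEMORY;` check in Curl_follow reports every CURLUcode failure as an allocation failure, so a URL that curl_url_set() rejects cannot be told apart from OOM by the caller; if that is intended, a comment such as `/* any URL API failure is reported as out of memory */` would make it explicit. The commit message says test 2081 was added to verify the fix, but the diffstat of this backport lists only lib/transfer.c, so the credential stripping appears to ship without its regression test. The new comment should read `/* Make a copy of the URL without credentials and fragment */`. Curl_follow starts and ends outside the hunks shown.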
@@ -0,0 +1,693 @@
+From 87e3d094e0dc00efc1abeb2b142d453024cbca69 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 4 Oct 2018 23:53:32 +0200
+Subject: [PATCH] FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
+
+Now FILE transfers send headers to the header callback like HTTP and
+other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...)
+work for FILE in the callbacks.
+
+Makes "curl -i file://.." and "curl -I file://.." work like before
+again. Applied the bold header logic to them too.
+
+Regression from c1c2762 (7.61.0)
+
+Reported-by: Shaun Jackman
+Fixes #3083
+Closes #3101
+
+Upstream-commit: e50a2002bd450a4800a165d2874ed79c95b33a07
+Signed-off-by: Kamil Dudka
+---
+ lib/file.c | 27 +++++++++++++--------------
+ lib/getinfo.c | 1 -
+ lib/url.c | 1 +
+ src/tool_cb_hdr.c | 5 +++--
+ tests/data/test1016 | 2 +-
+ tests/data/test1017 | 2 +-
+ tests/data/test1018 | 2 +-
+ tests/data/test1019 | 2 +-
+ tests/data/test1020 | 2 +-
+ tests/data/test1029 | 2 +-
+ tests/data/test1146 | 2 +-
+ tests/data/test1220 | 2 +-
+ tests/data/test200 | 2 +-
+ tests/data/test2000 | 2 +-
+ tests/data/test2001 | 13 +------------
+ tests/data/test2002 | 13 +------------
+ tests/data/test2003 | 26 ++------------------------
+ tests/data/test2004 | 2 +-
+ tests/data/test2006 | 8 ++++++++
+ tests/data/test2007 | 8 ++++++++
+ tests/data/test2008 | 8 ++++++++
+ tests/data/test2009 | 8 ++++++++
+ tests/data/test2010 | 8 ++++++++
+ tests/data/test202 | 2 +-
+ tests/data/test203 | 2 +-
+ tests/data/test204 | 2 +-
+ tests/data/test205 | 2 +-
+ tests/data/test2070 | 2 +-
+ tests/data/test2071 | 2 +-
+ tests/data/test2072 | 2 +-
+ tests/data/test210 | 2 +-
+ tests/data/test231 | 2 +-
+ tests/data/test288 | 2 +-
+ 33 files changed, 82 insertions(+), 86 deletions(-)
+
+diff --git a/lib/file.c b/lib/file.c
+index e50e988..f780658 100644
+--- a/lib/file.c
++++ b/lib/file.c
+@@ -386,7 +386,6 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
+
+ *done = TRUE; /* 
unconditionally */
+
+- Curl_initinfo(data);
+ Curl_pgrsStartNow(data);
+
+ if(data->set.upload)
+@@ -413,21 +412,18 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
+ }
+ }
+
+- /* If we have selected NOBODY and HEADER, it means that we only want file
+- information. Which for FILE can't be much more than the file size and
+- date. */
+- if(data->set.opt_no_body && data->set.include_header && fstated) {
++ if(fstated) {
+ time_t filetime;
+ struct tm buffer;
+ const struct tm *tm = &buffer;
+ char header[80];
+ snprintf(header, sizeof(header),
+ "Content-Length: %" CURL_FORMAT_CURL_OFF_T "\r\n", expected_size);
+- result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0);
++ result = Curl_client_write(conn, CLIENTWRITE_HEADER, header, 0);
+ if(result)
+ return result;
+
+- result = Curl_client_write(conn, CLIENTWRITE_BOTH,
++ result = Curl_client_write(conn, CLIENTWRITE_HEADER,
+ (char *)"Accept-ranges: bytes\r\n", 0);
+ if(result)
+ return result;
+@@ -439,19 +435,22 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
+
+ /* format: "Tue, 15 Nov 1994 12:45:26 GMT" */
+ snprintf(header, sizeof(header),
+- "Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT\r\n",
++ "Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT\r\n%s",
+ Curl_wkday[tm->tm_wday?tm->tm_wday-1:6],
+ tm->tm_mday,
+ Curl_month[tm->tm_mon],
+ tm->tm_year + 1900,
+ tm->tm_hour,
+ tm->tm_min,
+- tm->tm_sec);
+- result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0);
+- if(!result)
+- /* set the file size to make it available post transfer */
+- Curl_pgrsSetDownloadSize(data, expected_size);
+- return result;
++ tm->tm_sec,
++ data->set.opt_no_body ? 
"": "\r\n");
++ result = Curl_client_write(conn, CLIENTWRITE_HEADER, header, 0);
++ if(result)
++ return result;
++ /* set the file size to make it available post transfer */
++ Curl_pgrsSetDownloadSize(data, expected_size);
++ if(data->set.opt_no_body)
++ return result;
+ }
+
+ /* Check whether file range has been specified */
+diff --git a/lib/getinfo.c b/lib/getinfo.c
+index 14b4562..54c2c2f 100644
+--- a/lib/getinfo.c
++++ b/lib/getinfo.c
+@@ -85,7 +85,6 @@ CURLcode Curl_initinfo(struct Curl_easy *data)
+ #ifdef USE_SSL
+ Curl_ssl_free_certinfo(data);
+ #endif
+-
+ return CURLE_OK;
+ }
+
+diff --git a/lib/url.c b/lib/url.c
+index b18db25..bb9d107 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -4290,6 +4290,7 @@ static CURLcode create_conn(struct Curl_easy *data,
+ /* this is supposed to be the connect function so we better at least check
+ that the file is present here! */
+ DEBUGASSERT(conn->handler->connect_it);
++ Curl_persistconninfo(conn);
+ result = conn->handler->connect_it(conn, &done);
+
+ /* Setup a "faked" transfer that'll do nothing */
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index e91e8ac..4f21221 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -153,8 +153,9 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+ }
+
+ if(hdrcbdata->config->show_headers &&
+- (protocol & (CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_RTSP))) {
+- /* bold headers only happen for HTTP(S) and RTSP */
++ (protocol &
++ (CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_RTSP|CURLPROTO_FILE))) {
++ /* bold headers only for selected protocols */
+ char *value = NULL;
+
+ if(!outs->stream && !tool_create_output_file(outs))
+diff --git a/tests/data/test1016 b/tests/data/test1016
+index b404cac..4927f9e 100644
+--- a/tests/data/test1016
++++ b/tests/data/test1016
+@@ -22,7 +22,7 @@ file
+
+ X-Y range on a file:// URL to stdout
+
+-
++
+ -r 1-4 file://localhost/%PWD/log/test1016.txt
+
+
+diff --git a/tests/data/test1017 b/tests/data/test1017 
+index 6fbc38a..cfdd80f 100644 +--- a/tests/data/test1017 ++++ b/tests/data/test1017 +@@ -23,7 +23,7 @@ file + + 0-Y range on a file:// URL to stdout + +- ++ + -r 0-3 file://localhost/%PWD/log/test1017.txt + + +diff --git a/tests/data/test1018 b/tests/data/test1018 +index 28a7027..5748701 100644 +--- a/tests/data/test1018 ++++ b/tests/data/test1018 +@@ -22,7 +22,7 @@ file + + X-X range on a file:// URL to stdout + +- ++ + -r 4-4 file://localhost/%PWD/log/test1018.txt + + +diff --git a/tests/data/test1019 b/tests/data/test1019 +index 4d9872a..054e38d 100644 +--- a/tests/data/test1019 ++++ b/tests/data/test1019 +@@ -23,7 +23,7 @@ file + + X- range on a file:// URL to stdout + +- ++ + -r 7- file://localhost/%PWD/log/test1019.txt + + +diff --git a/tests/data/test1020 b/tests/data/test1020 +index 735871d..e924529 100644 +--- a/tests/data/test1020 ++++ b/tests/data/test1020 +@@ -23,7 +23,7 @@ file + + -Y range on a file:// URL to stdout + +- ++ + -r -9 file://localhost/%PWD/log/test1020.txt + + +diff --git a/tests/data/test1029 b/tests/data/test1029 +index 2ffc7c6..c77209c 100644 +--- a/tests/data/test1029 ++++ b/tests/data/test1029 +@@ -29,7 +29,7 @@ http + + HTTP Location: and 'redirect_url' check + +- ++ + http://%HOSTIP:%HTTPPORT/we/want/our/1029 -w '%{redirect_url}\n' + + +diff --git a/tests/data/test1146 b/tests/data/test1146 +index 43f33b7..636748e 100644 +--- a/tests/data/test1146 ++++ b/tests/data/test1146 +@@ -24,7 +24,7 @@ file + + --proto-default file + +- ++ + --proto-default file %PWD/log/test1146.txt + + +diff --git a/tests/data/test1220 b/tests/data/test1220 +index 959abbf..6752eb5 100644 +--- a/tests/data/test1220 ++++ b/tests/data/test1220 +@@ -20,7 +20,7 @@ file + + file:// URLs with query string + +- ++ + file://localhost/%PWD/log/test1220.txt?a_query=foobar#afragment + + +diff --git a/tests/data/test200 b/tests/data/test200 +index 8be1de0..c27f7c0 100644 +--- a/tests/data/test200 ++++ b/tests/data/test200 +@@ -23,7 +23,7 @@ file + + basic file:// 
file + +- ++ + file://localhost/%PWD/log/test200.txt + + +diff --git a/tests/data/test2000 b/tests/data/test2000 +index d3edb16..db1ba13 100644 +--- a/tests/data/test2000 ++++ b/tests/data/test2000 +@@ -31,7 +31,7 @@ file + + FTP RETR followed by FILE + +- ++ + ftp://%HOSTIP:%FTPPORT/2000 file://localhost/%PWD/log/test2000.txt + + +diff --git a/tests/data/test2001 b/tests/data/test2001 +index 68c0df7..88a258e 100644 +--- a/tests/data/test2001 ++++ b/tests/data/test2001 +@@ -48,7 +48,7 @@ file + + HTTP GET followed by FTP RETR followed by FILE + +- ++ + http://%HOSTIP:%HTTPPORT/20010001 ftp://%HOSTIP:%FTPPORT/20010002 file://localhost/%PWD/log/test2001.txt + + +@@ -81,17 +81,6 @@ RETR 20010002 + QUIT + + +-HTTP/1.1 200 OK +-Date: Thu, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- + -foo- + data + to +diff --git a/tests/data/test2002 b/tests/data/test2002 +index db96bfe..6dd2f93 100644 +--- a/tests/data/test2002 ++++ b/tests/data/test2002 +@@ -57,7 +57,7 @@ tftp + + HTTP GET followed by FTP RETR followed by FILE followed by TFTP RRQ + +- ++ + http://%HOSTIP:%HTTPPORT/20020001 ftp://%HOSTIP:%FTPPORT/20020002 file://localhost/%PWD/log/test2002.txt tftp://%HOSTIP:%TFTPPORT//20020003 + + +@@ -96,17 +96,6 @@ filename: /20020003 + QUIT + + +-HTTP/1.1 200 OK +-Date: Thu, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- + -foo- + data + to +diff --git a/tests/data/test2003 b/tests/data/test2003 +index 59a743f..09bee8e 100644 +--- a/tests/data/test2003 ++++ b/tests/data/test2003 +@@ -57,8 +57,8 @@ tftp + + HTTP GET followed by FTP RETR followed by FILE followed by TFTP RRQ then again in reverse 
order + +- +-http://%HOSTIP:%HTTPPORT/20030001 ftp://%HOSTIP:%FTPPORT/20030002 file://localhost/%PWD/log/test2003.txt tftp://%HOSTIP:%TFTPPORT//20030003 tftp://%HOSTIP:%TFTPPORT//20030003 file://localhost/%PWD/log/test2003.txt ftp://%HOSTIP:%FTPPORT/20030002 http://%HOSTIP:%HTTPPORT/20030001 ++ ++http://%HOSTIP:%HTTPPORT/20030001 ftp://%HOSTIP:%FTPPORT/20030002 file://localhost/%PWD/log/test2003.txt tftp://%HOSTIP:%TFTPPORT//20030003 tftp://%HOSTIP:%TFTPPORT//20030003 file://localhost/%PWD/log/test2003.txt ftp://%HOSTIP:%FTPPORT/20030002 http://%HOSTIP:%HTTPPORT/20030001 + + + foo +@@ -109,17 +109,6 @@ Accept: */* + QUIT + + +-HTTP/1.1 200 OK +-Date: Thu, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- + -foo- + data + to +@@ -151,17 +140,6 @@ data + that FTP + works + so does it? +-HTTP/1.1 200 OK +-Date: Thu, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- + -foo- + + +diff --git a/tests/data/test2004 b/tests/data/test2004 +index 4773f69..b17890b 100644 +--- a/tests/data/test2004 ++++ b/tests/data/test2004 +@@ -29,7 +29,7 @@ sftp + + TFTP RRQ followed by SFTP retrieval followed by FILE followed by SCP retrieval then again in reverse order + +- ++ + --key curl_client_key --pubkey curl_client_key.pub -u %USER: tftp://%HOSTIP:%TFTPPORT//2004 sftp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt file://localhost/%PWD/log/test2004.txt scp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt file://localhost/%PWD/log/test2004.txt sftp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt tftp://%HOSTIP:%TFTPPORT//2004 --insecure + + +diff --git a/tests/data/test2006 b/tests/data/test2006 +index 
e25556f..3acbdae 100644 +--- a/tests/data/test2006 ++++ b/tests/data/test2006 +@@ -4,6 +4,7 @@ + Metalink + HTTP + HTTP GET ++FILE + + + +@@ -85,6 +86,10 @@ Accept: */* + Some data delivered from an HTTP resource + + ++Content-Length: 496 ++Accept-ranges: bytes ++ ++ + HTTP/1.1 200 OK + Date: Thu, 21 Jun 2012 14:49:01 GMT + Server: test-server/fake +@@ -105,6 +110,9 @@ Metalink: fetching (log/download2006) from (http://%HOSTIP:%HTTPPORT/2006) OK + Metalink: validating (log/download2006)... + Metalink: validating (log/download2006) [sha-256] OK + ++ ++s/Last-Modified:.*// ++ + + $_ = '' if (($_ !~ /^Metalink: /) && ($_ !~ /error/i) && ($_ !~ /warn/i)) + +diff --git a/tests/data/test2007 b/tests/data/test2007 +index cc4bd8c..b169c49 100644 +--- a/tests/data/test2007 ++++ b/tests/data/test2007 +@@ -5,6 +5,7 @@ Metalink + HTTP + HTTP GET + -J ++FILE + + + +@@ -85,7 +86,14 @@ Accept: */* + + Something delivered from an HTTP resource + ++ ++s/Last-Modified:.*// ++ + ++Content-Length: 496 ++Accept-ranges: bytes ++ ++ + HTTP/1.1 200 OK + Date: Thu, 21 Jun 2012 14:50:02 GMT + Server: test-server/fake +diff --git a/tests/data/test2008 b/tests/data/test2008 +index 5843792..012f221 100644 +--- a/tests/data/test2008 ++++ b/tests/data/test2008 +@@ -4,6 +4,7 @@ + Metalink + HTTP + HTTP GET ++FILE + + + +@@ -77,7 +78,14 @@ Accept: */* + + Some stuff delivered from an HTTP resource + ++ ++s/Last-Modified:.*// ++ + ++Content-Length: 496 ++Accept-ranges: bytes ++ ++ + HTTP/1.1 200 OK + Date: Thu, 21 Jun 2012 15:23:48 GMT + Server: test-server/fake +diff --git a/tests/data/test2009 b/tests/data/test2009 +index 84482ce..b0e5c6c 100644 +--- a/tests/data/test2009 ++++ b/tests/data/test2009 +@@ -5,6 +5,7 @@ Metalink + HTTP + HTTP GET + -J ++FILE + + + +@@ -78,7 +79,14 @@ Accept: */* + + Some contents delivered from an HTTP resource + ++ ++s/Last-Modified:.*// ++ + ++Content-Length: 496 ++Accept-ranges: bytes ++ ++ + HTTP/1.1 200 OK + Date: Thu, 21 Jun 2012 16:27:17 GMT + Server: 
test-server/fake +diff --git a/tests/data/test2010 b/tests/data/test2010 +index 91a83f4..33bb309 100644 +--- a/tests/data/test2010 ++++ b/tests/data/test2010 +@@ -4,6 +4,7 @@ + Metalink + HTTP + HTTP GET ++FILE + + + +@@ -77,7 +78,14 @@ Accept: */* + + Contents delivered from an HTTP resource + ++ ++s/Last-Modified:.*// ++ + ++Content-Length: 496 ++Accept-ranges: bytes ++ ++ + HTTP/1.1 200 OK + Date: Thu, 21 Jun 2012 17:37:27 GMT + Server: test-server/fake +diff --git a/tests/data/test202 b/tests/data/test202 +index f863ec5..0b324b1 100644 +--- a/tests/data/test202 ++++ b/tests/data/test202 +@@ -19,7 +19,7 @@ file + + two file:// URLs to stdout + +- ++ + file://localhost/%PWD/log/test202.txt FILE://localhost/%PWD/log/test202.txt + + +diff --git a/tests/data/test203 b/tests/data/test203 +index 366cc2c..3938426 100644 +--- a/tests/data/test203 ++++ b/tests/data/test203 +@@ -24,7 +24,7 @@ file + + file:/path URL with a single slash + +- ++ + file:%PWD/log/test203.txt + + +diff --git a/tests/data/test204 b/tests/data/test204 +index 9cc7b01..0ed9451 100644 +--- a/tests/data/test204 ++++ b/tests/data/test204 +@@ -15,7 +15,7 @@ file + + "upload" with file:// + +- ++ + file://localhost/%PWD/log/result204.txt -T log/upload204.txt + + +diff --git a/tests/data/test205 b/tests/data/test205 +index 4af93f6..f83c531 100644 +--- a/tests/data/test205 ++++ b/tests/data/test205 +@@ -16,7 +16,7 @@ file + + "upload" with file:// + +- ++ + file://localhost/%PWD/log/nonexisting/result205.txt -T log/upload205.txt + + +diff --git a/tests/data/test2070 b/tests/data/test2070 +index bc3898a..655cd8a 100644 +--- a/tests/data/test2070 ++++ b/tests/data/test2070 +@@ -23,7 +23,7 @@ file + + basic file:// file with no authority + +- ++ + file:%PWD/log/test2070.txt + + +diff --git a/tests/data/test2071 b/tests/data/test2071 +index 997dfff..eddfa4d 100644 +--- a/tests/data/test2071 ++++ b/tests/data/test2071 +@@ -23,7 +23,7 @@ file + + basic file:// file with "127.0.0.1" hostname + +- ++ + 
file://127.0.0.1/%PWD/log/test2070.txt + + +diff --git a/tests/data/test2072 b/tests/data/test2072 +index cd26f22..1bab158 100644 +--- a/tests/data/test2072 ++++ b/tests/data/test2072 +@@ -23,7 +23,7 @@ file + + file:// with unix path resolution behavior for the case of extra slashes + +- ++ + file:////%PWD/log/test2072.txt + + +diff --git a/tests/data/test210 b/tests/data/test210 +index e904567..c6fb703 100644 +--- a/tests/data/test210 ++++ b/tests/data/test210 +@@ -22,7 +22,7 @@ ftp + + Get two FTP files from the same remote dir: no second CWD + +- ++ + ftp://%HOSTIP:%FTPPORT/a/path/210 ftp://%HOSTIP:%FTPPORT/a/path/210 + + +diff --git a/tests/data/test231 b/tests/data/test231 +index 6994957..3d4bc77 100644 +--- a/tests/data/test231 ++++ b/tests/data/test231 +@@ -22,7 +22,7 @@ file + + file:// with resume + +- ++ + file://localhost/%PWD/log/test231.txt -C 10 + + +diff --git a/tests/data/test288 b/tests/data/test288 +index ff4db6a..9f8f6e1 100644 +--- a/tests/data/test288 ++++ b/tests/data/test288 +@@ -30,7 +30,7 @@ file:// with (unsupported) proxy, authentication and range + + all_proxy=http://fake:user@%HOSTIP:%HTTPPORT/ + +- ++ + file://localhost/%PWD/log/test288.txt + + +-- +2.30.2 + diff --git a/SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch b/SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch new file mode 100644 index 0000000..990d32f --- /dev/null +++ b/SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch 
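Review bot: The new `if(fstated)` block in file_do removes the comment that explained the old NOBODY+HEADER condition and leaves the `data->set.opt_no_body ? "": "\r\n"` argument unexplained. A comment above the block such as `/* FILE always passes its synthetic headers to the header callback; the blank line that ends them is only sent when a body follows */` would record the new contract. Because the condition no longer tests `include_header` and the writes use CLIENTWRITE_HEADER, header callbacks now receive locally generated Content-Length, Accept-ranges and Last-Modified lines for every fstat'ed file:// transfer, so applications that treat header-callback data as server-supplied should be told about this in the CURLOPT_HEADERFUNCTION documentation. file_do's body continues outside the hunks shown.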
@@ -0,0 +1,662 @@ +From 74ba80e293eb2521d28916b24c3be59b3baf688a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 18 Feb 2021 10:13:56 +0100 +Subject: [PATCH 1/2] urldata: remove the _ORIG suffix from string names + +It doesn't provide any useful info but only makes the names longer. + +Closes #6624 + +Upstream-commit: 70472a44deaff387cf8c8c197e04f3add2a96e2e +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 32 ++++++++++++++++---------------- + lib/url.c | 32 ++++++++++++++++---------------- + lib/urldata.h | 28 ++++++++++++++-------------- + lib/vtls/cyassl.c | 2 +- + lib/vtls/darwinssl.c | 4 ++-- + lib/vtls/gskit.c | 2 +- + lib/vtls/gtls.c | 2 +- + lib/vtls/mbedtls.c | 2 +- + lib/vtls/nss.c | 2 +- + lib/vtls/openssl.c | 2 +- + lib/vtls/polarssl.c | 2 +- + lib/vtls/schannel.c | 2 +- + 12 files changed, 56 insertions(+), 56 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 4f04962..b07ccfe 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -133,7 +133,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + break; + case CURLOPT_SSL_CIPHER_LIST: + /* set a list of cipher we want to use in the SSL connection */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_SSL_CIPHER_LIST: +@@ -145,7 +145,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + case CURLOPT_TLS13_CIPHERS: + if(Curl_ssl_tls13_ciphersuites()) { + /* set preferred list of TLS 1.3 cipher suites */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST], + va_arg(param, char *)); + } + else +@@ -1532,7 +1532,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * String that holds file name of the SSL certificate to use + */ +- result = Curl_setstropt(&data->set.str[STRING_CERT_ORIG], ++ result = 
Curl_setstropt(&data->set.str[STRING_CERT], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_SSLCERT: +@@ -1546,7 +1546,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * String that holds file type of the SSL certificate to use + */ +- result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_SSLCERTTYPE: +@@ -1560,7 +1560,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * String that holds file name of the SSL key to use + */ +- result = Curl_setstropt(&data->set.str[STRING_KEY_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_KEY], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_SSLKEY: +@@ -1574,7 +1574,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * String that holds file type of the SSL key to use + */ +- result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_SSLKEYTYPE: +@@ -1588,7 +1588,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * String that holds the SSL or SSH private key password. + */ +- result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_KEYPASSWD: +@@ -1815,7 +1815,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + */ + #ifdef USE_SSL + if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY) +- result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY], + va_arg(param, char *)); + else + #endif +@@ -1838,7 +1838,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + /* + * Set CA info for SSL connection. 
Specify file name of the CA certificate + */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_CAINFO: +@@ -1857,7 +1857,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + #ifdef USE_SSL + if(Curl_ssl->supports & SSLSUPP_CA_PATH) + /* This does not work on windows. */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH], + va_arg(param, char *)); + else + #endif +@@ -1882,7 +1882,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + * Set CRL file info for SSL connection. Specify file name of the CRL + * to check certificates revocation + */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE], + va_arg(param, char *)); + break; + case CURLOPT_PROXY_CRLFILE: +@@ -1898,7 +1898,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + * Set Issuer certificate file + * to check certificates issuer + */ +- result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT], + va_arg(param, char *)); + break; + case CURLOPT_TELNETOPTIONS: +@@ -2449,9 +2449,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + break; + #ifdef USE_TLS_SRP + case CURLOPT_TLSAUTH_USERNAME: +- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) + data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_USERNAME: +@@ -2462,9 +2462,9 @@ CURLcode Curl_vsetopt(struct Curl_easy 
*data, CURLoption option, + data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_TLSAUTH_PASSWORD: +- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG], ++ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) + data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_PASSWORD: +diff --git a/lib/url.c b/lib/url.c +index bb9d107..a6bc012 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -496,7 +496,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + */ + if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) { + #if defined(CURL_CA_BUNDLE) +- result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE); ++ result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], CURL_CA_BUNDLE); + if(result) + return result; + +@@ -506,7 +506,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + return result; + #endif + #if defined(CURL_CA_PATH) +- result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], CURL_CA_PATH); ++ result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], CURL_CA_PATH); + if(result) + return result; + +@@ -4333,9 +4333,9 @@ static CURLcode create_conn(struct Curl_easy *data, + that will be freed as part of the Curl_easy struct, but all cloned + copies will be separately allocated. 
+ */ +- data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG]; ++ data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH]; + data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; +- data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG]; ++ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE]; + data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY]; + data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; + data->set.proxy_ssl.primary.random_file = +@@ -4343,34 +4343,34 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; + data->set.proxy_ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; + data->set.ssl.primary.cipher_list = +- data->set.str[STRING_SSL_CIPHER_LIST_ORIG]; ++ data->set.str[STRING_SSL_CIPHER_LIST]; + data->set.proxy_ssl.primary.cipher_list = + data->set.str[STRING_SSL_CIPHER_LIST_PROXY]; + data->set.ssl.primary.cipher_list13 = +- data->set.str[STRING_SSL_CIPHER13_LIST_ORIG]; ++ data->set.str[STRING_SSL_CIPHER13_LIST]; + data->set.proxy_ssl.primary.cipher_list13 = + data->set.str[STRING_SSL_CIPHER13_LIST_PROXY]; + +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; ++ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; +- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG]; ++ data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; + data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; +- data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; ++ data->set.ssl.cert = data->set.str[STRING_CERT]; + data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; +- data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; ++ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.proxy_ssl.cert_type = 
data->set.str[STRING_CERT_TYPE_PROXY]; +- data->set.ssl.key = data->set.str[STRING_KEY_ORIG]; ++ data->set.ssl.key = data->set.str[STRING_KEY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; +- data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG]; ++ data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +- data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG]; ++ data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; + data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY]; +- data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG]; ++ data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; + data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; ++ data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; + data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; ++ data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + +diff --git a/lib/urldata.h b/lib/urldata.h +index c70290a..1f8f364 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1366,9 +1366,9 @@ struct DynamicStatic { + struct Curl_multi; /* declared and used only in multi.c */ + + enum dupstring { +- STRING_CERT_ORIG, /* client certificate file name */ ++ STRING_CERT, /* client certificate file name */ + STRING_CERT_PROXY, /* client certificate file name */ +- STRING_CERT_TYPE_ORIG, /* format for certificate (default: PEM)*/ ++ STRING_CERT_TYPE, /* format for certificate (default: PEM)*/ + STRING_CERT_TYPE_PROXY, /* format for certificate (default: PEM)*/ + STRING_COOKIE, /* HTTP cookie string to send */ + STRING_COOKIEJAR, /* dump all cookies to 
this file */ +@@ -1379,11 +1379,11 @@ enum dupstring { + STRING_FTP_ACCOUNT, /* ftp account data */ + STRING_FTP_ALTERNATIVE_TO_USER, /* command to send if USER/PASS fails */ + STRING_FTPPORT, /* port to send with the FTP PORT command */ +- STRING_KEY_ORIG, /* private key file name */ ++ STRING_KEY, /* private key file name */ + STRING_KEY_PROXY, /* private key file name */ +- STRING_KEY_PASSWD_ORIG, /* plain text private key password */ ++ STRING_KEY_PASSWD, /* plain text private key password */ + STRING_KEY_PASSWD_PROXY, /* plain text private key password */ +- STRING_KEY_TYPE_ORIG, /* format for private key (default: PEM) */ ++ STRING_KEY_TYPE, /* format for private key (default: PEM) */ + STRING_KEY_TYPE_PROXY, /* format for private key (default: PEM) */ + STRING_KRB_LEVEL, /* krb security level */ + STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find +@@ -1393,22 +1393,22 @@ enum dupstring { + STRING_SET_RANGE, /* range, if used */ + STRING_SET_REFERER, /* custom string for the HTTP referer field */ + STRING_SET_URL, /* what original URL to work on */ +- STRING_SSL_CAPATH_ORIG, /* CA directory name (doesn't work on windows) */ ++ STRING_SSL_CAPATH, /* CA directory name (doesn't work on windows) */ + STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */ +- STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */ ++ STRING_SSL_CAFILE, /* certificate file to verify peer against */ + STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */ +- STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */ ++ STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */ + STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */ +- STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */ ++ STRING_SSL_CIPHER_LIST, /* list of ciphers to use */ + STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */ +- STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 
ciphers to use */ ++ STRING_SSL_CIPHER13_LIST, /* list of TLS 1.3 ciphers to use */ + STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */ + STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */ + STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */ + STRING_USERAGENT, /* User-Agent string */ +- STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */ ++ STRING_SSL_CRLFILE, /* crl file to check certificate */ + STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */ +- STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */ ++ STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */ + STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */ + STRING_SSL_ENGINE, /* name of ssl engine */ + STRING_USERNAME, /* , if used */ +@@ -1433,9 +1433,9 @@ enum dupstring { + STRING_MAIL_AUTH, + + #ifdef USE_TLS_SRP +- STRING_TLSAUTH_USERNAME_ORIG, /* TLS auth */ ++ STRING_TLSAUTH_USERNAME, /* TLS auth */ + STRING_TLSAUTH_USERNAME_PROXY, /* TLS auth */ +- STRING_TLSAUTH_PASSWORD_ORIG, /* TLS auth */ ++ STRING_TLSAUTH_PASSWORD, /* TLS auth */ + STRING_TLSAUTH_PASSWORD_PROXY, /* TLS auth */ + #endif + STRING_BEARER, /* , if used */ +diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c +index e10398a..ffd116d 100644 +--- a/lib/vtls/cyassl.c ++++ b/lib/vtls/cyassl.c +@@ -474,7 +474,7 @@ cyassl_connect_step2(struct connectdata *conn, + conn->http_proxy.host.dispname : conn->host.dispname; + const char * const pinnedpubkey = SSL_IS_PROXY() ? 
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + + conn->recv[sockindex] = cyassl_recv; + conn->send[sockindex] = cyassl_send; +diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c +index 1aea0dc..572e8bf 100644 +--- a/lib/vtls/darwinssl.c ++++ b/lib/vtls/darwinssl.c +@@ -2449,9 +2449,9 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) + connssl->connecting_state = ssl_connect_3; + + #ifdef DARWIN_SSL_PINNEDPUBKEY +- if(data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) { ++ if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { + CURLcode result = pkp_pin_peer_pubkey(data, BACKEND->ssl_ctx, +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]); ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]); + if(result) { + failf(data, "SSL: public key does not match pinned public key!"); + return result; +diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c +index a0b4960..b4c7b8a 100644 +--- a/lib/vtls/gskit.c ++++ b/lib/vtls/gskit.c +@@ -1136,7 +1136,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) + + /* Check pinned public key. */ + ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(!result && ptr) { + curl_X509certificate x509; + curl_asn1Element *p; +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 207b0fd..c5eb948 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -1329,7 +1329,7 @@ gtls_connect_step3(struct connectdata *conn, + } + + ptr = SSL_IS_PROXY() ? 
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(ptr) { + result = pkp_pin_peer_pubkey(data, x509_cert, ptr); + if(result != CURLE_OK) { +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index d7759dc..48010ae 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -540,7 +540,7 @@ mbed_connect_step2(struct connectdata *conn, + const mbedtls_x509_crt *peercert; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + + #ifdef HAS_ALPN + const char *next_protocol; +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 89f8183..366bf9e 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2067,7 +2067,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) + &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + + + /* check timeout situation */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 35cd652..8c97c1d 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3388,7 +3388,7 @@ static CURLcode servercert(struct connectdata *conn, + result = CURLE_OK; + + ptr = SSL_IS_PROXY() ? 
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(!result && ptr) { + result = pkp_pin_peer_pubkey(data, BACKEND->server_cert, ptr); + if(result) +diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c +index 604cb4c..f284ad1 100644 +--- a/lib/vtls/polarssl.c ++++ b/lib/vtls/polarssl.c +@@ -459,7 +459,7 @@ polarssl_connect_step2(struct connectdata *conn, + char buffer[1024]; + const char * const pinnedpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + + + char errorbuf[128]; +diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c +index 8f6c301..95c060b 100644 +--- a/lib/vtls/schannel.c ++++ b/lib/vtls/schannel.c +@@ -1060,7 +1060,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) + + pubkey_ptr = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : +- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + if(pubkey_ptr) { + result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr); + if(result) { +-- +2.31.1 + + +From 040fa4f60f9b809972d51184dfa4980ba44d8b6b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 19 Jun 2021 00:42:28 +0200 +Subject: [PATCH 2/2] vtls: fix connection reuse checks for issuer cert and + case sensitivity + +CVE-2021-22924 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2021-22924.html + +Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 5 +++-- + lib/urldata.h | 2 +- + lib/vtls/gtls.c | 10 +++++----- + lib/vtls/nss.c | 4 ++-- + lib/vtls/openssl.c | 12 ++++++------ + lib/vtls/vtls.c | 21 ++++++++++++++++----- + 6 files changed, 33 insertions(+), 21 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index a6bc012..4803653 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ 
-4337,6 +4337,9 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY]; + data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE]; + data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY]; ++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; ++ data->set.proxy_ssl.primary.issuercert = ++ data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; + data->set.proxy_ssl.primary.random_file = + data->set.str[STRING_SSL_RANDOM_FILE]; +@@ -4353,8 +4356,6 @@ static CURLcode create_conn(struct Curl_easy *data, + + data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; +- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; +- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.ssl.cert = data->set.str[STRING_CERT]; + data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; +diff --git a/lib/urldata.h b/lib/urldata.h +index 1f8f364..72a36fb 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -223,6 +223,7 @@ struct ssl_primary_config { + bool sessionid; /* cache session IDs or not */ + char *CApath; /* certificate dir (doesn't work on windows) */ + char *CAfile; /* certificate to verify peer against */ ++ char *issuercert; /* optional issuer certificate filename */ + char *clientcert; + char *random_file; /* path to file containing "random" data */ + char *egdsocket; /* path to file containing the EGD daemon socket */ +@@ -238,7 +239,6 @@ struct ssl_config_data { + bool no_partialchain; /* don't accept partial certificate chains */ + long certverifyresult; /* result from the certificate verification */ + char *CRLfile; /* CRL to check certificate revocation */ +- char *issuercert;/* optional 
issuer certificate filename */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + bool certinfo; /* gather lots of certificate info */ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index c5eb948..0cb59c8 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -1002,7 +1002,7 @@ gtls_connect_step3(struct connectdata *conn, + if(!chainp) { + if(SSL_CONN_CONFIG(verifypeer) || + SSL_CONN_CONFIG(verifyhost) || +- SSL_SET_OPTION(issuercert)) { ++ SSL_CONN_CONFIG(issuercert)) { + #ifdef USE_TLS_SRP + if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(username) != NULL +@@ -1184,21 +1184,21 @@ gtls_connect_step3(struct connectdata *conn, + gnutls_x509_crt_t format */ + gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + gnutls_x509_crt_init(&x509_issuer); +- issuerp = load_file(SSL_SET_OPTION(issuercert)); ++ issuerp = load_file(SSL_CONN_CONFIG(issuercert)); + gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); + rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); + gnutls_x509_crt_deinit(x509_issuer); + unload_file(issuerp); + if(rc <= 0) { + failf(data, "server certificate issuer check failed (IssuerCert: %s)", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + gnutls_x509_crt_deinit(x509_cert); + return CURLE_SSL_ISSUER_ERROR; + } + infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n", +- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); ++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + } + + size = sizeof(certbuf); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 366bf9e..2d9581d 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2095,9 +2095,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) + 
if(result) + goto error; + +- if(SSL_SET_OPTION(issuercert)) { ++ if(SSL_CONN_CONFIG(issuercert)) { + SECStatus ret = SECFailure; +- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert)); ++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); + if(nickname) { + /* we support only nicknames in case of issuercert for now */ + ret = check_issuer_cert(BACKEND->handle, nickname); +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 8c97c1d..28eaa6d 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3311,11 +3311,11 @@ static CURLcode servercert(struct connectdata *conn, + deallocating the certificate. */ + + /* e.g. match issuer name with provided issuer certificate */ +- if(SSL_SET_OPTION(issuercert)) { +- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { ++ if(SSL_CONN_CONFIG(issuercert)) { ++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { + if(strict) + failf(data, "SSL: Unable to open issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(BACKEND->server_cert); + BACKEND->server_cert = NULL; +@@ -3326,7 +3326,7 @@ static CURLcode servercert(struct connectdata *conn, + if(!issuer) { + if(strict) + failf(data, "SSL: Unable to read issuer cert (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(BACKEND->server_cert); +@@ -3337,7 +3337,7 @@ static CURLcode servercert(struct connectdata *conn, + if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) { + if(strict) + failf(data, "SSL: Certificate issuer check failed (%s)", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + BIO_free(fp); + X509_free(issuer); + X509_free(BACKEND->server_cert); +@@ -3346,7 +3346,7 @@ static CURLcode servercert(struct connectdata *conn, + } + + infof(data, " SSL certificate issuer check ok (%s)\n", +- SSL_SET_OPTION(issuercert)); ++ SSL_CONN_CONFIG(issuercert)); + 
X509_free(issuer); + } + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index b61c640..18672a5 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -82,6 +82,15 @@ + else \ + dest->var = NULL; + ++static bool safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ else if(!a && !b) ++ return TRUE; /* match */ ++ return FALSE; /* no match */ ++} ++ + bool + Curl_ssl_config_matches(struct ssl_primary_config* data, + struct ssl_primary_config* needle) +@@ -91,11 +100,11 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +- Curl_safe_strcasecompare(data->CApath, needle->CApath) && +- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) && +- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && +- Curl_safe_strcasecompare(data->random_file, needle->random_file) && +- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && ++ safecmp(data->CApath, needle->CApath) && ++ safecmp(data->CAfile, needle->CAfile) && ++ safecmp(data->clientcert, needle->clientcert) && ++ safecmp(data->random_file, needle->random_file) && ++ safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13)) + return TRUE; +@@ -116,6 +125,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + + CLONE_STRING(CApath); + CLONE_STRING(CAfile); ++ CLONE_STRING(issuercert); + CLONE_STRING(clientcert); + CLONE_STRING(random_file); + CLONE_STRING(egdsocket); +@@ -129,6 +139,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) + { + Curl_safefree(sslc->CApath); + Curl_safefree(sslc->CAfile); ++ Curl_safefree(sslc->issuercert); + Curl_safefree(sslc->clientcert); + Curl_safefree(sslc->random_file); + Curl_safefree(sslc->egdsocket); +-- +2.31.1 + 
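Review bot: The new helper `safecmp` in lib/vtls/vtls.c takes `char *a, char *b` although it only reads both strings, and it has no comment stating its contract. I would declare it `static bool safecmp(const char *a, const char *b)` and put `/* case-sensitive compare of two optional strings; two NULL pointers match, NULL never matches non-NULL */` above it. The case sensitivity is the reason the file-name fields stop using Curl_safe_strcasecompare, so it is worth recording at the definition.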
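Review bot: The condition in Curl_ssl_config_matches does not compare the new `issuercert` field. This patch moves issuercert into struct ssl_primary_config and the later vtls.c hunks clone and free it, but the comparison lines visible in this hunk cover only CApath, CAfile, clientcert, random_file, egdsocket and the two cipher lists. Unless the field is compared somewhere outside the hunk, a cached connection that was verified against a different issuer certificate would still be accepted for reuse, which is the case the commit subject says it fixes. Adding `safecmp(data->issuercert, needle->issuercert) &&` after the CAfile line would close that gap. The `if` condition begins before the hunk, so the first comparisons are not visible here.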
diff --git a/SOURCES/0032-curl-7.61.1-CVE-2021-22898.patch b/SOURCES/0032-curl-7.61.1-CVE-2021-22898.patch new file mode 100644 index 0000000..42e1ccd --- /dev/null +++ b/SOURCES/0032-curl-7.61.1-CVE-2021-22898.patch @@ -0,0 +1,31 @@ +From ae2dc830fb37e9243dbdaf8b92e41df91f43b3f2 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Fri, 7 May 2021 13:09:57 +0200 +Subject: [PATCH] telnet: check sscanf() for correct number of matches + +CVE-2021-22898 + +Bug: https://curl.se/docs/CVE-2021-22898.html + +Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 1fc5af1..ea6bc71 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -967,7 +967,7 @@ static void suboption(struct connectdata *conn) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) { ++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { + snprintf((char *)&temp[len], sizeof(temp) - len, + "%c%s%c%s", CURL_NEW_ENV_VAR, varname, + CURL_NEW_ENV_VALUE, varval); +-- +2.31.1 + diff --git a/SOURCES/0033-curl-7.61.1-CVE-2021-22925.patch b/SOURCES/0033-curl-7.61.1-CVE-2021-22925.patch new file mode 100644 index 0000000..391abbd --- /dev/null +++ b/SOURCES/0033-curl-7.61.1-CVE-2021-22925.patch 
@@ -0,0 +1,47 @@ +From 2fbbf282e42ae476459f7efe68a88dcb63dcc43b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 12 Jun 2021 18:25:15 +0200 +Subject: [PATCH] telnet: fix option parser to not send uninitialized contents + +CVE-2021-22925 + +Reported-by: Red Hat Product Security +Bug: https://curl.se/docs/CVE-2021-22925.html + +Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index ea6bc71..f8428b8 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn) + size_t tmplen = (strlen(v->data) + 1); + /* Add the variable only if it fits */ + if(len + tmplen < (int)sizeof(temp)-6) { +- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { +- snprintf((char *)&temp[len], sizeof(temp) - len, +- "%c%s%c%s", CURL_NEW_ENV_VAR, varname, +- CURL_NEW_ENV_VALUE, varval); +- len += tmplen; +- } ++ int rv; ++ char sep[2] = ""; ++ varval[0] = 0; ++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); ++ if(rv == 1) ++ len += snprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s", CURL_NEW_ENV_VAR, varname); ++ else if(rv >= 2) ++ len += snprintf((char *)&temp[len], sizeof(temp) - len, ++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname, ++ CURL_NEW_ENV_VALUE, varval); + } + } + snprintf((char *)&temp[len], sizeof(temp) - len, +-- +2.31.1 + diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 8f28ad1..be2443a 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 18%{?dist} +Release: 21%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz 
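Review bot: The rewritten parser in suboption() (lib/telnet.c) relies on two things that the code does not state. First, the three sscanf() outcomes are handled differently, so a comment such as `/* rv == 1: name only; rv == 2: "name," with an empty value (varval cleared above); rv == 3: name and value */` before the `if(rv == 1)` would explain why `varval[0] = 0;` is needed. Second, `len += snprintf(...)` adds the return value unchecked; it stays inside `temp` only because the `len + tmplen < (int)sizeof(temp)-6` guard above bounds the formatted length by the length of `v->data`. I would note that next to the guard, `/* tmplen bounds what snprintf() below can write, so len cannot pass sizeof(temp) */`, so a later format change does not break it silently. The function begins and ends outside the hunk.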
@@ -79,6 +79,21 @@ Patch27: 0027-curl-7.61.1-CVE-2020-8286.patch # http: send payload when (proxy) authentication is done (#1918692) Patch28: 0028-curl-7.61.1-http-auth-payload.patch +# prevent automatic referer from leaking credentials (CVE-2021-22876) +Patch29: 0029-curl-7.61.1-CVE-2021-22876.patch + +# make `curl --head file://` work as expected (#1947493) +Patch30: 0030-curl-7.61.1-file-head.patch + +# fix bad connection reuse due to flawed path name checks (CVE-2021-22924) +Patch31: 0031-curl-7.61.1-CVE-2021-22924.patch + +# fix TELNET stack contents disclosure (CVE-2021-22898) +Patch32: 0032-curl-7.61.1-CVE-2021-22898.patch + +# fix TELNET stack contents disclosure again (CVE-2021-22925) +Patch33: 0033-curl-7.61.1-CVE-2021-22925.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -104,7 +119,6 @@ BuildRequires: gcc BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel -BuildRequires: libmetalink-devel BuildRequires: libnghttp2-devel BuildRequires: libpsl-devel BuildRequires: libssh-devel @@ -278,6 +292,11 @@ sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448 %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -314,6 +333,7 @@ export common_configure_opts=" \ --enable-symbol-hiding \ --enable-ipv6 \ --enable-threaded-resolver \ + --without-libmetalink \ --with-gssapi \ --with-nghttp2 \ --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" @@ -329,7 +349,6 @@ export common_configure_opts=" \ --disable-manual \ --without-brotli \ --without-libidn2 \ - --without-libmetalink \ --without-libpsl \ --without-libssh ) @@ -343,7 +362,6 @@ export common_configure_opts=" \ --enable-manual \ --with-brotli \ --with-libidn2 \ - --with-libmetalink \ --with-libpsl \ --with-libssh ) 
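Review bot: The `--without-libmetalink` flag that moves into `common_configure_opts` carries no comment, so the reason metalink is now off for both builds is recorded only in the %changelog. Each added Patch line has a one-line explanation, and the same is useful here, for example `# metalink is disabled in all builds (CVE-2021-22922, CVE-2021-22923)` above the `export common_configure_opts` line. That keeps the flag and the dropped `BuildRequires: libmetalink-devel` from being restored by accident during a later rebase.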
@@ -441,6 +459,21 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Aug 05 2021 Kamil Dudka - 7.61.1-21 +- fix TELNET stack contents disclosure again (CVE-2021-22925) +- fix TELNET stack contents disclosure (CVE-2021-22898) +- fix bad connection reuse due to flawed path name checks (CVE-2021-22924) +- disable metalink support to fix the following vulnerabilities + CVE-2021-22923 - metalink download sends credentials + CVE-2021-22922 - wrong content via metalink not discarded + +* Fri Apr 23 2021 Kamil Dudka - 7.61.1-20 +- fix a cppcheck's false positive in 0029-curl-7.61.1-CVE-2021-22876.patch + +* Fri Apr 23 2021 Kamil Dudka - 7.61.1-19 +- make `curl --head file://` work as expected (#1947493) +- prevent automatic referer from leaking credentials (CVE-2021-22876) + * Thu Jan 28 2021 Kamil Dudka - 7.61.1-18 - http: send payload when (proxy) authentication is done (#1918692) - curl: Inferior OCSP verification (CVE-2020-8286)