!177 [sync] PR-176: Fix patch optimization for CVE-2023-27535

From: @openeuler-sync-bot 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw

backport-CVE-2023-27535-pre1.patch

@@ -17,10 +17,10 @@ Closes #9658
  lib/netrc.c             |  6 +++---
  lib/strcase.c           | 22 ++++++++++++++++++++++
  lib/strcase.h           |  1 +
- lib/url.c               | 18 ++++++++++--------
+ lib/url.c               | 33 +++++++++++++--------------------
  lib/vauth/digest_sspi.c |  4 ++--
  lib/vtls/vtls.c         |  4 ++--
- 6 files changed, 40 insertions(+), 15 deletions(-)
+ 6 files changed, 43 insertions(+), 27 deletions(-)
 
 diff --git a/lib/netrc.c b/lib/netrc.c
 index 1c9da31..70b4e16 100644
@@ -92,10 +92,33 @@ index 8929a53..8077108 100644
  
  #endif /* HEADER_CURL_STRCASE_H */
 diff --git a/lib/url.c b/lib/url.c
-index 2771d32..7a1b3c2 100644
+index 2771d32..ba4fa7a 100644
 --- a/lib/url.c
 +++ b/lib/url.c
-@@ -1267,10 +1267,10 @@ ConnectionExists(struct Curl_easy *data,
+@@ -888,19 +888,10 @@ socks_proxy_info_matches(const struct proxy_info *data,
+   /* the user information is case-sensitive
+      or at least it is not defined as case-insensitive
+      see https://tools.ietf.org/html/rfc3986#section-3.2.1 */
+-  if((data->user == NULL) != (needle->user == NULL))
+-    return FALSE;
+-  /* curl_strequal does a case insentive comparison, so do not use it here! */
+-  if(data->user &&
+-     needle->user &&
+-     strcmp(data->user, needle->user) != 0)
+-    return FALSE;
+-  if((data->passwd == NULL) != (needle->passwd == NULL))
+-    return FALSE;
++
+   /* curl_strequal does a case insentive comparison, so do not use it here! */
+-  if(data->passwd &&
+-     needle->passwd &&
+-     strcmp(data->passwd, needle->passwd) != 0)
++  if(Curl_timestrcmp(data->user, needle->user) ||
++     Curl_timestrcmp(data->passwd, needle->passwd))
+     return FALSE;
+   return TRUE;
+ }
+@@ -1267,10 +1258,10 @@ ConnectionExists(struct Curl_easy *data,
        if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
          /* This protocol requires credentials per connection,
             so verify that we're using the same name and password as well */
@@ -110,7 +133,7 @@ index 2771d32..7a1b3c2 100644
            /* one of them was different */
            continue;
          }
-@@ -1339,8 +1339,8 @@ ConnectionExists(struct Curl_easy *data,
+@@ -1339,8 +1330,8 @@ ConnectionExists(struct Curl_easy *data,
             possible. (Especially we must not reuse the same connection if
             partway through a handshake!) */
          if(wantNTLMhttp) {
@@ -121,7 +144,7 @@ index 2771d32..7a1b3c2 100644
  
              /* we prefer a credential match, but this is at least a connection
                 that can be reused and "upgraded" to NTLM */
-@@ -1362,8 +1362,10 @@ ConnectionExists(struct Curl_easy *data,
+@@ -1362,8 +1353,10 @@ ConnectionExists(struct Curl_easy *data,
            if(!check->http_proxy.user || !check->http_proxy.passwd)
              continue;
  

backport-CVE-2023-27535.patch

@@ -6,29 +6,27 @@ Subject: [PATCH] ftp: add more conditions for connection reuse
 Reported-by: Harry Sintonen
 Closes #10730
 ---
- lib/ftp.c     | 30 ++++++++++++++++++++++++++++--
+ lib/ftp.c     | 28 ++++++++++++++++++++++++++--
  lib/ftp.h     |  5 +++++
  lib/setopt.c  |  2 +-
  lib/url.c     | 16 +++++++++++++++-
  lib/urldata.h |  4 ++--
- 5 files changed, 51 insertions(+), 6 deletions(-)
+ 5 files changed, 49 insertions(+), 6 deletions(-)
 
 diff --git a/lib/ftp.c b/lib/ftp.c
-index 8e98a5f..195419c 100644
+index 8e98a5f..82574db 100644
 --- a/lib/ftp.c
 +++ b/lib/ftp.c
-@@ -4077,6 +4077,10 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
+@@ -4077,6 +4077,8 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
    }
  
    freedirs(ftpc);
-+  free(ftpc->account);
-+  ftpc->account = NULL;
-+  free(ftpc->alternative_to_user);
-+  ftpc->alternative_to_user = NULL;
++  Curl_safefree(ftpc->account);
++  Curl_safefree(ftpc->alternative_to_user);
    free(ftpc->prevpath);
    ftpc->prevpath = NULL;
    free(ftpc->server_os);
-@@ -4344,11 +4348,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+@@ -4344,11 +4346,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
    struct Curl_easy *data = conn->data;
    char *type;
    struct FTP *ftp;
@@ -61,7 +59,7 @@ index 8e98a5f..195419c 100644
    ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
  
    /* FTP URLs support an extension like ";type=<typecode>" that
-@@ -4383,7 +4407,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+@@ -4383,7 +4405,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
    /* get some initial data into the ftp struct */
    ftp->transfer = FTPTRANSFER_BODY;
    ftp->downloadsize = 0;
@@ -109,10 +107,10 @@ index ed54481..16e94a6 100644
  
    case CURLOPT_SSL_OPTIONS:
 diff --git a/lib/url.c b/lib/url.c
-index 2771d32..dcc97d5 100644
+index ba4fa7a..6c34924 100644
 --- a/lib/url.c
 +++ b/lib/url.c
-@@ -1276,10 +1276,24 @@ ConnectionExists(struct Curl_easy *data,
+@@ -1267,10 +1267,24 @@ ConnectionExists(struct Curl_easy *data,
          }
        }
  

curl.spec

@@ -6,7 +6,7 @@
 
 Name:           curl
 Version:        7.71.1
-Release:        23
+Release:        24
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@@ -223,6 +223,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Mon Mar 27 2023 xingwei <xingwei14@h-partners.com> - 7.71.1-24
+- Type:cves
+- CVE:CVE-2023-27535
+- SUG:NA
+- DESC:Fix patch optimization for CVE-2023-27535
+
 * Thu Mar 23 2023 xingwei <xingwei14@h-partners.com> - 7.71.1-23
 - Type:cves
 - CVE:CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538