From 42a5114285172122c9ca8150a815990504165b70 Mon Sep 17 00:00:00 2001
From: xingwei
Date: Mon, 27 Mar 2023 07:27:51 +0000
Subject: [PATCH] Fix patch optimization for CVE-2023-27535
(cherry picked from commit 8c38eb064a843b689fa9741797bab78e3836624c)
---
 backport-CVE-2023-27535-pre1.patch | 35 +++++++++++++++++++++++++-----
 backport-CVE-2023-27535.patch | 22 +++++++++----------
 curl.spec | 8 ++++++-
 3 files changed, 46 insertions(+), 19 deletions(-)
diff --git a/backport-CVE-2023-27535-pre1.patch b/backport-CVE-2023-27535-pre1.patch
index 72a632d..88dbd01 100644
--- a/backport-CVE-2023-27535-pre1.patch
+++ b/backport-CVE-2023-27535-pre1.patch
@@ -17,10 +17,10 @@ Closes #9658
 lib/netrc.c | 6 +++---
 lib/strcase.c | 22 ++++++++++++++++++++++
 lib/strcase.h | 1 +
- lib/url.c | 18 ++++++++++--------
+ lib/url.c | 33 +++++++++++++--------------------
 lib/vauth/digest_sspi.c | 4 ++--
 lib/vtls/vtls.c | 4 ++--
- 6 files changed, 40 insertions(+), 15 deletions(-)
+ 6 files changed, 43 insertions(+), 27 deletions(-)
 diff --git a/lib/netrc.c b/lib/netrc.c
 index 1c9da31..70b4e16 100644
@@ -92,10 +92,33 @@ index 8929a53..8077108 100644
 #endif /* HEADER_CURL_STRCASE_H */
 diff --git a/lib/url.c b/lib/url.c
-index 2771d32..7a1b3c2 100644
+index 2771d32..ba4fa7a 100644
 --- a/lib/url.c
+++ b/lib/url.c
-@@ -1267,10 +1267,10 @@ ConnectionExists(struct Curl_easy *data,
+@@ -888,19 +888,10 @@ socks_proxy_info_matches(const struct proxy_info *data,
+ /* the user information is case-sensitive
+ or at least it is not defined as case-insensitive
+ see https://tools.ietf.org/html/rfc3986#section-3.2.1 */
+- if((data->user == NULL) != (needle->user == NULL))
+- return FALSE;
+- /* curl_strequal does a case insentive comparison, so do not use it here! */
+- if(data->user &&
+- needle->user &&
+- strcmp(data->user, needle->user) != 0)
+- return FALSE;
+- if((data->passwd == NULL) != (needle->passwd == NULL))
+- return FALSE;
++
+ /* curl_strequal does a case insentive comparison, so do not use it here! */
+- if(data->passwd &&
+- needle->passwd &&
+- strcmp(data->passwd, needle->passwd) != 0)
++ if(Curl_timestrcmp(data->user, needle->user) ||
++ Curl_timestrcmp(data->passwd, needle->passwd))
+ return FALSE;
+ return TRUE;
+ }
+@@ -1267,10 +1258,10 @@ ConnectionExists(struct Curl_easy *data,
 if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
 /* This protocol requires credentials per connection, so verify that we're using the same name and password as well */
@@ -110,7 +133,7 @@ index 2771d32..7a1b3c2 100644
 /* one of them was different */
 continue;
 }
-@@ -1339,8 +1339,8 @@ ConnectionExists(struct Curl_easy *data,
+@@ -1339,8 +1330,8 @@ ConnectionExists(struct Curl_easy *data,
 possible. (Especially we must not reuse the same connection if partway through a handshake!) */
 if(wantNTLMhttp) {
@@ -121,7 +144,7 @@ index 2771d32..7a1b3c2 100644
 /* we prefer a credential match, but this is at least a connection that can be reused and "upgraded" to NTLM */
-@@ -1362,8 +1362,10 @@ ConnectionExists(struct Curl_easy *data,
+@@ -1362,8 +1353,10 @@ ConnectionExists(struct Curl_easy *data,
 if(!check->http_proxy.user || !check->http_proxy.passwd)
 continue;
diff --git a/backport-CVE-2023-27535.patch b/backport-CVE-2023-27535.patch
index 62e3caf..a2fa9a4 100644
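Review bot: In the added `@@ -888,19 +888,10 @@` hunk for `socks_proxy_info_matches()`, the explicit `(data->user == NULL) != (needle->user == NULL)` guard and its passwd twin are removed and both pointers go straight into `Curl_timestrcmp()`, so SOCKS proxy credential matching for connection reuse now depends on that helper accepting NULL and reporting NULL versus non-NULL as a mismatch. The helper comes from the lib/strcase.c part of this backport, which is not visible in this hunk, so that behaviour should be confirmed against the backported copy and stated in the patch description, e.g. `Curl_timestrcmp() accepts NULL; two NULLs compare equal, NULL vs. string does not`. The `||` also short-circuits, so the passwd comparison runs only when the user names match; if that difference matters for this tree, `if(Curl_timestrcmp(data->user, needle->user) | Curl_timestrcmp(data->passwd, needle->passwd))` evaluates both, assuming the helper returns a plain int. The function body starts above the inner hunk.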
--- a/backport-CVE-2023-27535.patch
+++ b/backport-CVE-2023-27535.patch
@@ -6,29 +6,27 @@ Subject: [PATCH] ftp: add more conditions for connection reuse
 Reported-by: Harry Sintonen
 Closes #10730
 ---
- lib/ftp.c | 30 ++++++++++++++++++++++++++++--
+ lib/ftp.c | 28 ++++++++++++++++++++++++++--
 lib/ftp.h | 5 +++++
 lib/setopt.c | 2 +-
 lib/url.c | 16 +++++++++++++++-
 lib/urldata.h | 4 ++--
- 5 files changed, 51 insertions(+), 6 deletions(-)
+ 5 files changed, 49 insertions(+), 6 deletions(-)
 diff --git a/lib/ftp.c b/lib/ftp.c
-index 8e98a5f..195419c 100644
+index 8e98a5f..82574db 100644
 --- a/lib/ftp.c
 +++ b/lib/ftp.c
-@@ -4077,6 +4077,10 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
+@@ -4077,6 +4077,8 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
 }
 freedirs(ftpc);
-+ free(ftpc->account);
-+ ftpc->account = NULL;
-+ free(ftpc->alternative_to_user);
-+ ftpc->alternative_to_user = NULL;
++ Curl_safefree(ftpc->account);
++ Curl_safefree(ftpc->alternative_to_user);
 free(ftpc->prevpath);
 ftpc->prevpath = NULL;
 free(ftpc->server_os);
-@@ -4344,11 +4348,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+@@ -4344,11 +4346,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
 struct Curl_easy *data = conn->data;
 char *type;
 struct FTP *ftp;
@@ -61,7 +59,7 @@ index 8e98a5f..195419c 100644
 ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
 /* FTP URLs support an extension like ";type=" that
-@@ -4383,7 +4407,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+@@ -4383,7 +4405,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
 /* get some initial data into the ftp struct */
 ftp->transfer = FTPTRANSFER_BODY;
 ftp->downloadsize = 0;
@@ -109,10 +107,10 @@ index ed54481..16e94a6 100644
 case CURLOPT_SSL_OPTIONS:
 diff --git a/lib/url.c b/lib/url.c
-index 2771d32..dcc97d5 100644
+index ba4fa7a..6c34924 100644
 --- a/lib/url.c
+++ b/lib/url.c
-@@ -1276,10 +1276,24 @@ ConnectionExists(struct Curl_easy *data,
+@@ -1267,10 +1267,24 @@ ConnectionExists(struct Curl_easy *data,
 }
 }
diff --git a/curl.spec b/curl.spec
index 2d32214..cc600a4 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@ Name: curl
 Version: 7.71.1
-Release: 23
+Release: 24
 Summary: Curl is used in command lines or scripts to transfer data
 License: MIT
 URL: https://curl.haxx.se/
@@ -223,6 +223,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/*
 %changelog
+* Mon Mar 27 2023 xingwei - 7.71.1-24
+- Type:cves
+- CVE:CVE-2023-27535
+- SUG:NA
+- DESC:Fix patch optimization for CVE-2023-27535
+
 * Thu Mar 23 2023 xingwei - 7.71.1-23
 - Type:cves
 - CVE:CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538