diff --git a/backport-CVE-2022-32221.patch b/backport-CVE-2022-32221.patch
new file mode 100644
index 0000000..18e8b03
--- /dev/null
+++ b/backport-CVE-2022-32221.patch
@@ -0,0 +1,28 @@
+From a64e3e59938abd7d667e4470a18072a24d7e9de9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 15 Sep 2022 09:22:45 +0200
+Subject: [PATCH] setopt: when POST is set, reset the 'upload' field
+
+Reported-by: RobBotic1 on github
+Fixes #9507
+Closes #9511
+
+Conflict: case CURLOPT_HTTPPOST => case CURLOPT_COPYPOSTFIELDS
+Reference: https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9
+
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 03c4efdbf1e58..7289a4e78bdd0 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -700,6 +700,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ }
+ else
+ data->set.method = HTTPREQ_GET;
++ data->set.upload = FALSE;
+ break;
+
+ case CURLOPT_COPYPOSTFIELDS:
diff --git a/curl.spec b/curl.spec
index 5fff3a1..1b98d64 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@
 Name: curl
 Version: 7.71.1
-Release: 18
+Release: 19
 Summary: Curl is used in command lines or scripts to transfer data
 License: MIT
 URL: https://curl.haxx.se/
@@ -48,6 +48,7 @@ Patch134: backport-CVE-2022-32207.patch
 Patch135: backport-CVE-2022-32208.patch
 Patch136: backport-fix-configure-disable-http-auth-build-error.patch
 Patch137: backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch
+Patch138: backport-CVE-2022-32221.patch
 BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
@@ -189,6 +190,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 %changelog
+* Thu Oct 27 2022 yanglu - 7.71.1-19
+- Type:cves
+- CVE:CVE-2022-32221
+- SUG:NA
+- DESC:fix CVE-2022-32221
+
 * Thu Sep 01 2022 zhouyihang - 7.71.1-18
 - Type:cves
 - CVE:CVE-2022-35252
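Review bot: The stale `upload` flag is cleared in only one option case of `Curl_vsetopt` in the lib/setopt.c hunk embedded in backport-CVE-2022-32221.patch, the case that ends just before `case CURLOPT_COPYPOSTFIELDS:` (the POST option, going by the subject line). A handle reused after a PUT is therefore reset only when the application sets that particular option. The other options that select a POST body, such as `CURLOPT_POSTFIELDS`, `CURLOPT_COPYPOSTFIELDS` and `CURLOPT_HTTPPOST`, lie outside the hunk; it is worth confirming in the 7.71.1 tree that none of them leaves `data->set.upload` set, since a stale flag could still route the request body through the read callback. The added statement follows an unbraced `else`, so a short comment above it, for example `/* always clear: an earlier PUT may have left 'upload' set */`, would make it obvious that it is meant to run on both branches. The case body starts outside the hunk, and the backport carries no regression test for reusing a handle after a PUT.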