packages/curl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:32e88d05b0a0f1e69c9bbc74d0a448a6b8bb74dc
Branches Tags
packages:main
...
compare: packages:90a76dce4e5fb4c5467ed016dd8dcc9430cac1ed
Branches Tags
packages:main

10 Commits
32e88d05b0 ... 90a76dce4e

Author SHA1 Message Date
openeuler-ci-bot
90a76dce4e
!369 fix CVE-2025-0725 
From: @sherlock2010 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2025-02-11 07:59:30 +00:00
sherlock2010
58b1a5fa07 fix CVE-2025-0725 2025-02-10 08:35:41 +00:00
openeuler-ci-bot
0971088654
!355 cookie: treat cookie name case sensitively 
From: @sherlock2010 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2024-12-10 07:39:37 +00:00
sherlock2010
2c145170bb cookie: treat cookie name case sensitively 2024-12-10 02:02:38 +00:00
openeuler-ci-bot
a7e01fa8e8
!347 multi: check that the multi handle is valid in curl_multi_assign 
From: @sherlock2010 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2024-12-02 08:24:10 +00:00
sherlock2010
9b0959167a multi: check that the multi handle is valid in curl_multi_assign 2024-11-30 10:22:59 +00:00
openeuler-ci-bot
8a0fc0ddc1
!326 url: allow DoH transfers to override max connection limit 
From: @sherlock2010 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2024-09-23 02:48:55 +00:00
sherlock2010
bd79cbb34e url: allow DoH transfers to override max connection limit 2024-09-23 01:57:46 +00:00
openeuler-ci-bot
cf90c9e7f4
!319 fix CVE-2024-8096 
From: @sherlock2010 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
 2024-09-12 07:02:22 +00:00
sherlock2010
2013e2dc02 fix CVE-2024-8096 2024-09-12 06:03:56 +00:00
6 changed files with 710 additions and 1 deletions
Show Stats Expand all files Collapse all files

206
backport-CVE-2024-8096-gtls-fix-OCSP-stapling-management.patch Normal file
View File

@ -0,0 +1,206 @@
From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 20 Aug 2024 16:14:39 +0200
Subject: [PATCH] gtls: fix OCSP stapling management
Reported-by: Hiroki Kurosawa
Closes #14642
Conflict:context adapt
Reference:https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f
---
lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
1 file changed, 73 insertions(+), 73 deletions(-)
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 03d6fcc03..c7589d9d3 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
init_flags |= GNUTLS_NO_TICKETS;
#endif
+#if defined(GNUTLS_NO_STATUS_REQUEST)
+ if(!config->verifystatus)
+ /* Disable the "status_request" TLS extension, enabled by default since
+ GnuTLS 3.8.0. */
+ init_flags |= GNUTLS_NO_STATUS_REQUEST;
+#endif
+
rc = gnutls_init(&backend->session, init_flags);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_init() failed: %d", rc);
@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
infof(data, "\t server certificate verification SKIPPED\n");
if(SSL_CONN_CONFIG(verifystatus)) {
- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
- gnutls_datum_t status_request;
- gnutls_ocsp_resp_t ocsp_resp;
+ gnutls_datum_t status_request;
+ gnutls_ocsp_resp_t ocsp_resp;
+ gnutls_ocsp_cert_status_t status;
+ gnutls_x509_crl_reason_t reason;
- gnutls_ocsp_cert_status_t status;
- gnutls_x509_crl_reason_t reason;
+ rc = gnutls_ocsp_status_request_get(session, &status_request);
- rc = gnutls_ocsp_status_request_get(session, &status_request);
+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ failf(data, "No OCSP response received");
+ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
- infof(data, "\t server certificate status verification FAILED\n");
+ if(rc < 0) {
+ failf(data, "Invalid OCSP response received");
+ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
- failf(data, "No OCSP response received");
- return CURLE_SSL_INVALIDCERTSTATUS;
- }
+ gnutls_ocsp_resp_init(&ocsp_resp);
- if(rc < 0) {
- failf(data, "Invalid OCSP response received");
- return CURLE_SSL_INVALIDCERTSTATUS;
- }
+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+ if(rc < 0) {
+ failf(data, "Invalid OCSP response received");
+ return CURLE_SSL_INVALIDCERTSTATUS;
+ }
- gnutls_ocsp_resp_init(&ocsp_resp);
+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+ &status, NULL, NULL, NULL, &reason);
- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
- if(rc < 0) {
- failf(data, "Invalid OCSP response received");
- return CURLE_SSL_INVALIDCERTSTATUS;
- }
+ switch(status) {
+ case GNUTLS_OCSP_CERT_GOOD:
+ break;
- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
- &status, NULL, NULL, NULL, &reason);
+ case GNUTLS_OCSP_CERT_REVOKED: {
+ const char *crl_reason;
- switch(status) {
- case GNUTLS_OCSP_CERT_GOOD:
+ switch(reason) {
+ default:
+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+ crl_reason = "unspecified reason";
break;
- case GNUTLS_OCSP_CERT_REVOKED: {
- const char *crl_reason;
-
- switch(reason) {
- default:
- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
- crl_reason = "unspecified reason";
- break;
-
- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
- crl_reason = "private key compromised";
- break;
-
- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
- crl_reason = "CA compromised";
- break;
-
- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
- crl_reason = "affiliation has changed";
- break;
+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+ crl_reason = "private key compromised";
+ break;
- case GNUTLS_X509_CRLREASON_SUPERSEDED:
- crl_reason = "certificate superseded";
- break;
+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+ crl_reason = "CA compromised";
+ break;
- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
- crl_reason = "operation has ceased";
- break;
+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+ crl_reason = "affiliation has changed";
+ break;
- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
- crl_reason = "certificate is on hold";
- break;
+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
+ crl_reason = "certificate superseded";
+ break;
- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
- crl_reason = "will be removed from delta CRL";
- break;
+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+ crl_reason = "operation has ceased";
+ break;
- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
- crl_reason = "privilege withdrawn";
- break;
+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+ crl_reason = "certificate is on hold";
+ break;
- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
- crl_reason = "AA compromised";
- break;
- }
+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+ crl_reason = "will be removed from delta CRL";
+ break;
- failf(data, "Server certificate was revoked: %s", crl_reason);
+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+ crl_reason = "privilege withdrawn";
break;
- }
- default:
- case GNUTLS_OCSP_CERT_UNKNOWN:
- failf(data, "Server certificate status is unknown");
+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+ crl_reason = "AA compromised";
break;
}
- gnutls_ocsp_resp_deinit(ocsp_resp);
+ failf(data, "Server certificate was revoked: %s", crl_reason);
+ break;
+ }
- return CURLE_SSL_INVALIDCERTSTATUS;
+ default:
+ case GNUTLS_OCSP_CERT_UNKNOWN:
+ failf(data, "Server certificate status is unknown");
+ break;
}
- else
- infof(data, "\t server certificate status verification OK\n");
+
+ gnutls_ocsp_resp_deinit(ocsp_resp);
+ if(status != GNUTLS_OCSP_CERT_GOOD)
+ return CURLE_SSL_INVALIDCERTSTATUS;
}
else
infof(data, "\t server certificate status verification SKIPPED\n");
--
2.33.0

328
backport-CVE-2025-0725.patch Normal file
View File

@ -0,0 +1,328 @@
From 76f83f0db23846e254d940ec7fe141010077eb88 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 24 Jan 2025 11:13:24 +0100
Subject: [PATCH] content_encoding: drop support for zlib before 1.2.0.4
zlib 1.2.0.4 was released on 10 August 2003
Closes #16079
Conflict:context adapt
Reference:https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7
---
docs/INTERNALS.md | 2 +-
lib/content_encoding.c | 232 ++---------------------------------------
2 files changed, 8 insertions(+), 226 deletions(-)
diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md
index 635e7b2..3cd4eee 100644
--- a/docs/INTERNALS.md
+++ b/docs/INTERNALS.md
@@ -86,7 +86,7 @@ Dependencies
- OpenSSL 0.9.7
- GnuTLS 3.1.10
- - zlib 1.1.4
+ - zlib 1.2.0.4
- libssh2 0.16
- c-ares 1.6.0
- libidn2 2.0.0
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
index 3633791..db06b1d 100644
--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
@@ -52,31 +52,13 @@
#define DSIZ CURL_MAX_WRITE_SIZE /* buffer size for decompressed data */
-
#ifdef HAVE_LIBZ
-/* Comment this out if zlib is always going to be at least ver. 1.2.0.4
- (doing so will reduce code size slightly). */
-#define OLD_ZLIB_SUPPORT 1
-
-#define GZIP_MAGIC_0 0x1f
-#define GZIP_MAGIC_1 0x8b
-
-/* gzip flag byte */
-#define ASCII_FLAG 0x01 /* bit 0 set: file probably ascii text */
-#define HEAD_CRC 0x02 /* bit 1 set: header CRC present */
-#define EXTRA_FIELD 0x04 /* bit 2 set: extra field present */
-#define ORIG_NAME 0x08 /* bit 3 set: original file name present */
-#define COMMENT 0x10 /* bit 4 set: file comment present */
-#define RESERVED 0xE0 /* bits 5..7: reserved */
-
typedef enum {
ZLIB_UNINIT, /* uninitialized */
ZLIB_INIT, /* initialized */
ZLIB_INFLATING, /* inflating started. */
ZLIB_EXTERNAL_TRAILER, /* reading external trailer */
- ZLIB_GZIP_HEADER, /* reading gzip header */
- ZLIB_GZIP_INFLATING, /* inflating gzip stream */
ZLIB_INIT_GZIP /* initialized in transparent gzip mode */
} zlibInitState;
@@ -121,9 +103,6 @@ static CURLcode
exit_zlib(struct connectdata *conn,
z_stream *z, zlibInitState *zlib_init, CURLcode result)
{
- if(*zlib_init == ZLIB_GZIP_HEADER)
- Curl_safefree(z->next_in);
-
if(*zlib_init != ZLIB_UNINIT) {
if(inflateEnd(z) != Z_OK && result == CURLE_OK)
result = process_zlib_error(conn, z);
@@ -172,8 +151,7 @@ static CURLcode inflate_stream(struct connectdata *conn,
/* Check state. */
if(zp->zlib_init != ZLIB_INIT &&
zp->zlib_init != ZLIB_INFLATING &&
- zp->zlib_init != ZLIB_INIT_GZIP &&
- zp->zlib_init != ZLIB_GZIP_INFLATING)
+ zp->zlib_init != ZLIB_INIT_GZIP)
return exit_zlib(conn, z, &zp->zlib_init, CURLE_WRITE_ERROR);
/* Dynamically allocate a buffer for decompression because it's uncommonly
@@ -322,6 +300,7 @@ static CURLcode gzip_init_writer(struct connectdata *conn,
{
struct zlib_params *zp = (struct zlib_params *) &writer->params;
z_stream *z = &zp->z; /* zlib state structure */
+ const char *v = zlibVersion();
if(!writer->downstream)
return CURLE_WRITE_ERROR;
@@ -330,109 +309,21 @@ static CURLcode gzip_init_writer(struct connectdata *conn,
z->zalloc = (alloc_func) zalloc_cb;
z->zfree = (free_func) zfree_cb;
- if(strcmp(zlibVersion(), "1.2.0.4") >= 0) {
- /* zlib ver. >= 1.2.0.4 supports transparent gzip decompressing */
+ if(strcmp(v, "1.2.0.4") >= 0) {
+ /* zlib version >= 1.2.0.4 supports transparent gzip decompressing */
if(inflateInit2(z, MAX_WBITS + 32) != Z_OK) {
return process_zlib_error(conn, z);
}
zp->zlib_init = ZLIB_INIT_GZIP; /* Transparent gzip decompress state */
}
else {
- /* we must parse the gzip header and trailer ourselves */
- if(inflateInit2(z, -MAX_WBITS) != Z_OK) {
- return process_zlib_error(conn, z);
- }
- zp->trailerlen = 8; /* A CRC-32 and a 32-bit input size (RFC 1952, 2.2) */
- zp->zlib_init = ZLIB_INIT; /* Initial call state */
+ failf(conn->data, "too old zlib version: %s", v);
+ return CURLE_FAILED_INIT;
}
return CURLE_OK;
}
-#ifdef OLD_ZLIB_SUPPORT
-/* Skip over the gzip header */
-static enum {
- GZIP_OK,
- GZIP_BAD,
- GZIP_UNDERFLOW
-} check_gzip_header(unsigned char const *data, ssize_t len, ssize_t *headerlen)
-{
- int method, flags;
- const ssize_t totallen = len;
-
- /* The shortest header is 10 bytes */
- if(len < 10)
- return GZIP_UNDERFLOW;
-
- if((data[0] != GZIP_MAGIC_0) || (data[1] != GZIP_MAGIC_1))
- return GZIP_BAD;
-
- method = data[2];
- flags = data[3];
-
- if(method != Z_DEFLATED || (flags & RESERVED) != 0) {
- /* Can't handle this compression method or unknown flag */
- return GZIP_BAD;
- }
-
- /* Skip over time, xflags, OS code and all previous bytes */
- len -= 10;
- data += 10;
-
- if(flags & EXTRA_FIELD) {
- ssize_t extra_len;
-
- if(len < 2)
- return GZIP_UNDERFLOW;
-
- extra_len = (data[1] << 8) | data[0];
-
- if(len < (extra_len + 2))
- return GZIP_UNDERFLOW;
-
- len -= (extra_len + 2);
- data += (extra_len + 2);
- }
-
- if(flags & ORIG_NAME) {
- /* Skip over NUL-terminated file name */
- while(len && *data) {
- --len;
- ++data;
- }
- if(!len || *data)
- return GZIP_UNDERFLOW;
-
- /* Skip over the NUL */
- --len;
- ++data;
- }
-
- if(flags & COMMENT) {
- /* Skip over NUL-terminated comment */
- while(len && *data) {
- --len;
- ++data;
- }
- if(!len || *data)
- return GZIP_UNDERFLOW;
-
- /* Skip over the NUL */
- --len;
- }
-
- if(flags & HEAD_CRC) {
- if(len < 2)
- return GZIP_UNDERFLOW;
-
- len -= 2;
- }
-
- *headerlen = totallen - len;
- return GZIP_OK;
-}
-#endif
-
static CURLcode gzip_unencode_write(struct connectdata *conn,
struct contenc_writer *writer,
const char *buf, size_t nbytes)
@@ -448,117 +339,8 @@ static CURLcode gzip_unencode_write(struct connectdata *conn,
return inflate_stream(conn, writer, ZLIB_INIT_GZIP);
}
-#ifndef OLD_ZLIB_SUPPORT
- /* Support for old zlib versions is compiled away and we are running with
- an old version, so return an error. */
+ /* We are running with an old version: return error. */
return exit_zlib(conn, z, &zp->zlib_init, CURLE_WRITE_ERROR);
-
-#else
- /* This next mess is to get around the potential case where there isn't
- * enough data passed in to skip over the gzip header. If that happens, we
- * malloc a block and copy what we have then wait for the next call. If
- * there still isn't enough (this is definitely a worst-case scenario), we
- * make the block bigger, copy the next part in and keep waiting.
- *
- * This is only required with zlib versions < 1.2.0.4 as newer versions
- * can handle the gzip header themselves.
- */
-
- switch(zp->zlib_init) {
- /* Skip over gzip header? */
- case ZLIB_INIT:
- {
- /* Initial call state */
- ssize_t hlen;
-
- switch(check_gzip_header((unsigned char *) buf, nbytes, &hlen)) {
- case GZIP_OK:
- z->next_in = (Bytef *) buf + hlen;
- z->avail_in = (uInt) (nbytes - hlen);
- zp->zlib_init = ZLIB_GZIP_INFLATING; /* Inflating stream state */
- break;
-
- case GZIP_UNDERFLOW:
- /* We need more data so we can find the end of the gzip header. It's
- * possible that the memory block we malloc here will never be freed if
- * the transfer abruptly aborts after this point. Since it's unlikely
- * that circumstances will be right for this code path to be followed in
- * the first place, and it's even more unlikely for a transfer to fail
- * immediately afterwards, it should seldom be a problem.
- */
- z->avail_in = (uInt) nbytes;
- z->next_in = malloc(z->avail_in);
- if(z->next_in == NULL) {
- return exit_zlib(conn, z, &zp->zlib_init, CURLE_OUT_OF_MEMORY);
- }
- memcpy(z->next_in, buf, z->avail_in);
- zp->zlib_init = ZLIB_GZIP_HEADER; /* Need more gzip header data state */
- /* We don't have any data to inflate yet */
- return CURLE_OK;
-
- case GZIP_BAD:
- default:
- return exit_zlib(conn, z, &zp->zlib_init, process_zlib_error(conn, z));
- }
-
- }
- break;
-
- case ZLIB_GZIP_HEADER:
- {
- /* Need more gzip header data state */
- ssize_t hlen;
- z->avail_in += (uInt) nbytes;
- z->next_in = Curl_saferealloc(z->next_in, z->avail_in);
- if(z->next_in == NULL) {
- return exit_zlib(conn, z, &zp->zlib_init, CURLE_OUT_OF_MEMORY);
- }
- /* Append the new block of data to the previous one */
- memcpy(z->next_in + z->avail_in - nbytes, buf, nbytes);
-
- switch(check_gzip_header(z->next_in, z->avail_in, &hlen)) {
- case GZIP_OK:
- /* This is the zlib stream data */
- free(z->next_in);
- /* Don't point into the malloced block since we just freed it */
- z->next_in = (Bytef *) buf + hlen + nbytes - z->avail_in;
- z->avail_in = (uInt) (z->avail_in - hlen);
- zp->zlib_init = ZLIB_GZIP_INFLATING; /* Inflating stream state */
- break;
-
- case GZIP_UNDERFLOW:
- /* We still don't have any data to inflate! */
- return CURLE_OK;
-
- case GZIP_BAD:
- default:
- return exit_zlib(conn, z, &zp->zlib_init, process_zlib_error(conn, z));
- }
-
- }
- break;
-
- case ZLIB_EXTERNAL_TRAILER:
- z->next_in = (Bytef *) buf;
- z->avail_in = (uInt) nbytes;
- return process_trailer(conn, zp);
-
- case ZLIB_GZIP_INFLATING:
- default:
- /* Inflating stream state */
- z->next_in = (Bytef *) buf;
- z->avail_in = (uInt) nbytes;
- break;
- }
-
- if(z->avail_in == 0) {
- /* We don't have any data to inflate; wait until next time */
- return CURLE_OK;
- }
-
- /* We've parsed the header, now uncompress the data */
- return inflate_stream(conn, writer, ZLIB_GZIP_INFLATING);
-#endif
}
static void gzip_close_writer(struct connectdata *conn,
--
2.33.0

54
backport-cookie-treat-cookie-name-case-sensitively.patch Normal file
View File

@ -0,0 +1,54 @@
From 9919149aef67014150e2a1c75a7aa2c79204e30d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 6 Nov 2024 11:26:25 +0100
Subject: [PATCH] cookie: treat cookie name case sensitively
Extend test 31 to verify
Reported-by: delogicsreal on github
Fixes #15492
Closes #15493
Conflict:context adapt
Reference:https://github.com/curl/curl/commit/9919149aef67014150e2a1c75a7aa2c79204e30d
---
lib/cookie.c | 2 +-
tests/data/test31 | 2 ++
2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/lib/cookie.c b/lib/cookie.c
index ca8c3c596..e37d58f1d 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -989,7 +989,7 @@ replace_existing(struct Curl_easy *data,
clist = c->cookies[myhash];
replace_old = FALSE;
while(clist) {
- if(strcasecompare(clist->name, co->name)) {
+ if(!strcmp(clist->name, co->name)) {
/* the names are identical */
if(clist->domain && co->domain) {
diff --git a/tests/data/test31 b/tests/data/test31
index d9d073996..2d411b5cd 100644
--- a/tests/data/test31
+++ b/tests/data/test31
@@ -26,6 +26,7 @@ Set-Cookie: blankdomain=sure; domain=; path=/
Funny-head: yesyes
Set-Cookie: foobar=name; domain=anything.com; path=/ ; secure
Set-Cookie:ismatch=this ; domain=127.0.0.1; path=/silly/
+Set-Cookie:ISMATCH=this ; domain=127.0.0.1; path=/silly/
Set-Cookie: overwrite=this ; domain=127.0.0.1; path=/overwrite/
Set-Cookie: overwrite=this2 ; domain=127.0.0.1; path=/overwrite
Set-Cookie: sec1value=secure1 ; domain=127.0.0.1; path=/secure1/ ; secure
@@ -181,6 +183,7 @@ 127.0.0.1 FALSE /we/want/ FALSE 2118138987 nodomain value
#HttpOnly_127.0.0.1 FALSE /p2/ FALSE 0 httpo2 value2
#HttpOnly_127.0.0.1 FALSE /p1/ FALSE 0 httpo1 value1
127.0.0.1 FALSE /overwrite FALSE 0 overwrite this2
+127.0.0.1 FALSE /silly/ FALSE 0 ISMATCH this
127.0.0.1 FALSE /silly/ FALSE 0 ismatch this
</file>
</verify>
--
2.33.0

37
backport-multi-check-that-the-multi-handle-is-valid-in-curl_m.patch Normal file
View File

@ -0,0 +1,37 @@
From 48f61e781a01e6a8dbc4a347e280644b1c68ab6a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 11 Sep 2024 14:12:41 +0200
Subject: [PATCH] multi: check that the multi handle is valid in
curl_multi_assign
By requiring that the multi handle is fine, it can detect bad usage
better and by that avoid crashes. Like in the #14860 case, which is an
application calling curl_multi_assign() with a NULL pointer multi
handle.
Reported-by: Carlo Cabrera
Fixes #14860
Closes #14862
Conflict:Context adapt
Reference:https://github.com/curl/curl/commit/48f61e781a01e6a8dbc4a347e280644b1c68ab6a
---
lib/multi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/multi.c b/lib/multi.c
index 062d09cc0..78e5c0a1e 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -3688,6 +3688,8 @@ CURLMcode curl_multi_assign(struct Curl_multi *multi, curl_socket_t s,
void *hashp)
{
struct Curl_sh_entry *there = NULL;
+ if(!GOOD_MULTI_HANDLE(multi))
+ return CURLM_BAD_HANDLE;
if(multi->in_callback)
return CURLM_RECURSIVE_API_CALL;
--
2.33.0

49
backport-url-allow-DoH-transfers-to-override-max-connection-limit.patch Normal file
View File

@ -0,0 +1,49 @@
From b049388d473a9a0189f3180e57e04a39a3793382 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 4 Jun 2024 17:00:05 +0200
Subject: [PATCH] url: allow DoH transfers to override max connection limit
When reaching the set maximum limit of allowed connections, allow a new
connection anyway if the transfer is created for the (internal) purpose
of doing a DoH name resolve. Otherwise, unrelated "normal" transfers can
starve out new DoH requests making it impossible to name resolve for new
transfers.
Bug: https://curl.se/mail/lib-2024-06/0001.html
Reported-by: kartatz
Closes #13880
Conflict:context adapt
Reference:https://github.com/curl/curl/commit/b049388d473a9a0189f3180e57e04a39a3793382
---
lib/url.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index 41e35e153..4eabf0c87 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3662,10 +3662,16 @@ static CURLcode create_conn(struct Curl_easy *data,
if(conn_candidate)
(void)Curl_disconnect(data, conn_candidate,
/* dead_connection */ FALSE);
- else {
- infof(data, "No connections available in cache\n");
- connections_available = FALSE;
- }
+ else
+#ifndef CURL_DISABLE_DOH
+ if(data->set.dohfor)
+ infof(data, "Allowing DoH to override max connection limit");
+ else
+#endif
+ {
+ infof(data, "No connections available in cache");
+ connections_available = FALSE;
+ }
}
if(!connections_available) {
--
2.33.0

37
curl.spec
View File

@ -6,7 +6,7 @@
Name: curl
Version: 7.71.1
Release: 35
Release: 40
Summary: Curl is used in command lines or scripts to transfer data
License: MIT
URL: https://curl.haxx.se/
@ -84,6 +84,11 @@ Patch171: backport-tool_cb_rea-limit-rate-unpause-for-T-.-uploads.patch
Patch172: backport-tool_cfgable-free-proxy_-cipher13_list-on-exit.patch
Patch173: backport-0001-CVE-2024-7264.patch
Patch174: backport-0002-CVE-2024-7264.patch
Patch175: backport-CVE-2024-8096-gtls-fix-OCSP-stapling-management.patch
Patch176: backport-url-allow-DoH-transfers-to-override-max-connection-limit.patch
Patch177: backport-multi-check-that-the-multi-handle-is-valid-in-curl_m.patch
Patch178: backport-cookie-treat-cookie-name-case-sensitively.patch
Patch179: backport-CVE-2025-0725.patch
BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
@ -248,6 +253,36 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_mandir}/man3/*
%changelog
* Sat Feb 08 2025 zhouyihang <zhouyihang3@h-partners.com> - 7.71.1-40
- Type:CVE
- CVE:CVE-2025-0725
- SUG:NA
- DESC:fix CVE-2025-0725
* Mon Dec 09 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.71.1-39
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:cookie: treat cookie name case sensitively
* Sat Nov 30 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.71.1-38
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:multi: check that the multi handle is valid in curl_multi_assign
* Fri Sep 20 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.71.1-37
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:url: allow DoH transfers to override max connection limit
* Thu Sep 12 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.71.1-36
- Type:CVE
- CVE:CVE-2024-8096
- SUG:NA
- DESC:fix CVE-2024-8096
* Mon Aug 05 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.71.1-35
- Type:CVE
- CVE:CVE-2024-7264