diff --git a/backport-0002-CVE-2023-23916.patch b/backport-0002-CVE-2023-23916.patch index 1b607a0..5d07ea1 100644 --- a/backport-0002-CVE-2023-23916.patch +++ b/backport-0002-CVE-2023-23916.patch @@ -64,7 +64,7 @@ index 879d846..660ee28 100644 test409 test410 \ -\ +test418 \ - test430 test431 test432 test433 test434 test435 test445 test446\ + test430 test431 test432 test433 test434 test435 test446\ \ test490 test491 test492 test493 test494 \ diff --git a/tests/data/test418 b/tests/data/test418 diff --git a/backport-0004-CVE-2023-23914-CVE-2023-23915.patch b/backport-0004-CVE-2023-23914-CVE-2023-23915.patch index 4a9fd2e..3d46901 100644 --- a/backport-0004-CVE-2023-23914-CVE-2023-23915.patch +++ b/backport-0004-CVE-2023-23914-CVE-2023-23915.patch @@ -19,8 +19,8 @@ index f79b63e..879d846 100644 test400 test401 test402 test403 test404 test405 test406 test407 test408 \ test409 test410 \ \ --test430 test431 test432 test433 test434 test435 test445\ -+test430 test431 test432 test433 test434 test435 test445 test446\ +-test430 test431 test432 test433 test434 test435 \ ++test430 test431 test432 test433 test434 test435 test446\ \ test490 test491 test492 test493 test494 \ \ diff --git a/backport-CVE-2022-42915.patch b/backport-CVE-2022-42915.patch index 66d4268..eb49b16 100644 --- a/backport-CVE-2022-42915.patch +++ b/backport-CVE-2022-42915.patch @@ -10,25 +10,27 @@ Closes #9790 Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89 Signed-off-by: Kamil Dudka -Conflict: NA +Conflict: context adapt Reference:https://src.fedoraproject.org/rpms/curl/blob/f35/f/0017-curl-7.82.0-CVE-2022-42915.patch --- - lib/http_proxy.c | 3 +-- + lib/http_proxy.c | 6 ++---- lib/url.c | 9 --------- - 2 files changed, 1 insertion(+), 11 deletions(-) + 2 files changed, 2 insertion(+), 13 deletions(-) diff --git a/lib/http_proxy.c b/lib/http_proxy.c index 1f87f6c..cc20b3a 100644 --- a/lib/http_proxy.c 
+++ b/lib/http_proxy.c -@@ -207,9 +207,8 @@ static void connect_done(struct Curl_easy *data) +@@ -207,10 +207,8 @@ static void connect_done(struct Curl_easy *data) Curl_dyn_free(&s->rcvbuf); Curl_dyn_free(&s->req); -- /* retore the protocol pointer */ -+ /* restore the protocol pointer */ - data->req.p.http = s->prot_save; +- /* restore the protocol pointer, if not already done */ +- if(s->prot_save) +- data->req.p.http = s->prot_save; - s->prot_save = NULL; ++ /* restore the protocol pointer */ ++ data->req.p.http = s->prot_save; infof(data, "CONNECT phase completed!"); } } @@ -77,9 +79,9 @@ index 1f774ce..f79b63e 100644 @@ -67,7 +67,7 @@ test392 test393 test394 test395 test396 test397 \ test400 test401 test402 test403 test404 test405 test406 test407 test408 \ test409 test410 \ - \ --test430 test431 test432 test433 test434 test435 \ -+test430 test431 test432 test433 test434 test435 test445\ + test418 \ +-test430 test431 test432 test433 test434 test435 test446\ ++test430 test431 test432 test433 test434 test435 test445 test446\ \ test490 test491 test492 test493 test494 \ \ diff --git a/backport-Curl_connect_done-handle-being-called-twice.patch b/backport-Curl_connect_done-handle-being-called-twice.patch new file mode 100644 index 0000000..a660c3c --- /dev/null +++ b/backport-Curl_connect_done-handle-being-called-twice.patch 
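Review bot: The re-based `connect_done` hunk in backport-CVE-2022-42915.patch now deletes the `if(s->prot_save)` guard and the `s->prot_save = NULL;` reset that backport-Curl_connect_done-handle-being-called-twice.patch (Patch50) adds, so once Patch54 is applied the restore `data->req.p.http = s->prot_save;` is unconditional again and `prot_save` stays set. After the whole series, the only visible protection against a second call is the `s && (s->tunnel_state != TUNNEL_EXIT)` test that the multi/CONNECT backport puts at the top of `Curl_connect_done`. The function body starts outside this hunk, so it is worth confirming that no path resets `tunnel_state` between two calls. The header should record the interaction, for example `Conflict: context adapt (supersedes the prot_save guard added by Patch50)`. The inner `@@` line still names `static void connect_done(...)` although the function is `Curl_connect_done` by the time this patch applies, and the stat line reads `2 insertion(+)`; both are cosmetic.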
@@ -0,0 +1,38 @@
+From b89a4b5191e8471acca14d7de904213b0aa20125 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 12 Nov 2021 13:34:49 +0100
+Subject: [PATCH 1/1] Curl_connect_done: handle being called twice
+
+Follow-up to f0b7099a10d1a7c
+
+When torture testing 1021, it turns out the Curl_connect_done function
+might be called twice and that previously then wrongly cleared the HTTP
+pointer in the second invoke.
+
+Closes #7999
+
+Conflict:context adapt
+Reference:https://github.com/curl/curl/commit/b89a4b5191e8471acca14d7de904213b0aa20125
+---
+ lib/http_proxy.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index cfe616fa6..2555b401a 100644
+--- a/lib/http_proxy.c
++++ b/lib/http_proxy.c
+@@ -207,8 +207,9 @@ void Curl_connect_done(struct Curl_easy *data)
+ Curl_dyn_free(&s->rcvbuf);
+ Curl_dyn_free(&s->req);
+
+- /* retore the protocol pointer */
+- data->req.p.http = s->prot_save;
++ /* restore the protocol pointer, if not already done */
++ if(s->prot_save)
++ data->req.p.http = s->prot_save;
+ s->prot_save = NULL;
+ infof(data, "CONNECT phase completed!");
+ }
+--
+2.33.0
+
diff --git a/backport-curl_easy_cleanup.3-remove-from-multi-handle-first.patch b/backport-curl_easy_cleanup.3-remove-from-multi-handle-first.patch
new file mode 100644
index 0000000..0df8382
--- /dev/null
+++ b/backport-curl_easy_cleanup.3-remove-from-multi-handle-first.patch
@@ -0,0 +1,36 @@
+From 11a46d6d66c32e4be7015aca92008d979f8b90a2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 10 Nov 2021 08:41:51 +0100
+Subject: [PATCH] curl_easy_cleanup.3: remove from multi handle first
+
+Easy handles that are used by the multi interface should be removed from
+the multi handle before they are cleaned up.
+
+Reported-by: Stephen M. Coakley
+Ref: #7982
+Closes #7983
+
+Conflict:context adapt
+Reference:https://github.com/curl/curl/commit/f0b7099a10d1a7cfbbe8f67b0ecdff5846f9805b
+---
+ docs/libcurl/curl_easy_cleanup.3 | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/docs/libcurl/curl_easy_cleanup.3 b/docs/libcurl/curl_easy_cleanup.3
+index 3c3425624..c62f4e073 100644
+--- a/docs/libcurl/curl_easy_cleanup.3
++++ b/docs/libcurl/curl_easy_cleanup.3
+@@ -47,6 +47,10 @@ Any use of the \fBhandle\fP after this function has been called and have
+ returned, is illegal. \fIcurl_easy_cleanup(3)\fP kills the handle and all
+ memory associated with it!
+
++To close an easy handle that has been used with the multi interface, make sure
++to call \fIcurl_multi_remove_handle(3)\fP first to remove it from the multi
++handle before it is closed.
++
+ Passing in a NULL pointer in \fIhandle\fP will make this function return
+ immediately with no action.
+ .SH "OLD TIMES"
+--
+2.33.0
+
diff --git a/backport-http_proxy-make-Curl_connect_done-work-for-proxy-dis.patch b/backport-http_proxy-make-Curl_connect_done-work-for-proxy-dis.patch
new file mode 100644
index 0000000..1f12078
--- /dev/null
+++ b/backport-http_proxy-make-Curl_connect_done-work-for-proxy-dis.patch
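Review bot: The `Reference:` trailer of backport-curl_easy_cleanup.3-remove-from-multi-handle-first.patch points at commit f0b7099a10d1a7cfbbe8f67b0ecdff5846f9805b, while its `From` line carries 11a46d6d66c32e4be7015aca92008d979f8b90a2. The f0b7099a hash belongs to the separate "multi: shut down CONNECT in Curl_detach_connnection" backport added in this same change. Anyone auditing the package against upstream would be sent to the wrong commit, so the trailer should presumably read `Reference:https://github.com/curl/curl/commit/11a46d6d66c32e4be7015aca92008d979f8b90a2`. The header also says `Conflict:context adapt` for a four-line man-page insertion without stating what was adapted.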
@@ -0,0 +1,46 @@
+From 2989b11377c215884ae5a50c07607f75a31dc2ff Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 12 Nov 2021 08:08:34 +0100
+Subject: [PATCH] http_proxy: make Curl_connect_done() work for proxy disabled
+ builds
+
+... by making it an empty macro then.
+
+Follow-up to f0b7099a10d1a
+Reported-by: Vincent Grande
+Fixes #7995
+Closes #7996
+
+Conflict:NA
+Reference:https://github.com/curl/curl/commit/2989b11377c215884ae5a50c07607f75a31dc2ff
+---
+ lib/http_proxy.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http_proxy.h b/lib/http_proxy.h
+index cdf8de4fb..2820e1184 100644
+--- a/lib/http_proxy.h
++++ b/lib/http_proxy.h
+@@ -39,6 +39,7 @@ CURLcode Curl_proxy_connect(struct Curl_easy *data, int sockindex);
+ bool Curl_connect_complete(struct connectdata *conn);
+ bool Curl_connect_ongoing(struct connectdata *conn);
+ int Curl_connect_getsock(struct connectdata *conn);
++void Curl_connect_done(struct Curl_easy *data);
+
+ #else
+ #define Curl_proxyCONNECT(x,y,z,w) CURLE_NOT_BUILT_IN
+@@ -46,10 +47,10 @@ int Curl_connect_getsock(struct connectdata *conn);
+ #define Curl_connect_complete(x) CURLE_OK
+ #define Curl_connect_ongoing(x) FALSE
+ #define Curl_connect_getsock(x) 0
++#define Curl_connect_done(x)
+ #endif
+
+ void Curl_connect_free(struct Curl_easy *data);
+-void Curl_connect_done(struct Curl_easy *data);
+
+ /* struct for HTTP CONNECT state data */
+ struct http_connect_state {
+--
+2.33.0
+
diff --git a/backport-lib1939-make-it-endure-torture-tests.patch b/backport-lib1939-make-it-endure-torture-tests.patch
new file mode 100644
index 0000000..ea25706
--- /dev/null
+++ b/backport-lib1939-make-it-endure-torture-tests.patch
@@ -0,0 +1,90 @@
+From 26247a0d7e24c06d5b250f044a951441674a4484 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 13 Nov 2021 14:13:20 +0100
+Subject: [PATCH 1/1] lib1939: make it endure torture tests
+
+Follow-up to f0b7099a10d1a
+
+Closes #8007
+
+Conflict:NA
+Reference:https://github.com/curl/curl/commit/26247a0d7e24c06d5b250f044a951441674a4484
+---
+ tests/libtest/lib1939.c | 55 +++++++++++++++++++----------------------
+ 1 file changed, 26 insertions(+), 29 deletions(-)
+
+diff --git a/tests/libtest/lib1939.c b/tests/libtest/lib1939.c
+index 644617712..510215dbd 100644
+--- a/tests/libtest/lib1939.c
++++ b/tests/libtest/lib1939.c
+@@ -33,41 +33,38 @@ int test(char *URL)
+ curl_global_init(CURL_GLOBAL_DEFAULT);
+
+ multi = curl_multi_init();
+- if(!multi)
+- return 1;
++ if(multi) {
++ easy = curl_easy_init();
++ if(easy) {
++ CURLcode c;
++ CURLMcode m;
+
+- easy = curl_easy_init();
+- if(easy) {
+- CURLcode c;
+- CURLMcode m;
++ /* Crash only happens when using HTTPS */
++ c = curl_easy_setopt(easy, CURLOPT_URL, URL);
++ if(!c)
++ /* Any old HTTP tunneling proxy will do here */
++ c = curl_easy_setopt(easy, CURLOPT_PROXY, libtest_arg2);
+
+- /* Crash only happens when using HTTPS */
+- c = curl_easy_setopt(easy, CURLOPT_URL, URL);
+- if(!c)
+- /* Any old HTTP tunneling proxy will do here */
+- c = curl_easy_setopt(easy, CURLOPT_PROXY, libtest_arg2);
++ if(!c) {
+
+- if(c)
+- return 2;
++ /* We're going to drive the transfer using multi interface here,
++ because we want to stop during the middle. */
++ m = curl_multi_add_handle(multi, easy);
+
+- /* We're going to drive the transfer using multi interface here, because we
+- want to stop during the middle. */
+- m = curl_multi_add_handle(multi, easy);
++ if(!m)
++ /* Run the multi handle once, just enough to start establishing an
++ HTTPS connection. */
++ m = curl_multi_perform(multi, &running_handles);
+
+- if(!m)
+- /* Run the multi handle once, just enough to start establishing an HTTPS
+- connection. */
+- m = curl_multi_perform(multi, &running_handles);
+-
+- if(m)
+- return 3;
+-
+- /* Close the easy handle *before* the multi handle. Doing it the other way
+- around avoids the issue. */
+- curl_easy_cleanup(easy);
++ if(m)
++ fprintf(stderr, "curl_multi_perform failed\n");
++ }
++ /* Close the easy handle *before* the multi handle. Doing it the other
++ way around avoids the issue. */
++ curl_easy_cleanup(easy);
++ }
++ curl_multi_cleanup(multi); /* double-free happens here */
+ }
+- curl_multi_cleanup(multi); /* double-free happens here */
+-
+ curl_global_cleanup();
+ return CURLE_OK;
+ }
+--
+2.33.0
+
diff --git a/backport-multi-shut-down-CONNECT-in-Curl_detach_connnection.patch b/backport-multi-shut-down-CONNECT-in-Curl_detach_connnection.patch
new file mode 100644
index 0000000..042b4dc
--- /dev/null
+++ b/backport-multi-shut-down-CONNECT-in-Curl_detach_connnection.patch
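Review bot: After this rewrite `test()` in lib1939.c returns `CURLE_OK` on every path: a NULL from `curl_multi_init()` or `curl_easy_init()` and a failing `curl_easy_setopt()` are skipped silently, and a failing `curl_multi_add_handle()` or `curl_multi_perform()` only prints `curl_multi_perform failed` to stderr. The cleanup-on-all-paths shape is what the torture run needs, but a normal run can now pass without reaching the easy-before-multi cleanup order that the test exists to exercise. If the harness tolerates a non-zero result under torture, carry the outcome in a local: `int res = 1;` at the top, `res = 0;` once `curl_multi_perform()` has succeeded, and `return res;` after `curl_global_cleanup()`. The return value of `curl_global_init()` is also ignored. The declarations of `test()` sit before the start of this hunk.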
@@ -0,0 +1,259 @@
+From f0b7099a10d1a7cfbbe8f67b0ecdff5846f9805b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 10 Nov 2021 14:42:04 +0100
+Subject: [PATCH 1/1] multi: shut down CONNECT in Curl_detach_connnection
+
+... to prevent a lingering pointer that would lead to a double-free.
+
+Added test 1939 to verify.
+
+Reported-by: Stephen M. Coakley
+Fixes #7982
+Closes #7986
+
+Conflict:context adapt of test makefile
+Reference:https://github.com/curl/curl/commit/f0b7099a10d1a7cfbbe8f67b0ecdff5846f9805b
+---
+ lib/http_proxy.c | 10 +++---
+ lib/multi.c | 1 +
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test1939 | 52 +++++++++++++++++++++++++++
+ tests/libtest/Makefile.inc | 5 +++-
+ tests/libtest/lib1939.c | 73 ++++++++++++++++++++++++++++++++++++++
+ 6 files changed, 137 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test1939
+ create mode 100644 tests/libtest/lib1939.c
+
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index fc050a07d..cfe616fa6 100644
+--- a/lib/http_proxy.c
++++ b/lib/http_proxy.c
+@@ -198,11 +198,11 @@ static CURLcode connect_init(struct Curl_easy *data, bool reinit)
+ return CURLE_OK;
+ }
+
+-static void connect_done(struct Curl_easy *data)
++void Curl_connect_done(struct Curl_easy *data)
+ {
+ struct connectdata *conn = data->conn;
+ struct http_connect_state *s = conn->connect_state;
+- if(s->tunnel_state != TUNNEL_EXIT) {
++ if(s && (s->tunnel_state != TUNNEL_EXIT)) {
+ s->tunnel_state = TUNNEL_EXIT;
+ Curl_dyn_free(&s->rcvbuf);
+ Curl_dyn_free(&s->req);
+@@ -662,7 +662,7 @@ static CURLcode CONNECT(struct Curl_easy *data,
+ if(s->close_connection && data->req.newurl) {
+ conn->bits.proxy_connect_closed = TRUE;
+ infof(data, "Connect me again please");
+- connect_done(data);
++ Curl_connect_done(data);
+ }
+ else {
+ free(data->req.newurl);
+@@ -974,7 +974,7 @@ static CURLcode CONNECT(struct Curl_easy *data,
+ if(conn->bits.close && data->req.newurl) {
+ conn->bits.proxy_connect_closed = TRUE;
+ infof(data, "Connect me again please");
+- connect_done(data);
++ Curl_connect_done(data);
+ }
+ else {
+ free(data->req.newurl);
+@@ -1048,7 +1048,7 @@ CURLcode Curl_proxyCONNECT(struct Curl_easy *data,
+ result = CONNECT(data, sockindex, hostname, remote_port);
+
+ if(result || Curl_connect_complete(conn))
+- connect_done(data);
++ Curl_connect_done(data);
+
+ return result;
+ }
+diff --git a/lib/multi.c b/lib/multi.c
+index f307d63b9..ce634fcac 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -878,6 +878,7 @@ void Curl_detach_connnection(struct Curl_easy *data)
+ {
+ struct connectdata *conn = data->conn;
+ if(conn) {
++ Curl_connect_done(data); /* if mid-CONNECT, shut it down */
+ Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL);
+ Curl_ssl_detach_conn(data, conn);
+ }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 9a8b64bed..b6a503e72 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -216,7 +216,7 @@ test1800 test1801 \
+ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \
+ test1916 test1917 test1918 \
+ \
+-test1933 test1934 test1935 test1936 \
++test1933 test1934 test1935 test1936 test1939 \
+ \
+ test2000 test2001 test2002 test2003 test2004 \
+ \
+diff --git a/tests/data/test1939 b/tests/data/test1939
+new file mode 100644
+index 000000000..0b9987b5b
+--- /dev/null
++++ b/tests/data/test1939
+@@ -0,0 +1,52 @@
++
++
++
++CONNECT
++curl_easy_cleanup
++
++
++
++# Server-side
++
++
++HTTP/1.1 302 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Type: text/html
++Content-Length: 0
++Location: /%TESTNUMBER0002
++
++
++
++HTTP/1.1 200 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Content-Type: text/html
++Content-Length: 0
++
++
++
++
++# Client-side
++
++
++https
++http-proxy
++
++
++
++curl_easy_cleanup without curl_multi_remove_handle - in CONNECT
++
++
++lib%TESTNUMBER
++
++
++
++https://%HOSTIP:%HTTPPORT/%TESTNUMBER http://%HOSTIP:%PROXYPORT
++
++
++
++# Verify data after the test has been "shot"
++
++
++
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 8cea7c014..62a7675b1 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -61,6 +61,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \
+ lib1591 lib1592 lib1593 lib1594 lib1596 \
+ lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \
+ lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \
++ lib1939 \
+ lib3010
+
+ chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \
+@@ -715,6 +716,10 @@ lib1938_SOURCES = lib1938.c $(SUPPORTFILES)
+ lib1936_LDADD = $(TESTUTIL_LIBS)
+ lib1936_CPPFLAGS = $(AM_CPPFLAGS)
+
++lib1939_SOURCES = lib1939.c $(SUPPORTFILES)
++lib1939_LDADD = $(TESTUTIL_LIBS)
++lib1939_CPPFLAGS = $(AM_CPPFLAGS)
++
+ lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib3010_LDADD = $(TESTUTIL_LIBS)
+ lib3010_CPPFLAGS = $(AM_CPPFLAGS)
+diff --git a/tests/libtest/lib1939.c b/tests/libtest/lib1939.c
+new file mode 100644
+index 000000000..644617712
+--- /dev/null
++++ b/tests/libtest/lib1939.c
+@@ -0,0 +1,73 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++
++#include "test.h"
++
++#include "memdebug.h"
++
++int test(char *URL)
++{
++ CURLM *multi;
++ CURL *easy;
++ int running_handles;
++
++ curl_global_init(CURL_GLOBAL_DEFAULT);
++
++ multi = curl_multi_init();
++ if(!multi)
++ return 1;
++
++ easy = curl_easy_init();
++ if(easy) {
++ CURLcode c;
++ CURLMcode m;
++
++ /* Crash only happens when using HTTPS */
++ c = curl_easy_setopt(easy, CURLOPT_URL, URL);
++ if(!c)
++ /* Any old HTTP tunneling proxy will do here */
++ c = curl_easy_setopt(easy, CURLOPT_PROXY, libtest_arg2);
++
++ if(c)
++ return 2;
++
++ /* We're going to drive the transfer using multi interface here, because we
++ want to stop during the middle. */
++ m = curl_multi_add_handle(multi, easy);
++
++ if(!m)
++ /* Run the multi handle once, just enough to start establishing an HTTPS
++ connection. */
++ m = curl_multi_perform(multi, &running_handles);
++
++ if(m)
++ return 3;
++
++ /* Close the easy handle *before* the multi handle. Doing it the other way
++ around avoids the issue. */
++ curl_easy_cleanup(easy);
++ }
++ curl_multi_cleanup(multi); /* double-free happens here */
++
++ curl_global_cleanup();
++ return CURLE_OK;
++}
+--
+2.33.0
+
diff --git a/backport-test1939-require-proxy-support-to-run.patch b/backport-test1939-require-proxy-support-to-run.patch
new file mode 100644
index 0000000..3787b66
--- /dev/null
+++ b/backport-test1939-require-proxy-support-to-run.patch
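Review bot: `Curl_connect_done()` gains external linkage in the lib/http_proxy.c part of this backport and a new caller in `Curl_detach_connnection()`, but it still reads `conn->connect_state` from `data->conn` without checking `conn`; only `s` is now NULL-checked. The new call in lib/multi.c sits inside `if(conn)`, and the three CONNECT call sites presumably always run with a connection attached, so this is a contract that nothing states. A short comment above the definition, such as `/* data->conn must be non-NULL; a no-op when no CONNECT is in progress */`, together with `DEBUGASSERT(conn);` before the dereference, would make the precondition explicit for later callers. The rest of the function body lies outside the first http_proxy.c hunk.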
@@ -0,0 +1,32 @@
+From b7e1443a1d59feea9fc63e5b78276153ac635438 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 13 Nov 2021 23:43:24 +0100
+Subject: [PATCH 1/1] test1939: require proxy support to run
+
+Follow-up to f0b7099a10d1a
+
+Closes #8011
+
+Conflict:NA
+Reference:https://github.com/curl/curl/commit/b7e1443a1d59feea9fc63e5b78276153ac635438
+---
+ tests/data/test1939 | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/data/test1939 b/tests/data/test1939
+index 0b9987b5b..19dc74d2b 100644
+--- a/tests/data/test1939
++++ b/tests/data/test1939
+@@ -29,6 +29,9 @@ Content-Length: 0
+
+ # Client-side
+
++
++proxy
++
+
+ https
+ http-proxy
+--
+2.33.0
+
diff --git a/backport-tftp-mark-protocol-as-not-possible-to-do-over-CONNEC.patch b/backport-tftp-mark-protocol-as-not-possible-to-do-over-CONNEC.patch
new file mode 100644
index 0000000..185e4d7
--- /dev/null
+++ b/backport-tftp-mark-protocol-as-not-possible-to-do-over-CONNEC.patch
@@ -0,0 +1,63 @@
+From 4d97fe547322c4ad0868e2282476b1a7d2027f86 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 15 Nov 2021 16:51:32 +0100
+Subject: [PATCH 1/1] tftp: mark protocol as not possible to do over CONNECT
+
+... and make connect_init() refusing trying to tunnel protocols marked
+as not working. Avoids a double-free.
+
+Reported-by: Even Rouault
+Fixes #8018
+Closes #8020
+
+Conflict:remove a chunk because the change exists
+Reference:https://github.com/curl/curl/commit/4d97fe547322c4ad0868e2282476b1a7d2027f86
+---
+ lib/http_proxy.c | 4 ++++
+ lib/tftp.c | 2 +-
+ lib/urldata.h | 1 +
+ 3 files changed, 6 insertions(+), 1 deletions(-)
+
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index 2555b401a..e788babed 100644
+--- a/lib/http_proxy.c
++++ b/lib/http_proxy.c
+@@ -158,6 +158,10 @@ static CURLcode connect_init(struct Curl_easy *data, bool reinit)
+ {
+ struct http_connect_state *s;
+ struct connectdata *conn = data->conn;
++ if(conn->handler->flags & PROTOPT_NOTCPPROXY) {
++ failf(data, "%s cannot be done over CONNECT", conn->handler->scheme);
++ return CURLE_UNSUPPORTED_PROTOCOL;
++ }
+ if(!reinit) {
+ CURLcode result;
+ DEBUGASSERT(!conn->connect_state);
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 7e5246f01..f8c68441c 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -186,7 +186,7 @@ const struct Curl_handler Curl_handler_tftp = {
+ PORT_TFTP, /* defport */
+ CURLPROTO_TFTP, /* protocol */
+ CURLPROTO_TFTP, /* family */
+- PROTOPT_NONE | PROTOPT_NOURLQUERY /* flags */
++ PROTOPT_NOTCPPROXY | PROTOPT_NOURLQUERY /* flags */
+ };
+
+ /**********************************************************
+diff --git a/lib/urldata.h b/lib/urldata.h
+index f12e99b8d..22c66cd44 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -835,6 +835,7 @@ struct Curl_handler {
+ #define PROTOPT_WILDCARD (1<<12) /* protocol supports wildcard matching */
+ #define PROTOPT_USERPWDCTRL (1<<13) /* Allow "control bytes" (< 32 ascii) in
+ user name and password */
++#define PROTOPT_NOTCPPROXY (1<<14) /* this protocol can't proxy over TCP */
+
+ #define CONNCHECK_NONE 0 /* No checks */
+ #define CONNCHECK_ISDEAD (1<<0) /* Check if the connection is dead. */
+--
+2.33.0
+
diff --git a/curl.spec b/curl.spec
index 79308a8..5964955 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@ Name: curl Version: 7.79.1 -Release: 20 +Release: 21 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/
@@ -30,7 +30,6 @@ Patch15: backport-fix-configure-disable-http-auth-build-error.patch Patch16: backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch Patch17: backport-CVE-2022-32221.patch Patch18: backport-CVE-2022-42916.patch -Patch19: backport-CVE-2022-42915.patch Patch20: backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch Patch21: backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch Patch22: backport-0001-CVE-2023-23914-CVE-2023-23915.patch
@@ -58,6 +57,14 @@ Patch43: backport-tool_getparam-repair-cleanarg.patch Patch44: backport-tool_getparam-fix-cleanarg-for-unicode-builds.patch Patch45: backport-getparam-correctly-clean-args.patch Patch46: backport-tool_getparam-fix-hiding-of-command-line-secrets.patch +Patch47: backport-multi-shut-down-CONNECT-in-Curl_detach_connnection.patch +Patch48: backport-curl_easy_cleanup.3-remove-from-multi-handle-first.patch +Patch49: backport-http_proxy-make-Curl_connect_done-work-for-proxy-dis.patch +Patch50: backport-Curl_connect_done-handle-being-called-twice.patch +Patch51: backport-tftp-mark-protocol-as-not-possible-to-do-over-CONNEC.patch +Patch52: backport-test1939-require-proxy-support-to-run.patch +Patch53: backport-lib1939-make-it-endure-torture-tests.patch +Patch54: backport-CVE-2022-42915.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
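Review bot: The tftp backport's header says `Conflict:remove a chunk because the change exists` without naming the dropped chunk or the patch that already carries it, which makes the file hard to check against the upstream commit in `Reference:`; the stat line was also left as `1 deletions(-)`. In the code, the new early return in `connect_init()` sits ahead of the `if(!reinit)` block, but nothing in this change exercises a TFTP URL through an HTTP tunnelling proxy, so a later re-base could move or drop the check without any test failing. The comment on `PROTOPT_NOTCPPROXY` would be clearer as `/* cannot be tunnelled through an HTTP CONNECT proxy */`, since `connect_init()` is the only place the flag is tested here. The body of `connect_init()` continues past the end of its hunk.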
@@ -226,6 +233,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Mon Jul 03 2023 zhouyihang - 7.79.1-21 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:fix double-free when using https with tunneling proxy + * Mon Jun 19 2023 zhouyihang - 7.79.1-20 - Type:bugfix - CVE:NA