diff --git a/backport-CVE-2024-2398.patch b/backport-CVE-2024-2398.patch new file mode 100644 index 0000000..bc055a7 --- /dev/null +++ b/backport-CVE-2024-2398.patch @@ -0,0 +1,89 @@ +From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 + +Conflict:NA +Reference:http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.81.0-1ubuntu1.16.debian.tar.xz +--- + lib/http2.c | 32 ++++++++++++++------------------ + 1 file changed, 14 insertions(+), 18 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index 6d63f43..f5c6013 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -547,6 +547,15 @@ static int set_transfer_url(struct Curl_easy *data, + return 0; + } + ++static void free_push_headers(struct HTTP *stream) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + static int push_promise(struct Curl_easy *data, + struct connectdata *conn, + const nghttp2_push_promise *frame) +@@ -560,7 +569,6 @@ static int push_promise(struct Curl_easy *data, + struct curl_pushheaders heads; + CURLMcode rc; + struct http_conn *httpc; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = duphandle(data); + if(!newhandle) { +@@ -596,11 +604,7 @@ static int push_promise(struct Curl_easy *data, + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); +@@ -1037,10 +1041,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, + stream->push_headers_alloc) { + char **headp; + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; +@@ -1206,15 +1210,7 @@ void Curl_http2_done(struct Curl_easy *data, bool premature) + setup */ + Curl_dyn_free(&http->header_recvbuf); + Curl_dyn_free(&http->trailer_recvbuf); +- if(http->push_headers) { +- /* if they weren't used and then freed before */ +- for(; http->push_headers_used > 0; --http->push_headers_used) { +- free(http->push_headers[http->push_headers_used - 1]); +- } +- free(http->push_headers); +- http->push_headers = NULL; +- } +- ++ free_push_headers(http); + if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) || + !httpc->h2) /* not HTTP/2 ? */ + return; +-- +2.33.0 \ No newline at end of file diff --git a/curl.spec b/curl.spec index 374491e..601675c 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 7.79.1 -Release: 27 +Release: 28 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ @@ -96,6 +96,7 @@ Patch82: backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch Patch83: backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch Patch84: backport-transfer-also-stop-the-sending-on-closed-connection.patch Patch85: backport-openssl-avoid-BN_num_bits-NULL-pointer-derefs.patch +Patch86: backport-CVE-2024-2398.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel @@ -264,6 +265,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Fri Mar 29 2024 zhouyihang - 7.79.1-28 +- Type:CVE +- CVE:CVE-2024-2398 +- SUG:NA +- DESC:fix CVE-2024-2398 + * Fri Jan 05 2024 zhouyihang - 7.79.1-27 - Type:bugfix - CVE:NA