new upstream release - 7.77.0

Resolves: CVE-2021-22901 - TLS session caching disaster
Resolves: CVE-2021-22898 - TELNET stack contents disclosure
This commit is contained in:
Kamil Dudka 2021-05-26 09:13:52 +02:00
parent 4b7b124d75
commit 4c89d92ee7
6 changed files with 20 additions and 152 deletions

View File

@ -1,133 +0,0 @@
From 2281afef6757ed66c9e8a9a737aa91cb9e2950ef Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 30 Apr 2021 18:14:45 +0200
Subject: [PATCH 1/2] http2: fix resource leaks in set_transfer_url()
... detected by Coverity:
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Closes #6986
Upstream-commit: 31931704707324af4b4edb24cc877829f7e9949e
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/http2.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/lib/http2.c b/lib/http2.c
index ce9a0d3..d5ba89b 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -500,32 +500,42 @@ static int set_transfer_url(struct Curl_easy *data,
CURLU *u = curl_url();
CURLUcode uc;
char *url;
+ int rc = 0;
v = curl_pushheader_byname(hp, ":scheme");
if(v) {
uc = curl_url_set(u, CURLUPART_SCHEME, v, 0);
- if(uc)
- return 1;
+ if(uc) {
+ rc = 1;
+ goto fail;
+ }
}
v = curl_pushheader_byname(hp, ":authority");
if(v) {
uc = curl_url_set(u, CURLUPART_HOST, v, 0);
- if(uc)
- return 2;
+ if(uc) {
+ rc = 2;
+ goto fail;
+ }
}
v = curl_pushheader_byname(hp, ":path");
if(v) {
uc = curl_url_set(u, CURLUPART_PATH, v, 0);
- if(uc)
- return 3;
+ if(uc) {
+ rc = 3;
+ goto fail;
+ }
}
uc = curl_url_get(u, CURLUPART_URL, &url, 0);
if(uc)
- return 4;
+ rc = 4;
+ fail:
curl_url_cleanup(u);
+ if(rc)
+ return rc;
if(data->state.url_alloc)
free(data->state.url);
--
2.30.2
From 92ad72983f8462be1d5a5228672657ddf4d7ed72 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 30 Apr 2021 18:18:02 +0200
Subject: [PATCH 2/2] http2: fix a resource leak in push_promise()
... detected by Coverity:
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
Closes #6986
Upstream-commit: 3a6058cb976981ec1db870f9657c73c9a1162822
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/http2.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/http2.c b/lib/http2.c
index d5ba89b..d0f69ea 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -581,6 +581,7 @@ static int push_promise(struct Curl_easy *data,
rv = set_transfer_url(newhandle, &heads);
if(rv) {
+ (void)Curl_close(&newhandle);
rv = CURL_PUSH_DENY;
goto fail;
}
--
2.30.2

View File

@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
index 080421b..ea3b806 100644
--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
@@ -600,6 +600,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
lib1559_LDADD = $(TESTUTIL_LIBS)
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)

View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmB2hJEACgkQXMkI/bce
EsJN2Qf9GFcide66cPmOPEVW9Lu9dYmg5R6g6KanvxCO02CrdlCzD1Z49M7YjJdp
dU6sP71/BWqI0+IoUd+94O39BR96ARqPgL3TjPf1Fux8x5PeaUP0oD0TaSGq635m
da930dB1RABlvf5/0L9A5+x+Mkgjk/u+RCeoX1nh6WF0HLZ9RSQmBSBxuInzZgHe
Q5bAj1DSOrDizHQ2yvNqymmDqUZVeiusIc3QIzTIwsFSg0PbBqG9sYUCSMdeVSjm
jGcyp5EjyzCyBq7YIzA7VpSRvNTGFr7Q+QP+Sm68kZ6AMCCn/a83jiFUfMyy7H5/
PEKUqdkKrPScu7DKFWAyqL5DWXt7cA==
=GTGl
-----END PGP SIGNATURE-----

11
curl-7.77.0.tar.xz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmCt6IwACgkQXMkI/bce
EsJd+Af/YCvzoV76IFh2aJpoi74XOglG327GQWnJRAt6VooIXvBPddundYOSepAw
OQbReLSQgzmWIICjp4GnV/+gkNodpqJPB1uFHo8AHEBsiVJBTNO7c/mGirQlp5TM
f5xGP8cf1OxwDJ6PBAHAYl4s71t6CWm0C2nf8x24ROlDsO85lz+yFCg1665IbZvp
PFSfeIGHwyUoZesBmBFznm5KI5yc+Yn9gxsq3ujPYMvjMH7KFdw7zQu3SzYjT1+w
bHqVul6+SC8laHuIqZfKnvrjLJMcIhe0vADoyV0/P64ZJ/4X2tGBrpxtXUJJ9S9C
Cif/PNjYIGKg9Mk8odMjXzo8EcVFGA==
=+IKy
-----END PGP SIGNATURE-----

View File

@ -1,13 +1,10 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.76.1
Release: 2%{?dist}
Version: 7.77.0
Release: 1%{?dist}
License: MIT
Source: https://curl.se/download/%{name}-%{version}.tar.xz
# http2: fix resource leaks detected by Coverity
Patch1: 0001-curl-7.76.1-resource-leaks.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@ -183,7 +180,6 @@ be installed.
%setup -q
# upstream patches
%patch1 -p1
# Fedora patches
%patch101 -p1
@ -364,6 +360,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
* Wed May 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.77.0-1
- new upstream release, which fixes the following vulnerabilities
CVE-2021-22901 - TLS session caching disaster
CVE-2021-22898 - TELNET stack contents disclosure
* Mon May 03 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-2
- http2: fix resource leaks detected by Coverity

View File

@ -1 +1 @@
SHA512 (curl-7.76.1.tar.xz) = 5fe85d2e776789aa8117c57fe7648e375b7fa92d5ead5d69855f19ca9a2624d77a1f9ab91766ecb72bbc17e82862248cd07e48917884d6fd856b93fb00d83e28
SHA512 (curl-7.77.0.tar.xz) = aef92a0e3f8ce8491b258a9a1c4dcea3c07c29b139a1f68f08619caa0295cfde76335d2dfb9cdf434525daea7dd05d8acd22f203f5ccc7735bd317964ec1da76