new upstream release - 7.59.0

Resolves: CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write Resolves: CVE-2018-1000121 - LDAP NULL pointer dereference Resolves: CVE-2018-1000122 - RTSP RTP buffer over-read
2018-03-14 10:23:40 +01:00 · 2018-03-14 10:23:40 +01:00 · bdef0a1bf6
parent 43b81665b0
commit bdef0a1bf6
6 changed files with 21 additions and 225 deletions
--- a/0001-curl-7.58.0-h2-goaway.patch
+++ b/0001-curl-7.58.0-h2-goaway.patch
@ -1,206 +0,0 @@
-From d9a3018050ce24e1ee416c33f4907f238e860ce3 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Sat, 10 Mar 2018 23:48:43 +0100
-Subject: [PATCH] http2: mark the connection for close on GOAWAY
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-... don't consider it an error!
-
-Assisted-by: Jay Satiro
-Reported-by: Łukasz Domeradzki
-Fixes #2365
-Closes #2375
-
-Upstream-commit: 8b498a875c975294545581282289991bbcfeabf4
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
- lib/http.h  |  5 ++---
- lib/http2.c | 33 +++++++++++++++++++++------------
- lib/multi.c |  9 +++------
- 3 files changed, 26 insertions(+), 21 deletions(-)
-
-diff --git a/lib/http.h b/lib/http.h
-index d2781bc..2ce44bb 100644
--- a/lib/http.h
-+++ b/lib/http.h
-@@ -7,7 +7,7 @@
-  *                            | (__| |_| |  _ <| |___
-  *                             \___|\___/|_| \_\_____|
-  *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
-+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
-  *
-  * This software is licensed as described in the file COPYING, which
-  * you should have received as part of this distribution. The terms
-@@ -172,8 +172,6 @@ struct HTTP {
-   size_t pauselen; /* the number of bytes left in data */
-   bool closed; /* TRUE on HTTP2 stream close */
-   bool close_handled; /* TRUE if stream closure is handled by libcurl */
-  uint32_t error_code; /* HTTP/2 error code */
-
-   char *mem;     /* points to a buffer in memory to store received data */
-   size_t len;    /* size of the buffer 'mem' points to */
-   size_t memlen; /* size of data copied to mem */
-@@ -226,6 +224,7 @@ struct http_conn {
-   /* list of settings that will be sent */
-   nghttp2_settings_entry local_settings[3];
-   size_t local_settings_num;
-+  uint32_t error_code; /* HTTP/2 error code */
- #else
-   int unused; /* prevent a compiler warning */
- #endif
-diff --git a/lib/http2.c b/lib/http2.c
-index 6992879..13a79d1 100644
--- a/lib/http2.c
-+++ b/lib/http2.c
-@@ -204,7 +204,6 @@ void Curl_http2_setup_req(struct Curl_easy *data)
-   http->status_code = -1;
-   http->pausedata = NULL;
-   http->pauselen = 0;
-  http->error_code = NGHTTP2_NO_ERROR;
-   http->closed = FALSE;
-   http->close_handled = FALSE;
-   http->mem = data->state.buffer;
-@@ -217,6 +216,7 @@ void Curl_http2_setup_conn(struct connectdata *conn)
- {
-   conn->proto.httpc.settings.max_concurrent_streams =
-     DEFAULT_MAX_CONCURRENT_STREAMS;
-+  conn->proto.httpc.error_code = NGHTTP2_NO_ERROR;
- }
- 
- /*
-@@ -777,6 +777,7 @@ static int on_stream_close(nghttp2_session *session, int32_t stream_id,
-   (void)stream_id;
- 
-   if(stream_id) {
-+    struct http_conn *httpc;
-     /* get the stream from the hash based on Stream ID, stream ID zero is for
-        connection-oriented stuff */
-     data_s = nghttp2_session_get_stream_user_data(session, stream_id);
-@@ -791,10 +792,11 @@ static int on_stream_close(nghttp2_session *session, int32_t stream_id,
-     if(!stream)
-       return NGHTTP2_ERR_CALLBACK_FAILURE;
- 
-    stream->error_code = error_code;
-     stream->closed = TRUE;
-     data_s->state.drain++;
-    conn->proto.httpc.drain_total++;
-+    httpc = &conn->proto.httpc;
-+    httpc->drain_total++;
-+    httpc->error_code = error_code;
- 
-     /* remove the entry from the hash as the stream is now gone */
-     nghttp2_session_set_stream_user_data(session, stream_id, 0);
-@@ -1225,13 +1227,14 @@ static int h2_session_send(struct Curl_easy *data,
-  * This function returns 0 if it succeeds, or -1 and error code will
-  * be assigned to *err.
-  */
-static int h2_process_pending_input(struct Curl_easy *data,
-+static int h2_process_pending_input(struct connectdata *conn,
-                                     struct http_conn *httpc,
-                                     CURLcode *err)
- {
-   ssize_t nread;
-   char *inbuf;
-   ssize_t rv;
-+  struct Curl_easy *data = conn->data;
- 
-   nread = httpc->inbuflen - httpc->nread_inbuf;
-   inbuf = httpc->inbuf + httpc->nread_inbuf;
-@@ -1269,7 +1272,13 @@ static int h2_process_pending_input(struct Curl_easy *data,
-   if(should_close_session(httpc)) {
-     DEBUGF(infof(data,
-                  "h2_process_pending_input: nothing to do in this session\n"));
-    *err = CURLE_HTTP2;
-+    if(httpc->error_code)
-+      *err = CURLE_HTTP2;
-+    else {
-+      /* not an error per se, but should still close the connection */
-+      connclose(conn, "GOAWAY received");
-+      *err = CURLE_OK;
-+    }
-     return -1;
-   }
- 
-@@ -1300,7 +1309,7 @@ CURLcode Curl_http2_done_sending(struct connectdata *conn)
-          that it can signal EOF to nghttp2 */
-       (void)nghttp2_session_resume_data(h2, stream->stream_id);
- 
-      (void)h2_process_pending_input(conn->data, httpc, &result);
-+      (void)h2_process_pending_input(conn, httpc, &result);
-     }
-   }
-   return result;
-@@ -1324,7 +1333,7 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn,
-   data->state.drain = 0;
- 
-   if(httpc->pause_stream_id == 0) {
-    if(h2_process_pending_input(data, httpc, err) != 0) {
-+    if(h2_process_pending_input(conn, httpc, err) != 0) {
-       return -1;
-     }
-   }
-@@ -1333,10 +1342,10 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn,
- 
-   /* Reset to FALSE to prevent infinite loop in readwrite_data function. */
-   stream->closed = FALSE;
-  if(stream->error_code != NGHTTP2_NO_ERROR) {
-+  if(httpc->error_code != NGHTTP2_NO_ERROR) {
-     failf(data, "HTTP/2 stream %u was not closed cleanly: %s (err %d)",
-          stream->stream_id, Curl_http2_strerror(stream->error_code),
-          stream->error_code);
-+          stream->stream_id, Curl_http2_strerror(httpc->error_code),
-+          httpc->error_code);
-     *err = CURLE_HTTP2_STREAM;
-     return -1;
-   }
-@@ -1484,7 +1493,7 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
-       /* We have paused nghttp2, but we have no pause data (see
-          on_data_chunk_recv). */
-       httpc->pause_stream_id = 0;
-      if(h2_process_pending_input(data, httpc, &result) != 0) {
-+      if(h2_process_pending_input(conn, httpc, &result) != 0) {
-         *err = result;
-         return -1;
-       }
-@@ -1514,7 +1523,7 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
-          frames, then we have to call it again with 0-length data.
-          Without this, on_stream_close callback will not be called,
-          and stream could be hanged. */
-      if(h2_process_pending_input(data, httpc, &result) != 0) {
-+      if(h2_process_pending_input(conn, httpc, &result) != 0) {
-         *err = result;
-         return -1;
-       }
-diff --git a/lib/multi.c b/lib/multi.c
-index 43823cc..50f4d87 100644
--- a/lib/multi.c
-+++ b/lib/multi.c
-@@ -5,7 +5,7 @@
-  *                            | (__| |_| |  _ <| |___
-  *                             \___|\___/|_| \_\_____|
-  *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
-+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
-  *
-  * This software is licensed as described in the file COPYING, which
-  * you should have received as part of this distribution. The terms
-@@ -535,11 +535,8 @@ static CURLcode multi_done(struct connectdata **connp,
-       result = CURLE_ABORTED_BY_CALLBACK;
-   }
- 
-  if(conn->send_pipe.size + conn->recv_pipe.size != 0 &&
-     !data->set.reuse_forbid &&
-     !conn->bits.close) {
-    /* Stop if pipeline is not empty and we do not have to close
-       connection. */
-+  if(conn->send_pipe.size || conn->recv_pipe.size) {
-+    /* Stop if pipeline is not empty . */
-     data->easy_conn = NULL;
-     DEBUGF(infof(data, "Connection still in use, no more multi_done now!\n"));
-     return CURLE_OK;
-- 
-2.14.3
-
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16523,18 +16523,11 @@ $as_echo "yes" >&6; }
+@@ -16524,18 +16524,11 @@ $as_echo "yes" >&6; }
     gccvhi=`echo $gccver | cut -d . -f1`
     gccvlo=`echo $gccver | cut -d . -f2`
     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
--- a/curl-7.58.0.tar.xz.asc
+++ b/curl-7.58.0.tar.xz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlpoMGsACgkQXMkI/bce
-EsIxtwgAnazhBf4KjF3bw1XNxgjkWVUwqLlLwEElg4tD6g/uYw9VeZQyy2wQGmgc
-yKx2WrfqLDmE1gAqKgvGLdS6qvMtv0x/3gNjOy4/LVYBlVqP+k5p0XZhV3jcg929
-Hkv/Fgp1yvtks98CGEIp6xJSjlnL3x5VEsMslXO7dpfq+6gvnbBVBP7QUOb/CYDg
-LHHAIZFSQuTeLKAvvl1koZAZnZ5zD3dtwL8rK4CVD0ugwJplJvGbvoIMNu9uagUZ
-CpBV0Pyv0AUsMTohszyOovi/RizHWl8xTynreJh+sx++NZEX2KjsnISpZAxmD6r5
-dtt21mdhrRSsAXmHD8q5LnbrKosbvQ==
-=ZqfQ
-----END PGP SIGNATURE-----
--- a/curl-7.59.0.tar.xz.asc
+++ b/curl-7.59.0.tar.xz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlqoxTwACgkQXMkI/bce
+EsJrHQf7B0ik8F5dfGYumYWkXHc9poJU+dJ0o6pwzg4QsP+4mwVTw/gnrXDm1hVk
+iFPIAdgTkxiIDZi+6mDfZA9dZ8Aq38XbYjRIwXTW4KrjTtEFQXtwlEClrHrJyXfl
+2YC52BcY0D2JVDqUAB9cVSSgaHHf1jd4h32a8YMrwco4jP5rSxbmZe4psU2m8TC
+skaZEoSIRJzg5oV+AgDSQMrq+fLsc5lIDKTl+7v6sjnGlcYeRC1SiBePyrh5g/o5
+w4JJH839MyjrYvi6MyCBHeyCFYDrxKvQw8zRwivfZ1oipM2SaSVq8c60PdR85Zw5
+/SNOU/7Qpvhua0GhAfaI/CTwwewy6w==
+=OcVv
+-----END PGP SIGNATURE-----
--- a/curl.spec
+++ b/curl.spec
@ -1,13 +1,10 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.58.0
-Release: 8%{?dist}
+Version: 7.59.0
+Release: 1%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

-# http2: mark the connection for close on GOAWAY
-Patch1:   0001-curl-7.58.0-h2-goaway.patch
-
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -154,7 +151,6 @@ be installed.
 %setup -q

 # upstream patches
-%patch1 -p1

 # Fedora patches
 %patch101 -p1
@ -300,6 +296,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write
+    CVE-2018-1000121 - LDAP NULL pointer dereference
+    CVE-2018-1000122 - RTSP RTP buffer over-read
+
 * Mon Mar 12 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-8
 - http2: mark the connection for close on GOAWAY

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (curl-7.58.0.tar.xz) = 965affc74ab8f8c94d1b79ebb8012ca4c1a482c7a3282f2661f6382163e47e3ea657398c1a4202008d0c683a3d2266a05a64a26bd514a64a08e4fe83929dcae5
+SHA512 (curl-7.59.0.tar.xz) = 6982a5950b564d6b2a4f4b96296b6db3db24a096acc68aa96966821b57f66362f5a69d9f2da762b5d2b1011a4a47478ebacaf05e26604f78bb013098749dd8a6