Resolves: CVE-2019-5481 - double free due to subsequent call of realloc()

Resolves: #1697566
Resolves: #1723242

0001-curl-7.64.0-zsh-completion.patch

@@ -1,76 +0,0 @@
-From 082034e2334b2d0795b2b324ff3e0635bb7d2b86 Mon Sep 17 00:00:00 2001
-From: Alessandro Ghedini <alessandro@ghedini.me>
-Date: Tue, 5 Feb 2019 20:44:14 +0000
-Subject: [PATCH 1/2] zsh.pl: update regex to better match curl -h output
-
-The current regex fails to match '<...>' arguments properly (e.g. those
-with spaces in them), which causes an completion script with wrong
-descriptions for some options.
-
-The problem can be reproduced as follows:
-
-% curl --reso<TAB>
-
-Upstream-commit: dbd32f3241b297b96ee11a51da1a661f528ca026
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- scripts/zsh.pl | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/scripts/zsh.pl b/scripts/zsh.pl
-index 1257190..941b322 100755
---- a/scripts/zsh.pl
-+++ b/scripts/zsh.pl
-@@ -7,7 +7,7 @@ use warnings;
- 
- my $curl = $ARGV[0] || 'curl';
- 
--my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s([^\s.]+)?\s+(.*)';
-+my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s*(\<.+?\>)?\s+(.*)';
- my @opts = parse_main_opts('--help', $regex);
- 
- my $opts_str;
--- 
-2.17.2
-
-
-From 45abc785e101346f19599aa5f9fa1617e525ec4d Mon Sep 17 00:00:00 2001
-From: Alessandro Ghedini <alessandro@ghedini.me>
-Date: Tue, 5 Feb 2019 21:06:26 +0000
-Subject: [PATCH 2/2] zsh.pl: escape ':' character
-
-':' is interpreted as separator by zsh, so if used as part of the argument
-or option's description it needs to be escaped.
-
-The problem can be reproduced as follows:
-
-% curl -E <TAB>
-
-Bug: https://bugs.debian.org/921452
-
-Upstream-commit: b3cc8017b7364f588365be2b2629c49c142efdb7
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- scripts/zsh.pl | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/scripts/zsh.pl b/scripts/zsh.pl
-index 941b322..0f9cbec 100755
---- a/scripts/zsh.pl
-+++ b/scripts/zsh.pl
-@@ -45,9 +45,12 @@ sub parse_main_opts {
- 
-         my $option = '';
- 
-+        $arg =~ s/\:/\\\:/g if defined $arg;
-+
-         $desc =~ s/'/'\\''/g if defined $desc;
-         $desc =~ s/\[/\\\[/g if defined $desc;
-         $desc =~ s/\]/\\\]/g if defined $desc;
-+        $desc =~ s/\:/\\\:/g if defined $desc;
- 
-         $option .= '{' . trim($short) . ',' if defined $short;
-         $option .= trim($long)  if defined $long;
--- 
-2.17.2
-

0001-curl-7.65.3-negotiate-fails.patch

@@ -0,0 +1,166 @@
+From 90f7ca7bec18b49bf2706430aa6493eda7d7a573 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 30 Jul 2019 12:59:35 +0200
+Subject: [PATCH] http_negotiate: improve handling of gss_init_sec_context()
+ failures
+
+If HTTPAUTH_GSSNEGOTIATE was used for a POST request and
+gss_init_sec_context() failed, the POST request was sent
+with empty body.  This commit also restores the original
+behavior of `curl --fail --negotiate`, which was changed
+by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59.
+
+Add regression tests 2077 and 2078 to cover this.
+
+Fixes #3992
+Closes #4171
+
+Upstream-commit: 4c187043c5aac57f354ebb96cc6ff3263411e98d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http_negotiate.c    |  2 +-
+ tests/data/Makefile.inc |  3 ++-
+ tests/data/test2077     | 42 ++++++++++++++++++++++++++++++++
+ tests/data/test2078     | 54 +++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 99 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test2077
+ create mode 100644 tests/data/test2078
+
+diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
+index c8f406444..fe15dcefb 100644
+--- a/lib/http_negotiate.c
++++ b/lib/http_negotiate.c
+@@ -151,7 +151,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
+       if(result == CURLE_LOGIN_DENIED) {
+         /* negotiate auth failed, let's continue unauthenticated to stay
+          * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
+-        conn->data->state.authproblem = TRUE;
++        authp->done = TRUE;
+         return CURLE_OK;
+       }
+       else if(result)
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 693e53d7c..3ed4a03e4 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -199,7 +199,8 @@ test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 \
+ test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \
+ test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \
+ test2064 test2065 test2066 test2067 test2068 test2069 \
+-         test2071 test2072 test2073 test2074 test2075 test2076 \
++         test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
++test2078 \
+ test2080 \
+ test2100 \
+ \
+diff --git a/tests/data/test2077 b/tests/data/test2077
+new file mode 100644
+index 000000000..0c600f5c3
+--- /dev/null
++++ b/tests/data/test2077
+@@ -0,0 +1,42 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++GSS-API
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data>
++HTTP/1.1 200 OK swsclose
++Content-Length: 23
++
++This IS the real page!
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++<features>
++GSS-API
++</features>
++<name>
++curl --fail --negotiate to unauthenticated service fails
++</name>
++<command>
++http://%HOSTIP:%HTTPPORT/2077 -u : --fail --negotiate
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<errorcode>
++0
++</errorcode>
++</verify>
++</testcase>
+diff --git a/tests/data/test2078 b/tests/data/test2078
+new file mode 100644
+index 000000000..99bc2dbee
+--- /dev/null
++++ b/tests/data/test2078
+@@ -0,0 +1,54 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++GSS-API
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data>
++HTTP/1.1 200 OK swsclose
++Content-Length: 23
++
++This IS the real page!
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++<features>
++GSS-API
++</features>
++<name>
++curl --negotiate should not send empty POST request only
++</name>
++<command>
++http://%HOSTIP:%HTTPPORT/2078 -u : --negotiate --data name=value
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<errorcode>
++0
++</errorcode>
++<strip>
++^User-Agent:.*
++</strip>
++<protocol nonewline="yes">
++POST /2078 HTTP/1.1
++Host: 127.0.0.1:8990
++Accept: */*
++Content-Length: 10
++Content-Type: application/x-www-form-urlencoded
++
++name=value
++</protocol>
++</verify>
++</testcase>
+-- 
+2.20.1
+

0002-curl-7.64.0-nm-fd-leak.patch

@@ -1,162 +0,0 @@
-From 377101f138873bfa481785cb7d04c326006f0b5d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 11 Feb 2019 07:56:00 +0100
-Subject: [PATCH 1/3] connection_check: set ->data to the transfer doing the
- check
-
-The http2 code for connection checking needs a transfer to use. Make
-sure a working one is set before handler->connection_check() is called.
-
-Reported-by: jnbr on github
-Fixes #3541
-Closes #3547
-
-Upstream-commit: 38d8e1bd4ed1ae52930ae466ecbac78e888b142f
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/url.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/url.c b/lib/url.c
-index d5a9820..229c655 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -965,6 +965,7 @@ static bool extract_if_dead(struct connectdata *conn,
-       /* The protocol has a special method for checking the state of the
-          connection. Use it to check if the connection is dead. */
-       unsigned int state;
-+      conn->data = data; /* use this transfer for now */
-       state = conn->handler->connection_check(conn, CONNCHECK_ISDEAD);
-       dead = (state & CONNRESULT_DEAD);
-     }
--- 
-2.17.2
-
-
-From 287f5d70395b3833f8901a57b29a48b87d84a9fe Mon Sep 17 00:00:00 2001
-From: Jay Satiro <raysatiro@yahoo.com>
-Date: Mon, 11 Feb 2019 23:00:00 -0500
-Subject: [PATCH 2/3] connection_check: restore original conn->data after the
- check
-
-- Save the original conn->data before it's changed to the specified
-  data transfer for the connection check and then restore it afterwards.
-
-This is a follow-up to 38d8e1b 2019-02-11.
-
-History:
-
-It was discovered a month ago that before checking whether to extract a
-dead connection that that connection should be associated with a "live"
-transfer for the check (ie original conn->data ignored and set to the
-passed in data). A fix was landed in 54b201b which did that and also
-cleared conn->data after the check. The original conn->data was not
-restored, so presumably it was thought that a valid conn->data was no
-longer needed.
-
-Several days later it was discovered that a valid conn->data was needed
-after the check and follow-up fix was landed in bbae24c which partially
-reverted the original fix and attempted to limit the scope of when
-conn->data was changed to only when pruning dead connections. In that
-case conn->data was not cleared and the original conn->data not
-restored.
-
-A month later it was discovered that the original fix was somewhat
-correct; a "live" transfer is needed for the check in all cases
-because original conn->data could be null which could cause a bad deref
-at arbitrary points in the check. A fix was landed in 38d8e1b which
-expanded the scope to all cases. conn->data was not cleared and the
-original conn->data not restored.
-
-A day later it was discovered that not restoring the original conn->data
-may lead to busy loops in applications that use the event interface, and
-given this observation it's a pretty safe assumption that there is some
-code path that still needs the original conn->data. This commit is the
-follow-up fix for that, it restores the original conn->data after the
-connection check.
-
-Assisted-by: tholin@users.noreply.github.com
-Reported-by: tholin@users.noreply.github.com
-
-Fixes https://github.com/curl/curl/issues/3542
-Closes #3559
-
-Upstream-commit: 4015fae044ce52a639c9358e22a9e948f287c89f
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/url.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index 229c655..a77e92d 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -965,8 +965,10 @@ static bool extract_if_dead(struct connectdata *conn,
-       /* The protocol has a special method for checking the state of the
-          connection. Use it to check if the connection is dead. */
-       unsigned int state;
-+      struct Curl_easy *olddata = conn->data;
-       conn->data = data; /* use this transfer for now */
-       state = conn->handler->connection_check(conn, CONNCHECK_ISDEAD);
-+      conn->data = olddata;
-       dead = (state & CONNRESULT_DEAD);
-     }
-     else {
-@@ -995,7 +997,6 @@ struct prunedead {
- static int call_extract_if_dead(struct connectdata *conn, void *param)
- {
-   struct prunedead *p = (struct prunedead *)param;
--  conn->data = p->data; /* transfer to use for this check */
-   if(extract_if_dead(conn, p->data)) {
-     /* stop the iteration here, pass back the connection that was extracted */
-     p->extracted = conn;
--- 
-2.17.2
-
-
-From 15e3f2eef87bff1210f43921cb15f03c68be59f7 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 19 Feb 2019 15:56:54 +0100
-Subject: [PATCH 3/3] singlesocket: fix the 'sincebefore' placement
-
-The variable wasn't properly reset within the loop and thus could remain
-set for sockets that hadn't been set before and miss notifying the app.
-
-This is a follow-up to 4c35574 (shipped in curl 7.64.0)
-
-Reported-by: buzo-ffm on github
-Detected-by: Jan Alexander Steffens
-Fixes #3585
-Closes #3589
-
-Upstream-commit: afc00e047c773faeaa60a5f86a246cbbeeba5819
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/multi.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/multi.c b/lib/multi.c
-index 130226f..28f4c47 100644
---- a/lib/multi.c
-+++ b/lib/multi.c
-@@ -2360,8 +2360,6 @@ static CURLMcode singlesocket(struct Curl_multi *multi,
-   int num;
-   unsigned int curraction;
-   int actions[MAX_SOCKSPEREASYHANDLE];
--  unsigned int comboaction;
--  bool sincebefore = FALSE;
- 
-   for(i = 0; i< MAX_SOCKSPEREASYHANDLE; i++)
-     socks[i] = CURL_SOCKET_BAD;
-@@ -2380,6 +2378,8 @@ static CURLMcode singlesocket(struct Curl_multi *multi,
-       i++) {
-     unsigned int action = CURL_POLL_NONE;
-     unsigned int prevaction = 0;
-+    unsigned int comboaction;
-+    bool sincebefore = FALSE;
- 
-     s = socks[i];
- 
--- 
-2.17.2
-

0002-curl-7.65.3-h2-framing-layer-error.patch

@@ -0,0 +1,37 @@
+From 98d59387c749256c2421b22dc3419b94d381986a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 26 Aug 2019 16:00:05 +0200
+Subject: [PATCH] http2: when marked for closure and wanted to close == OK
+
+It could otherwise return an error even when closed correctly if GOAWAY
+had been received previously.
+
+Reported-by: Tom van der Woerdt
+Fixes #4267
+Closes #4268
+
+Upstream-commit: c1b6a384f9c8a91197c20adb49d43f30dc0e917d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 930e85165..31d2d698a 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -1566,6 +1566,11 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
+   if(should_close_session(httpc)) {
+     H2BUGF(infof(data,
+                  "http2_recv: nothing to do in this session\n"));
++    if(conn->bits.close) {
++      /* already marked for closure, return OK and we're done */
++      *err = CURLE_OK;
++      return 0;
++    }
+     *err = CURLE_HTTP2;
+     return -1;
+   }
+-- 
+2.20.1
+

0003-curl-7.64.0-cookie-segfault.patch

@@ -1,42 +0,0 @@
-From d73dc8d3e70bde0ef999ecf7bcd5585b9892371c Mon Sep 17 00:00:00 2001
-From: Michael Wallner <mike@php.net>
-Date: Mon, 25 Feb 2019 19:05:02 +0100
-Subject: [PATCH] cookies: fix NULL dereference if flushing cookies with no
- CookieInfo set
-
-Regression brought by a52e46f3900fb0 (shipped in 7.63.0)
-
-Closes #3613
-
-Upstream-commit: 8eddb8f4259193633cfc95a42603958a89b31de5
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/cookie.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/lib/cookie.c b/lib/cookie.c
-index 4fb992a..d535170 100644
---- a/lib/cookie.c
-+++ b/lib/cookie.c
-@@ -1504,7 +1504,8 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere)
-   struct Cookie **array;
- 
-   /* at first, remove expired cookies */
--  remove_expired(c);
-+  if(c)
-+    remove_expired(c);
- 
-   if(!strcmp("-", dumphere)) {
-     /* use stdout */
-@@ -1523,7 +1524,7 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere)
-         "# This file was generated by libcurl! Edit at your own risk.\n\n",
-         out);
- 
--  if(c->numcookies) {
-+  if(c && c->numcookies) {
-     array = malloc(sizeof(struct Cookie *) * c->numcookies);
-     if(!array) {
-       if(!use_stdout)
--- 
-2.17.2
-

0004-curl-7.64.0-spurious-resolver-error.patch

@@ -1,118 +0,0 @@
-From 5ddabe85b2e3e4fd08d06980719d71a2aed77a5b Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Thu, 28 Feb 2019 20:34:36 +0100
-Subject: [PATCH] threaded-resolver: shutdown the resolver thread without error
- message
-
-When a transfer is done, the resolver thread will be brought down. That
-could accidentally generate an error message in the error buffer even
-though this is not an error situationand the transfer would still return
-OK.  An application that still reads the error buffer could find a
-"Could not resolve host: [host name]" message there and get confused.
-
-Reported-by: Michael Schmid
-Fixes #3629
-Closes #3630
-
-Upstream-commit: 754ae103989a6ad0869d23a6a427d652b5b4a2fe
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/asyn-thread.c | 68 ++++++++++++++++++++++++++---------------------
- 1 file changed, 38 insertions(+), 30 deletions(-)
-
-diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
-index a9679d0..55e0811 100644
---- a/lib/asyn-thread.c
-+++ b/lib/asyn-thread.c
-@@ -461,6 +461,42 @@ static CURLcode resolver_error(struct connectdata *conn)
-   return result;
- }
- 
-+static CURLcode thread_wait_resolv(struct connectdata *conn,
-+                                   struct Curl_dns_entry **entry,
-+                                   bool report)
-+{
-+  struct thread_data   *td = (struct thread_data*) conn->async.os_specific;
-+  CURLcode result = CURLE_OK;
-+
-+  DEBUGASSERT(conn && td);
-+  DEBUGASSERT(td->thread_hnd != curl_thread_t_null);
-+
-+  /* wait for the thread to resolve the name */
-+  if(Curl_thread_join(&td->thread_hnd)) {
-+    if(entry)
-+      result = getaddrinfo_complete(conn);
-+  }
-+  else
-+    DEBUGASSERT(0);
-+
-+  conn->async.done = TRUE;
-+
-+  if(entry)
-+    *entry = conn->async.dns;
-+
-+  if(!conn->async.dns && report)
-+    /* a name was not resolved, report error */
-+    result = resolver_error(conn);
-+
-+  destroy_async_data(&conn->async);
-+
-+  if(!conn->async.dns && report)
-+    connclose(conn, "asynch resolve failed");
-+
-+  return result;
-+}
-+
-+
- /*
-  * Until we gain a way to signal the resolver threads to stop early, we must
-  * simply wait for them and ignore their results.
-@@ -473,7 +509,7 @@ void Curl_resolver_kill(struct connectdata *conn)
-      unfortunately.  Otherwise, we can simply cancel to clean up any resolver
-      data. */
-   if(td && td->thread_hnd != curl_thread_t_null)
--    (void)Curl_resolver_wait_resolv(conn, NULL);
-+    (void)thread_wait_resolv(conn, NULL, FALSE);
-   else
-     Curl_resolver_cancel(conn);
- }
-@@ -494,35 +530,7 @@ void Curl_resolver_kill(struct connectdata *conn)
- CURLcode Curl_resolver_wait_resolv(struct connectdata *conn,
-                                    struct Curl_dns_entry **entry)
- {
--  struct thread_data   *td = (struct thread_data*) conn->async.os_specific;
--  CURLcode result = CURLE_OK;
--
--  DEBUGASSERT(conn && td);
--  DEBUGASSERT(td->thread_hnd != curl_thread_t_null);
--
--  /* wait for the thread to resolve the name */
--  if(Curl_thread_join(&td->thread_hnd)) {
--    if(entry)
--      result = getaddrinfo_complete(conn);
--  }
--  else
--    DEBUGASSERT(0);
--
--  conn->async.done = TRUE;
--
--  if(entry)
--    *entry = conn->async.dns;
--
--  if(!conn->async.dns)
--    /* a name was not resolved, report error */
--    result = resolver_error(conn);
--
--  destroy_async_data(&conn->async);
--
--  if(!conn->async.dns)
--    connclose(conn, "asynch resolve failed");
--
--  return result;
-+  return thread_wait_resolv(conn, entry, TRUE);
- }
- 
- /*
--- 
-2.17.2
-

0005-curl-7.64.0-expire-in-verbose-msgs.patch

@@ -1,32 +0,0 @@
-From 2e8f4d01cdd07779e0582257cb6b53c5a91d6504 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 11 Feb 2019 22:57:33 +0100
-Subject: [PATCH] multi: remove verbose "Expire in" ... messages
-
-Reported-by: James Brown
-Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html
-Closes #3558
-
-Upstream-commit: aabc7ae5ecf70973add429b5acbc86d6a57e4da5
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/multi.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/lib/multi.c b/lib/multi.c
-index 28f4c47..856cc22 100644
---- a/lib/multi.c
-+++ b/lib/multi.c
-@@ -3028,9 +3028,6 @@ void Curl_expire(struct Curl_easy *data, time_t milli, expire_id id)
- 
-   DEBUGASSERT(id < EXPIRE_LAST);
- 
--  infof(data, "Expire in %ld ms for %x (transfer %p)\n",
--        (long)milli, id, data);
--
-   set = Curl_now();
-   set.tv_sec += milli/1000;
-   set.tv_usec += (unsigned int)(milli%1000)*1000;
--- 
-2.17.2
-

0018-curl-7.65.3-CVE-2019-5482.patch

@@ -0,0 +1,158 @@
+From 63f9837b4ccf600da79314e8667f91bda69988fc Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 16:59:56 +0200
+Subject: [PATCH 1/2] tftp: return error when packet is too small for options
+
+Upstream-commit: 82f3ba3806a34fe94dcf9e5c9b88deda6679ca1b
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/tftp.c | 53 +++++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 289cda2..4532170 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -404,13 +404,14 @@ static CURLcode tftp_parse_option_ack(tftp_state_data_t *state,
+   return CURLE_OK;
+ }
+ 
+-static size_t tftp_option_add(tftp_state_data_t *state, size_t csize,
+-                              char *buf, const char *option)
++static CURLcode tftp_option_add(tftp_state_data_t *state, size_t *csize,
++                                char *buf, const char *option)
+ {
+-  if(( strlen(option) + csize + 1) > (size_t)state->blksize)
+-    return 0;
++  if(( strlen(option) + *csize + 1) > (size_t)state->blksize)
++    return CURLE_TFTP_ILLEGAL;
+   strcpy(buf, option);
+-  return strlen(option) + 1;
++  *csize += strlen(option) + 1;
++  return CURLE_OK;
+ }
+ 
+ static CURLcode tftp_connect_for_tx(tftp_state_data_t *state,
+@@ -511,26 +512,38 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
+       else
+         strcpy(buf, "0"); /* the destination is large enough */
+ 
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes,
+-                                TFTP_OPTION_TSIZE);
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes, buf);
++      result = tftp_option_add(state, &sbytes,
++                               (char *)state->spacket.data + sbytes,
++                               TFTP_OPTION_TSIZE);
++      if(result == CURLE_OK)
++        result = tftp_option_add(state, &sbytes,
++                                 (char *)state->spacket.data + sbytes, buf);
++
+       /* add blksize option */
+       msnprintf(buf, sizeof(buf), "%d", state->requested_blksize);
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes,
+-                                TFTP_OPTION_BLKSIZE);
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes, buf);
++      if(result == CURLE_OK)
++        result = tftp_option_add(state, &sbytes,
++                                 (char *)state->spacket.data + sbytes,
++                                 TFTP_OPTION_BLKSIZE);
++      if(result == CURLE_OK)
++        result = tftp_option_add(state, &sbytes,
++                                 (char *)state->spacket.data + sbytes, buf);
+ 
+       /* add timeout option */
+       msnprintf(buf, sizeof(buf), "%d", state->retry_time);
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes,
+-                                TFTP_OPTION_INTERVAL);
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes, buf);
++      if(result == CURLE_OK)
++        result = tftp_option_add(state, &sbytes,
++                                 (char *)state->spacket.data + sbytes,
++                                 TFTP_OPTION_INTERVAL);
++      if(result == CURLE_OK)
++        result = tftp_option_add(state, &sbytes,
++                                 (char *)state->spacket.data + sbytes, buf);
++
++      if(result != CURLE_OK) {
++        failf(data, "TFTP buffer too small for options");
++        free(filename);
++        return CURLE_TFTP_ILLEGAL;
++      }
+     }
+ 
+     /* the typecase for the 3rd argument is mostly for systems that do
+-- 
+2.20.1
+
+
+From b6b12a4cfe00c4850a1d6cee4cf267f00dee5987 Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH 2/2] tftp: Alloc maximum blksize, and use default unless OACK
+ is received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+
+Upstream-commit: facb0e4662415b5f28163e853dc6742ac5fafb3d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 4532170..5651b62 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -986,6 +986,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+   tftp_state_data_t *state;
+   int blksize;
++  int need_blksize;
+ 
+   blksize = TFTP_BLKSIZE_DEFAULT;
+ 
+@@ -1000,15 +1001,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+       return CURLE_TFTP_ILLEGAL;
+   }
+ 
++  need_blksize = blksize;
++  /* default size is the fallback when no OACK is received */
++  if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++    need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+   if(!state->rpacket.data) {
+-    state->rpacket.data = calloc(1, blksize + 2 + 2);
++    state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->rpacket.data)
+       return CURLE_OUT_OF_MEMORY;
+   }
+ 
+   if(!state->spacket.data) {
+-    state->spacket.data = calloc(1, blksize + 2 + 2);
++    state->spacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->spacket.data)
+       return CURLE_OUT_OF_MEMORY;
+@@ -1022,7 +1028,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+   state->sockfd = state->conn->sock[FIRSTSOCKET];
+   state->state = TFTP_STATE_START;
+   state->error = TFTP_ERR_NONE;
+-  state->blksize = blksize;
++  state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+   state->requested_blksize = blksize;
+ 
+   ((struct sockaddr *)&state->local_addr)->sa_family =
+-- 
+2.20.1
+

0019-curl-7.65.3-CVE-2019-5481.patch

@@ -0,0 +1,46 @@
+From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 3 Sep 2019 22:59:32 +0200
+Subject: [PATCH] security:read_data fix bad realloc()
+
+... that could end up a double-free
+
+CVE-2019-5481
+Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
+
+Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/security.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 550ea2d..c5e4e13 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
+                           struct krb5buffer *buf)
+ {
+   int len;
+-  void *tmp = NULL;
+   CURLcode result;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    tmp = Curl_saferealloc(buf->data, len);
++    buf->data = Curl_saferealloc(buf->data, len);
+   }
+-  if(tmp == NULL)
++  if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+ 
+-  buf->data = tmp;
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-- 
+2.20.1
+

0102-curl-7.36.0-debug.patch

@@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16250,18 +16250,11 @@ $as_echo "yes" >&6; }
+@@ -16288,18 +16288,11 @@ $as_echo "yes" >&6; }
      gccvhi=`echo $gccver | cut -d . -f1`
      gccvlo=`echo $gccver | cut -d . -f2`
      compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`

0104-curl-7.19.7-localhost6.patch

@@ -14,8 +14,8 @@ index e441278..b0958b6 100644
 +-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6
  </command>
  <precheck>
--perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
+-perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
-+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
++perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
  </precheck>
  </client>
  

0105-curl-7.63.0-lib1560-valgrind.patch

@@ -26,8 +26,8 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
 index 080421b..ea3b806 100644
 --- a/tests/libtest/Makefile.inc
 +++ b/tests/libtest/Makefile.inc
-@@ -521,6 +521,7 @@ lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+@@ -531,6 +531,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
- lib1558_LDADD = $(TESTUTIL_LIBS)
+ lib1559_LDADD = $(TESTUTIL_LIBS)
  
  lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 +lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp

curl-7.64.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlxahccACgkQXMkI/bce
-EsKdrAf+OoNH+Yz1HfJG5MtmEi2sgRC56iAvZBQujPG8SJYGnT3D2nLiuC2+bzA8
-eMCqisodW5f6lV/9JRvLmLS0dhxAfdf/NHlMOdtgSv+NzVGsggpHeYEZ7HucRHsQ
-AKZ6/wx7rby8yZqrn2s7yWWB0qgiajWx30r+CJEYXpuw+YwZ2qZo5ecM7fa/J9ko
-ESwb7BLF6KMkdSz1wSApwCdznB/BXOaPrUBMiOcwO7ftq/t1ZmqnUWLtdlSp8OoH
-Tw832H1kCP2OFHcOFTQmZJLagRQtLBhC522wNsagXaMwak6uhoFApcAPqoPdm4Pm
-PvTO6aAopZk+sX9VemdSQzx/4ysT3w==
-=HOlc
------END PGP SIGNATURE-----

curl-7.65.3.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl0xj7oACgkQXMkI/bce
+EsKYbgf9G41o5x73tc+2TOGt2QmJ7ukyHmd5Vq7XTSNdNU5dJ41Z3qh9Jm72x62i
+b4kJMjWyoL2j031ml5JevycpMpNa1v784UlPW2tzzL2B7v6vcA4xknJRLWlPlcTJ
+HOgub6r7g/zhOpdAeJh8o4jkBLUyN+S/HOyHLWcvdWDnhqUAmpZfIqtd8kjqzDul
+XAkdj7MxWqKZ3wXWwlpp4j81jpfOj7KCC/ZpxlJ0KfefgYEzV23O2hcJzw57jqTy
+SQZc39uTQOjbZPlBXJD55QeVISCwe53pn55aWQll90XfE3XRapuYZdiL8wLwtl/L
+tjugTKjfoy9qqOGH5YB/4kHqoSJqow==
+=Itbi
+-----END PGP SIGNATURE-----

curl.spec

@@ -1,24 +1,21 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.64.0
+Version: 7.65.3
-Release: 6%{?dist}
+Release: 4%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
-# make zsh completion work again
+# improve handling of gss_init_sec_context() failures
-Patch1:   0001-curl-7.64.0-zsh-completion.patch
+Patch1:   0001-curl-7.65.3-negotiate-fails.patch
 
-# prevent NetworkManager from leaking file descriptors (#1680198)
+# avoid reporting spurious error in the HTTP2 framing layer (#1690971)
-Patch2:   0002-curl-7.64.0-nm-fd-leak.patch
+Patch2:   0002-curl-7.65.3-h2-framing-layer-error.patch
 
-# fix NULL dereference if flushing cookies with no CookieInfo set (#1683676)
+# fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
-Patch3:   0003-curl-7.64.0-cookie-segfault.patch
+Patch18:  0018-curl-7.65.3-CVE-2019-5482.patch
 
-# avoid spurious "Could not resolve host: [host name]" error messages
+# double free due to subsequent call of realloc() (CVE-2019-5481)
-Patch4:   0004-curl-7.64.0-spurious-resolver-error.patch
+Patch19:  0019-curl-7.65.3-CVE-2019-5481.patch
-
-# remove verbose "Expire in" ... messages (#1690971)
-Patch5:   0005-curl-7.64.0-expire-in-verbose-msgs.patch
 
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -54,6 +51,7 @@ BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
 BuildRequires: openssl-devel
+BuildRequires: perl-interpreter
 BuildRequires: pkgconfig
 BuildRequires: python3-devel
 BuildRequires: sed
@@ -63,6 +61,12 @@ BuildRequires: zlib-devel
 # needed to compress content of tool_hugehelp.c after changing curl.1 man page
 BuildRequires: perl(IO::Compress::Gzip)
 
+# needed for generation of shell completions
+BuildRequires: perl(Getopt::Long)
+BuildRequires: perl(Pod::Usage)
+BuildRequires: perl(strict)
+BuildRequires: perl(warnings)
+
 # gnutls-serv is used by the upstream test-suite
 BuildRequires: gnutls-utils
 
@@ -78,10 +82,8 @@ BuildRequires: perl(File::Copy)
 BuildRequires: perl(File::Spec)
 BuildRequires: perl(IPC::Open2)
 BuildRequires: perl(MIME::Base64)
-BuildRequires: perl(strict)
 BuildRequires: perl(Time::Local)
 BuildRequires: perl(Time::HiRes)
-BuildRequires: perl(warnings)
 BuildRequires: perl(vars)
 
 # The test-suite runs automatically through valgrind if valgrind is available
@@ -183,9 +185,8 @@ be installed.
 # upstream patches
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
+%patch18 -p1
-%patch4 -p1
+%patch19 -p1
-%patch5 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -312,6 +313,10 @@ make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
 LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
     make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts
 
+# do not install /usr/share/fish/completions/curl.fish which is also installed
+# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
+rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
+
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
 %ldconfig_scriptlets -n libcurl
@@ -319,13 +324,17 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %ldconfig_scriptlets -n libcurl-minimal
 
 %files
-%doc CHANGES README*
+%doc CHANGES
-%doc docs/BUGS docs/FAQ docs/FEATURES
+%doc README
-%doc docs/MANUAL docs/RESOURCES
+%doc docs/BUGS
-%doc docs/TheArtOfHttpScripting docs/TODO
+%doc docs/FAQ
+%doc docs/FEATURES
+%doc docs/RESOURCES
+%doc docs/TODO
+%doc docs/TheArtOfHttpScripting
 %{_bindir}/curl
 %{_mandir}/man1/curl.1*
-%{_datadir}/zsh/site-functions
+%{_datadir}/zsh
 
 %files -n libcurl
 %license COPYING
@@ -353,6 +362,26 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-4
+- double free due to subsequent call of realloc() (CVE-2019-5481)
+- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
+
+* Tue Aug 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-3
+- avoid reporting spurious error in the HTTP2 framing layer (#1690971)
+
+* Thu Aug 01 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-2
+- improve handling of gss_init_sec_context() failures
+
+* Mon Jul 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-1
+- rebase to 7.65.3 to fix crashes of gnome and flatpak (#1697566)
+
+* Mon Jul 01 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-8
+- prevent multi from crashing with many parallel transfers (#1697566, #1723242)
+
+* Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-7
+- fix TFTP receive buffer overflow (CVE-2019-5436)
+- fix integer overflows in curl_url_set() (CVE-2019-5435)
+
 * Mon Mar 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-6
 - remove verbose "Expire in" ... messages (#1690971)
 

sources

@@ -1 +1 @@
-SHA512 (curl-7.64.0.tar.xz) = 953f1f5336ce5dfd1b9f933624432d401552d91ee02d39ecde6f023c956f99ec6aae8d7746d7c34b6eb2d6452f114e67da4e64d9c8dd90b7644b7844e7b9b423
+SHA512 (curl-7.65.3.tar.xz) = fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b