Resolves: CVE-2019-5481 - double free due to subsequent call of realloc()

Resolves: #1697566
Resolves: #1723242

0001-curl-7.65.3-negotiate-fails.patch

@@ -0,0 +1,166 @@
+From 90f7ca7bec18b49bf2706430aa6493eda7d7a573 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 30 Jul 2019 12:59:35 +0200
+Subject: [PATCH] http_negotiate: improve handling of gss_init_sec_context()
+ failures
+
+If HTTPAUTH_GSSNEGOTIATE was used for a POST request and
+gss_init_sec_context() failed, the POST request was sent
+with empty body.  This commit also restores the original
+behavior of `curl --fail --negotiate`, which was changed
+by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59.
+
+Add regression tests 2077 and 2078 to cover this.
+
+Fixes #3992
+Closes #4171
+
+Upstream-commit: 4c187043c5aac57f354ebb96cc6ff3263411e98d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http_negotiate.c    |  2 +-
+ tests/data/Makefile.inc |  3 ++-
+ tests/data/test2077     | 42 ++++++++++++++++++++++++++++++++
+ tests/data/test2078     | 54 +++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 99 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test2077
+ create mode 100644 tests/data/test2078
+
+diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
+index c8f406444..fe15dcefb 100644
+--- a/lib/http_negotiate.c
++++ b/lib/http_negotiate.c
+@@ -151,7 +151,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
+       if(result == CURLE_LOGIN_DENIED) {
+         /* negotiate auth failed, let's continue unauthenticated to stay
+          * compatible with the behavior before curl-7_64_0-158-g6c6035532 */
+-        conn->data->state.authproblem = TRUE;
++        authp->done = TRUE;
+         return CURLE_OK;
+       }
+       else if(result)
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 693e53d7c..3ed4a03e4 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -199,7 +199,8 @@ test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 \
+ test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \
+ test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \
+ test2064 test2065 test2066 test2067 test2068 test2069 \
+-         test2071 test2072 test2073 test2074 test2075 test2076 \
++         test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
++test2078 \
+ test2080 \
+ test2100 \
+ \
+diff --git a/tests/data/test2077 b/tests/data/test2077
+new file mode 100644
+index 000000000..0c600f5c3
+--- /dev/null
++++ b/tests/data/test2077
+@@ -0,0 +1,42 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++GSS-API
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data>
++HTTP/1.1 200 OK swsclose
++Content-Length: 23
++
++This IS the real page!
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++<features>
++GSS-API
++</features>
++<name>
++curl --fail --negotiate to unauthenticated service fails
++</name>
++<command>
++http://%HOSTIP:%HTTPPORT/2077 -u : --fail --negotiate
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<errorcode>
++0
++</errorcode>
++</verify>
++</testcase>
+diff --git a/tests/data/test2078 b/tests/data/test2078
+new file mode 100644
+index 000000000..99bc2dbee
+--- /dev/null
++++ b/tests/data/test2078
+@@ -0,0 +1,54 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++GSS-API
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data>
++HTTP/1.1 200 OK swsclose
++Content-Length: 23
++
++This IS the real page!
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++<features>
++GSS-API
++</features>
++<name>
++curl --negotiate should not send empty POST request only
++</name>
++<command>
++http://%HOSTIP:%HTTPPORT/2078 -u : --negotiate --data name=value
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<errorcode>
++0
++</errorcode>
++<strip>
++^User-Agent:.*
++</strip>
++<protocol nonewline="yes">
++POST /2078 HTTP/1.1
++Host: 127.0.0.1:8990
++Accept: */*
++Content-Length: 10
++Content-Type: application/x-www-form-urlencoded
++
++name=value
++</protocol>
++</verify>
++</testcase>
+-- 
+2.20.1
+

0001-curl-7.67.0-upload-glob.patch

@@ -1,316 +0,0 @@
-From 37a36231c5e34ae31b1968481fad2e8d76613fbd Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Wed, 13 Nov 2019 11:33:29 +0100
-Subject: [PATCH] curl: fix -T globbing
-
-Regression from e59371a4936f8 (7.67.0)
-
-Added test 490, 491 and 492 to verify the functionality.
-
-Reported-by: Kamil Dudka
-Reported-by: Anderson Sasaki
-
-Fixes #4588
-Closes #4591
-
-Upstream-commit: 7a46aeb0be3fa00826b0c47a8bc06eddff448659
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- src/tool_operate.c      | 15 ++++---
- tests/data/Makefile.inc |  2 +
- tests/data/test490      | 68 +++++++++++++++++++++++++++++++
- tests/data/test491      | 64 +++++++++++++++++++++++++++++
- tests/data/test492      | 89 +++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 232 insertions(+), 6 deletions(-)
- create mode 100644 tests/data/test490
- create mode 100644 tests/data/test491
- create mode 100644 tests/data/test492
-
-diff --git a/src/tool_operate.c b/src/tool_operate.c
-index 3087d2d..4ecb1ed 100644
---- a/src/tool_operate.c
-+++ b/src/tool_operate.c
-@@ -829,12 +829,6 @@ static CURLcode single_transfer(struct GlobalConfig *global,
-       separator = ((!state->outfiles ||
-                     !strcmp(state->outfiles, "-")) && urlnum > 1);
- 
--      /* Here's looping around each globbed URL */
--
--      if(state->li >= urlnum) {
--        state->li = 0;
--        state->up++;
--      }
-       if(state->up < state->infilenum) {
-         struct per_transfer *per;
-         struct OutStruct *outs;
-@@ -1908,6 +1902,15 @@ static CURLcode single_transfer(struct GlobalConfig *global,
-         per->retrystart = tvnow();
- 
-         state->li++;
-+        /* Here's looping around each globbed URL */
-+        if(state->li >= urlnum) {
-+          state->li = 0;
-+          state->urlnum = 0; /* forced reglob of URLs */
-+          glob_cleanup(state->urls);
-+          state->urls = NULL;
-+          state->up++;
-+          Curl_safefree(state->uploadfile); /* clear it to get the next */
-+        }
-       }
-       else {
-         /* Free this URL node data without destroying the
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 557f928..212900e 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -66,6 +66,8 @@ test393 test394 test395 \
- test400 test401 test402 test403 test404 test405 test406 test407 test408 \
- test409 \
- \
-+test490 test491 test492 \
-+\
- test500 test501 test502 test503 test504 test505 test506 test507 test508 \
- test509 test510 test511 test512 test513 test514 test515 test516 test517 \
- test518 test519 test520 test521 test522 test523 test524 test525 test526 \
-diff --git a/tests/data/test490 b/tests/data/test490
-new file mode 100644
-index 0000000..a3383a9
---- /dev/null
-+++ b/tests/data/test490
-@@ -0,0 +1,68 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs
-+ </name>
-+ <command>
-+http://%HOSTIP:%HTTPPORT/490 -T '{log/in490,log/in490}'
-+</command>
-+<file name="log/in490">
-+surprise!
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /490 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+PUT /490 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test491 b/tests/data/test491
-new file mode 100644
-index 0000000..b49c06c
---- /dev/null
-+++ b/tests/data/test491
-@@ -0,0 +1,64 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs, the second upload file is missing
-+ </name>
-+ <command>
-+http://%HOSTIP:%HTTPPORT/491 -T '{log/in491,log/bad491}'
-+</command>
-+<file name="log/in491">
-+surprise!
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /491 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Content-Length: 10
-+Expect: 100-continue
-+
-+surprise!
-+</protocol>
-+<errorcode>
-+26
-+</errorcode>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test492 b/tests/data/test492
-new file mode 100644
-index 0000000..12edd8b
---- /dev/null
-+++ b/tests/data/test492
-@@ -0,0 +1,89 @@
-+<testcase>
-+<info>
-+<keywords>
-+HTTP
-+HTTP PUT
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<data>
-+HTTP/1.1 200 OK
-+Date: Thu, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
-+-foo-
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<server>
-+http
-+</server>
-+ <name>
-+Two globbed HTTP PUTs to two globbed URLs
-+ </name>
-+ <command>
-+'http://%HOSTIP:%HTTPPORT/{one,two}/' -T '{log/first492,log/second492}' -H "Testno: 492"
-+</command>
-+<file name="log/first492">
-+first 492 contents
-+</file>
-+<file1 name="log/second492">
-+second 492 contents
-+</file1>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+<strip>
-+^User-Agent:.*
-+</strip>
-+<protocol>
-+PUT /one/first492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 19
-+Expect: 100-continue
-+
-+first 492 contents
-+PUT /two/first492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 19
-+Expect: 100-continue
-+
-+first 492 contents
-+PUT /one/second492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 20
-+Expect: 100-continue
-+
-+second 492 contents
-+PUT /two/second492 HTTP/1.1
-+Host: 127.0.0.1:8990
-+Accept: */*
-+Testno: 492
-+Content-Length: 20
-+Expect: 100-continue
-+
-+second 492 contents
-+</protocol>
-+</verify>
-+</testcase>
--- 
-2.20.1
-

0002-curl-7.65.3-h2-framing-layer-error.patch

@@ -0,0 +1,37 @@
+From 98d59387c749256c2421b22dc3419b94d381986a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 26 Aug 2019 16:00:05 +0200
+Subject: [PATCH] http2: when marked for closure and wanted to close == OK
+
+It could otherwise return an error even when closed correctly if GOAWAY
+had been received previously.
+
+Reported-by: Tom van der Woerdt
+Fixes #4267
+Closes #4268
+
+Upstream-commit: c1b6a384f9c8a91197c20adb49d43f30dc0e917d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/http2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 930e85165..31d2d698a 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -1566,6 +1566,11 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
+   if(should_close_session(httpc)) {
+     H2BUGF(infof(data,
+                  "http2_recv: nothing to do in this session\n"));
++    if(conn->bits.close) {
++      /* already marked for closure, return OK and we're done */
++      *err = CURLE_OK;
++      return 0;
++    }
+     *err = CURLE_HTTP2;
+     return -1;
+   }
+-- 
+2.20.1
+

0018-curl-7.65.3-CVE-2019-5482.patch

@@ -0,0 +1,158 @@
+From 63f9837b4ccf600da79314e8667f91bda69988fc Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 16:59:56 +0200
+Subject: [PATCH 1/2] tftp: return error when packet is too small for options
+
+Upstream-commit: 82f3ba3806a34fe94dcf9e5c9b88deda6679ca1b
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/tftp.c | 53 +++++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 289cda2..4532170 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -404,13 +404,14 @@ static CURLcode tftp_parse_option_ack(tftp_state_data_t *state,
+   return CURLE_OK;
+ }
+ 
+-static size_t tftp_option_add(tftp_state_data_t *state, size_t csize,
+-                              char *buf, const char *option)
++static CURLcode tftp_option_add(tftp_state_data_t *state, size_t *csize,
++                                char *buf, const char *option)
+ {
+-  if(( strlen(option) + csize + 1) > (size_t)state->blksize)
+-    return 0;
++  if(( strlen(option) + *csize + 1) > (size_t)state->blksize)
++    return CURLE_TFTP_ILLEGAL;
+   strcpy(buf, option);
+-  return strlen(option) + 1;
++  *csize += strlen(option) + 1;
++  return CURLE_OK;
+ }
+ 
+ static CURLcode tftp_connect_for_tx(tftp_state_data_t *state,
+@@ -511,26 +512,38 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
+       else
+         strcpy(buf, "0"); /* the destination is large enough */
+ 
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes,
+-                                TFTP_OPTION_TSIZE);
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes, buf);
++      result = tftp_option_add(state, &sbytes,
++                               (char *)state->spacket.data + sbytes,
++                               TFTP_OPTION_TSIZE);
++      if(result == CURLE_OK)
++        result = tftp_option_add(state, &sbytes,
++                                 (char *)state->spacket.data + sbytes, buf);
++
+       /* add blksize option */
+       msnprintf(buf, sizeof(buf), "%d", state->requested_blksize);
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes,
+-                                TFTP_OPTION_BLKSIZE);
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes, buf);
++      if(result == CURLE_OK)
++        result = tftp_option_add(state, &sbytes,
++                                 (char *)state->spacket.data + sbytes,
++                                 TFTP_OPTION_BLKSIZE);
++      if(result == CURLE_OK)
++        result = tftp_option_add(state, &sbytes,
++                                 (char *)state->spacket.data + sbytes, buf);
+ 
+       /* add timeout option */
+       msnprintf(buf, sizeof(buf), "%d", state->retry_time);
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes,
+-                                TFTP_OPTION_INTERVAL);
+-      sbytes += tftp_option_add(state, sbytes,
+-                                (char *)state->spacket.data + sbytes, buf);
++      if(result == CURLE_OK)
++        result = tftp_option_add(state, &sbytes,
++                                 (char *)state->spacket.data + sbytes,
++                                 TFTP_OPTION_INTERVAL);
++      if(result == CURLE_OK)
++        result = tftp_option_add(state, &sbytes,
++                                 (char *)state->spacket.data + sbytes, buf);
++
++      if(result != CURLE_OK) {
++        failf(data, "TFTP buffer too small for options");
++        free(filename);
++        return CURLE_TFTP_ILLEGAL;
++      }
+     }
+ 
+     /* the typecase for the 3rd argument is mostly for systems that do
+-- 
+2.20.1
+
+
+From b6b12a4cfe00c4850a1d6cee4cf267f00dee5987 Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH 2/2] tftp: Alloc maximum blksize, and use default unless OACK
+ is received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+
+Upstream-commit: facb0e4662415b5f28163e853dc6742ac5fafb3d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 4532170..5651b62 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -986,6 +986,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+   tftp_state_data_t *state;
+   int blksize;
++  int need_blksize;
+ 
+   blksize = TFTP_BLKSIZE_DEFAULT;
+ 
+@@ -1000,15 +1001,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+       return CURLE_TFTP_ILLEGAL;
+   }
+ 
++  need_blksize = blksize;
++  /* default size is the fallback when no OACK is received */
++  if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++    need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+   if(!state->rpacket.data) {
+-    state->rpacket.data = calloc(1, blksize + 2 + 2);
++    state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->rpacket.data)
+       return CURLE_OUT_OF_MEMORY;
+   }
+ 
+   if(!state->spacket.data) {
+-    state->spacket.data = calloc(1, blksize + 2 + 2);
++    state->spacket.data = calloc(1, need_blksize + 2 + 2);
+ 
+     if(!state->spacket.data)
+       return CURLE_OUT_OF_MEMORY;
+@@ -1022,7 +1028,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+   state->sockfd = state->conn->sock[FIRSTSOCKET];
+   state->state = TFTP_STATE_START;
+   state->error = TFTP_ERR_NONE;
+-  state->blksize = blksize;
++  state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+   state->requested_blksize = blksize;
+ 
+   ((struct sockaddr *)&state->local_addr)->sa_family =
+-- 
+2.20.1
+

0019-curl-7.65.3-CVE-2019-5481.patch

@@ -0,0 +1,46 @@
+From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 3 Sep 2019 22:59:32 +0200
+Subject: [PATCH] security:read_data fix bad realloc()
+
+... that could end up a double-free
+
+CVE-2019-5481
+Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
+
+Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/security.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 550ea2d..c5e4e13 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
+                           struct krb5buffer *buf)
+ {
+   int len;
+-  void *tmp = NULL;
+   CURLcode result;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    tmp = Curl_saferealloc(buf->data, len);
++    buf->data = Curl_saferealloc(buf->data, len);
+   }
+-  if(tmp == NULL)
++  if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+ 
+-  buf->data = tmp;
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-- 
+2.20.1
+

0102-curl-7.36.0-debug.patch

@@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16331,18 +16331,11 @@ $as_echo "yes" >&6; }
+@@ -16288,18 +16288,11 @@ $as_echo "yes" >&6; }
      gccvhi=`echo $gccver | cut -d . -f1`
      gccvlo=`echo $gccver | cut -d . -f2`
      compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`

0103-curl-7.59.0-python3.patch

@@ -9,7 +9,8 @@ there is no 'impacket' module available for Python 3:
 https://github.com/CoreSecurity/impacket/issues/61
 ---
  tests/negtelnetserver.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
+ tests/smbserver.py       | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
 index 8cfd409..72ee771 100755
@@ -29,6 +30,28 @@ index 8cfd409..72ee771 100755
  
          except IOError:
              log.exception("IOError hit during request")
+diff --git a/tests/smbserver.py b/tests/smbserver.py
+index 195ae39..b09cd44 100755
+--- a/tests/smbserver.py
++++ b/tests/smbserver.py
+@@ -24,7 +24,7 @@
+ from __future__ import (absolute_import, division, print_function)
+ # unicode_literals)
+ import argparse
+-import ConfigParser
++import configparser
+ import os
+ import sys
+ import logging
+@@ -58,7 +58,7 @@ def smbserver(options):
+             f.write("{0}".format(pid))
+ 
+     # Here we write a mini config for the server
+-    smb_config = ConfigParser.ConfigParser()
++    smb_config = configparser.ConfigParser()
+     smb_config.add_section("global")
+     smb_config.set("global", "server_name", "SERVICE")
+     smb_config.set("global", "server_os", "UNIX")
 -- 
 2.14.3
 

0105-curl-7.63.0-lib1560-valgrind.patch

@@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
 index 080421b..ea3b806 100644
 --- a/tests/libtest/Makefile.inc
 +++ b/tests/libtest/Makefile.inc
-@@ -534,6 +534,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+@@ -531,6 +531,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
  lib1559_LDADD = $(TESTUTIL_LIBS)
  
  lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)

curl-7.65.3.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl0xj7oACgkQXMkI/bce
+EsKYbgf9G41o5x73tc+2TOGt2QmJ7ukyHmd5Vq7XTSNdNU5dJ41Z3qh9Jm72x62i
+b4kJMjWyoL2j031ml5JevycpMpNa1v784UlPW2tzzL2B7v6vcA4xknJRLWlPlcTJ
+HOgub6r7g/zhOpdAeJh8o4jkBLUyN+S/HOyHLWcvdWDnhqUAmpZfIqtd8kjqzDul
+XAkdj7MxWqKZ3wXWwlpp4j81jpfOj7KCC/ZpxlJ0KfefgYEzV23O2hcJzw57jqTy
+SQZc39uTQOjbZPlBXJD55QeVISCwe53pn55aWQll90XfE3XRapuYZdiL8wLwtl/L
+tjugTKjfoy9qqOGH5YB/4kHqoSJqow==
+=Itbi
+-----END PGP SIGNATURE-----

curl-7.67.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl3CauAACgkQXMkI/bce
-EsKe7Qf+Py/Wufz3AqqpJ1Xr0oigaV1Sa5AAyRD+KX8jwSJTRaRahaECGMhmR9vh
-kBaMFtycctCKcK1masI9GSeTX5nCtmaWzELLsBXynm/l2W+hrW1AD2R++YuM384t
-O078GxgsgRH0m8MacSKoV5yPOv/h9URnVMTavkAIfnW50vw17akDZ9MW2NhJzKpP
-s6GgWTMB5gomTHlnlHjTjtNoVbKKrV4v9YyRwqzI3XHXYtYOA7iufP4wnT+dpSm5
-ZLdbg5Nq+1pCTEiMg3KZKYNriypoLJuWuSF+bKc54CGN63eoUxXgU6js9ViHS5JS
-3dPfzzRA8wgROem58QhHnrR9c2CmdQ==
-=5gov
------END PGP SIGNATURE-----

curl.spec

@@ -1,12 +1,21 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.67.0
-Release: 2%{?dist}
+Version: 7.65.3
+Release: 4%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
-# fix infinite loop on upload using a glob (#1771025)
-Patch1:   0001-curl-7.67.0-upload-glob.patch
+# improve handling of gss_init_sec_context() failures
+Patch1:   0001-curl-7.65.3-negotiate-fails.patch
+
+# avoid reporting spurious error in the HTTP2 framing layer (#1690971)
+Patch2:   0002-curl-7.65.3-h2-framing-layer-error.patch
+
+# fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
+Patch18:  0018-curl-7.65.3-CVE-2019-5482.patch
+
+# double free due to subsequent call of realloc() (CVE-2019-5481)
+Patch19:  0019-curl-7.65.3-CVE-2019-5481.patch
 
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -83,7 +92,7 @@ BuildRequires: perl(vars)
 # to be less reliable, in order to avoid unnecessary build failures (see RHBZ
 # #810992, #816175, and #886891).  Nevertheless developers are free to install
 # valgrind manually to improve test coverage on any architecture.
-%ifarch x86_64
+%ifarch x86_64 %{ix86}
 BuildRequires: valgrind
 %endif
 
@@ -175,6 +184,9 @@ be installed.
 
 # upstream patches
 %patch1 -p1
+%patch2 -p1
+%patch18 -p1
+%patch19 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -350,48 +362,25 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
-* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-2
-- fix infinite loop on upload using a glob (#1771025)
+* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-4
+- double free due to subsequent call of realloc() (CVE-2019-5481)
+- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
 
-* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-1
-- new upstream release
-
-* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2019-5481 - double free due to subsequent call of realloc()
-    CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet()
-
-* Tue Aug 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-4
+* Tue Aug 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-3
 - avoid reporting spurious error in the HTTP2 framing layer (#1690971)
 
-* Thu Aug 01 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-3
+* Thu Aug 01 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-2
 - improve handling of gss_init_sec_context() failures
 
-* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.65.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+* Mon Jul 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-1
+- rebase to 7.65.3 to fix crashes of gnome and flatpak (#1697566)
 
-* Sat Jul 20 2019 Paul Howarth <paul@city-fan.org> - 7.65.3-1
-- new upstream release
+* Mon Jul 01 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-8
+- prevent multi from crashing with many parallel transfers (#1697566, #1723242)
 
-* Wed Jul 17 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.2-1
-- new upstream release
-
-* Wed Jun 05 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.1-1
-- new upstream release
-
-* Thu May 30 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.0-2
-- fix spurious timeout events with speed-limit (#1714893)
-
-* Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.0-1
-- new upstream release, which fixes the following vulnerabilities
-    CVE-2019-5436 - TFTP receive buffer overflow
-    CVE-2019-5435 - integer overflows in curl_url_set()
-
-* Thu May 09 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.1-2
-- do not treat failure of gss_init_sec_context() with --negotiate as fatal
-
-* Wed Mar 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.1-1
-- new upstream release
+* Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-7
+- fix TFTP receive buffer overflow (CVE-2019-5436)
+- fix integer overflows in curl_url_set() (CVE-2019-5435)
 
 * Mon Mar 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-6
 - remove verbose "Expire in" ... messages (#1690971)

sources

@@ -1 +1 @@
-SHA512 (curl-7.67.0.tar.xz) = 1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29
+SHA512 (curl-7.65.3.tar.xz) = fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b