From bea985e3e644ab80c4075fe4aa440553698567a2 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Mon, 13 May 2013 18:12:37 +0200
Subject: curl / el5: sync with 7.27.0-10 from F18
---
 0011-curl-7.27.0-2eb8dcf2.patch | 295 ++++++++++++++++++++++++++++++++++++++++
 0012-curl-7.27.0-25e577b3.patch | 86 ++++++++++++
 0013-curl-7.27.0-b37b5233.patch | 35 +++++
 0014-curl-7.27.0-9d0af301.patch | 95 +++++++++++++
 curl.spec | 40 +++++-
 5 files changed, 550 insertions(+), 1 deletion(-)
 create mode 100644 0011-curl-7.27.0-2eb8dcf2.patch
 create mode 100644 0012-curl-7.27.0-25e577b3.patch
 create mode 100644 0013-curl-7.27.0-b37b5233.patch
 create mode 100644 0014-curl-7.27.0-9d0af301.patch
diff --git a/0011-curl-7.27.0-2eb8dcf2.patch b/0011-curl-7.27.0-2eb8dcf2.patch
new file mode 100644
index 0000000..f77f104
--- /dev/null
+++ b/0011-curl-7.27.0-2eb8dcf2.patch
@@ -0,0 +1,295 @@
+From 5ceda5fa61a87015275ab94f99da4f92f49ac802 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Fri, 12 Apr 2013 16:49:32 +0200
+Subject: [PATCH 1/3] test1216: test tailmatching cookie domains
+
+This test is an attempt to repeat the problem YAMADA Yasuharu reported
+at http://curl.haxx.se/mail/lib-2013-04/0108.html
+
+Conflicts:
+
+ tests/data/Makefile.am
+
+Signed-off-by: Kamil Dudka
+---
+ tests/data/Makefile.am | 2 +-
+ tests/data/Makefile.in | 2 +-
+ tests/data/test1216 | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 64 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1216
+
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index 372f127..9321d61 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -78,7 +78,7 @@ test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \
+ test1126 test1127 test1128 test1129 test1130 test1131 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 \
+-test1220 \
++test1220 test1216 \
+ test1300 test1301 test1302 test1303 test1304 test1305 \
+ test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
+ test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \
+diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in
+index e0a554a..0c18cb5 100644
+--- a/tests/data/Makefile.in
++++ b/tests/data/Makefile.in
+@@ -343,7 +343,7 @@ test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \
+ test1126 test1127 test1128 test1129 test1130 test1131 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 \
+-test1220 \
++test1220 test1216 \
+ test1300 test1301 test1302 test1303 test1304 test1305 \
+ test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
+ test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \
+diff --git a/tests/data/test1216 b/tests/data/test1216
+new file mode 100644
+index 0000000..e63fe92
+--- /dev/null
++++ b/tests/data/test1216
+@@ -0,0 +1,62 @@
++
++
++
++HTTP
++HTTP GET
++HTTP proxy
++cookies
++
++
++
++# Server-side
++
++
++HTTP/1.1 200 OK
++Server: Microsoft-IIS/4.0
++Date: Tue, 25 Sep 2001 19:37:44 GMT
++Content-Type: text/html
++Connection: close
++Content-Length: 21
++
++This server says moo
++
++
++
++# Client-side
++
++
++http
++
++
++HTTP cookie domains tailmatching the host name
++
++
++http://example.fake/c/1216 http://bexample.fake/c/1216 -b log/injar1216 -x %HOSTIP:%HTTPPORT
++
++
++example.fake FALSE /a FALSE 2139150993 mooo indeed
++example.fake FALSE /b FALSE 0 moo1 indeed
++example.fake FALSE /c FALSE 2139150993 moo2 indeed
++
++
++
++# Verify data after the test has been "shot"
++
++
++^User-Agent:.*
++
++
++GET http://example.fake/c/1216 HTTP/1.1
++Host: example.fake
++Accept: */*
++Proxy-Connection: Keep-Alive
++Cookie: moo2=indeed
++
++GET http://bexample.fake/c/1216 HTTP/1.1
++Host: bexample.fake
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++
++
++
+--
+1.7.1
+
+
+From 3cf21844356a152df3af92530bb607ef880588af Mon Sep 17 00:00:00 2001
+From: YAMADA Yasuharu
+Date: Thu, 11 Apr 2013 00:17:15 +0200
+Subject: [PATCH 2/3] cookie: fix tailmatching to prevent cross-domain leakage
+
+Cookies set for 'example.com' could accidentaly also be sent by libcurl
+to the 'bexample.com' (ie with a prefix to the first domain name).
+
+This is a security vulnerabilty, CVE-2013-1944.
+
+Bug: http://curl.haxx.se/docs/adv_20130412.html
+
+Signed-off-by: Kamil Dudka
+---
+ lib/cookie.c | 24 +++++++++++++++++++-----
+ 1 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 644b33a..760a931 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co)
+ free(co);
+ }
+
+-static bool tailmatch(const char *little, const char *bigone)
++static bool tailmatch(const char *cooke_domain, const char *hostname)
+ {
+- size_t littlelen = strlen(little);
+- size_t biglen = strlen(bigone);
++ size_t cookie_domain_len = strlen(cooke_domain);
++ size_t hostname_len = strlen(hostname);
+
+- if(littlelen > biglen)
++ if(hostname_len < cookie_domain_len)
+ return FALSE;
+
+- return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE;
++ if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
++ return FALSE;
++
++ /* A lead char of cookie_domain is not '.'.
++ RFC6265 4.1.2.3. The Domain Attribute says:
++ For example, if the value of the Domain attribute is
++ "example.com", the user agent will include the cookie in the Cookie
++ header when making HTTP requests to example.com, www.example.com, and
++ www.corp.example.com.
++ */
++ if(hostname_len == cookie_domain_len)
++ return TRUE;
++ if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
++ return TRUE;
++ return FALSE;
+ }
+
+ /*
+--
+1.7.1
+
+
+From cb95277d4732d7e9a50df7cca2ce0aa8dc0aa5b9 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Fri, 12 Apr 2013 16:50:11 +0200
+Subject: [PATCH 3/3] test1218: another cookie tailmatch test
+
+These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie
+domain tailmatch" vulnerability. See
+http://curl.haxx.se/docs/adv_20130412.html
+
+Conflicts:
+
+ tests/data/Makefile.am
+
+Signed-off-by: Kamil Dudka
+---
+ tests/data/Makefile.am | 2 +-
+ tests/data/Makefile.in | 2 +-
+ tests/data/test1218 | 61 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 63 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1218
+
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index 9321d61..c8295c3 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -78,7 +78,7 @@ test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \
+ test1126 test1127 test1128 test1129 test1130 test1131 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 \
+-test1220 test1216 \
++test1220 test1216 test1218 \
+ test1300 test1301 test1302 test1303 test1304 test1305 \
+ test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
+ test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \
+diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in
+index 0c18cb5..96678cd 100644
+--- a/tests/data/Makefile.in
++++ b/tests/data/Makefile.in
+@@ -343,7 +343,7 @@ test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \
+ test1126 test1127 test1128 test1129 test1130 test1131 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 \
+-test1220 test1216 \
++test1220 test1216 test1218 \
+ test1300 test1301 test1302 test1303 test1304 test1305 \
+ test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
+ test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \
+diff --git a/tests/data/test1218 b/tests/data/test1218
+new file mode 100644
+index 0000000..7d86547
+--- /dev/null
++++ b/tests/data/test1218
+@@ -0,0 +1,61 @@
++
++
++
++HTTP
++HTTP GET
++HTTP proxy
++cookies
++
++
++
++# This test is very similar to 1216, only that it sets the cookies from the
++# first site instead of reading from a file
++
++
++HTTP/1.1 200 OK
++Date: Tue, 25 Sep 2001 19:37:44 GMT
++Set-Cookie: domain=.example.fake; bug=fixed;
++Content-Length: 21
++
++This server says moo
++
++
++
++# Client-side
++
++
++http
++
++
++HTTP cookies and domains with same prefix
++
++
++http://example.fake/c/1218 http://example.fake/c/1218 http://bexample.fake/c/1218 -b nonexisting -x %HOSTIP:%HTTPPORT
++
++
++
++# Verify data after the test has been "shot"
++
++
++^User-Agent:.*
++
++
++GET http://example.fake/c/1218 HTTP/1.1
++Host: example.fake
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++GET http://example.fake/c/1218 HTTP/1.1
++Host: example.fake
++Accept: */*
++Proxy-Connection: Keep-Alive
++Cookie: bug=fixed
++
++GET http://bexample.fake/c/1218 HTTP/1.1
++Host: bexample.fake
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++
++
++
+--
+1.7.1
+
diff --git a/0012-curl-7.27.0-25e577b3.patch b/0012-curl-7.27.0-25e577b3.patch
new file mode 100644
index 0000000..4b6ec7d
--- /dev/null
+++ b/0012-curl-7.27.0-25e577b3.patch
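Review bot: In the rewritten `tailmatch` in lib/cookie.c the new parameter is spelled `cooke_domain` while the local derived from it is `cookie_domain_len`; the typo sits on the signature, the `strlen` line and the `Curl_raw_equal` call, so renaming those three keeps the names consistent: `static bool tailmatch(const char *cookie_domain, const char *hostname)`, `size_t cookie_domain_len = strlen(cookie_domain);`, `if(!Curl_raw_equal(cookie_domain, hostname+hostname_len-cookie_domain_len))`. The block comment before the final two checks quotes the RFC example but does not state what the code enforces; I would replace it with `/* the domain must equal the host name, or be a suffix of it that starts right after a '.', so "example.com" never matches "bexample.com" (CVE-2013-1944) */`, which is exactly what the equal-length test and the `'.'` look-behind implement.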
@@ -0,0 +1,86 @@
+From 461a96d26c08fcd27fc0ab2c94574461a85782bf Mon Sep 17 00:00:00 2001
+From: Kim Vandry
+Date: Mon, 18 Feb 2013 21:36:34 +0100
+Subject: [PATCH] Curl_resolver_is_resolved: show proper host name on failed resolve
+
+[upstream commit 25e577b33d00afb6630cf2cac98d6baa319e9aef]
+
+Signed-off-by: Kamil Dudka
+---
+ lib/asyn-thread.c | 35 ++++++++++++++++++++---------------
+ 1 files changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
+index b027144..5552810 100644
+--- a/lib/asyn-thread.c
++++ b/lib/asyn-thread.c
+@@ -436,8 +436,19 @@ static const char *gai_strerror(int ecode)
+ * error
+ */
+
+-static void resolver_error(struct connectdata *conn, const char *host_or_proxy)
++static CURLcode resolver_error(struct connectdata *conn)
+ {
++ const char *host_or_proxy;
++ CURLcode rc;
++ if(conn->bits.httpproxy) {
++ host_or_proxy = "proxy";
++ rc = CURLE_COULDNT_RESOLVE_PROXY;
++ }
++ else {
++ host_or_proxy = "host";
++ rc = CURLE_COULDNT_RESOLVE_HOST;
++ }
++
+ failf(conn->data, "Could not resolve %s: %s; %s", host_or_proxy,
+ conn->async.hostname,
+ #ifdef HAVE_GAI_STRERROR
+@@ -448,6 +459,7 @@ static void resolver_error(struct connectdata *conn, const char *host_or_proxy)
+ Curl_strerror(conn, conn->async.status)
+ #endif
+ );
++ return rc;
+ }
+
+ /*
+@@ -479,17 +491,9 @@ CURLcode Curl_resolver_wait_resolv(struct connectdata *conn,
+ if(entry)
+ *entry = conn->async.dns;
+
+- if(!conn->async.dns) {
+- /* a name was not resolved */
+- if(conn->bits.httpproxy) {
+- resolver_error(conn, "proxy");
+- rc = CURLE_COULDNT_RESOLVE_PROXY;
+- }
+- else {
+- resolver_error(conn, "host");
+- rc = CURLE_COULDNT_RESOLVE_HOST;
+- }
+- }
++ if(!conn->async.dns)
++ /* a name was not resolved, report error */
++ rc = resolver_error(conn);
+
+ destroy_async_data(&conn->async);
+
+@@ -524,12 +528,13 @@ CURLcode Curl_resolver_is_resolved(struct connectdata *conn,
+
+ if(done) {
+ getaddrinfo_complete(conn);
+- destroy_async_data(&conn->async);
+
+ if(!conn->async.dns) {
+- resolver_error(conn, "host");
+- return CURLE_COULDNT_RESOLVE_HOST;
++ CURLcode rc = resolver_error(conn);
++ destroy_async_data(&conn->async);
++ return rc;
+ }
++ destroy_async_data(&conn->async);
+ *entry = conn->async.dns;
+ }
+ else {
+--
+1.7.1
+
diff --git a/0013-curl-7.27.0-b37b5233.patch b/0013-curl-7.27.0-b37b5233.patch
new file mode 100644
index 0000000..63c2779
--- /dev/null
+++ b/0013-curl-7.27.0-b37b5233.patch
@@ -0,0 +1,35 @@
+From a0d7db27c1cf8edbde1d468d655be942bcacb39c Mon Sep 17 00:00:00 2001
+From: Zdenek Pavlas
+Date: Fri, 26 Apr 2013 14:56:38 +0200
+Subject: [PATCH] url: initialize speed-check data for file:// protocol
+
+... in order to prevent an artificial timeout event based on stale
+speed-check data from a previous network transfer. This commit fixes
+a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e.
+
+Bug: https://bugzilla.redhat.com/906031
+
+[upstream commit b37b5233cab96b5b1f2ab7f6e0b9c3df77320bba]
+
+Signed-off-by: Kamil Dudka
+---
+ lib/url.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 87b8701..da53086 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -5058,6 +5058,9 @@ static CURLcode create_conn(struct SessionHandle *data,
+ -1, NULL); /* no upload */
+ }
+
++ /* since we skip do_init() */
++ Curl_speedinit(data);
++
+ return result;
+ }
+ #endif
+--
+1.7.1
+
diff --git a/0014-curl-7.27.0-9d0af301.patch b/0014-curl-7.27.0-9d0af301.patch
new file mode 100644
index 0000000..739bbe7
--- /dev/null
+++ b/0014-curl-7.27.0-9d0af301.patch
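Review bot: In `Curl_resolver_is_resolved` in lib/asyn-thread.c the new code calls `destroy_async_data(&conn->async)` on both the failure and the success path and then still reads `conn->async.dns` for `*entry`; that read-after-teardown predates this change, but whether `destroy_async_data` leaves `async.dns` untouched is not visible in the hunk and is worth confirming before relying on it. The duplicated teardown can be folded into one by deciding the result first: `CURLcode rc = conn->async.dns ? CURLE_OK : resolver_error(conn);`, `destroy_async_data(&conn->async);`, `if(rc) return rc;`, which keeps the error message formatted while `conn->async.hostname` is still valid, as the commit intends. The function begins and ends outside the hunk.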
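Review bot: The comment added above `Curl_speedinit(data)` in lib/url.c, `/* since we skip do_init() */`, names what is skipped but not why the call is needed, and the reason is only in the commit message; I would carry it into the code as `/* file:// skips do_init(), so reset the speed-check state here; otherwise stale data from an earlier transfer can trigger a bogus timeout (rhbz#906031) */`. create_conn begins outside the hunk.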
@@ -0,0 +1,95 @@
+From c7bd0361565f70caf621f588e38bfc6cc196c432 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Tue, 5 Mar 2013 17:51:01 +0100
+Subject: [PATCH 1/2] nss: fix misplaced code enabling non-blocking socket mode
+
+The option needs to be set on the SSL socket. Setting it on the model
+takes no effect. Note that the non-blocking mode is still not enabled
+for the handshake because the code is not yet ready for that.
+
+[upstream commit 9d0af3018c5db25f5adda216dbcad6056b4a3107]
+---
+ lib/nss.c | 12 ++++++------
+ 1 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index efa578c..0ad1863 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1240,12 +1240,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ goto error;
+ model = SSL_ImportFD(NULL, model);
+
+- /* make the socket nonblocking */
+- sock_opt.option = PR_SockOpt_Nonblocking;
+- sock_opt.value.non_blocking = PR_TRUE;
+- if(PR_SetSocketOption(model, &sock_opt) != PR_SUCCESS)
+- goto error;
+-
+ if(SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess)
+ goto error;
+ if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_FALSE) != SECSuccess)
+@@ -1420,6 +1414,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ goto error;
+ }
+
++ /* switch the SSL socket into non-blocking mode */
++ sock_opt.option = PR_SockOpt_Nonblocking;
++ sock_opt.value.non_blocking = PR_TRUE;
++ if(PR_SetSocketOption(connssl->handle, &sock_opt) != PR_SUCCESS)
++ goto error;
++
+ connssl->state = ssl_connection_complete;
+ conn->recv[sockindex] = nss_recv;
+ conn->send[sockindex] = nss_send;
+--
+1.7.1
+
+
+From f3a5d46280264965ca096c9b3efba481d4883d0e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 7 May 2013 23:30:52 +0200
+Subject: [PATCH 2/2] nss: give PR_INTERVAL_NO_WAIT instead of -1 to PR_Recv/PR_Send
+
+Reported by: David Strauss
+Bug: http://curl.haxx.se/mail/lib-2013-05/0088.html
+
+[upstream commit 01a2abedd7e3a2075de70979003302313570c58c]
+
+Signed-off-by: Kamil Dudka
+---
+ lib/nss.c | 11 ++++-------
+ 1 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 0ad1863..f69a888 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1487,10 +1487,8 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */
+ size_t len, /* amount to write */
+ CURLcode *curlcode)
+ {
+- int rc;
+-
+- rc = PR_Send(conn->ssl[sockindex].handle, mem, (int)len, 0, -1);
+-
++ ssize_t rc = PR_Send(conn->ssl[sockindex].handle, mem, (int)len, 0,
++ PR_INTERVAL_NO_WAIT);
+ if(rc < 0) {
+ PRInt32 err = PR_GetError();
+ if(err == PR_WOULD_BLOCK_ERROR)
+@@ -1518,9 +1516,8 @@ static ssize_t nss_recv(struct connectdata * conn, /* connection data */
+ size_t buffersize, /* max amount to read */
+ CURLcode *curlcode)
+ {
+- ssize_t nread;
+-
+- nread = PR_Recv(conn->ssl[num].handle, buf, (int)buffersize, 0, -1);
++ ssize_t nread = PR_Recv(conn->ssl[num].handle, buf, (int)buffersize, 0,
++ PR_INTERVAL_NO_WAIT);
+ if(nread < 0) {
+ /* failed SSL read */
+ PRInt32 err = PR_GetError();
+--
+1.7.1
+
diff --git a/curl.spec b/curl.spec
index 6f2d5d0..71458a7 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.27.0
-Release: 7%{?dist}
+Release: 10%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
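Review bot: The rewritten `PR_Send` and `PR_Recv` lines in lib/nss.c keep the `(int)len` and `(int)buffersize` casts, so a `size_t` above `INT_MAX` would be handed to NSPR as a negative count; the casts are inherited rather than introduced here, and libcurl's callers presumably bound these sizes, but since both lines are being touched anyway a clamp is cheap, e.g. `(int)(len > INT_MAX ? INT_MAX : len)` for nss_send and the same shape for `buffersize` in nss_recv, with `<limits.h>` included if it is not already. The rest of both functions lies outside their hunks.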
@@ -38,6 +38,18 @@ Patch9: 0009-curl-7.27.0-f206d6c0.patch # curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag Patch10: 0010-curl-7.27.0-57ccdfa8.patch +# fix cookie tailmatching to prevent cross-domain leakage (CVE-2013-1944) +Patch11: 0011-curl-7.27.0-2eb8dcf2.patch + +# show proper host name on failed resolve (#957173) +Patch12: 0012-curl-7.27.0-25e577b3.patch + +# prevent an artificial timeout event due to stale speed-check data (#906031) +Patch13: 0013-curl-7.27.0-b37b5233.patch + +# switch SSL socket into non-blocking mode after handshake (#960765) +Patch14: 0014-curl-7.27.0-9d0af301.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.27.0-multilib.patch @@ -145,6 +157,10 @@ documentation of the library, too. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 # Fedora patches %patch101 -p1 @@ -161,6 +177,15 @@ sed -i s/899\\\([0-9]\\\)/649\\1/ tests/data/test* sed -i s/899\\\([0-9]\\\)/329\\1/ tests/data/test* %endif +# disable test 1112 (#565305) +printf "1112\n" >> tests/data/DISABLED + +# disable test 1319 on ppc64 (server times out) +%ifarch ppc64 +echo "1319" >> tests/data/DISABLED +%endif + + %build [ -x /usr/kerberos/bin/krb5-config ] && KRB5_PREFIX="=/usr/kerberos" %configure --disable-static \ @@ -270,6 +295,19 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Mon May 13 2013 Remi Collet - 7.27.0-10 +- sync with 7.27.0-10 from F18 + +* Thu May 09 2013 Kamil Dudka 7.27.0-10 +- switch SSL socket into non-blocking mode after handshake (#960765) + +* Fri Apr 26 2013 Kamil Dudka 7.27.0-9 +- prevent an artificial timeout event due to stale speed-check data (#906031) +- show proper host name on failed resolve (#957173) + +* Fri Apr 12 2013 Kamil Dudka 7.27.0-8 +- fix cookie tailmatching to prevent cross-domain leakage (CVE-2013-1944) + * Mon Oct 17 2011 Remi Collet - 7.27.0-7 - sync with 7.27.0-7 from F18 -- cgit
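Review bot: The two new appends to `tests/data/DISABLED` in curl.spec use different commands for the same job, `printf "1112\n" >>` for test 1112 and `echo "1319" >>` for test 1319; picking one form, `echo "1112" >> tests/data/DISABLED`, reads more consistently next to its sibling. The added block also ends with two blank lines before `%build`, one more than the `%ifarch` block needs. The other hunks in this file are the patch list, `%patch` lines and changelog entries and need nothing.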