Mega:23.09
curl
The diff of some files on this page is truncated because they were too big.
Changes of Revision 2
_service:tar_scm:curl.spec
Changed
@@ -6,7 +6,7 @@
 Name: curl
 Version: 8.1.2
-Release: 2
+Release: 4
 Summary: Curl is used in command lines or scripts to transfer data
 License: curl
 URL: https://curl.se/
@@ -16,6 +16,9 @@
 Patch2: backport-curl-7.84.0-test3026.patch
 Patch4: backport-curl-7.88.0-tests-warnings.patch
 Patch5: backport-CVE-2023-32001.patch
+Patch6: backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch
+Patch7: backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch
+Patch8: backport-CVE-2023-38039.patch
 BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
@@ -200,6 +203,19 @@
 %{_mandir}/man3/*
 %changelog
+* Thu Sep 14 2023 gaihuiying <eaglegai@163.com> - 8.1.2-4
+- Type:CVE
+- CVE:CVE-2023-38039
+- SUG:NA
+- DESC:fix CVE-2023-38039
+
+* Wed Sep 06 2023 yanglu <yanglu72@h-partners.com> - 8.1.2-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:vtls:avoid memory leak if sha256 call fails
+ urlapi:make sure zoneid is also duplicated in curl_url_dup
+
 * Thu Jul 20 2023 zhouyihang <zhouyihang3@h-partners.com> - 8.1.2-2
 - Type:CVE
 - CVE:CVE-2023-32001
_service:tar_scm:backport-CVE-2023-38039.patch
Added
@@ -0,0 +1,212 @@
+From 3ee79c1674fd6f99e8efca52cd7510e08b766770 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Aug 2023 23:34:48 +0200
+Subject: PATCH http: return error when receiving too large header set
+
+To avoid abuse. The limit is set to 300 KB for the accumulated size of
+all received HTTP headers for a single response. Incomplete research
+suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
+1MB.
+
+Closes #11582
+---
+ lib/c-hyper.c | 12 +++++++-----
+ lib/cf-h1-proxy.c | 4 +++-
+ lib/http.c | 34 ++++++++++++++++++++++++++++++----
+ lib/http.h | 9 +++++++++
+ lib/pingpong.c | 4 +++-
+ lib/urldata.h | 17 ++++++++---------
+ 6 files changed, 60 insertions(+), 20 deletions(-)
+
+diff --git a/lib/c-hyper.c b/lib/c-hyper.c
+index c29983c0b24a6..0b9d9ab478e67 100644
+--- a/lib/c-hyper.c
++++ b/lib/c-hyper.c
+@@ -182,8 +182,11 @@ static int hyper_each_header(void *userdata,
+ }
+ }
+
+- data->info.header_size += (curl_off_t)len;
+- data->req.headerbytecount += (curl_off_t)len;
++ result = Curl_bump_headersize(data, len, FALSE);
++ if(result) {
++ data->state.hresult = result;
++ return HYPER_ITER_BREAK;
++ }
+ return HYPER_ITER_CONTINUE;
+ }
+
+@@ -313,9 +316,8 @@ static CURLcode status_line(struct Curl_easy *data,
+ if(result)
+ return result;
+ }
+- data->info.header_size += (curl_off_t)len;
+- data->req.headerbytecount += (curl_off_t)len;
+- return CURLE_OK;
++ result = Curl_bump_headersize(data, len, FALSE);
++ return result;
+ }
+
+ /*
+diff --git a/lib/cf-h1-proxy.c b/lib/cf-h1-proxy.c
+index c9b157c9bccc7..b1d8cb618b7d1 100644
+--- a/lib/cf-h1-proxy.c
++++ b/lib/cf-h1-proxy.c
+@@ -587,7 +587,9 @@ static CURLcode recv_CONNECT_resp(struct Curl_cfilter *cf,
+ return result;
+ }
+
+- data->info.header_size += (long)perline;
++ result = Curl_bump_headersize(data, perline, TRUE);
++ if(result)
++ return result;
+
+ /* Newlines are CRLF, so the CR is ignored as the line isn't
+ really terminated until the LF comes. Treat a following CR
+diff --git a/lib/http.c b/lib/http.c
+index f7c71afd7d847..bc78ff97435c4 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3920,6 +3920,29 @@ static CURLcode verify_header(struct Curl_easy *data)
+ return CURLE_OK;
+ }
+
++CURLcode Curl_bump_headersize(struct Curl_easy *data,
++ size_t delta,
++ bool connect_only)
++{
++ size_t bad = 0;
++ if(delta < MAX_HTTP_RESP_HEADER_SIZE) {
++ if(!connect_only)
++ data->req.headerbytecount += (unsigned int)delta;
++ data->info.header_size += (unsigned int)delta;
++ if(data->info.header_size > MAX_HTTP_RESP_HEADER_SIZE)
++ bad = data->info.header_size;
++ }
++ else
++ bad = data->info.header_size + delta;
++ if(bad) {
++ failf(data, "Too large response headers: %zu > %zu",
++ bad, MAX_HTTP_RESP_HEADER_SIZE);
++ return CURLE_RECV_ERROR;
++ }
++ return CURLE_OK;
++}
++
++
+ /*
+ * Read any HTTP header lines from the server and pass them to the client app.
+ */
+@@ -4173,8 +4196,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ if(result)
+ return result;
+
+- data->info.header_size += (long)headerlen;
+- data->req.headerbytecount += (long)headerlen;
++ result = Curl_bump_headersize(data, headerlen, FALSE);
++ if(result)
++ return result;
+
+ /*
+ * When all the headers have been parsed, see if we should give
+@@ -4496,8 +4520,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ if(result)
+ return result;
+
+- data->info.header_size += Curl_dyn_len(&data->state.headerb);
+- data->req.headerbytecount += Curl_dyn_len(&data->state.headerb);
++ result = Curl_bump_headersize(data, Curl_dyn_len(&data->state.headerb),
++ FALSE);
++ if(result)
++ return result;
+
+ Curl_dyn_reset(&data->state.headerb);
+ }
+diff --git a/lib/http.h b/lib/http.h
+index df3b4e38b8a88..4aeabc345938c 100644
+--- a/lib/http.h
++++ b/lib/http.h
+@@ -64,6 +64,10 @@ extern const struct Curl_handler Curl_handler_wss;
+
+ struct dynhds;
+
++CURLcode Curl_bump_headersize(struct Curl_easy *data,
++ size_t delta,
++ bool connect_only);
++
+ /* Header specific functions */
+ bool Curl_compareheader(const char *headerline, /* line to check */
+ const char *header, /* header keyword _with_ colon */
+@@ -183,6 +187,11 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data);
+ #define EXPECT_100_THRESHOLD (1024*1024)
+ #endif
+
++/* MAX_HTTP_RESP_HEADER_SIZE is the maximum size of all response headers
++ combined that libcurl allows for a single HTTP response, any HTTP
++ version. This count includes CONNECT response headers. */
++#define MAX_HTTP_RESP_HEADER_SIZE (300*1024)
++
+ #endif /* CURL_DISABLE_HTTP */
+
+ /****************************************************************************
+diff --git a/lib/pingpong.c b/lib/pingpong.c
+index f3f7cb93cb9b7..523bbec189fe6 100644
+--- a/lib/pingpong.c
++++ b/lib/pingpong.c
+@@ -341,7 +341,9 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data,
+ ssize_t clipamount = 0;
+ bool restart = FALSE;
+
+- data->req.headerbytecount += (long)gotbytes;
++ result = Curl_bump_headersize(data, gotbytes, FALSE);
++ if(result)
++ return result;
+
+ pp->nread_resp += gotbytes;
+ for(i = 0; i < gotbytes; ptr++, i++) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index e5446b6840f63..d21aa415dc94b 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -629,17 +629,16 @@ struct SingleRequest {
+ curl_off_t bytecount; /* total number of bytes read */
+ curl_off_t writebytecount; /* number of bytes written */
+
+- curl_off_t headerbytecount; /* only count received headers */
+- curl_off_t deductheadercount; /* this amount of bytes doesn't count when we
+- check if anything has been transferred at
+- the end of a connection. We use this
+- counter to make only a 100 reply (without a
+- following second response code) result in a
+- CURLE_GOT_NOTHING error code */
+-
+ curl_off_t pendingheader; /* this many bytes left to send is actually
+ header and not body */
+ struct curltime start; /* transfer started at this time */
++ unsigned int headerbytecount; /* only count received headers */
++ unsigned int deductheadercount; /* this amount of bytes doesn't count when
++ we check if anything has been transferred
++ at the end of a connection. We use this
++ counter to make only a 100 reply (without
++ a following second response code) result
++ in a CURLE_GOT_NOTHING error code */
+ enum {
+ HEADER_NORMAL, /* no bad header at all */
+ HEADER_PARTHEADER, /* part of the chunk is a bad header, the rest
+@@ -1089,7 +1088,6 @@ struct PureInfo {
+ int httpversion; /* the http version number X.Y = X*10+Y */
+ time_t filetime; /* If requested, this is might get set. Set to -1 if the
+ time was unretrievable. */
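Review bot: In the new `Curl_bump_headersize()` (lib/http.c) the `failf()` call passes `MAX_HTTP_RESP_HEADER_SIZE` to a `%zu` conversion, but the macro added in lib/http.h expands to `(300*1024)`, which has type `int`, so the variadic argument does not match its specifier; `bad, (size_t)MAX_HTTP_RESP_HEADER_SIZE);` on the argument line fixes that. The cap is also compared against `data->info.header_size`, while the commit message and the macro comment describe a limit for a single response; nothing in the visible hunks resets that counter per response, so if it accumulates over redirects and intermediate responses the cap is effectively per transfer, and a comment above the function should say which is intended. In lib/pingpong.c the call with `FALSE` now also adds to `info.header_size`, where the removed line only touched `req.headerbytecount`, so the HTTP cap appears to apply to those protocols' server responses as well. The listing on this page is cut off inside the lib/urldata.h section, so the type change of `header_size` itself cannot be checked here.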
_service:tar_scm:backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch
Added
@@ -0,0 +1,112 @@
+From 49e244318672c688097c1bf601a110005cd9a6a8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 31 Jul 2023 10:07:35 +0200
+Subject: PATCH urlapi: make sure zoneid is also duplicated in curl_url_dup
+
+Add several curl_url_dup() tests to the general lib1560 test.
+
+Reported-by: Rutger Broekhoff
+Bug: https://curl.se/mail/lib-2023-07/0047.html
+Closes #11549
+
+Conflict: tests/libtest/lib1560.c for context adapt
+Reference: https://github.com/curl/curl/commit/49e244318672c688097c1bf601a110005cd9a6a8
+---
+ lib/urlapi.c | 1 +
+ tests/libtest/lib1560.c | 67 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+)
+
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index cd423c335d88f..b1a126d548213 100644
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -1385,6 +1385,7 @@ CURLU *curl_url_dup(const CURLU *in)
+ DUP(u, in, path);
+ DUP(u, in, query);
+ DUP(u, in, fragment);
++ DUP(u, in, zoneid);
+ u->portnum = in->portnum;
+ }
+ return u;
+diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
+index 0eca0fda72d0b..ff03bec9391a4 100644
+--- a/tests/libtest/lib1560.c
++++ b/tests/libtest/lib1560.c
+@@ -1672,10 +1672,77 @@ static int huge(void)
+ return error;
+ }
+
++static int urldup(void)
++{
++ const char *url = {
++ "http://"
++ "user:pwd@"
++ "2a04:4e42:e00::347%25eth0"
++ ":80"
++ "/path"
++ "?query"
++ "#fraggie",
++ "https://example.com",
++ "https://user@example.com",
++ "https://user.pwd@example.com",
++ "https://user.pwd@example.com:1234",
++ "https://example.com:1234",
++ "example.com:1234",
++ "https://user.pwd@example.com:1234/path?query#frag",
++ NULL
++ };
++ CURLU *copy = NULL;
++ char *h_str = NULL, *copy_str = NULL;
++ CURLU *h = curl_url();
++ int i;
++
++ if(!h)
++ goto err;
++
++ for(i = 0; urli; i++) {
++ CURLUcode rc = curl_url_set(h, CURLUPART_URL, urli,
++ CURLU_GUESS_SCHEME);
++ if(rc)
++ goto err;
++ copy = curl_url_dup(h);
++
++ rc = curl_url_get(h, CURLUPART_URL, &h_str, 0);
++ if(rc)
++ goto err;
++
++ rc = curl_url_get(copy, CURLUPART_URL, ©_str, 0);
++ if(rc)
++ goto err;
++
++ if(strcmp(h_str, copy_str)) {
++ printf("Original: %s\nParsed: %s\nCopy: %s\n",
++ urli, h_str, copy_str);
++ goto err;
++ }
++ curl_free(copy_str);
++ curl_free(h_str);
++ curl_url_cleanup(copy);
++ copy_str = NULL;
++ h_str = NULL;
++ copy = NULL;
++ }
++ curl_url_cleanup(h);
++ return 0;
++err:
++ curl_free(copy_str);
++ curl_free(h_str);
++ curl_url_cleanup(copy);
++ curl_url_cleanup(h);
++ return 1;
++}
++
+ int test(char *URL)
+ {
+ (void)URL; /* not used */
+
++ if(urldup())
++ return 11;
++
+ if(get_url())
+ return 3;
+
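Review bot: In the new `urldup()` test (tests/libtest/lib1560.c) the result of `curl_url_dup(h)` is used without a check, so an allocation failure in the copy is only noticed indirectly when the later `curl_url_get(copy, ...)` is handed a NULL handle. Adding `if(!copy) goto err;` right after the call makes the failure explicit and keeps the test independent of how `curl_url_get` treats a NULL handle. The comparison covers only the full URL string; a direct `curl_url_get(copy, CURLUPART_ZONEID, ...)` check on the first entry would pin the field the lib/urlapi.c change is about.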
_service:tar_scm:backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch
Added
@@ -0,0 +1,41 @@
+From a4a5e438ae533c9af5e97457ae424c9189545105 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 12 Jun 2023 14:10:37 +0200
+Subject: PATCH vtls: avoid memory leak if sha256 call fails
+
+... in the pinned public key handling function.
+
+Reported-by: lizhuang0630 on github
+Fixes #11306
+Closes #11307
+
+Conflict: NA
+Reference: https://github.com/curl/curl/commit/a4a5e438ae533c9af5e97457ae424c9189545105
+---
+ lib/vtls/vtls.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index a4ff7d61a6193..cdd3a4fdc1c14 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -907,14 +907,12 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
+ if(!sha256sumdigest)
+ return CURLE_OUT_OF_MEMORY;
+ encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
+- sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
++ sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
+
+- if(encode != CURLE_OK)
+- return encode;
+-
+- encode = Curl_base64_encode((char *)sha256sumdigest,
+- CURL_SHA256_DIGEST_LENGTH, &encoded,
+- &encodedlen);
++ if(!encode)
++ encode = Curl_base64_encode((char *)sha256sumdigest,
++ CURL_SHA256_DIGEST_LENGTH, &encoded,
++ &encodedlen);
+ Curl_safefree(sha256sumdigest);
+
+ if(encode)