diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog 2023-12-22 00:54:28.000000000 +0000
+++ curl-7.88.1/debian/changelog 2024-03-29 17:42:54.000000000 +0000
@@ -1,3 +1,19 @@
+curl (7.88.1-11+18.04.sav4) bionic; urgency=medium
+
+ * debian/patches/CVE-2024-2398.patch: Fix patch for Curl 7.88.1
+
+ -- Rob Savoury Fri, 29 Mar 2024 10:42:54 -0700
+
+curl (7.88.1-11+18.04.sav3) bionic; urgency=medium
+
+ * SECURITY UPDATE: HTTP/2 push headers memory-leak
+ - debian/patches/CVE-2024-2398.patch: push headers better cleanup in
+ lib/http2.c.
+ - CVE-2024-2398
+ [ patch thanks to Marc Deslauriers ]
+
+ -- Rob Savoury Fri, 29 Mar 2024 10:30:11 -0700
+
 curl (7.88.1-11+18.04.sav2) bionic; urgency=medium * SECURITY UPDATE: cookie mixed case PSL bypass
@@ -355,6 +371,228 @@ -- Samuel Henrique Sat, 05 Mar 2022 13:40:14 +0000 +curl (7.81.0-1ubuntu1.16) jammy-security; urgency=medium + + * SECURITY UPDATE: HTTP/2 push headers memory-leak + - debian/patches/CVE-2024-2398.patch: push headers better cleanup in + lib/http2.c. + - CVE-2024-2398 + + -- Marc Deslauriers Tue, 19 Mar 2024 08:16:19 -0400 + +curl (7.81.0-1ubuntu1.15) jammy-security; urgency=medium + + * SECURITY UPDATE: cookie mixed case PSL bypass + - debian/patches/CVE-2023-46218.patch: lowercase the domain names + before PSL checks in lib/cookie.c. + - CVE-2023-46218 + + -- Marc Deslauriers Wed, 29 Nov 2023 14:23:00 -0500 + +curl (7.81.0-1ubuntu1.14) jammy-security; urgency=medium + + * SECURITY UPDATE: SOCKS5 heap buffer overflow + - debian/patches/CVE-2023-38545.patch: return error if hostname too + long for remote resolve in lib/socks.c, tests/data/Makefile.inc, + tests/data/test728. + - CVE-2023-38545 + * SECURITY UPDATE: cookie injection with none file + - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields + in lib/cookie.c, lib/cookie.h, lib/easy.c. + - CVE-2023-38546 + + -- Marc Deslauriers Tue, 03 Oct 2023 13:15:41 -0400 + +curl (7.81.0-1ubuntu1.13) jammy-security; urgency=medium + + * SECURITY REGRESSION: broken ssl cert wildcard handling (LP: #2028170) + - debian/patches/CVE-2023-28321.patch: fix missing line in backport. + + -- Marc Deslauriers Wed, 19 Jul 2023 12:23:36 -0400 + +curl (7.81.0-1ubuntu1.11) jammy-security; urgency=medium + + * SECURITY UPDATE: improper certificate validation vulnerability + - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking + in lib/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c. 
+ - CVE-2023-28321 + * SECURITY UPDATE: information disclosure vulnerability + - debian/patches/CVE-2023-28322.patch: unify the upload/method handling + in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c, + lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c, + lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c, + lib/vssh/wolfssh.c. + - CVE-2023-28322 + + -- Marc Deslauriers Mon, 17 Jul 2023 10:25:41 -0400 + +curl (7.81.0-1ubuntu1.10) jammy-security; urgency=medium + + * SECURITY UPDATE: TELNET option IAC injection + - debian/patches/CVE-2023-27533.patch: only accept option arguments in + ascii in lib/telnet.c. + - CVE-2023-27533 + * SECURITY UPDATE: SFTP path ~ resolving discrepancy + - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir + ends with one in lib/curl_path.c. + - debian/patches/CVE-2023-27534.patch: create the new path with dynbuf + in lib/curl_path.c. + - CVE-2023-27534 + * SECURITY UPDATE: FTP too eager connection reuse + - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp + in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c, + lib/vauth/digest_sspi.c, lib/vtls/vtls.c. + - debian/patches/CVE-2023-27535.patch: add more conditions for + connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h. + - CVE-2023-27535 + * SECURITY UPDATE: GSS delegation too eager connection re-use + - debian/patches/CVE-2023-27536.patch: only reuse connections with same + GSS delegation in lib/url.c, lib/urldata.h. + - CVE-2023-27536 + * SECURITY UPDATE: SSH connection too eager reuse still + - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse + check in lib/url.c. 
+ - CVE-2023-27538 + + -- Marc Deslauriers Tue, 14 Mar 2023 12:37:02 -0400 + +curl (7.81.0-1ubuntu1.8) jammy-security; urgency=medium + + * SECURITY UPDATE: multiple HSTS issues + - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache + among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3, + docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c, + lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c, + lib/url.c, lib/urldata.h. + - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles + in src/tool_operate.c. + - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host + name again in lib/hsts.c. + - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for + verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl. + - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in + tests/data/Makefile.inc, tests/data/test446. + - CVE-2023-23914 + - CVE-2023-23915 + * SECURITY UPDATE: HTTP multi-header compression denial of service + - debian/patches/CVE-2023-23916-pre1.patch: do CRLF replacements in + tests/FILEFORMAT.md, tests/data/test1, tests/runtests.pl. + - debian/patches/CVE-2023-23916.patch: do not reset stage counter for + each header in lib/content_encoding.c, lib/urldata.h, + tests/data/Makefile.inc, tests/data/test418. + - CVE-2023-23916 + + -- Marc Deslauriers Wed, 15 Feb 2023 08:20:05 -0500 + +curl (7.81.0-1ubuntu1.7) jammy-security; urgency=medium + + * SECURITY UPDATE: Another HSTS bypass via IDN + - debian/patches/CVE-2022-43551.patch: use the IDN decoded name in HSTS + checks in lib/http.c. + - CVE-2022-43551 + * SECURITY UPDATE: HTTP Proxy deny use-after-free + - debian/patches/CVE-2022-43552.patch: do not free the protocol struct + in *_done() in lib/smb.c, lib/telnet.c. 
+ - CVE-2022-43552 + + -- Marc Deslauriers Wed, 04 Jan 2023 09:53:07 -0500 + +curl (7.81.0-1ubuntu1.6) jammy-security; urgency=medium + + * SECURITY UPDATE: POST following PUT confusion + - debian/patches/CVE-2022-32221.patch: when POST is set, reset the + 'upload' field in lib/setopt.c. + - CVE-2022-32221 + * SECURITY UPDATE: HTTP proxy double-free + - debian/patches/CVE-2022-42915.patch: restore the protocol pointer on + error in lib/http_proxy.c, lib/url.c. + - CVE-2022-42915 + * SECURITY UPDATE: HSTS bypass via IDN + - debian/patches/CVE-2022-42916.patch: use IDN decoded names for HSTS + checks in lib/url.c. + - CVE-2022-42916 + + -- Marc Deslauriers Tue, 18 Oct 2022 12:35:33 -0400 + +curl (7.81.0-1ubuntu1.4) jammy-security; urgency=medium + + * SECURITY UPDATE: when curl sends back cookies with control bytes a + HTTP(S) server may return a 400 response + - debian/patches/CVE-2022-35252.patch: adds invalid_octets function + to lib/cookie.c to reject cookies with control bytes + - CVE-2022-35252 + + -- Mark Esler Wed, 31 Aug 2022 14:18:07 -0500 + +curl (7.81.0-1ubuntu1.3) jammy-security; urgency=medium + + * SECURITY UPDATE: Set-cookie denial of service + - debian/patches/CVE-2022-32205.patch: apply limits to cookies + specifications in lib/cookie.c, lib/cookie.h, lib/http.c, lib/urldata.h. + - CVE-2022-32205 + * SECURITY UPDATE: HTTP compression denial of service + - debian/patches/CVE-2022-32206.patch: return error on too many + compression steps in lib/content_encoding.c. + - CVE-2022-32206 + * SECURITY UPDATE: Unpreserved file permissions + - debian/patches/CVE-2022-32207.patch: add Curl_fopen() + for better overwriting of files in lib/Makefile.inc, + lib/cookie.c, lib/fopen.c, lib/fopen.h. + - CVE-2022-32207 + * SECURITY UPDATE: FTP-KRB bad msg verification + - debian/patches/CVE-2022-32208.patch: return error properly + on decode errors in lib/krb5.c. 
+ - CVE-2022-32208 + + -- Leonidas Da Silva Barbosa Mon, 20 Jun 2022 15:08:01 -0300 + +curl (7.81.0-1ubuntu1.2) jammy-security; urgency=medium + + * SECURITY UPDATE: percent-encoded path separator in URL host + - debian/patches/CVE-2022-27780.patch: reject percent-decoding host + name into separator bytes in lib/urlapi.c. + - CVE-2022-27780 + * SECURITY UPDATE: CERTINFO never-ending busy-loop + - debian/patches/CVE-2022-27781.patch: return error if seemingly stuck + in a cert loop in lib/vtls/nss.c. + - CVE-2022-27781 + * SECURITY UPDATE: TLS and SSH connection too eager reuse + - debian/patches/CVE-2022-27782.patch: check more TLS details for + connection reuse in lib/setopt.c, lib/url.c, lib/urldata.h, + lib/vtls/gtls.c, lib/vtls/openssl.c, lib/vtls/nss.c, lib/vtls/vtls.c, + lib/vssh/ssh.h. + - CVE-2022-27782 + + -- Marc Deslauriers Mon, 09 May 2022 08:34:24 -0400 + +curl (7.81.0-1ubuntu1.1) jammy-security; urgency=medium + + * SECURITY UPDATE: OAUTH2 bypass + - debian/patches/CVE-2022-22576.patch: check sasl additional + parameters for conn resuse in lib/strcase.c, lib/strcase.h, + lib/url.c, lib/urldata.h, lib/vtls/vtls.c. + - CVE-2022-22576 + * SECURITY UPDATE: Credential leak on redirect + - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port + in the info struct to make it available after the connection ended + in lib/connect.c, lib/urldata.h. + - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols + or ports clear auth in lib/transfer.c. + - debian/patches/CVE-2022-27774-3.patch: adds tests to verify + these fix in tests/data/Makefile.inc, tests/data/test973, + tests/data/test974, tests/data/test975, tests/data/test976. + - CVE-2022-27774 + * SECURITY UPDATE: Bad local IPV6 connection reuse + - debian/patches/CVE-2022-27775.patch: include the zone id in the + 'bundle' haskey in lib/conncache.c. 
+ - CVE-2022-27775
+ * SECURITY UPDATE: Auth/cookie leak on redirect
+ - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
+ same host diff port in lib/http.c, lib/urldata.h.
+ - CVE-2022-27776
+
+ -- Leonidas Da Silva Barbosa Wed, 20 Apr 2022 11:50:18 -0300
+
 curl (7.81.0-1) unstable; urgency=medium * New upstream version 7.81.0
diff -Nru curl-7.88.1/debian/patches/CVE-2024-2398.patch curl-7.88.1/debian/patches/CVE-2024-2398.patch
--- curl-7.88.1/debian/patches/CVE-2024-2398.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.88.1/debian/patches/CVE-2024-2398.patch 2024-03-29 17:42:27.000000000 +0000
@@ -0,0 +1,84 @@
+Backport of:
+
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -688,6 +688,15 @@ static int set_transfer_url(struct Curl_
+ return 0;
+ }
+
++static void free_push_headers(struct HTTP *stream)
++{
++ size_t i;
++ for(i = 0; ipush_headers_used; i++)
++ free(stream->push_headers[i]);
++ Curl_safefree(stream->push_headers);
++ stream->push_headers_used = 0;
++}
++
+ static int push_promise(struct Curl_cfilter *cf,
+ struct Curl_easy *data,
+ const nghttp2_push_promise *frame)
+@@ -702,7 +711,6 @@ static int push_promise(struct Curl_easy
+ struct HTTP *newstream;
+ struct curl_pushheaders heads;
+ CURLMcode rc;
+- size_t i;
+ /* clone the parent */
+ struct Curl_easy *newhandle = h2_duphandle(cf, data);
+ if(!newhandle) {
+@@ -738,11 +746,7 @@ static int push_promise(struct Curl_easy
+ Curl_set_in_callback(data, false);
+
+ /* free the headers again */
+- for(i = 0; ipush_headers_used; i++)
+- free(stream->push_headers[i]);
+- free(stream->push_headers);
+- stream->push_headers = NULL;
+- stream->push_headers_used = 0;
++ free_push_headers(stream);
+
+ if(rv) {
+ DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1202,10 +1206,10 @@ static int on_header(nghttp2_session *se
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ stream->push_headers_alloc *= 2;
+- headp = Curl_saferealloc(stream->push_headers,
+- stream->push_headers_alloc * sizeof(char *));
++ headp = realloc(stream->push_headers,
++ stream->push_headers_alloc * sizeof(char *));
+ if(!headp) {
+- stream->push_headers = NULL;
++ free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ stream->push_headers = headp;
+@@ -1364,15 +1368,7 @@ void Curl_http2_done(struct Curl_easy *d
+ setup */
+ Curl_dyn_free(&stream->header_recvbuf);
+ Curl_dyn_free(&stream->trailer_recvbuf);
+- if(stream->push_headers) {
+- /* if they weren't used and then freed before */
+- for(; stream->push_headers_used > 0; --stream->push_headers_used) {
+- free(stream->push_headers[stream->push_headers_used - 1]);
+- }
+- free(stream->push_headers);
+- stream->push_headers = NULL;
+- }
+-
++ free_push_headers(stream);
+ if(!ctx || !ctx->h2)
+ return;
+
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series 2023-12-22 00:53:27.000000000 +0000
+++ curl-7.88.1/debian/patches/series 2024-03-29 17:18:38.000000000 +0000
@@ -39,6 +39,9 @@
 CVE-2023-46218.patch CVE-2023-46219.patch
+# Patches from 8.7.0.
+CVE-2024-2398.patch
+
 # curl 3/4 mod 80_curlvers.patch 89_ssl3_syms.patch
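Review bot: free_push_headers() zeroes push_headers_used but not push_headers_alloc, so on the realloc-failure branch in on_header — where push_headers_alloc was doubled on the line just above — the stream is left with push_headers == NULL and a stale, doubled capacity. Whether the allocation branch above that hunk re-initialises the capacity whenever push_headers is NULL is outside the view; making the helper self-consistent removes the dependency: add `stream->push_headers_alloc = 0;` after `stream->push_headers_used = 0;`. Separately, the loop condition appears here as `ipush_headers_used`, which looks like `<` and `stream->` lost to markup extraction rather than the patch's real text; it is worth confirming the file in debian/patches reads `i < stream->push_headers_used`, since as rendered it would not compile. The enclosing functions (push_promise, on_header, Curl_http2_done) all start and end outside the hunks shown.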