Version in base suite: 7.88.1-10+deb12u5 Base version: curl_7.88.1-10+deb12u5 Target version: curl_7.88.1-10+deb12u6 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/curl/curl_7.88.1-10+deb12u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/curl/curl_7.88.1-10+deb12u6.dsc changelog | 24 + patches/CVE-2024-2004.patch | 135 ++++++++++ patches/CVE-2024-2398.patch | 91 ++++++ patches/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch | 48 +++ patches/series | 5 5 files changed, 303 insertions(+) diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog --- curl-7.88.1/debian/changelog 2023-12-10 06:07:30.000000000 +0000 +++ curl-7.88.1/debian/changelog 2024-04-02 23:02:10.000000000 +0000 @@ -1,3 +1,27 @@ +curl (7.88.1-10+deb12u6) bookworm; urgency=medium + + * Team upload. + + [ Sergio Durigan Junior ] + * d/p/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch: + (Closes: #1053643) + + [ Guilherme Puida Moreira ] + * Add patches to fix CVE-2024-2004 and CVE-2024-2398. + - CVE-2024-2004: When a protocol selection parameter disables all + protocols without adding any then the default set of protocols would + remain in the allowed set due to an error in the logic for removing + protocols. + - CVE-2024-2398: When an application tells libcurl it wants to allow + HTTP/2 server push and the amount of received headers for the push + surpasses the maximum allowed limit (1000), libcurl aborts the server + push and leaks the memory allocated for the previously allocated + headers. + * d/p/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch: + Refresh patch. + + -- Guilherme Puida Moreira Tue, 02 Apr 2024 20:02:10 -0300 + curl (7.88.1-10+deb12u5) bookworm-security; urgency=high * Add patches to fix CVE-2023-46218 and CVE-2023-46219 diff -Nru curl-7.88.1/debian/patches/CVE-2024-2004.patch curl-7.88.1/debian/patches/CVE-2024-2004.patch --- curl-7.88.1/debian/patches/CVE-2024-2004.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.88.1/debian/patches/CVE-2024-2004.patch 2024-04-02 23:02:10.000000000 +0000 @@ -0,0 +1,135 @@ +From 17d302e56221f5040092db77d4f85086e8a20e0e Mon Sep 17 00:00:00 2001 +From: Daniel Gustafsson +Date: Tue, 27 Feb 2024 15:43:56 +0100 +Subject: [PATCH] setopt: Fix disabling all protocols + +When disabling all protocols without enabling any, the resulting +set of allowed protocols remained the default set. Clearing the +allowed set before inspecting the passed value from --proto make +the set empty even in the errorpath of no protocols enabled. + +Co-authored-by: Dan Fandrich +Reported-by: Dan Fandrich +Reviewed-by: Daniel Stenberg +Closes: #13004 + +Backported by: Guilherme Puida Moreira + * Small change in the Makefile to add a new test. + +--- + lib/setopt.c | 16 ++++++++-------- + tests/data/Makefile.inc | 2 +- + tests/data/test1474 | 42 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 51 insertions(+), 9 deletions(-) + create mode 100644 tests/data/test1474 + +Index: curl/lib/setopt.c +=================================================================== +--- curl.orig/lib/setopt.c ++++ curl/lib/setopt.c +@@ -150,6 +150,12 @@ static CURLcode setstropt_userpwd(char * + + static CURLcode protocol2num(const char *str, curl_prot_t *val) + { ++ /* ++ * We are asked to cherry-pick protocols, so play it safe and disallow all ++ * protocols to start with, and re-add the wanted ones back in. ++ */ ++ *val = 0; ++ + if(!str) + return CURLE_BAD_FUNCTION_ARGUMENT; + +@@ -158,8 +164,6 @@ static CURLcode protocol2num(const char + return CURLE_OK; + } + +- *val = 0; +- + do { + const char *token = str; + size_t tlen; +@@ -2666,22 +2670,18 @@ CURLcode Curl_vsetopt(struct Curl_easy * + break; + + case CURLOPT_PROTOCOLS_STR: { +- curl_prot_t prot; + argptr = va_arg(param, char *); +- result = protocol2num(argptr, &prot); ++ result = protocol2num(argptr, &data->set.allowed_protocols); + if(result) + return result; +- data->set.allowed_protocols = prot; + break; + } + + case CURLOPT_REDIR_PROTOCOLS_STR: { +- curl_prot_t prot; + argptr = va_arg(param, char *); +- result = protocol2num(argptr, &prot); ++ result = protocol2num(argptr, &data->set.redir_protocols); + if(result) + return result; +- data->set.redir_protocols = prot; + break; + } + +Index: curl/tests/data/Makefile.inc +=================================================================== +--- curl.orig/tests/data/Makefile.inc ++++ curl/tests/data/Makefile.inc +@@ -186,6 +186,7 @@ test1440 test1441 test1442 test1443 test + test1448 test1449 test1450 test1451 test1452 test1453 test1454 test1455 \ + test1456 test1457 test1458 test1459 test1460 test1461 test1462 test1463 \ + test1464 test1465 test1466 test1467 test1468 test1469 \ ++test1474 \ + \ + test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ + test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \ +Index: curl/tests/data/test1474 +=================================================================== +--- /dev/null ++++ curl/tests/data/test1474 +@@ -0,0 +1,42 @@ ++ ++ ++ ++HTTP ++HTTP GET ++--proto ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++none ++ ++ ++http ++ ++ ++--proto -all disables all protocols ++ ++ ++--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 1 - Protocol "http" disabled ++ ++1 ++ ++ ++ diff -Nru curl-7.88.1/debian/patches/CVE-2024-2398.patch curl-7.88.1/debian/patches/CVE-2024-2398.patch --- curl-7.88.1/debian/patches/CVE-2024-2398.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.88.1/debian/patches/CVE-2024-2398.patch 2024-04-02 23:02:10.000000000 +0000 @@ -0,0 +1,91 @@ +From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 + +Backported by: Guilherme Puida Moreira : + * Changed h2_stream_ctx to HTTP in free_push_headers. +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +Index: curl/lib/http2.c +=================================================================== +--- curl.orig/lib/http2.c ++++ curl/lib/http2.c +@@ -229,6 +229,15 @@ static CURLcode http2_data_setup(struct + return CURLE_OK; + } + ++static void free_push_headers(struct HTTP *stream) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + /* + * Initialize the cfilter context + */ +@@ -702,7 +711,6 @@ static int push_promise(struct Curl_cfil + struct HTTP *newstream; + struct curl_pushheaders heads; + CURLMcode rc; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = h2_duphandle(cf, data); + if(!newhandle) { +@@ -738,11 +746,7 @@ static int push_promise(struct Curl_cfil + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); +@@ -1198,14 +1202,14 @@ static int on_header(nghttp2_session *se + if(stream->push_headers_alloc > 1000) { + /* this is beyond crazy many headers, bail out */ + failf(data_s, "Too many PUSH_PROMISE headers"); +- Curl_safefree(stream->push_headers); ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; +@@ -1364,14 +1368,7 @@ static void http2_data_done(struct Curl_ + setup */ + Curl_dyn_free(&stream->header_recvbuf); + Curl_dyn_free(&stream->trailer_recvbuf); +- if(stream->push_headers) { +- /* if they weren't used and then freed before */ +- for(; stream->push_headers_used > 0; --stream->push_headers_used) { +- free(stream->push_headers[stream->push_headers_used - 1]); +- } +- free(stream->push_headers); +- stream->push_headers = NULL; +- } ++ free_push_headers(stream); + + if(!ctx || !ctx->h2) + return; diff -Nru curl-7.88.1/debian/patches/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch curl-7.88.1/debian/patches/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch --- curl-7.88.1/debian/patches/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.88.1/debian/patches/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch 2024-04-02 23:02:10.000000000 +0000 @@ -0,0 +1,48 @@ +From: Daniel Stenberg +Date: Sat, 30 Mar 2024 11:14:54 +0100 +Subject: openldap: create ldap URLs correctly for IPv6 addresses + +Reported-by: Sergio Durigan Junior +Fixes #13228 +Closes #13235 + +More context: + +When the user specified an IPv6 address to be used as an LDAP server, +curl will fail to properly enclose it in square brackets, which causes +the connection to fail because the host address cannot be +distinguished from the port: + +$ curl -v ldap://[fd42:be5:e632:a6b3:216:3eff:feb1:5bc4]:389 +... +* LDAP local: Cannot connect to ldap://fd42:be5:e632:a6b3:216:3eff:feb1:5bc4:389, Bad parameter to an ldap routine +... + +Fix this by always enclosing the IPv6 address in square brackets. + +Origin: upstream, https://github.com/curl/curl/commit/56935a7dada6975d5a46aa494de0af195e4e8659 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053643 +--- + lib/openldap.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +Index: curl/lib/openldap.c +=================================================================== +--- curl.orig/lib/openldap.c ++++ curl/lib/openldap.c +@@ -547,9 +547,12 @@ static CURLcode oldap_connect(struct Cur + + (void)done; + +- hosturl = aprintf("ldap%s://%s:%d", +- conn->handler->flags & PROTOPT_SSL? "s": "", +- conn->host.name, conn->remote_port); ++ hosturl = aprintf("%s://%s%s%s:%d", ++ conn->handler->scheme, ++ conn->bits.ipv6_ip? "[": "", ++ conn->host.name, ++ conn->bits.ipv6_ip? "]": "", ++ conn->remote_port); + if(!hosturl) + return CURLE_OUT_OF_MEMORY; + diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series --- curl-7.88.1/debian/patches/series 2023-12-10 06:07:30.000000000 +0000 +++ curl-7.88.1/debian/patches/series 2024-04-02 23:02:10.000000000 +0000 @@ -7,6 +7,7 @@ Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch fix-unix-domain-socket.patch +openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch # CVE fixes. # Patches from 8.0.1. @@ -39,6 +40,10 @@ CVE-2023-46218.patch CVE-2023-46219.patch +# Patches from 8.7.1. +CVE-2024-2004.patch +CVE-2024-2398.patch + # Do not add patches below. # Used to generate packages for the other crypto libraries. 90_gnutls.patch