Version in base suite: 7.74.0-1.3+deb11u3 Base version: curl_7.74.0-1.3+deb11u3 Target version: curl_7.74.0-1.3+deb11u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/curl/curl_7.74.0-1.3+deb11u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/curl/curl_7.74.0-1.3+deb11u4.dsc changelog | 29 ++++++++++++++++++ patches/CVE-2021-22946.patch | 63 ++++++++++++++++++--------------------- patches/CVE-2022-32221.patch | 21 +++++++++++++ patches/CVE-2022-43552.patch | 69 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 + 5 files changed, 151 insertions(+), 33 deletions(-)
diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog
--- curl-7.74.0/debian/changelog 2022-09-03 10:26:12.000000000 +0000
+++ curl-7.74.0/debian/changelog 2022-12-27 00:05:50.000000000 +0000
@@ -1,3 +1,32 @@
+curl (7.74.0-1.3+deb11u4) bullseye-security; urgency=high
+
+ * Fix backport of patch for CVE-2021-22946, which was passing a wrong first
+ argument to ftp_state_user_resp, this was likely causing a regression when
+ using ftp.
+ * Backport two patches from upstream to solve 2 CVEs:
+ CVE-2022-32221.patch, CVE-2022-43552.patch.
+ - CVE-2022-32221
+ POST following PUT confusion When doing HTTP(S) transfers, libcurl might
+ erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data
+ to send, even when the CURLOPT_POSTFIELDS option has been set, if the
+ same handle previously was used to issue a PUT request which used that
+ callback.
+ .
+ This flaw may surprise the application and cause it to misbehave and
+ either send off the wrong data or use memory after free or similar in the
+ subsequent POST request.
+ - CVE-2022-43552
+ HTTP Proxy deny use-after-free curl can be asked to tunnel virtually all
+ protocols it supports through an HTTP proxy. HTTP proxies can (and often
+ do) deny such tunnel operations using an appropriate HTTP error response
+ code.
+ .
+ When getting denied to tunnel the specific protocols SMB or TELNET, curl
+ would use a heap-allocated struct after it had been freed, in its
+ transfer shutdown code path.
+
+ -- Samuel Henrique Tue, 27 Dec 2022 00:05:50 +0000
+
 curl (7.74.0-1.3+deb11u3) bullseye; urgency=medium
 
 * cookie: reject cookies with "control bytes" (CVE-2022-35252)
diff -Nru curl-7.74.0/debian/patches/CVE-2021-22946.patch curl-7.74.0/debian/patches/CVE-2021-22946.patch
--- curl-7.74.0/debian/patches/CVE-2021-22946.patch 2022-09-03 10:26:12.000000000 +0000
+++ curl-7.74.0/debian/patches/CVE-2021-22946.patch 2022-12-27 00:05:50.000000000 +0000
@@ -16,11 +16,11 @@ create mode 100644 tests/data/test985 create mode 100644 tests/data/test986 -diff --git a/lib/ftp.c b/lib/ftp.c -index bc35574..481a07a 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -2642,9 +2642,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) +Index: curl/lib/ftp.c +=================================================================== +--- curl.orig/lib/ftp.c ++++ curl/lib/ftp.c +@@ -2642,9 +2642,12 @@ static CURLcode ftp_statemach_act(struct /* we have now received a full FTP server response */ switch(ftpc->state) { case FTP_WAIT220: @@ -31,16 +31,16 @@ + /* 230 User logged in - already! Take as 220 if TLS required. */ + if(data->set.use_ssl <= CURLUSESSL_TRY || + conn->bits.ftp_use_control_ssl) -+ return ftp_state_user_resp(data, ftpcode, ftpc->state); ++ return ftp_state_user_resp(conn, ftpcode, ftpc->state); + } else if(ftpcode != 220) { failf(data, "Got a %03d ftp-server response when 220 was expected", ftpcode); -diff --git a/lib/imap.c b/lib/imap.c -index c6dd7a2..c37da83 100644 ---- a/lib/imap.c -+++ b/lib/imap.c -@@ -919,22 +919,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn, +Index: curl/lib/imap.c +=================================================================== +--- curl.orig/lib/imap.c ++++ curl/lib/imap.c +@@ -919,22 +919,18 @@ static CURLcode imap_state_capability_re line += wordlen; } } @@ -73,11 +73,11 @@ } else result = imap_perform_authentication(conn); -diff --git a/lib/pop3.c b/lib/pop3.c -index e71860e..c90e929 100644 ---- a/lib/pop3.c -+++ b/lib/pop3.c -@@ -723,28 +723,22 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code, +Index: curl/lib/pop3.c +=================================================================== +--- curl.orig/lib/pop3.c ++++ curl/lib/pop3.c +@@ -723,28 +723,22 @@ static CURLcode pop3_state_capa_resp(str } } } 
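Review bot: The corrected call `return ftp_state_user_resp(conn, ftpcode, ftpc->state);` now passes the connection where the earlier backport passed `data`; as both are pointers, a C compiler presumably reported that only as an incompatible-pointer-types warning, which is how a wrong argument could reach a stable security upload. For a backport that crosses the upstream `conn`/`data` API split it is worth building with `-Werror=incompatible-pointer-types` (or at least grepping the build log for that warning) and adding a regression test for the accepting side of this branch, i.e. a plain FTP server answering 230 on connect without `--ssl-reqd`, which the added tests 984-986 appear to exercise only in the rejecting direction. The enclosing `ftp_statemach_act()` starts and ends outside this hunk.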
@@ -120,11 +120,11 @@ } return result; -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index aac8bc7..df3485a 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ +Index: curl/tests/data/Makefile.inc +=================================================================== +--- curl.orig/tests/data/Makefile.inc ++++ curl/tests/data/Makefile.inc +@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test954 test955 test956 test957 test958 test959 test960 test961 test962 \ test963 test964 test965 test966 test967 test968 test969 test970 test971 \ \ @@ -133,11 +133,10 @@ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ -diff --git a/tests/data/test984 b/tests/data/test984 -new file mode 100644 -index 0000000..e573f23 +Index: curl/tests/data/test984 +=================================================================== --- /dev/null -+++ b/tests/data/test984 ++++ curl/tests/data/test984 @@ -0,0 +1,56 @@ + + @@ -195,11 +194,10 @@ + + + -diff --git a/tests/data/test985 b/tests/data/test985 -new file mode 100644 -index 0000000..d0db4aa +Index: curl/tests/data/test985 +=================================================================== --- /dev/null -+++ b/tests/data/test985 ++++ curl/tests/data/test985 @@ -0,0 +1,54 @@ + + @@ -255,11 +253,10 @@ + + + -diff --git a/tests/data/test986 b/tests/data/test986 -new file mode 100644 -index 0000000..a709437 +Index: curl/tests/data/test986 +=================================================================== --- /dev/null -+++ b/tests/data/test986 ++++ curl/tests/data/test986 
@@ -0,0 +1,53 @@ + +
diff -Nru curl-7.74.0/debian/patches/CVE-2022-32221.patch curl-7.74.0/debian/patches/CVE-2022-32221.patch
--- curl-7.74.0/debian/patches/CVE-2022-32221.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.74.0/debian/patches/CVE-2022-32221.patch 2022-12-27 00:05:50.000000000 +0000
@@ -0,0 +1,21 @@
+From: Samuel Henrique
+Date: Tue, 27 Dec 2022 00:05:50 +0000
+Subject: setopt: when POST is set, reset the 'upload' field (CVE-2022-32221)
+
+Origin: https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: curl/lib/setopt.c
+===================================================================
+--- curl.orig/lib/setopt.c
++++ curl/lib/setopt.c
+@@ -626,6 +626,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+ }
+ else
+ data->set.method = HTTPREQ_GET;
++ data->set.upload = FALSE;
+ break;
+
+ case CURLOPT_HTTPPOST:
diff -Nru curl-7.74.0/debian/patches/CVE-2022-43552.patch curl-7.74.0/debian/patches/CVE-2022-43552.patch
--- curl-7.74.0/debian/patches/CVE-2022-43552.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.74.0/debian/patches/CVE-2022-43552.patch 2022-12-27 00:05:50.000000000 +0000
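Review bot: The `data->set.upload = FALSE;` reset lives only under `case CURLOPT_POST`, yet the changelog describes the bug in terms of `CURLOPT_POSTFIELDS`; an application that sets only `CURLOPT_POSTFIELDS` (whose branch, like the `CURLOPT_HTTPPOST` case visible at the end of the hunk, presumably selects the POST method as well) on a handle previously used for a `CURLOPT_UPLOAD` transfer would still carry `upload` into the next request if those branches do not clear it. Please confirm against upstream a64e3e59 that this one line is the complete change for this tree, or extend the reset to the other POST-selecting cases. A why-comment would also protect the next backport: `/* a PUT done earlier on this handle must not turn this POST into an upload (CVE-2022-32221) */`. `Curl_vsetopt()` starts and ends outside this hunk.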
@@ -0,0 +1,69 @@
+From: Samuel Henrique
+Date: Tue, 27 Dec 2022 00:05:50 +0000
+Subject: smb/telnet: do not free the protocol struct in *_done() (CVE-2022-43552)
+
+Origin: https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2
+---
+ lib/smb.c | 14 ++------------
+ lib/telnet.c | 3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+Index: curl/lib/smb.c
+===================================================================
+--- curl.orig/lib/smb.c
++++ curl/lib/smb.c
+@@ -59,8 +59,6 @@ static CURLcode smb_connect(struct conne
+ static CURLcode smb_connection_state(struct connectdata *conn, bool *done);
+ static CURLcode smb_do(struct connectdata *conn, bool *done);
+ static CURLcode smb_request_state(struct connectdata *conn, bool *done);
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature);
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead);
+ static int smb_getsock(struct connectdata *conn, curl_socket_t *socks);
+ static CURLcode smb_parse_url_path(struct connectdata *conn);
+@@ -72,7 +70,7 @@ const struct Curl_handler Curl_handler_s
+ "SMB", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -98,7 +96,7 @@ const struct Curl_handler Curl_handler_s
+ "SMBS", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -919,14 +917,6 @@ static CURLcode smb_request_state(struct
+ return CURLE_OK;
+ }
+
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature)
+-{
+- (void) premature;
+- Curl_safefree(conn->data->req.p.smb);
+- return status;
+-}
+-
+ static CURLcode smb_disconnect(struct connectdata
*conn, bool dead)
+ {
+ struct smb_conn *smbc = &conn->proto.smbc;
+Index: curl/lib/telnet.c
+===================================================================
+--- curl.orig/lib/telnet.c
++++ curl/lib/telnet.c
+@@ -1250,8 +1250,6 @@ static CURLcode telnet_done(struct conne
+ curl_slist_free_all(tn->telnet_vars);
+ tn->telnet_vars = NULL;
+
+- Curl_safefree(conn->data->req.p.telnet);
+-
+ return CURLE_OK;
+ }
+
diff -Nru curl-7.74.0/debian/patches/series curl-7.74.0/debian/patches/series
--- curl-7.74.0/debian/patches/series 2022-09-03 10:26:12.000000000 +0000
+++ curl-7.74.0/debian/patches/series 2022-12-27 00:05:50.000000000 +0000
@@ -26,6 +26,8 @@
 CVE-2022-27774.patch
 cookie-reject-cookies-with-control-bytes.patch
 test8-verify-that-ctrl-byte-cookies-are-ignored.patch
+CVE-2022-32221.patch
+CVE-2022-43552.patch
 # Always add CVE patches before these two patches
 90_gnutls.patch
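Review bot: Dropping `Curl_safefree(conn->data->req.p.smb)` from `smb_done()` and `Curl_safefree(conn->data->req.p.telnet)` from `telnet_done()` removes the second owner of that memory, but nothing in this hunk takes over the release of `req.p`; upstream presumably relies on the generic request-state cleanup (`Curl_free_request_state()` in lib/url.c, if the 7.74.0 tree's copy frees the `req.p` union), so please confirm that it does, otherwise every SMB/TELNET transfer now leaks the protocol struct instead of freeing it twice. Because `telnet_done()` still frees `tn->telnet_vars` right above the removed line, a reader will ask why `req.p.telnet` is not freed there as well; a one-line comment at that spot would record the ownership, `/* req.p.telnet is released by the generic request cleanup, not here (CVE-2022-43552) */`. `telnet_done()` begins before this hunk, and the `Curl_handler_smb`/`Curl_handler_smbs` tables it edits are only partially shown.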