diff --git a/changelog/security/2023-10-13-curl-backport.md b/changelog/security/2023-10-13-curl-backport.md new file mode 100644 index 0000000000..9ad66702d5 --- /dev/null +++ b/changelog/security/2023-10-13-curl-backport.md @@ -0,0 +1 @@ +- curl ([CVE-2023-38545](https://nvd.nist.gov/vuln/detail/CVE-2023-38545), [CVE-2023-38546](https://nvd.nist.gov/vuln/detail/CVE-2023-38546)) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/net-misc/curl/CVE-2023-38546.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/net-misc/curl/CVE-2023-38546.patch index e714a21fd4..189fc87803 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/net-misc/curl/CVE-2023-38546.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/net-misc/curl/CVE-2023-38546.patch @@ -14,11 +14,10 @@ Closes #11862 lib/easy.c | 4 +--- 3 files changed, 6 insertions(+), 24 deletions(-) -diff --git a/lib/cookie.c b/lib/cookie.c -index 4345a84c6fd9d..e39c89a94a960 100644 ---- a/lib/cookie.c -+++ b/lib/cookie.c -@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co) +diff -r -u -p curl-8.0.1/lib/cookie.c curl-8.0.1-patched/lib/cookie.c +--- curl-8.0.1/lib/cookie.c 2023-03-20 11:38:42.000000000 -0000 ++++ curl-8.0.1-patched/lib/cookie.c 2023-10-13 11:42:44.820188193 -0000 +@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co free(co->name); free(co->value); free(co->maxage); @@ -26,7 +25,7 @@ index 4345a84c6fd9d..e39c89a94a960 100644 free(co); } -@@ -718,11 +717,7 @@ Curl_cookie_add(struct Curl_easy *data, +@@ -726,11 +725,7 @@ Curl_cookie_add(struct Curl_easy *data, } } else if((nlen == 7) && strncasecompare("version", namep, 7)) { 
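Review bot: The regenerated section headers in this hunk (`diff -r -u -p curl-8.0.1/lib/cookie.c curl-8.0.1-patched/lib/cookie.c`, with local timestamps) replace the `diff --git`/`index` lines, so the blob hashes that tied each section to the upstream change are gone. The preamble kept as context (`Closes #11862`, `3 files changed, 6 insertions(+), 24 deletions(-)`) still reads like the unmodified upstream commit. The same header swap is made for lib/cookie.h and lib/easy.c further down. For a security backport it helps to record the adaptation in the patch description, for example `Backported to curl-8.0.1; hunks regenerated with diff -r -u -p, offsets differ from upstream`, and to re-check the diffstat against the new body. The patch preamble starts before this hunk, so such a line may already exist out of view.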
@@ -39,7 +38,7 @@ index 4345a84c6fd9d..e39c89a94a960 100644 } else if((nlen == 7) && strncasecompare("max-age", namep, 7)) { /* -@@ -1160,7 +1155,6 @@ Curl_cookie_add(struct Curl_easy *data, +@@ -1174,7 +1169,6 @@ Curl_cookie_add(struct Curl_easy *data, free(clist->path); free(clist->spath); free(clist->expirestr); @@ -47,7 +46,7 @@ index 4345a84c6fd9d..e39c89a94a960 100644 free(clist->maxage); *clist = *co; /* then store all the new data */ -@@ -1224,9 +1218,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, +@@ -1238,9 +1232,6 @@ struct CookieInfo *Curl_cookie_init(stru c = calloc(1, sizeof(struct CookieInfo)); if(!c) return NULL; /* failed to get memory */ @@ -57,7 +56,7 @@ index 4345a84c6fd9d..e39c89a94a960 100644 /* * Initialize the next_expiration time to signal that we don't have enough * information yet. -@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) +@@ -1394,7 +1385,6 @@ static struct Cookie *dup_cookie(struct CLONE(name); CLONE(value); CLONE(maxage); @@ -65,7 +64,7 @@ index 4345a84c6fd9d..e39c89a94a960 100644 d->expires = src->expires; d->tailmatch = src->tailmatch; d->secure = src->secure; -@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) +@@ -1611,7 +1601,6 @@ void Curl_cookie_cleanup(struct CookieIn { if(c) { unsigned int i; @@ -73,10 +72,9 @@ index 4345a84c6fd9d..e39c89a94a960 100644 for(i = 0; i < COOKIE_HASH_SIZE; i++) Curl_cookie_freelist(c->cookies[i]); free(c); /* free the base struct as well */ -diff --git a/lib/cookie.h b/lib/cookie.h -index b3c0063b2cfb2..41e9e7a6914e0 100644 ---- a/lib/cookie.h -+++ b/lib/cookie.h +diff -r -u -p curl-8.0.1/lib/cookie.h curl-8.0.1-patched/lib/cookie.h +--- curl-8.0.1/lib/cookie.h 2023-03-17 23:34:19.000000000 -0000 ++++ curl-8.0.1-patched/lib/cookie.h 2023-10-13 11:47:39.693438491 -0000 @@ -36,11 +36,7 @@ struct Cookie { char *domain; /* domain = */ curl_off_t expires; /* expires = */ 
@@ -89,16 +87,11 @@ index b3c0063b2cfb2..41e9e7a6914e0 100644 bool tailmatch; /* whether we do tail-matching of the domain name */ bool secure; /* whether the 'secure' keyword was used */ bool livecookie; /* updated from a server, not a stored file */ -@@ -56,17 +52,16 @@ struct Cookie { - #define COOKIE_PREFIX__SECURE (1<<0) - #define COOKIE_PREFIX__HOST (1<<1) - --#define COOKIE_HASH_SIZE 256 -+#define COOKIE_HASH_SIZE 63 - +@@ -61,13 +57,11 @@ struct Cookie { struct CookieInfo { /* linked list of cookies we know of */ struct Cookie *cookies[COOKIE_HASH_SIZE]; +- - char *filename; /* file we read from/write to */ - long numcookies; /* number of cookies in the "jar" */ + curl_off_t next_expiration; /* the next time at which expiration happens */ @@ -110,12 +103,11 @@ index b3c0063b2cfb2..41e9e7a6914e0 100644 - curl_off_t next_expiration; /* the next time at which expiration happens */ }; - /* The maximum sizes we accept for cookies. RFC 6265 section 6.1 says -diff --git a/lib/easy.c b/lib/easy.c -index 16bbd35251d40..03195481f9780 100644 ---- a/lib/easy.c -+++ b/lib/easy.c -@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + /* This is the maximum line length we accept for a cookie line. RFC 2109 +diff -r -u -p curl-8.0.1/lib/easy.c curl-8.0.1-patched/lib/easy.c +--- curl-8.0.1/lib/easy.c 2023-03-20 11:28:32.000000000 -0000 ++++ curl-8.0.1-patched/lib/easy.c 2023-10-13 11:42:44.824188258 -0000 +@@ -911,9 +911,7 @@ struct Curl_easy *curl_easy_duphandle(st if(data->cookies) { /* If cookies are enabled in the parent handle, we enable them in the clone as well! */
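Review bot: The cookie.h section no longer carries the `-#define COOKIE_HASH_SIZE 256` / `+#define COOKIE_HASH_SIZE 63` pair that the previous version of this patch applied, so builds from this commit keep whatever value curl-8.0.1 ships, and nothing visible here says the drop is intentional. The hash-size change looks unrelated to the struct fields this patch removes, so dropping it is presumably right. A line in the patch description such as `Backport note: COOKIE_HASH_SIZE change from the earlier revision dropped, not part of the fix` would make the deviation reviewable. The inner cookie.h hunk continues past this hunk's context, so the new `@@ -61,13 +57,11 @@` counts cannot be checked against its body from here.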