cmake: Fixes for CVE-2022-43552, CVE-2023-27536, CVE-2023-27535, CVE-…

…2023-27538, CVE-2023-23916 and CVE-2023-46218 (#11043)

Co-authored-by: Sharath Srikanth Chellappa <[email protected]>
Co-authored-by: Andrew Phelps <[email protected]>
Co-authored-by: jslobodzian <[email protected]>
(cherry picked from commit ecd289e)

SPECS/cmake/CVE-2022-43552.patch

@@ -0,0 +1,74 @@
+From 6967f3bebe94e6878500dea358438e8ac95baf47 Mon Sep 17 00:00:00 2001
+From: Sharath Srikanth Chellappa <[email protected]>
+Date: Tue, 12 Nov 2024 17:05:45 -0800
+Subject: [PATCH] Patch for CVE-2022-43552
+
+Upstream patch: https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2.patch
+
+---
+ Utilities/cmcurl/lib/smb.c    | 14 ++------------
+ Utilities/cmcurl/lib/telnet.c |  3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/smb.c b/Utilities/cmcurl/lib/smb.c
+index 39facb267d..eb4ef15be0 100644
+--- a/Utilities/cmcurl/lib/smb.c
++++ b/Utilities/cmcurl/lib/smb.c
+@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
+ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
+ static CURLcode smb_do(struct Curl_easy *data, bool *done);
+ static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature);
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead);
+ static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
+@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = {
+   "SMB",                                /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = {
+   "SMBS",                               /* scheme */
+   smb_setup_connection,                 /* setup_connection */
+   smb_do,                               /* do_it */
+-  smb_done,                             /* done */
++  ZERO_NULL,                            /* done */
+   ZERO_NULL,                            /* do_more */
+   smb_connect,                          /* connect_it */
+   smb_connection_state,                 /* connecting */
+@@ -940,14 +938,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
+   return CURLE_OK;
+ }
+
+-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
+-                         bool premature)
+-{
+-  (void) premature;
+-  Curl_safefree(data->req.p.smb);
+-  return status;
+-}
+-
+ static CURLcode smb_disconnect(struct Curl_easy *data,
+                                struct connectdata *conn, bool dead)
+ {
+diff --git a/Utilities/cmcurl/lib/telnet.c b/Utilities/cmcurl/lib/telnet.c
+index fdd137fb0c..96c89096e5 100644
+--- a/Utilities/cmcurl/lib/telnet.c
++++ b/Utilities/cmcurl/lib/telnet.c
+@@ -1243,9 +1243,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
+
+   curl_slist_free_all(tn->telnet_vars);
+   tn->telnet_vars = NULL;
+-
+-  Curl_safefree(data->req.p.telnet);
+-
+   return CURLE_OK;
+ }
+
+--
+2.45.2

SPECS/cmake/CVE-2023-23916.patch

@@ -0,0 +1,52 @@
+From bd3423bcd2c427ee591b9c8772206af7574a3e80 Mon Sep 17 00:00:00 2001
+From: Sharath Srikanth Chellappa <[email protected]>
+Date: Thu, 14 Nov 2024 15:45:07 -0800
+Subject: [PATCH] Patch for CVE-2023-23916
+
+Upstream patch: https://github.com/curl/curl/commit/119fb187192a9ea13dc
+
+---
+ Utilities/cmcurl/lib/content_encoding.c | 8 ++++++++
+ Utilities/cmcurl/lib/urldata.h          | 1 +
+ 2 files changed, 9 insertions(+)
+
+diff --git a/Utilities/cmcurl/lib/content_encoding.c b/Utilities/cmcurl/lib/content_encoding.c
+index a84ff543b9..c870df2dd4 100644
+--- a/Utilities/cmcurl/lib/content_encoding.c
++++ b/Utilities/cmcurl/lib/content_encoding.c
+@@ -1025,6 +1025,9 @@ static const struct content_encoding *find_encoding(const char *name,
+   return NULL;
+ }
+
++/* allow no more than 5 "chained" compression steps */
++#define MAX_ENCODE_STACK 5
++
+ /* Set-up the unencoding stack from the Content-Encoding header value.
+  * See RFC 7231 section 3.1.2.2. */
+ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+@@ -1065,6 +1068,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+       if(!encoding)
+         encoding = &error_encoding;  /* Defer error at stack use. */
+
++      if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
++        failf(data, "Reject response due to more than %u content encodings",
++              MAX_ENCODE_STACK);
++        return CURLE_BAD_CONTENT_ENCODING;
++      }
+       /* Stack the unencoding stage. */
+       writer = new_unencoding_writer(data, encoding, k->writer_stack);
+       if(!writer)
+diff --git a/Utilities/cmcurl/lib/urldata.h b/Utilities/cmcurl/lib/urldata.h
+index ef3a58e55a..3505962f45 100644
+--- a/Utilities/cmcurl/lib/urldata.h
++++ b/Utilities/cmcurl/lib/urldata.h
+@@ -702,6 +702,7 @@ struct SingleRequest {
+ #ifndef CURL_DISABLE_DOH
+   struct dohdata *doh; /* DoH specific data for this request */
+ #endif
++  unsigned char writer_stack_depth; /* Unencoding stack depth. */
+   BIT(header);       /* incoming data has HTTP header */
+   BIT(content_range); /* set TRUE if Content-Range: was found */
+   BIT(upload_done);  /* set to TRUE when doing chunked transfer-encoding
+-- 
+2.45.2

SPECS/cmake/CVE-2023-27535.patch

@@ -0,0 +1,208 @@
+From f1c9ae1e195f93a5d46434b067d17a60867d0f6a Mon Sep 17 00:00:00 2001
+From: Sharath Srikanth Chellappa <[email protected]>
+Date: Wed, 13 Nov 2024 14:18:44 -0800
+Subject: [PATCH] Patch for CVE-2023-27535
+
+Upstream patch: https://github.com/curl/curl/commit/8f4608468b890dc
+
+---
+ Utilities/cmcurl/lib/ftp.c     | 29 +++++++++++++++++++++++++++--
+ Utilities/cmcurl/lib/ftp.h     |  5 +++++
+ Utilities/cmcurl/lib/setopt.c  |  1 +
+ Utilities/cmcurl/lib/strcase.c | 22 ++++++++++++++++++++++
+ Utilities/cmcurl/lib/strcase.h |  2 ++
+ Utilities/cmcurl/lib/url.c     | 16 +++++++++++++++-
+ Utilities/cmcurl/lib/urldata.h |  4 ++--
+ 7 files changed, 74 insertions(+), 5 deletions(-)
+
+diff --git a/Utilities/cmcurl/lib/ftp.c b/Utilities/cmcurl/lib/ftp.c
+index 425b0afec6..776a65f956 100644
+--- a/Utilities/cmcurl/lib/ftp.c
++++ b/Utilities/cmcurl/lib/ftp.c
+@@ -4084,6 +4084,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data,
+   }
+
+   freedirs(ftpc);
++  Curl_safefree(ftpc->account);
++  Curl_safefree(ftpc->alternative_to_user);
+   Curl_safefree(ftpc->prevpath);
+   Curl_safefree(ftpc->server_os);
+   Curl_pp_disconnect(pp);
+@@ -4344,11 +4346,32 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+ {
+   char *type;
+   struct FTP *ftp;
++  CURLcode result = CURLE_OK;
++  struct ftp_conn *ftpc = &conn->proto.ftpc;
+
+-  data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1);
++  ftp = calloc(sizeof(struct FTP), 1);
+   if(NULL == ftp)
+     return CURLE_OUT_OF_MEMORY;
+
++  /* clone connection related data that is FTP specific */
++  if(data->set.str[STRING_FTP_ACCOUNT]) {
++    ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
++    if(!ftpc->account) {
++      free(ftp);
++      return CURLE_OUT_OF_MEMORY;
++    }
++  }
++  if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
++    ftpc->alternative_to_user =
++      strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
++    if(!ftpc->alternative_to_user) {
++      Curl_safefree(ftpc->account);
++      free(ftp);
++      return CURLE_OUT_OF_MEMORY;
++    }
++  }
++  data->req.p.ftp = ftp;
++
+   ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
+
+   /* FTP URLs support an extension like ";type=<typecode>" that
+@@ -4383,7 +4406,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
+   /* get some initial data into the ftp struct */
+   ftp->transfer = PPTRANSFER_BODY;
+   ftp->downloadsize = 0;
+-  conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
++  ftpc->known_filesize = -1; /* unknown size for now */
++  ftpc->use_ssl = data->set.use_ssl;
++  ftpc->ccc = data->set.ftp_ccc;
+
+   return CURLE_OK;
+ }
+diff --git a/Utilities/cmcurl/lib/ftp.h b/Utilities/cmcurl/lib/ftp.h
+index 1cfdac0851..afca25b469 100644
+--- a/Utilities/cmcurl/lib/ftp.h
++++ b/Utilities/cmcurl/lib/ftp.h
+@@ -115,6 +115,8 @@ struct FTP {
+    struct */
+ struct ftp_conn {
+   struct pingpong pp;
++  char *account;
++  char *alternative_to_user;
+   char *entrypath; /* the PWD reply when we logged on */
+   char *file;    /* url-decoded file name (or path) */
+   char **dirs;   /* realloc()ed array for path components */
+@@ -144,6 +146,9 @@ struct ftp_conn {
+   ftpstate state; /* always use ftp.c:state() to change state! */
+   ftpstate state_saved; /* transfer type saved to be reloaded after
+                            data connection is established */
++  unsigned char use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
++                              IMAP or POP3 or others! (type: curl_usessl)*/
++  unsigned char ccc;       /* ccc level for this connection */
+   curl_off_t retr_size_saved; /* Size of retrieved file saved */
+   char *server_os;     /* The target server operating system. */
+   curl_off_t known_filesize; /* file size is different from -1, if wildcard
+diff --git a/Utilities/cmcurl/lib/setopt.c b/Utilities/cmcurl/lib/setopt.c
+index fb8b86d474..10c6872bb3 100644
+--- a/Utilities/cmcurl/lib/setopt.c
++++ b/Utilities/cmcurl/lib/setopt.c
+@@ -2307,6 +2307,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST))
+       return CURLE_BAD_FUNCTION_ARGUMENT;
+     data->set.use_ssl = (curl_usessl)arg;
++    data->set.use_ssl = (unsigned char)arg;
+     break;
+
+   case CURLOPT_SSL_OPTIONS:
+diff --git a/Utilities/cmcurl/lib/strcase.c b/Utilities/cmcurl/lib/strcase.c
+index 955e3c79ea..29cc539cdf 100644
+--- a/Utilities/cmcurl/lib/strcase.c
++++ b/Utilities/cmcurl/lib/strcase.c
+@@ -251,6 +251,28 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
+   } while(*src++ && --n);
+ }
+
++/*
++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
++ * function spends is a function of the shortest string, not of the contents.
++ */
++int Curl_timestrcmp(const char *a, const char *b)
++{
++  int match = 0;
++  int i = 0;
++
++  if(a && b) {
++    while(1) {
++      match |= a[i]^b[i];
++      if(!a[i] || !b[i])
++        break;
++      i++;
++    }
++  }
++  else
++    return a || b;
++  return match;
++}
++
+ /* --- public functions --- */
+
+ int curl_strequal(const char *first, const char *second)
+diff --git a/Utilities/cmcurl/lib/strcase.h b/Utilities/cmcurl/lib/strcase.h
+index 10dc698817..6fdb32ed08 100644
+--- a/Utilities/cmcurl/lib/strcase.h
++++ b/Utilities/cmcurl/lib/strcase.h
+@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+
++int Curl_timestrcmp(const char *first, const char *second);
++
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c
+index ca40322504..e00c56300b 100644
+--- a/Utilities/cmcurl/lib/url.c
++++ b/Utilities/cmcurl/lib/url.c
+@@ -1334,10 +1334,24 @@ ConnectionExists(struct Curl_easy *data,
+          (data->state.httpwant < CURL_HTTP_VERSION_2_0))
+         continue;
+
+-      if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
++#ifdef USE_SSH
++      else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
+         if(!ssh_config_matches(needle, check))
+           continue;
+       }
++#endif
++#ifndef CURL_DISABLE_FTP
++      else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) {
++        /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
++        if(Curl_timestrcmp(needle->proto.ftpc.account,
++                           check->proto.ftpc.account) ||
++           Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
++                           check->proto.ftpc.alternative_to_user) ||
++           (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
++           (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
++          continue;
++      }
++#endif
+
+       if((needle->handler->flags&PROTOPT_SSL)
+ #ifndef CURL_DISABLE_PROXY
+diff --git a/Utilities/cmcurl/lib/urldata.h b/Utilities/cmcurl/lib/urldata.h
+index 365b6821b1..ef3a58e55a 100644
+--- a/Utilities/cmcurl/lib/urldata.h
++++ b/Utilities/cmcurl/lib/urldata.h
+@@ -1729,8 +1729,6 @@ struct UserDefined {
+   void *ssh_keyfunc_userp;         /* custom pointer to callback */
+   enum CURL_NETRC_OPTION
+        use_netrc;        /* defined in include/curl.h */
+-  curl_usessl use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
+-                            IMAP or POP3 or others! */
+   long new_file_perms;    /* Permissions to use when creating remote files */
+   long new_directory_perms; /* Permissions to use when creating remote dirs */
+   long ssh_auth_types;   /* allowed SSH auth types */
+@@ -1773,6 +1771,8 @@ struct UserDefined {
+   CURLU *uh; /* URL handle for the current parsed URL */
+   void *trailer_data; /* pointer to pass to trailer data callback */
+   curl_trailer_callback trailer_callback; /* trailing data callback */
++  unsigned char use_ssl;   /* if AUTH TLS is to be attempted etc, for FTP or
++                              IMAP or POP3 or others! (type: curl_usessl)*/
+   BIT(is_fread_set); /* has read callback been set to non-NULL? */
+   BIT(is_fwrite_set); /* has write callback been set to non-NULL? */
+   BIT(free_referer); /* set TRUE if 'referer' points to a string we
+-- 
+2.45.2

SPECS/cmake/CVE-2023-27536.patch

@@ -0,0 +1,51 @@
+From f7da0416e4b6374fd336fdcf3b708a493a492969 Mon Sep 17 00:00:00 2001
+From: Sharath Srikanth Chellappa <[email protected]>
+Date: Tue, 12 Nov 2024 17:19:13 -0800
+Subject: [PATCH] Patch for CVE-2023-27536
+
+Upstream patch: https://github.com/curl/curl/commit/cb49e67303dba.patch
+
+---
+ Utilities/cmcurl/lib/url.c     | 6 ++++++
+ Utilities/cmcurl/lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c
+index 1ee38af0d5..4ab389af48 100644
+--- a/Utilities/cmcurl/lib/url.c
++++ b/Utilities/cmcurl/lib/url.c
+@@ -1322,6 +1322,11 @@ ConnectionExists(struct Curl_easy *data,
+         }
+       }
+
++      /* GSS delegation differences do not actually affect every connection
++         and auth method, but this check takes precaution before efficiency */
++      if(needle->gssapi_delegation != check->gssapi_delegation)
++        continue;
++
+       /* If multiplexing isn't enabled on the h2 connection and h1 is
+          explicitly requested, handle it: */
+       if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
+@@ -1766,6 +1771,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+   conn->fclosesocket = data->set.fclosesocket;
+   conn->closesocket_client = data->set.closesocket_client;
+   conn->lastused = Curl_now(); /* used now */
++  conn->gssapi_delegation = data->set.gssapi_delegation;
+
+   return conn;
+   error:
+diff --git a/Utilities/cmcurl/lib/urldata.h b/Utilities/cmcurl/lib/urldata.h
+index fb905c36c5..365b6821b1 100644
+--- a/Utilities/cmcurl/lib/urldata.h
++++ b/Utilities/cmcurl/lib/urldata.h
+@@ -1120,6 +1120,7 @@ struct connectdata {
+   int socks5_gssapi_enctype;
+ #endif
+   unsigned short localport;
++  unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
+ };
+
+ /* The end of connectdata. */
+--
+2.45.2
+