From 11d9c9173f89991b0b773a7de8f0475de68b6fef Mon Sep 17 00:00:00 2001 From: Karen Arutyunov Date: Thu, 12 Oct 2023 20:29:02 +0300 Subject: Upgrade to 8.4.0 That in particular fixes CVE-2023-38545 CVE-2023-38546. --- curl/.gitignore | 1 + curl/README-DEV | 9 +- curl/curl/base64.c | 1 + curl/curl/buildfile | 2 +- curl/curl/tool_main.c | 39 +++--- curl/curl/tool_main.c.orig | 290 ++++++++++++++++++++++++++++++++++++++++++++ curl/curl/tool_main.c.patch | 16 +-- curl/manifest | 2 +- 8 files changed, 324 insertions(+), 36 deletions(-) create mode 120000 curl/curl/base64.c create mode 100644 curl/curl/tool_main.c.orig (limited to 'curl') diff --git a/curl/.gitignore b/curl/.gitignore index 3dcc22f..d4a1da2 100644 --- a/curl/.gitignore +++ b/curl/.gitignore @@ -13,6 +13,7 @@ *.ifc *.so *.so.* +*.dylib *.dll *.a *.lib diff --git a/curl/README-DEV b/curl/README-DEV index 760e273..fa202e4 100644 --- a/curl/README-DEV +++ b/curl/README-DEV @@ -5,11 +5,16 @@ understanding will be useful when upgrading to a new upstream version. See Symlink the required upstream directories into curl/: $ ln -s ../../upstream/{src,lib} curl -$ ln -s lib/{strtoofft,nonblock,warnless,dynbuf,version_win32,curl_multibyte}.c curl +$ ln -s lib/{strtoofft,nonblock,warnless,dynbuf,version_win32,curl_multibyte,base64}.c curl $ ln -s ../../libcurl/libcurl/curl_config.h curl Patch curl to use CA certificate bundle provided by the libca-certificates-curl package by default: +$ cp curl/src/tool_main.c curl/tool_main.c.orig $ cp curl/src/tool_main.c curl -$ patch -p0 curl/tool_main.c.patch diff --git a/curl/curl/base64.c b/curl/curl/base64.c new file mode 120000 index 0000000..6a380e3 --- /dev/null +++ b/curl/curl/base64.c @@ -0,0 +1 @@ +lib/base64.c \ No newline at end of file diff --git a/curl/curl/buildfile b/curl/curl/buildfile index 9780540..cdd8f9f 100644 --- a/curl/curl/buildfile +++ b/curl/curl/buildfile @@ -11,7 +11,7 @@ tsys = $c.target.system # Build options. # -c.poptions += -DHAVE_CONFIG_H +c.poptions += -DBUILDING_CURL -DHAVE_CONFIG_H switch $tclass, $tsys { diff --git a/curl/curl/tool_main.c b/curl/curl/tool_main.c index 0eb4e6d..494ec02 100644 --- a/curl/curl/tool_main.c +++ b/curl/curl/tool_main.c @@ -29,19 +29,12 @@ #include #endif -#ifdef HAVE_SIGNAL_H #include -#endif #ifdef HAVE_FCNTL_H #include #endif -#ifdef USE_NSS -#include -#include -#endif - #include /* setenv(), _putenv() */ #include @@ -57,6 +50,7 @@ #include "tool_vms.h" #include "tool_main.h" #include "tool_libinfo.h" +#include "tool_stderr.h" /* * This is low-level hard-hacking memory leak tracking and similar. Using @@ -81,6 +75,7 @@ int vms_show = 0; * when command-line argument globbing is enabled under the MSYS shell, so turn * it off. */ +extern int _CRT_glob; int _CRT_glob = 0; #endif /* __MINGW32__ */ @@ -195,7 +190,6 @@ static CURLcode main_init(struct GlobalConfig *config) /* Initialise the global config */ config->showerror = FALSE; /* show errors when silent */ - config->errors = stderr; /* Default errors to stderr */ config->styled_output = TRUE; /* enable detection */ config->parallel_max = PARALLEL_DEFAULT; @@ -214,17 +208,17 @@ static CURLcode main_init(struct GlobalConfig *config) config->first->global = config; } else { - errorf(config, "error retrieving curl library information\n"); + errorf(config, "error retrieving curl library information"); free(config->first); } } else { - errorf(config, "error initializing curl library\n"); + errorf(config, "error initializing curl library"); free(config->first); } } else { - errorf(config, "error initializing curl\n"); + errorf(config, "error initializing curl"); result = CURLE_FAILED_INIT; } @@ -235,10 +229,6 @@ static void free_globalconfig(struct GlobalConfig *config) { Curl_safefree(config->trace_dump); - if(config->errors_fopened && config->errors) - fclose(config->errors); - config->errors = NULL; - if(config->trace_fopened && config->trace_stream) fclose(config->trace_stream); config->trace_stream = NULL; @@ -255,14 +245,6 @@ static void main_free(struct GlobalConfig *config) /* Cleanup the easy handle */ /* Main cleanup */ curl_global_cleanup(); -#ifdef USE_NSS - if(PR_Initialized()) { - /* prevent valgrind from reporting still reachable mem from NSPR arenas */ - PL_ArenaFinish(); - /* prevent valgrind from reporting possibly lost memory (fd cache, ...) */ - PR_Cleanup(); - } -#endif free_globalconfig(config); /* Free the config structures */ @@ -275,6 +257,11 @@ static void main_free(struct GlobalConfig *config) ** curl tool main function. */ #ifdef _UNICODE +#if defined(__GNUC__) +/* GCC doesn't know about wmain() */ +#pragma GCC diagnostic ignored "-Wmissing-prototypes" +#pragma GCC diagnostic ignored "-Wmissing-declarations" +#endif int wmain(int argc, wchar_t *argv[]) #else int main(int argc, char *argv[]) @@ -284,6 +271,8 @@ int main(int argc, char *argv[]) struct GlobalConfig global; memset(&global, 0, sizeof(global)); + tool_init_stderr(); + #ifdef WIN32 /* Undocumented diagnostic option to list the full paths of all loaded modules. This is purposely pre-init. */ @@ -297,13 +286,13 @@ int main(int argc, char *argv[]) /* win32_init must be called before other init routines. */ result = win32_init(); if(result) { - fprintf(stderr, "curl: (%d) Windows-specific init failed.\n", result); + errorf(&global, "(%d) Windows-specific init failed", result); return result; } #endif if(main_checkfds()) { - fprintf(stderr, "curl: out of file descriptors\n"); + errorf(&global, "out of file descriptors"); return CURLE_FAILED_INIT; } diff --git a/curl/curl/tool_main.c.orig b/curl/curl/tool_main.c.orig new file mode 100644 index 0000000..2f132e2 --- /dev/null +++ b/curl/curl/tool_main.c.orig @@ -0,0 +1,290 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ +#include "tool_setup.h" + +#include + +#ifdef WIN32 +#include +#endif + +#include + +#ifdef HAVE_FCNTL_H +#include +#endif + +#define ENABLE_CURLX_PRINTF +/* use our own printf() functions */ +#include "curlx.h" + +#include "tool_cfgable.h" +#include "tool_doswin.h" +#include "tool_msgs.h" +#include "tool_operate.h" +#include "tool_vms.h" +#include "tool_main.h" +#include "tool_libinfo.h" +#include "tool_stderr.h" + +/* + * This is low-level hard-hacking memory leak tracking and similar. Using + * the library level code from this client-side is ugly, but we do this + * anyway for convenience. + */ +#include "memdebug.h" /* keep this as LAST include */ + +#ifdef __VMS +/* + * vms_show is a global variable, used in main() as parameter for + * function vms_special_exit() to allow proper curl tool exiting. + * Its value may be set in other tool_*.c source files thanks to + * forward declaration present in tool_vms.h + */ +int vms_show = 0; +#endif + +#ifdef __MINGW32__ +/* + * There seems to be no way to escape "*" in command-line arguments with MinGW + * when command-line argument globbing is enabled under the MSYS shell, so turn + * it off. + */ +extern int _CRT_glob; +int _CRT_glob = 0; +#endif /* __MINGW32__ */ + +/* if we build a static library for unit tests, there is no main() function */ +#ifndef UNITTESTS + +#if defined(HAVE_PIPE) && defined(HAVE_FCNTL) +/* + * Ensure that file descriptors 0, 1 and 2 (stdin, stdout, stderr) are + * open before starting to run. Otherwise, the first three network + * sockets opened by curl could be used for input sources, downloaded data + * or error logs as they will effectively be stdin, stdout and/or stderr. + * + * fcntl's F_GETFD instruction returns -1 if the file descriptor is closed, + * otherwise it returns "the file descriptor flags (which typically can only + * be FD_CLOEXEC, which is not set here). + */ +static int main_checkfds(void) +{ + int fd[2]; + while((fcntl(STDIN_FILENO, F_GETFD) == -1) || + (fcntl(STDOUT_FILENO, F_GETFD) == -1) || + (fcntl(STDERR_FILENO, F_GETFD) == -1)) + if(pipe(fd)) + return 1; + return 0; +} +#else +#define main_checkfds() 0 +#endif + +#ifdef CURLDEBUG +static void memory_tracking_init(void) +{ + char *env; + /* if CURL_MEMDEBUG is set, this starts memory tracking message logging */ + env = curlx_getenv("CURL_MEMDEBUG"); + if(env) { + /* use the value as file name */ + char fname[CURL_MT_LOGFNAME_BUFSIZE]; + if(strlen(env) >= CURL_MT_LOGFNAME_BUFSIZE) + env[CURL_MT_LOGFNAME_BUFSIZE-1] = '\0'; + strcpy(fname, env); + curl_free(env); + curl_dbg_memdebug(fname); + /* this weird stuff here is to make curl_free() get called before + curl_dbg_memdebug() as otherwise memory tracking will log a free() + without an alloc! */ + } + /* if CURL_MEMLIMIT is set, this enables fail-on-alloc-number-N feature */ + env = curlx_getenv("CURL_MEMLIMIT"); + if(env) { + char *endptr; + long num = strtol(env, &endptr, 10); + if((endptr != env) && (endptr == env + strlen(env)) && (num > 0)) + curl_dbg_memlimit(num); + curl_free(env); + } +} +#else +# define memory_tracking_init() Curl_nop_stmt +#endif + +/* + * This is the main global constructor for the app. Call this before + * _any_ libcurl usage. If this fails, *NO* libcurl functions may be + * used, or havoc may be the result. + */ +static CURLcode main_init(struct GlobalConfig *config) +{ + CURLcode result = CURLE_OK; + +#if defined(__DJGPP__) || defined(__GO32__) + /* stop stat() wasting time */ + _djstat_flags |= _STAT_INODE | _STAT_EXEC_MAGIC | _STAT_DIRSIZE; +#endif + + /* Initialise the global config */ + config->showerror = FALSE; /* show errors when silent */ + config->styled_output = TRUE; /* enable detection */ + config->parallel_max = PARALLEL_DEFAULT; + + /* Allocate the initial operate config */ + config->first = config->last = malloc(sizeof(struct OperationConfig)); + if(config->first) { + /* Perform the libcurl initialization */ + result = curl_global_init(CURL_GLOBAL_DEFAULT); + if(!result) { + /* Get information about libcurl */ + result = get_libcurl_info(); + + if(!result) { + /* Initialise the config */ + config_init(config->first); + config->first->global = config; + } + else { + errorf(config, "error retrieving curl library information"); + free(config->first); + } + } + else { + errorf(config, "error initializing curl library"); + free(config->first); + } + } + else { + errorf(config, "error initializing curl"); + result = CURLE_FAILED_INIT; + } + + return result; +} + +static void free_globalconfig(struct GlobalConfig *config) +{ + Curl_safefree(config->trace_dump); + + if(config->trace_fopened && config->trace_stream) + fclose(config->trace_stream); + config->trace_stream = NULL; + + Curl_safefree(config->libcurl); +} + +/* + * This is the main global destructor for the app. Call this after + * _all_ libcurl usage is done. + */ +static void main_free(struct GlobalConfig *config) +{ + /* Cleanup the easy handle */ + /* Main cleanup */ + curl_global_cleanup(); + free_globalconfig(config); + + /* Free the config structures */ + config_free(config->last); + config->first = NULL; + config->last = NULL; +} + +/* +** curl tool main function. +*/ +#ifdef _UNICODE +#if defined(__GNUC__) +/* GCC doesn't know about wmain() */ +#pragma GCC diagnostic ignored "-Wmissing-prototypes" +#pragma GCC diagnostic ignored "-Wmissing-declarations" +#endif +int wmain(int argc, wchar_t *argv[]) +#else +int main(int argc, char *argv[]) +#endif +{ + CURLcode result = CURLE_OK; + struct GlobalConfig global; + memset(&global, 0, sizeof(global)); + + tool_init_stderr(); + +#ifdef WIN32 + /* Undocumented diagnostic option to list the full paths of all loaded + modules. This is purposely pre-init. */ + if(argc == 2 && !_tcscmp(argv[1], _T("--dump-module-paths"))) { + struct curl_slist *item, *head = GetLoadedModulePaths(); + for(item = head; item; item = item->next) + printf("%s\n", item->data); + curl_slist_free_all(head); + return head ? 0 : 1; + } + /* win32_init must be called before other init routines. */ + result = win32_init(); + if(result) { + errorf(&global, "(%d) Windows-specific init failed", result); + return result; + } +#endif + + if(main_checkfds()) { + errorf(&global, "out of file descriptors"); + return CURLE_FAILED_INIT; + } + +#if defined(HAVE_SIGNAL) && defined(SIGPIPE) + (void)signal(SIGPIPE, SIG_IGN); +#endif + + /* Initialize memory tracking */ + memory_tracking_init(); + + /* Initialize the curl library - do not call any libcurl functions before + this point */ + result = main_init(&global); + if(!result) { + /* Start our curl operation */ + result = operate(&global, argc, argv); + + /* Perform the main cleanup */ + main_free(&global); + } + +#ifdef WIN32 + /* Flush buffers of all streams opened in write or update mode */ + fflush(NULL); +#endif + +#ifdef __VMS + vms_special_exit(result, vms_show); +#else + return (int)result; +#endif +} + +#endif /* ndef UNITTESTS */ diff --git a/curl/curl/tool_main.c.patch b/curl/curl/tool_main.c.patch index cae1787..b344940 100644 --- a/curl/curl/tool_main.c.patch +++ b/curl/curl/tool_main.c.patch @@ -1,9 +1,11 @@ ---- curl/src/tool_main.c 2020-01-18 23:47:34.559751631 +0300 -+++ curl/tool_main.c 2020-01-20 16:07:17.183814044 +0300 -@@ -32,6 +32,10 @@ - #include +diff --git a/curl/curl/tool_main.c b/curl/curl/tool_main.c +index 2f132e2..494ec02 100644 +--- a/curl/curl/tool_main.c ++++ b/curl/curl/tool_main.c +@@ -35,6 +35,10 @@ + #include #endif - + +#include /* setenv(), _putenv() */ + +#include @@ -11,7 +13,7 @@ #define ENABLE_CURLX_PRINTF /* use our own printf() functions */ #include "curlx.h" -@@ -138,6 +142,41 @@ static void memory_tracking_init(void) +@@ -142,6 +146,41 @@ static void memory_tracking_init(void) */ static CURLcode main_init(struct GlobalConfig *config) { @@ -51,5 +53,5 @@ + return CURLE_FAILED_INIT; + CURLcode result = CURLE_OK; - + #if defined(__DJGPP__) || defined(__GO32__) diff --git a/curl/manifest b/curl/manifest index 80cbfe4..009133d 100644 --- a/curl/manifest +++ b/curl/manifest @@ -1,6 +1,6 @@ : 1 name: curl -version: 7.88.1 +version: 8.4.0-a.0.z priority: security summary: Command line tool for transferring data with URLs license: curl ; MIT/X derivate license. -- cgit v1.1