curl: Backport CVE fixes

Backport fixes for: - CVE-2022-32221 POST following PUT confusion - CVE-2022-35260 .netrc parser out-of-bounds access - CVE-2022-42915 HTTP proxy double-free - CVE-2022-42916 HSTS bypass via IDN (From OE-Core rev: 724c8b65fe307af602b6bf7e3704dfb25bc51ee9) Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Robert Joslyn <robert.joslyn@redrectangle.org> 2022-11-06 13:52:13 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-11-14 15:59:15 +0000
commit: 2ac597044a45c338beb3b4ec12612e4f69fcc9e2 (patch)
tree: 394d6637faf4330d9d9bc6d15b5aefbb8db40c9d /meta
parent: 79434a17eb4835e85fcd477baec08c8ce49a4c14 (diff)
download: poky-2ac597044a45c338beb3b4ec12612e4f69fcc9e2.tar.gz
5 files changed, 291 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
new file mode 100644
index 0000000000..03a7ac513b
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
@@ -0,0 +1,27 @@
+From dd31455d46dcf9e3a1b8bd37e671af1a6af52807 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 15 Sep 2022 09:22:45 +0200
+Subject: [PATCH] setopt: when POST is set, reset the 'upload' field
+Reported-by: RobBotic1 on github
+Fixes #9507
+Closes #9511
+Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d6]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/lib/setopt.c b/lib/setopt.c
+index d5e3b50..b8793b4 100644
+--- a/lib/setopt.c
+++ b/lib/setopt.c
+@@ -696,6 +696,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+     }
+     else
+       data->set.method = HTTPREQ_GET;
+    data->set.upload = FALSE;
+     break;
+ 
+   case CURLOPT_HTTPPOST:
diff --git a/meta/recipes-support/curl/curl/CVE-2022-35260.patch b/meta/recipes-support/curl/curl/CVE-2022-35260.patch
new file mode 100644
index 0000000000..a4aae69fd0
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-35260.patch
@@ -0,0 +1,73 @@
+From 9169e54444bdca7b5e7b44034c463fe5fc801e88 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2022 14:37:24 +0200
+Subject: [PATCH] netrc: replace fgets with Curl_get_line
+Make the parser only accept complete lines and avoid problems with
+overly long lines.
+Reported-by: Hiroki Kurosawa
+Closes #9789
+Upstream-Status: Backport [https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa86]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/curl_get_line.c | 6 +++---
+ lib/netrc.c         | 5 +++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c
+index 6a26bb2..22e3705 100644
+--- a/lib/curl_get_line.c
+++ b/lib/curl_get_line.c
+@@ -25,7 +25,7 @@
+ #include "curl_setup.h"
+ 
+ #if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) ||  \
+-  !defined(CURL_DISABLE_HSTS)
+  !defined(CURL_DISABLE_HSTS) || !defined(CURL_DISABLE_NETRC)
+ 
+ #include "curl_get_line.h"
+ #include "curl_memory.h"
+@@ -33,8 +33,8 @@
+ #include "memdebug.h"
+ 
+ /*
+- * get_line() makes sure to only return complete whole lines that fit in 'len'
+- * bytes and end with a newline.
+ * Curl_get_line() makes sure to only return complete whole lines that fit in
+ * 'len' bytes and end with a newline.
+  */
+ char *Curl_get_line(char *buf, int len, FILE *input)
+ {
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 62a6a10..5d17482 100644
+--- a/lib/netrc.c
+++ b/lib/netrc.c
+@@ -33,6 +33,7 @@
+ #include "netrc.h"
+ #include "strtok.h"
+ #include "strcase.h"
+#include "curl_get_line.h"
+ 
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -84,7 +85,7 @@ static int parsenetrc(const char *host,
+     char netrcbuffer[4096];
+     int  netrcbuffsize = (int)sizeof(netrcbuffer);
+ 
+-    while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
+    while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) {
+       char *tok;
+       char *tok_end;
+       bool quoted;
+@@ -243,7 +244,7 @@ static int parsenetrc(const char *host,
+         } /* switch (state) */
+         tok = ++tok_end;
+       }
+-    } /* while fgets() */
+    } /* while Curl_get_line() */
+ 
+     out:
+     if(!retcode) {
diff --git a/meta/recipes-support/curl/curl/CVE-2022-42915.patch b/meta/recipes-support/curl/curl/CVE-2022-42915.patch
new file mode 100644
index 0000000000..43de6e62eb
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-42915.patch
@@ -0,0 +1,53 @@
+From 3ede0e72aaad6447d2a5ab07dac43e1b9d7e617b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 14:13:36 +0200
+Subject: [PATCH] http_proxy: restore the protocol pointer on error
+Reported-by: Trail of Bits
+Closes #9790
+Upstream-Status: Backport [https://github.com/curl/curl/commit/55e1875729f9d9fc7315ce]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/http_proxy.c | 6 ++----
+ lib/url.c        | 9 ---------
+ 2 files changed, 2 insertions(+), 13 deletions(-)
+diff --git a/lib/http_proxy.c b/lib/http_proxy.c
+index 1f87f6c..cc20b3a 100644
+--- a/lib/http_proxy.c
+++ b/lib/http_proxy.c
+@@ -212,10 +212,8 @@ void Curl_connect_done(struct Curl_easy *data)
+     Curl_dyn_free(&s->rcvbuf);
+     Curl_dyn_free(&s->req);
+ 
+-    /* restore the protocol pointer, if not already done */
+-    if(s->prot_save)
+-      data->req.p.http = s->prot_save;
+-    s->prot_save = NULL;
+    /* restore the protocol pointer */
+    data->req.p.http = s->prot_save;
+     data->info.httpcode = 0; /* clear it as it might've been used for the
+                                 proxy */
+     data->req.ignorebody = FALSE;
+diff --git a/lib/url.c b/lib/url.c
+index bfc784f..61c99d2 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -746,15 +746,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn)
+   DEBUGASSERT(data);
+   infof(data, "Closing connection %ld", conn->connection_id);
+ 
+-#ifndef USE_HYPER
+-  if(conn->connect_state && conn->connect_state->prot_save) {
+-    /* If this was closed with a CONNECT in progress, cleanup this temporary
+-       struct arrangement */
+-    data->req.p.http = NULL;
+-    Curl_safefree(conn->connect_state->prot_save);
+-  }
+-#endif
+-
+   /* possible left-overs from the async name resolvers */
+   Curl_resolver_cancel(data);
+ 
diff --git a/meta/recipes-support/curl/curl/CVE-2022-42916.patch b/meta/recipes-support/curl/curl/CVE-2022-42916.patch
new file mode 100644
index 0000000000..000af69885
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-42916.patch
@@ -0,0 +1,134 @@
+From 401455229a5006bed0346fedc99791ccb53e146c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 12 Oct 2022 10:47:59 +0200
+Subject: [PATCH] url: use IDN decoded names for HSTS checks
+Reported-by: Hiroki Kurosawa
+Closes #9791
+Upstream-Status: Backport [https://github.com/curl/curl/commit/53bcf55b4538067e6]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/url.c | 91 ++++++++++++++++++++++++++++---------------------------
+ 1 file changed, 47 insertions(+), 44 deletions(-)
+diff --git a/lib/url.c b/lib/url.c
+index 61c99d2..6426fa7 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -2024,10 +2024,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+     failf(data, "Too long host name (maximum is %d)", MAX_URL_LEN);
+     return CURLE_URL_MALFORMAT;
+   }
+  hostname = data->state.up.hostname;
+
+  if(hostname && hostname[0] == '[') {
+    /* This looks like an IPv6 address literal. See if there is an address
+       scope. */
+    size_t hlen;
+    conn->bits.ipv6_ip = TRUE;
+    /* cut off the brackets! */
+    hostname++;
+    hlen = strlen(hostname);
+    hostname[hlen - 1] = 0;
+
+    zonefrom_url(uh, data, conn);
+  }
+
+  /* make sure the connect struct gets its own copy of the host name */
+  conn->host.rawalloc = strdup(hostname ? hostname : "");
+  if(!conn->host.rawalloc)
+    return CURLE_OUT_OF_MEMORY;
+  conn->host.name = conn->host.rawalloc;
+
+  /*************************************************************
+   * IDN-convert the hostnames
+   *************************************************************/
+  result = Curl_idnconvert_hostname(data, &conn->host);
+  if(result)
+    return result;
+  if(conn->bits.conn_to_host) {
+    result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
+    if(result)
+      return result;
+  }
+#ifndef CURL_DISABLE_PROXY
+  if(conn->bits.httpproxy) {
+    result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
+    if(result)
+      return result;
+  }
+  if(conn->bits.socksproxy) {
+    result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
+    if(result)
+      return result;
+  }
+#endif
+ 
+ #ifndef CURL_DISABLE_HSTS
+  /* HSTS upgrade */
+   if(data->hsts && strcasecompare("http", data->state.up.scheme)) {
+-    if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) {
+    /* This MUST use the IDN decoded name */
+    if(Curl_hsts(data->hsts, conn->host.name, TRUE)) {
+       char *url;
+       Curl_safefree(data->state.up.scheme);
+       uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0);
+@@ -2133,26 +2179,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+ 
+   (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0);
+ 
+-  hostname = data->state.up.hostname;
+-  if(hostname && hostname[0] == '[') {
+-    /* This looks like an IPv6 address literal. See if there is an address
+-       scope. */
+-    size_t hlen;
+-    conn->bits.ipv6_ip = TRUE;
+-    /* cut off the brackets! */
+-    hostname++;
+-    hlen = strlen(hostname);
+-    hostname[hlen - 1] = 0;
+-
+-    zonefrom_url(uh, data, conn);
+-  }
+-
+-  /* make sure the connect struct gets its own copy of the host name */
+-  conn->host.rawalloc = strdup(hostname ? hostname : "");
+-  if(!conn->host.rawalloc)
+-    return CURLE_OUT_OF_MEMORY;
+-  conn->host.name = conn->host.rawalloc;
+-
+ #ifdef ENABLE_IPV6
+   if(data->set.scope_id)
+     /* Override any scope that was set above.  */
+@@ -3781,29 +3807,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+   if(result)
+     goto out;
+ 
+-  /*************************************************************
+-   * IDN-convert the hostnames
+-   *************************************************************/
+-  result = Curl_idnconvert_hostname(data, &conn->host);
+-  if(result)
+-    goto out;
+-  if(conn->bits.conn_to_host) {
+-    result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
+-    if(result)
+-      goto out;
+-  }
+-#ifndef CURL_DISABLE_PROXY
+-  if(conn->bits.httpproxy) {
+-    result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
+-    if(result)
+-      goto out;
+-  }
+-  if(conn->bits.socksproxy) {
+-    result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
+-    if(result)
+-      goto out;
+-  }
+-#endif
+ 
+   /*************************************************************
+    * Check whether the host and the "connect to host" are equal.
diff --git a/meta/recipes-support/curl/curl_7.85.0.bb b/meta/recipes-support/curl/curl_7.85.0.bb
index ad6a5175bc..0386052bf4 100644
--- a/meta/recipes-support/curl/curl_7.85.0.bb
+++ b/meta/recipes-support/curl/curl_7.85.0.bb
@@ -13,6 +13,10 @@ SRC_URI = " \
    https://curl.se/download/${BP}.tar.xz \
    file://run-ptest \
    file://disable-tests \
+    file://CVE-2022-32221.patch \
+    file://CVE-2022-35260.patch \
+    file://CVE-2022-42915.patch \
+    file://CVE-2022-42916.patch \
 "
 SRC_URI[sha256sum] = "88b54a6d4b9a48cb4d873c7056dcba997ddd5b7be5a2d537a4acb55c20b04be6"
author	Robert Joslyn <robert.joslyn@redrectangle.org>	2022-11-06 13:52:13 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-11-14 15:59:15 +0000
commit	2ac597044a45c338beb3b4ec12612e4f69fcc9e2 (patch)
tree	394d6637faf4330d9d9bc6d15b5aefbb8db40c9d /meta
parent	79434a17eb4835e85fcd477baec08c8ce49a4c14 (diff)
download	poky-2ac597044a45c338beb3b4ec12612e4f69fcc9e2.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch new file mode 100644 index 0000000000..03a7ac513b --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
@@ -0,0 +1,27 @@
		1	From dd31455d46dcf9e3a1b8bd37e671af1a6af52807 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Thu, 15 Sep 2022 09:22:45 +0200
		4	Subject: [PATCH] setopt: when POST is set, reset the 'upload' field
		5
		6	Reported-by: RobBotic1 on github
		7	Fixes #9507
		8	Closes #9511
		9
		10	Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d6]
		11	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
		12	---
		13	lib/setopt.c \| 1 +
		14	1 file changed, 1 insertion(+)
		15
		16	diff --git a/lib/setopt.c b/lib/setopt.c
		17	index d5e3b50..b8793b4 100644
		18	--- a/lib/setopt.c
		19	+++ b/lib/setopt.c
		20	@@ -696,6 +696,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
		21	}
		22	else
		23	data->set.method = HTTPREQ_GET;
		24	+ data->set.upload = FALSE;
		25	break;
		26
		27	case CURLOPT_HTTPPOST:


diff --git a/meta/recipes-support/curl/curl/CVE-2022-35260.patch b/meta/recipes-support/curl/curl/CVE-2022-35260.patch new file mode 100644 index 0000000000..a4aae69fd0 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-35260.patch
@@ -0,0 +1,73 @@
		1	From 9169e54444bdca7b5e7b44034c463fe5fc801e88 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 4 Oct 2022 14:37:24 +0200
		4	Subject: [PATCH] netrc: replace fgets with Curl_get_line
		5
		6	Make the parser only accept complete lines and avoid problems with
		7	overly long lines.
		8
		9	Reported-by: Hiroki Kurosawa
		10
		11	Closes #9789
		12
		13	Upstream-Status: Backport [https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa86]
		14	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
		15	---
		16	lib/curl_get_line.c \| 6 +++---
		17	lib/netrc.c \| 5 +++--
		18	2 files changed, 6 insertions(+), 5 deletions(-)
		19
		20	diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c
		21	index 6a26bb2..22e3705 100644
		22	--- a/lib/curl_get_line.c
		23	+++ b/lib/curl_get_line.c
		24	@@ -25,7 +25,7 @@
		25	#include "curl_setup.h"
		26
		27	#if !defined(CURL_DISABLE_COOKIES) \|\| !defined(CURL_DISABLE_ALTSVC) \|\| \
		28	- !defined(CURL_DISABLE_HSTS)
		29	+ !defined(CURL_DISABLE_HSTS) \|\| !defined(CURL_DISABLE_NETRC)
		30
		31	#include "curl_get_line.h"
		32	#include "curl_memory.h"
		33	@@ -33,8 +33,8 @@
		34	#include "memdebug.h"
		35
		36	/*
		37	- * get_line() makes sure to only return complete whole lines that fit in 'len'
		38	- * bytes and end with a newline.
		39	+ * Curl_get_line() makes sure to only return complete whole lines that fit in
		40	+ * 'len' bytes and end with a newline.
		41	*/
		42	char Curl_get_line(char buf, int len, FILE *input)
		43	{
		44	diff --git a/lib/netrc.c b/lib/netrc.c
		45	index 62a6a10..5d17482 100644
		46	--- a/lib/netrc.c
		47	+++ b/lib/netrc.c
		48	@@ -33,6 +33,7 @@
		49	#include "netrc.h"
		50	#include "strtok.h"
		51	#include "strcase.h"
		52	+#include "curl_get_line.h"
		53
		54	/* The last 3 #include files should be in this order */
		55	#include "curl_printf.h"
		56	@@ -84,7 +85,7 @@ static int parsenetrc(const char *host,
		57	char netrcbuffer[4096];
		58	int netrcbuffsize = (int)sizeof(netrcbuffer);
		59
		60	- while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
		61	+ while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) {
		62	char *tok;
		63	char *tok_end;
		64	bool quoted;
		65	@@ -243,7 +244,7 @@ static int parsenetrc(const char *host,
		66	} /* switch (state) */
		67	tok = ++tok_end;
		68	}
		69	- } /* while fgets() */
		70	+ } /* while Curl_get_line() */
		71
		72	out:
		73	if(!retcode) {


diff --git a/meta/recipes-support/curl/curl/CVE-2022-42915.patch b/meta/recipes-support/curl/curl/CVE-2022-42915.patch new file mode 100644 index 0000000000..43de6e62eb --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-42915.patch
@@ -0,0 +1,53 @@
		1	From 3ede0e72aaad6447d2a5ab07dac43e1b9d7e617b Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Thu, 6 Oct 2022 14:13:36 +0200
		4	Subject: [PATCH] http_proxy: restore the protocol pointer on error
		5
		6	Reported-by: Trail of Bits
		7
		8	Closes #9790
		9
		10	Upstream-Status: Backport [https://github.com/curl/curl/commit/55e1875729f9d9fc7315ce]
		11	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
		12	---
		13	lib/http_proxy.c \| 6 ++----
		14	lib/url.c \| 9 ---------
		15	2 files changed, 2 insertions(+), 13 deletions(-)
		16
		17	diff --git a/lib/http_proxy.c b/lib/http_proxy.c
		18	index 1f87f6c..cc20b3a 100644
		19	--- a/lib/http_proxy.c
		20	+++ b/lib/http_proxy.c
		21	@@ -212,10 +212,8 @@ void Curl_connect_done(struct Curl_easy *data)
		22	Curl_dyn_free(&s->rcvbuf);
		23	Curl_dyn_free(&s->req);
		24
		25	- /* restore the protocol pointer, if not already done */
		26	- if(s->prot_save)
		27	- data->req.p.http = s->prot_save;
		28	- s->prot_save = NULL;
		29	+ /* restore the protocol pointer */
		30	+ data->req.p.http = s->prot_save;
		31	data->info.httpcode = 0; /* clear it as it might've been used for the
		32	proxy */
		33	data->req.ignorebody = FALSE;
		34	diff --git a/lib/url.c b/lib/url.c
		35	index bfc784f..61c99d2 100644
		36	--- a/lib/url.c
		37	+++ b/lib/url.c
		38	@@ -746,15 +746,6 @@ static void conn_shutdown(struct Curl_easy data, struct connectdata conn)
		39	DEBUGASSERT(data);
		40	infof(data, "Closing connection %ld", conn->connection_id);
		41
		42	-#ifndef USE_HYPER
		43	- if(conn->connect_state && conn->connect_state->prot_save) {
		44	- /* If this was closed with a CONNECT in progress, cleanup this temporary
		45	- struct arrangement */
		46	- data->req.p.http = NULL;
		47	- Curl_safefree(conn->connect_state->prot_save);
		48	- }
		49	-#endif
		50	-
		51	/* possible left-overs from the async name resolvers */
		52	Curl_resolver_cancel(data);
		53


diff --git a/meta/recipes-support/curl/curl/CVE-2022-42916.patch b/meta/recipes-support/curl/curl/CVE-2022-42916.patch new file mode 100644 index 0000000000..000af69885 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-42916.patch
@@ -0,0 +1,134 @@
		1	From 401455229a5006bed0346fedc99791ccb53e146c Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Wed, 12 Oct 2022 10:47:59 +0200
		4	Subject: [PATCH] url: use IDN decoded names for HSTS checks
		5
		6	Reported-by: Hiroki Kurosawa
		7
		8	Closes #9791
		9
		10	Upstream-Status: Backport [https://github.com/curl/curl/commit/53bcf55b4538067e6]
		11	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
		12	---
		13	lib/url.c \| 91 ++++++++++++++++++++++++++++---------------------------
		14	1 file changed, 47 insertions(+), 44 deletions(-)
		15
		16	diff --git a/lib/url.c b/lib/url.c
		17	index 61c99d2..6426fa7 100644
		18	--- a/lib/url.c
		19	+++ b/lib/url.c
		20	@@ -2024,10 +2024,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
		21	failf(data, "Too long host name (maximum is %d)", MAX_URL_LEN);
		22	return CURLE_URL_MALFORMAT;
		23	}
		24	+ hostname = data->state.up.hostname;
		25	+
		26	+ if(hostname && hostname[0] == '[') {
		27	+ /* This looks like an IPv6 address literal. See if there is an address
		28	+ scope. */
		29	+ size_t hlen;
		30	+ conn->bits.ipv6_ip = TRUE;
		31	+ /* cut off the brackets! */
		32	+ hostname++;
		33	+ hlen = strlen(hostname);
		34	+ hostname[hlen - 1] = 0;
		35	+
		36	+ zonefrom_url(uh, data, conn);
		37	+ }
		38	+
		39	+ /* make sure the connect struct gets its own copy of the host name */
		40	+ conn->host.rawalloc = strdup(hostname ? hostname : "");
		41	+ if(!conn->host.rawalloc)
		42	+ return CURLE_OUT_OF_MEMORY;
		43	+ conn->host.name = conn->host.rawalloc;
		44	+
		45	+ /*************************************************************
		46	+ * IDN-convert the hostnames
		47	+ *************************************************************/
		48	+ result = Curl_idnconvert_hostname(data, &conn->host);
		49	+ if(result)
		50	+ return result;
		51	+ if(conn->bits.conn_to_host) {
		52	+ result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
		53	+ if(result)
		54	+ return result;
		55	+ }
		56	+#ifndef CURL_DISABLE_PROXY
		57	+ if(conn->bits.httpproxy) {
		58	+ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
		59	+ if(result)
		60	+ return result;
		61	+ }
		62	+ if(conn->bits.socksproxy) {
		63	+ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
		64	+ if(result)
		65	+ return result;
		66	+ }
		67	+#endif
		68
		69	#ifndef CURL_DISABLE_HSTS
		70	+ /* HSTS upgrade */
		71	if(data->hsts && strcasecompare("http", data->state.up.scheme)) {
		72	- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) {
		73	+ /* This MUST use the IDN decoded name */
		74	+ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) {
		75	char *url;
		76	Curl_safefree(data->state.up.scheme);
		77	uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0);
		78	@@ -2133,26 +2179,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
		79
		80	(void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0);
		81
		82	- hostname = data->state.up.hostname;
		83	- if(hostname && hostname[0] == '[') {
		84	- /* This looks like an IPv6 address literal. See if there is an address
		85	- scope. */
		86	- size_t hlen;
		87	- conn->bits.ipv6_ip = TRUE;
		88	- /* cut off the brackets! */
		89	- hostname++;
		90	- hlen = strlen(hostname);
		91	- hostname[hlen - 1] = 0;
		92	-
		93	- zonefrom_url(uh, data, conn);
		94	- }
		95	-
		96	- /* make sure the connect struct gets its own copy of the host name */
		97	- conn->host.rawalloc = strdup(hostname ? hostname : "");
		98	- if(!conn->host.rawalloc)
		99	- return CURLE_OUT_OF_MEMORY;
		100	- conn->host.name = conn->host.rawalloc;
		101	-
		102	#ifdef ENABLE_IPV6
		103	if(data->set.scope_id)
		104	/* Override any scope that was set above. */
		105	@@ -3781,29 +3807,6 @@ static CURLcode create_conn(struct Curl_easy *data,
		106	if(result)
		107	goto out;
		108
		109	- /*************************************************************
		110	- * IDN-convert the hostnames
		111	- *************************************************************/
		112	- result = Curl_idnconvert_hostname(data, &conn->host);
		113	- if(result)
		114	- goto out;
		115	- if(conn->bits.conn_to_host) {
		116	- result = Curl_idnconvert_hostname(data, &conn->conn_to_host);
		117	- if(result)
		118	- goto out;
		119	- }
		120	-#ifndef CURL_DISABLE_PROXY
		121	- if(conn->bits.httpproxy) {
		122	- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host);
		123	- if(result)
		124	- goto out;
		125	- }
		126	- if(conn->bits.socksproxy) {
		127	- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host);
		128	- if(result)
		129	- goto out;
		130	- }
		131	-#endif
		132
		133	/*************************************************************
		134	* Check whether the host and the "connect to host" are equal.


diff --git a/meta/recipes-support/curl/curl_7.85.0.bb b/meta/recipes-support/curl/curl_7.85.0.bb index ad6a5175bc..0386052bf4 100644 --- a/meta/recipes-support/curl/curl_7.85.0.bb +++ b/meta/recipes-support/curl/curl_7.85.0.bb
@@ -13,6 +13,10 @@ SRC_URI = " \
13	https://curl.se/download/${BP}.tar.xz \	13	https://curl.se/download/${BP}.tar.xz \
14	file://run-ptest \	14	file://run-ptest \
15	file://disable-tests \	15	file://disable-tests \
		16	file://CVE-2022-32221.patch \
		17	file://CVE-2022-35260.patch \
		18	file://CVE-2022-42915.patch \
		19	file://CVE-2022-42916.patch \
16	"	20	"
17	SRC_URI[sha256sum] = "88b54a6d4b9a48cb4d873c7056dcba997ddd5b7be5a2d537a4acb55c20b04be6"	21	SRC_URI[sha256sum] = "88b54a6d4b9a48cb4d873c7056dcba997ddd5b7be5a2d537a4acb55c20b04be6"
18		22