diff --git a/backport-krb5_gssapi-fix-memory-leak-on-error-path.patch b/backport-krb5_gssapi-fix-memory-leak-on-error-path.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0adfb407920b5a300ab934a8516f460c41f4ad34
--- /dev/null
+++ b/backport-krb5_gssapi-fix-memory-leak-on-error-path.patch
@@ -0,0 +1,32 @@
+From 2c6505e0ef9c0368e9acbef5662eb15e43328b65 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 9 Oct 2025 16:51:55 +0200
+Subject: [PATCH] krb5_gssapi: fix memory leak on error path
+
+If a non-compliant amount of bytes is received, the function would
+return error without free.
+
+Reported-by: Joshua Rogers
+Closes #18976
+
+Conflict:NA
+Reference:https://github.com/curl/curl/commit/2c6505e0ef9c0368e9acbef5662eb15e43328b65
+---
+ lib/vauth/krb5_gssapi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/vauth/krb5_gssapi.c b/lib/vauth/krb5_gssapi.c
+index 70144e5514..a414d0a359 100644
+--- a/lib/vauth/krb5_gssapi.c
++++ b/lib/vauth/krb5_gssapi.c
+@@ -225,6 +225,7 @@ CURLcode Curl_auth_create_gssapi_security_message(struct Curl_easy *data,
+ /* Not 4 octets long so fail as per RFC4752 Section 3.1 */
+ if(output_token.length != 4) {
+ infof(data, "GSSAPI handshake failure (invalid security data)");
++ gss_release_buffer(&unused_status, &output_token);
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+
+--
+2.43.0
+
diff --git a/backport-libssh-fix-readdir-issues.patch b/backport-libssh-fix-readdir-issues.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9866056090ef581eb3dd038ce576b96119edabff
--- /dev/null
+++ b/backport-libssh-fix-readdir-issues.patch
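Review bot: In lib/vauth/krb5_gssapi.c the added `gss_release_buffer(&unused_status, &output_token);` covers only the `output_token.length != 4` exit, and Curl_auth_create_gssapi_security_message continues outside the hunk, so any other early return taken after output_token has been filled would need the same release and cannot be checked from these lines. The commit message ties this branch to a non-compliant number of received bytes, so the leak was reachable from peer-supplied data on each malformed handshake. A short comment on the new line, for example `/* output_token holds the unwrapped data; release it on every exit */` (assuming it is filled by the call just above the hunk), would keep later edits from reintroducing the leak.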
@@ -0,0 +1,49 @@
+From ac8271d020848bca7da0976bd4eeb57a0bb4178e Mon Sep 17 00:00:00 2001
+From: Eshan Kelkar
+Date: Tue, 8 Jul 2025 12:42:29 +0530
+Subject: [PATCH] libssh: fix readdir issues
+
+Signed-off-by: Eshan Kelkar
+Closes #17856
+
+Conflict:context adapt
+remove 4th trunk which is not needed by current context
+Reference:https://github.com/curl/curl/commit/ac8271d020848bca7da0976bd4eeb57a0bb4178e
+---
+ lib/vssh/libssh.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index c5044b2..c06c72a 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -1506,7 +1506,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ break;
+ }
+ else {
+- failf(data, "Could not open remote file for reading: %s",
++ failf(data, "Could not open remote directory for reading: %s",
+ ssh_get_error(sshc->ssh_session));
+ MOVE_TO_SFTP_CLOSE_STATE();
+ break;
+@@ -1519,7 +1519,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+
+ sshc->readdir_link_attrs = sftp_lstat(sshc->sftp_session,
+ sshc->readdir_linkPath);
+- if(sshc->readdir_link_attrs == 0) {
++ if(!sshc->readdir_link_attrs) {
+ failf(data, "Could not read symlink for reading: %s",
+ ssh_get_error(sshc->ssh_session));
+ MOVE_TO_SFTP_CLOSE_STATE();
+@@ -1529,7 +1529,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ if(!sshc->readdir_link_attrs->name) {
+ sshc->readdir_tmp = sftp_readlink(sshc->sftp_session,
+ sshc->readdir_linkPath);
+- if(!sshc->readdir_filename)
++ if(!sshc->readdir_tmp)
+ sshc->readdir_len = 0;
+ else
+ sshc->readdir_len = strlen(sshc->readdir_tmp);
+--
+2.43.0
+
diff --git a/backport-libssh-properly-free-sftp_attributes.patch b/backport-libssh-properly-free-sftp_attributes.patch
new file mode 100644
index 0000000000000000000000000000000000000000..07f5b2011436778bc054471244fb980e512cf977
--- /dev/null
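Review bot: In lib/vssh/libssh.c the corrected `if(!sshc->readdir_tmp)` test in the third inner hunk should carry a comment, because the old test looked at readdir_filename and a NULL result from sftp_readlink() could therefore reach `strlen(sshc->readdir_tmp)`. Suggested wording above the check: `/* sftp_readlink() may return NULL; never hand that to strlen() */`. The state-machine case continues outside the hunk, so whether the code that later consumes readdir_tmp together with a readdir_len of 0 tolerates the NULL pointer cannot be confirmed from here and is worth checking in the backported tree.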
+++ b/backport-libssh-properly-free-sftp_attributes.patch
@@ -0,0 +1,37 @@
+From b42f226b94409defd7487347b543911f18eb1468 Mon Sep 17 00:00:00 2001
+From: x2018
+Date: Mon, 17 Nov 2025 18:36:42 +0800
+Subject: [PATCH] libssh: properly free sftp_attributes
+
+Closes #19564
+
+Conflict:context adapt
+Reference:https://github.com/curl/curl/commit/b42f226b94409defd7487347b543911f18eb1468
+---
+ lib/vssh/libssh.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
+index 8653c4901d..9428a20a5f 100644
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -1137,14 +1137,13 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
+ attrs = sftp_stat(sshc->sftp_session, protop->path);
+ if(attrs) {
+ curl_off_t size = attrs->size;
++ sftp_attributes_free(attrs);
+ if(size < 0) {
+ failf(data, "Bad file size (%" CURL_FORMAT_CURL_OFF_T ")", size);
+ MOVE_TO_ERROR_STATE(CURLE_BAD_DOWNLOAD_RESUME);
+ break;
+ }
+- data->state.resume_from = attrs->size;
+-
+- sftp_attributes_free(attrs);
++ data->state.resume_from = size;
+ }
+ else {
+ data->state.resume_from = 0;
+--
+2.43.0
+
diff --git a/backport-pop3-fix-CAPA-response-termination-detection.patch b/backport-pop3-fix-CAPA-response-termination-detection.patch
new file mode 100644
index 0000000000000000000000000000000000000000..650ad850eb2a465656640b25caddc73d808f9e50
--- /dev/null
+++ b/backport-pop3-fix-CAPA-response-termination-detection.patch
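Review bot: In lib/vssh/libssh.c the `size < 0` test only rejects an oversized server-reported file size because `curl_off_t size = attrs->size;` is expected to turn it into a negative number. If attrs->size is an unsigned 64-bit field (its declaration is not in the hunk), that conversion is implementation-defined and nothing on these lines tells the reader the check depends on it. A comment on the assignment, such as `/* a remote size beyond the curl_off_t range shows up as negative here */`, would document the validation of this remote value; comparing the unsigned value against the curl_off_t maximum before converting would remove the dependency altogether. The surrounding state-machine case starts and ends outside the hunk.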
@@ -0,0 +1,48 @@
+From a49e4e3d16991465144558f405b2d7972824abb0 Mon Sep 17 00:00:00 2001
+From: TheBitBrine
+Date: Sun, 26 Oct 2025 03:15:07 +0000
+Subject: [PATCH] pop3: fix CAPA response termination detection
+
+The code was checking if a line starts with '.', which would
+incorrectly match capability names starting with dots. Per RFC 2449,
+the terminator must be a line containing only a single dot.
+
+RFC 2449 also explicitly excludes '.' from valid capability name
+starting characters, so this is purely theoretical, but the code
+should match the spec.
+
+Changed to check for exact match: line length of 3 with '.\r' or
+length 2 with '.\n' to handle both CRLF and LF-only servers.
+
+(Mistake detected with ZeroPath)
+
+Fixes #19228
+Reported-by: Joshua Rogers
+Closes #19245
+
+Conflict:NA
+Reference:https://github.com/curl/curl/commit/a49e4e3d16991465144558f405b2d7972824abb0
+---
+ lib/pop3.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 2fd496cb31..c6b6ed659c 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -323,8 +323,10 @@ static bool pop3_endofresp(struct Curl_easy *data, struct connectdata *conn,
+
+ /* Are we processing CAPA command responses? */
+ if(pop3c->state == POP3_CAPA) {
+- /* Do we have the terminating line? */
+- if(len >= 1 && line[0] == '.')
++ /* Do we have the terminating line? Per RFC 2449 this is a line
++ containing only a single dot */
++ if((len == 3 && line[0] == '.' && line[1] == '\r') ||
++ (len == 2 && line[0] == '.' && line[1] == '\n'))
+ /* Treat the response as a success */
+ *resp = '+';
+ else
+--
+2.43.0
+
diff --git a/curl.spec b/curl.spec
index 7f969a918a0557e78a777f7da782ec6582574cb5..2a97d88f4b53d92fe12252694e56aabf41cd97dc 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@
 Name: curl
 Version: 7.79.1
-Release: 44
+Release: 45
 Summary: Curl is used in command lines or scripts to transfer data
 License: MIT
 URL: https://curl.haxx.se/
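Review bot: In lib/pop3.c the three-byte branch of the new terminator test, `(len == 3 && line[0] == '.' && line[1] == '\r')`, never looks at line[2], so it is not the exact match the commit message describes: any three-byte line that begins with `.\r` is treated as the end of the CAPA response. Unless the caller (outside the hunk) guarantees that every line passed to pop3_endofresp ends in a newline, add the third comparison, `(len == 3 && line[0] == '.' && line[1] == '\r' && line[2] == '\n') ||`. The function body continues outside the hunk.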
@@ -124,6 +124,10 @@ Patch110: backport-tool_getparam-clear-argument-only-when-needed.patch Patch111: backport-CVE-2025-9086.patch Patch112: backport-runtests-don-t-try-to-stop-stunnel-before-trying-aga.patch Patch113: backport-CVE-2025-10966.patch +Patch114: backport-libssh-fix-readdir-issues.patch +Patch115: backport-krb5_gssapi-fix-memory-leak-on-error-path.patch +Patch116: backport-pop3-fix-CAPA-response-termination-detection.patch +Patch117: backport-libssh-properly-free-sftp_attributes.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel @@ -292,6 +296,15 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Wed Nov 26 2025 zhouyihang - 7.79.1-45 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:libssh: fix readdir issues + krb5_gssapi: fix memory leak on error path + pop3: fix CAPA response termination detection + libssh: properly free sftp_attributes + * Wed Nov 19 2025 zhouyihang - 7.79.1-44 - Type:CVE - CVE:CVE-2025-10966