Opened 18 months ago

Closed 18 months ago

Last modified 18 months ago

#17233 closed enhancement (fixed)

curl-7.86.0

Reported by: Bruce Dubbs
Owned by: Bruce Dubbs
Priority: elevated
Milestone: 11.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (6)

comment:1 by Douglas R. Reno, 18 months ago

Priority: normal → elevated

comment:2 by Bruce Dubbs, 18 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:3 by Bruce Dubbs, 18 months ago

Version 7.86.0 (26 Oct 2022)

This release includes the following changes:

  • NPN: remove support for and use of [16]
  • Websockets: initial support [23]

This release includes the following bugfixes:

  • altsvc: reject bad port numbers [86]
  • altsvc: use 'h3' for h3 [46]
  • amiga: do not hardcode openssl/zlib into the os config [158]
  • amiga: set SIZEOF_CURL_OFF_T=8 by default [150]
  • amigaos: add missing curl header [159]
  • asyn-ares: set hint flags when calling ares_getaddrinfo [93]
  • autotools: allow --enable-symbol-hiding with windows [65]
  • autotools: allow unix sockets on Windows [144]
  • autotools: reduce brute-force when detecting recv/send arg list [66]
  • aws_sigv4: fix header computation [139]
  • bearssl: make it proper C89 compliant
  • CI/GHA: cancel outdated CI runs on new PR changes [20]
  • CI/GHA: merge msh3 and openssl3 builds into linux workflow [110]
  • cirrus-ci: add macOS build with m1 [81]
  • cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS [129]
  • cli tool: do not use disabled protocols
  • cmake: add missing inet_ntop check [145]
  • cmake: add the check of HAVE_SOCKETPAIR [98]
  • cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h [5]
  • cmake: delete duplicate HAVE_GETADDRINFO test [149]
  • cmake: enable more detection on Windows [143]
  • cmake: fix original MinGW builds [177]
  • cmake: improve usability of CMake build as a sub-project [186]
  • cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows [147]
  • cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows [146]
  • cmake: sync HAVE_SIGNAL detection with autotools [148]
  • cmdline/docs: add a required 'multi' keyword for each option [160]
  • configure: correct the wording when checking grep -E [13]
  • configure: deprecate builds with small curl_off_t [89]
  • configure: fail if '--without-ssl' + explicit parameter for an ssl lib [164]
  • configure: the ngtcp2 option should default to 'no' [125]
  • connect: change verbose IPv6 address:port to [address]:port [83]
  • connect: fix builds without AF_INET6 [152]
  • connect: fix Curl_updateconninfo for TRNSPRT_UNIX [108]
  • connect: fix the wrong error message on connect failures [55]
  • content_encoding: use writer struct subclasses for different encodings [8]
  • cookie: reject cookie names or content with TAB characters [94]
  • ctype: remove all use of <ctype.h>, use our own versions [12]
  • curl-compilers.m4: for gcc + want warnings, set gnu89 standard [72]
  • curl-compilers.m4: use -O2 as default optimize for clang [6]
  • curl-wolfssl.m4: error out if wolfSSL is not usable [102]
  • curl.h: fix mention of wrong error code in comment
  • curl/add_file_name_to_url: use the libcurl URL parser [99]
  • curl/add_parallel_transfers: better error handling [101]
  • curl/get_url_file_name: use libcurl URL parser [97]
  • curl: warn for --ssl use, considered insecure [49]
  • curl_ctype: convert to macros-only [10]
  • curl_easy_pause.3: unpausing is as fast as possible [14]
  • curl_escape.3: fix typo [50]
  • curl_setup: disable use of FLOSS for 64-bit NonStop builds [69]
  • curl_setup: include curl.h after platform setup headers [37]
  • curl_setup: include only system.h instead of curl.h [34]
  • curl_strequal.3: fix argument typo [60]
  • curl_url_set.3: document CURLU_APPENDQUERY proper [96]
  • CURLMOPT_PIPELINING.3: dedup manpage xref [111]
  • CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five [85]
  • CURLOPT_AUTOREFERER.3: highlight the privacy leak risk [161]
  • CURLOPT_COOKIEFILE: insist on "" for enable-without-file [119]
  • CURLOPT_COOKIELIST.3: fix formatting mistake [80]
  • CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols [15]
  • CURLOPT_MIMEPOST.3: add an (inline) example [126]
  • CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST [167]
  • CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies [9]
  • CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes [172]
  • CURLSHOPT_UNLOCKFUNC.3: the callback has no 'access' argument [84]
  • DEPRECATE.md: Support for systems without 64 bit data types [19]
  • docs/examples: avoid deprecated options in examples where possible [115]
  • docs/INSTALL: update Android Instructions for newer NDKs [151]
  • docs/libcurl/symbols-in-versions: add several missing symbols
  • docs: 100+ spellfixes
  • docs: correct missing uppercase in Markdown files [38]
  • docs: document more server names for test files
  • docs: fix deprecation versions inconsistencies [123]
  • docs: make sure libcurl opts examples pass in long arguments [182]
  • docs: remove mentions of deprecated '--without-openssl' parameter [170]
  • docs: tag curl options better in man pages
  • docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR.
  • docs: update sourceforge project links [95]
  • easy: fix the #include order [53]
  • easy: fix the altsvc init for curl_easy_duphandle [77]
  • easy_lock: check for HAVE_STDATOMIC_H as well [187]
  • examples/chkspeed: improve portability [48]
  • formdata: fix warning: 'CURLformoption' is promoted to 'int' [24]
  • ftp: ignore a 550 response to MDTM [1]
  • ftp: remove redundant if [163]
  • functypes: provide the recv and send arg and return types [87]
  • getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled [17]
  • GHA: build tests in a separate step from the running of them [78]
  • GHA: run proselint on markdown files [22]
  • github: initial CODEOWNERS setup for CI configuration [52]
  • header: define public API functions as extern c [26]
  • headers: reset the requests counter at transfer start [25]
  • hostip: guard PF_INET6 use [157]
  • hostip: lazily wait to figure out if IPv6 works until needed [36]
  • http, vauth: always provide Curl_allow_auth_to_host() functionality [90]
  • http2: make nghttp2 less picky about field whitespace [27]
  • HTTP3.md: update Caddy example [76]
  • http: try parsing Retry-After: as a number first [122]
  • http_proxy: restore the protocol pointer on error [104]
  • httpput-postfields.c: shorten string for C89 compliance [57]
  • ldap: delete stray CURL_HAS_MOZILLA_LDAP reference [79]
  • lib1560: extended to verify detect/reject of unknown schemes
  • lib517: fix C89 constant signedness [73]
  • lib: add missing limits.h includes [35]
  • lib: add required Win32 setup definitions in setup-win32.h [4]
  • lib: prepare the incoming of additional protocols [71]
  • lib: sanitize conditional exclusion around MIME [82]
  • lib: set more flags in config-win32.h [109]
  • lib: the number four in a sequence is the "fourth" [28]
  • libssh: if sftp_init fails, don't get the sftp error code [132]
  • Makefile.m32: deduplicate build rules [131]
  • Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [137]
  • Makefile.m32: exclude libs & libpaths for shared mode exes [127]
  • Makefile.m32: fix regression with tool_hugehelp [130]
  • Makefile.m32: major rework [92]
  • Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [179]
  • Makefile.m32: support more options [142]
  • manpage-syntax.pl: all libcurl option symbols should be \fI-tagged [75]
  • manpages: Fix spelling of "allows to" -> "allows one to" [171]
  • misc: ISSPACE() => ISBLANK() [11]
  • misc: use the term "null-terminate" consistently [41]
  • mprintf: reject two kinds of precision for the same argument [162]
  • mprintf: use snprintf if available [74]
  • mqtt: return error for too long topic [133]
  • mqtt: spell out CONNECT in comments [166]
  • msh3: change the static_assert to make the code C89
  • netrc: compare user name case sensitively [118]
  • netrc: replace fgets with Curl_get_line [174]
  • netrc: use the URL-decoded user [103]
  • ngtcp2: fix build errors due to changes in ngtcp2 library [107]
  • ngtcp2: fix C89 compliance nit
  • noproxy: support proxies specified using cidr notation [184]
  • openssl: make certinfo available for QUIC [91]
  • README.md: add GHA status badges for Linux and macOS builds [40]
  • RELEASE-PROCEDURE.md: mention patch releases [21]
  • resolve: make forced IPv4 resolve only use A queries [61]
  • runtests: fix uninitialized value on ignored tests [128]
  • schannel: ban server ALPN change during recv renegotiation [63]
  • schannel: don't reset recv/send function pointers on renegotiation [156]
  • schannel: when importing PFX, disable key persistence [141]
  • scripts: use grep -E instead of egrep [30]
  • setopt: use the handler table for protocol name to number conversions [45]
  • setopt: when POST is set, reset the 'upload' field [51]
  • setup-win32: no longer define UNICODE/_UNICODE implicitly [3]
  • single_transfer: use the libcurl URL parser when appending query parts [100]
  • smb: replace CURL_WIN32 with WIN32 [138]
  • strcase: add and use Curl_timestrcmp [106]
  • strerror: improve two URL API error messages
  • symbol-scan.pl: also check for LIBCURL* symbols [43]
  • symbol-scan.pl: scan and verify .3 man pages [42]
  • symbols-in-versions: add missing LIBCURL* symbols
  • symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6
  • test1119: scan all public headers [44]
  • test1275: verify uppercase after period in markdown [135]
  • test972: verify the output without using external tool [32]
  • tests/certs/scripts: insert standard curl source headers [169]
  • tests/Makefile: remove run time stats from ci-test [120]
  • tests: avoid CreateThread if _beginthreadex is available [155]
  • tests: fix tag syntax errors in test files
  • tests: skip mime/form tests when mime is not built-in [54]
  • tidy-up: delete parallel/unused feature flags [117]
  • tidy-up: delete unused HAVE_STRUCT_POLLFD [134]
  • TODO: provide the error body from a CONNECT response [67]
  • tool: avoid generating ambiguous escaped characters in --libcurl [124]
  • tool: remove dead code [70]
  • tool: reorganize function c_escape around a dynbuf [121]
  • tool_hugehelp: make hugehelp a blank macro when disabled [7]
  • tool_main: exit at once if out of file descriptors [113]
  • tool_operate: avoid a few #ifdefs for disabled-libcurl builds [29]
  • tool_operate: more transfer cleanup after parallel transfer fail [165]
  • tool_operate: prevent over-queuing in parallel mode [176]
  • tool_operate: reduce errorbuffer allocs [173]
  • tool_paramhelp: asserts verify maximum sizes for string loading [112]
  • tool_paramhelp: make the max argument a 'double' [136]
  • tool_progress: remove 'Qd' from the parallel progress bar [175]
  • tool_setopt: use better English in --libcurl source comments [39]
  • tool_xattr: save the original URL, not the final redirected one [181]
  • unit test 1655: make it C89-compliant [59]
  • url: a zero-length userinfo part in the URL is still a (blank) user [64]
  • url: allow non-HTTPS HSTS-matching for debug builds [105]
  • url: rename function due to name-clash in Watt-32 [62]
  • url: use IDN decoded names for HSTS checks [140]
  • urlapi: detect scheme better when not guessing [56]
  • urlapi: fix parsing URL without slash with CURLU_URLENCODE [154]
  • urlapi: leaner with fewer allocs [2]
  • urlapi: reject more bad characters from the host name field [88]
  • winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths [18]
  • winbuild: use NMake batch-rules for compilation [47]
  • windows: add .rc support to autotools builds [33]
  • windows: adjust name of two internal public functions [58]
  • windows: autotools .rc warnings fixup [68]
  • wolfSSL: fix session management bug. [31]

Planned upcoming removals include:

  • NSS
  • Support for systems without 64 bit data types

comment:4 by Bruce Dubbs, 18 months ago

Resolution: fixed
Status: assigned → closed

Fixed at commits

80cd2ac953 Update to PerlIO-utf8_strict-0.010 (Perl module).
32d7d10de3 Update to curl-7.86.0.
5bb1f9d35b Update to wireshark-4.0.1.

comment:5 by Douglas R. Reno, 18 months ago

cURL Security Advisories:

CVE-2022-32221

CVE-2022-32221: POST following PUT confusion
============================================

Project curl Security Advisory, October 26 2022 -
[Permalink](https://curl.se/docs/CVE-2022-32221.html)

VULNERABILITY
-------------

When doing HTTP(S) transfers, libcurl might erroneously use the read callback
(`CURLOPT_READFUNCTION`) to ask for data to send, even when the
`CURLOPT_POSTFIELDS` option has been set, if the same handle previously was
used to issue a `PUT` request which used that callback.

This flaw may surprise the application and cause it to misbehave and either
send off the wrong data or use memory after free or similar in the subsequent
`POST` request.

The problem exists in the logic for a reused handle when it is changed from a
PUT to a POST.

We are not aware of any exploit of this flaw.

INFO
----

The code actually sending wrong data or doing a use-after-free is not present
in libcurl code but are only presumed scenarios that might become the outcome
of libcurl surprisingly calling the read callback in a situation where it is
not expected to.

This flaw cannot be triggered with the command line tool.

This issue was [reported and managed
publicly](https://github.com/curl/curl/issues/9507) before the security impact
was properly understood.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-32221 to this issue.

CWE-440: Expected Behavior Violation

Severity: medium

AFFECTED VERSIONS
-----------------

- Affected versions: libcurl 7.7 to and including 7.85.0
- Not affected versions: libcurl < 7.7 and >= 7.86.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

[The fix for
CVE-2022-32221](https://github.com/curl/curl/commit/a64e3e59938abd7d6) was
committed to the curl git repository and made public before the security
impact of this issue became clear to us. The security impact was not
highlighted in the commit message nor surrounding messaging.

RECOMMENDATIONS
---------------

 A - Upgrade curl to version 7.86.0

 B - Apply the patch to your local version

 C - Do not mix using the read callback and postfields string on a reused
     easy handle

TIMELINE
--------

This issue was reported to the curl project on September 19, 2022. We
contacted distros@openwall on October 18, 2022.

libcurl 7.86.0 was released on October 26 2022, coordinated with the
publication of this advisory. 

CVE-2022-35260

CVE-2022-35260: .netrc parser out-of-bounds access
==================================================

Project curl Security Advisory, October 26 2022 -
[Permalink](https://curl.se/docs/CVE-2022-35260.html)

VULNERABILITY
-------------

curl can be told to parse a `.netrc` file for credentials. If that file ends
in a line with consecutive non-white space letters and no newline, curl could
read past the end of the stack-based buffer, and if the read works, write a
zero byte possibly beyond its boundary.

This will in most cases cause a segfault or similar, but circumstances might
also cause different outcomes.

If a malicious user can provide a custom netrc file to an application or
otherwise affect its contents, this flaw could be used as denial-of-service.

We are not aware of any exploit of this flaw.

INFO
----

The flaw was introduced in curl with [this
commit](https://github.com/curl/curl/commit/eeaae10c0fb27aa06), first shipped
in curl 7.84.0.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-35260 to this issue.

CWE-121: Stack-based Buffer Overflow

Severity: low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.84.0 to and including 7.85.0
- Not affected versions: curl < 7.84.0 and >= 7.86.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

[The fix for CVE-2022-35260](https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa86)

RECOMMENDATIONS
---------------

 A - Upgrade curl to version 7.86.0

 B - Apply the patch to your local version

 C - Do not use `.netrc` files

TIMELINE
--------

This issue was reported to the curl project on October 3, 2022. We contacted
distros@openwall on October 18, 2022.

libcurl 7.86.0 was released on October 26 2022, coordinated with the
publication of this advisory.

CVE-2022-42916

CVE-2022-42916: HSTS bypass via IDN
===================================

Project curl Security Advisory, October 26 2022 -
[Permalink](https://curl.se/docs/CVE-2022-42916.html)

VULNERABILITY
-------------

curl's HSTS check could be bypassed to trick it to keep using HTTP.

Using its HSTS support, curl can be instructed to use HTTPS directly instead
of using an insecure clear-text HTTP step even when HTTP is provided in the
URL. This mechanism could be bypassed if the host name in the given URL uses
IDN characters that get replaced to ASCII counterparts as part of the IDN
conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP)
instead of the common ASCII full stop (U+002E) `.`.

Like this: `http://curl。se。`

We are not aware of any exploit of this flaw.

INFO
----

This flaw was introduced in [commit
7385610d0c7](https://github.com/curl/curl/commit/7385610d0c7), which was
shipped enabled by default from [commit
d71ff2b9db566b3f](https://github.com/curl/curl/commit/d71ff2b9db566b3f) in
curl 7.77.0.

This issue is similar to the previous [CVE-2022-30115](https://curl.se/docs/CVE-2022-30115.html).

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-42916 to this issue.

CWE-319: Cleartext Transmission of Sensitive Information

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.77.0 to and including 7.85.0
- Not affected versions: curl < 7.77.0 and curl >= 7.86.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

A [fix for CVE-2022-42916](https://github.com/curl/curl/commit/53bcf55b4538067e6)

RECOMMENDATIONS
---------------

 A - Upgrade curl to version 7.86.0

 B - Apply the patch to your local version

 C - Stick to always using `HTTPS://` in URLs

TIMELINE
--------

This issue was reported to the curl project on October 11, 2022. We contacted
distros@openwall on October 18, 2022.

libcurl 7.86.0 was released on October 26 2022, coordinated with the
publication of this advisory. 
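The two client-side checks behind CVE-2022-42916 and CVE-2022-35260 above, as an added Python illustration that is not code from the ticket, from BLFS or from the curl project. It shows why an HSTS cache has to be keyed on the canonical IDNA-encoded host (the stdlib `idna` codec maps U+3002 IDEOGRAPHIC FULL STOP to an ASCII dot the same way the advisory describes), and a `.netrc` tokenizer for which end of file is a token boundary, so a last line without a newline is a normal token rather than a read past a line buffer; the lookup also applies the two 7.86.0 netrc changes listed in the release notes (case-sensitive login compare, URL-decoded user). The dict-shaped HSTS cache, the reduced `.netrc` grammar (no `macdef`) and the sample `.netrc` and URLs are assumptions made for the example.

```python
"""Added example (not curl's code): host canonicalisation for HSTS lookups
and a bounded .netrc tokenizer. Cache layout, reduced .netrc grammar and
all sample inputs are assumptions made for the demonstration."""
from urllib.parse import unquote, urlsplit


def canonical_host(host):
    """IDNA-encode a host the way the resolver will see it.

    The stdlib idna codec splits labels on U+002E, U+3002, U+FF0E and U+FF61,
    so 'curl。se。' becomes 'curl.se.'. One trailing dot is dropped and the
    result lower-cased so the same origin always yields the same cache key.
    """
    ascii_host = host.encode("idna").decode("ascii").lower()
    return ascii_host[:-1] if ascii_host.endswith(".") else ascii_host


def hsts_upgrade(url, hsts_cache, normalize=True):
    """Return the URL to fetch, upgraded to https if its host is in the cache.

    hsts_cache maps an ASCII host to an includeSubDomains flag (assumed
    layout). With normalize=False the raw host from the URL is the lookup
    key, which is the pre-7.86.0 behaviour the advisory describes: the
    ideographic full stops never match the stored ASCII entry.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    raw_host = parts.hostname or ""
    key = canonical_host(raw_host) if normalize else raw_host
    for entry, include_subdomains in hsts_cache.items():
        if key == entry or (include_subdomains and key.endswith("." + entry)):
            return parts._replace(scheme="https").geturl()
    return url


NETRC_KEYWORDS = ("machine", "login", "password", "account")


def parse_netrc(text):
    """Tokenize a .netrc into [{"machine", "login", "password"}, ...].

    Splitting on whitespace makes EOF a token boundary, so a final
    'password xyz' with no newline is a complete token. A keyword that is
    the last token has no value; that is reported as an error instead of
    consuming whatever happens to follow. 'macdef' macros are not handled.
    """
    tokens = text.split()
    entries, current, i = [], None, 0
    while i < len(tokens):
        word = tokens[i]
        if word == "default":
            current = {"machine": None, "login": None, "password": None}
            entries.append(current)
            i += 1
        elif word in NETRC_KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError("keyword %r at end of file has no value" % word)
            value = tokens[i + 1]
            if word == "machine":
                current = {"machine": value, "login": None, "password": None}
                entries.append(current)
            elif current is not None and word != "account":
                current[word] = value
            i += 2
        else:
            i += 1  # stray token outside any entry: ignore it
    return entries


def netrc_lookup(entries, url):
    """Return (login, password) for url, or None if nothing matches.

    The user from the URL is percent-decoded before comparison and the
    login is compared case-sensitively; machine names are compared
    case-insensitively against the canonical host. A 'default' entry
    (machine None) matches any host.
    """
    parts = urlsplit(url)
    host = canonical_host(parts.hostname or "")
    wanted_user = unquote(parts.username) if parts.username else None
    for entry in entries:
        if entry["machine"] is not None and entry["machine"].lower() != host:
            continue
        if wanted_user is not None and entry["login"] != wanted_user:
            continue
        return entry["login"], entry["password"]
    return None


# Constructed sample .netrc; the last line deliberately has no newline.
SAMPLE_NETRC = (
    "machine example.com login Alice password s3cret\n"
    "machine example.com login alice password other\n"
    "default login anonymous password guest@"
)

if __name__ == "__main__":
    cache = {"curl.se": True}
    print(hsts_upgrade("http://curl。se。/", cache, normalize=False))  # stays http
    print(hsts_upgrade("http://curl。se。/", cache))                  # https://curl。se。/
    print(netrc_lookup(parse_netrc(SAMPLE_NETRC), "http://Al%69ce@example.com/"))  # ('Alice', 's3cret')
```

Run it as a script to see the three results. The point of `hsts_upgrade` is that the cache key and the name handed to the resolver must be produced by the same canonicalisation; any check done on the raw URL host is a check on a string the network never sees. The `.netrc` half follows recommendation C of CVE-2022-35260 only loosely: it still reads `.netrc`, but never lets a missing trailing newline change how many bytes are consumed.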

comment:6 by Douglas R. Reno, 18 months ago

Issued SA-11.2-027
