From fdc14f085c4e216fbe3121b8d5c1592297ebc847 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mar 24 2023 12:34:23 +0000
Subject: Resolves: CVE-2023-27533 - fix TELNET option IAC injection


---

diff --git a/0023-curl-7.87.0-CVE-2023-27533.patch b/0023-curl-7.87.0-CVE-2023-27533.patch
new file mode 100644
index 0000000..8810c27
--- /dev/null
+++ b/0023-curl-7.87.0-CVE-2023-27533.patch
@@ -0,0 +1,59 @@
+From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Mar 2023 12:07:33 +0100
+Subject: [PATCH] telnet: only accept option arguments in ascii
+
+To avoid embedded telnet negotiation commands etc.
+
+Reported-by: Harry Sintonen
+Closes #10728
+
+Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/telnet.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 22bc81e..baea885 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data,
+   }
+ }
+ 
++static bool str_is_nonascii(const char *str)
++{
++  size_t len = strlen(str);
++  while(len--) {
++    if(*str & 0x80)
++      return TRUE;
++    str++;
++  }
++  return FALSE;
++}
++
+ static CURLcode check_telnet_options(struct Curl_easy *data)
+ {
+   struct curl_slist *head;
+@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   /* Add the user name as an environment variable if it
+      was given on the command line */
+   if(data->state.aptr.user) {
++   if(str_is_nonascii(data->conn->user))
++     return CURLE_BAD_FUNCTION_ARGUMENT;
+     msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
+     beg = curl_slist_append(tn->telnet_vars, option_arg);
+     if(!beg) {
+@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
+   for(head = data->set.telnet_options; head; head = head->next) {
+     if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
+               option_keyword, option_arg) == 2) {
++      if(str_is_nonascii(option_arg))
++        continue;
+ 
+       /* Terminal type */
+       if(strcasecompare(option_keyword, "TTYPE")) {
+-- 
+2.39.2
+
diff --git a/curl.spec b/curl.spec
index ab506f4..f674415 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.85.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -40,6 +40,9 @@ Patch20:  0020-curl-7.85.0-CVE-2022-43551.patch
 # smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
 Patch21:  0021-curl-7.85.0-CVE-2022-43552.patch
 
+# fix TELNET option IAC injection (CVE-2023-27533)
+Patch23:  0023-curl-7.87.0-CVE-2023-27533.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -234,6 +237,7 @@ be installed.
 %patch8 -p1
 %patch20 -p1
 %patch21 -p1
+%patch23 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -467,6 +471,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.85.0-8
+- fix TELNET option IAC injection (CVE-2023-27533)
+
 * Mon Feb 27 2023 Kamil Dudka <kdudka@redhat.com> - 7.85.0-7
 - header: define public API functions as extern C (#2173299)