Overview

File curl-CVE-2025-0167.patch of Package curl.37295

From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 3 Jan 2025 16:22:27 +0100
Subject: [PATCH] netrc: 'default' with no credentials is not a match

Reported-by: Yihang Zhou

Closes #15908
---
 lib/netrc.c            |  15 ++++--

Index: curl-8.6.0/lib/netrc.c
===================================================================
--- curl-8.6.0.orig/lib/netrc.c
+++ curl-8.6.0/lib/netrc.c
@@ -255,11 +255,16 @@ static int parsenetrc(const char *host,
     } /* while Curl_get_line() */
 
 out:
-    if(!retcode && !password && state_our_login) {
-      /* success without a password, set a blank one */
-      password = strdup("");
-      if(!password)
-        retcode = 1; /* out of memory */
+    if(!retcode) {
+      if(!password && state_our_login) {
+        /* success without a password, set a blank one */
+        password = strdup("");
+        if(!password)
+          retcode = 1; /* out of memory */
+      }
+      else if(!login && !password)
+        /* a default with no credentials */
+        retcode = NETRC_FILE_MISSING;
     }
     if(!retcode) {
       /* success */
openSUSE Build Service is sponsored by
Places