File curl-CVE-2025-0167.patch of Package curl.37302
From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 3 Jan 2025 16:22:27 +0100
Subject: [PATCH] netrc: 'default' with no credentials is not a match
Reported-by: Yihang Zhou
Closes #15908
---
lib/netrc.c | 15 ++++--
Index: curl-7.66.0/lib/netrc.c
===================================================================
--- curl-7.66.0.orig/lib/netrc.c
+++ curl-7.66.0/lib/netrc.c
@@ -182,11 +182,16 @@ static int parsenetrc(const char *host,
} /* while fgets() */
out:
- if(!retcode && !password && state_our_login) {
- /* success without a password, set a blank one */
- password = strdup("");
- if(!password)
- retcode = 1; /* out of memory */
+ if(!retcode) {
+ if(!password && state_our_login) {
+ /* success without a password, set a blank one */
+ password = strdup("");
+ if(!password)
+ retcode = 1; /* out of memory */
+ }
+ else if(!login && !password)
+ /* a default with no credentials */
+ retcode = NETRC_FILE_MISSING;
}
if(!retcode) {
/* success */
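Review bot: The new `else if(!login && !password)` branch leaves its body unbraced, with a comment sitting between the condition and the assignment, while the `if` branch directly above it is braced; since this is the branch that carries the fix, I would write it as `else if(!login && !password) {`, `retcode = NETRC_FILE_MISSING;`, `}` with the comment inside the braces. The out-of-memory path two lines earlier still sets the bare literal `retcode = 1`, and the definition of NETRC_FILE_MISSING is outside the hunk, so it is worth confirming that callers can tell "no usable entry" from an allocation failure. `login` and `password` are also declared outside the hunk; if they can be non-NULL on entry because the caller passed values in, the new check would not fire for a credential-less `default`, and that case deserves a regression test. parsenetrc() starts and ends outside the hunk.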