diff --git a/.gitignore b/.gitignore index 9bb4285..505a7d9 100644 --- a/.gitignore +++ b/.gitignore @@ -2,5 +2,4 @@ /curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc -/curl-[0-9]*.[0-9]*.[0-9]*/ -/*.src.rpm +/curl-[0-9].[0-9].[0-9]/ diff --git a/0001-curl-8.6.0-remove-duplicate-content.patch b/0001-curl-8.6.0-remove-duplicate-content.patch new file mode 100644 index 0000000..bbbb7ff --- /dev/null +++ b/0001-curl-8.6.0-remove-duplicate-content.patch @@ -0,0 +1,108 @@ +From 960cf3ceb40cf875b146d4d1065d9267ccb83da1 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 1 Feb 2024 12:56:31 +0100 +Subject: [PATCH 1/2] doc: remove duplicate content from curl-config.1 + +This will be resolved in next release by: +https://github.com/curl/curl/pull/12818 + +see also: https://github.com/curl/curl/issues/12840 + +Signed-off-by: Jan Macku +--- + docs/curl-config.1 | 82 ---------------------------------------------- + 1 file changed, 82 deletions(-) + +diff --git a/docs/curl-config.1 b/docs/curl-config.1 +index 186ba3a..c142cb9 100644 +--- a/docs/curl-config.1 ++++ b/docs/curl-config.1 +@@ -80,85 +80,3 @@ How do I build a single file with a one\-line command? + .fi + .SH SEE ALSO + .BR curl (1) +-.\" generated by cd2nroff 0.1 from curl-config.md +-.TH curl-config 1 "January 26 2024" curl-config +-.SH NAME +-curl\-config \- Get information about a libcurl installation +-.SH SYNOPSIS +-\fBcurl\-config [options]\fP +-.SH DESCRIPTION +-\fBcurl\-config\fP +-displays information about the curl and libcurl installation. +-.SH OPTIONS +-.IP --ca +-Displays the built\-in path to the CA cert bundle this libcurl uses. +-.IP --cc +-Displays the compiler used to build libcurl. +-.IP --cflags +-Set of compiler options (CFLAGS) to use when compiling files that use +-libcurl. Currently that is only the include path to the curl include files. +-.IP "--checkfor [version]" +-Specify the oldest possible libcurl version string you want, and this +-script will return 0 if the current installation is new enough or it +-returns 1 and outputs a text saying that the current version is not new +-enough. (Added in 7.15.4) +-.IP --configure +-Displays the arguments given to configure when building curl. +-.IP --feature +-Lists what particular main features the installed libcurl was built with. At +-the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume +-any particular order. The keywords will be separated by newlines. There may be +-none, one, or several keywords in the list. +-.IP --help +-Displays the available options. +-.IP --libs +-Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl. +-.IP --prefix +-This is the prefix used when libcurl was installed. Libcurl is then installed +-in $prefix/lib and its header files are installed in $prefix/include and so +-on. The prefix is set with "configure \--prefix". +-.IP --protocols +-Lists what particular protocols the installed libcurl was built to support. At +-the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE, +-TELNET, LDAP, DICT and many more. Do not assume any particular order. The +-protocols will be listed using uppercase and are separated by newlines. There +-may be none, one, or several protocols in the list. (Added in 7.13.0) +-.IP --ssl-backends +-Lists the SSL backends that were enabled when libcurl was built. It might be +-no, one or several names. If more than one name, they will appear +-comma\-separated. (Added in 7.58.0) +-.IP --static-libs +-Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl statically. (Added in 7.17.1) +-.IP --version +-Outputs version information about the installed libcurl. +-.IP --vernum +-Outputs version information about the installed libcurl, in numerical mode. +-This shows the version number, in hexadecimal, using 8 bits for each part: +-major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and +-libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be +-omitted. (This option was broken in the 7.15.0 release.) +-.SH EXAMPLES +-What linker options do I need when I link with libcurl? +-.nf +- $ curl-config --libs +-.fi +-What compiler options do I need when I compile using libcurl functions? +-.nf +- $ curl-config --cflags +-.fi +-How do I know if libcurl was built with SSL support? +-.nf +- $ curl-config --feature | grep SSL +-.fi +-What\(aqs the installed libcurl version? +-.nf +- $ curl-config --version +-.fi +-How do I build a single file with a one\-line command? +-.nf +- $ `curl-config --cc --cflags` -o example source.c `curl-config --libs` +-.fi +-.SH SEE ALSO +-.BR curl (1) +-- +2.43.0 + diff --git a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch new file mode 100644 index 0000000..4dee602 --- /dev/null +++ b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch @@ -0,0 +1,184 @@ +From e61ea3ba7054afedafe1eb473226e842ac17b8ff Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 1 Feb 2024 13:23:12 +0100 +Subject: [PATCH] sendf: ignore response body to HEAD + +and mark the stream for close, but return OK since the response this far +was ok - if headers were received. Partly because this is what curl has +done traditionally. + +Test 499 verifies. Updates test 689. + +Reported-by: Sergey Bronnikov +Bug: https://curl.se/mail/lib-2024-02/0000.html +Closes #12842 + +(cherry picked from commit b8c003832d730bb2f4b9de4204675ca5d9f7a903) +Signed-off-by: Jan Macku +--- + lib/sendf.c | 3 ++ + tests/data/Makefile.inc | 44 ++++++++++++++-------------- + tests/data/test499 | 65 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test689 | 4 +-- + 4 files changed, 92 insertions(+), 24 deletions(-) + create mode 100644 tests/data/test499 + +diff --git a/lib/sendf.c b/lib/sendf.c +index db3189a29..60ac0742c 100644 +--- a/lib/sendf.c ++++ b/lib/sendf.c +@@ -575,6 +575,9 @@ static CURLcode cw_download_write(struct Curl_easy *data, + DEBUGF(infof(data, "did not want a BODY, but seeing %zu bytes", + nbytes)); + data->req.download_done = TRUE; ++ if(data->info.header_size) ++ /* if headers have been received, this is fine */ ++ return CURLE_OK; + return CURLE_WEIRD_SERVER_REPLY; + } + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index c3d496f64..cd393da75 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -75,28 +75,28 @@ test444 test445 test446 test447 test448 test449 test450 test451 test452 \ + test453 test454 test455 test456 test457 test458 test459 test460 test461 \ + \ + test490 test491 test492 test493 test494 test495 test496 test497 test498 \ +-\ +-test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +-test509 test510 test511 test512 test513 test514 test515 test516 test517 \ +-test518 test519 test520 test521 test522 test523 test524 test525 test526 \ +-test527 test528 test529 test530 test531 test532 test533 test534 test535 \ +- test537 test538 test539 test540 test541 test542 test543 test544 \ +-test545 test546 test547 test548 test549 test550 test551 test552 test553 \ +-test554 test555 test556 test557 test558 test559 test560 test561 test562 \ +-test563 test564 test565 test566 test567 test568 test569 test570 test571 \ +-test572 test573 test574 test575 test576 test577 test578 test579 test580 \ +-test581 test582 test583 test584 test585 test586 test587 test588 test589 \ +-test590 test591 test592 test593 test594 test595 test596 test597 test598 \ +-test599 test600 test601 test602 test603 test604 test605 test606 test607 \ +-test608 test609 test610 test611 test612 test613 test614 test615 test616 \ +-test617 test618 test619 test620 test621 test622 test623 test624 test625 \ +-test626 test627 test628 test629 test630 test631 test632 test633 test634 \ +-test635 test636 test637 test638 test639 test640 test641 test642 test643 \ +-test644 test645 test646 test647 test648 test649 test650 test651 test652 \ +-test653 test654 test655 test656 test658 test659 test660 test661 test662 \ +-test663 test664 test665 test666 test667 test668 test669 test670 test671 \ +-test672 test673 test674 test675 test676 test677 test678 test679 test680 \ +-test681 test682 test683 test684 test685 test686 test687 test688 test689 \ ++test499 test500 test501 test502 test503 test504 test505 test506 test507 \ ++test508 test509 test510 test511 test512 test513 test514 test515 test516 \ ++test517 test518 test519 test520 test521 test522 test523 test524 test525 \ ++test526 test527 test528 test529 test530 test531 test532 test533 test534 \ ++test535 test537 test538 test539 test540 test541 test542 test543 \ ++test544 test545 test546 test547 test548 test549 test550 test551 test552 \ ++test553 test554 test555 test556 test557 test558 test559 test560 test561 \ ++test562 test563 test564 test565 test566 test567 test568 test569 test570 \ ++test571 test572 test573 test574 test575 test576 test577 test578 test579 \ ++test580 test581 test582 test583 test584 test585 test586 test587 test588 \ ++test589 test590 test591 test592 test593 test594 test595 test596 test597 \ ++test598 test599 test600 test601 test602 test603 test604 test605 test606 \ ++test607 test608 test609 test610 test611 test612 test613 test614 test615 \ ++test616 test617 test618 test619 test620 test621 test622 test623 test624 \ ++test625 test626 test627 test628 test629 test630 test631 test632 test633 \ ++test634 test635 test636 test637 test638 test639 test640 test641 test642 \ ++test643 test644 test645 test646 test647 test648 test649 test650 test651 \ ++test652 test653 test654 test655 test656 test658 test659 test660 test661 \ ++test662 test663 test664 test665 test666 test667 test668 test669 test670 \ ++test671 test672 test673 test674 test675 test676 test677 test678 test679 \ ++test680 test681 test682 test683 test684 test685 test686 test687 test688 \ ++test689 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 test716 test717 \ +diff --git a/tests/data/test499 b/tests/data/test499 +new file mode 100644 +index 000000000..d4040b07c +--- /dev/null ++++ b/tests/data/test499 +@@ -0,0 +1,65 @@ ++ ++ ++ ++HTTP ++HTTP GET ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP HEAD to server still sending a body ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -I ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++HEAD /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++ +diff --git a/tests/data/test689 b/tests/data/test689 +index 821556dec..381ae225a 100644 +--- a/tests/data/test689 ++++ b/tests/data/test689 +@@ -44,9 +44,9 @@ User-Agent: test567 + Test-Number: 567 + + +-# 8 == CURLE_WEIRD_SERVER_REPLY ++# 85 == CURLE_RTSP_CSEQ_ERROR + +-8 ++85 + + + +-- +2.43.0 + diff --git a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch new file mode 100644 index 0000000..3e9078c --- /dev/null +++ b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch @@ -0,0 +1,68 @@ +From 0f65eaab19624ca018d7bd5ca404618f9bfe267f Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 1 Feb 2024 18:15:50 +0100 +Subject: [PATCH] vtls: revert "receive max buffer" + add test case + +- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an + Apache resource that does an unclean TLS shutdown. +- revert special workarund in openssl.c for suppressing shutdown errors + on multiplexed connections +- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53 + +Fixes #12885 +Fixes #12844 + +Closes #12848 + +(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84) +Signed-off-by: Jan Macku +--- + lib/vtls/vtls.c | 27 ++++++--------------------- + 1 file changed, 6 insertions(+), 21 deletions(-) + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e928ba5d0..f654a9749 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf, + { + struct cf_call_data save; + ssize_t nread; +- size_t ntotal = 0; + + CF_DATA_SAVE(save, cf, data); + *err = CURLE_OK; +- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */ +- while(!ntotal || (len - ntotal) > (4*1024)) { ++ nread = Curl_ssl->recv_plain(cf, data, buf, len, err); ++ if(nread > 0) { ++ DEBUGASSERT((size_t)nread <= len); ++ } ++ else if(nread == 0) { ++ /* eof */ + *err = CURLE_OK; +- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err); +- if(nread < 0) { +- if(*err == CURLE_AGAIN && ntotal > 0) { +- /* we EAGAINed after having reed data, return the success amount */ +- *err = CURLE_OK; +- break; +- } +- /* we have a an error to report */ +- goto out; +- } +- else if(nread == 0) { +- /* eof */ +- break; +- } +- ntotal += (size_t)nread; +- DEBUGASSERT((size_t)ntotal <= len); + } +- nread = (ssize_t)ntotal; +-out: + CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, + nread, *err); + CF_DATA_RESTORE(cf, save); +-- +2.43.0 + diff --git a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch new file mode 100644 index 0000000..39b2f31 --- /dev/null +++ b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch @@ -0,0 +1,83 @@ +From c7438ccfceee373a75d6d890259cf2e6b5e0e203 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 14 Feb 2024 16:27:23 +0100 +Subject: [PATCH] http_chunks: fix the accounting of consumed bytes + +Prior to this change chunks were handled correctly although in verbose +mode libcurl could incorrectly warn of "Leftovers after chunking" even +if there were none. + +Reported-by: Michael Kaufmann + +Fixes https://github.com/curl/curl/issues/12937 +Closes https://github.com/curl/curl/pull/12939 + +(cherry picked from commit 59e2c78af3a5588d6e6ae6d2223b222f067e054b) +Signed-off-by: Jan Macku +--- + lib/http_chunks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/lib/http_chunks.c b/lib/http_chunks.c +index 039c179c4..ad1ee9ada 100644 +--- a/lib/http_chunks.c ++++ b/lib/http_chunks.c +@@ -152,6 +152,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->hexbuffer[ch->hexindex++] = *buf; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + char *endptr; +@@ -189,6 +190,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_DATA: +@@ -236,6 +238,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER: +@@ -293,6 +296,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER_CR: +@@ -300,6 +304,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->state = CHUNK_TRAILER_POSTCR; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + ch->state = CHUNK_FAILED; +@@ -320,6 +325,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + /* skip if CR */ + buf++; + blen--; ++ (*pconsumed)++; + } + /* now wait for the final LF */ + ch->state = CHUNK_STOP; +@@ -328,6 +334,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + case CHUNK_STOP: + if(*buf == 0x0a) { + blen--; ++ (*pconsumed)++; + /* Record the length of any data left in the end of the buffer + even if there's no more chunks to read */ + ch->datasize = blen; +-- +2.43.2 + diff --git a/0005-curl-8.6.0-CVE-2024-2004.patch b/0005-curl-8.6.0-CVE-2024-2004.patch new file mode 100644 index 0000000..770c391 --- /dev/null +++ b/0005-curl-8.6.0-CVE-2024-2004.patch @@ -0,0 +1,138 @@ +From c8dac4ba172c145dbdf924a5e309fe7539b3610e Mon Sep 17 00:00:00 2001 +From: Daniel Gustafsson +Date: Tue, 27 Feb 2024 15:43:56 +0100 +Subject: [PATCH 1/2] setopt: Fix disabling all protocols + +When disabling all protocols without enabling any, the resulting +set of allowed protocols remained the default set. Clearing the +allowed set before inspecting the passed value from --proto make +the set empty even in the errorpath of no protocols enabled. + +Co-authored-by: Dan Fandrich +Reported-by: Dan Fandrich +Reviewed-by: Daniel Stenberg +Closes: #13004 +(cherry picked from commit 17d302e56221f5040092db77d4f85086e8a20e0e) +Signed-off-by: Jan Macku +--- + lib/setopt.c | 16 ++++++++-------- + tests/data/Makefile.inc | 2 +- + tests/data/test1474 | 42 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 51 insertions(+), 9 deletions(-) + create mode 100644 tests/data/test1474 + +diff --git a/lib/setopt.c b/lib/setopt.c +index a5270773f..3891eb679 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -155,6 +155,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp) + + static CURLcode protocol2num(const char *str, curl_prot_t *val) + { ++ /* ++ * We are asked to cherry-pick protocols, so play it safe and disallow all ++ * protocols to start with, and re-add the wanted ones back in. ++ */ ++ *val = 0; ++ + if(!str) + return CURLE_BAD_FUNCTION_ARGUMENT; + +@@ -163,8 +169,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val) + return CURLE_OK; + } + +- *val = 0; +- + do { + const char *token = str; + size_t tlen; +@@ -2657,22 +2661,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + break; + + case CURLOPT_PROTOCOLS_STR: { +- curl_prot_t prot; + argptr = va_arg(param, char *); +- result = protocol2num(argptr, &prot); ++ result = protocol2num(argptr, &data->set.allowed_protocols); + if(result) + return result; +- data->set.allowed_protocols = prot; + break; + } + + case CURLOPT_REDIR_PROTOCOLS_STR: { +- curl_prot_t prot; + argptr = va_arg(param, char *); +- result = protocol2num(argptr, &prot); ++ result = protocol2num(argptr, &data->set.redir_protocols); + if(result) + return result; +- data->set.redir_protocols = prot; + break; + } + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index cd393da75..011aa4607 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -186,7 +186,7 @@ test1439 test1440 test1441 test1442 test1443 test1444 test1445 test1446 \ + test1447 test1448 test1449 test1450 test1451 test1452 test1453 test1454 \ + test1455 test1456 test1457 test1458 test1459 test1460 test1461 test1462 \ + test1463 test1464 test1465 test1466 test1467 test1468 test1469 test1470 \ +-test1471 test1472 test1473 test1475 test1476 test1477 test1478 \ ++test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 \ + \ + test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ + test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \ +diff --git a/tests/data/test1474 b/tests/data/test1474 +new file mode 100644 +index 000000000..c66fa2810 +--- /dev/null ++++ b/tests/data/test1474 +@@ -0,0 +1,42 @@ ++ ++ ++ ++HTTP ++HTTP GET ++--proto ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++none ++ ++ ++http ++ ++ ++--proto -all disables all protocols ++ ++ ++--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 1 - Protocol "http" disabled ++ ++1 ++ ++ ++ +-- +2.44.0 + diff --git a/0006-curl-8.6.0-CVE-2024-2398.patch b/0006-curl-8.6.0-CVE-2024-2398.patch new file mode 100644 index 0000000..a431c53 --- /dev/null +++ b/0006-curl-8.6.0-CVE-2024-2398.patch @@ -0,0 +1,95 @@ +From 62ff9aab364ca19cf858972aa1b1f00042763a8a Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 + +(cherry picked from commit deca8039991886a559b67bcd6701db800a5cf764) +Signed-off-by: Jan Macku +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index c3157d1ef..501dc355f 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf, + return CURLE_OK; + } + ++static void free_push_headers(struct stream_ctx *stream) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + static void http2_data_done(struct Curl_cfilter *cf, + struct Curl_easy *data, bool premature) + { +@@ -317,15 +326,7 @@ static void http2_data_done(struct Curl_cfilter *cf, + Curl_bufq_free(&stream->recvbuf); + Curl_h1_req_parse_free(&stream->h1); + Curl_dynhds_free(&stream->resp_trailers); +- if(stream->push_headers) { +- /* if they weren't used and then freed before */ +- for(; stream->push_headers_used > 0; --stream->push_headers_used) { +- free(stream->push_headers[stream->push_headers_used - 1]); +- } +- free(stream->push_headers); +- stream->push_headers = NULL; +- } +- ++ free_push_headers(stream); + free(stream); + H2_STREAM_LCTX(data) = NULL; + } +@@ -872,7 +873,6 @@ static int push_promise(struct Curl_cfilter *cf, + struct curl_pushheaders heads; + CURLMcode rc; + CURLcode result; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = h2_duphandle(cf, data); + if(!newhandle) { +@@ -917,11 +917,7 @@ static int push_promise(struct Curl_cfilter *cf, + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); +@@ -1468,14 +1464,14 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, + if(stream->push_headers_alloc > 1000) { + /* this is beyond crazy many headers, bail out */ + failf(data_s, "Too many PUSH_PROMISE headers"); +- Curl_safefree(stream->push_headers); ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; +-- +2.44.0 + diff --git a/0007-curl-8.6.0-CVE-2024-6197.patch b/0007-curl-8.6.0-CVE-2024-6197.patch new file mode 100644 index 0000000..ae5bf6c --- /dev/null +++ b/0007-curl-8.6.0-CVE-2024-6197.patch @@ -0,0 +1,25 @@ +From 5e1d97ac8d3ffebfaf50afe8641486ffc17ec9ba Mon Sep 17 00:00:00 2001 +From: z2_ <88509734+z2-2z@users.noreply.github.com> +Date: Fri, 28 Jun 2024 14:45:47 +0200 +Subject: [PATCH] x509asn1: remove superfluous free() + +(cherry picked from commit 3a537a4db9e65e545ec45b1b5d5575ee09a2569d) +--- + lib/vtls/x509asn1.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c +index da079361d..2ccf6327a 100644 +--- a/lib/vtls/x509asn1.c ++++ b/lib/vtls/x509asn1.c +@@ -389,7 +389,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end) + if(wc >= 0x00000800) { + if(wc >= 0x00010000) { + if(wc >= 0x00200000) { +- free(buf); + /* Invalid char. size for target encoding. */ + return CURLE_WEIRD_SERVER_REPLY; + } +-- +2.45.2 + diff --git a/0008-curl-8.6.0-speed-throttling-precision-issues.patch b/0008-curl-8.6.0-speed-throttling-precision-issues.patch new file mode 100644 index 0000000..6d52194 --- /dev/null +++ b/0008-curl-8.6.0-speed-throttling-precision-issues.patch @@ -0,0 +1,45 @@ +From 6db0d23dea968e65091261b9daa69325557e5ad0 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Tue, 5 Mar 2024 11:08:55 +0100 +Subject: [PATCH 1/2] transfer.c: break receive loop in speed limited transfers + +- the change breaks looping in transfer.c receive for transfers that are + speed limited on having gotten *some* bytes. +- the overall speed limit timing is done in multi.c + +Reported-by: Dmitry Karpov +Bug: https://curl.se/mail/lib-2024-03/0001.html +Closes #13050 + +(cherry picked from commit db5c9f4f9e0779b49624752b135281a0717b277b) +--- + lib/transfer.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 3ae4b61c0..6ceefd637 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -492,13 +492,14 @@ static CURLcode readwrite_data(struct Curl_easy *data, + buf = data->state.buffer; + bytestoread = data->set.buffer_size; + +- /* Observe any imposed speed limit */ + if(bytestoread && data->set.max_recv_speed) { +- curl_off_t net_limit = data->set.max_recv_speed - total_received; +- if(net_limit <= 0) ++ /* In case of speed limit on receiving: if this loop already got ++ * data, break out. If not, limit the amount of bytes to receive. ++ * The overall, timed, speed limiting is done in multi.c */ ++ if(total_received) + break; +- if((size_t)net_limit < bytestoread) +- bytestoread = (size_t)net_limit; ++ if((size_t)data->set.max_recv_speed < bytestoread) ++ bytestoread = (size_t)data->set.max_recv_speed; + } + + nread = Curl_xfer_recv_resp(data, buf, bytestoread, +-- +2.45.2 + diff --git a/0009-curl-8.6.0-speed-limiting-fix-for-32bit-systems.patch b/0009-curl-8.6.0-speed-limiting-fix-for-32bit-systems.patch new file mode 100644 index 0000000..4928dfb --- /dev/null +++ b/0009-curl-8.6.0-speed-limiting-fix-for-32bit-systems.patch @@ -0,0 +1,41 @@ +From 478cab9651d332d1bcb02114895d5a664ce6725a Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 26 Jul 2024 10:38:45 +0200 +Subject: [PATCH 2/2] transfer: speed limiting fix for 32bit systems + +When checking if a speed limit on receives applies, compare the receive +sizes using the large int type to prevent an overflow on systems where +size_t is 32bit. + +Fixes #14272 +Reported-by: Mamoru Tasaka +Closes #14277 + +(cherry picked from commit fc273027f16df2dd1eb66ffc7df417f605199e35) +--- + lib/transfer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 6ceefd637..66e444aa1 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -492,13 +492,13 @@ static CURLcode readwrite_data(struct Curl_easy *data, + buf = data->state.buffer; + bytestoread = data->set.buffer_size; + +- if(bytestoread && data->set.max_recv_speed) { ++ if(bytestoread && data->set.max_recv_speed > 0) { + /* In case of speed limit on receiving: if this loop already got + * data, break out. If not, limit the amount of bytes to receive. + * The overall, timed, speed limiting is done in multi.c */ + if(total_received) + break; +- if((size_t)data->set.max_recv_speed < bytestoread) ++ if(data->set.max_recv_speed < (curl_off_t)bytestoread) + bytestoread = (size_t)data->set.max_recv_speed; + } + +-- +2.45.2 + diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index f7f66e6..328d3a4 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,85 +1,84 @@ -From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 +From 84b7e1cf486761e99361f5dcf5879cd7baf51b58 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Tue, 16 Dec 2025 10:04:40 +0100 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +Date: Thu, 1 Feb 2024 13:01:23 +0100 +Subject: [PATCH 2/2] prevent multilib conflicts on the curl-config script --- - curl-config.in | 23 +++++------------------ - docs/curl-config.md | 4 +++- - libcurl.pc.in | 1 + + curl-config.in | 23 +++++------------------ + docs/curl-config.1 | 4 +++- + libcurl.pc.in | 1 + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index a1c8185875..bb43ca8335 100644 +index 54f92d9..15a60da 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -74,7 +74,7 @@ while test "$#" -gt 0; do - ;; +@@ -78,7 +78,7 @@ while test $# -gt 0; do + ;; - --cc) -- echo '@CC@' -+ echo 'gcc' - ;; + --cc) +- echo "@CC@" ++ echo "gcc" + ;; - --prefix) -@@ -149,16 +149,7 @@ while test "$#" -gt 0; do - ;; + --prefix) +@@ -157,32 +157,19 @@ while test $# -gt 0; do + ;; - --libs) -- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then -- curllibdir="-L@libdir@ " -- else -- curllibdir='' -- fi -- if test '@ENABLE_SHARED@' = 'no'; then -- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" -- else -- echo "${curllibdir}-lcurl" -- fi -+ echo '-lcurl' - ;; + --libs) +- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- CURLLIBDIR="-L@libdir@ " +- else +- CURLLIBDIR="" +- fi +- if test "X@ENABLE_SHARED@" = "Xno"; then +- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ +- else +- echo ${CURLLIBDIR}-lcurl +- fi ++ echo -lcurl + ;; + --ssl-backends) + echo "@SSL_BACKENDS@" + ;; - --ssl-backends) -@@ -166,16 +157,12 @@ while test "$#" -gt 0; do - ;; + --static-libs) +- if test "X@ENABLE_STATIC@" != "Xno" ; then +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ +- else +- echo "curl was built with static libraries disabled" >&2 +- exit 1 +- fi ++ echo "curl was built with static libraries disabled" >&2 ++ exit 1 + ;; - --static-libs) -- if test '@ENABLE_STATIC@' != 'no'; then -- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" -- else -- echo 'curl was built with static libraries disabled' >&2 -- exit 1 -- fi -+ echo 'curl was built with static libraries disabled' >&2 -+ exit 1 - ;; + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; - - *) -diff --git a/docs/curl-config.md b/docs/curl-config.md -index 12ad245b79..fa0e03d273 100644 ---- a/docs/curl-config.md -+++ b/docs/curl-config.md -@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. - ## `--static-libs` - - Shows the complete set of libs and other linker options you need in order to --link your application with libcurl statically. (Added in 7.17.1) -+link your application with libcurl statically. Note that Fedora/RHEL libcurl + *) +diff --git a/docs/curl-config.1 b/docs/curl-config.1 +index c142cb9..0e189b4 100644 +--- a/docs/curl-config.1 ++++ b/docs/curl-config.1 +@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they will appear + comma\-separated. (Added in 7.58.0) + .IP --static-libs + Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl statically. (Added in 7.17.1) ++to link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - - ## `--version` - + .IP --version + Outputs version information about the installed libcurl. + .IP --vernum diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba5244a8..f3645e1748 100644 +index 9db6b0f..dcac692 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -28,6 +28,7 @@ libdir=@libdir@ +@@ -31,6 +31,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" @@ -88,5 +87,5 @@ index c0ba5244a8..f3645e1748 100644 Name: libcurl URL: https://curl.se/ -- -2.52.0 +2.43.0 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch new file mode 100644 index 0000000..1098583 --- /dev/null +++ b/0102-curl-7.84.0-test3026.patch @@ -0,0 +1,71 @@ +From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 27 Jun 2022 16:50:57 +0200 +Subject: [PATCH] test3026: disable valgrind + +It fails on x86_64 with: +``` + Use --max-threads=INT to specify a larger number of threads + and rerun valgrind + valgrind: the 'impossible' happened: + Max number of threads is too low + host stacktrace: + ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + sched status: + running_tid=1 + Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) + ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) + ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) + ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) + ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) + ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) + ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) + client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 + valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 +[...] +``` +--- + tests/data/test3026 | 3 +++ + tests/libtest/lib3026.c | 4 ++-- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tests/data/test3026 b/tests/data/test3026 +index fb80cc8..01f2ba5 100644 +--- a/tests/data/test3026 ++++ b/tests/data/test3026 +@@ -41,5 +41,8 @@ none + + 0 + ++ ++disable ++ + + +diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c +index 43fe335..70cd7a4 100644 +--- a/tests/libtest/lib3026.c ++++ b/tests/libtest/lib3026.c +@@ -147,8 +147,8 @@ int test(char *URL) + results[i] = CURL_LAST; /* initialize with invalid value */ + res = pthread_create(&tids[i], NULL, run_thread, &results[i]); + if(res) { +- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", +- __FILE__, __LINE__, res); ++ fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", ++ __FILE__, __LINE__, i, res); + tid_count = i; + test_failure = -1; + goto cleanup; +-- +2.37.1 + diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch new file mode 100644 index 0000000..04b2ba2 --- /dev/null +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -0,0 +1,30 @@ +From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 15 Feb 2023 10:42:38 +0100 +Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" + +While it might be useful for upstream developers, it is not so useful +for downstream consumers. + +This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. +--- + tests/runtests.pl | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 71644ad18..0cf85c3fe 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -55,8 +55,7 @@ + # given, this won't be a problem. + + use strict; +-# Promote all warnings to fatal +-use warnings FATAL => 'all'; ++use warnings; + use 5.006; + + # These should be the only variables that might be needed to get edited: +-- +2.39.1 + diff --git a/curl.rpmlintrc b/curl.rpmlintrc deleted file mode 100644 index 022a98e..0000000 --- a/curl.rpmlintrc +++ /dev/null @@ -1,15 +0,0 @@ -# Intentional stuff we're not concerned about -addFilter("unversioned-explicit-provides webclient") -addFilter("package-with-huge-docs") -addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4") - -# This is just plain wrong (%_configure redefinition) -addFilter("configure-without-libdir-spec") - -# Technical term -addFilter("E: spelling-error \('kerberos',") - -# Artefacts of RemovePathPostfixes: .minimal -addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal") -#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal") -#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal") diff --git a/curl.spec b/curl.spec index c0ad4db..54b8b20 100644 --- a/curl.spec +++ b/curl.spec @@ -1,40 +1,61 @@ -# OpenSSL ENGINE support -# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 -# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine -# Change the bcond to 0 to turn off ENGINE support by default -%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] - -# HTTP/3 support -# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's -# experimental native OpenSSL 3.5 support. -%bcond http3 %[0%{?fedora} >= 43] - Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0 -Release: 1%{?dist} +Version: 8.6.0 +Release: 10%{?dist} License: curl -Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz -Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc +Source0: https://curl.se/download/%{name}-%{version}.tar.xz +Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # The curl download page ( https://curl.se/download.html ) links # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# remove duplicate content from curl-config.1 +Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch + +# ignore response bode to HEAD requests +# https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa +Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch + +# revert "receive max buffer" + add test case +# it breaks pycurl tests suite +Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch + +# Fix: Leftovers after chunking should not be part of the curl buffer output +Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch + +# fix Usage of disabled protocol (CVE-2024-2004) +Patch005: 0005-curl-8.6.0-CVE-2024-2004.patch + +# fix HTTP/2 push headers memory-leak (CVE-2024-2398) +Patch006: 0006-curl-8.6.0-CVE-2024-2398.patch + +# fix freeing stack buffer in utf8asn1str (CVE-2024-6197) +Patch007: 0007-curl-8.6.0-CVE-2024-6197.patch + +# fix speed throttling precision issues in transfer.c +# https://curl.se/mail/lib-2024-03/0001.html +Patch008: 0008-curl-8.6.0-speed-throttling-precision-issues.patch + +# fix speed limiting fix for 32bit systems +# https://github.com/curl/curl/issues/14272 +Patch009: 0009-curl-8.6.0-speed-limiting-fix-for-32bit-systems.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch +# test3026: disable valgrind +Patch102: 0102-curl-7.84.0-test3026.patch + +# do not fail on warnings in the upstream test driver +Patch104: 0104-curl-7.88.0-tests-warnings.patch + Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ -%if 0%{?fedora} -# instead of bundled wcurl utility, recommend wcurl package -Recommends: wcurl -%endif - # The reason for maintaining two separate packages for curl is no longer valid. # The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. # For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 @@ -48,24 +69,14 @@ BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel BuildRequires: libnghttp2-devel -%if %{with http3} -BuildRequires: libnghttp3-devel -%endif BuildRequires: libpsl-devel BuildRequires: libssh-devel BuildRequires: libtool BuildRequires: make -%if %{with http3} -BuildRequires: ngtcp2-crypto-ossl-devel -%endif BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server -BuildRequires: openssl BuildRequires: openssl-devel -%if %{with openssl_engine_support} && 0%{?fedora} >= 41 -BuildRequires: openssl-devel-engine -%endif BuildRequires: perl-interpreter BuildRequires: pkgconfig BuildRequires: python-unversioned-command @@ -108,7 +119,6 @@ BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) -BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) BuildRequires: perl(List::Util) BuildRequires: perl(Memoize) @@ -143,19 +153,10 @@ BuildRequires: stunnel # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} -# Define OPENSSL_NO_ENGINE to avoid inclusion of -%if %{without openssl_engine_support} -%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE -%endif - # require at least the version of libnghttp2 that we were built against, # to ensure that we have the necessary symbols available (#2144277) %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) -# require at least the version of libnghttp3 that we were built against, -# to ensure that we have the necessary symbols available -%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) - # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) @@ -164,10 +165,6 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) -# require at least the version of ngtcp2 that we were built against, -# to ensure that we have the necessary symbols available -%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) - # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, #1462211) # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) @@ -184,14 +181,8 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} -%if %{with http3} -Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} -%endif Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} -%if %{with http3} -Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} -%endif Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} @@ -236,11 +227,14 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%autosetup -n %{name}-%{version_no_tilde} -p1 +%autosetup -p1 +# temporarily disable test 0313 +# +# # disable test 1801 # -printf "1801\n" >>tests/data/DISABLED +printf "313\n1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -260,14 +254,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) -# avoid unnecessary arch-dependent line in the processed file -sed -e '/# Used in @libdir@/d' \ - -i curl-config.in - -%build # regenerate the configure script and Makefile.in files autoreconf -fiv +%build mkdir build-{full,minimal} export common_configure_opts=" \ --cache-file=../config.cache \ @@ -281,8 +271,7 @@ export common_configure_opts=" \ --with-gssapi \ --with-libidn2 \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ - --with-zsh-functions-dir" + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" %global _configure ../configure @@ -297,6 +286,7 @@ export common_configure_opts=" \ --disable-ldaps \ --disable-mqtt \ --disable-ntlm \ + --disable-ntlm-wb \ --disable-pop3 \ --disable-rtsp \ --disable-smb \ @@ -321,6 +311,7 @@ export common_configure_opts=" \ --enable-ldaps \ --enable-mqtt \ --enable-ntlm \ + --enable-ntlm-wb \ --enable-pop3 \ --enable-rtsp \ --enable-smb \ @@ -331,11 +322,7 @@ export common_configure_opts=" \ --enable-websockets \ --with-brotli \ --with-libpsl \ - --with-libssh \ -%if %{with http3} - --with-nghttp3 \ - --with-ngtcp2 \ -%endif + --with-libssh ) # avoid using rpath @@ -391,30 +378,32 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal cd build-full %make_install +# install zsh completion for curl +# (we have to override LD_LIBRARY_PATH because we eliminated rpath) +LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ + %make_install -C scripts + # do not install /usr/share/fish/completions/curl.fish which is also installed # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la -# do not install bundled wcurl utility -# it is provided by the wcurl package -rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl -rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* +# Don't install man for mk-ca-bundle it's upstream bug +# should be fixed in next release https://github.com/curl/curl/pull/12843 +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES.md +%doc CHANGES %doc README %doc docs/BUGS.md -%doc docs/DISTROS.md -%doc docs/FAQ.md +%doc docs/FAQ %doc docs/FEATURES.md -%doc docs/KNOWN_BUGS.md -%doc docs/TODO.md +%doc docs/TODO %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* @@ -442,176 +431,16 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Wed Jan 07 2026 Jan Macku - 8.18.0-1 -- new upstream release +* Tue Jul 30 2024 Jan Macku - 8.6.0-10 +- fix speed throttling precision issues in transfer.c +- fix speed limiting fix for 32bit systems -* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 -- new upstream release candidate +* Thu Jul 25 2024 Jan Macku - 8.6.0-9 +- fix freeing stack buffer in utf8asn1str (CVE-2024-6197) -* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 -- new upstream release candidate -- reenable valgrind on test 616 - -* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 -- new upstream release candidate -- drop upstreamed patches - -* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 -- Enable HTTP/3 support with ngtcp2 - -* Thu Dec 04 2025 Jan Macku - 8.17.0-4 -- apply upstream patches for valgrind issues in HTTP/3 (#2408809) - -* Thu Nov 13 2025 Jan Macku - 8.17.0-3 -- recommend wcurl package instead of bundled wcurl utility - -* Thu Nov 13 2025 Jan Macku - 8.17.0-2 -- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead - -* Mon Nov 10 2025 Jan Macku - 8.17.0-1 -- new upstream release - -* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 -- new upstream release candidate - -* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 -- new upstream release candidate - -* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 -- new upstream release candidate - -* Wed Sep 10 2025 Jan Macku - 8.16.0-1 -- new upstream release - -* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 -- new upstream release candidate - -* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 -- new upstream release candidate - -* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Wed Jul 16 2025 Jan Macku - 8.15.0-1 -- new upstream release - -* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 -- new upstream release candidate - -* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 -- new upstream release candidate - -* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 -- new upstream release candidate - -* Wed Jun 04 2025 Jan Macku - 8.14.1-1 -- new upstream release -- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) - -* Wed May 28 2025 Jan Macku - 8.14.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2025-5025 - No QUIC certificate pinning with wolfSSL - CVE-2025-4947 - QUIC certificate check skip with wolfSSL -- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles - -* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 -- new upstream release candidate -- new utility: wcurl which lets you download URLs without having to remember any parameters - -* Wed Apr 02 2025 Jan Macku - 8.13.0-1 -- new upstream release -- add build time dependency on openssl (required by tests) - -* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 -- new upstream release candidate -- drop: 0102-curl-7.84.0-test3026.patch (no longer needed) - -* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 -- new upstream release candidate - -* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 -- fix --cert parameter (#2351531) - -* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 -- new upstream release candidate - -* Wed Feb 05 2025 Jan Macku - 8.12.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2025-0725 - gzip integer overflow - CVE-2025-0665 - eventfd double close - CVE-2025-0167 - netrc and default credential leak -- drop upstreamed patches - -* Fri Jan 31 2025 Jan Macku - 8.11.1-4 -- TLS: check connection for SSL use, not handler (#2324130#c7) - -* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Sun Dec 15 2024 Paul Howarth - 8.11.1-2 -- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) - - https://github.com/curl/curl/issues/15725 - - https://github.com/curl/curl/pull/15727 - -* Wed Dec 11 2024 Jan Macku - 8.11.1-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2024-11053 - netrc and redirect credential leak - -* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 -- Disable engine support on RHEL 10+ - -* Wed Nov 06 2024 Jan Macku - 8.11.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2024-9681 - HSTS subdomain overwrites parent cache entry - -* Tue Sep 24 2024 Jan Macku - 8.10.1-2 -- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) - -* Wed Sep 18 2024 Jan Macku - 8.10.1-1 -- new upstream release - -* Wed Sep 11 2024 Jan Macku - 8.10.0-1 -- new upstream release - -* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 -- Retire deprecated ntlm-wb configure option - -* Mon Aug 5 2024 voidanix - 8.9.1-2 -- Apply SIGPIPE-related patch due to upstream regression - -* Wed Jul 24 2024 Jan Macku - 8.9.1-1 -- new upstream release - -* Wed Jul 24 2024 Jan Macku - 8.9.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2024-6874 - macidn punycode buffer overread - CVE-2024-6197 - freeing stack buffer in utf8asn1str -- drop upstreamed patches - -* Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Fri Jul 12 2024 Paul Howarth - 8.8.0-2 -- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine -- added build condition for openssl_engine_support, true by default so as to - not change the resulting built package (yet) -- with openssl_engine_support true, BR: openssl-devel-engine -- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE - -* Wed May 22 2024 Jan Macku - 8.8.0-1 -- new upstream release -- drop upstreamed patches - -* Wed Mar 27 2024 Jan Macku - 8.7.1-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2024-2004 - Usage of disabled protocol - CVE-2024-2379 - QUIC certificate check bypass with wolfSSL - CVE-2024-2398 - HTTP/2 push headers memory-leak - CVE-2024-2466 - TLS certificate check bypass with mbedTLS -- drop upstreamed patches -- reenable test 0313 -- fix zsh completions, use --with-zsh-functions-dir -- apply upstream patches for 8.7.1 issues and regressions +* Wed Apr 03 2024 Jan Macku - 8.6.0-8 +- fix Usage of disabled protocol (CVE-2024-2004) +- fix HTTP/2 push headers memory-leak (CVE-2024-2398) * Mon Feb 19 2024 Jan Macku - 8.6.0-7 - Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) diff --git a/sources b/sources index 002e494..9c9d4a1 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c -SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152 +SHA512 (curl-8.6.0.tar.xz) = 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036 +SHA512 (curl-8.6.0.tar.xz.asc) = 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 0d72276..4d51e62 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM -CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure"