From 98c91c9f34a7abcae20ea93db599e13cafffca12 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 10:05:29 +0100 Subject: [PATCH 001/120] new upstream release - 7.88.0 Resolves: CVE-2023-23916 - HTTP multi-header compression denial of service Resolves: CVE-2023-23915 - HSTS amnesia with --parallel Resolves: CVE-2023-23914 - HSTS ignored on multiple requests --- 0001-curl-7.87.0-header-file-regression.patch | 55 ------------------- curl.spec | 14 +++-- sources | 4 +- 3 files changed, 10 insertions(+), 63 deletions(-) delete mode 100644 0001-curl-7.87.0-header-file-regression.patch diff --git a/0001-curl-7.87.0-header-file-regression.patch b/0001-curl-7.87.0-header-file-regression.patch deleted file mode 100644 index 9c479dc..0000000 --- a/0001-curl-7.87.0-header-file-regression.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 613d3c45879636e88b88fcebee48dc77de345291 Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat -Date: Fri, 23 Dec 2022 15:35:27 +0100 -Subject: [PATCH] typecheck: accept expressions for option/info parameters - -As expressions can have side effects, evaluate only once. - -To enable deprecation reporting only once, get rid of the __typeof__ -use to define the local temporary variable and use the target type -(CURLoption/CURLINFO). This also avoids multiple reports on type -conflicts (if some) by the curlcheck_* macros. - -Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not -their values: a curl_easy_setopt call with an integer constant as option -will never report a deprecation. - -Reported-by: Thomas Klausner -Fixes #10148 -Closes #10149 - -Upstream-commit: e2aed004302e51cfa5b6ce8c8ab65ef92aa83196 -Signed-off-by: Kamil Dudka ---- - include/curl/typecheck-gcc.h | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h -index bf655bb..85aa8b7 100644 ---- a/include/curl/typecheck-gcc.h -+++ b/include/curl/typecheck-gcc.h -@@ -42,9 +42,8 @@ - */ - #define curl_easy_setopt(handle, option, value) \ - __extension__({ \ -- CURL_IGNORE_DEPRECATION(__typeof__(option) _curl_opt = option;) \ -+ CURLoption _curl_opt = (option); \ - if(__builtin_constant_p(_curl_opt)) { \ -- (void) option; \ - CURL_IGNORE_DEPRECATION( \ - if(curlcheck_long_option(_curl_opt)) \ - if(!curlcheck_long(value)) \ -@@ -120,9 +119,8 @@ - /* wraps curl_easy_getinfo() with typechecking */ - #define curl_easy_getinfo(handle, info, arg) \ - __extension__({ \ -- CURL_IGNORE_DEPRECATION(__typeof__(info) _curl_info = info;) \ -+ CURLINFO _curl_info = (info); \ - if(__builtin_constant_p(_curl_info)) { \ -- (void) info; \ - CURL_IGNORE_DEPRECATION( \ - if(curlcheck_string_info(_curl_info)) \ - if(!curlcheck_arr((arg), char *)) \ --- -2.39.0 - diff --git a/curl.spec b/curl.spec index 61f3004..7207a18 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.87.0 -Release: 4%{?dist} +Version: 7.88.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix regression in a public header file (#2162716) -Patch1: 0001-curl-7.87.0-header-file-regression.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -200,7 +197,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -435,6 +431,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 15 2023 Kamil Dudka - 7.88.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-23916 - HTTP multi-header compression denial of service + CVE-2023-23915 - HSTS amnesia with --parallel + CVE-2023-23914 - HSTS ignored on multiple requests + * Fri Jan 20 2023 Kamil Dudka - 7.87.0-4 - fix regression in a public header file (#2162716) diff --git a/sources b/sources index 7906eb7..5c159bb 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.87.0.tar.xz) = aa125991592667280dce3788aabe81487cf8c55b0afc59d675cc30b76055bb7114f5380b4a0e3b6461a8f81bf9812fa26d493a85f7e01d84263d484a0d699ee7 -SHA512 (curl-7.87.0.tar.xz.asc) = 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4 +SHA512 (curl-7.88.0.tar.xz) = 2008cbc67694f746b7449f087a19b2a9a4950333d6bac1cdc7d80351aa38d8d9b442087dedbc7b0909a419d3b10f510521c942aac012d04a53c32bdb15dce5f0 +SHA512 (curl-7.88.0.tar.xz.asc) = 6f3d9a5f8fcec64652f872adf994ff3d0162fba1b483a0e359522173bf29ef3d26eeda7c328207fa1fa974a45e62674a3a8ebec21830ab3981b56851d5804ade From f3c2fe3549a681755a71e827de1de4085fd1c343 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 10:46:00 +0100 Subject: [PATCH 002/120] do not fail on warnings in the upstream test driver --- 0104-curl-7.88.0-tests-warnings.patch | 30 +++++++++++++++++++++++++++ curl.spec | 4 ++++ 2 files changed, 34 insertions(+) create mode 100644 0104-curl-7.88.0-tests-warnings.patch diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch new file mode 100644 index 0000000..dff89f9 --- /dev/null +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -0,0 +1,30 @@ +From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 15 Feb 2023 10:42:38 +0100 +Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" + +While it might be useful for upstream developers, it is not so useful +for downstream consumers. + +This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. +--- + tests/runtests.pl | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 71644ad18..0cf85c3fe 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -75,8 +75,7 @@ BEGIN { + } + + use strict; +-# Promote all warnings to fatal +-use warnings FATAL => 'all'; ++use warnings; + use Cwd; + use Digest::MD5 qw(md5); + use MIME::Base64; +-- +2.39.1 + diff --git a/curl.spec b/curl.spec index 7207a18..7d58071 100644 --- a/curl.spec +++ b/curl.spec @@ -19,6 +19,9 @@ Patch102: 0102-curl-7.84.0-test3026.patch # test3012: temporarily disable valgrind (#2143040) Patch103: 0103-curl-7.87.0-test3012.patch +# do not fail on warnings in the upstream test driver +Patch104: 0104-curl-7.88.0-tests-warnings.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -202,6 +205,7 @@ be installed. %patch101 -p1 %patch102 -p1 %patch103 -p1 +%patch104 -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 From bdbf01f50c45ac08a7b8ce4ae889e508253b3da0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 12:53:26 +0100 Subject: [PATCH 003/120] add glibc-langpack-en BR needed for test1560 to succeed Suggested-by: Paul Howarth --- curl.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/curl.spec b/curl.spec index 7d58071..353e082 100644 --- a/curl.spec +++ b/curl.spec @@ -60,6 +60,9 @@ BuildRequires: perl(Pod::Usage) BuildRequires: perl(strict) BuildRequires: perl(warnings) +# needed for test1560 to succeed +BuildRequires: glibc-langpack-en + # gnutls-serv is used by the upstream test-suite BuildRequires: gnutls-utils From 531c0747a3ec8803d52a96f53b64c0823f72a7a0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 14:51:53 +0100 Subject: [PATCH 004/120] share HSTS between handles Resolves: CVE-2023-23915 - HSTS amnesia with --parallel Resolves: CVE-2023-23914 - HSTS ignored on multiple requests --- 0006-curl-7.87.0-hsts-CVEs.patch | 575 +++++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 583 insertions(+), 1 deletion(-) create mode 100644 0006-curl-7.87.0-hsts-CVEs.patch diff --git a/0006-curl-7.87.0-hsts-CVEs.patch b/0006-curl-7.87.0-hsts-CVEs.patch new file mode 100644 index 0000000..759ece8 --- /dev/null +++ b/0006-curl-7.87.0-hsts-CVEs.patch @@ -0,0 +1,575 @@ +From 117fce3d4fe11c36a20403cd4d6850e5b8771b41 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:20 +0100 +Subject: [PATCH 1/5] share: add sharing of HSTS cache among handles + +Closes #10138 + +Upstream-commit: 076a2f629119222aeeb50f5a03bf9f9052fabb9a +Signed-off-by: Kamil Dudka +--- + docs/libcurl/opts/CURLSHOPT_SHARE.3 | 4 +++ + docs/libcurl/symbols-in-versions | 1 + + include/curl/curl.h | 1 + + lib/hsts.c | 15 +++++++++ + lib/hsts.h | 2 ++ + lib/setopt.c | 48 ++++++++++++++++++++++++----- + lib/share.c | 32 +++++++++++++++++-- + lib/share.h | 6 +++- + lib/transfer.c | 3 ++ + lib/url.c | 6 +++- + lib/urldata.h | 2 ++ + 11 files changed, 109 insertions(+), 11 deletions(-) + +diff --git a/docs/libcurl/opts/CURLSHOPT_SHARE.3 b/docs/libcurl/opts/CURLSHOPT_SHARE.3 +index 92783b6..b15af82 100644 +--- a/docs/libcurl/opts/CURLSHOPT_SHARE.3 ++++ b/docs/libcurl/opts/CURLSHOPT_SHARE.3 +@@ -79,6 +79,10 @@ Added in 7.61.0. + + Note that when you use the multi interface, all easy handles added to the same + multi handle will share PSL cache by default without using this option. ++.IP CURL_LOCK_DATA_HSTS ++The in-memory HSTS cache. ++ ++Added in 7.88.0 + .SH PROTOCOLS + All + .SH EXAMPLE +diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 5ee245d..41fffc3 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -73,6 +73,7 @@ CURL_LOCK_ACCESS_SINGLE 7.10.3 + CURL_LOCK_DATA_CONNECT 7.10.3 + CURL_LOCK_DATA_COOKIE 7.10.3 + CURL_LOCK_DATA_DNS 7.10.3 ++CURL_LOCK_DATA_HSTS 7.88.0 + CURL_LOCK_DATA_NONE 7.10.3 + CURL_LOCK_DATA_PSL 7.61.0 + CURL_LOCK_DATA_SHARE 7.10.4 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 139df99..5758e3b 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -2953,6 +2953,7 @@ typedef enum { + CURL_LOCK_DATA_SSL_SESSION, + CURL_LOCK_DATA_CONNECT, + CURL_LOCK_DATA_PSL, ++ CURL_LOCK_DATA_HSTS, + CURL_LOCK_DATA_LAST + } curl_lock_data; + +diff --git a/lib/hsts.c b/lib/hsts.c +index c449120..339237b 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -39,6 +39,7 @@ + #include "parsedate.h" + #include "fopen.h" + #include "rename.h" ++#include "share.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -551,4 +552,18 @@ CURLcode Curl_hsts_loadcb(struct Curl_easy *data, struct hsts *h) + return CURLE_OK; + } + ++void Curl_hsts_loadfiles(struct Curl_easy *data) ++{ ++ struct curl_slist *l = data->set.hstslist; ++ if(l) { ++ Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE); ++ ++ while(l) { ++ (void)Curl_hsts_loadfile(data, data->hsts, l->data); ++ l = l->next; ++ } ++ Curl_share_unlock(data, CURL_LOCK_DATA_HSTS); ++ } ++} ++ + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ +diff --git a/lib/hsts.h b/lib/hsts.h +index 0e36a77..3da7574 100644 +--- a/lib/hsts.h ++++ b/lib/hsts.h +@@ -59,9 +59,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_easy *data, + struct hsts *h, const char *file); + CURLcode Curl_hsts_loadcb(struct Curl_easy *data, + struct hsts *h); ++void Curl_hsts_loadfiles(struct Curl_easy *data); + #else + #define Curl_hsts_cleanup(x) + #define Curl_hsts_loadcb(x,y) CURLE_OK + #define Curl_hsts_save(x,y,z) ++#define Curl_hsts_loadfiles(x) + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ + #endif /* HEADER_CURL_HSTS_H */ +diff --git a/lib/setopt.c b/lib/setopt.c +index b77e95b..f71a606 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2260,9 +2260,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + data->cookies = NULL; + #endif + ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts == data->hsts) ++ data->hsts = NULL; ++#endif ++#ifdef USE_SSL + if(data->share->sslsession == data->state.session) + data->state.session = NULL; +- ++#endif + #ifdef USE_LIBPSL + if(data->psl == &data->share->psl) + data->psl = data->multi? &data->multi->psl: NULL; +@@ -2296,10 +2301,19 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + data->cookies = data->share->cookies; + } + #endif /* CURL_DISABLE_HTTP */ ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts) { ++ /* first free the private one if any */ ++ Curl_hsts_cleanup(&data->hsts); ++ data->hsts = data->share->hsts; ++ } ++#endif /* CURL_DISABLE_HTTP */ ++#ifdef USE_SSL + if(data->share->sslsession) { + data->set.general_ssl.max_ssl_sessions = data->share->max_ssl_sessions; + data->state.session = data->share->sslsession; + } ++#endif + #ifdef USE_LIBPSL + if(data->share->specifier & (1 << CURL_LOCK_DATA_PSL)) + data->psl = &data->share->psl; +@@ -3049,19 +3063,39 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case CURLOPT_HSTSWRITEDATA: + data->set.hsts_write_userp = va_arg(param, void *); + break; +- case CURLOPT_HSTS: ++ case CURLOPT_HSTS: { ++ struct curl_slist *h; + if(!data->hsts) { + data->hsts = Curl_hsts_init(); + if(!data->hsts) + return CURLE_OUT_OF_MEMORY; + } + argptr = va_arg(param, char *); +- result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); +- if(result) +- return result; +- if(argptr) +- (void)Curl_hsts_loadfile(data, data->hsts, argptr); ++ if(argptr) { ++ result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); ++ if(result) ++ return result; ++ /* this needs to build a list of file names to read from, so that it can ++ read them later, as we might get a shared HSTS handle to load them ++ into */ ++ h = curl_slist_append(data->set.hstslist, argptr); ++ if(!h) { ++ curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ return CURLE_OUT_OF_MEMORY; ++ } ++ data->set.hstslist = h; /* store the list for later use */ ++ } ++ else { ++ /* clear the list of HSTS files */ ++ curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ if(!data->share || !data->share->hsts) ++ /* throw away the HSTS cache unless shared */ ++ Curl_hsts_cleanup(&data->hsts); ++ } + break; ++ } + case CURLOPT_HSTS_CTRL: + arg = va_arg(param, long); + if(arg & CURLHSTS_ENABLE) { +diff --git a/lib/share.c b/lib/share.c +index 1a083e7..69ee00b 100644 +--- a/lib/share.c ++++ b/lib/share.c +@@ -29,9 +29,11 @@ + #include "share.h" + #include "psl.h" + #include "vtls/vtls.h" +-#include "curl_memory.h" ++#include "hsts.h" + +-/* The last #include file should be: */ ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" + #include "memdebug.h" + + struct Curl_share * +@@ -89,6 +91,18 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...) + #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(!share->hsts) { ++ share->hsts = Curl_hsts_init(); ++ if(!share->hsts) ++ res = CURLSHE_NOMEM; ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + if(!share->sslsession) { +@@ -141,6 +155,16 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...) + #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(share->hsts) { ++ Curl_hsts_cleanup(&share->hsts); ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + Curl_safefree(share->sslsession); +@@ -207,6 +231,10 @@ curl_share_cleanup(struct Curl_share *share) + Curl_cookie_cleanup(share->cookies); + #endif + ++#ifndef CURL_DISABLE_HSTS ++ Curl_hsts_cleanup(&share->hsts); ++#endif ++ + #ifdef USE_SSL + if(share->sslsession) { + size_t i; +diff --git a/lib/share.h b/lib/share.h +index 32be416..2449730 100644 +--- a/lib/share.h ++++ b/lib/share.h +@@ -59,10 +59,14 @@ struct Curl_share { + #ifdef USE_LIBPSL + struct PslCache psl; + #endif +- ++#ifndef CURL_DISABLE_HSTS ++ struct hsts *hsts; ++#endif ++#ifdef USE_SSL + struct Curl_ssl_session *sslsession; + size_t max_ssl_sessions; + long sessionage; ++#endif + }; + + CURLSHcode Curl_share_lock(struct Curl_easy *, curl_lock_data, +diff --git a/lib/transfer.c b/lib/transfer.c +index ba0410f..d433117 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1398,6 +1398,9 @@ CURLcode Curl_pretransfer(struct Curl_easy *data) + if(data->state.resolve) + result = Curl_loadhostpairs(data); + ++ /* If there is a list of hsts files to read */ ++ Curl_hsts_loadfiles(data); ++ + if(!result) { + /* Allow data->set.use_port to set which port to use. This needs to be + * disabled for example when we follow Location: headers to URLs using +diff --git a/lib/url.c b/lib/url.c +index 3ab63a0..831ae06 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -434,7 +434,11 @@ CURLcode Curl_close(struct Curl_easy **datap) + Curl_altsvc_save(data, data->asi, data->set.str[STRING_ALTSVC]); + Curl_altsvc_cleanup(&data->asi); + Curl_hsts_save(data, data->hsts, data->set.str[STRING_HSTS]); +- Curl_hsts_cleanup(&data->hsts); ++#ifndef CURL_DISABLE_HSTS ++ if(!data->share || !data->share->hsts) ++ Curl_hsts_cleanup(&data->hsts); ++ curl_slist_free_all(data->set.hstslist); /* clean up list */ ++#endif + #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) + Curl_http_auth_cleanup_digest(data); + #endif +diff --git a/lib/urldata.h b/lib/urldata.h +index 3d7545c..5b4b34f 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1662,6 +1662,8 @@ struct UserDefined { + + void *seek_client; /* pointer to pass to the seek callback */ + #ifndef CURL_DISABLE_HSTS ++ struct curl_slist *hstslist; /* list of HSTS files set by ++ curl_easy_setopt(HSTS) calls */ + curl_hstsread_callback hsts_read; + void *hsts_read_userp; + curl_hstswrite_callback hsts_write; +-- +2.39.1 + + +From 32066a5fa8f649da2aa7a4e4e86bc0b73d32212f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH 2/5] tool_operate: share HSTS between handles + +Upstream-commit: 0bf8b796a0ea98395b390c7807187982215f5c11 +Signed-off-by: Kamil Dudka +--- + src/tool_operate.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/tool_operate.c b/src/tool_operate.c +index 79db063..a5b024e 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -2722,6 +2722,7 @@ CURLcode operate(struct GlobalConfig *global, int argc, argv_item_t argv[]) + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION); + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT); + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_PSL); ++ curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS); + + /* Get the required arguments for each operation */ + do { +-- +2.39.1 + + +From fe6b64ac33a0994e5f50ef8b3d0916b3a248a7e8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH 3/5] hsts: handle adding the same host name again + +It will then use the largest expire time of the two entries. + +Upstream-commit: ca02a77f05bd5cef20618c8f741aa48b7be0a648 +Signed-off-by: Kamil Dudka +--- + lib/hsts.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/lib/hsts.c b/lib/hsts.c +index 339237b..8d6723e 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -426,14 +426,23 @@ static CURLcode hsts_add(struct hsts *h, char *line) + if(2 == rc) { + time_t expires = strcmp(date, UNLIMITED) ? Curl_getdate_capped(date) : + TIME_T_MAX; +- CURLcode result; ++ CURLcode result = CURLE_OK; + char *p = host; + bool subdomain = FALSE; ++ struct stsentry *e; + if(p[0] == '.') { + p++; + subdomain = TRUE; + } +- result = hsts_create(h, p, subdomain, expires); ++ /* only add it if not already present */ ++ e = Curl_hsts(h, p, subdomain); ++ if(!e) ++ result = hsts_create(h, p, subdomain, expires); ++ else { ++ /* the same host name, use the largest expire time */ ++ if(expires > e->expires) ++ e->expires = expires; ++ } + if(result) + return result; + } +-- +2.39.1 + + +From c52b93434c65ec8a44193a6f2b833a1efec8f643 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH 4/5] runtests: support crlf="yes" for verify/proxy + +Upstream-commit: dc0725244a3163f1e2d5f51165db3a1a430f3ba0 +Signed-off-by: Kamil Dudka +--- + tests/FILEFORMAT.md | 4 ++-- + tests/runtests.pl | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index 8143967..be11167 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -566,7 +566,7 @@ changing protocol data such as port numbers or user-agent strings. + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `` ++### `` + + the protocol dump curl should transmit, if `nonewline` is set, we will cut off + the trailing newline of this given data before comparing with the one actually +@@ -576,7 +576,7 @@ comparisons are made. + `crlf=yes` forces the newlines to become CRLF even if not written so in the + test. + +-### `` ++### `` + + The protocol dump curl should transmit to an HTTP proxy (when the http-proxy + server is used), if `nonewline` is set, we will cut off the trailing newline +diff --git a/tests/runtests.pl b/tests/runtests.pl +index c6a739e..f49e385 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -4744,6 +4744,11 @@ sub singletest { + } + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @protstrip; ++ } ++ + $res = compare($testnum, $testname, "proxy", \@out, \@protstrip); + if($res) { + return $errorreturncode; +-- +2.39.1 + + +From e428f66157caedc1f58ff5206915842937b0950e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH 5/5] test446: verify hsts with two URLs + +Upstream-commit: ea5aaaa5ede53819f8bc7ae767fc2d13d3704d37 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test446 | 84 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 85 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test446 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 3e0221a..fb51cd6 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -71,7 +71,7 @@ test408 test409 test410 test411 test412 test413 test414 test415 test416 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +-test440 test441 test442 test443 test444 test445 \ ++test440 test441 test442 test443 test444 test445 test446 \ + \ + test490 test491 test492 test493 test494 test495 test496 \ + \ +diff --git a/tests/data/test446 b/tests/data/test446 +new file mode 100644 +index 0000000..0e2dfdc +--- /dev/null ++++ b/tests/data/test446 +@@ -0,0 +1,84 @@ ++ ++ ++ ++ ++HTTP ++HTTP proxy ++HSTS ++trailing-dot ++ ++ ++ ++ ++ ++# we use this as response to a CONNECT ++ ++HTTP/1.1 200 OK ++ ++ ++ ++HTTP/1.1 200 OK ++Content-Length: 6 ++Strict-Transport-Security: max-age=604800 ++ ++-foo- ++ ++ ++HTTP/1.1 200 OK ++Content-Length: 6 ++Strict-Transport-Security: max-age=6048000 ++ ++-baa- ++ ++ ++ ++ ++ ++https ++http-proxy ++ ++ ++HSTS ++proxy ++https ++debug ++ ++ ++CURL_HSTS_HTTP=yes ++CURL_TIME=2000000000 ++ ++ ++ ++HSTS with two URLs ++ ++ ++-x http://%HOSTIP:%PROXYPORT --hsts log/hsts%TESTNUMBER http://this.hsts.example./%TESTNUMBER http://another.example.com/%TESTNUMBER0002 ++ ++ ++ ++ ++# we let it CONNECT to the server to confirm HSTS but deny from there ++ ++GET http://this.hsts.example./%TESTNUMBER HTTP/1.1 ++Host: this.hsts.example. ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://another.example.com/%TESTNUMBER0002 HTTP/1.1 ++Host: another.example.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ ++# Your HSTS cache. https://curl.se/docs/hsts.html ++# This file was generated by libcurl! Edit at your own risk. ++this.hsts.example "20330525 03:33:20" ++another.example.com "20330727 03:33:20" ++ ++ ++ ++ +-- +2.39.1 + diff --git a/curl.spec b/curl.spec index 61f3004..d5fb421 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -13,6 +13,9 @@ Source2: mykey.asc # fix regression in a public header file (#2162716) Patch1: 0001-curl-7.87.0-header-file-regression.patch +# share HSTS between handles (CVE-2023-23915 CVE-2023-23914) +Patch6: 0006-curl-7.87.0-hsts-CVEs.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -201,6 +204,7 @@ be installed. # upstream patches %patch1 -p1 +%patch6 -p1 # Fedora patches %patch101 -p1 @@ -435,6 +439,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 15 2023 Kamil Dudka - 7.87.0-5 +- share HSTS between handles (CVE-2023-23915 CVE-2023-23914) + * Fri Jan 20 2023 Kamil Dudka - 7.87.0-4 - fix regression in a public header file (#2162716) From 5e6ef31ed95b567e079bc7037390facd504218ae Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 18:01:30 +0100 Subject: [PATCH 005/120] Resolves: CVE-2023-23916 - fix HTTP multi-header compression denial of service --- 0007-curl-7.87.0-CVE-2023-23916.patch | 243 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 248 insertions(+) create mode 100644 0007-curl-7.87.0-CVE-2023-23916.patch diff --git a/0007-curl-7.87.0-CVE-2023-23916.patch b/0007-curl-7.87.0-CVE-2023-23916.patch new file mode 100644 index 0000000..b82ffc5 --- /dev/null +++ b/0007-curl-7.87.0-CVE-2023-23916.patch @@ -0,0 +1,243 @@ +From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Mon, 13 Feb 2023 08:33:09 +0100 +Subject: [PATCH] content_encoding: do not reset stage counter for each header + +Test 418 verifies + +Closes #10492 + +Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9 +Signed-off-by: Kamil Dudka +--- + lib/content_encoding.c | 7 +- + lib/urldata.h | 1 + + tests/data/Makefile.inc | 1 + + tests/data/test387 | 2 +- + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 158 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test418 + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index bfc13e2..94344d6 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1045,7 +1045,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; +- int counter = 0; + + do { + const char *name; +@@ -1080,9 +1079,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + +- if(++counter >= MAX_ENCODE_STACK) { +- failf(data, "Reject response due to %u content encodings", +- counter); ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to more than %u content encodings", ++ MAX_ENCODE_STACK); + return CURLE_BAD_CONTENT_ENCODING; + } + /* Stack the unencoding stage. */ +diff --git a/lib/urldata.h b/lib/urldata.h +index 5b4b34f..8c8c20b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -707,6 +707,7 @@ struct SingleRequest { + struct dohdata *doh; /* DoH specific data for this request */ + #endif + unsigned char setcookies; ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index fb51cd6..86b6f85 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -68,6 +68,7 @@ test380 test381 test383 test384 test385 test386 test387 test388 test389 \ + test390 test391 test392 test393 test394 test395 test396 test397 test398 \ + test399 test400 test401 test402 test403 test404 test405 test406 test407 \ + test408 test409 test410 test411 test412 test413 test414 test415 test416 \ ++ test418 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +diff --git a/tests/data/test387 b/tests/data/test387 +index 015ec25..644fc7f 100644 +--- a/tests/data/test387 ++++ b/tests/data/test387 +@@ -47,7 +47,7 @@ Accept: */* + 61 + + +-curl: (61) Reject response due to 5 content encodings ++curl: (61) Reject response due to more than 5 content encodings + + + +diff --git a/tests/data/test418 b/tests/data/test418 +new file mode 100644 +index 0000000..50e974e +--- /dev/null ++++ b/tests/data/test418 +@@ -0,0 +1,152 @@ ++ ++ ++ ++HTTP ++gzip ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Response with multiple Transfer-Encoding headers ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++ ++61 ++ ++ ++curl: (61) Reject response due to more than 5 content encodings ++ ++ ++ +-- +2.39.1 + diff --git a/curl.spec b/curl.spec index d5fb421..af07f42 100644 --- a/curl.spec +++ b/curl.spec @@ -16,6 +16,9 @@ Patch1: 0001-curl-7.87.0-header-file-regression.patch # share HSTS between handles (CVE-2023-23915 CVE-2023-23914) Patch6: 0006-curl-7.87.0-hsts-CVEs.patch +# fix HTTP multi-header compression denial of service (CVE-2023-23916) +Patch7: 0007-curl-7.87.0-CVE-2023-23916.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -205,6 +208,7 @@ be installed. # upstream patches %patch1 -p1 %patch6 -p1 +%patch7 -p1 # Fedora patches %patch101 -p1 @@ -440,6 +444,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Feb 15 2023 Kamil Dudka - 7.87.0-5 +- fix HTTP multi-header compression denial of service (CVE-2023-23916) - share HSTS between handles (CVE-2023-23915 CVE-2023-23914) * Fri Jan 20 2023 Kamil Dudka - 7.87.0-4 From 13a96c9b8fbb54bc9d1bb1e8888e8d57cb975192 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 17 Feb 2023 14:34:10 +0100 Subject: [PATCH 006/120] http2: set drain on stream end This is an attempt to fix the following issue in COPR: https://pagure.io/fedora-infrastructure/issue/11133 --- 0001-curl-7.88.0-http2-drain.patch | 113 +++++++++++++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 121 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.88.0-http2-drain.patch diff --git a/0001-curl-7.88.0-http2-drain.patch b/0001-curl-7.88.0-http2-drain.patch new file mode 100644 index 0000000..40fd03a --- /dev/null +++ b/0001-curl-7.88.0-http2-drain.patch @@ -0,0 +1,113 @@ +From d38da6c41c897eff642d9e39a234290dd51a3947 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 15 Feb 2023 22:11:13 +0100 +Subject: [PATCH 1/2] http2: buffer/pausedata and output flush fix. + + * do not process pending input data when copying pausedata to the + caller + * return CURLE_AGAIN if the output buffer could not be completely + written out. + +Ref: #10525 +Closes #10529 + +Upstream-commit: 3103de2053ca8cacf9cdbe78764ba6814481709f +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index 46fc746..1ef5d39 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -467,6 +467,7 @@ static CURLcode flush_output(struct Curl_cfilter *cf, + } + if((size_t)written < buflen) { + Curl_dyn_tail(&ctx->outbuf, buflen - (size_t)written); ++ return CURLE_AGAIN; + } + else { + Curl_dyn_reset(&ctx->outbuf); +@@ -1790,6 +1791,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + + stream->pausedata += nread; + stream->pauselen -= nread; ++ drain_this(cf, data); + + if(stream->pauselen == 0) { + DEBUGF(LOG_CF(data, cf, "[h2sid=%u] Unpaused", stream->stream_id)); +@@ -1798,18 +1800,6 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + + stream->pausedata = NULL; + stream->pauselen = 0; +- +- /* When NGHTTP2_ERR_PAUSE is returned from +- data_source_read_callback, we might not process DATA frame +- fully. Calling nghttp2_session_mem_recv() again will +- continue to process DATA frame, but if there is no incoming +- frames, then we have to call it again with 0-length data. +- Without this, on_stream_close callback will not be called, +- and stream could be hanged. */ +- if(h2_process_pending_input(cf, data, err) != 0) { +- nread = -1; +- goto out; +- } + } + DEBUGF(LOG_CF(data, cf, "[h2sid=%u] recv: returns unpaused %zd bytes", + stream->stream_id, nread)); +@@ -1933,6 +1923,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + drained_transfer(cf, data); + } + ++ *err = CURLE_OK; + nread = retlen; + DEBUGF(LOG_CF(data, cf, "[h2sid=%u] cf_h2_recv -> %zd", + stream->stream_id, nread)); +-- +2.39.1 + + +From 77e5170fe89bce943c52de732071189f463f38a8 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Thu, 16 Feb 2023 06:26:26 +0200 +Subject: [PATCH 2/2] http2: set drain on stream end + +Ensure that on_frame_recv() stream end will trigger a read if there is +pending data. Without this it could happen that the pending data is +never consumed. + +This combined with https://github.com/curl/curl/pull/10529 should fix +https://github.com/curl/curl/issues/10525 + +Ref: https://github.com/curl/curl/issues/10525 +Closes #10530 + +Upstream-commit: 87ed650d04dc1a6f7944a5d952f7d5b0934a19ac +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/http2.c b/lib/http2.c +index 1ef5d39..bdb5e73 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -868,6 +868,14 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame, + return NGHTTP2_ERR_CALLBACK_FAILURE; + } + } ++ if(frame->hd.flags & NGHTTP2_FLAG_END_STREAM) { ++ /* Stream has ended. If there is pending data, ensure that read ++ will occur to consume it. */ ++ if(!data->state.drain && stream->memlen) { ++ drain_this(cf, data_s); ++ Curl_expire(data, 0, EXPIRE_RUN_NOW); ++ } ++ } + break; + case NGHTTP2_HEADERS: + DEBUGF(LOG_CF(data_s, cf, "[h2sid=%u] recv frame HEADERS", stream_id)); +-- +2.39.1 + diff --git a/curl.spec b/curl.spec index 353e082..688ac91 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.88.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# http2: set drain on stream end +Patch1: 0001-curl-7.88.0-http2-drain.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -203,6 +206,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -438,6 +442,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Feb 17 2023 Kamil Dudka - 7.88.0-2 +- http2: set drain on stream end + * Wed Feb 15 2023 Kamil Dudka - 7.88.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-23916 - HTTP multi-header compression denial of service From d5c1163ef3a64c125452ce067670886765ecc5be Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Feb 2023 14:41:52 +0100 Subject: [PATCH 007/120] new upstream release - 7.88.1 --- 0001-curl-7.88.0-http2-drain.patch | 113 ----------------------------- curl.spec | 11 ++- sources | 4 +- 3 files changed, 7 insertions(+), 121 deletions(-) delete mode 100644 0001-curl-7.88.0-http2-drain.patch diff --git a/0001-curl-7.88.0-http2-drain.patch b/0001-curl-7.88.0-http2-drain.patch deleted file mode 100644 index 40fd03a..0000000 --- a/0001-curl-7.88.0-http2-drain.patch +++ /dev/null @@ -1,113 +0,0 @@ -From d38da6c41c897eff642d9e39a234290dd51a3947 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 15 Feb 2023 22:11:13 +0100 -Subject: [PATCH 1/2] http2: buffer/pausedata and output flush fix. - - * do not process pending input data when copying pausedata to the - caller - * return CURLE_AGAIN if the output buffer could not be completely - written out. - -Ref: #10525 -Closes #10529 - -Upstream-commit: 3103de2053ca8cacf9cdbe78764ba6814481709f -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 15 +++------------ - 1 file changed, 3 insertions(+), 12 deletions(-) - -diff --git a/lib/http2.c b/lib/http2.c -index 46fc746..1ef5d39 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -467,6 +467,7 @@ static CURLcode flush_output(struct Curl_cfilter *cf, - } - if((size_t)written < buflen) { - Curl_dyn_tail(&ctx->outbuf, buflen - (size_t)written); -+ return CURLE_AGAIN; - } - else { - Curl_dyn_reset(&ctx->outbuf); -@@ -1790,6 +1791,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, - - stream->pausedata += nread; - stream->pauselen -= nread; -+ drain_this(cf, data); - - if(stream->pauselen == 0) { - DEBUGF(LOG_CF(data, cf, "[h2sid=%u] Unpaused", stream->stream_id)); -@@ -1798,18 +1800,6 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, - - stream->pausedata = NULL; - stream->pauselen = 0; -- -- /* When NGHTTP2_ERR_PAUSE is returned from -- data_source_read_callback, we might not process DATA frame -- fully. Calling nghttp2_session_mem_recv() again will -- continue to process DATA frame, but if there is no incoming -- frames, then we have to call it again with 0-length data. -- Without this, on_stream_close callback will not be called, -- and stream could be hanged. */ -- if(h2_process_pending_input(cf, data, err) != 0) { -- nread = -1; -- goto out; -- } - } - DEBUGF(LOG_CF(data, cf, "[h2sid=%u] recv: returns unpaused %zd bytes", - stream->stream_id, nread)); -@@ -1933,6 +1923,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, - drained_transfer(cf, data); - } - -+ *err = CURLE_OK; - nread = retlen; - DEBUGF(LOG_CF(data, cf, "[h2sid=%u] cf_h2_recv -> %zd", - stream->stream_id, nread)); --- -2.39.1 - - -From 77e5170fe89bce943c52de732071189f463f38a8 Mon Sep 17 00:00:00 2001 -From: Harry Sintonen -Date: Thu, 16 Feb 2023 06:26:26 +0200 -Subject: [PATCH 2/2] http2: set drain on stream end - -Ensure that on_frame_recv() stream end will trigger a read if there is -pending data. Without this it could happen that the pending data is -never consumed. - -This combined with https://github.com/curl/curl/pull/10529 should fix -https://github.com/curl/curl/issues/10525 - -Ref: https://github.com/curl/curl/issues/10525 -Closes #10530 - -Upstream-commit: 87ed650d04dc1a6f7944a5d952f7d5b0934a19ac -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/lib/http2.c b/lib/http2.c -index 1ef5d39..bdb5e73 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -868,6 +868,14 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame, - return NGHTTP2_ERR_CALLBACK_FAILURE; - } - } -+ if(frame->hd.flags & NGHTTP2_FLAG_END_STREAM) { -+ /* Stream has ended. If there is pending data, ensure that read -+ will occur to consume it. */ -+ if(!data->state.drain && stream->memlen) { -+ drain_this(cf, data_s); -+ Curl_expire(data, 0, EXPIRE_RUN_NOW); -+ } -+ } - break; - case NGHTTP2_HEADERS: - DEBUGF(LOG_CF(data_s, cf, "[h2sid=%u] recv frame HEADERS", stream_id)); --- -2.39.1 - diff --git a/curl.spec b/curl.spec index 688ac91..d2bc211 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.88.0 -Release: 2%{?dist} +Version: 7.88.1 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# http2: set drain on stream end -Patch1: 0001-curl-7.88.0-http2-drain.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -206,7 +203,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -442,6 +438,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 20 2023 Kamil Dudka - 7.88.1-1 +- new upstream release + * Fri Feb 17 2023 Kamil Dudka - 7.88.0-2 - http2: set drain on stream end diff --git a/sources b/sources index 5c159bb..99be100 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.88.0.tar.xz) = 2008cbc67694f746b7449f087a19b2a9a4950333d6bac1cdc7d80351aa38d8d9b442087dedbc7b0909a419d3b10f510521c942aac012d04a53c32bdb15dce5f0 -SHA512 (curl-7.88.0.tar.xz.asc) = 6f3d9a5f8fcec64652f872adf994ff3d0162fba1b483a0e359522173bf29ef3d26eeda7c328207fa1fa974a45e62674a3a8ebec21830ab3981b56851d5804ade +SHA512 (curl-7.88.1.tar.xz) = b8d30c52a6d1c3e272608a7a8db78dfd79aef21330f34d6f1df43839a400e13ac6aac72a383526db0b711a70ecbec89a3b934677d7ecf5094fd64d3dbcb3492f +SHA512 (curl-7.88.1.tar.xz.asc) = d6dc720533004c4d533cc4fb3dd33ac28d95e114f440ec011e4b58f65d1f4c40cfa10ba26d2e2f2f1f9de99511632578b4758c5e79593c7c30d29788fdf1cbb6 From ec2bc20d6e59b5aabc431a9c2c97b5774593a323 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Mar 2023 16:46:54 +0100 Subject: [PATCH 008/120] tests: make sure gnuserv-tls has SRP support before using it --- 0002-curl-7.87.0-tests-tls-srp.patch | 54 ++++++++++++++++++++++++++++ curl.spec | 9 ++++- 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.87.0-tests-tls-srp.patch diff --git a/0002-curl-7.87.0-tests-tls-srp.patch b/0002-curl-7.87.0-tests-tls-srp.patch new file mode 100644 index 0000000..f2ad919 --- /dev/null +++ b/0002-curl-7.87.0-tests-tls-srp.patch @@ -0,0 +1,54 @@ +From 34ba217b433f222f486a42f2157866ab40dba221 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 15 Feb 2023 15:04:07 +0100 +Subject: [PATCH] tests: make sure gnuserv-tls has SRP support before using it + +Reported-by: fundawang on github +Fixes #10522 +Closes #10524 + +Upstream-commit: 2fdc1d816ebf3c77f43068103bec1b3a3767881a +Signed-off-by: Kamil Dudka +--- + tests/runtests.pl | 2 +- + tests/sshhelp.pm | 11 ++++++++++- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index f49e385..d2e0e52 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -5373,7 +5373,7 @@ sub startservers { + elsif($what eq "httptls") { + if(!$httptlssrv) { + # for now, we can't run http TLS-EXT tests without gnutls-serv +- return "no gnutls-serv"; ++ return "no gnutls-serv (with SRP support)"; + } + if($torture && $run{'httptls'} && + !responsive_httptls_server($verbose, "IPv4")) { +diff --git a/tests/sshhelp.pm b/tests/sshhelp.pm +index 2d419c1..0c553da 100644 +--- a/tests/sshhelp.pm ++++ b/tests/sshhelp.pm +@@ -408,7 +408,16 @@ sub find_sshkeygen { + # Find httptlssrv (gnutls-serv) and return canonical filename + # + sub find_httptlssrv { +- return find_exe_file_hpath($httptlssrvexe); ++ my $p = find_exe_file_hpath($httptlssrvexe); ++ my @o = `$p -l`; ++ my $found; ++ for(@o) { ++ if(/Key exchange: SRP/) { ++ $found = 1; ++ last; ++ } ++ } ++ return $p if($found); + } + + +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index af07f42..86ee916 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -13,6 +13,9 @@ Source2: mykey.asc # fix regression in a public header file (#2162716) Patch1: 0001-curl-7.87.0-header-file-regression.patch +# tests: make sure gnuserv-tls has SRP support before using it +Patch2: 0002-curl-7.87.0-tests-tls-srp.patch + # share HSTS between handles (CVE-2023-23915 CVE-2023-23914) Patch6: 0006-curl-7.87.0-hsts-CVEs.patch @@ -207,6 +210,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 %patch6 -p1 %patch7 -p1 @@ -443,6 +447,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 15 2023 Kamil Dudka - 7.87.0-6 +- tests: make sure gnuserv-tls has SRP support before using it + * Wed Feb 15 2023 Kamil Dudka - 7.87.0-5 - fix HTTP multi-header compression denial of service (CVE-2023-23916) - share HSTS between handles (CVE-2023-23915 CVE-2023-23914) From 7b0a4d3dfc08b37261a2a5f3e475cc13acdaa922 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Mar 2023 10:08:53 +0100 Subject: [PATCH 009/120] new upstream release - 8.0.0 Resolves: CVE-2023-27538 - SSH connection too eager reuse still Resolves: CVE-2023-27537 - HSTS double-free Resolves: CVE-2023-27536 - GSS delegation too eager connection re-use Resolves: CVE-2023-27535 - FTP too eager connection reuse Resolves: CVE-2023-27534 - SFTP path ~ resolving discrepancy Resolves: CVE-2023-27533 - TELNET option IAC injection --- 0001-curl-8.0.0-revert-multi-remove.patch | 230 ++++++++++++++++++++++ curl.spec | 16 +- sources | 4 +- 3 files changed, 247 insertions(+), 3 deletions(-) create mode 100644 0001-curl-8.0.0-revert-multi-remove.patch diff --git a/0001-curl-8.0.0-revert-multi-remove.patch b/0001-curl-8.0.0-revert-multi-remove.patch new file mode 100644 index 0000000..8bd375a --- /dev/null +++ b/0001-curl-8.0.0-revert-multi-remove.patch @@ -0,0 +1,230 @@ +From d7c75c3608d6002cfb46a2612efa507d9a8ba66e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 20 Mar 2023 12:51:05 +0100 +Subject: [PATCH] Revert "multi: remove PENDING + MSGSENT handles from the main + linked list" + +This reverts commit f6d6f3ce01e377932f1ce7c24ee34d45a36950b8. + +The commits caused issues in the 8.0.0 release. Needs a retake. + +Upstream-commit: cf1eebc68a28cb18bffde5a0a0d2f02bf7b183ec +Signed-off-by: Kamil Dudka +--- + lib/multi.c | 73 +++++++++++++++++++---------------------------- + lib/multihandle.h | 2 -- + lib/urldata.h | 3 +- + 3 files changed, 31 insertions(+), 47 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index 0967500d0..731b2598f 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -383,10 +383,12 @@ static void sh_init(struct Curl_hash *hash, int hashsize) + * Called when a transfer is completed. Adds the given msg pointer to + * the list kept in the multi handle. + */ +-static void multi_addmsg(struct Curl_multi *multi, struct Curl_message *msg) ++static CURLMcode multi_addmsg(struct Curl_multi *multi, ++ struct Curl_message *msg) + { + Curl_llist_insert_next(&multi->msglist, multi->msglist.tail, msg, + &msg->list); ++ return CURLM_OK; + } + + struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ +@@ -409,7 +411,6 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ + + Curl_llist_init(&multi->msglist, NULL); + Curl_llist_init(&multi->pending, NULL); +- Curl_llist_init(&multi->msgsent, NULL); + + multi->multiplexing = TRUE; + +@@ -455,14 +456,6 @@ struct Curl_multi *curl_multi_init(void) + CURL_DNS_HASH_SIZE); + } + +-/* returns TRUE if the easy handle is supposed to be present in the main link +- list */ +-static bool in_main_list(struct Curl_easy *data) +-{ +- return ((data->mstate != MSTATE_PENDING) && +- (data->mstate != MSTATE_MSGSENT)); +-} +- + static void link_easy(struct Curl_multi *multi, + struct Curl_easy *data) + { +@@ -496,8 +489,6 @@ static void unlink_easy(struct Curl_multi *multi, + data->next->prev = data->prev; + else + multi->easylp = data->prev; /* point to last node */ +- +- data->prev = data->next = NULL; + } + + +@@ -857,16 +848,10 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + called. Do it after multi_done() in case that sets another time! */ + Curl_expire_clear(data); + +- if(data->connect_queue.ptr) { +- /* the handle is in the pending or msgsent lists, so go ahead and remove +- it */ +- if(data->mstate == MSTATE_PENDING) +- Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); +- else +- Curl_llist_remove(&multi->msgsent, &data->connect_queue, NULL); +- } +- if(in_main_list(data)) +- unlink_easy(multi, data); ++ if(data->connect_queue.ptr) ++ /* the handle was in the pending list waiting for an available connection, ++ so go ahead and remove it */ ++ Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); + + if(data->dns.hostcachetype == HCACHE_MULTI) { + /* stop using the multi handle's DNS cache, *after* the possible +@@ -927,6 +912,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + + /* make sure there's no pending message in the queue sent from this easy + handle */ ++ + for(e = multi->msglist.head; e; e = e->next) { + struct Curl_message *msg = e->ptr; + +@@ -937,6 +923,19 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + } + } + ++ /* Remove from the pending list if it is there. Otherwise this will ++ remain on the pending list forever due to the state change. */ ++ for(e = multi->pending.head; e; e = e->next) { ++ struct Curl_easy *curr_data = e->ptr; ++ ++ if(curr_data == data) { ++ Curl_llist_remove(&multi->pending, e, NULL); ++ break; ++ } ++ } ++ ++ unlink_easy(multi, data); ++ + /* NOTE NOTE NOTE + We do not touch the easy handle here! */ + multi->num_easy--; /* one less to care about now */ +@@ -1944,6 +1943,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + } + break; + ++ case MSTATE_PENDING: ++ /* We will stay here until there is a connection available. Then ++ we try again in the MSTATE_CONNECT state. */ ++ break; ++ + case MSTATE_CONNECT: + /* Connect. We want to get a connection identifier filled in. */ + /* init this transfer. */ +@@ -1967,8 +1971,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + /* add this handle to the list of connect-pending handles */ + Curl_llist_insert_next(&multi->pending, multi->pending.tail, data, + &data->connect_queue); +- /* unlink from the main list */ +- unlink_easy(multi, data); + result = CURLE_OK; + break; + } +@@ -2595,11 +2597,9 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + case MSTATE_COMPLETED: + break; + +- case MSTATE_PENDING: + case MSTATE_MSGSENT: +- /* handles in these states should NOT be in this list */ +- DEBUGASSERT(0); +- break; ++ data->result = result; ++ return CURLM_OK; /* do nothing */ + + default: + return CURLM_INTERNAL_ERROR; +@@ -2687,17 +2687,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + msg->extmsg.easy_handle = data; + msg->extmsg.data.result = result; + +- multi_addmsg(multi, msg); ++ rc = multi_addmsg(multi, msg); + DEBUGASSERT(!data->conn); + } + multistate(data, MSTATE_MSGSENT); +- +- /* add this handle to the list of msgsent handles */ +- Curl_llist_insert_next(&multi->msgsent, multi->msgsent.tail, data, +- &data->connect_queue); +- /* unlink from the main list */ +- unlink_easy(multi, data); +- return CURLM_OK; + } + } while((rc == CURLM_CALL_MULTI_PERFORM) || multi_ischanged(multi, FALSE)); + +@@ -2728,9 +2721,6 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) + /* Do the loop and only alter the signal ignore state if the next handle + has a different NO_SIGNAL state than the previous */ + do { +- /* the current node might be unlinked in multi_runsingle(), get the next +- pointer now */ +- struct Curl_easy *datanext = data->next; + if(data->set.no_signal != nosig) { + sigpipe_restore(&pipe_st); + sigpipe_ignore(data, &pipe_st); +@@ -2739,7 +2729,7 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) + result = multi_runsingle(multi, &now, data); + if(result) + returncode = result; +- data = datanext; /* operate on next handle */ ++ data = data->next; /* operate on next handle */ + } while(data); + sigpipe_restore(&pipe_st); + } +@@ -3720,9 +3710,6 @@ static void process_pending_handles(struct Curl_multi *multi) + + DEBUGASSERT(data->mstate == MSTATE_PENDING); + +- /* put it back into the main list */ +- link_easy(multi, data); +- + multistate(data, MSTATE_CONNECT); + + /* Remove this node from the list */ +diff --git a/lib/multihandle.h b/lib/multihandle.h +index 5b16bb605..6cda65d44 100644 +--- a/lib/multihandle.h ++++ b/lib/multihandle.h +@@ -101,8 +101,6 @@ struct Curl_multi { + + struct Curl_llist pending; /* Curl_easys that are in the + MSTATE_PENDING state */ +- struct Curl_llist msgsent; /* Curl_easys that are in the +- MSTATE_MSGSENT state */ + + /* callback function and user data pointer for the *socket() API */ + curl_socket_callback socket_cb; +diff --git a/lib/urldata.h b/lib/urldata.h +index 4e07bcd60..8b54518d2 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1894,8 +1894,7 @@ struct Curl_easy { + struct Curl_easy *prev; + + struct connectdata *conn; +- struct Curl_llist_element connect_queue; /* for the pending and msgsent +- lists */ ++ struct Curl_llist_element connect_queue; + struct Curl_llist_element conn_queue; /* list per connectdata */ + + CURLMstate mstate; /* the handle's state */ +-- +2.40.0 + diff --git a/curl.spec b/curl.spec index d2bc211..8832786 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.88.1 +Version: 8.0.0 Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,6 +10,10 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# revert a commit that caused issues in the 8.0.0 release +# https://github.com/curl/curl/pull/10795 +Patch1: 0001-curl-8.0.0-revert-multi-remove.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -203,6 +207,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -438,6 +443,15 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Mar 20 2023 Kamil Dudka - 8.0.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-27538 - SSH connection too eager reuse still + CVE-2023-27537 - HSTS double-free + CVE-2023-27536 - GSS delegation too eager connection re-use + CVE-2023-27535 - FTP too eager connection reuse + CVE-2023-27534 - SFTP path ~ resolving discrepancy + CVE-2023-27533 - TELNET option IAC injection + * Mon Feb 20 2023 Kamil Dudka - 7.88.1-1 - new upstream release diff --git a/sources b/sources index 99be100..7ce28de 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.88.1.tar.xz) = b8d30c52a6d1c3e272608a7a8db78dfd79aef21330f34d6f1df43839a400e13ac6aac72a383526db0b711a70ecbec89a3b934677d7ecf5094fd64d3dbcb3492f -SHA512 (curl-7.88.1.tar.xz.asc) = d6dc720533004c4d533cc4fb3dd33ac28d95e114f440ec011e4b58f65d1f4c40cfa10ba26d2e2f2f1f9de99511632578b4758c5e79593c7c30d29788fdf1cbb6 +SHA512 (curl-8.0.0.tar.xz) = 7141e0e2ed065ba14a7fd7e080bc78cadfcf0c7e4054384f17bfbe24caa0bf512d1feaac89dabb9bebc30c2ba40e78ea4e77ac16ce07515f1e9d6b0f05098c9c +SHA512 (curl-8.0.0.tar.xz.asc) = ab741ce5a93e8729bb280c38a109dd11c6f07bc5d955368171dd0c26641d117c62945c13cdc8ff66e32e98fa027cc8ae08aba833a3ee702a2a06c7cef5b8f4ea From c96705f9dc873e3e749d7cbfcd13f678605aea63 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Mar 2023 15:39:59 +0100 Subject: [PATCH 010/120] new upstream release - 8.0.1 --- 0001-curl-8.0.0-revert-multi-remove.patch | 230 ---------------------- curl.spec | 10 +- sources | 4 +- 3 files changed, 6 insertions(+), 238 deletions(-) delete mode 100644 0001-curl-8.0.0-revert-multi-remove.patch diff --git a/0001-curl-8.0.0-revert-multi-remove.patch b/0001-curl-8.0.0-revert-multi-remove.patch deleted file mode 100644 index 8bd375a..0000000 --- a/0001-curl-8.0.0-revert-multi-remove.patch +++ /dev/null @@ -1,230 +0,0 @@ -From d7c75c3608d6002cfb46a2612efa507d9a8ba66e Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 20 Mar 2023 12:51:05 +0100 -Subject: [PATCH] Revert "multi: remove PENDING + MSGSENT handles from the main - linked list" - -This reverts commit f6d6f3ce01e377932f1ce7c24ee34d45a36950b8. - -The commits caused issues in the 8.0.0 release. Needs a retake. - -Upstream-commit: cf1eebc68a28cb18bffde5a0a0d2f02bf7b183ec -Signed-off-by: Kamil Dudka ---- - lib/multi.c | 73 +++++++++++++++++++---------------------------- - lib/multihandle.h | 2 -- - lib/urldata.h | 3 +- - 3 files changed, 31 insertions(+), 47 deletions(-) - -diff --git a/lib/multi.c b/lib/multi.c -index 0967500d0..731b2598f 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -383,10 +383,12 @@ static void sh_init(struct Curl_hash *hash, int hashsize) - * Called when a transfer is completed. Adds the given msg pointer to - * the list kept in the multi handle. - */ --static void multi_addmsg(struct Curl_multi *multi, struct Curl_message *msg) -+static CURLMcode multi_addmsg(struct Curl_multi *multi, -+ struct Curl_message *msg) - { - Curl_llist_insert_next(&multi->msglist, multi->msglist.tail, msg, - &msg->list); -+ return CURLM_OK; - } - - struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ -@@ -409,7 +411,6 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ - - Curl_llist_init(&multi->msglist, NULL); - Curl_llist_init(&multi->pending, NULL); -- Curl_llist_init(&multi->msgsent, NULL); - - multi->multiplexing = TRUE; - -@@ -455,14 +456,6 @@ struct Curl_multi *curl_multi_init(void) - CURL_DNS_HASH_SIZE); - } - --/* returns TRUE if the easy handle is supposed to be present in the main link -- list */ --static bool in_main_list(struct Curl_easy *data) --{ -- return ((data->mstate != MSTATE_PENDING) && -- (data->mstate != MSTATE_MSGSENT)); --} -- - static void link_easy(struct Curl_multi *multi, - struct Curl_easy *data) - { -@@ -496,8 +489,6 @@ static void unlink_easy(struct Curl_multi *multi, - data->next->prev = data->prev; - else - multi->easylp = data->prev; /* point to last node */ -- -- data->prev = data->next = NULL; - } - - -@@ -857,16 +848,10 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - called. Do it after multi_done() in case that sets another time! */ - Curl_expire_clear(data); - -- if(data->connect_queue.ptr) { -- /* the handle is in the pending or msgsent lists, so go ahead and remove -- it */ -- if(data->mstate == MSTATE_PENDING) -- Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); -- else -- Curl_llist_remove(&multi->msgsent, &data->connect_queue, NULL); -- } -- if(in_main_list(data)) -- unlink_easy(multi, data); -+ if(data->connect_queue.ptr) -+ /* the handle was in the pending list waiting for an available connection, -+ so go ahead and remove it */ -+ Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); - - if(data->dns.hostcachetype == HCACHE_MULTI) { - /* stop using the multi handle's DNS cache, *after* the possible -@@ -927,6 +912,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - - /* make sure there's no pending message in the queue sent from this easy - handle */ -+ - for(e = multi->msglist.head; e; e = e->next) { - struct Curl_message *msg = e->ptr; - -@@ -937,6 +923,19 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - } - } - -+ /* Remove from the pending list if it is there. Otherwise this will -+ remain on the pending list forever due to the state change. */ -+ for(e = multi->pending.head; e; e = e->next) { -+ struct Curl_easy *curr_data = e->ptr; -+ -+ if(curr_data == data) { -+ Curl_llist_remove(&multi->pending, e, NULL); -+ break; -+ } -+ } -+ -+ unlink_easy(multi, data); -+ - /* NOTE NOTE NOTE - We do not touch the easy handle here! */ - multi->num_easy--; /* one less to care about now */ -@@ -1944,6 +1943,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - } - break; - -+ case MSTATE_PENDING: -+ /* We will stay here until there is a connection available. Then -+ we try again in the MSTATE_CONNECT state. */ -+ break; -+ - case MSTATE_CONNECT: - /* Connect. We want to get a connection identifier filled in. */ - /* init this transfer. */ -@@ -1967,8 +1971,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - /* add this handle to the list of connect-pending handles */ - Curl_llist_insert_next(&multi->pending, multi->pending.tail, data, - &data->connect_queue); -- /* unlink from the main list */ -- unlink_easy(multi, data); - result = CURLE_OK; - break; - } -@@ -2595,11 +2597,9 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - case MSTATE_COMPLETED: - break; - -- case MSTATE_PENDING: - case MSTATE_MSGSENT: -- /* handles in these states should NOT be in this list */ -- DEBUGASSERT(0); -- break; -+ data->result = result; -+ return CURLM_OK; /* do nothing */ - - default: - return CURLM_INTERNAL_ERROR; -@@ -2687,17 +2687,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - msg->extmsg.easy_handle = data; - msg->extmsg.data.result = result; - -- multi_addmsg(multi, msg); -+ rc = multi_addmsg(multi, msg); - DEBUGASSERT(!data->conn); - } - multistate(data, MSTATE_MSGSENT); -- -- /* add this handle to the list of msgsent handles */ -- Curl_llist_insert_next(&multi->msgsent, multi->msgsent.tail, data, -- &data->connect_queue); -- /* unlink from the main list */ -- unlink_easy(multi, data); -- return CURLM_OK; - } - } while((rc == CURLM_CALL_MULTI_PERFORM) || multi_ischanged(multi, FALSE)); - -@@ -2728,9 +2721,6 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) - /* Do the loop and only alter the signal ignore state if the next handle - has a different NO_SIGNAL state than the previous */ - do { -- /* the current node might be unlinked in multi_runsingle(), get the next -- pointer now */ -- struct Curl_easy *datanext = data->next; - if(data->set.no_signal != nosig) { - sigpipe_restore(&pipe_st); - sigpipe_ignore(data, &pipe_st); -@@ -2739,7 +2729,7 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) - result = multi_runsingle(multi, &now, data); - if(result) - returncode = result; -- data = datanext; /* operate on next handle */ -+ data = data->next; /* operate on next handle */ - } while(data); - sigpipe_restore(&pipe_st); - } -@@ -3720,9 +3710,6 @@ static void process_pending_handles(struct Curl_multi *multi) - - DEBUGASSERT(data->mstate == MSTATE_PENDING); - -- /* put it back into the main list */ -- link_easy(multi, data); -- - multistate(data, MSTATE_CONNECT); - - /* Remove this node from the list */ -diff --git a/lib/multihandle.h b/lib/multihandle.h -index 5b16bb605..6cda65d44 100644 ---- a/lib/multihandle.h -+++ b/lib/multihandle.h -@@ -101,8 +101,6 @@ struct Curl_multi { - - struct Curl_llist pending; /* Curl_easys that are in the - MSTATE_PENDING state */ -- struct Curl_llist msgsent; /* Curl_easys that are in the -- MSTATE_MSGSENT state */ - - /* callback function and user data pointer for the *socket() API */ - curl_socket_callback socket_cb; -diff --git a/lib/urldata.h b/lib/urldata.h -index 4e07bcd60..8b54518d2 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1894,8 +1894,7 @@ struct Curl_easy { - struct Curl_easy *prev; - - struct connectdata *conn; -- struct Curl_llist_element connect_queue; /* for the pending and msgsent -- lists */ -+ struct Curl_llist_element connect_queue; - struct Curl_llist_element conn_queue; /* list per connectdata */ - - CURLMstate mstate; /* the handle's state */ --- -2.40.0 - diff --git a/curl.spec b/curl.spec index 8832786..15705c1 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.0.0 +Version: 8.0.1 Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,10 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# revert a commit that caused issues in the 8.0.0 release -# https://github.com/curl/curl/pull/10795 -Patch1: 0001-curl-8.0.0-revert-multi-remove.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -207,7 +203,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -443,6 +438,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Mar 20 2023 Kamil Dudka - 8.0.1-1 +- new upstream release + * Mon Mar 20 2023 Kamil Dudka - 8.0.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-27538 - SSH connection too eager reuse still diff --git a/sources b/sources index 7ce28de..fe0a4ce 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.0.0.tar.xz) = 7141e0e2ed065ba14a7fd7e080bc78cadfcf0c7e4054384f17bfbe24caa0bf512d1feaac89dabb9bebc30c2ba40e78ea4e77ac16ce07515f1e9d6b0f05098c9c -SHA512 (curl-8.0.0.tar.xz.asc) = ab741ce5a93e8729bb280c38a109dd11c6f07bc5d955368171dd0c26641d117c62945c13cdc8ff66e32e98fa027cc8ae08aba833a3ee702a2a06c7cef5b8f4ea +SHA512 (curl-8.0.1.tar.xz) = 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d +SHA512 (curl-8.0.1.tar.xz.asc) = 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf From 54363444c5ff7e8271e42f5be146b24787eacd33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Tue, 21 Mar 2023 15:46:58 +0100 Subject: [PATCH 011/120] migrate to SPDX license --- curl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 15705c1..e04b29c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,8 +1,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 1%{?dist} -License: MIT +Release: 2%{?dist} +License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # The curl download page ( https://curl.se/download.html ) links @@ -438,6 +438,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 +- migrated to SPDX license + * Mon Mar 20 2023 Kamil Dudka - 8.0.1-1 - new upstream release From 070308204190e2e781f0b1fec5877c6a40c634bd Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:14:43 +0100 Subject: [PATCH 012/120] Resolves: CVE-2023-27533 - fix TELNET option IAC injection --- 0023-curl-7.87.0-CVE-2023-27533.patch | 59 +++++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 0023-curl-7.87.0-CVE-2023-27533.patch diff --git a/0023-curl-7.87.0-CVE-2023-27533.patch b/0023-curl-7.87.0-CVE-2023-27533.patch new file mode 100644 index 0000000..8810c27 --- /dev/null +++ b/0023-curl-7.87.0-CVE-2023-27533.patch @@ -0,0 +1,59 @@ +From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 6 Mar 2023 12:07:33 +0100 +Subject: [PATCH] telnet: only accept option arguments in ascii + +To avoid embedded telnet negotiation commands etc. + +Reported-by: Harry Sintonen +Closes #10728 + +Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684 +Signed-off-by: Kamil Dudka +--- + lib/telnet.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/lib/telnet.c b/lib/telnet.c +index 22bc81e..baea885 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data, + } + } + ++static bool str_is_nonascii(const char *str) ++{ ++ size_t len = strlen(str); ++ while(len--) { ++ if(*str & 0x80) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + static CURLcode check_telnet_options(struct Curl_easy *data) + { + struct curl_slist *head; +@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) + /* Add the user name as an environment variable if it + was given on the command line */ + if(data->state.aptr.user) { ++ if(str_is_nonascii(data->conn->user)) ++ return CURLE_BAD_FUNCTION_ARGUMENT; + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { +@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) + for(head = data->set.telnet_options; head; head = head->next) { + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", + option_keyword, option_arg) == 2) { ++ if(str_is_nonascii(option_arg)) ++ continue; + + /* Terminal type */ + if(strcasecompare(option_keyword, "TTYPE")) { +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 86ee916..108f44d 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -22,6 +22,9 @@ Patch6: 0006-curl-7.87.0-hsts-CVEs.patch # fix HTTP multi-header compression denial of service (CVE-2023-23916) Patch7: 0007-curl-7.87.0-CVE-2023-23916.patch +# fix TELNET option IAC injection (CVE-2023-27533) +Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -213,6 +216,7 @@ be installed. %patch2 -p1 %patch6 -p1 %patch7 -p1 +%patch23 -p1 # Fedora patches %patch101 -p1 @@ -447,6 +451,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Mar 24 2023 Kamil Dudka - 7.87.0-7 +- fix TELNET option IAC injection (CVE-2023-27533) + * Wed Mar 15 2023 Kamil Dudka - 7.87.0-6 - tests: make sure gnuserv-tls has SRP support before using it From bdb83efe757fb9a6191c0b196a9a05fcb9014659 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:16:13 +0100 Subject: [PATCH 013/120] Resolves: CVE-2023-27534 - fix SFTP path ~ resolving discrepancy --- 0024-curl-7.87.0-CVE-2023-27534.patch | 126 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 131 insertions(+) create mode 100644 0024-curl-7.87.0-CVE-2023-27534.patch diff --git a/0024-curl-7.87.0-CVE-2023-27534.patch b/0024-curl-7.87.0-CVE-2023-27534.patch new file mode 100644 index 0000000..ea589f3 --- /dev/null +++ b/0024-curl-7.87.0-CVE-2023-27534.patch @@ -0,0 +1,126 @@ +From 5ebdef4442b438ab1a899edb169489fc259fae1a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 16:22:11 +0100 +Subject: [PATCH] curl_path: create the new path with dynbuf + +Closes #10729 + +Upstream-commit: 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 +Signed-off-by: Kamil Dudka +--- + lib/curl_path.c | 75 +++++++++++++++++++++++-------------------------- + 1 file changed, 35 insertions(+), 40 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index f00e3ee..8106042 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -32,70 +32,65 @@ + #include "escape.h" + #include "memdebug.h" + ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */ ++ + /* figure out the path to work with in this particular request */ + CURLcode Curl_getworkingpath(struct Curl_easy *data, + char *homedir, /* when SFTP is used */ + char **path) /* returns the allocated + real path to work with */ + { +- char *real_path = NULL; + char *working_path; + size_t working_path_len; ++ struct dynbuf npath; + CURLcode result = + Curl_urldecode(data->state.up.path, 0, &working_path, + &working_path_len, REJECT_ZERO); + if(result) + return result; + ++ /* new path to switch to in case we need to */ ++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); ++ + /* Check for /~/, indicating relative to the user's home directory */ +- if(data->conn->handler->protocol & CURLPROTO_SCP) { +- real_path = malloc(working_path_len + 1); +- if(!real_path) { ++ if((data->conn->handler->protocol & CURLPROTO_SCP) && ++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { ++ /* It is referenced to the home directory, so strip the leading '/~/' */ ++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { + free(working_path); + return CURLE_OUT_OF_MEMORY; + } +- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) +- /* It is referenced to the home directory, so strip the leading '/~/' */ +- memcpy(real_path, working_path + 3, working_path_len - 2); +- else +- memcpy(real_path, working_path, 1 + working_path_len); + } +- else if(data->conn->handler->protocol & CURLPROTO_SFTP) { +- if((working_path_len > 1) && (working_path[1] == '~')) { +- size_t homelen = strlen(homedir); +- real_path = malloc(homelen + working_path_len + 1); +- if(!real_path) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- /* It is referenced to the home directory, so strip the +- leading '/' */ +- memcpy(real_path, homedir, homelen); +- /* Only add a trailing '/' if homedir does not end with one */ +- if(homelen == 0 || real_path[homelen - 1] != '/') { +- real_path[homelen] = '/'; +- homelen++; +- real_path[homelen] = '\0'; +- } +- if(working_path_len > 3) { +- memcpy(real_path + homelen, working_path + 3, +- 1 + working_path_len -3); +- } ++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && ++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { ++ size_t len; ++ const char *p; ++ int copyfrom = 3; ++ if(Curl_dyn_add(&npath, homedir)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } +- else { +- real_path = malloc(working_path_len + 1); +- if(!real_path) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- memcpy(real_path, working_path, 1 + working_path_len); ++ /* Copy a separating '/' if homedir does not end with one */ ++ len = Curl_dyn_len(&npath); ++ p = Curl_dyn_ptr(&npath); ++ if(len && (p[len-1] != '/')) ++ copyfrom = 2; ++ ++ if(Curl_dyn_addn(&npath, ++ &working_path[copyfrom], working_path_len - copyfrom)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } + } + +- free(working_path); ++ if(Curl_dyn_len(&npath)) { ++ free(working_path); + +- /* store the pointer for the caller to receive */ +- *path = real_path; ++ /* store the pointer for the caller to receive */ ++ *path = Curl_dyn_ptr(&npath); ++ } ++ else ++ *path = working_path; + + return CURLE_OK; + } +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 108f44d..2fd9e4a 100644 --- a/curl.spec +++ b/curl.spec @@ -25,6 +25,9 @@ Patch7: 0007-curl-7.87.0-CVE-2023-23916.patch # fix TELNET option IAC injection (CVE-2023-27533) Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch +# fix SFTP path ~ resolving discrepancy (CVE-2023-27534) +Patch24: 0024-curl-7.87.0-CVE-2023-27534.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -217,6 +220,7 @@ be installed. %patch6 -p1 %patch7 -p1 %patch23 -p1 +%patch24 -p1 # Fedora patches %patch101 -p1 @@ -452,6 +456,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.87.0-7 +- fix SFTP path ~ resolving discrepancy (CVE-2023-27534) - fix TELNET option IAC injection (CVE-2023-27533) * Wed Mar 15 2023 Kamil Dudka - 7.87.0-6 From 8c6f543d9e51bb5a3362781a784a4b10fa61be61 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:24:04 +0100 Subject: [PATCH 014/120] Resolves: CVE-2023-27535 - fix FTP too eager connection reuse --- 0025-curl-7.87.0-CVE-2023-27535.patch | 166 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 171 insertions(+) create mode 100644 0025-curl-7.87.0-CVE-2023-27535.patch diff --git a/0025-curl-7.87.0-CVE-2023-27535.patch b/0025-curl-7.87.0-CVE-2023-27535.patch new file mode 100644 index 0000000..4d3cf52 --- /dev/null +++ b/0025-curl-7.87.0-CVE-2023-27535.patch @@ -0,0 +1,166 @@ +From b79a0e768fcd71003b33feb5deea697dd0903e48 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 17:47:06 +0100 +Subject: [PATCH] ftp: add more conditions for connection reuse + +Reported-by: Harry Sintonen +Closes #10730 + +Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 28 ++++++++++++++++++++++++++-- + lib/ftp.h | 5 +++++ + lib/setopt.c | 2 +- + lib/url.c | 16 +++++++++++++++- + lib/urldata.h | 4 ++-- + 5 files changed, 49 insertions(+), 6 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 8f0ac2e..d90509e 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -4069,6 +4069,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data, + } + + freedirs(ftpc); ++ Curl_safefree(ftpc->account); ++ Curl_safefree(ftpc->alternative_to_user); + Curl_safefree(ftpc->prevpath); + Curl_safefree(ftpc->server_os); + Curl_pp_disconnect(pp); +@@ -4338,11 +4340,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + char *type; + struct FTP *ftp; + CURLcode result = CURLE_OK; ++ struct ftp_conn *ftpc = &conn->proto.ftpc; + +- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); ++ ftp = calloc(sizeof(struct FTP), 1); + if(!ftp) + return CURLE_OUT_OF_MEMORY; + ++ /* clone connection related data that is FTP specific */ ++ if(data->set.str[STRING_FTP_ACCOUNT]) { ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); ++ if(!ftpc->account) { ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { ++ ftpc->alternative_to_user = ++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); ++ if(!ftpc->alternative_to_user) { ++ Curl_safefree(ftpc->account); ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ data->req.p.ftp = ftp; ++ + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ + + /* FTP URLs support an extension like ";type=" that +@@ -4377,7 +4399,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + /* get some initial data into the ftp struct */ + ftp->transfer = PPTRANSFER_BODY; + ftp->downloadsize = 0; +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ ++ ftpc->known_filesize = -1; /* unknown size for now */ ++ ftpc->use_ssl = data->set.use_ssl; ++ ftpc->ccc = data->set.ftp_ccc; + + return result; + } +diff --git a/lib/ftp.h b/lib/ftp.h +index 7f6f432..3f33e27 100644 +--- a/lib/ftp.h ++++ b/lib/ftp.h +@@ -119,6 +119,8 @@ struct FTP { + struct */ + struct ftp_conn { + struct pingpong pp; ++ char *account; ++ char *alternative_to_user; + char *entrypath; /* the PWD reply when we logged on */ + char *file; /* url-decoded file name (or path) */ + char **dirs; /* realloc()ed array for path components */ +@@ -148,6 +150,9 @@ struct ftp_conn { + ftpstate state; /* always use ftp.c:state() to change state! */ + ftpstate state_saved; /* transfer type saved to be reloaded after + data connection is established */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ ++ unsigned char ccc; /* ccc level for this connection */ + curl_off_t retr_size_saved; /* Size of retrieved file saved */ + char *server_os; /* The target server operating system. */ + curl_off_t known_filesize; /* file size is different from -1, if wildcard +diff --git a/lib/setopt.c b/lib/setopt.c +index f71a606..d1905c6 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2351,7 +2351,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + arg = va_arg(param, long); + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) + return CURLE_BAD_FUNCTION_ARGUMENT; +- data->set.use_ssl = (curl_usessl)arg; ++ data->set.use_ssl = (unsigned char)arg; + break; + + case CURLOPT_SSL_OPTIONS: +diff --git a/lib/url.c b/lib/url.c +index 831ae06..3b11b7e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1352,10 +1352,24 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; + +- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++#ifdef USE_SSH ++ else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } ++#endif ++#ifndef CURL_DISABLE_FTP ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) { ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ ++ if(Curl_timestrcmp(needle->proto.ftpc.account, ++ check->proto.ftpc.account) || ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, ++ check->proto.ftpc.alternative_to_user) || ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) ++ continue; ++ } ++#endif + + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY +diff --git a/lib/urldata.h b/lib/urldata.h +index 8c8c20b..ce90304 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1750,8 +1750,6 @@ struct UserDefined { + #ifndef CURL_DISABLE_NETRC + unsigned char use_netrc; /* enum CURL_NETRC_OPTION values */ + #endif +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or +- IMAP or POP3 or others! */ + unsigned int new_file_perms; /* when creating remote files */ + unsigned int new_directory_perms; /* when creating remote dirs */ + int ssh_auth_types; /* allowed SSH auth types */ +@@ -1810,6 +1808,8 @@ struct UserDefined { + BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some + recipients */ + #endif ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ + unsigned char connect_only; /* make connection/request, then let + application use the socket */ + BIT(is_fread_set); /* has read callback been set to non-NULL? */ +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 2fd9e4a..3217d50 100644 --- a/curl.spec +++ b/curl.spec @@ -28,6 +28,9 @@ Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch # fix SFTP path ~ resolving discrepancy (CVE-2023-27534) Patch24: 0024-curl-7.87.0-CVE-2023-27534.patch +# fix FTP too eager connection reuse (CVE-2023-27535) +Patch25: 0025-curl-7.87.0-CVE-2023-27535.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -221,6 +224,7 @@ be installed. %patch7 -p1 %patch23 -p1 %patch24 -p1 +%patch25 -p1 # Fedora patches %patch101 -p1 @@ -456,6 +460,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.87.0-7 +- fix FTP too eager connection reuse (CVE-2023-27535) - fix SFTP path ~ resolving discrepancy (CVE-2023-27534) - fix TELNET option IAC injection (CVE-2023-27533) From 4b9d35186873af2621fa67eb44cc064c843c3cbc Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:25:23 +0100 Subject: [PATCH 015/120] Resolves: CVE-2023-27536 - fix GSS delegation too eager connection re-use --- 0026-curl-7.87.0-CVE-2023-27536.patch | 54 +++++++++++++++++++++++++++ curl.spec | 5 +++ 2 files changed, 59 insertions(+) create mode 100644 0026-curl-7.87.0-CVE-2023-27536.patch diff --git a/0026-curl-7.87.0-CVE-2023-27536.patch b/0026-curl-7.87.0-CVE-2023-27536.patch new file mode 100644 index 0000000..268e206 --- /dev/null +++ b/0026-curl-7.87.0-CVE-2023-27536.patch @@ -0,0 +1,54 @@ +From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Reported-by: Harry Sintonen +Closes #10731 + +Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index 3b11b7e..cbbc7f3 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1345,6 +1345,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + /* If multiplexing isn't enabled on the h2 connection and h1 is + explicitly requested, handle it: */ + if((needle->handler->protocol & PROTO_FAMILY_HTTP) && +@@ -1662,6 +1667,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +diff --git a/lib/urldata.h b/lib/urldata.h +index ce90304..9e16f26 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1111,6 +1111,7 @@ struct connectdata { + unsigned char ip_version; /* copied from the Curl_easy at creation time */ + unsigned char httpversion; /* the HTTP version*10 reported by the server */ + unsigned char connect_only; ++ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */ + }; + + /* The end of connectdata. */ +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 3217d50..6cd2a58 100644 --- a/curl.spec +++ b/curl.spec @@ -31,6 +31,9 @@ Patch24: 0024-curl-7.87.0-CVE-2023-27534.patch # fix FTP too eager connection reuse (CVE-2023-27535) Patch25: 0025-curl-7.87.0-CVE-2023-27535.patch +# fix GSS delegation too eager connection re-use (CVE-2023-27536) +Patch26: 0026-curl-7.87.0-CVE-2023-27536.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -225,6 +228,7 @@ be installed. %patch23 -p1 %patch24 -p1 %patch25 -p1 +%patch26 -p1 # Fedora patches %patch101 -p1 @@ -460,6 +464,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.87.0-7 +- fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) - fix SFTP path ~ resolving discrepancy (CVE-2023-27534) - fix TELNET option IAC injection (CVE-2023-27533) From be852f01b83d2cffb3d00130c44a6e74e5affdcb Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:26:50 +0100 Subject: [PATCH 016/120] Resolves: CVE-2023-27537 - fix HSTS double-free --- 0027-curl-7.87.0-CVE-2023-27537.patch | 40 +++++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 45 insertions(+) create mode 100644 0027-curl-7.87.0-CVE-2023-27537.patch diff --git a/0027-curl-7.87.0-CVE-2023-27537.patch b/0027-curl-7.87.0-CVE-2023-27537.patch new file mode 100644 index 0000000..df90d49 --- /dev/null +++ b/0027-curl-7.87.0-CVE-2023-27537.patch @@ -0,0 +1,40 @@ +From ed7451520fd1b5da62a5371c07db69bed36a5486 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 18:01:34 +0100 +Subject: [PATCH] CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe + +Reported-by: Hiroki Kurosawa +Closes #10732 + +Upstream-commit: dca4cdf071be095bcdc7126eaa77a8946ea4790b +Signed-off-by: Kamil Dudka +--- + docs/libcurl/opts/CURLSHOPT_SHARE.3 | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/docs/libcurl/opts/CURLSHOPT_SHARE.3 b/docs/libcurl/opts/CURLSHOPT_SHARE.3 +index b15af82..4544160 100644 +--- a/docs/libcurl/opts/CURLSHOPT_SHARE.3 ++++ b/docs/libcurl/opts/CURLSHOPT_SHARE.3 +@@ -57,8 +57,7 @@ implemented until 7.23.0. + Put the connection cache in the share object and make all easy handles using + this share object share the connection cache. + +-Note that due to a known bug, it is not safe to share connections this way +-between multiple concurrent threads. ++It is not supported to share connections between multiple concurrent threads. + + Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing only + get additional transfers added to them if the existing connection is held by +@@ -82,6 +81,8 @@ multi handle will share PSL cache by default without using this option. + .IP CURL_LOCK_DATA_HSTS + The in-memory HSTS cache. + ++It is not supported to share the HSTS between multiple concurrent threads. ++ + Added in 7.88.0 + .SH PROTOCOLS + All +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 6cd2a58..d33a3b3 100644 --- a/curl.spec +++ b/curl.spec @@ -34,6 +34,9 @@ Patch25: 0025-curl-7.87.0-CVE-2023-27535.patch # fix GSS delegation too eager connection re-use (CVE-2023-27536) Patch26: 0026-curl-7.87.0-CVE-2023-27536.patch +# fix HSTS double-free (CVE-2023-27537) +Patch27: 0027-curl-7.87.0-CVE-2023-27537.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -229,6 +232,7 @@ be installed. %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 # Fedora patches %patch101 -p1 @@ -464,6 +468,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.87.0-7 +- fix HSTS double-free (CVE-2023-27537) - fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) - fix SFTP path ~ resolving discrepancy (CVE-2023-27534) From a3bc8ee146d975e61a010a14029dce309989330c Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 24 Mar 2023 13:28:18 +0100 Subject: [PATCH 017/120] Resolves: CVE-2023-27538 - fix SSH connection too eager reuse still --- 0028-curl-7.87.0-CVE-2023-27538.patch | 30 +++++++++++++++++++++++++++ curl.spec | 5 +++++ 2 files changed, 35 insertions(+) create mode 100644 0028-curl-7.87.0-CVE-2023-27538.patch diff --git a/0028-curl-7.87.0-CVE-2023-27538.patch b/0028-curl-7.87.0-CVE-2023-27538.patch new file mode 100644 index 0000000..0fb2fe8 --- /dev/null +++ b/0028-curl-7.87.0-CVE-2023-27538.patch @@ -0,0 +1,30 @@ +From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 08:22:51 +0100 +Subject: [PATCH] url: fix the SSH connection reuse check + +Reported-by: Harry Sintonen +Closes #10735 + +Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb +Signed-off-by: Kamil Dudka +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index 0c31486..3b11b7e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1353,7 +1353,7 @@ ConnectionExists(struct Curl_easy *data, + continue; + + #ifdef USE_SSH +- else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index d33a3b3..fb4b8d9 100644 --- a/curl.spec +++ b/curl.spec @@ -37,6 +37,9 @@ Patch26: 0026-curl-7.87.0-CVE-2023-27536.patch # fix HSTS double-free (CVE-2023-27537) Patch27: 0027-curl-7.87.0-CVE-2023-27537.patch +# fix SSH connection too eager reuse still (CVE-2023-27538) +Patch28: 0028-curl-7.87.0-CVE-2023-27538.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -233,6 +236,7 @@ be installed. %patch25 -p1 %patch26 -p1 %patch27 -p1 +%patch28 -p1 # Fedora patches %patch101 -p1 @@ -468,6 +472,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Mar 24 2023 Kamil Dudka - 7.87.0-7 +- fix SSH connection too eager reuse still (CVE-2023-27538) - fix HSTS double-free (CVE-2023-27537) - fix GSS delegation too eager connection re-use (CVE-2023-27536) - fix FTP too eager connection reuse (CVE-2023-27535) From 7a1d94d30cbb5b05d30659355ea407955b49905b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 13:50:00 +0200 Subject: [PATCH 018/120] Resolves: #2185433 - cfilters: use the first non-connected filter --- 0003-curl-7.87.0-cfilters-ostree.patch | 40 ++++++++++++++++++++++++++ curl.spec | 9 +++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 0003-curl-7.87.0-cfilters-ostree.patch diff --git a/0003-curl-7.87.0-cfilters-ostree.patch b/0003-curl-7.87.0-cfilters-ostree.patch new file mode 100644 index 0000000..8f48861 --- /dev/null +++ b/0003-curl-7.87.0-cfilters-ostree.patch @@ -0,0 +1,40 @@ +From 4388f4af77c6741873062dc8da5c6cbcef2d5dfd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 26 Dec 2022 09:59:20 +0100 +Subject: [PATCH] cfilters:Curl_conn_get_select_socks: use the first + non-connected filter + +When there are filters addded for both socket and SSL, the code +previously checked the SSL sockets during connect when it *should* first +check the socket layer until that has connected. + +Fixes #10157 +Fixes #10146 +Closes #10160 + +Reviewed-by: Stefan Eissing + +Upstream-commit: 728400f875e845f72ee5602edb905f6301ade3e7 +Signed-off-by: Kamil Dudka +--- + lib/cfilters.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/cfilters.c b/lib/cfilters.c +index bcb33da..94471e8 100644 +--- a/lib/cfilters.c ++++ b/lib/cfilters.c +@@ -437,6 +437,10 @@ int Curl_conn_get_select_socks(struct Curl_easy *data, int sockindex, + DEBUGASSERT(data); + DEBUGASSERT(data->conn); + cf = data->conn->cfilter[sockindex]; ++ ++ /* if the next one is not yet connected, that's the one we want */ ++ while(cf && cf->next && !cf->next->connected) ++ cf = cf->next; + if(cf) { + return cf->cft->get_select_socks(cf, data, socks); + } +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index fb4b8d9..d8ebf77 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,6 +16,9 @@ Patch1: 0001-curl-7.87.0-header-file-regression.patch # tests: make sure gnuserv-tls has SRP support before using it Patch2: 0002-curl-7.87.0-tests-tls-srp.patch +# cfilters: use the first non-connected filter (#2185433) +Patch3: 0003-curl-7.87.0-cfilters-ostree.patch + # share HSTS between handles (CVE-2023-23915 CVE-2023-23914) Patch6: 0006-curl-7.87.0-hsts-CVEs.patch @@ -229,6 +232,7 @@ be installed. # upstream patches %patch1 -p1 %patch2 -p1 +%patch3 -p1 %patch6 -p1 %patch7 -p1 %patch23 -p1 @@ -471,6 +475,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Apr 21 2023 Kamil Dudka - 7.87.0-8 +- cfilters: use the first non-connected filter (#2185433) + * Fri Mar 24 2023 Kamil Dudka - 7.87.0-7 - fix SSH connection too eager reuse still (CVE-2023-27538) - fix HSTS double-free (CVE-2023-27537) From 449e5165fd459f6a380feebf4fa7aa913dd40519 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 14:32:13 +0200 Subject: [PATCH 019/120] curl.spec: apply patches automatically ... to ease maintenance and to avoid the following warning on Fedora Rawhide: ``` warning: %patchN is deprecated (4 usages found), use %patch N (or %patch -P N) ``` --- curl.spec | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/curl.spec b/curl.spec index e04b29c..86222da 100644 --- a/curl.spec +++ b/curl.spec @@ -200,15 +200,7 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%setup -q - -# upstream patches - -# Fedora patches -%patch101 -p1 -%patch102 -p1 -%patch103 -p1 -%patch104 -p1 +%autosetup -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 @@ -438,6 +430,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 +- apply patches automatically + * Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 - migrated to SPDX license From fb877acc4b669b7c8e1fcc51db02828928b42e12 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 14:41:58 +0200 Subject: [PATCH 020/120] curl.spec: forgot to bump release --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 86222da..8920deb 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc From 2d313d8a465f02f3fe191d2daccba00260c81ced Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 18:00:44 +0200 Subject: [PATCH 021/120] tests: attempt to fix a conflict on port numbers ... where stunnel listens for legacy HTTPS and HTTP/2, which manifests as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 1941 1945 2050 2055 3028 ``` [...] startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 RUN: HTTPS server is PID 114398 port 24642 * pid https => 114398 114402 [...] startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 startnew: child process has died, server might start up Warning: http2 server unexpectedly alive RUN: Process with pid 73992 signalled to die RUN: Process with pid 73992 forced to die with SIGKILL == Contents of files in the log/ dir after test 1630 === Start of file http2_server.log 14:01:21.881018 exit_signal_handler: 15 14:01:21.881372 signalled to die 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) === End of file http2_server.log === Start of file https2_stunnel.log [ ] Initializing inetd mode configuration [ ] Clients allowed=500 [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI [ ] errno: (*__errno_location ()) [ ] Initializing inetd mode configuration [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf [.] UTF-8 byte order mark not detected [.] FIPS mode disabled [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [curltest] [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly [ ] stunnel default security level set: 2 [ ] Ciphers: PROFILE=SYSTEM [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 [ ] TLS options: 0x2100000 (+0x0, -0x0) [ ] Session resumption enabled [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Private key check succeeded [!] No trusted certificates found [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 [ ] DH initialization [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Using dynamic DH parameters [ ] ECDH initialization [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 [.] Configuration successful [ ] Deallocating deployed section defaults [ ] Binding service [curltest] [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to :::24642: Address already in use (98) [!] Binding service [curltest] failed [ ] Unbinding service [curltest] [ ] Service [curltest] closed [ ] Deallocating deployed section defaults [ ] Deallocating section [curltest] [ ] Initializing inetd mode configuration === End of file https2_stunnel.log ``` --- 0105-curl-8.0.1-tests-stunnel-port.patch | 97 ++++++++++++++++++++++++ curl.spec | 4 + 2 files changed, 101 insertions(+) create mode 100644 0105-curl-8.0.1-tests-stunnel-port.patch diff --git a/0105-curl-8.0.1-tests-stunnel-port.patch b/0105-curl-8.0.1-tests-stunnel-port.patch new file mode 100644 index 0000000..47d1419 --- /dev/null +++ b/0105-curl-8.0.1-tests-stunnel-port.patch @@ -0,0 +1,97 @@ +From c9a1d18e5f8f28b90c1b2fcc1f15699327067e59 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 21 Apr 2023 17:44:10 +0200 +Subject: [PATCH] tests/runtests.pl: attempt to fix a conflict on port numbers + +... where stunnel listens for legacy HTTPS and HTTP/2, which manifests +as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 +1941 1945 2050 2055 3028 +``` +[...] +startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 +RUN: HTTPS server is PID 114398 port 24642 +* pid https => 114398 114402 +[...] +startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 +startnew: child process has died, server might start up +Warning: http2 server unexpectedly alive +RUN: Process with pid 73992 signalled to die +RUN: Process with pid 73992 forced to die with SIGKILL +== Contents of files in the log/ dir after test 1630 +=== Start of file http2_server.log + 14:01:21.881018 exit_signal_handler: 15 + 14:01:21.881372 signalled to die + 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) +=== End of file http2_server.log +=== Start of file https2_stunnel.log + [ ] Initializing inetd mode configuration + [ ] Clients allowed=500 + [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform + [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 + [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI + [ ] errno: (*__errno_location ()) + [ ] Initializing inetd mode configuration + [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf + [.] UTF-8 byte order mark not detected + [.] FIPS mode disabled + [ ] Compression disabled + [ ] No PRNG seeding was required + [ ] Initializing service [curltest] + [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. + [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly + [ ] stunnel default security level set: 2 + [ ] Ciphers: PROFILE=SYSTEM + [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 + [ ] TLS options: 0x2100000 (+0x0, -0x0) + [ ] Session resumption enabled + [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Private key check succeeded + [!] No trusted certificates found + [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 + [ ] DH initialization + [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Using dynamic DH parameters + [ ] ECDH initialization + [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 + [.] Configuration successful + [ ] Deallocating deployed section defaults + [ ] Binding service [curltest] + [ ] Listening file descriptor created (FD=8) + [ ] Setting accept socket options (FD=8) + [ ] Option SO_REUSEADDR set on accept socket + [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) + [ ] Listening file descriptor created (FD=8) + [ ] Setting accept socket options (FD=8) + [ ] Option SO_REUSEADDR set on accept socket + [.] Binding service [curltest] to :::24642: Address already in use (98) + [!] Binding service [curltest] failed + [ ] Unbinding service [curltest] + [ ] Service [curltest] closed + [ ] Deallocating deployed section defaults + [ ] Deallocating section [curltest] + [ ] Initializing inetd mode configuration +=== End of file https2_stunnel.log +``` +--- + tests/runtests.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 54f6923..bb362c9 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -1802,7 +1802,7 @@ sub runhttpsserver { + + my $pid2; + my $httpspid; +- my $port = 24512; # start attempt ++ my $port = 24512 * $idnum; # start attempt + for (1 .. 10) { + $port += int(rand(600)); + my $options = "$flags --accept $port"; +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 8920deb..dd121e1 100644 --- a/curl.spec +++ b/curl.spec @@ -22,6 +22,9 @@ Patch103: 0103-curl-7.87.0-test3012.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch +# tests: attempt to fix a conflict on port numbers +Patch105: 0105-curl-8.0.1-tests-stunnel-port.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -431,6 +434,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 +- tests: attempt to fix a conflict on port numbers - apply patches automatically * Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 From d8bddc669c31f8c84053cde2d4755501eac337b7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 18:01:25 +0200 Subject: [PATCH 022/120] tests: re-enable temporarily disabled test-cases --- curl.spec | 31 +++---------------------------- 1 file changed, 3 insertions(+), 28 deletions(-) diff --git a/curl.spec b/curl.spec index dd121e1..fbc8caa 100644 --- a/curl.spec +++ b/curl.spec @@ -205,35 +205,9 @@ be installed. %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed -# with errno 98: Address already in use' in Koji environment), and test 1801 +# disable test 1801 # -printf "1112\n1455\n1184\n1801\n" >> tests/data/DISABLED - -# disable test 1319 on ppc64 (server times out) -%ifarch ppc64 -echo "1319" >> tests/data/DISABLED -%endif - -# disable tests 320..322 on ppc64le where it started to hang/fail -%ifarch ppc64le -printf "320\n321\n322\n" >> tests/data/DISABLED -%endif - -# temporarily disable tests 582 and 1452 on s390x (client times out) -%ifarch s390x -printf "582\n1452\n" >> tests/data/DISABLED -%endif - -# temporarily disable tests 702 703 716 on armv7hl (#1829180) -%ifarch armv7hl -printf "702\n703\n716\n" >> tests/data/DISABLED -%endif - -# temporarily disable tests 300{0,1} on x86_64 (stunnel clashes with itself) -%ifarch x86_64 -printf "3000\n3001\n" >> tests/data/DISABLED -%endif +echo "1801" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -434,6 +408,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 +- tests: re-enable temporarily disabled test-cases - tests: attempt to fix a conflict on port numbers - apply patches automatically From 65d0dfbac54daa22d674f8009cd5895da8977417 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 17 Feb 2023 15:14:53 +0100 Subject: [PATCH 023/120] changelog: trim entries that predate curl-7.29.0 ... which RHEL-7 builds of curl are based on Closes: https://src.fedoraproject.org/rpms/curl/pull-request/16 --- curl.spec | 878 ------------------------------------------------------ 1 file changed, 878 deletions(-) diff --git a/curl.spec b/curl.spec index fbc8caa..b41cf59 100644 --- a/curl.spec +++ b/curl.spec @@ -1212,881 +1212,3 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la * Wed Feb 06 2013 Kamil Dudka 7.29.0-1 - new upstream release (fixes CVE-2013-0249) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-3 -- require valgrind for build only on i386 and x86_64 (#886891) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-2 -- prevent NSS from crashing on client auth hook failure -- clear session cache if a client cert from file is used -- fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE - -* Tue Nov 20 2012 Kamil Dudka 7.28.1-1 -- new upstream release - -* Wed Oct 31 2012 Kamil Dudka 7.28.0-1 -- new upstream release - -* Mon Oct 01 2012 Kamil Dudka 7.27.0-3 -- use the upstream facility to disable problematic tests -- do not crash if MD5 fingerprint is not provided by libssh2 - -* Wed Aug 01 2012 Kamil Dudka 7.27.0-2 -- eliminate unnecessary inotify events on upload via file protocol (#844385) - -* Sat Jul 28 2012 Kamil Dudka 7.27.0-1 -- new upstream release - -* Mon Jul 23 2012 Kamil Dudka 7.26.0-6 -- print reason phrase from HTTP status line on error (#676596) - -* Wed Jul 18 2012 Fedora Release Engineering - 7.26.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Sat Jun 09 2012 Kamil Dudka 7.26.0-4 -- fix duplicated SSL handshake with multi interface and proxy (#788526) - -* Wed May 30 2012 Karsten Hopp 7.26.0-3 -- disable test 1319 on ppc64, server times out - -* Mon May 28 2012 Kamil Dudka 7.26.0-2 -- use human-readable error messages provided by NSS (upstream commit 72f4b534) - -* Fri May 25 2012 Kamil Dudka 7.26.0-1 -- new upstream release - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- valgrind on ppc64 works fine, disable ppc32 only - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- drop BR valgrind on PPC(64) until bugzilla #810992 gets fixed - -* Fri Apr 13 2012 Kamil Dudka 7.25.0-2 -- use NSS_InitContext() to initialize NSS if available (#738456) -- provide human-readable names for NSS errors (upstream commit a60edcc6) - -* Fri Mar 23 2012 Paul Howarth 7.25.0-1 -- new upstream release (#806264) -- fix character encoding of docs with a patch rather than just iconv -- update debug and multilib patches -- don't use macros for commands -- reduce size of %%prep output for readability - -* Tue Jan 24 2012 Kamil Dudka 7.24.0-1 -- new upstream release (fixes CVE-2012-0036) - -* Thu Jan 05 2012 Paul Howarth 7.23.0-6 -- rebuild for gcc 4.7 - -* Mon Jan 02 2012 Kamil Dudka 7.23.0-5 -- upstream patch that allows to run FTPS tests with nss-3.13 (#760060) - -* Tue Dec 27 2011 Kamil Dudka 7.23.0-4 -- allow to run FTPS tests with nss-3.13 (#760060) - -* Sun Dec 25 2011 Kamil Dudka 7.23.0-3 -- avoid unnecessary timeout event when waiting for 100-continue (#767490) - -* Mon Nov 21 2011 Kamil Dudka 7.23.0-2 -- curl -JO now uses -O name if no C-D header comes (upstream commit c532604) - -* Wed Nov 16 2011 Kamil Dudka 7.23.0-1 -- new upstream release (#754391) - -* Mon Sep 19 2011 Kamil Dudka 7.22.0-2 -- nss: select client certificates by DER (#733657) - -* Tue Sep 13 2011 Kamil Dudka 7.22.0-1 -- new upstream release -- curl-config now provides dummy --static-libs option (#733956) - -* Sun Aug 21 2011 Paul Howarth 7.21.7-4 -- actually fix SIGSEGV of curl -O -J given more than one URL (#723075) - -* Mon Aug 15 2011 Kamil Dudka 7.21.7-3 -- fix SIGSEGV of curl -O -J given more than one URL (#723075) -- introduce the --delegation option of curl (#730444) -- initialize NSS with no database if the selected database is broken (#728562) - -* Wed Aug 03 2011 Kamil Dudka 7.21.7-2 -- add a new option CURLOPT_GSSAPI_DELEGATION (#719939) - -* Thu Jun 23 2011 Kamil Dudka 7.21.7-1 -- new upstream release (fixes CVE-2011-2192) - -* Wed Jun 08 2011 Kamil Dudka 7.21.6-2 -- avoid an invalid timeout event on a reused handle (#679709) - -* Sat Apr 23 2011 Paul Howarth 7.21.6-1 -- new upstream release - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-2 -- fix the output of curl-config --version (upstream commit 82ecc85) - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-1 -- new upstream release - -* Sat Apr 16 2011 Peter Robinson 7.21.4-4 -- no valgrind on ARMv5 arches - -* Sat Mar 05 2011 Dennis Gilmore 7.21.4-3 -- no valgrind on sparc arches - -* Tue Feb 22 2011 Kamil Dudka 7.21.4-2 -- do not ignore failure of SSL handshake (upstream commit 7aa2d10) - -* Fri Feb 18 2011 Kamil Dudka 7.21.4-1 -- new upstream release -- avoid memory leak on SSL connection failure (upstream commit a40f58d) -- work around valgrind bug (#678518) - -* Tue Feb 08 2011 Fedora Release Engineering - 7.21.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Wed Jan 12 2011 Kamil Dudka 7.21.3-2 -- build libcurl with --enable-hidden-symbols - -* Thu Dec 16 2010 Paul Howarth 7.21.3-1 -- update to 7.21.3: - - added --noconfigure switch to testcurl.pl - - added --xattr option - - added CURLOPT_RESOLVE and --resolve - - added CURLAUTH_ONLY - - added version-check.pl to the examples dir - - check for libcurl features for some command line options - - Curl_setopt: disallow CURLOPT_USE_SSL without SSL support - - http_chunks: remove debug output - - URL-parsing: consider ? a divider - - SSH: avoid using the libssh2_ prefix - - SSH: use libssh2_session_handshake() to work on win64 - - ftp: prevent server from hanging on closed data connection when stopping - a transfer before the end of the full transfer (ranges) - - LDAP: detect non-binary attributes properly - - ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT - - gnutls->handshake: improved timeout handling - - security: pass the right parameter to init - - krb5: use GSS_ERROR to check for error - - TFTP: resend the correct data - - configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected - - GnuTLS: now detects socket errors on Windows - - symbols-in-versions: updated en masse - - added a couple of examples that were missing from the tarball - - Curl_send/recv_plain: return errno on failure - - Curl_wait_for_resolv (for c-ares): correct timeout - - ossl_connect_common: detect connection re-use - - configure: prevent link errors with --librtmp - - openldap: use remote port in URL passed to ldap_init_fd() - - url: provide dead_connection flag in Curl_handler::disconnect - - lots of compiler warning fixes - - ssh: fix a download resume point calculation - - fix getinfo CURLINFO_LOCAL* for reused connections - - multi: the returned running handles counter could turn negative - - multi: only ever consider pipelining for connections doing HTTP(S) -- drop upstream patches now in tarball -- update bz650255 and disable-test1112 patches to apply against new codebase -- add workaround for false-positive glibc-detected buffer overflow in tftpd - test server with FORTIFY_SOURCE (similar to #515361) - -* Fri Nov 12 2010 Kamil Dudka 7.21.2-5 -- do not send QUIT to a dead FTP control connection (#650255) -- pull back glibc's implementation of str[n]casecmp(), #626470 appears fixed - -* Tue Nov 09 2010 Kamil Dudka 7.21.2-4 -- prevent FTP client from hanging on unrecognized ABOR response (#649347) -- return more appropriate error code in case FTP server session idle - timeout has exceeded (#650255) - -* Fri Oct 29 2010 Kamil Dudka 7.21.2-3 -- prevent FTP server from hanging on closed data connection (#643656) - -* Thu Oct 14 2010 Paul Howarth 7.21.2-2 -- enforce versioned libssh2 dependency for libcurl (#642796) - -* Wed Oct 13 2010 Kamil Dudka 7.21.2-1 -- new upstream release, drop applied patches -- make 0102-curl-7.21.2-debug.patch less intrusive - -* Wed Sep 29 2010 jkeating - 7.21.1-6 -- Rebuilt for gcc bug 634757 - -* Sat Sep 11 2010 Kamil Dudka 7.21.1-5 -- make it possible to run SCP/SFTP tests on x86_64 (#632914) - -* Tue Sep 07 2010 Kamil Dudka 7.21.1-4 -- work around glibc/valgrind problem on x86_64 (#631449) - -* Tue Aug 24 2010 Paul Howarth 7.21.1-3 -- fix up patches so there's no need to run autotools in the rpm build -- drop buildreq automake -- drop dependency on automake for devel package from F-14, where - %%{_datadir}/aclocal is included in the filesystem package -- drop dependency on pkgconfig for devel package from F-11, where - pkgconfig dependencies are auto-generated - -* Mon Aug 23 2010 Kamil Dudka 7.21.1-2 -- re-enable test575 on s390(x), already fixed (upstream commit d63bdba) -- modify system headers to work around gcc bug (#617757) -- curl -T now ignores file size of special files (#622520) -- fix kerberos proxy authentication for https (#625676) -- work around glibc/valgrind problem on x86_64 (#626470) - -* Thu Aug 12 2010 Kamil Dudka 7.21.1-1 -- new upstream release - -* Mon Jul 12 2010 Dan Horák 7.21.0-3 -- disable test 575 on s390(x) - -* Mon Jun 28 2010 Kamil Dudka 7.21.0-2 -- add support for NTLM authentication (#603783) - -* Wed Jun 16 2010 Kamil Dudka 7.21.0-1 -- new upstream release, drop applied patches -- update of %%description -- disable valgrind for certain test-cases (libssh2 problem) - -* Tue May 25 2010 Kamil Dudka 7.20.1-6 -- fix -J/--remote-header-name to strip CR-LF (upstream patch) - -* Wed Apr 28 2010 Kamil Dudka 7.20.1-5 -- CRL support now works again (#581926) -- make it possible to start a testing OpenSSH server when building with SELinux - in the enforcing mode (#521087) - -* Sat Apr 24 2010 Kamil Dudka 7.20.1-4 -- upstream patch preventing failure of test536 with threaded DNS resolver -- upstream patch preventing SSL handshake timeout underflow - -* Thu Apr 22 2010 Paul Howarth 7.20.1-3 -- replace Rawhide s390-sleep patch with a more targeted patch adding a - delay after tests 513 and 514 rather than after all tests - -* Wed Apr 21 2010 Kamil Dudka 7.20.1-2 -- experimentally enabled threaded DNS lookup -- make curl-config multilib ready again (#584107) - -* Mon Apr 19 2010 Kamil Dudka 7.20.1-1 -- new upstream release - -* Tue Mar 23 2010 Kamil Dudka 7.20.0-4 -- add missing quote in libcurl.m4 (#576252) - -* Fri Mar 19 2010 Kamil Dudka 7.20.0-3 -- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972) -- valgrind temporarily disabled (#574889) -- kerberos installation prefix has been changed - -* Wed Feb 24 2010 Kamil Dudka 7.20.0-2 -- exclude test1112 from the test suite (#565305) - -* Thu Feb 11 2010 Kamil Dudka 7.20.0-1 -- new upstream release - added support for IMAP(S), POP3(S), SMTP(S) and RTSP -- dropped patches applied upstream -- dropped curl-7.16.0-privlibs.patch no longer useful -- a new patch forcing -lrt when linking the curl tool and test-cases - -* Fri Jan 29 2010 Kamil Dudka 7.19.7-11 -- upstream patch adding a new option -J/--remote-header-name -- dropped temporary workaround for #545779 - -* Thu Jan 14 2010 Chris Weyl 7.19.7-10 -- bump for libssh2 rebuild - -* Sun Dec 20 2009 Kamil Dudka 7.19.7-9 -- temporary workaround for #548269 - (restored behavior of 7.19.7-4) - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-8 -- replace hard wired port numbers in the test suite - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-7 -- use different port numbers for 32bit and 64bit builds -- temporary workaround for #545779 - -* Tue Dec 08 2009 Kamil Dudka 7.19.7-6 -- make it possible to run test241 -- re-enable SCP/SFTP tests (#539444) - -* Sat Dec 05 2009 Kamil Dudka 7.19.7-5 -- avoid use of uninitialized value in lib/nss.c -- suppress failure of test513 on s390 - -* Tue Dec 01 2009 Kamil Dudka 7.19.7-4 -- do not require valgrind on s390 and s390x -- temporarily disabled SCP/SFTP test-suite (#539444) - -* Thu Nov 12 2009 Kamil Dudka 7.19.7-3 -- fix crash on doubly closed NSPR descriptor, patch contributed - by Kevin Baughman (#534176) -- new version of patch for broken TLS servers (#525496, #527771) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-2 -- increased release number (CVS problem) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-1 -- new upstream release, dropped applied patches -- workaround for broken TLS servers (#525496, #527771) - -* Wed Oct 14 2009 Kamil Dudka 7.19.6-13 -- fix timeout issues and gcc warnings within lib/nss.c - -* Tue Oct 06 2009 Kamil Dudka 7.19.6-12 -- upstream patch for NSS support written by Guenter Knauf - -* Wed Sep 30 2009 Kamil Dudka 7.19.6-11 -- build libcurl with c-ares support (#514771) - -* Sun Sep 27 2009 Kamil Dudka 7.19.6-10 -- require libssh2>=1.2 properly (#525002) - -* Sat Sep 26 2009 Kamil Dudka 7.19.6-9 -- let curl test-suite use valgrind -- require libssh2>=1.2 (#525002) - -* Mon Sep 21 2009 Chris Weyl - 7.19.6-8 -- rebuild for libssh2 1.2 - -* Thu Sep 17 2009 Kamil Dudka 7.19.6-7 -- make curl test-suite more verbose - -* Wed Sep 16 2009 Kamil Dudka 7.19.6-6 -- update polling patch to the latest upstream version - -* Thu Sep 03 2009 Kamil Dudka 7.19.6-5 -- cover ssh and stunnel support by the test-suite - -* Wed Sep 02 2009 Kamil Dudka 7.19.6-4 -- use pkg-config to find nss and libssh2 if possible -- better patch (not only) for SCP/SFTP polling -- improve error message for not matching common name (#516056) - -* Fri Aug 21 2009 Kamil Dudka 7.19.6-3 -- avoid tight loop during a sftp upload -- http://permalink.gmane.org/gmane.comp.web.curl.library/24744 - -* Tue Aug 18 2009 Kamil Dudka 7.19.6-2 -- let curl package depend on the same version of libcurl - -* Fri Aug 14 2009 Kamil Dudka 7.19.6-1 -- new upstream release, dropped applied patches -- changed NSS code to not ignore the value of ssl.verifyhost and produce more - verbose error messages (#516056) - -* Wed Aug 12 2009 Ville Skyttä - 7.19.5-10 -- Use lzma compressed upstream tarball. - -* Fri Jul 24 2009 Fedora Release Engineering - 7.19.5-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Wed Jul 22 2009 Kamil Dudka 7.19.5-8 -- do not pre-login to all PKCS11 slots, it causes problems with HW tokens -- try to select client certificate automatically when not specified, thanks - to Claes Jakobsson - -* Fri Jul 10 2009 Kamil Dudka 7.19.5-7 -- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson - -* Sun Jul 05 2009 Kamil Dudka 7.19.5-6 -- force test suite to use the just built libcurl, thanks to Paul Howarth - -* Thu Jul 02 2009 Kamil Dudka 7.19.5-5 -- run test suite after build -- enable built-in manual - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-4 -- fix bug introduced by the last build (#504857) - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-3 -- exclude curlbuild.h content from spec (#504857) - -* Wed Jun 10 2009 Kamil Dudka 7.19.5-2 -- avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857) - -* Tue May 19 2009 Kamil Dudka 7.19.5-1 -- update to 7.19.5, dropped applied patches - -* Mon May 11 2009 Kamil Dudka 7.19.4-11 -- fix infinite loop while loading a private key, thanks to Michael Cronenworth - (#453612) - -* Mon Apr 27 2009 Kamil Dudka 7.19.4-10 -- fix curl/nss memory leaks while using client certificate (#453612, accepted - by upstream) - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-9 -- add missing BuildRequire for autoconf - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-8 -- fix configure.ac to not discard -g in CFLAGS (#496778) - -* Tue Apr 21 2009 Debarshi Ray 7.19.4-7 -- Fixed configure to respect the environment's CFLAGS and CPPFLAGS settings. - -* Tue Apr 14 2009 Kamil Dudka 7.19.4-6 -- upstream patch fixing memory leak in lib/nss.c (#453612) -- remove redundant dependency of libcurl-devel on libssh2-devel - -* Wed Mar 18 2009 Kamil Dudka 7.19.4-5 -- enable 6 additional crypto algorithms by default (#436781, - accepted by upstream) - -* Thu Mar 12 2009 Kamil Dudka 7.19.4-4 -- fix memory leak in src/main.c (accepted by upstream) -- avoid using %%ifarch - -* Wed Mar 11 2009 Kamil Dudka 7.19.4-3 -- make libcurl-devel multilib-ready (bug #488922) - -* Fri Mar 06 2009 Jindrich Novy 7.19.4-2 -- drop .easy-leak patch, causes problems in pycurl (#488791) -- fix libcurl-devel dependencies (#488895) - -* Tue Mar 03 2009 Jindrich Novy 7.19.4-1 -- update to 7.19.4 (fixes CVE-2009-0037) -- fix leak in curl_easy* functions, thanks to Kamil Dudka -- drop nss-fix patch, applied upstream - -* Tue Feb 24 2009 Fedora Release Engineering - 7.19.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 17 2009 Kamil Dudka 7.19.3-1 -- update to 7.19.3, dropped applied nss patches -- add patch fixing 7.19.3 curl/nss bugs - -* Mon Dec 15 2008 Jindrich Novy 7.18.2-9 -- rebuild for f10/rawhide cvs tag clashes - -* Sat Dec 06 2008 Jindrich Novy 7.18.2-8 -- use improved NSS patch, thanks to Rob Crittenden (#472489) - -* Tue Sep 09 2008 Jindrich Novy 7.18.2-7 -- update the thread safety patch, thanks to Rob Crittenden (#462217) - -* Wed Sep 03 2008 Warren Togami 7.18.2-6 -- add thread safety to libcurl NSS cleanup() functions (#459297) - -* Fri Aug 22 2008 Tom "spot" Callaway 7.18.2-5 -- undo mini libcurl.so.3 - -* Mon Aug 11 2008 Tom "spot" Callaway 7.18.2-4 -- make miniature library for libcurl.so.3 - -* Fri Jul 4 2008 Jindrich Novy 7.18.2-3 -- enable support for libssh2 (#453958) - -* Wed Jun 18 2008 Jindrich Novy 7.18.2-2 -- fix curl_multi_perform() over a proxy (#450140), thanks to - Rob Crittenden - -* Wed Jun 4 2008 Jindrich Novy 7.18.2-1 -- update to 7.18.2 - -* Wed May 7 2008 Jindrich Novy 7.18.1-2 -- spec cleanup, thanks to Paul Howarth (#225671) - - drop BR: libtool - - convert CHANGES and README to UTF-8 - - _GNU_SOURCE in CFLAGS is no more needed - - remove bogus rpath - -* Mon Mar 31 2008 Jindrich Novy 7.18.1-1 -- update to curl 7.18.1 (fixes #397911) -- add ABI docs for libcurl -- remove --static-libs from curl-config -- drop curl-config patch, obsoleted by @SSL_ENABLED@ autoconf - substitution (#432667) - -* Fri Feb 15 2008 Jindrich Novy 7.18.0-2 -- define _GNU_SOURCE so that NI_MAXHOST gets defined from glibc - -* Mon Jan 28 2008 Jindrich Novy 7.18.0-1 -- update to curl-7.18.0 -- drop sslgen patch -> applied upstream -- fix typo in description - -* Tue Jan 22 2008 Jindrich Novy 7.17.1-6 -- fix curl-devel obsoletes so that we don't break F8->F9 upgrade - path (#429612) - -* Tue Jan 8 2008 Jindrich Novy 7.17.1-5 -- do not attempt to close a bad socket (#427966), - thanks to Caolan McNamara - -* Tue Dec 4 2007 Jindrich Novy 7.17.1-4 -- rebuild because of the openldap soname bump -- remove old nsspem patch - -* Fri Nov 30 2007 Jindrich Novy 7.17.1-3 -- drop useless ldap library detection since curl doesn't - dlopen()s it but links to it -> BR: openldap-devel -- enable LDAPS support (#225671), thanks to Paul Howarth -- BR: krb5-devel to reenable GSSAPI support -- simplify build process -- update description - -* Wed Nov 21 2007 Jindrich Novy 7.17.1-2 -- update description to contain complete supported servers list (#393861) - -* Sat Nov 17 2007 Jindrich Novy 7.17.1-1 -- update to curl 7.17.1 -- include patch to enable SSL usage in NSS when a socket is opened - nonblocking, thanks to Rob Crittenden (rcritten@redhat.com) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-10 -- correctly provide/obsolete curl-devel (#130251) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-9 -- create libcurl and libcurl-devel subpackages (#130251) - -* Thu Oct 11 2007 Jindrich Novy 7.16.4-8 -- list features correctly when curl is compiled against NSS (#316191) - -* Mon Sep 17 2007 Jindrich Novy 7.16.4-7 -- add zlib-devel BR to enable gzip compressed transfers in curl (#292211) - -* Mon Sep 10 2007 Jindrich Novy 7.16.4-6 -- provide webclient (#225671) - -* Thu Sep 6 2007 Jindrich Novy 7.16.4-5 -- add support for the NSS PKCS#11 pem reader so the command-line is the - same for both OpenSSL and NSS by Rob Crittenden (rcritten@redhat.com) -- switch to NSS again - -* Mon Sep 3 2007 Jindrich Novy 7.16.4-4 -- revert back to use OpenSSL (#266021) - -* Mon Aug 27 2007 Jindrich Novy 7.16.4-3 -- don't use openssl, use nss instead - -* Fri Aug 10 2007 Jindrich Novy 7.16.4-2 -- fix anonymous ftp login (#251570), thanks to David Cantrell - -* Wed Jul 11 2007 Jindrich Novy 7.16.4-1 -- update to 7.16.4 - -* Mon Jun 25 2007 Jindrich Novy 7.16.3-1 -- update to 7.16.3 -- drop .print patch, applied upstream -- next series of merge review fixes by Paul Howarth -- remove aclocal stuff, no more needed -- simplify makefile arguments -- don't reference standard library paths in libcurl.pc -- include docs/CONTRIBUTE - -* Mon Jun 18 2007 Jindrich Novy 7.16.2-5 -- don't print like crazy (#236981), backported from upstream CVS - -* Fri Jun 15 2007 Jindrich Novy 7.16.2-4 -- another series of review fixes (#225671), - thanks to Paul Howarth -- check version of ldap library automatically -- don't use %%makeinstall and preserve timestamps -- drop useless patches - -* Fri May 11 2007 Jindrich Novy 7.16.2-3 -- add automake BR to curl-devel to fix aclocal dir. ownership, - thanks to Patrice Dumas - -* Thu May 10 2007 Jindrich Novy 7.16.2-2 -- package libcurl.m4 in curl-devel (#239664), thanks to Quy Tonthat - -* Wed Apr 11 2007 Jindrich Novy 7.16.2-1 -- update to 7.16.2 - -* Mon Feb 19 2007 Jindrich Novy 7.16.1-3 -- don't create/ship static libraries (#225671) - -* Mon Feb 5 2007 Jindrich Novy 7.16.1-2 -- merge review related spec fixes (#225671) - -* Mon Jan 29 2007 Jindrich Novy 7.16.1-1 -- update to 7.16.1 - -* Tue Jan 16 2007 Jindrich Novy 7.16.0-5 -- don't package generated makefiles for docs/examples to avoid - multilib conflicts - -* Mon Dec 18 2006 Jindrich Novy 7.16.0-4 -- convert spec to UTF-8 -- don't delete BuildRoot in %%prep phase -- rpmlint fixes - -* Thu Nov 16 2006 Jindrich Novy -7.16.0-3 -- prevent curl from dlopen()ing missing ldap libraries so that - ldap:// requests work (#215928) - -* Tue Oct 31 2006 Jindrich Novy - 7.16.0-2 -- fix BuildRoot -- add Requires: pkgconfig for curl-devel -- move LDFLAGS and LIBS to Libs.private in libcurl.pc.in (#213278) - -* Mon Oct 30 2006 Jindrich Novy - 7.16.0-1 -- update to curl-7.16.0 - -* Thu Aug 24 2006 Jindrich Novy - 7.15.5-1.fc6 -- update to curl-7.15.5 -- use %%{?dist} - -* Fri Jun 30 2006 Ivana Varekova - 7.15.4-1 -- update to 7.15.4 - -* Mon Mar 20 2006 Ivana Varekova - 7.15.3-1 -- fix multilib problem using pkg-config -- update to 7.15.3 - -* Thu Feb 23 2006 Ivana Varekova - 7.15.1-2 -- fix multilib problem - #181290 - - curl-devel.i386 not installable together with curl-devel.x86-64 - -* Fri Feb 10 2006 Jesse Keating - 7.15.1-1.2.1 -- bump again for double-long bug on ppc(64) - -* Tue Feb 07 2006 Jesse Keating - 7.15.1-1.2 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Fri Dec 09 2005 Jesse Keating -- rebuilt - -* Thu Dec 8 2005 Ivana Varekova 7.15.1-1 -- update to 7.15.1 (bug 175191) - -* Wed Nov 30 2005 Ivana Varekova 7.15.0-3 -- fix curl-config bug 174556 - missing vernum value - -* Wed Nov 9 2005 Ivana Varekova 7.15.0-2 -- rebuilt - -* Tue Oct 18 2005 Ivana Varekova 7.15.0-1 -- update to 7.15.0 - -* Thu Oct 13 2005 Ivana Varekova 7.14.1-1 -- update to 7.14.1 - -* Thu Jun 16 2005 Ivana Varekova 7.14.0-1 -- rebuild new version - -* Tue May 03 2005 Ivana Varekova 7.13.1-3 -- fix bug 150768 - curl-7.12.3-2 breaks basic authentication - used Daniel Stenberg patch - -* Mon Apr 25 2005 Joe Orton 7.13.1-2 -- update to use ca-bundle in /etc/pki -- mark License as MIT not MPL - -* Wed Mar 9 2005 Ivana Varekova 7.13.1-1 -- rebuilt (7.13.1) - -* Tue Mar 1 2005 Tomas Mraz 7.13.0-2 -- rebuild with openssl-0.9.7e - -* Sun Feb 13 2005 Florian La Roche -- 7.13.0 - -* Wed Feb 9 2005 Joe Orton 7.12.3-3 -- don't pass /usr to --with-libidn to remove "-L/usr/lib" from - 'curl-config --libs' output on x86_64. - -* Fri Jan 28 2005 Adrian Havill 7.12.3-1 -- Upgrade to 7.12.3, which uses poll() for FDSETSIZE limit (#134794) -- require libidn-devel for devel subpkg (#141341) -- remove proftpd kludge; included upstream - -* Wed Oct 06 2004 Adrian Havill 7.12.1-1 -- upgrade to 7.12.1 -- enable GSSAPI auth (#129353) -- enable I18N domain names (#134595) -- workaround for broken ProFTPD SSL auth (#134133). Thanks to - Aleksandar Milivojevic - -* Wed Sep 29 2004 Adrian Havill 7.12.0-4 -- move new docs position so defattr gets applied - -* Mon Sep 27 2004 Warren Togami 7.12.0-3 -- remove INSTALL, move libcurl docs to -devel - -* Mon Jul 26 2004 Jindrich Novy -- updated to 7.12.0 -- updated nousr patch - -* Tue Jun 15 2004 Elliot Lee -- rebuilt - -* Wed Apr 07 2004 Adrian Havill 7.11.1-1 -- upgraded; updated nousr patch -- added COPYING (#115956) -- - -* Tue Mar 02 2004 Elliot Lee -- rebuilt - -* Fri Feb 13 2004 Elliot Lee -- rebuilt - -* Sat Jan 31 2004 Florian La Roche -- update to 7.10.8 -- remove patch2, already upstream - -* Wed Oct 15 2003 Adrian Havill 7.10.6-7 -- aclocal before libtoolize -- move OpenLDAP license so it's present as a doc file, present in - both the source and binary as per conditions - -* Mon Oct 13 2003 Adrian Havill 7.10.6-6 -- add OpenLDAP copyright notice for usage of code, add OpenLDAP - license for this code - -* Tue Oct 07 2003 Adrian Havill 7.10.6-5 -- match serverAltName certs with SSL (#106168) - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4.1 -- bump n-v-r for RHEL - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4 -- restore ca cert bundle (#104400) -- require openssl, we want to use its ca-cert bundle - -* Sun Sep 7 2003 Joe Orton 7.10.6-3 -- rebuild - -* Fri Sep 5 2003 Joe Orton 7.10.6-2.2 -- fix to include libcurl.so - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2.1 -- bump n-v-r for RHEL - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2 -- devel subpkg needs openssl-devel as a Require (#102963) - -* Mon Jul 28 2003 Adrian Havill 7.10.6-1 -- bumped version - -* Tue Jul 01 2003 Adrian Havill 7.10.5-1 -- bumped version - -* Wed Jun 04 2003 Elliot Lee -- rebuilt - -* Sat Apr 12 2003 Florian La Roche -- update to 7.10.4 -- adapt nousr patch - -* Wed Jan 22 2003 Tim Powers -- rebuilt - -* Tue Jan 21 2003 Joe Orton 7.9.8-4 -- don't add -L/usr/lib to 'curl-config --libs' output - -* Tue Jan 7 2003 Nalin Dahyabhai 7.9.8-3 -- rebuild - -* Wed Nov 6 2002 Joe Orton 7.9.8-2 -- fix `curl-config --libs` output for libdir!=/usr/lib -- remove docs/LIBCURL from docs list; remove unpackaged libcurl.la -- libtoolize and reconf - -* Mon Jul 22 2002 Trond Eivind Glomsrød 7.9.8-1 -- 7.9.8 (# 69473) - -* Fri Jun 21 2002 Tim Powers -- automated rebuild - -* Sun May 26 2002 Tim Powers -- automated rebuild - -* Thu May 16 2002 Trond Eivind Glomsrød 7.9.7-1 -- 7.9.7 - -* Wed Apr 24 2002 Trond Eivind Glomsrød 7.9.6-1 -- 7.9.6 - -* Thu Mar 21 2002 Trond Eivind Glomsrød 7.9.5-2 -- Stop the curl-config script from printing -I/usr/include - and -L/usr/lib (#59497) - -* Fri Mar 8 2002 Trond Eivind Glomsrød 7.9.5-1 -- 7.9.5 - -* Tue Feb 26 2002 Trond Eivind Glomsrød 7.9.3-2 -- Rebuild - -* Wed Jan 23 2002 Nalin Dahyabhai 7.9.3-1 -- update to 7.9.3 - -* Wed Jan 09 2002 Tim Powers 7.9.2-2 -- automated rebuild - -* Wed Jan 9 2002 Trond Eivind Glomsrød 7.9.2-1 -- 7.9.2 - -* Fri Aug 17 2001 Nalin Dahyabhai -- include curl-config in curl-devel -- update to 7.8 to fix memory leak and strlcat() symbol pollution from libcurl - -* Wed Jul 18 2001 Crutcher Dunnavant -- added openssl-devel build req - -* Mon May 21 2001 Tim Powers -- built for the distro - -* Tue Apr 24 2001 Jeff Johnson -- upgrade to curl-7.7.2. -- enable IPv6. - -* Fri Mar 2 2001 Tim Powers -- rebuilt against openssl-0.9.6-1 - -* Thu Jan 4 2001 Tim Powers -- fixed mising ldconfigs -- updated to 7.5.2, bug fixes - -* Mon Dec 11 2000 Tim Powers -- updated to 7.5.1 - -* Mon Nov 6 2000 Tim Powers -- update to 7.4.1 to fix bug #20337, problems with curl -c -- not using patch anymore, it's included in the new source. Keeping - for reference - -* Fri Oct 20 2000 Nalin Dahyabhai -- fix bogus req in -devel package - -* Fri Oct 20 2000 Tim Powers -- devel package needed defattr so that root owns the files - -* Mon Oct 16 2000 Nalin Dahyabhai -- update to 7.3 -- apply vsprintf/vsnprintf patch from Colin Phipps via Debian - -* Mon Aug 21 2000 Nalin Dahyabhai -- enable SSL support -- fix packager tag -- move buildroot to %%{_tmppath} - -* Tue Aug 1 2000 Tim Powers -- fixed vendor tag for bug #15028 - -* Mon Jul 24 2000 Prospector -- rebuilt - -* Tue Jul 11 2000 Tim Powers -- workaround alpha build problems with optimizations - -* Mon Jul 10 2000 Tim Powers -- rebuilt - -* Mon Jun 5 2000 Tim Powers -- put man pages in correct place -- use %%makeinstall - -* Mon Apr 24 2000 Tim Powers -- updated to 6.5.2 - -* Wed Nov 3 1999 Tim Powers -- updated sources to 6.2 -- gzip man page - -* Mon Aug 30 1999 Tim Powers -- changed group - -* Thu Aug 26 1999 Tim Powers -- changelog started -- general cleanups, changed prefix to /usr, added manpage to files section -- including in Powertools From 472ff9ff394deee558414aea9cd405309e2642b9 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 3 May 2023 13:48:50 +0200 Subject: [PATCH 024/120] Resolves: #2192665 - vtls: fix hostname handling in filters --- 0008-curl-7.87.0-vtls-hostname.patch | 177 +++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 185 insertions(+), 1 deletion(-) create mode 100644 0008-curl-7.87.0-vtls-hostname.patch diff --git a/0008-curl-7.87.0-vtls-hostname.patch b/0008-curl-7.87.0-vtls-hostname.patch new file mode 100644 index 0000000..24d6a31 --- /dev/null +++ b/0008-curl-7.87.0-vtls-hostname.patch @@ -0,0 +1,177 @@ +From d12c233950e22052a8541abd69565772c13f832e Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Tue, 17 Jan 2023 11:21:29 +0100 +Subject: [PATCH] vtls: fix hostname handling in filters + +- Copy the hostname and dispname to ssl_connect_data. + +Use a copy instead of referencing the `connectdata` instance since this +may get free'ed on connection reuse. + +Reported-by: Stefan Talpalaru +Reported-by: sergio-nsk@users.noreply.github.com + +Fixes https://github.com/curl/curl/issues/10273 +Fixes https://github.com/curl/curl/issues/10309 + +Closes https://github.com/curl/curl/pull/10310 + +Upstream-commit: f8da4f2f2d0451dc0a126ae3e5077b4527ccdc86 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 14 ++++++++++ + lib/vtls/vtls.c | 66 ++++++++++++++++++++++++++++++--------------- + lib/vtls/vtls_int.h | 4 +-- + 3 files changed, 61 insertions(+), 23 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index cbbc7f3..5192204 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -3406,6 +3406,20 @@ static void reuse_conn(struct Curl_easy *data, + } + #endif + ++ /* Finding a connection for reuse in the cache matches, among other ++ * things on the "remote-relevant" hostname. This is not necessarily ++ * the authority of the URL, e.g. conn->host. For example: ++ * - we use a proxy (not tunneling). we want to send all requests ++ * that use the same proxy on this connection. ++ * - we have a "connect-to" setting that may redirect the hostname of ++ * a new request to the same remote endpoint of an existing conn. ++ * We want to reuse an existing conn to the remote endpoint. ++ * Since connection reuse does not match on conn->host necessarily, we ++ * switch `existing` conn to `temp` conn's host settings. ++ * TODO: is this correct in the case of TLS connections that have ++ * used the original hostname in SNI to negotiate? Do we send ++ * requests for another host through the different SNI? ++ */ + Curl_free_idnconverted_hostname(&existing->host); + Curl_free_idnconverted_hostname(&existing->conn_to_host); + Curl_safefree(existing->host.rawalloc); +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 873ee6b..c7ec77a 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -1430,47 +1430,71 @@ CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name, + + #ifdef USE_SSL + ++static void free_hostname(struct ssl_connect_data *connssl) ++{ ++ if(connssl->dispname != connssl->hostname) ++ free(connssl->dispname); ++ free(connssl->hostname); ++ connssl->hostname = connssl->dispname = NULL; ++} ++ + static void cf_close(struct Curl_cfilter *cf, struct Curl_easy *data) + { + struct ssl_connect_data *connssl = cf->ctx; +- /* TODO: close_one closes BOTH conn->ssl AND conn->proxy_ssl for this +- * sockindex (if in use). Gladly, it is safe to call more than once. */ + if(connssl) { + Curl_ssl->close(cf, data); + connssl->state = ssl_connection_none; ++ free_hostname(connssl); + } + cf->connected = FALSE; + } + +-static void reinit_hostname(struct Curl_cfilter *cf) ++static CURLcode reinit_hostname(struct Curl_cfilter *cf) + { + struct ssl_connect_data *connssl = cf->ctx; ++ const char *ehostname, *edispname; ++ int eport; + ++ /* We need the hostname for SNI negotiation. Once handshaked, this ++ * remains the SNI hostname for the TLS connection. But when the ++ * connection is reused, the settings in cf->conn might change. ++ * So we keep a copy of the hostname we use for SNI. ++ */ + #ifndef CURL_DISABLE_PROXY + if(Curl_ssl_cf_is_proxy(cf)) { +- /* TODO: there is not definition for a proxy setup on a secondary conn */ +- connssl->hostname = cf->conn->http_proxy.host.name; +- connssl->dispname = cf->conn->http_proxy.host.dispname; +- connssl->port = cf->conn->http_proxy.port; ++ ehostname = cf->conn->http_proxy.host.name; ++ edispname = cf->conn->http_proxy.host.dispname; ++ eport = cf->conn->http_proxy.port; + } + else + #endif + { +- /* TODO: secondaryhostname is set to the IP address we connect to +- * in the FTP handler, it is assumed that host verification uses the +- * hostname from FIRSTSOCKET */ +- if(cf->sockindex == SECONDARYSOCKET && 0) { +- connssl->hostname = cf->conn->secondaryhostname; +- connssl->dispname = connssl->hostname; +- connssl->port = cf->conn->secondary_port; ++ ehostname = cf->conn->host.name; ++ edispname = cf->conn->host.dispname; ++ eport = cf->conn->remote_port; ++ } ++ ++ /* change if ehostname changed */ ++ if(ehostname && (!connssl->hostname ++ || strcmp(ehostname, connssl->hostname))) { ++ free_hostname(connssl); ++ connssl->hostname = strdup(ehostname); ++ if(!connssl->hostname) { ++ free_hostname(connssl); ++ return CURLE_OUT_OF_MEMORY; + } ++ if(!edispname || !strcmp(ehostname, edispname)) ++ connssl->dispname = connssl->hostname; + else { +- connssl->hostname = cf->conn->host.name; +- connssl->dispname = cf->conn->host.dispname; +- connssl->port = cf->conn->remote_port; ++ connssl->dispname = strdup(edispname); ++ if(!connssl->dispname) { ++ free_hostname(connssl); ++ return CURLE_OUT_OF_MEMORY; ++ } + } + } +- DEBUGASSERT(connssl->hostname); ++ connssl->port = eport; ++ return CURLE_OK; + } + + static void ssl_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data) +@@ -1513,10 +1537,10 @@ static CURLcode ssl_cf_connect(struct Curl_cfilter *cf, + if(result || !*done) + goto out; + +- /* TODO: right now we do not fully control when hostname is set, +- * assign it on each connect call. */ +- reinit_hostname(cf); + *done = FALSE; ++ result = reinit_hostname(cf); ++ if(result) ++ goto out; + + if(blocking) { + result = ssl_connect(cf, data); +diff --git a/lib/vtls/vtls_int.h b/lib/vtls/vtls_int.h +index 6710a2b..010c20b 100644 +--- a/lib/vtls/vtls_int.h ++++ b/lib/vtls/vtls_int.h +@@ -33,8 +33,8 @@ + struct ssl_connect_data { + ssl_connection_state state; + ssl_connect_state connecting_state; +- const char *hostname; /* hostnaem for verification */ +- const char *dispname; /* display version of hostname */ ++ char *hostname; /* hostname for verification */ ++ char *dispname; /* display version of hostname */ + int port; /* remote port at origin */ + struct ssl_backend_data *backend; /* vtls backend specific props */ + struct Curl_easy *call_data; /* data handle used in current call, +-- +2.40.1 + diff --git a/curl.spec b/curl.spec index d8ebf77..21fd2a8 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 8%{?dist} +Release: 9%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,9 @@ Patch6: 0006-curl-7.87.0-hsts-CVEs.patch # fix HTTP multi-header compression denial of service (CVE-2023-23916) Patch7: 0007-curl-7.87.0-CVE-2023-23916.patch +# vtls: fix hostname handling in filters (#2192665) +Patch8: 0008-curl-7.87.0-vtls-hostname.patch + # fix TELNET option IAC injection (CVE-2023-27533) Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch @@ -235,6 +238,7 @@ be installed. %patch3 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %patch23 -p1 %patch24 -p1 %patch25 -p1 @@ -475,6 +479,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 03 2023 Kamil Dudka - 7.87.0-9 +- vtls: fix hostname handling in filters (#2192665) + * Fri Apr 21 2023 Kamil Dudka - 7.87.0-8 - cfilters: use the first non-connected filter (#2185433) From 23fee3d38607b49d63fbbc7e2f374f489b7be184 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 3 May 2023 15:41:31 +0200 Subject: [PATCH 025/120] Resolves: #2192665 - http_proxy: fix memory corruption with http proxy tunneling --- curl.spec | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 21fd2a8..9b139d7 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -28,6 +28,9 @@ Patch7: 0007-curl-7.87.0-CVE-2023-23916.patch # vtls: fix hostname handling in filters (#2192665) Patch8: 0008-curl-7.87.0-vtls-hostname.patch +# http_proxy: fix memory corruption with http proxy tunneling (#2192665) +Patch9: 0009-curl-7.87.0-http-proxy.patch + # fix TELNET option IAC injection (CVE-2023-27533) Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch @@ -239,6 +242,7 @@ be installed. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %patch23 -p1 %patch24 -p1 %patch25 -p1 @@ -479,6 +483,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 03 2023 Kamil Dudka - 7.87.0-10 +- http_proxy: fix memory corruption with http proxy tunneling (#2192665) + * Wed May 03 2023 Kamil Dudka - 7.87.0-9 - vtls: fix hostname handling in filters (#2192665) From ac9ca2137b4a7ce3b44ce16dedabe950e183e933 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 3 May 2023 15:46:13 +0200 Subject: [PATCH 026/120] 0009-curl-7.87.0-http-proxy.patch: add forgotten patch --- 0009-curl-7.87.0-http-proxy.patch | 263 ++++++++++++++++++++++++++++++ 1 file changed, 263 insertions(+) create mode 100644 0009-curl-7.87.0-http-proxy.patch diff --git a/0009-curl-7.87.0-http-proxy.patch b/0009-curl-7.87.0-http-proxy.patch new file mode 100644 index 0000000..8fca8a5 --- /dev/null +++ b/0009-curl-7.87.0-http-proxy.patch @@ -0,0 +1,263 @@ +From bc893dea666ffa09fa015f0a585eb62a489749fc Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 5 Jan 2023 09:38:11 +0100 +Subject: [PATCH] http_proxy: do not assign data->req.p.http use local copy + +Avoid the tricky reusing of the data->req.p.http pointer for http proxy +tunneling. + +Fixes #10194 +Closes #10234 + +Upstream-commit: 3f3ddee0665176040b3eaf89a912a922726ecb18 +Signed-off-by: Kamil Dudka +--- + lib/http.c | 32 ++++++++++++++++++-------------- + lib/http.h | 3 +++ + lib/http_proxy.c | 25 +++++++------------------ + lib/rtsp.c | 2 +- + 4 files changed, 29 insertions(+), 33 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 1b75022..4cf6043 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -1256,8 +1256,8 @@ static size_t readmoredata(char *buffer, + size_t nitems, + void *userp) + { +- struct Curl_easy *data = (struct Curl_easy *)userp; +- struct HTTP *http = data->req.p.http; ++ struct HTTP *http = (struct HTTP *)userp; ++ struct Curl_easy *data = http->backup.data; + size_t fullsize = size * nitems; + + if(!http->postsize) +@@ -1309,6 +1309,7 @@ static size_t readmoredata(char *buffer, + */ + CURLcode Curl_buffer_send(struct dynbuf *in, + struct Curl_easy *data, ++ struct HTTP *http, + /* add the number of sent bytes to this + counter */ + curl_off_t *bytes_written, +@@ -1321,7 +1322,6 @@ CURLcode Curl_buffer_send(struct dynbuf *in, + char *ptr; + size_t size; + struct connectdata *conn = data->conn; +- struct HTTP *http = data->req.p.http; + size_t sendsize; + curl_socket_t sockfd; + size_t headersize; +@@ -1456,10 +1456,11 @@ CURLcode Curl_buffer_send(struct dynbuf *in, + http->backup.fread_in = data->state.in; + http->backup.postdata = http->postdata; + http->backup.postsize = http->postsize; ++ http->backup.data = data; + + /* set the new pointers for the request-sending */ + data->state.fread_func = (curl_read_callback)readmoredata; +- data->state.in = (void *)data; ++ data->state.in = (void *)http; + http->postdata = ptr; + http->postsize = (curl_off_t)size; + +@@ -1468,7 +1469,6 @@ CURLcode Curl_buffer_send(struct dynbuf *in, + + http->send_buffer = *in; /* copy the whole struct */ + http->sending = HTTPSEND_REQUEST; +- + return CURLE_OK; + } + http->sending = HTTPSEND_BODY; +@@ -2359,7 +2359,7 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + curl_off_t included_body = 0; + #else + /* from this point down, this function should not be used */ +-#define Curl_buffer_send(a,b,c,d,e) CURLE_OK ++#define Curl_buffer_send(a,b,c,d,e,f) CURLE_OK + #endif + CURLcode result = CURLE_OK; + struct HTTP *http = data->req.p.http; +@@ -2403,7 +2403,8 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + Curl_pgrsSetUploadSize(data, http->postsize); + + /* this sends the buffer and frees all the buffer resources */ +- result = Curl_buffer_send(r, data, &data->info.request_size, 0, ++ result = Curl_buffer_send(r, data, data->req.p.http, ++ &data->info.request_size, 0, + FIRSTSOCKET); + if(result) + failf(data, "Failed sending PUT request"); +@@ -2424,7 +2425,8 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + if(result) + return result; + +- result = Curl_buffer_send(r, data, &data->info.request_size, 0, ++ result = Curl_buffer_send(r, data, data->req.p.http, ++ &data->info.request_size, 0, + FIRSTSOCKET); + if(result) + failf(data, "Failed sending POST request"); +@@ -2495,7 +2497,8 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + http->sending = HTTPSEND_BODY; + + /* this sends the buffer and frees all the buffer resources */ +- result = Curl_buffer_send(r, data, &data->info.request_size, 0, ++ result = Curl_buffer_send(r, data, data->req.p.http, ++ &data->info.request_size, 0, + FIRSTSOCKET); + if(result) + failf(data, "Failed sending POST request"); +@@ -2612,11 +2615,10 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + else { + /* A huge POST coming up, do data separate from the request */ + http->postdata = data->set.postfields; +- + http->sending = HTTPSEND_BODY; +- ++ http->backup.data = data; + data->state.fread_func = (curl_read_callback)readmoredata; +- data->state.in = (void *)data; ++ data->state.in = (void *)http; + + /* set the upload size to the progress meter */ + Curl_pgrsSetUploadSize(data, http->postsize); +@@ -2655,7 +2657,8 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + } + } + /* issue the request */ +- result = Curl_buffer_send(r, data, &data->info.request_size, included_body, ++ result = Curl_buffer_send(r, data, data->req.p.http, ++ &data->info.request_size, included_body, + FIRSTSOCKET); + + if(result) +@@ -2671,7 +2674,8 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + return result; + + /* issue the request */ +- result = Curl_buffer_send(r, data, &data->info.request_size, 0, ++ result = Curl_buffer_send(r, data, data->req.p.http, ++ &data->info.request_size, 0, + FIRSTSOCKET); + if(result) + failf(data, "Failed sending HTTP request"); +diff --git a/lib/http.h b/lib/http.h +index ecfe4ee..bd2b5f6 100644 +--- a/lib/http.h ++++ b/lib/http.h +@@ -73,8 +73,10 @@ char *Curl_checkProxyheaders(struct Curl_easy *data, + const struct connectdata *conn, + const char *thisheader, + const size_t thislen); ++struct HTTP; /* see below */ + CURLcode Curl_buffer_send(struct dynbuf *in, + struct Curl_easy *data, ++ struct HTTP *http, + curl_off_t *bytes_written, + curl_off_t included_body_bytes, + int socketindex); +@@ -220,6 +222,7 @@ struct HTTP { + void *fread_in; /* backup storage for fread_in pointer */ + const char *postdata; + curl_off_t postsize; ++ struct Curl_easy *data; + } backup; + + enum { +diff --git a/lib/http_proxy.c b/lib/http_proxy.c +index e30730a..14f11e9 100644 +--- a/lib/http_proxy.c ++++ b/lib/http_proxy.c +@@ -63,8 +63,7 @@ struct tunnel_state { + int sockindex; + const char *hostname; + int remote_port; +- struct HTTP http_proxy; +- struct HTTP *prot_save; ++ struct HTTP CONNECT; + struct dynbuf rcvbuf; + struct dynbuf req; + size_t nsend; +@@ -149,17 +148,6 @@ static CURLcode tunnel_init(struct tunnel_state **pts, + Curl_dyn_init(&ts->rcvbuf, DYN_PROXY_CONNECT_HEADERS); + Curl_dyn_init(&ts->req, DYN_HTTP_REQUEST); + +- /* Curl_proxyCONNECT is based on a pointer to a struct HTTP at the +- * member conn->proto.http; we want [protocol] through HTTP and we have +- * to change the member temporarily for connecting to the HTTP +- * proxy. After Curl_proxyCONNECT we have to set back the member to the +- * original pointer +- * +- * This function might be called several times in the multi interface case +- * if the proxy's CONNECT response is not instant. +- */ +- ts->prot_save = data->req.p.http; +- data->req.p.http = &ts->http_proxy; + *pts = ts; + connkeep(conn, "HTTP proxy CONNECT"); + return tunnel_reinit(ts, conn, data); +@@ -210,7 +198,6 @@ static void tunnel_go_state(struct Curl_cfilter *cf, + Curl_dyn_reset(&ts->rcvbuf); + Curl_dyn_reset(&ts->req); + /* restore the protocol pointer */ +- data->req.p.http = ts->prot_save; + data->info.httpcode = 0; /* clear it as it might've been used for the + proxy */ + /* If a proxy-authorization header was used for the proxy, then we should +@@ -338,7 +325,8 @@ static CURLcode start_CONNECT(struct Curl_easy *data, + goto out; + + /* Send the connect request to the proxy */ +- result = Curl_buffer_send(&ts->req, data, &data->info.request_size, 0, ++ result = Curl_buffer_send(&ts->req, data, &ts->CONNECT, ++ &data->info.request_size, 0, + ts->sockindex); + ts->headerlines = 0; + +@@ -356,7 +344,7 @@ static CURLcode send_CONNECT(struct Curl_easy *data, + bool *done) + { + struct SingleRequest *k = &data->req; +- struct HTTP *http = data->req.p.http; ++ struct HTTP *http = &ts->CONNECT; + CURLcode result = CURLE_OK; + + if(http->sending != HTTPSEND_REQUEST) +@@ -377,7 +365,7 @@ static CURLcode send_CONNECT(struct Curl_easy *data, + result = Curl_write(data, + conn->writesockfd, /* socket to send to */ + k->upload_fromhere, /* buffer pointer */ +- ts->nsend, /* buffer size */ ++ ts->nsend, /* buffer size */ + &bytes_written); /* actually sent */ + if(result) + goto out; +@@ -1131,8 +1119,9 @@ static int http_proxy_cf_get_select_socks(struct Curl_cfilter *cf, + wait for the socket to become readable to be able to get the + response headers or if we're still sending the request, wait + for write. */ +- if(ts->http_proxy.sending == HTTPSEND_REQUEST) ++ if(ts->CONNECT.sending == HTTPSEND_REQUEST) { + return GETSOCK_WRITESOCK(0); ++ } + return GETSOCK_READSOCK(0); + } + return GETSOCK_WRITESOCK(0); +diff --git a/lib/rtsp.c b/lib/rtsp.c +index 75e620d..80d1cf1 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -592,7 +592,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + } + + /* issue the request */ +- result = Curl_buffer_send(&req_buffer, data, ++ result = Curl_buffer_send(&req_buffer, data, data->req.p.http, + &data->info.request_size, 0, FIRSTSOCKET); + if(result) { + failf(data, "Failed sending RTSP request"); +-- +2.40.1 + From f854769ba434c9fffd92498b590b8d0e29c9a616 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Mar 2023 15:39:59 +0100 Subject: [PATCH 027/120] Resolves: #2192665 - new upstream release - 8.0.1 --- 0001-curl-7.87.0-header-file-regression.patch | 55 -- 0002-curl-7.87.0-tests-tls-srp.patch | 54 -- 0003-curl-7.87.0-cfilters-ostree.patch | 40 -- 0006-curl-7.87.0-hsts-CVEs.patch | 575 ------------------ 0007-curl-7.87.0-CVE-2023-23916.patch | 243 -------- 0008-curl-7.87.0-vtls-hostname.patch | 177 ------ 0009-curl-7.87.0-http-proxy.patch | 263 -------- 0023-curl-7.87.0-CVE-2023-27533.patch | 59 -- 0024-curl-7.87.0-CVE-2023-27534.patch | 126 ---- 0025-curl-7.87.0-CVE-2023-27535.patch | 166 ----- 0026-curl-7.87.0-CVE-2023-27536.patch | 54 -- 0027-curl-7.87.0-CVE-2023-27537.patch | 40 -- 0028-curl-7.87.0-CVE-2023-27538.patch | 30 - curl.spec | 59 +- sources | 4 +- 15 files changed, 7 insertions(+), 1938 deletions(-) delete mode 100644 0001-curl-7.87.0-header-file-regression.patch delete mode 100644 0002-curl-7.87.0-tests-tls-srp.patch delete mode 100644 0003-curl-7.87.0-cfilters-ostree.patch delete mode 100644 0006-curl-7.87.0-hsts-CVEs.patch delete mode 100644 0007-curl-7.87.0-CVE-2023-23916.patch delete mode 100644 0008-curl-7.87.0-vtls-hostname.patch delete mode 100644 0009-curl-7.87.0-http-proxy.patch delete mode 100644 0023-curl-7.87.0-CVE-2023-27533.patch delete mode 100644 0024-curl-7.87.0-CVE-2023-27534.patch delete mode 100644 0025-curl-7.87.0-CVE-2023-27535.patch delete mode 100644 0026-curl-7.87.0-CVE-2023-27536.patch delete mode 100644 0027-curl-7.87.0-CVE-2023-27537.patch delete mode 100644 0028-curl-7.87.0-CVE-2023-27538.patch diff --git a/0001-curl-7.87.0-header-file-regression.patch b/0001-curl-7.87.0-header-file-regression.patch deleted file mode 100644 index 9c479dc..0000000 --- a/0001-curl-7.87.0-header-file-regression.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 613d3c45879636e88b88fcebee48dc77de345291 Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat -Date: Fri, 23 Dec 2022 15:35:27 +0100 -Subject: [PATCH] typecheck: accept expressions for option/info parameters - -As expressions can have side effects, evaluate only once. - -To enable deprecation reporting only once, get rid of the __typeof__ -use to define the local temporary variable and use the target type -(CURLoption/CURLINFO). This also avoids multiple reports on type -conflicts (if some) by the curlcheck_* macros. - -Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not -their values: a curl_easy_setopt call with an integer constant as option -will never report a deprecation. - -Reported-by: Thomas Klausner -Fixes #10148 -Closes #10149 - -Upstream-commit: e2aed004302e51cfa5b6ce8c8ab65ef92aa83196 -Signed-off-by: Kamil Dudka ---- - include/curl/typecheck-gcc.h | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h -index bf655bb..85aa8b7 100644 ---- a/include/curl/typecheck-gcc.h -+++ b/include/curl/typecheck-gcc.h -@@ -42,9 +42,8 @@ - */ - #define curl_easy_setopt(handle, option, value) \ - __extension__({ \ -- CURL_IGNORE_DEPRECATION(__typeof__(option) _curl_opt = option;) \ -+ CURLoption _curl_opt = (option); \ - if(__builtin_constant_p(_curl_opt)) { \ -- (void) option; \ - CURL_IGNORE_DEPRECATION( \ - if(curlcheck_long_option(_curl_opt)) \ - if(!curlcheck_long(value)) \ -@@ -120,9 +119,8 @@ - /* wraps curl_easy_getinfo() with typechecking */ - #define curl_easy_getinfo(handle, info, arg) \ - __extension__({ \ -- CURL_IGNORE_DEPRECATION(__typeof__(info) _curl_info = info;) \ -+ CURLINFO _curl_info = (info); \ - if(__builtin_constant_p(_curl_info)) { \ -- (void) info; \ - CURL_IGNORE_DEPRECATION( \ - if(curlcheck_string_info(_curl_info)) \ - if(!curlcheck_arr((arg), char *)) \ --- -2.39.0 - diff --git a/0002-curl-7.87.0-tests-tls-srp.patch b/0002-curl-7.87.0-tests-tls-srp.patch deleted file mode 100644 index f2ad919..0000000 --- a/0002-curl-7.87.0-tests-tls-srp.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 34ba217b433f222f486a42f2157866ab40dba221 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 15 Feb 2023 15:04:07 +0100 -Subject: [PATCH] tests: make sure gnuserv-tls has SRP support before using it - -Reported-by: fundawang on github -Fixes #10522 -Closes #10524 - -Upstream-commit: 2fdc1d816ebf3c77f43068103bec1b3a3767881a -Signed-off-by: Kamil Dudka ---- - tests/runtests.pl | 2 +- - tests/sshhelp.pm | 11 ++++++++++- - 2 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index f49e385..d2e0e52 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -5373,7 +5373,7 @@ sub startservers { - elsif($what eq "httptls") { - if(!$httptlssrv) { - # for now, we can't run http TLS-EXT tests without gnutls-serv -- return "no gnutls-serv"; -+ return "no gnutls-serv (with SRP support)"; - } - if($torture && $run{'httptls'} && - !responsive_httptls_server($verbose, "IPv4")) { -diff --git a/tests/sshhelp.pm b/tests/sshhelp.pm -index 2d419c1..0c553da 100644 ---- a/tests/sshhelp.pm -+++ b/tests/sshhelp.pm -@@ -408,7 +408,16 @@ sub find_sshkeygen { - # Find httptlssrv (gnutls-serv) and return canonical filename - # - sub find_httptlssrv { -- return find_exe_file_hpath($httptlssrvexe); -+ my $p = find_exe_file_hpath($httptlssrvexe); -+ my @o = `$p -l`; -+ my $found; -+ for(@o) { -+ if(/Key exchange: SRP/) { -+ $found = 1; -+ last; -+ } -+ } -+ return $p if($found); - } - - --- -2.39.2 - diff --git a/0003-curl-7.87.0-cfilters-ostree.patch b/0003-curl-7.87.0-cfilters-ostree.patch deleted file mode 100644 index 8f48861..0000000 --- a/0003-curl-7.87.0-cfilters-ostree.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 4388f4af77c6741873062dc8da5c6cbcef2d5dfd Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 26 Dec 2022 09:59:20 +0100 -Subject: [PATCH] cfilters:Curl_conn_get_select_socks: use the first - non-connected filter - -When there are filters addded for both socket and SSL, the code -previously checked the SSL sockets during connect when it *should* first -check the socket layer until that has connected. - -Fixes #10157 -Fixes #10146 -Closes #10160 - -Reviewed-by: Stefan Eissing - -Upstream-commit: 728400f875e845f72ee5602edb905f6301ade3e7 -Signed-off-by: Kamil Dudka ---- - lib/cfilters.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/lib/cfilters.c b/lib/cfilters.c -index bcb33da..94471e8 100644 ---- a/lib/cfilters.c -+++ b/lib/cfilters.c -@@ -437,6 +437,10 @@ int Curl_conn_get_select_socks(struct Curl_easy *data, int sockindex, - DEBUGASSERT(data); - DEBUGASSERT(data->conn); - cf = data->conn->cfilter[sockindex]; -+ -+ /* if the next one is not yet connected, that's the one we want */ -+ while(cf && cf->next && !cf->next->connected) -+ cf = cf->next; - if(cf) { - return cf->cft->get_select_socks(cf, data, socks); - } --- -2.39.2 - diff --git a/0006-curl-7.87.0-hsts-CVEs.patch b/0006-curl-7.87.0-hsts-CVEs.patch deleted file mode 100644 index 759ece8..0000000 --- a/0006-curl-7.87.0-hsts-CVEs.patch +++ /dev/null @@ -1,575 +0,0 @@ -From 117fce3d4fe11c36a20403cd4d6850e5b8771b41 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 27 Dec 2022 11:50:20 +0100 -Subject: [PATCH 1/5] share: add sharing of HSTS cache among handles - -Closes #10138 - -Upstream-commit: 076a2f629119222aeeb50f5a03bf9f9052fabb9a -Signed-off-by: Kamil Dudka ---- - docs/libcurl/opts/CURLSHOPT_SHARE.3 | 4 +++ - docs/libcurl/symbols-in-versions | 1 + - include/curl/curl.h | 1 + - lib/hsts.c | 15 +++++++++ - lib/hsts.h | 2 ++ - lib/setopt.c | 48 ++++++++++++++++++++++++----- - lib/share.c | 32 +++++++++++++++++-- - lib/share.h | 6 +++- - lib/transfer.c | 3 ++ - lib/url.c | 6 +++- - lib/urldata.h | 2 ++ - 11 files changed, 109 insertions(+), 11 deletions(-) - -diff --git a/docs/libcurl/opts/CURLSHOPT_SHARE.3 b/docs/libcurl/opts/CURLSHOPT_SHARE.3 -index 92783b6..b15af82 100644 ---- a/docs/libcurl/opts/CURLSHOPT_SHARE.3 -+++ b/docs/libcurl/opts/CURLSHOPT_SHARE.3 -@@ -79,6 +79,10 @@ Added in 7.61.0. - - Note that when you use the multi interface, all easy handles added to the same - multi handle will share PSL cache by default without using this option. -+.IP CURL_LOCK_DATA_HSTS -+The in-memory HSTS cache. -+ -+Added in 7.88.0 - .SH PROTOCOLS - All - .SH EXAMPLE -diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions -index 5ee245d..41fffc3 100644 ---- a/docs/libcurl/symbols-in-versions -+++ b/docs/libcurl/symbols-in-versions -@@ -73,6 +73,7 @@ CURL_LOCK_ACCESS_SINGLE 7.10.3 - CURL_LOCK_DATA_CONNECT 7.10.3 - CURL_LOCK_DATA_COOKIE 7.10.3 - CURL_LOCK_DATA_DNS 7.10.3 -+CURL_LOCK_DATA_HSTS 7.88.0 - CURL_LOCK_DATA_NONE 7.10.3 - CURL_LOCK_DATA_PSL 7.61.0 - CURL_LOCK_DATA_SHARE 7.10.4 -diff --git a/include/curl/curl.h b/include/curl/curl.h -index 139df99..5758e3b 100644 ---- a/include/curl/curl.h -+++ b/include/curl/curl.h -@@ -2953,6 +2953,7 @@ typedef enum { - CURL_LOCK_DATA_SSL_SESSION, - CURL_LOCK_DATA_CONNECT, - CURL_LOCK_DATA_PSL, -+ CURL_LOCK_DATA_HSTS, - CURL_LOCK_DATA_LAST - } curl_lock_data; - -diff --git a/lib/hsts.c b/lib/hsts.c -index c449120..339237b 100644 ---- a/lib/hsts.c -+++ b/lib/hsts.c -@@ -39,6 +39,7 @@ - #include "parsedate.h" - #include "fopen.h" - #include "rename.h" -+#include "share.h" - - /* The last 3 #include files should be in this order */ - #include "curl_printf.h" -@@ -551,4 +552,18 @@ CURLcode Curl_hsts_loadcb(struct Curl_easy *data, struct hsts *h) - return CURLE_OK; - } - -+void Curl_hsts_loadfiles(struct Curl_easy *data) -+{ -+ struct curl_slist *l = data->set.hstslist; -+ if(l) { -+ Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE); -+ -+ while(l) { -+ (void)Curl_hsts_loadfile(data, data->hsts, l->data); -+ l = l->next; -+ } -+ Curl_share_unlock(data, CURL_LOCK_DATA_HSTS); -+ } -+} -+ - #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ -diff --git a/lib/hsts.h b/lib/hsts.h -index 0e36a77..3da7574 100644 ---- a/lib/hsts.h -+++ b/lib/hsts.h -@@ -59,9 +59,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_easy *data, - struct hsts *h, const char *file); - CURLcode Curl_hsts_loadcb(struct Curl_easy *data, - struct hsts *h); -+void Curl_hsts_loadfiles(struct Curl_easy *data); - #else - #define Curl_hsts_cleanup(x) - #define Curl_hsts_loadcb(x,y) CURLE_OK - #define Curl_hsts_save(x,y,z) -+#define Curl_hsts_loadfiles(x) - #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ - #endif /* HEADER_CURL_HSTS_H */ -diff --git a/lib/setopt.c b/lib/setopt.c -index b77e95b..f71a606 100644 ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -2260,9 +2260,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - data->cookies = NULL; - #endif - -+#ifndef CURL_DISABLE_HSTS -+ if(data->share->hsts == data->hsts) -+ data->hsts = NULL; -+#endif -+#ifdef USE_SSL - if(data->share->sslsession == data->state.session) - data->state.session = NULL; -- -+#endif - #ifdef USE_LIBPSL - if(data->psl == &data->share->psl) - data->psl = data->multi? &data->multi->psl: NULL; -@@ -2296,10 +2301,19 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - data->cookies = data->share->cookies; - } - #endif /* CURL_DISABLE_HTTP */ -+#ifndef CURL_DISABLE_HSTS -+ if(data->share->hsts) { -+ /* first free the private one if any */ -+ Curl_hsts_cleanup(&data->hsts); -+ data->hsts = data->share->hsts; -+ } -+#endif /* CURL_DISABLE_HTTP */ -+#ifdef USE_SSL - if(data->share->sslsession) { - data->set.general_ssl.max_ssl_sessions = data->share->max_ssl_sessions; - data->state.session = data->share->sslsession; - } -+#endif - #ifdef USE_LIBPSL - if(data->share->specifier & (1 << CURL_LOCK_DATA_PSL)) - data->psl = &data->share->psl; -@@ -3049,19 +3063,39 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - case CURLOPT_HSTSWRITEDATA: - data->set.hsts_write_userp = va_arg(param, void *); - break; -- case CURLOPT_HSTS: -+ case CURLOPT_HSTS: { -+ struct curl_slist *h; - if(!data->hsts) { - data->hsts = Curl_hsts_init(); - if(!data->hsts) - return CURLE_OUT_OF_MEMORY; - } - argptr = va_arg(param, char *); -- result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); -- if(result) -- return result; -- if(argptr) -- (void)Curl_hsts_loadfile(data, data->hsts, argptr); -+ if(argptr) { -+ result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); -+ if(result) -+ return result; -+ /* this needs to build a list of file names to read from, so that it can -+ read them later, as we might get a shared HSTS handle to load them -+ into */ -+ h = curl_slist_append(data->set.hstslist, argptr); -+ if(!h) { -+ curl_slist_free_all(data->set.hstslist); -+ data->set.hstslist = NULL; -+ return CURLE_OUT_OF_MEMORY; -+ } -+ data->set.hstslist = h; /* store the list for later use */ -+ } -+ else { -+ /* clear the list of HSTS files */ -+ curl_slist_free_all(data->set.hstslist); -+ data->set.hstslist = NULL; -+ if(!data->share || !data->share->hsts) -+ /* throw away the HSTS cache unless shared */ -+ Curl_hsts_cleanup(&data->hsts); -+ } - break; -+ } - case CURLOPT_HSTS_CTRL: - arg = va_arg(param, long); - if(arg & CURLHSTS_ENABLE) { -diff --git a/lib/share.c b/lib/share.c -index 1a083e7..69ee00b 100644 ---- a/lib/share.c -+++ b/lib/share.c -@@ -29,9 +29,11 @@ - #include "share.h" - #include "psl.h" - #include "vtls/vtls.h" --#include "curl_memory.h" -+#include "hsts.h" - --/* The last #include file should be: */ -+/* The last 3 #include files should be in this order */ -+#include "curl_printf.h" -+#include "curl_memory.h" - #include "memdebug.h" - - struct Curl_share * -@@ -89,6 +91,18 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...) - #endif - break; - -+ case CURL_LOCK_DATA_HSTS: -+#ifndef CURL_DISABLE_HSTS -+ if(!share->hsts) { -+ share->hsts = Curl_hsts_init(); -+ if(!share->hsts) -+ res = CURLSHE_NOMEM; -+ } -+#else /* CURL_DISABLE_HSTS */ -+ res = CURLSHE_NOT_BUILT_IN; -+#endif -+ break; -+ - case CURL_LOCK_DATA_SSL_SESSION: - #ifdef USE_SSL - if(!share->sslsession) { -@@ -141,6 +155,16 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...) - #endif - break; - -+ case CURL_LOCK_DATA_HSTS: -+#ifndef CURL_DISABLE_HSTS -+ if(share->hsts) { -+ Curl_hsts_cleanup(&share->hsts); -+ } -+#else /* CURL_DISABLE_HSTS */ -+ res = CURLSHE_NOT_BUILT_IN; -+#endif -+ break; -+ - case CURL_LOCK_DATA_SSL_SESSION: - #ifdef USE_SSL - Curl_safefree(share->sslsession); -@@ -207,6 +231,10 @@ curl_share_cleanup(struct Curl_share *share) - Curl_cookie_cleanup(share->cookies); - #endif - -+#ifndef CURL_DISABLE_HSTS -+ Curl_hsts_cleanup(&share->hsts); -+#endif -+ - #ifdef USE_SSL - if(share->sslsession) { - size_t i; -diff --git a/lib/share.h b/lib/share.h -index 32be416..2449730 100644 ---- a/lib/share.h -+++ b/lib/share.h -@@ -59,10 +59,14 @@ struct Curl_share { - #ifdef USE_LIBPSL - struct PslCache psl; - #endif -- -+#ifndef CURL_DISABLE_HSTS -+ struct hsts *hsts; -+#endif -+#ifdef USE_SSL - struct Curl_ssl_session *sslsession; - size_t max_ssl_sessions; - long sessionage; -+#endif - }; - - CURLSHcode Curl_share_lock(struct Curl_easy *, curl_lock_data, -diff --git a/lib/transfer.c b/lib/transfer.c -index ba0410f..d433117 100644 ---- a/lib/transfer.c -+++ b/lib/transfer.c -@@ -1398,6 +1398,9 @@ CURLcode Curl_pretransfer(struct Curl_easy *data) - if(data->state.resolve) - result = Curl_loadhostpairs(data); - -+ /* If there is a list of hsts files to read */ -+ Curl_hsts_loadfiles(data); -+ - if(!result) { - /* Allow data->set.use_port to set which port to use. This needs to be - * disabled for example when we follow Location: headers to URLs using -diff --git a/lib/url.c b/lib/url.c -index 3ab63a0..831ae06 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -434,7 +434,11 @@ CURLcode Curl_close(struct Curl_easy **datap) - Curl_altsvc_save(data, data->asi, data->set.str[STRING_ALTSVC]); - Curl_altsvc_cleanup(&data->asi); - Curl_hsts_save(data, data->hsts, data->set.str[STRING_HSTS]); -- Curl_hsts_cleanup(&data->hsts); -+#ifndef CURL_DISABLE_HSTS -+ if(!data->share || !data->share->hsts) -+ Curl_hsts_cleanup(&data->hsts); -+ curl_slist_free_all(data->set.hstslist); /* clean up list */ -+#endif - #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) - Curl_http_auth_cleanup_digest(data); - #endif -diff --git a/lib/urldata.h b/lib/urldata.h -index 3d7545c..5b4b34f 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1662,6 +1662,8 @@ struct UserDefined { - - void *seek_client; /* pointer to pass to the seek callback */ - #ifndef CURL_DISABLE_HSTS -+ struct curl_slist *hstslist; /* list of HSTS files set by -+ curl_easy_setopt(HSTS) calls */ - curl_hstsread_callback hsts_read; - void *hsts_read_userp; - curl_hstswrite_callback hsts_write; --- -2.39.1 - - -From 32066a5fa8f649da2aa7a4e4e86bc0b73d32212f Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 27 Dec 2022 11:50:23 +0100 -Subject: [PATCH 2/5] tool_operate: share HSTS between handles - -Upstream-commit: 0bf8b796a0ea98395b390c7807187982215f5c11 -Signed-off-by: Kamil Dudka ---- - src/tool_operate.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/tool_operate.c b/src/tool_operate.c -index 79db063..a5b024e 100644 ---- a/src/tool_operate.c -+++ b/src/tool_operate.c -@@ -2722,6 +2722,7 @@ CURLcode operate(struct GlobalConfig *global, int argc, argv_item_t argv[]) - curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION); - curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT); - curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_PSL); -+ curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS); - - /* Get the required arguments for each operation */ - do { --- -2.39.1 - - -From fe6b64ac33a0994e5f50ef8b3d0916b3a248a7e8 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 27 Dec 2022 11:50:23 +0100 -Subject: [PATCH 3/5] hsts: handle adding the same host name again - -It will then use the largest expire time of the two entries. - -Upstream-commit: ca02a77f05bd5cef20618c8f741aa48b7be0a648 -Signed-off-by: Kamil Dudka ---- - lib/hsts.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/lib/hsts.c b/lib/hsts.c -index 339237b..8d6723e 100644 ---- a/lib/hsts.c -+++ b/lib/hsts.c -@@ -426,14 +426,23 @@ static CURLcode hsts_add(struct hsts *h, char *line) - if(2 == rc) { - time_t expires = strcmp(date, UNLIMITED) ? Curl_getdate_capped(date) : - TIME_T_MAX; -- CURLcode result; -+ CURLcode result = CURLE_OK; - char *p = host; - bool subdomain = FALSE; -+ struct stsentry *e; - if(p[0] == '.') { - p++; - subdomain = TRUE; - } -- result = hsts_create(h, p, subdomain, expires); -+ /* only add it if not already present */ -+ e = Curl_hsts(h, p, subdomain); -+ if(!e) -+ result = hsts_create(h, p, subdomain, expires); -+ else { -+ /* the same host name, use the largest expire time */ -+ if(expires > e->expires) -+ e->expires = expires; -+ } - if(result) - return result; - } --- -2.39.1 - - -From c52b93434c65ec8a44193a6f2b833a1efec8f643 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 27 Dec 2022 11:50:23 +0100 -Subject: [PATCH 4/5] runtests: support crlf="yes" for verify/proxy - -Upstream-commit: dc0725244a3163f1e2d5f51165db3a1a430f3ba0 -Signed-off-by: Kamil Dudka ---- - tests/FILEFORMAT.md | 4 ++-- - tests/runtests.pl | 5 +++++ - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md -index 8143967..be11167 100644 ---- a/tests/FILEFORMAT.md -+++ b/tests/FILEFORMAT.md -@@ -566,7 +566,7 @@ changing protocol data such as port numbers or user-agent strings. - One perl op per line that operates on the protocol dump. This is pretty - advanced. Example: `s/^EPRT .*/EPRT stripped/`. - --### `` -+### `` - - the protocol dump curl should transmit, if `nonewline` is set, we will cut off - the trailing newline of this given data before comparing with the one actually -@@ -576,7 +576,7 @@ comparisons are made. - `crlf=yes` forces the newlines to become CRLF even if not written so in the - test. - --### `` -+### `` - - The protocol dump curl should transmit to an HTTP proxy (when the http-proxy - server is used), if `nonewline` is set, we will cut off the trailing newline -diff --git a/tests/runtests.pl b/tests/runtests.pl -index c6a739e..f49e385 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -4744,6 +4744,11 @@ sub singletest { - } - } - -+ if($hash{'crlf'} || -+ ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) { -+ map subNewlines(0, \$_), @protstrip; -+ } -+ - $res = compare($testnum, $testname, "proxy", \@out, \@protstrip); - if($res) { - return $errorreturncode; --- -2.39.1 - - -From e428f66157caedc1f58ff5206915842937b0950e Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 27 Dec 2022 11:50:23 +0100 -Subject: [PATCH 5/5] test446: verify hsts with two URLs - -Upstream-commit: ea5aaaa5ede53819f8bc7ae767fc2d13d3704d37 -Signed-off-by: Kamil Dudka ---- - tests/data/Makefile.inc | 2 +- - tests/data/test446 | 84 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 85 insertions(+), 1 deletion(-) - create mode 100644 tests/data/test446 - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 3e0221a..fb51cd6 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -71,7 +71,7 @@ test408 test409 test410 test411 test412 test413 test414 test415 test416 \ - \ - test430 test431 test432 test433 test434 test435 test436 \ - \ --test440 test441 test442 test443 test444 test445 \ -+test440 test441 test442 test443 test444 test445 test446 \ - \ - test490 test491 test492 test493 test494 test495 test496 \ - \ -diff --git a/tests/data/test446 b/tests/data/test446 -new file mode 100644 -index 0000000..0e2dfdc ---- /dev/null -+++ b/tests/data/test446 -@@ -0,0 +1,84 @@ -+ -+ -+ -+ -+HTTP -+HTTP proxy -+HSTS -+trailing-dot -+ -+ -+ -+ -+ -+# we use this as response to a CONNECT -+ -+HTTP/1.1 200 OK -+ -+ -+ -+HTTP/1.1 200 OK -+Content-Length: 6 -+Strict-Transport-Security: max-age=604800 -+ -+-foo- -+ -+ -+HTTP/1.1 200 OK -+Content-Length: 6 -+Strict-Transport-Security: max-age=6048000 -+ -+-baa- -+ -+ -+ -+ -+ -+https -+http-proxy -+ -+ -+HSTS -+proxy -+https -+debug -+ -+ -+CURL_HSTS_HTTP=yes -+CURL_TIME=2000000000 -+ -+ -+ -+HSTS with two URLs -+ -+ -+-x http://%HOSTIP:%PROXYPORT --hsts log/hsts%TESTNUMBER http://this.hsts.example./%TESTNUMBER http://another.example.com/%TESTNUMBER0002 -+ -+ -+ -+ -+# we let it CONNECT to the server to confirm HSTS but deny from there -+ -+GET http://this.hsts.example./%TESTNUMBER HTTP/1.1 -+Host: this.hsts.example. -+User-Agent: curl/%VERSION -+Accept: */* -+Proxy-Connection: Keep-Alive -+ -+GET http://another.example.com/%TESTNUMBER0002 HTTP/1.1 -+Host: another.example.com -+User-Agent: curl/%VERSION -+Accept: */* -+Proxy-Connection: Keep-Alive -+ -+ -+ -+ -+# Your HSTS cache. https://curl.se/docs/hsts.html -+# This file was generated by libcurl! Edit at your own risk. -+this.hsts.example "20330525 03:33:20" -+another.example.com "20330727 03:33:20" -+ -+ -+ -+ --- -2.39.1 - diff --git a/0007-curl-7.87.0-CVE-2023-23916.patch b/0007-curl-7.87.0-CVE-2023-23916.patch deleted file mode 100644 index b82ffc5..0000000 --- a/0007-curl-7.87.0-CVE-2023-23916.patch +++ /dev/null @@ -1,243 +0,0 @@ -From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat -Date: Mon, 13 Feb 2023 08:33:09 +0100 -Subject: [PATCH] content_encoding: do not reset stage counter for each header - -Test 418 verifies - -Closes #10492 - -Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9 -Signed-off-by: Kamil Dudka ---- - lib/content_encoding.c | 7 +- - lib/urldata.h | 1 + - tests/data/Makefile.inc | 1 + - tests/data/test387 | 2 +- - tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 158 insertions(+), 5 deletions(-) - create mode 100644 tests/data/test418 - -diff --git a/lib/content_encoding.c b/lib/content_encoding.c -index bfc13e2..94344d6 100644 ---- a/lib/content_encoding.c -+++ b/lib/content_encoding.c -@@ -1045,7 +1045,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, - const char *enclist, int maybechunked) - { - struct SingleRequest *k = &data->req; -- int counter = 0; - - do { - const char *name; -@@ -1080,9 +1079,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, - if(!encoding) - encoding = &error_encoding; /* Defer error at stack use. */ - -- if(++counter >= MAX_ENCODE_STACK) { -- failf(data, "Reject response due to %u content encodings", -- counter); -+ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { -+ failf(data, "Reject response due to more than %u content encodings", -+ MAX_ENCODE_STACK); - return CURLE_BAD_CONTENT_ENCODING; - } - /* Stack the unencoding stage. */ -diff --git a/lib/urldata.h b/lib/urldata.h -index 5b4b34f..8c8c20b 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -707,6 +707,7 @@ struct SingleRequest { - struct dohdata *doh; /* DoH specific data for this request */ - #endif - unsigned char setcookies; -+ unsigned char writer_stack_depth; /* Unencoding stack depth. */ - BIT(header); /* incoming data has HTTP header */ - BIT(content_range); /* set TRUE if Content-Range: was found */ - BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index fb51cd6..86b6f85 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -68,6 +68,7 @@ test380 test381 test383 test384 test385 test386 test387 test388 test389 \ - test390 test391 test392 test393 test394 test395 test396 test397 test398 \ - test399 test400 test401 test402 test403 test404 test405 test406 test407 \ - test408 test409 test410 test411 test412 test413 test414 test415 test416 \ -+ test418 \ - \ - test430 test431 test432 test433 test434 test435 test436 \ - \ -diff --git a/tests/data/test387 b/tests/data/test387 -index 015ec25..644fc7f 100644 ---- a/tests/data/test387 -+++ b/tests/data/test387 -@@ -47,7 +47,7 @@ Accept: */* - 61 - - --curl: (61) Reject response due to 5 content encodings -+curl: (61) Reject response due to more than 5 content encodings - - - -diff --git a/tests/data/test418 b/tests/data/test418 -new file mode 100644 -index 0000000..50e974e ---- /dev/null -+++ b/tests/data/test418 -@@ -0,0 +1,152 @@ -+ -+ -+ -+HTTP -+gzip -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+ -+-foo- -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+Response with multiple Transfer-Encoding headers -+ -+ -+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+ -+ -+ -+# CURLE_BAD_CONTENT_ENCODING is 61 -+ -+61 -+ -+ -+curl: (61) Reject response due to more than 5 content encodings -+ -+ -+ --- -2.39.1 - diff --git a/0008-curl-7.87.0-vtls-hostname.patch b/0008-curl-7.87.0-vtls-hostname.patch deleted file mode 100644 index 24d6a31..0000000 --- a/0008-curl-7.87.0-vtls-hostname.patch +++ /dev/null @@ -1,177 +0,0 @@ -From d12c233950e22052a8541abd69565772c13f832e Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Tue, 17 Jan 2023 11:21:29 +0100 -Subject: [PATCH] vtls: fix hostname handling in filters - -- Copy the hostname and dispname to ssl_connect_data. - -Use a copy instead of referencing the `connectdata` instance since this -may get free'ed on connection reuse. - -Reported-by: Stefan Talpalaru -Reported-by: sergio-nsk@users.noreply.github.com - -Fixes https://github.com/curl/curl/issues/10273 -Fixes https://github.com/curl/curl/issues/10309 - -Closes https://github.com/curl/curl/pull/10310 - -Upstream-commit: f8da4f2f2d0451dc0a126ae3e5077b4527ccdc86 -Signed-off-by: Kamil Dudka ---- - lib/url.c | 14 ++++++++++ - lib/vtls/vtls.c | 66 ++++++++++++++++++++++++++++++--------------- - lib/vtls/vtls_int.h | 4 +-- - 3 files changed, 61 insertions(+), 23 deletions(-) - -diff --git a/lib/url.c b/lib/url.c -index cbbc7f3..5192204 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -3406,6 +3406,20 @@ static void reuse_conn(struct Curl_easy *data, - } - #endif - -+ /* Finding a connection for reuse in the cache matches, among other -+ * things on the "remote-relevant" hostname. This is not necessarily -+ * the authority of the URL, e.g. conn->host. For example: -+ * - we use a proxy (not tunneling). we want to send all requests -+ * that use the same proxy on this connection. -+ * - we have a "connect-to" setting that may redirect the hostname of -+ * a new request to the same remote endpoint of an existing conn. -+ * We want to reuse an existing conn to the remote endpoint. -+ * Since connection reuse does not match on conn->host necessarily, we -+ * switch `existing` conn to `temp` conn's host settings. -+ * TODO: is this correct in the case of TLS connections that have -+ * used the original hostname in SNI to negotiate? Do we send -+ * requests for another host through the different SNI? -+ */ - Curl_free_idnconverted_hostname(&existing->host); - Curl_free_idnconverted_hostname(&existing->conn_to_host); - Curl_safefree(existing->host.rawalloc); -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index 873ee6b..c7ec77a 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -1430,47 +1430,71 @@ CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name, - - #ifdef USE_SSL - -+static void free_hostname(struct ssl_connect_data *connssl) -+{ -+ if(connssl->dispname != connssl->hostname) -+ free(connssl->dispname); -+ free(connssl->hostname); -+ connssl->hostname = connssl->dispname = NULL; -+} -+ - static void cf_close(struct Curl_cfilter *cf, struct Curl_easy *data) - { - struct ssl_connect_data *connssl = cf->ctx; -- /* TODO: close_one closes BOTH conn->ssl AND conn->proxy_ssl for this -- * sockindex (if in use). Gladly, it is safe to call more than once. */ - if(connssl) { - Curl_ssl->close(cf, data); - connssl->state = ssl_connection_none; -+ free_hostname(connssl); - } - cf->connected = FALSE; - } - --static void reinit_hostname(struct Curl_cfilter *cf) -+static CURLcode reinit_hostname(struct Curl_cfilter *cf) - { - struct ssl_connect_data *connssl = cf->ctx; -+ const char *ehostname, *edispname; -+ int eport; - -+ /* We need the hostname for SNI negotiation. Once handshaked, this -+ * remains the SNI hostname for the TLS connection. But when the -+ * connection is reused, the settings in cf->conn might change. -+ * So we keep a copy of the hostname we use for SNI. -+ */ - #ifndef CURL_DISABLE_PROXY - if(Curl_ssl_cf_is_proxy(cf)) { -- /* TODO: there is not definition for a proxy setup on a secondary conn */ -- connssl->hostname = cf->conn->http_proxy.host.name; -- connssl->dispname = cf->conn->http_proxy.host.dispname; -- connssl->port = cf->conn->http_proxy.port; -+ ehostname = cf->conn->http_proxy.host.name; -+ edispname = cf->conn->http_proxy.host.dispname; -+ eport = cf->conn->http_proxy.port; - } - else - #endif - { -- /* TODO: secondaryhostname is set to the IP address we connect to -- * in the FTP handler, it is assumed that host verification uses the -- * hostname from FIRSTSOCKET */ -- if(cf->sockindex == SECONDARYSOCKET && 0) { -- connssl->hostname = cf->conn->secondaryhostname; -- connssl->dispname = connssl->hostname; -- connssl->port = cf->conn->secondary_port; -+ ehostname = cf->conn->host.name; -+ edispname = cf->conn->host.dispname; -+ eport = cf->conn->remote_port; -+ } -+ -+ /* change if ehostname changed */ -+ if(ehostname && (!connssl->hostname -+ || strcmp(ehostname, connssl->hostname))) { -+ free_hostname(connssl); -+ connssl->hostname = strdup(ehostname); -+ if(!connssl->hostname) { -+ free_hostname(connssl); -+ return CURLE_OUT_OF_MEMORY; - } -+ if(!edispname || !strcmp(ehostname, edispname)) -+ connssl->dispname = connssl->hostname; - else { -- connssl->hostname = cf->conn->host.name; -- connssl->dispname = cf->conn->host.dispname; -- connssl->port = cf->conn->remote_port; -+ connssl->dispname = strdup(edispname); -+ if(!connssl->dispname) { -+ free_hostname(connssl); -+ return CURLE_OUT_OF_MEMORY; -+ } - } - } -- DEBUGASSERT(connssl->hostname); -+ connssl->port = eport; -+ return CURLE_OK; - } - - static void ssl_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data) -@@ -1513,10 +1537,10 @@ static CURLcode ssl_cf_connect(struct Curl_cfilter *cf, - if(result || !*done) - goto out; - -- /* TODO: right now we do not fully control when hostname is set, -- * assign it on each connect call. */ -- reinit_hostname(cf); - *done = FALSE; -+ result = reinit_hostname(cf); -+ if(result) -+ goto out; - - if(blocking) { - result = ssl_connect(cf, data); -diff --git a/lib/vtls/vtls_int.h b/lib/vtls/vtls_int.h -index 6710a2b..010c20b 100644 ---- a/lib/vtls/vtls_int.h -+++ b/lib/vtls/vtls_int.h -@@ -33,8 +33,8 @@ - struct ssl_connect_data { - ssl_connection_state state; - ssl_connect_state connecting_state; -- const char *hostname; /* hostnaem for verification */ -- const char *dispname; /* display version of hostname */ -+ char *hostname; /* hostname for verification */ -+ char *dispname; /* display version of hostname */ - int port; /* remote port at origin */ - struct ssl_backend_data *backend; /* vtls backend specific props */ - struct Curl_easy *call_data; /* data handle used in current call, --- -2.40.1 - diff --git a/0009-curl-7.87.0-http-proxy.patch b/0009-curl-7.87.0-http-proxy.patch deleted file mode 100644 index 8fca8a5..0000000 --- a/0009-curl-7.87.0-http-proxy.patch +++ /dev/null @@ -1,263 +0,0 @@ -From bc893dea666ffa09fa015f0a585eb62a489749fc Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 5 Jan 2023 09:38:11 +0100 -Subject: [PATCH] http_proxy: do not assign data->req.p.http use local copy - -Avoid the tricky reusing of the data->req.p.http pointer for http proxy -tunneling. - -Fixes #10194 -Closes #10234 - -Upstream-commit: 3f3ddee0665176040b3eaf89a912a922726ecb18 -Signed-off-by: Kamil Dudka ---- - lib/http.c | 32 ++++++++++++++++++-------------- - lib/http.h | 3 +++ - lib/http_proxy.c | 25 +++++++------------------ - lib/rtsp.c | 2 +- - 4 files changed, 29 insertions(+), 33 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index 1b75022..4cf6043 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -1256,8 +1256,8 @@ static size_t readmoredata(char *buffer, - size_t nitems, - void *userp) - { -- struct Curl_easy *data = (struct Curl_easy *)userp; -- struct HTTP *http = data->req.p.http; -+ struct HTTP *http = (struct HTTP *)userp; -+ struct Curl_easy *data = http->backup.data; - size_t fullsize = size * nitems; - - if(!http->postsize) -@@ -1309,6 +1309,7 @@ static size_t readmoredata(char *buffer, - */ - CURLcode Curl_buffer_send(struct dynbuf *in, - struct Curl_easy *data, -+ struct HTTP *http, - /* add the number of sent bytes to this - counter */ - curl_off_t *bytes_written, -@@ -1321,7 +1322,6 @@ CURLcode Curl_buffer_send(struct dynbuf *in, - char *ptr; - size_t size; - struct connectdata *conn = data->conn; -- struct HTTP *http = data->req.p.http; - size_t sendsize; - curl_socket_t sockfd; - size_t headersize; -@@ -1456,10 +1456,11 @@ CURLcode Curl_buffer_send(struct dynbuf *in, - http->backup.fread_in = data->state.in; - http->backup.postdata = http->postdata; - http->backup.postsize = http->postsize; -+ http->backup.data = data; - - /* set the new pointers for the request-sending */ - data->state.fread_func = (curl_read_callback)readmoredata; -- data->state.in = (void *)data; -+ data->state.in = (void *)http; - http->postdata = ptr; - http->postsize = (curl_off_t)size; - -@@ -1468,7 +1469,6 @@ CURLcode Curl_buffer_send(struct dynbuf *in, - - http->send_buffer = *in; /* copy the whole struct */ - http->sending = HTTPSEND_REQUEST; -- - return CURLE_OK; - } - http->sending = HTTPSEND_BODY; -@@ -2359,7 +2359,7 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, - curl_off_t included_body = 0; - #else - /* from this point down, this function should not be used */ --#define Curl_buffer_send(a,b,c,d,e) CURLE_OK -+#define Curl_buffer_send(a,b,c,d,e,f) CURLE_OK - #endif - CURLcode result = CURLE_OK; - struct HTTP *http = data->req.p.http; -@@ -2403,7 +2403,8 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, - Curl_pgrsSetUploadSize(data, http->postsize); - - /* this sends the buffer and frees all the buffer resources */ -- result = Curl_buffer_send(r, data, &data->info.request_size, 0, -+ result = Curl_buffer_send(r, data, data->req.p.http, -+ &data->info.request_size, 0, - FIRSTSOCKET); - if(result) - failf(data, "Failed sending PUT request"); -@@ -2424,7 +2425,8 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, - if(result) - return result; - -- result = Curl_buffer_send(r, data, &data->info.request_size, 0, -+ result = Curl_buffer_send(r, data, data->req.p.http, -+ &data->info.request_size, 0, - FIRSTSOCKET); - if(result) - failf(data, "Failed sending POST request"); -@@ -2495,7 +2497,8 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, - http->sending = HTTPSEND_BODY; - - /* this sends the buffer and frees all the buffer resources */ -- result = Curl_buffer_send(r, data, &data->info.request_size, 0, -+ result = Curl_buffer_send(r, data, data->req.p.http, -+ &data->info.request_size, 0, - FIRSTSOCKET); - if(result) - failf(data, "Failed sending POST request"); -@@ -2612,11 +2615,10 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, - else { - /* A huge POST coming up, do data separate from the request */ - http->postdata = data->set.postfields; -- - http->sending = HTTPSEND_BODY; -- -+ http->backup.data = data; - data->state.fread_func = (curl_read_callback)readmoredata; -- data->state.in = (void *)data; -+ data->state.in = (void *)http; - - /* set the upload size to the progress meter */ - Curl_pgrsSetUploadSize(data, http->postsize); -@@ -2655,7 +2657,8 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, - } - } - /* issue the request */ -- result = Curl_buffer_send(r, data, &data->info.request_size, included_body, -+ result = Curl_buffer_send(r, data, data->req.p.http, -+ &data->info.request_size, included_body, - FIRSTSOCKET); - - if(result) -@@ -2671,7 +2674,8 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, - return result; - - /* issue the request */ -- result = Curl_buffer_send(r, data, &data->info.request_size, 0, -+ result = Curl_buffer_send(r, data, data->req.p.http, -+ &data->info.request_size, 0, - FIRSTSOCKET); - if(result) - failf(data, "Failed sending HTTP request"); -diff --git a/lib/http.h b/lib/http.h -index ecfe4ee..bd2b5f6 100644 ---- a/lib/http.h -+++ b/lib/http.h -@@ -73,8 +73,10 @@ char *Curl_checkProxyheaders(struct Curl_easy *data, - const struct connectdata *conn, - const char *thisheader, - const size_t thislen); -+struct HTTP; /* see below */ - CURLcode Curl_buffer_send(struct dynbuf *in, - struct Curl_easy *data, -+ struct HTTP *http, - curl_off_t *bytes_written, - curl_off_t included_body_bytes, - int socketindex); -@@ -220,6 +222,7 @@ struct HTTP { - void *fread_in; /* backup storage for fread_in pointer */ - const char *postdata; - curl_off_t postsize; -+ struct Curl_easy *data; - } backup; - - enum { -diff --git a/lib/http_proxy.c b/lib/http_proxy.c -index e30730a..14f11e9 100644 ---- a/lib/http_proxy.c -+++ b/lib/http_proxy.c -@@ -63,8 +63,7 @@ struct tunnel_state { - int sockindex; - const char *hostname; - int remote_port; -- struct HTTP http_proxy; -- struct HTTP *prot_save; -+ struct HTTP CONNECT; - struct dynbuf rcvbuf; - struct dynbuf req; - size_t nsend; -@@ -149,17 +148,6 @@ static CURLcode tunnel_init(struct tunnel_state **pts, - Curl_dyn_init(&ts->rcvbuf, DYN_PROXY_CONNECT_HEADERS); - Curl_dyn_init(&ts->req, DYN_HTTP_REQUEST); - -- /* Curl_proxyCONNECT is based on a pointer to a struct HTTP at the -- * member conn->proto.http; we want [protocol] through HTTP and we have -- * to change the member temporarily for connecting to the HTTP -- * proxy. After Curl_proxyCONNECT we have to set back the member to the -- * original pointer -- * -- * This function might be called several times in the multi interface case -- * if the proxy's CONNECT response is not instant. -- */ -- ts->prot_save = data->req.p.http; -- data->req.p.http = &ts->http_proxy; - *pts = ts; - connkeep(conn, "HTTP proxy CONNECT"); - return tunnel_reinit(ts, conn, data); -@@ -210,7 +198,6 @@ static void tunnel_go_state(struct Curl_cfilter *cf, - Curl_dyn_reset(&ts->rcvbuf); - Curl_dyn_reset(&ts->req); - /* restore the protocol pointer */ -- data->req.p.http = ts->prot_save; - data->info.httpcode = 0; /* clear it as it might've been used for the - proxy */ - /* If a proxy-authorization header was used for the proxy, then we should -@@ -338,7 +325,8 @@ static CURLcode start_CONNECT(struct Curl_easy *data, - goto out; - - /* Send the connect request to the proxy */ -- result = Curl_buffer_send(&ts->req, data, &data->info.request_size, 0, -+ result = Curl_buffer_send(&ts->req, data, &ts->CONNECT, -+ &data->info.request_size, 0, - ts->sockindex); - ts->headerlines = 0; - -@@ -356,7 +344,7 @@ static CURLcode send_CONNECT(struct Curl_easy *data, - bool *done) - { - struct SingleRequest *k = &data->req; -- struct HTTP *http = data->req.p.http; -+ struct HTTP *http = &ts->CONNECT; - CURLcode result = CURLE_OK; - - if(http->sending != HTTPSEND_REQUEST) -@@ -377,7 +365,7 @@ static CURLcode send_CONNECT(struct Curl_easy *data, - result = Curl_write(data, - conn->writesockfd, /* socket to send to */ - k->upload_fromhere, /* buffer pointer */ -- ts->nsend, /* buffer size */ -+ ts->nsend, /* buffer size */ - &bytes_written); /* actually sent */ - if(result) - goto out; -@@ -1131,8 +1119,9 @@ static int http_proxy_cf_get_select_socks(struct Curl_cfilter *cf, - wait for the socket to become readable to be able to get the - response headers or if we're still sending the request, wait - for write. */ -- if(ts->http_proxy.sending == HTTPSEND_REQUEST) -+ if(ts->CONNECT.sending == HTTPSEND_REQUEST) { - return GETSOCK_WRITESOCK(0); -+ } - return GETSOCK_READSOCK(0); - } - return GETSOCK_WRITESOCK(0); -diff --git a/lib/rtsp.c b/lib/rtsp.c -index 75e620d..80d1cf1 100644 ---- a/lib/rtsp.c -+++ b/lib/rtsp.c -@@ -592,7 +592,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) - } - - /* issue the request */ -- result = Curl_buffer_send(&req_buffer, data, -+ result = Curl_buffer_send(&req_buffer, data, data->req.p.http, - &data->info.request_size, 0, FIRSTSOCKET); - if(result) { - failf(data, "Failed sending RTSP request"); --- -2.40.1 - diff --git a/0023-curl-7.87.0-CVE-2023-27533.patch b/0023-curl-7.87.0-CVE-2023-27533.patch deleted file mode 100644 index 8810c27..0000000 --- a/0023-curl-7.87.0-CVE-2023-27533.patch +++ /dev/null @@ -1,59 +0,0 @@ -From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 6 Mar 2023 12:07:33 +0100 -Subject: [PATCH] telnet: only accept option arguments in ascii - -To avoid embedded telnet negotiation commands etc. - -Reported-by: Harry Sintonen -Closes #10728 - -Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684 -Signed-off-by: Kamil Dudka ---- - lib/telnet.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/lib/telnet.c b/lib/telnet.c -index 22bc81e..baea885 100644 ---- a/lib/telnet.c -+++ b/lib/telnet.c -@@ -770,6 +770,17 @@ static void printsub(struct Curl_easy *data, - } - } - -+static bool str_is_nonascii(const char *str) -+{ -+ size_t len = strlen(str); -+ while(len--) { -+ if(*str & 0x80) -+ return TRUE; -+ str++; -+ } -+ return FALSE; -+} -+ - static CURLcode check_telnet_options(struct Curl_easy *data) - { - struct curl_slist *head; -@@ -784,6 +795,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) - /* Add the user name as an environment variable if it - was given on the command line */ - if(data->state.aptr.user) { -+ if(str_is_nonascii(data->conn->user)) -+ return CURLE_BAD_FUNCTION_ARGUMENT; - msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); - beg = curl_slist_append(tn->telnet_vars, option_arg); - if(!beg) { -@@ -798,6 +811,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data) - for(head = data->set.telnet_options; head; head = head->next) { - if(sscanf(head->data, "%127[^= ]%*[ =]%255s", - option_keyword, option_arg) == 2) { -+ if(str_is_nonascii(option_arg)) -+ continue; - - /* Terminal type */ - if(strcasecompare(option_keyword, "TTYPE")) { --- -2.39.2 - diff --git a/0024-curl-7.87.0-CVE-2023-27534.patch b/0024-curl-7.87.0-CVE-2023-27534.patch deleted file mode 100644 index ea589f3..0000000 --- a/0024-curl-7.87.0-CVE-2023-27534.patch +++ /dev/null @@ -1,126 +0,0 @@ -From 5ebdef4442b438ab1a899edb169489fc259fae1a Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 9 Mar 2023 16:22:11 +0100 -Subject: [PATCH] curl_path: create the new path with dynbuf - -Closes #10729 - -Upstream-commit: 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 -Signed-off-by: Kamil Dudka ---- - lib/curl_path.c | 75 +++++++++++++++++++++++-------------------------- - 1 file changed, 35 insertions(+), 40 deletions(-) - -diff --git a/lib/curl_path.c b/lib/curl_path.c -index f00e3ee..8106042 100644 ---- a/lib/curl_path.c -+++ b/lib/curl_path.c -@@ -32,70 +32,65 @@ - #include "escape.h" - #include "memdebug.h" - -+#define MAX_SSHPATH_LEN 100000 /* arbitrary */ -+ - /* figure out the path to work with in this particular request */ - CURLcode Curl_getworkingpath(struct Curl_easy *data, - char *homedir, /* when SFTP is used */ - char **path) /* returns the allocated - real path to work with */ - { -- char *real_path = NULL; - char *working_path; - size_t working_path_len; -+ struct dynbuf npath; - CURLcode result = - Curl_urldecode(data->state.up.path, 0, &working_path, - &working_path_len, REJECT_ZERO); - if(result) - return result; - -+ /* new path to switch to in case we need to */ -+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); -+ - /* Check for /~/, indicating relative to the user's home directory */ -- if(data->conn->handler->protocol & CURLPROTO_SCP) { -- real_path = malloc(working_path_len + 1); -- if(!real_path) { -+ if((data->conn->handler->protocol & CURLPROTO_SCP) && -+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { -+ /* It is referenced to the home directory, so strip the leading '/~/' */ -+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { - free(working_path); - return CURLE_OUT_OF_MEMORY; - } -- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) -- /* It is referenced to the home directory, so strip the leading '/~/' */ -- memcpy(real_path, working_path + 3, working_path_len - 2); -- else -- memcpy(real_path, working_path, 1 + working_path_len); - } -- else if(data->conn->handler->protocol & CURLPROTO_SFTP) { -- if((working_path_len > 1) && (working_path[1] == '~')) { -- size_t homelen = strlen(homedir); -- real_path = malloc(homelen + working_path_len + 1); -- if(!real_path) { -- free(working_path); -- return CURLE_OUT_OF_MEMORY; -- } -- /* It is referenced to the home directory, so strip the -- leading '/' */ -- memcpy(real_path, homedir, homelen); -- /* Only add a trailing '/' if homedir does not end with one */ -- if(homelen == 0 || real_path[homelen - 1] != '/') { -- real_path[homelen] = '/'; -- homelen++; -- real_path[homelen] = '\0'; -- } -- if(working_path_len > 3) { -- memcpy(real_path + homelen, working_path + 3, -- 1 + working_path_len -3); -- } -+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && -+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { -+ size_t len; -+ const char *p; -+ int copyfrom = 3; -+ if(Curl_dyn_add(&npath, homedir)) { -+ free(working_path); -+ return CURLE_OUT_OF_MEMORY; - } -- else { -- real_path = malloc(working_path_len + 1); -- if(!real_path) { -- free(working_path); -- return CURLE_OUT_OF_MEMORY; -- } -- memcpy(real_path, working_path, 1 + working_path_len); -+ /* Copy a separating '/' if homedir does not end with one */ -+ len = Curl_dyn_len(&npath); -+ p = Curl_dyn_ptr(&npath); -+ if(len && (p[len-1] != '/')) -+ copyfrom = 2; -+ -+ if(Curl_dyn_addn(&npath, -+ &working_path[copyfrom], working_path_len - copyfrom)) { -+ free(working_path); -+ return CURLE_OUT_OF_MEMORY; - } - } - -- free(working_path); -+ if(Curl_dyn_len(&npath)) { -+ free(working_path); - -- /* store the pointer for the caller to receive */ -- *path = real_path; -+ /* store the pointer for the caller to receive */ -+ *path = Curl_dyn_ptr(&npath); -+ } -+ else -+ *path = working_path; - - return CURLE_OK; - } --- -2.39.2 - diff --git a/0025-curl-7.87.0-CVE-2023-27535.patch b/0025-curl-7.87.0-CVE-2023-27535.patch deleted file mode 100644 index 4d3cf52..0000000 --- a/0025-curl-7.87.0-CVE-2023-27535.patch +++ /dev/null @@ -1,166 +0,0 @@ -From b79a0e768fcd71003b33feb5deea697dd0903e48 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 9 Mar 2023 17:47:06 +0100 -Subject: [PATCH] ftp: add more conditions for connection reuse - -Reported-by: Harry Sintonen -Closes #10730 - -Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 -Signed-off-by: Kamil Dudka ---- - lib/ftp.c | 28 ++++++++++++++++++++++++++-- - lib/ftp.h | 5 +++++ - lib/setopt.c | 2 +- - lib/url.c | 16 +++++++++++++++- - lib/urldata.h | 4 ++-- - 5 files changed, 49 insertions(+), 6 deletions(-) - -diff --git a/lib/ftp.c b/lib/ftp.c -index 8f0ac2e..d90509e 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -4069,6 +4069,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data, - } - - freedirs(ftpc); -+ Curl_safefree(ftpc->account); -+ Curl_safefree(ftpc->alternative_to_user); - Curl_safefree(ftpc->prevpath); - Curl_safefree(ftpc->server_os); - Curl_pp_disconnect(pp); -@@ -4338,11 +4340,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, - char *type; - struct FTP *ftp; - CURLcode result = CURLE_OK; -+ struct ftp_conn *ftpc = &conn->proto.ftpc; - -- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); -+ ftp = calloc(sizeof(struct FTP), 1); - if(!ftp) - return CURLE_OUT_OF_MEMORY; - -+ /* clone connection related data that is FTP specific */ -+ if(data->set.str[STRING_FTP_ACCOUNT]) { -+ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); -+ if(!ftpc->account) { -+ free(ftp); -+ return CURLE_OUT_OF_MEMORY; -+ } -+ } -+ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { -+ ftpc->alternative_to_user = -+ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); -+ if(!ftpc->alternative_to_user) { -+ Curl_safefree(ftpc->account); -+ free(ftp); -+ return CURLE_OUT_OF_MEMORY; -+ } -+ } -+ data->req.p.ftp = ftp; -+ - ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ - - /* FTP URLs support an extension like ";type=" that -@@ -4377,7 +4399,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, - /* get some initial data into the ftp struct */ - ftp->transfer = PPTRANSFER_BODY; - ftp->downloadsize = 0; -- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ -+ ftpc->known_filesize = -1; /* unknown size for now */ -+ ftpc->use_ssl = data->set.use_ssl; -+ ftpc->ccc = data->set.ftp_ccc; - - return result; - } -diff --git a/lib/ftp.h b/lib/ftp.h -index 7f6f432..3f33e27 100644 ---- a/lib/ftp.h -+++ b/lib/ftp.h -@@ -119,6 +119,8 @@ struct FTP { - struct */ - struct ftp_conn { - struct pingpong pp; -+ char *account; -+ char *alternative_to_user; - char *entrypath; /* the PWD reply when we logged on */ - char *file; /* url-decoded file name (or path) */ - char **dirs; /* realloc()ed array for path components */ -@@ -148,6 +150,9 @@ struct ftp_conn { - ftpstate state; /* always use ftp.c:state() to change state! */ - ftpstate state_saved; /* transfer type saved to be reloaded after - data connection is established */ -+ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or -+ IMAP or POP3 or others! (type: curl_usessl)*/ -+ unsigned char ccc; /* ccc level for this connection */ - curl_off_t retr_size_saved; /* Size of retrieved file saved */ - char *server_os; /* The target server operating system. */ - curl_off_t known_filesize; /* file size is different from -1, if wildcard -diff --git a/lib/setopt.c b/lib/setopt.c -index f71a606..d1905c6 100644 ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -2351,7 +2351,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - arg = va_arg(param, long); - if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) - return CURLE_BAD_FUNCTION_ARGUMENT; -- data->set.use_ssl = (curl_usessl)arg; -+ data->set.use_ssl = (unsigned char)arg; - break; - - case CURLOPT_SSL_OPTIONS: -diff --git a/lib/url.c b/lib/url.c -index 831ae06..3b11b7e 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -1352,10 +1352,24 @@ ConnectionExists(struct Curl_easy *data, - (data->state.httpwant < CURL_HTTP_VERSION_2_0)) - continue; - -- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { -+#ifdef USE_SSH -+ else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { - if(!ssh_config_matches(needle, check)) - continue; - } -+#endif -+#ifndef CURL_DISABLE_FTP -+ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) { -+ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ -+ if(Curl_timestrcmp(needle->proto.ftpc.account, -+ check->proto.ftpc.account) || -+ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, -+ check->proto.ftpc.alternative_to_user) || -+ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || -+ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) -+ continue; -+ } -+#endif - - if((needle->handler->flags&PROTOPT_SSL) - #ifndef CURL_DISABLE_PROXY -diff --git a/lib/urldata.h b/lib/urldata.h -index 8c8c20b..ce90304 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1750,8 +1750,6 @@ struct UserDefined { - #ifndef CURL_DISABLE_NETRC - unsigned char use_netrc; /* enum CURL_NETRC_OPTION values */ - #endif -- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or -- IMAP or POP3 or others! */ - unsigned int new_file_perms; /* when creating remote files */ - unsigned int new_directory_perms; /* when creating remote dirs */ - int ssh_auth_types; /* allowed SSH auth types */ -@@ -1810,6 +1808,8 @@ struct UserDefined { - BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some - recipients */ - #endif -+ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or -+ IMAP or POP3 or others! (type: curl_usessl)*/ - unsigned char connect_only; /* make connection/request, then let - application use the socket */ - BIT(is_fread_set); /* has read callback been set to non-NULL? */ --- -2.39.2 - diff --git a/0026-curl-7.87.0-CVE-2023-27536.patch b/0026-curl-7.87.0-CVE-2023-27536.patch deleted file mode 100644 index 268e206..0000000 --- a/0026-curl-7.87.0-CVE-2023-27536.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 10 Mar 2023 09:22:43 +0100 -Subject: [PATCH] url: only reuse connections with same GSS delegation - -Reported-by: Harry Sintonen -Closes #10731 - -Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 -Signed-off-by: Kamil Dudka ---- - lib/url.c | 6 ++++++ - lib/urldata.h | 1 + - 2 files changed, 7 insertions(+) - -diff --git a/lib/url.c b/lib/url.c -index 3b11b7e..cbbc7f3 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -1345,6 +1345,11 @@ ConnectionExists(struct Curl_easy *data, - } - } - -+ /* GSS delegation differences do not actually affect every connection -+ and auth method, but this check takes precaution before efficiency */ -+ if(needle->gssapi_delegation != check->gssapi_delegation) -+ continue; -+ - /* If multiplexing isn't enabled on the h2 connection and h1 is - explicitly requested, handle it: */ - if((needle->handler->protocol & PROTO_FAMILY_HTTP) && -@@ -1662,6 +1667,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) - conn->fclosesocket = data->set.fclosesocket; - conn->closesocket_client = data->set.closesocket_client; - conn->lastused = Curl_now(); /* used now */ -+ conn->gssapi_delegation = data->set.gssapi_delegation; - - return conn; - error: -diff --git a/lib/urldata.h b/lib/urldata.h -index ce90304..9e16f26 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1111,6 +1111,7 @@ struct connectdata { - unsigned char ip_version; /* copied from the Curl_easy at creation time */ - unsigned char httpversion; /* the HTTP version*10 reported by the server */ - unsigned char connect_only; -+ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */ - }; - - /* The end of connectdata. */ --- -2.39.2 - diff --git a/0027-curl-7.87.0-CVE-2023-27537.patch b/0027-curl-7.87.0-CVE-2023-27537.patch deleted file mode 100644 index df90d49..0000000 --- a/0027-curl-7.87.0-CVE-2023-27537.patch +++ /dev/null @@ -1,40 +0,0 @@ -From ed7451520fd1b5da62a5371c07db69bed36a5486 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 9 Mar 2023 18:01:34 +0100 -Subject: [PATCH] CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe - -Reported-by: Hiroki Kurosawa -Closes #10732 - -Upstream-commit: dca4cdf071be095bcdc7126eaa77a8946ea4790b -Signed-off-by: Kamil Dudka ---- - docs/libcurl/opts/CURLSHOPT_SHARE.3 | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/docs/libcurl/opts/CURLSHOPT_SHARE.3 b/docs/libcurl/opts/CURLSHOPT_SHARE.3 -index b15af82..4544160 100644 ---- a/docs/libcurl/opts/CURLSHOPT_SHARE.3 -+++ b/docs/libcurl/opts/CURLSHOPT_SHARE.3 -@@ -57,8 +57,7 @@ implemented until 7.23.0. - Put the connection cache in the share object and make all easy handles using - this share object share the connection cache. - --Note that due to a known bug, it is not safe to share connections this way --between multiple concurrent threads. -+It is not supported to share connections between multiple concurrent threads. - - Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing only - get additional transfers added to them if the existing connection is held by -@@ -82,6 +81,8 @@ multi handle will share PSL cache by default without using this option. - .IP CURL_LOCK_DATA_HSTS - The in-memory HSTS cache. - -+It is not supported to share the HSTS between multiple concurrent threads. -+ - Added in 7.88.0 - .SH PROTOCOLS - All --- -2.39.2 - diff --git a/0028-curl-7.87.0-CVE-2023-27538.patch b/0028-curl-7.87.0-CVE-2023-27538.patch deleted file mode 100644 index 0fb2fe8..0000000 --- a/0028-curl-7.87.0-CVE-2023-27538.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 10 Mar 2023 08:22:51 +0100 -Subject: [PATCH] url: fix the SSH connection reuse check - -Reported-by: Harry Sintonen -Closes #10735 - -Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb -Signed-off-by: Kamil Dudka ---- - lib/url.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/url.c b/lib/url.c -index 0c31486..3b11b7e 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -1353,7 +1353,7 @@ ConnectionExists(struct Curl_easy *data, - continue; - - #ifdef USE_SSH -- else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { -+ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { - if(!ssh_config_matches(needle, check)) - continue; - } --- -2.39.2 - diff --git a/curl.spec b/curl.spec index 9b139d7..db326c9 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.87.0 -Release: 10%{?dist} +Version: 8.0.1 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,45 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix regression in a public header file (#2162716) -Patch1: 0001-curl-7.87.0-header-file-regression.patch - -# tests: make sure gnuserv-tls has SRP support before using it -Patch2: 0002-curl-7.87.0-tests-tls-srp.patch - -# cfilters: use the first non-connected filter (#2185433) -Patch3: 0003-curl-7.87.0-cfilters-ostree.patch - -# share HSTS between handles (CVE-2023-23915 CVE-2023-23914) -Patch6: 0006-curl-7.87.0-hsts-CVEs.patch - -# fix HTTP multi-header compression denial of service (CVE-2023-23916) -Patch7: 0007-curl-7.87.0-CVE-2023-23916.patch - -# vtls: fix hostname handling in filters (#2192665) -Patch8: 0008-curl-7.87.0-vtls-hostname.patch - -# http_proxy: fix memory corruption with http proxy tunneling (#2192665) -Patch9: 0009-curl-7.87.0-http-proxy.patch - -# fix TELNET option IAC injection (CVE-2023-27533) -Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch - -# fix SFTP path ~ resolving discrepancy (CVE-2023-27534) -Patch24: 0024-curl-7.87.0-CVE-2023-27534.patch - -# fix FTP too eager connection reuse (CVE-2023-27535) -Patch25: 0025-curl-7.87.0-CVE-2023-27535.patch - -# fix GSS delegation too eager connection re-use (CVE-2023-27536) -Patch26: 0026-curl-7.87.0-CVE-2023-27536.patch - -# fix HSTS double-free (CVE-2023-27537) -Patch27: 0027-curl-7.87.0-CVE-2023-27537.patch - -# fix SSH connection too eager reuse still (CVE-2023-27538) -Patch28: 0028-curl-7.87.0-CVE-2023-27538.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -236,19 +197,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch28 -p1 # Fedora patches %patch101 -p1 @@ -483,6 +431,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 03 2023 Kamil Dudka - 8.0.1-1 +- rebase to latest upstream release (#2192665) + * Wed May 03 2023 Kamil Dudka - 7.87.0-10 - http_proxy: fix memory corruption with http proxy tunneling (#2192665) diff --git a/sources b/sources index 7906eb7..fe0a4ce 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.87.0.tar.xz) = aa125991592667280dce3788aabe81487cf8c55b0afc59d675cc30b76055bb7114f5380b4a0e3b6461a8f81bf9812fa26d493a85f7e01d84263d484a0d699ee7 -SHA512 (curl-7.87.0.tar.xz.asc) = 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4 +SHA512 (curl-8.0.1.tar.xz) = 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d +SHA512 (curl-8.0.1.tar.xz.asc) = 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf From a70e47eb40dea3908e69c6afaa85792bf7510239 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 10:46:00 +0100 Subject: [PATCH 028/120] do not fail on warnings in the upstream test driver --- 0104-curl-7.88.0-tests-warnings.patch | 30 +++++++++++++++++++++++++++ curl.spec | 4 ++++ 2 files changed, 34 insertions(+) create mode 100644 0104-curl-7.88.0-tests-warnings.patch diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch new file mode 100644 index 0000000..dff89f9 --- /dev/null +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -0,0 +1,30 @@ +From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 15 Feb 2023 10:42:38 +0100 +Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" + +While it might be useful for upstream developers, it is not so useful +for downstream consumers. + +This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. +--- + tests/runtests.pl | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 71644ad18..0cf85c3fe 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -75,8 +75,7 @@ BEGIN { + } + + use strict; +-# Promote all warnings to fatal +-use warnings FATAL => 'all'; ++use warnings; + use Cwd; + use Digest::MD5 qw(md5); + use MIME::Base64; +-- +2.39.1 + diff --git a/curl.spec b/curl.spec index db326c9..1cc3240 100644 --- a/curl.spec +++ b/curl.spec @@ -19,6 +19,9 @@ Patch102: 0102-curl-7.84.0-test3026.patch # test3012: temporarily disable valgrind (#2143040) Patch103: 0103-curl-7.87.0-test3012.patch +# do not fail on warnings in the upstream test driver +Patch104: 0104-curl-7.88.0-tests-warnings.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -202,6 +205,7 @@ be installed. %patch101 -p1 %patch102 -p1 %patch103 -p1 +%patch104 -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 From 0980c80da7d03d7dd215985777cd1d0144327618 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 12:53:26 +0100 Subject: [PATCH 029/120] add glibc-langpack-en BR needed for test1560 to succeed Suggested-by: Paul Howarth --- curl.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/curl.spec b/curl.spec index 1cc3240..2f5be4a 100644 --- a/curl.spec +++ b/curl.spec @@ -60,6 +60,9 @@ BuildRequires: perl(Pod::Usage) BuildRequires: perl(strict) BuildRequires: perl(warnings) +# needed for test1560 to succeed +BuildRequires: glibc-langpack-en + # gnutls-serv is used by the upstream test-suite BuildRequires: gnutls-utils From 24723f4bdf070044ea46235b002a3d65e854075e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 14:32:13 +0200 Subject: [PATCH 030/120] curl.spec: apply patches automatically ... to ease maintenance and to avoid the following warning on Fedora Rawhide: ``` warning: %patchN is deprecated (4 usages found), use %patch N (or %patch -P N) ``` --- curl.spec | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/curl.spec b/curl.spec index 2f5be4a..9a3fa7d 100644 --- a/curl.spec +++ b/curl.spec @@ -200,15 +200,7 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%setup -q - -# upstream patches - -# Fedora patches -%patch101 -p1 -%patch102 -p1 -%patch103 -p1 -%patch104 -p1 +%autosetup -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 @@ -439,6 +431,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed May 03 2023 Kamil Dudka - 8.0.1-1 +- apply patches automatically - rebase to latest upstream release (#2192665) * Wed May 03 2023 Kamil Dudka - 7.87.0-10 From e76d3e0e652b69f95a36d5d51367b53bc33f4d6e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 18:00:44 +0200 Subject: [PATCH 031/120] tests: attempt to fix a conflict on port numbers ... where stunnel listens for legacy HTTPS and HTTP/2, which manifests as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 1941 1945 2050 2055 3028 ``` [...] startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 RUN: HTTPS server is PID 114398 port 24642 * pid https => 114398 114402 [...] startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 startnew: child process has died, server might start up Warning: http2 server unexpectedly alive RUN: Process with pid 73992 signalled to die RUN: Process with pid 73992 forced to die with SIGKILL == Contents of files in the log/ dir after test 1630 === Start of file http2_server.log 14:01:21.881018 exit_signal_handler: 15 14:01:21.881372 signalled to die 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) === End of file http2_server.log === Start of file https2_stunnel.log [ ] Initializing inetd mode configuration [ ] Clients allowed=500 [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI [ ] errno: (*__errno_location ()) [ ] Initializing inetd mode configuration [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf [.] UTF-8 byte order mark not detected [.] FIPS mode disabled [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [curltest] [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly [ ] stunnel default security level set: 2 [ ] Ciphers: PROFILE=SYSTEM [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 [ ] TLS options: 0x2100000 (+0x0, -0x0) [ ] Session resumption enabled [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Private key check succeeded [!] No trusted certificates found [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 [ ] DH initialization [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Using dynamic DH parameters [ ] ECDH initialization [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 [.] Configuration successful [ ] Deallocating deployed section defaults [ ] Binding service [curltest] [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to :::24642: Address already in use (98) [!] Binding service [curltest] failed [ ] Unbinding service [curltest] [ ] Service [curltest] closed [ ] Deallocating deployed section defaults [ ] Deallocating section [curltest] [ ] Initializing inetd mode configuration === End of file https2_stunnel.log ``` --- 0105-curl-8.0.1-tests-stunnel-port.patch | 97 ++++++++++++++++++++++++ curl.spec | 4 + 2 files changed, 101 insertions(+) create mode 100644 0105-curl-8.0.1-tests-stunnel-port.patch diff --git a/0105-curl-8.0.1-tests-stunnel-port.patch b/0105-curl-8.0.1-tests-stunnel-port.patch new file mode 100644 index 0000000..47d1419 --- /dev/null +++ b/0105-curl-8.0.1-tests-stunnel-port.patch @@ -0,0 +1,97 @@ +From c9a1d18e5f8f28b90c1b2fcc1f15699327067e59 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 21 Apr 2023 17:44:10 +0200 +Subject: [PATCH] tests/runtests.pl: attempt to fix a conflict on port numbers + +... where stunnel listens for legacy HTTPS and HTTP/2, which manifests +as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 +1941 1945 2050 2055 3028 +``` +[...] +startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 +RUN: HTTPS server is PID 114398 port 24642 +* pid https => 114398 114402 +[...] +startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 +startnew: child process has died, server might start up +Warning: http2 server unexpectedly alive +RUN: Process with pid 73992 signalled to die +RUN: Process with pid 73992 forced to die with SIGKILL +== Contents of files in the log/ dir after test 1630 +=== Start of file http2_server.log + 14:01:21.881018 exit_signal_handler: 15 + 14:01:21.881372 signalled to die + 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) +=== End of file http2_server.log +=== Start of file https2_stunnel.log + [ ] Initializing inetd mode configuration + [ ] Clients allowed=500 + [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform + [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 + [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI + [ ] errno: (*__errno_location ()) + [ ] Initializing inetd mode configuration + [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf + [.] UTF-8 byte order mark not detected + [.] FIPS mode disabled + [ ] Compression disabled + [ ] No PRNG seeding was required + [ ] Initializing service [curltest] + [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. + [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly + [ ] stunnel default security level set: 2 + [ ] Ciphers: PROFILE=SYSTEM + [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 + [ ] TLS options: 0x2100000 (+0x0, -0x0) + [ ] Session resumption enabled + [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Private key check succeeded + [!] No trusted certificates found + [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 + [ ] DH initialization + [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Using dynamic DH parameters + [ ] ECDH initialization + [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 + [.] Configuration successful + [ ] Deallocating deployed section defaults + [ ] Binding service [curltest] + [ ] Listening file descriptor created (FD=8) + [ ] Setting accept socket options (FD=8) + [ ] Option SO_REUSEADDR set on accept socket + [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) + [ ] Listening file descriptor created (FD=8) + [ ] Setting accept socket options (FD=8) + [ ] Option SO_REUSEADDR set on accept socket + [.] Binding service [curltest] to :::24642: Address already in use (98) + [!] Binding service [curltest] failed + [ ] Unbinding service [curltest] + [ ] Service [curltest] closed + [ ] Deallocating deployed section defaults + [ ] Deallocating section [curltest] + [ ] Initializing inetd mode configuration +=== End of file https2_stunnel.log +``` +--- + tests/runtests.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 54f6923..bb362c9 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -1802,7 +1802,7 @@ sub runhttpsserver { + + my $pid2; + my $httpspid; +- my $port = 24512; # start attempt ++ my $port = 24512 * $idnum; # start attempt + for (1 .. 10) { + $port += int(rand(600)); + my $options = "$flags --accept $port"; +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 9a3fa7d..e79c83c 100644 --- a/curl.spec +++ b/curl.spec @@ -22,6 +22,9 @@ Patch103: 0103-curl-7.87.0-test3012.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch +# tests: attempt to fix a conflict on port numbers +Patch105: 0105-curl-8.0.1-tests-stunnel-port.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -431,6 +434,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed May 03 2023 Kamil Dudka - 8.0.1-1 +- tests: attempt to fix a conflict on port numbers - apply patches automatically - rebase to latest upstream release (#2192665) From c2176d668adf421991074089d6752e181a9d1b50 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 18:01:25 +0200 Subject: [PATCH 032/120] tests: re-enable temporarily disabled test-cases --- curl.spec | 31 +++---------------------------- 1 file changed, 3 insertions(+), 28 deletions(-) diff --git a/curl.spec b/curl.spec index e79c83c..3b1e1e5 100644 --- a/curl.spec +++ b/curl.spec @@ -205,35 +205,9 @@ be installed. %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed -# with errno 98: Address already in use' in Koji environment), and test 1801 +# disable test 1801 # -printf "1112\n1455\n1184\n1801\n" >> tests/data/DISABLED - -# disable test 1319 on ppc64 (server times out) -%ifarch ppc64 -echo "1319" >> tests/data/DISABLED -%endif - -# disable tests 320..322 on ppc64le where it started to hang/fail -%ifarch ppc64le -printf "320\n321\n322\n" >> tests/data/DISABLED -%endif - -# temporarily disable tests 582 and 1452 on s390x (client times out) -%ifarch s390x -printf "582\n1452\n" >> tests/data/DISABLED -%endif - -# temporarily disable tests 702 703 716 on armv7hl (#1829180) -%ifarch armv7hl -printf "702\n703\n716\n" >> tests/data/DISABLED -%endif - -# temporarily disable tests 300{0,1} on x86_64 (stunnel clashes with itself) -%ifarch x86_64 -printf "3000\n3001\n" >> tests/data/DISABLED -%endif +echo "1801" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -434,6 +408,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed May 03 2023 Kamil Dudka - 8.0.1-1 +- tests: re-enable temporarily disabled test-cases - tests: attempt to fix a conflict on port numbers - apply patches automatically - rebase to latest upstream release (#2192665) From c0b70e927f358df34598d6ab38da54ea04676a2e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 17 May 2023 09:28:55 +0200 Subject: [PATCH 033/120] new upstream release - 8.1.0 Resolves: CVE-2023-28321 - IDN wildcard match Resolves: CVE-2023-28322 - more POST-after-PUT confusion --- 0103-curl-7.87.0-test3012.patch | 2 +- 0104-curl-7.88.0-tests-warnings.patch | 10 +-- 0105-curl-8.0.1-tests-stunnel-port.patch | 97 ------------------------ curl.spec | 13 ++-- sources | 4 +- 5 files changed, 16 insertions(+), 110 deletions(-) delete mode 100644 0105-curl-8.0.1-tests-stunnel-port.patch diff --git a/0103-curl-7.87.0-test3012.patch b/0103-curl-7.87.0-test3012.patch index 108d715..1de7ff3 100644 --- a/0103-curl-7.87.0-test3012.patch +++ b/0103-curl-7.87.0-test3012.patch @@ -38,7 +38,7 @@ index 1889c93..ea43a49 100644 --- a/tests/data/test3012 +++ b/tests/data/test3012 @@ -56,5 +56,9 @@ Accept: */* - + -foo- + diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch index dff89f9..04b2ba2 100644 --- a/0104-curl-7.88.0-tests-warnings.patch +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -15,16 +15,16 @@ diff --git a/tests/runtests.pl b/tests/runtests.pl index 71644ad18..0cf85c3fe 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl -@@ -75,8 +75,7 @@ BEGIN { - } +@@ -55,8 +55,7 @@ + # given, this won't be a problem. use strict; -# Promote all warnings to fatal -use warnings FATAL => 'all'; +use warnings; - use Cwd; - use Digest::MD5 qw(md5); - use MIME::Base64; + use 5.006; + + # These should be the only variables that might be needed to get edited: -- 2.39.1 diff --git a/0105-curl-8.0.1-tests-stunnel-port.patch b/0105-curl-8.0.1-tests-stunnel-port.patch deleted file mode 100644 index 47d1419..0000000 --- a/0105-curl-8.0.1-tests-stunnel-port.patch +++ /dev/null @@ -1,97 +0,0 @@ -From c9a1d18e5f8f28b90c1b2fcc1f15699327067e59 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 21 Apr 2023 17:44:10 +0200 -Subject: [PATCH] tests/runtests.pl: attempt to fix a conflict on port numbers - -... where stunnel listens for legacy HTTPS and HTTP/2, which manifests -as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 -1941 1945 2050 2055 3028 -``` -[...] -startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 -RUN: HTTPS server is PID 114398 port 24642 -* pid https => 114398 114402 -[...] -startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 -startnew: child process has died, server might start up -Warning: http2 server unexpectedly alive -RUN: Process with pid 73992 signalled to die -RUN: Process with pid 73992 forced to die with SIGKILL -== Contents of files in the log/ dir after test 1630 -=== Start of file http2_server.log - 14:01:21.881018 exit_signal_handler: 15 - 14:01:21.881372 signalled to die - 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) -=== End of file http2_server.log -=== Start of file https2_stunnel.log - [ ] Initializing inetd mode configuration - [ ] Clients allowed=500 - [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform - [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 - [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI - [ ] errno: (*__errno_location ()) - [ ] Initializing inetd mode configuration - [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf - [.] UTF-8 byte order mark not detected - [.] FIPS mode disabled - [ ] Compression disabled - [ ] No PRNG seeding was required - [ ] Initializing service [curltest] - [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. - [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly - [ ] stunnel default security level set: 2 - [ ] Ciphers: PROFILE=SYSTEM - [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 - [ ] TLS options: 0x2100000 (+0x0, -0x0) - [ ] Session resumption enabled - [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Private key check succeeded - [!] No trusted certificates found - [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 - [ ] DH initialization - [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Using dynamic DH parameters - [ ] ECDH initialization - [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 - [.] Configuration successful - [ ] Deallocating deployed section defaults - [ ] Binding service [curltest] - [ ] Listening file descriptor created (FD=8) - [ ] Setting accept socket options (FD=8) - [ ] Option SO_REUSEADDR set on accept socket - [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) - [ ] Listening file descriptor created (FD=8) - [ ] Setting accept socket options (FD=8) - [ ] Option SO_REUSEADDR set on accept socket - [.] Binding service [curltest] to :::24642: Address already in use (98) - [!] Binding service [curltest] failed - [ ] Unbinding service [curltest] - [ ] Service [curltest] closed - [ ] Deallocating deployed section defaults - [ ] Deallocating section [curltest] - [ ] Initializing inetd mode configuration -=== End of file https2_stunnel.log -``` ---- - tests/runtests.pl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index 54f6923..bb362c9 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -1802,7 +1802,7 @@ sub runhttpsserver { - - my $pid2; - my $httpspid; -- my $port = 24512; # start attempt -+ my $port = 24512 * $idnum; # start attempt - for (1 .. 10) { - $port += int(rand(600)); - my $options = "$flags --accept $port"; --- -2.39.2 - diff --git a/curl.spec b/curl.spec index b41cf59..6caa923 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.0.1 -Release: 3%{?dist} +Version: 8.1.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -22,9 +22,6 @@ Patch103: 0103-curl-7.87.0-test3012.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch -# tests: attempt to fix a conflict on port numbers -Patch105: 0105-curl-8.0.1-tests-stunnel-port.patch - Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -84,6 +81,7 @@ BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) BuildRequires: perl(IPC::Open2) +BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) BuildRequires: perl(Time::Local) BuildRequires: perl(Time::HiRes) @@ -407,6 +405,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 17 2023 Kamil Dudka - 8.1.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-28321 - IDN wildcard match + CVE-2023-28322 - more POST-after-PUT confusion + * Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 - tests: re-enable temporarily disabled test-cases - tests: attempt to fix a conflict on port numbers diff --git a/sources b/sources index fe0a4ce..f60ca98 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.0.1.tar.xz) = 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d -SHA512 (curl-8.0.1.tar.xz.asc) = 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf +SHA512 (curl-8.1.0.tar.xz) = b99926f372ddd715cd1d2b54d8fb96b26b085e6501715e25aa57b6c6a7f8452473506ddb284e2f280f8afdb301b7f0c3bfde7ad7ed393b12c022430a9301096d +SHA512 (curl-8.1.0.tar.xz.asc) = 191a74c7a6b6aa78b7f36e1535fda0701bde8b333a61c90343e1f1b2d65cc5097b5febc5fa42b2f373795ef1b34078790deaaa71c8aaa45eed1c753729a45f3d From 4da3349c052a3dbc42320f3dbca35ed5fb60fbaf Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 17 May 2023 09:55:40 +0200 Subject: [PATCH 034/120] drop 0103-curl-7.87.0-test3012.patch The related valgrind bug has been fixed https://bugzilla.redhat.com/2143040 --- 0103-curl-7.87.0-test3012.patch | 52 --------------------------------- curl.spec | 3 -- 2 files changed, 55 deletions(-) delete mode 100644 0103-curl-7.87.0-test3012.patch diff --git a/0103-curl-7.87.0-test3012.patch b/0103-curl-7.87.0-test3012.patch deleted file mode 100644 index 1de7ff3..0000000 --- a/0103-curl-7.87.0-test3012.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 0d0a256c8e7f6261d49e1bdd583c04c0e5dfe706 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 11 Jan 2023 08:53:05 +0100 -Subject: [PATCH] test3012: disable valgrind - -valgrind reports a call to memcpy() with overlapping blocks by mistake: -``` -test 3012...[--output-dir with -J] -../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind3012 ../src/curl --trace-ascii log/trace3012 --trace-time http://127.0.0.1:35981/this/is/the/3012 -OJ --output-dir /root/rpmbuild/BUILD/curl-7.86.0/build-minimal/tests/log >log/stdout3012 2>log/stderr3012 -CMD (0): ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind3012 ../src/curl --trace-ascii log/trace3012 --trace-time http://127.0.0.1:35981/this/is/the/3012 -OJ --output-dir /root/rpmbuild/BUILD/curl-7.86.0/build-minimal/tests/log >log/stdout3012 2>log/stderr3012 - valgrind ERROR ==496584== Source and destination overlap in memcpy_chk(0x54ad1a0, 0x54ad1a1, 11) -==496584== at 0x484C332: __memcpy_chk (vg_replace_strmem.c:1741) -==496584== by 0x118FDB: UnknownInlinedFun (string_fortified.h:36) -==496584== by 0x118FDB: UnknownInlinedFun (tool_cb_hdr.c:301) -==496584== by 0x118FDB: tool_header_cb (tool_cb_hdr.c:173) -==496584== by 0x489907B: chop_write.lto_priv.0 (sendf.c:620) -==496584== by 0x489CDD1: UnknownInlinedFun (http.c:4449) -==496584== by 0x489CDD1: UnknownInlinedFun (transfer.c:633) -==496584== by 0x489CDD1: Curl_readwrite (transfer.c:1219) -==496584== by 0x488C116: multi_runsingle (multi.c:2404) -==496584== by 0x488F491: curl_multi_perform (multi.c:2682) -==496584== by 0x486A9DA: UnknownInlinedFun (easy.c:663) -==496584== by 0x486A9DA: UnknownInlinedFun (easy.c:753) -==496584== by 0x486A9DA: curl_easy_perform (easy.c:772) -==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2406) -==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2594) -==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2706) -==496584== by 0x114B28: main (tool_main.c:284) -``` - -Bug: https://bugzilla.redhat.com/2143040 ---- - tests/data/test3012 | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/tests/data/test3012 b/tests/data/test3012 -index 1889c93..ea43a49 100644 ---- a/tests/data/test3012 -+++ b/tests/data/test3012 -@@ -56,5 +56,9 @@ Accept: */* - - -foo- - -+ -+ -+disable -+ - - --- -2.39.0 - diff --git a/curl.spec b/curl.spec index 6caa923..1a0f830 100644 --- a/curl.spec +++ b/curl.spec @@ -16,9 +16,6 @@ Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch -# test3012: temporarily disable valgrind (#2143040) -Patch103: 0103-curl-7.87.0-test3012.patch - # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch From fa58a15ce67d2e5d68f7629acd230a78ff1034b0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 17 May 2023 12:11:00 +0200 Subject: [PATCH 035/120] add BR for perl(base) needed by the test-suite --- curl.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/curl.spec b/curl.spec index 1a0f830..255e7cd 100644 --- a/curl.spec +++ b/curl.spec @@ -70,6 +70,7 @@ BuildRequires: hostname BuildRequires: nghttp2 # perl modules used in the test suite +BuildRequires: perl(base) BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) BuildRequires: perl(Digest::SHA) From 6beac072292c9c0ce88dd00d2be0257eca27d38e Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Wed, 17 May 2023 13:12:45 +0100 Subject: [PATCH 036/120] Ignore lzma-compressed tarballs from old releases --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index d7bfa33..c5a82f4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ +/curl-[0-9.]*.tar.lzma +/curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc From dc1838de584fd131fd3714807b1396d9e469002d Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Wed, 17 May 2023 13:14:43 +0100 Subject: [PATCH 037/120] Additional test suite dependencies --- curl.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 255e7cd..fb65da1 100644 --- a/curl.spec +++ b/curl.spec @@ -70,7 +70,9 @@ BuildRequires: hostname BuildRequires: nghttp2 # perl modules used in the test suite +BuildRequires: perl(B) BuildRequires: perl(base) +BuildRequires: perl(constant) BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) BuildRequires: perl(Digest::SHA) @@ -79,10 +81,13 @@ BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) BuildRequires: perl(IPC::Open2) +BuildRequires: perl(List::Util) BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) -BuildRequires: perl(Time::Local) +BuildRequires: perl(POSIX) +BuildRequires: perl(Storable) BuildRequires: perl(Time::HiRes) +BuildRequires: perl(Time::Local) BuildRequires: perl(vars) %if 0%{?fedora} From d31965bf5b22057013b93a03c0e47879956aa329 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 23 May 2023 10:07:28 +0200 Subject: [PATCH 038/120] new upstream release - 8.1.1 Resolves: #2209217 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index fb65da1..defad36 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.1.0 +Version: 8.1.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -408,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue May 23 2023 Jan Macku - 8.1.1-1 +- new upstream release, with small bugfixes and improvements + * Wed May 17 2023 Kamil Dudka - 8.1.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-28321 - IDN wildcard match diff --git a/sources b/sources index f60ca98..83f1628 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.1.0.tar.xz) = b99926f372ddd715cd1d2b54d8fb96b26b085e6501715e25aa57b6c6a7f8452473506ddb284e2f280f8afdb301b7f0c3bfde7ad7ed393b12c022430a9301096d -SHA512 (curl-8.1.0.tar.xz.asc) = 191a74c7a6b6aa78b7f36e1535fda0701bde8b333a61c90343e1f1b2d65cc5097b5febc5fa42b2f373795ef1b34078790deaaa71c8aaa45eed1c753729a45f3d +SHA512 (curl-8.1.1.tar.xz) = d034b1ab9c00e8a0acf7ba6c6344734945d45666b4f38394f5456fcd9b22623146a897270861b7411412ca25c912e1bbf24eb139a6dfc1a8c00d098b3b925399 +SHA512 (curl-8.1.1.tar.xz.asc) = 6a71c18d67de8c340b5d80c7452a82c00f7ef466f690eec12edcd6123aee6866e8a0e757e1cc6c9af87a63fdeaafbc9fc1b1a4e2e0fd8a75b5952d4738fd0b27 From f91221e9d701cc0d8d40261855558d003dbb4024 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 30 May 2023 10:05:35 +0200 Subject: [PATCH 039/120] new upstream release - 8.1.2 Resolves: #2210976 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index defad36..41c8643 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.1.1 +Version: 8.1.2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -408,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue May 30 2023 Jan Macku - 8.1.2-1 +- new upstream release, with small bugfixes and improvements + * Tue May 23 2023 Jan Macku - 8.1.1-1 - new upstream release, with small bugfixes and improvements diff --git a/sources b/sources index 83f1628..f4ba12c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.1.1.tar.xz) = d034b1ab9c00e8a0acf7ba6c6344734945d45666b4f38394f5456fcd9b22623146a897270861b7411412ca25c912e1bbf24eb139a6dfc1a8c00d098b3b925399 -SHA512 (curl-8.1.1.tar.xz.asc) = 6a71c18d67de8c340b5d80c7452a82c00f7ef466f690eec12edcd6123aee6866e8a0e757e1cc6c9af87a63fdeaafbc9fc1b1a4e2e0fd8a75b5952d4738fd0b27 +SHA512 (curl-8.1.2.tar.xz) = 532ab96eba6dea66d272f3be56f5af5c5da922480f9a10e203de98037c311f12f8145ba6bf813831e42815e068874ccfd108f84f7650743f5dbb3ebc3bc9c4f4 +SHA512 (curl-8.1.2.tar.xz.asc) = d120299a2d59259aeb19ae0fa3a3e181e25b6927677187037c61a0901879956177ce8dda10764073a47848f81dcbbcb94e0b6008742994042b6b8fd194e169c3 From 3ce778ed47eec817969b48efed9dda8fd6e58d8b Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 5 Jun 2023 08:29:08 +0200 Subject: [PATCH 040/120] Resolves: CVE-2023-28322 - fix more POST-after-PUT confusion --- 0001-curl-8.0.1-CVE-2023-28322.patch | 437 +++++++++++++++++++++++++++ curl.spec | 8 +- 2 files changed, 444 insertions(+), 1 deletion(-) create mode 100644 0001-curl-8.0.1-CVE-2023-28322.patch diff --git a/0001-curl-8.0.1-CVE-2023-28322.patch b/0001-curl-8.0.1-CVE-2023-28322.patch new file mode 100644 index 0000000..133ef63 --- /dev/null +++ b/0001-curl-8.0.1-CVE-2023-28322.patch @@ -0,0 +1,437 @@ +From 074adec63f0dd7a8f0d823ee503dfb0626061505 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 25 Apr 2023 08:28:01 +0200 +Subject: [PATCH] lib: unify the upload/method handling + +By making sure we set state.upload based on the set.method value and not +independently as set.upload, we reduce confusion and mixup risks, both +internally and externally. + +Closes #11017 + +(cherry picked from commit 7815647d6582c0a4900be2e1de6c5e61272c496b) +Signed-off-by: Jan Macku +--- + lib/curl_rtmp.c | 4 ++-- + lib/file.c | 4 ++-- + lib/ftp.c | 8 ++++---- + lib/http.c | 4 ++-- + lib/imap.c | 6 +++--- + lib/rtsp.c | 4 ++-- + lib/setopt.c | 6 ++---- + lib/smb.c | 6 +++--- + lib/smtp.c | 4 ++-- + lib/tftp.c | 8 ++++---- + lib/transfer.c | 4 ++-- + lib/urldata.h | 2 +- + lib/vssh/libssh.c | 6 +++--- + lib/vssh/libssh2.c | 6 +++--- + lib/vssh/wolfssh.c | 2 +- + 15 files changed, 36 insertions(+), 38 deletions(-) + +diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c +index 2679a2cdc..406fb42ac 100644 +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -231,7 +231,7 @@ static CURLcode rtmp_connect(struct Curl_easy *data, bool *done) + /* We have to know if it's a write before we send the + * connect request packet + */ +- if(data->set.upload) ++ if(data->state.upload) + r->Link.protocol |= RTMP_FEATURE_WRITE; + + /* For plain streams, use the buffer toggle trick to keep data flowing */ +@@ -263,7 +263,7 @@ static CURLcode rtmp_do(struct Curl_easy *data, bool *done) + if(!RTMP_ConnectStream(r, 0)) + return CURLE_FAILED_INIT; + +- if(data->set.upload) { ++ if(data->state.upload) { + Curl_pgrsSetUploadSize(data, data->state.infilesize); + Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET); + } +diff --git a/lib/file.c b/lib/file.c +index 51c5d07ce..c751e8861 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -240,7 +240,7 @@ static CURLcode file_connect(struct Curl_easy *data, bool *done) + file->freepath = real_path; /* free this when done */ + + file->fd = fd; +- if(!data->set.upload && (fd == -1)) { ++ if(!data->state.upload && (fd == -1)) { + failf(data, "Couldn't open file %s", data->state.up.path); + file_done(data, CURLE_FILE_COULDNT_READ_FILE, FALSE); + return CURLE_FILE_COULDNT_READ_FILE; +@@ -422,7 +422,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done) + + Curl_pgrsStartNow(data); + +- if(data->set.upload) ++ if(data->state.upload) + return file_upload(data); + + file = data->req.p.file; +diff --git a/lib/ftp.c b/lib/ftp.c +index caf33d214..0b6e5cd4f 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1350,7 +1350,7 @@ static CURLcode ftp_state_prepare_transfer(struct Curl_easy *data) + data->set.str[STRING_CUSTOMREQUEST]? + data->set.str[STRING_CUSTOMREQUEST]: + (data->state.list_only?"NLST":"LIST")); +- else if(data->set.upload) ++ else if(data->state.upload) + result = Curl_pp_sendf(data, &ftpc->pp, "PRET STOR %s", + conn->proto.ftpc.file); + else +@@ -3386,7 +3386,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status, + /* the response code from the transfer showed an error already so no + use checking further */ + ; +- else if(data->set.upload) { ++ else if(data->state.upload) { + if((-1 != data->state.infilesize) && + (data->state.infilesize != data->req.writebytecount) && + !data->set.crlf && +@@ -3642,7 +3642,7 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep) + connected back to us */ + } + } +- else if(data->set.upload) { ++ else if(data->state.upload) { + result = ftp_nb_type(data, conn, data->state.prefer_ascii, + FTP_STOR_TYPE); + if(result) +@@ -4231,7 +4231,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) + ftpc->file = NULL; /* instead of point to a zero byte, + we make it a NULL pointer */ + +- if(data->set.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { ++ if(data->state.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { + /* We need a file name when uploading. Return error! */ + failf(data, "Uploading to a URL without a file name"); + free(rawPath); +diff --git a/lib/http.c b/lib/http.c +index faa486cc6..400d2b081 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -1960,7 +1960,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn, + Curl_HttpReq httpreq = (Curl_HttpReq)data->state.httpreq; + const char *request; + if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && +- data->set.upload) ++ data->state.upload) + httpreq = HTTPREQ_PUT; + + /* Now set the 'request' pointer to the proper request string */ +@@ -2277,7 +2277,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn, + if((conn->handler->protocol & PROTO_FAMILY_HTTP) && + (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) && + http->postsize < 0) || +- ((data->set.upload || httpreq == HTTPREQ_POST) && ++ ((data->state.upload || httpreq == HTTPREQ_POST) && + data->state.infilesize == -1))) { + if(conn->bits.authneg) + /* don't enable chunked during auth neg */ +diff --git a/lib/imap.c b/lib/imap.c +index c2f675d4b..1952e66a1 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1511,11 +1511,11 @@ static CURLcode imap_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && !imap->custom && +- (imap->uid || imap->mindex || data->set.upload || ++ (imap->uid || imap->mindex || data->state.upload || + data->set.mimepost.kind != MIMEKIND_NONE)) { + /* Handle responses after FETCH or APPEND transfer has finished */ + +- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE) ++ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE) + state(data, IMAP_FETCH_FINAL); + else { + /* End the APPEND command first by sending an empty line */ +@@ -1581,7 +1581,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected, + selected = TRUE; + + /* Start the first command in the DO phase */ +- if(data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE) ++ if(data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE) + /* APPEND can be executed directly */ + result = imap_perform_append(data); + else if(imap->custom && (selected || !imap->mailbox)) +diff --git a/lib/rtsp.c b/lib/rtsp.c +index aef3560a9..6df3706b5 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -495,7 +495,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + rtspreq == RTSPREQ_SET_PARAMETER || + rtspreq == RTSPREQ_GET_PARAMETER) { + +- if(data->set.upload) { ++ if(data->state.upload) { + putsize = data->state.infilesize; + data->state.httpreq = HTTPREQ_PUT; + +@@ -514,7 +514,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + result = + Curl_dyn_addf(&req_buffer, + "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n", +- (data->set.upload ? putsize : postsize)); ++ (data->state.upload ? putsize : postsize)); + if(result) + return result; + } +diff --git a/lib/setopt.c b/lib/setopt.c +index 6bb88791c..2cbaf898a 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -329,8 +329,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + * We want to sent data to the remote host. If this is HTTP, that equals + * using the PUT request. + */ +- data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE; +- if(data->set.upload) { ++ arg = va_arg(param, long); ++ if(arg) { + /* If this is HTTP, PUT is what's needed to "upload" */ + data->set.method = HTTPREQ_PUT; + data->set.opt_no_body = FALSE; /* this is implied */ +@@ -660,7 +660,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; + break; + + #ifndef CURL_DISABLE_MIME +@@ -884,7 +883,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + */ + if(va_arg(param, long)) { + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; /* switch off upload */ + data->set.opt_no_body = FALSE; /* this is implied */ + } + break; +diff --git a/lib/smb.c b/lib/smb.c +index 076200472..2baf764fa 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -530,7 +530,7 @@ static CURLcode smb_send_open(struct Curl_easy *data) + byte_count = strlen(req->path); + msg.name_length = smb_swap16((unsigned short)byte_count); + msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL); +- if(data->set.upload) { ++ if(data->state.upload) { + msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE); + msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF); + } +@@ -762,7 +762,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + void *msg = NULL; + const struct smb_nt_create_response *smb_m; + +- if(data->set.upload && (data->state.infilesize < 0)) { ++ if(data->state.upload && (data->state.infilesize < 0)) { + failf(data, "SMB upload needs to know the size up front"); + return CURLE_SEND_ERROR; + } +@@ -813,7 +813,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + smb_m = (const struct smb_nt_create_response*) msg; + req->fid = smb_swap16(smb_m->fid); + data->req.offset = 0; +- if(data->set.upload) { ++ if(data->state.upload) { + data->req.size = data->state.infilesize; + Curl_pgrsSetUploadSize(data, data->req.size); + next_state = SMB_UPLOAD; +diff --git a/lib/smtp.c b/lib/smtp.c +index 7a030308d..c182cace7 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1419,7 +1419,7 @@ static CURLcode smtp_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && data->set.mail_rcpt && +- (data->set.upload || data->set.mimepost.kind)) { ++ (data->state.upload || data->set.mimepost.kind)) { + /* Calculate the EOB taking into account any terminating CRLF from the + previous line of the email or the CRLF of the DATA command when there + is "no mail data". RFC-5321, sect. 4.1.1.4. +@@ -1511,7 +1511,7 @@ static CURLcode smtp_perform(struct Curl_easy *data, bool *connected, + smtp->eob = 2; + + /* Start the first command in the DO phase */ +- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt) ++ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt) + /* MAIL transfer */ + result = smtp_perform_mail(data); + else +diff --git a/lib/tftp.c b/lib/tftp.c +index 164d3c723..8ed1b887b 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -370,7 +370,7 @@ static CURLcode tftp_parse_option_ack(struct tftp_state_data *state, + + /* tsize should be ignored on upload: Who cares about the size of the + remote file? */ +- if(!data->set.upload) { ++ if(!data->state.upload) { + if(!tsize) { + failf(data, "invalid tsize -:%s:- value in OACK packet", value); + return CURLE_TFTP_ILLEGAL; +@@ -451,7 +451,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + return result; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + /* If we are uploading, send an WRQ */ + setpacketevent(&state->spacket, TFTP_EVENT_WRQ); + state->data->req.upload_fromhere = +@@ -486,7 +486,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + if(!data->set.tftp_no_options) { + char buf[64]; + /* add tsize option */ +- if(data->set.upload && (data->state.infilesize != -1)) ++ if(data->state.upload && (data->state.infilesize != -1)) + msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T, + data->state.infilesize); + else +@@ -540,7 +540,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + break; + + case TFTP_EVENT_OACK: +- if(data->set.upload) { ++ if(data->state.upload) { + result = tftp_connect_for_tx(state, event); + } + else { +diff --git a/lib/transfer.c b/lib/transfer.c +index a28395233..85910455c 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1294,6 +1294,7 @@ void Curl_init_CONNECT(struct Curl_easy *data) + { + data->state.fread_func = data->set.fread_func_set; + data->state.in = data->set.in_set; ++ data->state.upload = (data->state.httpreq == HTTPREQ_PUT); + } + + /* +@@ -1728,7 +1729,6 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->state.httpreq != HTTPREQ_POST_MIME) || + !(data->set.keep_post & CURL_REDIR_POST_303))) { + data->state.httpreq = HTTPREQ_GET; +- data->set.upload = false; + infof(data, "Switch to %s", + data->req.no_body?"HEAD":"GET"); + } +@@ -1766,7 +1766,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url) + + /* if we're talking upload, we can't do the checks below, unless the protocol + is HTTP as when uploading over HTTP we will still get a response */ +- if(data->set.upload && ++ if(data->state.upload && + !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP))) + return CURLE_OK; + +diff --git a/lib/urldata.h b/lib/urldata.h +index 8b54518d2..f3e782ad3 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1446,6 +1446,7 @@ struct UrlState { + BIT(rewindbeforesend);/* TRUE when the sending couldn't be stopped even + though it will be discarded. We must call the data + rewind callback before trying to send again. */ ++ BIT(upload); /* upload request */ + }; + + /* +@@ -1822,7 +1823,6 @@ struct UserDefined { + BIT(http_auto_referer); /* set "correct" referer when following + location: */ + BIT(opt_no_body); /* as set with CURLOPT_NOBODY */ +- BIT(upload); /* upload request */ + BIT(verbose); /* output verbosity */ + BIT(krb); /* Kerberos connection requested */ + BIT(reuse_forbid); /* forbidden to be reused, close after use */ +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index b31f741ba..d60edaa30 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -1209,7 +1209,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(protop->path[strlen(protop->path)-1] == '/') +@@ -1802,7 +1802,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */ + ssh_set_blocking(sshc->ssh_session, 1); + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -1907,7 +1907,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index f1154dc47..f2e5352d1 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -2019,7 +2019,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sshp->path[strlen(sshp->path)-1] == '/') +@@ -2691,7 +2691,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -2831,7 +2831,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c +index 17d59ecd2..2ca91b736 100644 +--- a/lib/vssh/wolfssh.c ++++ b/lib/vssh/wolfssh.c +@@ -557,7 +557,7 @@ static CURLcode wssh_statemach_act(struct Curl_easy *data, bool *block) + } + break; + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/') +-- +2.40.1 + diff --git a/curl.spec b/curl.spec index 3b1e1e5..ae2c45c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# fix more POST-after-PUT confusion (CVE-2023-28322) +Patch1: 0001-curl-8.0.1-CVE-2023-28322.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -407,6 +410,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 05 2023 Jan Macku - 8.0.1-2 +- fix more POST-after-PUT confusion (CVE-2023-28322) + * Wed May 03 2023 Kamil Dudka - 8.0.1-1 - tests: re-enable temporarily disabled test-cases - tests: attempt to fix a conflict on port numbers From 0d582aa92f47ef275b1d103a96ef5c71a3632082 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 5 Jun 2023 08:43:27 +0200 Subject: [PATCH 041/120] Resolves: CVE-2023-28321 - fix IDN wildcard match --- 0002-curl-8.0.1-CVE-2023-28321.patch | 498 +++++++++++++++++++++++++++ curl.spec | 4 + 2 files changed, 502 insertions(+) create mode 100644 0002-curl-8.0.1-CVE-2023-28321.patch diff --git a/0002-curl-8.0.1-CVE-2023-28321.patch b/0002-curl-8.0.1-CVE-2023-28321.patch new file mode 100644 index 0000000..a69fdbd --- /dev/null +++ b/0002-curl-8.0.1-CVE-2023-28321.patch @@ -0,0 +1,498 @@ +From 9cfc8e3107920116ac31ab1fbf6439d38ab2f30e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 24 Apr 2023 21:07:02 +0200 +Subject: [PATCH] hostcheck: fix host name wildcard checking + +The leftmost "label" of the host name can now only match against single +'*'. Like the browsers have worked for a long time. + +- extended unit test 1397 for this +- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc + +Reported-by: Hiroki Kurosawa +Closes #11018 + +(cherry picked from commit 199f2d440d8659b42670c1b796220792b01a97bf) +Signed-off-by: Jan Macku +--- + lib/vtls/hostcheck.c | 50 +++++++-------- + tests/data/test1397 | 10 ++- + tests/unit/Makefile.am | 88 -------------------------- + tests/unit/Makefile.inc | 94 ++++++++++++++++++++++++++++ + tests/unit/unit1397.c | 134 ++++++++++++++++++++++++---------------- + 5 files changed, 202 insertions(+), 174 deletions(-) + +diff --git a/lib/vtls/hostcheck.c b/lib/vtls/hostcheck.c +index e827dc58f..d061c6356 100644 +--- a/lib/vtls/hostcheck.c ++++ b/lib/vtls/hostcheck.c +@@ -71,7 +71,12 @@ static bool pmatch(const char *hostname, size_t hostlen, + * apparent distinction between a name and an IP. We need to detect the use of + * an IP address and not wildcard match on such names. + * ++ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor ++ * "*b". ++ * + * Return TRUE on a match. FALSE if not. ++ * ++ * @unittest: 1397 + */ + + static bool hostmatch(const char *hostname, +@@ -79,53 +84,42 @@ static bool hostmatch(const char *hostname, + const char *pattern, + size_t patternlen) + { +- const char *pattern_label_end, *wildcard, *hostname_label_end; +- size_t prefixlen, suffixlen; ++ const char *pattern_label_end; + +- /* normalize pattern and hostname by stripping off trailing dots */ ++ DEBUGASSERT(pattern); + DEBUGASSERT(patternlen); ++ DEBUGASSERT(hostname); ++ DEBUGASSERT(hostlen); ++ ++ /* normalize pattern and hostname by stripping off trailing dots */ + if(hostname[hostlen-1]=='.') + hostlen--; + if(pattern[patternlen-1]=='.') + patternlen--; + +- wildcard = memchr(pattern, '*', patternlen); +- if(!wildcard) ++ if(strncmp(pattern, "*.", 2)) + return pmatch(hostname, hostlen, pattern, patternlen); + + /* detect IP address as hostname and fail the match if so */ +- if(Curl_host_is_ipnum(hostname)) ++ else if(Curl_host_is_ipnum(hostname)) + return FALSE; + + /* We require at least 2 dots in the pattern to avoid too wide wildcard + match. */ + pattern_label_end = memchr(pattern, '.', patternlen); + if(!pattern_label_end || +- (memrchr(pattern, '.', patternlen) == pattern_label_end) || +- strncasecompare(pattern, "xn--", 4)) ++ (memrchr(pattern, '.', patternlen) == pattern_label_end)) + return pmatch(hostname, hostlen, pattern, patternlen); +- +- hostname_label_end = memchr(hostname, '.', hostlen); +- if(!hostname_label_end) +- return FALSE; + else { +- size_t skiphost = hostname_label_end - hostname; +- size_t skiplen = pattern_label_end - pattern; +- if(!pmatch(hostname_label_end, hostlen - skiphost, +- pattern_label_end, patternlen - skiplen)) +- return FALSE; ++ const char *hostname_label_end = memchr(hostname, '.', hostlen); ++ if(hostname_label_end) { ++ size_t skiphost = hostname_label_end - hostname; ++ size_t skiplen = pattern_label_end - pattern; ++ return pmatch(hostname_label_end, hostlen - skiphost, ++ pattern_label_end, patternlen - skiplen); ++ } + } +- /* The wildcard must match at least one character, so the left-most +- label of the hostname is at least as large as the left-most label +- of the pattern. */ +- if(hostname_label_end - hostname < pattern_label_end - pattern) +- return FALSE; +- +- prefixlen = wildcard - pattern; +- suffixlen = pattern_label_end - (wildcard + 1); +- return strncasecompare(pattern, hostname, prefixlen) && +- strncasecompare(wildcard + 1, hostname_label_end - suffixlen, +- suffixlen) ? TRUE : FALSE; ++ return FALSE; + } + + /* +diff --git a/tests/data/test1397 b/tests/data/test1397 +index 84f962abe..f31b2c2a3 100644 +--- a/tests/data/test1397 ++++ b/tests/data/test1397 +@@ -2,8 +2,7 @@ + + + unittest +-ssl +-wildcard ++Curl_cert_hostcheck + + + +@@ -16,9 +15,8 @@ none + + unittest + +- +-Check wildcard certificate matching function Curl_cert_hostcheck +- ++ ++Curl_cert_hostcheck unit tests ++ + +- + +diff --git a/tests/unit/Makefile.am b/tests/unit/Makefile.am +index 4f64ff596..e7a6aa452 100644 +--- a/tests/unit/Makefile.am ++++ b/tests/unit/Makefile.am +@@ -67,91 +67,3 @@ noinst_PROGRAMS = $(UNITPROGS) + else + noinst_PROGRAMS = + endif +- +-unit1300_SOURCES = unit1300.c $(UNITFILES) +- +-unit1302_SOURCES = unit1302.c $(UNITFILES) +- +-unit1303_SOURCES = unit1303.c $(UNITFILES) +- +-unit1304_SOURCES = unit1304.c $(UNITFILES) +- +-unit1305_SOURCES = unit1305.c $(UNITFILES) +- +-unit1307_SOURCES = unit1307.c $(UNITFILES) +- +-unit1308_SOURCES = unit1308.c $(UNITFILES) +- +-unit1309_SOURCES = unit1309.c $(UNITFILES) +- +-unit1323_SOURCES = unit1323.c $(UNITFILES) +- +-unit1330_SOURCES = unit1330.c $(UNITFILES) +- +-unit1394_SOURCES = unit1394.c $(UNITFILES) +-unit1394_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ +-unit1394_LDFLAGS = $(top_builddir)/src/libcurltool.la +-unit1394_LIBS = +- +-unit1395_SOURCES = unit1395.c $(UNITFILES) +- +-unit1396_SOURCES = unit1396.c $(UNITFILES) +- +-unit1397_SOURCES = unit1397.c $(UNITFILES) +- +-unit1398_SOURCES = unit1398.c $(UNITFILES) +- +-unit1399_SOURCES = unit1399.c $(UNITFILES) +- +-unit1600_SOURCES = unit1600.c $(UNITFILES) +- +-unit1601_SOURCES = unit1601.c $(UNITFILES) +- +-unit1602_SOURCES = unit1602.c $(UNITFILES) +- +-unit1603_SOURCES = unit1603.c $(UNITFILES) +- +-unit1604_SOURCES = unit1604.c $(UNITFILES) +- +-unit1605_SOURCES = unit1605.c $(UNITFILES) +- +-unit1606_SOURCES = unit1606.c $(UNITFILES) +- +-unit1607_SOURCES = unit1607.c $(UNITFILES) +- +-unit1608_SOURCES = unit1608.c $(UNITFILES) +- +-unit1609_SOURCES = unit1609.c $(UNITFILES) +- +-unit1610_SOURCES = unit1610.c $(UNITFILES) +- +-unit1611_SOURCES = unit1611.c $(UNITFILES) +- +-unit1612_SOURCES = unit1612.c $(UNITFILES) +- +-unit1614_SOURCES = unit1614.c $(UNITFILES) +- +-unit1620_SOURCES = unit1620.c $(UNITFILES) +- +-unit1621_SOURCES = unit1621.c $(UNITFILES) +-unit1621_LDADD = $(top_builddir)/src/libcurltool.la $(top_builddir)/lib/libcurl.la @NSS_LIBS@ +- +-unit1650_SOURCES = unit1650.c $(UNITFILES) +- +-unit1651_SOURCES = unit1651.c $(UNITFILES) +- +-unit1652_SOURCES = unit1652.c $(UNITFILES) +- +-unit1653_SOURCES = unit1653.c $(UNITFILES) +- +-unit1654_SOURCES = unit1654.c $(UNITFILES) +- +-unit1655_SOURCES = unit1655.c $(UNITFILES) +- +-unit1660_SOURCES = unit1660.c $(UNITFILES) +- +-unit1661_SOURCES = unit1661.c $(UNITFILES) +- +-unit2600_SOURCES = unit2600.c $(UNITFILES) +- +-unit3200_SOURCES = unit3200.c $(UNITFILES) +diff --git a/tests/unit/Makefile.inc b/tests/unit/Makefile.inc +index 4ab15b5db..20a9963d1 100644 +--- a/tests/unit/Makefile.inc ++++ b/tests/unit/Makefile.inc +@@ -40,3 +40,97 @@ UNITPROGS = unit1300 unit1302 unit1303 unit1304 unit1305 unit1307 \ + unit1660 unit1661 \ + unit2600 \ + unit3200 ++ ++unit1300_SOURCES = unit1300.c $(UNITFILES) ++ ++unit1302_SOURCES = unit1302.c $(UNITFILES) ++ ++unit1303_SOURCES = unit1303.c $(UNITFILES) ++ ++unit1304_SOURCES = unit1304.c $(UNITFILES) ++ ++unit1305_SOURCES = unit1305.c $(UNITFILES) ++ ++unit1307_SOURCES = unit1307.c $(UNITFILES) ++ ++unit1308_SOURCES = unit1308.c $(UNITFILES) ++ ++unit1309_SOURCES = unit1309.c $(UNITFILES) ++ ++unit1323_SOURCES = unit1323.c $(UNITFILES) ++ ++unit1330_SOURCES = unit1330.c $(UNITFILES) ++ ++unit1394_SOURCES = unit1394.c $(UNITFILES) ++unit1394_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ ++unit1394_LDFLAGS = $(top_builddir)/src/libcurltool.la ++unit1394_LIBS = ++ ++unit1395_SOURCES = unit1395.c $(UNITFILES) ++ ++unit1396_SOURCES = unit1396.c $(UNITFILES) ++ ++unit1397_SOURCES = unit1397.c $(UNITFILES) ++ ++unit1398_SOURCES = unit1398.c $(UNITFILES) ++ ++unit1399_SOURCES = unit1399.c $(UNITFILES) ++ ++unit1600_SOURCES = unit1600.c $(UNITFILES) ++ ++unit1601_SOURCES = unit1601.c $(UNITFILES) ++ ++unit1602_SOURCES = unit1602.c $(UNITFILES) ++ ++unit1603_SOURCES = unit1603.c $(UNITFILES) ++ ++unit1604_SOURCES = unit1604.c $(UNITFILES) ++ ++unit1605_SOURCES = unit1605.c $(UNITFILES) ++ ++unit1606_SOURCES = unit1606.c $(UNITFILES) ++ ++unit1607_SOURCES = unit1607.c $(UNITFILES) ++ ++unit1608_SOURCES = unit1608.c $(UNITFILES) ++ ++unit1609_SOURCES = unit1609.c $(UNITFILES) ++ ++unit1610_SOURCES = unit1610.c $(UNITFILES) ++ ++unit1611_SOURCES = unit1611.c $(UNITFILES) ++ ++unit1612_SOURCES = unit1612.c $(UNITFILES) ++ ++unit1614_SOURCES = unit1614.c $(UNITFILES) ++ ++unit1620_SOURCES = unit1620.c $(UNITFILES) ++ ++unit1621_SOURCES = unit1621.c $(UNITFILES) ++unit1621_LDADD = $(top_builddir)/src/libcurltool.la $(top_builddir)/lib/libcurl.la @NSS_LIBS@ ++ ++unit1650_SOURCES = unit1650.c $(UNITFILES) ++ ++unit1651_SOURCES = unit1651.c $(UNITFILES) ++ ++unit1652_SOURCES = unit1652.c $(UNITFILES) ++ ++unit1653_SOURCES = unit1653.c $(UNITFILES) ++ ++unit1654_SOURCES = unit1654.c $(UNITFILES) ++ ++unit1655_SOURCES = unit1655.c $(UNITFILES) ++ ++unit1660_SOURCES = unit1660.c $(UNITFILES) ++ ++unit1661_SOURCES = unit1661.c $(UNITFILES) ++ ++unit2600_SOURCES = unit2600.c $(UNITFILES) ++ ++unit2601_SOURCES = unit2601.c $(UNITFILES) ++ ++unit2602_SOURCES = unit2602.c $(UNITFILES) ++ ++unit2603_SOURCES = unit2603.c $(UNITFILES) ++ ++unit3200_SOURCES = unit3200.c $(UNITFILES) +diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c +index 2f3d3aa4d..3ae75618d 100644 +--- a/tests/unit/unit1397.c ++++ b/tests/unit/unit1397.c +@@ -23,7 +23,6 @@ + ***************************************************************************/ + #include "curlcheck.h" + +-#include "vtls/hostcheck.h" /* from the lib dir */ + + static CURLcode unit_setup(void) + { +@@ -32,63 +31,94 @@ static CURLcode unit_setup(void) + + static void unit_stop(void) + { +- /* done before shutting down and exiting */ + } + +-UNITTEST_START +- + /* only these backends define the tested functions */ +-#if defined(USE_OPENSSL) || defined(USE_GSKIT) +- +- /* here you start doing things and checking that the results are good */ ++#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL) ++#include "vtls/hostcheck.h" ++struct testcase { ++ const char *host; ++ const char *pattern; ++ bool match; ++}; + +-fail_unless(Curl_cert_hostcheck(STRCONST("www.example.com"), +- STRCONST("www.example.com")), "good 1"); +-fail_unless(Curl_cert_hostcheck(STRCONST("*.example.com"), +- STRCONST("www.example.com")), +- "good 2"); +-fail_unless(Curl_cert_hostcheck(STRCONST("xxx*.example.com"), +- STRCONST("xxxwww.example.com")), "good 3"); +-fail_unless(Curl_cert_hostcheck(STRCONST("f*.example.com"), +- STRCONST("foo.example.com")), "good 4"); +-fail_unless(Curl_cert_hostcheck(STRCONST("192.168.0.0"), +- STRCONST("192.168.0.0")), "good 5"); ++static struct testcase tests[] = { ++ {"", "", FALSE}, ++ {"a", "", FALSE}, ++ {"", "b", FALSE}, ++ {"a", "b", FALSE}, ++ {"aa", "bb", FALSE}, ++ {"\xff", "\xff", TRUE}, ++ {"aa.aa.aa", "aa.aa.bb", FALSE}, ++ {"aa.aa.aa", "aa.aa.aa", TRUE}, ++ {"aa.aa.aa", "*.aa.bb", FALSE}, ++ {"aa.aa.aa", "*.aa.aa", TRUE}, ++ {"192.168.0.1", "192.168.0.1", TRUE}, ++ {"192.168.0.1", "*.168.0.1", FALSE}, ++ {"192.168.0.1", "*.0.1", FALSE}, ++ {"h.ello", "*.ello", FALSE}, ++ {"h.ello.", "*.ello", FALSE}, ++ {"h.ello", "*.ello.", FALSE}, ++ {"h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo", " *.e.llo", FALSE}, ++ {" h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo", TRUE}, ++ {"*.e.llo.", "*.e.llo", TRUE}, ++ {"************.e.llo.", "*.e.llo", TRUE}, ++ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ++ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" ++ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" ++ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" ++ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" ++ ".e.llo.", "*.e.llo", TRUE}, ++ {"\xfe\xfe.e.llo.", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo.", TRUE}, ++ {"h.e.llo", "*.e.llo.", TRUE}, ++ {".h.e.llo", "*.e.llo.", FALSE}, ++ {"h.e.llo", "*.*.llo.", FALSE}, ++ {"h.e.llo", "h.*.llo", FALSE}, ++ {"h.e.llo", "h.e.*", FALSE}, ++ {"hello", "*.ello", FALSE}, ++ {"hello", "**llo", FALSE}, ++ {"bar.foo.example.com", "*.example.com", FALSE}, ++ {"foo.example.com", "*.example.com", TRUE}, ++ {"baz.example.net", "b*z.example.net", FALSE}, ++ {"foobaz.example.net", "*baz.example.net", FALSE}, ++ {"xn--l8j.example.local", "x*.example.local", FALSE}, ++ {"xn--l8j.example.net", "*.example.net", TRUE}, ++ {"xn--l8j.example.net", "*j.example.net", FALSE}, ++ {"xn--l8j.example.net", "xn--l8j.example.net", TRUE}, ++ {"xn--l8j.example.net", "xn--l8j.*.net", FALSE}, ++ {"xl8j.example.net", "*.example.net", TRUE}, ++ {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE}, ++ {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE}, ++ {NULL, NULL, FALSE} ++}; + +-fail_if(Curl_cert_hostcheck(STRCONST("xxx.example.com"), +- STRCONST("www.example.com")), "bad 1"); +-fail_if(Curl_cert_hostcheck(STRCONST("*"), +- STRCONST("www.example.com")),"bad 2"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.*.com"), +- STRCONST("www.example.com")), "bad 3"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.example.com"), +- STRCONST("baa.foo.example.com")), "bad 4"); +-fail_if(Curl_cert_hostcheck(STRCONST("f*.example.com"), +- STRCONST("baa.example.com")), "bad 5"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.com"), +- STRCONST("example.com")), "bad 6"); +-fail_if(Curl_cert_hostcheck(STRCONST("*fail.com"), +- STRCONST("example.com")), "bad 7"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.example."), +- STRCONST("www.example.")), "bad 8"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.example."), +- STRCONST("www.example")), "bad 9"); +-fail_if(Curl_cert_hostcheck(STRCONST(""), STRCONST("www")), "bad 10"); +-fail_if(Curl_cert_hostcheck(STRCONST("*"), STRCONST("www")), "bad 11"); +-fail_if(Curl_cert_hostcheck(STRCONST("*.168.0.0"), +- STRCONST("192.168.0.0")), "bad 12"); +-fail_if(Curl_cert_hostcheck(STRCONST("www.example.com"), +- STRCONST("192.168.0.0")), "bad 13"); +- +-#ifdef ENABLE_IPV6 +-fail_if(Curl_cert_hostcheck(STRCONST("*::3285:a9ff:fe46:b619"), +- STRCONST("fe80::3285:a9ff:fe46:b619")), "bad 14"); +-fail_unless(Curl_cert_hostcheck(STRCONST("fe80::3285:a9ff:fe46:b619"), +- STRCONST("fe80::3285:a9ff:fe46:b619")), +- "good 6"); +-#endif ++UNITTEST_START ++{ ++ int i; ++ for(i = 0; tests[i].host; i++) { ++ if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern, ++ strlen(tests[i].pattern), ++ tests[i].host, ++ strlen(tests[i].host))) { ++ fprintf(stderr, ++ "HOST: %s\n" ++ "PTRN: %s\n" ++ "did %sMATCH\n", ++ tests[i].host, ++ tests[i].pattern, ++ tests[i].match ? "NOT ": ""); ++ unitfail++; ++ } ++ } ++} + +-#endif ++UNITTEST_STOP ++#else + +- /* you end the test code like this: */ ++UNITTEST_START + + UNITTEST_STOP ++#endif +-- +2.40.1 + diff --git a/curl.spec b/curl.spec index ae2c45c..b243059 100644 --- a/curl.spec +++ b/curl.spec @@ -13,6 +13,9 @@ Source2: mykey.asc # fix more POST-after-PUT confusion (CVE-2023-28322) Patch1: 0001-curl-8.0.1-CVE-2023-28322.patch +# fix IDN wildcard match (CVE-2023-28321) +Patch2: 0002-curl-8.0.1-CVE-2023-28321.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -412,6 +415,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Mon Jun 05 2023 Jan Macku - 8.0.1-2 - fix more POST-after-PUT confusion (CVE-2023-28322) +- fix IDN wildcard match (CVE-2023-28321) * Wed May 03 2023 Kamil Dudka - 8.0.1-1 - tests: re-enable temporarily disabled test-cases From de1364bf2c55ec7312f6bcc1d79acaaba766bfd9 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 19 Jul 2023 13:44:49 +0200 Subject: [PATCH 042/120] new upstream release - 8.2.0 Resolves: CVE-2023-32001 - fopen race condition --- curl.spec | 6 +++++- sources | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 41c8643..47663c7 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.1.2 +Version: 8.2.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -408,6 +408,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 19 2023 Jan Macku - 8.2.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-32001 - fopen race condition + * Tue May 30 2023 Jan Macku - 8.1.2-1 - new upstream release, with small bugfixes and improvements diff --git a/sources b/sources index f4ba12c..0a72bc7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.1.2.tar.xz) = 532ab96eba6dea66d272f3be56f5af5c5da922480f9a10e203de98037c311f12f8145ba6bf813831e42815e068874ccfd108f84f7650743f5dbb3ebc3bc9c4f4 -SHA512 (curl-8.1.2.tar.xz.asc) = d120299a2d59259aeb19ae0fa3a3e181e25b6927677187037c61a0901879956177ce8dda10764073a47848f81dcbbcb94e0b6008742994042b6b8fd194e169c3 +SHA512 (curl-8.2.0.tar.xz) = 3ba5f393185d28dd9430d3be4fcd293646a5456d2f7467469896561b1577e60e7a3f030955d3cc5ec6ea5c5bfa1dfb9420a1d76e583d23f01d1c74aa291351b5 +SHA512 (curl-8.2.0.tar.xz.asc) = 66005647c54bae098feebac68f2762af2e4463dc7eb8ba4c0db79590a1a7fe581ec3d2bc4fbea39729e42836b62b011a3f7c83c29bd2f00b3ce5cf875b60b187 From 3eba762b345c65d6fb38818e263eea7eb0bad757 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 20 Jul 2023 09:44:10 +0200 Subject: [PATCH 043/120] Resolves: CVE-2023-32001 - fix fopen race condition --- 0003-curl-8.0.1-CVE-2023-32001.patch | 40 ++++++++++++++++++++++++++++ curl.spec | 8 +++++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 0003-curl-8.0.1-CVE-2023-32001.patch diff --git a/0003-curl-8.0.1-CVE-2023-32001.patch b/0003-curl-8.0.1-CVE-2023-32001.patch new file mode 100644 index 0000000..eaa9d8f --- /dev/null +++ b/0003-curl-8.0.1-CVE-2023-32001.patch @@ -0,0 +1,40 @@ +From 98474a7848e20716935f471f4e48610b00fe9dc0 Mon Sep 17 00:00:00 2001 +From: SaltyMilk +Date: Mon, 10 Jul 2023 21:43:28 +0200 +Subject: [PATCH] fopen: optimize + +Closes #11419 + +(cherry picked from commit 0c667188e0c6cda615a036b8a2b4125f2c404dde) +Signed-off-by: Jan Macku +--- + lib/fopen.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index f710dbf05..8c728f2a8 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + int fd = -1; + *tempname = NULL; + +- if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { +- /* a non-regular file, fallback to direct fopen() */ +- *fh = fopen(filename, FOPEN_WRITETEXT); +- if(*fh) +- return CURLE_OK; ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(!*fh) + goto fail; +- } ++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) ++ return CURLE_OK; ++ fclose(*fh); ++ *fh = NULL; + + result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); + if(result) +-- +2.41.0 + diff --git a/curl.spec b/curl.spec index b243059..50001aa 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,6 +16,9 @@ Patch1: 0001-curl-8.0.1-CVE-2023-28322.patch # fix IDN wildcard match (CVE-2023-28321) Patch2: 0002-curl-8.0.1-CVE-2023-28321.patch +# fix fopen race condition (CVE-2023-32001) +Patch3: 0003-curl-8.0.1-CVE-2023-32001.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -413,6 +416,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jul 20 2023 Jan Macku - 8.0.1-3 +- fix fopen race condition (CVE-2023-32001) + * Mon Jun 05 2023 Jan Macku - 8.0.1-2 - fix more POST-after-PUT confusion (CVE-2023-28322) - fix IDN wildcard match (CVE-2023-28321) From b64627ff52a876c0111c0802c4d6519de980b785 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Wed, 26 Jul 2023 12:40:15 +0200 Subject: [PATCH 044/120] new upstream release - 8.2.1 Resolves: rhbz#2226659 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 47663c7..66f9da5 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.2.0 +Version: 8.2.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -408,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 +- new upstream release (rhbz#2226659) + * Wed Jul 19 2023 Jan Macku - 8.2.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-32001 - fopen race condition diff --git a/sources b/sources index 0a72bc7..efbc09c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.2.0.tar.xz) = 3ba5f393185d28dd9430d3be4fcd293646a5456d2f7467469896561b1577e60e7a3f030955d3cc5ec6ea5c5bfa1dfb9420a1d76e583d23f01d1c74aa291351b5 -SHA512 (curl-8.2.0.tar.xz.asc) = 66005647c54bae098feebac68f2762af2e4463dc7eb8ba4c0db79590a1a7fe581ec3d2bc4fbea39729e42836b62b011a3f7c83c29bd2f00b3ce5cf875b60b187 +SHA512 (curl-8.2.1.tar.xz) = 3f78c9330c52d32b166f17829fc2be13418ef925e88f75aacad7f369e7afe00dc4a56566418730dbb845b2b284d721b08f639df322e2e1ef2dfab165c4189094 +SHA512 (curl-8.2.1.tar.xz.asc) = 31ee66a09e7bd14de949ae991c23a0b905d38407b73ae39bae6d01854d8708355c14bc4d0eab3ff931b85986d0236dd34e934eef6061f4b70739137fd0525084 From 76f5788cab9c5fa6e0ab458fbaef16737f102748 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 2 Aug 2023 14:36:11 +0200 Subject: [PATCH 045/120] enable websockets Resolves: #2224651 --- curl.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 66f9da5..2bbafff 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.2.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -268,6 +268,7 @@ export common_configure_opts=" \ --disable-telnet \ --disable-tftp \ --disable-tls-srp \ + --disable-websockets \ --without-brotli \ --without-libpsl \ --without-libssh @@ -293,6 +294,7 @@ export common_configure_opts=" \ --enable-telnet \ --enable-tftp \ --enable-tls-srp \ + --enable-websockets \ --with-brotli \ --with-libpsl \ --with-libssh @@ -408,6 +410,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Aug 02 2023 Jan Macku - 8.2.1-2 +- enable websockets (#2224651) + * Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 - new upstream release (rhbz#2226659) From dd8c36f3ea85421587cc180c0edb7b43525c0284 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 13 Sep 2023 10:33:22 +0200 Subject: [PATCH 046/120] new upstream release - 8.3.0 Resolves: CVE-2023-38039 - HTTP headers eat all memory --- curl.spec | 8 ++++++-- sources | 4 ++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index 2bbafff..5c0854e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.2.1 -Release: 2%{?dist} +Version: 8.3.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -410,6 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 13 2023 Jan Macku - 8.3.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38039 - HTTP headers eat all memory + * Wed Aug 02 2023 Jan Macku - 8.2.1-2 - enable websockets (#2224651) diff --git a/sources b/sources index efbc09c..e2b2e44 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.2.1.tar.xz) = 3f78c9330c52d32b166f17829fc2be13418ef925e88f75aacad7f369e7afe00dc4a56566418730dbb845b2b284d721b08f639df322e2e1ef2dfab165c4189094 -SHA512 (curl-8.2.1.tar.xz.asc) = 31ee66a09e7bd14de949ae991c23a0b905d38407b73ae39bae6d01854d8708355c14bc4d0eab3ff931b85986d0236dd34e934eef6061f4b70739137fd0525084 +SHA512 (curl-8.3.0.tar.xz) = 6404b4c74fe1185cb482631ca3a143996cb7298d0d8a76bfafd7696e7729c00559999a069bdba782dee3f3eb273fb678a4438cb27d3deca54022878cdff83a51 +SHA512 (curl-8.3.0.tar.xz.asc) = b7d45722640ac50181b20a6d663168ec6eec6691c5604ddfe9c7177f07da598cb2de688c631043dc428c311774d781ccd16bd1e2fb4f038be651e3bee383aec4 From 640fb40e90094efde318484bc0e77ddff538caea Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 13 Sep 2023 13:39:44 +0200 Subject: [PATCH 047/120] Resolves: CVE-2023-38039 - fix HTTP headers eat all memory --- 0004-curl-8.0.1-CVE-2023-38039.patch | 201 +++++++++++++++++++++++++++ curl.spec | 8 +- 2 files changed, 208 insertions(+), 1 deletion(-) create mode 100644 0004-curl-8.0.1-CVE-2023-38039.patch diff --git a/0004-curl-8.0.1-CVE-2023-38039.patch b/0004-curl-8.0.1-CVE-2023-38039.patch new file mode 100644 index 0000000..dc63e75 --- /dev/null +++ b/0004-curl-8.0.1-CVE-2023-38039.patch @@ -0,0 +1,201 @@ +From fe13e206a80cee9ffa686ead170980dbdb2cf9e1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 2 Aug 2023 23:34:48 +0200 +Subject: [PATCH] http: return error when receiving too large header set + +To avoid abuse. The limit is set to 300 KB for the accumulated size of +all received HTTP headers for a single response. Incomplete research +suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to +1MB. + +Closes #11582 + +(cherry picked from commit 3ee79c1674fd6f99e8efca52cd7510e08b766770) +Signed-off-by: Jan Macku +--- + lib/c-hyper.c | 12 +++++++----- + lib/http.c | 34 ++++++++++++++++++++++++++++++---- + lib/http.h | 9 +++++++++ + lib/pingpong.c | 4 +++- + lib/urldata.h | 17 ++++++++--------- + 5 files changed, 57 insertions(+), 19 deletions(-) + +diff --git a/lib/c-hyper.c b/lib/c-hyper.c +index 9c7632d35..28f64ef97 100644 +--- a/lib/c-hyper.c ++++ b/lib/c-hyper.c +@@ -174,8 +174,11 @@ static int hyper_each_header(void *userdata, + } + } + +- data->info.header_size += (curl_off_t)len; +- data->req.headerbytecount += (curl_off_t)len; ++ result = Curl_bump_headersize(data, len, FALSE); ++ if(result) { ++ data->state.hresult = result; ++ return HYPER_ITER_BREAK; ++ } + return HYPER_ITER_CONTINUE; + } + +@@ -305,9 +308,8 @@ static CURLcode status_line(struct Curl_easy *data, + if(result) + return result; + } +- data->info.header_size += (curl_off_t)len; +- data->req.headerbytecount += (curl_off_t)len; +- return CURLE_OK; ++ result = Curl_bump_headersize(data, len, FALSE); ++ return result; + } + + /* +diff --git a/lib/http.c b/lib/http.c +index 400d2b081..d8c3e1eda 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -3760,6 +3760,29 @@ static CURLcode verify_header(struct Curl_easy *data) + return CURLE_OK; + } + ++CURLcode Curl_bump_headersize(struct Curl_easy *data, ++ size_t delta, ++ bool connect_only) ++{ ++ size_t bad = 0; ++ if(delta < MAX_HTTP_RESP_HEADER_SIZE) { ++ if(!connect_only) ++ data->req.headerbytecount += (unsigned int)delta; ++ data->info.header_size += (unsigned int)delta; ++ if(data->info.header_size > MAX_HTTP_RESP_HEADER_SIZE) ++ bad = data->info.header_size; ++ } ++ else ++ bad = data->info.header_size + delta; ++ if(bad) { ++ failf(data, "Too large response headers: %zu > %zu", ++ bad, MAX_HTTP_RESP_HEADER_SIZE); ++ return CURLE_RECV_ERROR; ++ } ++ return CURLE_OK; ++} ++ ++ + /* + * Read any HTTP header lines from the server and pass them to the client app. + */ +@@ -4007,8 +4030,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + if(result) + return result; + +- data->info.header_size += (long)headerlen; +- data->req.headerbytecount += (long)headerlen; ++ result = Curl_bump_headersize(data, headerlen, FALSE); ++ if(result) ++ return result; + + /* + * When all the headers have been parsed, see if we should give +@@ -4330,8 +4354,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + if(result) + return result; + +- data->info.header_size += Curl_dyn_len(&data->state.headerb); +- data->req.headerbytecount += Curl_dyn_len(&data->state.headerb); ++ result = Curl_bump_headersize(data, Curl_dyn_len(&data->state.headerb), ++ FALSE); ++ if(result) ++ return result; + + Curl_dyn_reset(&data->state.headerb); + } +diff --git a/lib/http.h b/lib/http.h +index 444abc0be..b29f3b84f 100644 +--- a/lib/http.h ++++ b/lib/http.h +@@ -61,6 +61,10 @@ extern const struct Curl_handler Curl_handler_wss; + #endif /* websockets */ + + ++CURLcode Curl_bump_headersize(struct Curl_easy *data, ++ size_t delta, ++ bool connect_only); ++ + /* Header specific functions */ + bool Curl_compareheader(const char *headerline, /* line to check */ + const char *header, /* header keyword _with_ colon */ +@@ -176,6 +180,11 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data); + #define EXPECT_100_THRESHOLD (1024*1024) + #endif + ++/* MAX_HTTP_RESP_HEADER_SIZE is the maximum size of all response headers ++ combined that libcurl allows for a single HTTP response, any HTTP ++ version. This count includes CONNECT response headers. */ ++#define MAX_HTTP_RESP_HEADER_SIZE (300*1024) ++ + #endif /* CURL_DISABLE_HTTP */ + + #ifdef USE_NGHTTP3 +diff --git a/lib/pingpong.c b/lib/pingpong.c +index 2f4aa1c34..189a0b68e 100644 +--- a/lib/pingpong.c ++++ b/lib/pingpong.c +@@ -341,7 +341,9 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data, + ssize_t clipamount = 0; + bool restart = FALSE; + +- data->req.headerbytecount += (long)gotbytes; ++ result = Curl_bump_headersize(data, gotbytes, FALSE); ++ if(result) ++ return result; + + pp->nread_resp += gotbytes; + for(i = 0; i < gotbytes; ptr++, i++) { +diff --git a/lib/urldata.h b/lib/urldata.h +index f3e782ad3..390c611e2 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -619,17 +619,16 @@ struct SingleRequest { + curl_off_t bytecount; /* total number of bytes read */ + curl_off_t writebytecount; /* number of bytes written */ + +- curl_off_t headerbytecount; /* only count received headers */ +- curl_off_t deductheadercount; /* this amount of bytes doesn't count when we +- check if anything has been transferred at +- the end of a connection. We use this +- counter to make only a 100 reply (without a +- following second response code) result in a +- CURLE_GOT_NOTHING error code */ +- + curl_off_t pendingheader; /* this many bytes left to send is actually + header and not body */ + struct curltime start; /* transfer started at this time */ ++ unsigned int headerbytecount; /* only count received headers */ ++ unsigned int deductheadercount; /* this amount of bytes doesn't count when ++ we check if anything has been transferred ++ at the end of a connection. We use this ++ counter to make only a 100 reply (without ++ a following second response code) result ++ in a CURLE_GOT_NOTHING error code */ + enum { + HEADER_NORMAL, /* no bad header at all */ + HEADER_PARTHEADER, /* part of the chunk is a bad header, the rest +@@ -1076,7 +1075,6 @@ struct PureInfo { + int httpversion; /* the http version number X.Y = X*10+Y */ + time_t filetime; /* If requested, this is might get set. Set to -1 if the + time was unretrievable. */ +- curl_off_t header_size; /* size of read header(s) in bytes */ + curl_off_t request_size; /* the amount of bytes sent in the request(s) */ + unsigned long proxyauthavail; /* what proxy auth types were announced */ + unsigned long httpauthavail; /* what host auth types were announced */ +@@ -1084,6 +1082,7 @@ struct PureInfo { + char *contenttype; /* the content type of the object */ + char *wouldredirect; /* URL this would've been redirected to if asked to */ + curl_off_t retry_after; /* info from Retry-After: header */ ++ unsigned int header_size; /* size of read header(s) in bytes */ + + /* PureInfo members 'conn_primary_ip', 'conn_primary_port', 'conn_local_ip' + and, 'conn_local_port' are copied over from the connectdata struct in +-- +2.41.0 + diff --git a/curl.spec b/curl.spec index 50001aa..730577e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -19,6 +19,9 @@ Patch2: 0002-curl-8.0.1-CVE-2023-28321.patch # fix fopen race condition (CVE-2023-32001) Patch3: 0003-curl-8.0.1-CVE-2023-32001.patch +# fix HTTP headers eat all memory (CVE-2023-38039) +Patch4: 0004-curl-8.0.1-CVE-2023-38039.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -416,6 +419,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 13 2023 Jan Macku - 8.0.1-4 +- fix HTTP headers eat all memory (CVE-2023-38039) + * Thu Jul 20 2023 Jan Macku - 8.0.1-3 - fix fopen race condition (CVE-2023-32001) From 8a97eeb08aa1a9f8bec01a548c4993118c80ab8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Mon, 9 Oct 2023 10:39:43 +0200 Subject: [PATCH 048/120] tests: use newer Fedora URLs for testing ... because F36 URLs are no longer available. --- tests/non-root-user-download/runtest.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 0529a12..4d51e62 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" From 554e13f7988559069134175ddc81017ca579d83e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Mon, 9 Oct 2023 10:39:43 +0200 Subject: [PATCH 049/120] tests: use newer Fedora URLs for testing ... because F36 URLs are no longer available. --- tests/non-root-user-download/runtest.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 0529a12..4d51e62 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" From cb17cbc66ada184c1016dc88d4573a91f9ce3481 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 11 Oct 2023 15:36:19 +0200 Subject: [PATCH 050/120] new upstream release - 8.4.0 Resolves: CVE-2023-38545 - SOCKS5 heap buffer overflow Resolves: CVE-2023-38546 - cookie injection with none file --- curl.spec | 7 ++++++- sources | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 5c0854e..f3a402c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.3.0 +Version: 8.4.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -410,6 +410,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 11 2023 Jan Macku - 8.4.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38545 - SOCKS5 heap buffer overflow + CVE-2023-38546 - cookie injection with none file + * Wed Sep 13 2023 Jan Macku - 8.3.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-38039 - HTTP headers eat all memory diff --git a/sources b/sources index e2b2e44..9205220 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.3.0.tar.xz) = 6404b4c74fe1185cb482631ca3a143996cb7298d0d8a76bfafd7696e7729c00559999a069bdba782dee3f3eb273fb678a4438cb27d3deca54022878cdff83a51 -SHA512 (curl-8.3.0.tar.xz.asc) = b7d45722640ac50181b20a6d663168ec6eec6691c5604ddfe9c7177f07da598cb2de688c631043dc428c311774d781ccd16bd1e2fb4f038be651e3bee383aec4 +SHA512 (curl-8.4.0.tar.xz) = 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b +SHA512 (curl-8.4.0.tar.xz.asc) = b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e From 4db7b87ac44c6b1988f3fe94ba288c8d2ede1fb4 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 12 Oct 2023 09:32:40 +0200 Subject: [PATCH 051/120] Resolves: CVE-2023-38545 - SOCKS5 heap buffer overflow --- 0005-curl-8.0.1-CVE-2023-38545.patch | 135 +++++++++++++++++++++++++++ curl.spec | 16 +++- 2 files changed, 146 insertions(+), 5 deletions(-) create mode 100644 0005-curl-8.0.1-CVE-2023-38545.patch diff --git a/0005-curl-8.0.1-CVE-2023-38545.patch b/0005-curl-8.0.1-CVE-2023-38545.patch new file mode 100644 index 0000000..7b06ee4 --- /dev/null +++ b/0005-curl-8.0.1-CVE-2023-38545.patch @@ -0,0 +1,135 @@ +From fa4aed65588db8e7c7e3d98f6c5bcf394f3a515d Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Wed, 11 Oct 2023 07:34:19 +0200 +Subject: [PATCH 1/2] socks: return error if hostname too long for remote + resolve + +Prior to this change the state machine attempted to change the remote +resolve to a local resolve if the hostname was longer than 255 +characters. Unfortunately that did not work as intended and caused a +security issue. + +Bug: https://curl.se/docs/CVE-2023-38545.html + +(cherry picked from commit fb4415d8aee6c1045be932a34fe6107c2f5ed147) + +Signed-off-by: Jan Macku +--- + lib/socks.c | 8 +++--- + tests/data/Makefile.inc | 2 +- + tests/data/test728 | 64 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 69 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test728 + +diff --git a/lib/socks.c b/lib/socks.c +index 95c2b004c..8cf694d1d 100644 +--- a/lib/socks.c ++++ b/lib/socks.c +@@ -588,9 +588,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, + + /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ + if(!socks5_resolve_local && hostname_len > 255) { +- infof(data, "SOCKS5: server resolving disabled for hostnames of " +- "length > 255 [actual len=%zu]", hostname_len); +- socks5_resolve_local = TRUE; ++ failf(data, "SOCKS5: the destination hostname is too long to be " ++ "resolved remotely by the proxy."); ++ return CURLPX_LONG_HOSTNAME; + } + + if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) +@@ -904,7 +904,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, + } + else { + socksreq[len++] = 3; +- socksreq[len++] = (char) hostname_len; /* one byte address length */ ++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ + memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */ + len += hostname_len; + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 7ed03a247..eb89437ef 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -100,7 +100,7 @@ test679 test680 test681 test682 test683 test684 test685 test686 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 test716 test717 \ +-test718 test719 test720 test721 \ ++test718 test719 test720 test721 test728 \ + \ + test800 test801 test802 test803 test804 test805 test806 test807 test808 \ + test809 test810 test811 test812 test813 test814 test815 test816 test817 \ +diff --git a/tests/data/test728 b/tests/data/test728 +new file mode 100644 +index 000000000..05bcf2883 +--- /dev/null ++++ b/tests/data/test728 +@@ -0,0 +1,64 @@ ++ ++ ++ ++HTTP ++HTTP GET ++SOCKS5 ++SOCKS5h ++followlocation ++ ++ ++ ++# ++# Server-side ++ ++# The hostname in this redirect is 256 characters and too long (> 255) for ++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case. ++ ++HTTP/1.1 301 Moved Permanently ++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ ++Content-Length: 0 ++Connection: close ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++proxy ++ ++ ++http ++socks5 ++ ++ ++SOCKS5h with HTTP redirect to hostname too long ++ ++ ++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++97 ++ ++# the error message is verified because error code CURLE_PROXY (97) may be ++# returned for any number of reasons and we need to make sure it is ++# specifically for the reason below so that we know the check is working. ++ ++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy. ++ ++ ++ +-- +2.41.0 + diff --git a/curl.spec b/curl.spec index 730577e..c39651e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -11,16 +11,19 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc Source2: mykey.asc # fix more POST-after-PUT confusion (CVE-2023-28322) -Patch1: 0001-curl-8.0.1-CVE-2023-28322.patch +Patch1: 0001-curl-8.0.1-CVE-2023-28322.patch # fix IDN wildcard match (CVE-2023-28321) -Patch2: 0002-curl-8.0.1-CVE-2023-28321.patch +Patch2: 0002-curl-8.0.1-CVE-2023-28321.patch # fix fopen race condition (CVE-2023-32001) -Patch3: 0003-curl-8.0.1-CVE-2023-32001.patch +Patch3: 0003-curl-8.0.1-CVE-2023-32001.patch # fix HTTP headers eat all memory (CVE-2023-38039) -Patch4: 0004-curl-8.0.1-CVE-2023-38039.patch +Patch4: 0004-curl-8.0.1-CVE-2023-38039.patch + +# fix SOCKS5 heap buffer overflow (CVE-2023-38545) +Patch5: 0005-curl-8.0.1-CVE-2023-38545.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -419,6 +422,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Oct 12 2023 Jan Macku - 8.0.1-5 +- fix SOCKS5 heap buffer overflow (CVE-2023-38545) + * Wed Sep 13 2023 Jan Macku - 8.0.1-4 - fix HTTP headers eat all memory (CVE-2023-38039) From e1c9c5d6837c89c294893d32bec3ab0bb5254245 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 12 Oct 2023 09:35:11 +0200 Subject: [PATCH 052/120] Resolves: CVE-2023-38546 - cookie injection with none file --- 0006-curl-8.0.1-CVE-2023-38546.patch | 136 +++++++++++++++++++++++++++ curl.spec | 4 + 2 files changed, 140 insertions(+) create mode 100644 0006-curl-8.0.1-CVE-2023-38546.patch diff --git a/0006-curl-8.0.1-CVE-2023-38546.patch b/0006-curl-8.0.1-CVE-2023-38546.patch new file mode 100644 index 0000000..111f0d3 --- /dev/null +++ b/0006-curl-8.0.1-CVE-2023-38546.patch @@ -0,0 +1,136 @@ +From a9a3f49fc87d4b64f380e19d69c139e9fba676f2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 14 Sep 2023 23:28:32 +0200 +Subject: [PATCH 2/2] cookie: remove unnecessary struct fields + +Plus: reduce the hash table size from 256 to 63. It seems unlikely to +make much of a speed difference for most use cases but saves 1.5KB of +data per instance. + +Closes #11862 + +(cherry picked from commit 61275672b46d9abb3285740467b882e22ed75da8) + +Signed-off-by: Jan Macku +--- + lib/cookie.c | 13 +------------ + lib/cookie.h | 14 ++++---------- + lib/easy.c | 4 +--- + 3 files changed, 6 insertions(+), 25 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 0c6e0f7cd..d34620351 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co) + free(co->name); + free(co->value); + free(co->maxage); +- free(co->version); + free(co); + } + +@@ -726,11 +725,7 @@ Curl_cookie_add(struct Curl_easy *data, + } + } + else if((nlen == 7) && strncasecompare("version", namep, 7)) { +- strstore(&co->version, valuep, vlen); +- if(!co->version) { +- badcookie = TRUE; +- break; +- } ++ /* just ignore */ + } + else if((nlen == 7) && strncasecompare("max-age", namep, 7)) { + /* +@@ -1174,7 +1169,6 @@ Curl_cookie_add(struct Curl_easy *data, + free(clist->path); + free(clist->spath); + free(clist->expirestr); +- free(clist->version); + free(clist->maxage); + + *clist = *co; /* then store all the new data */ +@@ -1238,9 +1232,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, + c = calloc(1, sizeof(struct CookieInfo)); + if(!c) + return NULL; /* failed to get memory */ +- c->filename = strdup(file?file:"none"); /* copy the name just in case */ +- if(!c->filename) +- goto fail; /* failed to get memory */ + /* + * Initialize the next_expiration time to signal that we don't have enough + * information yet. +@@ -1394,7 +1385,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) + CLONE(name); + CLONE(value); + CLONE(maxage); +- CLONE(version); + d->expires = src->expires; + d->tailmatch = src->tailmatch; + d->secure = src->secure; +@@ -1611,7 +1601,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) + { + if(c) { + unsigned int i; +- free(c->filename); + for(i = 0; i < COOKIE_HASH_SIZE; i++) + Curl_cookie_freelist(c->cookies[i]); + free(c); /* free the base struct as well */ +diff --git a/lib/cookie.h b/lib/cookie.h +index 39bb08bc4..3a43bbf33 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -36,11 +36,7 @@ struct Cookie { + char *domain; /* domain = */ + curl_off_t expires; /* expires = */ + char *expirestr; /* the plain text version */ +- +- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ +- char *version; /* Version = */ + char *maxage; /* Max-Age = */ +- + bool tailmatch; /* whether we do tail-matching of the domain name */ + bool secure; /* whether the 'secure' keyword was used */ + bool livecookie; /* updated from a server, not a stored file */ +@@ -56,18 +52,16 @@ struct Cookie { + #define COOKIE_PREFIX__SECURE (1<<0) + #define COOKIE_PREFIX__HOST (1<<1) + +-#define COOKIE_HASH_SIZE 256 ++#define COOKIE_HASH_SIZE 63 + + struct CookieInfo { + /* linked list of cookies we know of */ + struct Cookie *cookies[COOKIE_HASH_SIZE]; +- +- char *filename; /* file we read from/write to */ +- long numcookies; /* number of cookies in the "jar" */ ++ curl_off_t next_expiration; /* the next time at which expiration happens */ ++ int numcookies; /* number of cookies in the "jar" */ ++ int lastct; /* last creation-time used in the jar */ + bool running; /* state info, for cookie adding information */ + bool newsession; /* new session, discard session cookies on load */ +- int lastct; /* last creation-time used in the jar */ +- curl_off_t next_expiration; /* the next time at which expiration happens */ + }; + + /* This is the maximum line length we accept for a cookie line. RFC 2109 +diff --git a/lib/easy.c b/lib/easy.c +index 27124a72f..fddf047f2 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -911,9 +911,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + if(data->cookies) { + /* If cookies are enabled in the parent handle, we enable them + in the clone as well! */ +- outcurl->cookies = Curl_cookie_init(data, +- data->cookies->filename, +- outcurl->cookies, ++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, + data->set.cookiesession); + if(!outcurl->cookies) + goto fail; +-- +2.41.0 + diff --git a/curl.spec b/curl.spec index c39651e..fc8fa99 100644 --- a/curl.spec +++ b/curl.spec @@ -25,6 +25,9 @@ Patch4: 0004-curl-8.0.1-CVE-2023-38039.patch # fix SOCKS5 heap buffer overflow (CVE-2023-38545) Patch5: 0005-curl-8.0.1-CVE-2023-38545.patch +# fix cookie injection with none file (CVE-2023-38546) +Patch6: 0006-curl-8.0.1-CVE-2023-38546.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -423,6 +426,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Oct 12 2023 Jan Macku - 8.0.1-5 +- fix cookie injection with none file (CVE-2023-38546) - fix SOCKS5 heap buffer overflow (CVE-2023-38545) * Wed Sep 13 2023 Jan Macku - 8.0.1-4 From 7d149f66f5cb4d9b9af3d383835889f3b7753a15 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 6 Dec 2023 08:50:13 +0100 Subject: [PATCH 053/120] new upstream release - 8.5.0 Resolves: CVE-2023-46218 - cookie mixed case PSL bypass Resolves: CVE-2023-46219 - HSTS long file name clears contents --- ...d-tests-errorcodes.pl-to-the-tarball.patch | 162 ++++++++++++++++++ curl.spec | 10 +- sources | 4 +- 3 files changed, 173 insertions(+), 3 deletions(-) create mode 100644 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch diff --git a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch new file mode 100644 index 0000000..4fd5490 --- /dev/null +++ b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch @@ -0,0 +1,162 @@ +From 8ed817e84e3a24b5902416718cf445009a032ea9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 6 Dec 2023 09:40:30 +0100 +Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball + +Used by test 1477 + +Reported-by: Xi Ruoyao +Follow-up to 0ca3a4ec9a7 +Fixes #12462 +Closes #12463 + +(cherry picked from commit da8c1d15782c8161b455a7ee90197c16ae5edb90) + +also include missing tests/errorcodes.pl + +Signed-off-by: Jan Macku +--- + tests/Makefile.am | 20 ++++----- + tests/errorcodes.pl | 99 +++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 110 insertions(+), 9 deletions(-) + create mode 100755 tests/errorcodes.pl + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 17e9ad049..c6ae7a97a 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html + PDFPAGES = testcurl.pdf runtests.pdf + MANDISTPAGES = runtests.1.dist testcurl.1.dist + +-EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \ +- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \ +- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \ +- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ +- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \ +- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \ +- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \ +- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \ +- valgrind.supp version-scan.pl check-translatable-options.pl ++EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \ ++ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \ ++ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \ ++ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl \ ++ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ ++ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \ ++ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 \ ++ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \ ++ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \ ++ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \ ++ check-translatable-options.pl errorcodes.pl + + DISTCLEANFILES = configurehelp.pm + +diff --git a/tests/errorcodes.pl b/tests/errorcodes.pl +new file mode 100755 +index 000000000..9c8f9e882 +--- /dev/null ++++ b/tests/errorcodes.pl +@@ -0,0 +1,99 @@ ++#!/usr/bin/env perl ++#*************************************************************************** ++# _ _ ____ _ ++# Project ___| | | | _ \| | ++# / __| | | | |_) | | ++# | (__| |_| | _ <| |___ ++# \___|\___/|_| \_\_____| ++# ++# Copyright (C) Daniel Stenberg, , et al. ++# ++# This software is licensed as described in the file COPYING, which ++# you should have received as part of this distribution. The terms ++# are also available at https://curl.se/docs/copyright.html. ++# ++# You may opt to use, copy, modify, merge, publish, distribute and/or sell ++# copies of the Software, and permit persons to whom the Software is ++# furnished to do so, under the terms of the COPYING file. ++# ++# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++# KIND, either express or implied. ++# ++# SPDX-License-Identifier: curl ++# ++########################################################################### ++ ++# Check that libcurl-errors.3 and the public header files have the same set of ++# error codes. ++ ++use strict; ++use warnings; ++ ++# we may get the dir roots pointed out ++my $root=$ARGV[0] || "."; ++my $manpge = "$root/docs/libcurl/libcurl-errors.3"; ++my $curlh = "$root/include/curl"; ++my $errors=0; ++ ++my @hnames; ++my %wherefrom; ++my @mnames; ++my %manfrom; ++ ++sub scanheader { ++ my ($file)=@_; ++ open H, "<$file"; ++ my $line = 0; ++ while() { ++ $line++; ++ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { ++ my ($name)=($1); ++ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) { ++ push @hnames, $name; ++ if($wherefrom{$name}) { ++ print STDERR "double: $name\n"; ++ } ++ $wherefrom{$name}="$file:$line"; ++ } ++ } ++ } ++ close(H); ++} ++ ++sub scanmanpage { ++ my ($file)=@_; ++ open H, "<$file"; ++ my $line = 0; ++ while() { ++ $line++; ++ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { ++ my ($name)=($1); ++ push @mnames, $name; ++ $manfrom{$name}="$file:$line"; ++ } ++ } ++ close(H); ++} ++ ++ ++opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!"; ++my @hfiles = grep { /\.h$/ } readdir($dh); ++closedir $dh; ++ ++for(sort @hfiles) { ++ scanheader("$curlh/$_"); ++} ++scanmanpage($manpge); ++ ++print "Result\n"; ++for my $h (sort @hnames) { ++ if(!$manfrom{$h}) { ++ printf "$h from %s, not in man page\n", $wherefrom{$h}; ++ } ++} ++ ++for my $m (sort @mnames) { ++ if(!$wherefrom{$m}) { ++ printf "$m from %s, not in any header\n", $manfrom{$m}; ++ } ++} +-- +2.43.0 + diff --git a/curl.spec b/curl.spec index f3a402c..fbdebe7 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.4.0 +Version: 8.5.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# add missing test script tests/errorcodes.pl to the tarball +Patch001: 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -410,6 +413,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 06 2023 Jan Macku - 8.5.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-46218 - cookie mixed case PSL bypass + CVE-2023-46219 - HSTS long file name clears contents + * Wed Oct 11 2023 Jan Macku - 8.4.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-38545 - SOCKS5 heap buffer overflow diff --git a/sources b/sources index 9205220..6a14222 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.4.0.tar.xz) = 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b -SHA512 (curl-8.4.0.tar.xz.asc) = b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e +SHA512 (curl-8.5.0.tar.xz) = acffa2cf61d9b8e4188575a1b40227da8d722df2e5fe8bb82a222b4eb2fd64bf8aebd90852ce050c79fb5e517d5cee2546bf7de92ede1dd394263e231cb741a3 +SHA512 (curl-8.5.0.tar.xz.asc) = 9c6a2e61860878cd731d951fac1bb52cd314db20439a5173a95b48da1742737e02bfb9978d65e25de6535f839e281235203599a29f252e78e0d7a83769727329 From eee0c7d606170b4da54b83c8f1e5a96720ba574f Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 6 Dec 2023 16:06:31 +0100 Subject: [PATCH 054/120] Resolves: CVE-2023-46218 - cookie mixed case PSL bypass --- 0007-curl-8.0.1-CVE-2023-46218.patch | 55 ++++++++++++++++++++++++++++ curl.spec | 8 +++- 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 0007-curl-8.0.1-CVE-2023-46218.patch diff --git a/0007-curl-8.0.1-CVE-2023-46218.patch b/0007-curl-8.0.1-CVE-2023-46218.patch new file mode 100644 index 0000000..1494a41 --- /dev/null +++ b/0007-curl-8.0.1-CVE-2023-46218.patch @@ -0,0 +1,55 @@ +From ef4abe34b2b704e2a318063b387b628773b78663 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 23 Nov 2023 08:15:47 +0100 +Subject: [PATCH 1/2] cookie: lowercase the domain names before PSL checks + +Reported-by: Harry Sintonen + +Closes #12387 + +(cherry picked from commit 2b0994c29a721c91c572cff7808c572a24d251eb) + +Signed-off-by: Jan Macku +--- + lib/cookie.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index d34620351..730c3c6f4 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -1044,15 +1044,23 @@ Curl_cookie_add(struct Curl_easy *data, + * dereference it. + */ + if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) { +- const psl_ctx_t *psl = Curl_psl_use(data); +- int acceptable; +- +- if(psl) { +- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain); +- Curl_psl_release(data); ++ bool acceptable = FALSE; ++ char lcase[256]; ++ char lcookie[256]; ++ size_t dlen = strlen(domain); ++ size_t clen = strlen(co->domain); ++ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) { ++ const psl_ctx_t *psl = Curl_psl_use(data); ++ if(psl) { ++ /* the PSL check requires lowercase domain name and pattern */ ++ Curl_strntolower(lcase, domain, dlen + 1); ++ Curl_strntolower(lcookie, co->domain, clen + 1); ++ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie); ++ Curl_psl_release(data); ++ } ++ else ++ acceptable = !bad_domain(domain, strlen(domain)); + } +- else +- acceptable = !bad_domain(domain, strlen(domain)); + + if(!acceptable) { + infof(data, "cookie '%s' dropped, domain '%s' must not " +-- +2.43.0 + diff --git a/curl.spec b/curl.spec index fc8fa99..b2e85a9 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -28,6 +28,9 @@ Patch5: 0005-curl-8.0.1-CVE-2023-38545.patch # fix cookie injection with none file (CVE-2023-38546) Patch6: 0006-curl-8.0.1-CVE-2023-38546.patch +# fix cookie mixed case PSL bypass (CVE-2023-46218) +Patch7: 0007-curl-8.0.1-CVE-2023-46218.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -425,6 +428,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 06 2023 Jan Macku - 8.0.1-6 +- fix cookie mixed case PSL bypass (CVE-2023-46218) + * Thu Oct 12 2023 Jan Macku - 8.0.1-5 - fix cookie injection with none file (CVE-2023-38546) - fix SOCKS5 heap buffer overflow (CVE-2023-38545) From 1f7f31bdbf18acf2829aac71f30fc140d4687ced Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 6 Dec 2023 16:08:39 +0100 Subject: [PATCH 055/120] Resolves: CVE-2023-46219 - HSTS long file name clears contents --- 0008-curl-8.0.1-CVE-2023-46219.patch | 134 +++++++++++++++++++++++++++ curl.spec | 4 + 2 files changed, 138 insertions(+) create mode 100644 0008-curl-8.0.1-CVE-2023-46219.patch diff --git a/0008-curl-8.0.1-CVE-2023-46219.patch b/0008-curl-8.0.1-CVE-2023-46219.patch new file mode 100644 index 0000000..08c4938 --- /dev/null +++ b/0008-curl-8.0.1-CVE-2023-46219.patch @@ -0,0 +1,134 @@ +From 45ed144efd8b194cc7d0acbe00594f730a2ad62d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 23 Nov 2023 08:23:17 +0100 +Subject: [PATCH 2/2] fopen: create short(er) temporary file name + +Only using random letters in the name plus a ".tmp" extension. Not by +appending characters to the final file name. + +Reported-by: Maksymilian Arciemowicz + +Closes #12388 + +(cherry picked from commit 73b65e94f3531179de45c6f3c836a610e3d0a846) + +Signed-off-by: Jan Macku +--- + lib/fopen.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 60 insertions(+), 5 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index 8c728f2a8..7b9d4022e 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -39,6 +39,51 @@ + #include "curl_memory.h" + #include "memdebug.h" + ++/* ++ The dirslash() function breaks a null-terminated pathname string into ++ directory and filename components then returns the directory component up ++ to, *AND INCLUDING*, a final '/'. If there is no directory in the path, ++ this instead returns a "" string. ++ ++ This function returns a pointer to malloc'ed memory. ++ ++ The input path to this function is expected to have a file name part. ++*/ ++ ++#ifdef _WIN32 ++#define PATHSEP "\\" ++#define IS_SEP(x) (((x) == '/') || ((x) == '\\')) ++#elif defined(MSDOS) || defined(__EMX__) || defined(OS2) ++#define PATHSEP "\\" ++#define IS_SEP(x) ((x) == '\\') ++#else ++#define PATHSEP "/" ++#define IS_SEP(x) ((x) == '/') ++#endif ++ ++static char *dirslash(const char *path) ++{ ++ size_t n; ++ struct dynbuf out; ++ DEBUGASSERT(path); ++ Curl_dyn_init(&out, CURL_MAX_INPUT_LENGTH); ++ n = strlen(path); ++ if(n) { ++ /* find the rightmost path separator, if any */ ++ while(n && !IS_SEP(path[n-1])) ++ --n; ++ /* skip over all the path separators, if any */ ++ while(n && IS_SEP(path[n-1])) ++ --n; ++ } ++ if(Curl_dyn_addn(&out, path, n)) ++ return NULL; ++ /* if there was a directory, append a single trailing slash */ ++ if(n && Curl_dyn_addn(&out, PATHSEP, 1)) ++ return NULL; ++ return Curl_dyn_ptr(&out); ++} ++ + /* + * Curl_fopen() opens a file for writing with a temp name, to be renamed + * to the final name when completed. If there is an existing file using this +@@ -50,25 +95,34 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + FILE **fh, char **tempname) + { + CURLcode result = CURLE_WRITE_ERROR; +- unsigned char randsuffix[9]; ++ unsigned char randbuf[41]; + char *tempstore = NULL; + struct_stat sb; + int fd = -1; ++ char *dir; + *tempname = NULL; + ++ dir = dirslash(filename); ++ if(!dir) ++ goto fail; ++ + *fh = fopen(filename, FOPEN_WRITETEXT); + if(!*fh) + goto fail; +- if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) ++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ free(dir); + return CURLE_OK; ++ } + fclose(*fh); + *fh = NULL; + +- result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); ++ result = Curl_rand_hex(data, randbuf, sizeof(randbuf)); + if(result) + goto fail; + +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ /* The temp file name should not end up too long for the target file ++ system */ ++ tempstore = aprintf("%s%s.tmp", dir, randbuf); + if(!tempstore) { + result = CURLE_OUT_OF_MEMORY; + goto fail; +@@ -95,6 +149,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + if(!*fh) + goto fail; + ++ free(dir); + *tempname = tempstore; + return CURLE_OK; + +@@ -105,7 +160,7 @@ fail: + } + + free(tempstore); +- ++ free(dir); + return result; + } + +-- +2.43.0 + diff --git a/curl.spec b/curl.spec index b2e85a9..bb95483 100644 --- a/curl.spec +++ b/curl.spec @@ -31,6 +31,9 @@ Patch6: 0006-curl-8.0.1-CVE-2023-38546.patch # fix cookie mixed case PSL bypass (CVE-2023-46218) Patch7: 0007-curl-8.0.1-CVE-2023-46218.patch +# fix HSTS long file name clears contents (CVE-2023-46219) +Patch8: 0008-curl-8.0.1-CVE-2023-46219.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -429,6 +432,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Dec 06 2023 Jan Macku - 8.0.1-6 +- fix HSTS long file name clears contents (CVE-2023-46219) - fix cookie mixed case PSL bypass (CVE-2023-46218) * Thu Oct 12 2023 Jan Macku - 8.0.1-5 From 3c4671bd88692f6de620dbd6907d23beb921ea7a Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jan 2024 16:32:26 +0000 Subject: [PATCH 056/120] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index fbdebe7..b5e1ef0 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.5.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -413,6 +413,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Wed Dec 06 2023 Jan Macku - 8.5.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-46218 - cookie mixed case PSL bypass From 98780da3f86dec6140fef3b7a408fe17434b0727 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 1 Feb 2024 13:07:37 +0100 Subject: [PATCH 057/120] new upstream release - 8.6.0 Resolves: CVE-2024-0853 - OCSP verification bypass with TLS session reuse --- .gitignore | 1 + ...-curl-8.6.0-remove-duplicate-content.patch | 108 ++++++++++++ ...d-tests-errorcodes.pl-to-the-tarball.patch | 162 ------------------ 0101-curl-7.32.0-multilib.patch | 26 +-- curl.spec | 18 +- sources | 4 +- 6 files changed, 138 insertions(+), 181 deletions(-) create mode 100644 0001-curl-8.6.0-remove-duplicate-content.patch delete mode 100644 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch diff --git a/.gitignore b/.gitignore index c5a82f4..505a7d9 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc +/curl-[0-9].[0-9].[0-9]/ diff --git a/0001-curl-8.6.0-remove-duplicate-content.patch b/0001-curl-8.6.0-remove-duplicate-content.patch new file mode 100644 index 0000000..bbbb7ff --- /dev/null +++ b/0001-curl-8.6.0-remove-duplicate-content.patch @@ -0,0 +1,108 @@ +From 960cf3ceb40cf875b146d4d1065d9267ccb83da1 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 1 Feb 2024 12:56:31 +0100 +Subject: [PATCH 1/2] doc: remove duplicate content from curl-config.1 + +This will be resolved in next release by: +https://github.com/curl/curl/pull/12818 + +see also: https://github.com/curl/curl/issues/12840 + +Signed-off-by: Jan Macku +--- + docs/curl-config.1 | 82 ---------------------------------------------- + 1 file changed, 82 deletions(-) + +diff --git a/docs/curl-config.1 b/docs/curl-config.1 +index 186ba3a..c142cb9 100644 +--- a/docs/curl-config.1 ++++ b/docs/curl-config.1 +@@ -80,85 +80,3 @@ How do I build a single file with a one\-line command? + .fi + .SH SEE ALSO + .BR curl (1) +-.\" generated by cd2nroff 0.1 from curl-config.md +-.TH curl-config 1 "January 26 2024" curl-config +-.SH NAME +-curl\-config \- Get information about a libcurl installation +-.SH SYNOPSIS +-\fBcurl\-config [options]\fP +-.SH DESCRIPTION +-\fBcurl\-config\fP +-displays information about the curl and libcurl installation. +-.SH OPTIONS +-.IP --ca +-Displays the built\-in path to the CA cert bundle this libcurl uses. +-.IP --cc +-Displays the compiler used to build libcurl. +-.IP --cflags +-Set of compiler options (CFLAGS) to use when compiling files that use +-libcurl. Currently that is only the include path to the curl include files. +-.IP "--checkfor [version]" +-Specify the oldest possible libcurl version string you want, and this +-script will return 0 if the current installation is new enough or it +-returns 1 and outputs a text saying that the current version is not new +-enough. (Added in 7.15.4) +-.IP --configure +-Displays the arguments given to configure when building curl. +-.IP --feature +-Lists what particular main features the installed libcurl was built with. At +-the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume +-any particular order. The keywords will be separated by newlines. There may be +-none, one, or several keywords in the list. +-.IP --help +-Displays the available options. +-.IP --libs +-Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl. +-.IP --prefix +-This is the prefix used when libcurl was installed. Libcurl is then installed +-in $prefix/lib and its header files are installed in $prefix/include and so +-on. The prefix is set with "configure \--prefix". +-.IP --protocols +-Lists what particular protocols the installed libcurl was built to support. At +-the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE, +-TELNET, LDAP, DICT and many more. Do not assume any particular order. The +-protocols will be listed using uppercase and are separated by newlines. There +-may be none, one, or several protocols in the list. (Added in 7.13.0) +-.IP --ssl-backends +-Lists the SSL backends that were enabled when libcurl was built. It might be +-no, one or several names. If more than one name, they will appear +-comma\-separated. (Added in 7.58.0) +-.IP --static-libs +-Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl statically. (Added in 7.17.1) +-.IP --version +-Outputs version information about the installed libcurl. +-.IP --vernum +-Outputs version information about the installed libcurl, in numerical mode. +-This shows the version number, in hexadecimal, using 8 bits for each part: +-major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and +-libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be +-omitted. (This option was broken in the 7.15.0 release.) +-.SH EXAMPLES +-What linker options do I need when I link with libcurl? +-.nf +- $ curl-config --libs +-.fi +-What compiler options do I need when I compile using libcurl functions? +-.nf +- $ curl-config --cflags +-.fi +-How do I know if libcurl was built with SSL support? +-.nf +- $ curl-config --feature | grep SSL +-.fi +-What\(aqs the installed libcurl version? +-.nf +- $ curl-config --version +-.fi +-How do I build a single file with a one\-line command? +-.nf +- $ `curl-config --cc --cflags` -o example source.c `curl-config --libs` +-.fi +-.SH SEE ALSO +-.BR curl (1) +-- +2.43.0 + diff --git a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch deleted file mode 100644 index 4fd5490..0000000 --- a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch +++ /dev/null @@ -1,162 +0,0 @@ -From 8ed817e84e3a24b5902416718cf445009a032ea9 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 6 Dec 2023 09:40:30 +0100 -Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball - -Used by test 1477 - -Reported-by: Xi Ruoyao -Follow-up to 0ca3a4ec9a7 -Fixes #12462 -Closes #12463 - -(cherry picked from commit da8c1d15782c8161b455a7ee90197c16ae5edb90) - -also include missing tests/errorcodes.pl - -Signed-off-by: Jan Macku ---- - tests/Makefile.am | 20 ++++----- - tests/errorcodes.pl | 99 +++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 110 insertions(+), 9 deletions(-) - create mode 100755 tests/errorcodes.pl - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 17e9ad049..c6ae7a97a 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html - PDFPAGES = testcurl.pdf runtests.pdf - MANDISTPAGES = runtests.1.dist testcurl.1.dist - --EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \ -- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \ -- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \ -- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ -- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \ -- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \ -- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \ -- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \ -- valgrind.supp version-scan.pl check-translatable-options.pl -+EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \ -+ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \ -+ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \ -+ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl \ -+ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ -+ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \ -+ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 \ -+ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \ -+ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \ -+ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \ -+ check-translatable-options.pl errorcodes.pl - - DISTCLEANFILES = configurehelp.pm - -diff --git a/tests/errorcodes.pl b/tests/errorcodes.pl -new file mode 100755 -index 000000000..9c8f9e882 ---- /dev/null -+++ b/tests/errorcodes.pl -@@ -0,0 +1,99 @@ -+#!/usr/bin/env perl -+#*************************************************************************** -+# _ _ ____ _ -+# Project ___| | | | _ \| | -+# / __| | | | |_) | | -+# | (__| |_| | _ <| |___ -+# \___|\___/|_| \_\_____| -+# -+# Copyright (C) Daniel Stenberg, , et al. -+# -+# This software is licensed as described in the file COPYING, which -+# you should have received as part of this distribution. The terms -+# are also available at https://curl.se/docs/copyright.html. -+# -+# You may opt to use, copy, modify, merge, publish, distribute and/or sell -+# copies of the Software, and permit persons to whom the Software is -+# furnished to do so, under the terms of the COPYING file. -+# -+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+# KIND, either express or implied. -+# -+# SPDX-License-Identifier: curl -+# -+########################################################################### -+ -+# Check that libcurl-errors.3 and the public header files have the same set of -+# error codes. -+ -+use strict; -+use warnings; -+ -+# we may get the dir roots pointed out -+my $root=$ARGV[0] || "."; -+my $manpge = "$root/docs/libcurl/libcurl-errors.3"; -+my $curlh = "$root/include/curl"; -+my $errors=0; -+ -+my @hnames; -+my %wherefrom; -+my @mnames; -+my %manfrom; -+ -+sub scanheader { -+ my ($file)=@_; -+ open H, "<$file"; -+ my $line = 0; -+ while() { -+ $line++; -+ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { -+ my ($name)=($1); -+ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) { -+ push @hnames, $name; -+ if($wherefrom{$name}) { -+ print STDERR "double: $name\n"; -+ } -+ $wherefrom{$name}="$file:$line"; -+ } -+ } -+ } -+ close(H); -+} -+ -+sub scanmanpage { -+ my ($file)=@_; -+ open H, "<$file"; -+ my $line = 0; -+ while() { -+ $line++; -+ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { -+ my ($name)=($1); -+ push @mnames, $name; -+ $manfrom{$name}="$file:$line"; -+ } -+ } -+ close(H); -+} -+ -+ -+opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!"; -+my @hfiles = grep { /\.h$/ } readdir($dh); -+closedir $dh; -+ -+for(sort @hfiles) { -+ scanheader("$curlh/$_"); -+} -+scanmanpage($manpge); -+ -+print "Result\n"; -+for my $h (sort @hnames) { -+ if(!$manfrom{$h}) { -+ printf "$h from %s, not in man page\n", $wherefrom{$h}; -+ } -+} -+ -+for my $m (sort @mnames) { -+ if(!$wherefrom{$m}) { -+ printf "$m from %s, not in any header\n", $manfrom{$m}; -+ } -+} --- -2.43.0 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index b4f8e2a..328d3a4 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 12 Apr 2013 12:04:05 +0200 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +From 84b7e1cf486761e99361f5dcf5879cd7baf51b58 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 1 Feb 2024 13:01:23 +0100 +Subject: [PATCH 2/2] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 150004d..95d0759 100644 +index 54f92d9..15a60da 100644 --- a/curl-config.in +++ b/curl-config.in @@ -78,7 +78,7 @@ while test $# -gt 0; do @@ -60,22 +60,22 @@ index 150004d..95d0759 100644 *) diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 14a9d2b..ffcc004 100644 +index c142cb9..0e189b4 100644 --- a/docs/curl-config.1 +++ b/docs/curl-config.1 -@@ -72,7 +72,9 @@ no, one or several names. If more than one name, they will appear - comma-separated. (Added in 7.58.0) - .IP "--static-libs" +@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they will appear + comma\-separated. (Added in 7.58.0) + .IP --static-libs Shows the complete set of libs and other linker options you will need in order -to link your application with libcurl statically. (Added in 7.17.1) +to link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP "--version" + .IP --version Outputs version information about the installed libcurl. - .IP "--vernum" + .IP --vernum diff --git a/libcurl.pc.in b/libcurl.pc.in -index 2ba9c39..f8f8b00 100644 +index 9db6b0f..dcac692 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -31,6 +31,7 @@ libdir=@libdir@ @@ -87,5 +87,5 @@ index 2ba9c39..f8f8b00 100644 Name: libcurl URL: https://curl.se/ -- -2.26.2 +2.43.0 diff --git a/curl.spec b/curl.spec index b5e1ef0..20848b3 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.5.0 -Release: 2%{?dist} +Version: 8.6.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,8 +10,8 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# add missing test script tests/errorcodes.pl to the tarball -Patch001: 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch +# remove duplicate content from curl-config.1 +Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -371,6 +371,10 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la +# Don't install man for mk-ca-bundle it's upstream bug +# should be fixed in next release https://github.com/curl/curl/pull/12843 +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* + %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal @@ -413,6 +417,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Feb 01 2024 Jan Macku - 8.6.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-0853 - OCSP verification bypass with TLS session reuse +- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix) +- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843) + * Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild diff --git a/sources b/sources index 6a14222..9c9d4a1 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.5.0.tar.xz) = acffa2cf61d9b8e4188575a1b40227da8d722df2e5fe8bb82a222b4eb2fd64bf8aebd90852ce050c79fb5e517d5cee2546bf7de92ede1dd394263e231cb741a3 -SHA512 (curl-8.5.0.tar.xz.asc) = 9c6a2e61860878cd731d951fac1bb52cd314db20439a5173a95b48da1742737e02bfb9978d65e25de6535f839e281235203599a29f252e78e0d7a83769727329 +SHA512 (curl-8.6.0.tar.xz) = 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036 +SHA512 (curl-8.6.0.tar.xz.asc) = 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f From 6730b754a9e6ae98c39a164a3bc1c8df3a50adb7 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Fri, 2 Feb 2024 10:22:12 +0100 Subject: [PATCH 058/120] don't build curl manual feature use man 1 curl instead Resolves: #2262373 --- curl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 20848b3..6e3d932 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -286,7 +286,7 @@ export common_configure_opts=" \ --enable-imap \ --enable-ldap \ --enable-ldaps \ - --enable-manual \ + --disable-manual \ --enable-mqtt \ --enable-ntlm \ --enable-ntlm-wb \ @@ -417,6 +417,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Feb 02 2024 Jan Macku - 8.6.0-2 +- don't build manual for curl-full - use man 1 curl instead (#2262373) + * Thu Feb 01 2024 Jan Macku - 8.6.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-0853 - OCSP verification bypass with TLS session reuse From be5d7739cfcd1964bd0595998e2a2617fdcdbb1e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 2 Feb 2024 12:01:47 +0100 Subject: [PATCH 059/120] deduplicate the --disable-manual configure option No change in behavior intended. Related: #2262373 Closes: https://src.fedoraproject.org/rpms/curl/pull-request/22 --- curl.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 6e3d932..ec08090 100644 --- a/curl.spec +++ b/curl.spec @@ -238,6 +238,7 @@ autoreconf -fiv mkdir build-{full,minimal} export common_configure_opts=" \ --cache-file=../config.cache \ + --disable-manual \ --disable-static \ --enable-hsts \ --enable-ipv6 \ @@ -260,7 +261,6 @@ export common_configure_opts=" \ --disable-imap \ --disable-ldap \ --disable-ldaps \ - --disable-manual \ --disable-mqtt \ --disable-ntlm \ --disable-ntlm-wb \ @@ -286,7 +286,6 @@ export common_configure_opts=" \ --enable-imap \ --enable-ldap \ --enable-ldaps \ - --disable-manual \ --enable-mqtt \ --enable-ntlm \ --enable-ntlm-wb \ From ec3f7ae8ee65d8464b3c1d339b0c5f164cbc1089 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 5 Feb 2024 10:49:10 +0100 Subject: [PATCH 060/120] fix: ignore response body to HEAD requests Discovered/Reported by: @lis in FEDORA-2024-634a6662aa --- ...l-8.6.0-ignore-response-body-to-HEAD.patch | 184 ++++++++++++++++++ curl.spec | 9 +- 2 files changed, 192 insertions(+), 1 deletion(-) create mode 100644 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch diff --git a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch new file mode 100644 index 0000000..4dee602 --- /dev/null +++ b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch @@ -0,0 +1,184 @@ +From e61ea3ba7054afedafe1eb473226e842ac17b8ff Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 1 Feb 2024 13:23:12 +0100 +Subject: [PATCH] sendf: ignore response body to HEAD + +and mark the stream for close, but return OK since the response this far +was ok - if headers were received. Partly because this is what curl has +done traditionally. + +Test 499 verifies. Updates test 689. + +Reported-by: Sergey Bronnikov +Bug: https://curl.se/mail/lib-2024-02/0000.html +Closes #12842 + +(cherry picked from commit b8c003832d730bb2f4b9de4204675ca5d9f7a903) +Signed-off-by: Jan Macku +--- + lib/sendf.c | 3 ++ + tests/data/Makefile.inc | 44 ++++++++++++++-------------- + tests/data/test499 | 65 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test689 | 4 +-- + 4 files changed, 92 insertions(+), 24 deletions(-) + create mode 100644 tests/data/test499 + +diff --git a/lib/sendf.c b/lib/sendf.c +index db3189a29..60ac0742c 100644 +--- a/lib/sendf.c ++++ b/lib/sendf.c +@@ -575,6 +575,9 @@ static CURLcode cw_download_write(struct Curl_easy *data, + DEBUGF(infof(data, "did not want a BODY, but seeing %zu bytes", + nbytes)); + data->req.download_done = TRUE; ++ if(data->info.header_size) ++ /* if headers have been received, this is fine */ ++ return CURLE_OK; + return CURLE_WEIRD_SERVER_REPLY; + } + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index c3d496f64..cd393da75 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -75,28 +75,28 @@ test444 test445 test446 test447 test448 test449 test450 test451 test452 \ + test453 test454 test455 test456 test457 test458 test459 test460 test461 \ + \ + test490 test491 test492 test493 test494 test495 test496 test497 test498 \ +-\ +-test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +-test509 test510 test511 test512 test513 test514 test515 test516 test517 \ +-test518 test519 test520 test521 test522 test523 test524 test525 test526 \ +-test527 test528 test529 test530 test531 test532 test533 test534 test535 \ +- test537 test538 test539 test540 test541 test542 test543 test544 \ +-test545 test546 test547 test548 test549 test550 test551 test552 test553 \ +-test554 test555 test556 test557 test558 test559 test560 test561 test562 \ +-test563 test564 test565 test566 test567 test568 test569 test570 test571 \ +-test572 test573 test574 test575 test576 test577 test578 test579 test580 \ +-test581 test582 test583 test584 test585 test586 test587 test588 test589 \ +-test590 test591 test592 test593 test594 test595 test596 test597 test598 \ +-test599 test600 test601 test602 test603 test604 test605 test606 test607 \ +-test608 test609 test610 test611 test612 test613 test614 test615 test616 \ +-test617 test618 test619 test620 test621 test622 test623 test624 test625 \ +-test626 test627 test628 test629 test630 test631 test632 test633 test634 \ +-test635 test636 test637 test638 test639 test640 test641 test642 test643 \ +-test644 test645 test646 test647 test648 test649 test650 test651 test652 \ +-test653 test654 test655 test656 test658 test659 test660 test661 test662 \ +-test663 test664 test665 test666 test667 test668 test669 test670 test671 \ +-test672 test673 test674 test675 test676 test677 test678 test679 test680 \ +-test681 test682 test683 test684 test685 test686 test687 test688 test689 \ ++test499 test500 test501 test502 test503 test504 test505 test506 test507 \ ++test508 test509 test510 test511 test512 test513 test514 test515 test516 \ ++test517 test518 test519 test520 test521 test522 test523 test524 test525 \ ++test526 test527 test528 test529 test530 test531 test532 test533 test534 \ ++test535 test537 test538 test539 test540 test541 test542 test543 \ ++test544 test545 test546 test547 test548 test549 test550 test551 test552 \ ++test553 test554 test555 test556 test557 test558 test559 test560 test561 \ ++test562 test563 test564 test565 test566 test567 test568 test569 test570 \ ++test571 test572 test573 test574 test575 test576 test577 test578 test579 \ ++test580 test581 test582 test583 test584 test585 test586 test587 test588 \ ++test589 test590 test591 test592 test593 test594 test595 test596 test597 \ ++test598 test599 test600 test601 test602 test603 test604 test605 test606 \ ++test607 test608 test609 test610 test611 test612 test613 test614 test615 \ ++test616 test617 test618 test619 test620 test621 test622 test623 test624 \ ++test625 test626 test627 test628 test629 test630 test631 test632 test633 \ ++test634 test635 test636 test637 test638 test639 test640 test641 test642 \ ++test643 test644 test645 test646 test647 test648 test649 test650 test651 \ ++test652 test653 test654 test655 test656 test658 test659 test660 test661 \ ++test662 test663 test664 test665 test666 test667 test668 test669 test670 \ ++test671 test672 test673 test674 test675 test676 test677 test678 test679 \ ++test680 test681 test682 test683 test684 test685 test686 test687 test688 \ ++test689 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 test716 test717 \ +diff --git a/tests/data/test499 b/tests/data/test499 +new file mode 100644 +index 000000000..d4040b07c +--- /dev/null ++++ b/tests/data/test499 +@@ -0,0 +1,65 @@ ++ ++ ++ ++HTTP ++HTTP GET ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP HEAD to server still sending a body ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -I ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++HEAD /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++ +diff --git a/tests/data/test689 b/tests/data/test689 +index 821556dec..381ae225a 100644 +--- a/tests/data/test689 ++++ b/tests/data/test689 +@@ -44,9 +44,9 @@ User-Agent: test567 + Test-Number: 567 + + +-# 8 == CURLE_WEIRD_SERVER_REPLY ++# 85 == CURLE_RTSP_CSEQ_ERROR + +-8 ++85 + + + +-- +2.43.0 + diff --git a/curl.spec b/curl.spec index ec08090..c75f108 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -13,6 +13,10 @@ Source2: mykey.asc # remove duplicate content from curl-config.1 Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch +# ignore response bode to HEAD requests +# https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa +Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -416,6 +420,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 05 2024 Jan Macku - 8.6.0-3 +- ignore response body to HEAD requests + * Fri Feb 02 2024 Jan Macku - 8.6.0-2 - don't build manual for curl-full - use man 1 curl instead (#2262373) From 8cec2e9cc7c18e48039a2d9dd780b0528afed8cd Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 6 Feb 2024 15:25:02 +0100 Subject: [PATCH 061/120] drop curl-minimal subpackage in favor of curl-full The reason for maintaining two separate packages for curl is no longer valid. The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. Resolves: #2262096 --- curl.spec | 39 ++++++++++++++------------------------- 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/curl.spec b/curl.spec index c75f108..b953ebb 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 3%{?dist} +Release: 4%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -29,6 +29,12 @@ Patch104: 0104-curl-7.88.0-tests-warnings.patch Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ + +# The reason for maintaining two separate packages for curl is no longer valid. +# The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. +# For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 +Obsoletes: curl-minimal < 8.6.0-4 + BuildRequires: automake BuildRequires: brotli-devel BuildRequires: coreutils @@ -118,6 +124,10 @@ BuildRequires: valgrind BuildRequires: stunnel %endif +# Suggest minimal version of libcurl to to keep number of dependencies low +# after dropping curl-minimal. +Suggests: libcurl-minimal + # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} @@ -176,22 +186,6 @@ The libcurl-devel package includes header files and libraries necessary for developing programs which use the libcurl library. It contains the API documentation of the library, too. -%package -n curl-minimal -Summary: Conservatively configured build of curl for minimal installations -Provides: curl = %{version}-%{release} -Conflicts: curl -Suggests: libcurl-minimal -RemovePathPostfixes: .minimal - -# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION -Requires: libcurl%{?_isa} >= %{version}-%{release} - -%description -n curl-minimal -This is a replacement of the 'curl' package for minimal installations. It -comes with a limited set of features compared to the 'curl' package. On the -other hand, the package is smaller and requires fewer run-time dependencies to -be installed. - %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} @@ -351,10 +345,6 @@ for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do mv -v $i $i.minimal done -# install and rename the executable that will be packaged as curl-minimal -%make_install -C build-minimal/src -mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal} - # install libcurl.m4 install -d $RPM_BUILD_ROOT%{_datadir}/aclocal install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal @@ -410,16 +400,15 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_mandir}/man3/* %{_datadir}/aclocal/libcurl.m4 -%files -n curl-minimal -%{_bindir}/curl.minimal -%{_mandir}/man1/curl.1* - %files -n libcurl-minimal %license COPYING %{_libdir}/libcurl.so.4.minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 07 2024 Jan Macku - 8.6.0-4 +- drop curl-minimal subpackage in favor of curl-full (#2262096) + * Mon Feb 05 2024 Jan Macku - 8.6.0-3 - ignore response body to HEAD requests From 31bc86593e0630ced1691d269785a4ba9106efdf Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 12:40:33 +0100 Subject: [PATCH 062/120] curl-full: add Provides to curl-minimal --- curl.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index b953ebb..c50172b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 4%{?dist} +Release: 5%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -27,6 +27,8 @@ Patch102: 0102-curl-7.84.0-test3026.patch Patch104: 0104-curl-7.88.0-tests-warnings.patch Provides: curl-full = %{version}-%{release} +# do not fail when trying to install curl-minimal after drop +Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -406,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 12 2024 Jan Macku - 8.6.0-5 +- add Provides to curl-minimal + * Wed Feb 07 2024 Jan Macku - 8.6.0-4 - drop curl-minimal subpackage in favor of curl-full (#2262096) From 9c77cd7c46571de15a73b7f19f779e9e98151792 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 12:33:29 +0100 Subject: [PATCH 063/120] vtls: revert "receive max buffer" + add test case It breaks the test suite of pycurl --- ...ert-receive-max-buffer-add-test-case.patch | 68 +++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch diff --git a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch new file mode 100644 index 0000000..3e9078c --- /dev/null +++ b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch @@ -0,0 +1,68 @@ +From 0f65eaab19624ca018d7bd5ca404618f9bfe267f Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 1 Feb 2024 18:15:50 +0100 +Subject: [PATCH] vtls: revert "receive max buffer" + add test case + +- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an + Apache resource that does an unclean TLS shutdown. +- revert special workarund in openssl.c for suppressing shutdown errors + on multiplexed connections +- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53 + +Fixes #12885 +Fixes #12844 + +Closes #12848 + +(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84) +Signed-off-by: Jan Macku +--- + lib/vtls/vtls.c | 27 ++++++--------------------- + 1 file changed, 6 insertions(+), 21 deletions(-) + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e928ba5d0..f654a9749 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf, + { + struct cf_call_data save; + ssize_t nread; +- size_t ntotal = 0; + + CF_DATA_SAVE(save, cf, data); + *err = CURLE_OK; +- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */ +- while(!ntotal || (len - ntotal) > (4*1024)) { ++ nread = Curl_ssl->recv_plain(cf, data, buf, len, err); ++ if(nread > 0) { ++ DEBUGASSERT((size_t)nread <= len); ++ } ++ else if(nread == 0) { ++ /* eof */ + *err = CURLE_OK; +- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err); +- if(nread < 0) { +- if(*err == CURLE_AGAIN && ntotal > 0) { +- /* we EAGAINed after having reed data, return the success amount */ +- *err = CURLE_OK; +- break; +- } +- /* we have a an error to report */ +- goto out; +- } +- else if(nread == 0) { +- /* eof */ +- break; +- } +- ntotal += (size_t)nread; +- DEBUGASSERT((size_t)ntotal <= len); + } +- nread = (ssize_t)ntotal; +-out: + CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, + nread, *err); + CF_DATA_RESTORE(cf, save); +-- +2.43.0 + diff --git a/curl.spec b/curl.spec index c50172b..1500065 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 5%{?dist} +Release: 6%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -17,6 +17,10 @@ Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch # https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch +# revert "receive max buffer" + add test case +# it breaks pycurl tests suite +Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -408,6 +412,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 12 2024 Jan Macku - 8.6.0-6 +- revert "receive max buffer" + add test case + * Mon Feb 12 2024 Jan Macku - 8.6.0-5 - add Provides to curl-minimal From 685f0d3645117846f05da367608ee7e6d1e7801a Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 16:01:16 +0100 Subject: [PATCH 064/120] temporarily disable test 0313 ``` test 0313...[CRL test] ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind313 ../src/curl --output log/curl313.out --include --trace-ascii log/trace313 --trace-time --cacert ../../tests/certs/EdelCurlRoot-ca.crt --crlfile ../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 > log/stdout313 2> log/stderr313 CMD (15360): ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind313 ../src/curl --output log/curl313.out --include --trace-ascii log/trace313 --trace-time --cacert ../../tests/certs/EdelCurlRoot-ca.crt --crlfile ../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 > log/stdout313 2> log/stderr313 valgrind ERROR ==89628== 1,795 (248 direct, 1,547 indirect) bytes in 1 blocks are definitely lost in loss record 32 of 32 ==89628== at 0x484280F: malloc (vg_replace_malloc.c:442) ==89628== by 0x4D71B20: CRYPTO_malloc (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4D71BD4: CRYPTO_zalloc (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C67FD3: ??? (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C69B00: ??? (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C69E3F: ASN1_item_d2i_ex (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4D944C0: PEM_ASN1_read_bio (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4DD3C31: X509_load_crl_file (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x48B6D48: UnknownInlinedFun (openssl.c:3284) ==89628== by 0x48B6D48: Curl_ssl_setup_x509_store (openssl.c:3437) ==89628== by 0x48B7445: ossl_bio_cf_in_read (openssl.c:776) ==89628== by 0x4C6DB32: ??? (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C71C16: ??? (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C71DAA: BIO_read (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4B9BE92: ??? (in /usr/lib64/libssl.so.3.2.1) ==89628== by 0x4BA0B4A: ??? (in /usr/lib64/libssl.so.3.2.1) ==89628== by 0x4B9B099: ??? (in /usr/lib64/libssl.so.3.2.1) ==89628== == Contents of files in the log/ dir after test 313 === Start of file commands.log ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind313 ../src/curl --output log/curl313.out --include --trace-ascii log/trace313 --trace-time --cacert ../../tests/certs/EdelCurlRoot-ca.crt --crlfile ../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 > log/stdout313 2> log/stderr313 === End of file commands.log ``` Related: openssl #2263877 a --- curl.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 1500065..6a9e71b 100644 --- a/curl.spec +++ b/curl.spec @@ -213,9 +213,12 @@ be installed. %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 +# temporarily disable test 0313 +# +# # disable test 1801 # -echo "1801" >> tests/data/DISABLED +echo "313\n1801" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -414,6 +417,7 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %changelog * Mon Feb 12 2024 Jan Macku - 8.6.0-6 - revert "receive max buffer" + add test case +- temporarily disable test 0313 * Mon Feb 12 2024 Jan Macku - 8.6.0-5 - add Provides to curl-minimal From cbd939da23a539224dffb7405a83138469eedea3 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 16:20:24 +0100 Subject: [PATCH 065/120] spec: don't suggests libcurl-minimal it might break existing setups, tests, etc. Also fedora documentation about suggests is not right about meaning of Suggests macro. --- curl.spec | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index 6a9e71b..a5ae989 100644 --- a/curl.spec +++ b/curl.spec @@ -130,10 +130,6 @@ BuildRequires: valgrind BuildRequires: stunnel %endif -# Suggest minimal version of libcurl to to keep number of dependencies low -# after dropping curl-minimal. -Suggests: libcurl-minimal - # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} @@ -418,6 +414,7 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* * Mon Feb 12 2024 Jan Macku - 8.6.0-6 - revert "receive max buffer" + add test case - temporarily disable test 0313 +- remove suggests of libcurl-minimal in curl-full * Mon Feb 12 2024 Jan Macku - 8.6.0-5 - add Provides to curl-minimal From cbc7f6603c591c1b16bdab240b4c53cc655655cb Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 17:13:40 +0100 Subject: [PATCH 066/120] spec: use `echo -e` to populate `tests/data/DISABLED` with a newline --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index a5ae989..de93364 100644 --- a/curl.spec +++ b/curl.spec @@ -214,7 +214,7 @@ be installed. # # disable test 1801 # -echo "313\n1801" >> tests/data/DISABLED +echo -e "313\n1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} From e58b8f772bd18d9c4fa5750a6bd9f56745e888f7 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 17:34:59 +0100 Subject: [PATCH 067/120] spec: use `printf` to populate `tests/data/DISABLED` with a newline --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index de93364..33f4fba 100644 --- a/curl.spec +++ b/curl.spec @@ -214,7 +214,7 @@ be installed. # # disable test 1801 # -echo -e "313\n1801\n" >> tests/data/DISABLED +printf "313\n1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} From 5bf3c70332c078de6a3652c86ae9f74379ae077f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Wed, 14 Feb 2024 12:31:44 +0100 Subject: [PATCH 068/120] fix openldap conftest --- 0009-curl-8.0.1-fix-openldap-conftest.patch | 43 +++++++++++++++++++++ curl.spec | 8 +++- 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 0009-curl-8.0.1-fix-openldap-conftest.patch diff --git a/0009-curl-8.0.1-fix-openldap-conftest.patch b/0009-curl-8.0.1-fix-openldap-conftest.patch new file mode 100644 index 0000000..c3e2e17 --- /dev/null +++ b/0009-curl-8.0.1-fix-openldap-conftest.patch @@ -0,0 +1,43 @@ +From 0ac6108856b9d500bc376d1d7e0b648d15499837 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 22 Jun 2023 14:34:49 +0200 +Subject: [PATCH] configure: add check for ldap_init_fd + +... as otherwise the configure script will say it is OpenLDAP in the +summary, but not set the USE_OPENLDAP define, therefor not using the +intended OpenLDAP code paths. + +Regression since 4d7385446 (7.85.0) +Fixes #11372 +Closes #11374 +Reported-by: vlkl-sap on github +--- + configure.ac | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 373e2e0cef6862..696a50505f37ab 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1706,16 +1706,19 @@ if test x$CURL_DISABLE_LDAP != x1 ; then + fi + + if test x$CURL_DISABLE_LDAP != x1 ; then +- AC_CHECK_FUNCS([ldap_url_parse]) ++ AC_CHECK_FUNCS([ldap_url_parse \ ++ ldap_init_fd]) + + if test "$LDAPLIBNAME" = "wldap32"; then + curl_ldap_msg="enabled (winldap)" + AC_DEFINE(USE_WIN32_LDAP, 1, [Use Windows LDAP implementation]) + else +- curl_ldap_msg="enabled (OpenLDAP)" + if test "x$ac_cv_func_ldap_init_fd" = "xyes"; then ++ curl_ldap_msg="enabled (OpenLDAP)" + AC_DEFINE(USE_OPENLDAP, 1, [Use OpenLDAP-specific code]) + AC_SUBST(USE_OPENLDAP, [1]) ++ else ++ curl_ldap_msg="enabled (ancient OpenLDAP)" + fi + fi + fi diff --git a/curl.spec b/curl.spec index bb95483..7224088 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -34,6 +34,9 @@ Patch7: 0007-curl-8.0.1-CVE-2023-46218.patch # fix HSTS long file name clears contents (CVE-2023-46219) Patch8: 0008-curl-8.0.1-CVE-2023-46219.patch +# fix OpenLDAP conftest +Patch9: 0009-curl-8.0.1-fix-openldap-conftest.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -431,6 +434,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 14 2024 Lukáš Zaoral - 8.0.1-7 +- fix openldap conftest + * Wed Dec 06 2023 Jan Macku - 8.0.1-6 - fix HSTS long file name clears contents (CVE-2023-46219) - fix cookie mixed case PSL bypass (CVE-2023-46218) From 9a38bdf948aacf59ec81f0e35ef10f430252f1a6 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 19 Feb 2024 13:23:34 +0100 Subject: [PATCH 069/120] fix: Leftovers after chunking should not be part of the curl buffer output Resolves: #2264220 --- ...fix-the-accounting-of-consumed-bytes.patch | 83 +++++++++++++++++++ curl.spec | 8 +- 2 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch diff --git a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch new file mode 100644 index 0000000..39b2f31 --- /dev/null +++ b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch @@ -0,0 +1,83 @@ +From c7438ccfceee373a75d6d890259cf2e6b5e0e203 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 14 Feb 2024 16:27:23 +0100 +Subject: [PATCH] http_chunks: fix the accounting of consumed bytes + +Prior to this change chunks were handled correctly although in verbose +mode libcurl could incorrectly warn of "Leftovers after chunking" even +if there were none. + +Reported-by: Michael Kaufmann + +Fixes https://github.com/curl/curl/issues/12937 +Closes https://github.com/curl/curl/pull/12939 + +(cherry picked from commit 59e2c78af3a5588d6e6ae6d2223b222f067e054b) +Signed-off-by: Jan Macku +--- + lib/http_chunks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/lib/http_chunks.c b/lib/http_chunks.c +index 039c179c4..ad1ee9ada 100644 +--- a/lib/http_chunks.c ++++ b/lib/http_chunks.c +@@ -152,6 +152,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->hexbuffer[ch->hexindex++] = *buf; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + char *endptr; +@@ -189,6 +190,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_DATA: +@@ -236,6 +238,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER: +@@ -293,6 +296,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER_CR: +@@ -300,6 +304,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->state = CHUNK_TRAILER_POSTCR; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + ch->state = CHUNK_FAILED; +@@ -320,6 +325,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + /* skip if CR */ + buf++; + blen--; ++ (*pconsumed)++; + } + /* now wait for the final LF */ + ch->state = CHUNK_STOP; +@@ -328,6 +334,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + case CHUNK_STOP: + if(*buf == 0x0a) { + blen--; ++ (*pconsumed)++; + /* Record the length of any data left in the end of the buffer + even if there's no more chunks to read */ + ch->datasize = blen; +-- +2.43.2 + diff --git a/curl.spec b/curl.spec index 33f4fba..5118b71 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 6%{?dist} +Release: 7%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -21,6 +21,9 @@ Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch # it breaks pycurl tests suite Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch +# Fix: Leftovers after chunking should not be part of the curl buffer output +Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -411,6 +414,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 19 2024 Jan Macku - 8.6.0-7 +- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) + * Mon Feb 12 2024 Jan Macku - 8.6.0-6 - revert "receive max buffer" + add test case - temporarily disable test 0313 From f9311ae69d7c143fec8f3282907ac95546869cfc Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 27 Mar 2024 09:43:54 +0100 Subject: [PATCH 070/120] new upstream release - 8.7.1 Resolves: CVE-2024-2004 - Usage of disabled protocol Resolves: CVE-2024-2379 - QUIC certificate check bypass with wolfSSL Resolves: CVE-2024-2398 - HTTP/2 push headers memory-leak Resolves: CVE-2024-2466 - TLS certificate check bypass with mbedTLS --- .gitignore | 3 +- ...-curl-8.6.0-remove-duplicate-content.patch | 108 ---------- 0001-curl-8.7.1-fix-compressed-option.patch | 174 +++++++++++++++++ ...l-8.6.0-ignore-response-body-to-HEAD.patch | 184 ------------------ ...-8.7.1-fix-chunked-POST-via-callback.patch | 69 +++++++ ...ert-receive-max-buffer-add-test-case.patch | 68 ------- ...fix-the-accounting-of-consumed-bytes.patch | 83 -------- 0101-curl-7.32.0-multilib.patch | 20 +- curl.spec | 49 ++--- sources | 4 +- 10 files changed, 277 insertions(+), 485 deletions(-) delete mode 100644 0001-curl-8.6.0-remove-duplicate-content.patch create mode 100644 0001-curl-8.7.1-fix-compressed-option.patch delete mode 100644 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch create mode 100644 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch delete mode 100644 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch delete mode 100644 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch diff --git a/.gitignore b/.gitignore index 505a7d9..e91a948 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,4 @@ -/curl-[0-9.]*.tar.lzma -/curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc /curl-[0-9].[0-9].[0-9]/ +/*.src.rpm diff --git a/0001-curl-8.6.0-remove-duplicate-content.patch b/0001-curl-8.6.0-remove-duplicate-content.patch deleted file mode 100644 index bbbb7ff..0000000 --- a/0001-curl-8.6.0-remove-duplicate-content.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 960cf3ceb40cf875b146d4d1065d9267ccb83da1 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Thu, 1 Feb 2024 12:56:31 +0100 -Subject: [PATCH 1/2] doc: remove duplicate content from curl-config.1 - -This will be resolved in next release by: -https://github.com/curl/curl/pull/12818 - -see also: https://github.com/curl/curl/issues/12840 - -Signed-off-by: Jan Macku ---- - docs/curl-config.1 | 82 ---------------------------------------------- - 1 file changed, 82 deletions(-) - -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 186ba3a..c142cb9 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -80,85 +80,3 @@ How do I build a single file with a one\-line command? - .fi - .SH SEE ALSO - .BR curl (1) --.\" generated by cd2nroff 0.1 from curl-config.md --.TH curl-config 1 "January 26 2024" curl-config --.SH NAME --curl\-config \- Get information about a libcurl installation --.SH SYNOPSIS --\fBcurl\-config [options]\fP --.SH DESCRIPTION --\fBcurl\-config\fP --displays information about the curl and libcurl installation. --.SH OPTIONS --.IP --ca --Displays the built\-in path to the CA cert bundle this libcurl uses. --.IP --cc --Displays the compiler used to build libcurl. --.IP --cflags --Set of compiler options (CFLAGS) to use when compiling files that use --libcurl. Currently that is only the include path to the curl include files. --.IP "--checkfor [version]" --Specify the oldest possible libcurl version string you want, and this --script will return 0 if the current installation is new enough or it --returns 1 and outputs a text saying that the current version is not new --enough. (Added in 7.15.4) --.IP --configure --Displays the arguments given to configure when building curl. --.IP --feature --Lists what particular main features the installed libcurl was built with. At --the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume --any particular order. The keywords will be separated by newlines. There may be --none, one, or several keywords in the list. --.IP --help --Displays the available options. --.IP --libs --Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl. --.IP --prefix --This is the prefix used when libcurl was installed. Libcurl is then installed --in $prefix/lib and its header files are installed in $prefix/include and so --on. The prefix is set with "configure \--prefix". --.IP --protocols --Lists what particular protocols the installed libcurl was built to support. At --the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE, --TELNET, LDAP, DICT and many more. Do not assume any particular order. The --protocols will be listed using uppercase and are separated by newlines. There --may be none, one, or several protocols in the list. (Added in 7.13.0) --.IP --ssl-backends --Lists the SSL backends that were enabled when libcurl was built. It might be --no, one or several names. If more than one name, they will appear --comma\-separated. (Added in 7.58.0) --.IP --static-libs --Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) --.IP --version --Outputs version information about the installed libcurl. --.IP --vernum --Outputs version information about the installed libcurl, in numerical mode. --This shows the version number, in hexadecimal, using 8 bits for each part: --major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and --libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be --omitted. (This option was broken in the 7.15.0 release.) --.SH EXAMPLES --What linker options do I need when I link with libcurl? --.nf -- $ curl-config --libs --.fi --What compiler options do I need when I compile using libcurl functions? --.nf -- $ curl-config --cflags --.fi --How do I know if libcurl was built with SSL support? --.nf -- $ curl-config --feature | grep SSL --.fi --What\(aqs the installed libcurl version? --.nf -- $ curl-config --version --.fi --How do I build a single file with a one\-line command? --.nf -- $ `curl-config --cc --cflags` -o example source.c `curl-config --libs` --.fi --.SH SEE ALSO --.BR curl (1) --- -2.43.0 - diff --git a/0001-curl-8.7.1-fix-compressed-option.patch b/0001-curl-8.7.1-fix-compressed-option.patch new file mode 100644 index 0000000..dc2e720 --- /dev/null +++ b/0001-curl-8.7.1-fix-compressed-option.patch @@ -0,0 +1,174 @@ +From 8f1a06a9efe1048c7ad17af43ae7d4b26de8117e Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 28 Mar 2024 11:08:15 +0100 +Subject: [PATCH 1/2] content_encoding: brotli and others, pass through + 0-length writes + +- curl's transfer handling may write 0-length chunks at the end of the + download with an EOS flag. (HTTP/2 does this commonly) + +- content encoders need to pass-through such a write and not count this + as error in case they are finished decoding + +Fixes #13209 +Fixes #13212 +Closes #13219 + +(cherry picked from commit b30d694a027eb771c02a3db0dee0ca03ccab7377) +Signed-off-by: Jan Macku +--- + lib/content_encoding.c | 10 +++++----- + tests/http/test_02_download.py | 13 +++++++++++++ + tests/http/testenv/env.py | 7 ++++++- + tests/http/testenv/httpd.py | 20 ++++++++++++++++++++ + 4 files changed, 44 insertions(+), 6 deletions(-) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index c1abf24e8..8e926dd2e 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -300,7 +300,7 @@ static CURLcode deflate_do_write(struct Curl_easy *data, + struct zlib_writer *zp = (struct zlib_writer *) writer; + z_stream *z = &zp->z; /* zlib state structure */ + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + /* Set the compressed input when this function is called */ +@@ -457,7 +457,7 @@ static CURLcode gzip_do_write(struct Curl_easy *data, + struct zlib_writer *zp = (struct zlib_writer *) writer; + z_stream *z = &zp->z; /* zlib state structure */ + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(zp->zlib_init == ZLIB_INIT_GZIP) { +@@ -669,7 +669,7 @@ static CURLcode brotli_do_write(struct Curl_easy *data, + CURLcode result = CURLE_OK; + BrotliDecoderResult r = BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT; + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(!bp->br) +@@ -762,7 +762,7 @@ static CURLcode zstd_do_write(struct Curl_easy *data, + ZSTD_outBuffer out; + size_t errorCode; + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(!zp->decomp) { +@@ -916,7 +916,7 @@ static CURLcode error_do_write(struct Curl_easy *data, + (void) buf; + (void) nbytes; + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + failf(data, "Unrecognized content encoding type. " +diff --git a/tests/http/test_02_download.py b/tests/http/test_02_download.py +index 4db9c9d36..395fc862f 100644 +--- a/tests/http/test_02_download.py ++++ b/tests/http/test_02_download.py +@@ -394,6 +394,19 @@ class TestDownload: + r = client.run(args=[url]) + r.check_exit_code(0) + ++ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) ++ def test_02_28_get_compressed(self, env: Env, httpd, nghttpx, repeat, proto): ++ if proto == 'h3' and not env.have_h3(): ++ pytest.skip("h3 not supported") ++ count = 1 ++ urln = f'https://{env.authority_for(env.domain1brotli, proto)}/data-100k?[0-{count-1}]' ++ curl = CurlClient(env=env) ++ r = curl.http_download(urls=[urln], alpn_proto=proto, extra_args=[ ++ '--compressed' ++ ]) ++ r.check_exit_code(code=0) ++ r.check_response(count=count, http_status=200) ++ + def check_downloads(self, client, srcfile: str, count: int, + complete: bool = True): + for i in range(count): +diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py +index a207059dc..13c5d6bd4 100644 +--- a/tests/http/testenv/env.py ++++ b/tests/http/testenv/env.py +@@ -129,10 +129,11 @@ class EnvConfig: + self.htdocs_dir = os.path.join(self.gen_dir, 'htdocs') + self.tld = 'http.curl.se' + self.domain1 = f"one.{self.tld}" ++ self.domain1brotli = f"brotli.one.{self.tld}" + self.domain2 = f"two.{self.tld}" + self.proxy_domain = f"proxy.{self.tld}" + self.cert_specs = [ +- CertificateSpec(domains=[self.domain1, 'localhost'], key_type='rsa2048'), ++ CertificateSpec(domains=[self.domain1, self.domain1brotli, 'localhost'], key_type='rsa2048'), + CertificateSpec(domains=[self.domain2], key_type='rsa2048'), + CertificateSpec(domains=[self.proxy_domain, '127.0.0.1'], key_type='rsa2048'), + CertificateSpec(name="clientsX", sub_specs=[ +@@ -376,6 +377,10 @@ class Env: + def domain1(self) -> str: + return self.CONFIG.domain1 + ++ @property ++ def domain1brotli(self) -> str: ++ return self.CONFIG.domain1brotli ++ + @property + def domain2(self) -> str: + return self.CONFIG.domain2 +diff --git a/tests/http/testenv/httpd.py b/tests/http/testenv/httpd.py +index c04c22699..b8615875a 100644 +--- a/tests/http/testenv/httpd.py ++++ b/tests/http/testenv/httpd.py +@@ -50,6 +50,7 @@ class Httpd: + 'alias', 'env', 'filter', 'headers', 'mime', 'setenvif', + 'socache_shmcb', + 'rewrite', 'http2', 'ssl', 'proxy', 'proxy_http', 'proxy_connect', ++ 'brotli', + 'mpm_event', + ] + COMMON_MODULES_DIRS = [ +@@ -203,6 +204,7 @@ class Httpd: + + def _write_config(self): + domain1 = self.env.domain1 ++ domain1brotli = self.env.domain1brotli + creds1 = self.env.get_credentials(domain1) + domain2 = self.env.domain2 + creds2 = self.env.get_credentials(domain2) +@@ -285,6 +287,24 @@ class Httpd: + f'', + f'', + ]) ++ # Alternate to domain1 with BROTLI compression ++ conf.extend([ # https host for domain1, h1 + h2 ++ f'', ++ f' ServerName {domain1brotli}', ++ f' Protocols h2 http/1.1', ++ f' SSLEngine on', ++ f' SSLCertificateFile {creds1.cert_file}', ++ f' SSLCertificateKeyFile {creds1.pkey_file}', ++ f' DocumentRoot "{self._docs_dir}"', ++ f' SetOutputFilter BROTLI_COMPRESS', ++ ]) ++ conf.extend(self._curltest_conf(domain1)) ++ if domain1 in self._extra_configs: ++ conf.extend(self._extra_configs[domain1]) ++ conf.extend([ ++ f'', ++ f'', ++ ]) + conf.extend([ # https host for domain2, no h2 + f'', + f' ServerName {domain2}', +-- +2.44.0 + diff --git a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch deleted file mode 100644 index 4dee602..0000000 --- a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch +++ /dev/null @@ -1,184 +0,0 @@ -From e61ea3ba7054afedafe1eb473226e842ac17b8ff Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 1 Feb 2024 13:23:12 +0100 -Subject: [PATCH] sendf: ignore response body to HEAD - -and mark the stream for close, but return OK since the response this far -was ok - if headers were received. Partly because this is what curl has -done traditionally. - -Test 499 verifies. Updates test 689. - -Reported-by: Sergey Bronnikov -Bug: https://curl.se/mail/lib-2024-02/0000.html -Closes #12842 - -(cherry picked from commit b8c003832d730bb2f4b9de4204675ca5d9f7a903) -Signed-off-by: Jan Macku ---- - lib/sendf.c | 3 ++ - tests/data/Makefile.inc | 44 ++++++++++++++-------------- - tests/data/test499 | 65 +++++++++++++++++++++++++++++++++++++++++ - tests/data/test689 | 4 +-- - 4 files changed, 92 insertions(+), 24 deletions(-) - create mode 100644 tests/data/test499 - -diff --git a/lib/sendf.c b/lib/sendf.c -index db3189a29..60ac0742c 100644 ---- a/lib/sendf.c -+++ b/lib/sendf.c -@@ -575,6 +575,9 @@ static CURLcode cw_download_write(struct Curl_easy *data, - DEBUGF(infof(data, "did not want a BODY, but seeing %zu bytes", - nbytes)); - data->req.download_done = TRUE; -+ if(data->info.header_size) -+ /* if headers have been received, this is fine */ -+ return CURLE_OK; - return CURLE_WEIRD_SERVER_REPLY; - } - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index c3d496f64..cd393da75 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -75,28 +75,28 @@ test444 test445 test446 test447 test448 test449 test450 test451 test452 \ - test453 test454 test455 test456 test457 test458 test459 test460 test461 \ - \ - test490 test491 test492 test493 test494 test495 test496 test497 test498 \ --\ --test500 test501 test502 test503 test504 test505 test506 test507 test508 \ --test509 test510 test511 test512 test513 test514 test515 test516 test517 \ --test518 test519 test520 test521 test522 test523 test524 test525 test526 \ --test527 test528 test529 test530 test531 test532 test533 test534 test535 \ -- test537 test538 test539 test540 test541 test542 test543 test544 \ --test545 test546 test547 test548 test549 test550 test551 test552 test553 \ --test554 test555 test556 test557 test558 test559 test560 test561 test562 \ --test563 test564 test565 test566 test567 test568 test569 test570 test571 \ --test572 test573 test574 test575 test576 test577 test578 test579 test580 \ --test581 test582 test583 test584 test585 test586 test587 test588 test589 \ --test590 test591 test592 test593 test594 test595 test596 test597 test598 \ --test599 test600 test601 test602 test603 test604 test605 test606 test607 \ --test608 test609 test610 test611 test612 test613 test614 test615 test616 \ --test617 test618 test619 test620 test621 test622 test623 test624 test625 \ --test626 test627 test628 test629 test630 test631 test632 test633 test634 \ --test635 test636 test637 test638 test639 test640 test641 test642 test643 \ --test644 test645 test646 test647 test648 test649 test650 test651 test652 \ --test653 test654 test655 test656 test658 test659 test660 test661 test662 \ --test663 test664 test665 test666 test667 test668 test669 test670 test671 \ --test672 test673 test674 test675 test676 test677 test678 test679 test680 \ --test681 test682 test683 test684 test685 test686 test687 test688 test689 \ -+test499 test500 test501 test502 test503 test504 test505 test506 test507 \ -+test508 test509 test510 test511 test512 test513 test514 test515 test516 \ -+test517 test518 test519 test520 test521 test522 test523 test524 test525 \ -+test526 test527 test528 test529 test530 test531 test532 test533 test534 \ -+test535 test537 test538 test539 test540 test541 test542 test543 \ -+test544 test545 test546 test547 test548 test549 test550 test551 test552 \ -+test553 test554 test555 test556 test557 test558 test559 test560 test561 \ -+test562 test563 test564 test565 test566 test567 test568 test569 test570 \ -+test571 test572 test573 test574 test575 test576 test577 test578 test579 \ -+test580 test581 test582 test583 test584 test585 test586 test587 test588 \ -+test589 test590 test591 test592 test593 test594 test595 test596 test597 \ -+test598 test599 test600 test601 test602 test603 test604 test605 test606 \ -+test607 test608 test609 test610 test611 test612 test613 test614 test615 \ -+test616 test617 test618 test619 test620 test621 test622 test623 test624 \ -+test625 test626 test627 test628 test629 test630 test631 test632 test633 \ -+test634 test635 test636 test637 test638 test639 test640 test641 test642 \ -+test643 test644 test645 test646 test647 test648 test649 test650 test651 \ -+test652 test653 test654 test655 test656 test658 test659 test660 test661 \ -+test662 test663 test664 test665 test666 test667 test668 test669 test670 \ -+test671 test672 test673 test674 test675 test676 test677 test678 test679 \ -+test680 test681 test682 test683 test684 test685 test686 test687 test688 \ -+test689 \ - \ - test700 test701 test702 test703 test704 test705 test706 test707 test708 \ - test709 test710 test711 test712 test713 test714 test715 test716 test717 \ -diff --git a/tests/data/test499 b/tests/data/test499 -new file mode 100644 -index 000000000..d4040b07c ---- /dev/null -+++ b/tests/data/test499 -@@ -0,0 +1,65 @@ -+ -+ -+ -+HTTP -+HTTP GET -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+-foo- -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+HTTP HEAD to server still sending a body -+ -+ -+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -I -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+HEAD /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+ -+ -+ -+ -diff --git a/tests/data/test689 b/tests/data/test689 -index 821556dec..381ae225a 100644 ---- a/tests/data/test689 -+++ b/tests/data/test689 -@@ -44,9 +44,9 @@ User-Agent: test567 - Test-Number: 567 - - --# 8 == CURLE_WEIRD_SERVER_REPLY -+# 85 == CURLE_RTSP_CSEQ_ERROR - --8 -+85 - - - --- -2.43.0 - diff --git a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch new file mode 100644 index 0000000..5421984 --- /dev/null +++ b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch @@ -0,0 +1,69 @@ +From 2c20a15717bd408ce225dd8707c1798136f084f5 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Mon, 1 Apr 2024 15:41:18 +0200 +Subject: [PATCH 2/2] http: with chunked POST forced, disable length check on + read callback + +- when an application forces HTTP/1.1 chunked transfer encoding + by setting the corresponding header and instructs curl to use + the CURLOPT_READFUNCTION, disregard any POST length information. +- this establishes backward compatibility with previous curl versions + +Applications are encouraged to not force "chunked", but rather +set length information for a POST. By setting -1, curl will +auto-select chunked on HTTP/1.1 and work properly on other HTTP +versions. + +Reported-by: Jeff King +Fixes #13229 +Closes #13257 + +(cherry picked from commit 721941aadf4adf4f6aeb3f4c0ab489bb89610c36) +Signed-off-by: Jan Macku +--- + lib/http.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 92c04e69c..a764d3c44 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2046,8 +2046,19 @@ static CURLcode set_reader(struct Curl_easy *data, Curl_HttpReq httpreq) + else + result = Curl_creader_set_null(data); + } +- else { /* we read the bytes from the callback */ +- result = Curl_creader_set_fread(data, postsize); ++ else { ++ /* we read the bytes from the callback. In case "chunked" encoding ++ * is forced by the application, we disregard `postsize`. This is ++ * a backward compatibility decision to earlier versions where ++ * chunking disregarded this. See issue #13229. */ ++ bool chunked = FALSE; ++ char *ptr = Curl_checkheaders(data, STRCONST("Transfer-Encoding")); ++ if(ptr) { ++ /* Some kind of TE is requested, check if 'chunked' is chosen */ ++ chunked = Curl_compareheader(ptr, STRCONST("Transfer-Encoding:"), ++ STRCONST("chunked")); ++ } ++ result = Curl_creader_set_fread(data, chunked? -1 : postsize); + } + return result; + +@@ -2115,6 +2126,13 @@ CURLcode Curl_http_req_set_reader(struct Curl_easy *data, + data->req.upload_chunky = + Curl_compareheader(ptr, + STRCONST("Transfer-Encoding:"), STRCONST("chunked")); ++ if(data->req.upload_chunky && ++ Curl_use_http_1_1plus(data, data->conn) && ++ (data->conn->httpversion >= 20)) { ++ infof(data, "suppressing chunked transfer encoding on connection " ++ "using HTTP version 2 or higher"); ++ data->req.upload_chunky = FALSE; ++ } + } + else { + curl_off_t req_clen = Curl_creader_total_length(data); +-- +2.44.0 + diff --git a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch deleted file mode 100644 index 3e9078c..0000000 --- a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 0f65eaab19624ca018d7bd5ca404618f9bfe267f Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 1 Feb 2024 18:15:50 +0100 -Subject: [PATCH] vtls: revert "receive max buffer" + add test case - -- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an - Apache resource that does an unclean TLS shutdown. -- revert special workarund in openssl.c for suppressing shutdown errors - on multiplexed connections -- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53 - -Fixes #12885 -Fixes #12844 - -Closes #12848 - -(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84) -Signed-off-by: Jan Macku ---- - lib/vtls/vtls.c | 27 ++++++--------------------- - 1 file changed, 6 insertions(+), 21 deletions(-) - -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index e928ba5d0..f654a9749 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf, - { - struct cf_call_data save; - ssize_t nread; -- size_t ntotal = 0; - - CF_DATA_SAVE(save, cf, data); - *err = CURLE_OK; -- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */ -- while(!ntotal || (len - ntotal) > (4*1024)) { -+ nread = Curl_ssl->recv_plain(cf, data, buf, len, err); -+ if(nread > 0) { -+ DEBUGASSERT((size_t)nread <= len); -+ } -+ else if(nread == 0) { -+ /* eof */ - *err = CURLE_OK; -- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err); -- if(nread < 0) { -- if(*err == CURLE_AGAIN && ntotal > 0) { -- /* we EAGAINed after having reed data, return the success amount */ -- *err = CURLE_OK; -- break; -- } -- /* we have a an error to report */ -- goto out; -- } -- else if(nread == 0) { -- /* eof */ -- break; -- } -- ntotal += (size_t)nread; -- DEBUGASSERT((size_t)ntotal <= len); - } -- nread = (ssize_t)ntotal; --out: - CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, - nread, *err); - CF_DATA_RESTORE(cf, save); --- -2.43.0 - diff --git a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch deleted file mode 100644 index 39b2f31..0000000 --- a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch +++ /dev/null @@ -1,83 +0,0 @@ -From c7438ccfceee373a75d6d890259cf2e6b5e0e203 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 14 Feb 2024 16:27:23 +0100 -Subject: [PATCH] http_chunks: fix the accounting of consumed bytes - -Prior to this change chunks were handled correctly although in verbose -mode libcurl could incorrectly warn of "Leftovers after chunking" even -if there were none. - -Reported-by: Michael Kaufmann - -Fixes https://github.com/curl/curl/issues/12937 -Closes https://github.com/curl/curl/pull/12939 - -(cherry picked from commit 59e2c78af3a5588d6e6ae6d2223b222f067e054b) -Signed-off-by: Jan Macku ---- - lib/http_chunks.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/lib/http_chunks.c b/lib/http_chunks.c -index 039c179c4..ad1ee9ada 100644 ---- a/lib/http_chunks.c -+++ b/lib/http_chunks.c -@@ -152,6 +152,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - ch->hexbuffer[ch->hexindex++] = *buf; - buf++; - blen--; -+ (*pconsumed)++; - } - else { - char *endptr; -@@ -189,6 +190,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_DATA: -@@ -236,6 +238,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - } - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_TRAILER: -@@ -293,6 +296,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - } - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_TRAILER_CR: -@@ -300,6 +304,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - ch->state = CHUNK_TRAILER_POSTCR; - buf++; - blen--; -+ (*pconsumed)++; - } - else { - ch->state = CHUNK_FAILED; -@@ -320,6 +325,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - /* skip if CR */ - buf++; - blen--; -+ (*pconsumed)++; - } - /* now wait for the final LF */ - ch->state = CHUNK_STOP; -@@ -328,6 +334,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - case CHUNK_STOP: - if(*buf == 0x0a) { - blen--; -+ (*pconsumed)++; - /* Record the length of any data left in the end of the buffer - even if there's no more chunks to read */ - ch->datasize = blen; --- -2.43.2 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 328d3a4..2edb7c8 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From 84b7e1cf486761e99361f5dcf5879cd7baf51b58 Mon Sep 17 00:00:00 2001 +From dcc0efa441abace568e00bf930889da78356d041 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Thu, 1 Feb 2024 13:01:23 +0100 -Subject: [PATCH 2/2] prevent multilib conflicts on the curl-config script +Date: Wed, 27 Mar 2024 10:16:03 +0100 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -60,15 +60,15 @@ index 54f92d9..15a60da 100644 *) diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index c142cb9..0e189b4 100644 +index 2d5617c..0d90aaa 100644 --- a/docs/curl-config.1 +++ b/docs/curl-config.1 -@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they will appear - comma\-separated. (Added in 7.58.0) +@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they appear comma\-separated. + (Added in 7.58.0) .IP --static-libs - Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) -+to link your application with libcurl statically. Note that Fedora/RHEL libcurl + Shows the complete set of libs and other linker options you need in order to +-link your application with libcurl statically. (Added in 7.17.1) ++link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) .IP --version @@ -87,5 +87,5 @@ index 9db6b0f..dcac692 100644 Name: libcurl URL: https://curl.se/ -- -2.43.0 +2.44.0 diff --git a/curl.spec b/curl.spec index 5118b71..31141a4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.6.0 -Release: 7%{?dist} +Version: 8.7.1 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,19 +10,11 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# remove duplicate content from curl-config.1 -Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch +# fix issue with --compressed option +Patch001: 0001-curl-8.7.1-fix-compressed-option.patch -# ignore response bode to HEAD requests -# https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa -Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch - -# revert "receive max buffer" + add test case -# it breaks pycurl tests suite -Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch - -# Fix: Leftovers after chunking should not be part of the curl buffer output -Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch +# fix chunked POST via callback regression +Patch002: 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -212,12 +204,9 @@ be installed. %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# temporarily disable test 0313 -# -# # disable test 1801 # -printf "313\n1801\n" >> tests/data/DISABLED +printf "1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -254,7 +243,8 @@ export common_configure_opts=" \ --with-gssapi \ --with-libidn2 \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ + --with-zsh-functions-dir" %global _configure ../configure @@ -361,21 +351,12 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal cd build-full %make_install -# install zsh completion for curl -# (we have to override LD_LIBRARY_PATH because we eliminated rpath) -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ - %make_install -C scripts - # do not install /usr/share/fish/completions/curl.fish which is also installed # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la -# Don't install man for mk-ca-bundle it's upstream bug -# should be fixed in next release https://github.com/curl/curl/pull/12843 -rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* - %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal @@ -384,6 +365,7 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %doc CHANGES %doc README %doc docs/BUGS.md +%doc docs/DISTROS.md %doc docs/FAQ %doc docs/FEATURES.md %doc docs/TODO @@ -414,6 +396,17 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 27 2024 Jan Macku - 8.7.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-2004 - Usage of disabled protocol + CVE-2024-2379 - QUIC certificate check bypass with wolfSSL + CVE-2024-2398 - HTTP/2 push headers memory-leak + CVE-2024-2466 - TLS certificate check bypass with mbedTLS +- drop upstreamed patches +- reenable test 0313 +- fix zsh completions, use --with-zsh-functions-dir +- apply upstream patches for 8.7.1 issues and regressions + * Mon Feb 19 2024 Jan Macku - 8.6.0-7 - Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) diff --git a/sources b/sources index 9c9d4a1..9576bf7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.6.0.tar.xz) = 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036 -SHA512 (curl-8.6.0.tar.xz.asc) = 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f +SHA512 (curl-8.7.1.tar.xz) = 5bbde9d5648e9226f5490fa951690aaf159149345f3a315df2ba58b2468f3e59ca32e8a49734338afc861803a4f81caac6d642a4699b72c6310ebfb1f618aad2 +SHA512 (curl-8.7.1.tar.xz.asc) = f98c393997c4a32f545a8982226e8cd612395210915a4576c2ce227d0f650cff341be7bf15e989d1789abf32ac4fd9c190b9250b81e650b569e8532048746b37 From 24a6093c53e89bfe6f0084edfa4f47d033367fe1 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 22 May 2024 12:44:18 +0200 Subject: [PATCH 071/120] new upstream release - 8.8.0 --- 0001-curl-8.7.1-fix-compressed-option.patch | 174 ------------------ 0001-curl-8.8.0-install-config-man.patch | 26 +++ ...-8.7.1-fix-chunked-POST-via-callback.patch | 69 ------- 0101-curl-7.32.0-multilib.patch | 119 ++++++------ 0102-curl-7.84.0-test3026.patch | 18 +- curl.spec | 13 +- sources | 4 +- 7 files changed, 104 insertions(+), 319 deletions(-) delete mode 100644 0001-curl-8.7.1-fix-compressed-option.patch create mode 100644 0001-curl-8.8.0-install-config-man.patch delete mode 100644 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch diff --git a/0001-curl-8.7.1-fix-compressed-option.patch b/0001-curl-8.7.1-fix-compressed-option.patch deleted file mode 100644 index dc2e720..0000000 --- a/0001-curl-8.7.1-fix-compressed-option.patch +++ /dev/null @@ -1,174 +0,0 @@ -From 8f1a06a9efe1048c7ad17af43ae7d4b26de8117e Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 28 Mar 2024 11:08:15 +0100 -Subject: [PATCH 1/2] content_encoding: brotli and others, pass through - 0-length writes - -- curl's transfer handling may write 0-length chunks at the end of the - download with an EOS flag. (HTTP/2 does this commonly) - -- content encoders need to pass-through such a write and not count this - as error in case they are finished decoding - -Fixes #13209 -Fixes #13212 -Closes #13219 - -(cherry picked from commit b30d694a027eb771c02a3db0dee0ca03ccab7377) -Signed-off-by: Jan Macku ---- - lib/content_encoding.c | 10 +++++----- - tests/http/test_02_download.py | 13 +++++++++++++ - tests/http/testenv/env.py | 7 ++++++- - tests/http/testenv/httpd.py | 20 ++++++++++++++++++++ - 4 files changed, 44 insertions(+), 6 deletions(-) - -diff --git a/lib/content_encoding.c b/lib/content_encoding.c -index c1abf24e8..8e926dd2e 100644 ---- a/lib/content_encoding.c -+++ b/lib/content_encoding.c -@@ -300,7 +300,7 @@ static CURLcode deflate_do_write(struct Curl_easy *data, - struct zlib_writer *zp = (struct zlib_writer *) writer; - z_stream *z = &zp->z; /* zlib state structure */ - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - /* Set the compressed input when this function is called */ -@@ -457,7 +457,7 @@ static CURLcode gzip_do_write(struct Curl_easy *data, - struct zlib_writer *zp = (struct zlib_writer *) writer; - z_stream *z = &zp->z; /* zlib state structure */ - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(zp->zlib_init == ZLIB_INIT_GZIP) { -@@ -669,7 +669,7 @@ static CURLcode brotli_do_write(struct Curl_easy *data, - CURLcode result = CURLE_OK; - BrotliDecoderResult r = BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT; - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(!bp->br) -@@ -762,7 +762,7 @@ static CURLcode zstd_do_write(struct Curl_easy *data, - ZSTD_outBuffer out; - size_t errorCode; - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(!zp->decomp) { -@@ -916,7 +916,7 @@ static CURLcode error_do_write(struct Curl_easy *data, - (void) buf; - (void) nbytes; - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - failf(data, "Unrecognized content encoding type. " -diff --git a/tests/http/test_02_download.py b/tests/http/test_02_download.py -index 4db9c9d36..395fc862f 100644 ---- a/tests/http/test_02_download.py -+++ b/tests/http/test_02_download.py -@@ -394,6 +394,19 @@ class TestDownload: - r = client.run(args=[url]) - r.check_exit_code(0) - -+ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) -+ def test_02_28_get_compressed(self, env: Env, httpd, nghttpx, repeat, proto): -+ if proto == 'h3' and not env.have_h3(): -+ pytest.skip("h3 not supported") -+ count = 1 -+ urln = f'https://{env.authority_for(env.domain1brotli, proto)}/data-100k?[0-{count-1}]' -+ curl = CurlClient(env=env) -+ r = curl.http_download(urls=[urln], alpn_proto=proto, extra_args=[ -+ '--compressed' -+ ]) -+ r.check_exit_code(code=0) -+ r.check_response(count=count, http_status=200) -+ - def check_downloads(self, client, srcfile: str, count: int, - complete: bool = True): - for i in range(count): -diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py -index a207059dc..13c5d6bd4 100644 ---- a/tests/http/testenv/env.py -+++ b/tests/http/testenv/env.py -@@ -129,10 +129,11 @@ class EnvConfig: - self.htdocs_dir = os.path.join(self.gen_dir, 'htdocs') - self.tld = 'http.curl.se' - self.domain1 = f"one.{self.tld}" -+ self.domain1brotli = f"brotli.one.{self.tld}" - self.domain2 = f"two.{self.tld}" - self.proxy_domain = f"proxy.{self.tld}" - self.cert_specs = [ -- CertificateSpec(domains=[self.domain1, 'localhost'], key_type='rsa2048'), -+ CertificateSpec(domains=[self.domain1, self.domain1brotli, 'localhost'], key_type='rsa2048'), - CertificateSpec(domains=[self.domain2], key_type='rsa2048'), - CertificateSpec(domains=[self.proxy_domain, '127.0.0.1'], key_type='rsa2048'), - CertificateSpec(name="clientsX", sub_specs=[ -@@ -376,6 +377,10 @@ class Env: - def domain1(self) -> str: - return self.CONFIG.domain1 - -+ @property -+ def domain1brotli(self) -> str: -+ return self.CONFIG.domain1brotli -+ - @property - def domain2(self) -> str: - return self.CONFIG.domain2 -diff --git a/tests/http/testenv/httpd.py b/tests/http/testenv/httpd.py -index c04c22699..b8615875a 100644 ---- a/tests/http/testenv/httpd.py -+++ b/tests/http/testenv/httpd.py -@@ -50,6 +50,7 @@ class Httpd: - 'alias', 'env', 'filter', 'headers', 'mime', 'setenvif', - 'socache_shmcb', - 'rewrite', 'http2', 'ssl', 'proxy', 'proxy_http', 'proxy_connect', -+ 'brotli', - 'mpm_event', - ] - COMMON_MODULES_DIRS = [ -@@ -203,6 +204,7 @@ class Httpd: - - def _write_config(self): - domain1 = self.env.domain1 -+ domain1brotli = self.env.domain1brotli - creds1 = self.env.get_credentials(domain1) - domain2 = self.env.domain2 - creds2 = self.env.get_credentials(domain2) -@@ -285,6 +287,24 @@ class Httpd: - f'', - f'', - ]) -+ # Alternate to domain1 with BROTLI compression -+ conf.extend([ # https host for domain1, h1 + h2 -+ f'', -+ f' ServerName {domain1brotli}', -+ f' Protocols h2 http/1.1', -+ f' SSLEngine on', -+ f' SSLCertificateFile {creds1.cert_file}', -+ f' SSLCertificateKeyFile {creds1.pkey_file}', -+ f' DocumentRoot "{self._docs_dir}"', -+ f' SetOutputFilter BROTLI_COMPRESS', -+ ]) -+ conf.extend(self._curltest_conf(domain1)) -+ if domain1 in self._extra_configs: -+ conf.extend(self._extra_configs[domain1]) -+ conf.extend([ -+ f'', -+ f'', -+ ]) - conf.extend([ # https host for domain2, no h2 - f'', - f' ServerName {domain2}', --- -2.44.0 - diff --git a/0001-curl-8.8.0-install-config-man.patch b/0001-curl-8.8.0-install-config-man.patch new file mode 100644 index 0000000..74b13f0 --- /dev/null +++ b/0001-curl-8.8.0-install-config-man.patch @@ -0,0 +1,26 @@ +From 4cc5657247183a0bc3b0969beeaea9acddb09d22 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 22 May 2024 08:43:43 +0200 +Subject: [PATCH] docs/Makefile.am: make curl-config.1 install + +on "make install" like it should + +Follow-up to 60971d665b9b1df87082 + +Closes #13741 +--- + docs/Makefile.am | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/docs/Makefile.am b/docs/Makefile.am +index 83f5b0c461cc0f..e9ef6284860555 100644 +--- a/docs/Makefile.am ++++ b/docs/Makefile.am +@@ -28,6 +28,7 @@ if BUILD_DOCS + # if we disable man page building, ignore these + MK_CA_DOCS = mk-ca-bundle.1 + CURLCONF_DOCS = curl-config.1 ++man_MANS = curl-config.1 + endif + + CURLPAGES = curl-config.md mk-ca-bundle.md diff --git a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch deleted file mode 100644 index 5421984..0000000 --- a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 2c20a15717bd408ce225dd8707c1798136f084f5 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Mon, 1 Apr 2024 15:41:18 +0200 -Subject: [PATCH 2/2] http: with chunked POST forced, disable length check on - read callback - -- when an application forces HTTP/1.1 chunked transfer encoding - by setting the corresponding header and instructs curl to use - the CURLOPT_READFUNCTION, disregard any POST length information. -- this establishes backward compatibility with previous curl versions - -Applications are encouraged to not force "chunked", but rather -set length information for a POST. By setting -1, curl will -auto-select chunked on HTTP/1.1 and work properly on other HTTP -versions. - -Reported-by: Jeff King -Fixes #13229 -Closes #13257 - -(cherry picked from commit 721941aadf4adf4f6aeb3f4c0ab489bb89610c36) -Signed-off-by: Jan Macku ---- - lib/http.c | 22 ++++++++++++++++++++-- - 1 file changed, 20 insertions(+), 2 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index 92c04e69c..a764d3c44 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -2046,8 +2046,19 @@ static CURLcode set_reader(struct Curl_easy *data, Curl_HttpReq httpreq) - else - result = Curl_creader_set_null(data); - } -- else { /* we read the bytes from the callback */ -- result = Curl_creader_set_fread(data, postsize); -+ else { -+ /* we read the bytes from the callback. In case "chunked" encoding -+ * is forced by the application, we disregard `postsize`. This is -+ * a backward compatibility decision to earlier versions where -+ * chunking disregarded this. See issue #13229. */ -+ bool chunked = FALSE; -+ char *ptr = Curl_checkheaders(data, STRCONST("Transfer-Encoding")); -+ if(ptr) { -+ /* Some kind of TE is requested, check if 'chunked' is chosen */ -+ chunked = Curl_compareheader(ptr, STRCONST("Transfer-Encoding:"), -+ STRCONST("chunked")); -+ } -+ result = Curl_creader_set_fread(data, chunked? -1 : postsize); - } - return result; - -@@ -2115,6 +2126,13 @@ CURLcode Curl_http_req_set_reader(struct Curl_easy *data, - data->req.upload_chunky = - Curl_compareheader(ptr, - STRCONST("Transfer-Encoding:"), STRCONST("chunked")); -+ if(data->req.upload_chunky && -+ Curl_use_http_1_1plus(data, data->conn) && -+ (data->conn->httpversion >= 20)) { -+ infof(data, "suppressing chunked transfer encoding on connection " -+ "using HTTP version 2 or higher"); -+ data->req.upload_chunky = FALSE; -+ } - } - else { - curl_off_t req_clen = Curl_creader_total_length(data); --- -2.44.0 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 2edb7c8..f3636dc 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,81 +1,82 @@ -From dcc0efa441abace568e00bf930889da78356d041 Mon Sep 17 00:00:00 2001 +From f4e7b98fb25ff737af29908f3a2081cca9a73437 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 27 Mar 2024 10:16:03 +0100 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +Date: Wed, 22 May 2024 13:00:08 +0200 +Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script --- - curl-config.in | 23 +++++------------------ - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + + curl-config.in | 23 +++++------------------ + docs/curl-config.md | 4 +++- + libcurl.pc.in | 1 + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 54f92d9..15a60da 100644 +index 085bb1ef5..e4700260e 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -78,7 +78,7 @@ while test $# -gt 0; do - ;; +@@ -73,7 +73,7 @@ while test "$#" -gt 0; do + ;; - --cc) -- echo "@CC@" -+ echo "gcc" - ;; + --cc) +- echo '@CC@' ++ echo "gcc" + ;; - --prefix) -@@ -157,32 +157,19 @@ while test $# -gt 0; do - ;; + --prefix) +@@ -153,16 +153,7 @@ while test "$#" -gt 0; do + ;; - --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then -- CURLLIBDIR="-L@libdir@ " -- else -- CURLLIBDIR="" -- fi -- if test "X@ENABLE_SHARED@" = "Xno"; then -- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ -- else -- echo ${CURLLIBDIR}-lcurl -- fi -+ echo -lcurl - ;; - --ssl-backends) - echo "@SSL_BACKENDS@" - ;; + --libs) +- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- CURLLIBDIR="-L@libdir@ " +- else +- CURLLIBDIR="" +- fi +- if test "X@ENABLE_SHARED@" = "Xno"; then +- echo "${CURLLIBDIR}-lcurl @LIBCURL_LIBS@" +- else +- echo "${CURLLIBDIR}-lcurl" +- fi ++ echo -lcurl + ;; - --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ -- else -- echo "curl was built with static libraries disabled" >&2 -- exit 1 -- fi -+ echo "curl was built with static libraries disabled" >&2 -+ exit 1 - ;; + --ssl-backends) +@@ -170,16 +161,12 @@ while test "$#" -gt 0; do + ;; - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; + --static-libs) +- if test "X@ENABLE_STATIC@" != "Xno" ; then +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ +- else +- echo 'curl was built with static libraries disabled' >&2 +- exit 1 +- fi ++ echo "curl was built with static libraries disabled" >&2 ++ exit 1 + ;; + + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; + + *) +diff --git a/docs/curl-config.md b/docs/curl-config.md +index d82725082..a79f816e2 100644 +--- a/docs/curl-config.md ++++ b/docs/curl-config.md +@@ -86,7 +86,9 @@ no, one or several names. If more than one name, they appear comma-separated. + ## --static-libs - *) -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 2d5617c..0d90aaa 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they appear comma\-separated. - (Added in 7.58.0) - .IP --static-libs Shows the complete set of libs and other linker options you need in order to -link your application with libcurl statically. (Added in 7.17.1) +link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP --version - Outputs version information about the installed libcurl. - .IP --vernum + + ## --version + diff --git a/libcurl.pc.in b/libcurl.pc.in -index 9db6b0f..dcac692 100644 +index 9db6b0f89..dcac6925a 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -31,6 +31,7 @@ libdir=@libdir@ @@ -87,5 +88,5 @@ index 9db6b0f..dcac692 100644 Name: libcurl URL: https://curl.se/ -- -2.44.0 +2.45.1 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 1098583..82f4642 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -1,7 +1,7 @@ -From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 27 Jun 2022 16:50:57 +0200 -Subject: [PATCH] test3026: disable valgrind +From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 22 May 2024 13:03:43 +0200 +Subject: [PATCH 2/2] test3026: disable valgrind It fails on x86_64 with: ``` @@ -39,7 +39,7 @@ It fails on x86_64 with: 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/data/test3026 b/tests/data/test3026 -index fb80cc8..01f2ba5 100644 +index ee9b30678..dd582c3e5 100644 --- a/tests/data/test3026 +++ b/tests/data/test3026 @@ -41,5 +41,8 @@ none @@ -52,10 +52,10 @@ index fb80cc8..01f2ba5 100644 diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 43fe335..70cd7a4 100644 +index 7e914010e..39374f5bc 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c -@@ -147,8 +147,8 @@ int test(char *URL) +@@ -145,8 +145,8 @@ CURLcode test(char *URL) results[i] = CURL_LAST; /* initialize with invalid value */ res = pthread_create(&tids[i], NULL, run_thread, &results[i]); if(res) { @@ -64,8 +64,8 @@ index 43fe335..70cd7a4 100644 + fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", + __FILE__, __LINE__, i, res); tid_count = i; - test_failure = -1; + test_failure = (CURLcode)-1; goto cleanup; -- -2.37.1 +2.45.1 diff --git a/curl.spec b/curl.spec index 31141a4..8be220b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.7.1 +Version: 8.8.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,11 +10,8 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix issue with --compressed option -Patch001: 0001-curl-8.7.1-fix-compressed-option.patch - -# fix chunked POST via callback regression -Patch002: 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch +# install curl-config man page +Patch001: 0001-curl-8.8.0-install-config-man.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -396,6 +393,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 22 2024 Jan Macku - 8.8.0-1 +- new upstream release +- drop upstreamed patches + * Wed Mar 27 2024 Jan Macku - 8.7.1-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-2004 - Usage of disabled protocol diff --git a/sources b/sources index 9576bf7..d6dbc8c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.7.1.tar.xz) = 5bbde9d5648e9226f5490fa951690aaf159149345f3a315df2ba58b2468f3e59ca32e8a49734338afc861803a4f81caac6d642a4699b72c6310ebfb1f618aad2 -SHA512 (curl-8.7.1.tar.xz.asc) = f98c393997c4a32f545a8982226e8cd612395210915a4576c2ce227d0f650cff341be7bf15e989d1789abf32ac4fd9c190b9250b81e650b569e8532048746b37 +SHA512 (curl-8.8.0.tar.xz) = 9d2c0d3a0d8f6c31ba4fabe48f801910f886fde43dc198dc4213708d6967ed5e040a1bb7348aa1cb126577ee508a3ec36fe65256d027d861d6ffb70f6383967a +SHA512 (curl-8.8.0.tar.xz.asc) = 37b501770225dff6b1e7bde1157f556f10ec1c597fcbbb5c8b8c370efb97a3a70f585f2f5c201b96380d68466696474a5f65a07da59b704678d6927567d25359 From 781fa86ead65acd7063f1ae4a061f7d0e0f4f638 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Fri, 12 Jul 2024 08:06:48 +0100 Subject: [PATCH 072/120] adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine Added build condition for openssl_engine_support, true by default so as to not change the resulting built package (yet) - With openssl_engine_support true, BR: openssl-devel-engine - With openssl_engine_support false, build with -DOPENSSL_NO_ENGINE --- .gitignore | 2 ++ curl.spec | 23 ++++++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index e91a948..cd6f067 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +/curl-[0-9.]*.tar.lzma +/curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc /curl-[0-9].[0-9].[0-9]/ diff --git a/curl.spec b/curl.spec index 8be220b..57d36cb 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,13 @@ +# OpenSSL ENGINE support +# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 +# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +# Change the bcond to 0 to turn off ENGINE support by default +%bcond openssl_engine_support 1 + Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.8.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -49,6 +55,9 @@ BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server BuildRequires: openssl-devel +%if %{with openssl_engine_support} +BuildRequires: openssl-devel-engine +%endif BuildRequires: perl-interpreter BuildRequires: pkgconfig BuildRequires: python-unversioned-command @@ -125,6 +134,11 @@ BuildRequires: stunnel # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} +# Define OPENSSL_NO_ENGINE to avoid inclusion of +%if %{without openssl_engine_support} +%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE +%endif + # require at least the version of libnghttp2 that we were built against, # to ensure that we have the necessary symbols available (#2144277) %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) @@ -393,6 +407,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jul 12 2024 Paul Howarth - 8.8.0-2 +- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +- added build condition for openssl_engine_support, true by default so as to + not change the resulting built package (yet) +- with openssl_engine_support true, BR: openssl-devel-engine +- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE + * Wed May 22 2024 Jan Macku - 8.8.0-1 - new upstream release - drop upstreamed patches From ed1f78db34d5cf8e1aede9d6d2df5e1952d5c634 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 20:23:31 +0000 Subject: [PATCH 073/120] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 57d36cb..d665c95 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.8.0 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Fri Jul 12 2024 Paul Howarth - 8.8.0-2 - adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine - added build condition for openssl_engine_support, true by default so as to From 27557f07463358e21eb63d1502dc2a2b979b775e Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 24 Jul 2024 14:59:53 +0200 Subject: [PATCH 074/120] new upstream release - 8.9.0 --- 0001-curl-8.8.0-install-config-man.patch | 26 ------------------------ 0104-curl-7.88.0-tests-warnings.patch | 14 ++++++------- curl.spec | 13 +++++++----- sources | 4 ++-- 4 files changed, 17 insertions(+), 40 deletions(-) delete mode 100644 0001-curl-8.8.0-install-config-man.patch diff --git a/0001-curl-8.8.0-install-config-man.patch b/0001-curl-8.8.0-install-config-man.patch deleted file mode 100644 index 74b13f0..0000000 --- a/0001-curl-8.8.0-install-config-man.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 4cc5657247183a0bc3b0969beeaea9acddb09d22 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 22 May 2024 08:43:43 +0200 -Subject: [PATCH] docs/Makefile.am: make curl-config.1 install - -on "make install" like it should - -Follow-up to 60971d665b9b1df87082 - -Closes #13741 ---- - docs/Makefile.am | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/docs/Makefile.am b/docs/Makefile.am -index 83f5b0c461cc0f..e9ef6284860555 100644 ---- a/docs/Makefile.am -+++ b/docs/Makefile.am -@@ -28,6 +28,7 @@ if BUILD_DOCS - # if we disable man page building, ignore these - MK_CA_DOCS = mk-ca-bundle.1 - CURLCONF_DOCS = curl-config.1 -+man_MANS = curl-config.1 - endif - - CURLPAGES = curl-config.md mk-ca-bundle.md diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch index 04b2ba2..0977dee 100644 --- a/0104-curl-7.88.0-tests-warnings.patch +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -1,6 +1,6 @@ -From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 15 Feb 2023 10:42:38 +0100 +From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 24 Jul 2024 15:15:11 +0200 Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" While it might be useful for upstream developers, it is not so useful @@ -12,10 +12,10 @@ This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/runtests.pl b/tests/runtests.pl -index 71644ad18..0cf85c3fe 100755 +index 9cc9ef1..c9a1c5d 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl -@@ -55,8 +55,7 @@ +@@ -57,8 +57,7 @@ # given, this won't be a problem. use strict; @@ -23,8 +23,8 @@ index 71644ad18..0cf85c3fe 100755 -use warnings FATAL => 'all'; +use warnings; use 5.006; + use POSIX qw(strftime); - # These should be the only variables that might be needed to get edited: -- -2.39.1 +2.45.2 diff --git a/curl.spec b/curl.spec index d665c95..45436cc 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.8.0 -Release: 3%{?dist} +Version: 8.9.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,9 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# install curl-config man page -Patch001: 0001-curl-8.8.0-install-config-man.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -407,6 +404,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 24 2024 Jan Macku - 8.9.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-6874 - macidn punycode buffer overread + CVE-2024-6197 - freeing stack buffer in utf8asn1str +- drop upstreamed patches + * Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild diff --git a/sources b/sources index d6dbc8c..ba6559e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.8.0.tar.xz) = 9d2c0d3a0d8f6c31ba4fabe48f801910f886fde43dc198dc4213708d6967ed5e040a1bb7348aa1cb126577ee508a3ec36fe65256d027d861d6ffb70f6383967a -SHA512 (curl-8.8.0.tar.xz.asc) = 37b501770225dff6b1e7bde1157f556f10ec1c597fcbbb5c8b8c370efb97a3a70f585f2f5c201b96380d68466696474a5f65a07da59b704678d6927567d25359 +SHA512 (curl-8.9.0.tar.xz) = 922c726cfa3a73954927a32f485248d7a53a3348638a6a01add1bc0a67a7d2ee9cdb7c78b6db84bb7e2fab9d2d5487a96d9071832198b63a86d2caaef85c9310 +SHA512 (curl-8.9.0.tar.xz.asc) = 44cc7053ac0fddcb5131e7806fcd793d70bd49c5549b2548bbcbe60fdf913f450e45861ff6497b30eb00fd84483302ff9b6c3aea6b66728d6e54dd7ffc388408 From 40967e47b5a847174d8c923ad219882036d03bf0 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 31 Jul 2024 09:47:16 +0200 Subject: [PATCH 075/120] new upstream release - 8.9.1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 45436cc..9ee3966 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.9.0 +Version: 8.9.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -404,6 +404,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 24 2024 Jan Macku - 8.9.1-1 +- new upstream release + * Wed Jul 24 2024 Jan Macku - 8.9.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-6874 - macidn punycode buffer overread diff --git a/sources b/sources index ba6559e..e35c435 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.9.0.tar.xz) = 922c726cfa3a73954927a32f485248d7a53a3348638a6a01add1bc0a67a7d2ee9cdb7c78b6db84bb7e2fab9d2d5487a96d9071832198b63a86d2caaef85c9310 -SHA512 (curl-8.9.0.tar.xz.asc) = 44cc7053ac0fddcb5131e7806fcd793d70bd49c5549b2548bbcbe60fdf913f450e45861ff6497b30eb00fd84483302ff9b6c3aea6b66728d6e54dd7ffc388408 +SHA512 (curl-8.9.1.tar.xz) = a0fe234402875db194aad4e4208b7e67e7ffc1562622eea90948d4b9b0122c95c3dde8bbe2f7445a687cb3de7cb09f20e5819d424570442d976aa4c913227fc7 +SHA512 (curl-8.9.1.tar.xz.asc) = 18acd58436d70900ab6912b84774da2c451b9dbfc83d6d00f85bbbe7894b67075918e58956fdb753fcc1486e4f10caa31139d7c68b037d7c83dc2e9c2fae9f9b From cc42129b020d949298d0b33be56d64c3b79cf096 Mon Sep 17 00:00:00 2001 From: voidanix Date: Mon, 5 Aug 2024 13:44:53 +0200 Subject: [PATCH 076/120] Add patch due to upstream curl-8.9.1 regression --- 0001-curl-8.9.1-sigpipe.patch | 32 ++++++++++++++++++++++++++++++++ curl.spec | 9 ++++++++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 0001-curl-8.9.1-sigpipe.patch diff --git a/0001-curl-8.9.1-sigpipe.patch b/0001-curl-8.9.1-sigpipe.patch new file mode 100644 index 0000000..f4f0346 --- /dev/null +++ b/0001-curl-8.9.1-sigpipe.patch @@ -0,0 +1,32 @@ +From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 5 Aug 2024 00:17:17 +0200 +Subject: [PATCH] sigpipe: init the struct so that first apply ignores + +Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after +init ignores the signal (unless CURLOPT_NOSIGNAL) is set. + +I have read the existing code multiple times now and I think it gets the +initial state reversed this missing to ignore. + +Regression from 17e6f06ea37136c36d27 + +Reported-by: Rasmus Thomsen +Fixes #14344 +Closes #14390 +--- + lib/sigpipe.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/sigpipe.h b/lib/sigpipe.h +index b91a2f51333956..d78afd905d3414 100644 +--- a/lib/sigpipe.h ++++ b/lib/sigpipe.h +@@ -39,6 +39,7 @@ struct sigpipe_ignore { + static void sigpipe_init(struct sigpipe_ignore *ig) + { + memset(ig, 0, sizeof(*ig)); ++ ig->no_signal = TRUE; + } + + /* diff --git a/curl.spec b/curl.spec index 9ee3966..174562f 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.9.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,10 @@ Patch102: 0102-curl-7.84.0-test3026.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch +# Fix crashes with transmission due to SIGPIPE +# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970 +Patch001: 0001-curl-8.9.1-sigpipe.patch + Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -404,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Aug 5 2024 voidanix - 8.9.1-2 +- Apply SIGPIPE-related patch due to upstream regression + * Wed Jul 24 2024 Jan Macku - 8.9.1-1 - new upstream release From 25bb999ab6de05c3cfe0d2fcd99ecc58da092e7b Mon Sep 17 00:00:00 2001 From: Jacek Migacz Date: Wed, 21 Aug 2024 18:04:41 +0200 Subject: [PATCH 077/120] Retire depricated ntlm-wb configure option --- curl.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 174562f..8aaa2b2 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.9.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -271,7 +271,6 @@ export common_configure_opts=" \ --disable-ldaps \ --disable-mqtt \ --disable-ntlm \ - --disable-ntlm-wb \ --disable-pop3 \ --disable-rtsp \ --disable-smb \ @@ -296,7 +295,6 @@ export common_configure_opts=" \ --enable-ldaps \ --enable-mqtt \ --enable-ntlm \ - --enable-ntlm-wb \ --enable-pop3 \ --enable-rtsp \ --enable-smb \ @@ -408,6 +406,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 +- Retire depricated ntlm-wb configure option + * Mon Aug 5 2024 voidanix - 8.9.1-2 - Apply SIGPIPE-related patch due to upstream regression From 8669cc07274c3121030e182bfdb8acd2b2973dca Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 11 Sep 2024 09:13:07 +0200 Subject: [PATCH 078/120] new upstream release - 8.10.0 --- 0001-curl-8.9.1-sigpipe.patch | 32 ------------------------------- 0101-curl-7.32.0-multilib.patch | 34 ++++++++++++++++----------------- curl.spec | 13 ++++++------- sources | 4 ++-- 4 files changed, 25 insertions(+), 58 deletions(-) delete mode 100644 0001-curl-8.9.1-sigpipe.patch diff --git a/0001-curl-8.9.1-sigpipe.patch b/0001-curl-8.9.1-sigpipe.patch deleted file mode 100644 index f4f0346..0000000 --- a/0001-curl-8.9.1-sigpipe.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 5 Aug 2024 00:17:17 +0200 -Subject: [PATCH] sigpipe: init the struct so that first apply ignores - -Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after -init ignores the signal (unless CURLOPT_NOSIGNAL) is set. - -I have read the existing code multiple times now and I think it gets the -initial state reversed this missing to ignore. - -Regression from 17e6f06ea37136c36d27 - -Reported-by: Rasmus Thomsen -Fixes #14344 -Closes #14390 ---- - lib/sigpipe.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/sigpipe.h b/lib/sigpipe.h -index b91a2f51333956..d78afd905d3414 100644 ---- a/lib/sigpipe.h -+++ b/lib/sigpipe.h -@@ -39,6 +39,7 @@ struct sigpipe_ignore { - static void sigpipe_init(struct sigpipe_ignore *ig) - { - memset(ig, 0, sizeof(*ig)); -+ ig->no_signal = TRUE; - } - - /* diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index f3636dc..8cada87 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From f4e7b98fb25ff737af29908f3a2081cca9a73437 Mon Sep 17 00:00:00 2001 +From da51b3d89a33fb3a1cbc5dd5faebc4ee18bbcc46 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 22 May 2024 13:00:08 +0200 -Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script +Date: Wed, 11 Sep 2024 09:21:25 +0200 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,19 +10,19 @@ Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 085bb1ef5..e4700260e 100644 +index 294e083..df41899 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -73,7 +73,7 @@ while test "$#" -gt 0; do +@@ -75,7 +75,7 @@ while test "$#" -gt 0; do ;; --cc) - echo '@CC@' -+ echo "gcc" ++ echo 'gcc' ;; --prefix) -@@ -153,16 +153,7 @@ while test "$#" -gt 0; do +@@ -155,16 +155,7 @@ while test "$#" -gt 0; do ;; --libs) @@ -32,25 +32,25 @@ index 085bb1ef5..e4700260e 100644 - CURLLIBDIR="" - fi - if test "X@ENABLE_SHARED@" = "Xno"; then -- echo "${CURLLIBDIR}-lcurl @LIBCURL_LIBS@" +- echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${CURLLIBDIR}-lcurl" - fi -+ echo -lcurl ++ echo '-lcurl' ;; --ssl-backends) -@@ -170,16 +161,12 @@ while test "$#" -gt 0; do +@@ -172,16 +163,12 @@ while test "$#" -gt 0; do ;; --static-libs) - if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@ - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 - fi -+ echo "curl was built with static libraries disabled" >&2 ++ echo 'curl was built with static libraries disabled' >&2 + exit 1 ;; @@ -61,10 +61,10 @@ index 085bb1ef5..e4700260e 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index d82725082..a79f816e2 100644 +index 4dfaab6..f4e847e 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md -@@ -86,7 +86,9 @@ no, one or several names. If more than one name, they appear comma-separated. +@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. ## --static-libs Shows the complete set of libs and other linker options you need in order to @@ -76,10 +76,10 @@ index d82725082..a79f816e2 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 9db6b0f89..dcac6925a 100644 +index 8f6f9b4..f69815c 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -31,6 +31,7 @@ libdir=@libdir@ +@@ -28,6 +28,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" @@ -88,5 +88,5 @@ index 9db6b0f89..dcac6925a 100644 Name: libcurl URL: https://curl.se/ -- -2.45.1 +2.46.0 diff --git a/curl.spec b/curl.spec index 8aaa2b2..93942f0 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.9.1 -Release: 3%{?dist} +Version: 8.10.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,10 +25,6 @@ Patch102: 0102-curl-7.84.0-test3026.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch -# Fix crashes with transmission due to SIGPIPE -# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970 -Patch001: 0001-curl-8.9.1-sigpipe.patch - Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -372,7 +368,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES +%doc CHANGES.md %doc README %doc docs/BUGS.md %doc docs/DISTROS.md @@ -406,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 11 2024 Jan Macku - 8.10.0-1 +- new upstream release + * Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 - Retire depricated ntlm-wb configure option diff --git a/sources b/sources index e35c435..9865b71 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.9.1.tar.xz) = a0fe234402875db194aad4e4208b7e67e7ffc1562622eea90948d4b9b0122c95c3dde8bbe2f7445a687cb3de7cb09f20e5819d424570442d976aa4c913227fc7 -SHA512 (curl-8.9.1.tar.xz.asc) = 18acd58436d70900ab6912b84774da2c451b9dbfc83d6d00f85bbbe7894b67075918e58956fdb753fcc1486e4f10caa31139d7c68b037d7c83dc2e9c2fae9f9b +SHA512 (curl-8.10.0.tar.xz) = 055277695ea242fcb0bf26ca6c4867a385cd578cd73ed4c5c4a020233248044c1ecaebcbaeaac47d3ffe07a41300ea5fc86396d7e812137cf75ed3e1b54ca5b2 +SHA512 (curl-8.10.0.tar.xz.asc) = 3d3ece14008facc373cd715d46eeb523bb17a701df3b1839f0774847692613a9472d3e7a60ba814846bbc8e8e4f17c81a1f1355e1c9eebef244b7cd00e0f6fb8 From 67e25e1742ad1cbb538297a9287901e14870ca03 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 18 Sep 2024 09:45:38 +0200 Subject: [PATCH 079/120] new upstream release - 8.10.1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 93942f0..90d611d 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.10.0 +Version: 8.10.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -402,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 18 2024 Jan Macku - 8.10.1-1 +- new upstream release + * Wed Sep 11 2024 Jan Macku - 8.10.0-1 - new upstream release diff --git a/sources b/sources index 9865b71..c221532 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.10.0.tar.xz) = 055277695ea242fcb0bf26ca6c4867a385cd578cd73ed4c5c4a020233248044c1ecaebcbaeaac47d3ffe07a41300ea5fc86396d7e812137cf75ed3e1b54ca5b2 -SHA512 (curl-8.10.0.tar.xz.asc) = 3d3ece14008facc373cd715d46eeb523bb17a701df3b1839f0774847692613a9472d3e7a60ba814846bbc8e8e4f17c81a1f1355e1c9eebef244b7cd00e0f6fb8 +SHA512 (curl-8.10.1.tar.xz) = f1c7a12492dcfb8ba08be69b96a83ce9074592cbaa6b95c72b3c16fc58ad35e9f9deec7b72baca7d360d013b0b1c7ea38bd4edae464903ac67aa3c76238d8c6c +SHA512 (curl-8.10.1.tar.xz.asc) = 21d6d560c027efc9e3e5db182a77501d6376442221ba910df817e2ec980bee44a9fe2afc698205f8d5e8313ae47915a341d60206a46b46e816d73ee357a894ac From 1268eeab81c68b229828d0a19c1992f939728f11 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 24 Sep 2024 13:37:40 +0200 Subject: [PATCH 080/120] spec: use tls-ca-bundle.pem instead of ca-bundle.crt Resolves: #2313564 --- curl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 90d611d..0cfbaa8 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.10.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -251,7 +251,7 @@ export common_configure_opts=" \ --with-gssapi \ --with-libidn2 \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ --with-zsh-functions-dir" %global _configure ../configure @@ -402,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Sep 24 2024 Jan Macku - 8.10.1-2 +- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) + * Wed Sep 18 2024 Jan Macku - 8.10.1-1 - new upstream release From d92476d332b446e871f74225c987968021a5c526 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 29 Sep 2024 16:03:18 +0200 Subject: [PATCH 081/120] Move the autoreconf invocation to %build section The %prep section is supposed to extract and possibly patch the sources. In particular, the code provided by the package should not be called here, but only in %build section. This keeps %prep quick and allows the code provided by upstream to be inspected before running it. Also drop space after the redirection operator to match the style elsewhere in the spec file. Having symmetrical whitespace around the operator makes it look like a binary operator, which it very much is not. --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 0cfbaa8..0c2163c 100644 --- a/curl.spec +++ b/curl.spec @@ -214,7 +214,7 @@ be installed. # disable test 1801 # -printf "1801\n" >> tests/data/DISABLED +printf "1801\n" >>tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -234,10 +234,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) +%build # regenerate the configure script and Makefile.in files autoreconf -fiv -%build mkdir build-{full,minimal} export common_configure_opts=" \ --cache-file=../config.cache \ From e685607ffd9adf33f28101db012be952b5196072 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 29 Sep 2024 16:10:22 +0200 Subject: [PATCH 082/120] Make curl-config arch-independent The final /usr/bin/curl-config file had a comment like "prefix=/usr # used in /usr/lib64" or "prefix=/usr # used in /usr/lib", depending on the arch. This causes the following error on upgrades from f40 for people who have both libcurl-devel.i686 and libcurl-devel.x86_64 installed: Transaction failed: Rpm transaction failed. - file /usr/bin/curl-config conflicts between attempted installs of libcurl-devel-8.9.1-2.fc41.i686 and libcurl-devel-8.9.1-2.fc41.x86_64 The comment is actually not useful at all after the variable is expanded, since it's not clear what is meant by "used in /usr/lib64". Just drop it. With this change, the packages are constinstallable again. --- curl.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/curl.spec b/curl.spec index 0c2163c..3c25207 100644 --- a/curl.spec +++ b/curl.spec @@ -234,6 +234,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) +# avoid unnecessary arch-dependent line in the processed file +sed -e '/# Used in @libdir@/d' \ + -i curl-config.in + %build # regenerate the configure script and Makefile.in files autoreconf -fiv From 44fdfebea17b606fc56b5d0656c982a7a528f366 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 6 Nov 2024 10:06:18 +0100 Subject: [PATCH 083/120] new upstream release - 8.11.0 --- .gitignore | 2 +- 0101-curl-7.32.0-multilib.patch | 20 ++++++++++---------- curl.spec | 9 +++++++-- sources | 4 ++-- 4 files changed, 20 insertions(+), 15 deletions(-) diff --git a/.gitignore b/.gitignore index cd6f067..9bb4285 100644 --- a/.gitignore +++ b/.gitignore @@ -2,5 +2,5 @@ /curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc -/curl-[0-9].[0-9].[0-9]/ +/curl-[0-9]*.[0-9]*.[0-9]*/ /*.src.rpm diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 8cada87..8f3fd08 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From da51b3d89a33fb3a1cbc5dd5faebc4ee18bbcc46 Mon Sep 17 00:00:00 2001 +From fa6477b901ca866a52db18a818975479f2144928 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 11 Sep 2024 09:21:25 +0200 +Date: Wed, 6 Nov 2024 13:25:10 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 294e083..df41899 100644 +index 2dc40ed..9fb1a33 100644 --- a/curl-config.in +++ b/curl-config.in @@ -75,7 +75,7 @@ while test "$#" -gt 0; do @@ -26,12 +26,12 @@ index 294e083..df41899 100644 ;; --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then - CURLLIBDIR="-L@libdir@ " - else -- CURLLIBDIR="" +- CURLLIBDIR='' - fi -- if test "X@ENABLE_SHARED@" = "Xno"; then +- if test 'X@ENABLE_SHARED@' = 'Xno'; then - echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${CURLLIBDIR}-lcurl" @@ -44,8 +44,8 @@ index 294e083..df41899 100644 ;; --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@ +- if test 'X@ENABLE_STATIC@' != 'Xno'; then +- echo "@libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 8f6f9b4..f69815c 100644 +index 4c60a7e..9fd935a 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index 8f6f9b4..f69815c 100644 Name: libcurl URL: https://curl.se/ -- -2.46.0 +2.47.0 diff --git a/curl.spec b/curl.spec index 3c25207..80243c8 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.10.1 -Release: 2%{?dist} +Version: 8.11.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -97,6 +97,7 @@ BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) +BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) BuildRequires: perl(List::Util) BuildRequires: perl(Memoize) @@ -406,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Nov 06 2024 Jan Macku - 8.11.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-9681 - HSTS subdomain overwrites parent cache entry + * Tue Sep 24 2024 Jan Macku - 8.10.1-2 - Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) diff --git a/sources b/sources index c221532..f45b6fe 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.10.1.tar.xz) = f1c7a12492dcfb8ba08be69b96a83ce9074592cbaa6b95c72b3c16fc58ad35e9f9deec7b72baca7d360d013b0b1c7ea38bd4edae464903ac67aa3c76238d8c6c -SHA512 (curl-8.10.1.tar.xz.asc) = 21d6d560c027efc9e3e5db182a77501d6376442221ba910df817e2ec980bee44a9fe2afc698205f8d5e8313ae47915a341d60206a46b46e816d73ee357a894ac +SHA512 (curl-8.11.0.tar.xz) = 3a642d421e0a5c09ecb681bea18498f2c6124e9af4d8afdc074dfb85a9b0211d8972ade9cf00ab44b5dfed9303262cd83551dd3b5e0976d11fc19da3c4a0987e +SHA512 (curl-8.11.0.tar.xz.asc) = 71073dde48e8f0013e392eb88bf70f6b8a4a4f0c955a3fb56db98e74aa10acc1004e2a0483f30be082e61b59a76fa75ae1d90545ace7c6b07bca8164078375f0 From 0e038361ddf5965bd02544323cab07570e4281f6 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Wed, 6 Nov 2024 13:13:17 -0500 Subject: [PATCH 084/120] Disable engine support on RHEL 10+ RHEL 10 does not provide the engine header at all. Also, restore compatibility with earlier versions which do not have a separate subpackage for the engine header. --- curl.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 80243c8..ba56d35 100644 --- a/curl.spec +++ b/curl.spec @@ -2,12 +2,12 @@ # This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 # https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine # Change the bcond to 0 to turn off ENGINE support by default -%bcond openssl_engine_support 1 +%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -52,7 +52,7 @@ BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server BuildRequires: openssl-devel -%if %{with openssl_engine_support} +%if %{with openssl_engine_support} && 0%{?fedora} >= 41 BuildRequires: openssl-devel-engine %endif BuildRequires: perl-interpreter @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 +- Disable engine support on RHEL 10+ + * Wed Nov 06 2024 Jan Macku - 8.11.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-9681 - HSTS subdomain overwrites parent cache entry From f200f97c286a92379a9a67ca6787d95a8e6e037c Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 11 Dec 2024 15:02:18 +0100 Subject: [PATCH 085/120] new upstream release - 8.11.1 --- 0101-curl-7.32.0-multilib.patch | 12 ++++----- 0105-curl-8.11.1-test616.patch | 48 +++++++++++++++++++++++++++++++++ curl.spec | 11 ++++++-- sources | 4 +-- 4 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 0105-curl-8.11.1-test616.patch diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 8f3fd08..aec4fda 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From fa6477b901ca866a52db18a818975479f2144928 Mon Sep 17 00:00:00 2001 +From 7efcd412447fc41bded2f9621edf0ab4701c9b14 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 6 Nov 2024 13:25:10 +0100 +Date: Wed, 11 Dec 2024 09:28:12 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 2dc40ed..9fb1a33 100644 +index e89c256..9fb1a33 100644 --- a/curl-config.in +++ b/curl-config.in @@ -75,7 +75,7 @@ while test "$#" -gt 0; do @@ -45,7 +45,7 @@ index 2dc40ed..9fb1a33 100644 --static-libs) - if test 'X@ENABLE_STATIC@' != 'Xno'; then -- echo "@libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@" +- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 4c60a7e..9fd935a 100644 +index c0ba524..f3645e1 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index 4c60a7e..9fd935a 100644 Name: libcurl URL: https://curl.se/ -- -2.47.0 +2.47.1 diff --git a/0105-curl-8.11.1-test616.patch b/0105-curl-8.11.1-test616.patch new file mode 100644 index 0000000..91bde80 --- /dev/null +++ b/0105-curl-8.11.1-test616.patch @@ -0,0 +1,48 @@ +From 82baec8c7cd40361585d8793dfe4531f7aad30e3 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 11 Dec 2024 13:16:12 +0100 +Subject: [PATCH] test616: disable valgrind + +Valgrind disable was removed in upstream in https://github.com/curl/curl/commit/c91c37b6e87ceee760b7bb334c8e97e03ee93e93#diff-e01fd8774cf5b26329c7dc7dc03ec49745469205f3d501ced72c9d133455d5e7L35 +But test 616 is still failing under valgrind, so disable valgrind for this test. + +``` + valgrind ERROR ==188588== 144 bytes in 1 blocks are definitely lost in loss record 1 of 1 +==188588== at 0x484B133: calloc (vg_replace_malloc.c:1675) +==188588== by 0x4BB7575: ??? (in /usr/lib64/libssh.so.4.10.1) +==188588== by 0x4BB8CC6: sftp_fstat (in /usr/lib64/libssh.so.4.10.1) +==188588== by 0x48EEAFB: myssh_statemach_act (libssh.c:1610) +==188588== by 0x48F1B9D: myssh_multi_statemach.lto_priv.0 (libssh.c:2095) +==188588== by 0x48BA971: UnknownInlinedFun (multi.c:1643) +==188588== by 0x48BA971: UnknownInlinedFun (multi.c:2314) +==188588== by 0x48BA971: multi_runsingle (multi.c:2768) +==188588== by 0x48BCCA4: curl_multi_perform (multi.c:3016) +==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:701) +==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:796) +==188588== by 0x4884E4A: curl_easy_perform (easy.c:815) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:2902) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3127) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3249) +==188588== by 0x10C12B: main (tool_main.c:271) +==188588== +``` +--- + tests/data/test616 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/data/test616 b/tests/data/test616 +index f76c68a..0ebc734 100644 +--- a/tests/data/test616 ++++ b/tests/data/test616 +@@ -32,5 +32,8 @@ SFTP retrieval of empty file + # + # Verify data after the test has been "shot" + ++ ++disable ++ + + +-- +2.47.1 + diff --git a/curl.spec b/curl.spec index ba56d35..9b1c4c8 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.11.0 -Release: 2%{?dist} +Version: 8.11.1 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,9 @@ Patch102: 0102-curl-7.84.0-test3026.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch +# test616: disable valgrind +Patch105: 0105-curl-8.11.1-test616.patch + Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -407,6 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 11 2024 Jan Macku - 8.11.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-11053 - netrc and redirect credential leak + * Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 - Disable engine support on RHEL 10+ diff --git a/sources b/sources index f45b6fe..91c8f05 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.11.0.tar.xz) = 3a642d421e0a5c09ecb681bea18498f2c6124e9af4d8afdc074dfb85a9b0211d8972ade9cf00ab44b5dfed9303262cd83551dd3b5e0976d11fc19da3c4a0987e -SHA512 (curl-8.11.0.tar.xz.asc) = 71073dde48e8f0013e392eb88bf70f6b8a4a4f0c955a3fb56db98e74aa10acc1004e2a0483f30be082e61b59a76fa75ae1d90545ace7c6b07bca8164078375f0 +SHA512 (curl-8.11.1.tar.xz) = 7c7c47a49505575b610c56b455f0919ea5082a993bf5483eeb258ead167aadb87078d626b343b417dcfc5439c53556425c8fb4fe3b01b53a87b47c01686a3e57 +SHA512 (curl-8.11.1.tar.xz.asc) = c09bedb67e83fb8ca3ad73c5bd0d92fed7fc2c26dbe5a71cccb193fd151c7219713241a9fe74baefcd1d008cfafba78142bf04cec24dd4a88d67179184d35824 From 60dca4fc329daf8e5799357a68fe1ff41cffb13a Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 15 Dec 2024 12:05:17 +0000 Subject: [PATCH 086/120] Add rpmlintrc --- curl.rpmlintrc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 curl.rpmlintrc diff --git a/curl.rpmlintrc b/curl.rpmlintrc new file mode 100644 index 0000000..022a98e --- /dev/null +++ b/curl.rpmlintrc @@ -0,0 +1,15 @@ +# Intentional stuff we're not concerned about +addFilter("unversioned-explicit-provides webclient") +addFilter("package-with-huge-docs") +addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4") + +# This is just plain wrong (%_configure redefinition) +addFilter("configure-without-libdir-spec") + +# Technical term +addFilter("E: spelling-error \('kerberos',") + +# Artefacts of RemovePathPostfixes: .minimal +addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal") +#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal") +#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal") From 348d650b12c9787af9669f6a985f57cf3ccdc18c Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 15 Dec 2024 12:06:23 +0000 Subject: [PATCH 087/120] Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) - https://github.com/curl/curl/issues/15725 - https://github.com/curl/curl/pull/15727 --- 0001-curl-8.11.1-eventfd.patch | 31 +++++++++++++++++++++++++++++++ curl.spec | 15 +++++++++++++-- 2 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 0001-curl-8.11.1-eventfd.patch diff --git a/0001-curl-8.11.1-eventfd.patch b/0001-curl-8.11.1-eventfd.patch new file mode 100644 index 0000000..3960452 --- /dev/null +++ b/0001-curl-8.11.1-eventfd.patch @@ -0,0 +1,31 @@ +From 17c06b1ed19147d9e641ad5bcd672e8bce451b46 Mon Sep 17 00:00:00 2001 +From: Andy Pan +Date: Thu, 12 Dec 2024 12:48:56 +0000 +Subject: [PATCH] async-thread: avoid closing eventfd twice + +When employing eventfd for socketpair, there is only one file +descriptor. Closing that fd twice might result in fd corruption. +Thus, we should avoid closing the eventfd twice, following the +pattern in lib/multi.c. + +Fixes #15725 +--- + lib/asyn-thread.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c +index a58e4b790494ab..32d496b107cb0a 100644 +--- a/lib/asyn-thread.c ++++ b/lib/asyn-thread.c +@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) + * close one end of the socket pair (may be done in resolver thread); + * the other end (for reading) is always closed in the parent thread. + */ ++#ifndef USE_EVENTFD + if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { + wakeup_close(tsd->sock_pair[1]); + } ++#endif + #endif + memset(tsd, 0, sizeof(*tsd)); + } diff --git a/curl.spec b/curl.spec index 9b1c4c8..beca484 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,6 +16,12 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Fix crash with Unexpected error 9 on netlink descriptor 10 +# https://bugzilla.redhat.com/show_bug.cgi?id=2332350 +# https://github.com/curl/curl/issues/15725 +# https://github.com/curl/curl/pull/15727 +Patch1: 0001-curl-8.11.1-eventfd.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -410,6 +416,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Sun Dec 15 2024 Paul Howarth - 8.11.1-2 +- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) + - https://github.com/curl/curl/issues/15725 + - https://github.com/curl/curl/pull/15727 + * Wed Dec 11 2024 Jan Macku - 8.11.1-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-11053 - netrc and redirect credential leak @@ -431,7 +442,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la - new upstream release * Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 -- Retire depricated ntlm-wb configure option +- Retire deprecated ntlm-wb configure option * Mon Aug 5 2024 voidanix - 8.9.1-2 - Apply SIGPIPE-related patch due to upstream regression From 84d98cb3c36ac812ecac40f056283c94a3be0f03 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 15:05:19 +0000 Subject: [PATCH 088/120] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index beca484..ef932e9 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -416,6 +416,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Sun Dec 15 2024 Paul Howarth - 8.11.1-2 - Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) - https://github.com/curl/curl/issues/15725 From dbdb66e32ef7a74430edc9f27487a980b933f36b Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Fri, 31 Jan 2025 15:01:32 +0100 Subject: [PATCH 089/120] TLS: check connection for SSL use, not handler Resolves: #2324130 --- ...k-connection-for-SSL-use-not-handler.patch | 227 ++++++++++++++++++ curl.spec | 8 +- 2 files changed, 234 insertions(+), 1 deletion(-) create mode 100644 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch diff --git a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch new file mode 100644 index 0000000..9000c48 --- /dev/null +++ b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch @@ -0,0 +1,227 @@ +From b876aeb3f5d5c6539102f0575c0ec1d116388337 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 17 Jan 2025 11:57:00 +0100 +Subject: [PATCH] TLS: check connection for SSL use, not handler + +Protocol handler option PROTOPT_SSL is used to setup a connection +filters. Once that is done, used `Curl_conn_is_ssl()` to check if +a connection uses SSL. + +There may be other reasons to add SSL to a connection, e.g. starttls. + +Closes #16034 + +(cherry picked from commit 25b445e4796bcbf9f842de686a8c384b30f6c2a2) +--- + lib/cf-socket.c | 2 +- + lib/ftp.c | 2 +- + lib/http.c | 8 ++++---- + lib/http_negotiate.c | 3 ++- + lib/imap.c | 2 +- + lib/ldap.c | 3 ++- + lib/openldap.c | 2 +- + lib/pop3.c | 2 +- + lib/smb.c | 2 +- + lib/smtp.c | 2 +- + lib/url.c | 12 ++++++------ + 11 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/lib/cf-socket.c b/lib/cf-socket.c +index 497a3b965..de0c8a3ba 100644 +--- a/lib/cf-socket.c ++++ b/lib/cf-socket.c +@@ -1282,7 +1282,7 @@ static int do_connect(struct Curl_cfilter *cf, struct Curl_easy *data, + + rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); + #elif defined(MSG_FASTOPEN) /* old Linux */ +- if(cf->conn->given->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(cf->conn, cf->sockindex)) + rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); + else + rc = 0; /* Do nothing */ +diff --git a/lib/ftp.c b/lib/ftp.c +index 16ab0af0d..5137ddca4 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -3154,7 +3154,7 @@ static CURLcode ftp_connect(struct Curl_easy *data, + + PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp); + +- if(conn->handler->flags & PROTOPT_SSL) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + /* BLOCKING */ + result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); + if(result) +diff --git a/lib/http.c b/lib/http.c +index 35e708551..8e9f0a52e 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2526,7 +2526,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) + goto fail; + } + +- if(!(conn->handler->flags&PROTOPT_SSL) && ++ if(!Curl_conn_is_ssl(conn, FIRSTSOCKET) && + conn->httpversion < 20 && + (data->state.httpwant == CURL_HTTP_VERSION_2)) { + /* append HTTP2 upgrade magic stuff to the HTTP request if it is not done +@@ -2672,7 +2672,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, + case 'A': + #ifndef CURL_DISABLE_ALTSVC + v = (data->asi && +- ((data->conn->handler->flags & PROTOPT_SSL) || ++ (Curl_conn_is_ssl(data->conn, FIRSTSOCKET) || + #ifdef DEBUGBUILD + /* allow debug builds to circumvent the HTTPS restriction */ + getenv("CURL_ALTSVC_HTTP") +@@ -2938,7 +2938,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, + #ifndef CURL_DISABLE_HSTS + /* If enabled, the header is incoming and this is over HTTPS */ + v = (data->hsts && +- ((conn->handler->flags & PROTOPT_SSL) || ++ (Curl_conn_is_ssl(conn, FIRSTSOCKET) || + #ifdef DEBUGBUILD + /* allow debug builds to circumvent the HTTPS restriction */ + getenv("CURL_HSTS_HTTP") +@@ -4160,7 +4160,7 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers, + infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme); + } + else { +- scheme = (data->conn && data->conn->handler->flags & PROTOPT_SSL) ? ++ scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ? + "https" : "http"; + } + } +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index 5d76bddf7..f031d0abc 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -27,6 +27,7 @@ + #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) + + #include "urldata.h" ++#include "cfilters.h" + #include "sendf.h" + #include "http_negotiate.h" + #include "vauth/vauth.h" +@@ -109,7 +110,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, + #endif + /* Check if the connection is using SSL and get the channel binding data */ + #if defined(USE_SSL) && defined(HAVE_GSSAPI) +- if(conn->handler->flags & PROTOPT_SSL) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); + result = Curl_ssl_get_channel_binding( + data, FIRSTSOCKET, &neg_ctx->channel_binding_data); +diff --git a/lib/imap.c b/lib/imap.c +index e424cdb05..df9dc343b 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1390,7 +1390,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct imap_conn *imapc = &conn->proto.imapc; + +- if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !imapc->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + imapc->ssldone = ssldone; +diff --git a/lib/ldap.c b/lib/ldap.c +index 2cbdb9c21..7dd40acef 100644 +--- a/lib/ldap.c ++++ b/lib/ldap.c +@@ -78,6 +78,7 @@ + + #include "urldata.h" + #include ++#include "cfilters.h" + #include "sendf.h" + #include "escape.h" + #include "progress.h" +@@ -346,7 +347,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + } + + /* Get the URL scheme (either ldap or ldaps) */ +- if(conn->given->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) + ldap_ssl = 1; + infof(data, "LDAP local: trying to establish %s connection", + ldap_ssl ? "encrypted" : "cleartext"); +diff --git a/lib/openldap.c b/lib/openldap.c +index 8c4af22be..9676ad3d0 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -571,7 +571,7 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done) + ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + + #ifdef USE_SSL +- if(conn->handler->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) + return oldap_ssl_connect(data, OLDAP_SSL); + + if(data->set.use_ssl) { +diff --git a/lib/pop3.c b/lib/pop3.c +index db6ec04c7..83dd64cda 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -1110,7 +1110,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct pop3_conn *pop3c = &conn->proto.pop3c; + +- if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !pop3c->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + pop3c->ssldone = ssldone; +diff --git a/lib/smb.c b/lib/smb.c +index a72ece62a..a2c82df5e 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -840,7 +840,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done) + + if(smbc->state == SMB_CONNECTING) { + #ifdef USE_SSL +- if((conn->handler->flags & PROTOPT_SSL)) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + bool ssl_done = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done); + if(result && result != CURLE_AGAIN) +diff --git a/lib/smtp.c b/lib/smtp.c +index d854d364f..c7fb0a4ca 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1286,7 +1286,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct smtp_conn *smtpc = &conn->proto.smtpc; + +- if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !smtpc->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + smtpc->ssldone = ssldone; +diff --git a/lib/url.c b/lib/url.c +index 436edd891..de200e1dd 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -958,12 +958,12 @@ static bool url_match_conn(struct connectdata *conn, void *userdata) + return FALSE; + #endif + +- if((needle->handler->flags&PROTOPT_SSL) != +- (conn->handler->flags&PROTOPT_SSL)) +- /* do not do mixed SSL and non-SSL connections */ +- if(get_protocol_family(conn->handler) != +- needle->handler->protocol || !conn->bits.tls_upgraded) +- /* except protocols that have been upgraded via TLS */ ++ if((!(needle->handler->flags&PROTOPT_SSL) != ++ !Curl_conn_is_ssl(conn, FIRSTSOCKET)) && ++ !(get_protocol_family(conn->handler) == needle->handler->protocol && ++ conn->bits.tls_upgraded)) ++ /* Deny `conn` if it is not fit for `needle`'s SSL needs, ++ * UNLESS `conn` is the same protocol family and was upgraded to SSL. */ + return FALSE; + + #ifndef CURL_DISABLE_PROXY +-- +2.48.1 + diff --git a/curl.spec b/curl.spec index ef932e9..c21fec2 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 3%{?dist} +Release: 4%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -22,6 +22,9 @@ Source2: mykey.asc # https://github.com/curl/curl/pull/15727 Patch1: 0001-curl-8.11.1-eventfd.patch +# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2324130#c7 +Patch2: 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -416,6 +419,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jan 31 2025 Jan Macku - 8.11.1-4 +- TLS: check connection for SSL use, not handler (#2324130#c7) + * Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 057c9e09f00a022d8b5e065164a7d77d2d67e669 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 5 Feb 2025 09:44:27 +0100 Subject: [PATCH 090/120] new upstream release - 8.12.0 --- 0001-curl-8.11.1-eventfd.patch | 31 --- ...k-connection-for-SSL-use-not-handler.patch | 227 ------------------ 0101-curl-7.32.0-multilib.patch | 28 +-- 0102-curl-7.84.0-test3026.patch | 8 +- 0104-curl-7.88.0-tests-warnings.patch | 30 --- curl.spec | 23 +- sources | 4 +- 7 files changed, 29 insertions(+), 322 deletions(-) delete mode 100644 0001-curl-8.11.1-eventfd.patch delete mode 100644 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch delete mode 100644 0104-curl-7.88.0-tests-warnings.patch diff --git a/0001-curl-8.11.1-eventfd.patch b/0001-curl-8.11.1-eventfd.patch deleted file mode 100644 index 3960452..0000000 --- a/0001-curl-8.11.1-eventfd.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 17c06b1ed19147d9e641ad5bcd672e8bce451b46 Mon Sep 17 00:00:00 2001 -From: Andy Pan -Date: Thu, 12 Dec 2024 12:48:56 +0000 -Subject: [PATCH] async-thread: avoid closing eventfd twice - -When employing eventfd for socketpair, there is only one file -descriptor. Closing that fd twice might result in fd corruption. -Thus, we should avoid closing the eventfd twice, following the -pattern in lib/multi.c. - -Fixes #15725 ---- - lib/asyn-thread.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c -index a58e4b790494ab..32d496b107cb0a 100644 ---- a/lib/asyn-thread.c -+++ b/lib/asyn-thread.c -@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) - * close one end of the socket pair (may be done in resolver thread); - * the other end (for reading) is always closed in the parent thread. - */ -+#ifndef USE_EVENTFD - if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { - wakeup_close(tsd->sock_pair[1]); - } -+#endif - #endif - memset(tsd, 0, sizeof(*tsd)); - } diff --git a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch deleted file mode 100644 index 9000c48..0000000 --- a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch +++ /dev/null @@ -1,227 +0,0 @@ -From b876aeb3f5d5c6539102f0575c0ec1d116388337 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Fri, 17 Jan 2025 11:57:00 +0100 -Subject: [PATCH] TLS: check connection for SSL use, not handler - -Protocol handler option PROTOPT_SSL is used to setup a connection -filters. Once that is done, used `Curl_conn_is_ssl()` to check if -a connection uses SSL. - -There may be other reasons to add SSL to a connection, e.g. starttls. - -Closes #16034 - -(cherry picked from commit 25b445e4796bcbf9f842de686a8c384b30f6c2a2) ---- - lib/cf-socket.c | 2 +- - lib/ftp.c | 2 +- - lib/http.c | 8 ++++---- - lib/http_negotiate.c | 3 ++- - lib/imap.c | 2 +- - lib/ldap.c | 3 ++- - lib/openldap.c | 2 +- - lib/pop3.c | 2 +- - lib/smb.c | 2 +- - lib/smtp.c | 2 +- - lib/url.c | 12 ++++++------ - 11 files changed, 21 insertions(+), 19 deletions(-) - -diff --git a/lib/cf-socket.c b/lib/cf-socket.c -index 497a3b965..de0c8a3ba 100644 ---- a/lib/cf-socket.c -+++ b/lib/cf-socket.c -@@ -1282,7 +1282,7 @@ static int do_connect(struct Curl_cfilter *cf, struct Curl_easy *data, - - rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); - #elif defined(MSG_FASTOPEN) /* old Linux */ -- if(cf->conn->given->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(cf->conn, cf->sockindex)) - rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); - else - rc = 0; /* Do nothing */ -diff --git a/lib/ftp.c b/lib/ftp.c -index 16ab0af0d..5137ddca4 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -3154,7 +3154,7 @@ static CURLcode ftp_connect(struct Curl_easy *data, - - PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp); - -- if(conn->handler->flags & PROTOPT_SSL) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - /* BLOCKING */ - result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); - if(result) -diff --git a/lib/http.c b/lib/http.c -index 35e708551..8e9f0a52e 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -2526,7 +2526,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) - goto fail; - } - -- if(!(conn->handler->flags&PROTOPT_SSL) && -+ if(!Curl_conn_is_ssl(conn, FIRSTSOCKET) && - conn->httpversion < 20 && - (data->state.httpwant == CURL_HTTP_VERSION_2)) { - /* append HTTP2 upgrade magic stuff to the HTTP request if it is not done -@@ -2672,7 +2672,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, - case 'A': - #ifndef CURL_DISABLE_ALTSVC - v = (data->asi && -- ((data->conn->handler->flags & PROTOPT_SSL) || -+ (Curl_conn_is_ssl(data->conn, FIRSTSOCKET) || - #ifdef DEBUGBUILD - /* allow debug builds to circumvent the HTTPS restriction */ - getenv("CURL_ALTSVC_HTTP") -@@ -2938,7 +2938,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, - #ifndef CURL_DISABLE_HSTS - /* If enabled, the header is incoming and this is over HTTPS */ - v = (data->hsts && -- ((conn->handler->flags & PROTOPT_SSL) || -+ (Curl_conn_is_ssl(conn, FIRSTSOCKET) || - #ifdef DEBUGBUILD - /* allow debug builds to circumvent the HTTPS restriction */ - getenv("CURL_HSTS_HTTP") -@@ -4160,7 +4160,7 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers, - infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme); - } - else { -- scheme = (data->conn && data->conn->handler->flags & PROTOPT_SSL) ? -+ scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ? - "https" : "http"; - } - } -diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c -index 5d76bddf7..f031d0abc 100644 ---- a/lib/http_negotiate.c -+++ b/lib/http_negotiate.c -@@ -27,6 +27,7 @@ - #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) - - #include "urldata.h" -+#include "cfilters.h" - #include "sendf.h" - #include "http_negotiate.h" - #include "vauth/vauth.h" -@@ -109,7 +110,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, - #endif - /* Check if the connection is using SSL and get the channel binding data */ - #if defined(USE_SSL) && defined(HAVE_GSSAPI) -- if(conn->handler->flags & PROTOPT_SSL) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); - result = Curl_ssl_get_channel_binding( - data, FIRSTSOCKET, &neg_ctx->channel_binding_data); -diff --git a/lib/imap.c b/lib/imap.c -index e424cdb05..df9dc343b 100644 ---- a/lib/imap.c -+++ b/lib/imap.c -@@ -1390,7 +1390,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct imap_conn *imapc = &conn->proto.imapc; - -- if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !imapc->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); - imapc->ssldone = ssldone; -diff --git a/lib/ldap.c b/lib/ldap.c -index 2cbdb9c21..7dd40acef 100644 ---- a/lib/ldap.c -+++ b/lib/ldap.c -@@ -78,6 +78,7 @@ - - #include "urldata.h" - #include -+#include "cfilters.h" - #include "sendf.h" - #include "escape.h" - #include "progress.h" -@@ -346,7 +347,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) - } - - /* Get the URL scheme (either ldap or ldaps) */ -- if(conn->given->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) - ldap_ssl = 1; - infof(data, "LDAP local: trying to establish %s connection", - ldap_ssl ? "encrypted" : "cleartext"); -diff --git a/lib/openldap.c b/lib/openldap.c -index 8c4af22be..9676ad3d0 100644 ---- a/lib/openldap.c -+++ b/lib/openldap.c -@@ -571,7 +571,7 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done) - ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); - - #ifdef USE_SSL -- if(conn->handler->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) - return oldap_ssl_connect(data, OLDAP_SSL); - - if(data->set.use_ssl) { -diff --git a/lib/pop3.c b/lib/pop3.c -index db6ec04c7..83dd64cda 100644 ---- a/lib/pop3.c -+++ b/lib/pop3.c -@@ -1110,7 +1110,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct pop3_conn *pop3c = &conn->proto.pop3c; - -- if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !pop3c->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); - pop3c->ssldone = ssldone; -diff --git a/lib/smb.c b/lib/smb.c -index a72ece62a..a2c82df5e 100644 ---- a/lib/smb.c -+++ b/lib/smb.c -@@ -840,7 +840,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done) - - if(smbc->state == SMB_CONNECTING) { - #ifdef USE_SSL -- if((conn->handler->flags & PROTOPT_SSL)) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - bool ssl_done = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done); - if(result && result != CURLE_AGAIN) -diff --git a/lib/smtp.c b/lib/smtp.c -index d854d364f..c7fb0a4ca 100644 ---- a/lib/smtp.c -+++ b/lib/smtp.c -@@ -1286,7 +1286,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct smtp_conn *smtpc = &conn->proto.smtpc; - -- if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !smtpc->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); - smtpc->ssldone = ssldone; -diff --git a/lib/url.c b/lib/url.c -index 436edd891..de200e1dd 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -958,12 +958,12 @@ static bool url_match_conn(struct connectdata *conn, void *userdata) - return FALSE; - #endif - -- if((needle->handler->flags&PROTOPT_SSL) != -- (conn->handler->flags&PROTOPT_SSL)) -- /* do not do mixed SSL and non-SSL connections */ -- if(get_protocol_family(conn->handler) != -- needle->handler->protocol || !conn->bits.tls_upgraded) -- /* except protocols that have been upgraded via TLS */ -+ if((!(needle->handler->flags&PROTOPT_SSL) != -+ !Curl_conn_is_ssl(conn, FIRSTSOCKET)) && -+ !(get_protocol_family(conn->handler) == needle->handler->protocol && -+ conn->bits.tls_upgraded)) -+ /* Deny `conn` if it is not fit for `needle`'s SSL needs, -+ * UNLESS `conn` is the same protocol family and was upgraded to SSL. */ - return FALSE; - - #ifndef CURL_DISABLE_PROXY --- -2.48.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index aec4fda..13a9a54 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From 7efcd412447fc41bded2f9621edf0ab4701c9b14 Mon Sep 17 00:00:00 2001 +From c96b08867e8593b32cec0f3971f10adfcaf2276e Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 11 Dec 2024 09:28:12 +0100 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +Date: Wed, 5 Feb 2025 09:31:04 +0100 +Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,10 +10,10 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index e89c256..9fb1a33 100644 +index 55184167b..324e0b740 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -75,7 +75,7 @@ while test "$#" -gt 0; do +@@ -74,7 +74,7 @@ while test "$#" -gt 0; do ;; --cc) @@ -22,25 +22,25 @@ index e89c256..9fb1a33 100644 ;; --prefix) -@@ -155,16 +155,7 @@ while test "$#" -gt 0; do +@@ -149,16 +149,7 @@ while test "$#" -gt 0; do ;; --libs) - if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then -- CURLLIBDIR="-L@libdir@ " +- curllibdir="-L@libdir@ " - else -- CURLLIBDIR='' +- curllibdir='' - fi - if test 'X@ENABLE_SHARED@' = 'Xno'; then -- echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" +- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else -- echo "${CURLLIBDIR}-lcurl" +- echo "${curllibdir}-lcurl" - fi + echo '-lcurl' ;; --ssl-backends) -@@ -172,16 +163,12 @@ while test "$#" -gt 0; do +@@ -166,16 +157,12 @@ while test "$#" -gt 0; do ;; --static-libs) @@ -61,7 +61,7 @@ index e89c256..9fb1a33 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index 4dfaab6..f4e847e 100644 +index b1fcf33dc..b15feec8e 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba524..f3645e1 100644 +index c0ba5244a..f3645e174 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644 Name: libcurl URL: https://curl.se/ -- -2.47.1 +2.48.1 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 82f4642..6c45cc8 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -1,6 +1,6 @@ -From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001 +From 6460e292e664b03fb550ce70e9a8cdf86ad0ef57 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 22 May 2024 13:03:43 +0200 +Date: Wed, 5 Feb 2025 09:34:28 +0100 Subject: [PATCH 2/2] test3026: disable valgrind It fails on x86_64 with: @@ -52,7 +52,7 @@ index ee9b30678..dd582c3e5 100644 diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 7e914010e..39374f5bc 100644 +index 61c70eb3b..79302fcf7 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c @@ -145,8 +145,8 @@ CURLcode test(char *URL) @@ -67,5 +67,5 @@ index 7e914010e..39374f5bc 100644 test_failure = (CURLcode)-1; goto cleanup; -- -2.45.1 +2.48.1 diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch deleted file mode 100644 index 0977dee..0000000 --- a/0104-curl-7.88.0-tests-warnings.patch +++ /dev/null @@ -1,30 +0,0 @@ -From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 24 Jul 2024 15:15:11 +0200 -Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" - -While it might be useful for upstream developers, it is not so useful -for downstream consumers. - -This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. ---- - tests/runtests.pl | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index 9cc9ef1..c9a1c5d 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -57,8 +57,7 @@ - # given, this won't be a problem. - - use strict; --# Promote all warnings to fatal --use warnings FATAL => 'all'; -+use warnings; - use 5.006; - use POSIX qw(strftime); - --- -2.45.2 - diff --git a/curl.spec b/curl.spec index c21fec2..186b566 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.11.1 -Release: 4%{?dist} +Version: 8.12.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,24 +16,12 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Fix crash with Unexpected error 9 on netlink descriptor 10 -# https://bugzilla.redhat.com/show_bug.cgi?id=2332350 -# https://github.com/curl/curl/issues/15725 -# https://github.com/curl/curl/pull/15727 -Patch1: 0001-curl-8.11.1-eventfd.patch - -# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2324130#c7 -Patch2: 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch -# do not fail on warnings in the upstream test driver -Patch104: 0104-curl-7.88.0-tests-warnings.patch - # test616: disable valgrind Patch105: 0105-curl-8.11.1-test616.patch @@ -419,6 +407,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 05 2025 Jan Macku - 8.12.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-0725 - gzip integer overflow + CVE-2025-0665 - eventfd double close + CVE-2025-0167 - netrc and default credential leak +- drop upstreamed patches + * Fri Jan 31 2025 Jan Macku - 8.11.1-4 - TLS: check connection for SSL use, not handler (#2324130#c7) diff --git a/sources b/sources index 91c8f05..01ad1a6 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.11.1.tar.xz) = 7c7c47a49505575b610c56b455f0919ea5082a993bf5483eeb258ead167aadb87078d626b343b417dcfc5439c53556425c8fb4fe3b01b53a87b47c01686a3e57 -SHA512 (curl-8.11.1.tar.xz.asc) = c09bedb67e83fb8ca3ad73c5bd0d92fed7fc2c26dbe5a71cccb193fd151c7219713241a9fe74baefcd1d008cfafba78142bf04cec24dd4a88d67179184d35824 +SHA512 (curl-8.12.0.tar.xz) = ed35f0020541050ce387f4ba80f9e87562ececd99082da1bae85840dee81c49b86a4a55909e15fcbf4eb116106a796c29a9b2678dee11326f80db75992c6edc5 +SHA512 (curl-8.12.0.tar.xz.asc) = 8526554ffb2187b48b6a4c6a0d4a8c73d484ef3ce4c3791add0e759baf953ac7ae0b2f88d688365b1f09c5745198611fa1761aa14d02ddf52823c4ff238779cd From 9c7fc53ab273793fba55aef94b81682065923b4f Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Feb 2025 08:28:44 +0100 Subject: [PATCH 091/120] new upstream release - 8.12.1 --- curl.spec | 2 +- sources | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 186b566..c7f23e3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.12.0 +Version: 8.12.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz diff --git a/sources b/sources index 01ad1a6..acd884b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.12.0.tar.xz) = ed35f0020541050ce387f4ba80f9e87562ececd99082da1bae85840dee81c49b86a4a55909e15fcbf4eb116106a796c29a9b2678dee11326f80db75992c6edc5 -SHA512 (curl-8.12.0.tar.xz.asc) = 8526554ffb2187b48b6a4c6a0d4a8c73d484ef3ce4c3791add0e759baf953ac7ae0b2f88d688365b1f09c5745198611fa1761aa14d02ddf52823c4ff238779cd +SHA512 (curl-8.12.1.tar.xz) = 88915468fa1bb7256e3dd6c9d058ada6894faa1e3e7800c7d9bfee3e8be4081ae57e7f2bf260c5342b709499fc4302ddc2d7864e25bfa3300fa07f118a3de603 +SHA512 (curl-8.12.1.tar.xz.asc) = 41fc5582935090d13940d86974fdea3ea901dd5dab156c16029a87f811d2535172c59dc8dc366f2ffc37bcf85accbecb5aa765bc7b83c2991a3ef402bf25af69 From 3ce21a370c4a3523ee3affbaea685b8c8e6c2cdf Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 10 Mar 2025 14:27:02 +0100 Subject: [PATCH 092/120] new upstream release - 8.13.0~rc1 --- ...test1022-add-support-for-rc-releases.patch | 44 +++++++++++++++++++ 0101-curl-7.32.0-multilib.patch | 16 +++---- curl.spec | 16 ++++--- sources | 4 +- 4 files changed, 65 insertions(+), 15 deletions(-) create mode 100644 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch diff --git a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch new file mode 100644 index 0000000..789aa0e --- /dev/null +++ b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch @@ -0,0 +1,44 @@ +From 3c1a88fdf72e9e43f289d121318fc31536964e66 Mon Sep 17 00:00:00 2001 +From: Samuel Henrique +Date: Sat, 8 Mar 2025 12:47:21 +0000 +Subject: [PATCH] test1022: add support for rc releases + + Fix the following test failure: + curl-config: illegal value + +Closes #16626 +--- + tests/libtest/test1022.pl | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tests/libtest/test1022.pl b/tests/libtest/test1022.pl +index 583b8f8562c0..5c5c02070ff7 100755 +--- a/tests/libtest/test1022.pl ++++ b/tests/libtest/test1022.pl +@@ -35,7 +35,7 @@ + open(CURL, "$ARGV[1]") || die "Can't open curl --version list in $ARGV[1]\n"; + $_ = ; + chomp; +-/libcurl\/([\.\d]+((-DEV)|(-\d+))?)/; ++/libcurl\/([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)/; + my $version = $1; + close CURL; + +@@ -47,7 +47,7 @@ + chomp; + my $filever=$_; + if ( $what eq "version" ) { +- if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-\d+))?)$/) { ++ if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)$/) { + $curlconfigversion = $1; + } + else { +@@ -63,7 +63,7 @@ + $curlconfigversion = "illegal value"; + } + +- # Strip off the -DEV from the curl version if it's there ++ # Strip off the -DEV and -rc suffixes from the curl version if they're there + $version =~ s/-\w*$//; + } + close CURLCONFIG; diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 13a9a54..e7b2a32 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From c96b08867e8593b32cec0f3971f10adfcaf2276e Mon Sep 17 00:00:00 2001 +From 495c771a6f9be008b783c5f59285d30fdc15fd63 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 5 Feb 2025 09:31:04 +0100 -Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script +Date: Mon, 10 Mar 2025 14:23:59 +0100 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,7 +10,7 @@ Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 55184167b..324e0b740 100644 +index 5518416..324e0b7 100644 --- a/curl-config.in +++ b/curl-config.in @@ -74,7 +74,7 @@ while test "$#" -gt 0; do @@ -61,11 +61,11 @@ index 55184167b..324e0b740 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index b1fcf33dc..b15feec8e 100644 +index 12ad245..fa0e03d 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. - ## --static-libs + ## `--static-libs` Shows the complete set of libs and other linker options you need in order to -link your application with libcurl statically. (Added in 7.17.1) @@ -73,10 +73,10 @@ index b1fcf33dc..b15feec8e 100644 +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - ## --version + ## `--version` diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba5244a..f3645e174 100644 +index c0ba524..f3645e1 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ diff --git a/curl.spec b/curl.spec index c7f23e3..80a56c3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,18 +6,21 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.12.1 +Version: 8.13.0~rc1 Release: 1%{?dist} License: curl -Source0: https://curl.se/download/%{name}-%{version}.tar.xz -Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc +Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz +Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # The curl download page ( https://curl.se/download.html ) links # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Test 1022 add support for rc releases +Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch + # patch making libcurl multilib ready -Patch101: 0101-curl-7.32.0-multilib.patch +# Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch @@ -211,7 +214,7 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%autosetup -p1 +%autosetup -n %{name}-%{version_no_tilde} -p1 # disable test 1801 # @@ -407,6 +410,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 +- new upstream release candidate + * Wed Feb 05 2025 Jan Macku - 8.12.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2025-0725 - gzip integer overflow diff --git a/sources b/sources index acd884b..fd8d757 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.12.1.tar.xz) = 88915468fa1bb7256e3dd6c9d058ada6894faa1e3e7800c7d9bfee3e8be4081ae57e7f2bf260c5342b709499fc4302ddc2d7864e25bfa3300fa07f118a3de603 -SHA512 (curl-8.12.1.tar.xz.asc) = 41fc5582935090d13940d86974fdea3ea901dd5dab156c16029a87f811d2535172c59dc8dc366f2ffc37bcf85accbecb5aa765bc7b83c2991a3ef402bf25af69 +SHA512 (curl-8.13.0-rc1.tar.xz) = 6890dae4abf9c9d4017c28ea8ced84ef457aa911574b261af97b81ab1631e04deef188928d015a19c861d8dd319a23d9a7725d93046fc07a39694c5dc445562e +SHA512 (curl-8.13.0-rc1.tar.xz.asc) = aeb6f5abcf1bd19d836ae688bebd0193c673060ed74afa7c5b63c2a0ecf7eaf00a223110cd7aa77d19183e8ba757bd0b8fb481e279cf1141c4b459f92604a740 From 5e5bbeb413edc79263a785e0ba467df9cb9c093c Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Mar 2025 09:30:38 +0100 Subject: [PATCH 093/120] fix --cert parameter Resolves: #2351531 --- ...3.0~rc1-fix--cert-parameter-clearing.patch | 60 +++++++++++++++++++ curl.spec | 8 ++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch diff --git a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch new file mode 100644 index 0000000..e08a349 --- /dev/null +++ b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch @@ -0,0 +1,60 @@ +From 886569e2db200c31073895a2626d20e0712e5207 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 12 Mar 2025 14:42:19 +0100 +Subject: [PATCH] curl: fix --cert parameter clearing + +Blank the argument *after* it has been copied. + +Reported-by: Jan Macku +Fixes #16686 +Closes #16688 +--- + src/tool_getparam.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 9f227abbfdb5..e5272de74feb 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -2481,8 +2481,8 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + } + break; + case C_CERT: /* --cert */ +- cleanarg(clearthis); + GetFileAndPassword(nextarg, &config->cert, &config->key_passwd); ++ cleanarg(clearthis); + break; + case C_CACERT: /* --cacert */ + err = getstr(&config->cacert, nextarg, DENY_BLANK); +@@ -2601,18 +2601,18 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + config->tcp_fastopen = TRUE; + break; + case C_PROXY_TLSUSER: /* --proxy-tlsuser */ +- cleanarg(clearthis); + if(!feature_tls_srp) + err = PARAM_LIBCURL_DOESNT_SUPPORT; + else + err = getstr(&config->proxy_tls_username, nextarg, ALLOW_BLANK); ++ cleanarg(clearthis); + break; + case C_PROXY_TLSPASSWORD: /* --proxy-tlspassword */ +- cleanarg(clearthis); + if(!feature_tls_srp) + err = PARAM_LIBCURL_DOESNT_SUPPORT; + else + err = getstr(&config->proxy_tls_password, nextarg, DENY_BLANK); ++ cleanarg(clearthis); + break; + case C_PROXY_TLSAUTHTYPE: /* --proxy-tlsauthtype */ + if(!feature_tls_srp) +@@ -2624,9 +2624,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + } + break; + case C_PROXY_CERT: /* --proxy-cert */ +- cleanarg(clearthis); + GetFileAndPassword(nextarg, &config->proxy_cert, + &config->proxy_key_passwd); ++ cleanarg(clearthis); + break; + case C_PROXY_CERT_TYPE: /* --proxy-cert-type */ + err = getstr(&config->proxy_cert_type, nextarg, DENY_BLANK); diff --git a/curl.spec b/curl.spec index 80a56c3..c7f41cc 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.13.0~rc1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -19,6 +19,9 @@ Source2: mykey.asc # Test 1022 add support for rc releases Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch +# Fix --cert parameter (#2351531) +Patch002: 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch + # patch making libcurl multilib ready # Patch101: 0101-curl-7.32.0-multilib.patch @@ -410,6 +413,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 +- fix --cert parameter (#2351531) + * Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 - new upstream release candidate From 4fcaa6c40447770a0df7ce914dd5ce90bf67a27c Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 18 Mar 2025 09:23:12 +0100 Subject: [PATCH 094/120] new upstream release - 8.13.0~rc2 --- ...test1022-add-support-for-rc-releases.patch | 44 -------------- ...3.0~rc1-fix--cert-parameter-clearing.patch | 60 ------------------- curl.spec | 13 ++-- sources | 4 +- 4 files changed, 7 insertions(+), 114 deletions(-) delete mode 100644 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch delete mode 100644 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch diff --git a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch deleted file mode 100644 index 789aa0e..0000000 --- a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 3c1a88fdf72e9e43f289d121318fc31536964e66 Mon Sep 17 00:00:00 2001 -From: Samuel Henrique -Date: Sat, 8 Mar 2025 12:47:21 +0000 -Subject: [PATCH] test1022: add support for rc releases - - Fix the following test failure: - curl-config: illegal value - -Closes #16626 ---- - tests/libtest/test1022.pl | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests/libtest/test1022.pl b/tests/libtest/test1022.pl -index 583b8f8562c0..5c5c02070ff7 100755 ---- a/tests/libtest/test1022.pl -+++ b/tests/libtest/test1022.pl -@@ -35,7 +35,7 @@ - open(CURL, "$ARGV[1]") || die "Can't open curl --version list in $ARGV[1]\n"; - $_ = ; - chomp; --/libcurl\/([\.\d]+((-DEV)|(-\d+))?)/; -+/libcurl\/([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)/; - my $version = $1; - close CURL; - -@@ -47,7 +47,7 @@ - chomp; - my $filever=$_; - if ( $what eq "version" ) { -- if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-\d+))?)$/) { -+ if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)$/) { - $curlconfigversion = $1; - } - else { -@@ -63,7 +63,7 @@ - $curlconfigversion = "illegal value"; - } - -- # Strip off the -DEV from the curl version if it's there -+ # Strip off the -DEV and -rc suffixes from the curl version if they're there - $version =~ s/-\w*$//; - } - close CURLCONFIG; diff --git a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch deleted file mode 100644 index e08a349..0000000 --- a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 886569e2db200c31073895a2626d20e0712e5207 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 12 Mar 2025 14:42:19 +0100 -Subject: [PATCH] curl: fix --cert parameter clearing - -Blank the argument *after* it has been copied. - -Reported-by: Jan Macku -Fixes #16686 -Closes #16688 ---- - src/tool_getparam.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/tool_getparam.c b/src/tool_getparam.c -index 9f227abbfdb5..e5272de74feb 100644 ---- a/src/tool_getparam.c -+++ b/src/tool_getparam.c -@@ -2481,8 +2481,8 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - } - break; - case C_CERT: /* --cert */ -- cleanarg(clearthis); - GetFileAndPassword(nextarg, &config->cert, &config->key_passwd); -+ cleanarg(clearthis); - break; - case C_CACERT: /* --cacert */ - err = getstr(&config->cacert, nextarg, DENY_BLANK); -@@ -2601,18 +2601,18 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - config->tcp_fastopen = TRUE; - break; - case C_PROXY_TLSUSER: /* --proxy-tlsuser */ -- cleanarg(clearthis); - if(!feature_tls_srp) - err = PARAM_LIBCURL_DOESNT_SUPPORT; - else - err = getstr(&config->proxy_tls_username, nextarg, ALLOW_BLANK); -+ cleanarg(clearthis); - break; - case C_PROXY_TLSPASSWORD: /* --proxy-tlspassword */ -- cleanarg(clearthis); - if(!feature_tls_srp) - err = PARAM_LIBCURL_DOESNT_SUPPORT; - else - err = getstr(&config->proxy_tls_password, nextarg, DENY_BLANK); -+ cleanarg(clearthis); - break; - case C_PROXY_TLSAUTHTYPE: /* --proxy-tlsauthtype */ - if(!feature_tls_srp) -@@ -2624,9 +2624,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - } - break; - case C_PROXY_CERT: /* --proxy-cert */ -- cleanarg(clearthis); - GetFileAndPassword(nextarg, &config->proxy_cert, - &config->proxy_key_passwd); -+ cleanarg(clearthis); - break; - case C_PROXY_CERT_TYPE: /* --proxy-cert-type */ - err = getstr(&config->proxy_cert_type, nextarg, DENY_BLANK); diff --git a/curl.spec b/curl.spec index c7f41cc..4e2d4ac 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0~rc1 -Release: 2%{?dist} +Version: 8.13.0~rc2 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -16,12 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Test 1022 add support for rc releases -Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch - -# Fix --cert parameter (#2351531) -Patch002: 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch - # patch making libcurl multilib ready # Patch101: 0101-curl-7.32.0-multilib.patch @@ -413,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 +- new upstream release candidate + * Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 - fix --cert parameter (#2351531) diff --git a/sources b/sources index fd8d757..d2c4139 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0-rc1.tar.xz) = 6890dae4abf9c9d4017c28ea8ced84ef457aa911574b261af97b81ab1631e04deef188928d015a19c861d8dd319a23d9a7725d93046fc07a39694c5dc445562e -SHA512 (curl-8.13.0-rc1.tar.xz.asc) = aeb6f5abcf1bd19d836ae688bebd0193c673060ed74afa7c5b63c2a0ecf7eaf00a223110cd7aa77d19183e8ba757bd0b8fb481e279cf1141c4b459f92604a740 +SHA512 (curl-8.13.0-rc2.tar.xz) = 299b41b5bf52b29f5064f68cd7d8d1e95d8b8f8b36fb80fb67ed2b342123f1fc87a543754cbee8c49c83a8e73daca89cb132a76c795d7fa4d9231c6bf281a9e0 +SHA512 (curl-8.13.0-rc2.tar.xz.asc) = 8149ff96d25b41b0a9418929bbdbb0675267457e7999bd98012289fb74af96f96e66bc9319024f37ef478a965ef233827d832e153db867f2cb6cd140954a4b3e From 95664fdd301c40c2d1a6d93b2a9d858a3c430e14 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 26 Mar 2025 10:11:44 +0100 Subject: [PATCH 095/120] new upstream release - 8.13.0~rc3 --- 0102-curl-7.84.0-test3026.patch | 71 --------------------------------- curl.spec | 11 ++--- sources | 4 +- 3 files changed, 8 insertions(+), 78 deletions(-) delete mode 100644 0102-curl-7.84.0-test3026.patch diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch deleted file mode 100644 index 6c45cc8..0000000 --- a/0102-curl-7.84.0-test3026.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 6460e292e664b03fb550ce70e9a8cdf86ad0ef57 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 5 Feb 2025 09:34:28 +0100 -Subject: [PATCH 2/2] test3026: disable valgrind - -It fails on x86_64 with: -``` - Use --max-threads=INT to specify a larger number of threads - and rerun valgrind - valgrind: the 'impossible' happened: - Max number of threads is too low - host stacktrace: - ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - sched status: - running_tid=1 - Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) - ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) - ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) - ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) - ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) - ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) - ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) - client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 - valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 -[...] -``` ---- - tests/data/test3026 | 3 +++ - tests/libtest/lib3026.c | 4 ++-- - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/tests/data/test3026 b/tests/data/test3026 -index ee9b30678..dd582c3e5 100644 ---- a/tests/data/test3026 -+++ b/tests/data/test3026 -@@ -41,5 +41,8 @@ none - - 0 - -+ -+disable -+ - - -diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 61c70eb3b..79302fcf7 100644 ---- a/tests/libtest/lib3026.c -+++ b/tests/libtest/lib3026.c -@@ -145,8 +145,8 @@ CURLcode test(char *URL) - results[i] = CURL_LAST; /* initialize with invalid value */ - res = pthread_create(&tids[i], NULL, run_thread, &results[i]); - if(res) { -- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", -- __FILE__, __LINE__, res); -+ fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", -+ __FILE__, __LINE__, i, res); - tid_count = i; - test_failure = (CURLcode)-1; - goto cleanup; --- -2.48.1 - diff --git a/curl.spec b/curl.spec index 4e2d4ac..279a92f 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0~rc2 +Version: 8.13.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -17,10 +17,7 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc Source2: mykey.asc # patch making libcurl multilib ready -# Patch101: 0101-curl-7.32.0-multilib.patch - -# test3026: disable valgrind -Patch102: 0102-curl-7.84.0-test3026.patch +Patch101: 0101-curl-7.32.0-multilib.patch # test616: disable valgrind Patch105: 0105-curl-8.11.1-test616.patch @@ -407,6 +404,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 +- new upstream release candidate +- drop: 0102-curl-7.84.0-test3026.patch (no longer needed) + * Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index d2c4139..168aaff 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0-rc2.tar.xz) = 299b41b5bf52b29f5064f68cd7d8d1e95d8b8f8b36fb80fb67ed2b342123f1fc87a543754cbee8c49c83a8e73daca89cb132a76c795d7fa4d9231c6bf281a9e0 -SHA512 (curl-8.13.0-rc2.tar.xz.asc) = 8149ff96d25b41b0a9418929bbdbb0675267457e7999bd98012289fb74af96f96e66bc9319024f37ef478a965ef233827d832e153db867f2cb6cd140954a4b3e +SHA512 (curl-8.13.0-rc3.tar.xz) = 72c0e0b8b0bc9117ab911b97bab6b1502d877f5a72a34091b68e48c046e45dfd188f24f270c0200f4df3f1a70933ada00f3a73a0aa078ec2b125fa5a9294d33f +SHA512 (curl-8.13.0-rc3.tar.xz.asc) = a2d94a898824fabc1c4834f9e5719fb65311d0f218f6170e80fe1a04c6f842f9fbf589d281767ab916f668ff7087bb318b819a1fb26790640df136f335ff3b99 From 4d98bbf51edd9f631e7e91abc79fd94b1e44e097 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 2 Apr 2025 11:17:10 +0200 Subject: [PATCH 096/120] new upstream release - 8.13.0 --- curl.spec | 7 ++++++- sources | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 279a92f..e265266 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0~rc3 +Version: 8.13.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -48,6 +48,7 @@ BuildRequires: make BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server +BuildRequires: openssl BuildRequires: openssl-devel %if %{with openssl_engine_support} && 0%{?fedora} >= 41 BuildRequires: openssl-devel-engine @@ -404,6 +405,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Apr 02 2025 Jan Macku - 8.13.0-1 +- new upstream release +- add build time dependency on openssl (required by tests) + * Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 - new upstream release candidate - drop: 0102-curl-7.84.0-test3026.patch (no longer needed) diff --git a/sources b/sources index 168aaff..92367a0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0-rc3.tar.xz) = 72c0e0b8b0bc9117ab911b97bab6b1502d877f5a72a34091b68e48c046e45dfd188f24f270c0200f4df3f1a70933ada00f3a73a0aa078ec2b125fa5a9294d33f -SHA512 (curl-8.13.0-rc3.tar.xz.asc) = a2d94a898824fabc1c4834f9e5719fb65311d0f218f6170e80fe1a04c6f842f9fbf589d281767ab916f668ff7087bb318b819a1fb26790640df136f335ff3b99 +SHA512 (curl-8.13.0.tar.xz) = d266e460f162ee455b56726e5b7247b2d1aa5265ae12081513fc0c5c79e785a594097bc71d505dc9bcd2c2f6f1ff6f4bab9dbd9d120bb76d06c5be8521a8ca7d +SHA512 (curl-8.13.0.tar.xz.asc) = 07f79c7fd7c305c96e10a5f52797254aed7d2a1f3577c8626b8d617855ceb82634ac6787bfa0b7130a4ed72c3a9945d3c9ba5b7be54df8bafa07ded1c62ef2be From ece940a64912f74d92fd403675eef80f9b357e68 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Fri, 2 May 2025 09:36:02 +0200 Subject: [PATCH 097/120] new upstream release - 8.14.0~rc1 --- curl.spec | 8 +++++++- sources | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index e265266..1e416a3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0 +Version: 8.14.0~rc1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -381,6 +381,8 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* +%{_bindir}/wcurl +%{_mandir}/man1/wcurl.1* %{_datadir}/zsh %files -n libcurl @@ -405,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 +- new upstream release candidate +- new utility: wcurl which lets you download URLs without having to remember any parameters + * Wed Apr 02 2025 Jan Macku - 8.13.0-1 - new upstream release - add build time dependency on openssl (required by tests) diff --git a/sources b/sources index 92367a0..769013c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0.tar.xz) = d266e460f162ee455b56726e5b7247b2d1aa5265ae12081513fc0c5c79e785a594097bc71d505dc9bcd2c2f6f1ff6f4bab9dbd9d120bb76d06c5be8521a8ca7d -SHA512 (curl-8.13.0.tar.xz.asc) = 07f79c7fd7c305c96e10a5f52797254aed7d2a1f3577c8626b8d617855ceb82634ac6787bfa0b7130a4ed72c3a9945d3c9ba5b7be54df8bafa07ded1c62ef2be +SHA512 (curl-8.14.0-rc1.tar.xz) = e9bd9e5c95580ee04171de937ff852c30b4606ef28a0250c1fdd231d7155089d3591e0dbed1f10280c9868b66329c1c9badf9a0e15e3e2721ab103627e92caa3 +SHA512 (curl-8.14.0-rc1.tar.xz.asc) = f02e0fd84bffcbe31fa6ccdba41729be86404241c177087500d4d992278d217ea55d73a9bc260b601ddeef70738e45b799a2bd49c68db05adfe8c127434f5708 From b8ae67753af119081cacdecf02e2180ad85e1b17 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 28 May 2025 12:59:33 +0200 Subject: [PATCH 098/120] new upstream release - 8.14.0 --- ...8.14.0-multi-fix-add_handle-resizing.patch | 209 ++++++++++++++++++ curl.spec | 11 +- sources | 4 +- 3 files changed, 221 insertions(+), 3 deletions(-) create mode 100644 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch diff --git a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch new file mode 100644 index 0000000..4b7e58a --- /dev/null +++ b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch @@ -0,0 +1,209 @@ +From d16ccbd55de80c271fe822f4ba8b6271fd9166ff Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 28 May 2025 14:04:31 +0200 +Subject: [PATCH] multi: fix add_handle resizing + +Due to someone being stupid, the resizing of the multi's transfer +table was actually shrinking it. Oh my. + +Add test751 to reproduce, add code assertion. + +Fixes #17473 +Reported-by: Jeroen Ooms +Closes #17475 +--- + lib/multi.c | 3 +- + tests/data/Makefile.am | 2 +- + tests/data/test751 | 33 ++++++++++++++ + tests/libtest/Makefile.inc | 4 ++ + tests/libtest/lib751.c | 92 ++++++++++++++++++++++++++++++++++++++ + 5 files changed, 132 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test751 + create mode 100644 tests/libtest/lib751.c + +diff --git a/lib/multi.c b/lib/multi.c +index 792b30515d8b..b744e03ae52f 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -347,7 +347,8 @@ static CURLMcode multi_xfers_add(struct Curl_multi *multi, + if(unused <= min_unused) { + /* make it a 64 multiple, since our bitsets frow by that and + * small (easy_multi) grows to at least 64 on first resize. */ +- unsigned int newsize = ((capacity + min_unused) + 63) / 64; ++ unsigned int newsize = (((capacity + min_unused) + 63) / 64) * 64; ++ DEBUGASSERT(newsize > capacity); + /* Grow the bitsets first. Should one fail, we do not need + * to downsize the already resized ones. The sets continue + * to work properly when larger than the table, but not +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index e8f9e12be71e..16bb57db8e69 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \ + test718 test719 test720 test721 test722 test723 test724 test725 test726 \ + test727 test728 test729 test730 test731 test732 test733 test734 test735 \ + test736 test737 test738 test739 test740 test741 test742 test743 test744 \ +-test745 test746 test747 test748 test749 test750 \ ++test745 test746 test747 test748 test749 test750 test751 \ + \ + test780 test781 test782 test783 test784 test785 test786 test787 test788 \ + test789 test790 test791 \ +diff --git a/tests/data/test751 b/tests/data/test751 +new file mode 100644 +index 000000000000..ffc6df512f83 +--- /dev/null ++++ b/tests/data/test751 +@@ -0,0 +1,33 @@ ++ ++ ++ ++MULTI ++ ++ ++ ++ ++ ++ ++ ++# Client-side ++ ++ ++none ++ ++# tool is what to use instead of 'curl' ++ ++lib%TESTNUMBER ++ ++ ++ ++multi - add many easy handles ++ ++ ++ ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index faf7eacdf6af..002e7ab5470d 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -50,6 +50,7 @@ LIBTESTPROGS = libauthretry libntlmconnect libprereq \ + lib659 lib661 lib666 lib667 lib668 \ + lib670 lib671 lib672 lib673 lib674 lib676 lib677 lib678 lib694 lib695 \ + lib696 \ ++ lib751 \ + lib1156 \ + lib1301 \ + lib1308 \ +@@ -349,6 +350,9 @@ lib695_SOURCES = lib695.c $(SUPPORTFILES) + lib696_SOURCES = lib556.c $(SUPPORTFILES) $(WARNLESS) + lib696_CPPFLAGS = $(AM_CPPFLAGS) -DLIB696 + ++lib751_SOURCES = lib751.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib751_LDADD = $(TESTUTIL_LIBS) ++ + lib1301_SOURCES = lib1301.c $(SUPPORTFILES) $(TESTUTIL) + lib1301_LDADD = $(TESTUTIL_LIBS) + +diff --git a/tests/libtest/lib751.c b/tests/libtest/lib751.c +new file mode 100644 +index 000000000000..ab2f923b959d +--- /dev/null ++++ b/tests/libtest/lib751.c +@@ -0,0 +1,92 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++#include "test.h" ++ ++#include "testutil.h" ++#include "warnless.h" ++#include "memdebug.h" ++ ++#define TEST_HANG_TIMEOUT 60 * 1000 ++ ++/* ++ * Get a single URL without select(). ++ */ ++ ++CURLcode test(char *URL) ++{ ++ CURL *easies[1000]; ++ CURLM *m; ++ CURLcode res = CURLE_FAILED_INIT; ++ CURLMcode mres; ++ int i; ++ ++ (void)URL; ++ memset(easies, 0, sizeof(easies)); ++ ++ curl_global_init(CURL_GLOBAL_DEFAULT); ++ m = curl_multi_init(); ++ if(!m) { ++ res = CURLE_OUT_OF_MEMORY; ++ goto test_cleanup; ++ } ++ ++ for(i = 0; i < 1000; i++) { ++ CURL *e = curl_easy_init(); ++ if(!e) { ++ res = CURLE_OUT_OF_MEMORY; ++ goto test_cleanup; ++ } ++ easies[i] = e; ++ ++ res = curl_easy_setopt(e, CURLOPT_URL, "https://www.example.com/"); ++ if(!res) ++ res = curl_easy_setopt(e, CURLOPT_VERBOSE, 1L); ++ if(res) ++ goto test_cleanup; ++ ++ mres = curl_multi_add_handle(m, e); ++ if(mres != CURLM_OK) { ++ printf("MULTI ERROR: %s\n", curl_multi_strerror(mres)); ++ res = CURLE_FAILED_INIT; ++ goto test_cleanup; ++ } ++ } ++ ++test_cleanup: ++ ++ if(res) ++ printf("ERROR: %s\n", curl_easy_strerror(res)); ++ ++ for(i = 0; i < 1000; i++) { ++ if(easies[i]) { ++ curl_multi_add_handle(m, easies[i]); ++ curl_easy_cleanup(easies[i]); ++ easies[i] = NULL; ++ } ++ } ++ curl_multi_cleanup(m); ++ curl_global_cleanup(); ++ ++ return res; ++} diff --git a/curl.spec b/curl.spec index 1e416a3..555fe8e 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.14.0~rc1 +Version: 8.14.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -16,6 +16,9 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Fix 8.14.0 regression: https://github.com/curl/curl/issues/17473 +Patch001: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -407,6 +410,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 28 2025 Jan Macku - 8.14.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-5025 - No QUIC certificate pinning with wolfSSL + CVE-2025-4947 - QUIC certificate check skip with wolfSSL +- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles + * Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 - new upstream release candidate - new utility: wcurl which lets you download URLs without having to remember any parameters diff --git a/sources b/sources index 769013c..c4de0f0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.14.0-rc1.tar.xz) = e9bd9e5c95580ee04171de937ff852c30b4606ef28a0250c1fdd231d7155089d3591e0dbed1f10280c9868b66329c1c9badf9a0e15e3e2721ab103627e92caa3 -SHA512 (curl-8.14.0-rc1.tar.xz.asc) = f02e0fd84bffcbe31fa6ccdba41729be86404241c177087500d4d992278d217ea55d73a9bc260b601ddeef70738e45b799a2bd49c68db05adfe8c127434f5708 +SHA512 (curl-8.14.0.tar.xz) = d9f49cac0b93dbc53879713cc017392b4277d84b489bbf2ef3b585c6a50eea6c3a7b80043286b34062af04329560f2dc321f315b0038ce93435aa9bbcaec1eea +SHA512 (curl-8.14.0.tar.xz.asc) = 7c147ddb5e141dd9951e2ef6b23fa120318c0e631fb36861b80fce61b4b19ca08273a6b95627f46a8172945fb51bd790ffc74dee0a4b0de860dad518963b4710 From 8077eb733b4ff6f66c2887694a5034b54550df73 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 4 Jun 2025 12:59:43 +0200 Subject: [PATCH 099/120] new upstream release - 8.14.1 --- ...8.14.0-multi-fix-add_handle-resizing.patch | 209 ------------------ curl.spec | 9 +- sources | 4 +- 3 files changed, 7 insertions(+), 215 deletions(-) delete mode 100644 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch diff --git a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch deleted file mode 100644 index 4b7e58a..0000000 --- a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch +++ /dev/null @@ -1,209 +0,0 @@ -From d16ccbd55de80c271fe822f4ba8b6271fd9166ff Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 28 May 2025 14:04:31 +0200 -Subject: [PATCH] multi: fix add_handle resizing - -Due to someone being stupid, the resizing of the multi's transfer -table was actually shrinking it. Oh my. - -Add test751 to reproduce, add code assertion. - -Fixes #17473 -Reported-by: Jeroen Ooms -Closes #17475 ---- - lib/multi.c | 3 +- - tests/data/Makefile.am | 2 +- - tests/data/test751 | 33 ++++++++++++++ - tests/libtest/Makefile.inc | 4 ++ - tests/libtest/lib751.c | 92 ++++++++++++++++++++++++++++++++++++++ - 5 files changed, 132 insertions(+), 2 deletions(-) - create mode 100644 tests/data/test751 - create mode 100644 tests/libtest/lib751.c - -diff --git a/lib/multi.c b/lib/multi.c -index 792b30515d8b..b744e03ae52f 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -347,7 +347,8 @@ static CURLMcode multi_xfers_add(struct Curl_multi *multi, - if(unused <= min_unused) { - /* make it a 64 multiple, since our bitsets frow by that and - * small (easy_multi) grows to at least 64 on first resize. */ -- unsigned int newsize = ((capacity + min_unused) + 63) / 64; -+ unsigned int newsize = (((capacity + min_unused) + 63) / 64) * 64; -+ DEBUGASSERT(newsize > capacity); - /* Grow the bitsets first. Should one fail, we do not need - * to downsize the already resized ones. The sets continue - * to work properly when larger than the table, but not -diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am -index e8f9e12be71e..16bb57db8e69 100644 ---- a/tests/data/Makefile.am -+++ b/tests/data/Makefile.am -@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \ - test718 test719 test720 test721 test722 test723 test724 test725 test726 \ - test727 test728 test729 test730 test731 test732 test733 test734 test735 \ - test736 test737 test738 test739 test740 test741 test742 test743 test744 \ --test745 test746 test747 test748 test749 test750 \ -+test745 test746 test747 test748 test749 test750 test751 \ - \ - test780 test781 test782 test783 test784 test785 test786 test787 test788 \ - test789 test790 test791 \ -diff --git a/tests/data/test751 b/tests/data/test751 -new file mode 100644 -index 000000000000..ffc6df512f83 ---- /dev/null -+++ b/tests/data/test751 -@@ -0,0 +1,33 @@ -+ -+ -+ -+MULTI -+ -+ -+ -+ -+ -+ -+ -+# Client-side -+ -+ -+none -+ -+# tool is what to use instead of 'curl' -+ -+lib%TESTNUMBER -+ -+ -+ -+multi - add many easy handles -+ -+ -+ -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+ -+ -diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc -index faf7eacdf6af..002e7ab5470d 100644 ---- a/tests/libtest/Makefile.inc -+++ b/tests/libtest/Makefile.inc -@@ -50,6 +50,7 @@ LIBTESTPROGS = libauthretry libntlmconnect libprereq \ - lib659 lib661 lib666 lib667 lib668 \ - lib670 lib671 lib672 lib673 lib674 lib676 lib677 lib678 lib694 lib695 \ - lib696 \ -+ lib751 \ - lib1156 \ - lib1301 \ - lib1308 \ -@@ -349,6 +350,9 @@ lib695_SOURCES = lib695.c $(SUPPORTFILES) - lib696_SOURCES = lib556.c $(SUPPORTFILES) $(WARNLESS) - lib696_CPPFLAGS = $(AM_CPPFLAGS) -DLIB696 - -+lib751_SOURCES = lib751.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) -+lib751_LDADD = $(TESTUTIL_LIBS) -+ - lib1301_SOURCES = lib1301.c $(SUPPORTFILES) $(TESTUTIL) - lib1301_LDADD = $(TESTUTIL_LIBS) - -diff --git a/tests/libtest/lib751.c b/tests/libtest/lib751.c -new file mode 100644 -index 000000000000..ab2f923b959d ---- /dev/null -+++ b/tests/libtest/lib751.c -@@ -0,0 +1,92 @@ -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) Daniel Stenberg, , et al. -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at https://curl.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ * SPDX-License-Identifier: curl -+ * -+ ***************************************************************************/ -+#include "test.h" -+ -+#include "testutil.h" -+#include "warnless.h" -+#include "memdebug.h" -+ -+#define TEST_HANG_TIMEOUT 60 * 1000 -+ -+/* -+ * Get a single URL without select(). -+ */ -+ -+CURLcode test(char *URL) -+{ -+ CURL *easies[1000]; -+ CURLM *m; -+ CURLcode res = CURLE_FAILED_INIT; -+ CURLMcode mres; -+ int i; -+ -+ (void)URL; -+ memset(easies, 0, sizeof(easies)); -+ -+ curl_global_init(CURL_GLOBAL_DEFAULT); -+ m = curl_multi_init(); -+ if(!m) { -+ res = CURLE_OUT_OF_MEMORY; -+ goto test_cleanup; -+ } -+ -+ for(i = 0; i < 1000; i++) { -+ CURL *e = curl_easy_init(); -+ if(!e) { -+ res = CURLE_OUT_OF_MEMORY; -+ goto test_cleanup; -+ } -+ easies[i] = e; -+ -+ res = curl_easy_setopt(e, CURLOPT_URL, "https://www.example.com/"); -+ if(!res) -+ res = curl_easy_setopt(e, CURLOPT_VERBOSE, 1L); -+ if(res) -+ goto test_cleanup; -+ -+ mres = curl_multi_add_handle(m, e); -+ if(mres != CURLM_OK) { -+ printf("MULTI ERROR: %s\n", curl_multi_strerror(mres)); -+ res = CURLE_FAILED_INIT; -+ goto test_cleanup; -+ } -+ } -+ -+test_cleanup: -+ -+ if(res) -+ printf("ERROR: %s\n", curl_easy_strerror(res)); -+ -+ for(i = 0; i < 1000; i++) { -+ if(easies[i]) { -+ curl_multi_add_handle(m, easies[i]); -+ curl_easy_cleanup(easies[i]); -+ easies[i] = NULL; -+ } -+ } -+ curl_multi_cleanup(m); -+ curl_global_cleanup(); -+ -+ return res; -+} diff --git a/curl.spec b/curl.spec index 555fe8e..dd4e145 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.14.0 +Version: 8.14.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -16,9 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Fix 8.14.0 regression: https://github.com/curl/curl/issues/17473 -Patch001: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -410,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jun 04 2025 Jan Macku - 8.14.1-1 +- new upstream release +- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) + * Wed May 28 2025 Jan Macku - 8.14.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2025-5025 - No QUIC certificate pinning with wolfSSL diff --git a/sources b/sources index c4de0f0..0f72a68 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.14.0.tar.xz) = d9f49cac0b93dbc53879713cc017392b4277d84b489bbf2ef3b585c6a50eea6c3a7b80043286b34062af04329560f2dc321f315b0038ce93435aa9bbcaec1eea -SHA512 (curl-8.14.0.tar.xz.asc) = 7c147ddb5e141dd9951e2ef6b23fa120318c0e631fb36861b80fce61b4b19ca08273a6b95627f46a8172945fb51bd790ffc74dee0a4b0de860dad518963b4710 +SHA512 (curl-8.14.1.tar.xz) = 7f6eae04cc23c50fc41d448aa28dfa59141018009e42c5b1e3f4e0d40c0633460b4e6eec05dfc290f7953671096abfa70a8b5443fccdd3f1be6be32ac10b31d9 +SHA512 (curl-8.14.1.tar.xz.asc) = 663b1652bb27338310d1475a8b0422f04e68fca74be11a4b7120de948af4fc0c2b08b75ce5372d657aa89504a27b36b937b5091cb2d932297a7490d5e390d99f From 1b9d79c6fd4fee6d966e917589125b48c12493ad Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 23 Jun 2025 10:29:25 +0200 Subject: [PATCH 100/120] new upstream release - 8.15.0~rc1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index dd4e145..f21017b 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.14.1 +Version: 8.15.0~rc1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 +- new upstream release candidate + * Wed Jun 04 2025 Jan Macku - 8.14.1-1 - new upstream release - drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) diff --git a/sources b/sources index 0f72a68..8eec045 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.14.1.tar.xz) = 7f6eae04cc23c50fc41d448aa28dfa59141018009e42c5b1e3f4e0d40c0633460b4e6eec05dfc290f7953671096abfa70a8b5443fccdd3f1be6be32ac10b31d9 -SHA512 (curl-8.14.1.tar.xz.asc) = 663b1652bb27338310d1475a8b0422f04e68fca74be11a4b7120de948af4fc0c2b08b75ce5372d657aa89504a27b36b937b5091cb2d932297a7490d5e390d99f +SHA512 (curl-8.15.0-rc1.tar.xz) = eedabb0e416e119107e05c1b6afa04b4157f0381a3572c352e996ff682302690dbe34b75f39d49f6b7a26667eb673f06bd311853e73b9a82839eb1d8a43abe60 +SHA512 (curl-8.15.0-rc1.tar.xz.asc) = 8dbd61cc5246dc6244ac3bc16f9411d3bfe84bae8bd52935dd82d114c92a3be01116963d5518dea12426fbc5d6b45d9baec8354f9183c51f9cddf3204953d865 From 1984beb5371b749ce9fdcd32fde589c2860dc8d5 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 30 Jun 2025 13:44:33 +0200 Subject: [PATCH 101/120] new upstream release - 8.15.0~rc2 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index f21017b..bdb28fb 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc1 +Version: 8.15.0~rc2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 +- new upstream release candidate + * Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 - new upstream release candidate diff --git a/sources b/sources index 8eec045..9da21bd 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc1.tar.xz) = eedabb0e416e119107e05c1b6afa04b4157f0381a3572c352e996ff682302690dbe34b75f39d49f6b7a26667eb673f06bd311853e73b9a82839eb1d8a43abe60 -SHA512 (curl-8.15.0-rc1.tar.xz.asc) = 8dbd61cc5246dc6244ac3bc16f9411d3bfe84bae8bd52935dd82d114c92a3be01116963d5518dea12426fbc5d6b45d9baec8354f9183c51f9cddf3204953d865 +SHA512 (curl-8.15.0-rc2.tar.xz) = 9b4e04b0e2ff5d7a432ea931a965e7ee73103c5430c59b029ea9846358ed052c1353ea12a5636809a78df370e8639254103eb5e4614b75f33a65683044599580 +SHA512 (curl-8.15.0-rc2.tar.xz.asc) = 4aa6e38ec97159802cada0d89c374d06d5eba145139a8fd9f1bc52c42d296088ed559296fe7847b906eb852d382c523f7e48f0f5e03b30fef7996181e6628c10 From c602d3aa5676dfaf8bcff41b8daa26f27eb6856d Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 10 Jul 2025 09:21:53 +0200 Subject: [PATCH 102/120] new upstream release - 8.15.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index bdb28fb..1045a24 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc2 +Version: 8.15.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 +- new upstream release candidate + * Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index 9da21bd..0642c98 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc2.tar.xz) = 9b4e04b0e2ff5d7a432ea931a965e7ee73103c5430c59b029ea9846358ed052c1353ea12a5636809a78df370e8639254103eb5e4614b75f33a65683044599580 -SHA512 (curl-8.15.0-rc2.tar.xz.asc) = 4aa6e38ec97159802cada0d89c374d06d5eba145139a8fd9f1bc52c42d296088ed559296fe7847b906eb852d382c523f7e48f0f5e03b30fef7996181e6628c10 +SHA512 (curl-8.15.0-rc3.tar.xz) = 0f1f99bc69fde58f5e9348543e9aee9ca7c27642f04c380f233c6b3280ae53b9d65529ede8fe831ea6770d3657963f02dc8604a5006e805c6f4519cac79c8d01 +SHA512 (curl-8.15.0-rc3.tar.xz.asc) = 41cb379d5bceb5eadad86d007a3352846ebeaca383ef6448b58dc597ebc914a0fd4aaaf19dc4d47557ea06933b981f2db617a07e27848d2ff32fbb1dc7f52fca From e6d7e2ed2d76eaac3c5e59273a81872976efef7e Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 16 Jul 2025 10:14:01 +0200 Subject: [PATCH 103/120] new upstream release - 8.15.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 1045a24..885ba52 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc3 +Version: 8.15.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 16 2025 Jan Macku - 8.15.0-1 +- new upstream release + * Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 0642c98..fe20191 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc3.tar.xz) = 0f1f99bc69fde58f5e9348543e9aee9ca7c27642f04c380f233c6b3280ae53b9d65529ede8fe831ea6770d3657963f02dc8604a5006e805c6f4519cac79c8d01 -SHA512 (curl-8.15.0-rc3.tar.xz.asc) = 41cb379d5bceb5eadad86d007a3352846ebeaca383ef6448b58dc597ebc914a0fd4aaaf19dc4d47557ea06933b981f2db617a07e27848d2ff32fbb1dc7f52fca +SHA512 (curl-8.15.0.tar.xz) = d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191 +SHA512 (curl-8.15.0.tar.xz.asc) = b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5 From cc5717f9ec610100193bee9eae480f7dad24fa24 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 18:56:38 +0000 Subject: [PATCH 104/120] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 885ba52..ced8578 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.15.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Wed Jul 16 2025 Jan Macku - 8.15.0-1 - new upstream release From e4069769c832d7469bbbeb654b28427c346514dd Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 25 Aug 2025 10:43:21 +0200 Subject: [PATCH 105/120] new upstream release - 8.16.0~rc2 --- 0101-curl-7.32.0-multilib.patch | 14 +++++++------- curl.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index e7b2a32..79e9855 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From 495c771a6f9be008b783c5f59285d30fdc15fd63 Mon Sep 17 00:00:00 2001 +From ae56f768f418e1dd91f9eb3edf1a88453f61e160 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Mon, 10 Mar 2025 14:23:59 +0100 +Date: Mon, 25 Aug 2025 10:41:12 +0200 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 5518416..324e0b7 100644 +index ce23519..bb43ca8 100644 --- a/curl-config.in +++ b/curl-config.in @@ -74,7 +74,7 @@ while test "$#" -gt 0; do @@ -26,12 +26,12 @@ index 5518416..324e0b7 100644 ;; --libs) -- if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then +- if test "@libdir@" != '/usr/lib' -a "@libdir@" != '/usr/lib64'; then - curllibdir="-L@libdir@ " - else - curllibdir='' - fi -- if test 'X@ENABLE_SHARED@' = 'Xno'; then +- if test '@ENABLE_SHARED@' = 'no'; then - echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${curllibdir}-lcurl" @@ -44,7 +44,7 @@ index 5518416..324e0b7 100644 ;; --static-libs) -- if test 'X@ENABLE_STATIC@' != 'Xno'; then +- if test '@ENABLE_STATIC@' != 'no'; then - echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 @@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644 Name: libcurl URL: https://curl.se/ -- -2.48.1 +2.50.1 diff --git a/curl.spec b/curl.spec index ced8578..e780804 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0 -Release: 2%{?dist} +Version: 8.16.0~rc2 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 +- new upstream release candidate + * Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild diff --git a/sources b/sources index fe20191..ad9b1ad 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0.tar.xz) = d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191 -SHA512 (curl-8.15.0.tar.xz.asc) = b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5 +SHA512 (curl-8.16.0-rc2.tar.xz.asc) = c180343f1037cf51eb32c61035a4da7e728c2ee7f8d4ca1d464545b9b4044b30963e6b1ce424951a151ff901d7c7f4d56e7a54dacc581fc2c5c3b54349c155eb +SHA512 (curl-8.16.0-rc2.tar.xz) = 7cc4f56a05634c651cf7224d3844359498d127f259e531aadefe86f6df3a7fc5f6644c296407d38867ddb716fe3e4951d377592f6d977c196ad1a733374e608f From 581c1b9ace3de047af9bec6a8a59cf0c9f36c91c Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 3 Sep 2025 10:39:46 +0200 Subject: [PATCH 106/120] new upstream release - 8.16.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index e780804..0a7e2b9 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0~rc2 +Version: 8.16.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 +- new upstream release candidate + * Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index ad9b1ad..9d707b2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0-rc2.tar.xz.asc) = c180343f1037cf51eb32c61035a4da7e728c2ee7f8d4ca1d464545b9b4044b30963e6b1ce424951a151ff901d7c7f4d56e7a54dacc581fc2c5c3b54349c155eb -SHA512 (curl-8.16.0-rc2.tar.xz) = 7cc4f56a05634c651cf7224d3844359498d127f259e531aadefe86f6df3a7fc5f6644c296407d38867ddb716fe3e4951d377592f6d977c196ad1a733374e608f +SHA512 (curl-8.16.0-rc3.tar.xz) = 119e00ac9c150ac1d61ce5eeb522168b8a1c68d6576077400222170e0bd9b25dbe53182166a194058e58831a8768c1b7d9145fd5051c4e13bcd12841eb3a7284 +SHA512 (curl-8.16.0-rc3.tar.xz.asc) = 50e484772ac1e8390222ce21702c6995c96b4da99d1e0f2e233b7226b48b5ce3a290d6050963e1e2c519b9a29d2ded7134d3bd4e765a946a8abbae3c67e31d32 From 4335a7a3cb25cd33eea86ac9fc8d41bb67fd857f Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 10 Sep 2025 08:56:14 +0200 Subject: [PATCH 107/120] new upstream release - 8.16.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 0a7e2b9..bf0f7ee 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0~rc3 +Version: 8.16.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 10 2025 Jan Macku - 8.16.0-1 +- new upstream release + * Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 9d707b2..8b5feac 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0-rc3.tar.xz) = 119e00ac9c150ac1d61ce5eeb522168b8a1c68d6576077400222170e0bd9b25dbe53182166a194058e58831a8768c1b7d9145fd5051c4e13bcd12841eb3a7284 -SHA512 (curl-8.16.0-rc3.tar.xz.asc) = 50e484772ac1e8390222ce21702c6995c96b4da99d1e0f2e233b7226b48b5ce3a290d6050963e1e2c519b9a29d2ded7134d3bd4e765a946a8abbae3c67e31d32 +SHA512 (curl-8.16.0.tar.xz) = 8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621 +SHA512 (curl-8.16.0.tar.xz.asc) = 591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82 From 804c73ca4bbb4d7a3f454bf93fa621bd3fd06feb Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Fri, 12 Sep 2025 10:40:12 -0700 Subject: [PATCH 108/120] Update test URLs to Fedora 42 to fix tests Tests currently fail because Fedora 38 is archived. This bumps the version to 42 and updates the expected content. This will need updating again annually or so. It'd be safer to use something that doesn't age out frequently instead. Signed-off-by: Adam Williamson --- tests/non-root-user-download/runtest.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 4d51e62..0d72276 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" From 9776a6bb744df02f85cf73c3b8a02e0e387ae915 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 13 Oct 2025 10:25:01 +0200 Subject: [PATCH 109/120] new upstream release - 8.17.0~rc1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index bf0f7ee..f247bf3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0 +Version: 8.17.0~rc1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 +- new upstream release candidate + * Wed Sep 10 2025 Jan Macku - 8.16.0-1 - new upstream release diff --git a/sources b/sources index 8b5feac..c657397 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0.tar.xz) = 8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621 -SHA512 (curl-8.16.0.tar.xz.asc) = 591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82 +SHA512 (curl-8.17.0-rc1.tar.xz) = bbaa3c97860f51c069dfc448d212a0d2149abfe76429bd4e7e3b005f44851e609008b90f5ed5caad048b5815043433248b495c41edf04d4bb5b76a8af41ede02 +SHA512 (curl-8.17.0-rc1.tar.xz.asc) = e86f7c9000ee5e8ee775947e720a17cf327b1f3053d6a6d92d3d1d27ed8dacefe1934ce3ee67b1efd59a601e0312bcffd1fb0900b760fda15e0fe7ba1a892c8f From 6bf2cb17bf9b14db4abc7a4f85e502629eafbbf3 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 21 Oct 2025 13:12:51 +0200 Subject: [PATCH 110/120] new upstream release - 8.17.0~rc2 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index f247bf3..6784164 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc1 +Version: 8.17.0~rc2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 +- new upstream release candidate + * Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 - new upstream release candidate diff --git a/sources b/sources index c657397..5bd897d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc1.tar.xz) = bbaa3c97860f51c069dfc448d212a0d2149abfe76429bd4e7e3b005f44851e609008b90f5ed5caad048b5815043433248b495c41edf04d4bb5b76a8af41ede02 -SHA512 (curl-8.17.0-rc1.tar.xz.asc) = e86f7c9000ee5e8ee775947e720a17cf327b1f3053d6a6d92d3d1d27ed8dacefe1934ce3ee67b1efd59a601e0312bcffd1fb0900b760fda15e0fe7ba1a892c8f +SHA512 (curl-8.17.0-rc2.tar.xz) = bc7d63e72787c5960a7107e2227b70e761aef2e2e63bda0f13f8c944b31a4e98acc1ca72bde25ff9eba3d97cee38e58e51359dffcfdf59310c6722d3a0986b54 +SHA512 (curl-8.17.0-rc2.tar.xz.asc) = d5bd939f0a004f6ae46f0fca1e05f6f7c4d6e77c3a65641c9b081a28589385a44b51fa968e0a7c35dd76caebe1f4d59ac0b26e0fc84378fd1d57c3ce513c4a2a From 9bd80279ea75fc37dcc6767e0061bc46e4893607 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 30 Oct 2025 09:34:03 +0100 Subject: [PATCH 111/120] new upstream release - 8.17.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 6784164..2cb6993 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc2 +Version: 8.17.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 +- new upstream release candidate + * Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index 5bd897d..0a3353d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc2.tar.xz) = bc7d63e72787c5960a7107e2227b70e761aef2e2e63bda0f13f8c944b31a4e98acc1ca72bde25ff9eba3d97cee38e58e51359dffcfdf59310c6722d3a0986b54 -SHA512 (curl-8.17.0-rc2.tar.xz.asc) = d5bd939f0a004f6ae46f0fca1e05f6f7c4d6e77c3a65641c9b081a28589385a44b51fa968e0a7c35dd76caebe1f4d59ac0b26e0fc84378fd1d57c3ce513c4a2a +SHA512 (curl-8.17.0-rc3.tar.xz) = ffa33aaec6c84ee2a9838e4d10f70e905ac414b920794215a0abb5a537e441187b4fd4eba2e1d8103d43375dc6bdf6995f097d22523c6e4ca1172bf0c3e1c347 +SHA512 (curl-8.17.0-rc3.tar.xz.asc) = b2ecef9a04d8337dabfde6be96e9b6fc9151d56dcc8aeb93ce8c5949ba0aaa6bbaf72f25ef3af8a0d4ffc92999d5f5498cead4f519fc0473c4cd311e28d54774 From d2da397853a1847f0a9c1be02842a7720227ec55 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 6 Nov 2025 15:10:09 +0100 Subject: [PATCH 112/120] new upstream release - 8.17.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 2cb6993..f96c5aa 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc3 +Version: 8.17.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +*Mon Nov 10 2025 Jan Macku - 8.17.0-1 +- new upstream release + * Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 0a3353d..2d835d7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc3.tar.xz) = ffa33aaec6c84ee2a9838e4d10f70e905ac414b920794215a0abb5a537e441187b4fd4eba2e1d8103d43375dc6bdf6995f097d22523c6e4ca1172bf0c3e1c347 -SHA512 (curl-8.17.0-rc3.tar.xz.asc) = b2ecef9a04d8337dabfde6be96e9b6fc9151d56dcc8aeb93ce8c5949ba0aaa6bbaf72f25ef3af8a0d4ffc92999d5f5498cead4f519fc0473c4cd311e28d54774 +SHA512 (curl-8.17.0.tar.xz.asc) = e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2 +SHA512 (curl-8.17.0.tar.xz) = fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca From b15bd53eb8d0de3ade9fb785b019f4d36aba07d5 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Nov 2025 09:24:32 +0100 Subject: [PATCH 113/120] remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead --- curl.spec | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index f96c5aa..8e3d696 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -366,6 +366,11 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la +# do not install bundled wcurl utility +# it is provided by the wcurl package +rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* + %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal @@ -381,8 +386,6 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* -%{_bindir}/wcurl -%{_mandir}/man1/wcurl.1* %{_datadir}/zsh %files -n libcurl @@ -407,7 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -*Mon Nov 10 2025 Jan Macku - 8.17.0-1 +* Thu Nov 13 2025 Jan Macku - 8.17.0-2 +- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead + +* Mon Nov 10 2025 Jan Macku - 8.17.0-1 - new upstream release * Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 From 6803c01e8da370a26d6cd6206093cd8f51ac3bae Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Nov 2025 16:01:43 +0100 Subject: [PATCH 114/120] recommend wcurl package instead of bundled wcurl utility --- curl.spec | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 8e3d696..ca173a3 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -28,6 +28,11 @@ Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ +%if 0%{?fedora} +# instead of bundled wcurl utility, recommend wcurl package +Recommends: wcurl +%endif + # The reason for maintaining two separate packages for curl is no longer valid. # The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. # For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 @@ -410,6 +415,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 13 2025 Jan Macku - 8.17.0-3 +- recommend wcurl package instead of bundled wcurl utility + * Thu Nov 13 2025 Jan Macku - 8.17.0-2 - remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead From 7d91f53d81f6aa9e760638a1e4dceb82a5b839b7 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 4 Dec 2025 09:59:27 +0100 Subject: [PATCH 115/120] http3: apply upstream patches for valgrind issues Related: #2408809 --- ...rl-8.17.0-vquic-do_sendmsg-full-init.patch | 34 +++++++++++++++++++ ...0-ngtcp2-openssl-fix-leak-of-session.patch | 32 +++++++++++++++++ curl.spec | 9 ++++- 3 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch create mode 100644 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch diff --git a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch new file mode 100644 index 0000000..f41b79a --- /dev/null +++ b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch @@ -0,0 +1,34 @@ +From aa95d1ceda65e7aa20110a69742797d80009e7de Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 27 Nov 2025 10:23:43 +0100 +Subject: [PATCH 1/2] vquic: do_sendmsg full init + +When passing a `msg_ctrl` to sendmsg() as part of GSO handling, zero the +complete array. This fixes any false positives by valgrind that complain +about uninitialised memory, even though the kernel only ever accesses +the first two bytes. + +Reported-by: Aleksei Bavshin +Fixes #19714 +Closes #19715 + +(cherry picked from commit a9e7a027ed866b791c12a3c701dc40304f4e00cb) +--- + lib/vquic/vquic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/vquic/vquic.c b/lib/vquic/vquic.c +index 7533001ea..2e8d8e5cd 100644 +--- a/lib/vquic/vquic.c ++++ b/lib/vquic/vquic.c +@@ -144,6 +144,7 @@ static CURLcode do_sendmsg(struct Curl_cfilter *cf, + if(pktlen > gsolen) { + /* Only set this, when we need it. macOS, for example, + * does not seem to like a msg_control of length 0. */ ++ memset(msg_ctrl, 0, sizeof(msg_ctrl)); + msg.msg_control = msg_ctrl; + assert(sizeof(msg_ctrl) >= CMSG_SPACE(sizeof(int))); + msg.msg_controllen = CMSG_SPACE(sizeof(int)); +-- +2.52.0 + diff --git a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch new file mode 100644 index 0000000..4db6234 --- /dev/null +++ b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch @@ -0,0 +1,32 @@ +From a11ab7ad4ea0d97ac0d5af1e28b30b00c37c3c3c Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 27 Nov 2025 12:11:39 +0100 +Subject: [PATCH 2/2] ngtcp2+openssl: fix leak of session + +Fix return value indicating to OpenSSL if reference to session is kept +(it is not), so OpenSSL frees it. + +Reported-by: Aleksei Bavshin +Fixes #19717 +Closes #19718 + +(cherry picked from commit 9bb5c0578b39e5b086b6a9db5c6eb299a0fe1c5c) +--- + lib/vquic/curl_ngtcp2.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c +index f72f6630f..069dcb67e 100644 +--- a/lib/vquic/curl_ngtcp2.c ++++ b/lib/vquic/curl_ngtcp2.c +@@ -2262,7 +2262,6 @@ static int quic_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + #endif + Curl_ossl_add_session(cf, data, ctx->peer.scache_key, ssl_sessionid, + SSL_version(ssl), "h3", quic_tp, quic_tp_len); +- return 1; + } + return 0; + } +-- +2.52.0 + diff --git a/curl.spec b/curl.spec index ca173a3..a58a893 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 3%{?dist} +Release: 4%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -16,6 +16,10 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Fix valgrind issues in HTTP/3 +Patch001: 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch +Patch002: 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -415,6 +419,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Dec 04 2025 Jan Macku - 8.17.0-4 +- apply upstream patches for valgrind issues in HTTP/3 (#2408809) + * Thu Nov 13 2025 Jan Macku - 8.17.0-3 - recommend wcurl package instead of bundled wcurl utility From fe73859ecd63f56854b599eda9bc8d991c933d8b Mon Sep 17 00:00:00 2001 From: Aleksei Bavshin Date: Thu, 9 Oct 2025 14:36:47 -0700 Subject: [PATCH 116/120] Enable HTTP/3 support with ngtcp2 --- curl.spec | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index a58a893..a47f422 100644 --- a/curl.spec +++ b/curl.spec @@ -4,10 +4,15 @@ # Change the bcond to 0 to turn off ENGINE support by default %bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] +# HTTP/3 support +# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's +# experimental native OpenSSL 3.5 support. +%bcond http3 %[0%{?fedora} >= 43] + Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 4%{?dist} +Release: 5%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -50,10 +55,16 @@ BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel BuildRequires: libnghttp2-devel +%if %{with http3} +BuildRequires: libnghttp3-devel +%endif BuildRequires: libpsl-devel BuildRequires: libssh-devel BuildRequires: libtool BuildRequires: make +%if %{with http3} +BuildRequires: ngtcp2-crypto-ossl-devel +%endif BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server @@ -148,6 +159,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#2144277) %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) +# require at least the version of libnghttp3 that we were built against, +# to ensure that we have the necessary symbols available +%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) @@ -156,6 +171,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) +# require at least the version of ngtcp2 that we were built against, +# to ensure that we have the necessary symbols available +%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) + # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, #1462211) # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) @@ -172,8 +191,14 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} +%if %{with http3} +Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} +%endif Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} +%if %{with http3} +Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} +%endif Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} @@ -313,7 +338,11 @@ export common_configure_opts=" \ --enable-websockets \ --with-brotli \ --with-libpsl \ - --with-libssh + --with-libssh \ +%if %{with http3} + --with-nghttp3 \ + --with-ngtcp2 \ +%endif ) # avoid using rpath @@ -419,6 +448,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 +- Enable HTTP/3 support with ngtcp2 + * Thu Dec 04 2025 Jan Macku - 8.17.0-4 - apply upstream patches for valgrind issues in HTTP/3 (#2408809) From 9d9fd36c2e8580eea7562a01230282bde942487e Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 9 Dec 2025 08:50:28 +0100 Subject: [PATCH 117/120] new upstream release - 8.18.0~rc1 --- ...rl-8.17.0-vquic-do_sendmsg-full-init.patch | 34 ------------------- ...0-ngtcp2-openssl-fix-leak-of-session.patch | 32 ----------------- curl.spec | 12 +++---- sources | 4 +-- 4 files changed, 8 insertions(+), 74 deletions(-) delete mode 100644 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch delete mode 100644 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch diff --git a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch deleted file mode 100644 index f41b79a..0000000 --- a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch +++ /dev/null @@ -1,34 +0,0 @@ -From aa95d1ceda65e7aa20110a69742797d80009e7de Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 27 Nov 2025 10:23:43 +0100 -Subject: [PATCH 1/2] vquic: do_sendmsg full init - -When passing a `msg_ctrl` to sendmsg() as part of GSO handling, zero the -complete array. This fixes any false positives by valgrind that complain -about uninitialised memory, even though the kernel only ever accesses -the first two bytes. - -Reported-by: Aleksei Bavshin -Fixes #19714 -Closes #19715 - -(cherry picked from commit a9e7a027ed866b791c12a3c701dc40304f4e00cb) ---- - lib/vquic/vquic.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/vquic/vquic.c b/lib/vquic/vquic.c -index 7533001ea..2e8d8e5cd 100644 ---- a/lib/vquic/vquic.c -+++ b/lib/vquic/vquic.c -@@ -144,6 +144,7 @@ static CURLcode do_sendmsg(struct Curl_cfilter *cf, - if(pktlen > gsolen) { - /* Only set this, when we need it. macOS, for example, - * does not seem to like a msg_control of length 0. */ -+ memset(msg_ctrl, 0, sizeof(msg_ctrl)); - msg.msg_control = msg_ctrl; - assert(sizeof(msg_ctrl) >= CMSG_SPACE(sizeof(int))); - msg.msg_controllen = CMSG_SPACE(sizeof(int)); --- -2.52.0 - diff --git a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch deleted file mode 100644 index 4db6234..0000000 --- a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch +++ /dev/null @@ -1,32 +0,0 @@ -From a11ab7ad4ea0d97ac0d5af1e28b30b00c37c3c3c Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 27 Nov 2025 12:11:39 +0100 -Subject: [PATCH 2/2] ngtcp2+openssl: fix leak of session - -Fix return value indicating to OpenSSL if reference to session is kept -(it is not), so OpenSSL frees it. - -Reported-by: Aleksei Bavshin -Fixes #19717 -Closes #19718 - -(cherry picked from commit 9bb5c0578b39e5b086b6a9db5c6eb299a0fe1c5c) ---- - lib/vquic/curl_ngtcp2.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c -index f72f6630f..069dcb67e 100644 ---- a/lib/vquic/curl_ngtcp2.c -+++ b/lib/vquic/curl_ngtcp2.c -@@ -2262,7 +2262,6 @@ static int quic_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) - #endif - Curl_ossl_add_session(cf, data, ctx->peer.scache_key, ssl_sessionid, - SSL_version(ssl), "h3", quic_tp, quic_tp_len); -- return 1; - } - return 0; - } --- -2.52.0 - diff --git a/curl.spec b/curl.spec index a47f422..6ce39e2 100644 --- a/curl.spec +++ b/curl.spec @@ -11,8 +11,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0 -Release: 5%{?dist} +Version: 8.18.0~rc1 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -21,10 +21,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Fix valgrind issues in HTTP/3 -Patch001: 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch -Patch002: 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -448,6 +444,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 +- new upstream release candidate +- drop upstreamed patches + * Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 - Enable HTTP/3 support with ngtcp2 diff --git a/sources b/sources index 2d835d7..80cbe05 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0.tar.xz.asc) = e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2 -SHA512 (curl-8.17.0.tar.xz) = fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca +SHA512 (curl-8.18.0-rc1.tar.xz) = 34cb17db3b16458a82b6f2c6c72f967cd028449a74a026acb2b6085161644ad352adf9cc9324d1e3264caf9039424bc53863e55ce92da7971e15871fee0c2551 +SHA512 (curl-8.18.0-rc1.tar.xz.asc) = 6b64d4d035de78f5111cc4cd7aaf4f6e5d4f14e5ee6685a3ff4e5d67f93aa45008a6c85f62cea54800872815fc01158339fc5d53959d060062cffce327a5346d From 9e1a11614b37b5a26a09a2bca7f81270633e3cbc Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 16 Dec 2025 14:49:18 +0100 Subject: [PATCH 118/120] new upstream release - 8.18.0~rc2 --- 0101-curl-7.32.0-multilib.patch | 14 +++++----- 0105-curl-8.11.1-test616.patch | 48 --------------------------------- curl.spec | 14 +++++----- sources | 4 +-- 4 files changed, 17 insertions(+), 63 deletions(-) delete mode 100644 0105-curl-8.11.1-test616.patch diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 79e9855..f7f66e6 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From ae56f768f418e1dd91f9eb3edf1a88453f61e160 Mon Sep 17 00:00:00 2001 +From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Mon, 25 Aug 2025 10:41:12 +0200 +Date: Tue, 16 Dec 2025 10:04:40 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index ce23519..bb43ca8 100644 +index a1c8185875..bb43ca8335 100644 --- a/curl-config.in +++ b/curl-config.in @@ -74,7 +74,7 @@ while test "$#" -gt 0; do @@ -26,7 +26,7 @@ index ce23519..bb43ca8 100644 ;; --libs) -- if test "@libdir@" != '/usr/lib' -a "@libdir@" != '/usr/lib64'; then +- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then - curllibdir="-L@libdir@ " - else - curllibdir='' @@ -61,7 +61,7 @@ index ce23519..bb43ca8 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index 12ad245..fa0e03d 100644 +index 12ad245b79..fa0e03d273 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. @@ -76,7 +76,7 @@ index 12ad245..fa0e03d 100644 ## `--version` diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba524..f3645e1 100644 +index c0ba5244a8..f3645e1748 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644 Name: libcurl URL: https://curl.se/ -- -2.50.1 +2.52.0 diff --git a/0105-curl-8.11.1-test616.patch b/0105-curl-8.11.1-test616.patch deleted file mode 100644 index 91bde80..0000000 --- a/0105-curl-8.11.1-test616.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 82baec8c7cd40361585d8793dfe4531f7aad30e3 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 11 Dec 2024 13:16:12 +0100 -Subject: [PATCH] test616: disable valgrind - -Valgrind disable was removed in upstream in https://github.com/curl/curl/commit/c91c37b6e87ceee760b7bb334c8e97e03ee93e93#diff-e01fd8774cf5b26329c7dc7dc03ec49745469205f3d501ced72c9d133455d5e7L35 -But test 616 is still failing under valgrind, so disable valgrind for this test. - -``` - valgrind ERROR ==188588== 144 bytes in 1 blocks are definitely lost in loss record 1 of 1 -==188588== at 0x484B133: calloc (vg_replace_malloc.c:1675) -==188588== by 0x4BB7575: ??? (in /usr/lib64/libssh.so.4.10.1) -==188588== by 0x4BB8CC6: sftp_fstat (in /usr/lib64/libssh.so.4.10.1) -==188588== by 0x48EEAFB: myssh_statemach_act (libssh.c:1610) -==188588== by 0x48F1B9D: myssh_multi_statemach.lto_priv.0 (libssh.c:2095) -==188588== by 0x48BA971: UnknownInlinedFun (multi.c:1643) -==188588== by 0x48BA971: UnknownInlinedFun (multi.c:2314) -==188588== by 0x48BA971: multi_runsingle (multi.c:2768) -==188588== by 0x48BCCA4: curl_multi_perform (multi.c:3016) -==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:701) -==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:796) -==188588== by 0x4884E4A: curl_easy_perform (easy.c:815) -==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:2902) -==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3127) -==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3249) -==188588== by 0x10C12B: main (tool_main.c:271) -==188588== -``` ---- - tests/data/test616 | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tests/data/test616 b/tests/data/test616 -index f76c68a..0ebc734 100644 ---- a/tests/data/test616 -+++ b/tests/data/test616 -@@ -32,5 +32,8 @@ SFTP retrieval of empty file - # - # Verify data after the test has been "shot" - -+ -+disable -+ - - --- -2.47.1 - diff --git a/curl.spec b/curl.spec index 6ce39e2..c2ec049 100644 --- a/curl.spec +++ b/curl.spec @@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0~rc1 +Version: 8.18.0~rc2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -24,9 +24,6 @@ Source2: mykey.asc # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch -# test616: disable valgrind -Patch105: 0105-curl-8.11.1-test616.patch - Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -414,9 +411,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %doc README %doc docs/BUGS.md %doc docs/DISTROS.md -%doc docs/FAQ +%doc docs/FAQ.md %doc docs/FEATURES.md -%doc docs/TODO +%doc docs/KNOWN_BUGS.md +%doc docs/TODO.md %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* @@ -444,6 +442,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 +- new upstream release candidate +- reenable valgrind on test 616 + * Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 - new upstream release candidate - drop upstreamed patches diff --git a/sources b/sources index 80cbe05..f75181e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.18.0-rc1.tar.xz) = 34cb17db3b16458a82b6f2c6c72f967cd028449a74a026acb2b6085161644ad352adf9cc9324d1e3264caf9039424bc53863e55ce92da7971e15871fee0c2551 -SHA512 (curl-8.18.0-rc1.tar.xz.asc) = 6b64d4d035de78f5111cc4cd7aaf4f6e5d4f14e5ee6685a3ff4e5d67f93aa45008a6c85f62cea54800872815fc01158339fc5d53959d060062cffce327a5346d +SHA512 (curl-8.18.0-rc2.tar.xz) = 4a71016d3a1d53bda007dc510c6eb7c1f35f04f4bb5c9cb1b10595e2ea15062993edd5fcdf73d008f6e91db48467e6a3428dd96e64ad9fb7acdf74db15ac5564 +SHA512 (curl-8.18.0-rc2.tar.xz.asc) = d3cfefd964958aa83da3005030899d12ed6ac0c456b2a2b1490a76a06c5abff839b4d70c1bad1d6218f9bdae0e63e368fc6a423ed10d03334609b499b7440762 From da5bf8f889f2af14cee4a633294b06b02f90ac16 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 5 Jan 2026 09:35:50 +0100 Subject: [PATCH 119/120] new upstream release - 8.18.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index c2ec049..758e807 100644 --- a/curl.spec +++ b/curl.spec @@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0~rc2 +Version: 8.18.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -442,6 +442,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 +- new upstream release candidate + * Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 - new upstream release candidate - reenable valgrind on test 616 diff --git a/sources b/sources index f75181e..5d0cff9 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.18.0-rc2.tar.xz) = 4a71016d3a1d53bda007dc510c6eb7c1f35f04f4bb5c9cb1b10595e2ea15062993edd5fcdf73d008f6e91db48467e6a3428dd96e64ad9fb7acdf74db15ac5564 -SHA512 (curl-8.18.0-rc2.tar.xz.asc) = d3cfefd964958aa83da3005030899d12ed6ac0c456b2a2b1490a76a06c5abff839b4d70c1bad1d6218f9bdae0e63e368fc6a423ed10d03334609b499b7440762 +SHA512 (curl-8.18.0-rc3.tar.xz) = 1139b79a6c4356fdf6f368812402c2f9bafcbaec6323c367aef85c4d00ffda9541a87ef476ce9a099142ef6f824b562c9dc840878add60a616f0e441fef44801 +SHA512 (curl-8.18.0-rc3.tar.xz.asc) = fac23b293cec82596ddd7757c0984e3977259c5116ddef719fad2a39a3723cf7cb5d85d12c5c5b2542f34a5411aa6f42f4fb08729fde6c564cd3567f2a3f0434 From 3c4947ef9777ff0e270d3680b23a3e10134ee68f Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 7 Jan 2026 11:16:40 +0100 Subject: [PATCH 120/120] new upstream release - 8.18.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 758e807..c0ad4db 100644 --- a/curl.spec +++ b/curl.spec @@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0~rc3 +Version: 8.18.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -442,6 +442,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jan 07 2026 Jan Macku - 8.18.0-1 +- new upstream release + * Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 5d0cff9..002e494 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.18.0-rc3.tar.xz) = 1139b79a6c4356fdf6f368812402c2f9bafcbaec6323c367aef85c4d00ffda9541a87ef476ce9a099142ef6f824b562c9dc840878add60a616f0e441fef44801 -SHA512 (curl-8.18.0-rc3.tar.xz.asc) = fac23b293cec82596ddd7757c0984e3977259c5116ddef719fad2a39a3723cf7cb5d85d12c5c5b2542f34a5411aa6f42f4fb08729fde6c564cd3567f2a3f0434 +SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c +SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152