From a1b38730cec8a39decb90b3b05d2746b72ebc0ee Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 15 Mar 2018 14:22:08 +0100 Subject: [PATCH 001/256] make the test-suite use Python 3 Unfortunately, smbserver.py does not work with Python 3 because there is no 'impacket' module available for Python 3: https://github.com/CoreSecurity/impacket/issues/61 --- 0103-curl-7.59.0-python3.patch | 140 +++++++++++++++++++++++++++++++++ curl.spec | 14 +++- 2 files changed, 152 insertions(+), 2 deletions(-) create mode 100644 0103-curl-7.59.0-python3.patch diff --git a/0103-curl-7.59.0-python3.patch b/0103-curl-7.59.0-python3.patch new file mode 100644 index 0000000..8a39f85 --- /dev/null +++ b/0103-curl-7.59.0-python3.patch @@ -0,0 +1,140 @@ +From bdba7b54224814055185513de1e7ff6619031553 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Thu, 15 Mar 2018 13:21:40 +0100 +Subject: [PATCH 1/2] tests/http_pipe.py: migrate to Python 3 + +--- + tests/http_pipe.py | 4 ++-- + tests/runtests.pl | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tests/http_pipe.py b/tests/http_pipe.py +index bc32173..75ac165 100755 +--- a/tests/http_pipe.py ++++ b/tests/http_pipe.py +@@ -383,13 +383,13 @@ class PipelineRequestHandler(socketserver.BaseRequestHandler): + self.request.setblocking(True) + if not new_data: + return +- new_requests = self._request_parser.ParseAdditionalData(new_data) ++ new_requests = self._request_parser.ParseAdditionalData(new_data.decode('utf8')) + self._response_builder.QueueRequests( + new_requests, self._request_parser.were_all_requests_http_1_1) + self._num_queued += len(new_requests) + self._last_queued_time = time.time() + elif fileno in wlist: +- num_bytes_sent = self.request.send(self._send_buffer[0:4096]) ++ num_bytes_sent = self.request.send(self._send_buffer[0:4096].encode('utf8')) + self._send_buffer = self._send_buffer[num_bytes_sent:] + time.sleep(0.05) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index d6aa5ca..4d395ef 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -1437,7 +1437,7 @@ sub runhttpserver { + elsif($alt eq "pipe") { + # basically the same, but another ID + $idnum = 3; +- $exe = "python $srcdir/http_pipe.py"; ++ $exe = "python3 $srcdir/http_pipe.py"; + $verbose_flag .= "1 "; + } + elsif($alt eq "unix") { +-- +2.14.3 + + +From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Thu, 15 Mar 2018 14:49:56 +0100 +Subject: [PATCH 2/2] tests/{negtelnet,smb}server.py: migrate to Python 3 + +Unfortunately, smbserver.py does not work with Python 3 because +there is no 'impacket' module available for Python 3: + +https://github.com/CoreSecurity/impacket/issues/61 +--- + tests/negtelnetserver.py | 12 ++++++------ + tests/smbserver.py | 4 ++-- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py +index 8cfd409..72ee771 100755 +--- a/tests/negtelnetserver.py ++++ b/tests/negtelnetserver.py +@@ -23,7 +23,7 @@ IDENT = "NTEL" + + # The strings that indicate the test framework is checking our aliveness + VERIFIED_REQ = b"verifiedserver" +-VERIFIED_RSP = b"WE ROOLZ: {pid}" ++VERIFIED_RSP = "WE ROOLZ: {pid}" + + + def telnetserver(options): +@@ -34,7 +34,7 @@ def telnetserver(options): + if options.pidfile: + pid = os.getpid() + with open(options.pidfile, "w") as f: +- f.write(b"{0}".format(pid)) ++ f.write("{0}".format(pid)) + + local_bind = (HOST, options.port) + log.info("Listening on %s", local_bind) +@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler): + response_data = VERIFIED_RSP.format(pid=os.getpid()) + else: + log.debug("Received normal request - echoing back") +- response_data = data.strip() ++ response_data = data.decode('utf8').strip() + + if response_data: + log.debug("Sending %r", response_data) +- self.request.sendall(response_data) ++ self.request.sendall(response_data.encode('utf8')) + + except IOError: + log.exception("IOError hit during request") +@@ -132,7 +132,7 @@ class Negotiator(object): + return buffer + + def byte_to_int(self, byte): +- return struct.unpack(b'B', byte)[0] ++ return int(byte) + + def no_neg(self, byte, byte_int, buffer): + # Not negotiating anything thus far. Check to see if we +@@ -197,7 +197,7 @@ class Negotiator(object): + self.tcp.sendall(packed_message) + + def pack(self, arr): +- return struct.pack(b'{0}B'.format(len(arr)), *arr) ++ return struct.pack('{0}B'.format(len(arr)), *arr) + + def send_iac(self, arr): + message = [NegTokens.IAC] +diff --git a/tests/smbserver.py b/tests/smbserver.py +index 195ae39..b09cd44 100755 +--- a/tests/smbserver.py ++++ b/tests/smbserver.py +@@ -24,7 +24,7 @@ + from __future__ import (absolute_import, division, print_function) + # unicode_literals) + import argparse +-import ConfigParser ++import configparser + import os + import sys + import logging +@@ -58,7 +58,7 @@ def smbserver(options): + f.write("{0}".format(pid)) + + # Here we write a mini config for the server +- smb_config = ConfigParser.ConfigParser() ++ smb_config = configparser.ConfigParser() + smb_config.add_section("global") + smb_config.set("global", "server_name", "SERVICE") + smb_config.set("global", "server_os", "UNIX") +-- +2.14.3 + diff --git a/curl.spec b/curl.spec index d722f07..eb0ad83 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -14,6 +14,9 @@ Patch101: 0101-curl-7.32.0-multilib.patch # prevent configure script from discarding -g in CFLAGS (#496778) Patch102: 0102-curl-7.36.0-debug.patch +# migrate tests/http_pipe.py to Python 3 +Patch103: 0103-curl-7.59.0-python3.patch + # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch @@ -36,7 +39,7 @@ BuildRequires: openssh-clients BuildRequires: openssh-server BuildRequires: openssl-devel BuildRequires: pkgconfig -BuildRequires: python +BuildRequires: python3 BuildRequires: sed BuildRequires: stunnel BuildRequires: zlib-devel @@ -159,8 +162,12 @@ be installed. # Fedora patches %patch101 -p1 %patch102 -p1 +%patch103 -p1 %patch104 -p1 +# make tests/*.py use Python 3 +sed -e '1 s|^#!/.*python|&3|' -i tests/*.py + # regenerate Makefile.in files #aclocal -I m4 #automake @@ -300,6 +307,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Mar 15 2018 Kamil Dudka - 7.59.0-3 +- make the test-suite use Python 3 + * Wed Mar 14 2018 Kamil Dudka - 7.59.0-2 - ftp: fix typo in recursive callback detection for seeking From 5a0fa9250ba51f804d18b99133055a4874bf06b7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 16 May 2018 13:16:56 +0200 Subject: [PATCH 002/256] new upstream release, which fixes the following vulnerabilities Resolves: CVE-2018-1000300 - FTP shutdown response buffer overflow Resolves: CVE-2018-1000301 - RTSP bad headers buffer over-read --- ...typo-in-recursive-callback-detection.patch | 29 ------------------- 0102-curl-7.36.0-debug.patch | 2 +- 0103-curl-7.59.0-python3.patch | 2 +- curl-7.59.0.tar.xz.asc | 11 ------- curl-7.60.0.tar.xz.asc | 11 +++++++ curl.spec | 13 +++++---- sources | 2 +- 7 files changed, 21 insertions(+), 49 deletions(-) delete mode 100644 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch delete mode 100644 curl-7.59.0.tar.xz.asc create mode 100644 curl-7.60.0.tar.xz.asc diff --git a/0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch b/0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch deleted file mode 100644 index 224630c..0000000 --- a/0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 1b02cb2b51148915b2ba025bb262ef34f369fa4b Mon Sep 17 00:00:00 2001 -From: dasimx -Date: Wed, 14 Mar 2018 11:02:05 +0100 -Subject: [PATCH] FTP: fix typo in recursive callback detection for seeking - -Fixes #2380 - -Upstream-commit: 920f73a6906dce87c6ee87c32b109a287189965d -Signed-off-by: Kamil Dudka ---- - lib/ftp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/ftp.c b/lib/ftp.c -index e2cc38b..0cc583b 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -1621,7 +1621,7 @@ static CURLcode ftp_state_ul_setup(struct connectdata *conn, - Curl_set_in_callback(data, true); - seekerr = conn->seek_func(conn->seek_client, data->state.resume_from, - SEEK_SET); -- Curl_set_in_callback(data, true); -+ Curl_set_in_callback(data, false); - } - - if(seekerr != CURL_SEEKFUNC_OK) { --- -2.14.3 - diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 13f07df..95670f0 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16524,18 +16524,11 @@ $as_echo "yes" >&6; } +@@ -16537,18 +16537,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0103-curl-7.59.0-python3.patch b/0103-curl-7.59.0-python3.patch index 8a39f85..dd10986 100644 --- a/0103-curl-7.59.0-python3.patch +++ b/0103-curl-7.59.0-python3.patch @@ -32,7 +32,7 @@ diff --git a/tests/runtests.pl b/tests/runtests.pl index d6aa5ca..4d395ef 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl -@@ -1437,7 +1437,7 @@ sub runhttpserver { +@@ -1438,7 +1438,7 @@ sub runhttpserver { elsif($alt eq "pipe") { # basically the same, but another ID $idnum = 3; diff --git a/curl-7.59.0.tar.xz.asc b/curl-7.59.0.tar.xz.asc deleted file mode 100644 index e74f7b2..0000000 --- a/curl-7.59.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlqoxTwACgkQXMkI/bce -EsJrHQf7B0ik8F5dfGYumYWkXHc9poJU+dJ0o6pwzg4QsP+4mwVTw/gnrXDm1hVk -iFPIAdgTkxiIDZi+6mDfZA9dZ8Aq38XbYjRIwXTW4KrjTtEFQXtwlEClrHrJyXfl -+2YC52BcY0D2JVDqUAB9cVSSgaHHf1jd4h32a8YMrwco4jP5rSxbmZe4psU2m8TC -skaZEoSIRJzg5oV+AgDSQMrq+fLsc5lIDKTl+7v6sjnGlcYeRC1SiBePyrh5g/o5 -w4JJH839MyjrYvi6MyCBHeyCFYDrxKvQw8zRwivfZ1oipM2SaSVq8c60PdR85Zw5 -/SNOU/7Qpvhua0GhAfaI/CTwwewy6w== -=OcVv ------END PGP SIGNATURE----- diff --git a/curl-7.60.0.tar.xz.asc b/curl-7.60.0.tar.xz.asc new file mode 100644 index 0000000..53ca282 --- /dev/null +++ b/curl-7.60.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlr7zUoACgkQXMkI/bce +EsK3jgf7Bvnswxxgq4wQWmqRKQvkN/zkuA2GjSm98M7mizVHl/7/imeqDl7S1vp0 +A6KCI99Epf+2EYgxrEbvZqlSQ6H30eBxOvV2yNwPhrS3UnXwNSJsbFr5bDRE4o8S +upyP/tSgEIGJcpq0bstrD7T/DRZ1yFCLB5rOOJx4lQnPuB3C7GAmuOj1ZtIxWIn+ +D/G+X1+/oZlils2TMI7ryjRuFvOSPHdUNldwtvfaRg0i3tNYnPbWq54lhouSn31H +ft8wNd3nnUpueWCWaKKXo+GBVDemDAMEcDbna+woW5SFLI6ZG/c822ljtld05Dk1 +KmwikC7MREQxkODmC10yrgy9I9akNg== +=f++X +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index eb0ad83..348f6db 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.59.0 -Release: 3%{?dist} +Version: 7.60.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# ftp: fix typo in recursive callback detection for seeking -Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -157,7 +154,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -307,6 +303,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 16 2018 Kamil Dudka - 7.60.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2018-1000300 - FTP shutdown response buffer overflow + CVE-2018-1000301 - RTSP bad headers buffer over-read + * Thu Mar 15 2018 Kamil Dudka - 7.59.0-3 - make the test-suite use Python 3 diff --git a/sources b/sources index f353b13..4a1cecd 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.59.0.tar.xz) = 6982a5950b564d6b2a4f4b96296b6db3db24a096acc68aa96966821b57f66362f5a69d9f2da762b5d2b1011a4a47478ebacaf05e26604f78bb013098749dd8a6 +SHA512 (curl-7.60.0.tar.xz) = 96a0c32ca846a76bba75e9e560ad4c15df79540992ed1a83713095be94ddba039f289bda9678762fd79fb9691fe810735178fb9dc970c37012dff96b8ce08abf From 09c874db5300a1846a61cd675164d84974a4a8e0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 16 May 2018 15:23:55 +0200 Subject: [PATCH 003/256] require glibc-debuginfo for valgrind-enabled build ... as suggested by valgrind itself: valgrind: Fatal error at startup: a function redirection valgrind: which is mandatory for this platform-tool combination valgrind: cannot be set up. Details of the redirection are: valgrind: valgrind: A must-be-redirected function valgrind: whose name matches the pattern: strlen valgrind: in an object with soname matching: ld-linux-x86-64.so.2 valgrind: was not found whilst processing valgrind: symbols from the object with soname: ld-linux-x86-64.so.2 valgrind: valgrind: Possible fixes: (1, short term): install glibc's debuginfo valgrind: package on this machine. (2, longer term): ask the packagers valgrind: for your Linux distribution to please in future ship a non- valgrind: stripped ld.so (or whatever the dynamic linker .so is called) valgrind: that exports the above-named function using the standard valgrind: calling conventions for this platform. The package you need valgrind: to install for fix (1) is called valgrind: valgrind: On Debian, Ubuntu: libc6-dbg valgrind: On SuSE, openSuSE, Fedora, RHEL: glibc-debuginfo valgrind: valgrind: Note that if you are debugging a 32 bit process on a valgrind: 64 bit system, you will need a corresponding 32 bit debuginfo valgrind: package (e.g. libc6-dbg:i386). valgrind: valgrind: Cannot continue -- exiting now. Sorry. --- curl.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/curl.spec b/curl.spec index 348f6db..9c12786 100644 --- a/curl.spec +++ b/curl.spec @@ -69,6 +69,7 @@ BuildRequires: perl(vars) # #810992, #816175, and #886891). Nevertheless developers are free to install # valgrind manually to improve test coverage on any architecture. %ifarch x86_64 %{ix86} +BuildRequires: glibc-debuginfo BuildRequires: valgrind %endif From e51a34d6cc39a103b43b20a7eee32ed783f98035 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 16 May 2018 15:54:58 +0200 Subject: [PATCH 004/256] Related: #1570246 - temporarily disable valgrind completely ... and revert the previous workaround, which does not work on Koji --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 9c12786..5f11302 100644 --- a/curl.spec +++ b/curl.spec @@ -69,8 +69,8 @@ BuildRequires: perl(vars) # #810992, #816175, and #886891). Nevertheless developers are free to install # valgrind manually to improve test coverage on any architecture. %ifarch x86_64 %{ix86} -BuildRequires: glibc-debuginfo -BuildRequires: valgrind +# temporarily disabled completely because of https://bugzilla.redhat.com/1570246 +# BuildRequires: valgrind %endif # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION From 5dee6fb8b33f1ef9ea84f54394da4aaee390ed25 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 18 May 2018 16:17:51 +0200 Subject: [PATCH 005/256] Resolves: CVE-2018-1000301 - http: restore buffer ptr when bad response-line is parsed --- 0002-curl-7.59.0-CVE-2018-1000301.patch | 48 +++++++++++++++++++++++++ curl.spec | 9 ++++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.59.0-CVE-2018-1000301.patch diff --git a/0002-curl-7.59.0-CVE-2018-1000301.patch b/0002-curl-7.59.0-CVE-2018-1000301.patch new file mode 100644 index 0000000..b733979 --- /dev/null +++ b/0002-curl-7.59.0-CVE-2018-1000301.patch @@ -0,0 +1,48 @@ +From 5815730864a2010872840bae24797983e892eb90 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 24 Mar 2018 23:47:41 +0100 +Subject: [PATCH 1/2] http: restore buffer pointer when bad response-line is + parsed + +... leaving the k->str could lead to buffer over-reads later on. + +CVE: CVE-2018-1000301 +Assisted-by: Max Dymond + +Detected by OSS-Fuzz. +Bug: https://curl.haxx.se/docs/adv_2018-b138.html +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 + +Upstream-commit: 8c7b3737d29ed5c0575bf592063de8a51450812d +Signed-off-by: Kamil Dudka +--- + lib/http.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/http.c b/lib/http.c +index 841f6cc..dc10f5f 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2966,6 +2966,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + { + CURLcode result; + struct SingleRequest *k = &data->req; ++ ssize_t onread = *nread; ++ char *ostr = k->str; + + /* header line within buffer loop */ + do { +@@ -3030,7 +3032,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + else { + /* this was all we read so it's all a bad header */ + k->badheader = HEADER_ALLBAD; +- *nread = (ssize_t)rest_length; ++ *nread = onread; ++ k->str = ostr; ++ return CURLE_OK; + } + break; + } +-- +2.14.3 + diff --git a/curl.spec b/curl.spec index d722f07..4bdc523 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,16 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz # ftp: fix typo in recursive callback detection for seeking Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch +# fix RTSP bad headers buffer over-read (CVE-2018-1000301) +Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -155,6 +158,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -300,6 +304,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri May 18 2018 Kamil Dudka - 7.59.0-3 +- fix RTSP bad headers buffer over-read (CVE-2018-1000301) + * Wed Mar 14 2018 Kamil Dudka - 7.59.0-2 - ftp: fix typo in recursive callback detection for seeking From 73d6b73380f22edd6565e870ac6aa169c74b6e3f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 18 May 2018 16:20:36 +0200 Subject: [PATCH 006/256] Resolves: CVE-2018-1000300 - fix FTP shutdown response buffer overflow --- 0003-curl-7.59.0-CVE-2018-1000300.patch | 39 +++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 44 insertions(+) create mode 100644 0003-curl-7.59.0-CVE-2018-1000300.patch diff --git a/0003-curl-7.59.0-CVE-2018-1000300.patch b/0003-curl-7.59.0-CVE-2018-1000300.patch new file mode 100644 index 0000000..fb4d15b --- /dev/null +++ b/0003-curl-7.59.0-CVE-2018-1000300.patch @@ -0,0 +1,39 @@ +From 9b757a9a431f6859807d9f6e697cc2d2a120098d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 23 Mar 2018 23:30:04 +0100 +Subject: [PATCH 2/2] pingpong: fix response cache memcpy overflow + +Response data for a handle with a large buffer might be cached and then +used with the "closure" handle when it has a smaller buffer and then the +larger cache will be copied and overflow the new smaller heap based +buffer. + +Reported-by: Dario Weisser +CVE: CVE-2018-1000300 +Bug: https://curl.haxx.se/docs/adv_2018-82c2.html + +Upstream-commit: 583b42cb3b809b1bf597af160468ccba728c2248 +Signed-off-by: Kamil Dudka +--- + lib/pingpong.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/pingpong.c b/lib/pingpong.c +index 438856a..ad370ee 100644 +--- a/lib/pingpong.c ++++ b/lib/pingpong.c +@@ -304,7 +304,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd, + * it would have been populated with something of size int to begin + * with, even though its datatype may be larger than an int. + */ +- DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1)); ++ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) { ++ failf(data, "cached response data too big to handle"); ++ return CURLE_RECV_ERROR; ++ } + memcpy(ptr, pp->cache, pp->cache_size); + gotbytes = (ssize_t)pp->cache_size; + free(pp->cache); /* free the cache */ +-- +2.14.3 + diff --git a/curl.spec b/curl.spec index 4bdc523..904ba10 100644 --- a/curl.spec +++ b/curl.spec @@ -11,6 +11,9 @@ Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch # fix RTSP bad headers buffer over-read (CVE-2018-1000301) Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch +# fix FTP shutdown response buffer overflow (CVE-2018-1000300) +Patch3: 0003-curl-7.59.0-CVE-2018-1000300.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -159,6 +162,7 @@ be installed. # upstream patches %patch1 -p1 %patch2 -p1 +%patch3 -p1 # Fedora patches %patch101 -p1 @@ -305,6 +309,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri May 18 2018 Kamil Dudka - 7.59.0-3 +- fix FTP shutdown response buffer overflow (CVE-2018-1000300) - fix RTSP bad headers buffer over-read (CVE-2018-1000301) * Wed Mar 14 2018 Kamil Dudka - 7.59.0-2 From 67e93f67b8904524e2013cef126d5f6d7e5b18e4 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 5 Jun 2018 15:10:20 +0200 Subject: [PATCH 007/256] Resolves: #1585797 - http2: handle GOAWAY properly --- 0004-curl-7.59.0-http2-GOAWAY.patch | 137 ++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 0004-curl-7.59.0-http2-GOAWAY.patch diff --git a/0004-curl-7.59.0-http2-GOAWAY.patch b/0004-curl-7.59.0-http2-GOAWAY.patch new file mode 100644 index 0000000..0e76a6e --- /dev/null +++ b/0004-curl-7.59.0-http2-GOAWAY.patch @@ -0,0 +1,137 @@ +From 84ddda3994c1f12d79946780dee9111b3cf1c308 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 19 Apr 2018 20:03:30 +0200 +Subject: [PATCH] http2: handle GOAWAY properly + +When receiving REFUSED_STREAM, mark the connection for close and retry +streams accordingly on another/fresh connection. + +Reported-by: Terry Wu +Fixes #2416 +Fixes #1618 +Closes #2510 + +Upstream-commit: d122df5972fc01e39ae28e6bca705237d7e3318a +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 17 ++++++++++++----- + lib/multi.c | 4 +++- + lib/transfer.c | 17 +++++++++++++++-- + lib/urldata.h | 2 +- + 4 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index b2c34e9..fba4d70 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -1078,7 +1078,6 @@ void Curl_http2_done(struct connectdata *conn, bool premature) + struct http_conn *httpc = &conn->proto.httpc; + + if(http->header_recvbuf) { +- H2BUGF(infof(data, "free header_recvbuf!!\n")); + Curl_add_buffer_free(http->header_recvbuf); + http->header_recvbuf = NULL; /* clear the pointer */ + Curl_add_buffer_free(http->trailer_recvbuf); +@@ -1351,7 +1350,15 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn, + + /* Reset to FALSE to prevent infinite loop in readwrite_data function. */ + stream->closed = FALSE; +- if(httpc->error_code != NGHTTP2_NO_ERROR) { ++ if(httpc->error_code == NGHTTP2_REFUSED_STREAM) { ++ H2BUGF(infof(data, "REFUSED_STREAM (%d), try again on a new connection!\n", ++ stream->stream_id)); ++ connclose(conn, "REFUSED_STREAM"); /* don't use this anymore */ ++ data->state.refused_stream = TRUE; ++ *err = CURLE_RECV_ERROR; /* trigger Curl_retry_request() later */ ++ return -1; ++ } ++ else if(httpc->error_code != NGHTTP2_NO_ERROR) { + failf(data, "HTTP/2 stream %u was not closed cleanly: %s (err %d)", + stream->stream_id, Curl_http2_strerror(httpc->error_code), + httpc->error_code); +@@ -1579,9 +1586,9 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex, + } + + if(nread == 0) { +- failf(data, "Unexpected EOF"); +- *err = CURLE_RECV_ERROR; +- return -1; ++ H2BUGF(infof(data, "end of stream\n")); ++ *err = CURLE_OK; ++ return 0; + } + + H2BUGF(infof(data, "nread=%zd\n", nread)); +diff --git a/lib/multi.c b/lib/multi.c +index 98e5fca..d69e5f9 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -541,7 +541,9 @@ static CURLcode multi_done(struct connectdata **connp, + if(conn->send_pipe.size || conn->recv_pipe.size) { + /* Stop if pipeline is not empty . */ + data->easy_conn = NULL; +- DEBUGF(infof(data, "Connection still in use, no more multi_done now!\n")); ++ DEBUGF(infof(data, "Connection still in use %d/%d, " ++ "no more multi_done now!\n", ++ conn->send_pipe.size, conn->recv_pipe.size)); + return CURLE_OK; + } + +diff --git a/lib/transfer.c b/lib/transfer.c +index fd9af31..5c29cc9 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1926,7 +1926,7 @@ CURLcode Curl_retry_request(struct connectdata *conn, + char **url) + { + struct Curl_easy *data = conn->data; +- ++ bool retry = FALSE; + *url = NULL; + + /* if we're talking upload, we can't do the checks below, unless the protocol +@@ -1939,7 +1939,7 @@ CURLcode Curl_retry_request(struct connectdata *conn, + conn->bits.reuse && + (!data->set.opt_no_body + || (conn->handler->protocol & PROTO_FAMILY_HTTP)) && +- (data->set.rtspreq != RTSPREQ_RECEIVE)) { ++ (data->set.rtspreq != RTSPREQ_RECEIVE)) + /* We got no data, we attempted to re-use a connection. For HTTP this + can be a retry so we try again regardless if we expected a body. + For other protocols we only try again only if we expected a body. +@@ -1947,6 +1947,19 @@ CURLcode Curl_retry_request(struct connectdata *conn, + This might happen if the connection was left alive when we were + done using it before, but that was closed when we wanted to read from + it again. Bad luck. Retry the same request on a fresh connect! */ ++ retry = TRUE; ++ else if(data->state.refused_stream && ++ (data->req.bytecount + data->req.headerbytecount == 0) ) { ++ /* This was sent on a refused stream, safe to rerun. A refused stream ++ error can typically only happen on HTTP/2 level if the stream is safe ++ to issue again, but the nghttp2 API can deliver the message to other ++ streams as well, which is why this adds the check the data counters ++ too. */ ++ infof(conn->data, "REFUSED_STREAM, retrying a fresh connect\n"); ++ data->state.refused_stream = FALSE; /* clear again */ ++ retry = TRUE; ++ } ++ if(retry) { + infof(conn->data, "Connection died, retrying a fresh connect\n"); + *url = strdup(conn->data->change.url); + if(!*url) +diff --git a/lib/urldata.h b/lib/urldata.h +index 3d7b9e5..6a36ee9 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1225,7 +1225,7 @@ struct UrlState { + curl_off_t current_speed; /* the ProgressShow() function sets this, + bytes / second */ + bool this_is_a_follow; /* this is a followed Location: request */ +- ++ bool refused_stream; /* this was refused, try again */ + char *first_host; /* host name of the first (not followed) request. + if set, this should be the host name that we will + sent authorization to, no else. Used to make Location: +-- +2.14.4 + diff --git a/curl.spec b/curl.spec index 904ba10..abf84a4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -14,6 +14,9 @@ Patch2: 0002-curl-7.59.0-CVE-2018-1000301.patch # fix FTP shutdown response buffer overflow (CVE-2018-1000300) Patch3: 0003-curl-7.59.0-CVE-2018-1000300.patch +# http2: handle GOAWAY properly (#1585797) +Patch4: 0004-curl-7.59.0-http2-GOAWAY.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -163,6 +166,7 @@ be installed. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 # Fedora patches %patch101 -p1 @@ -308,6 +312,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Jun 05 2018 Kamil Dudka - 7.59.0-4 +- http2: handle GOAWAY properly (#1585797) + * Fri May 18 2018 Kamil Dudka - 7.59.0-3 - fix FTP shutdown response buffer overflow (CVE-2018-1000300) - fix RTSP bad headers buffer over-read (CVE-2018-1000301) From 4f55f71cfecf26e83feac730cb1c7eda58cc65a4 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 4 Jul 2018 15:12:27 +0200 Subject: [PATCH 008/256] Related: #1570246 - enable vlagrind again This reverts commit e51a34d6cc39a103b43b20a7eee32ed783f98035. --- curl.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 5f11302..348f6db 100644 --- a/curl.spec +++ b/curl.spec @@ -69,8 +69,7 @@ BuildRequires: perl(vars) # #810992, #816175, and #886891). Nevertheless developers are free to install # valgrind manually to improve test coverage on any architecture. %ifarch x86_64 %{ix86} -# temporarily disabled completely because of https://bugzilla.redhat.com/1570246 -# BuildRequires: valgrind +BuildRequires: valgrind %endif # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION From befa5428f0a60d2f134dd8976cdf338cf6abbc5f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 4 Jul 2018 15:07:32 +0200 Subject: [PATCH 009/256] do not hard-wire path of the Python 3 interpreter --- curl.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 348f6db..814abf2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.60.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -36,7 +36,7 @@ BuildRequires: openssh-clients BuildRequires: openssh-server BuildRequires: openssl-devel BuildRequires: pkgconfig -BuildRequires: python3 +BuildRequires: python3-devel BuildRequires: sed BuildRequires: stunnel BuildRequires: zlib-devel @@ -162,7 +162,7 @@ be installed. %patch104 -p1 # make tests/*.py use Python 3 -sed -e '1 s|^#!/.*python|&3|' -i tests/*.py +sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py # regenerate Makefile.in files #aclocal -I m4 @@ -303,6 +303,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 04 2018 Kamil Dudka - 7.60.0-2 +- do not hard-wire path of the Python 3 interpreter + * Wed May 16 2018 Kamil Dudka - 7.60.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2018-1000300 - FTP shutdown response buffer overflow From 9f5f0d1189a299bbe690ebb6233ad3f746b5b801 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 10 Jul 2018 13:51:08 +0200 Subject: [PATCH 010/256] enable support for brotli compression in libcurl-full --- curl.spec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 814abf2..94a77a8 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.60.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -21,6 +21,7 @@ Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.haxx.se/ #BuildRequires: automake +BuildRequires: brotli-devel BuildRequires: coreutils BuildRequires: gcc BuildRequires: groff @@ -198,6 +199,7 @@ export common_configure_opts=" \ --disable-ldap \ --disable-ldaps \ --disable-manual \ + --without-brotli \ --without-libidn2 \ --without-libmetalink \ --without-libpsl \ @@ -211,6 +213,7 @@ export common_configure_opts=" \ --enable-ldap \ --enable-ldaps \ --enable-manual \ + --with-brotli \ --with-libidn2 \ --with-libmetalink \ --with-libpsl \ @@ -303,6 +306,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Jul 10 2018 Kamil Dudka - 7.60.0-3 +- enable support for brotli compression in libcurl-full + * Wed Jul 04 2018 Kamil Dudka - 7.60.0-2 - do not hard-wire path of the Python 3 interpreter From d41d215108ce0cb639ba45ae3f20fa05a47454c5 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 10 Jul 2018 15:14:27 +0200 Subject: [PATCH 011/256] disable test 1455, which occasionally fails in Koji ... with 'bind failed with errno 98: Address already in use' --- curl.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 94a77a8..4072953 100644 --- a/curl.spec +++ b/curl.spec @@ -169,9 +169,10 @@ sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py #aclocal -I m4 #automake -# disable test 1112 (#565305) and test 1801 +# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed +# with errno 98: Address already in use' in Koji environment), and test 1801 # -printf "1112\n1801\n" >> tests/data/DISABLED +printf "1112\n1455\n1801\n" >> tests/data/DISABLED # disable test 1319 on ppc64 (server times out) %ifarch ppc64 From a89a46eca8e5466c18dc70a0e5f7b54eb60071af Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 Jul 2018 14:16:32 +0200 Subject: [PATCH 012/256] new upstream release - 7.61.0 Resolves: CVE-2018-0500 - SMTP send heap buffer overflow --- 0102-curl-7.36.0-debug.patch | 2 +- curl-7.60.0.tar.xz.asc | 11 ----------- curl-7.61.0.tar.xz.asc | 11 +++++++++++ curl.spec | 8 ++++++-- sources | 2 +- 5 files changed, 19 insertions(+), 15 deletions(-) delete mode 100644 curl-7.60.0.tar.xz.asc create mode 100644 curl-7.61.0.tar.xz.asc diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 95670f0..5fb54b6 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16537,18 +16537,11 @@ $as_echo "yes" >&6; } +@@ -16409,18 +16409,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/curl-7.60.0.tar.xz.asc b/curl-7.60.0.tar.xz.asc deleted file mode 100644 index 53ca282..0000000 --- a/curl-7.60.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlr7zUoACgkQXMkI/bce -EsK3jgf7Bvnswxxgq4wQWmqRKQvkN/zkuA2GjSm98M7mizVHl/7/imeqDl7S1vp0 -A6KCI99Epf+2EYgxrEbvZqlSQ6H30eBxOvV2yNwPhrS3UnXwNSJsbFr5bDRE4o8S -upyP/tSgEIGJcpq0bstrD7T/DRZ1yFCLB5rOOJx4lQnPuB3C7GAmuOj1ZtIxWIn+ -D/G+X1+/oZlils2TMI7ryjRuFvOSPHdUNldwtvfaRg0i3tNYnPbWq54lhouSn31H -ft8wNd3nnUpueWCWaKKXo+GBVDemDAMEcDbna+woW5SFLI6ZG/c822ljtld05Dk1 -KmwikC7MREQxkODmC10yrgy9I9akNg== -=f++X ------END PGP SIGNATURE----- diff --git a/curl-7.61.0.tar.xz.asc b/curl-7.61.0.tar.xz.asc new file mode 100644 index 0000000..024ef39 --- /dev/null +++ b/curl-7.61.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAltFnUIACgkQXMkI/bce +EsJSSggAo2pO9DacErY/wVqYm2KA76s8HDMyGkvb7HXPWe3w1Nj6nwCY8Knbp2C6 +s6LZ73gqKfe3K+kFsFE6bFy9l2MKNs64cBG19dNUGcoYek6zt1BBXC6LT8/eOWc4 +l6HKift+CBh6ErtInB2CzmoG7dvNoZA00sERJbj9w+QZK4CTBZPWjz9BRHo7V31q +VnciTRgJ39HjL0kupdDIZgpCL741aWlkbOZu5wsRfe7nxWeiCdyOVluXluDi9t2i +s1mTPMpkMWDIEh723QL5jOlct9/hTLXAS2yZeR6qJafcicyIboXh0ZwGQGonHADi +aBs922AWx3v8x18thsCMQZwJSHiYEw== +=7p0n +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 4072953..813d18b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.60.0 -Release: 3%{?dist} +Version: 7.61.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -307,6 +307,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 11 2018 Kamil Dudka - 7.61.0-1 +- new upstream release, which fixes the following vulnerability + CVE-2018-0500 - SMTP send heap buffer overflow + * Tue Jul 10 2018 Kamil Dudka - 7.60.0-3 - enable support for brotli compression in libcurl-full diff --git a/sources b/sources index 4a1cecd..4248e66 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.60.0.tar.xz) = 96a0c32ca846a76bba75e9e560ad4c15df79540992ed1a83713095be94ddba039f289bda9678762fd79fb9691fe810735178fb9dc970c37012dff96b8ce08abf +SHA512 (curl-7.61.0.tar.xz) = 1b450bbd794460fea12374a49739a49a43c3651038dc092c277769bab09a62627f8eedfa94b5c1610503bf20eeaf60643a1e32fdcf1bcf8d4085090c4a598b13 From c79dff9b8baa2cb7ca51060f7303d91092fb7d0a Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 Jul 2018 17:51:58 +0200 Subject: [PATCH 013/256] Resolves: CVE-2018-0500 - fix heap buffer overflow in SMTP send --- 0005-curl-7.59.0-CVE-2018-0500.patch | 40 ++++++++++++++++++++++++++++ curl.spec | 9 ++++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 0005-curl-7.59.0-CVE-2018-0500.patch diff --git a/0005-curl-7.59.0-CVE-2018-0500.patch b/0005-curl-7.59.0-CVE-2018-0500.patch new file mode 100644 index 0000000..221c05f --- /dev/null +++ b/0005-curl-7.59.0-CVE-2018-0500.patch @@ -0,0 +1,40 @@ +From 7a5d2b67b8bee753735d4b03f66c4054d9b812f9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 13 Jun 2018 12:24:40 +0200 +Subject: [PATCH] smtp: use the upload buffer size for scratch buffer malloc + +... not the read buffer size, as that can be set smaller and thus cause +a buffer overflow! CVE-2018-0500 + +Reported-by: Peter Wu +Bug: https://curl.haxx.se/docs/adv_2018-70a2.html + +Upstream-commit: ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628 +Signed-off-by: Kamil Dudka +--- + lib/smtp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/smtp.c b/lib/smtp.c +index 3f3b45a..400ad54 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1563,13 +1563,14 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread) + if(!scratch || data->set.crlf) { + oldscratch = scratch; + +- scratch = newscratch = malloc(2 * data->set.buffer_size); ++ scratch = newscratch = malloc(2 * UPLOAD_BUFSIZE); + if(!newscratch) { + failf(data, "Failed to alloc scratch buffer!"); + + return CURLE_OUT_OF_MEMORY; + } + } ++ DEBUGASSERT(UPLOAD_BUFSIZE >= nread); + + /* Have we already sent part of the EOB? */ + eob_sent = smtp->eob; +-- +2.14.4 + diff --git a/curl.spec b/curl.spec index abf84a4..008dd3f 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -17,6 +17,9 @@ Patch3: 0003-curl-7.59.0-CVE-2018-1000300.patch # http2: handle GOAWAY properly (#1585797) Patch4: 0004-curl-7.59.0-http2-GOAWAY.patch +# fix heap buffer overflow in SMTP send (CVE-2018-0500) +Patch5: 0005-curl-7.59.0-CVE-2018-0500.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -167,6 +170,7 @@ be installed. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 # Fedora patches %patch101 -p1 @@ -312,6 +316,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 11 2018 Kamil Dudka - 7.59.0-5 +- fix heap buffer overflow in SMTP send (CVE-2018-0500) + * Tue Jun 05 2018 Kamil Dudka - 7.59.0-4 - http2: handle GOAWAY properly (#1585797) From 072eac2fb6b2bf8875ccb915628d2ca30cd9a8af Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 12 Jul 2018 22:28:24 +0000 Subject: [PATCH 014/256] - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 813d18b..2bac3e1 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -307,6 +307,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jul 12 2018 Fedora Release Engineering - 7.61.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Wed Jul 11 2018 Kamil Dudka - 7.61.0-1 - new upstream release, which fixes the following vulnerability CVE-2018-0500 - SMTP send heap buffer overflow From bcdea587035cd7e9fbbf3fe1bb41e4658beb64da Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 4 Jul 2018 17:17:26 +0200 Subject: [PATCH 015/256] temporarily disable test 582 on s390x (client times out) --- curl.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/curl.spec b/curl.spec index 2bac3e1..c897629 100644 --- a/curl.spec +++ b/curl.spec @@ -179,6 +179,11 @@ printf "1112\n1455\n1801\n" >> tests/data/DISABLED echo "1319" >> tests/data/DISABLED %endif +# temporarily disable test 582 on s390x (client times out) +%ifarch s390x +echo "582" >> tests/data/DISABLED +%endif + %build mkdir build-{full,minimal} export common_configure_opts=" \ From 85286dc2b33ebd0343f5bdf8c79fa49e8e9183a9 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 31 Jul 2018 10:33:53 +0200 Subject: [PATCH 016/256] adapt test 323 for updated OpenSSL --- curl.spec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index c897629..e1149bc 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -184,6 +184,9 @@ echo "1319" >> tests/data/DISABLED echo "582" >> tests/data/DISABLED %endif +# adapt test 323 for updated OpenSSL +sed -e 's/^35$/35,52/' -i tests/data/test323 + %build mkdir build-{full,minimal} export common_configure_opts=" \ @@ -312,6 +315,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Jul 31 2018 Kamil Dudka - 7.61.0-3 +- adapt test 323 for updated OpenSSL + * Thu Jul 12 2018 Fedora Release Engineering - 7.61.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild From 3fb6e235575109530b10e9bc17c4f2ba21d17bcb Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 31 Jul 2018 10:34:24 +0200 Subject: [PATCH 017/256] disable flaky test 1900, which covers deprecated HTTP pipelining See https://github.com/curl/curl/pull/2705 for details. --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index e1149bc..a56de38 100644 --- a/curl.spec +++ b/curl.spec @@ -172,7 +172,9 @@ sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 # -printf "1112\n1455\n1801\n" >> tests/data/DISABLED +# and test 1900, which is flaky and covers a deprecated feature of libcurl +# +printf "1112\n1455\n1801\n1900\n" >> tests/data/DISABLED # disable test 1319 on ppc64 (server times out) %ifarch ppc64 @@ -316,6 +318,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Tue Jul 31 2018 Kamil Dudka - 7.61.0-3 +- disable flaky test 1900, which covers deprecated HTTP pipelining - adapt test 323 for updated OpenSSL * Thu Jul 12 2018 Fedora Release Engineering - 7.61.0-2 From 35134a4aeeb38d3e2ce158e023acc4f3ffd0c175 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 7 Aug 2018 16:56:26 +0200 Subject: [PATCH 018/256] Related: #1610888 - relax crypto policy for the test-suite to make it pass again --- curl.spec | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index a56de38..2b7a4f5 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -248,6 +248,10 @@ export LD_LIBRARY_PATH cd build-full/tests make %{?_smp_mflags} V=1 +# relax crypto policy for the test-suite to make it pass again (#1610888) +export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX +export OPENSSL_CONF= + # run the upstream test-suite srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' @@ -317,6 +321,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Aug 07 2018 Kamil Dudka - 7.61.0-4 +- relax crypto policy for the test-suite to make it pass again (#1610888) + * Tue Jul 31 2018 Kamil Dudka - 7.61.0-3 - disable flaky test 1900, which covers deprecated HTTP pipelining - adapt test 323 for updated OpenSSL From 178b0fc823a0cf52899b809e90b02860be596a1f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 9 Aug 2018 13:37:25 +0200 Subject: [PATCH 019/256] Resolves: #1219544 - ssl: set engine implicitly when a PKCS#11 URI is provided --- 0001-curl-7.61.0-pkcs11.patch | 272 ++++++++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 280 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.61.0-pkcs11.patch diff --git a/0001-curl-7.61.0-pkcs11.patch b/0001-curl-7.61.0-pkcs11.patch new file mode 100644 index 0000000..d92b3e9 --- /dev/null +++ b/0001-curl-7.61.0-pkcs11.patch @@ -0,0 +1,272 @@ +From a9a65ae9f6516faf042b36eca2450db7d34bff47 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Mon, 19 Feb 2018 14:31:06 +0100 +Subject: [PATCH 1/2] ssl: set engine implicitly when a PKCS#11 URI is provided + +This allows the use of PKCS#11 URI for certificates and keys without +setting the corresponding type as "ENG" and the engine as "pkcs11" +explicitly. If a PKCS#11 URI is provided for certificate, key, +proxy_certificate or proxy_key, the corresponding type is set as "ENG" +if not provided and the engine is set to "pkcs11" if not provided. + +Acked-by: Nikos Mavrogiannopoulos +Closes #2333 + +Upstream-commit: 298d2565e2a2f06a859b7f5a1cc24ba7c87a8ce2 +Signed-off-by: Kamil Dudka +--- + docs/cmdline-opts/cert.d | 7 ++++++ + docs/cmdline-opts/key.d | 7 ++++++ + lib/vtls/openssl.c | 38 ++++++++++++++++++++++++++++ + src/tool_getparam.c | 2 +- + src/tool_operate.c | 53 ++++++++++++++++++++++++++++++++++++++++ + tests/unit/unit1394.c | 3 +++ + 6 files changed, 109 insertions(+), 1 deletion(-) + +diff --git a/docs/cmdline-opts/cert.d b/docs/cmdline-opts/cert.d +index adf62fc..510b833 100644 +--- a/docs/cmdline-opts/cert.d ++++ b/docs/cmdline-opts/cert.d +@@ -23,6 +23,13 @@ nickname contains ":", it needs to be preceded by "\\" so that it is not + recognized as password delimiter. If the nickname contains "\\", it needs to + be escaped as "\\\\" so that it is not recognized as an escape character. + ++If curl is built against OpenSSL library, and the engine pkcs11 is available, ++then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in ++a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a ++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set ++as "pkcs11" if none was provided and the --cert-type option will be set as ++"ENG" if none was provided. ++ + (iOS and macOS only) If curl is built against Secure Transport, then the + certificate string can either be the name of a certificate/private key in the + system or user keychain, or the path to a PKCS#12-encoded certificate and +diff --git a/docs/cmdline-opts/key.d b/docs/cmdline-opts/key.d +index fbf583a..4877b42 100644 +--- a/docs/cmdline-opts/key.d ++++ b/docs/cmdline-opts/key.d +@@ -7,4 +7,11 @@ Private key file name. Allows you to provide your private key in this separate + file. For SSH, if not specified, curl tries the following candidates in order: + '~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'. + ++If curl is built against OpenSSL library, and the engine pkcs11 is available, ++then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a ++PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a ++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set ++as "pkcs11" if none was provided and the --key-type option will be set as ++"ENG" if none was provided. ++ + If this option is used several times, the last one will be used. +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 0b1929b..bc46eca 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -558,8 +558,25 @@ static int ssl_ui_writer(UI *ui, UI_STRING *uis) + } + return (UI_method_get_writer(UI_OpenSSL()))(ui, uis); + } ++ ++/* ++ * Check if a given string is a PKCS#11 URI ++ */ ++static bool is_pkcs11_uri(const char *string) ++{ ++ if(strncasecompare(string, "pkcs11:", 7)) { ++ return TRUE; ++ } ++ else { ++ return FALSE; ++ } ++} ++ + #endif + ++static CURLcode Curl_ossl_set_engine(struct Curl_easy *data, ++ const char *engine); ++ + static + int cert_stuff(struct connectdata *conn, + SSL_CTX* ctx, +@@ -622,6 +639,16 @@ int cert_stuff(struct connectdata *conn, + case SSL_FILETYPE_ENGINE: + #if defined(USE_OPENSSL_ENGINE) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME) + { ++ /* Implicitly use pkcs11 engine if none was provided and the ++ * cert_file is a PKCS#11 URI */ ++ if(!data->state.engine) { ++ if(is_pkcs11_uri(cert_file)) { ++ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { ++ return 0; ++ } ++ } ++ } ++ + if(data->state.engine) { + const char *cmd_name = "LOAD_CERT_CTRL"; + struct { +@@ -798,6 +825,17 @@ int cert_stuff(struct connectdata *conn, + #ifdef USE_OPENSSL_ENGINE + { /* XXXX still needs some work */ + EVP_PKEY *priv_key = NULL; ++ ++ /* Implicitly use pkcs11 engine if none was provided and the ++ * key_file is a PKCS#11 URI */ ++ if(!data->state.engine) { ++ if(is_pkcs11_uri(key_file)) { ++ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { ++ return 0; ++ } ++ } ++ } ++ + if(data->state.engine) { + UI_METHOD *ui_method = + UI_create_method((char *)"curl user interface"); +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index cc3fcf3..a7bb7f9 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -342,7 +342,7 @@ void parse_cert_parameter(const char *cert_parameter, + * looks like a RFC7512 PKCS#11 URI which can be used as-is. + * Also if cert_parameter contains no colon nor backslash, this + * means no passphrase was given and no characters escaped */ +- if(!strncmp(cert_parameter, "pkcs11:", 7) || ++ if(curl_strnequal(cert_parameter, "pkcs11:", 7) || + !strpbrk(cert_parameter, ":\\")) { + *certname = strdup(cert_parameter); + return; +diff --git a/src/tool_operate.c b/src/tool_operate.c +index 26fc251..25d450c 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -113,6 +113,19 @@ static bool is_fatal_error(CURLcode code) + return FALSE; + } + ++/* ++ * Check if a given string is a PKCS#11 URI ++ */ ++static bool is_pkcs11_uri(const char *string) ++{ ++ if(curl_strnequal(string, "pkcs11:", 7)) { ++ return TRUE; ++ } ++ else { ++ return FALSE; ++ } ++} ++ + #ifdef __VMS + /* + * get_vms_file_size does what it takes to get the real size of the file +@@ -1073,6 +1086,46 @@ static CURLcode operate_do(struct GlobalConfig *global, + my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey); + + if(curlinfo->features & CURL_VERSION_SSL) { ++ /* Check if config->cert is a PKCS#11 URI and set the ++ * config->cert_type if necessary */ ++ if(config->cert) { ++ if(!config->cert_type) { ++ if(is_pkcs11_uri(config->cert)) { ++ config->cert_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->key is a PKCS#11 URI and set the ++ * config->key_type if necessary */ ++ if(config->key) { ++ if(!config->key_type) { ++ if(is_pkcs11_uri(config->key)) { ++ config->key_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->proxy_cert is a PKCS#11 URI and set the ++ * config->proxy_type if necessary */ ++ if(config->proxy_cert) { ++ if(!config->proxy_cert_type) { ++ if(is_pkcs11_uri(config->proxy_cert)) { ++ config->proxy_cert_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->proxy_key is a PKCS#11 URI and set the ++ * config->proxy_key_type if necessary */ ++ if(config->proxy_key) { ++ if(!config->proxy_key_type) { ++ if(is_pkcs11_uri(config->proxy_key)) { ++ config->proxy_key_type = strdup("ENG"); ++ } ++ } ++ } ++ + my_setopt_str(curl, CURLOPT_SSLCERT, config->cert); + my_setopt_str(curl, CURLOPT_PROXY_SSLCERT, config->proxy_cert); + my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type); +diff --git a/tests/unit/unit1394.c b/tests/unit/unit1394.c +index 667991d..010f052 100644 +--- a/tests/unit/unit1394.c ++++ b/tests/unit/unit1394.c +@@ -56,6 +56,9 @@ UNITTEST_START + "foo:bar\\\\", "foo", "bar\\\\", + "foo:bar:", "foo", "bar:", + "foo\\::bar\\:", "foo:", "bar\\:", ++ "pkcs11:foobar", "pkcs11:foobar", NULL, ++ "PKCS11:foobar", "PKCS11:foobar", NULL, ++ "PkCs11:foobar", "PkCs11:foobar", NULL, + #ifdef WIN32 + "c:\\foo:bar:baz", "c:\\foo", "bar:baz", + "c:\\foo\\:bar:baz", "c:\\foo:bar", "baz", +-- +2.17.1 + + +From 2be42ac65f4c345ed3ddc97917c8ef54e13fcbfd Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Thu, 9 Aug 2018 15:34:22 +0200 +Subject: [PATCH 2/2] docs: add files needed to regenerate curl.1 man page + +Bug: https://github.com/curl/curl/pull/2856 +--- + docs/cmdline-opts/disallow-username-in-url.d | 7 +++++++ + docs/cmdline-opts/haproxy-protocol.d | 11 +++++++++++ + 2 files changed, 18 insertions(+) + create mode 100644 docs/cmdline-opts/disallow-username-in-url.d + create mode 100644 docs/cmdline-opts/haproxy-protocol.d + +diff --git a/docs/cmdline-opts/disallow-username-in-url.d b/docs/cmdline-opts/disallow-username-in-url.d +new file mode 100644 +index 0000000..a7f46ea +--- /dev/null ++++ b/docs/cmdline-opts/disallow-username-in-url.d +@@ -0,0 +1,7 @@ ++Long: disallow-username-in-url ++Help: Disallow username in url ++Protocols: HTTP ++Added: 7.61.0 ++See-also: proto ++--- ++This tells curl to exit if passed a url containing a username. +diff --git a/docs/cmdline-opts/haproxy-protocol.d b/docs/cmdline-opts/haproxy-protocol.d +new file mode 100644 +index 0000000..cc41c9c +--- /dev/null ++++ b/docs/cmdline-opts/haproxy-protocol.d +@@ -0,0 +1,11 @@ ++Long: haproxy-protocol ++Help: Send HAProxy PROXY protocol v1 header ++Protocols: HTTP ++Added: 7.60.0 ++--- ++Send a HAProxy PROXY protocol v1 header at the beginning of the connection. This ++is used by some load balancers and reverse proxies to indicate the client's ++true IP address and port. ++ ++This option is primarily useful when sending test requests to a service that ++expects this header. +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index 2b7a4f5..db7d3a4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.0 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) +Patch1: 0001-curl-7.61.0-pkcs11.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -155,6 +158,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -321,6 +325,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Aug 09 2018 Kamil Dudka - 7.61.0-5 +- ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) + * Tue Aug 07 2018 Kamil Dudka - 7.61.0-4 - relax crypto policy for the test-suite to make it pass again (#1610888) From ab86f69980d8f5936b4fcfa98669c1bb8bfc1265 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 9 Aug 2018 13:37:25 +0200 Subject: [PATCH 020/256] Resolves: #1219544 - ssl: set engine implicitly when a PKCS#11 URI is provided --- 0006-curl-7.59.0-pkcs11.patch | 225 ++++++++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 233 insertions(+), 1 deletion(-) create mode 100644 0006-curl-7.59.0-pkcs11.patch diff --git a/0006-curl-7.59.0-pkcs11.patch b/0006-curl-7.59.0-pkcs11.patch new file mode 100644 index 0000000..d0f8ff1 --- /dev/null +++ b/0006-curl-7.59.0-pkcs11.patch @@ -0,0 +1,225 @@ +From cf48e08b1a7c480e43d6e66154e94c5029c0d335 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Mon, 19 Feb 2018 14:31:06 +0100 +Subject: [PATCH] ssl: set engine implicitly when a PKCS#11 URI is provided + +This allows the use of PKCS#11 URI for certificates and keys without +setting the corresponding type as "ENG" and the engine as "pkcs11" +explicitly. If a PKCS#11 URI is provided for certificate, key, +proxy_certificate or proxy_key, the corresponding type is set as "ENG" +if not provided and the engine is set to "pkcs11" if not provided. + +Acked-by: Nikos Mavrogiannopoulos +Closes #2333 + +Upstream-commit: 298d2565e2a2f06a859b7f5a1cc24ba7c87a8ce2 +Signed-off-by: Kamil Dudka +--- + docs/cmdline-opts/cert.d | 7 ++++++ + docs/cmdline-opts/key.d | 7 ++++++ + lib/vtls/openssl.c | 38 ++++++++++++++++++++++++++++ + src/tool_getparam.c | 2 +- + src/tool_operate.c | 53 ++++++++++++++++++++++++++++++++++++++++ + tests/unit/unit1394.c | 3 +++ + 6 files changed, 109 insertions(+), 1 deletion(-) + +diff --git a/docs/cmdline-opts/cert.d b/docs/cmdline-opts/cert.d +index 0cd5d53..ae6fe2f 100644 +--- a/docs/cmdline-opts/cert.d ++++ b/docs/cmdline-opts/cert.d +@@ -23,6 +23,13 @@ nickname contains ":", it needs to be preceded by "\\" so that it is not + recognized as password delimiter. If the nickname contains "\\", it needs to + be escaped as "\\\\" so that it is not recognized as an escape character. + ++If curl is built against OpenSSL library, and the engine pkcs11 is available, ++then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in ++a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a ++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set ++as "pkcs11" if none was provided and the --cert-type option will be set as ++"ENG" if none was provided. ++ + (iOS and macOS only) If curl is built against Secure Transport, then the + certificate string can either be the name of a certificate/private key in the + system or user keychain, or the path to a PKCS#12-encoded certificate and +diff --git a/docs/cmdline-opts/key.d b/docs/cmdline-opts/key.d +index fbf583a..4877b42 100644 +--- a/docs/cmdline-opts/key.d ++++ b/docs/cmdline-opts/key.d +@@ -7,4 +7,11 @@ Private key file name. Allows you to provide your private key in this separate + file. For SSH, if not specified, curl tries the following candidates in order: + '~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'. + ++If curl is built against OpenSSL library, and the engine pkcs11 is available, ++then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a ++PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a ++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set ++as "pkcs11" if none was provided and the --key-type option will be set as ++"ENG" if none was provided. ++ + If this option is used several times, the last one will be used. +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 2a6b3cf..5f16dbd 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -532,8 +532,25 @@ static int ssl_ui_writer(UI *ui, UI_STRING *uis) + } + return (UI_method_get_writer(UI_OpenSSL()))(ui, uis); + } ++ ++/* ++ * Check if a given string is a PKCS#11 URI ++ */ ++static bool is_pkcs11_uri(const char *string) ++{ ++ if(strncasecompare(string, "pkcs11:", 7)) { ++ return TRUE; ++ } ++ else { ++ return FALSE; ++ } ++} ++ + #endif + ++static CURLcode Curl_ossl_set_engine(struct Curl_easy *data, ++ const char *engine); ++ + static + int cert_stuff(struct connectdata *conn, + SSL_CTX* ctx, +@@ -596,6 +613,16 @@ int cert_stuff(struct connectdata *conn, + case SSL_FILETYPE_ENGINE: + #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME) + { ++ /* Implicitly use pkcs11 engine if none was provided and the ++ * cert_file is a PKCS#11 URI */ ++ if(!data->state.engine) { ++ if(is_pkcs11_uri(cert_file)) { ++ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { ++ return 0; ++ } ++ } ++ } ++ + if(data->state.engine) { + const char *cmd_name = "LOAD_CERT_CTRL"; + struct { +@@ -762,6 +789,17 @@ int cert_stuff(struct connectdata *conn, + #ifdef HAVE_OPENSSL_ENGINE_H + { /* XXXX still needs some work */ + EVP_PKEY *priv_key = NULL; ++ ++ /* Implicitly use pkcs11 engine if none was provided and the ++ * key_file is a PKCS#11 URI */ ++ if(!data->state.engine) { ++ if(is_pkcs11_uri(key_file)) { ++ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { ++ return 0; ++ } ++ } ++ } ++ + if(data->state.engine) { + UI_METHOD *ui_method = + UI_create_method((char *)"curl user interface"); +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 7ce9c28..6628247 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -337,7 +337,7 @@ void parse_cert_parameter(const char *cert_parameter, + * looks like a RFC7512 PKCS#11 URI which can be used as-is. + * Also if cert_parameter contains no colon nor backslash, this + * means no passphrase was given and no characters escaped */ +- if(!strncmp(cert_parameter, "pkcs11:", 7) || ++ if(curl_strnequal(cert_parameter, "pkcs11:", 7) || + !strpbrk(cert_parameter, ":\\")) { + *certname = strdup(cert_parameter); + return; +diff --git a/src/tool_operate.c b/src/tool_operate.c +index e8b434a..fa44c70 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -113,6 +113,19 @@ static bool is_fatal_error(CURLcode code) + return FALSE; + } + ++/* ++ * Check if a given string is a PKCS#11 URI ++ */ ++static bool is_pkcs11_uri(const char *string) ++{ ++ if(curl_strnequal(string, "pkcs11:", 7)) { ++ return TRUE; ++ } ++ else { ++ return FALSE; ++ } ++} ++ + #ifdef __VMS + /* + * get_vms_file_size does what it takes to get the real size of the file +@@ -1057,6 +1070,46 @@ static CURLcode operate_do(struct GlobalConfig *global, + my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey); + + if(curlinfo->features & CURL_VERSION_SSL) { ++ /* Check if config->cert is a PKCS#11 URI and set the ++ * config->cert_type if necessary */ ++ if(config->cert) { ++ if(!config->cert_type) { ++ if(is_pkcs11_uri(config->cert)) { ++ config->cert_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->key is a PKCS#11 URI and set the ++ * config->key_type if necessary */ ++ if(config->key) { ++ if(!config->key_type) { ++ if(is_pkcs11_uri(config->key)) { ++ config->key_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->proxy_cert is a PKCS#11 URI and set the ++ * config->proxy_type if necessary */ ++ if(config->proxy_cert) { ++ if(!config->proxy_cert_type) { ++ if(is_pkcs11_uri(config->proxy_cert)) { ++ config->proxy_cert_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->proxy_key is a PKCS#11 URI and set the ++ * config->proxy_key_type if necessary */ ++ if(config->proxy_key) { ++ if(!config->proxy_key_type) { ++ if(is_pkcs11_uri(config->proxy_key)) { ++ config->proxy_key_type = strdup("ENG"); ++ } ++ } ++ } ++ + my_setopt_str(curl, CURLOPT_SSLCERT, config->cert); + my_setopt_str(curl, CURLOPT_PROXY_SSLCERT, config->proxy_cert); + my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type); +diff --git a/tests/unit/unit1394.c b/tests/unit/unit1394.c +index 667991d..010f052 100644 +--- a/tests/unit/unit1394.c ++++ b/tests/unit/unit1394.c +@@ -56,6 +56,9 @@ UNITTEST_START + "foo:bar\\\\", "foo", "bar\\\\", + "foo:bar:", "foo", "bar:", + "foo\\::bar\\:", "foo:", "bar\\:", ++ "pkcs11:foobar", "pkcs11:foobar", NULL, ++ "PKCS11:foobar", "PKCS11:foobar", NULL, ++ "PkCs11:foobar", "PkCs11:foobar", NULL, + #ifdef WIN32 + "c:\\foo:bar:baz", "c:\\foo", "bar:baz", + "c:\\foo\\:bar:baz", "c:\\foo:bar", "baz", +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index 008dd3f..a49e005 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -20,6 +20,9 @@ Patch4: 0004-curl-7.59.0-http2-GOAWAY.patch # fix heap buffer overflow in SMTP send (CVE-2018-0500) Patch5: 0005-curl-7.59.0-CVE-2018-0500.patch +# ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) +Patch6: 0006-curl-7.59.0-pkcs11.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -171,6 +174,7 @@ be installed. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 # Fedora patches %patch101 -p1 @@ -316,6 +320,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Aug 09 2018 Kamil Dudka - 7.59.0-6 +- ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) + * Wed Jul 11 2018 Kamil Dudka - 7.59.0-5 - fix heap buffer overflow in SMTP send (CVE-2018-0500) From 023b327acc85474414b8935401fd90238f89b5bb Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Aug 2018 13:56:12 +0200 Subject: [PATCH 021/256] Resolves: #1595135 - scp/sftp: fix infinite connect loop on invalid private key --- 0002-curl-7.61.0-libssh.patch | 130 ++++++++++++++++++++++++++++++++++ curl.spec | 15 ++-- 2 files changed, 141 insertions(+), 4 deletions(-) create mode 100644 0002-curl-7.61.0-libssh.patch diff --git a/0002-curl-7.61.0-libssh.patch b/0002-curl-7.61.0-libssh.patch new file mode 100644 index 0000000..75966b4 --- /dev/null +++ b/0002-curl-7.61.0-libssh.patch @@ -0,0 +1,130 @@ +From 155d4ffb7d40daf2afa0102f91f810675220ab6e Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 14 Aug 2018 13:14:49 +0200 +Subject: [PATCH] ssh-libssh: reduce excessive verbose output about pubkey auth + +The verbose message "Authentication using SSH public key file" was +printed each time the ssh_userauth_publickey_auto() was called, which +meant each time a packet was transferred over network because the API +operates in non-blocking mode. + +This patch makes sure that the verbose message is printed just once +(when the authentication state is entered by the SSH state machine). + +Upstream-commit: 1e843a31a49484aeddf8f358e71392205f5fd6b1 +Signed-off-by: Kamil Dudka +--- + lib/ssh-libssh.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c +index cecf477ac..f40f074b9 100644 +--- a/lib/ssh-libssh.c ++++ b/lib/ssh-libssh.c +@@ -618,6 +618,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) + sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL); + if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) { + state(conn, SSH_AUTH_PKEY_INIT); ++ infof(data, "Authentication using SSH public key file\n"); + } + else if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) { + state(conn, SSH_AUTH_GSSAPI); +@@ -670,8 +671,6 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) + + } + else { +- infof(data, "Authentication using SSH public key file\n"); +- + rc = ssh_userauth_publickey_auto(sshc->ssh_session, NULL, + data->set.ssl.key_passwd); + if(rc == SSH_AUTH_AGAIN) { +-- +2.17.1 + +From 4b445519694ab620bd6376066844a7076e8ce4ab Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 14 Aug 2018 12:47:18 +0200 +Subject: [PATCH] ssh-libssh: fix infinite connect loop on invalid private key + +Added test 656 (based on test 604) to verify the fix. + +Bug: https://bugzilla.redhat.com/1595135 + +Closes #2879 + +Upstream-commit: a4c7911a48dadb4f68ba6b38bb1bf3f061b747f6 +Signed-off-by: Kamil Dudka +--- + lib/ssh-libssh.c | 1 + + tests/data/Makefile.inc | 2 +- + tests/data/test656 | 33 +++++++++++++++++++++++++++++++++ + 3 files changed, 35 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test656 + +diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c +index f40f074b9..12d618cfe 100644 +--- a/lib/ssh-libssh.c ++++ b/lib/ssh-libssh.c +@@ -663,6 +663,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) + if(rc != SSH_OK) { + failf(data, "Could not load private key file %s", + data->set.str[STRING_SSH_PRIVATE_KEY]); ++ MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED); + break; + } + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 20274b37c..518a5a543 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -83,7 +83,7 @@ test617 test618 test619 test620 test621 test622 test623 test624 test625 \ + test626 test627 test628 test629 test630 test631 test632 test633 test634 \ + test635 test636 test637 test638 test639 test640 test641 test642 \ + test643 test644 test645 test646 test647 test648 test649 test650 test651 \ +-test652 test653 test654 test655 \ ++test652 test653 test654 test655 test656 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 \ +diff --git a/tests/data/test656 b/tests/data/test656 +new file mode 100644 +index 000000000..4107d3d17 +--- /dev/null ++++ b/tests/data/test656 +@@ -0,0 +1,33 @@ ++ ++ ++ ++SFTP ++FAILURE ++ ++ ++ ++# ++# Client-side ++ ++ ++sftp ++ ++ ++SFTP retrieval with nonexistent private key file ++ ++ ++--key DOES_NOT_EXIST --pubkey curl_client_key.pub -u %USER: sftp://%HOSTIP:%SSHPORT%PWD/not-a-valid-file-moooo --insecure --connect-timeout 8 ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++disable ++ ++ ++67 ++ ++ ++ +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index db7d3a4..8c2b8bb 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,16 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz # ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) Patch1: 0001-curl-7.61.0-pkcs11.patch +# scp/sftp: fix infinite connect loop on invalid private key (#1595135) +Patch2: 0002-curl-7.61.0-libssh.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -23,7 +26,7 @@ Patch104: 0104-curl-7.19.7-localhost6.patch Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.haxx.se/ -#BuildRequires: automake +BuildRequires: automake BuildRequires: brotli-devel BuildRequires: coreutils BuildRequires: gcc @@ -159,6 +162,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -170,8 +174,8 @@ be installed. sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py # regenerate Makefile.in files -#aclocal -I m4 -#automake +aclocal -I m4 +automake # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 @@ -325,6 +329,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Aug 15 2018 Kamil Dudka - 7.61.0-6 +- scp/sftp: fix infinite connect loop on invalid private key (#1595135) + * Thu Aug 09 2018 Kamil Dudka - 7.61.0-5 - ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) From 8bff7e0d6b511d2b351c51f86933ac2eaa7c6180 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 27 Aug 2018 15:58:33 +0200 Subject: [PATCH 022/256] Related: #1622594 - tests: make ssh-keygen always produce PEM format The default format produced by openssh-7.8p1 cannot be consumed by currently available versions of libssh and libssh2. --- 0105-curl-7.61.0-tests-ssh-keygen.patch | 33 +++++++++++++++++++++++++ curl.spec | 9 ++++++- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 0105-curl-7.61.0-tests-ssh-keygen.patch diff --git a/0105-curl-7.61.0-tests-ssh-keygen.patch b/0105-curl-7.61.0-tests-ssh-keygen.patch new file mode 100644 index 0000000..b8b9ffb --- /dev/null +++ b/0105-curl-7.61.0-tests-ssh-keygen.patch @@ -0,0 +1,33 @@ +From daded1aff280104d16e405fcd1be1a857c74b191 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 27 Aug 2018 15:53:35 +0200 +Subject: [PATCH] tests: make ssh-keygen always produce PEM format + +The default format produced by openssh-7.8p1 cannot be consumed +by currently available versions of libssh and libssh2. +--- + tests/sshserver.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/sshserver.pl b/tests/sshserver.pl +index 9b3d122..d477a02 100755 +--- a/tests/sshserver.pl ++++ b/tests/sshserver.pl +@@ -372,12 +372,12 @@ if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) || + # Make sure all files are gone so ssh-keygen doesn't complain + unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf); + logmsg 'generating host keys...' if($verbose); +- if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N ''") { ++ if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N '' -m PEM") { + logmsg 'Could not generate host key'; + exit 1; + } + logmsg 'generating client keys...' if($verbose); +- if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N ''") { ++ if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N '' -m PEM") { + logmsg 'Could not generate client key'; + exit 1; + } +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index 8c2b8bb..41e828b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -23,6 +23,9 @@ Patch103: 0103-curl-7.59.0-python3.patch # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch +# tests: make ssh-keygen always produce PEM format (#1622594) +Patch105: 0105-curl-7.61.0-tests-ssh-keygen.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.haxx.se/ @@ -169,6 +172,7 @@ be installed. %patch102 -p1 %patch103 -p1 %patch104 -p1 +%patch105 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -329,6 +333,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Aug 27 2018 Kamil Dudka - 7.61.0-7 +- tests: make ssh-keygen always produce PEM format (#1622594) + * Wed Aug 15 2018 Kamil Dudka - 7.61.0-6 - scp/sftp: fix infinite connect loop on invalid private key (#1595135) From e7b6b91818749a26ce0f5a152d6c7387dc883efb Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 4 Sep 2018 15:20:55 +0200 Subject: [PATCH 023/256] make the --tls13-ciphers option work --- 0003-curl-7.61.0-tls13-ciphers.patch | 101 +++++++++++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 0003-curl-7.61.0-tls13-ciphers.patch diff --git a/0003-curl-7.61.0-tls13-ciphers.patch b/0003-curl-7.61.0-tls13-ciphers.patch new file mode 100644 index 0000000..a55ca64 --- /dev/null +++ b/0003-curl-7.61.0-tls13-ciphers.patch @@ -0,0 +1,101 @@ +From 426b00d0587797d79806f9682b058d5c90a0ab79 Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Fri, 31 Aug 2018 19:46:29 -0400 +Subject: [PATCH 1/2] openssl: Fix setting TLS 1.3 cipher suites + +The flag indicating TLS 1.3 cipher support in the OpenSSL backend was +missing. + +Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187 +Reported-by: Kamil Dudka + +Closes #2926 + +Upstream-commit: 978574b502294ae06eb97d4f590b54ed5d24cd7f +Signed-off-by: Kamil Dudka +--- + lib/vtls/openssl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index bc46eca..fad4287 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -3804,6 +3804,9 @@ const struct Curl_ssl Curl_ssl_openssl = { + SSLSUPP_CERTINFO | + SSLSUPP_PINNEDPUBKEY | + SSLSUPP_SSL_CTX | ++#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES ++ SSLSUPP_TLS13_CIPHERSUITES | ++#endif + SSLSUPP_HTTPS_PROXY, + + sizeof(struct ssl_backend_data), +-- +2.17.1 + + +From 081afa4e2eb5e853833bd87ca43f48ab550fe657 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 3 Sep 2018 13:04:00 +0200 +Subject: [PATCH 2/2] url, vtls: make CURLOPT{,_PROXY}_TLS13_CIPHERS work + +This is a follow-up to PR #2607 and PR #2926. + +Closes #2936 + +Upstream-commit: 52c13d6328ff56b2d2e8313e88cfdfc78acda365 +Signed-off-by: Kamil Dudka +--- + lib/url.c | 4 ++++ + lib/vtls/vtls.c | 5 ++++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index 27b2c1e..46898c4 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -4356,6 +4356,10 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.str[STRING_SSL_CIPHER_LIST_ORIG]; + data->set.proxy_ssl.primary.cipher_list = + data->set.str[STRING_SSL_CIPHER_LIST_PROXY]; ++ data->set.ssl.primary.cipher_list13 = ++ data->set.str[STRING_SSL_CIPHER13_LIST_ORIG]; ++ data->set.proxy_ssl.primary.cipher_list13 = ++ data->set.str[STRING_SSL_CIPHER13_LIST_PROXY]; + + data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; + data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index bf96518..b61c640 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -96,7 +96,8 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, + Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && + Curl_safe_strcasecompare(data->random_file, needle->random_file) && + Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && +- Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list)) ++ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && ++ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13)) + return TRUE; + + return FALSE; +@@ -119,6 +120,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + CLONE_STRING(random_file); + CLONE_STRING(egdsocket); + CLONE_STRING(cipher_list); ++ CLONE_STRING(cipher_list13); + + return TRUE; + } +@@ -131,6 +133,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) + Curl_safefree(sslc->random_file); + Curl_safefree(sslc->egdsocket); + Curl_safefree(sslc->cipher_list); ++ Curl_safefree(sslc->cipher_list13); + } + + #ifdef USE_SSL +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index 41e828b..dbd4d40 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.0 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -11,6 +11,9 @@ Patch1: 0001-curl-7.61.0-pkcs11.patch # scp/sftp: fix infinite connect loop on invalid private key (#1595135) Patch2: 0002-curl-7.61.0-libssh.patch +# make the --tls13-ciphers option work +Patch3: 0003-curl-7.61.0-tls13-ciphers.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -166,6 +169,7 @@ be installed. # upstream patches %patch1 -p1 %patch2 -p1 +%patch3 -p1 # Fedora patches %patch101 -p1 @@ -333,6 +337,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Sep 04 2018 Kamil Dudka - 7.61.0-8 +- make the --tls13-ciphers option work + * Mon Aug 27 2018 Kamil Dudka - 7.61.0-7 - tests: make ssh-keygen always produce PEM format (#1622594) From 20b63790e4e0f1c1ef978d2f337c858d90f6e262 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 5 Sep 2018 09:57:41 +0200 Subject: [PATCH 024/256] new upstream release - 7.61.1 Resolves: CVE-2018-14618 - NTLM password overflow via integer overflow --- 0001-curl-7.61.0-pkcs11.patch | 272 --------------------------- 0002-curl-7.61.0-libssh.patch | 130 ------------- 0003-curl-7.61.0-tls13-ciphers.patch | 101 ---------- 0102-curl-7.36.0-debug.patch | 2 +- 0103-curl-7.59.0-python3.patch | 2 +- curl-7.61.0.tar.xz.asc | 11 -- curl-7.61.1.tar.xz.asc | 11 ++ curl.spec | 20 +- sources | 2 +- 9 files changed, 20 insertions(+), 531 deletions(-) delete mode 100644 0001-curl-7.61.0-pkcs11.patch delete mode 100644 0002-curl-7.61.0-libssh.patch delete mode 100644 0003-curl-7.61.0-tls13-ciphers.patch delete mode 100644 curl-7.61.0.tar.xz.asc create mode 100644 curl-7.61.1.tar.xz.asc diff --git a/0001-curl-7.61.0-pkcs11.patch b/0001-curl-7.61.0-pkcs11.patch deleted file mode 100644 index d92b3e9..0000000 --- a/0001-curl-7.61.0-pkcs11.patch +++ /dev/null @@ -1,272 +0,0 @@ -From a9a65ae9f6516faf042b36eca2450db7d34bff47 Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Mon, 19 Feb 2018 14:31:06 +0100 -Subject: [PATCH 1/2] ssl: set engine implicitly when a PKCS#11 URI is provided - -This allows the use of PKCS#11 URI for certificates and keys without -setting the corresponding type as "ENG" and the engine as "pkcs11" -explicitly. If a PKCS#11 URI is provided for certificate, key, -proxy_certificate or proxy_key, the corresponding type is set as "ENG" -if not provided and the engine is set to "pkcs11" if not provided. - -Acked-by: Nikos Mavrogiannopoulos -Closes #2333 - -Upstream-commit: 298d2565e2a2f06a859b7f5a1cc24ba7c87a8ce2 -Signed-off-by: Kamil Dudka ---- - docs/cmdline-opts/cert.d | 7 ++++++ - docs/cmdline-opts/key.d | 7 ++++++ - lib/vtls/openssl.c | 38 ++++++++++++++++++++++++++++ - src/tool_getparam.c | 2 +- - src/tool_operate.c | 53 ++++++++++++++++++++++++++++++++++++++++ - tests/unit/unit1394.c | 3 +++ - 6 files changed, 109 insertions(+), 1 deletion(-) - -diff --git a/docs/cmdline-opts/cert.d b/docs/cmdline-opts/cert.d -index adf62fc..510b833 100644 ---- a/docs/cmdline-opts/cert.d -+++ b/docs/cmdline-opts/cert.d -@@ -23,6 +23,13 @@ nickname contains ":", it needs to be preceded by "\\" so that it is not - recognized as password delimiter. If the nickname contains "\\", it needs to - be escaped as "\\\\" so that it is not recognized as an escape character. - -+If curl is built against OpenSSL library, and the engine pkcs11 is available, -+then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in -+a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a -+PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set -+as "pkcs11" if none was provided and the --cert-type option will be set as -+"ENG" if none was provided. -+ - (iOS and macOS only) If curl is built against Secure Transport, then the - certificate string can either be the name of a certificate/private key in the - system or user keychain, or the path to a PKCS#12-encoded certificate and -diff --git a/docs/cmdline-opts/key.d b/docs/cmdline-opts/key.d -index fbf583a..4877b42 100644 ---- a/docs/cmdline-opts/key.d -+++ b/docs/cmdline-opts/key.d -@@ -7,4 +7,11 @@ Private key file name. Allows you to provide your private key in this separate - file. For SSH, if not specified, curl tries the following candidates in order: - '~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'. - -+If curl is built against OpenSSL library, and the engine pkcs11 is available, -+then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a -+PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a -+PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set -+as "pkcs11" if none was provided and the --key-type option will be set as -+"ENG" if none was provided. -+ - If this option is used several times, the last one will be used. -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 0b1929b..bc46eca 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -558,8 +558,25 @@ static int ssl_ui_writer(UI *ui, UI_STRING *uis) - } - return (UI_method_get_writer(UI_OpenSSL()))(ui, uis); - } -+ -+/* -+ * Check if a given string is a PKCS#11 URI -+ */ -+static bool is_pkcs11_uri(const char *string) -+{ -+ if(strncasecompare(string, "pkcs11:", 7)) { -+ return TRUE; -+ } -+ else { -+ return FALSE; -+ } -+} -+ - #endif - -+static CURLcode Curl_ossl_set_engine(struct Curl_easy *data, -+ const char *engine); -+ - static - int cert_stuff(struct connectdata *conn, - SSL_CTX* ctx, -@@ -622,6 +639,16 @@ int cert_stuff(struct connectdata *conn, - case SSL_FILETYPE_ENGINE: - #if defined(USE_OPENSSL_ENGINE) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME) - { -+ /* Implicitly use pkcs11 engine if none was provided and the -+ * cert_file is a PKCS#11 URI */ -+ if(!data->state.engine) { -+ if(is_pkcs11_uri(cert_file)) { -+ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { -+ return 0; -+ } -+ } -+ } -+ - if(data->state.engine) { - const char *cmd_name = "LOAD_CERT_CTRL"; - struct { -@@ -798,6 +825,17 @@ int cert_stuff(struct connectdata *conn, - #ifdef USE_OPENSSL_ENGINE - { /* XXXX still needs some work */ - EVP_PKEY *priv_key = NULL; -+ -+ /* Implicitly use pkcs11 engine if none was provided and the -+ * key_file is a PKCS#11 URI */ -+ if(!data->state.engine) { -+ if(is_pkcs11_uri(key_file)) { -+ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { -+ return 0; -+ } -+ } -+ } -+ - if(data->state.engine) { - UI_METHOD *ui_method = - UI_create_method((char *)"curl user interface"); -diff --git a/src/tool_getparam.c b/src/tool_getparam.c -index cc3fcf3..a7bb7f9 100644 ---- a/src/tool_getparam.c -+++ b/src/tool_getparam.c -@@ -342,7 +342,7 @@ void parse_cert_parameter(const char *cert_parameter, - * looks like a RFC7512 PKCS#11 URI which can be used as-is. - * Also if cert_parameter contains no colon nor backslash, this - * means no passphrase was given and no characters escaped */ -- if(!strncmp(cert_parameter, "pkcs11:", 7) || -+ if(curl_strnequal(cert_parameter, "pkcs11:", 7) || - !strpbrk(cert_parameter, ":\\")) { - *certname = strdup(cert_parameter); - return; -diff --git a/src/tool_operate.c b/src/tool_operate.c -index 26fc251..25d450c 100644 ---- a/src/tool_operate.c -+++ b/src/tool_operate.c -@@ -113,6 +113,19 @@ static bool is_fatal_error(CURLcode code) - return FALSE; - } - -+/* -+ * Check if a given string is a PKCS#11 URI -+ */ -+static bool is_pkcs11_uri(const char *string) -+{ -+ if(curl_strnequal(string, "pkcs11:", 7)) { -+ return TRUE; -+ } -+ else { -+ return FALSE; -+ } -+} -+ - #ifdef __VMS - /* - * get_vms_file_size does what it takes to get the real size of the file -@@ -1073,6 +1086,46 @@ static CURLcode operate_do(struct GlobalConfig *global, - my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey); - - if(curlinfo->features & CURL_VERSION_SSL) { -+ /* Check if config->cert is a PKCS#11 URI and set the -+ * config->cert_type if necessary */ -+ if(config->cert) { -+ if(!config->cert_type) { -+ if(is_pkcs11_uri(config->cert)) { -+ config->cert_type = strdup("ENG"); -+ } -+ } -+ } -+ -+ /* Check if config->key is a PKCS#11 URI and set the -+ * config->key_type if necessary */ -+ if(config->key) { -+ if(!config->key_type) { -+ if(is_pkcs11_uri(config->key)) { -+ config->key_type = strdup("ENG"); -+ } -+ } -+ } -+ -+ /* Check if config->proxy_cert is a PKCS#11 URI and set the -+ * config->proxy_type if necessary */ -+ if(config->proxy_cert) { -+ if(!config->proxy_cert_type) { -+ if(is_pkcs11_uri(config->proxy_cert)) { -+ config->proxy_cert_type = strdup("ENG"); -+ } -+ } -+ } -+ -+ /* Check if config->proxy_key is a PKCS#11 URI and set the -+ * config->proxy_key_type if necessary */ -+ if(config->proxy_key) { -+ if(!config->proxy_key_type) { -+ if(is_pkcs11_uri(config->proxy_key)) { -+ config->proxy_key_type = strdup("ENG"); -+ } -+ } -+ } -+ - my_setopt_str(curl, CURLOPT_SSLCERT, config->cert); - my_setopt_str(curl, CURLOPT_PROXY_SSLCERT, config->proxy_cert); - my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type); -diff --git a/tests/unit/unit1394.c b/tests/unit/unit1394.c -index 667991d..010f052 100644 ---- a/tests/unit/unit1394.c -+++ b/tests/unit/unit1394.c -@@ -56,6 +56,9 @@ UNITTEST_START - "foo:bar\\\\", "foo", "bar\\\\", - "foo:bar:", "foo", "bar:", - "foo\\::bar\\:", "foo:", "bar\\:", -+ "pkcs11:foobar", "pkcs11:foobar", NULL, -+ "PKCS11:foobar", "PKCS11:foobar", NULL, -+ "PkCs11:foobar", "PkCs11:foobar", NULL, - #ifdef WIN32 - "c:\\foo:bar:baz", "c:\\foo", "bar:baz", - "c:\\foo\\:bar:baz", "c:\\foo:bar", "baz", --- -2.17.1 - - -From 2be42ac65f4c345ed3ddc97917c8ef54e13fcbfd Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 9 Aug 2018 15:34:22 +0200 -Subject: [PATCH 2/2] docs: add files needed to regenerate curl.1 man page - -Bug: https://github.com/curl/curl/pull/2856 ---- - docs/cmdline-opts/disallow-username-in-url.d | 7 +++++++ - docs/cmdline-opts/haproxy-protocol.d | 11 +++++++++++ - 2 files changed, 18 insertions(+) - create mode 100644 docs/cmdline-opts/disallow-username-in-url.d - create mode 100644 docs/cmdline-opts/haproxy-protocol.d - -diff --git a/docs/cmdline-opts/disallow-username-in-url.d b/docs/cmdline-opts/disallow-username-in-url.d -new file mode 100644 -index 0000000..a7f46ea ---- /dev/null -+++ b/docs/cmdline-opts/disallow-username-in-url.d -@@ -0,0 +1,7 @@ -+Long: disallow-username-in-url -+Help: Disallow username in url -+Protocols: HTTP -+Added: 7.61.0 -+See-also: proto -+--- -+This tells curl to exit if passed a url containing a username. -diff --git a/docs/cmdline-opts/haproxy-protocol.d b/docs/cmdline-opts/haproxy-protocol.d -new file mode 100644 -index 0000000..cc41c9c ---- /dev/null -+++ b/docs/cmdline-opts/haproxy-protocol.d -@@ -0,0 +1,11 @@ -+Long: haproxy-protocol -+Help: Send HAProxy PROXY protocol v1 header -+Protocols: HTTP -+Added: 7.60.0 -+--- -+Send a HAProxy PROXY protocol v1 header at the beginning of the connection. This -+is used by some load balancers and reverse proxies to indicate the client's -+true IP address and port. -+ -+This option is primarily useful when sending test requests to a service that -+expects this header. --- -2.17.1 - diff --git a/0002-curl-7.61.0-libssh.patch b/0002-curl-7.61.0-libssh.patch deleted file mode 100644 index 75966b4..0000000 --- a/0002-curl-7.61.0-libssh.patch +++ /dev/null @@ -1,130 +0,0 @@ -From 155d4ffb7d40daf2afa0102f91f810675220ab6e Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 14 Aug 2018 13:14:49 +0200 -Subject: [PATCH] ssh-libssh: reduce excessive verbose output about pubkey auth - -The verbose message "Authentication using SSH public key file" was -printed each time the ssh_userauth_publickey_auto() was called, which -meant each time a packet was transferred over network because the API -operates in non-blocking mode. - -This patch makes sure that the verbose message is printed just once -(when the authentication state is entered by the SSH state machine). - -Upstream-commit: 1e843a31a49484aeddf8f358e71392205f5fd6b1 -Signed-off-by: Kamil Dudka ---- - lib/ssh-libssh.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c -index cecf477ac..f40f074b9 100644 ---- a/lib/ssh-libssh.c -+++ b/lib/ssh-libssh.c -@@ -618,6 +618,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) - sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL); - if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) { - state(conn, SSH_AUTH_PKEY_INIT); -+ infof(data, "Authentication using SSH public key file\n"); - } - else if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) { - state(conn, SSH_AUTH_GSSAPI); -@@ -670,8 +671,6 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) - - } - else { -- infof(data, "Authentication using SSH public key file\n"); -- - rc = ssh_userauth_publickey_auto(sshc->ssh_session, NULL, - data->set.ssl.key_passwd); - if(rc == SSH_AUTH_AGAIN) { --- -2.17.1 - -From 4b445519694ab620bd6376066844a7076e8ce4ab Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 14 Aug 2018 12:47:18 +0200 -Subject: [PATCH] ssh-libssh: fix infinite connect loop on invalid private key - -Added test 656 (based on test 604) to verify the fix. - -Bug: https://bugzilla.redhat.com/1595135 - -Closes #2879 - -Upstream-commit: a4c7911a48dadb4f68ba6b38bb1bf3f061b747f6 -Signed-off-by: Kamil Dudka ---- - lib/ssh-libssh.c | 1 + - tests/data/Makefile.inc | 2 +- - tests/data/test656 | 33 +++++++++++++++++++++++++++++++++ - 3 files changed, 35 insertions(+), 1 deletion(-) - create mode 100644 tests/data/test656 - -diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c -index f40f074b9..12d618cfe 100644 ---- a/lib/ssh-libssh.c -+++ b/lib/ssh-libssh.c -@@ -663,6 +663,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) - if(rc != SSH_OK) { - failf(data, "Could not load private key file %s", - data->set.str[STRING_SSH_PRIVATE_KEY]); -+ MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED); - break; - } - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 20274b37c..518a5a543 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -83,7 +83,7 @@ test617 test618 test619 test620 test621 test622 test623 test624 test625 \ - test626 test627 test628 test629 test630 test631 test632 test633 test634 \ - test635 test636 test637 test638 test639 test640 test641 test642 \ - test643 test644 test645 test646 test647 test648 test649 test650 test651 \ --test652 test653 test654 test655 \ -+test652 test653 test654 test655 test656 \ - \ - test700 test701 test702 test703 test704 test705 test706 test707 test708 \ - test709 test710 test711 test712 test713 test714 test715 \ -diff --git a/tests/data/test656 b/tests/data/test656 -new file mode 100644 -index 000000000..4107d3d17 ---- /dev/null -+++ b/tests/data/test656 -@@ -0,0 +1,33 @@ -+ -+ -+ -+SFTP -+FAILURE -+ -+ -+ -+# -+# Client-side -+ -+ -+sftp -+ -+ -+SFTP retrieval with nonexistent private key file -+ -+ -+--key DOES_NOT_EXIST --pubkey curl_client_key.pub -u %USER: sftp://%HOSTIP:%SSHPORT%PWD/not-a-valid-file-moooo --insecure --connect-timeout 8 -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+disable -+ -+ -+67 -+ -+ -+ --- -2.17.1 - diff --git a/0003-curl-7.61.0-tls13-ciphers.patch b/0003-curl-7.61.0-tls13-ciphers.patch deleted file mode 100644 index a55ca64..0000000 --- a/0003-curl-7.61.0-tls13-ciphers.patch +++ /dev/null @@ -1,101 +0,0 @@ -From 426b00d0587797d79806f9682b058d5c90a0ab79 Mon Sep 17 00:00:00 2001 -From: Jay Satiro -Date: Fri, 31 Aug 2018 19:46:29 -0400 -Subject: [PATCH 1/2] openssl: Fix setting TLS 1.3 cipher suites - -The flag indicating TLS 1.3 cipher support in the OpenSSL backend was -missing. - -Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187 -Reported-by: Kamil Dudka - -Closes #2926 - -Upstream-commit: 978574b502294ae06eb97d4f590b54ed5d24cd7f -Signed-off-by: Kamil Dudka ---- - lib/vtls/openssl.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index bc46eca..fad4287 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -3804,6 +3804,9 @@ const struct Curl_ssl Curl_ssl_openssl = { - SSLSUPP_CERTINFO | - SSLSUPP_PINNEDPUBKEY | - SSLSUPP_SSL_CTX | -+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES -+ SSLSUPP_TLS13_CIPHERSUITES | -+#endif - SSLSUPP_HTTPS_PROXY, - - sizeof(struct ssl_backend_data), --- -2.17.1 - - -From 081afa4e2eb5e853833bd87ca43f48ab550fe657 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 3 Sep 2018 13:04:00 +0200 -Subject: [PATCH 2/2] url, vtls: make CURLOPT{,_PROXY}_TLS13_CIPHERS work - -This is a follow-up to PR #2607 and PR #2926. - -Closes #2936 - -Upstream-commit: 52c13d6328ff56b2d2e8313e88cfdfc78acda365 -Signed-off-by: Kamil Dudka ---- - lib/url.c | 4 ++++ - lib/vtls/vtls.c | 5 ++++- - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/lib/url.c b/lib/url.c -index 27b2c1e..46898c4 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -4356,6 +4356,10 @@ static CURLcode create_conn(struct Curl_easy *data, - data->set.str[STRING_SSL_CIPHER_LIST_ORIG]; - data->set.proxy_ssl.primary.cipher_list = - data->set.str[STRING_SSL_CIPHER_LIST_PROXY]; -+ data->set.ssl.primary.cipher_list13 = -+ data->set.str[STRING_SSL_CIPHER13_LIST_ORIG]; -+ data->set.proxy_ssl.primary.cipher_list13 = -+ data->set.str[STRING_SSL_CIPHER13_LIST_PROXY]; - - data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; - data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index bf96518..b61c640 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -96,7 +96,8 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, - Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && - Curl_safe_strcasecompare(data->random_file, needle->random_file) && - Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && -- Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list)) -+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && -+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13)) - return TRUE; - - return FALSE; -@@ -119,6 +120,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, - CLONE_STRING(random_file); - CLONE_STRING(egdsocket); - CLONE_STRING(cipher_list); -+ CLONE_STRING(cipher_list13); - - return TRUE; - } -@@ -131,6 +133,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc) - Curl_safefree(sslc->random_file); - Curl_safefree(sslc->egdsocket); - Curl_safefree(sslc->cipher_list); -+ Curl_safefree(sslc->cipher_list13); - } - - #ifdef USE_SSL --- -2.17.1 - diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 5fb54b6..bbb253f 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16409,18 +16409,11 @@ $as_echo "yes" >&6; } +@@ -16414,18 +16414,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0103-curl-7.59.0-python3.patch b/0103-curl-7.59.0-python3.patch index dd10986..f66b6c0 100644 --- a/0103-curl-7.59.0-python3.patch +++ b/0103-curl-7.59.0-python3.patch @@ -32,7 +32,7 @@ diff --git a/tests/runtests.pl b/tests/runtests.pl index d6aa5ca..4d395ef 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl -@@ -1438,7 +1438,7 @@ sub runhttpserver { +@@ -1439,7 +1439,7 @@ sub runhttpserver { elsif($alt eq "pipe") { # basically the same, but another ID $idnum = 3; diff --git a/curl-7.61.0.tar.xz.asc b/curl-7.61.0.tar.xz.asc deleted file mode 100644 index 024ef39..0000000 --- a/curl-7.61.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAltFnUIACgkQXMkI/bce -EsJSSggAo2pO9DacErY/wVqYm2KA76s8HDMyGkvb7HXPWe3w1Nj6nwCY8Knbp2C6 -s6LZ73gqKfe3K+kFsFE6bFy9l2MKNs64cBG19dNUGcoYek6zt1BBXC6LT8/eOWc4 -l6HKift+CBh6ErtInB2CzmoG7dvNoZA00sERJbj9w+QZK4CTBZPWjz9BRHo7V31q -VnciTRgJ39HjL0kupdDIZgpCL741aWlkbOZu5wsRfe7nxWeiCdyOVluXluDi9t2i -s1mTPMpkMWDIEh723QL5jOlct9/hTLXAS2yZeR6qJafcicyIboXh0ZwGQGonHADi -aBs922AWx3v8x18thsCMQZwJSHiYEw== -=7p0n ------END PGP SIGNATURE----- diff --git a/curl-7.61.1.tar.xz.asc b/curl-7.61.1.tar.xz.asc new file mode 100644 index 0000000..6a1e664 --- /dev/null +++ b/curl-7.61.1.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAluPblgACgkQXMkI/bce +EsJynAgArST/gB9eVYIQTTAdXxCOSnArBK/Ne/UNW83QIgOawj0HvEpj9+1SNfTi +EwC5YSwymyMuKGTDLNswTnJ0MripRKylekfu1QGGzmIOkqovTiHz60xiFuWYI3vy +fYuAAse5MJz64GCVFwOM4me8SgEjtb/hIbhiCLqilOyXnqtocDm4FPCMAYQ1mTFy +RJBbwgDLwtktfBDCQyMXTeETGuk3bTrtvSwRv8+Rq8qehOt5s58Fqeztv8EVNi+B +Qzsi5NXMulgl3C0P3dN/cC81+OL75ehuE91AFXUmbNOnlYNTOxHR2dioaXaEyhKb +51KLH2D0G75wlfMbgMhX/rguuXT2rg== +=vM6i +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index dbd4d40..d4edfd9 100644 --- a/curl.spec +++ b/curl.spec @@ -1,19 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.61.0 -Release: 8%{?dist} +Version: 7.61.1 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) -Patch1: 0001-curl-7.61.0-pkcs11.patch - -# scp/sftp: fix infinite connect loop on invalid private key (#1595135) -Patch2: 0002-curl-7.61.0-libssh.patch - -# make the --tls13-ciphers option work -Patch3: 0003-curl-7.61.0-tls13-ciphers.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -167,9 +158,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 # Fedora patches %patch101 -p1 @@ -337,6 +325,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 05 2018 Kamil Dudka - 7.61.1-1 +- new upstream release, which fixes the following vulnerability + CVE-2018-14618 - NTLM password overflow via integer overflow + * Tue Sep 04 2018 Kamil Dudka - 7.61.0-8 - make the --tls13-ciphers option work diff --git a/sources b/sources index 4248e66..717a22e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.61.0.tar.xz) = 1b450bbd794460fea12374a49739a49a43c3651038dc092c277769bab09a62627f8eedfa94b5c1610503bf20eeaf60643a1e32fdcf1bcf8d4085090c4a598b13 +SHA512 (curl-7.61.1.tar.xz) = e6f82a7292c70841162480c8880d25046bcfa64058f4ff76f7d398c85da569af1c244442c9c58a3478d59264365ff8e39eed2fb564cb137118588f7862e64e9a From 964e6fe0a35b78324a7c2b9618192029dabf2726 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Aug 2018 13:56:12 +0200 Subject: [PATCH 025/256] Resolves: #1595135 - scp/sftp: fix infinite connect loop on invalid private key --- 0007-curl-7.61.0-libssh.patch | 133 ++++++++++++++++++++++++++++++++++ curl.spec | 16 +++- 2 files changed, 145 insertions(+), 4 deletions(-) create mode 100644 0007-curl-7.61.0-libssh.patch diff --git a/0007-curl-7.61.0-libssh.patch b/0007-curl-7.61.0-libssh.patch new file mode 100644 index 0000000..496e9b1 --- /dev/null +++ b/0007-curl-7.61.0-libssh.patch @@ -0,0 +1,133 @@ +From 155d4ffb7d40daf2afa0102f91f810675220ab6e Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 14 Aug 2018 13:14:49 +0200 +Subject: [PATCH 1/2] ssh-libssh: reduce excessive verbose output about pubkey + auth + +The verbose message "Authentication using SSH public key file" was +printed each time the ssh_userauth_publickey_auto() was called, which +meant each time a packet was transferred over network because the API +operates in non-blocking mode. + +This patch makes sure that the verbose message is printed just once +(when the authentication state is entered by the SSH state machine). + +Upstream-commit: 1e843a31a49484aeddf8f358e71392205f5fd6b1 +Signed-off-by: Kamil Dudka +--- + lib/ssh-libssh.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c +index cecf477ac..f40f074b9 100644 +--- a/lib/ssh-libssh.c ++++ b/lib/ssh-libssh.c +@@ -607,6 +607,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) + sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL); + if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) { + state(conn, SSH_AUTH_PKEY_INIT); ++ infof(data, "Authentication using SSH public key file\n"); + } + else if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) { + state(conn, SSH_AUTH_GSSAPI); +@@ -659,8 +660,6 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) + + } + else { +- infof(data, "Authentication using SSH public key file\n"); +- + rc = ssh_userauth_publickey_auto(sshc->ssh_session, NULL, + data->set.ssl.key_passwd); + if(rc == SSH_AUTH_AGAIN) { +-- +2.17.1 + + +From 4b445519694ab620bd6376066844a7076e8ce4ab Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 14 Aug 2018 12:47:18 +0200 +Subject: [PATCH 2/2] ssh-libssh: fix infinite connect loop on invalid private + key + +Added test 656 (based on test 604) to verify the fix. + +Bug: https://bugzilla.redhat.com/1595135 + +Closes #2879 + +Upstream-commit: a4c7911a48dadb4f68ba6b38bb1bf3f061b747f6 +Signed-off-by: Kamil Dudka +--- + lib/ssh-libssh.c | 1 + + tests/data/Makefile.inc | 2 +- + tests/data/test656 | 33 +++++++++++++++++++++++++++++++++ + 3 files changed, 35 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test656 + +diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c +index f40f074b9..12d618cfe 100644 +--- a/lib/ssh-libssh.c ++++ b/lib/ssh-libssh.c +@@ -652,6 +652,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block) + if(rc != SSH_OK) { + failf(data, "Could not load private key file %s", + data->set.str[STRING_SSH_PRIVATE_KEY]); ++ MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED); + break; + } + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 20274b37c..518a5a543 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -83,7 +83,7 @@ test617 test618 test619 test620 test621 test622 test623 test624 test625 \ + test626 test627 test628 test629 test630 test631 test632 test633 test634 \ + test635 test636 test637 test638 test639 test640 test641 test642 \ + test643 test644 test645 test646 test647 test648 test649 test650 test651 \ +-test652 test653 test654 test655 \ ++test652 test653 test654 test655 test656 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 \ +diff --git a/tests/data/test656 b/tests/data/test656 +new file mode 100644 +index 000000000..4107d3d17 +--- /dev/null ++++ b/tests/data/test656 +@@ -0,0 +1,33 @@ ++ ++ ++ ++SFTP ++FAILURE ++ ++ ++ ++# ++# Client-side ++ ++ ++sftp ++ ++ ++SFTP retrieval with nonexistent private key file ++ ++ ++--key DOES_NOT_EXIST --pubkey curl_client_key.pub -u %USER: sftp://%HOSTIP:%SSHPORT%PWD/not-a-valid-file-moooo --insecure --connect-timeout 8 ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++disable ++ ++ ++67 ++ ++ ++ +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index a49e005..1e7aff0 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -23,6 +23,9 @@ Patch5: 0005-curl-7.59.0-CVE-2018-0500.patch # ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) Patch6: 0006-curl-7.59.0-pkcs11.patch +# scp/sftp: fix infinite connect loop on invalid private key (#1595135) +Patch7: 0007-curl-7.61.0-libssh.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -35,7 +38,8 @@ Patch104: 0104-curl-7.19.7-localhost6.patch Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.haxx.se/ -#BuildRequires: automake + +BuildRequires: automake BuildRequires: coreutils BuildRequires: gcc BuildRequires: groff @@ -175,6 +179,7 @@ be installed. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 # Fedora patches %patch101 -p1 @@ -182,8 +187,8 @@ be installed. %patch104 -p1 # regenerate Makefile.in files -#aclocal -I m4 -#automake +aclocal -I m4 +automake # disable test 1112 (#565305) and test 1801 # @@ -320,6 +325,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 05 2018 Kamil Dudka - 7.59.0-7 +- scp/sftp: fix infinite connect loop on invalid private key (#1595135) + * Thu Aug 09 2018 Kamil Dudka - 7.59.0-6 - ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) From 503408095bf15813c472c371f8b4c2fd23b59d60 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 27 Aug 2018 15:58:33 +0200 Subject: [PATCH 026/256] Related: #1622594 - tests: make ssh-keygen always produce PEM format The default format produced by openssh-7.8p1 cannot be consumed by currently available versions of libssh and libssh2. --- 0105-curl-7.61.0-tests-ssh-keygen.patch | 33 +++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 38 insertions(+) create mode 100644 0105-curl-7.61.0-tests-ssh-keygen.patch diff --git a/0105-curl-7.61.0-tests-ssh-keygen.patch b/0105-curl-7.61.0-tests-ssh-keygen.patch new file mode 100644 index 0000000..b8b9ffb --- /dev/null +++ b/0105-curl-7.61.0-tests-ssh-keygen.patch @@ -0,0 +1,33 @@ +From daded1aff280104d16e405fcd1be1a857c74b191 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 27 Aug 2018 15:53:35 +0200 +Subject: [PATCH] tests: make ssh-keygen always produce PEM format + +The default format produced by openssh-7.8p1 cannot be consumed +by currently available versions of libssh and libssh2. +--- + tests/sshserver.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/sshserver.pl b/tests/sshserver.pl +index 9b3d122..d477a02 100755 +--- a/tests/sshserver.pl ++++ b/tests/sshserver.pl +@@ -372,12 +372,12 @@ if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) || + # Make sure all files are gone so ssh-keygen doesn't complain + unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf); + logmsg 'generating host keys...' if($verbose); +- if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N ''") { ++ if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N '' -m PEM") { + logmsg 'Could not generate host key'; + exit 1; + } + logmsg 'generating client keys...' if($verbose); +- if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N ''") { ++ if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N '' -m PEM") { + logmsg 'Could not generate client key'; + exit 1; + } +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index 1e7aff0..c0d7575 100644 --- a/curl.spec +++ b/curl.spec @@ -35,6 +35,9 @@ Patch102: 0102-curl-7.36.0-debug.patch # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch +# tests: make ssh-keygen always produce PEM format (#1622594) +Patch105: 0105-curl-7.61.0-tests-ssh-keygen.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.haxx.se/ @@ -185,6 +188,7 @@ be installed. %patch101 -p1 %patch102 -p1 %patch104 -p1 +%patch105 -p1 # regenerate Makefile.in files aclocal -I m4 @@ -326,6 +330,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Sep 05 2018 Kamil Dudka - 7.59.0-7 +- tests: make ssh-keygen always produce PEM format (#1622594) - scp/sftp: fix infinite connect loop on invalid private key (#1595135) * Thu Aug 09 2018 Kamil Dudka - 7.59.0-6 From 5f4e92def348a7733bdce0d2aeb7d57b2a42000e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 5 Sep 2018 13:03:52 +0200 Subject: [PATCH 027/256] Resolves: CVE-2018-14618 - fix NTLM password overflow via integer overflow --- 0008-curl-7.59.0-CVE-2018-14618.patch | 72 +++++++++++++++++++++++++++ curl.spec | 5 ++ 2 files changed, 77 insertions(+) create mode 100644 0008-curl-7.59.0-CVE-2018-14618.patch diff --git a/0008-curl-7.59.0-CVE-2018-14618.patch b/0008-curl-7.59.0-CVE-2018-14618.patch new file mode 100644 index 0000000..e9ed142 --- /dev/null +++ b/0008-curl-7.59.0-CVE-2018-14618.patch @@ -0,0 +1,72 @@ +From 114b31ab5b7e6965b629697020a7ce4b6cea340e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 13 Aug 2018 10:35:52 +0200 +Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password + +... since it would cause an integer overflow if longer than (max size_t +/ 2). + +This is CVE-2018-14618 + +Bug: https://curl.haxx.se/docs/CVE-2018-14618.html +Closes #2756 +Reported-by: Zhaoyang Wu + +Upstream-commit: 57d299a499155d4b327e341c6024e293b0418243 +Signed-off-by: Kamil Dudka +--- + lib/curl_ntlm_core.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c +index e896276..e5c785d 100644 +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -143,6 +143,15 @@ + #define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00" + #define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4) + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ ++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) ++#define SIZE_T_MAX 18446744073709551615U ++#else ++#define SIZE_T_MAX 4294967295U ++#endif ++#endif ++ + /* + * Turns a 56-bit key into being 64-bit wide. + */ +@@ -557,8 +566,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, + unsigned char *ntbuffer /* 21 bytes */) + { + size_t len = strlen(password); +- unsigned char *pw = len ? malloc(len * 2) : strdup(""); ++ unsigned char *pw; + CURLcode result; ++ if(len > SIZE_T_MAX/2) /* avoid integer overflow */ ++ return CURLE_OUT_OF_MEMORY; ++ pw = len ? malloc(len * 2) : strdup(""); + if(!pw) + return CURLE_OUT_OF_MEMORY; + +@@ -646,15 +658,6 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, + return CURLE_OK; + } + +-#ifndef SIZE_T_MAX +-/* some limits.h headers have this defined, some don't */ +-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) +-#define SIZE_T_MAX 18446744073709551615U +-#else +-#define SIZE_T_MAX 4294967295U +-#endif +-#endif +- + /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode + * (uppercase UserName + Domain) as the data + */ +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index c0d7575..b7041ad 100644 --- a/curl.spec +++ b/curl.spec @@ -26,6 +26,9 @@ Patch6: 0006-curl-7.59.0-pkcs11.patch # scp/sftp: fix infinite connect loop on invalid private key (#1595135) Patch7: 0007-curl-7.61.0-libssh.patch +# fix NTLM password overflow via integer overflow (CVE-2018-14618) +Patch8: 0008-curl-7.59.0-CVE-2018-14618.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -183,6 +186,7 @@ be installed. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 # Fedora patches %patch101 -p1 @@ -330,6 +334,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Wed Sep 05 2018 Kamil Dudka - 7.59.0-7 +- fix NTLM password overflow via integer overflow (CVE-2018-14618) - tests: make ssh-keygen always produce PEM format (#1622594) - scp/sftp: fix infinite connect loop on invalid private key (#1595135) From ece57c4aa470860579c18e7181321cbe894a55a1 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 4 Oct 2018 15:37:53 +0200 Subject: [PATCH 028/256] Related: #1622594 - drop 0105-curl-7.61.0-tests-ssh-keygen.patch no longer needed --- 0105-curl-7.61.0-tests-ssh-keygen.patch | 33 ------------------------- curl.spec | 9 +++---- 2 files changed, 4 insertions(+), 38 deletions(-) delete mode 100644 0105-curl-7.61.0-tests-ssh-keygen.patch diff --git a/0105-curl-7.61.0-tests-ssh-keygen.patch b/0105-curl-7.61.0-tests-ssh-keygen.patch deleted file mode 100644 index b8b9ffb..0000000 --- a/0105-curl-7.61.0-tests-ssh-keygen.patch +++ /dev/null @@ -1,33 +0,0 @@ -From daded1aff280104d16e405fcd1be1a857c74b191 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 27 Aug 2018 15:53:35 +0200 -Subject: [PATCH] tests: make ssh-keygen always produce PEM format - -The default format produced by openssh-7.8p1 cannot be consumed -by currently available versions of libssh and libssh2. ---- - tests/sshserver.pl | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/tests/sshserver.pl b/tests/sshserver.pl -index 9b3d122..d477a02 100755 ---- a/tests/sshserver.pl -+++ b/tests/sshserver.pl -@@ -372,12 +372,12 @@ if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) || - # Make sure all files are gone so ssh-keygen doesn't complain - unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf); - logmsg 'generating host keys...' if($verbose); -- if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N ''") { -+ if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N '' -m PEM") { - logmsg 'Could not generate host key'; - exit 1; - } - logmsg 'generating client keys...' if($verbose); -- if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N ''") { -+ if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N '' -m PEM") { - logmsg 'Could not generate client key'; - exit 1; - } --- -2.17.1 - diff --git a/curl.spec b/curl.spec index d4edfd9..93e2d57 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -17,9 +17,6 @@ Patch103: 0103-curl-7.59.0-python3.patch # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch -# tests: make ssh-keygen always produce PEM format (#1622594) -Patch105: 0105-curl-7.61.0-tests-ssh-keygen.patch - Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.haxx.se/ @@ -164,7 +161,6 @@ be installed. %patch102 -p1 %patch103 -p1 %patch104 -p1 -%patch105 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -325,6 +321,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Oct 04 2018 Kamil Dudka - 7.61.1-2 +- drop 0105-curl-7.61.0-tests-ssh-keygen.patch no longer needed (#1622594) + * Wed Sep 05 2018 Kamil Dudka - 7.61.1-1 - new upstream release, which fixes the following vulnerability CVE-2018-14618 - NTLM password overflow via integer overflow From 84125cbefe7feae53efed8b177e41106c7ed7262 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 4 Oct 2018 15:40:31 +0200 Subject: [PATCH 029/256] test320: update expected output for gnutls-3.6.4 --- 0001-curl-7.61.1-test320-gnutls.patch | 63 +++++++++++++++++++++++++++ curl.spec | 5 +++ 2 files changed, 68 insertions(+) create mode 100644 0001-curl-7.61.1-test320-gnutls.patch diff --git a/0001-curl-7.61.1-test320-gnutls.patch b/0001-curl-7.61.1-test320-gnutls.patch new file mode 100644 index 0000000..a9cbaac --- /dev/null +++ b/0001-curl-7.61.1-test320-gnutls.patch @@ -0,0 +1,63 @@ +From 3cd5b375e31fb98e4782dc3a77e7316ad9eb26cf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 4 Oct 2018 15:34:13 +0200 +Subject: [PATCH] test320: strip out more HTML when comparing + +To make the test case work with different gnutls-serv versions better. + +Reported-by: Kamil Dudka +Fixes #3093 +Closes #3094 + +Upstream-commit: 94ad57b0246b5658c2a9139dbe6a80efa4c4e2f3 +Signed-off-by: Kamil Dudka +--- + tests/data/test320 | 24 ++++-------------------- + 1 file changed, 4 insertions(+), 20 deletions(-) + +diff --git a/tests/data/test320 b/tests/data/test320 +index 457a11eb2..87311d4f2 100644 +--- a/tests/data/test320 ++++ b/tests/data/test320 +@@ -62,34 +62,18 @@ simple TLS-SRP HTTPS GET, check user in response + HTTP/1.0 200 OK + Content-type: text/html + +- +- +-

This is GnuTLS

+- +- +- +-
If your browser supports session resuming, then you should see the same session ID, when you press the reload button.
+-

Connected as user 'jsmith'.

+-

+- +- +- +- +- +-

Key Exchange:SRP
CompressionNULL
CipherAES-NNN-CBC
MACSHA1
CiphersuiteSRP_SHA_AES_NNN_CBC_SHA1
+-

Your HTTP header was:

Host: %HOSTIP:%HTTPTLSPORT
++FINE
+ User-Agent: curl-test-suite
+ Accept: */*
+ 
+-

+- +- + + +-s/^

Session ID:.*// ++s/^

Connected as user 'jsmith'.*/FINE/ + s/Protocol version:.*[0-9]// + s/GNUTLS/GnuTLS/ + s/(AES[-_])\d\d\d([-_]CBC)/$1NNN$2/ ++s/^<.*\n// ++s/^\n// + + + +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index 93e2d57..61b9341 100644 --- a/curl.spec +++ b/curl.spec @@ -5,6 +5,9 @@ Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# test320: update expected output for gnutls-3.6.4 +Patch1: 0001-curl-7.61.1-test320-gnutls.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -155,6 +158,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -322,6 +326,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Oct 04 2018 Kamil Dudka - 7.61.1-2 +- test320: update expected output for gnutls-3.6.4 - drop 0105-curl-7.61.0-tests-ssh-keygen.patch no longer needed (#1622594) * Wed Sep 05 2018 Kamil Dudka - 7.61.1-1 From 800bb58ef3610df46777baebf996060460cbbb0c Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 5 Oct 2018 13:59:35 +0200 Subject: [PATCH 030/256] Resolves: #1631804 - enforce versioned libpsl dependency for libcurl --- curl.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/curl.spec b/curl.spec index 61b9341..f057d54 100644 --- a/curl.spec +++ b/curl.spec @@ -79,6 +79,10 @@ BuildRequires: valgrind # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} +# require at least the version of libpsl that we were built against, +# to ensure that we have the necessary symbols available (#1631804) +%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) + # require at least the version of libssh that we were built against, # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) @@ -97,6 +101,7 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers +Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} @@ -326,6 +331,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Oct 04 2018 Kamil Dudka - 7.61.1-2 +- enforce versioned libpsl dependency for libcurl (#1631804) - test320: update expected output for gnutls-3.6.4 - drop 0105-curl-7.61.0-tests-ssh-keygen.patch no longer needed (#1622594) From 2346b66a23a6369c284f5b649aa5af42ad7960a7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 8 Oct 2018 13:45:20 +0200 Subject: [PATCH 031/256] update the documentation of --tlsv1.0 in curl(1) man page --- 0002-curl-7.61.1-tlsv1.0-man.patch | 28 ++++++++++++++++++++++++++++ curl.spec | 12 +++++++++++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.61.1-tlsv1.0-man.patch diff --git a/0002-curl-7.61.1-tlsv1.0-man.patch b/0002-curl-7.61.1-tlsv1.0-man.patch new file mode 100644 index 0000000..f384366 --- /dev/null +++ b/0002-curl-7.61.1-tlsv1.0-man.patch @@ -0,0 +1,28 @@ +From c574e05b0035f0d78e6bf6040d3f80430112ab4f Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 7 Sep 2018 16:50:45 +0200 +Subject: [PATCH] docs/cmdline-opts: update the documentation of --tlsv1.0 + +... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9 + +Closes #2955 + +Upstream-commit: 9ba22ce6b52751ed1e2abdd177b0a1d241819b4e +Signed-off-by: Kamil Dudka +--- + docs/cmdline-opts/tlsv1.0.d | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs/cmdline-opts/tlsv1.0.d b/docs/cmdline-opts/tlsv1.0.d +index 8789025e0..54e259682 100644 +--- a/docs/cmdline-opts/tlsv1.0.d ++++ b/docs/cmdline-opts/tlsv1.0.d +@@ -3,4 +3,4 @@ Help: Use TLSv1.0 + Protocols: TLS + Added: 7.34.0 + --- +-Forces curl to use TLS version 1.0 when connecting to a remote TLS server. ++Forces curl to use TLS version 1.0 or later when connecting to a remote TLS server. +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index f057d54..946836a 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,16 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz # test320: update expected output for gnutls-3.6.4 Patch1: 0001-curl-7.61.1-test320-gnutls.patch +# update the documentation of --tlsv1.0 in curl(1) man page +Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -45,6 +48,9 @@ BuildRequires: sed BuildRequires: stunnel BuildRequires: zlib-devel +# needed to compress content of tool_hugehelp.c after changing curl.1 man page +BuildRequires: perl(IO::Compress::Gzip) + # gnutls-serv is used by the upstream test-suite BuildRequires: gnutls-utils @@ -164,6 +170,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -330,6 +337,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Oct 11 2018 Kamil Dudka - 7.61.1-3 +- update the documentation of --tlsv1.0 in curl(1) man page + * Thu Oct 04 2018 Kamil Dudka - 7.61.1-2 - enforce versioned libpsl dependency for libcurl (#1631804) - test320: update expected output for gnutls-3.6.4 From 9be316eea198f1bf9647692c3386f90325104192 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 11 Oct 2018 16:06:50 +0200 Subject: [PATCH 032/256] enable TLS 1.3 post-handshake auth in OpenSSL Bug: https://github.com/curl/curl/pull/3027 --- 0003-curl-7.61.1-TLS-1.3-PHA.patch | 46 ++++++++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 51 insertions(+) create mode 100644 0003-curl-7.61.1-TLS-1.3-PHA.patch diff --git a/0003-curl-7.61.1-TLS-1.3-PHA.patch b/0003-curl-7.61.1-TLS-1.3-PHA.patch new file mode 100644 index 0000000..99273ac --- /dev/null +++ b/0003-curl-7.61.1-TLS-1.3-PHA.patch @@ -0,0 +1,46 @@ +From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Fri, 21 Sep 2018 10:37:43 +0200 +Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth + +OpenSSL 1.1.1 requires clients to opt-in for post-handshake +authentication. + +Fixes: https://github.com/curl/curl/issues/3026 +Signed-off-by: Christian Heimes + +Closes https://github.com/curl/curl/pull/3027 + +Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452 +Signed-off-by: Kamil Dudka +--- + lib/vtls/openssl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index a487f55..78970d1 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void) + !defined(LIBRESSL_VERSION_NUMBER) && \ + !defined(OPENSSL_IS_BORINGSSL)) + #define HAVE_SSL_CTX_SET_CIPHERSUITES ++#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH + #endif + + #if defined(LIBRESSL_VERSION_NUMBER) +@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) + } + #endif + ++#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH ++ /* OpenSSL 1.1.1 requires clients to opt-in for PHA */ ++ SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1); ++#endif ++ + #ifdef USE_TLS_SRP + if(ssl_authtype == CURL_TLSAUTH_SRP) { + char * const ssl_username = SSL_SET_OPTION(username); +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index 946836a..d3366ac 100644 --- a/curl.spec +++ b/curl.spec @@ -11,6 +11,9 @@ Patch1: 0001-curl-7.61.1-test320-gnutls.patch # update the documentation of --tlsv1.0 in curl(1) man page Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch +# enable TLS 1.3 post-handshake auth in OpenSSL +Patch3: 0003-curl-7.61.1-TLS-1.3-PHA.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -171,6 +174,7 @@ be installed. # upstream patches %patch1 -p1 %patch2 -p1 +%patch3 -p1 # Fedora patches %patch101 -p1 @@ -338,6 +342,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Oct 11 2018 Kamil Dudka - 7.61.1-3 +- enable TLS 1.3 post-handshake auth in OpenSSL - update the documentation of --tlsv1.0 in curl(1) man page * Thu Oct 04 2018 Kamil Dudka - 7.61.1-2 From 34a4d8f84827412e621e7a424df1a2341ec0c292 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 31 Oct 2018 10:49:24 +0100 Subject: [PATCH 033/256] new upstream release - 7.62.0 Resolves: CVE-2018-16839 - SASL password overflow via integer overflow Resolves: CVE-2018-16840 - use-after-free in handle close Resolves: CVE-2018-16842 - warning message out-of-buffer read --- 0001-curl-7.61.1-test320-gnutls.patch | 63 ------------------ 0002-curl-7.61.1-tlsv1.0-man.patch | 28 -------- 0003-curl-7.61.1-TLS-1.3-PHA.patch | 46 ------------- 0101-curl-7.32.0-multilib.patch | 2 +- 0102-curl-7.36.0-debug.patch | 2 +- 0103-curl-7.59.0-python3.patch | 93 ++------------------------- curl-7.61.1.tar.xz.asc | 11 ---- curl-7.62.0.tar.xz.asc | 11 ++++ curl.spec | 22 +++---- sources | 2 +- 10 files changed, 27 insertions(+), 253 deletions(-) delete mode 100644 0001-curl-7.61.1-test320-gnutls.patch delete mode 100644 0002-curl-7.61.1-tlsv1.0-man.patch delete mode 100644 0003-curl-7.61.1-TLS-1.3-PHA.patch delete mode 100644 curl-7.61.1.tar.xz.asc create mode 100644 curl-7.62.0.tar.xz.asc diff --git a/0001-curl-7.61.1-test320-gnutls.patch b/0001-curl-7.61.1-test320-gnutls.patch deleted file mode 100644 index a9cbaac..0000000 --- a/0001-curl-7.61.1-test320-gnutls.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 3cd5b375e31fb98e4782dc3a77e7316ad9eb26cf Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 4 Oct 2018 15:34:13 +0200 -Subject: [PATCH] test320: strip out more HTML when comparing - -To make the test case work with different gnutls-serv versions better. - -Reported-by: Kamil Dudka -Fixes #3093 -Closes #3094 - -Upstream-commit: 94ad57b0246b5658c2a9139dbe6a80efa4c4e2f3 -Signed-off-by: Kamil Dudka ---- - tests/data/test320 | 24 ++++-------------------- - 1 file changed, 4 insertions(+), 20 deletions(-) - -diff --git a/tests/data/test320 b/tests/data/test320 -index 457a11eb2..87311d4f2 100644 ---- a/tests/data/test320 -+++ b/tests/data/test320 -@@ -62,34 +62,18 @@ simple TLS-SRP HTTPS GET, check user in response - HTTP/1.0 200 OK - Content-type: text/html - -- -- --

This is GnuTLS

-- -- -- --
If your browser supports session resuming, then you should see the same session ID, when you press the reload button.
--

Connected as user 'jsmith'.

--

-- -- -- -- -- --

Key Exchange:SRP
CompressionNULL
CipherAES-NNN-CBC
MACSHA1
CiphersuiteSRP_SHA_AES_NNN_CBC_SHA1
--

Your HTTP header was:

Host: %HOSTIP:%HTTPTLSPORT
-+FINE
- User-Agent: curl-test-suite
- Accept: */*
- 
--

-- -- - - --s/^

Session ID:.*// -+s/^

Connected as user 'jsmith'.*/FINE/ - s/Protocol version:.*[0-9]// - s/GNUTLS/GnuTLS/ - s/(AES[-_])\d\d\d([-_]CBC)/$1NNN$2/ -+s/^<.*\n// -+s/^\n// - - - --- -2.17.1 - diff --git a/0002-curl-7.61.1-tlsv1.0-man.patch b/0002-curl-7.61.1-tlsv1.0-man.patch deleted file mode 100644 index f384366..0000000 --- a/0002-curl-7.61.1-tlsv1.0-man.patch +++ /dev/null @@ -1,28 +0,0 @@ -From c574e05b0035f0d78e6bf6040d3f80430112ab4f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 7 Sep 2018 16:50:45 +0200 -Subject: [PATCH] docs/cmdline-opts: update the documentation of --tlsv1.0 - -... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9 - -Closes #2955 - -Upstream-commit: 9ba22ce6b52751ed1e2abdd177b0a1d241819b4e -Signed-off-by: Kamil Dudka ---- - docs/cmdline-opts/tlsv1.0.d | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/docs/cmdline-opts/tlsv1.0.d b/docs/cmdline-opts/tlsv1.0.d -index 8789025e0..54e259682 100644 ---- a/docs/cmdline-opts/tlsv1.0.d -+++ b/docs/cmdline-opts/tlsv1.0.d -@@ -3,4 +3,4 @@ Help: Use TLSv1.0 - Protocols: TLS - Added: 7.34.0 - --- --Forces curl to use TLS version 1.0 when connecting to a remote TLS server. -+Forces curl to use TLS version 1.0 or later when connecting to a remote TLS server. --- -2.17.1 - diff --git a/0003-curl-7.61.1-TLS-1.3-PHA.patch b/0003-curl-7.61.1-TLS-1.3-PHA.patch deleted file mode 100644 index 99273ac..0000000 --- a/0003-curl-7.61.1-TLS-1.3-PHA.patch +++ /dev/null @@ -1,46 +0,0 @@ -From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Fri, 21 Sep 2018 10:37:43 +0200 -Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth - -OpenSSL 1.1.1 requires clients to opt-in for post-handshake -authentication. - -Fixes: https://github.com/curl/curl/issues/3026 -Signed-off-by: Christian Heimes - -Closes https://github.com/curl/curl/pull/3027 - -Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452 -Signed-off-by: Kamil Dudka ---- - lib/vtls/openssl.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index a487f55..78970d1 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void) - !defined(LIBRESSL_VERSION_NUMBER) && \ - !defined(OPENSSL_IS_BORINGSSL)) - #define HAVE_SSL_CTX_SET_CIPHERSUITES -+#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH - #endif - - #if defined(LIBRESSL_VERSION_NUMBER) -@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) - } - #endif - -+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH -+ /* OpenSSL 1.1.1 requires clients to opt-in for PHA */ -+ SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1); -+#endif -+ - #ifdef USE_TLS_SRP - if(ssl_authtype == CURL_TLSAUTH_SRP) { - char * const ssl_username = SSL_SET_OPTION(username); --- -2.17.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 532980e..613106d 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -22,7 +22,7 @@ index 150004d..95d0759 100644 ;; --prefix) -@@ -143,32 +143,17 @@ while test $# -gt 0; do +@@ -155,32 +155,17 @@ while test $# -gt 0; do ;; --libs) diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index bbb253f..495fe63 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16414,18 +16414,11 @@ $as_echo "yes" >&6; } +@@ -16421,18 +16421,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0103-curl-7.59.0-python3.patch b/0103-curl-7.59.0-python3.patch index f66b6c0..56485fe 100644 --- a/0103-curl-7.59.0-python3.patch +++ b/0103-curl-7.59.0-python3.patch @@ -1,88 +1,23 @@ -From bdba7b54224814055185513de1e7ff6619031553 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 15 Mar 2018 13:21:40 +0100 -Subject: [PATCH 1/2] tests/http_pipe.py: migrate to Python 3 - ---- - tests/http_pipe.py | 4 ++-- - tests/runtests.pl | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests/http_pipe.py b/tests/http_pipe.py -index bc32173..75ac165 100755 ---- a/tests/http_pipe.py -+++ b/tests/http_pipe.py -@@ -383,13 +383,13 @@ class PipelineRequestHandler(socketserver.BaseRequestHandler): - self.request.setblocking(True) - if not new_data: - return -- new_requests = self._request_parser.ParseAdditionalData(new_data) -+ new_requests = self._request_parser.ParseAdditionalData(new_data.decode('utf8')) - self._response_builder.QueueRequests( - new_requests, self._request_parser.were_all_requests_http_1_1) - self._num_queued += len(new_requests) - self._last_queued_time = time.time() - elif fileno in wlist: -- num_bytes_sent = self.request.send(self._send_buffer[0:4096]) -+ num_bytes_sent = self.request.send(self._send_buffer[0:4096].encode('utf8')) - self._send_buffer = self._send_buffer[num_bytes_sent:] - time.sleep(0.05) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index d6aa5ca..4d395ef 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -1439,7 +1439,7 @@ sub runhttpserver { - elsif($alt eq "pipe") { - # basically the same, but another ID - $idnum = 3; -- $exe = "python $srcdir/http_pipe.py"; -+ $exe = "python3 $srcdir/http_pipe.py"; - $verbose_flag .= "1 "; - } - elsif($alt eq "unix") { --- -2.14.3 - - From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 15 Mar 2018 14:49:56 +0100 -Subject: [PATCH 2/2] tests/{negtelnet,smb}server.py: migrate to Python 3 +Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3 Unfortunately, smbserver.py does not work with Python 3 because there is no 'impacket' module available for Python 3: https://github.com/CoreSecurity/impacket/issues/61 --- - tests/negtelnetserver.py | 12 ++++++------ - tests/smbserver.py | 4 ++-- - 2 files changed, 8 insertions(+), 8 deletions(-) + tests/negtelnetserver.py | 4 ++-- + tests/smbserver.py | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py index 8cfd409..72ee771 100755 --- a/tests/negtelnetserver.py +++ b/tests/negtelnetserver.py -@@ -23,7 +23,7 @@ IDENT = "NTEL" - - # The strings that indicate the test framework is checking our aliveness - VERIFIED_REQ = b"verifiedserver" --VERIFIED_RSP = b"WE ROOLZ: {pid}" -+VERIFIED_RSP = "WE ROOLZ: {pid}" - - - def telnetserver(options): -@@ -34,7 +34,7 @@ def telnetserver(options): - if options.pidfile: - pid = os.getpid() - with open(options.pidfile, "w") as f: -- f.write(b"{0}".format(pid)) -+ f.write("{0}".format(pid)) - - local_bind = (HOST, options.port) - log.info("Listening on %s", local_bind) @@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler): - response_data = VERIFIED_RSP.format(pid=os.getpid()) + response_data = response.encode('ascii') else: log.debug("Received normal request - echoing back") - response_data = data.strip() @@ -95,24 +30,6 @@ index 8cfd409..72ee771 100755 except IOError: log.exception("IOError hit during request") -@@ -132,7 +132,7 @@ class Negotiator(object): - return buffer - - def byte_to_int(self, byte): -- return struct.unpack(b'B', byte)[0] -+ return int(byte) - - def no_neg(self, byte, byte_int, buffer): - # Not negotiating anything thus far. Check to see if we -@@ -197,7 +197,7 @@ class Negotiator(object): - self.tcp.sendall(packed_message) - - def pack(self, arr): -- return struct.pack(b'{0}B'.format(len(arr)), *arr) -+ return struct.pack('{0}B'.format(len(arr)), *arr) - - def send_iac(self, arr): - message = [NegTokens.IAC] diff --git a/tests/smbserver.py b/tests/smbserver.py index 195ae39..b09cd44 100755 --- a/tests/smbserver.py diff --git a/curl-7.61.1.tar.xz.asc b/curl-7.61.1.tar.xz.asc deleted file mode 100644 index 6a1e664..0000000 --- a/curl-7.61.1.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAluPblgACgkQXMkI/bce -EsJynAgArST/gB9eVYIQTTAdXxCOSnArBK/Ne/UNW83QIgOawj0HvEpj9+1SNfTi -EwC5YSwymyMuKGTDLNswTnJ0MripRKylekfu1QGGzmIOkqovTiHz60xiFuWYI3vy -fYuAAse5MJz64GCVFwOM4me8SgEjtb/hIbhiCLqilOyXnqtocDm4FPCMAYQ1mTFy -RJBbwgDLwtktfBDCQyMXTeETGuk3bTrtvSwRv8+Rq8qehOt5s58Fqeztv8EVNi+B -Qzsi5NXMulgl3C0P3dN/cC81+OL75ehuE91AFXUmbNOnlYNTOxHR2dioaXaEyhKb -51KLH2D0G75wlfMbgMhX/rguuXT2rg== -=vM6i ------END PGP SIGNATURE----- diff --git a/curl-7.62.0.tar.xz.asc b/curl-7.62.0.tar.xz.asc new file mode 100644 index 0000000..230438a --- /dev/null +++ b/curl-7.62.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlvZT5wACgkQXMkI/bce +EsJG4gf+IY2RkT9d7SIBAanHOD2NeT4UtPAOVRVtpW8dD9TIJq4IKOqv8CpcCCRq +OZPJovdxM0qmXcrX2Dlf3zpPuY+bSzBW/xUYsKBBTTXhdUh5dv1Tz3HR6JzMHyT4 +hQm1mj6eFHFvayUKxoeQwiw3SkvW6WIlAySwEBzIzaE7icwvJ2dPO7xUOJWLXk/F +pDRCAuHqIIgNzNph0EKXkvLWz5poBzGaK9kpJxmeaS3aWpe0EZ4+N6ju2GfHK5jO +VQSuLWDHCZulv1eve+LOxgRjp/5kqQ/PPc3/99mEOxGRUxwCWVMEWGklAungn4bX +nBPWNGArGJq2+kMP7v5pr0onBz6wxg== +=CWQL +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index d3366ac..70e148e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,19 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.61.1 -Release: 3%{?dist} +Version: 7.62.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# test320: update expected output for gnutls-3.6.4 -Patch1: 0001-curl-7.61.1-test320-gnutls.patch - -# update the documentation of --tlsv1.0 in curl(1) man page -Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch - -# enable TLS 1.3 post-handshake auth in OpenSSL -Patch3: 0003-curl-7.61.1-TLS-1.3-PHA.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -172,9 +163,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 # Fedora patches %patch101 -p1 @@ -341,6 +329,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 31 2018 Kamil Dudka - 7.62.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2018-16839 - SASL password overflow via integer overflow + CVE-2018-16840 - use-after-free in handle close + CVE-2018-16842 - warning message out-of-buffer read + * Thu Oct 11 2018 Kamil Dudka - 7.61.1-3 - enable TLS 1.3 post-handshake auth in OpenSSL - update the documentation of --tlsv1.0 in curl(1) man page diff --git a/sources b/sources index 717a22e..f127541 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.61.1.tar.xz) = e6f82a7292c70841162480c8880d25046bcfa64058f4ff76f7d398c85da569af1c244442c9c58a3478d59264365ff8e39eed2fb564cb137118588f7862e64e9a +SHA512 (curl-7.62.0.tar.xz) = 3aace2fc85e1d5ac06a3208980f887b5f1de5e2a1460e130b15cff3f7e5700b958cbb8f296483290961ef41f550245590067f86558dbba25e3d3ac10cec1adcd From 6c95600feddc0b86189ebf037d2099ad84a94835 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 4 Oct 2018 15:40:31 +0200 Subject: [PATCH 034/256] test320: update expected output for gnutls-3.6.4 --- 0009-curl-7.59.0-test320-gnutls.patch | 63 +++++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 0009-curl-7.59.0-test320-gnutls.patch diff --git a/0009-curl-7.59.0-test320-gnutls.patch b/0009-curl-7.59.0-test320-gnutls.patch new file mode 100644 index 0000000..a9cbaac --- /dev/null +++ b/0009-curl-7.59.0-test320-gnutls.patch @@ -0,0 +1,63 @@ +From 3cd5b375e31fb98e4782dc3a77e7316ad9eb26cf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 4 Oct 2018 15:34:13 +0200 +Subject: [PATCH] test320: strip out more HTML when comparing + +To make the test case work with different gnutls-serv versions better. + +Reported-by: Kamil Dudka +Fixes #3093 +Closes #3094 + +Upstream-commit: 94ad57b0246b5658c2a9139dbe6a80efa4c4e2f3 +Signed-off-by: Kamil Dudka +--- + tests/data/test320 | 24 ++++-------------------- + 1 file changed, 4 insertions(+), 20 deletions(-) + +diff --git a/tests/data/test320 b/tests/data/test320 +index 457a11eb2..87311d4f2 100644 +--- a/tests/data/test320 ++++ b/tests/data/test320 +@@ -62,34 +62,18 @@ simple TLS-SRP HTTPS GET, check user in response + HTTP/1.0 200 OK + Content-type: text/html + +- +- +-

This is GnuTLS

+- +- +- +-
If your browser supports session resuming, then you should see the same session ID, when you press the reload button.
+-

Connected as user 'jsmith'.

+-

+- +- +- +- +- +-

Key Exchange:SRP
CompressionNULL
CipherAES-NNN-CBC
MACSHA1
CiphersuiteSRP_SHA_AES_NNN_CBC_SHA1
+-

Your HTTP header was:

Host: %HOSTIP:%HTTPTLSPORT
++FINE
+ User-Agent: curl-test-suite
+ Accept: */*
+ 
+-

+- +- + + +-s/^

Session ID:.*// ++s/^

Connected as user 'jsmith'.*/FINE/ + s/Protocol version:.*[0-9]// + s/GNUTLS/GnuTLS/ + s/(AES[-_])\d\d\d([-_]CBC)/$1NNN$2/ ++s/^<.*\n// ++s/^\n// + + + +-- +2.17.1 + diff --git a/curl.spec b/curl.spec index b7041ad..f031f2e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -29,6 +29,9 @@ Patch7: 0007-curl-7.61.0-libssh.patch # fix NTLM password overflow via integer overflow (CVE-2018-14618) Patch8: 0008-curl-7.59.0-CVE-2018-14618.patch +# test320: update expected output for gnutls-3.6.4 +Patch9: 0009-curl-7.59.0-test320-gnutls.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -187,6 +190,7 @@ be installed. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 # Fedora patches %patch101 -p1 @@ -333,6 +337,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 01 2018 Kamil Dudka - 7.59.0-8 +- test320: update expected output for gnutls-3.6.4 + * Wed Sep 05 2018 Kamil Dudka - 7.59.0-7 - fix NTLM password overflow via integer overflow (CVE-2018-14618) - tests: make ssh-keygen always produce PEM format (#1622594) From 796d905297bafdca5ff3bbfb51bf57620b48227d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 1 Nov 2018 09:45:48 +0100 Subject: [PATCH 035/256] Resolves: CVE-2018-16842 - fix bad arethmetic when outputting warnings to stderr Use `git apply` to apply the patch because `patch` would fail with: File tests/data/test2080: git binary diffs are not supported. --- 0010-curl-7.59.0-CVE-2018-16842.patch | 78 +++++++++++++++++++++++++++ curl.spec | 7 +++ 2 files changed, 85 insertions(+) create mode 100644 0010-curl-7.59.0-CVE-2018-16842.patch diff --git a/0010-curl-7.59.0-CVE-2018-16842.patch b/0010-curl-7.59.0-CVE-2018-16842.patch new file mode 100644 index 0000000..6903ad6 --- /dev/null +++ b/0010-curl-7.59.0-CVE-2018-16842.patch @@ -0,0 +1,78 @@ +From 27d6c92acdac671ddf8f77f72956b2181561f774 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 28 Oct 2018 01:33:23 +0200 +Subject: [PATCH 1/2] voutf: fix bad arethmetic when outputting warnings to + stderr + +CVE-2018-16842 +Reported-by: Brian Carpenter +Bug: https://curl.haxx.se/docs/CVE-2018-16842.html + +Upstream-commit: d530e92f59ae9bb2d47066c3c460b25d2ffeb211 +Signed-off-by: Kamil Dudka +--- + src/tool_msgs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tool_msgs.c b/src/tool_msgs.c +index 9cce806..05bec39 100644 +--- a/src/tool_msgs.c ++++ b/src/tool_msgs.c +@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config, + (void)fwrite(ptr, cut + 1, 1, config->errors); + fputs("\n", config->errors); + ptr += cut + 1; /* skip the space too */ +- len -= cut; ++ len -= cut + 1; + } + else { + fputs(ptr, config->errors); +-- +2.17.2 + + +From 23f8c641b02e6c302d0e8cc5a5ee225a33b01f28 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 28 Oct 2018 10:43:57 +0100 +Subject: [PATCH 2/2] test2080: verify the fix for CVE-2018-16842 + +Upstream-commit: 350306e4726b71b5b386fc30e3fecc039a807157 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 3 ++- + tests/data/test2080 | Bin 0 -> 20659 bytes + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test2080 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index e045748..aa5fff0 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -194,4 +194,5 @@ test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \ + test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \ + test2064 test2065 test2066 test2067 test2068 test2069 \ + \ +-test2070 test2071 test2072 test2073 ++test2070 test2071 test2072 test2073 \ ++test2080 +diff --git a/tests/data/test2080 b/tests/data/test2080 +new file mode 100644 +index 0000000000000000000000000000000000000000..47e376ecb5d7879c0a98e392bff48ccc52e9db0a +GIT binary patch +literal 20659 +zcmeI)Pj3@35QkyT{uI*`iBshYE(n>u@JB+F3kdG+t~asjwJY0gl}``eO+)FONU8ef +zl6Ca+%A4K8~qdz +zd{+G6l*#ToY+DU||F9%J1n*+KPxQ;7MapuoQ!&MMQSXmpqMh0_yS6g=;N;HNjilBk +zY$c?)mULZxib{;$g~jw~nrs|8b@sJI)_QmS_4(WLrNld}2Y0LEO$e>m->_NA&o$n! +z9^YDZ>cvMs2q1s}0tg_000PG)@a?$9VHyMwKmY**5I_I{1Q0m1z~!MEP#*yV5I_I{ +z1Q0*~0R#|0009ILKmY**4ldvh-hl=PAb-+Xw`j-8D +zzg+g?Rt8(G*s;1Sb>n1S94H%G - 7.59.0-8 +- fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842) - test320: update expected output for gnutls-3.6.4 * Wed Sep 05 2018 Kamil Dudka - 7.59.0-7 From 00c5d944d93e5ca4efc1776ec1419f79c1cb05f7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 1 Nov 2018 09:59:22 +0100 Subject: [PATCH 036/256] Resolves: CVE-2018-16840 - fix use-after-free in handle close --- 0011-curl-7.59.0-CVE-2018-16840.patch | 39 +++++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 44 insertions(+) create mode 100644 0011-curl-7.59.0-CVE-2018-16840.patch diff --git a/0011-curl-7.59.0-CVE-2018-16840.patch b/0011-curl-7.59.0-CVE-2018-16840.patch new file mode 100644 index 0000000..43f5eb2 --- /dev/null +++ b/0011-curl-7.59.0-CVE-2018-16840.patch @@ -0,0 +1,39 @@ +From 235f209a0e62edee654be441a50bb0c154edeaa5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 18 Oct 2018 15:07:15 +0200 +Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid + use-after-free + +Regression from b46cfbc068 (7.59.0) +CVE-2018-16840 +Reported-by: Brian Carpenter (Geeknik Labs) + +Bug: https://curl.haxx.se/docs/CVE-2018-16840.html + +Upstream-commit: 81d135d67155c5295b1033679c606165d4e28f3f +Signed-off-by: Kamil Dudka +--- + lib/url.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index f159008..dcc1ecc 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -320,10 +320,12 @@ CURLcode Curl_close(struct Curl_easy *data) + and detach this handle from there. */ + curl_multi_remove_handle(data->multi, data); + +- if(data->multi_easy) ++ if(data->multi_easy) { + /* when curl_easy_perform() is used, it creates its own multi handle to + use and this is the one */ + curl_multi_cleanup(data->multi_easy); ++ data->multi_easy = NULL; ++ } + + /* Destroy the timeout list that is held in the easy handle. It is + /normally/ done by curl_multi_remove_handle() but this is "just in +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index 43e035e..6cd55a8 100644 --- a/curl.spec +++ b/curl.spec @@ -37,6 +37,9 @@ Patch10: 0010-curl-7.59.0-CVE-2018-16842.patch # we need `git apply` to apply this patch BuildRequires: git +# fix use-after-free in handle close (CVE-2018-16840) +Patch11: 0011-curl-7.59.0-CVE-2018-16840.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -197,6 +200,7 @@ be installed. %patch8 -p1 %patch9 -p1 git apply %{PATCH10} +%patch11 -p1 # Fedora patches %patch101 -p1 @@ -344,6 +348,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Nov 01 2018 Kamil Dudka - 7.59.0-8 +- fix use-after-free in handle close (CVE-2018-16840) - fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842) - test320: update expected output for gnutls-3.6.4 From a1bd4f84de03b8d4f0f1c65acba7914cd9c601ce Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 1 Nov 2018 10:07:35 +0100 Subject: [PATCH 037/256] Resolves: CVE-2018-16839 - SASL password overflow via integer overflow --- 0012-curl-7.59.0-CVE-2018-16839.patch | 136 ++++++++++++++++++++++++++ curl.spec | 5 + 2 files changed, 141 insertions(+) create mode 100644 0012-curl-7.59.0-CVE-2018-16839.patch diff --git a/0012-curl-7.59.0-CVE-2018-16839.patch b/0012-curl-7.59.0-CVE-2018-16839.patch new file mode 100644 index 0000000..5570f44 --- /dev/null +++ b/0012-curl-7.59.0-CVE-2018-16839.patch @@ -0,0 +1,136 @@ +From 4df8ff21144236497fc92521d79fbca2dc079686 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 20 Mar 2018 15:15:14 +0100 +Subject: [PATCH 1/2] vauth/cleartext: fix integer overflow check + +Make the integer overflow check not rely on the undefined behavior that +a size_t wraps around on overflow. + +Detected by lgtm.com +Closes #2408 + +Upstream-commit: c1366571b609407cf0d4d9f4a2769d29e1313151 +Signed-off-by: Kamil Dudka +--- + lib/curl_ntlm_core.c | 11 +---------- + lib/curl_setup.h | 9 +++++++++ + lib/vauth/cleartext.c | 14 ++++---------- + 3 files changed, 14 insertions(+), 20 deletions(-) + +diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c +index e5c785d..b69c293 100644 +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -143,15 +143,6 @@ + #define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00" + #define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4) + +-#ifndef SIZE_T_MAX +-/* some limits.h headers have this defined, some don't */ +-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) +-#define SIZE_T_MAX 18446744073709551615U +-#else +-#define SIZE_T_MAX 4294967295U +-#endif +-#endif +- + /* + * Turns a 56-bit key into being 64-bit wide. + */ +diff --git a/lib/curl_setup.h b/lib/curl_setup.h +index f128696..e4503c6 100644 +--- a/lib/curl_setup.h ++++ b/lib/curl_setup.h +@@ -447,6 +447,15 @@ + # endif + #endif + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ ++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) ++#define SIZE_T_MAX 18446744073709551615U ++#else ++#define SIZE_T_MAX 4294967295U ++#endif ++#endif ++ + /* + * Arg 2 type for gethostname in case it hasn't been defined in config file. + */ +diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c +index a761ae7..5d61ce6 100644 +--- a/lib/vauth/cleartext.c ++++ b/lib/vauth/cleartext.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, + ulen = strlen(userp); + plen = strlen(passwdp); + +- /* Compute binary message length, checking for overflows. */ +- plainlen = 2 * ulen; +- if(plainlen < ulen) +- return CURLE_OUT_OF_MEMORY; +- plainlen += plen; +- if(plainlen < plen) +- return CURLE_OUT_OF_MEMORY; +- plainlen += 2; +- if(plainlen < 2) ++ /* Compute binary message length. Check for overflows. */ ++ if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) + return CURLE_OUT_OF_MEMORY; ++ plainlen = 2 * ulen + plen + 2; + + plainauth = malloc(plainlen); + if(!plainauth) +-- +2.17.2 + + +From ad9943254ded9a983af7d581e8a1f3317e8a8781 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 28 Sep 2018 16:08:16 +0200 +Subject: [PATCH 2/2] Curl_auth_create_plain_message: fix too-large-input-check + +CVE-2018-16839 +Reported-by: Harry Sintonen +Bug: https://curl.haxx.se/docs/CVE-2018-16839.html + +Upstream-commit: f3a24d7916b9173c69a3e0ee790102993833d6c5 +Signed-off-by: Kamil Dudka +--- + lib/vauth/cleartext.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c +index 5d61ce6..1367143 100644 +--- a/lib/vauth/cleartext.c ++++ b/lib/vauth/cleartext.c +@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, + plen = strlen(passwdp); + + /* Compute binary message length. Check for overflows. */ +- if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) ++ if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) + return CURLE_OUT_OF_MEMORY; + plainlen = 2 * ulen + plen + 2; + +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index 6cd55a8..d26bec3 100644 --- a/curl.spec +++ b/curl.spec @@ -40,6 +40,9 @@ BuildRequires: git # fix use-after-free in handle close (CVE-2018-16840) Patch11: 0011-curl-7.59.0-CVE-2018-16840.patch +# SASL password overflow via integer overflow (CVE-2018-16839) +Patch12: 0012-curl-7.59.0-CVE-2018-16839.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -201,6 +204,7 @@ be installed. %patch9 -p1 git apply %{PATCH10} %patch11 -p1 +%patch12 -p1 # Fedora patches %patch101 -p1 @@ -348,6 +352,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Nov 01 2018 Kamil Dudka - 7.59.0-8 +- SASL password overflow via integer overflow (CVE-2018-16839) - fix use-after-free in handle close (CVE-2018-16840) - fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842) - test320: update expected output for gnutls-3.6.4 From 58646f29ccd62a0703ed6cd56ca854328ca0b817 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 15 Nov 2018 15:32:09 +0100 Subject: [PATCH 038/256] Resolves: CVE-2018-16842 - make the patch for CVE-2018-16842 apply properly `git apply` fails silently unless `git init` is invoked first. --- curl.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index d26bec3..337ec68 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 8%{?dist} +Release: 9%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -202,6 +202,7 @@ be installed. %patch7 -p1 %patch8 -p1 %patch9 -p1 +git init git apply %{PATCH10} %patch11 -p1 %patch12 -p1 @@ -351,6 +352,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 15 2018 Kamil Dudka - 7.59.0-9 +- make the patch for CVE-2018-16842 apply properly (CVE-2018-16842) + * Thu Nov 01 2018 Kamil Dudka - 7.59.0-8 - SASL password overflow via integer overflow (CVE-2018-16839) - fix use-after-free in handle close (CVE-2018-16840) From a94ce82de00deaf7134abcceb2ff0c94de4e7be3 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 12 Dec 2018 09:45:07 +0100 Subject: [PATCH 039/256] new upstream release - 7.63.0 --- 0102-curl-7.36.0-debug.patch | 2 +- curl-7.62.0.tar.xz.asc | 11 ----------- curl-7.63.0.tar.xz.asc | 11 +++++++++++ curl.spec | 5 ++++- sources | 2 +- 5 files changed, 17 insertions(+), 14 deletions(-) delete mode 100644 curl-7.62.0.tar.xz.asc create mode 100644 curl-7.63.0.tar.xz.asc diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 495fe63..60de5b3 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16421,18 +16421,11 @@ $as_echo "yes" >&6; } +@@ -16415,18 +16415,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/curl-7.62.0.tar.xz.asc b/curl-7.62.0.tar.xz.asc deleted file mode 100644 index 230438a..0000000 --- a/curl-7.62.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlvZT5wACgkQXMkI/bce -EsJG4gf+IY2RkT9d7SIBAanHOD2NeT4UtPAOVRVtpW8dD9TIJq4IKOqv8CpcCCRq -OZPJovdxM0qmXcrX2Dlf3zpPuY+bSzBW/xUYsKBBTTXhdUh5dv1Tz3HR6JzMHyT4 -hQm1mj6eFHFvayUKxoeQwiw3SkvW6WIlAySwEBzIzaE7icwvJ2dPO7xUOJWLXk/F -pDRCAuHqIIgNzNph0EKXkvLWz5poBzGaK9kpJxmeaS3aWpe0EZ4+N6ju2GfHK5jO -VQSuLWDHCZulv1eve+LOxgRjp/5kqQ/PPc3/99mEOxGRUxwCWVMEWGklAungn4bX -nBPWNGArGJq2+kMP7v5pr0onBz6wxg== -=CWQL ------END PGP SIGNATURE----- diff --git a/curl-7.63.0.tar.xz.asc b/curl-7.63.0.tar.xz.asc new file mode 100644 index 0000000..1dd44ac --- /dev/null +++ b/curl-7.63.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlwQtYIACgkQXMkI/bce +EsKPHgf/RhfKPvl1Q8ftuEOXakF/ZIvINukj49vOMFmfQRHfmGWh5ajaGj0qVF6x +U5HtrDoFOP5m74tj6jrzr2Ala/HGeyZmiTWwRLMgu+Tvq4djIv2pzZUJpgawJS52 +LCb2DUS2F+E1AsZQYvyliYA+r2FO2RRX1kbwdu+0RyuFy5WmWwkI02VahAIYV48o +44IqtXshxfSAlfEqQ8MgXtU1KW0SWtfKVP2HpsurugjGyknoXxHP7yoDMgDAkMk0 +fNYyPDZbUXXN+6Oyo4Xh8rz4dpVLBkIoCZb4WG2pFZSrfP2+FTL5/vRo/tUyjFfv +2LHmDUOOFH3VMwMYlnMCgaaXG7/jtg== +=TkSP +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 70e148e..b39182e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.62.0 +Version: 7.63.0 Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -329,6 +329,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 12 2018 Kamil Dudka - 7.63.0-1 +- new upstream release + * Wed Oct 31 2018 Kamil Dudka - 7.62.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2018-16839 - SASL password overflow via integer overflow diff --git a/sources b/sources index f127541..c40ff26 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.62.0.tar.xz) = 3aace2fc85e1d5ac06a3208980f887b5f1de5e2a1460e130b15cff3f7e5700b958cbb8f296483290961ef41f550245590067f86558dbba25e3d3ac10cec1adcd +SHA512 (curl-7.63.0.tar.xz) = c905eb157c6b0093f1b1a506e4782b83af423fd6de1ce0ab5372164a686ef292ffb10d7999d3dec2de602f63ee41b65e1a1008409dd8c959a597644c0ecb395b From c91c27bce90e913a6fdfd4cb42172496d0e264a8 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 12 Dec 2018 14:39:00 +0100 Subject: [PATCH 040/256] libtest: avoid symbol lookup error in libstubgss.so --- 0105-curl-7.63.0-libstubgss-ldadd.patch | 25 +++++++++++++++++++++++++ curl.spec | 4 ++++ 2 files changed, 29 insertions(+) create mode 100644 0105-curl-7.63.0-libstubgss-ldadd.patch diff --git a/0105-curl-7.63.0-libstubgss-ldadd.patch b/0105-curl-7.63.0-libstubgss-ldadd.patch new file mode 100644 index 0000000..e87b05b --- /dev/null +++ b/0105-curl-7.63.0-libstubgss-ldadd.patch @@ -0,0 +1,25 @@ +From d8a3bdce7a43cb777866c34d3dabf908254e516d Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 12 Dec 2018 14:25:32 +0100 +Subject: [PATCH] libtest: avoid symbol lookup error in libstubgss.so + +--- + tests/libtest/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/libtest/Makefile.am b/tests/libtest/Makefile.am +index 56c84a7..117b79f 100644 +--- a/tests/libtest/Makefile.am ++++ b/tests/libtest/Makefile.am +@@ -123,7 +123,7 @@ libstubgss_la_CFLAGS = $(AM_CFLAGS) -g + + libstubgss_la_SOURCES = stub_gssapi.c stub_gssapi.h + +-libstubgss_la_LIBADD = ++libstubgss_la_LIBADD = $(top_builddir)/lib/libcurl.la + libstubgss_la_DEPENDENCIES = + endif + +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index b39182e..e77d447 100644 --- a/curl.spec +++ b/curl.spec @@ -17,6 +17,9 @@ Patch103: 0103-curl-7.59.0-python3.patch # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch +# libtest: avoid symbol lookup error in libstubgss.so +Patch105: 0105-curl-7.63.0-libstubgss-ldadd.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.haxx.se/ @@ -169,6 +172,7 @@ be installed. %patch102 -p1 %patch103 -p1 %patch104 -p1 +%patch105 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py From c30a9c7fdb343528c29e503b626dc566fa4deb9e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 14 Dec 2018 11:21:54 +0100 Subject: [PATCH 041/256] Resolves: #1659329 - revert an upstream commit that broke `fedpkg new-sources` --- 0001-curl-7.62.0-http-post-negotiate.patch | 72 ++++++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.62.0-http-post-negotiate.patch diff --git a/0001-curl-7.62.0-http-post-negotiate.patch b/0001-curl-7.62.0-http-post-negotiate.patch new file mode 100644 index 0000000..a391183 --- /dev/null +++ b/0001-curl-7.62.0-http-post-negotiate.patch @@ -0,0 +1,72 @@ +From be7395e31ae884cfaf87056f400130e3321767b3 Mon Sep 17 00:00:00 2001 +From: Elia Tufarolo +Date: Tue, 13 Nov 2018 18:30:56 +0100 +Subject: [PATCH] http_negotiate: do not close connection until negotiation is + completed + +Fix HTTP POST using CURLAUTH_NEGOTIATE. + +Closes #3275 + +Upstream-commit: 07ebaf837843124ee670e5b8c218b80b92e06e47 +Signed-off-by: Kamil Dudka +--- + lib/http.c | 1 - + lib/http_negotiate.c | 8 ++++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lib/http.c b/lib/http.c +index 46ac15a6e..afc919b09 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -610,7 +610,6 @@ output_auth_headers(struct connectdata *conn, + result = Curl_output_negotiate(conn, proxy); + if(result) + return result; +- authstatus->done = TRUE; + negdata->state = GSS_AUTHSENT; + } + else +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index ddcd65b3b..444265d11 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -49,6 +49,7 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, + + /* Point to the correct struct with this */ + struct negotiatedata *neg_ctx; ++ struct auth *authp; + + if(proxy) { + userp = conn->http_proxy.user; +@@ -57,6 +58,7 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, + data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP"; + host = conn->http_proxy.host.name; + neg_ctx = &data->state.proxyneg; ++ authp = &conn->data->state.authproxy; + } + else { + userp = conn->user; +@@ -65,6 +67,7 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, + data->set.str[STRING_SERVICE_NAME] : "HTTP"; + host = conn->host.name; + neg_ctx = &data->state.negotiate; ++ authp = &conn->data->state.authhost; + } + + /* Not set means empty */ +@@ -95,6 +98,11 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, + + if(result) + Curl_auth_spnego_cleanup(neg_ctx); ++ else ++ /* If the status is different than 0 and we encountered no errors ++ it means we have to continue. 0 is the OK value for both GSSAPI ++ (GSS_S_COMPLETE) and SSPI (SEC_E_OK) */ ++ authp->done = !neg_ctx->status; + + return result; + } +-- +2.20.0 + diff --git a/curl.spec b/curl.spec index e77d447..3237389 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.63.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# revert an upstream commit that broke `fedpkg new-sources` (#1659329) +Patch1: 0001-curl-7.62.0-http-post-negotiate.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -164,6 +167,7 @@ be installed. %prep %setup -q +%patch1 -p1 -R # upstream patches @@ -333,6 +337,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Dec 14 2018 Kamil Dudka - 7.63.0-2 +- revert an upstream commit that broke `fedpkg new-sources` (#1659329) + * Wed Dec 12 2018 Kamil Dudka - 7.63.0-1 - new upstream release From 49f5a42f9621baf874c9387c2b6e8d13e8f7868e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 19 Dec 2018 13:42:58 +0100 Subject: [PATCH 042/256] Resolves: #1658574 - curl -J: do not append to the destination file --- 0007-curl-7.63.0-JO-preserve-local-file.patch | 115 ++++++++++++++++++ curl.spec | 11 +- 2 files changed, 125 insertions(+), 1 deletion(-) create mode 100644 0007-curl-7.63.0-JO-preserve-local-file.patch diff --git a/0007-curl-7.63.0-JO-preserve-local-file.patch b/0007-curl-7.63.0-JO-preserve-local-file.patch new file mode 100644 index 0000000..12ac53e --- /dev/null +++ b/0007-curl-7.63.0-JO-preserve-local-file.patch @@ -0,0 +1,115 @@ +From ff74657fb645e7175971128a171ef7d5ece40d77 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 17 Dec 2018 12:51:51 +0100 +Subject: [PATCH] curl -J: do not append to the destination file + +Reported-by: Kamil Dudka +Fixes #3380 +Closes #3381 + +Upstream-commit: 4849267197682e69cfa056c2bd7a44acd123a917 +Signed-off-by: Kamil Dudka +--- + src/tool_cb_hdr.c | 6 +++--- + src/tool_cb_wrt.c | 9 ++++----- + src/tool_cb_wrt.h | 2 +- + src/tool_operate.c | 2 +- + 4 files changed, 9 insertions(+), 10 deletions(-) + +diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c +index 84b0d9c..3844904 100644 +--- a/src/tool_cb_hdr.c ++++ b/src/tool_cb_hdr.c +@@ -157,12 +157,12 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata) + outs->filename = filename; + outs->alloc_filename = TRUE; + hdrcbdata->honor_cd_filename = FALSE; /* done now! */ +- if(!tool_create_output_file(outs, TRUE)) ++ if(!tool_create_output_file(outs)) + return failure; + } + break; + } +- if(!outs->stream && !tool_create_output_file(outs, FALSE)) ++ if(!outs->stream && !tool_create_output_file(outs)) + return failure; + } + +@@ -172,7 +172,7 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata) + /* bold headers only for selected protocols */ + char *value = NULL; + +- if(!outs->stream && !tool_create_output_file(outs, FALSE)) ++ if(!outs->stream && !tool_create_output_file(outs)) + return failure; + + if(hdrcbdata->global->isatty && hdrcbdata->global->styled_output) +diff --git a/src/tool_cb_wrt.c b/src/tool_cb_wrt.c +index 2cb5e1b..195d6e7 100644 +--- a/src/tool_cb_wrt.c ++++ b/src/tool_cb_wrt.c +@@ -32,8 +32,7 @@ + #include "memdebug.h" /* keep this as LAST include */ + + /* create a local file for writing, return TRUE on success */ +-bool tool_create_output_file(struct OutStruct *outs, +- bool append) ++bool tool_create_output_file(struct OutStruct *outs) + { + struct GlobalConfig *global = outs->config->global; + FILE *file; +@@ -43,7 +42,7 @@ bool tool_create_output_file(struct OutStruct *outs, + return FALSE; + } + +- if(outs->is_cd_filename && !append) { ++ if(outs->is_cd_filename) { + /* don't overwrite existing files */ + file = fopen(outs->filename, "rb"); + if(file) { +@@ -55,7 +54,7 @@ bool tool_create_output_file(struct OutStruct *outs, + } + + /* open file for writing */ +- file = fopen(outs->filename, append?"ab":"wb"); ++ file = fopen(outs->filename, "wb"); + if(!file) { + warnf(global, "Failed to create the file %s: %s\n", outs->filename, + strerror(errno)); +@@ -142,7 +141,7 @@ size_t tool_write_cb(char *buffer, size_t sz, size_t nmemb, void *userdata) + } + #endif + +- if(!outs->stream && !tool_create_output_file(outs, FALSE)) ++ if(!outs->stream && !tool_create_output_file(outs)) + return failure; + + if(is_tty && (outs->bytes < 2000) && !config->terminal_binary_ok) { +diff --git a/src/tool_cb_wrt.h b/src/tool_cb_wrt.h +index 51e002b..188d3ea 100644 +--- a/src/tool_cb_wrt.h ++++ b/src/tool_cb_wrt.h +@@ -30,6 +30,6 @@ + size_t tool_write_cb(char *buffer, size_t sz, size_t nmemb, void *userdata); + + /* create a local file for writing, return TRUE on success */ +-bool tool_create_output_file(struct OutStruct *outs, bool append); ++bool tool_create_output_file(struct OutStruct *outs); + + #endif /* HEADER_CURL_TOOL_CB_WRT_H */ +diff --git a/src/tool_operate.c b/src/tool_operate.c +index e53a9d8..429e9cf 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -1583,7 +1583,7 @@ static CURLcode operate_do(struct GlobalConfig *global, + /* do not create (or even overwrite) the file in case we get no + data because of unmet condition */ + curl_easy_getinfo(curl, CURLINFO_CONDITION_UNMET, &cond_unmet); +- if(!cond_unmet && !tool_create_output_file(&outs, FALSE)) ++ if(!cond_unmet && !tool_create_output_file(&outs)) + result = CURLE_WRITE_ERROR; + } + +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index 3237389..aaa75a4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,16 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.63.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz # revert an upstream commit that broke `fedpkg new-sources` (#1659329) Patch1: 0001-curl-7.62.0-http-post-negotiate.patch +# curl -J: do not append to the destination file (#1658574) +Patch7: 0007-curl-7.63.0-JO-preserve-local-file.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -167,9 +170,12 @@ be installed. %prep %setup -q + +# upstream patches to revert %patch1 -p1 -R # upstream patches +%patch7 -p1 # Fedora patches %patch101 -p1 @@ -337,6 +343,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 19 2018 Kamil Dudka - 7.63.0-3 +- curl -J: do not append to the destination file (#1658574) + * Fri Dec 14 2018 Kamil Dudka - 7.63.0-2 - revert an upstream commit that broke `fedpkg new-sources` (#1659329) From 32b0144f200134a2eee3b466e79f9f6488463541 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 4 Jan 2019 14:18:26 +0100 Subject: [PATCH 043/256] replace 0105-curl-7.63.0-libstubgss-ldadd.patch by upstream patch --- ...-7.62.0-libtest-stub_gssapi-snprintf.patch | 63 +++++++++++++++++++ 0105-curl-7.63.0-libstubgss-ldadd.patch | 25 -------- curl.spec | 13 ++-- 3 files changed, 71 insertions(+), 30 deletions(-) create mode 100644 0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch delete mode 100644 0105-curl-7.63.0-libstubgss-ldadd.patch diff --git a/0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch b/0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch new file mode 100644 index 0000000..22868c4 --- /dev/null +++ b/0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch @@ -0,0 +1,63 @@ +From 510ab52ed43589d96f0fab338eb6286940a29a78 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 3 Jan 2019 12:00:58 +0100 +Subject: [PATCH] libtest/stub_gssapi: use "real" snprintf + +... since it doesn't link with libcurl. + +Reverts the commit dcd6f81025 changes from this file. + +Bug: https://curl.haxx.se/mail/lib-2019-01/0000.html +Reported-by: Shlomi Fish +Reviewed-by: Daniel Gustafsson +Reviewed-by: Kamil Dudka + +Closes #3434 + +Upstream-commit: c7c362a24c0247644f9fde05e8ea353af4a94b04 +Signed-off-by: Kamil Dudka +--- + tests/libtest/stub_gssapi.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/tests/libtest/stub_gssapi.c b/tests/libtest/stub_gssapi.c +index 254a01b31..377b75452 100644 +--- a/tests/libtest/stub_gssapi.c ++++ b/tests/libtest/stub_gssapi.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 2017-2018, Daniel Stenberg, , et al. ++ * Copyright (C) 2017-2019, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -28,10 +28,7 @@ + + #include "stub_gssapi.h" + +-#define ENABLE_CURLX_PRINTF +-/* make the curlx header define all printf() functions to use the curlx_* +- versions instead */ +-#include "curlx.h" /* from the private lib dir */ ++/* !checksrc! disable SNPRINTF all */ + + #define MAX_CREDS_LENGTH 250 + #define APPROX_TOKEN_LEN 250 +@@ -207,8 +204,10 @@ OM_uint32 gss_init_sec_context(OM_uint32 *min, + } + + /* Token format: creds:target:type:padding */ +- used = msnprintf(token, length, "%s:%s:%d:", creds, +- (char *) target_name, ctx->sent); ++ /* Note: this is using the *real* snprintf() and not the curl provided ++ one */ ++ used = snprintf(token, length, "%s:%s:%d:", creds, ++ (char *) target_name, ctx->sent); + + if(used >= length) { + free(token); +-- +2.17.2 + diff --git a/0105-curl-7.63.0-libstubgss-ldadd.patch b/0105-curl-7.63.0-libstubgss-ldadd.patch deleted file mode 100644 index e87b05b..0000000 --- a/0105-curl-7.63.0-libstubgss-ldadd.patch +++ /dev/null @@ -1,25 +0,0 @@ -From d8a3bdce7a43cb777866c34d3dabf908254e516d Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 12 Dec 2018 14:25:32 +0100 -Subject: [PATCH] libtest: avoid symbol lookup error in libstubgss.so - ---- - tests/libtest/Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/libtest/Makefile.am b/tests/libtest/Makefile.am -index 56c84a7..117b79f 100644 ---- a/tests/libtest/Makefile.am -+++ b/tests/libtest/Makefile.am -@@ -123,7 +123,7 @@ libstubgss_la_CFLAGS = $(AM_CFLAGS) -g - - libstubgss_la_SOURCES = stub_gssapi.c stub_gssapi.h - --libstubgss_la_LIBADD = -+libstubgss_la_LIBADD = $(top_builddir)/lib/libcurl.la - libstubgss_la_DEPENDENCIES = - endif - --- -2.17.2 - diff --git a/curl.spec b/curl.spec index aaa75a4..fc60ce6 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,16 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.63.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz # revert an upstream commit that broke `fedpkg new-sources` (#1659329) Patch1: 0001-curl-7.62.0-http-post-negotiate.patch +# libtest: avoid symbol lookup error in libstubgss.so +Patch2: 0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch + # curl -J: do not append to the destination file (#1658574) Patch7: 0007-curl-7.63.0-JO-preserve-local-file.patch @@ -23,9 +26,6 @@ Patch103: 0103-curl-7.59.0-python3.patch # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch -# libtest: avoid symbol lookup error in libstubgss.so -Patch105: 0105-curl-7.63.0-libstubgss-ldadd.patch - Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.haxx.se/ @@ -175,6 +175,7 @@ be installed. %patch1 -p1 -R # upstream patches +%patch2 -p1 %patch7 -p1 # Fedora patches @@ -182,7 +183,6 @@ be installed. %patch102 -p1 %patch103 -p1 %patch104 -p1 -%patch105 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -343,6 +343,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jan 04 2019 Kamil Dudka - 7.63.0-4 +- replace 0105-curl-7.63.0-libstubgss-ldadd.patch by upstream patch + * Wed Dec 19 2018 Kamil Dudka - 7.63.0-3 - curl -J: do not append to the destination file (#1658574) From da8449decdcb41b4b6d51b44e3eae06f831e4327 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 7 Jan 2019 12:39:58 +0100 Subject: [PATCH 044/256] replace 0001-curl-7.62.0-http-post-negotiate.patch by upstream patch --- 0001-curl-7.62.0-http-post-negotiate.patch | 75 ++++++++++++++-------- curl.spec | 4 +- 2 files changed, 49 insertions(+), 30 deletions(-) diff --git a/0001-curl-7.62.0-http-post-negotiate.patch b/0001-curl-7.62.0-http-post-negotiate.patch index a391183..4bb3f0d 100644 --- a/0001-curl-7.62.0-http-post-negotiate.patch +++ b/0001-curl-7.62.0-http-post-negotiate.patch @@ -1,69 +1,90 @@ -From be7395e31ae884cfaf87056f400130e3321767b3 Mon Sep 17 00:00:00 2001 -From: Elia Tufarolo -Date: Tue, 13 Nov 2018 18:30:56 +0100 -Subject: [PATCH] http_negotiate: do not close connection until negotiation is - completed +From 46fe12fc1d35b8d2484811b9359f0de72114dee4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 4 Jan 2019 23:34:50 +0100 +Subject: [PATCH] Revert "http_negotiate: do not close connection until + negotiation is completed" -Fix HTTP POST using CURLAUTH_NEGOTIATE. +This reverts commit 07ebaf837843124ee670e5b8c218b80b92e06e47. -Closes #3275 +This also reopens PR #3275 which brought the change now reverted. -Upstream-commit: 07ebaf837843124ee670e5b8c218b80b92e06e47 +Fixes #3384 +Closes #3439 + +Upstream-commit: ebe658c1e5a6577178981a7f406794699305be5c Signed-off-by: Kamil Dudka --- - lib/http.c | 1 - - lib/http_negotiate.c | 8 ++++++++ - 2 files changed, 8 insertions(+), 1 deletion(-) + lib/http.c | 3 ++- + lib/http_negotiate.c | 10 +--------- + 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/lib/http.c b/lib/http.c -index 46ac15a6e..afc919b09 100644 +index 8866fdf0a..303535af6 100644 --- a/lib/http.c +++ b/lib/http.c -@@ -610,7 +610,6 @@ output_auth_headers(struct connectdata *conn, +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -616,6 +616,7 @@ output_auth_headers(struct connectdata *conn, result = Curl_output_negotiate(conn, proxy); if(result) return result; -- authstatus->done = TRUE; ++ authstatus->done = TRUE; negdata->state = GSS_AUTHSENT; } else diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c -index ddcd65b3b..444265d11 100644 +index 444265d11..4713d1bd5 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c -@@ -49,6 +49,7 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -49,7 +49,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, /* Point to the correct struct with this */ struct negotiatedata *neg_ctx; -+ struct auth *authp; +- struct auth *authp; if(proxy) { userp = conn->http_proxy.user; -@@ -57,6 +58,7 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, +@@ -58,7 +57,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP"; host = conn->http_proxy.host.name; neg_ctx = &data->state.proxyneg; -+ authp = &conn->data->state.authproxy; +- authp = &conn->data->state.authproxy; } else { userp = conn->user; -@@ -65,6 +67,7 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, +@@ -67,7 +65,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, data->set.str[STRING_SERVICE_NAME] : "HTTP"; host = conn->host.name; neg_ctx = &data->state.negotiate; -+ authp = &conn->data->state.authhost; +- authp = &conn->data->state.authhost; } /* Not set means empty */ -@@ -95,6 +98,11 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, +@@ -98,11 +95,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, if(result) Curl_auth_spnego_cleanup(neg_ctx); -+ else -+ /* If the status is different than 0 and we encountered no errors -+ it means we have to continue. 0 is the OK value for both GSSAPI -+ (GSS_S_COMPLETE) and SSPI (SEC_E_OK) */ -+ authp->done = !neg_ctx->status; +- else +- /* If the status is different than 0 and we encountered no errors +- it means we have to continue. 0 is the OK value for both GSSAPI +- (GSS_S_COMPLETE) and SSPI (SEC_E_OK) */ +- authp->done = !neg_ctx->status; return result; } diff --git a/curl.spec b/curl.spec index fc60ce6..f04fb8b 100644 --- a/curl.spec +++ b/curl.spec @@ -171,10 +171,8 @@ be installed. %prep %setup -q -# upstream patches to revert -%patch1 -p1 -R - # upstream patches +%patch1 -p1 %patch2 -p1 %patch7 -p1 From 1a6a3b20a66509e5fad971d6dfb8b33daab8ca60 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 21 Jan 2019 10:13:55 +0100 Subject: [PATCH 045/256] Resolves: CVE-2018-20483 - xattr: strip credentials from any URL that is stored --- ...xattr-strip-credentials-from-any-URL.patch | 284 ++++++++++++++++++ curl.spec | 9 +- 2 files changed, 292 insertions(+), 1 deletion(-) create mode 100644 0008-curl-7.63.0-xattr-strip-credentials-from-any-URL.patch diff --git a/0008-curl-7.63.0-xattr-strip-credentials-from-any-URL.patch b/0008-curl-7.63.0-xattr-strip-credentials-from-any-URL.patch new file mode 100644 index 0000000..d9fa798 --- /dev/null +++ b/0008-curl-7.63.0-xattr-strip-credentials-from-any-URL.patch @@ -0,0 +1,284 @@ +From 9fa7298750c1d66331dc55a202277b131868c048 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 2 Jan 2019 20:18:27 +0100 +Subject: [PATCH] xattr: strip credentials from any URL that is stored + +Both user and password are cleared uncondtitionally. + +Added unit test 1621 to verify. + +Fixes #3423 +Closes #3433 + +Upstream-commit: 98e6629154044e4ab1ee7cff8351c7ebcb131e88 +Signed-off-by: Kamil Dudka +--- + src/tool_xattr.c | 63 +++++++++++++++++++++++++---- + tests/data/Makefile.inc | 2 +- + tests/data/test1621 | 27 +++++++++++++ + tests/unit/Makefile.inc | 6 ++- + tests/unit/unit1621.c | 89 +++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 177 insertions(+), 10 deletions(-) + create mode 100644 tests/data/test1621 + create mode 100644 tests/unit/unit1621.c + +diff --git a/src/tool_xattr.c b/src/tool_xattr.c +index 92b99db..730381b 100644 +--- a/src/tool_xattr.c ++++ b/src/tool_xattr.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -49,6 +49,46 @@ static const struct xattr_mapping { + { NULL, CURLINFO_NONE } /* last element, abort loop here */ + }; + ++/* returns TRUE if a new URL is returned, that then needs to be freed */ ++/* @unittest: 1621 */ ++#ifdef UNITTESTS ++bool stripcredentials(char **url); ++#else ++static ++#endif ++bool stripcredentials(char **url) ++{ ++ CURLU *u; ++ CURLUcode uc; ++ char *nurl; ++ u = curl_url(); ++ if(u) { ++ uc = curl_url_set(u, CURLUPART_URL, *url, 0); ++ if(uc) ++ goto error; ++ ++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); ++ if(uc) ++ goto error; ++ ++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); ++ if(uc) ++ goto error; ++ ++ uc = curl_url_get(u, CURLUPART_URL, &nurl, 0); ++ if(uc) ++ goto error; ++ ++ curl_url_cleanup(u); ++ ++ *url = nurl; ++ return TRUE; ++ } ++ error: ++ curl_url_cleanup(u); ++ return FALSE; ++} ++ + /* store metadata from the curl request alongside the downloaded + * file using extended attributes + */ +@@ -62,17 +102,24 @@ int fwrite_xattr(CURL *curl, int fd) + char *value = NULL; + CURLcode result = curl_easy_getinfo(curl, mappings[i].info, &value); + if(!result && value) { ++ bool freeptr = FALSE; ++ if(CURLINFO_EFFECTIVE_URL == mappings[i].info) ++ freeptr = stripcredentials(&value); ++ if(value) { + #ifdef HAVE_FSETXATTR_6 +- err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0); ++ err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0); + #elif defined(HAVE_FSETXATTR_5) +- err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0); ++ err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0); + #elif defined(__FreeBSD_version) +- err = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER, mappings[i].attr, value, +- strlen(value)); +- /* FreeBSD's extattr_set_fd returns the length of the extended attribute +- */ +- err = err < 0 ? err : 0; ++ err = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER, mappings[i].attr, ++ value, strlen(value)); ++ /* FreeBSD's extattr_set_fd returns the length of the extended ++ attribute */ ++ err = err < 0 ? err : 0; + #endif ++ if(freeptr) ++ curl_free(value); ++ } + } + i++; + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index dd38f89..6172b77 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -180,7 +180,7 @@ test1560 \ + \ + test1590 \ + test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 \ +-test1608 test1609 test1620 \ ++test1608 test1609 test1620 test1621 \ + \ + test1650 test1651 test1652 test1653 \ + \ +diff --git a/tests/data/test1621 b/tests/data/test1621 +new file mode 100644 +index 0000000..1117d1b +--- /dev/null ++++ b/tests/data/test1621 +@@ -0,0 +1,27 @@ ++ ++ ++ ++unittest ++stripcredentials ++ ++ ++ ++# ++# Client-side ++ ++ ++none ++ ++ ++unittest ++https ++ ++ ++unit tests for stripcredentials from URL ++ ++ ++unit1621 ++ ++ ++ ++ +diff --git a/tests/unit/Makefile.inc b/tests/unit/Makefile.inc +index 8b1a607..82eaec7 100644 +--- a/tests/unit/Makefile.inc ++++ b/tests/unit/Makefile.inc +@@ -10,7 +10,7 @@ UNITPROGS = unit1300 unit1301 unit1302 unit1303 unit1304 unit1305 unit1307 \ + unit1330 unit1394 unit1395 unit1396 unit1397 unit1398 \ + unit1399 \ + unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \ +- unit1608 unit1609 unit1620 \ ++ unit1608 unit1609 unit1620 unit1621 \ + unit1650 unit1651 unit1652 unit1653 + + unit1300_SOURCES = unit1300.c $(UNITFILES) +@@ -100,6 +100,10 @@ unit1609_CPPFLAGS = $(AM_CPPFLAGS) + unit1620_SOURCES = unit1620.c $(UNITFILES) + unit1620_CPPFLAGS = $(AM_CPPFLAGS) + ++unit1621_SOURCES = unit1621.c $(UNITFILES) ++unit1621_CPPFLAGS = $(AM_CPPFLAGS) ++unit1621_LDADD = $(top_builddir)/src/libcurltool.la $(top_builddir)/lib/libcurl.la ++ + unit1650_SOURCES = unit1650.c $(UNITFILES) + unit1650_CPPFLAGS = $(AM_CPPFLAGS) + +diff --git a/tests/unit/unit1621.c b/tests/unit/unit1621.c +new file mode 100644 +index 0000000..6e07b6e +--- /dev/null ++++ b/tests/unit/unit1621.c +@@ -0,0 +1,89 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ ***************************************************************************/ ++#include "curlcheck.h" ++ ++#include "urldata.h" ++#include "url.h" ++ ++#include "memdebug.h" /* LAST include file */ ++ ++static CURLcode unit_setup(void) ++{ ++ return CURLE_OK; ++} ++ ++static void unit_stop(void) ++{ ++} ++ ++#ifdef __MINGW32__ ++UNITTEST_START ++{ ++ return 0; ++} ++UNITTEST_STOP ++#else ++ ++bool stripcredentials(char **url); ++ ++struct checkthis { ++ const char *input; ++ const char *output; ++}; ++ ++static struct checkthis tests[] = { ++ { "ninja://foo@example.com", "ninja://foo@example.com" }, ++ { "https://foo@example.com", "https://example.com/" }, ++ { "https://localhost:45", "https://localhost:45/" }, ++ { "https://foo@localhost:45", "https://localhost:45/" }, ++ { "http://daniel:password@localhost", "http://localhost/" }, ++ { "http://daniel@localhost", "http://localhost/" }, ++ { "http://localhost/", "http://localhost/" }, ++ { NULL, NULL } /* end marker */ ++}; ++ ++UNITTEST_START ++{ ++ bool cleanup; ++ char *url; ++ int i; ++ int rc = 0; ++ ++ for(i = 0; tests[i].input; i++) { ++ url = (char *)tests[i].input; ++ cleanup = stripcredentials(&url); ++ printf("Test %u got input \"%s\", output: \"%s\"\n", ++ i, tests[i].input, url); ++ ++ if(strcmp(tests[i].output, url)) { ++ fprintf(stderr, "Test %u got input \"%s\", expected output \"%s\"\n" ++ " Actual output: \"%s\"\n", i, tests[i].input, tests[i].output, ++ url); ++ rc++; ++ } ++ if(cleanup) ++ curl_free(url); ++ } ++ return rc; ++} ++UNITTEST_STOP ++#endif +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index f04fb8b..8582a58 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.63.0 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -14,6 +14,9 @@ Patch2: 0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch # curl -J: do not append to the destination file (#1658574) Patch7: 0007-curl-7.63.0-JO-preserve-local-file.patch +# xattr: strip credentials from any URL that is stored (CVE-2018-20483) +Patch8: 0008-curl-7.63.0-xattr-strip-credentials-from-any-URL.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -175,6 +178,7 @@ be installed. %patch1 -p1 %patch2 -p1 %patch7 -p1 +%patch8 -p1 # Fedora patches %patch101 -p1 @@ -341,6 +345,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jan 21 2019 Kamil Dudka - 7.63.0-5 +- xattr: strip credentials from any URL that is stored (CVE-2018-20483) + * Fri Jan 04 2019 Kamil Dudka - 7.63.0-4 - replace 0105-curl-7.63.0-libstubgss-ldadd.patch by upstream patch From 9221f774a1e524d8330fb2b72cda15ad83ca1c51 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 31 Jan 2019 16:37:02 +0000 Subject: [PATCH 046/256] - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 8582a58..4600a84 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.63.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -345,6 +345,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jan 31 2019 Fedora Release Engineering - 7.63.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + * Mon Jan 21 2019 Kamil Dudka - 7.63.0-5 - xattr: strip credentials from any URL that is stored (CVE-2018-20483) From 3c5dec6602592a730cbe3518e9b222bc3d3e4a0b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 4 Feb 2019 17:45:12 +0100 Subject: [PATCH 047/256] prevent valgrind from reporting false positives on x86_64 --- 0105-curl-7.63.0-lib1560-valgrind.patch | 39 +++++++++++++++++++++++++ curl.spec | 9 +++++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 0105-curl-7.63.0-lib1560-valgrind.patch diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch new file mode 100644 index 0000000..40d0a9b --- /dev/null +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -0,0 +1,39 @@ +From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 4 Feb 2019 17:32:56 +0100 +Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp + +... to prevent valgrind from reporting false positives on x86_64: + +Conditional jump or move depends on uninitialised value(s) + at 0x10BCAA: part2id (lib1560.c:489) + by 0x10BCAA: updateurl (lib1560.c:521) + by 0x10BCAA: set_parts (lib1560.c:630) + by 0x10BCAA: test (lib1560.c:802) + by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) + +Conditional jump or move depends on uninitialised value(s) + at 0x10BCC3: part2id (lib1560.c:491) + by 0x10BCC3: updateurl (lib1560.c:521) + by 0x10BCC3: set_parts (lib1560.c:630) + by 0x10BCC3: test (lib1560.c:802) + by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) +--- + tests/libtest/Makefile.inc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 080421b..ea3b806 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -516,6 +516,7 @@ lib1557_LDADD = $(TESTUTIL_LIBS) + lib1557_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1557 + + lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp + lib1560_LDADD = $(TESTUTIL_LIBS) + + lib1900_SOURCES = lib1900.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index 4600a84..ce957f6 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.63.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -29,6 +29,9 @@ Patch103: 0103-curl-7.59.0-python3.patch # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch +# prevent valgrind from reporting false positives on x86_64 +Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.haxx.se/ @@ -185,6 +188,7 @@ be installed. %patch102 -p1 %patch103 -p1 %patch104 -p1 +%patch105 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -345,6 +349,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 04 2019 Kamil Dudka - 7.63.0-7 +- prevent valgrind from reporting false positives on x86_64 + * Thu Jan 31 2019 Fedora Release Engineering - 7.63.0-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild From 2bdb62413990d788a0e9acad53ca15e9e2aed17f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 6 Feb 2019 09:51:19 +0100 Subject: [PATCH 048/256] new upstream release - 7.64.0 Resolves: CVE-2019-3823 - SMTP end-of-response out-of-bounds read Resolves: CVE-2019-3822 - NTLMv2 type-3 header stack buffer overflow Resolves: CVE-2018-16890 - NTLM type-2 out-of-bounds buffer read --- 0001-curl-7.62.0-http-post-negotiate.patch | 93 ------ ...-7.62.0-libtest-stub_gssapi-snprintf.patch | 63 ---- 0007-curl-7.63.0-JO-preserve-local-file.patch | 115 ------- ...xattr-strip-credentials-from-any-URL.patch | 284 ------------------ 0102-curl-7.36.0-debug.patch | 4 +- 0105-curl-7.63.0-lib1560-valgrind.patch | 6 +- curl-7.63.0.tar.xz.asc | 11 - curl-7.64.0.tar.xz.asc | 11 + curl.spec | 26 +- sources | 2 +- 10 files changed, 25 insertions(+), 590 deletions(-) delete mode 100644 0001-curl-7.62.0-http-post-negotiate.patch delete mode 100644 0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch delete mode 100644 0007-curl-7.63.0-JO-preserve-local-file.patch delete mode 100644 0008-curl-7.63.0-xattr-strip-credentials-from-any-URL.patch delete mode 100644 curl-7.63.0.tar.xz.asc create mode 100644 curl-7.64.0.tar.xz.asc diff --git a/0001-curl-7.62.0-http-post-negotiate.patch b/0001-curl-7.62.0-http-post-negotiate.patch deleted file mode 100644 index 4bb3f0d..0000000 --- a/0001-curl-7.62.0-http-post-negotiate.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 46fe12fc1d35b8d2484811b9359f0de72114dee4 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 4 Jan 2019 23:34:50 +0100 -Subject: [PATCH] Revert "http_negotiate: do not close connection until - negotiation is completed" - -This reverts commit 07ebaf837843124ee670e5b8c218b80b92e06e47. - -This also reopens PR #3275 which brought the change now reverted. - -Fixes #3384 -Closes #3439 - -Upstream-commit: ebe658c1e5a6577178981a7f406794699305be5c -Signed-off-by: Kamil Dudka ---- - lib/http.c | 3 ++- - lib/http_negotiate.c | 10 +--------- - 2 files changed, 3 insertions(+), 10 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index 8866fdf0a..303535af6 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -616,6 +616,7 @@ output_auth_headers(struct connectdata *conn, - result = Curl_output_negotiate(conn, proxy); - if(result) - return result; -+ authstatus->done = TRUE; - negdata->state = GSS_AUTHSENT; - } - else -diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c -index 444265d11..4713d1bd5 100644 ---- a/lib/http_negotiate.c -+++ b/lib/http_negotiate.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -49,7 +49,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, - - /* Point to the correct struct with this */ - struct negotiatedata *neg_ctx; -- struct auth *authp; - - if(proxy) { - userp = conn->http_proxy.user; -@@ -58,7 +57,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, - data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP"; - host = conn->http_proxy.host.name; - neg_ctx = &data->state.proxyneg; -- authp = &conn->data->state.authproxy; - } - else { - userp = conn->user; -@@ -67,7 +65,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, - data->set.str[STRING_SERVICE_NAME] : "HTTP"; - host = conn->host.name; - neg_ctx = &data->state.negotiate; -- authp = &conn->data->state.authhost; - } - - /* Not set means empty */ -@@ -98,11 +95,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy, - - if(result) - Curl_auth_spnego_cleanup(neg_ctx); -- else -- /* If the status is different than 0 and we encountered no errors -- it means we have to continue. 0 is the OK value for both GSSAPI -- (GSS_S_COMPLETE) and SSPI (SEC_E_OK) */ -- authp->done = !neg_ctx->status; - - return result; - } --- -2.20.0 - diff --git a/0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch b/0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch deleted file mode 100644 index 22868c4..0000000 --- a/0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 510ab52ed43589d96f0fab338eb6286940a29a78 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 3 Jan 2019 12:00:58 +0100 -Subject: [PATCH] libtest/stub_gssapi: use "real" snprintf - -... since it doesn't link with libcurl. - -Reverts the commit dcd6f81025 changes from this file. - -Bug: https://curl.haxx.se/mail/lib-2019-01/0000.html -Reported-by: Shlomi Fish -Reviewed-by: Daniel Gustafsson -Reviewed-by: Kamil Dudka - -Closes #3434 - -Upstream-commit: c7c362a24c0247644f9fde05e8ea353af4a94b04 -Signed-off-by: Kamil Dudka ---- - tests/libtest/stub_gssapi.c | 13 ++++++------- - 1 file changed, 6 insertions(+), 7 deletions(-) - -diff --git a/tests/libtest/stub_gssapi.c b/tests/libtest/stub_gssapi.c -index 254a01b31..377b75452 100644 ---- a/tests/libtest/stub_gssapi.c -+++ b/tests/libtest/stub_gssapi.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 2017-2018, Daniel Stenberg, , et al. -+ * Copyright (C) 2017-2019, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -28,10 +28,7 @@ - - #include "stub_gssapi.h" - --#define ENABLE_CURLX_PRINTF --/* make the curlx header define all printf() functions to use the curlx_* -- versions instead */ --#include "curlx.h" /* from the private lib dir */ -+/* !checksrc! disable SNPRINTF all */ - - #define MAX_CREDS_LENGTH 250 - #define APPROX_TOKEN_LEN 250 -@@ -207,8 +204,10 @@ OM_uint32 gss_init_sec_context(OM_uint32 *min, - } - - /* Token format: creds:target:type:padding */ -- used = msnprintf(token, length, "%s:%s:%d:", creds, -- (char *) target_name, ctx->sent); -+ /* Note: this is using the *real* snprintf() and not the curl provided -+ one */ -+ used = snprintf(token, length, "%s:%s:%d:", creds, -+ (char *) target_name, ctx->sent); - - if(used >= length) { - free(token); --- -2.17.2 - diff --git a/0007-curl-7.63.0-JO-preserve-local-file.patch b/0007-curl-7.63.0-JO-preserve-local-file.patch deleted file mode 100644 index 12ac53e..0000000 --- a/0007-curl-7.63.0-JO-preserve-local-file.patch +++ /dev/null @@ -1,115 +0,0 @@ -From ff74657fb645e7175971128a171ef7d5ece40d77 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 17 Dec 2018 12:51:51 +0100 -Subject: [PATCH] curl -J: do not append to the destination file - -Reported-by: Kamil Dudka -Fixes #3380 -Closes #3381 - -Upstream-commit: 4849267197682e69cfa056c2bd7a44acd123a917 -Signed-off-by: Kamil Dudka ---- - src/tool_cb_hdr.c | 6 +++--- - src/tool_cb_wrt.c | 9 ++++----- - src/tool_cb_wrt.h | 2 +- - src/tool_operate.c | 2 +- - 4 files changed, 9 insertions(+), 10 deletions(-) - -diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c -index 84b0d9c..3844904 100644 ---- a/src/tool_cb_hdr.c -+++ b/src/tool_cb_hdr.c -@@ -157,12 +157,12 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata) - outs->filename = filename; - outs->alloc_filename = TRUE; - hdrcbdata->honor_cd_filename = FALSE; /* done now! */ -- if(!tool_create_output_file(outs, TRUE)) -+ if(!tool_create_output_file(outs)) - return failure; - } - break; - } -- if(!outs->stream && !tool_create_output_file(outs, FALSE)) -+ if(!outs->stream && !tool_create_output_file(outs)) - return failure; - } - -@@ -172,7 +172,7 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata) - /* bold headers only for selected protocols */ - char *value = NULL; - -- if(!outs->stream && !tool_create_output_file(outs, FALSE)) -+ if(!outs->stream && !tool_create_output_file(outs)) - return failure; - - if(hdrcbdata->global->isatty && hdrcbdata->global->styled_output) -diff --git a/src/tool_cb_wrt.c b/src/tool_cb_wrt.c -index 2cb5e1b..195d6e7 100644 ---- a/src/tool_cb_wrt.c -+++ b/src/tool_cb_wrt.c -@@ -32,8 +32,7 @@ - #include "memdebug.h" /* keep this as LAST include */ - - /* create a local file for writing, return TRUE on success */ --bool tool_create_output_file(struct OutStruct *outs, -- bool append) -+bool tool_create_output_file(struct OutStruct *outs) - { - struct GlobalConfig *global = outs->config->global; - FILE *file; -@@ -43,7 +42,7 @@ bool tool_create_output_file(struct OutStruct *outs, - return FALSE; - } - -- if(outs->is_cd_filename && !append) { -+ if(outs->is_cd_filename) { - /* don't overwrite existing files */ - file = fopen(outs->filename, "rb"); - if(file) { -@@ -55,7 +54,7 @@ bool tool_create_output_file(struct OutStruct *outs, - } - - /* open file for writing */ -- file = fopen(outs->filename, append?"ab":"wb"); -+ file = fopen(outs->filename, "wb"); - if(!file) { - warnf(global, "Failed to create the file %s: %s\n", outs->filename, - strerror(errno)); -@@ -142,7 +141,7 @@ size_t tool_write_cb(char *buffer, size_t sz, size_t nmemb, void *userdata) - } - #endif - -- if(!outs->stream && !tool_create_output_file(outs, FALSE)) -+ if(!outs->stream && !tool_create_output_file(outs)) - return failure; - - if(is_tty && (outs->bytes < 2000) && !config->terminal_binary_ok) { -diff --git a/src/tool_cb_wrt.h b/src/tool_cb_wrt.h -index 51e002b..188d3ea 100644 ---- a/src/tool_cb_wrt.h -+++ b/src/tool_cb_wrt.h -@@ -30,6 +30,6 @@ - size_t tool_write_cb(char *buffer, size_t sz, size_t nmemb, void *userdata); - - /* create a local file for writing, return TRUE on success */ --bool tool_create_output_file(struct OutStruct *outs, bool append); -+bool tool_create_output_file(struct OutStruct *outs); - - #endif /* HEADER_CURL_TOOL_CB_WRT_H */ -diff --git a/src/tool_operate.c b/src/tool_operate.c -index e53a9d8..429e9cf 100644 ---- a/src/tool_operate.c -+++ b/src/tool_operate.c -@@ -1583,7 +1583,7 @@ static CURLcode operate_do(struct GlobalConfig *global, - /* do not create (or even overwrite) the file in case we get no - data because of unmet condition */ - curl_easy_getinfo(curl, CURLINFO_CONDITION_UNMET, &cond_unmet); -- if(!cond_unmet && !tool_create_output_file(&outs, FALSE)) -+ if(!cond_unmet && !tool_create_output_file(&outs)) - result = CURLE_WRITE_ERROR; - } - --- -2.17.2 - diff --git a/0008-curl-7.63.0-xattr-strip-credentials-from-any-URL.patch b/0008-curl-7.63.0-xattr-strip-credentials-from-any-URL.patch deleted file mode 100644 index d9fa798..0000000 --- a/0008-curl-7.63.0-xattr-strip-credentials-from-any-URL.patch +++ /dev/null @@ -1,284 +0,0 @@ -From 9fa7298750c1d66331dc55a202277b131868c048 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 2 Jan 2019 20:18:27 +0100 -Subject: [PATCH] xattr: strip credentials from any URL that is stored - -Both user and password are cleared uncondtitionally. - -Added unit test 1621 to verify. - -Fixes #3423 -Closes #3433 - -Upstream-commit: 98e6629154044e4ab1ee7cff8351c7ebcb131e88 -Signed-off-by: Kamil Dudka ---- - src/tool_xattr.c | 63 +++++++++++++++++++++++++---- - tests/data/Makefile.inc | 2 +- - tests/data/test1621 | 27 +++++++++++++ - tests/unit/Makefile.inc | 6 ++- - tests/unit/unit1621.c | 89 +++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 177 insertions(+), 10 deletions(-) - create mode 100644 tests/data/test1621 - create mode 100644 tests/unit/unit1621.c - -diff --git a/src/tool_xattr.c b/src/tool_xattr.c -index 92b99db..730381b 100644 ---- a/src/tool_xattr.c -+++ b/src/tool_xattr.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -49,6 +49,46 @@ static const struct xattr_mapping { - { NULL, CURLINFO_NONE } /* last element, abort loop here */ - }; - -+/* returns TRUE if a new URL is returned, that then needs to be freed */ -+/* @unittest: 1621 */ -+#ifdef UNITTESTS -+bool stripcredentials(char **url); -+#else -+static -+#endif -+bool stripcredentials(char **url) -+{ -+ CURLU *u; -+ CURLUcode uc; -+ char *nurl; -+ u = curl_url(); -+ if(u) { -+ uc = curl_url_set(u, CURLUPART_URL, *url, 0); -+ if(uc) -+ goto error; -+ -+ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); -+ if(uc) -+ goto error; -+ -+ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); -+ if(uc) -+ goto error; -+ -+ uc = curl_url_get(u, CURLUPART_URL, &nurl, 0); -+ if(uc) -+ goto error; -+ -+ curl_url_cleanup(u); -+ -+ *url = nurl; -+ return TRUE; -+ } -+ error: -+ curl_url_cleanup(u); -+ return FALSE; -+} -+ - /* store metadata from the curl request alongside the downloaded - * file using extended attributes - */ -@@ -62,17 +102,24 @@ int fwrite_xattr(CURL *curl, int fd) - char *value = NULL; - CURLcode result = curl_easy_getinfo(curl, mappings[i].info, &value); - if(!result && value) { -+ bool freeptr = FALSE; -+ if(CURLINFO_EFFECTIVE_URL == mappings[i].info) -+ freeptr = stripcredentials(&value); -+ if(value) { - #ifdef HAVE_FSETXATTR_6 -- err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0); -+ err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0); - #elif defined(HAVE_FSETXATTR_5) -- err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0); -+ err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0); - #elif defined(__FreeBSD_version) -- err = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER, mappings[i].attr, value, -- strlen(value)); -- /* FreeBSD's extattr_set_fd returns the length of the extended attribute -- */ -- err = err < 0 ? err : 0; -+ err = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER, mappings[i].attr, -+ value, strlen(value)); -+ /* FreeBSD's extattr_set_fd returns the length of the extended -+ attribute */ -+ err = err < 0 ? err : 0; - #endif -+ if(freeptr) -+ curl_free(value); -+ } - } - i++; - } -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index dd38f89..6172b77 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -180,7 +180,7 @@ test1560 \ - \ - test1590 \ - test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 \ --test1608 test1609 test1620 \ -+test1608 test1609 test1620 test1621 \ - \ - test1650 test1651 test1652 test1653 \ - \ -diff --git a/tests/data/test1621 b/tests/data/test1621 -new file mode 100644 -index 0000000..1117d1b ---- /dev/null -+++ b/tests/data/test1621 -@@ -0,0 +1,27 @@ -+ -+ -+ -+unittest -+stripcredentials -+ -+ -+ -+# -+# Client-side -+ -+ -+none -+ -+ -+unittest -+https -+ -+ -+unit tests for stripcredentials from URL -+ -+ -+unit1621 -+ -+ -+ -+ -diff --git a/tests/unit/Makefile.inc b/tests/unit/Makefile.inc -index 8b1a607..82eaec7 100644 ---- a/tests/unit/Makefile.inc -+++ b/tests/unit/Makefile.inc -@@ -10,7 +10,7 @@ UNITPROGS = unit1300 unit1301 unit1302 unit1303 unit1304 unit1305 unit1307 \ - unit1330 unit1394 unit1395 unit1396 unit1397 unit1398 \ - unit1399 \ - unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \ -- unit1608 unit1609 unit1620 \ -+ unit1608 unit1609 unit1620 unit1621 \ - unit1650 unit1651 unit1652 unit1653 - - unit1300_SOURCES = unit1300.c $(UNITFILES) -@@ -100,6 +100,10 @@ unit1609_CPPFLAGS = $(AM_CPPFLAGS) - unit1620_SOURCES = unit1620.c $(UNITFILES) - unit1620_CPPFLAGS = $(AM_CPPFLAGS) - -+unit1621_SOURCES = unit1621.c $(UNITFILES) -+unit1621_CPPFLAGS = $(AM_CPPFLAGS) -+unit1621_LDADD = $(top_builddir)/src/libcurltool.la $(top_builddir)/lib/libcurl.la -+ - unit1650_SOURCES = unit1650.c $(UNITFILES) - unit1650_CPPFLAGS = $(AM_CPPFLAGS) - -diff --git a/tests/unit/unit1621.c b/tests/unit/unit1621.c -new file mode 100644 -index 0000000..6e07b6e ---- /dev/null -+++ b/tests/unit/unit1621.c -@@ -0,0 +1,89 @@ -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at https://curl.haxx.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ ***************************************************************************/ -+#include "curlcheck.h" -+ -+#include "urldata.h" -+#include "url.h" -+ -+#include "memdebug.h" /* LAST include file */ -+ -+static CURLcode unit_setup(void) -+{ -+ return CURLE_OK; -+} -+ -+static void unit_stop(void) -+{ -+} -+ -+#ifdef __MINGW32__ -+UNITTEST_START -+{ -+ return 0; -+} -+UNITTEST_STOP -+#else -+ -+bool stripcredentials(char **url); -+ -+struct checkthis { -+ const char *input; -+ const char *output; -+}; -+ -+static struct checkthis tests[] = { -+ { "ninja://foo@example.com", "ninja://foo@example.com" }, -+ { "https://foo@example.com", "https://example.com/" }, -+ { "https://localhost:45", "https://localhost:45/" }, -+ { "https://foo@localhost:45", "https://localhost:45/" }, -+ { "http://daniel:password@localhost", "http://localhost/" }, -+ { "http://daniel@localhost", "http://localhost/" }, -+ { "http://localhost/", "http://localhost/" }, -+ { NULL, NULL } /* end marker */ -+}; -+ -+UNITTEST_START -+{ -+ bool cleanup; -+ char *url; -+ int i; -+ int rc = 0; -+ -+ for(i = 0; tests[i].input; i++) { -+ url = (char *)tests[i].input; -+ cleanup = stripcredentials(&url); -+ printf("Test %u got input \"%s\", output: \"%s\"\n", -+ i, tests[i].input, url); -+ -+ if(strcmp(tests[i].output, url)) { -+ fprintf(stderr, "Test %u got input \"%s\", expected output \"%s\"\n" -+ " Actual output: \"%s\"\n", i, tests[i].input, tests[i].output, -+ url); -+ rc++; -+ } -+ if(cleanup) -+ curl_free(url); -+ } -+ return rc; -+} -+UNITTEST_STOP -+#endif --- -2.17.2 - diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 60de5b3..57c05c6 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16415,18 +16415,11 @@ $as_echo "yes" >&6; } +@@ -16250,18 +16250,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` @@ -38,7 +38,7 @@ diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 index 0cbba7a..9175b5b 100644 --- a/m4/curl-compilers.m4 +++ b/m4/curl-compilers.m4 -@@ -157,18 +157,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ +@@ -166,18 +166,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 40d0a9b..003655c 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,14 +26,14 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -516,6 +516,7 @@ lib1557_LDADD = $(TESTUTIL_LIBS) - lib1557_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1557 +@@ -521,6 +521,7 @@ lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1558_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp lib1560_LDADD = $(TESTUTIL_LIBS) - lib1900_SOURCES = lib1900.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) -- 2.17.2 diff --git a/curl-7.63.0.tar.xz.asc b/curl-7.63.0.tar.xz.asc deleted file mode 100644 index 1dd44ac..0000000 --- a/curl-7.63.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlwQtYIACgkQXMkI/bce -EsKPHgf/RhfKPvl1Q8ftuEOXakF/ZIvINukj49vOMFmfQRHfmGWh5ajaGj0qVF6x -U5HtrDoFOP5m74tj6jrzr2Ala/HGeyZmiTWwRLMgu+Tvq4djIv2pzZUJpgawJS52 -LCb2DUS2F+E1AsZQYvyliYA+r2FO2RRX1kbwdu+0RyuFy5WmWwkI02VahAIYV48o -44IqtXshxfSAlfEqQ8MgXtU1KW0SWtfKVP2HpsurugjGyknoXxHP7yoDMgDAkMk0 -fNYyPDZbUXXN+6Oyo4Xh8rz4dpVLBkIoCZb4WG2pFZSrfP2+FTL5/vRo/tUyjFfv -2LHmDUOOFH3VMwMYlnMCgaaXG7/jtg== -=TkSP ------END PGP SIGNATURE----- diff --git a/curl-7.64.0.tar.xz.asc b/curl-7.64.0.tar.xz.asc new file mode 100644 index 0000000..21f7542 --- /dev/null +++ b/curl-7.64.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlxahccACgkQXMkI/bce +EsKdrAf+OoNH+Yz1HfJG5MtmEi2sgRC56iAvZBQujPG8SJYGnT3D2nLiuC2+bzA8 +eMCqisodW5f6lV/9JRvLmLS0dhxAfdf/NHlMOdtgSv+NzVGsggpHeYEZ7HucRHsQ +AKZ6/wx7rby8yZqrn2s7yWWB0qgiajWx30r+CJEYXpuw+YwZ2qZo5ecM7fa/J9ko +ESwb7BLF6KMkdSz1wSApwCdznB/BXOaPrUBMiOcwO7ftq/t1ZmqnUWLtdlSp8OoH +Tw832H1kCP2OFHcOFTQmZJLagRQtLBhC522wNsagXaMwak6uhoFApcAPqoPdm4Pm +PvTO6aAopZk+sX9VemdSQzx/4ysT3w== +=HOlc +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index ce957f6..1a410f0 100644 --- a/curl.spec +++ b/curl.spec @@ -1,22 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.63.0 -Release: 7%{?dist} +Version: 7.64.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# revert an upstream commit that broke `fedpkg new-sources` (#1659329) -Patch1: 0001-curl-7.62.0-http-post-negotiate.patch - -# libtest: avoid symbol lookup error in libstubgss.so -Patch2: 0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch - -# curl -J: do not append to the destination file (#1658574) -Patch7: 0007-curl-7.63.0-JO-preserve-local-file.patch - -# xattr: strip credentials from any URL that is stored (CVE-2018-20483) -Patch8: 0008-curl-7.63.0-xattr-strip-credentials-from-any-URL.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -178,10 +166,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 -%patch7 -p1 -%patch8 -p1 # Fedora patches %patch101 -p1 @@ -349,6 +333,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 06 2019 Kamil Dudka - 7.64.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2019-3823 - SMTP end-of-response out-of-bounds read + CVE-2019-3822 - NTLMv2 type-3 header stack buffer overflow + CVE-2018-16890 - NTLM type-2 out-of-bounds buffer read + * Mon Feb 04 2019 Kamil Dudka - 7.63.0-7 - prevent valgrind from reporting false positives on x86_64 diff --git a/sources b/sources index c40ff26..d5662be 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.63.0.tar.xz) = c905eb157c6b0093f1b1a506e4782b83af423fd6de1ce0ab5372164a686ef292ffb10d7999d3dec2de602f63ee41b65e1a1008409dd8c959a597644c0ecb395b +SHA512 (curl-7.64.0.tar.xz) = 953f1f5336ce5dfd1b9f933624432d401552d91ee02d39ecde6f023c956f99ec6aae8d7746d7c34b6eb2d6452f114e67da4e64d9c8dd90b7644b7844e7b9b423 From 9ace613273f52bce8206116b7ab8fb040f7199a1 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 11 Feb 2019 13:22:07 +0100 Subject: [PATCH 049/256] make zsh completion work again --- 0001-curl-7.64.0-zsh-completion.patch | 76 +++++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.64.0-zsh-completion.patch diff --git a/0001-curl-7.64.0-zsh-completion.patch b/0001-curl-7.64.0-zsh-completion.patch new file mode 100644 index 0000000..770a15b --- /dev/null +++ b/0001-curl-7.64.0-zsh-completion.patch @@ -0,0 +1,76 @@ +From 082034e2334b2d0795b2b324ff3e0635bb7d2b86 Mon Sep 17 00:00:00 2001 +From: Alessandro Ghedini +Date: Tue, 5 Feb 2019 20:44:14 +0000 +Subject: [PATCH 1/2] zsh.pl: update regex to better match curl -h output + +The current regex fails to match '<...>' arguments properly (e.g. those +with spaces in them), which causes an completion script with wrong +descriptions for some options. + +The problem can be reproduced as follows: + +% curl --reso + +Upstream-commit: dbd32f3241b297b96ee11a51da1a661f528ca026 +Signed-off-by: Kamil Dudka +--- + scripts/zsh.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/zsh.pl b/scripts/zsh.pl +index 1257190..941b322 100755 +--- a/scripts/zsh.pl ++++ b/scripts/zsh.pl +@@ -7,7 +7,7 @@ use warnings; + + my $curl = $ARGV[0] || 'curl'; + +-my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s([^\s.]+)?\s+(.*)'; ++my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s*(\<.+?\>)?\s+(.*)'; + my @opts = parse_main_opts('--help', $regex); + + my $opts_str; +-- +2.17.2 + + +From 45abc785e101346f19599aa5f9fa1617e525ec4d Mon Sep 17 00:00:00 2001 +From: Alessandro Ghedini +Date: Tue, 5 Feb 2019 21:06:26 +0000 +Subject: [PATCH 2/2] zsh.pl: escape ':' character + +':' is interpreted as separator by zsh, so if used as part of the argument +or option's description it needs to be escaped. + +The problem can be reproduced as follows: + +% curl -E + +Bug: https://bugs.debian.org/921452 + +Upstream-commit: b3cc8017b7364f588365be2b2629c49c142efdb7 +Signed-off-by: Kamil Dudka +--- + scripts/zsh.pl | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/zsh.pl b/scripts/zsh.pl +index 941b322..0f9cbec 100755 +--- a/scripts/zsh.pl ++++ b/scripts/zsh.pl +@@ -45,9 +45,12 @@ sub parse_main_opts { + + my $option = ''; + ++ $arg =~ s/\:/\\\:/g if defined $arg; ++ + $desc =~ s/'/'\\''/g if defined $desc; + $desc =~ s/\[/\\\[/g if defined $desc; + $desc =~ s/\]/\\\]/g if defined $desc; ++ $desc =~ s/\:/\\\:/g if defined $desc; + + $option .= '{' . trim($short) . ',' if defined $short; + $option .= trim($long) if defined $long; +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index 1a410f0..3c8279d 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.64.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# make zsh completion work again +Patch1: 0001-curl-7.64.0-zsh-completion.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -166,6 +169,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -333,6 +337,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 11 2019 Kamil Dudka - 7.64.0-2 +- make zsh completion work again + * Wed Feb 06 2019 Kamil Dudka - 7.64.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2019-3823 - SMTP end-of-response out-of-bounds read From 77901fea1dce2a28df17ec8a623709f82d4f307d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 11 Feb 2019 13:22:07 +0100 Subject: [PATCH 050/256] make zsh completion work again --- 0013-curl-7.61.1-zsh-completion.patch | 76 +++++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 0013-curl-7.61.1-zsh-completion.patch diff --git a/0013-curl-7.61.1-zsh-completion.patch b/0013-curl-7.61.1-zsh-completion.patch new file mode 100644 index 0000000..770a15b --- /dev/null +++ b/0013-curl-7.61.1-zsh-completion.patch @@ -0,0 +1,76 @@ +From 082034e2334b2d0795b2b324ff3e0635bb7d2b86 Mon Sep 17 00:00:00 2001 +From: Alessandro Ghedini +Date: Tue, 5 Feb 2019 20:44:14 +0000 +Subject: [PATCH 1/2] zsh.pl: update regex to better match curl -h output + +The current regex fails to match '<...>' arguments properly (e.g. those +with spaces in them), which causes an completion script with wrong +descriptions for some options. + +The problem can be reproduced as follows: + +% curl --reso + +Upstream-commit: dbd32f3241b297b96ee11a51da1a661f528ca026 +Signed-off-by: Kamil Dudka +--- + scripts/zsh.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/zsh.pl b/scripts/zsh.pl +index 1257190..941b322 100755 +--- a/scripts/zsh.pl ++++ b/scripts/zsh.pl +@@ -7,7 +7,7 @@ use warnings; + + my $curl = $ARGV[0] || 'curl'; + +-my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s([^\s.]+)?\s+(.*)'; ++my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s*(\<.+?\>)?\s+(.*)'; + my @opts = parse_main_opts('--help', $regex); + + my $opts_str; +-- +2.17.2 + + +From 45abc785e101346f19599aa5f9fa1617e525ec4d Mon Sep 17 00:00:00 2001 +From: Alessandro Ghedini +Date: Tue, 5 Feb 2019 21:06:26 +0000 +Subject: [PATCH 2/2] zsh.pl: escape ':' character + +':' is interpreted as separator by zsh, so if used as part of the argument +or option's description it needs to be escaped. + +The problem can be reproduced as follows: + +% curl -E + +Bug: https://bugs.debian.org/921452 + +Upstream-commit: b3cc8017b7364f588365be2b2629c49c142efdb7 +Signed-off-by: Kamil Dudka +--- + scripts/zsh.pl | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/zsh.pl b/scripts/zsh.pl +index 941b322..0f9cbec 100755 +--- a/scripts/zsh.pl ++++ b/scripts/zsh.pl +@@ -45,9 +45,12 @@ sub parse_main_opts { + + my $option = ''; + ++ $arg =~ s/\:/\\\:/g if defined $arg; ++ + $desc =~ s/'/'\\''/g if defined $desc; + $desc =~ s/\[/\\\[/g if defined $desc; + $desc =~ s/\]/\\\]/g if defined $desc; ++ $desc =~ s/\:/\\\:/g if defined $desc; + + $option .= '{' . trim($short) . ',' if defined $short; + $option .= trim($long) if defined $long; +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index 337ec68..ad34021 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.59.0 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -43,6 +43,9 @@ Patch11: 0011-curl-7.59.0-CVE-2018-16840.patch # SASL password overflow via integer overflow (CVE-2018-16839) Patch12: 0012-curl-7.59.0-CVE-2018-16839.patch +# make zsh completion work again +Patch13: 0013-curl-7.61.1-zsh-completion.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -206,6 +209,7 @@ git init git apply %{PATCH10} %patch11 -p1 %patch12 -p1 +%patch13 -p1 # Fedora patches %patch101 -p1 @@ -352,6 +356,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 11 2019 Kamil Dudka - 7.61.1-10 +- make zsh completion work again + * Thu Nov 15 2018 Kamil Dudka - 7.59.0-9 - make the patch for CVE-2018-16842 apply properly (CVE-2018-16842) From e97fdf9b7f8dfd53c0604b87a8be9678ca548434 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 25 Feb 2019 14:24:32 +0100 Subject: [PATCH 051/256] Resolves: #1680198 - prevent NetworkManager from leaking file descriptors --- 0002-curl-7.64.0-nm-fd-leak.patch | 162 ++++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 170 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.64.0-nm-fd-leak.patch diff --git a/0002-curl-7.64.0-nm-fd-leak.patch b/0002-curl-7.64.0-nm-fd-leak.patch new file mode 100644 index 0000000..681e58f --- /dev/null +++ b/0002-curl-7.64.0-nm-fd-leak.patch @@ -0,0 +1,162 @@ +From 377101f138873bfa481785cb7d04c326006f0b5d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 11 Feb 2019 07:56:00 +0100 +Subject: [PATCH 1/3] connection_check: set ->data to the transfer doing the + check + +The http2 code for connection checking needs a transfer to use. Make +sure a working one is set before handler->connection_check() is called. + +Reported-by: jnbr on github +Fixes #3541 +Closes #3547 + +Upstream-commit: 38d8e1bd4ed1ae52930ae466ecbac78e888b142f +Signed-off-by: Kamil Dudka +--- + lib/url.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/url.c b/lib/url.c +index d5a9820..229c655 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -965,6 +965,7 @@ static bool extract_if_dead(struct connectdata *conn, + /* The protocol has a special method for checking the state of the + connection. Use it to check if the connection is dead. */ + unsigned int state; ++ conn->data = data; /* use this transfer for now */ + state = conn->handler->connection_check(conn, CONNCHECK_ISDEAD); + dead = (state & CONNRESULT_DEAD); + } +-- +2.17.2 + + +From 287f5d70395b3833f8901a57b29a48b87d84a9fe Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Mon, 11 Feb 2019 23:00:00 -0500 +Subject: [PATCH 2/3] connection_check: restore original conn->data after the + check + +- Save the original conn->data before it's changed to the specified + data transfer for the connection check and then restore it afterwards. + +This is a follow-up to 38d8e1b 2019-02-11. + +History: + +It was discovered a month ago that before checking whether to extract a +dead connection that that connection should be associated with a "live" +transfer for the check (ie original conn->data ignored and set to the +passed in data). A fix was landed in 54b201b which did that and also +cleared conn->data after the check. The original conn->data was not +restored, so presumably it was thought that a valid conn->data was no +longer needed. + +Several days later it was discovered that a valid conn->data was needed +after the check and follow-up fix was landed in bbae24c which partially +reverted the original fix and attempted to limit the scope of when +conn->data was changed to only when pruning dead connections. In that +case conn->data was not cleared and the original conn->data not +restored. + +A month later it was discovered that the original fix was somewhat +correct; a "live" transfer is needed for the check in all cases +because original conn->data could be null which could cause a bad deref +at arbitrary points in the check. A fix was landed in 38d8e1b which +expanded the scope to all cases. conn->data was not cleared and the +original conn->data not restored. + +A day later it was discovered that not restoring the original conn->data +may lead to busy loops in applications that use the event interface, and +given this observation it's a pretty safe assumption that there is some +code path that still needs the original conn->data. This commit is the +follow-up fix for that, it restores the original conn->data after the +connection check. + +Assisted-by: tholin@users.noreply.github.com +Reported-by: tholin@users.noreply.github.com + +Fixes https://github.com/curl/curl/issues/3542 +Closes #3559 + +Upstream-commit: 4015fae044ce52a639c9358e22a9e948f287c89f +Signed-off-by: Kamil Dudka +--- + lib/url.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/url.c b/lib/url.c +index 229c655..a77e92d 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -965,8 +965,10 @@ static bool extract_if_dead(struct connectdata *conn, + /* The protocol has a special method for checking the state of the + connection. Use it to check if the connection is dead. */ + unsigned int state; ++ struct Curl_easy *olddata = conn->data; + conn->data = data; /* use this transfer for now */ + state = conn->handler->connection_check(conn, CONNCHECK_ISDEAD); ++ conn->data = olddata; + dead = (state & CONNRESULT_DEAD); + } + else { +@@ -995,7 +997,6 @@ struct prunedead { + static int call_extract_if_dead(struct connectdata *conn, void *param) + { + struct prunedead *p = (struct prunedead *)param; +- conn->data = p->data; /* transfer to use for this check */ + if(extract_if_dead(conn, p->data)) { + /* stop the iteration here, pass back the connection that was extracted */ + p->extracted = conn; +-- +2.17.2 + + +From 15e3f2eef87bff1210f43921cb15f03c68be59f7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 19 Feb 2019 15:56:54 +0100 +Subject: [PATCH 3/3] singlesocket: fix the 'sincebefore' placement + +The variable wasn't properly reset within the loop and thus could remain +set for sockets that hadn't been set before and miss notifying the app. + +This is a follow-up to 4c35574 (shipped in curl 7.64.0) + +Reported-by: buzo-ffm on github +Detected-by: Jan Alexander Steffens +Fixes #3585 +Closes #3589 + +Upstream-commit: afc00e047c773faeaa60a5f86a246cbbeeba5819 +Signed-off-by: Kamil Dudka +--- + lib/multi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index 130226f..28f4c47 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -2360,8 +2360,6 @@ static CURLMcode singlesocket(struct Curl_multi *multi, + int num; + unsigned int curraction; + int actions[MAX_SOCKSPEREASYHANDLE]; +- unsigned int comboaction; +- bool sincebefore = FALSE; + + for(i = 0; i< MAX_SOCKSPEREASYHANDLE; i++) + socks[i] = CURL_SOCKET_BAD; +@@ -2380,6 +2378,8 @@ static CURLMcode singlesocket(struct Curl_multi *multi, + i++) { + unsigned int action = CURL_POLL_NONE; + unsigned int prevaction = 0; ++ unsigned int comboaction; ++ bool sincebefore = FALSE; + + s = socks[i]; + +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index 3c8279d..834c964 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,16 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.64.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz # make zsh completion work again Patch1: 0001-curl-7.64.0-zsh-completion.patch +# prevent NetworkManager from leaking file descriptors (#1680198) +Patch2: 0002-curl-7.64.0-nm-fd-leak.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -170,6 +173,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -337,6 +341,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 25 2019 Kamil Dudka - 7.64.0-3 +- prevent NetworkManager from leaking file descriptors (#1680198) + * Mon Feb 11 2019 Kamil Dudka - 7.64.0-2 - make zsh completion work again From 95008127cf8cce13fd350840dfd31372ab85b48f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 27 Feb 2019 18:02:05 +0100 Subject: [PATCH 052/256] Resolves: #1683676 - fix NULL dereference if flushing cookies with no CookieInfo set --- 0003-curl-7.64.0-cookie-segfault.patch | 42 ++++++++++++++++++++++++++ curl.spec | 9 +++++- 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 0003-curl-7.64.0-cookie-segfault.patch diff --git a/0003-curl-7.64.0-cookie-segfault.patch b/0003-curl-7.64.0-cookie-segfault.patch new file mode 100644 index 0000000..9539efa --- /dev/null +++ b/0003-curl-7.64.0-cookie-segfault.patch @@ -0,0 +1,42 @@ +From d73dc8d3e70bde0ef999ecf7bcd5585b9892371c Mon Sep 17 00:00:00 2001 +From: Michael Wallner +Date: Mon, 25 Feb 2019 19:05:02 +0100 +Subject: [PATCH] cookies: fix NULL dereference if flushing cookies with no + CookieInfo set + +Regression brought by a52e46f3900fb0 (shipped in 7.63.0) + +Closes #3613 + +Upstream-commit: 8eddb8f4259193633cfc95a42603958a89b31de5 +Signed-off-by: Kamil Dudka +--- + lib/cookie.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 4fb992a..d535170 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -1504,7 +1504,8 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere) + struct Cookie **array; + + /* at first, remove expired cookies */ +- remove_expired(c); ++ if(c) ++ remove_expired(c); + + if(!strcmp("-", dumphere)) { + /* use stdout */ +@@ -1523,7 +1524,7 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere) + "# This file was generated by libcurl! Edit at your own risk.\n\n", + out); + +- if(c->numcookies) { ++ if(c && c->numcookies) { + array = malloc(sizeof(struct Cookie *) * c->numcookies); + if(!array) { + if(!use_stdout) +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index 834c964..a8292a6 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.64.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -11,6 +11,9 @@ Patch1: 0001-curl-7.64.0-zsh-completion.patch # prevent NetworkManager from leaking file descriptors (#1680198) Patch2: 0002-curl-7.64.0-nm-fd-leak.patch +# fix NULL dereference if flushing cookies with no CookieInfo set (#1683676) +Patch3: 0003-curl-7.64.0-cookie-segfault.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -174,6 +177,7 @@ be installed. # upstream patches %patch1 -p1 %patch2 -p1 +%patch3 -p1 # Fedora patches %patch101 -p1 @@ -341,6 +345,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 27 2019 Kamil Dudka - 7.64.0-4 +- fix NULL dereference if flushing cookies with no CookieInfo set (#1683676) + * Mon Feb 25 2019 Kamil Dudka - 7.64.0-3 - prevent NetworkManager from leaking file descriptors (#1680198) From 902ddefeb533ae02d3588bb99d78fb178999da22 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 21 Mar 2019 09:38:52 +0100 Subject: [PATCH 053/256] avoid spurious "Could not resolve host: [host name]" error messages --- ...-curl-7.64.0-spurious-resolver-error.patch | 118 ++++++++++++++++++ curl.spec | 9 +- 2 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 0004-curl-7.64.0-spurious-resolver-error.patch diff --git a/0004-curl-7.64.0-spurious-resolver-error.patch b/0004-curl-7.64.0-spurious-resolver-error.patch new file mode 100644 index 0000000..3e05ad5 --- /dev/null +++ b/0004-curl-7.64.0-spurious-resolver-error.patch @@ -0,0 +1,118 @@ +From 5ddabe85b2e3e4fd08d06980719d71a2aed77a5b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 28 Feb 2019 20:34:36 +0100 +Subject: [PATCH] threaded-resolver: shutdown the resolver thread without error + message + +When a transfer is done, the resolver thread will be brought down. That +could accidentally generate an error message in the error buffer even +though this is not an error situationand the transfer would still return +OK. An application that still reads the error buffer could find a +"Could not resolve host: [host name]" message there and get confused. + +Reported-by: Michael Schmid +Fixes #3629 +Closes #3630 + +Upstream-commit: 754ae103989a6ad0869d23a6a427d652b5b4a2fe +Signed-off-by: Kamil Dudka +--- + lib/asyn-thread.c | 68 ++++++++++++++++++++++++++--------------------- + 1 file changed, 38 insertions(+), 30 deletions(-) + +diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c +index a9679d0..55e0811 100644 +--- a/lib/asyn-thread.c ++++ b/lib/asyn-thread.c +@@ -461,6 +461,42 @@ static CURLcode resolver_error(struct connectdata *conn) + return result; + } + ++static CURLcode thread_wait_resolv(struct connectdata *conn, ++ struct Curl_dns_entry **entry, ++ bool report) ++{ ++ struct thread_data *td = (struct thread_data*) conn->async.os_specific; ++ CURLcode result = CURLE_OK; ++ ++ DEBUGASSERT(conn && td); ++ DEBUGASSERT(td->thread_hnd != curl_thread_t_null); ++ ++ /* wait for the thread to resolve the name */ ++ if(Curl_thread_join(&td->thread_hnd)) { ++ if(entry) ++ result = getaddrinfo_complete(conn); ++ } ++ else ++ DEBUGASSERT(0); ++ ++ conn->async.done = TRUE; ++ ++ if(entry) ++ *entry = conn->async.dns; ++ ++ if(!conn->async.dns && report) ++ /* a name was not resolved, report error */ ++ result = resolver_error(conn); ++ ++ destroy_async_data(&conn->async); ++ ++ if(!conn->async.dns && report) ++ connclose(conn, "asynch resolve failed"); ++ ++ return result; ++} ++ ++ + /* + * Until we gain a way to signal the resolver threads to stop early, we must + * simply wait for them and ignore their results. +@@ -473,7 +509,7 @@ void Curl_resolver_kill(struct connectdata *conn) + unfortunately. Otherwise, we can simply cancel to clean up any resolver + data. */ + if(td && td->thread_hnd != curl_thread_t_null) +- (void)Curl_resolver_wait_resolv(conn, NULL); ++ (void)thread_wait_resolv(conn, NULL, FALSE); + else + Curl_resolver_cancel(conn); + } +@@ -494,35 +530,7 @@ void Curl_resolver_kill(struct connectdata *conn) + CURLcode Curl_resolver_wait_resolv(struct connectdata *conn, + struct Curl_dns_entry **entry) + { +- struct thread_data *td = (struct thread_data*) conn->async.os_specific; +- CURLcode result = CURLE_OK; +- +- DEBUGASSERT(conn && td); +- DEBUGASSERT(td->thread_hnd != curl_thread_t_null); +- +- /* wait for the thread to resolve the name */ +- if(Curl_thread_join(&td->thread_hnd)) { +- if(entry) +- result = getaddrinfo_complete(conn); +- } +- else +- DEBUGASSERT(0); +- +- conn->async.done = TRUE; +- +- if(entry) +- *entry = conn->async.dns; +- +- if(!conn->async.dns) +- /* a name was not resolved, report error */ +- result = resolver_error(conn); +- +- destroy_async_data(&conn->async); +- +- if(!conn->async.dns) +- connclose(conn, "asynch resolve failed"); +- +- return result; ++ return thread_wait_resolv(conn, entry, TRUE); + } + + /* +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index a8292a6..bed6823 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.64.0 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -14,6 +14,9 @@ Patch2: 0002-curl-7.64.0-nm-fd-leak.patch # fix NULL dereference if flushing cookies with no CookieInfo set (#1683676) Patch3: 0003-curl-7.64.0-cookie-segfault.patch +# avoid spurious "Could not resolve host: [host name]" error messages +Patch4: 0004-curl-7.64.0-spurious-resolver-error.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -178,6 +181,7 @@ be installed. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 # Fedora patches %patch101 -p1 @@ -345,6 +349,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 21 2019 Kamil Dudka - 7.64.0-5 +- avoid spurious "Could not resolve host: [host name]" error messages + * Wed Feb 27 2019 Kamil Dudka - 7.64.0-4 - fix NULL dereference if flushing cookies with no CookieInfo set (#1683676) From 7594f15bcee986a1946575804b33fabc35d43792 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 25 Mar 2019 12:35:52 +0100 Subject: [PATCH 054/256] Related: #1690971 - remove verbose "Expire in" ... messages --- 0005-curl-7.64.0-expire-in-verbose-msgs.patch | 32 +++++++++++++++++++ curl.spec | 9 +++++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 0005-curl-7.64.0-expire-in-verbose-msgs.patch diff --git a/0005-curl-7.64.0-expire-in-verbose-msgs.patch b/0005-curl-7.64.0-expire-in-verbose-msgs.patch new file mode 100644 index 0000000..43d3573 --- /dev/null +++ b/0005-curl-7.64.0-expire-in-verbose-msgs.patch @@ -0,0 +1,32 @@ +From 2e8f4d01cdd07779e0582257cb6b53c5a91d6504 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 11 Feb 2019 22:57:33 +0100 +Subject: [PATCH] multi: remove verbose "Expire in" ... messages + +Reported-by: James Brown +Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html +Closes #3558 + +Upstream-commit: aabc7ae5ecf70973add429b5acbc86d6a57e4da5 +Signed-off-by: Kamil Dudka +--- + lib/multi.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index 28f4c47..856cc22 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -3028,9 +3028,6 @@ void Curl_expire(struct Curl_easy *data, time_t milli, expire_id id) + + DEBUGASSERT(id < EXPIRE_LAST); + +- infof(data, "Expire in %ld ms for %x (transfer %p)\n", +- (long)milli, id, data); +- + set = Curl_now(); + set.tv_sec += milli/1000; + set.tv_usec += (unsigned int)(milli%1000)*1000; +-- +2.17.2 + diff --git a/curl.spec b/curl.spec index bed6823..d504c23 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.64.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -17,6 +17,9 @@ Patch3: 0003-curl-7.64.0-cookie-segfault.patch # avoid spurious "Could not resolve host: [host name]" error messages Patch4: 0004-curl-7.64.0-spurious-resolver-error.patch +# remove verbose "Expire in" ... messages (#1690971) +Patch5: 0005-curl-7.64.0-expire-in-verbose-msgs.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -182,6 +185,7 @@ be installed. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 # Fedora patches %patch101 -p1 @@ -349,6 +353,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Mar 25 2019 Kamil Dudka - 7.64.0-6 +- remove verbose "Expire in" ... messages (#1690971) + * Wed Mar 21 2019 Kamil Dudka - 7.64.0-5 - avoid spurious "Could not resolve host: [host name]" error messages From 0ed971f14f1e1a245d738142d3cd2b3489bc1008 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 25 Mar 2019 12:39:00 +0100 Subject: [PATCH 055/256] fix last but one change log entry --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index d504c23..6cf125f 100644 --- a/curl.spec +++ b/curl.spec @@ -356,7 +356,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la * Mon Mar 25 2019 Kamil Dudka - 7.64.0-6 - remove verbose "Expire in" ... messages (#1690971) -* Wed Mar 21 2019 Kamil Dudka - 7.64.0-5 +* Thu Mar 21 2019 Kamil Dudka - 7.64.0-5 - avoid spurious "Could not resolve host: [host name]" error messages * Wed Feb 27 2019 Kamil Dudka - 7.64.0-4 From bbad3e0a620be7f54fd5e9af7570cab24a6a233d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 27 Mar 2019 10:33:41 +0100 Subject: [PATCH 056/256] new upstream release - 7.64.1 --- 0001-curl-7.64.0-zsh-completion.patch | 76 -------- 0002-curl-7.64.0-nm-fd-leak.patch | 162 ------------------ 0003-curl-7.64.0-cookie-segfault.patch | 42 ----- ...-curl-7.64.0-spurious-resolver-error.patch | 118 ------------- 0005-curl-7.64.0-expire-in-verbose-msgs.patch | 32 ---- 0102-curl-7.36.0-debug.patch | 2 +- 0104-curl-7.19.7-localhost6.patch | 4 +- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.64.0.tar.xz.asc | 11 -- curl-7.64.1.tar.xz.asc | 11 ++ curl.spec | 45 ++--- sources | 2 +- 12 files changed, 34 insertions(+), 473 deletions(-) delete mode 100644 0001-curl-7.64.0-zsh-completion.patch delete mode 100644 0002-curl-7.64.0-nm-fd-leak.patch delete mode 100644 0003-curl-7.64.0-cookie-segfault.patch delete mode 100644 0004-curl-7.64.0-spurious-resolver-error.patch delete mode 100644 0005-curl-7.64.0-expire-in-verbose-msgs.patch delete mode 100644 curl-7.64.0.tar.xz.asc create mode 100644 curl-7.64.1.tar.xz.asc diff --git a/0001-curl-7.64.0-zsh-completion.patch b/0001-curl-7.64.0-zsh-completion.patch deleted file mode 100644 index 770a15b..0000000 --- a/0001-curl-7.64.0-zsh-completion.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 082034e2334b2d0795b2b324ff3e0635bb7d2b86 Mon Sep 17 00:00:00 2001 -From: Alessandro Ghedini -Date: Tue, 5 Feb 2019 20:44:14 +0000 -Subject: [PATCH 1/2] zsh.pl: update regex to better match curl -h output - -The current regex fails to match '<...>' arguments properly (e.g. those -with spaces in them), which causes an completion script with wrong -descriptions for some options. - -The problem can be reproduced as follows: - -% curl --reso - -Upstream-commit: dbd32f3241b297b96ee11a51da1a661f528ca026 -Signed-off-by: Kamil Dudka ---- - scripts/zsh.pl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/scripts/zsh.pl b/scripts/zsh.pl -index 1257190..941b322 100755 ---- a/scripts/zsh.pl -+++ b/scripts/zsh.pl -@@ -7,7 +7,7 @@ use warnings; - - my $curl = $ARGV[0] || 'curl'; - --my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s([^\s.]+)?\s+(.*)'; -+my $regex = '\s+(?:(-[^\s]+),\s)?(--[^\s]+)\s*(\<.+?\>)?\s+(.*)'; - my @opts = parse_main_opts('--help', $regex); - - my $opts_str; --- -2.17.2 - - -From 45abc785e101346f19599aa5f9fa1617e525ec4d Mon Sep 17 00:00:00 2001 -From: Alessandro Ghedini -Date: Tue, 5 Feb 2019 21:06:26 +0000 -Subject: [PATCH 2/2] zsh.pl: escape ':' character - -':' is interpreted as separator by zsh, so if used as part of the argument -or option's description it needs to be escaped. - -The problem can be reproduced as follows: - -% curl -E - -Bug: https://bugs.debian.org/921452 - -Upstream-commit: b3cc8017b7364f588365be2b2629c49c142efdb7 -Signed-off-by: Kamil Dudka ---- - scripts/zsh.pl | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/scripts/zsh.pl b/scripts/zsh.pl -index 941b322..0f9cbec 100755 ---- a/scripts/zsh.pl -+++ b/scripts/zsh.pl -@@ -45,9 +45,12 @@ sub parse_main_opts { - - my $option = ''; - -+ $arg =~ s/\:/\\\:/g if defined $arg; -+ - $desc =~ s/'/'\\''/g if defined $desc; - $desc =~ s/\[/\\\[/g if defined $desc; - $desc =~ s/\]/\\\]/g if defined $desc; -+ $desc =~ s/\:/\\\:/g if defined $desc; - - $option .= '{' . trim($short) . ',' if defined $short; - $option .= trim($long) if defined $long; --- -2.17.2 - diff --git a/0002-curl-7.64.0-nm-fd-leak.patch b/0002-curl-7.64.0-nm-fd-leak.patch deleted file mode 100644 index 681e58f..0000000 --- a/0002-curl-7.64.0-nm-fd-leak.patch +++ /dev/null @@ -1,162 +0,0 @@ -From 377101f138873bfa481785cb7d04c326006f0b5d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 11 Feb 2019 07:56:00 +0100 -Subject: [PATCH 1/3] connection_check: set ->data to the transfer doing the - check - -The http2 code for connection checking needs a transfer to use. Make -sure a working one is set before handler->connection_check() is called. - -Reported-by: jnbr on github -Fixes #3541 -Closes #3547 - -Upstream-commit: 38d8e1bd4ed1ae52930ae466ecbac78e888b142f -Signed-off-by: Kamil Dudka ---- - lib/url.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/url.c b/lib/url.c -index d5a9820..229c655 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -965,6 +965,7 @@ static bool extract_if_dead(struct connectdata *conn, - /* The protocol has a special method for checking the state of the - connection. Use it to check if the connection is dead. */ - unsigned int state; -+ conn->data = data; /* use this transfer for now */ - state = conn->handler->connection_check(conn, CONNCHECK_ISDEAD); - dead = (state & CONNRESULT_DEAD); - } --- -2.17.2 - - -From 287f5d70395b3833f8901a57b29a48b87d84a9fe Mon Sep 17 00:00:00 2001 -From: Jay Satiro -Date: Mon, 11 Feb 2019 23:00:00 -0500 -Subject: [PATCH 2/3] connection_check: restore original conn->data after the - check - -- Save the original conn->data before it's changed to the specified - data transfer for the connection check and then restore it afterwards. - -This is a follow-up to 38d8e1b 2019-02-11. - -History: - -It was discovered a month ago that before checking whether to extract a -dead connection that that connection should be associated with a "live" -transfer for the check (ie original conn->data ignored and set to the -passed in data). A fix was landed in 54b201b which did that and also -cleared conn->data after the check. The original conn->data was not -restored, so presumably it was thought that a valid conn->data was no -longer needed. - -Several days later it was discovered that a valid conn->data was needed -after the check and follow-up fix was landed in bbae24c which partially -reverted the original fix and attempted to limit the scope of when -conn->data was changed to only when pruning dead connections. In that -case conn->data was not cleared and the original conn->data not -restored. - -A month later it was discovered that the original fix was somewhat -correct; a "live" transfer is needed for the check in all cases -because original conn->data could be null which could cause a bad deref -at arbitrary points in the check. A fix was landed in 38d8e1b which -expanded the scope to all cases. conn->data was not cleared and the -original conn->data not restored. - -A day later it was discovered that not restoring the original conn->data -may lead to busy loops in applications that use the event interface, and -given this observation it's a pretty safe assumption that there is some -code path that still needs the original conn->data. This commit is the -follow-up fix for that, it restores the original conn->data after the -connection check. - -Assisted-by: tholin@users.noreply.github.com -Reported-by: tholin@users.noreply.github.com - -Fixes https://github.com/curl/curl/issues/3542 -Closes #3559 - -Upstream-commit: 4015fae044ce52a639c9358e22a9e948f287c89f -Signed-off-by: Kamil Dudka ---- - lib/url.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/url.c b/lib/url.c -index 229c655..a77e92d 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -965,8 +965,10 @@ static bool extract_if_dead(struct connectdata *conn, - /* The protocol has a special method for checking the state of the - connection. Use it to check if the connection is dead. */ - unsigned int state; -+ struct Curl_easy *olddata = conn->data; - conn->data = data; /* use this transfer for now */ - state = conn->handler->connection_check(conn, CONNCHECK_ISDEAD); -+ conn->data = olddata; - dead = (state & CONNRESULT_DEAD); - } - else { -@@ -995,7 +997,6 @@ struct prunedead { - static int call_extract_if_dead(struct connectdata *conn, void *param) - { - struct prunedead *p = (struct prunedead *)param; -- conn->data = p->data; /* transfer to use for this check */ - if(extract_if_dead(conn, p->data)) { - /* stop the iteration here, pass back the connection that was extracted */ - p->extracted = conn; --- -2.17.2 - - -From 15e3f2eef87bff1210f43921cb15f03c68be59f7 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 19 Feb 2019 15:56:54 +0100 -Subject: [PATCH 3/3] singlesocket: fix the 'sincebefore' placement - -The variable wasn't properly reset within the loop and thus could remain -set for sockets that hadn't been set before and miss notifying the app. - -This is a follow-up to 4c35574 (shipped in curl 7.64.0) - -Reported-by: buzo-ffm on github -Detected-by: Jan Alexander Steffens -Fixes #3585 -Closes #3589 - -Upstream-commit: afc00e047c773faeaa60a5f86a246cbbeeba5819 -Signed-off-by: Kamil Dudka ---- - lib/multi.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/multi.c b/lib/multi.c -index 130226f..28f4c47 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -2360,8 +2360,6 @@ static CURLMcode singlesocket(struct Curl_multi *multi, - int num; - unsigned int curraction; - int actions[MAX_SOCKSPEREASYHANDLE]; -- unsigned int comboaction; -- bool sincebefore = FALSE; - - for(i = 0; i< MAX_SOCKSPEREASYHANDLE; i++) - socks[i] = CURL_SOCKET_BAD; -@@ -2380,6 +2378,8 @@ static CURLMcode singlesocket(struct Curl_multi *multi, - i++) { - unsigned int action = CURL_POLL_NONE; - unsigned int prevaction = 0; -+ unsigned int comboaction; -+ bool sincebefore = FALSE; - - s = socks[i]; - --- -2.17.2 - diff --git a/0003-curl-7.64.0-cookie-segfault.patch b/0003-curl-7.64.0-cookie-segfault.patch deleted file mode 100644 index 9539efa..0000000 --- a/0003-curl-7.64.0-cookie-segfault.patch +++ /dev/null @@ -1,42 +0,0 @@ -From d73dc8d3e70bde0ef999ecf7bcd5585b9892371c Mon Sep 17 00:00:00 2001 -From: Michael Wallner -Date: Mon, 25 Feb 2019 19:05:02 +0100 -Subject: [PATCH] cookies: fix NULL dereference if flushing cookies with no - CookieInfo set - -Regression brought by a52e46f3900fb0 (shipped in 7.63.0) - -Closes #3613 - -Upstream-commit: 8eddb8f4259193633cfc95a42603958a89b31de5 -Signed-off-by: Kamil Dudka ---- - lib/cookie.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/lib/cookie.c b/lib/cookie.c -index 4fb992a..d535170 100644 ---- a/lib/cookie.c -+++ b/lib/cookie.c -@@ -1504,7 +1504,8 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere) - struct Cookie **array; - - /* at first, remove expired cookies */ -- remove_expired(c); -+ if(c) -+ remove_expired(c); - - if(!strcmp("-", dumphere)) { - /* use stdout */ -@@ -1523,7 +1524,7 @@ static int cookie_output(struct CookieInfo *c, const char *dumphere) - "# This file was generated by libcurl! Edit at your own risk.\n\n", - out); - -- if(c->numcookies) { -+ if(c && c->numcookies) { - array = malloc(sizeof(struct Cookie *) * c->numcookies); - if(!array) { - if(!use_stdout) --- -2.17.2 - diff --git a/0004-curl-7.64.0-spurious-resolver-error.patch b/0004-curl-7.64.0-spurious-resolver-error.patch deleted file mode 100644 index 3e05ad5..0000000 --- a/0004-curl-7.64.0-spurious-resolver-error.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 5ddabe85b2e3e4fd08d06980719d71a2aed77a5b Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 28 Feb 2019 20:34:36 +0100 -Subject: [PATCH] threaded-resolver: shutdown the resolver thread without error - message - -When a transfer is done, the resolver thread will be brought down. That -could accidentally generate an error message in the error buffer even -though this is not an error situationand the transfer would still return -OK. An application that still reads the error buffer could find a -"Could not resolve host: [host name]" message there and get confused. - -Reported-by: Michael Schmid -Fixes #3629 -Closes #3630 - -Upstream-commit: 754ae103989a6ad0869d23a6a427d652b5b4a2fe -Signed-off-by: Kamil Dudka ---- - lib/asyn-thread.c | 68 ++++++++++++++++++++++++++--------------------- - 1 file changed, 38 insertions(+), 30 deletions(-) - -diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c -index a9679d0..55e0811 100644 ---- a/lib/asyn-thread.c -+++ b/lib/asyn-thread.c -@@ -461,6 +461,42 @@ static CURLcode resolver_error(struct connectdata *conn) - return result; - } - -+static CURLcode thread_wait_resolv(struct connectdata *conn, -+ struct Curl_dns_entry **entry, -+ bool report) -+{ -+ struct thread_data *td = (struct thread_data*) conn->async.os_specific; -+ CURLcode result = CURLE_OK; -+ -+ DEBUGASSERT(conn && td); -+ DEBUGASSERT(td->thread_hnd != curl_thread_t_null); -+ -+ /* wait for the thread to resolve the name */ -+ if(Curl_thread_join(&td->thread_hnd)) { -+ if(entry) -+ result = getaddrinfo_complete(conn); -+ } -+ else -+ DEBUGASSERT(0); -+ -+ conn->async.done = TRUE; -+ -+ if(entry) -+ *entry = conn->async.dns; -+ -+ if(!conn->async.dns && report) -+ /* a name was not resolved, report error */ -+ result = resolver_error(conn); -+ -+ destroy_async_data(&conn->async); -+ -+ if(!conn->async.dns && report) -+ connclose(conn, "asynch resolve failed"); -+ -+ return result; -+} -+ -+ - /* - * Until we gain a way to signal the resolver threads to stop early, we must - * simply wait for them and ignore their results. -@@ -473,7 +509,7 @@ void Curl_resolver_kill(struct connectdata *conn) - unfortunately. Otherwise, we can simply cancel to clean up any resolver - data. */ - if(td && td->thread_hnd != curl_thread_t_null) -- (void)Curl_resolver_wait_resolv(conn, NULL); -+ (void)thread_wait_resolv(conn, NULL, FALSE); - else - Curl_resolver_cancel(conn); - } -@@ -494,35 +530,7 @@ void Curl_resolver_kill(struct connectdata *conn) - CURLcode Curl_resolver_wait_resolv(struct connectdata *conn, - struct Curl_dns_entry **entry) - { -- struct thread_data *td = (struct thread_data*) conn->async.os_specific; -- CURLcode result = CURLE_OK; -- -- DEBUGASSERT(conn && td); -- DEBUGASSERT(td->thread_hnd != curl_thread_t_null); -- -- /* wait for the thread to resolve the name */ -- if(Curl_thread_join(&td->thread_hnd)) { -- if(entry) -- result = getaddrinfo_complete(conn); -- } -- else -- DEBUGASSERT(0); -- -- conn->async.done = TRUE; -- -- if(entry) -- *entry = conn->async.dns; -- -- if(!conn->async.dns) -- /* a name was not resolved, report error */ -- result = resolver_error(conn); -- -- destroy_async_data(&conn->async); -- -- if(!conn->async.dns) -- connclose(conn, "asynch resolve failed"); -- -- return result; -+ return thread_wait_resolv(conn, entry, TRUE); - } - - /* --- -2.17.2 - diff --git a/0005-curl-7.64.0-expire-in-verbose-msgs.patch b/0005-curl-7.64.0-expire-in-verbose-msgs.patch deleted file mode 100644 index 43d3573..0000000 --- a/0005-curl-7.64.0-expire-in-verbose-msgs.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 2e8f4d01cdd07779e0582257cb6b53c5a91d6504 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 11 Feb 2019 22:57:33 +0100 -Subject: [PATCH] multi: remove verbose "Expire in" ... messages - -Reported-by: James Brown -Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html -Closes #3558 - -Upstream-commit: aabc7ae5ecf70973add429b5acbc86d6a57e4da5 -Signed-off-by: Kamil Dudka ---- - lib/multi.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/lib/multi.c b/lib/multi.c -index 28f4c47..856cc22 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -3028,9 +3028,6 @@ void Curl_expire(struct Curl_easy *data, time_t milli, expire_id id) - - DEBUGASSERT(id < EXPIRE_LAST); - -- infof(data, "Expire in %ld ms for %x (transfer %p)\n", -- (long)milli, id, data); -- - set = Curl_now(); - set.tv_sec += milli/1000; - set.tv_usec += (unsigned int)(milli%1000)*1000; --- -2.17.2 - diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 57c05c6..265c3ff 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16250,18 +16250,11 @@ $as_echo "yes" >&6; } +@@ -16273,18 +16273,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0104-curl-7.19.7-localhost6.patch b/0104-curl-7.19.7-localhost6.patch index 4f664d3..caa8bc2 100644 --- a/0104-curl-7.19.7-localhost6.patch +++ b/0104-curl-7.19.7-localhost6.patch @@ -14,8 +14,8 @@ index e441278..b0958b6 100644 +-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6 --perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}" -+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}" +-perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}" ++perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}" diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 003655c..84a6ee7 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -521,6 +521,7 @@ lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -530,6 +530,7 @@ lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1558_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.64.0.tar.xz.asc b/curl-7.64.0.tar.xz.asc deleted file mode 100644 index 21f7542..0000000 --- a/curl-7.64.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlxahccACgkQXMkI/bce -EsKdrAf+OoNH+Yz1HfJG5MtmEi2sgRC56iAvZBQujPG8SJYGnT3D2nLiuC2+bzA8 -eMCqisodW5f6lV/9JRvLmLS0dhxAfdf/NHlMOdtgSv+NzVGsggpHeYEZ7HucRHsQ -AKZ6/wx7rby8yZqrn2s7yWWB0qgiajWx30r+CJEYXpuw+YwZ2qZo5ecM7fa/J9ko -ESwb7BLF6KMkdSz1wSApwCdznB/BXOaPrUBMiOcwO7ftq/t1ZmqnUWLtdlSp8OoH -Tw832H1kCP2OFHcOFTQmZJLagRQtLBhC522wNsagXaMwak6uhoFApcAPqoPdm4Pm -PvTO6aAopZk+sX9VemdSQzx/4ysT3w== -=HOlc ------END PGP SIGNATURE----- diff --git a/curl-7.64.1.tar.xz.asc b/curl-7.64.1.tar.xz.asc new file mode 100644 index 0000000..d0dc784 --- /dev/null +++ b/curl-7.64.1.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlybHwMACgkQXMkI/bce +EsIlxQf+LUj/zeWzTgxXIFgtfba+RKb66RpWhgzKLBpiGFQjhckILFJ+Li625SE3 +9fCrIslGuY2S4G6fRH1qEIZVglpA185sTeY241/JK788ftJFFQd2GtM/+Ysrla5h +zc2wD3amDXcROWI+QIl/dBy7xRnW8TSTMu2sEPLarsNtXK9EC+h/WIkeYW1amMf2 +a8vRFwXFZ7OrEiq7A0avvmbrQVgIIGP/zyz44ZN00PPgLm40c1rngHGBJJzEMVSS +ClZ+wUQ+AyamL3Ls9a+V3SF3IuVrFInjv5Y1OshPULaqL2VxPsCVw67sCVouePMS +J0u3GZPsE+sVbx7cHCfZFdSnutFBKQ== +=WUio +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 6cf125f..9ccaff4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,25 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.64.0 -Release: 6%{?dist} +Version: 7.64.1 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# make zsh completion work again -Patch1: 0001-curl-7.64.0-zsh-completion.patch - -# prevent NetworkManager from leaking file descriptors (#1680198) -Patch2: 0002-curl-7.64.0-nm-fd-leak.patch - -# fix NULL dereference if flushing cookies with no CookieInfo set (#1683676) -Patch3: 0003-curl-7.64.0-cookie-segfault.patch - -# avoid spurious "Could not resolve host: [host name]" error messages -Patch4: 0004-curl-7.64.0-spurious-resolver-error.patch - -# remove verbose "Expire in" ... messages (#1690971) -Patch5: 0005-curl-7.64.0-expire-in-verbose-msgs.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -181,11 +166,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 # Fedora patches %patch101 -p1 @@ -312,6 +292,10 @@ make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts +# do not install /usr/share/fish/completions/curl.fish which is also installed +# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict +rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish + rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %ldconfig_scriptlets -n libcurl @@ -319,13 +303,17 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES README* -%doc docs/BUGS docs/FAQ docs/FEATURES -%doc docs/MANUAL docs/RESOURCES -%doc docs/TheArtOfHttpScripting docs/TODO +%doc CHANGES +%doc README +%doc docs/BUGS +%doc docs/FAQ +%doc docs/FEATURES +%doc docs/RESOURCES +%doc docs/TODO +%doc docs/TheArtOfHttpScripting %{_bindir}/curl %{_mandir}/man1/curl.1* -%{_datadir}/zsh/site-functions +%{_datadir}/zsh %files -n libcurl %license COPYING @@ -353,6 +341,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 27 2019 Kamil Dudka - 7.64.1-1 +- new upstream release + * Mon Mar 25 2019 Kamil Dudka - 7.64.0-6 - remove verbose "Expire in" ... messages (#1690971) diff --git a/sources b/sources index d5662be..1c4276d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.64.0.tar.xz) = 953f1f5336ce5dfd1b9f933624432d401552d91ee02d39ecde6f023c956f99ec6aae8d7746d7c34b6eb2d6452f114e67da4e64d9c8dd90b7644b7844e7b9b423 +SHA512 (curl-7.64.1.tar.xz) = 1629ba154691bf9d936e0bce69ec8fb54991a40d34bc16ffdfb117f91e3faa93164154fc9ae9043e963955862e69515018673b7239f2fd625684a59cdd1db81c From 8fd906c5591f06c7eb3be5d0aa182333e6889703 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Fri, 5 Apr 2019 13:38:15 +0100 Subject: [PATCH 057/256] generation of shell completions now needs more perl stuff --- curl.spec | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 9ccaff4..347018f 100644 --- a/curl.spec +++ b/curl.spec @@ -39,6 +39,7 @@ BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server BuildRequires: openssl-devel +BuildRequires: perl-interpreter BuildRequires: pkgconfig BuildRequires: python3-devel BuildRequires: sed @@ -48,6 +49,12 @@ BuildRequires: zlib-devel # needed to compress content of tool_hugehelp.c after changing curl.1 man page BuildRequires: perl(IO::Compress::Gzip) +# needed for generation of shell completions +BuildRequires: perl(Getopt::Long) +BuildRequires: perl(Pod::Usage) +BuildRequires: perl(strict) +BuildRequires: perl(warnings) + # gnutls-serv is used by the upstream test-suite BuildRequires: gnutls-utils @@ -63,10 +70,8 @@ BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) BuildRequires: perl(IPC::Open2) BuildRequires: perl(MIME::Base64) -BuildRequires: perl(strict) BuildRequires: perl(Time::Local) BuildRequires: perl(Time::HiRes) -BuildRequires: perl(warnings) BuildRequires: perl(vars) # The test-suite runs automatically through valgrind if valgrind is available From 9dd5d73f3b1c0fcae0ff35500e09e3c3574b2460 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 9 May 2019 09:59:31 +0200 Subject: [PATCH 058/256] do not treat failure of gss_init_sec_context() with --negotiate as fatal This commit fixes a major incompatibility introduced in curl-7.64.1. Bug: https://github.com/curl/curl/issues/3726 --- ...curl-7.64.1-negotiate-without-ticket.patch | 68 +++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.64.1-negotiate-without-ticket.patch diff --git a/0001-curl-7.64.1-negotiate-without-ticket.patch b/0001-curl-7.64.1-negotiate-without-ticket.patch new file mode 100644 index 0000000..125ee54 --- /dev/null +++ b/0001-curl-7.64.1-negotiate-without-ticket.patch @@ -0,0 +1,68 @@ +From f7c66081721ac54f68457f07994487f416db383f Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 6 May 2019 14:16:35 +0200 +Subject: [PATCH] spnego_gssapi: fix return code on gss_init_sec_context() + failure + +Fixes #3726 +Closes #3849 + +Upstream-commit: f65845c1eccc02385cdfb22bf2e521e670f7b295 +Signed-off-by: Kamil Dudka +--- + lib/vauth/spnego_gssapi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/vauth/spnego_gssapi.c b/lib/vauth/spnego_gssapi.c +index 7c4bd4b59..de8bde2ba 100644 +--- a/lib/vauth/spnego_gssapi.c ++++ b/lib/vauth/spnego_gssapi.c +@@ -170,7 +170,7 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data, + Curl_gss_log_error(data, "gss_init_sec_context() failed: ", + major_status, minor_status); + +- return CURLE_OUT_OF_MEMORY; ++ return CURLE_LOGIN_DENIED; + } + + if(!output_token.value || !output_token.length) { +-- +2.20.1 + +From ce0dbcf6f028c84adf4ff3704c04a09d4450a596 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 6 May 2019 14:32:00 +0200 +Subject: [PATCH] http_negotiate: do not treat failure of + gss_init_sec_context() as fatal + +Fixes #3726 +Closes #3849 + +Upstream-commit: f4603708af08f454bca8b74095d0af40a4516512 +Signed-off-by: Kamil Dudka +--- + lib/http_negotiate.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index 9415236fb..201c3a785 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -143,7 +143,13 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) + } + if(!neg_ctx->context) { + result = Curl_input_negotiate(conn, proxy, "Negotiate"); +- if(result) ++ if(result == CURLE_LOGIN_DENIED) { ++ /* negotiate auth failed, let's continue unauthenticated to stay ++ * compatible with the behavior before curl-7_64_0-158-g6c6035532 */ ++ conn->data->state.authproblem = TRUE; ++ return CURLE_OK; ++ } ++ else if(result) + return result; + } + +-- +2.20.1 + diff --git a/curl.spec b/curl.spec index 347018f..4f4198d 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.64.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# do not treat failure of gss_init_sec_context() with --negotiate as fatal +Patch1: 0001-curl-7.64.1-negotiate-without-ticket.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -171,6 +174,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -346,6 +350,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu May 09 2019 Kamil Dudka - 7.64.1-2 +- do not treat failure of gss_init_sec_context() with --negotiate as fatal + * Wed Mar 27 2019 Kamil Dudka - 7.64.1-1 - new upstream release From 3c7950da770ba435d85bfada130f9d0c512df60b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 22 May 2019 10:37:45 +0200 Subject: [PATCH 059/256] new upstream release - 7.65.0 Resolves: CVE-2019-5436 - TFTP receive buffer overflow Resolves: CVE-2019-5435 - integer overflows in curl_url_set() --- ...curl-7.64.1-negotiate-without-ticket.patch | 68 ------------------- 0105-curl-7.63.0-lib1560-valgrind.patch | 4 +- curl-7.64.1.tar.xz.asc | 11 --- curl-7.65.0.tar.xz.asc | 11 +++ curl.spec | 13 ++-- sources | 2 +- 6 files changed, 21 insertions(+), 88 deletions(-) delete mode 100644 0001-curl-7.64.1-negotiate-without-ticket.patch delete mode 100644 curl-7.64.1.tar.xz.asc create mode 100644 curl-7.65.0.tar.xz.asc diff --git a/0001-curl-7.64.1-negotiate-without-ticket.patch b/0001-curl-7.64.1-negotiate-without-ticket.patch deleted file mode 100644 index 125ee54..0000000 --- a/0001-curl-7.64.1-negotiate-without-ticket.patch +++ /dev/null @@ -1,68 +0,0 @@ -From f7c66081721ac54f68457f07994487f416db383f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 6 May 2019 14:16:35 +0200 -Subject: [PATCH] spnego_gssapi: fix return code on gss_init_sec_context() - failure - -Fixes #3726 -Closes #3849 - -Upstream-commit: f65845c1eccc02385cdfb22bf2e521e670f7b295 -Signed-off-by: Kamil Dudka ---- - lib/vauth/spnego_gssapi.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/vauth/spnego_gssapi.c b/lib/vauth/spnego_gssapi.c -index 7c4bd4b59..de8bde2ba 100644 ---- a/lib/vauth/spnego_gssapi.c -+++ b/lib/vauth/spnego_gssapi.c -@@ -170,7 +170,7 @@ CURLcode Curl_auth_decode_spnego_message(struct Curl_easy *data, - Curl_gss_log_error(data, "gss_init_sec_context() failed: ", - major_status, minor_status); - -- return CURLE_OUT_OF_MEMORY; -+ return CURLE_LOGIN_DENIED; - } - - if(!output_token.value || !output_token.length) { --- -2.20.1 - -From ce0dbcf6f028c84adf4ff3704c04a09d4450a596 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 6 May 2019 14:32:00 +0200 -Subject: [PATCH] http_negotiate: do not treat failure of - gss_init_sec_context() as fatal - -Fixes #3726 -Closes #3849 - -Upstream-commit: f4603708af08f454bca8b74095d0af40a4516512 -Signed-off-by: Kamil Dudka ---- - lib/http_negotiate.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c -index 9415236fb..201c3a785 100644 ---- a/lib/http_negotiate.c -+++ b/lib/http_negotiate.c -@@ -143,7 +143,13 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) - } - if(!neg_ctx->context) { - result = Curl_input_negotiate(conn, proxy, "Negotiate"); -- if(result) -+ if(result == CURLE_LOGIN_DENIED) { -+ /* negotiate auth failed, let's continue unauthenticated to stay -+ * compatible with the behavior before curl-7_64_0-158-g6c6035532 */ -+ conn->data->state.authproblem = TRUE; -+ return CURLE_OK; -+ } -+ else if(result) - return result; - } - --- -2.20.1 - diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 84a6ee7..652739c 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,8 +26,8 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -530,6 +530,7 @@ lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) - lib1558_LDADD = $(TESTUTIL_LIBS) +@@ -528,6 +528,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp diff --git a/curl-7.64.1.tar.xz.asc b/curl-7.64.1.tar.xz.asc deleted file mode 100644 index d0dc784..0000000 --- a/curl-7.64.1.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlybHwMACgkQXMkI/bce -EsIlxQf+LUj/zeWzTgxXIFgtfba+RKb66RpWhgzKLBpiGFQjhckILFJ+Li625SE3 -9fCrIslGuY2S4G6fRH1qEIZVglpA185sTeY241/JK788ftJFFQd2GtM/+Ysrla5h -zc2wD3amDXcROWI+QIl/dBy7xRnW8TSTMu2sEPLarsNtXK9EC+h/WIkeYW1amMf2 -a8vRFwXFZ7OrEiq7A0avvmbrQVgIIGP/zyz44ZN00PPgLm40c1rngHGBJJzEMVSS -ClZ+wUQ+AyamL3Ls9a+V3SF3IuVrFInjv5Y1OshPULaqL2VxPsCVw67sCVouePMS -J0u3GZPsE+sVbx7cHCfZFdSnutFBKQ== -=WUio ------END PGP SIGNATURE----- diff --git a/curl-7.65.0.tar.xz.asc b/curl-7.65.0.tar.xz.asc new file mode 100644 index 0000000..21f3b0b --- /dev/null +++ b/curl-7.65.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlzk438ACgkQXMkI/bce +EsITWggAgk129Kxp4Br7Nn2+vyygKwv3dDEm87wJVuQka8gT2pZ9ZVQ6rEX9j0sR +RETf8KrEbSlOBgl2EJpgToL5kgiMCweTXced3VY2szVVibenBa2Zd9MpSl5Sf7hH +axinhdvEPNH+w8WuprEqZh+d/T5grAxChPJz4bLqKQI5fw5T3IuMfYTjZqx8DkOt +4FekihWCr6N/nW9BFOz8H19GFtotYSwoPvQJ+RmB7+Zt7ruHjRgyINCgxbWPvs4P +eZNWykqQ9FaXLSoJQYjLvEx0smye0bxSu3EIYBeL60fiFWJaSHQPyfBgC3JC+dD6 +ufxhEk814I4XzPaRFTLjgzjmTqRMPw== +=4VIp +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 4f4198d..cb35ee2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.64.1 -Release: 2%{?dist} +Version: 7.65.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# do not treat failure of gss_init_sec_context() with --negotiate as fatal -Patch1: 0001-curl-7.64.1-negotiate-without-ticket.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -174,7 +171,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -350,6 +346,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 22 2019 Kamil Dudka - 7.65.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2019-5436 - TFTP receive buffer overflow + CVE-2019-5435 - integer overflows in curl_url_set() + * Thu May 09 2019 Kamil Dudka - 7.64.1-2 - do not treat failure of gss_init_sec_context() with --negotiate as fatal diff --git a/sources b/sources index 1c4276d..36347c9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.64.1.tar.xz) = 1629ba154691bf9d936e0bce69ec8fb54991a40d34bc16ffdfb117f91e3faa93164154fc9ae9043e963955862e69515018673b7239f2fd625684a59cdd1db81c +SHA512 (curl-7.65.0.tar.xz) = 032c065c1d4bd07ba028625f8fab6a09e7cb8505a5f19339b3abdee5a9cda7d091c11f075fe3fc227d082690a66c558c770a4cd9fb17b52acc13794976a770c5 From b6ccff47ac093003674a469ec44541edbd8caaef Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 30 May 2019 15:27:58 +0200 Subject: [PATCH 060/256] Resolves: #1714893 - fix spurious timeout events with speed-limit --- 0001-curl-7.65.0-speed-limit-timeout.patch | 203 +++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 211 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.65.0-speed-limit-timeout.patch diff --git a/0001-curl-7.65.0-speed-limit-timeout.patch b/0001-curl-7.65.0-speed-limit-timeout.patch new file mode 100644 index 0000000..f9e155b --- /dev/null +++ b/0001-curl-7.65.0-speed-limit-timeout.patch @@ -0,0 +1,203 @@ +From f2cc9d8d194c4eef706cb5470bdf6f7483b4e3cf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 22 May 2019 23:15:34 +0200 +Subject: [PATCH] Revert "progress: CURL_DISABLE_PROGRESS_METER" + +This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. + +Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + +CURLOPT_LOW_SPEED_TIME + +Reported-by: Dave Reisner + +Fixes #3927 +Closes #3928 + +Upstream-commit: c6b58137237a89081b4efc33ae0ecf7282e40132 +Signed-off-by: Kamil Dudka +--- + lib/progress.c | 110 ++++++++++++++++++++++--------------------------- + 1 file changed, 49 insertions(+), 61 deletions(-) + +diff --git a/lib/progress.c b/lib/progress.c +index f586d59b4..fe9929bb9 100644 +--- a/lib/progress.c ++++ b/lib/progress.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -31,7 +31,6 @@ + /* check rate limits within this many recent milliseconds, at minimum. */ + #define MIN_RATE_LIMIT_PERIOD 3000 + +-#ifndef CURL_DISABLE_PROGRESS_METER + /* Provide a string that is 2 + 1 + 2 + 1 + 2 = 8 letters long (plus the zero + byte) */ + static void time2str(char *r, curl_off_t seconds) +@@ -120,7 +119,6 @@ static char *max5data(curl_off_t bytes, char *max5) + + return max5; + } +-#endif + + /* + +@@ -364,13 +362,17 @@ void Curl_pgrsSetUploadSize(struct Curl_easy *data, curl_off_t size) + } + } + +-#ifndef CURL_DISABLE_PROGRESS_METER +-static void progress_meter(struct connectdata *conn) ++/* ++ * Curl_pgrsUpdate() returns 0 for success or the value returned by the ++ * progress callback! ++ */ ++int Curl_pgrsUpdate(struct connectdata *conn) + { + struct curltime now; + curl_off_t timespent; + curl_off_t timespent_ms; /* milliseconds */ + struct Curl_easy *data = conn->data; ++ int nowindex = data->progress.speeder_c% CURR_TIME; + bool shownow = FALSE; + curl_off_t dl = data->progress.downloaded; + curl_off_t ul = data->progress.uploaded; +@@ -397,9 +399,7 @@ static void progress_meter(struct connectdata *conn) + /* Calculations done at most once a second, unless end is reached */ + if(data->progress.lastshow != now.tv_sec) { + int countindex; /* amount of seconds stored in the speeder array */ +- int nowindex = data->progress.speeder_c% CURR_TIME; +- if(!(data->progress.flags & PGRS_HIDE)) +- shownow = TRUE; ++ shownow = TRUE; + + data->progress.lastshow = now.tv_sec; + +@@ -461,12 +461,8 @@ static void progress_meter(struct connectdata *conn) + data->progress.ulspeed + data->progress.dlspeed; + + } /* Calculations end */ +- if(!shownow) +- /* only show the internal progress meter once per second */ +- return; +- else { +- /* If there's no external callback set, use internal code to show +- progress */ ++ ++ if(!(data->progress.flags & PGRS_HIDE)) { + /* progress meter has not been shut off */ + char max5[6][10]; + curl_off_t dlpercen = 0; +@@ -481,6 +477,42 @@ static void progress_meter(struct connectdata *conn) + curl_off_t dlestimate = 0; + curl_off_t total_estimate; + ++ if(data->set.fxferinfo) { ++ int result; ++ /* There's a callback set, call that */ ++ Curl_set_in_callback(data, true); ++ result = data->set.fxferinfo(data->set.progress_client, ++ data->progress.size_dl, ++ data->progress.downloaded, ++ data->progress.size_ul, ++ data->progress.uploaded); ++ Curl_set_in_callback(data, false); ++ if(result) ++ failf(data, "Callback aborted"); ++ return result; ++ } ++ if(data->set.fprogress) { ++ int result; ++ /* The older deprecated callback is set, call that */ ++ Curl_set_in_callback(data, true); ++ result = data->set.fprogress(data->set.progress_client, ++ (double)data->progress.size_dl, ++ (double)data->progress.downloaded, ++ (double)data->progress.size_ul, ++ (double)data->progress.uploaded); ++ Curl_set_in_callback(data, false); ++ if(result) ++ failf(data, "Callback aborted"); ++ return result; ++ } ++ ++ if(!shownow) ++ /* only show the internal progress meter once per second */ ++ return 0; ++ ++ /* If there's no external callback set, use internal code to show ++ progress */ ++ + if(!(data->progress.flags & PGRS_HEADERS_OUT)) { + if(data->state.resume_from) { + fprintf(data->set.err, +@@ -563,57 +595,13 @@ static void progress_meter(struct connectdata *conn) + time_total, /* 8 letters */ /* total time */ + time_spent, /* 8 letters */ /* time spent */ + time_left, /* 8 letters */ /* time left */ +- max5data(data->progress.current_speed, max5[5]) +- ); ++ max5data(data->progress.current_speed, max5[5]) /* current speed */ ++ ); + + /* we flush the output stream to make it appear as soon as possible */ + fflush(data->set.err); +- } /* don't show now */ +-} +-#else +- /* progress bar disabled */ +-#define progress_meter(x) +-#endif +- + +-/* +- * Curl_pgrsUpdate() returns 0 for success or the value returned by the +- * progress callback! +- */ +-int Curl_pgrsUpdate(struct connectdata *conn) +-{ +- struct Curl_easy *data = conn->data; +- if(!(data->progress.flags & PGRS_HIDE)) { +- if(data->set.fxferinfo) { +- int result; +- /* There's a callback set, call that */ +- Curl_set_in_callback(data, true); +- result = data->set.fxferinfo(data->set.progress_client, +- data->progress.size_dl, +- data->progress.downloaded, +- data->progress.size_ul, +- data->progress.uploaded); +- Curl_set_in_callback(data, false); +- if(result) +- failf(data, "Callback aborted"); +- return result; +- } +- if(data->set.fprogress) { +- int result; +- /* The older deprecated callback is set, call that */ +- Curl_set_in_callback(data, true); +- result = data->set.fprogress(data->set.progress_client, +- (double)data->progress.size_dl, +- (double)data->progress.downloaded, +- (double)data->progress.size_ul, +- (double)data->progress.uploaded); +- Curl_set_in_callback(data, false); +- if(result) +- failf(data, "Callback aborted"); +- return result; +- } +- } +- progress_meter(conn); ++ } /* !(data->progress.flags & PGRS_HIDE) */ + + return 0; + } +-- +2.20.1 + diff --git a/curl.spec b/curl.spec index cb35ee2..79eb8a9 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.65.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# fix spurious timeout events with speed-limit (#1714893) +Patch1: 0001-curl-7.65.0-speed-limit-timeout.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -171,6 +174,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -346,6 +350,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu May 30 2019 Kamil Dudka - 7.65.0-2 +- fix spurious timeout events with speed-limit (#1714893) + * Wed May 22 2019 Kamil Dudka - 7.65.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2019-5436 - TFTP receive buffer overflow From 901da63160e081c2f0b4b2dce8b8afc2026e2431 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 5 Jun 2019 09:30:50 +0200 Subject: [PATCH 061/256] new upstream release - 7.65.1 --- 0001-curl-7.65.0-speed-limit-timeout.patch | 203 --------------------- 0102-curl-7.36.0-debug.patch | 2 +- curl-7.65.0.tar.xz.asc | 11 -- curl-7.65.1.tar.xz.asc | 11 ++ curl.spec | 11 +- sources | 2 +- 6 files changed, 18 insertions(+), 222 deletions(-) delete mode 100644 0001-curl-7.65.0-speed-limit-timeout.patch delete mode 100644 curl-7.65.0.tar.xz.asc create mode 100644 curl-7.65.1.tar.xz.asc diff --git a/0001-curl-7.65.0-speed-limit-timeout.patch b/0001-curl-7.65.0-speed-limit-timeout.patch deleted file mode 100644 index f9e155b..0000000 --- a/0001-curl-7.65.0-speed-limit-timeout.patch +++ /dev/null @@ -1,203 +0,0 @@ -From f2cc9d8d194c4eef706cb5470bdf6f7483b4e3cf Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 22 May 2019 23:15:34 +0200 -Subject: [PATCH] Revert "progress: CURL_DISABLE_PROGRESS_METER" - -This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. - -Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + -CURLOPT_LOW_SPEED_TIME - -Reported-by: Dave Reisner - -Fixes #3927 -Closes #3928 - -Upstream-commit: c6b58137237a89081b4efc33ae0ecf7282e40132 -Signed-off-by: Kamil Dudka ---- - lib/progress.c | 110 ++++++++++++++++++++++--------------------------- - 1 file changed, 49 insertions(+), 61 deletions(-) - -diff --git a/lib/progress.c b/lib/progress.c -index f586d59b4..fe9929bb9 100644 ---- a/lib/progress.c -+++ b/lib/progress.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -31,7 +31,6 @@ - /* check rate limits within this many recent milliseconds, at minimum. */ - #define MIN_RATE_LIMIT_PERIOD 3000 - --#ifndef CURL_DISABLE_PROGRESS_METER - /* Provide a string that is 2 + 1 + 2 + 1 + 2 = 8 letters long (plus the zero - byte) */ - static void time2str(char *r, curl_off_t seconds) -@@ -120,7 +119,6 @@ static char *max5data(curl_off_t bytes, char *max5) - - return max5; - } --#endif - - /* - -@@ -364,13 +362,17 @@ void Curl_pgrsSetUploadSize(struct Curl_easy *data, curl_off_t size) - } - } - --#ifndef CURL_DISABLE_PROGRESS_METER --static void progress_meter(struct connectdata *conn) -+/* -+ * Curl_pgrsUpdate() returns 0 for success or the value returned by the -+ * progress callback! -+ */ -+int Curl_pgrsUpdate(struct connectdata *conn) - { - struct curltime now; - curl_off_t timespent; - curl_off_t timespent_ms; /* milliseconds */ - struct Curl_easy *data = conn->data; -+ int nowindex = data->progress.speeder_c% CURR_TIME; - bool shownow = FALSE; - curl_off_t dl = data->progress.downloaded; - curl_off_t ul = data->progress.uploaded; -@@ -397,9 +399,7 @@ static void progress_meter(struct connectdata *conn) - /* Calculations done at most once a second, unless end is reached */ - if(data->progress.lastshow != now.tv_sec) { - int countindex; /* amount of seconds stored in the speeder array */ -- int nowindex = data->progress.speeder_c% CURR_TIME; -- if(!(data->progress.flags & PGRS_HIDE)) -- shownow = TRUE; -+ shownow = TRUE; - - data->progress.lastshow = now.tv_sec; - -@@ -461,12 +461,8 @@ static void progress_meter(struct connectdata *conn) - data->progress.ulspeed + data->progress.dlspeed; - - } /* Calculations end */ -- if(!shownow) -- /* only show the internal progress meter once per second */ -- return; -- else { -- /* If there's no external callback set, use internal code to show -- progress */ -+ -+ if(!(data->progress.flags & PGRS_HIDE)) { - /* progress meter has not been shut off */ - char max5[6][10]; - curl_off_t dlpercen = 0; -@@ -481,6 +477,42 @@ static void progress_meter(struct connectdata *conn) - curl_off_t dlestimate = 0; - curl_off_t total_estimate; - -+ if(data->set.fxferinfo) { -+ int result; -+ /* There's a callback set, call that */ -+ Curl_set_in_callback(data, true); -+ result = data->set.fxferinfo(data->set.progress_client, -+ data->progress.size_dl, -+ data->progress.downloaded, -+ data->progress.size_ul, -+ data->progress.uploaded); -+ Curl_set_in_callback(data, false); -+ if(result) -+ failf(data, "Callback aborted"); -+ return result; -+ } -+ if(data->set.fprogress) { -+ int result; -+ /* The older deprecated callback is set, call that */ -+ Curl_set_in_callback(data, true); -+ result = data->set.fprogress(data->set.progress_client, -+ (double)data->progress.size_dl, -+ (double)data->progress.downloaded, -+ (double)data->progress.size_ul, -+ (double)data->progress.uploaded); -+ Curl_set_in_callback(data, false); -+ if(result) -+ failf(data, "Callback aborted"); -+ return result; -+ } -+ -+ if(!shownow) -+ /* only show the internal progress meter once per second */ -+ return 0; -+ -+ /* If there's no external callback set, use internal code to show -+ progress */ -+ - if(!(data->progress.flags & PGRS_HEADERS_OUT)) { - if(data->state.resume_from) { - fprintf(data->set.err, -@@ -563,57 +595,13 @@ static void progress_meter(struct connectdata *conn) - time_total, /* 8 letters */ /* total time */ - time_spent, /* 8 letters */ /* time spent */ - time_left, /* 8 letters */ /* time left */ -- max5data(data->progress.current_speed, max5[5]) -- ); -+ max5data(data->progress.current_speed, max5[5]) /* current speed */ -+ ); - - /* we flush the output stream to make it appear as soon as possible */ - fflush(data->set.err); -- } /* don't show now */ --} --#else -- /* progress bar disabled */ --#define progress_meter(x) --#endif -- - --/* -- * Curl_pgrsUpdate() returns 0 for success or the value returned by the -- * progress callback! -- */ --int Curl_pgrsUpdate(struct connectdata *conn) --{ -- struct Curl_easy *data = conn->data; -- if(!(data->progress.flags & PGRS_HIDE)) { -- if(data->set.fxferinfo) { -- int result; -- /* There's a callback set, call that */ -- Curl_set_in_callback(data, true); -- result = data->set.fxferinfo(data->set.progress_client, -- data->progress.size_dl, -- data->progress.downloaded, -- data->progress.size_ul, -- data->progress.uploaded); -- Curl_set_in_callback(data, false); -- if(result) -- failf(data, "Callback aborted"); -- return result; -- } -- if(data->set.fprogress) { -- int result; -- /* The older deprecated callback is set, call that */ -- Curl_set_in_callback(data, true); -- result = data->set.fprogress(data->set.progress_client, -- (double)data->progress.size_dl, -- (double)data->progress.downloaded, -- (double)data->progress.size_ul, -- (double)data->progress.uploaded); -- Curl_set_in_callback(data, false); -- if(result) -- failf(data, "Callback aborted"); -- return result; -- } -- } -- progress_meter(conn); -+ } /* !(data->progress.flags & PGRS_HIDE) */ - - return 0; - } --- -2.20.1 - diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 265c3ff..e757b9d 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16273,18 +16273,11 @@ $as_echo "yes" >&6; } +@@ -16268,18 +16268,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/curl-7.65.0.tar.xz.asc b/curl-7.65.0.tar.xz.asc deleted file mode 100644 index 21f3b0b..0000000 --- a/curl-7.65.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlzk438ACgkQXMkI/bce -EsITWggAgk129Kxp4Br7Nn2+vyygKwv3dDEm87wJVuQka8gT2pZ9ZVQ6rEX9j0sR -RETf8KrEbSlOBgl2EJpgToL5kgiMCweTXced3VY2szVVibenBa2Zd9MpSl5Sf7hH -axinhdvEPNH+w8WuprEqZh+d/T5grAxChPJz4bLqKQI5fw5T3IuMfYTjZqx8DkOt -4FekihWCr6N/nW9BFOz8H19GFtotYSwoPvQJ+RmB7+Zt7ruHjRgyINCgxbWPvs4P -eZNWykqQ9FaXLSoJQYjLvEx0smye0bxSu3EIYBeL60fiFWJaSHQPyfBgC3JC+dD6 -ufxhEk814I4XzPaRFTLjgzjmTqRMPw== -=4VIp ------END PGP SIGNATURE----- diff --git a/curl-7.65.1.tar.xz.asc b/curl-7.65.1.tar.xz.asc new file mode 100644 index 0000000..1fb59c8 --- /dev/null +++ b/curl-7.65.1.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlz3WXoACgkQXMkI/bce +EsLceAgAg0RTq0HLyI2DtJyR4b60vKXTFizjIxEEBJ9NCjpxwUTg4q3H6tzIOuCR +PrPQXMADKtZpWwBDO1LV0CoUykw3vWxkG8uf5v/2GhdMdRGKm1TBgj1XN8SuAYTB +Srpus7LtyiIuElpOGUNNTIMcVXjT4ykJbLU61ykNSPc8IxK3KSY0C+dc/IpQQWQe +FmkMhuEpI4heu3uTmaj/UDs5LN+pv383XUTbMZvtgzDlquoyECGYX88+K6HC3doy +HiulXv99BUckmnCvbzL9Ly/QsbYq41UJLfc8HN4B1VtKTXkZJFyHwd8NMlSl8rQq +CLhRgj7IFk6VAEPpF3jJrmuvDxvdng== +=hzYt +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 79eb8a9..e9de3c9 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.65.0 -Release: 2%{?dist} +Version: 7.65.1 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# fix spurious timeout events with speed-limit (#1714893) -Patch1: 0001-curl-7.65.0-speed-limit-timeout.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -174,7 +171,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -350,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jun 05 2019 Kamil Dudka - 7.65.1-1 +- new upstream release + * Thu May 30 2019 Kamil Dudka - 7.65.0-2 - fix spurious timeout events with speed-limit (#1714893) diff --git a/sources b/sources index 36347c9..242cb15 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.65.0.tar.xz) = 032c065c1d4bd07ba028625f8fab6a09e7cb8505a5f19339b3abdee5a9cda7d091c11f075fe3fc227d082690a66c558c770a4cd9fb17b52acc13794976a770c5 +SHA512 (curl-7.65.1.tar.xz) = aba2d979a416d14a0f0852d595665e49fc4f7bff3bee31f3a52b90ba9dc5ffdb09c092777f124215470b72c47ebca7ddb47844cbf5c0e9142099272b6ac55df4 From 6e794d5beb6b56607f163c5c7862b010982f7b69 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 17 Jul 2019 10:28:35 +0200 Subject: [PATCH 062/256] new upstream release - 7.65.2 --- 0102-curl-7.36.0-debug.patch | 2 +- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.65.1.tar.xz.asc | 11 ----------- curl-7.65.2.tar.xz.asc | 11 +++++++++++ curl.spec | 5 ++++- sources | 2 +- 6 files changed, 18 insertions(+), 15 deletions(-) delete mode 100644 curl-7.65.1.tar.xz.asc create mode 100644 curl-7.65.2.tar.xz.asc diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index e757b9d..4f7991b 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16268,18 +16268,11 @@ $as_echo "yes" >&6; } +@@ -16288,18 +16288,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 652739c..6d05c67 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -528,6 +528,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -531,6 +531,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.65.1.tar.xz.asc b/curl-7.65.1.tar.xz.asc deleted file mode 100644 index 1fb59c8..0000000 --- a/curl-7.65.1.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlz3WXoACgkQXMkI/bce -EsLceAgAg0RTq0HLyI2DtJyR4b60vKXTFizjIxEEBJ9NCjpxwUTg4q3H6tzIOuCR -PrPQXMADKtZpWwBDO1LV0CoUykw3vWxkG8uf5v/2GhdMdRGKm1TBgj1XN8SuAYTB -Srpus7LtyiIuElpOGUNNTIMcVXjT4ykJbLU61ykNSPc8IxK3KSY0C+dc/IpQQWQe -FmkMhuEpI4heu3uTmaj/UDs5LN+pv383XUTbMZvtgzDlquoyECGYX88+K6HC3doy -HiulXv99BUckmnCvbzL9Ly/QsbYq41UJLfc8HN4B1VtKTXkZJFyHwd8NMlSl8rQq -CLhRgj7IFk6VAEPpF3jJrmuvDxvdng== -=hzYt ------END PGP SIGNATURE----- diff --git a/curl-7.65.2.tar.xz.asc b/curl-7.65.2.tar.xz.asc new file mode 100644 index 0000000..911a393 --- /dev/null +++ b/curl-7.65.2.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl0uzp8ACgkQXMkI/bce +EsKvxggApofdiAeSY2lMwKfydA6vmZRhLmdBcBx4AvA3dD56Yzs2Y78EVcv7Mtz7 +Dix90SQEQLrf29DqZh6U3/z96hwbUU0sx0k8I38KhePxAEiFcIgnyXTt4PaRrAzr +WlIk5GX+Xz9HbWEop8b2yIskVUd+VfnyR1VH/+mBzpAHn9tbPscyBT8xcKCN8LxM +QiQdzyXcxfPbBthYPaf2+bWhicch3pS4u4El8o4BTdosZrpElZtSD3RKKCbgK4Kw +688juLaWVfFhoVgyEUc1cMJRqF3Q093rbxH5Z97cW6XBQRlhFW7HFgEEHq1bhXCF ++sMUhfr1Wz+LHfVg4SasOS4fqX3Mlg== +=I4Mq +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index e9de3c9..5d5b096 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.65.1 +Version: 7.65.2 Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -346,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 17 2019 Kamil Dudka - 7.65.2-1 +- new upstream release + * Wed Jun 05 2019 Kamil Dudka - 7.65.1-1 - new upstream release diff --git a/sources b/sources index 242cb15..563e0f4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.65.1.tar.xz) = aba2d979a416d14a0f0852d595665e49fc4f7bff3bee31f3a52b90ba9dc5ffdb09c092777f124215470b72c47ebca7ddb47844cbf5c0e9142099272b6ac55df4 +SHA512 (curl-7.65.2.tar.xz) = a411cf19c389301473d74b85d775e3ba0c7c2f6e74d7e0f8de47dace1a709bfba552c483c3faf94101f741a5478800284c475422844cedb6a7a070e2f78af263 From a5c984a5907b2ccf14e4d1524b6135244a607b51 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sat, 20 Jul 2019 12:02:57 +0100 Subject: [PATCH 063/256] new upstream release - 7.65.3 --- curl-7.65.2.tar.xz.asc | 11 ----------- curl-7.65.3.tar.xz.asc | 11 +++++++++++ curl.spec | 5 ++++- sources | 2 +- 4 files changed, 16 insertions(+), 13 deletions(-) delete mode 100644 curl-7.65.2.tar.xz.asc create mode 100644 curl-7.65.3.tar.xz.asc diff --git a/curl-7.65.2.tar.xz.asc b/curl-7.65.2.tar.xz.asc deleted file mode 100644 index 911a393..0000000 --- a/curl-7.65.2.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl0uzp8ACgkQXMkI/bce -EsKvxggApofdiAeSY2lMwKfydA6vmZRhLmdBcBx4AvA3dD56Yzs2Y78EVcv7Mtz7 -Dix90SQEQLrf29DqZh6U3/z96hwbUU0sx0k8I38KhePxAEiFcIgnyXTt4PaRrAzr -WlIk5GX+Xz9HbWEop8b2yIskVUd+VfnyR1VH/+mBzpAHn9tbPscyBT8xcKCN8LxM -QiQdzyXcxfPbBthYPaf2+bWhicch3pS4u4El8o4BTdosZrpElZtSD3RKKCbgK4Kw -688juLaWVfFhoVgyEUc1cMJRqF3Q093rbxH5Z97cW6XBQRlhFW7HFgEEHq1bhXCF -+sMUhfr1Wz+LHfVg4SasOS4fqX3Mlg== -=I4Mq ------END PGP SIGNATURE----- diff --git a/curl-7.65.3.tar.xz.asc b/curl-7.65.3.tar.xz.asc new file mode 100644 index 0000000..1671b07 --- /dev/null +++ b/curl-7.65.3.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl0xj7oACgkQXMkI/bce +EsKYbgf9G41o5x73tc+2TOGt2QmJ7ukyHmd5Vq7XTSNdNU5dJ41Z3qh9Jm72x62i +b4kJMjWyoL2j031ml5JevycpMpNa1v784UlPW2tzzL2B7v6vcA4xknJRLWlPlcTJ +HOgub6r7g/zhOpdAeJh8o4jkBLUyN+S/HOyHLWcvdWDnhqUAmpZfIqtd8kjqzDul +XAkdj7MxWqKZ3wXWwlpp4j81jpfOj7KCC/ZpxlJ0KfefgYEzV23O2hcJzw57jqTy +SQZc39uTQOjbZPlBXJD55QeVISCwe53pn55aWQll90XfE3XRapuYZdiL8wLwtl/L +tjugTKjfoy9qqOGH5YB/4kHqoSJqow== +=Itbi +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 5d5b096..a3f320a 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.65.2 +Version: 7.65.3 Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -346,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Sat Jul 20 2019 Paul Howarth - 7.65.3-1 +- new upstream release + * Wed Jul 17 2019 Kamil Dudka - 7.65.2-1 - new upstream release diff --git a/sources b/sources index 563e0f4..e0d70dd 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.65.2.tar.xz) = a411cf19c389301473d74b85d775e3ba0c7c2f6e74d7e0f8de47dace1a709bfba552c483c3faf94101f741a5478800284c475422844cedb6a7a070e2f78af263 +SHA512 (curl-7.65.3.tar.xz) = fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b From 22186831fb63c0aa5cf7d145919801c20cd96780 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 24 Jul 2019 21:21:56 +0000 Subject: [PATCH 064/256] - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index a3f320a..3828aff 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.65.3 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -346,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 24 2019 Fedora Release Engineering - 7.65.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Sat Jul 20 2019 Paul Howarth - 7.65.3-1 - new upstream release From 863394fd9543b71d6b01cfb325d20ddcf189b86e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 1 Aug 2019 16:31:27 +0200 Subject: [PATCH 065/256] improve handling of gss_init_sec_context() failures --- 0001-curl-7.65.3-negotiate-fails.patch | 166 +++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 174 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.65.3-negotiate-fails.patch diff --git a/0001-curl-7.65.3-negotiate-fails.patch b/0001-curl-7.65.3-negotiate-fails.patch new file mode 100644 index 0000000..9cfae77 --- /dev/null +++ b/0001-curl-7.65.3-negotiate-fails.patch @@ -0,0 +1,166 @@ +From 90f7ca7bec18b49bf2706430aa6493eda7d7a573 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 30 Jul 2019 12:59:35 +0200 +Subject: [PATCH] http_negotiate: improve handling of gss_init_sec_context() + failures + +If HTTPAUTH_GSSNEGOTIATE was used for a POST request and +gss_init_sec_context() failed, the POST request was sent +with empty body. This commit also restores the original +behavior of `curl --fail --negotiate`, which was changed +by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. + +Add regression tests 2077 and 2078 to cover this. + +Fixes #3992 +Closes #4171 + +Upstream-commit: 4c187043c5aac57f354ebb96cc6ff3263411e98d +Signed-off-by: Kamil Dudka +--- + lib/http_negotiate.c | 2 +- + tests/data/Makefile.inc | 3 ++- + tests/data/test2077 | 42 ++++++++++++++++++++++++++++++++ + tests/data/test2078 | 54 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 99 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test2077 + create mode 100644 tests/data/test2078 + +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index c8f406444..fe15dcefb 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -151,7 +151,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) + if(result == CURLE_LOGIN_DENIED) { + /* negotiate auth failed, let's continue unauthenticated to stay + * compatible with the behavior before curl-7_64_0-158-g6c6035532 */ +- conn->data->state.authproblem = TRUE; ++ authp->done = TRUE; + return CURLE_OK; + } + else if(result) +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 693e53d7c..3ed4a03e4 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -199,7 +199,8 @@ test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 \ + test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \ + test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \ + test2064 test2065 test2066 test2067 test2068 test2069 \ +- test2071 test2072 test2073 test2074 test2075 test2076 \ ++ test2071 test2072 test2073 test2074 test2075 test2076 test2077 \ ++test2078 \ + test2080 \ + test2100 \ + \ +diff --git a/tests/data/test2077 b/tests/data/test2077 +new file mode 100644 +index 000000000..0c600f5c3 +--- /dev/null ++++ b/tests/data/test2077 +@@ -0,0 +1,42 @@ ++ ++ ++ ++HTTP ++HTTP GET ++GSS-API ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK swsclose ++Content-Length: 23 ++ ++This IS the real page! ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++GSS-API ++ ++ ++curl --fail --negotiate to unauthenticated service fails ++ ++ ++http://%HOSTIP:%HTTPPORT/2077 -u : --fail --negotiate ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++0 ++ ++ ++ +diff --git a/tests/data/test2078 b/tests/data/test2078 +new file mode 100644 +index 000000000..99bc2dbee +--- /dev/null ++++ b/tests/data/test2078 +@@ -0,0 +1,54 @@ ++ ++ ++ ++HTTP ++HTTP GET ++GSS-API ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK swsclose ++Content-Length: 23 ++ ++This IS the real page! ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++GSS-API ++ ++ ++curl --negotiate should not send empty POST request only ++ ++ ++http://%HOSTIP:%HTTPPORT/2078 -u : --negotiate --data name=value ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++0 ++ ++ ++^User-Agent:.* ++ ++ ++POST /2078 HTTP/1.1 ++Host: 127.0.0.1:8990 ++Accept: */* ++Content-Length: 10 ++Content-Type: application/x-www-form-urlencoded ++ ++name=value ++ ++ ++ +-- +2.20.1 + diff --git a/curl.spec b/curl.spec index 3828aff..ad0b460 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.65.3 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# improve handling of gss_init_sec_context() failures +Patch1: 0001-curl-7.65.3-negotiate-fails.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -171,6 +174,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -346,6 +350,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Aug 01 2019 Kamil Dudka - 7.65.3-3 +- new upstream release + * Wed Jul 24 2019 Fedora Release Engineering - 7.65.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild From 8559ecc1d99f43ecedecf06c588afe20286680ce Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 1 Aug 2019 16:41:42 +0200 Subject: [PATCH 066/256] changelog: fix copy/paste error in the last entry --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index ad0b460..e6799f9 100644 --- a/curl.spec +++ b/curl.spec @@ -351,7 +351,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Aug 01 2019 Kamil Dudka - 7.65.3-3 -- new upstream release +- improve handling of gss_init_sec_context() failures * Wed Jul 24 2019 Fedora Release Engineering - 7.65.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild From 91c50ee6d4c7512577cf97fbdb6b8038bf8b6de3 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 27 Aug 2019 18:10:11 +0200 Subject: [PATCH 067/256] Resolves: #1690971 - avoid reporting spurious error in the HTTP2 framing layer --- 0002-curl-7.65.3-h2-framing-layer-error.patch | 37 +++++++++++++++++++ curl.spec | 9 ++++- 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.65.3-h2-framing-layer-error.patch diff --git a/0002-curl-7.65.3-h2-framing-layer-error.patch b/0002-curl-7.65.3-h2-framing-layer-error.patch new file mode 100644 index 0000000..24db142 --- /dev/null +++ b/0002-curl-7.65.3-h2-framing-layer-error.patch @@ -0,0 +1,37 @@ +From 98d59387c749256c2421b22dc3419b94d381986a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 26 Aug 2019 16:00:05 +0200 +Subject: [PATCH] http2: when marked for closure and wanted to close == OK + +It could otherwise return an error even when closed correctly if GOAWAY +had been received previously. + +Reported-by: Tom van der Woerdt +Fixes #4267 +Closes #4268 + +Upstream-commit: c1b6a384f9c8a91197c20adb49d43f30dc0e917d +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/http2.c b/lib/http2.c +index 930e85165..31d2d698a 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -1566,6 +1566,11 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex, + if(should_close_session(httpc)) { + H2BUGF(infof(data, + "http2_recv: nothing to do in this session\n")); ++ if(conn->bits.close) { ++ /* already marked for closure, return OK and we're done */ ++ *err = CURLE_OK; ++ return 0; ++ } + *err = CURLE_HTTP2; + return -1; + } +-- +2.20.1 + diff --git a/curl.spec b/curl.spec index e6799f9..54654c4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,16 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.65.3 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz # improve handling of gss_init_sec_context() failures Patch1: 0001-curl-7.65.3-negotiate-fails.patch +# avoid reporting spurious error in the HTTP2 framing layer (#1690971) +Patch2: 0002-curl-7.65.3-h2-framing-layer-error.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -175,6 +178,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -350,6 +354,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Aug 27 2019 Kamil Dudka - 7.65.3-4 +- avoid reporting spurious error in the HTTP2 framing layer (#1690971) + * Thu Aug 01 2019 Kamil Dudka - 7.65.3-3 - improve handling of gss_init_sec_context() failures From da9af162568dfb4338fd422cf398964fda75b72e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 Sep 2019 09:57:42 +0200 Subject: [PATCH 068/256] new upstream release - 7.66.0 Resolves: CVE-2019-5481 - double free due to subsequent call of realloc() Resolves: CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet() --- 0001-curl-7.65.3-negotiate-fails.patch | 166 ------------------ 0002-curl-7.65.3-h2-framing-layer-error.patch | 37 ---- 0102-curl-7.36.0-debug.patch | 2 +- curl-7.65.3.tar.xz.asc | 11 -- curl-7.66.0.tar.xz.asc | 11 ++ curl.spec | 17 +- sources | 2 +- 7 files changed, 20 insertions(+), 226 deletions(-) delete mode 100644 0001-curl-7.65.3-negotiate-fails.patch delete mode 100644 0002-curl-7.65.3-h2-framing-layer-error.patch delete mode 100644 curl-7.65.3.tar.xz.asc create mode 100644 curl-7.66.0.tar.xz.asc diff --git a/0001-curl-7.65.3-negotiate-fails.patch b/0001-curl-7.65.3-negotiate-fails.patch deleted file mode 100644 index 9cfae77..0000000 --- a/0001-curl-7.65.3-negotiate-fails.patch +++ /dev/null @@ -1,166 +0,0 @@ -From 90f7ca7bec18b49bf2706430aa6493eda7d7a573 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 30 Jul 2019 12:59:35 +0200 -Subject: [PATCH] http_negotiate: improve handling of gss_init_sec_context() - failures - -If HTTPAUTH_GSSNEGOTIATE was used for a POST request and -gss_init_sec_context() failed, the POST request was sent -with empty body. This commit also restores the original -behavior of `curl --fail --negotiate`, which was changed -by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. - -Add regression tests 2077 and 2078 to cover this. - -Fixes #3992 -Closes #4171 - -Upstream-commit: 4c187043c5aac57f354ebb96cc6ff3263411e98d -Signed-off-by: Kamil Dudka ---- - lib/http_negotiate.c | 2 +- - tests/data/Makefile.inc | 3 ++- - tests/data/test2077 | 42 ++++++++++++++++++++++++++++++++ - tests/data/test2078 | 54 +++++++++++++++++++++++++++++++++++++++++ - 4 files changed, 99 insertions(+), 2 deletions(-) - create mode 100644 tests/data/test2077 - create mode 100644 tests/data/test2078 - -diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c -index c8f406444..fe15dcefb 100644 ---- a/lib/http_negotiate.c -+++ b/lib/http_negotiate.c -@@ -151,7 +151,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) - if(result == CURLE_LOGIN_DENIED) { - /* negotiate auth failed, let's continue unauthenticated to stay - * compatible with the behavior before curl-7_64_0-158-g6c6035532 */ -- conn->data->state.authproblem = TRUE; -+ authp->done = TRUE; - return CURLE_OK; - } - else if(result) -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 693e53d7c..3ed4a03e4 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -199,7 +199,8 @@ test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 \ - test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \ - test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \ - test2064 test2065 test2066 test2067 test2068 test2069 \ -- test2071 test2072 test2073 test2074 test2075 test2076 \ -+ test2071 test2072 test2073 test2074 test2075 test2076 test2077 \ -+test2078 \ - test2080 \ - test2100 \ - \ -diff --git a/tests/data/test2077 b/tests/data/test2077 -new file mode 100644 -index 000000000..0c600f5c3 ---- /dev/null -+++ b/tests/data/test2077 -@@ -0,0 +1,42 @@ -+ -+ -+ -+HTTP -+HTTP GET -+GSS-API -+ -+ -+ -+# Server-side -+ -+ -+HTTP/1.1 200 OK swsclose -+Content-Length: 23 -+ -+This IS the real page! -+ -+ -+ -+# Client-side -+ -+ -+http -+ -+ -+GSS-API -+ -+ -+curl --fail --negotiate to unauthenticated service fails -+ -+ -+http://%HOSTIP:%HTTPPORT/2077 -u : --fail --negotiate -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+ -+0 -+ -+ -+ -diff --git a/tests/data/test2078 b/tests/data/test2078 -new file mode 100644 -index 000000000..99bc2dbee ---- /dev/null -+++ b/tests/data/test2078 -@@ -0,0 +1,54 @@ -+ -+ -+ -+HTTP -+HTTP GET -+GSS-API -+ -+ -+ -+# Server-side -+ -+ -+HTTP/1.1 200 OK swsclose -+Content-Length: 23 -+ -+This IS the real page! -+ -+ -+ -+# Client-side -+ -+ -+http -+ -+ -+GSS-API -+ -+ -+curl --negotiate should not send empty POST request only -+ -+ -+http://%HOSTIP:%HTTPPORT/2078 -u : --negotiate --data name=value -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+ -+0 -+ -+ -+^User-Agent:.* -+ -+ -+POST /2078 HTTP/1.1 -+Host: 127.0.0.1:8990 -+Accept: */* -+Content-Length: 10 -+Content-Type: application/x-www-form-urlencoded -+ -+name=value -+ -+ -+ --- -2.20.1 - diff --git a/0002-curl-7.65.3-h2-framing-layer-error.patch b/0002-curl-7.65.3-h2-framing-layer-error.patch deleted file mode 100644 index 24db142..0000000 --- a/0002-curl-7.65.3-h2-framing-layer-error.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 98d59387c749256c2421b22dc3419b94d381986a Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 26 Aug 2019 16:00:05 +0200 -Subject: [PATCH] http2: when marked for closure and wanted to close == OK - -It could otherwise return an error even when closed correctly if GOAWAY -had been received previously. - -Reported-by: Tom van der Woerdt -Fixes #4267 -Closes #4268 - -Upstream-commit: c1b6a384f9c8a91197c20adb49d43f30dc0e917d -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/lib/http2.c b/lib/http2.c -index 930e85165..31d2d698a 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -1566,6 +1566,11 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex, - if(should_close_session(httpc)) { - H2BUGF(infof(data, - "http2_recv: nothing to do in this session\n")); -+ if(conn->bits.close) { -+ /* already marked for closure, return OK and we're done */ -+ *err = CURLE_OK; -+ return 0; -+ } - *err = CURLE_HTTP2; - return -1; - } --- -2.20.1 - diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 4f7991b..affe9f0 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16288,18 +16288,11 @@ $as_echo "yes" >&6; } +@@ -16301,18 +16301,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/curl-7.65.3.tar.xz.asc b/curl-7.65.3.tar.xz.asc deleted file mode 100644 index 1671b07..0000000 --- a/curl-7.65.3.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl0xj7oACgkQXMkI/bce -EsKYbgf9G41o5x73tc+2TOGt2QmJ7ukyHmd5Vq7XTSNdNU5dJ41Z3qh9Jm72x62i -b4kJMjWyoL2j031ml5JevycpMpNa1v784UlPW2tzzL2B7v6vcA4xknJRLWlPlcTJ -HOgub6r7g/zhOpdAeJh8o4jkBLUyN+S/HOyHLWcvdWDnhqUAmpZfIqtd8kjqzDul -XAkdj7MxWqKZ3wXWwlpp4j81jpfOj7KCC/ZpxlJ0KfefgYEzV23O2hcJzw57jqTy -SQZc39uTQOjbZPlBXJD55QeVISCwe53pn55aWQll90XfE3XRapuYZdiL8wLwtl/L -tjugTKjfoy9qqOGH5YB/4kHqoSJqow== -=Itbi ------END PGP SIGNATURE----- diff --git a/curl-7.66.0.tar.xz.asc b/curl-7.66.0.tar.xz.asc new file mode 100644 index 0000000..83e8258 --- /dev/null +++ b/curl-7.66.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl14i4AACgkQXMkI/bce +EsJwgwf/WauX31s687pdOgpPE4ymPuxIrdVl+NovWdOBdQQfIA0c/4lu4onJYPAT +K6wq86me5y8fj/Q3ymqQ3H1EcJE2vTHPx/w+zEHNsEILtBMFHdm84CJzhdLlI1GC +9iBkjVKk/2s0tBOdC3HuskYLY2y02dHACvTvDJjx42nK4IbsdjoamVdMa7vep1TG +abmLRNHkOHKjioYWi0N04c5H5YDpdWOOjFY+EPO+m+YQuJlYkgw90nlmOaqiLcHL +3zGCMNXb209wxuNEVKenlhPQ/3FQZ9+8a4b6mMqBX7PDwhDiZLhqIJgVseWdw1r0 +Qm2suW4eUtlC2DTqTMtusG7EMN8pag== +=pFLb +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 54654c4..7d8f9f8 100644 --- a/curl.spec +++ b/curl.spec @@ -1,16 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.65.3 -Release: 4%{?dist} +Version: 7.66.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# improve handling of gss_init_sec_context() failures -Patch1: 0001-curl-7.65.3-negotiate-fails.patch - -# avoid reporting spurious error in the HTTP2 framing layer (#1690971) -Patch2: 0002-curl-7.65.3-h2-framing-layer-error.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -177,8 +171,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 # Fedora patches %patch101 -p1 @@ -354,6 +346,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 11 2019 Kamil Dudka - 7.66.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2019-5481 - double free due to subsequent call of realloc() + CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet() + * Tue Aug 27 2019 Kamil Dudka - 7.65.3-4 - avoid reporting spurious error in the HTTP2 framing layer (#1690971) diff --git a/sources b/sources index e0d70dd..aea53b9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.65.3.tar.xz) = fc4f041d3d6682378ce9eef2c6081e6ad83bb2502ea4c992c760266584c09e9ebca7c6d35958bd32a888702d9308cbce7aef69c431f97994107d7ff6b953941b +SHA512 (curl-7.66.0.tar.xz) = 81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 From e0bf66ef6c403a5f93199b6f5a29105f5e4c244f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 13 Sep 2019 10:18:05 +0200 Subject: [PATCH 069/256] fix memory leaked by parse_metalink() --- 0001-curl-7.66.0-metalink-memleak.patch | 71 +++++++++++++++++++++++++ curl.spec | 4 ++ 2 files changed, 75 insertions(+) create mode 100644 0001-curl-7.66.0-metalink-memleak.patch diff --git a/0001-curl-7.66.0-metalink-memleak.patch b/0001-curl-7.66.0-metalink-memleak.patch new file mode 100644 index 0000000..16c8ae2 --- /dev/null +++ b/0001-curl-7.66.0-metalink-memleak.patch @@ -0,0 +1,71 @@ +From 855ebacdffbc421b121563ae1ecd9fde736bfaf2 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 11 Sep 2019 16:32:11 +0200 +Subject: [PATCH] curl: fix memory leaked by parse_metalink() + +This commit fixes a regression introduced by curl-7_65_3-5-gb88940850. +Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind +and libmetalink enabled. + +Closes #4326 + +Upstream-commit: 1ca91bcdb588dc6c25d345f2411fdba314433732 +Signed-off-by: Kamil Dudka +--- + src/tool_metalink.c | 2 +- + src/tool_metalink.h | 3 +++ + src/tool_operate.c | 4 ++++ + 3 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/tool_metalink.c b/src/tool_metalink.c +index 0740407f9..cd5a7d650 100644 +--- a/src/tool_metalink.c ++++ b/src/tool_metalink.c +@@ -965,7 +965,7 @@ static void delete_metalink_resource(metalink_resource *res) + Curl_safefree(res); + } + +-static void delete_metalinkfile(metalinkfile *mlfile) ++void delete_metalinkfile(metalinkfile *mlfile) + { + metalink_resource *res; + if(mlfile == NULL) { +diff --git a/src/tool_metalink.h b/src/tool_metalink.h +index 1e367033c..f5ec306f7 100644 +--- a/src/tool_metalink.h ++++ b/src/tool_metalink.h +@@ -105,6 +105,8 @@ extern const digest_params SHA256_DIGEST_PARAMS[1]; + * Counts the resource in the metalinkfile. + */ + int count_next_metalink_resource(metalinkfile *mlfile); ++ ++void delete_metalinkfile(metalinkfile *mlfile); + void clean_metalink(struct OperationConfig *config); + + /* +@@ -158,6 +160,7 @@ void metalink_cleanup(void); + #else /* USE_METALINK */ + + #define count_next_metalink_resource(x) 0 ++#define delete_metalinkfile(x) (void)x + #define clean_metalink(x) (void)x + + /* metalink_cleanup() takes no arguments */ +diff --git a/src/tool_operate.c b/src/tool_operate.c +index d2ad9642d..09dfc0c84 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -2073,6 +2073,10 @@ static CURLcode serial_transfers(struct GlobalConfig *global, + result = post_transfer(global, share, per, result, &retry); + if(retry) + continue; ++ ++ /* Release metalink related resources here */ ++ delete_metalinkfile(per->mlfile); ++ + per = del_transfer(per); + + /* Bail out upon critical errors or --fail-early */ +-- +2.20.1 + diff --git a/curl.spec b/curl.spec index 7d8f9f8..62a4980 100644 --- a/curl.spec +++ b/curl.spec @@ -5,6 +5,9 @@ Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# fix memory leaked by parse_metalink() +Patch1: 0001-curl-7.66.0-metalink-memleak.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -171,6 +174,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 From c667b141d6e0fa277fba73dc393b474b2ae0eb0c Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 6 Nov 2019 09:21:14 +0100 Subject: [PATCH 070/256] new upstream release - 7.67.0 --- 0001-curl-7.66.0-metalink-memleak.patch | 71 ------------------------- 0102-curl-7.36.0-debug.patch | 2 +- 0103-curl-7.59.0-python3.patch | 25 +-------- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.66.0.tar.xz.asc | 11 ---- curl-7.67.0.tar.xz.asc | 11 ++++ curl.spec | 9 ++-- sources | 2 +- 8 files changed, 19 insertions(+), 114 deletions(-) delete mode 100644 0001-curl-7.66.0-metalink-memleak.patch delete mode 100644 curl-7.66.0.tar.xz.asc create mode 100644 curl-7.67.0.tar.xz.asc diff --git a/0001-curl-7.66.0-metalink-memleak.patch b/0001-curl-7.66.0-metalink-memleak.patch deleted file mode 100644 index 16c8ae2..0000000 --- a/0001-curl-7.66.0-metalink-memleak.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 855ebacdffbc421b121563ae1ecd9fde736bfaf2 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 11 Sep 2019 16:32:11 +0200 -Subject: [PATCH] curl: fix memory leaked by parse_metalink() - -This commit fixes a regression introduced by curl-7_65_3-5-gb88940850. -Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind -and libmetalink enabled. - -Closes #4326 - -Upstream-commit: 1ca91bcdb588dc6c25d345f2411fdba314433732 -Signed-off-by: Kamil Dudka ---- - src/tool_metalink.c | 2 +- - src/tool_metalink.h | 3 +++ - src/tool_operate.c | 4 ++++ - 3 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/tool_metalink.c b/src/tool_metalink.c -index 0740407f9..cd5a7d650 100644 ---- a/src/tool_metalink.c -+++ b/src/tool_metalink.c -@@ -965,7 +965,7 @@ static void delete_metalink_resource(metalink_resource *res) - Curl_safefree(res); - } - --static void delete_metalinkfile(metalinkfile *mlfile) -+void delete_metalinkfile(metalinkfile *mlfile) - { - metalink_resource *res; - if(mlfile == NULL) { -diff --git a/src/tool_metalink.h b/src/tool_metalink.h -index 1e367033c..f5ec306f7 100644 ---- a/src/tool_metalink.h -+++ b/src/tool_metalink.h -@@ -105,6 +105,8 @@ extern const digest_params SHA256_DIGEST_PARAMS[1]; - * Counts the resource in the metalinkfile. - */ - int count_next_metalink_resource(metalinkfile *mlfile); -+ -+void delete_metalinkfile(metalinkfile *mlfile); - void clean_metalink(struct OperationConfig *config); - - /* -@@ -158,6 +160,7 @@ void metalink_cleanup(void); - #else /* USE_METALINK */ - - #define count_next_metalink_resource(x) 0 -+#define delete_metalinkfile(x) (void)x - #define clean_metalink(x) (void)x - - /* metalink_cleanup() takes no arguments */ -diff --git a/src/tool_operate.c b/src/tool_operate.c -index d2ad9642d..09dfc0c84 100644 ---- a/src/tool_operate.c -+++ b/src/tool_operate.c -@@ -2073,6 +2073,10 @@ static CURLcode serial_transfers(struct GlobalConfig *global, - result = post_transfer(global, share, per, result, &retry); - if(retry) - continue; -+ -+ /* Release metalink related resources here */ -+ delete_metalinkfile(per->mlfile); -+ - per = del_transfer(per); - - /* Bail out upon critical errors or --fail-early */ --- -2.20.1 - diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index affe9f0..53022e1 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16301,18 +16301,11 @@ $as_echo "yes" >&6; } +@@ -16331,18 +16331,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0103-curl-7.59.0-python3.patch b/0103-curl-7.59.0-python3.patch index 56485fe..55bf4a9 100644 --- a/0103-curl-7.59.0-python3.patch +++ b/0103-curl-7.59.0-python3.patch @@ -9,8 +9,7 @@ there is no 'impacket' module available for Python 3: https://github.com/CoreSecurity/impacket/issues/61 --- tests/negtelnetserver.py | 4 ++-- - tests/smbserver.py | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) + 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py index 8cfd409..72ee771 100755 @@ -30,28 +29,6 @@ index 8cfd409..72ee771 100755 except IOError: log.exception("IOError hit during request") -diff --git a/tests/smbserver.py b/tests/smbserver.py -index 195ae39..b09cd44 100755 ---- a/tests/smbserver.py -+++ b/tests/smbserver.py -@@ -24,7 +24,7 @@ - from __future__ import (absolute_import, division, print_function) - # unicode_literals) - import argparse --import ConfigParser -+import configparser - import os - import sys - import logging -@@ -58,7 +58,7 @@ def smbserver(options): - f.write("{0}".format(pid)) - - # Here we write a mini config for the server -- smb_config = ConfigParser.ConfigParser() -+ smb_config = configparser.ConfigParser() - smb_config.add_section("global") - smb_config.set("global", "server_name", "SERVICE") - smb_config.set("global", "server_os", "UNIX") -- 2.14.3 diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 6d05c67..8121ee6 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -531,6 +531,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -534,6 +534,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.66.0.tar.xz.asc b/curl-7.66.0.tar.xz.asc deleted file mode 100644 index 83e8258..0000000 --- a/curl-7.66.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl14i4AACgkQXMkI/bce -EsJwgwf/WauX31s687pdOgpPE4ymPuxIrdVl+NovWdOBdQQfIA0c/4lu4onJYPAT -K6wq86me5y8fj/Q3ymqQ3H1EcJE2vTHPx/w+zEHNsEILtBMFHdm84CJzhdLlI1GC -9iBkjVKk/2s0tBOdC3HuskYLY2y02dHACvTvDJjx42nK4IbsdjoamVdMa7vep1TG -abmLRNHkOHKjioYWi0N04c5H5YDpdWOOjFY+EPO+m+YQuJlYkgw90nlmOaqiLcHL -3zGCMNXb209wxuNEVKenlhPQ/3FQZ9+8a4b6mMqBX7PDwhDiZLhqIJgVseWdw1r0 -Qm2suW4eUtlC2DTqTMtusG7EMN8pag== -=pFLb ------END PGP SIGNATURE----- diff --git a/curl-7.67.0.tar.xz.asc b/curl-7.67.0.tar.xz.asc new file mode 100644 index 0000000..e44cfc6 --- /dev/null +++ b/curl-7.67.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl3CauAACgkQXMkI/bce +EsKe7Qf+Py/Wufz3AqqpJ1Xr0oigaV1Sa5AAyRD+KX8jwSJTRaRahaECGMhmR9vh +kBaMFtycctCKcK1masI9GSeTX5nCtmaWzELLsBXynm/l2W+hrW1AD2R++YuM384t +O078GxgsgRH0m8MacSKoV5yPOv/h9URnVMTavkAIfnW50vw17akDZ9MW2NhJzKpP +s6GgWTMB5gomTHlnlHjTjtNoVbKKrV4v9YyRwqzI3XHXYtYOA7iufP4wnT+dpSm5 +ZLdbg5Nq+1pCTEiMg3KZKYNriypoLJuWuSF+bKc54CGN63eoUxXgU6js9ViHS5JS +3dPfzzRA8wgROem58QhHnrR9c2CmdQ== +=5gov +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 62a4980..9d85067 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.66.0 +Version: 7.67.0 Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# fix memory leaked by parse_metalink() -Patch1: 0001-curl-7.66.0-metalink-memleak.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -174,7 +171,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -350,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Nov 06 2019 Kamil Dudka - 7.67.1-1 +- new upstream release + * Wed Sep 11 2019 Kamil Dudka - 7.66.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2019-5481 - double free due to subsequent call of realloc() diff --git a/sources b/sources index aea53b9..16e8545 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.66.0.tar.xz) = 81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 +SHA512 (curl-7.67.0.tar.xz) = 1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29 From 2298078d54ad9124a2eee9c01f62a43b8a633866 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 14 Nov 2019 13:57:06 +0100 Subject: [PATCH 071/256] Resolves: #1771025 - fix infinite loop on upload using a glob --- 0001-curl-7.67.0-upload-glob.patch | 316 +++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 324 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.67.0-upload-glob.patch diff --git a/0001-curl-7.67.0-upload-glob.patch b/0001-curl-7.67.0-upload-glob.patch new file mode 100644 index 0000000..257eb22 --- /dev/null +++ b/0001-curl-7.67.0-upload-glob.patch @@ -0,0 +1,316 @@ +From 37a36231c5e34ae31b1968481fad2e8d76613fbd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 13 Nov 2019 11:33:29 +0100 +Subject: [PATCH] curl: fix -T globbing + +Regression from e59371a4936f8 (7.67.0) + +Added test 490, 491 and 492 to verify the functionality. + +Reported-by: Kamil Dudka +Reported-by: Anderson Sasaki + +Fixes #4588 +Closes #4591 + +Upstream-commit: 7a46aeb0be3fa00826b0c47a8bc06eddff448659 +Signed-off-by: Kamil Dudka +--- + src/tool_operate.c | 15 ++++--- + tests/data/Makefile.inc | 2 + + tests/data/test490 | 68 +++++++++++++++++++++++++++++++ + tests/data/test491 | 64 +++++++++++++++++++++++++++++ + tests/data/test492 | 89 +++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 232 insertions(+), 6 deletions(-) + create mode 100644 tests/data/test490 + create mode 100644 tests/data/test491 + create mode 100644 tests/data/test492 + +diff --git a/src/tool_operate.c b/src/tool_operate.c +index 3087d2d..4ecb1ed 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -829,12 +829,6 @@ static CURLcode single_transfer(struct GlobalConfig *global, + separator = ((!state->outfiles || + !strcmp(state->outfiles, "-")) && urlnum > 1); + +- /* Here's looping around each globbed URL */ +- +- if(state->li >= urlnum) { +- state->li = 0; +- state->up++; +- } + if(state->up < state->infilenum) { + struct per_transfer *per; + struct OutStruct *outs; +@@ -1908,6 +1902,15 @@ static CURLcode single_transfer(struct GlobalConfig *global, + per->retrystart = tvnow(); + + state->li++; ++ /* Here's looping around each globbed URL */ ++ if(state->li >= urlnum) { ++ state->li = 0; ++ state->urlnum = 0; /* forced reglob of URLs */ ++ glob_cleanup(state->urls); ++ state->urls = NULL; ++ state->up++; ++ Curl_safefree(state->uploadfile); /* clear it to get the next */ ++ } + } + else { + /* Free this URL node data without destroying the +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 557f928..212900e 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -66,6 +66,8 @@ test393 test394 test395 \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ + test409 \ + \ ++test490 test491 test492 \ ++\ + test500 test501 test502 test503 test504 test505 test506 test507 test508 \ + test509 test510 test511 test512 test513 test514 test515 test516 test517 \ + test518 test519 test520 test521 test522 test523 test524 test525 test526 \ +diff --git a/tests/data/test490 b/tests/data/test490 +new file mode 100644 +index 0000000..a3383a9 +--- /dev/null ++++ b/tests/data/test490 +@@ -0,0 +1,68 @@ ++ ++ ++ ++HTTP ++HTTP PUT ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Two globbed HTTP PUTs ++ ++ ++http://%HOSTIP:%HTTPPORT/490 -T '{log/in490,log/in490}' ++ ++ ++surprise! ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++PUT /490 HTTP/1.1 ++Host: 127.0.0.1:8990 ++Accept: */* ++Content-Length: 10 ++Expect: 100-continue ++ ++surprise! ++PUT /490 HTTP/1.1 ++Host: 127.0.0.1:8990 ++Accept: */* ++Content-Length: 10 ++Expect: 100-continue ++ ++surprise! ++ ++ ++ +diff --git a/tests/data/test491 b/tests/data/test491 +new file mode 100644 +index 0000000..b49c06c +--- /dev/null ++++ b/tests/data/test491 +@@ -0,0 +1,64 @@ ++ ++ ++ ++HTTP ++HTTP PUT ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Two globbed HTTP PUTs, the second upload file is missing ++ ++ ++http://%HOSTIP:%HTTPPORT/491 -T '{log/in491,log/bad491}' ++ ++ ++surprise! ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++PUT /491 HTTP/1.1 ++Host: 127.0.0.1:8990 ++Accept: */* ++Content-Length: 10 ++Expect: 100-continue ++ ++surprise! ++ ++ ++26 ++ ++ ++ +diff --git a/tests/data/test492 b/tests/data/test492 +new file mode 100644 +index 0000000..12edd8b +--- /dev/null ++++ b/tests/data/test492 +@@ -0,0 +1,89 @@ ++ ++ ++ ++HTTP ++HTTP PUT ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Two globbed HTTP PUTs to two globbed URLs ++ ++ ++'http://%HOSTIP:%HTTPPORT/{one,two}/' -T '{log/first492,log/second492}' -H "Testno: 492" ++ ++ ++first 492 contents ++ ++ ++second 492 contents ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++PUT /one/first492 HTTP/1.1 ++Host: 127.0.0.1:8990 ++Accept: */* ++Testno: 492 ++Content-Length: 19 ++Expect: 100-continue ++ ++first 492 contents ++PUT /two/first492 HTTP/1.1 ++Host: 127.0.0.1:8990 ++Accept: */* ++Testno: 492 ++Content-Length: 19 ++Expect: 100-continue ++ ++first 492 contents ++PUT /one/second492 HTTP/1.1 ++Host: 127.0.0.1:8990 ++Accept: */* ++Testno: 492 ++Content-Length: 20 ++Expect: 100-continue ++ ++second 492 contents ++PUT /two/second492 HTTP/1.1 ++Host: 127.0.0.1:8990 ++Accept: */* ++Testno: 492 ++Content-Length: 20 ++Expect: 100-continue ++ ++second 492 contents ++ ++ ++ +-- +2.20.1 + diff --git a/curl.spec b/curl.spec index 9d85067..9266e40 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.67.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# fix infinite loop on upload using a glob (#1771025) +Patch1: 0001-curl-7.67.0-upload-glob.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -171,6 +174,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -346,6 +350,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 28 2019 Kamil Dudka - 7.67.1-2 +- fix infinite loop on upload using a glob (#1771025) + * Wed Nov 06 2019 Kamil Dudka - 7.67.1-1 - new upstream release From eeb37e29bdb6c563bbe9559420ad4d95193dd6e6 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 14 Nov 2019 16:25:25 +0100 Subject: [PATCH 072/256] Related: #1771025 - fix date in the last change log entry --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 9266e40..4ca9d0d 100644 --- a/curl.spec +++ b/curl.spec @@ -350,7 +350,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Thu Nov 28 2019 Kamil Dudka - 7.67.1-2 +* Thu Nov 14 2019 Kamil Dudka - 7.67.1-2 - fix infinite loop on upload using a glob (#1771025) * Wed Nov 06 2019 Kamil Dudka - 7.67.1-1 From d1233ad4cd39ea577a23ac966607d0ca04726b13 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 15 Nov 2019 10:37:39 +0100 Subject: [PATCH 073/256] do not run test-suite through valgrind on i686 brew builds The architecture is being decommissioned in Fedora, which makes it difficult to debug valgrind failures (usually not related to curl anyway). --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 4ca9d0d..85901fe 100644 --- a/curl.spec +++ b/curl.spec @@ -83,7 +83,7 @@ BuildRequires: perl(vars) # to be less reliable, in order to avoid unnecessary build failures (see RHBZ # #810992, #816175, and #886891). Nevertheless developers are free to install # valgrind manually to improve test coverage on any architecture. -%ifarch x86_64 %{ix86} +%ifarch x86_64 BuildRequires: valgrind %endif From 13f70ceee2ecaf605d8e4fa3bd3674480a16a261 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 8 Jan 2020 09:46:20 +0100 Subject: [PATCH 074/256] fix upstream release number in last two change log items --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 85901fe..3c38b8f 100644 --- a/curl.spec +++ b/curl.spec @@ -350,10 +350,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Thu Nov 14 2019 Kamil Dudka - 7.67.1-2 +* Thu Nov 14 2019 Kamil Dudka - 7.67.0-2 - fix infinite loop on upload using a glob (#1771025) -* Wed Nov 06 2019 Kamil Dudka - 7.67.1-1 +* Wed Nov 06 2019 Kamil Dudka - 7.67.0-1 - new upstream release * Wed Sep 11 2019 Kamil Dudka - 7.66.0-1 From dfb411a0a2e97508bf2228085e09ea904f711f66 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 8 Jan 2020 09:45:26 +0100 Subject: [PATCH 075/256] new upstream release - 7.68.0 --- 0001-curl-7.67.0-upload-glob.patch | 316 ------------------------ 0102-curl-7.36.0-debug.patch | 2 +- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.67.0.tar.xz.asc | 11 - curl-7.68.0.tar.xz.asc | 11 + curl.spec | 11 +- sources | 2 +- 7 files changed, 19 insertions(+), 336 deletions(-) delete mode 100644 0001-curl-7.67.0-upload-glob.patch delete mode 100644 curl-7.67.0.tar.xz.asc create mode 100644 curl-7.68.0.tar.xz.asc diff --git a/0001-curl-7.67.0-upload-glob.patch b/0001-curl-7.67.0-upload-glob.patch deleted file mode 100644 index 257eb22..0000000 --- a/0001-curl-7.67.0-upload-glob.patch +++ /dev/null @@ -1,316 +0,0 @@ -From 37a36231c5e34ae31b1968481fad2e8d76613fbd Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 13 Nov 2019 11:33:29 +0100 -Subject: [PATCH] curl: fix -T globbing - -Regression from e59371a4936f8 (7.67.0) - -Added test 490, 491 and 492 to verify the functionality. - -Reported-by: Kamil Dudka -Reported-by: Anderson Sasaki - -Fixes #4588 -Closes #4591 - -Upstream-commit: 7a46aeb0be3fa00826b0c47a8bc06eddff448659 -Signed-off-by: Kamil Dudka ---- - src/tool_operate.c | 15 ++++--- - tests/data/Makefile.inc | 2 + - tests/data/test490 | 68 +++++++++++++++++++++++++++++++ - tests/data/test491 | 64 +++++++++++++++++++++++++++++ - tests/data/test492 | 89 +++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 232 insertions(+), 6 deletions(-) - create mode 100644 tests/data/test490 - create mode 100644 tests/data/test491 - create mode 100644 tests/data/test492 - -diff --git a/src/tool_operate.c b/src/tool_operate.c -index 3087d2d..4ecb1ed 100644 ---- a/src/tool_operate.c -+++ b/src/tool_operate.c -@@ -829,12 +829,6 @@ static CURLcode single_transfer(struct GlobalConfig *global, - separator = ((!state->outfiles || - !strcmp(state->outfiles, "-")) && urlnum > 1); - -- /* Here's looping around each globbed URL */ -- -- if(state->li >= urlnum) { -- state->li = 0; -- state->up++; -- } - if(state->up < state->infilenum) { - struct per_transfer *per; - struct OutStruct *outs; -@@ -1908,6 +1902,15 @@ static CURLcode single_transfer(struct GlobalConfig *global, - per->retrystart = tvnow(); - - state->li++; -+ /* Here's looping around each globbed URL */ -+ if(state->li >= urlnum) { -+ state->li = 0; -+ state->urlnum = 0; /* forced reglob of URLs */ -+ glob_cleanup(state->urls); -+ state->urls = NULL; -+ state->up++; -+ Curl_safefree(state->uploadfile); /* clear it to get the next */ -+ } - } - else { - /* Free this URL node data without destroying the -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 557f928..212900e 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -66,6 +66,8 @@ test393 test394 test395 \ - test400 test401 test402 test403 test404 test405 test406 test407 test408 \ - test409 \ - \ -+test490 test491 test492 \ -+\ - test500 test501 test502 test503 test504 test505 test506 test507 test508 \ - test509 test510 test511 test512 test513 test514 test515 test516 test517 \ - test518 test519 test520 test521 test522 test523 test524 test525 test526 \ -diff --git a/tests/data/test490 b/tests/data/test490 -new file mode 100644 -index 0000000..a3383a9 ---- /dev/null -+++ b/tests/data/test490 -@@ -0,0 +1,68 @@ -+ -+ -+ -+HTTP -+HTTP PUT -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Date: Thu, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+-foo- -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+Two globbed HTTP PUTs -+ -+ -+http://%HOSTIP:%HTTPPORT/490 -T '{log/in490,log/in490}' -+ -+ -+surprise! -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+^User-Agent:.* -+ -+ -+PUT /490 HTTP/1.1 -+Host: 127.0.0.1:8990 -+Accept: */* -+Content-Length: 10 -+Expect: 100-continue -+ -+surprise! -+PUT /490 HTTP/1.1 -+Host: 127.0.0.1:8990 -+Accept: */* -+Content-Length: 10 -+Expect: 100-continue -+ -+surprise! -+ -+ -+ -diff --git a/tests/data/test491 b/tests/data/test491 -new file mode 100644 -index 0000000..b49c06c ---- /dev/null -+++ b/tests/data/test491 -@@ -0,0 +1,64 @@ -+ -+ -+ -+HTTP -+HTTP PUT -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Date: Thu, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+-foo- -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+Two globbed HTTP PUTs, the second upload file is missing -+ -+ -+http://%HOSTIP:%HTTPPORT/491 -T '{log/in491,log/bad491}' -+ -+ -+surprise! -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+^User-Agent:.* -+ -+ -+PUT /491 HTTP/1.1 -+Host: 127.0.0.1:8990 -+Accept: */* -+Content-Length: 10 -+Expect: 100-continue -+ -+surprise! -+ -+ -+26 -+ -+ -+ -diff --git a/tests/data/test492 b/tests/data/test492 -new file mode 100644 -index 0000000..12edd8b ---- /dev/null -+++ b/tests/data/test492 -@@ -0,0 +1,89 @@ -+ -+ -+ -+HTTP -+HTTP PUT -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Date: Thu, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+-foo- -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+Two globbed HTTP PUTs to two globbed URLs -+ -+ -+'http://%HOSTIP:%HTTPPORT/{one,two}/' -T '{log/first492,log/second492}' -H "Testno: 492" -+ -+ -+first 492 contents -+ -+ -+second 492 contents -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+^User-Agent:.* -+ -+ -+PUT /one/first492 HTTP/1.1 -+Host: 127.0.0.1:8990 -+Accept: */* -+Testno: 492 -+Content-Length: 19 -+Expect: 100-continue -+ -+first 492 contents -+PUT /two/first492 HTTP/1.1 -+Host: 127.0.0.1:8990 -+Accept: */* -+Testno: 492 -+Content-Length: 19 -+Expect: 100-continue -+ -+first 492 contents -+PUT /one/second492 HTTP/1.1 -+Host: 127.0.0.1:8990 -+Accept: */* -+Testno: 492 -+Content-Length: 20 -+Expect: 100-continue -+ -+second 492 contents -+PUT /two/second492 HTTP/1.1 -+Host: 127.0.0.1:8990 -+Accept: */* -+Testno: 492 -+Content-Length: 20 -+Expect: 100-continue -+ -+second 492 contents -+ -+ -+ --- -2.20.1 - diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 53022e1..c227258 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16331,18 +16331,11 @@ $as_echo "yes" >&6; } +@@ -16336,18 +16336,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 8121ee6..d37d283 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -33,7 +33,7 @@ index 080421b..ea3b806 100644 +lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp lib1560_LDADD = $(TESTUTIL_LIBS) - lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) -- 2.17.2 diff --git a/curl-7.67.0.tar.xz.asc b/curl-7.67.0.tar.xz.asc deleted file mode 100644 index e44cfc6..0000000 --- a/curl-7.67.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl3CauAACgkQXMkI/bce -EsKe7Qf+Py/Wufz3AqqpJ1Xr0oigaV1Sa5AAyRD+KX8jwSJTRaRahaECGMhmR9vh -kBaMFtycctCKcK1masI9GSeTX5nCtmaWzELLsBXynm/l2W+hrW1AD2R++YuM384t -O078GxgsgRH0m8MacSKoV5yPOv/h9URnVMTavkAIfnW50vw17akDZ9MW2NhJzKpP -s6GgWTMB5gomTHlnlHjTjtNoVbKKrV4v9YyRwqzI3XHXYtYOA7iufP4wnT+dpSm5 -ZLdbg5Nq+1pCTEiMg3KZKYNriypoLJuWuSF+bKc54CGN63eoUxXgU6js9ViHS5JS -3dPfzzRA8wgROem58QhHnrR9c2CmdQ== -=5gov ------END PGP SIGNATURE----- diff --git a/curl-7.68.0.tar.xz.asc b/curl-7.68.0.tar.xz.asc new file mode 100644 index 0000000..1aee04b --- /dev/null +++ b/curl-7.68.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl4Vd+gACgkQXMkI/bce +EsILUwf/YMvltTP+zlsldTRctrfC7FIZkjjj+pYylejKVajl84NZ+JnrH7o/zRyx +blZ+D6b8CYW/3It+IPxtGPvUXW0rhmBU4ClT39mXfZBV19+WhCX7rIi3Y/ylTQ0Y +rCfKNmiw+51u0Mug6cgsV+OAjDyLSsCu/VpWY7wyBBCHwZxYHshcdxbMvps0FBhO +odCmP7wtXfDKxXiycGzgRxoKQ2Xd4EmBxICecPOvPnVmrCJdANjyrPQHsY8FYPG9 +piZ+bwxKCtZLfA6jsYKGelEh8KUew5eTBoSYCz7oXsPFeCmKVaRIPHYxe+RKlG9C +IklQkFVg3FqWvtGU2eXOALyxrZnRUQ== +=XyDf +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 3c38b8f..256bf4a 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.67.0 -Release: 2%{?dist} +Version: 7.68.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# fix infinite loop on upload using a glob (#1771025) -Patch1: 0001-curl-7.67.0-upload-glob.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -174,7 +171,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -350,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jan 08 2020 Kamil Dudka - 7.68.0-1 +- new upstream release + * Thu Nov 14 2019 Kamil Dudka - 7.67.0-2 - fix infinite loop on upload using a glob (#1771025) diff --git a/sources b/sources index 16e8545..f923f78 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.67.0.tar.xz) = 1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29 +SHA512 (curl-7.68.0.tar.xz) = bf365609c9a66a05b3a263d02bcd3f81f905570c5739c8ec522a296b4b8e2a479d64d5524e8345e14eafad28995ee22d923522f1a45fa40eb46db38759c2eb2c From 83181bd6d31f4b9d070588741471f6fc4e0ae42d Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 28 Jan 2020 15:11:40 +0000 Subject: [PATCH 076/256] - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 256bf4a..c5b13af 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.68.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -346,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Jan 28 2020 Fedora Release Engineering - 7.68.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Wed Jan 08 2020 Kamil Dudka - 7.68.0-1 - new upstream release From 249d0aea514d8c09b6acbcb55074b50a2e1973f1 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 4 Mar 2020 11:39:00 +0100 Subject: [PATCH 077/256] new upstream release - 7.69.0 --- 0102-curl-7.36.0-debug.patch | 2 +- curl-7.68.0.tar.xz.asc | 11 ----------- curl-7.69.0.tar.xz.asc | 11 +++++++++++ curl.spec | 7 +++++-- sources | 2 +- 5 files changed, 18 insertions(+), 15 deletions(-) delete mode 100644 curl-7.68.0.tar.xz.asc create mode 100644 curl-7.69.0.tar.xz.asc diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index c227258..e9b3848 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16336,18 +16336,11 @@ $as_echo "yes" >&6; } +@@ -16343,18 +16343,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/curl-7.68.0.tar.xz.asc b/curl-7.68.0.tar.xz.asc deleted file mode 100644 index 1aee04b..0000000 --- a/curl-7.68.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl4Vd+gACgkQXMkI/bce -EsILUwf/YMvltTP+zlsldTRctrfC7FIZkjjj+pYylejKVajl84NZ+JnrH7o/zRyx -blZ+D6b8CYW/3It+IPxtGPvUXW0rhmBU4ClT39mXfZBV19+WhCX7rIi3Y/ylTQ0Y -rCfKNmiw+51u0Mug6cgsV+OAjDyLSsCu/VpWY7wyBBCHwZxYHshcdxbMvps0FBhO -odCmP7wtXfDKxXiycGzgRxoKQ2Xd4EmBxICecPOvPnVmrCJdANjyrPQHsY8FYPG9 -piZ+bwxKCtZLfA6jsYKGelEh8KUew5eTBoSYCz7oXsPFeCmKVaRIPHYxe+RKlG9C -IklQkFVg3FqWvtGU2eXOALyxrZnRUQ== -=XyDf ------END PGP SIGNATURE----- diff --git a/curl-7.69.0.tar.xz.asc b/curl-7.69.0.tar.xz.asc new file mode 100644 index 0000000..dffe2da --- /dev/null +++ b/curl-7.69.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl5fTaIACgkQXMkI/bce +EsIyaAf8DEjmWf+UpZDBjyirl6PuNfxpgZGm8Qw5eWBKD1rdQuMjZ3xJLauAR34G +fYvsj8cYotUaIPHw4jWcvn6m/M5KFII6XWANcasn7edbg47BcXS6xadNkUnqcJnF +0U9YbghGXaj0CwaNjqP4Gv23oG2nuYyWhUzI4wD8cRcO3oE/5Wksfwhwq5DrnpuQ +CLlgP8o9qMgfrds87WK4Gb+AFHW4jkCAT2wnJBvtEfK97pG1E9y7S8l5oZ7H8hTe +Vm3UgM8Stk13yPCCN3nOaTdPKk5nA6co7VWW5TbjJPQ+6mT+eD6SY/+k5yJ+A11X +zaXOa3fXEJiRX3nfAR47iThh2Pj8wA== +=baDZ +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index c5b13af..dacb502 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.68.0 -Release: 2%{?dist} +Version: 7.69.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -346,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 04 2020 Kamil Dudka - 7.69.0-1 +- new upstream release + * Tue Jan 28 2020 Fedora Release Engineering - 7.68.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/sources b/sources index f923f78..63cb9a9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.68.0.tar.xz) = bf365609c9a66a05b3a263d02bcd3f81f905570c5739c8ec522a296b4b8e2a479d64d5524e8345e14eafad28995ee22d923522f1a45fa40eb46db38759c2eb2c +SHA512 (curl-7.69.0.tar.xz) = 8c151201b09c51cc1437c2f6345036fce88ea5402cd1fd62b76c093e294b87d0c1f61e1dcf6f799f508d8dcfe381589a3815001a8c8bbc085aed0fdca6f2536d From fbcad9a3a0d50831db86e64633da4c9ba983650c Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 9 Mar 2020 09:53:54 +0100 Subject: [PATCH 078/256] Resolves: #1810989 - make Flatpak work again --- 0001-curl-7.69.0-flatpak.patch | 58 ++++++++++++++++++++++++++++++++++ curl.spec | 9 +++++- 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.69.0-flatpak.patch diff --git a/0001-curl-7.69.0-flatpak.patch b/0001-curl-7.69.0-flatpak.patch new file mode 100644 index 0000000..0268258 --- /dev/null +++ b/0001-curl-7.69.0-flatpak.patch @@ -0,0 +1,58 @@ +From 2c706c44b98998fa619ddc63b2c14955b0f50692 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 5 Mar 2020 23:45:36 +0100 +Subject: [PATCH] Revert "pause: force-drain the transfer on unpause" + +This reverts commit fa0216b294af4c7113a9040ca65eefc7fc18ac1c (from #5000) + +Clearly that didn't solve the problem correctly. + +Reported-by: Christopher Reid +Reopens #4966 +Fixes #5044 + +Upstream-commit: 8aa04e9a24932b830bc5eaf6838dea5a3329341e +Signed-off-by: Kamil Dudka +--- + lib/easy.c | 1 - + lib/transfer.c | 5 ++--- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/lib/easy.c b/lib/easy.c +index 1a69127..4546210 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -1033,7 +1033,6 @@ CURLcode curl_easy_pause(struct Curl_easy *data, int action) + to have this handle checked soon */ + if((newstate & (KEEP_RECV_PAUSE|KEEP_SEND_PAUSE)) != + (KEEP_RECV_PAUSE|KEEP_SEND_PAUSE)) { +- data->state.drain++; + Curl_expire(data, 0, EXPIRE_RUN_NOW); /* get this handle going again */ + if(data->multi) + Curl_update_timer(data->multi); +diff --git a/lib/transfer.c b/lib/transfer.c +index 8270761..ead8b36 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -1217,8 +1217,7 @@ CURLcode Curl_readwrite(struct connectdata *conn, + else + fd_write = CURL_SOCKET_BAD; + +- if(data->state.drain) { +- data->state.drain--; ++ if(conn->data->state.drain) { + select_res |= CURL_CSELECT_IN; + DEBUGF(infof(data, "Curl_readwrite: forcibly told to drain data\n")); + } +-- +2.21.1 + diff --git a/curl.spec b/curl.spec index dacb502..67e623c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.69.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# make Flatpak work again (#1810989) +Patch1: 0001-curl-7.69.0-flatpak.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -171,6 +174,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -346,6 +350,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Mar 09 2020 Kamil Dudka - 7.69.0-2 +- make Flatpak work again (#1810989) + * Wed Mar 04 2020 Kamil Dudka - 7.69.0-1 - new upstream release From ac5c236f18be0a8a6ad3b5ee6a72039f68b7eaab Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 Mar 2020 10:21:27 +0100 Subject: [PATCH 079/256] new upstream release - 7.69.1 --- 0001-curl-7.69.0-flatpak.patch | 58 ------------------------- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.69.0.tar.xz.asc | 11 ----- curl-7.69.1.tar.xz.asc | 11 +++++ curl.spec | 11 +++-- sources | 2 +- 6 files changed, 18 insertions(+), 77 deletions(-) delete mode 100644 0001-curl-7.69.0-flatpak.patch delete mode 100644 curl-7.69.0.tar.xz.asc create mode 100644 curl-7.69.1.tar.xz.asc diff --git a/0001-curl-7.69.0-flatpak.patch b/0001-curl-7.69.0-flatpak.patch deleted file mode 100644 index 0268258..0000000 --- a/0001-curl-7.69.0-flatpak.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 2c706c44b98998fa619ddc63b2c14955b0f50692 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 5 Mar 2020 23:45:36 +0100 -Subject: [PATCH] Revert "pause: force-drain the transfer on unpause" - -This reverts commit fa0216b294af4c7113a9040ca65eefc7fc18ac1c (from #5000) - -Clearly that didn't solve the problem correctly. - -Reported-by: Christopher Reid -Reopens #4966 -Fixes #5044 - -Upstream-commit: 8aa04e9a24932b830bc5eaf6838dea5a3329341e -Signed-off-by: Kamil Dudka ---- - lib/easy.c | 1 - - lib/transfer.c | 5 ++--- - 2 files changed, 2 insertions(+), 4 deletions(-) - -diff --git a/lib/easy.c b/lib/easy.c -index 1a69127..4546210 100644 ---- a/lib/easy.c -+++ b/lib/easy.c -@@ -1033,7 +1033,6 @@ CURLcode curl_easy_pause(struct Curl_easy *data, int action) - to have this handle checked soon */ - if((newstate & (KEEP_RECV_PAUSE|KEEP_SEND_PAUSE)) != - (KEEP_RECV_PAUSE|KEEP_SEND_PAUSE)) { -- data->state.drain++; - Curl_expire(data, 0, EXPIRE_RUN_NOW); /* get this handle going again */ - if(data->multi) - Curl_update_timer(data->multi); -diff --git a/lib/transfer.c b/lib/transfer.c -index 8270761..ead8b36 100644 ---- a/lib/transfer.c -+++ b/lib/transfer.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -1217,8 +1217,7 @@ CURLcode Curl_readwrite(struct connectdata *conn, - else - fd_write = CURL_SOCKET_BAD; - -- if(data->state.drain) { -- data->state.drain--; -+ if(conn->data->state.drain) { - select_res |= CURL_CSELECT_IN; - DEBUGF(infof(data, "Curl_readwrite: forcibly told to drain data\n")); - } --- -2.21.1 - diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index d37d283..49a3bdd 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -534,6 +534,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -562,6 +562,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.69.0.tar.xz.asc b/curl-7.69.0.tar.xz.asc deleted file mode 100644 index dffe2da..0000000 --- a/curl-7.69.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl5fTaIACgkQXMkI/bce -EsIyaAf8DEjmWf+UpZDBjyirl6PuNfxpgZGm8Qw5eWBKD1rdQuMjZ3xJLauAR34G -fYvsj8cYotUaIPHw4jWcvn6m/M5KFII6XWANcasn7edbg47BcXS6xadNkUnqcJnF -0U9YbghGXaj0CwaNjqP4Gv23oG2nuYyWhUzI4wD8cRcO3oE/5Wksfwhwq5DrnpuQ -CLlgP8o9qMgfrds87WK4Gb+AFHW4jkCAT2wnJBvtEfK97pG1E9y7S8l5oZ7H8hTe -Vm3UgM8Stk13yPCCN3nOaTdPKk5nA6co7VWW5TbjJPQ+6mT+eD6SY/+k5yJ+A11X -zaXOa3fXEJiRX3nfAR47iThh2Pj8wA== -=baDZ ------END PGP SIGNATURE----- diff --git a/curl-7.69.1.tar.xz.asc b/curl-7.69.1.tar.xz.asc new file mode 100644 index 0000000..7607e60 --- /dev/null +++ b/curl-7.69.1.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl5oh44ACgkQXMkI/bce +EsL/5QgAlK2oYZTG3OQziHD8RtvjcRZyVfSPgH+UCEe12o+pqrWncWG5kVbFPjoX +USq8EEmRLaTdPPVY+lLZjrll0LgAHa5fyOYV5IFeKHHlRtGUsurMx+IW7NXg1kWn +lZXV/xzcogVeaqTZtJS1QQeyBxV55BEzwbO7WI7U3dQHKspE2724IqaGwHAj7BaL +K3hmHpBHuuGNpP5wsmnA0GXVLYSfqTJhc2itcupG8ZveNeEjCXPoRxGq/aewqUCH +UoT0tLu/LJ/D4FW1zGYdQXkli4MHKzTP9l2Tp/6ounEc+WpEirIRJLWRE8Wn/bmH +JjmSkls5sMCsmLl5DNoSUEw4Jco0oQ== +=+Rw4 +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 67e623c..15a1a8b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.69.0 -Release: 2%{?dist} +Version: 7.69.1 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# make Flatpak work again (#1810989) -Patch1: 0001-curl-7.69.0-flatpak.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -174,7 +171,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -350,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 11 2020 Kamil Dudka - 7.69.1-1 +- new upstream release + * Mon Mar 09 2020 Kamil Dudka - 7.69.0-2 - make Flatpak work again (#1810989) diff --git a/sources b/sources index 63cb9a9..af5828c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.69.0.tar.xz) = 8c151201b09c51cc1437c2f6345036fce88ea5402cd1fd62b76c093e294b87d0c1f61e1dcf6f799f508d8dcfe381589a3815001a8c8bbc085aed0fdca6f2536d +SHA512 (curl-7.69.1.tar.xz) = dcb917ce9a6f34b30adae10e2e635d7a8c67781d69789cc5617ab2b49e898394ecfeee546453b14ab168d4b3b52baf974b2ec07e7a4b199addbc1ba57274d8fa From 53c8c93125c0fcb24c0cb6688e25c11631f8f8a0 Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Fri, 17 Apr 2020 16:06:52 +0000 Subject: [PATCH 080/256] Prevent discarding of -g when compiling with clang --- 0102-curl-7.36.0-debug.patch | 63 ++++++++++++++++++++++++++++++------ curl.spec | 5 ++- 2 files changed, 58 insertions(+), 10 deletions(-) diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index e9b3848..10180bf 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -1,18 +1,41 @@ -From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001 +From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 31 Oct 2012 11:38:30 +0100 -Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778) +Subject: [PATCH] prevent configure script from discarding -g in CFLAGS + (#496778) --- - configure | 13 +++---------- - m4/curl-compilers.m4 | 13 +++---------- - 2 files changed, 6 insertions(+), 20 deletions(-) + configure | 26 ++++++-------------------- + m4/curl-compilers.m4 | 26 ++++++-------------------- + 2 files changed, 12 insertions(+), 40 deletions(-) diff --git a/configure b/configure -index 8f079a3..53b4774 100755 +index d6d125f49..3eba7b15f 100755 --- a/configure +++ b/configure -@@ -16343,18 +16343,11 @@ $as_echo "yes" >&6; } +@@ -16269,18 +16269,11 @@ $as_echo "no" >&6; } + clangvhi=`echo $clangver | cut -d . -f1` + clangvlo=`echo $clangver | cut -d . -f2` + compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null` +- flags_dbg_all="-g -g0 -g1 -g2 -g3" +- flags_dbg_all="$flags_dbg_all -ggdb" +- flags_dbg_all="$flags_dbg_all -gstabs" +- flags_dbg_all="$flags_dbg_all -gstabs+" +- flags_dbg_all="$flags_dbg_all -gcoff" +- flags_dbg_all="$flags_dbg_all -gxcoff" +- flags_dbg_all="$flags_dbg_all -gdwarf-2" +- flags_dbg_all="$flags_dbg_all -gvms" ++ flags_dbg_all="" + flags_dbg_yes="-g" + flags_dbg_off="" +- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4" +- flags_opt_yes="-Os" ++ flags_opt_all="" ++ flags_opt_yes="" + flags_opt_off="-O0" + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +@@ -16343,18 +16336,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` @@ -35,10 +58,32 @@ index 8f079a3..53b4774 100755 OLDCPPFLAGS=$CPPFLAGS diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 -index 0cbba7a..9175b5b 100644 +index c64db4bc6..d115a4aed 100644 --- a/m4/curl-compilers.m4 +++ b/m4/curl-compilers.m4 -@@ -166,18 +166,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ +@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [ + clangvhi=`echo $clangver | cut -d . -f1` + clangvlo=`echo $clangver | cut -d . -f2` + compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null` +- flags_dbg_all="-g -g0 -g1 -g2 -g3" +- flags_dbg_all="$flags_dbg_all -ggdb" +- flags_dbg_all="$flags_dbg_all -gstabs" +- flags_dbg_all="$flags_dbg_all -gstabs+" +- flags_dbg_all="$flags_dbg_all -gcoff" +- flags_dbg_all="$flags_dbg_all -gxcoff" +- flags_dbg_all="$flags_dbg_all -gdwarf-2" +- flags_dbg_all="$flags_dbg_all -gvms" ++ flags_dbg_all="" + flags_dbg_yes="-g" + flags_dbg_off="" +- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4" +- flags_opt_yes="-Os" ++ flags_opt_all="" ++ flags_opt_yes="" + flags_opt_off="-O0" + else + AC_MSG_RESULT([no]) +@@ -166,18 +159,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/curl.spec b/curl.spec index 15a1a8b..e67587c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.69.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -346,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Apr 17 2020 Tom Stellard - 7.69.1-2 +- Prevent discarding of -g when compiling with clang + * Wed Mar 11 2020 Kamil Dudka - 7.69.1-1 - new upstream release From 6a752013d0c9403d74c37810273e4a73da8d494c Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Apr 2020 11:21:23 +0200 Subject: [PATCH 081/256] Resolves: #1824926 - SSH: use new ECDSA key types to check known hosts --- 0001-curl-7.69.1-ssh-ecdsa-keys.patch | 47 +++++++++++++++++++++++++++ curl.spec | 9 ++++- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.69.1-ssh-ecdsa-keys.patch diff --git a/0001-curl-7.69.1-ssh-ecdsa-keys.patch b/0001-curl-7.69.1-ssh-ecdsa-keys.patch new file mode 100644 index 0000000..e354299 --- /dev/null +++ b/0001-curl-7.69.1-ssh-ecdsa-keys.patch @@ -0,0 +1,47 @@ +From e7bd08d289e55c9080590c1147df6584ec881523 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Thu, 16 Apr 2020 19:26:06 +0200 +Subject: [PATCH] libssh: Use new ECDSA key types to check known hosts + +From libssh 0.9.0, ssh_key_type() returns different key types for ECDSA +keys depending on the curve. + +Signed-off-by: Anderson Toshiyuki Sasaki +Fixes #5252 +Closes #5253 + +Upstream-commit: 14bf7eb6e526f7ce0c60c1c972b4d935c1c5132d +Signed-off-by: Kamil Dudka +--- + lib/vssh/libssh.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 08d9f9e0f..54bc5e019 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -403,6 +403,9 @@ static int myssh_is_known(struct connectdata *conn) + knownkey.keytype = CURLKHTYPE_RSA1; + break; + case SSH_KEYTYPE_ECDSA: ++ case SSH_KEYTYPE_ECDSA_P256: ++ case SSH_KEYTYPE_ECDSA_P384: ++ case SSH_KEYTYPE_ECDSA_P521: + knownkey.keytype = CURLKHTYPE_ECDSA; + break; + case SSH_KEYTYPE_ED25519: +@@ -470,6 +473,11 @@ static int myssh_is_known(struct connectdata *conn) + foundkey.keytype = CURLKHTYPE_RSA1; + break; + case SSH_KEYTYPE_ECDSA: ++#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,9,0) ++ case SSH_KEYTYPE_ECDSA_P256: ++ case SSH_KEYTYPE_ECDSA_P384: ++ case SSH_KEYTYPE_ECDSA_P521: ++#endif + foundkey.keytype = CURLKHTYPE_ECDSA; + break; + #if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,7,0) +-- +2.21.1 + diff --git a/curl.spec b/curl.spec index e67587c..6b1e006 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.69.1 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# SSH: use new ECDSA key types to check known hosts (#1824926) +Patch1: 0001-curl-7.69.1-ssh-ecdsa-keys.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -169,6 +172,7 @@ be installed. %prep %setup -q +%patch1 -p1 # upstream patches @@ -346,6 +350,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Apr 20 2020 Kamil Dudka - 7.69.1-3 +- SSH: use new ECDSA key types to check known hosts (#1824926) + * Fri Apr 17 2020 Tom Stellard - 7.69.1-2 - Prevent discarding of -g when compiling with clang From c88a6aff3021debacb21f4639b36b23886d0c962 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 29 Apr 2020 09:51:03 +0200 Subject: [PATCH 082/256] new upstream release - 7.70.0 --- 0001-curl-7.69.1-ssh-ecdsa-keys.patch | 47 ------------------ 0001-curl-7.70.0-tests-build-dir.patch | 63 +++++++++++++++++++++++++ 0102-curl-7.36.0-debug.patch | 53 +-------------------- 0103-curl-7.59.0-python3.patch | 34 ------------- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.69.1.tar.xz.asc | 11 ----- curl-7.70.0.tar.xz.asc | 11 +++++ curl.spec | 23 +++++---- sources | 2 +- 9 files changed, 89 insertions(+), 157 deletions(-) delete mode 100644 0001-curl-7.69.1-ssh-ecdsa-keys.patch create mode 100644 0001-curl-7.70.0-tests-build-dir.patch delete mode 100644 0103-curl-7.59.0-python3.patch delete mode 100644 curl-7.69.1.tar.xz.asc create mode 100644 curl-7.70.0.tar.xz.asc diff --git a/0001-curl-7.69.1-ssh-ecdsa-keys.patch b/0001-curl-7.69.1-ssh-ecdsa-keys.patch deleted file mode 100644 index e354299..0000000 --- a/0001-curl-7.69.1-ssh-ecdsa-keys.patch +++ /dev/null @@ -1,47 +0,0 @@ -From e7bd08d289e55c9080590c1147df6584ec881523 Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Thu, 16 Apr 2020 19:26:06 +0200 -Subject: [PATCH] libssh: Use new ECDSA key types to check known hosts - -From libssh 0.9.0, ssh_key_type() returns different key types for ECDSA -keys depending on the curve. - -Signed-off-by: Anderson Toshiyuki Sasaki -Fixes #5252 -Closes #5253 - -Upstream-commit: 14bf7eb6e526f7ce0c60c1c972b4d935c1c5132d -Signed-off-by: Kamil Dudka ---- - lib/vssh/libssh.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c -index 08d9f9e0f..54bc5e019 100644 ---- a/lib/vssh/libssh.c -+++ b/lib/vssh/libssh.c -@@ -403,6 +403,9 @@ static int myssh_is_known(struct connectdata *conn) - knownkey.keytype = CURLKHTYPE_RSA1; - break; - case SSH_KEYTYPE_ECDSA: -+ case SSH_KEYTYPE_ECDSA_P256: -+ case SSH_KEYTYPE_ECDSA_P384: -+ case SSH_KEYTYPE_ECDSA_P521: - knownkey.keytype = CURLKHTYPE_ECDSA; - break; - case SSH_KEYTYPE_ED25519: -@@ -470,6 +473,11 @@ static int myssh_is_known(struct connectdata *conn) - foundkey.keytype = CURLKHTYPE_RSA1; - break; - case SSH_KEYTYPE_ECDSA: -+#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,9,0) -+ case SSH_KEYTYPE_ECDSA_P256: -+ case SSH_KEYTYPE_ECDSA_P384: -+ case SSH_KEYTYPE_ECDSA_P521: -+#endif - foundkey.keytype = CURLKHTYPE_ECDSA; - break; - #if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,7,0) --- -2.21.1 - diff --git a/0001-curl-7.70.0-tests-build-dir.patch b/0001-curl-7.70.0-tests-build-dir.patch new file mode 100644 index 0000000..b4c2d16 --- /dev/null +++ b/0001-curl-7.70.0-tests-build-dir.patch @@ -0,0 +1,63 @@ +From a6d36d6795d18895a63ced7b01a2b1ba2e9e04e5 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 29 Apr 2020 13:26:14 +0200 +Subject: [PATCH 1/2] tests: look for preprocessed tests in build directory + +... which is not always the same directory as source directory + +Closes #5310 + +Upstream-commit: 1066f5f0d4b304f7ba46f912cf13e12f45e39553 +Signed-off-by: Kamil Dudka +--- + tests/server/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/server/util.c b/tests/server/util.c +index f576b9c..09bb515 100644 +--- a/tests/server/util.c ++++ b/tests/server/util.c +@@ -199,7 +199,7 @@ FILE *test2fopen(long testno) + FILE *stream; + char filename[256]; + /* first try the alternative, preprocessed, file */ +- msnprintf(filename, sizeof(filename), ALTTEST_DATA_PATH, path, testno); ++ msnprintf(filename, sizeof(filename), ALTTEST_DATA_PATH, ".", testno); + stream = fopen(filename, "rb"); + if(stream) + return stream; +-- +2.21.1 + + +From 540709d145c875c4cf67ce0c7acd6416c05f773c Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 29 Apr 2020 13:27:20 +0200 +Subject: [PATCH 2/2] test1177: look for curl.h in source directory + +If we use a separate build directory, there is no copy of the header. + +Closes #5310 + +Upstream-commit: 68774da9ca5f39dbb403d63a7d9326b28263bdcb +Signed-off-by: Kamil Dudka +--- + tests/data/test1177 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/data/test1177 b/tests/data/test1177 +index 75a1ab3..85b520c 100644 +--- a/tests/data/test1177 ++++ b/tests/data/test1177 +@@ -18,7 +18,7 @@ Verify that CURL_VERSION_* in headers and docs are in sync + + + +-%SRCDIR/version-scan.pl %SRCDIR/../docs/libcurl/curl_version_info.3 ../include/curl/curl.h ++%SRCDIR/version-scan.pl %SRCDIR/../docs/libcurl/curl_version_info.3 %SRCDIR/../include/curl/curl.h + + + +-- +2.21.1 + diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 10180bf..c096d67 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -5,58 +5,9 @@ Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778) --- - configure | 26 ++++++-------------------- m4/curl-compilers.m4 | 26 ++++++-------------------- - 2 files changed, 12 insertions(+), 40 deletions(-) + 1 file changed, 6 insertions(+), 20 deletions(-) -diff --git a/configure b/configure -index d6d125f49..3eba7b15f 100755 ---- a/configure -+++ b/configure -@@ -16269,18 +16269,11 @@ $as_echo "no" >&6; } - clangvhi=`echo $clangver | cut -d . -f1` - clangvlo=`echo $clangver | cut -d . -f2` - compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4" -- flags_opt_yes="-Os" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -@@ -16343,18 +16336,11 @@ $as_echo "yes" >&6; } - gccvhi=`echo $gccver | cut -d . -f1` - gccvlo=`echo $gccver | cut -d . -f2` - compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast" -- flags_opt_yes="-O2" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - - OLDCPPFLAGS=$CPPFLAGS diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 index c64db4bc6..d115a4aed 100644 --- a/m4/curl-compilers.m4 @@ -83,7 +34,7 @@ index c64db4bc6..d115a4aed 100644 flags_opt_off="-O0" else AC_MSG_RESULT([no]) -@@ -166,18 +159,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ +@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0103-curl-7.59.0-python3.patch b/0103-curl-7.59.0-python3.patch deleted file mode 100644 index 55bf4a9..0000000 --- a/0103-curl-7.59.0-python3.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 15 Mar 2018 14:49:56 +0100 -Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3 - -Unfortunately, smbserver.py does not work with Python 3 because -there is no 'impacket' module available for Python 3: - -https://github.com/CoreSecurity/impacket/issues/61 ---- - tests/negtelnetserver.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py -index 8cfd409..72ee771 100755 ---- a/tests/negtelnetserver.py -+++ b/tests/negtelnetserver.py -@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler): - response_data = response.encode('ascii') - else: - log.debug("Received normal request - echoing back") -- response_data = data.strip() -+ response_data = data.decode('utf8').strip() - - if response_data: - log.debug("Sending %r", response_data) -- self.request.sendall(response_data) -+ self.request.sendall(response_data.encode('utf8')) - - except IOError: - log.exception("IOError hit during request") --- -2.14.3 - diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 49a3bdd..933b289 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -562,6 +562,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -583,6 +583,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.69.1.tar.xz.asc b/curl-7.69.1.tar.xz.asc deleted file mode 100644 index 7607e60..0000000 --- a/curl-7.69.1.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl5oh44ACgkQXMkI/bce -EsL/5QgAlK2oYZTG3OQziHD8RtvjcRZyVfSPgH+UCEe12o+pqrWncWG5kVbFPjoX -USq8EEmRLaTdPPVY+lLZjrll0LgAHa5fyOYV5IFeKHHlRtGUsurMx+IW7NXg1kWn -lZXV/xzcogVeaqTZtJS1QQeyBxV55BEzwbO7WI7U3dQHKspE2724IqaGwHAj7BaL -K3hmHpBHuuGNpP5wsmnA0GXVLYSfqTJhc2itcupG8ZveNeEjCXPoRxGq/aewqUCH -UoT0tLu/LJ/D4FW1zGYdQXkli4MHKzTP9l2Tp/6ounEc+WpEirIRJLWRE8Wn/bmH -JjmSkls5sMCsmLl5DNoSUEw4Jco0oQ== -=+Rw4 ------END PGP SIGNATURE----- diff --git a/curl-7.70.0.tar.xz.asc b/curl-7.70.0.tar.xz.asc new file mode 100644 index 0000000..06df293 --- /dev/null +++ b/curl-7.70.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl6pGOwACgkQXMkI/bce +EsJJvggAoWbMdK1FfuTzNORxiW/UoJmT2HCjuN5nLzlObJbhYQWnKWRfE09c2j3C +g1GQJ6vUq452DFAYiWFnml4u1E9UVjmLVrsOzsBZD1EvbVaFQF9cP1UoURU7h9n/ +uTcNZ4oxuvnxYX0oDStEx9mVw63Gw+CtyUJoDNmzmVAk0sBfcCa3mRBZwhNnYPXU +dUxb6bpelcdTDJZGCJIzcmoidbS214GAGomLYrLhKlcYwU4aSKpERAnXK4TbiZjR +l30qG0HkrP1vQ1UKkUKLbuC4Fy27WgSqYBq/dY9ljmwAXb1txrsbHqA1RE3L4NyA +7uE/as3hskrUuVFidsTPwoAOPljJpw== +=g8R9 +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 6b1e006..9d5932f 100644 --- a/curl.spec +++ b/curl.spec @@ -1,12 +1,12 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.69.1 -Release: 3%{?dist} +Version: 7.70.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# SSH: use new ECDSA key types to check known hosts (#1824926) -Patch1: 0001-curl-7.69.1-ssh-ecdsa-keys.patch +# make test-suite work with separate build dir +Patch1: 0001-curl-7.70.0-tests-build-dir.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -14,9 +14,6 @@ Patch101: 0101-curl-7.32.0-multilib.patch # prevent configure script from discarding -g in CFLAGS (#496778) Patch102: 0102-curl-7.36.0-debug.patch -# migrate tests/http_pipe.py to Python 3 -Patch103: 0103-curl-7.59.0-python3.patch - # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch @@ -37,6 +34,7 @@ BuildRequires: libmetalink-devel BuildRequires: libnghttp2-devel BuildRequires: libpsl-devel BuildRequires: libssh-devel +BuildRequires: libtool BuildRequires: make BuildRequires: openldap-devel BuildRequires: openssh-clients @@ -172,23 +170,21 @@ be installed. %prep %setup -q -%patch1 -p1 # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 %patch102 -p1 -%patch103 -p1 %patch104 -p1 %patch105 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py -# regenerate Makefile.in files -aclocal -I m4 -automake +# regenerate the configure script and Makefile.in files +autoreconf -fiv # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 @@ -350,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Apr 29 2020 Kamil Dudka - 7.70.0-1 +- new upstream release + * Mon Apr 20 2020 Kamil Dudka - 7.69.1-3 - SSH: use new ECDSA key types to check known hosts (#1824926) diff --git a/sources b/sources index af5828c..8f47dc0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.69.1.tar.xz) = dcb917ce9a6f34b30adae10e2e635d7a8c67781d69789cc5617ab2b49e898394ecfeee546453b14ab168d4b3b52baf974b2ec07e7a4b199addbc1ba57274d8fa +SHA512 (curl-7.70.0.tar.xz) = ab8796af1bd6f35ae704fd5e3639a8153482615a05c24e2e6d0b9cef8ed9a1e0d497ead2dbf5972cc53f632c2d87f0bf79e9e7cac625452dd24e6c7d8045cfc6 From ce4949188b23da437a0ac036e3058ac9078f0a18 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Sat, 2 May 2020 09:52:39 +0200 Subject: [PATCH 083/256] Related: #1829180 - temporarily disable tests 702 703 716 on armv7hl --- curl.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/curl.spec b/curl.spec index 9d5932f..c7fe7d8 100644 --- a/curl.spec +++ b/curl.spec @@ -203,6 +203,11 @@ echo "1319" >> tests/data/DISABLED echo "582" >> tests/data/DISABLED %endif +# temporarily disable tests 702 703 716 on armv7hl (#1829180) +%ifarch armv7hl +printf "702\n703\n716\n" >> tests/data/DISABLED +%endif + # adapt test 323 for updated OpenSSL sed -e 's/^35$/35,52/' -i tests/data/test323 From c74a58b095defb130a633813358017556b300d82 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Sat, 2 May 2020 10:07:26 +0200 Subject: [PATCH 084/256] Related: #1829180 - add BuildRequires for hostname It is used by the test-suite but it is missing in armv7hl buildroot. --- curl.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/curl.spec b/curl.spec index c7fe7d8..f75467c 100644 --- a/curl.spec +++ b/curl.spec @@ -59,6 +59,9 @@ BuildRequires: perl(warnings) # gnutls-serv is used by the upstream test-suite BuildRequires: gnutls-utils +# hostname(1) is used by the test-suite but it is missing in armv7hl buildroot +BuildRequires: hostname + # nghttpx (an HTTP/2 proxy) is used by the upstream test-suite BuildRequires: nghttp2 From 8c661bb9d7bae4bd4a9036e3a9b88648a2ba44d0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 24 Jun 2020 09:27:34 +0200 Subject: [PATCH 085/256] new upstream release - 7.71.0 Resolves: CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect Resolves: CVE-2020-8177 - curl: overwrite local file with -J --- 0001-curl-7.70.0-tests-build-dir.patch | 63 ------------------------- 0101-curl-7.32.0-multilib.patch | 14 +++--- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.70.0.tar.xz.asc | 11 ----- curl-7.71.0.tar.xz.asc | 11 +++++ curl.spec | 13 ++--- sources | 2 +- 7 files changed, 28 insertions(+), 88 deletions(-) delete mode 100644 0001-curl-7.70.0-tests-build-dir.patch delete mode 100644 curl-7.70.0.tar.xz.asc create mode 100644 curl-7.71.0.tar.xz.asc diff --git a/0001-curl-7.70.0-tests-build-dir.patch b/0001-curl-7.70.0-tests-build-dir.patch deleted file mode 100644 index b4c2d16..0000000 --- a/0001-curl-7.70.0-tests-build-dir.patch +++ /dev/null @@ -1,63 +0,0 @@ -From a6d36d6795d18895a63ced7b01a2b1ba2e9e04e5 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 29 Apr 2020 13:26:14 +0200 -Subject: [PATCH 1/2] tests: look for preprocessed tests in build directory - -... which is not always the same directory as source directory - -Closes #5310 - -Upstream-commit: 1066f5f0d4b304f7ba46f912cf13e12f45e39553 -Signed-off-by: Kamil Dudka ---- - tests/server/util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/server/util.c b/tests/server/util.c -index f576b9c..09bb515 100644 ---- a/tests/server/util.c -+++ b/tests/server/util.c -@@ -199,7 +199,7 @@ FILE *test2fopen(long testno) - FILE *stream; - char filename[256]; - /* first try the alternative, preprocessed, file */ -- msnprintf(filename, sizeof(filename), ALTTEST_DATA_PATH, path, testno); -+ msnprintf(filename, sizeof(filename), ALTTEST_DATA_PATH, ".", testno); - stream = fopen(filename, "rb"); - if(stream) - return stream; --- -2.21.1 - - -From 540709d145c875c4cf67ce0c7acd6416c05f773c Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 29 Apr 2020 13:27:20 +0200 -Subject: [PATCH 2/2] test1177: look for curl.h in source directory - -If we use a separate build directory, there is no copy of the header. - -Closes #5310 - -Upstream-commit: 68774da9ca5f39dbb403d63a7d9326b28263bdcb -Signed-off-by: Kamil Dudka ---- - tests/data/test1177 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/data/test1177 b/tests/data/test1177 -index 75a1ab3..85b520c 100644 ---- a/tests/data/test1177 -+++ b/tests/data/test1177 -@@ -18,7 +18,7 @@ Verify that CURL_VERSION_* in headers and docs are in sync - - - --%SRCDIR/version-scan.pl %SRCDIR/../docs/libcurl/curl_version_info.3 ../include/curl/curl.h -+%SRCDIR/version-scan.pl %SRCDIR/../docs/libcurl/curl_version_info.3 %SRCDIR/../include/curl/curl.h - - - --- -2.21.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 613106d..b4de30d 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -4,10 +4,10 @@ Date: Fri, 12 Apr 2013 12:04:05 +0200 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- - curl-config.in | 21 +++------------------ - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + - 3 files changed, 7 insertions(+), 19 deletions(-) + curl-config.in | 23 +++++------------------ + docs/curl-config.1 | 4 +++- + libcurl.pc.in | 1 + + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in index 150004d..95d0759 100644 @@ -22,7 +22,7 @@ index 150004d..95d0759 100644 ;; --prefix) -@@ -155,32 +155,17 @@ while test $# -gt 0; do +@@ -155,32 +155,19 @@ while test $# -gt 0; do ;; --libs) @@ -31,7 +31,7 @@ index 150004d..95d0759 100644 - else - CURLLIBDIR="" - fi -- if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then +- if test "X@ENABLE_SHARED@" = "Xno" -o "X@REQUIRE_LIB_DEPS@" = "Xyes"; then - echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ - else - echo ${CURLLIBDIR}-lcurl @@ -49,6 +49,8 @@ index 150004d..95d0759 100644 - echo "curl was built with static libraries disabled" >&2 - exit 1 - fi ++ echo "curl was built with static libraries disabled" >&2 ++ exit 1 ;; --configure) diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 933b289..c0d390b 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -583,6 +583,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -586,6 +586,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.70.0.tar.xz.asc b/curl-7.70.0.tar.xz.asc deleted file mode 100644 index 06df293..0000000 --- a/curl-7.70.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl6pGOwACgkQXMkI/bce -EsJJvggAoWbMdK1FfuTzNORxiW/UoJmT2HCjuN5nLzlObJbhYQWnKWRfE09c2j3C -g1GQJ6vUq452DFAYiWFnml4u1E9UVjmLVrsOzsBZD1EvbVaFQF9cP1UoURU7h9n/ -uTcNZ4oxuvnxYX0oDStEx9mVw63Gw+CtyUJoDNmzmVAk0sBfcCa3mRBZwhNnYPXU -dUxb6bpelcdTDJZGCJIzcmoidbS214GAGomLYrLhKlcYwU4aSKpERAnXK4TbiZjR -l30qG0HkrP1vQ1UKkUKLbuC4Fy27WgSqYBq/dY9ljmwAXb1txrsbHqA1RE3L4NyA -7uE/as3hskrUuVFidsTPwoAOPljJpw== -=g8R9 ------END PGP SIGNATURE----- diff --git a/curl-7.71.0.tar.xz.asc b/curl-7.71.0.tar.xz.asc new file mode 100644 index 0000000..53797d9 --- /dev/null +++ b/curl-7.71.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl7y9KMACgkQXMkI/bce +EsJDYAgAmtxtJ5xPWUQ3zYFzPGVGvAOIzRT0UrdWHR5JH9ED23zXsm8Nw8hgrwX4 +VS6d0olNYNzEVDf+on/p3SbLBnvG4rc+i3hLMYmwfJMZW/+1Z0iwmT+nKFzBqt3n +KCmvokRzRyztasCiagBagv3qbV8v2o72hfMmEH7AWqafrRvsaAjiJDedUHi5W9rH +aBFrvuyllA/PfUsM3de4/g2Gs0i882gRmR/BMJNTCYlVRXGDXzO1Vj/jpXWOvV7W +llT0W3Y8FbPch0/R05q5Dc4k7+slPYP4eQ95qVU7pyMozHFsCiP0P3guk4LDbgW4 +ljK090GRc3xBVPHI5+UYYAnt/BEnwg== +=ccth +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index f75467c..861561b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.70.0 +Version: 7.71.0 Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# make test-suite work with separate build dir -Patch1: 0001-curl-7.70.0-tests-build-dir.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -175,7 +172,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -335,7 +331,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %files -n libcurl-devel %doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md -%doc docs/CONTRIBUTE.md docs/libcurl/ABI +%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md %{_bindir}/curl-config* %{_includedir}/curl %{_libdir}/*.so @@ -354,6 +350,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jun 24 2020 Kamil Dudka - 7.71.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect + CVE-2020-8177 - curl: overwrite local file with -J + * Wed Apr 29 2020 Kamil Dudka - 7.70.0-1 - new upstream release diff --git a/sources b/sources index 8f47dc0..1cee95b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.70.0.tar.xz) = ab8796af1bd6f35ae704fd5e3639a8153482615a05c24e2e6d0b9cef8ed9a1e0d497ead2dbf5972cc53f632c2d87f0bf79e9e7cac625452dd24e6c7d8045cfc6 +SHA512 (curl-7.71.0.tar.xz) = f1ea045f23b6a7e2c84ea83954d3299c612f57c3b1e5fee0b39493dc92fc4e95e7af2a5424c2e5bc480659e80cf1adce1fc528fc816f8ff2d0e7bfcfe4c5830a From 6071e0dd16fcdf6a7b644e9b686d362285437de9 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 1 Jul 2020 09:24:32 +0200 Subject: [PATCH 086/256] new upstream release - 7.71.1 --- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.71.0.tar.xz.asc | 11 ----------- curl-7.71.1.tar.xz.asc | 11 +++++++++++ curl.spec | 5 ++++- sources | 2 +- 5 files changed, 17 insertions(+), 14 deletions(-) delete mode 100644 curl-7.71.0.tar.xz.asc create mode 100644 curl-7.71.1.tar.xz.asc diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index c0d390b..76018a7 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -586,6 +586,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -590,6 +590,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.71.0.tar.xz.asc b/curl-7.71.0.tar.xz.asc deleted file mode 100644 index 53797d9..0000000 --- a/curl-7.71.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl7y9KMACgkQXMkI/bce -EsJDYAgAmtxtJ5xPWUQ3zYFzPGVGvAOIzRT0UrdWHR5JH9ED23zXsm8Nw8hgrwX4 -VS6d0olNYNzEVDf+on/p3SbLBnvG4rc+i3hLMYmwfJMZW/+1Z0iwmT+nKFzBqt3n -KCmvokRzRyztasCiagBagv3qbV8v2o72hfMmEH7AWqafrRvsaAjiJDedUHi5W9rH -aBFrvuyllA/PfUsM3de4/g2Gs0i882gRmR/BMJNTCYlVRXGDXzO1Vj/jpXWOvV7W -llT0W3Y8FbPch0/R05q5Dc4k7+slPYP4eQ95qVU7pyMozHFsCiP0P3guk4LDbgW4 -ljK090GRc3xBVPHI5+UYYAnt/BEnwg== -=ccth ------END PGP SIGNATURE----- diff --git a/curl-7.71.1.tar.xz.asc b/curl-7.71.1.tar.xz.asc new file mode 100644 index 0000000..5954fb7 --- /dev/null +++ b/curl-7.71.1.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl78MUgACgkQXMkI/bce +EsJkEgf/ZDR7QKw9aPQoT2dOyqoCTKip1fLCtJBEOmctjS86zF+1caPABYLV1kq6 +9baz7L2qWOmDdHkxF4poTpPH9CkcG3Krq6lHFjbFQ0GxMC+MEnnFYKfDVrRopaKq +ioBUnZrRSIytgwbiwxB+uxxa4ItzV6tZNVKIiIZOuuVSAZ9azA/swpezet8x2kxg +yp1Y3oe0R1VCYiCJ2EOB/rMs0ndPHSRuWiCCIBK7uPXA0jJsL4rjhmY5l2qAadfy +6iDpk85CJvQcGcC8nZMmpbivniOjIjEefjeXviLvg5dZi7f3M028QyGpkkUVzf27 +FiWCDZuZkp9ed2eLIBGWo/wy70f2pw== +=0YwO +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 861561b..2d2de5b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.71.0 +Version: 7.71.1 Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -350,6 +350,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 01 2020 Kamil Dudka - 7.71.1-1 +- new upstream release + * Wed Jun 24 2020 Kamil Dudka - 7.71.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect diff --git a/sources b/sources index 1cee95b..9983b9e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.71.0.tar.xz) = f1ea045f23b6a7e2c84ea83954d3299c612f57c3b1e5fee0b39493dc92fc4e95e7af2a5424c2e5bc480659e80cf1adce1fc528fc816f8ff2d0e7bfcfe4c5830a +SHA512 (curl-7.71.1.tar.xz) = 631e0ee8562e5029fe022bfab4222836a3e6d666e82e2bfbd78311fe5985105218a36d1ea68c93472fc57a12b713957a3bcca6e385eda4e58a47ca8d5d50265b From 87d774717a0f9d4d9f70d799bd82669e4b40d98c Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 3 Jul 2020 12:47:48 +0200 Subject: [PATCH 087/256] Resolves: #1833193 - curl: make the --krb option work again --- 0001-curl-7.71.1-tool-krb-opt.patch | 65 +++++++++++++++++++++++++++++ curl.spec | 9 +++- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.71.1-tool-krb-opt.patch diff --git a/0001-curl-7.71.1-tool-krb-opt.patch b/0001-curl-7.71.1-tool-krb-opt.patch new file mode 100644 index 0000000..5e76f50 --- /dev/null +++ b/0001-curl-7.71.1-tool-krb-opt.patch @@ -0,0 +1,65 @@ +From a58654cbc5bea608b9c8729703a6d866ffaae8d8 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Thu, 2 Jul 2020 17:41:37 +0200 +Subject: [PATCH 1/2] tool_getparam: make --krb option work again + +It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301. + +Bug: https://bugzilla.redhat.com/1833193 +Closes #5640 + +Upstream-commit: d2fd845c35922ca73b89c617597dd5c59772e16a +Signed-off-by: Kamil Dudka +--- + src/tool_getparam.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 3409621..9c6bc8a 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -813,7 +813,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + break; + case 'x': /* --krb */ + /* kerberos level string */ +- if(curlinfo->features & CURL_VERSION_KERBEROS4) ++ if(curlinfo->features & CURL_VERSION_SPNEGO) + GetStr(&config->krblevel, nextarg); + else + return PARAM_LIBCURL_DOESNT_SUPPORT; +-- +2.21.3 + + +From 0be44560dfe3597a12b21b95798f69714ff0459a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 2 Jul 2020 23:46:40 +0200 +Subject: [PATCH 2/2] curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated + +This came up in #5640. It make sense to clarify this in the docs! + +Reminded-by: Kamil Dudka +Closes #5642 + +Upstream-commit: 54f21be2e3a64b9e57130cf6d1eb4f17c44d7967 +Signed-off-by: Kamil Dudka +--- + docs/libcurl/curl_version_info.3 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs/libcurl/curl_version_info.3 b/docs/libcurl/curl_version_info.3 +index 2d21dfb..0d26e87 100644 +--- a/docs/libcurl/curl_version_info.3 ++++ b/docs/libcurl/curl_version_info.3 +@@ -151,7 +151,7 @@ letters. (Added in 7.12.0) + .IP CURL_VERSION_IPV6 + supports IPv6 + .IP CURL_VERSION_KERBEROS4 +-supports Kerberos V4 (when using FTP) ++supports Kerberos V4 (when using FTP). Legacy bit. Deprecated since 7.33.0. + .IP CURL_VERSION_KERBEROS5 + supports Kerberos V5 authentication for FTP, IMAP, POP3, SMTP and SOCKSv5 proxy + (Added in 7.40.0) +-- +2.21.3 + diff --git a/curl.spec b/curl.spec index 2d2de5b..220bcb9 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.71.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# curl: make the --krb option work again (#1833193) +Patch1: 0001-curl-7.71.1-tool-krb-opt.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -172,6 +175,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -350,6 +354,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jul 03 2020 Kamil Dudka - 7.71.1-2 +- curl: make the --krb option work again (#1833193) + * Wed Jul 01 2020 Kamil Dudka - 7.71.1-1 - new upstream release From df6371398406134c9a82464053900b35587370a9 Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Mon, 13 Jul 2020 19:00:01 +0000 Subject: [PATCH 088/256] Use make macros https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro --- curl.spec | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/curl.spec b/curl.spec index 220bcb9..eab9e07 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.71.1 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -261,8 +261,8 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \ -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \ -i build-{full,minimal}/libtool -make %{?_smp_mflags} V=1 -C build-minimal -make %{?_smp_mflags} V=1 -C build-full +%make_build V=1 -C build-minimal +%make_build V=1 -C build-full %check # we have to override LD_LIBRARY_PATH because we eliminated rpath @@ -271,7 +271,7 @@ export LD_LIBRARY_PATH # compile upstream test-cases cd build-full/tests -make %{?_smp_mflags} V=1 +%make_build V=1 # relax crypto policy for the test-suite to make it pass again (#1610888) export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX @@ -282,14 +282,14 @@ srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' %install # install and rename the library that will be packaged as libcurl-minimal -make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/lib +%make_install -C build-minimal/lib rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so} for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do mv -v $i $i.minimal done # install and rename the executable that will be packaged as curl-minimal -make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/src +%make_install -C build-minimal/src mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal} # install libcurl.m4 @@ -298,12 +298,12 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal # install the executable and library that will be packaged as curl and libcurl cd build-full -make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install +%make_install # install zsh completion for curl # (we have to override LD_LIBRARY_PATH because we eliminated rpath) LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ - make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts + %make_install -C scripts # do not install /usr/share/fish/completions/curl.fish which is also installed # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict @@ -354,6 +354,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jul 13 2020 Tom Stellard - 7.71.1-3 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + * Fri Jul 03 2020 Kamil Dudka - 7.71.1-2 - curl: make the --krb option work again (#1833193) From 407d32e00a5cbf18fa0c1a847b2c370bca714186 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Mon, 27 Jul 2020 14:52:54 +0000 Subject: [PATCH 089/256] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index eab9e07..9706b9f 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.71.1 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -354,6 +354,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jul 27 2020 Fedora Release Engineering - 7.71.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Mon Jul 13 2020 Tom Stellard - 7.71.1-3 - Use make macros - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro From b740a1ecc6be64a35e5b83c1185a518d607765d7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 6 Aug 2020 11:04:30 +0200 Subject: [PATCH 090/256] setopt: unset NOBODY switches to GET if still HEAD MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Vít Ondruch --- 0002-curl-7.71.1-unset-nobody.patch | 108 ++++++++++++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 116 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.71.1-unset-nobody.patch diff --git a/0002-curl-7.71.1-unset-nobody.patch b/0002-curl-7.71.1-unset-nobody.patch new file mode 100644 index 0000000..8487132 --- /dev/null +++ b/0002-curl-7.71.1-unset-nobody.patch @@ -0,0 +1,108 @@ +From 750188fc8eb239f51255d6f3510f544377e78ecd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 27 Jul 2020 11:44:01 +0200 +Subject: [PATCH 1/2] setopt: unset NOBODY switches to GET if still HEAD + +Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented +action but before 7.71.0 that used to switch back to GET and with this +change (assuming the method is still set to HEAD) this behavior is +brought back. + +Reported-by: causal-agent on github +Fixes #5725 +Closes #5728 + +Upstream-commit: 91cb16b21faa556d4467399781379ad3abafd3fe +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 90edf6a..d621335 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -274,6 +274,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + if(data->set.opt_no_body) + /* in HTTP lingo, no body means using the HEAD request... */ + data->set.method = HTTPREQ_HEAD; ++ else if(data->set.method == HTTPREQ_HEAD) ++ data->set.method = HTTPREQ_GET; + break; + case CURLOPT_FAILONERROR: + /* +-- +2.25.4 + + +From 44add6f66c7ddec9f002fb52ce8e893a8ca9165d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 27 Jul 2020 11:54:29 +0200 +Subject: [PATCH 2/2] CURLOPT_NOBODY.3: clarify what setting to 0 means + +... and mention that HTTP with other methods than HEAD might get a body and +there's no option available to stop that. + +Closes #5729 + +Upstream-commit: e1bac81cc815f3fe968e009eb69b8e0236dcd82c +Signed-off-by: Kamil Dudka +--- + docs/libcurl/opts/CURLOPT_NOBODY.3 | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3 +index f720f49..3674dde 100644 +--- a/docs/libcurl/opts/CURLOPT_NOBODY.3 ++++ b/docs/libcurl/opts/CURLOPT_NOBODY.3 +@@ -5,7 +5,7 @@ + .\" * | (__| |_| | _ <| |___ + .\" * \___|\___/|_| \_\_____| + .\" * +-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. ++.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. + .\" * + .\" * This software is licensed as described in the file COPYING, which + .\" * you should have received as part of this distribution. The terms +@@ -34,7 +34,17 @@ output when doing what would otherwise be a download. For HTTP(S), this makes + libcurl do a HEAD request. For most other protocols it means just not asking + to transfer the body data. + +-Enabling this option means asking for a download but without a body. ++For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the ++option (with 0) will make it a GET again - only if the method is still set to ++be HEAD. The proper way to get back to a GET request is to set ++\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD ++options. ++ ++Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body. ++ ++If you do a transfer with HTTP that involves a method other than HEAD, you ++will get a body (unless the resource and server sends a zero byte body for the ++specific URL you request). + .SH DEFAULT + 0, the body is transferred + .SH PROTOCOLS +@@ -43,9 +53,9 @@ Most + .nf + curl = curl_easy_init(); + if(curl) { +- curl_easy_setopt(curl, CURLOPT_URL, "http://example.com"); ++ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); + +- /* get us the resource without a body! */ ++ /* get us the resource without a body - use HEAD! */ + curl_easy_setopt(curl, CURLOPT_NOBODY, 1L); + + /* Perform the request */ +@@ -57,5 +67,5 @@ Always + .SH RETURN VALUE + Returns CURLE_OK + .SH "SEE ALSO" +-.BR CURLOPT_HTTPGET "(3), " CURLOPT_POST "(3), " +-.BR CURLOPT_REQUEST_TARGET "(3), " ++.BR CURLOPT_HTTPGET "(3), " CURLOPT_POSTFIELDS "(3), " CURLOPT_UPLOAD "(3), " ++.BR CURLOPT_REQUEST_TARGET "(3), " CURLOPT_MIMEPOST "(3), " +-- +2.25.4 + diff --git a/curl.spec b/curl.spec index 9706b9f..dcde2a2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,16 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.71.1 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz # curl: make the --krb option work again (#1833193) Patch1: 0001-curl-7.71.1-tool-krb-opt.patch +# setopt: unset NOBODY switches to GET if still HEAD +Patch2: 0002-curl-7.71.1-unset-nobody.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -176,6 +179,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -354,6 +358,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Aug 06 2020 Kamil Dudka - 7.71.1-5 +- setopt: unset NOBODY switches to GET if still HEAD + * Mon Jul 27 2020 Fedora Release Engineering - 7.71.1-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild From 840be82e6f407f4f5bf7fddac8bf796f50f50c04 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 6 Aug 2020 11:48:24 +0200 Subject: [PATCH 091/256] pick an upstream fix to make test 1140 pass again --- 0002-curl-7.71.1-unset-nobody.patch | 44 +++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/0002-curl-7.71.1-unset-nobody.patch b/0002-curl-7.71.1-unset-nobody.patch index 8487132..1646a72 100644 --- a/0002-curl-7.71.1-unset-nobody.patch +++ b/0002-curl-7.71.1-unset-nobody.patch @@ -1,7 +1,7 @@ From 750188fc8eb239f51255d6f3510f544377e78ecd Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 27 Jul 2020 11:44:01 +0200 -Subject: [PATCH 1/2] setopt: unset NOBODY switches to GET if still HEAD +Subject: [PATCH 1/3] setopt: unset NOBODY switches to GET if still HEAD Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented action but before 7.71.0 that used to switch back to GET and with this @@ -38,7 +38,7 @@ index 90edf6a..d621335 100644 From 44add6f66c7ddec9f002fb52ce8e893a8ca9165d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 27 Jul 2020 11:54:29 +0200 -Subject: [PATCH 2/2] CURLOPT_NOBODY.3: clarify what setting to 0 means +Subject: [PATCH 2/3] CURLOPT_NOBODY.3: clarify what setting to 0 means ... and mention that HTTP with other methods than HEAD might get a body and there's no option available to stop that. @@ -106,3 +106,43 @@ index f720f49..3674dde 100644 -- 2.25.4 + +From cc8e488c83254013a0ad1149a77565723aee870b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 27 Jul 2020 23:59:00 +0200 +Subject: [PATCH 3/3] CURLOPT_NOBODY.3: fix the syntax for referring to options + +As test 1140 fails otherwise! + +Follow-up to e1bac81cc815 + +Upstream-commit: 34e5ad21d2cb98475acdbf7a3a6ea973d8c12249 +Signed-off-by: Kamil Dudka +--- + docs/libcurl/opts/CURLOPT_NOBODY.3 | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3 +index 3674dde..112fb1a 100644 +--- a/docs/libcurl/opts/CURLOPT_NOBODY.3 ++++ b/docs/libcurl/opts/CURLOPT_NOBODY.3 +@@ -34,13 +34,13 @@ output when doing what would otherwise be a download. For HTTP(S), this makes + libcurl do a HEAD request. For most other protocols it means just not asking + to transfer the body data. + +-For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the ++For HTTP operations when \fICURLOPT_NOBODY(3)\fP has been set, unsetting the + option (with 0) will make it a GET again - only if the method is still set to + be HEAD. The proper way to get back to a GET request is to set +-\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD ++\fICURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD + options. + +-Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body. ++Enabling \fICURLOPT_NOBODY(3)\fP means asking for a download without a body. + + If you do a transfer with HTTP that involves a method other than HEAD, you + will get a body (unless the resource and server sends a zero byte body for the +-- +2.25.4 + From e7a12a6b7bc3fff9a60f2abefb6d0988af4c2fd2 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 19 Aug 2020 12:06:12 +0200 Subject: [PATCH 092/256] new upstream release - 7.72.0 Resolves: CVE-2020-8231 - libcurl: wrong connect-only connection --- 0001-curl-7.71.1-tool-krb-opt.patch | 65 ----------- 0002-curl-7.71.1-unset-nobody.patch | 148 ------------------------ 0101-curl-7.32.0-multilib.patch | 2 +- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.71.1.tar.xz.asc | 11 -- curl-7.72.0.tar.xz.asc | 11 ++ curl.spec | 16 +-- sources | 2 +- 8 files changed, 20 insertions(+), 237 deletions(-) delete mode 100644 0001-curl-7.71.1-tool-krb-opt.patch delete mode 100644 0002-curl-7.71.1-unset-nobody.patch delete mode 100644 curl-7.71.1.tar.xz.asc create mode 100644 curl-7.72.0.tar.xz.asc diff --git a/0001-curl-7.71.1-tool-krb-opt.patch b/0001-curl-7.71.1-tool-krb-opt.patch deleted file mode 100644 index 5e76f50..0000000 --- a/0001-curl-7.71.1-tool-krb-opt.patch +++ /dev/null @@ -1,65 +0,0 @@ -From a58654cbc5bea608b9c8729703a6d866ffaae8d8 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 2 Jul 2020 17:41:37 +0200 -Subject: [PATCH 1/2] tool_getparam: make --krb option work again - -It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301. - -Bug: https://bugzilla.redhat.com/1833193 -Closes #5640 - -Upstream-commit: d2fd845c35922ca73b89c617597dd5c59772e16a -Signed-off-by: Kamil Dudka ---- - src/tool_getparam.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tool_getparam.c b/src/tool_getparam.c -index 3409621..9c6bc8a 100644 ---- a/src/tool_getparam.c -+++ b/src/tool_getparam.c -@@ -813,7 +813,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - break; - case 'x': /* --krb */ - /* kerberos level string */ -- if(curlinfo->features & CURL_VERSION_KERBEROS4) -+ if(curlinfo->features & CURL_VERSION_SPNEGO) - GetStr(&config->krblevel, nextarg); - else - return PARAM_LIBCURL_DOESNT_SUPPORT; --- -2.21.3 - - -From 0be44560dfe3597a12b21b95798f69714ff0459a Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 2 Jul 2020 23:46:40 +0200 -Subject: [PATCH 2/2] curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated - -This came up in #5640. It make sense to clarify this in the docs! - -Reminded-by: Kamil Dudka -Closes #5642 - -Upstream-commit: 54f21be2e3a64b9e57130cf6d1eb4f17c44d7967 -Signed-off-by: Kamil Dudka ---- - docs/libcurl/curl_version_info.3 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/docs/libcurl/curl_version_info.3 b/docs/libcurl/curl_version_info.3 -index 2d21dfb..0d26e87 100644 ---- a/docs/libcurl/curl_version_info.3 -+++ b/docs/libcurl/curl_version_info.3 -@@ -151,7 +151,7 @@ letters. (Added in 7.12.0) - .IP CURL_VERSION_IPV6 - supports IPv6 - .IP CURL_VERSION_KERBEROS4 --supports Kerberos V4 (when using FTP) -+supports Kerberos V4 (when using FTP). Legacy bit. Deprecated since 7.33.0. - .IP CURL_VERSION_KERBEROS5 - supports Kerberos V5 authentication for FTP, IMAP, POP3, SMTP and SOCKSv5 proxy - (Added in 7.40.0) --- -2.21.3 - diff --git a/0002-curl-7.71.1-unset-nobody.patch b/0002-curl-7.71.1-unset-nobody.patch deleted file mode 100644 index 1646a72..0000000 --- a/0002-curl-7.71.1-unset-nobody.patch +++ /dev/null @@ -1,148 +0,0 @@ -From 750188fc8eb239f51255d6f3510f544377e78ecd Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 27 Jul 2020 11:44:01 +0200 -Subject: [PATCH 1/3] setopt: unset NOBODY switches to GET if still HEAD - -Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented -action but before 7.71.0 that used to switch back to GET and with this -change (assuming the method is still set to HEAD) this behavior is -brought back. - -Reported-by: causal-agent on github -Fixes #5725 -Closes #5728 - -Upstream-commit: 91cb16b21faa556d4467399781379ad3abafd3fe -Signed-off-by: Kamil Dudka ---- - lib/setopt.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lib/setopt.c b/lib/setopt.c -index 90edf6a..d621335 100644 ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -274,6 +274,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - if(data->set.opt_no_body) - /* in HTTP lingo, no body means using the HEAD request... */ - data->set.method = HTTPREQ_HEAD; -+ else if(data->set.method == HTTPREQ_HEAD) -+ data->set.method = HTTPREQ_GET; - break; - case CURLOPT_FAILONERROR: - /* --- -2.25.4 - - -From 44add6f66c7ddec9f002fb52ce8e893a8ca9165d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 27 Jul 2020 11:54:29 +0200 -Subject: [PATCH 2/3] CURLOPT_NOBODY.3: clarify what setting to 0 means - -... and mention that HTTP with other methods than HEAD might get a body and -there's no option available to stop that. - -Closes #5729 - -Upstream-commit: e1bac81cc815f3fe968e009eb69b8e0236dcd82c -Signed-off-by: Kamil Dudka ---- - docs/libcurl/opts/CURLOPT_NOBODY.3 | 22 ++++++++++++++++------ - 1 file changed, 16 insertions(+), 6 deletions(-) - -diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3 -index f720f49..3674dde 100644 ---- a/docs/libcurl/opts/CURLOPT_NOBODY.3 -+++ b/docs/libcurl/opts/CURLOPT_NOBODY.3 -@@ -5,7 +5,7 @@ - .\" * | (__| |_| | _ <| |___ - .\" * \___|\___/|_| \_\_____| - .\" * --.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. -+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. - .\" * - .\" * This software is licensed as described in the file COPYING, which - .\" * you should have received as part of this distribution. The terms -@@ -34,7 +34,17 @@ output when doing what would otherwise be a download. For HTTP(S), this makes - libcurl do a HEAD request. For most other protocols it means just not asking - to transfer the body data. - --Enabling this option means asking for a download but without a body. -+For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the -+option (with 0) will make it a GET again - only if the method is still set to -+be HEAD. The proper way to get back to a GET request is to set -+\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD -+options. -+ -+Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body. -+ -+If you do a transfer with HTTP that involves a method other than HEAD, you -+will get a body (unless the resource and server sends a zero byte body for the -+specific URL you request). - .SH DEFAULT - 0, the body is transferred - .SH PROTOCOLS -@@ -43,9 +53,9 @@ Most - .nf - curl = curl_easy_init(); - if(curl) { -- curl_easy_setopt(curl, CURLOPT_URL, "http://example.com"); -+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); - -- /* get us the resource without a body! */ -+ /* get us the resource without a body - use HEAD! */ - curl_easy_setopt(curl, CURLOPT_NOBODY, 1L); - - /* Perform the request */ -@@ -57,5 +67,5 @@ Always - .SH RETURN VALUE - Returns CURLE_OK - .SH "SEE ALSO" --.BR CURLOPT_HTTPGET "(3), " CURLOPT_POST "(3), " --.BR CURLOPT_REQUEST_TARGET "(3), " -+.BR CURLOPT_HTTPGET "(3), " CURLOPT_POSTFIELDS "(3), " CURLOPT_UPLOAD "(3), " -+.BR CURLOPT_REQUEST_TARGET "(3), " CURLOPT_MIMEPOST "(3), " --- -2.25.4 - - -From cc8e488c83254013a0ad1149a77565723aee870b Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 27 Jul 2020 23:59:00 +0200 -Subject: [PATCH 3/3] CURLOPT_NOBODY.3: fix the syntax for referring to options - -As test 1140 fails otherwise! - -Follow-up to e1bac81cc815 - -Upstream-commit: 34e5ad21d2cb98475acdbf7a3a6ea973d8c12249 -Signed-off-by: Kamil Dudka ---- - docs/libcurl/opts/CURLOPT_NOBODY.3 | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3 -index 3674dde..112fb1a 100644 ---- a/docs/libcurl/opts/CURLOPT_NOBODY.3 -+++ b/docs/libcurl/opts/CURLOPT_NOBODY.3 -@@ -34,13 +34,13 @@ output when doing what would otherwise be a download. For HTTP(S), this makes - libcurl do a HEAD request. For most other protocols it means just not asking - to transfer the body data. - --For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the -+For HTTP operations when \fICURLOPT_NOBODY(3)\fP has been set, unsetting the - option (with 0) will make it a GET again - only if the method is still set to - be HEAD. The proper way to get back to a GET request is to set --\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD -+\fICURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD - options. - --Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body. -+Enabling \fICURLOPT_NOBODY(3)\fP means asking for a download without a body. - - If you do a transfer with HTTP that involves a method other than HEAD, you - will get a body (unless the resource and server sends a zero byte body for the --- -2.25.4 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index b4de30d..295120e 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -31,7 +31,7 @@ index 150004d..95d0759 100644 - else - CURLLIBDIR="" - fi -- if test "X@ENABLE_SHARED@" = "Xno" -o "X@REQUIRE_LIB_DEPS@" = "Xyes"; then +- if test "X@ENABLE_SHARED@" = "Xno"; then - echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ - else - echo ${CURLLIBDIR}-lcurl diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 76018a7..2f64091 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -590,6 +590,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -594,6 +594,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.71.1.tar.xz.asc b/curl-7.71.1.tar.xz.asc deleted file mode 100644 index 5954fb7..0000000 --- a/curl-7.71.1.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl78MUgACgkQXMkI/bce -EsJkEgf/ZDR7QKw9aPQoT2dOyqoCTKip1fLCtJBEOmctjS86zF+1caPABYLV1kq6 -9baz7L2qWOmDdHkxF4poTpPH9CkcG3Krq6lHFjbFQ0GxMC+MEnnFYKfDVrRopaKq -ioBUnZrRSIytgwbiwxB+uxxa4ItzV6tZNVKIiIZOuuVSAZ9azA/swpezet8x2kxg -yp1Y3oe0R1VCYiCJ2EOB/rMs0ndPHSRuWiCCIBK7uPXA0jJsL4rjhmY5l2qAadfy -6iDpk85CJvQcGcC8nZMmpbivniOjIjEefjeXviLvg5dZi7f3M028QyGpkkUVzf27 -FiWCDZuZkp9ed2eLIBGWo/wy70f2pw== -=0YwO ------END PGP SIGNATURE----- diff --git a/curl-7.72.0.tar.xz.asc b/curl-7.72.0.tar.xz.asc new file mode 100644 index 0000000..53d5b62 --- /dev/null +++ b/curl-7.72.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl881xgACgkQXMkI/bce +EsIjuwgAj6aeQgnWkubxxXAQ2kbckLh6QUKZWJQxPjb91kz98cGRcrdGRP292JFN +qQprls4rFTWWOIVVMP/kdheeNI9LqDvQAfZMCaLFAWUdw1L2pbId7VbV+NuTAce8 +V/ENqh+Xj2q2LsMnj02k0Uc1e6Nh1K4al2hwFiozarI/ltb3q7jZN2P2fAmDX89y +f3VsVfNZgv7VIwlX2d3b1RvMdppMFrDC3ZsAXlg2GQZ5sE7yfa2Qq+J5RzaNvEDh +p3pMbPiNgk1ZuGQrzoiYq9tqK/o7pD2t4h2GsftppALxC3SsoneNrdnly910IfKh +8qczoMpszBs8F7jts6KnfXszyhyyhQ== +=sC+U +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index dcde2a2..4ba2b38 100644 --- a/curl.spec +++ b/curl.spec @@ -1,16 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.71.1 -Release: 5%{?dist} +Version: 7.72.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# curl: make the --krb option work again (#1833193) -Patch1: 0001-curl-7.71.1-tool-krb-opt.patch - -# setopt: unset NOBODY switches to GET if still HEAD -Patch2: 0002-curl-7.71.1-unset-nobody.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -178,8 +172,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 # Fedora patches %patch101 -p1 @@ -358,6 +350,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Aug 19 2020 Kamil Dudka - 7.72.0-1 +- new upstream release, which fixes the following vulnerability + CVE-2020-8231 - libcurl: wrong connect-only connection + * Thu Aug 06 2020 Kamil Dudka - 7.71.1-5 - setopt: unset NOBODY switches to GET if still HEAD diff --git a/sources b/sources index 9983b9e..153b0e1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.71.1.tar.xz) = 631e0ee8562e5029fe022bfab4222836a3e6d666e82e2bfbd78311fe5985105218a36d1ea68c93472fc57a12b713957a3bcca6e385eda4e58a47ca8d5d50265b +SHA512 (curl-7.72.0.tar.xz) = e5025a32eac6108ccb13d1fcce9c2de28b3a6d6e9a258a647c4be45d71718f75653e1ccd477ef5f29242a15588255c4ef43fe47bf9908b938b6769fccfaac107 From 4226c316c7594a3cce784e9a8db7994e54e1645f Mon Sep 17 00:00:00 2001 From: Jinoh Kang Date: Thu, 10 Sep 2020 09:17:00 +0200 Subject: [PATCH 093/256] Resolves: #1877671O - fix multiarch conflicts in libcurl-minimal --- curl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 4ba2b38..bca10d3 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.72.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -157,7 +157,7 @@ Summary: Conservatively configured build of libcurl for minimal installations Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl = %{version}-%{release} Provides: libcurl%{?_isa} = %{version}-%{release} -Conflicts: libcurl +Conflicts: libcurl%{?_isa} RemovePathPostfixes: .minimal # needed for RemovePathPostfixes to work with shared libraries %undefine __brp_ldconfig @@ -350,6 +350,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Sep 10 2020 Jinoh Kang - 7.72.0-2 +- fix multiarch conflicts in libcurl-minimal (#1877671O) + * Wed Aug 19 2020 Kamil Dudka - 7.72.0-1 - new upstream release, which fixes the following vulnerability CVE-2020-8231 - libcurl: wrong connect-only connection From 89714e3b2488f3e60a417a42de56e893e35e592f Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 20 Sep 2020 11:49:49 +0100 Subject: [PATCH 094/256] Fix bug reference in changelog --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index bca10d3..d42d951 100644 --- a/curl.spec +++ b/curl.spec @@ -351,7 +351,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Thu Sep 10 2020 Jinoh Kang - 7.72.0-2 -- fix multiarch conflicts in libcurl-minimal (#1877671O) +- fix multiarch conflicts in libcurl-minimal (#1877671) * Wed Aug 19 2020 Kamil Dudka - 7.72.0-1 - new upstream release, which fixes the following vulnerability From a15dd89aaabb40be70b0fcfd563e803051725376 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 14 Oct 2020 09:33:29 +0200 Subject: [PATCH 095/256] new upstream release - 7.73.0 --- ...patch => 0104-curl-7.73.0-localhost6.patch | 20 ++++++++++++++++--- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.72.0.tar.xz.asc | 11 ---------- curl-7.73.0.tar.xz.asc | 11 ++++++++++ curl.spec | 18 ++++++++--------- sources | 2 +- 6 files changed, 39 insertions(+), 25 deletions(-) rename 0104-curl-7.19.7-localhost6.patch => 0104-curl-7.73.0-localhost6.patch (75%) delete mode 100644 curl-7.72.0.tar.xz.asc create mode 100644 curl-7.73.0.tar.xz.asc diff --git a/0104-curl-7.19.7-localhost6.patch b/0104-curl-7.73.0-localhost6.patch similarity index 75% rename from 0104-curl-7.19.7-localhost6.patch rename to 0104-curl-7.73.0-localhost6.patch index caa8bc2..7104dcb 100644 --- a/0104-curl-7.19.7-localhost6.patch +++ b/0104-curl-7.73.0-localhost6.patch @@ -1,3 +1,14 @@ +From 70734612c0f2f6f864e771ab4d2509c903342739 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 14 Oct 2020 09:41:28 +0200 +Subject: [PATCH] use localhost6 instead of ip6-localhost in the curl + test-suite + +--- + tests/data/test1083 | 6 +++--- + tests/data/test241 | 8 ++++---- + 2 files changed, 7 insertions(+), 7 deletions(-) + diff --git a/tests/data/test1083 b/tests/data/test1083 index e441278..b0958b6 100644 --- a/tests/data/test1083 @@ -40,12 +51,15 @@ index 46eae1f..4e1632c 100644 -@@ -48,7 +48,7 @@ HTTP-IPv6 GET (using ip6-localhost) - +@@ -45,7 +45,7 @@ HTTP-IPv6 GET (using ip6-localhost) + GET /241 HTTP/1.1 -Host: ip6-localhost:%HTTP6PORT +Host: localhost6:%HTTP6PORT + User-Agent: curl/%VERSION Accept: */* - +-- +2.25.4 + diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 2f64091..c0d390b 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -594,6 +594,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -586,6 +586,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.72.0.tar.xz.asc b/curl-7.72.0.tar.xz.asc deleted file mode 100644 index 53d5b62..0000000 --- a/curl-7.72.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl881xgACgkQXMkI/bce -EsIjuwgAj6aeQgnWkubxxXAQ2kbckLh6QUKZWJQxPjb91kz98cGRcrdGRP292JFN -qQprls4rFTWWOIVVMP/kdheeNI9LqDvQAfZMCaLFAWUdw1L2pbId7VbV+NuTAce8 -V/ENqh+Xj2q2LsMnj02k0Uc1e6Nh1K4al2hwFiozarI/ltb3q7jZN2P2fAmDX89y -f3VsVfNZgv7VIwlX2d3b1RvMdppMFrDC3ZsAXlg2GQZ5sE7yfa2Qq+J5RzaNvEDh -p3pMbPiNgk1ZuGQrzoiYq9tqK/o7pD2t4h2GsftppALxC3SsoneNrdnly910IfKh -8qczoMpszBs8F7jts6KnfXszyhyyhQ== -=sC+U ------END PGP SIGNATURE----- diff --git a/curl-7.73.0.tar.xz.asc b/curl-7.73.0.tar.xz.asc new file mode 100644 index 0000000..41b3394 --- /dev/null +++ b/curl-7.73.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl+GkkYACgkQXMkI/bce +EsI5vwf+NwIw3Jmn9lW7/VHNgFWB1Qa0gB4KlDISM2qG9CHzeIW8K50g2JiIAuLa +CVOfuMi/jg1r2INRLErZzdGDtD71TzjaEv6A/dxWL+k5/ieFxmH5iC80rYWi8EE9 +sv/bx8vEq8ikIqqV7KxYPlX8xMJBMfCs+TNQbzYM3WUDMLYJLpuNiWrzS6h8+mPq +4w8qYyrNI5x/J3HSJuzyoJy0ueQOQ6CaZwV/ViGBLmFkMKgsAXJu9ImRMmJXKAk5 +MLiVUKI1KpHJNHZS5pLIP5wrjIN3z7FIRxThJ6f/IqUF1mIc6MNnqcER6lBtxeq4 +SuRq9Dx5W2en/g+I5iic8GwkDD+U6A== +=W3Yh +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index d42d951..1b93fec 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.72.0 -Release: 2%{?dist} +Version: 7.73.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -12,7 +12,7 @@ Patch101: 0101-curl-7.32.0-multilib.patch Patch102: 0102-curl-7.36.0-debug.patch # use localhost6 instead of ip6-localhost in the curl test-suite -Patch104: 0104-curl-7.19.7-localhost6.patch +Patch104: 0104-curl-7.73.0-localhost6.patch # prevent valgrind from reporting false positives on x86_64 Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch @@ -188,9 +188,7 @@ autoreconf -fiv # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 # -# and test 1900, which is flaky and covers a deprecated feature of libcurl -# -printf "1112\n1455\n1801\n1900\n" >> tests/data/DISABLED +printf "1112\n1455\n1801\n" >> tests/data/DISABLED # disable test 1319 on ppc64 (server times out) %ifarch ppc64 @@ -314,12 +312,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %files %doc CHANGES %doc README -%doc docs/BUGS +%doc docs/BUGS.md %doc docs/FAQ %doc docs/FEATURES -%doc docs/RESOURCES %doc docs/TODO -%doc docs/TheArtOfHttpScripting +%doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* %{_datadir}/zsh @@ -350,6 +347,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 14 2020 Kamil Dudka - 7.73.0-1 +- new upstream release + * Thu Sep 10 2020 Jinoh Kang - 7.72.0-2 - fix multiarch conflicts in libcurl-minimal (#1877671) diff --git a/sources b/sources index 153b0e1..586c3da 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.72.0.tar.xz) = e5025a32eac6108ccb13d1fcce9c2de28b3a6d6e9a258a647c4be45d71718f75653e1ccd477ef5f29242a15588255c4ef43fe47bf9908b938b6769fccfaac107 +SHA512 (curl-7.73.0.tar.xz) = 95330bac2d6bc5306d47723b3c7bdb754fabe2ba2df7b2a8027453a40286f1c7caaee69333f0715e59fbc7fdf09080968ea624398c995cabf3d57493973867bd From 3c950d55416b900db1a4bd1720769de977c56ac1 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 14 Oct 2020 11:10:34 +0200 Subject: [PATCH 096/256] prevent upstream test 1451 from being skipped --- curl.spec | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 1b93fec..30b5fb2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.73.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -75,6 +75,9 @@ BuildRequires: perl(Time::Local) BuildRequires: perl(Time::HiRes) BuildRequires: perl(vars) +# needed for upstream test 1451 +BuildRequires: python3-impacket + # The test-suite runs automatically through valgrind if valgrind is available # on the system. By not installing valgrind into mock's chroot, we disable # this feature for production builds on architectures where valgrind is known @@ -181,6 +184,7 @@ be installed. # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py +sed -e 's|^python |%{__python3} |' -i tests/data/test1451 # regenerate the configure script and Makefile.in files autoreconf -fiv @@ -347,6 +351,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 14 2020 Kamil Dudka - 7.73.0-2 +- prevent upstream test 1451 from being skipped + * Wed Oct 14 2020 Kamil Dudka - 7.73.0-1 - new upstream release From 9ef73a22d07669f1c8b6b749218c5ad808fb41fb Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Mon, 9 Nov 2020 12:31:52 +0000 Subject: [PATCH 097/256] Upstream moved from curl.haxx.se to curl.se --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 30b5fb2..eeca740 100644 --- a/curl.spec +++ b/curl.spec @@ -3,7 +3,7 @@ Name: curl Version: 7.73.0 Release: 2%{?dist} License: MIT -Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +Source: https://curl.se/download/%{name}-%{version}.tar.xz # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -19,7 +19,7 @@ Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch Provides: curl-full = %{version}-%{release} Provides: webclient -URL: https://curl.haxx.se/ +URL: https://curl.se/ BuildRequires: automake BuildRequires: brotli-devel BuildRequires: coreutils From c829072f9fee134adc18797198988f3aac885673 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 9 Dec 2020 10:30:08 +0100 Subject: [PATCH 098/256] new upstream release - 7.74.0 Resolves: CVE-2020-8286 - curl: Inferior OCSP verification Resolves: CVE-2020-8285 - libcurl: FTP wildcard stack overflow Resolves: CVE-2020-8284 - curl: trusting FTP PASV responses --- 0101-curl-7.32.0-multilib.patch | 4 ++-- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.73.0.tar.xz.asc | 11 ----------- curl-7.74.0.tar.xz.asc | 11 +++++++++++ curl.spec | 12 +++++++++--- sources | 2 +- 6 files changed, 24 insertions(+), 18 deletions(-) delete mode 100644 curl-7.73.0.tar.xz.asc create mode 100644 curl-7.74.0.tar.xz.asc diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 295120e..46c8986 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -85,7 +85,7 @@ index 2ba9c39..f8f8b00 100644 +configure_options=@CONFIGURE_OPTIONS@ Name: libcurl - URL: https://curl.haxx.se/ + URL: https://curl.se/ -- -2.5.0 +2.26.2 diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index c0d390b..f99a737 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -586,6 +586,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -587,6 +587,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.73.0.tar.xz.asc b/curl-7.73.0.tar.xz.asc deleted file mode 100644 index 41b3394..0000000 --- a/curl-7.73.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl+GkkYACgkQXMkI/bce -EsI5vwf+NwIw3Jmn9lW7/VHNgFWB1Qa0gB4KlDISM2qG9CHzeIW8K50g2JiIAuLa -CVOfuMi/jg1r2INRLErZzdGDtD71TzjaEv6A/dxWL+k5/ieFxmH5iC80rYWi8EE9 -sv/bx8vEq8ikIqqV7KxYPlX8xMJBMfCs+TNQbzYM3WUDMLYJLpuNiWrzS6h8+mPq -4w8qYyrNI5x/J3HSJuzyoJy0ueQOQ6CaZwV/ViGBLmFkMKgsAXJu9ImRMmJXKAk5 -MLiVUKI1KpHJNHZS5pLIP5wrjIN3z7FIRxThJ6f/IqUF1mIc6MNnqcER6lBtxeq4 -SuRq9Dx5W2en/g+I5iic8GwkDD+U6A== -=W3Yh ------END PGP SIGNATURE----- diff --git a/curl-7.74.0.tar.xz.asc b/curl-7.74.0.tar.xz.asc new file mode 100644 index 0000000..2712a60 --- /dev/null +++ b/curl-7.74.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl/QcZ8ACgkQXMkI/bce +EsJYnggAs5MbJByXsUEI3LzdRvjb2s/dNS/+ubJ98GL+ed8uVsLmGxdF0fS9EPVX ++KoaYbaZwjZJH43+UyqtoFr4GQKhxxhcyZi3477s9Ws9x60yEA21oIggkQLF6X+E +OEymG0YmNUn/6vvWizCWZtE7TkoWAXEzPLyVbBzoFzfmgzxiQ9//usKCaDh/nCWA +kouxubBJbpdjk8KTnVf5HMP5PJKs9LeiVh9B2F+Rq1cEvzLrxNlDYptEgH/ml5Sd +WsWeWttngs2pnZu0pMQNGhdXp6XC5lteN21C1/3hy3KVFUnkqaA+1IHm39wBE73j +Bmnoi36d+Ub6ZT3Va84Dp/tWJ65Xig== +=9ka/ +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index eeca740..ecc8711 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.73.0 -Release: 2%{?dist} +Version: 7.74.0 +Release: 1%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -318,7 +318,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %doc README %doc docs/BUGS.md %doc docs/FAQ -%doc docs/FEATURES +%doc docs/FEATURES.md %doc docs/TODO %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl @@ -351,6 +351,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 09 2020 Kamil Dudka - 7.74.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2020-8286 - curl: Inferior OCSP verification + CVE-2020-8285 - libcurl: FTP wildcard stack overflow + CVE-2020-8284 - curl: trusting FTP PASV responses + * Wed Oct 14 2020 Kamil Dudka - 7.73.0-2 - prevent upstream test 1451 from being skipped diff --git a/sources b/sources index 586c3da..fec3ccb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.73.0.tar.xz) = 95330bac2d6bc5306d47723b3c7bdb754fabe2ba2df7b2a8027453a40286f1c7caaee69333f0715e59fbc7fdf09080968ea624398c995cabf3d57493973867bd +SHA512 (curl-7.74.0.tar.xz) = 5d987f0b4d051c9e254f14d4e2a05f7cda9fb0f0ac7b3ca3664a25a51ee5ffe092ee072c0d9a613fcd3f34727d75bba14b70f5500cb110ca818591e071c3e6f4 From 182c2a8bbbeee42a6e4d16817c764f624390d87d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 9 Dec 2020 18:51:40 +0100 Subject: [PATCH 099/256] do not rewrite shebangs in test-suite to use python3 explicitly --- curl.spec | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/curl.spec b/curl.spec index ecc8711..027358e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.74.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -39,6 +39,7 @@ BuildRequires: openssh-server BuildRequires: openssl-devel BuildRequires: perl-interpreter BuildRequires: pkgconfig +BuildRequires: python-unversioned-command BuildRequires: python3-devel BuildRequires: sed BuildRequires: stunnel @@ -182,10 +183,6 @@ be installed. %patch104 -p1 %patch105 -p1 -# make tests/*.py use Python 3 -sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py -sed -e 's|^python |%{__python3} |' -i tests/data/test1451 - # regenerate the configure script and Makefile.in files autoreconf -fiv @@ -351,6 +348,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 09 2020 Kamil Dudka - 7.74.0-2 +- do not rewrite shebangs in test-suite to use python3 explicitly + * Wed Dec 09 2020 Kamil Dudka - 7.74.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2020-8286 - curl: Inferior OCSP verification From 3613691251ed92265dbb7bcb678a14c5262e9dbc Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 26 Jan 2021 02:51:37 +0000 Subject: [PATCH 100/256] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 027358e..d73bd4f 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.74.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -348,6 +348,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Jan 26 2021 Fedora Release Engineering - 7.74.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Wed Dec 09 2020 Kamil Dudka - 7.74.0-2 - do not rewrite shebangs in test-suite to use python3 explicitly From 1cfc0aeb3b0803992927a289aec9140acc107853 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 26 Jan 2021 15:13:50 +0100 Subject: [PATCH 101/256] do not use stunnel for tests on s390x builds ... to avoid spurious failures --- curl.spec | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index d73bd4f..db27a55 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.74.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -42,7 +42,6 @@ BuildRequires: pkgconfig BuildRequires: python-unversioned-command BuildRequires: python3-devel BuildRequires: sed -BuildRequires: stunnel BuildRequires: zlib-devel # needed to compress content of tool_hugehelp.c after changing curl.1 man page @@ -89,6 +88,12 @@ BuildRequires: python3-impacket BuildRequires: valgrind %endif +# stunnel is used by upstream tests but it does not seem to work reliably +# on s390x and occasionally breaks some tests (mainly 1561 and 1562) +%ifnarch s390x +BuildRequires: stunnel +%endif + # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} @@ -348,6 +353,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Jan 26 2021 Kamil Dudka - 7.74.0-4 +- do not use stunnel for tests on s390x builds to avoid spurious failures + * Tue Jan 26 2021 Fedora Release Engineering - 7.74.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild From 7dada590f21a6aa8ea6033f636f03e334d91a026 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 3 Feb 2021 08:52:59 +0100 Subject: [PATCH 102/256] new upstream release - 7.75.0 --- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.74.0.tar.xz.asc | 11 ----------- curl-7.75.0.tar.xz.asc | 11 +++++++++++ curl.spec | 7 +++++-- sources | 2 +- 5 files changed, 18 insertions(+), 15 deletions(-) delete mode 100644 curl-7.74.0.tar.xz.asc create mode 100644 curl-7.75.0.tar.xz.asc diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index f99a737..f492ac5 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -587,6 +587,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.74.0.tar.xz.asc b/curl-7.74.0.tar.xz.asc deleted file mode 100644 index 2712a60..0000000 --- a/curl-7.74.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl/QcZ8ACgkQXMkI/bce -EsJYnggAs5MbJByXsUEI3LzdRvjb2s/dNS/+ubJ98GL+ed8uVsLmGxdF0fS9EPVX -+KoaYbaZwjZJH43+UyqtoFr4GQKhxxhcyZi3477s9Ws9x60yEA21oIggkQLF6X+E -OEymG0YmNUn/6vvWizCWZtE7TkoWAXEzPLyVbBzoFzfmgzxiQ9//usKCaDh/nCWA -kouxubBJbpdjk8KTnVf5HMP5PJKs9LeiVh9B2F+Rq1cEvzLrxNlDYptEgH/ml5Sd -WsWeWttngs2pnZu0pMQNGhdXp6XC5lteN21C1/3hy3KVFUnkqaA+1IHm39wBE73j -Bmnoi36d+Ub6ZT3Va84Dp/tWJ65Xig== -=9ka/ ------END PGP SIGNATURE----- diff --git a/curl-7.75.0.tar.xz.asc b/curl-7.75.0.tar.xz.asc new file mode 100644 index 0000000..ec35a14 --- /dev/null +++ b/curl-7.75.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmAaSxEACgkQXMkI/bce +EsI36QgAlx+oYuWiaMytv/Ixfcm2gTq+9Qu60KsmvccyKLOq7OxAmX+gz1PYOsUc +eqAwq8dg9Mo+cuk7zWpxRMg1qBgvZpv5oeAhy8VUeWD/HE0Z2RoxC3tw87uNn5uN +2g0FJEXGzDaQQdI0hh2Kb4uNqiKiBCsSfHX4J+eWDUoHwzoFestct8PAcAG8lOzt +0nGj6Is1Rba3SrlkCtRdzEkrjfNe5KKNjE9F0ybhL7TPKSZZvlustZgU5OgdjDHu +uJzFQDK5eyjeYu7tyJQOOwercjOQrmp0YYvYt6CdALUflU2RNvnS83+e/syAYEZ4 +FvnYlZyp8WCKxOikGwX2m/JEOATXSw== +=HFSu +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index db27a55..c229723 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.74.0 -Release: 4%{?dist} +Version: 7.75.0 +Release: 1%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -353,6 +353,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 03 2021 Kamil Dudka - 7.75.0-1 +- new upstream release + * Tue Jan 26 2021 Kamil Dudka - 7.74.0-4 - do not use stunnel for tests on s390x builds to avoid spurious failures diff --git a/sources b/sources index fec3ccb..78019a7 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.74.0.tar.xz) = 5d987f0b4d051c9e254f14d4e2a05f7cda9fb0f0ac7b3ca3664a25a51ee5ffe092ee072c0d9a613fcd3f34727d75bba14b70f5500cb110ca818591e071c3e6f4 +SHA512 (curl-7.75.0.tar.xz) = 4c2fc6658379b8b93dd50665b70f3000b63d3bcafd2df60b7e651a8edf4735b3decb06c338b84cb22058191aa9f8f4dc85760a42f9987210b59300758304b746 From d78173330438c43344f847d52af7e190411a24e3 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 11 Feb 2021 11:43:55 +0100 Subject: [PATCH 103/256] %check: use unstripped library from the build dir It results in more detailed backtraces in valgrind's output. --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index c229723..b008857 100644 --- a/curl.spec +++ b/curl.spec @@ -266,7 +266,7 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \ %check # we have to override LD_LIBRARY_PATH because we eliminated rpath -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" +LD_LIBRARY_PATH="${PWD}/build-full/lib/.libs" export LD_LIBRARY_PATH # compile upstream test-cases From bd924f90f2cd3b09427127571896d39ec6014a1b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 23 Feb 2021 22:00:29 +0100 Subject: [PATCH 104/256] build-require python3-impacket only on Fedora It might not be available in RHEL or CentOS Stream build repos. --- curl.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index b008857..8fb7c0b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.75.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -75,8 +75,10 @@ BuildRequires: perl(Time::Local) BuildRequires: perl(Time::HiRes) BuildRequires: perl(vars) +%if 0%{?fedora} # needed for upstream test 1451 BuildRequires: python3-impacket +%endif # The test-suite runs automatically through valgrind if valgrind is available # on the system. By not installing valgrind into mock's chroot, we disable @@ -353,6 +355,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Feb 23 2021 Kamil Dudka - 7.75.0-2 +- build-require python3-impacket only on Fedora + * Wed Feb 03 2021 Kamil Dudka - 7.75.0-1 - new upstream release From 742526c0485e7499005e474ac777a3456e563693 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 24 Mar 2021 11:04:10 +0100 Subject: [PATCH 105/256] Resolves: #1941925 - fix SIGSEGV upon disconnect of a ldaps:// transfer --- 0001-curl-7.75.0-ldaps-segv.patch | 156 ++++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 164 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.75.0-ldaps-segv.patch diff --git a/0001-curl-7.75.0-ldaps-segv.patch b/0001-curl-7.75.0-ldaps-segv.patch new file mode 100644 index 0000000..0e96666 --- /dev/null +++ b/0001-curl-7.75.0-ldaps-segv.patch @@ -0,0 +1,156 @@ +From 17686d25019489f43f3d5641db8683932857845e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 15 Feb 2021 09:41:22 +0100 +Subject: [PATCH 1/2] openldap: pass 'data' to the callbacks instead of 'conn' + +Upstream-commit: a59c33ceffb8f78b71fa084bbc99c94ecfe82ce6 +Signed-off-by: Kamil Dudka +--- + lib/openldap.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/lib/openldap.c b/lib/openldap.c +index 4070bbf..d079822 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -278,7 +278,7 @@ static CURLcode ldap_connecting(struct Curl_easy *data, bool *done) + if(!li->sslinst) { + Sockbuf *sb; + ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb); +- ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, conn); ++ ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, data); + li->sslinst = TRUE; + li->recv = conn->recv[FIRSTSOCKET]; + li->send = conn->send[FIRSTSOCKET]; +@@ -716,8 +716,8 @@ ldapsb_tls_ctrl(Sockbuf_IO_Desc *sbiod, int opt, void *arg) + { + (void)arg; + if(opt == LBER_SB_OPT_DATA_READY) { +- struct connectdata *conn = sbiod->sbiod_pvt; +- return Curl_ssl_data_pending(conn, FIRSTSOCKET); ++ struct Curl_easy *data = sbiod->sbiod_pvt; ++ return Curl_ssl_data_pending(data->conn, FIRSTSOCKET); + } + return 0; + } +@@ -725,12 +725,13 @@ ldapsb_tls_ctrl(Sockbuf_IO_Desc *sbiod, int opt, void *arg) + static ber_slen_t + ldapsb_tls_read(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) + { +- struct connectdata *conn = sbiod->sbiod_pvt; ++ struct Curl_easy *data = sbiod->sbiod_pvt; ++ struct connectdata *conn = data->conn; + struct ldapconninfo *li = conn->proto.ldapc; + ber_slen_t ret; + CURLcode err = CURLE_RECV_ERROR; + +- ret = (li->recv)(conn->data, FIRSTSOCKET, buf, len, &err); ++ ret = (li->recv)(data, FIRSTSOCKET, buf, len, &err); + if(ret < 0 && err == CURLE_AGAIN) { + SET_SOCKERRNO(EWOULDBLOCK); + } +@@ -740,12 +741,13 @@ ldapsb_tls_read(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) + static ber_slen_t + ldapsb_tls_write(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) + { +- struct connectdata *conn = sbiod->sbiod_pvt; ++ struct Curl_easy *data = sbiod->sbiod_pvt; ++ struct connectdata *conn = data->conn; + struct ldapconninfo *li = conn->proto.ldapc; + ber_slen_t ret; + CURLcode err = CURLE_SEND_ERROR; + +- ret = (li->send)(conn->data, FIRSTSOCKET, buf, len, &err); ++ ret = (li->send)(data, FIRSTSOCKET, buf, len, &err); + if(ret < 0 && err == CURLE_AGAIN) { + SET_SOCKERRNO(EWOULDBLOCK); + } +-- +2.26.3 + + +From a1c1f175e44ef95c47b1e2e91424e193ee7a0d0b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 23 Mar 2021 09:28:07 +0100 +Subject: [PATCH 2/2] openldap: avoid NULL pointer dereferences + +Follow-up to a59c33ceffb8f78 +Reported-by: Patrick Monnerat +Fixes #6676 +Closes #6780 + +Upstream-commit: e467ea3bd937f38e1d2e070a68ed451303ba1e73 +Signed-off-by: Kamil Dudka +--- + lib/openldap.c | 40 +++++++++++++++++++++++++--------------- + 1 file changed, 25 insertions(+), 15 deletions(-) + +diff --git a/lib/openldap.c b/lib/openldap.c +index d079822..066c0fd 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -369,6 +369,9 @@ static CURLcode ldap_disconnect(struct Curl_easy *data, + + if(li) { + if(li->ld) { ++ Sockbuf *sb; ++ ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb); ++ ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, NULL); + ldap_unbind_ext(li->ld, NULL, NULL); + li->ld = NULL; + } +@@ -726,14 +729,18 @@ static ber_slen_t + ldapsb_tls_read(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) + { + struct Curl_easy *data = sbiod->sbiod_pvt; +- struct connectdata *conn = data->conn; +- struct ldapconninfo *li = conn->proto.ldapc; +- ber_slen_t ret; +- CURLcode err = CURLE_RECV_ERROR; ++ ber_slen_t ret = 0; ++ if(data) { ++ struct connectdata *conn = data->conn; ++ if(conn) { ++ struct ldapconninfo *li = conn->proto.ldapc; ++ CURLcode err = CURLE_RECV_ERROR; + +- ret = (li->recv)(data, FIRSTSOCKET, buf, len, &err); +- if(ret < 0 && err == CURLE_AGAIN) { +- SET_SOCKERRNO(EWOULDBLOCK); ++ ret = (li->recv)(data, FIRSTSOCKET, buf, len, &err); ++ if(ret < 0 && err == CURLE_AGAIN) { ++ SET_SOCKERRNO(EWOULDBLOCK); ++ } ++ } + } + return ret; + } +@@ -742,14 +749,17 @@ static ber_slen_t + ldapsb_tls_write(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) + { + struct Curl_easy *data = sbiod->sbiod_pvt; +- struct connectdata *conn = data->conn; +- struct ldapconninfo *li = conn->proto.ldapc; +- ber_slen_t ret; +- CURLcode err = CURLE_SEND_ERROR; +- +- ret = (li->send)(data, FIRSTSOCKET, buf, len, &err); +- if(ret < 0 && err == CURLE_AGAIN) { +- SET_SOCKERRNO(EWOULDBLOCK); ++ ber_slen_t ret = 0; ++ if(data) { ++ struct connectdata *conn = data->conn; ++ if(conn) { ++ struct ldapconninfo *li = conn->proto.ldapc; ++ CURLcode err = CURLE_SEND_ERROR; ++ ret = (li->send)(data, FIRSTSOCKET, buf, len, &err); ++ if(ret < 0 && err == CURLE_AGAIN) { ++ SET_SOCKERRNO(EWOULDBLOCK); ++ } ++ } + } + return ret; + } +-- +2.26.3 + diff --git a/curl.spec b/curl.spec index 8fb7c0b..62aaa2d 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.75.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz +# fix SIGSEGV upon disconnect of a ldaps:// transfer +Patch1: 0001-curl-7.75.0-ldaps-segv.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -185,6 +188,7 @@ be installed. # upstream patches # Fedora patches +%patch1 -p1 %patch101 -p1 %patch102 -p1 %patch104 -p1 @@ -355,6 +359,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 24 2021 Kamil Dudka - 7.75.0-3 +- fix SIGSEGV upon disconnect of a ldaps:// transfer + * Tue Feb 23 2021 Kamil Dudka - 7.75.0-2 - build-require python3-impacket only on Fedora From b57f5589af95701cac8523c767918ddee529df03 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 24 Mar 2021 11:17:40 +0100 Subject: [PATCH 106/256] fix misplaced comment in %prep from the previous commit --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 62aaa2d..afdd1b8 100644 --- a/curl.spec +++ b/curl.spec @@ -186,9 +186,9 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches -%patch1 -p1 %patch101 -p1 %patch102 -p1 %patch104 -p1 From 25676e54ef4a6ff221d817f6eb708a086e63dd1c Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 31 Mar 2021 10:17:37 +0200 Subject: [PATCH 107/256] replace 0104-curl-7.73.0-localhost6.patch by sed invocation ... to avoid conflict resolution on new upstream releases --- 0104-curl-7.73.0-localhost6.patch | 65 ------------------------------- curl.spec | 21 ++++++---- 2 files changed, 13 insertions(+), 73 deletions(-) delete mode 100644 0104-curl-7.73.0-localhost6.patch diff --git a/0104-curl-7.73.0-localhost6.patch b/0104-curl-7.73.0-localhost6.patch deleted file mode 100644 index 7104dcb..0000000 --- a/0104-curl-7.73.0-localhost6.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 70734612c0f2f6f864e771ab4d2509c903342739 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 14 Oct 2020 09:41:28 +0200 -Subject: [PATCH] use localhost6 instead of ip6-localhost in the curl - test-suite - ---- - tests/data/test1083 | 6 +++--- - tests/data/test241 | 8 ++++---- - 2 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/tests/data/test1083 b/tests/data/test1083 -index e441278..b0958b6 100644 ---- a/tests/data/test1083 -+++ b/tests/data/test1083 -@@ -33,13 +33,13 @@ ipv6 - http-ipv6 - - --HTTP-IPv6 GET with ip6-localhost --interface -+HTTP-IPv6 GET with localhost6 --interface - - ---g "http://%HOST6IP:%HTTP6PORT/1083" --interface ip6-localhost -+-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6 - - --perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}" -+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}" - - - -diff --git a/tests/data/test241 b/tests/data/test241 -index 46eae1f..4e1632c 100644 ---- a/tests/data/test241 -+++ b/tests/data/test241 -@@ -30,13 +30,13 @@ ipv6 - http-ipv6 - - --HTTP-IPv6 GET (using ip6-localhost) -+HTTP-IPv6 GET (using localhost6) - - ---g "http://ip6-localhost:%HTTP6PORT/241" -+-g "http://localhost6:%HTTP6PORT/241" - - --./server/resolve --ipv6 ip6-localhost -+./server/resolve --ipv6 localhost6 - - - -@@ -45,7 +45,7 @@ HTTP-IPv6 GET (using ip6-localhost) - - - GET /241 HTTP/1.1 --Host: ip6-localhost:%HTTP6PORT -+Host: localhost6:%HTTP6PORT - User-Agent: curl/%VERSION - Accept: */* - --- -2.25.4 - diff --git a/curl.spec b/curl.spec index afdd1b8..b3a1402 100644 --- a/curl.spec +++ b/curl.spec @@ -14,9 +14,6 @@ Patch101: 0101-curl-7.32.0-multilib.patch # prevent configure script from discarding -g in CFLAGS (#496778) Patch102: 0102-curl-7.36.0-debug.patch -# use localhost6 instead of ip6-localhost in the curl test-suite -Patch104: 0104-curl-7.73.0-localhost6.patch - # prevent valgrind from reporting false positives on x86_64 Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch @@ -191,12 +188,8 @@ be installed. # Fedora patches %patch101 -p1 %patch102 -p1 -%patch104 -p1 %patch105 -p1 -# regenerate the configure script and Makefile.in files -autoreconf -fiv - # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 # @@ -218,7 +211,19 @@ printf "702\n703\n716\n" >> tests/data/DISABLED %endif # adapt test 323 for updated OpenSSL -sed -e 's/^35$/35,52/' -i tests/data/test323 +sed -e 's|^35$|35,52|' -i tests/data/test323 + +# use localhost6 instead of ip6-localhost in the curl test-suite +( + # avoid glob expansion in the trace output of `bash -x` + { set +x; } 2>/dev/null + cmd="sed -e 's|ip6-localhost|localhost6|' -i tests/data/test[0-9]*" + printf "+ %s\n" "$cmd" >&2 + eval "$cmd" +) + +# regenerate the configure script and Makefile.in files +autoreconf -fiv %build mkdir build-{full,minimal} From a0d250c162cbb221f09b9aa18d0bf1adc0e36be5 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 31 Mar 2021 10:10:28 +0200 Subject: [PATCH 108/256] new upstream release - 7.76.0 Resolves: CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup Resolves: CVE-2021-22876 - Automatic referer leaks credentials --- 0001-curl-7.75.0-ldaps-segv.patch | 156 ------------------------------ curl-7.75.0.tar.xz.asc | 11 --- curl-7.76.0.tar.xz.asc | 11 +++ curl.spec | 13 +-- sources | 2 +- 5 files changed, 19 insertions(+), 174 deletions(-) delete mode 100644 0001-curl-7.75.0-ldaps-segv.patch delete mode 100644 curl-7.75.0.tar.xz.asc create mode 100644 curl-7.76.0.tar.xz.asc diff --git a/0001-curl-7.75.0-ldaps-segv.patch b/0001-curl-7.75.0-ldaps-segv.patch deleted file mode 100644 index 0e96666..0000000 --- a/0001-curl-7.75.0-ldaps-segv.patch +++ /dev/null @@ -1,156 +0,0 @@ -From 17686d25019489f43f3d5641db8683932857845e Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 15 Feb 2021 09:41:22 +0100 -Subject: [PATCH 1/2] openldap: pass 'data' to the callbacks instead of 'conn' - -Upstream-commit: a59c33ceffb8f78b71fa084bbc99c94ecfe82ce6 -Signed-off-by: Kamil Dudka ---- - lib/openldap.c | 16 +++++++++------- - 1 file changed, 9 insertions(+), 7 deletions(-) - -diff --git a/lib/openldap.c b/lib/openldap.c -index 4070bbf..d079822 100644 ---- a/lib/openldap.c -+++ b/lib/openldap.c -@@ -278,7 +278,7 @@ static CURLcode ldap_connecting(struct Curl_easy *data, bool *done) - if(!li->sslinst) { - Sockbuf *sb; - ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb); -- ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, conn); -+ ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, data); - li->sslinst = TRUE; - li->recv = conn->recv[FIRSTSOCKET]; - li->send = conn->send[FIRSTSOCKET]; -@@ -716,8 +716,8 @@ ldapsb_tls_ctrl(Sockbuf_IO_Desc *sbiod, int opt, void *arg) - { - (void)arg; - if(opt == LBER_SB_OPT_DATA_READY) { -- struct connectdata *conn = sbiod->sbiod_pvt; -- return Curl_ssl_data_pending(conn, FIRSTSOCKET); -+ struct Curl_easy *data = sbiod->sbiod_pvt; -+ return Curl_ssl_data_pending(data->conn, FIRSTSOCKET); - } - return 0; - } -@@ -725,12 +725,13 @@ ldapsb_tls_ctrl(Sockbuf_IO_Desc *sbiod, int opt, void *arg) - static ber_slen_t - ldapsb_tls_read(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) - { -- struct connectdata *conn = sbiod->sbiod_pvt; -+ struct Curl_easy *data = sbiod->sbiod_pvt; -+ struct connectdata *conn = data->conn; - struct ldapconninfo *li = conn->proto.ldapc; - ber_slen_t ret; - CURLcode err = CURLE_RECV_ERROR; - -- ret = (li->recv)(conn->data, FIRSTSOCKET, buf, len, &err); -+ ret = (li->recv)(data, FIRSTSOCKET, buf, len, &err); - if(ret < 0 && err == CURLE_AGAIN) { - SET_SOCKERRNO(EWOULDBLOCK); - } -@@ -740,12 +741,13 @@ ldapsb_tls_read(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) - static ber_slen_t - ldapsb_tls_write(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) - { -- struct connectdata *conn = sbiod->sbiod_pvt; -+ struct Curl_easy *data = sbiod->sbiod_pvt; -+ struct connectdata *conn = data->conn; - struct ldapconninfo *li = conn->proto.ldapc; - ber_slen_t ret; - CURLcode err = CURLE_SEND_ERROR; - -- ret = (li->send)(conn->data, FIRSTSOCKET, buf, len, &err); -+ ret = (li->send)(data, FIRSTSOCKET, buf, len, &err); - if(ret < 0 && err == CURLE_AGAIN) { - SET_SOCKERRNO(EWOULDBLOCK); - } --- -2.26.3 - - -From a1c1f175e44ef95c47b1e2e91424e193ee7a0d0b Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 23 Mar 2021 09:28:07 +0100 -Subject: [PATCH 2/2] openldap: avoid NULL pointer dereferences - -Follow-up to a59c33ceffb8f78 -Reported-by: Patrick Monnerat -Fixes #6676 -Closes #6780 - -Upstream-commit: e467ea3bd937f38e1d2e070a68ed451303ba1e73 -Signed-off-by: Kamil Dudka ---- - lib/openldap.c | 40 +++++++++++++++++++++++++--------------- - 1 file changed, 25 insertions(+), 15 deletions(-) - -diff --git a/lib/openldap.c b/lib/openldap.c -index d079822..066c0fd 100644 ---- a/lib/openldap.c -+++ b/lib/openldap.c -@@ -369,6 +369,9 @@ static CURLcode ldap_disconnect(struct Curl_easy *data, - - if(li) { - if(li->ld) { -+ Sockbuf *sb; -+ ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb); -+ ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, NULL); - ldap_unbind_ext(li->ld, NULL, NULL); - li->ld = NULL; - } -@@ -726,14 +729,18 @@ static ber_slen_t - ldapsb_tls_read(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) - { - struct Curl_easy *data = sbiod->sbiod_pvt; -- struct connectdata *conn = data->conn; -- struct ldapconninfo *li = conn->proto.ldapc; -- ber_slen_t ret; -- CURLcode err = CURLE_RECV_ERROR; -+ ber_slen_t ret = 0; -+ if(data) { -+ struct connectdata *conn = data->conn; -+ if(conn) { -+ struct ldapconninfo *li = conn->proto.ldapc; -+ CURLcode err = CURLE_RECV_ERROR; - -- ret = (li->recv)(data, FIRSTSOCKET, buf, len, &err); -- if(ret < 0 && err == CURLE_AGAIN) { -- SET_SOCKERRNO(EWOULDBLOCK); -+ ret = (li->recv)(data, FIRSTSOCKET, buf, len, &err); -+ if(ret < 0 && err == CURLE_AGAIN) { -+ SET_SOCKERRNO(EWOULDBLOCK); -+ } -+ } - } - return ret; - } -@@ -742,14 +749,17 @@ static ber_slen_t - ldapsb_tls_write(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) - { - struct Curl_easy *data = sbiod->sbiod_pvt; -- struct connectdata *conn = data->conn; -- struct ldapconninfo *li = conn->proto.ldapc; -- ber_slen_t ret; -- CURLcode err = CURLE_SEND_ERROR; -- -- ret = (li->send)(data, FIRSTSOCKET, buf, len, &err); -- if(ret < 0 && err == CURLE_AGAIN) { -- SET_SOCKERRNO(EWOULDBLOCK); -+ ber_slen_t ret = 0; -+ if(data) { -+ struct connectdata *conn = data->conn; -+ if(conn) { -+ struct ldapconninfo *li = conn->proto.ldapc; -+ CURLcode err = CURLE_SEND_ERROR; -+ ret = (li->send)(data, FIRSTSOCKET, buf, len, &err); -+ if(ret < 0 && err == CURLE_AGAIN) { -+ SET_SOCKERRNO(EWOULDBLOCK); -+ } -+ } - } - return ret; - } --- -2.26.3 - diff --git a/curl-7.75.0.tar.xz.asc b/curl-7.75.0.tar.xz.asc deleted file mode 100644 index ec35a14..0000000 --- a/curl-7.75.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmAaSxEACgkQXMkI/bce -EsI36QgAlx+oYuWiaMytv/Ixfcm2gTq+9Qu60KsmvccyKLOq7OxAmX+gz1PYOsUc -eqAwq8dg9Mo+cuk7zWpxRMg1qBgvZpv5oeAhy8VUeWD/HE0Z2RoxC3tw87uNn5uN -2g0FJEXGzDaQQdI0hh2Kb4uNqiKiBCsSfHX4J+eWDUoHwzoFestct8PAcAG8lOzt -0nGj6Is1Rba3SrlkCtRdzEkrjfNe5KKNjE9F0ybhL7TPKSZZvlustZgU5OgdjDHu -uJzFQDK5eyjeYu7tyJQOOwercjOQrmp0YYvYt6CdALUflU2RNvnS83+e/syAYEZ4 -FvnYlZyp8WCKxOikGwX2m/JEOATXSw== -=HFSu ------END PGP SIGNATURE----- diff --git a/curl-7.76.0.tar.xz.asc b/curl-7.76.0.tar.xz.asc new file mode 100644 index 0000000..775fb6c --- /dev/null +++ b/curl-7.76.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmBkDkUACgkQXMkI/bce +EsJ15ggAtcFfjbq0Fk1KMymZ7trx49GcOPNUKa7utST3tumg0Tc3HsIeuWIOyO0s +frTWFtroWogELMjjdr+yyrI5PZrLkEdtFKd+lRYO4T2Y0SS6Q57d/4CCu3SXNgmd +zKUq4ZSRbjdPFRKkWJ6RMDfPeu8pcJIGQM23BapPbpxtEgd5f8+PzzSX/8S3I1aD +yDv9V3tM+NQq6peetV6wj7hWFInUHbTWPSlyzuCvWB2cQRxDNsTcSxuShd0krbgV +CA6Kt4MQc7QOi7luUAHEGmjTRIhSwvTfY6w0EqqFzvRHlf0gsCIUn5jEs8cq+2iV +nEUuezAT/rRYfyjyQ1hWvIK5GP5aCw== +=ju96 +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index b3a1402..3a8f6b8 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.75.0 -Release: 3%{?dist} +Version: 7.76.0 +Release: 1%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz -# fix SIGSEGV upon disconnect of a ldaps:// transfer -Patch1: 0001-curl-7.75.0-ldaps-segv.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -183,7 +180,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -364,6 +360,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 31 2021 Kamil Dudka - 7.76.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup + CVE-2021-22876 - Automatic referer leaks credentials + * Wed Mar 24 2021 Kamil Dudka - 7.75.0-3 - fix SIGSEGV upon disconnect of a ldaps:// transfer diff --git a/sources b/sources index 78019a7..df66d34 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.75.0.tar.xz) = 4c2fc6658379b8b93dd50665b70f3000b63d3bcafd2df60b7e651a8edf4735b3decb06c338b84cb22058191aa9f8f4dc85760a42f9987210b59300758304b746 +SHA512 (curl-7.76.0.tar.xz) = a67e5078b48150c6f5331e76b25a6b197f1e916be1db900bf9455b032b3af5a71610b47e607546ecbae510d196a0cfcb75a14dac549288797af1701b7b587ece From bf8bb4b5b4b3ca912c2fde954769f23ce2fff4b8 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 14 Apr 2021 09:54:02 +0200 Subject: [PATCH 109/256] new upstream release - 7.76.1 --- curl-7.76.0.tar.xz.asc | 11 ----------- curl-7.76.1.tar.xz.asc | 11 +++++++++++ curl.spec | 5 ++++- sources | 2 +- 4 files changed, 16 insertions(+), 13 deletions(-) delete mode 100644 curl-7.76.0.tar.xz.asc create mode 100644 curl-7.76.1.tar.xz.asc diff --git a/curl-7.76.0.tar.xz.asc b/curl-7.76.0.tar.xz.asc deleted file mode 100644 index 775fb6c..0000000 --- a/curl-7.76.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmBkDkUACgkQXMkI/bce -EsJ15ggAtcFfjbq0Fk1KMymZ7trx49GcOPNUKa7utST3tumg0Tc3HsIeuWIOyO0s -frTWFtroWogELMjjdr+yyrI5PZrLkEdtFKd+lRYO4T2Y0SS6Q57d/4CCu3SXNgmd -zKUq4ZSRbjdPFRKkWJ6RMDfPeu8pcJIGQM23BapPbpxtEgd5f8+PzzSX/8S3I1aD -yDv9V3tM+NQq6peetV6wj7hWFInUHbTWPSlyzuCvWB2cQRxDNsTcSxuShd0krbgV -CA6Kt4MQc7QOi7luUAHEGmjTRIhSwvTfY6w0EqqFzvRHlf0gsCIUn5jEs8cq+2iV -nEUuezAT/rRYfyjyQ1hWvIK5GP5aCw== -=ju96 ------END PGP SIGNATURE----- diff --git a/curl-7.76.1.tar.xz.asc b/curl-7.76.1.tar.xz.asc new file mode 100644 index 0000000..c66be4f --- /dev/null +++ b/curl-7.76.1.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmB2hJEACgkQXMkI/bce +EsJN2Qf9GFcide66cPmOPEVW9Lu9dYmg5R6g6KanvxCO02CrdlCzD1Z49M7YjJdp +dU6sP71/BWqI0+IoUd+94O39BR96ARqPgL3TjPf1Fux8x5PeaUP0oD0TaSGq635m +da930dB1RABlvf5/0L9A5+x+Mkgjk/u+RCeoX1nh6WF0HLZ9RSQmBSBxuInzZgHe +Q5bAj1DSOrDizHQ2yvNqymmDqUZVeiusIc3QIzTIwsFSg0PbBqG9sYUCSMdeVSjm +jGcyp5EjyzCyBq7YIzA7VpSRvNTGFr7Q+QP+Sm68kZ6AMCCn/a83jiFUfMyy7H5/ +PEKUqdkKrPScu7DKFWAyqL5DWXt7cA== +=GTGl +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 3a8f6b8..1eaa8ba 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.76.0 +Version: 7.76.1 Release: 1%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -360,6 +360,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Apr 14 2021 Kamil Dudka - 7.76.1-1 +- new upstream release + * Wed Mar 31 2021 Kamil Dudka - 7.76.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup diff --git a/sources b/sources index df66d34..01a34cd 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.76.0.tar.xz) = a67e5078b48150c6f5331e76b25a6b197f1e916be1db900bf9455b032b3af5a71610b47e607546ecbae510d196a0cfcb75a14dac549288797af1701b7b587ece +SHA512 (curl-7.76.1.tar.xz) = 5fe85d2e776789aa8117c57fe7648e375b7fa92d5ead5d69855f19ca9a2624d77a1f9ab91766ecb72bbc17e82862248cd07e48917884d6fd856b93fb00d83e28 From 4b7b124d75894dcca8590ba351fc6524973ff80b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 3 May 2021 17:53:53 +0200 Subject: [PATCH 110/256] Resolves: #1938699 - http2: fix resource leaks detected by Coverity --- 0001-curl-7.76.1-resource-leaks.patch | 133 ++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 141 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.76.1-resource-leaks.patch diff --git a/0001-curl-7.76.1-resource-leaks.patch b/0001-curl-7.76.1-resource-leaks.patch new file mode 100644 index 0000000..3fd4f40 --- /dev/null +++ b/0001-curl-7.76.1-resource-leaks.patch @@ -0,0 +1,133 @@ +From 2281afef6757ed66c9e8a9a737aa91cb9e2950ef Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 30 Apr 2021 18:14:45 +0200 +Subject: [PATCH 1/2] http2: fix resource leaks in set_transfer_url() + +... detected by Coverity: + +Error: RESOURCE_LEAK (CWE-772): +lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". +lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK (CWE-772): +lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". +lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK (CWE-772): +lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". +lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK (CWE-772): +lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". +lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.] +lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to. + +Closes #6986 + +Upstream-commit: 31931704707324af4b4edb24cc877829f7e9949e +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index ce9a0d3..d5ba89b 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -500,32 +500,42 @@ static int set_transfer_url(struct Curl_easy *data, + CURLU *u = curl_url(); + CURLUcode uc; + char *url; ++ int rc = 0; + + v = curl_pushheader_byname(hp, ":scheme"); + if(v) { + uc = curl_url_set(u, CURLUPART_SCHEME, v, 0); +- if(uc) +- return 1; ++ if(uc) { ++ rc = 1; ++ goto fail; ++ } + } + + v = curl_pushheader_byname(hp, ":authority"); + if(v) { + uc = curl_url_set(u, CURLUPART_HOST, v, 0); +- if(uc) +- return 2; ++ if(uc) { ++ rc = 2; ++ goto fail; ++ } + } + + v = curl_pushheader_byname(hp, ":path"); + if(v) { + uc = curl_url_set(u, CURLUPART_PATH, v, 0); +- if(uc) +- return 3; ++ if(uc) { ++ rc = 3; ++ goto fail; ++ } + } + + uc = curl_url_get(u, CURLUPART_URL, &url, 0); + if(uc) +- return 4; ++ rc = 4; ++ fail: + curl_url_cleanup(u); ++ if(rc) ++ return rc; + + if(data->state.url_alloc) + free(data->state.url); +-- +2.30.2 + + +From 92ad72983f8462be1d5a5228672657ddf4d7ed72 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 30 Apr 2021 18:18:02 +0200 +Subject: [PATCH 2/2] http2: fix a resource leak in push_promise() + +... detected by Coverity: + +Error: RESOURCE_LEAK (CWE-772): +lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle". +lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)". +lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url". +lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to. + +Closes #6986 + +Upstream-commit: 3a6058cb976981ec1db870f9657c73c9a1162822 +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/http2.c b/lib/http2.c +index d5ba89b..d0f69ea 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -581,6 +581,7 @@ static int push_promise(struct Curl_easy *data, + + rv = set_transfer_url(newhandle, &heads); + if(rv) { ++ (void)Curl_close(&newhandle); + rv = CURL_PUSH_DENY; + goto fail; + } +-- +2.30.2 + diff --git a/curl.spec b/curl.spec index 1eaa8ba..f8b0c24 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.76.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz +# http2: fix resource leaks detected by Coverity +Patch1: 0001-curl-7.76.1-resource-leaks.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -180,6 +183,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -360,6 +364,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon May 03 2021 Kamil Dudka - 7.76.1-2 +- http2: fix resource leaks detected by Coverity + * Wed Apr 14 2021 Kamil Dudka - 7.76.1-1 - new upstream release From 4c89d92ee7279c90c2c7bb738fadaf311a8f2e03 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 May 2021 09:13:52 +0200 Subject: [PATCH 111/256] new upstream release - 7.77.0 Resolves: CVE-2021-22901 - TLS session caching disaster Resolves: CVE-2021-22898 - TELNET stack contents disclosure --- 0001-curl-7.76.1-resource-leaks.patch | 133 ------------------------ 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.76.1.tar.xz.asc | 11 -- curl-7.77.0.tar.xz.asc | 11 ++ curl.spec | 13 +-- sources | 2 +- 6 files changed, 20 insertions(+), 152 deletions(-) delete mode 100644 0001-curl-7.76.1-resource-leaks.patch delete mode 100644 curl-7.76.1.tar.xz.asc create mode 100644 curl-7.77.0.tar.xz.asc diff --git a/0001-curl-7.76.1-resource-leaks.patch b/0001-curl-7.76.1-resource-leaks.patch deleted file mode 100644 index 3fd4f40..0000000 --- a/0001-curl-7.76.1-resource-leaks.patch +++ /dev/null @@ -1,133 +0,0 @@ -From 2281afef6757ed66c9e8a9a737aa91cb9e2950ef Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 30 Apr 2021 18:14:45 +0200 -Subject: [PATCH 1/2] http2: fix resource leaks in set_transfer_url() - -... detected by Coverity: - -Error: RESOURCE_LEAK (CWE-772): -lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] -lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". -lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.] -lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to. - -Error: RESOURCE_LEAK (CWE-772): -lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] -lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". -lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.] -lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to. - -Error: RESOURCE_LEAK (CWE-772): -lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] -lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". -lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.] -lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to. - -Error: RESOURCE_LEAK (CWE-772): -lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.] -lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()". -lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.] -lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to. - -Closes #6986 - -Upstream-commit: 31931704707324af4b4edb24cc877829f7e9949e -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 24 +++++++++++++++++------- - 1 file changed, 17 insertions(+), 7 deletions(-) - -diff --git a/lib/http2.c b/lib/http2.c -index ce9a0d3..d5ba89b 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -500,32 +500,42 @@ static int set_transfer_url(struct Curl_easy *data, - CURLU *u = curl_url(); - CURLUcode uc; - char *url; -+ int rc = 0; - - v = curl_pushheader_byname(hp, ":scheme"); - if(v) { - uc = curl_url_set(u, CURLUPART_SCHEME, v, 0); -- if(uc) -- return 1; -+ if(uc) { -+ rc = 1; -+ goto fail; -+ } - } - - v = curl_pushheader_byname(hp, ":authority"); - if(v) { - uc = curl_url_set(u, CURLUPART_HOST, v, 0); -- if(uc) -- return 2; -+ if(uc) { -+ rc = 2; -+ goto fail; -+ } - } - - v = curl_pushheader_byname(hp, ":path"); - if(v) { - uc = curl_url_set(u, CURLUPART_PATH, v, 0); -- if(uc) -- return 3; -+ if(uc) { -+ rc = 3; -+ goto fail; -+ } - } - - uc = curl_url_get(u, CURLUPART_URL, &url, 0); - if(uc) -- return 4; -+ rc = 4; -+ fail: - curl_url_cleanup(u); -+ if(rc) -+ return rc; - - if(data->state.url_alloc) - free(data->state.url); --- -2.30.2 - - -From 92ad72983f8462be1d5a5228672657ddf4d7ed72 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 30 Apr 2021 18:18:02 +0200 -Subject: [PATCH 2/2] http2: fix a resource leak in push_promise() - -... detected by Coverity: - -Error: RESOURCE_LEAK (CWE-772): -lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle". -lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)". -lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url". -lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to. - -Closes #6986 - -Upstream-commit: 3a6058cb976981ec1db870f9657c73c9a1162822 -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/http2.c b/lib/http2.c -index d5ba89b..d0f69ea 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -581,6 +581,7 @@ static int push_promise(struct Curl_easy *data, - - rv = set_transfer_url(newhandle, &heads); - if(rv) { -+ (void)Curl_close(&newhandle); - rv = CURL_PUSH_DENY; - goto fail; - } --- -2.30.2 - diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index f492ac5..6b2773c 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -600,6 +600,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.76.1.tar.xz.asc b/curl-7.76.1.tar.xz.asc deleted file mode 100644 index c66be4f..0000000 --- a/curl-7.76.1.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmB2hJEACgkQXMkI/bce -EsJN2Qf9GFcide66cPmOPEVW9Lu9dYmg5R6g6KanvxCO02CrdlCzD1Z49M7YjJdp -dU6sP71/BWqI0+IoUd+94O39BR96ARqPgL3TjPf1Fux8x5PeaUP0oD0TaSGq635m -da930dB1RABlvf5/0L9A5+x+Mkgjk/u+RCeoX1nh6WF0HLZ9RSQmBSBxuInzZgHe -Q5bAj1DSOrDizHQ2yvNqymmDqUZVeiusIc3QIzTIwsFSg0PbBqG9sYUCSMdeVSjm -jGcyp5EjyzCyBq7YIzA7VpSRvNTGFr7Q+QP+Sm68kZ6AMCCn/a83jiFUfMyy7H5/ -PEKUqdkKrPScu7DKFWAyqL5DWXt7cA== -=GTGl ------END PGP SIGNATURE----- diff --git a/curl-7.77.0.tar.xz.asc b/curl-7.77.0.tar.xz.asc new file mode 100644 index 0000000..428b813 --- /dev/null +++ b/curl-7.77.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmCt6IwACgkQXMkI/bce +EsJd+Af/YCvzoV76IFh2aJpoi74XOglG327GQWnJRAt6VooIXvBPddundYOSepAw +OQbReLSQgzmWIICjp4GnV/+gkNodpqJPB1uFHo8AHEBsiVJBTNO7c/mGirQlp5TM +f5xGP8cf1OxwDJ6PBAHAYl4s71t6CWm0C2nf8x24ROlDsO85lz+yFCg1665IbZvp +PFSfeIGHwyUoZesBmBFznm5KI5yc+Yn9gxsq3ujPYMvjMH7KFdw7zQu3SzYjT1+w +bHqVul6+SC8laHuIqZfKnvrjLJMcIhe0vADoyV0/P64ZJ/4X2tGBrpxtXUJJ9S9C +Cif/PNjYIGKg9Mk8odMjXzo8EcVFGA== +=+IKy +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index f8b0c24..9fabf51 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.76.1 -Release: 2%{?dist} +Version: 7.77.0 +Release: 1%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz -# http2: fix resource leaks detected by Coverity -Patch1: 0001-curl-7.76.1-resource-leaks.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -183,7 +180,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -364,6 +360,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 26 2021 Kamil Dudka - 7.77.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22901 - TLS session caching disaster + CVE-2021-22898 - TELNET stack contents disclosure + * Mon May 03 2021 Kamil Dudka - 7.76.1-2 - http2: fix resource leaks detected by Coverity diff --git a/sources b/sources index 01a34cd..7189d3e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.76.1.tar.xz) = 5fe85d2e776789aa8117c57fe7648e375b7fa92d5ead5d69855f19ca9a2624d77a1f9ab91766ecb72bbc17e82862248cd07e48917884d6fd856b93fb00d83e28 +SHA512 (curl-7.77.0.tar.xz) = aef92a0e3f8ce8491b258a9a1c4dcea3c07c29b139a1f68f08619caa0295cfde76335d2dfb9cdf434525daea7dd05d8acd22f203f5ccc7735bd317964ec1da76 From ddaf41062c974e64f5ce0b74825174554c80f7ad Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 2 Jun 2021 18:45:38 +0200 Subject: [PATCH 112/256] Resolves: #1967213 - build the curl tool without metalink support Today curl upstream announced that they are going to completely remove support for metalink from curl already in the next release of curl due to a number of difficult to fix security issues: https://curl.se/mail/archive-2021-06/0006.html https://github.com/curl/curl/pull/7176 --- curl.spec | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index 9fabf51..e3df8e7 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.77.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -24,7 +24,6 @@ BuildRequires: gcc BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel -BuildRequires: libmetalink-devel BuildRequires: libnghttp2-devel BuildRequires: libpsl-devel BuildRequires: libssh-devel @@ -229,6 +228,7 @@ export common_configure_opts=" \ --enable-symbol-hiding \ --enable-ipv6 \ --enable-threaded-resolver \ + --without-libmetalink \ --with-gssapi \ --with-nghttp2 \ --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" @@ -244,7 +244,6 @@ export common_configure_opts=" \ --disable-manual \ --without-brotli \ --without-libidn2 \ - --without-libmetalink \ --without-libpsl \ --without-libssh ) @@ -258,7 +257,6 @@ export common_configure_opts=" \ --enable-manual \ --with-brotli \ --with-libidn2 \ - --with-libmetalink \ --with-libpsl \ --with-libssh ) @@ -360,6 +358,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jun 02 2021 Kamil Dudka - 7.77.0-2 +- build the curl tool without metalink support (#1967213) + * Wed May 26 2021 Kamil Dudka - 7.77.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2021-22901 - TLS session caching disaster From ece67bdd2f1b47ca80267c663ca8250b9b2e3f8c Mon Sep 17 00:00:00 2001 From: Stewart Smith Date: Fri, 9 Jul 2021 18:41:33 +0000 Subject: [PATCH 113/256] gpgverify source tarball Signed-off-by: Stewart Smith --- curl.spec | 11 +++++++- mykey.asc | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 mykey.asc diff --git a/curl.spec b/curl.spec index e3df8e7..3330f94 100644 --- a/curl.spec +++ b/curl.spec @@ -3,7 +3,12 @@ Name: curl Version: 7.77.0 Release: 2%{?dist} License: MIT -Source: https://curl.se/download/%{name}-%{version}.tar.xz +Source0: https://curl.se/download/%{name}-%{version}.tar.xz +Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc +# The curl download page ( https://curl.se/download.html ) links +# to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, +# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc +Source2: mykey.asc # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -40,6 +45,9 @@ BuildRequires: python3-devel BuildRequires: sed BuildRequires: zlib-devel +# For gpg verification of source tarball +BuildRequires: gnupg2 + # needed to compress content of tool_hugehelp.c after changing curl.1 man page BuildRequires: perl(IO::Compress::Gzip) @@ -176,6 +184,7 @@ other hand, the package is smaller and requires fewer run-time dependencies to be installed. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %setup -q # upstream patches diff --git a/mykey.asc b/mykey.asc new file mode 100644 index 0000000..0c77721 --- /dev/null +++ b/mykey.asc @@ -0,0 +1,77 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ +QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV +0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1 +EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch +soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje +f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL +gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo +SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2 +m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0 +ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU +ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w +i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANiFkEExECABkFAj6tnnoECwcD +AgMVAgMDFgIBAh4BAheAAAoJEHjhHGsnnVyRjngAoO1y3LoSOEgD8vR062cdYDmv +jLvVAJ0dmp1UiuQp+oMyq2VbWyw8LXN1XLkBDQQ+rZ59EAQAmYsA8gPjJ75gOIPb +XNg9Z31QzIz65qS9XdNsFNAdKxnY4b72nhc0oaS9/7Dcdf2Q+1mDa2p72DWk+9iz +7knmBL++csBP2z9eMe5h8oV53prqNOHDHyL3WLOa25ga9381gZnzWoQME74iSBBM +wDw8vbLEgIZ34JaQ7Oe+9N3+6n8AAwcD/Av+Ms+3gCc5pLp4nx36qqi36fodaG9+ +dwIcMbr9bivEtjmDHeuPsD6X1J9+Y/ikUBIDpMPv33lJxLoubOtpLhEuN2XN/ojT +rueVPDKA1f+GyfHnyfpf/78IgX1hGVqu/3RBWKPpXFwSZA4q8vFR+FaPC5WbU68t +FLJpYuC9ZO/LiEYEGBECAAYFAj6tnn0ACgkQeOEcayedXJGtPQCgxrbd59afemZ9 +OIadZD8kUGC29dUAoJ94aGUkWCwoEiPyEZRGXv9XRlfxmQENBFcGhyIBCAC79AIx +5hHixKmNtqbryuZTDwlt9XXkEn/QSrQD3pzgbsbBiWyqOV4hfscvtmoqA7koOw4h +zZ/b8pJPA36eNzqMFIbkWpIit/BwA5bTKRkKXeD2kBFkjIN+iDuXawwhv7eNKH9O +poAUe0K/esK/kvbMO721q24IgkOjB1Vtr/Y4Xkg7+VWVP0LFh7C/2Nwq6n2bktsA +Ey9uCDD1hl8BdckN/XxpuUqSfxbF85GvYzzON67zOxxo6jqRXXcJ2PdPq0o9Ak0d +6Fe7g9ZxOAeuYEbFTCZHBBccx84K0Bhn5tpqoq8Mq3f3mZfGBoe4J6wr17cxEDC8 +tTHUpDqk0CoLERUxABEBAAG0IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHgu +c2U+iQE3BBMBCgAhBQJXBociAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ +EPn+r/nTShvbHoAIAJDwb7dcAX4VGPa2oSuQqVnHsjDE7g8ATmcZq2IAzAG6bZg1 +svuhNyPQnL7kNrsz6Ew+yE4vH8mOjDUbc3feY4MzmtEMaB6VS0Xlna6cdtWkv4Y+ +Us4TuYSdftPZuZgI3nN/sXLlxWJCZgCPJJaGM6dXgyTFatk2P1LE98Qif7+ZMqfv ++BA5L6cy2cAwJ5qbvLtuT25rTxooN54JETfwdhUD1NEIqTQxeC4E5lFvwedjAjLh +Gswau8WMCdM/HzGbuQ9Gp3/RafYoAvMV6r6sskvUrWubCHj0u+uNgOpUHvlrwcFg +rBirzQdElumCWqbJVCH0V5NcP/zSz1U1W8wSRqS5AQ0EVwaHIgEIALyCqpnax0cL +y7EK3UiU2Kkryb7LPsZkia9hTcIZjNg0B8XAdqDYpHiquYtX0cz5I1sSZMBJ/xJP +BF2ce/bmOTJtyW3GaF9a+M2zboZSzx9nlv9xx0o3bXBrBlL2vaG2TW+x2G53GA0/ +0chbj35PR+fvJx8ob/fHwCkfzGb1qCzwovhwGVUNHqI5bxK/xVwXfiycbllE3Hmf +09BGeXKR7gQtaal8byKKlqCtayteEaPNQt6czYxZkVAOvY4ZDQKSZJUNwGFog3bG +6rHr1J/0un6nAvX+wMuvRkUDiQxZZCel7e0Qcg3gPrYh+adlr0Tn7wyCP7/BULz8 +67fQfzc2ENkAEQEAAYkBHwQYAQoACQUCVwaHIgIbDAAKCRD5/q/500ob27KaB/9H +a+iDip6mxFdoqy7TAefBy7KgbMQxxT926IcFqf70aJDzeVQI3lGCqN9GW03d+wPr +LoyeQBQKNxxfQ9fEOvp1AXGWFIYYtEZIvQBpIqaSaA7W5IzqfDuO9xG89DNn8zKK +nh/mbYJov/fywhBU6JH7bqdFSHbqoG9TY64s0BkV6shIVOubXLSG5G7LxXhw+xrb +0zl4ie2wCeCBOLdbGHc+o2sKo1rBEz6UBK2DesPfkzxBO7lfa9HTcN03UJPHXmzb +2mCbeFV8yPsTAoaGv4qZH1+FX+9Lv374xTSXa4CjQzSxd0dkZGG+YQjocoPftgsC +OVsiqW0WhRVIEJ+hBAMUmQENBFcGiPEBCAC7sCnaZqWxfXNgBC7P28BSDUs9w4y/ +PEFsOv9bpgbgZagX1FnhG0eV71nm0p8v9T8Bft1eXaBd977Dq9pgk5qKO0xZo8fC +8prFqB5db7fMUvPZCuJTTb6lGMz4OdfT6aHqUvJ+LFF1mKn8Eqt1Q4snHGSL1PI3 +/+435qDRQsU15GdYrj1waNJKk79aes9oguaI2/OTQqzIcOFK5tJjlSOD1ryOIH1e +8vD+5MMpGvsRxv3sQHeTZkfZbkzSLFg/LKpoiQkyql1+BLNhBYq8oaE/jlvQrTEk +bAyKpMScdyHwmkWWKjyZtXTrAtlComnki4yC2lAV9MXINHHvNJBcIXvVABEBAAG0 +IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHguc2U+iQE3BBMBCgAhBQJXBojx +AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFzJCP23HhLCOKkH/1CyoKiN +2PCgTlWoYQspv/AAmsj+cFwZobI167KowA+o3zxQqxg0MV3ds8G+iig9OIuYurlQ +L5Jr3CbDltaiXdWtVteRh/VKp61EwyXq77vjJbx81hvOuaXWWLSlU0KB3w7Hj6aD +/mt16DpOcY9Aw90mKyvafRTqMF7TcT7J5HeGn2NL45dPkAhiMDEgEnw9yBTxK/x6 +UoQGPgiOWxSSN7Foj3mhUOflp8W0rnkLbJ4icpym6WuLKRMKAefDvk8GVlAWuXAb +9gloL1P6u3uNHllq/IODR2bZUBI0QNKhvt0iSj7WKsc/kaqscl+AE9jd/6kXd6vh +TNFWdzeco/2mGlaIRgQQEQoABgUCVwaJ/AAKCRB44RxrJ51ckWcaAKCJ6+arS/3k +IMcO14Jz8dVf2BH3OACgwTenVSsK66qi+VfGCoALpzpiLDO5AQ0EVwaI8QEIAOxQ +AEvF3idxcn80tbUhJg1J98fAS7Hx3WhlFG74uAikZQl1KZrprBu70RWTb7Nm1tvZ +eXW65IlY7kk42bhfYDs1JrIPWOWKvVwKWDxoEbYgW/yvy1TOuXH276zbxLl5OEE8 +sQuOfXZsFSX2IPF9hsgNGaNzor8Ke7Y5BuCQLcGZWW5dLFbbKRKjXG8CaWmsJVoI +c2nyXCAss2q9oCJ13X/5z+Ei392rwi1d3NxAYkSiDQan+fkWkCvZH+dHmFjQ1AND +KielxcW1VfilK1hu9ziBBDf8TCEud/q0woIAH7rvIft4i3CqjymonByE4/OjfH8j +4EteQ8qoknMCjjwNVqkAEQEAAYkBHwQYAQoACQUCVwaI8QIbDAAKCRBcyQj9tx4S +wupjB/9TV4anbZK58bN7QJ5qGnU3GNjlvWFZXMw1u1xVc7abDJyqmFeJcJ4qLUkv +BA0OsvlVnMWmeCmzsXhlQVM4Bv6IWyr7JBWgkK5q2CWVB59V7v7znf5kWnMGFhDF +PlLsGbxDWLMoZGH+Iy84whMJFgferwCJy1dND/bHXPztfhvFXi8NNlJUFJa8Xtmu +gm78C+nwNHcFpVC70HPr3oa8U1ODXMp7L8W/dL3eLYXmRCNd0urHgYrzDt6V/zf5 +ymvPk5w4HBocn2oRCJj/FXKhFAUptmpTE3g1yvYULmuFcNGAnPAExmAmd6NqsCmb +j/qx4ytjt5uxt6Jm6IXV9cry8i6x +=Phs/ +-----END PGP PUBLIC KEY BLOCK----- From 64bcb4bcc111a840ebdffe4fdf806232b88debff Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Jul 2021 10:15:27 +0200 Subject: [PATCH 114/256] new upstream release - 7.78.0 Resolves: CVE-2021-22925 - TELNET stack contents disclosure again Resolves: CVE-2021-22924 - bad connection reuse due to flawed path name checks Resolves: CVE-2021-22923 - metalink download sends credentials Resolves: CVE-2021-22922 - wrong content via metalink not discarded --- 0102-curl-7.36.0-debug.patch | 61 ------------------------- 0105-curl-7.63.0-lib1560-valgrind.patch | 2 +- curl-7.77.0.tar.xz.asc | 11 ----- curl-7.78.0.tar.xz.asc | 11 +++++ curl.spec | 16 ++++--- sources | 2 +- 6 files changed, 22 insertions(+), 81 deletions(-) delete mode 100644 0102-curl-7.36.0-debug.patch delete mode 100644 curl-7.77.0.tar.xz.asc create mode 100644 curl-7.78.0.tar.xz.asc diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch deleted file mode 100644 index c096d67..0000000 --- a/0102-curl-7.36.0-debug.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 31 Oct 2012 11:38:30 +0100 -Subject: [PATCH] prevent configure script from discarding -g in CFLAGS - (#496778) - ---- - m4/curl-compilers.m4 | 26 ++++++-------------------- - 1 file changed, 6 insertions(+), 20 deletions(-) - -diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 -index c64db4bc6..d115a4aed 100644 ---- a/m4/curl-compilers.m4 -+++ b/m4/curl-compilers.m4 -@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [ - clangvhi=`echo $clangver | cut -d . -f1` - clangvlo=`echo $clangver | cut -d . -f2` - compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4" -- flags_opt_yes="-Os" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - else - AC_MSG_RESULT([no]) -@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ - gccvhi=`echo $gccver | cut -d . -f1` - gccvlo=`echo $gccver | cut -d . -f2` - compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast" -- flags_opt_yes="-O2" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - CURL_CHECK_DEF([_WIN32], [], [silent]) - else --- -1.7.1 - diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 6b2773c..1dfe973 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -600,6 +600,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -601,6 +601,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.77.0.tar.xz.asc b/curl-7.77.0.tar.xz.asc deleted file mode 100644 index 428b813..0000000 --- a/curl-7.77.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmCt6IwACgkQXMkI/bce -EsJd+Af/YCvzoV76IFh2aJpoi74XOglG327GQWnJRAt6VooIXvBPddundYOSepAw -OQbReLSQgzmWIICjp4GnV/+gkNodpqJPB1uFHo8AHEBsiVJBTNO7c/mGirQlp5TM -f5xGP8cf1OxwDJ6PBAHAYl4s71t6CWm0C2nf8x24ROlDsO85lz+yFCg1665IbZvp -PFSfeIGHwyUoZesBmBFznm5KI5yc+Yn9gxsq3ujPYMvjMH7KFdw7zQu3SzYjT1+w -bHqVul6+SC8laHuIqZfKnvrjLJMcIhe0vADoyV0/P64ZJ/4X2tGBrpxtXUJJ9S9C -Cif/PNjYIGKg9Mk8odMjXzo8EcVFGA== -=+IKy ------END PGP SIGNATURE----- diff --git a/curl-7.78.0.tar.xz.asc b/curl-7.78.0.tar.xz.asc new file mode 100644 index 0000000..d93dee2 --- /dev/null +++ b/curl-7.78.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmD3wwYACgkQXMkI/bce +EsIFMggAt5xxRun4gxld2xZB0shI8fDhjGwMK+uQNpDnnt509j/UZ9+yfDra3Stl +BHeQXSnTE6y4dKfXIkq4q3sSX2XZUuFRLHMhzH99FsY6bxgOSnZi/iIZv/RLLXTX +NGlDR93OfsYg9UNkZVeZlFo9262f6rz7P5EsHa4HlCS0xpvLCU7q2dtkDu8SQSW1 +sQiEZOhsyXoiqqrLAgTIP9psHt6dE7qoYh1hS6b+7S9d87MSkL5MEnHukFkemlzC +7d9cYD9Bah1LfAaYunvzPuC9FoF6gonGPrw3tLECdl2P9PpnrGeV1Z/Nhmu0d5mN +E2A1BXBqLs8UVo4vUbiNLk0gB3TmHg== +=yVDK +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 3330f94..b191189 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.77.0 -Release: 2%{?dist} +Version: 7.78.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -13,9 +13,6 @@ Source2: mykey.asc # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch -# prevent configure script from discarding -g in CFLAGS (#496778) -Patch102: 0102-curl-7.36.0-debug.patch - # prevent valgrind from reporting false positives on x86_64 Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch @@ -191,7 +188,6 @@ be installed. # Fedora patches %patch101 -p1 -%patch102 -p1 %patch105 -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed @@ -237,7 +233,6 @@ export common_configure_opts=" \ --enable-symbol-hiding \ --enable-ipv6 \ --enable-threaded-resolver \ - --without-libmetalink \ --with-gssapi \ --with-nghttp2 \ --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" @@ -367,6 +362,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 21 2021 Kamil Dudka - 7.78.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22925 - TELNET stack contents disclosure again + CVE-2021-22924 - bad connection reuse due to flawed path name checks + CVE-2021-22923 - metalink download sends credentials + CVE-2021-22922 - wrong content via metalink not discarded + * Wed Jun 02 2021 Kamil Dudka - 7.77.0-2 - build the curl tool without metalink support (#1967213) diff --git a/sources b/sources index 7189d3e..d95c311 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.77.0.tar.xz) = aef92a0e3f8ce8491b258a9a1c4dcea3c07c29b139a1f68f08619caa0295cfde76335d2dfb9cdf434525daea7dd05d8acd22f203f5ccc7735bd317964ec1da76 +SHA512 (curl-7.78.0.tar.xz) = f72e822a0b5e28320ef547c7a441c07f3b4870579a70ab4c428751baba435a1385cb89a22b9ed4b84a7fafecf620f155911e4131e3463ec1bdad80ecde47bb7a From ef5a5be78ec8fe0880416941cd1be231af4224c0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Jul 2021 12:06:57 +0200 Subject: [PATCH 115/256] temporarily disable test 1452 on s390x ... where the client times out --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index b191189..20e97c0 100644 --- a/curl.spec +++ b/curl.spec @@ -200,9 +200,9 @@ printf "1112\n1455\n1801\n" >> tests/data/DISABLED echo "1319" >> tests/data/DISABLED %endif -# temporarily disable test 582 on s390x (client times out) +# temporarily disable tests 582 and 1452 on s390x (client times out) %ifarch s390x -echo "582" >> tests/data/DISABLED +printf "582\n1452\n" >> tests/data/DISABLED %endif # temporarily disable tests 702 703 716 on armv7hl (#1829180) From c921b2c69d7cfe8710fb4b5ec98782e404680f18 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Jul 2021 12:36:07 +0200 Subject: [PATCH 116/256] remove a valgrind-related patch no longer needed --- 0105-curl-7.63.0-lib1560-valgrind.patch | 39 ------------------------- curl.spec | 4 --- 2 files changed, 43 deletions(-) delete mode 100644 0105-curl-7.63.0-lib1560-valgrind.patch diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch deleted file mode 100644 index 1dfe973..0000000 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ /dev/null @@ -1,39 +0,0 @@ -From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 4 Feb 2019 17:32:56 +0100 -Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp - -... to prevent valgrind from reporting false positives on x86_64: - -Conditional jump or move depends on uninitialised value(s) - at 0x10BCAA: part2id (lib1560.c:489) - by 0x10BCAA: updateurl (lib1560.c:521) - by 0x10BCAA: set_parts (lib1560.c:630) - by 0x10BCAA: test (lib1560.c:802) - by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) - -Conditional jump or move depends on uninitialised value(s) - at 0x10BCC3: part2id (lib1560.c:491) - by 0x10BCC3: updateurl (lib1560.c:521) - by 0x10BCC3: set_parts (lib1560.c:630) - by 0x10BCC3: test (lib1560.c:802) - by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) ---- - tests/libtest/Makefile.inc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc -index 080421b..ea3b806 100644 ---- a/tests/libtest/Makefile.inc -+++ b/tests/libtest/Makefile.inc -@@ -601,6 +601,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) - lib1559_LDADD = $(TESTUTIL_LIBS) - - lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) -+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp - lib1560_LDADD = $(TESTUTIL_LIBS) - - lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) --- -2.17.2 - diff --git a/curl.spec b/curl.spec index 20e97c0..0faeab4 100644 --- a/curl.spec +++ b/curl.spec @@ -13,9 +13,6 @@ Source2: mykey.asc # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch -# prevent valgrind from reporting false positives on x86_64 -Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch - Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -188,7 +185,6 @@ be installed. # Fedora patches %patch101 -p1 -%patch105 -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 From 0ac0b6fbd121ae949e2ae9322e8cdd4622ec2d44 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Jul 2021 12:36:07 +0200 Subject: [PATCH 117/256] prevent valgrind from being extremely slow --- curl.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/curl.spec b/curl.spec index 0faeab4..532f2ff 100644 --- a/curl.spec +++ b/curl.spec @@ -282,6 +282,10 @@ cd build-full/tests export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX export OPENSSL_CONF= +# prevent valgrind from being extremely slow (#1662656) +# https://fedoraproject.org/wiki/Changes/DebuginfodByDefault +unset DEBUGINFOD_URLS + # run the upstream test-suite srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' From 85619bdba3a92ac8f09a5e09b37fe50b6727a399 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Jul 2021 15:36:42 +0200 Subject: [PATCH 118/256] disable tests 320..322 on ppc64le where it started to hang/fail ... in Koji environment only. I was not able to reproduce the issues with the fedora-rawhide-ppc64le buildroot in mock on a ppc64le machine. --- curl.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/curl.spec b/curl.spec index 532f2ff..4528eeb 100644 --- a/curl.spec +++ b/curl.spec @@ -196,6 +196,11 @@ printf "1112\n1455\n1801\n" >> tests/data/DISABLED echo "1319" >> tests/data/DISABLED %endif +# disable tests 320..322 on ppc64le where it started to hang/fail +%ifarch ppc64le +printf "320\n321\n322\n" >> tests/data/DISABLED +%endif + # temporarily disable tests 582 and 1452 on s390x (client times out) %ifarch s390x printf "582\n1452\n" >> tests/data/DISABLED From adeb2cb476afe1e0c159deba6ba2e74c9fa3613a Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 21 Jul 2021 20:15:37 +0000 Subject: [PATCH 119/256] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 4528eeb..bc5744a 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.78.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -367,6 +367,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 21 2021 Fedora Release Engineering - 7.78.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Wed Jul 21 2021 Kamil Dudka - 7.78.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2021-22925 - TELNET stack contents disclosure again From f964aefff3d637593db140ac9f95efdd84362ed1 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 23 Jul 2021 17:14:53 +0200 Subject: [PATCH 120/256] make explicit dependency on openssl work with alpha/beta builds of openssl Reported-by: Daniel Rusek --- curl.spec | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index bc5744a..d5b9462 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.78.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -107,7 +107,8 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, #1462211) -%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0) +# (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) +%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|') %description curl is a command line tool for transferring data with URL syntax, supporting @@ -367,6 +368,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jul 23 2021 Kamil Dudka - 7.78.0-3 +- make explicit dependency on openssl work with alpha/beta builds of openssl + * Wed Jul 21 2021 Fedora Release Engineering - 7.78.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From 62e2b8d5647c01a1493bbe583ed5a50a092658bf Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Tue, 14 Sep 2021 19:00:02 +0200 Subject: [PATCH 121/256] Rebuilt with OpenSSL 3.0.0 --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index d5b9462..b13555a 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.78.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -368,6 +368,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Sep 14 2021 Sahana Prasad - 7.78.0-4 +- Rebuilt with OpenSSL 3.0.0 + * Fri Jul 23 2021 Kamil Dudka - 7.78.0-3 - make explicit dependency on openssl work with alpha/beta builds of openssl From d02617d3252493983631775d7575e9c3dcbb09be Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Sep 2021 09:08:01 +0200 Subject: [PATCH 122/256] new upstream release - 7.79.0 Resolves: CVE-2021-22947 - STARTTLS protocol injection via MITM Resolves: CVE-2021-22946 - protocol downgrade required TLS bypassed Resolves: CVE-2021-22945 - use-after-free and double-free in MQTT sending --- curl-7.78.0.tar.xz.asc | 11 ----------- curl-7.79.0.tar.xz.asc | 11 +++++++++++ curl.spec | 10 ++++++++-- sources | 2 +- 4 files changed, 20 insertions(+), 14 deletions(-) delete mode 100644 curl-7.78.0.tar.xz.asc create mode 100644 curl-7.79.0.tar.xz.asc diff --git a/curl-7.78.0.tar.xz.asc b/curl-7.78.0.tar.xz.asc deleted file mode 100644 index d93dee2..0000000 --- a/curl-7.78.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmD3wwYACgkQXMkI/bce -EsIFMggAt5xxRun4gxld2xZB0shI8fDhjGwMK+uQNpDnnt509j/UZ9+yfDra3Stl -BHeQXSnTE6y4dKfXIkq4q3sSX2XZUuFRLHMhzH99FsY6bxgOSnZi/iIZv/RLLXTX -NGlDR93OfsYg9UNkZVeZlFo9262f6rz7P5EsHa4HlCS0xpvLCU7q2dtkDu8SQSW1 -sQiEZOhsyXoiqqrLAgTIP9psHt6dE7qoYh1hS6b+7S9d87MSkL5MEnHukFkemlzC -7d9cYD9Bah1LfAaYunvzPuC9FoF6gonGPrw3tLECdl2P9PpnrGeV1Z/Nhmu0d5mN -E2A1BXBqLs8UVo4vUbiNLk0gB3TmHg== -=yVDK ------END PGP SIGNATURE----- diff --git a/curl-7.79.0.tar.xz.asc b/curl-7.79.0.tar.xz.asc new file mode 100644 index 0000000..0828b9f --- /dev/null +++ b/curl-7.79.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmFBj6gACgkQXMkI/bce +EsJkpQgAuTRPniJDsiVa9yqtfgSNq2BG3u+JpcKFC3bJ/PB2DAtNVORNrTYkk3B1 +wIgfVWYBBJiCXoy5Ivof0MIfUM8kMFJXwHfy0Gs5/60GCy5mXOvVC7IEmKZ24lOU +7cNNzNkyR69z1yWM1VFfaDNmO3+GWIvM2YJTEdHlAxABR71FfW/ARtXjSFEJ01FL +t9IyDiH56cCkWEFFvM2YxNo0IjduvC5pLBiGfrBe5bAKV63Z0/Qtp18zoVaYgv6Y ++yLxv4jgteN/wrTHXVQ5o6FiqoTP/OEpJOLe1Zd4sJhMBkobCPwi5HHAjbavqeFc +3zs3aRTNMaVdvv4VqFhO5o8u2kZEbg== +=2Tq/ +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index b13555a..c8ab381 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.78.0 -Release: 4%{?dist} +Version: 7.79.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -368,6 +368,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 15 2021 Kamil Dudka - 7.79.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22947 - STARTTLS protocol injection via MITM + CVE-2021-22946 - protocol downgrade required TLS bypassed + CVE-2021-22945 - use-after-free and double-free in MQTT sending + * Tue Sep 14 2021 Sahana Prasad - 7.78.0-4 - Rebuilt with OpenSSL 3.0.0 diff --git a/sources b/sources index d95c311..b8a81d9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.78.0.tar.xz) = f72e822a0b5e28320ef547c7a441c07f3b4870579a70ab4c428751baba435a1385cb89a22b9ed4b84a7fafecf620f155911e4131e3463ec1bdad80ecde47bb7a +SHA512 (curl-7.79.0.tar.xz) = 68bccba61f18de9f94c311b0d92cfa6572bb7e55e8773917c13b25203164a5a9f4ef6b8ad84a14d3d5dcb286271bf18c3dd84c4ca353866763c726f9defce808 From 287da1ceece28a3af10a47e0b0f7e264f90c2c40 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Sep 2021 10:55:21 +0200 Subject: [PATCH 123/256] temporarily disable test 1184 ... which occasionally fails on aarch64/armv7hl Koji builders for no apparent reason --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index c8ab381..daa837e 100644 --- a/curl.spec +++ b/curl.spec @@ -190,7 +190,7 @@ be installed. # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 # -printf "1112\n1455\n1801\n" >> tests/data/DISABLED +printf "1112\n1455\n1184\n1801\n" >> tests/data/DISABLED # disable test 1319 on ppc64 (server times out) %ifarch ppc64 From 25f443ae129881c43ce0ee6e86e81fedf657ead7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 16 Sep 2021 08:44:39 +0200 Subject: [PATCH 124/256] make SCP/SFTP tests work with openssh-8.7p1 --- 0001-curl-7.79.0-ssh-tests.patch | 101 +++++++++++++++++++++++++++++++ curl.spec | 7 +++ 2 files changed, 108 insertions(+) create mode 100644 0001-curl-7.79.0-ssh-tests.patch diff --git a/0001-curl-7.79.0-ssh-tests.patch b/0001-curl-7.79.0-ssh-tests.patch new file mode 100644 index 0000000..9df34f3 --- /dev/null +++ b/0001-curl-7.79.0-ssh-tests.patch @@ -0,0 +1,101 @@ +From 3b1db8a1032f5728f7da5a1fabe8db0bec1f4574 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 15 Sep 2021 09:59:14 +0200 +Subject: [PATCH] tests/sshserver.pl: make it work with openssh-8.7p1 + +... by not using options with no argument where an argument is required: + +=== Start of file tests/log/ssh_server.log +curl_sshd_config line 6: no argument after keyword "DenyGroups" +curl_sshd_config line 7: no argument after keyword "AllowGroups" +curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2 +curl_sshd_config line 29: Deprecated option KeyRegenerationInterval +curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication +curl_sshd_config line 40: Deprecated option RSAAuthentication +curl_sshd_config line 41: Deprecated option ServerKeyBits +curl_sshd_config line 45: Deprecated option UseLogin +curl_sshd_config line 56: no argument after keyword "AcceptEnv" +curl_sshd_config: terminating, 3 bad configuration options +=== End of file tests/log/ssh_server.log + +=== Start of file log/sftp_server.log +curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication" +curl_sftp_config line 34: Unsupported option "rsaauthentication" +curl_sftp_config line 52: no argument after keyword "sendenv" +curl_sftp_config: terminating, 1 bad configuration options +Connection closed. +Connection closed +=== End of file log/sftp_server.log + +Closes #7724 + +Upstream-commit: ab78d2c679dfb37b27e89f42ad050c3153fa7513 +Signed-off-by: Kamil Dudka +--- + tests/sshserver.pl | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/tests/sshserver.pl b/tests/sshserver.pl +index d0952a2d8..412cab33e 100644 +--- a/tests/sshserver.pl ++++ b/tests/sshserver.pl +@@ -428,9 +428,7 @@ if ($sshdid =~ /OpenSSH-Windows/) { + # ssh daemon configuration file options we might use and version support + # + # AFSTokenPassing : OpenSSH 1.2.1 and later [1] +-# AcceptEnv : OpenSSH 3.9.0 and later + # AddressFamily : OpenSSH 4.0.0 and later +-# AllowGroups : OpenSSH 1.2.1 and later + # AllowTcpForwarding : OpenSSH 2.3.0 and later + # AllowUsers : OpenSSH 1.2.1 and later + # AuthorizedKeysFile : OpenSSH 2.9.9 and later +@@ -441,7 +439,6 @@ if ($sshdid =~ /OpenSSH-Windows/) { + # ClientAliveCountMax : OpenSSH 2.9.0 and later + # ClientAliveInterval : OpenSSH 2.9.0 and later + # Compression : OpenSSH 3.3.0 and later +-# DenyGroups : OpenSSH 1.2.1 and later + # DenyUsers : OpenSSH 1.2.1 and later + # ForceCommand : OpenSSH 4.4.0 and later [3] + # GatewayPorts : OpenSSH 2.1.0 and later +@@ -534,9 +531,6 @@ if ($sshdid =~ /OpenSSH-Windows/) { + push @cfgarr, "AllowUsers $username"; + } + +-push @cfgarr, 'DenyGroups'; +-push @cfgarr, 'AllowGroups'; +-push @cfgarr, '#'; + push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config"; + push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config"; + push @cfgarr, "HostKey $hstprvkeyf_config"; +@@ -684,9 +678,6 @@ push @cfgarr, '#'; + #*************************************************************************** + # Options that might be supported or not in sshd OpenSSH 2.9.9 and later + # +-if(sshd_supports_opt('AcceptEnv','')) { +- push @cfgarr, 'AcceptEnv'; +-} + if(sshd_supports_opt('AddressFamily','any')) { + # Address family must be specified before ListenAddress + splice @cfgarr, 14, 0, 'AddressFamily any'; +@@ -873,7 +864,6 @@ if ($sshdid =~ /OpenSSH-Windows/) { + # RemoteForward : OpenSSH 1.2.1 and later [3] + # RhostsRSAAuthentication : OpenSSH 1.2.1 and later + # RSAAuthentication : OpenSSH 1.2.1 and later +-# SendEnv : OpenSSH 3.9.0 and later + # ServerAliveCountMax : OpenSSH 3.8.0 and later + # ServerAliveInterval : OpenSSH 3.8.0 and later + # SmartcardDevice : OpenSSH 2.9.9 and later [1][3] +@@ -1028,10 +1018,6 @@ if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) || + push @cfgarr, 'RekeyLimit 1G'; + } + +-if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) { +- push @cfgarr, 'SendEnv'; +-} +- + if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) || + (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { + push @cfgarr, 'ServerAliveCountMax 3'; +-- +2.31.1 + diff --git a/curl.spec b/curl.spec index daa837e..e6e9484 100644 --- a/curl.spec +++ b/curl.spec @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# make SCP/SFTP tests work with openssh-8.7p1 +Patch1: 0001-curl-7.79.0-ssh-tests.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -183,6 +186,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -368,6 +372,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Sep 16 2021 Kamil Dudka - 7.79.0-2 +- make SCP/SFTP tests work with openssh-8.7p1 + * Wed Sep 15 2021 Kamil Dudka - 7.79.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2021-22947 - STARTTLS protocol injection via MITM From 31329d944382e3abb4e717c23d5f16b307d35ab2 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 16 Sep 2021 08:51:26 +0200 Subject: [PATCH 125/256] forgot to bump release in the previous commit --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index e6e9484..403a556 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.79.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc From f97c73e9d71f50d7938181b9f4bce617d0e22a0f Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Thu, 16 Sep 2021 12:23:37 +0200 Subject: [PATCH 126/256] Rebuilt with OpenSSL 3.0.0 --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 403a556..5118350 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.79.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -372,6 +372,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Sep 16 2021 Sahana Prasad - 7.79.0-3 +- Rebuilt with OpenSSL 3.0.0 + * Thu Sep 16 2021 Kamil Dudka - 7.79.0-2 - make SCP/SFTP tests work with openssh-8.7p1 From e2155b2695dcacb62dcf51fa2b69fb7a54b15986 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 16 Sep 2021 12:26:16 +0200 Subject: [PATCH 127/256] fix regression in http2 implementation ... introduced in the last release --- 0002-curl-7.79.0-http2-fixup.patch | 53 ++++++++++++++++++++++++++++++ curl.spec | 9 ++++- 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.79.0-http2-fixup.patch diff --git a/0002-curl-7.79.0-http2-fixup.patch b/0002-curl-7.79.0-http2-fixup.patch new file mode 100644 index 0000000..66b6bc6 --- /dev/null +++ b/0002-curl-7.79.0-http2-fixup.patch @@ -0,0 +1,53 @@ +From 130f84913b372f27e8db065a614cd34beda3ba14 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 16 Sep 2021 08:50:54 +0200 +Subject: [PATCH] Curl_http2_setup: don't change connection data on repeat + invokes + +Regression from 3cb8a748670ab88c (releasde in 7.79.0). That change moved +transfer oriented inits to before the check but also erroneously moved a +few connection oriented ones, which causes problems. + +Reported-by: Evangelos Foutras +Fixes #7730 +Closes #7731 + +Upstream-commit: 901804ef95777b8e735a55b77f8dd630a58c575b +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index a3de607c7..6d63f4363 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -2221,12 +2221,6 @@ CURLcode Curl_http2_setup(struct Curl_easy *data, + stream->mem = data->state.buffer; + stream->len = data->set.buffer_size; + +- httpc->inbuflen = 0; +- httpc->nread_inbuf = 0; +- +- httpc->pause_stream_id = 0; +- httpc->drain_total = 0; +- + multi_connchanged(data->multi); + /* below this point only connection related inits are done, which only needs + to be done once per connection */ +@@ -2252,6 +2246,12 @@ CURLcode Curl_http2_setup(struct Curl_easy *data, + conn->httpversion = 20; + conn->bundle->multiuse = BUNDLE_MULTIPLEX; + ++ httpc->inbuflen = 0; ++ httpc->nread_inbuf = 0; ++ ++ httpc->pause_stream_id = 0; ++ httpc->drain_total = 0; ++ + infof(data, "Connection state changed (HTTP/2 confirmed)"); + + return CURLE_OK; +-- +2.31.1 + diff --git a/curl.spec b/curl.spec index 5118350..51d1517 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.79.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -13,6 +13,9 @@ Source2: mykey.asc # make SCP/SFTP tests work with openssh-8.7p1 Patch1: 0001-curl-7.79.0-ssh-tests.patch +# fix regression in http2 implementation introduced in the last release +Patch2: 0002-curl-7.79.0-http2-fixup.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -187,6 +190,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -372,6 +376,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Sep 16 2021 Kamil Dudka - 7.79.0-4 +- fix regression in http2 implementation introduced in the last release + * Thu Sep 16 2021 Sahana Prasad - 7.79.0-3 - Rebuilt with OpenSSL 3.0.0 From 407e3960e4dd126c057e7bf831e7bd14b7af8d90 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 22 Sep 2021 09:15:59 +0200 Subject: [PATCH 128/256] new upstream release - 7.79.1 --- 0001-curl-7.79.0-ssh-tests.patch | 101 ----------------------------- 0002-curl-7.79.0-http2-fixup.patch | 53 --------------- curl-7.79.0.tar.xz.asc | 11 ---- curl-7.79.1.tar.xz.asc | 11 ++++ curl.spec | 15 ++--- sources | 2 +- 6 files changed, 17 insertions(+), 176 deletions(-) delete mode 100644 0001-curl-7.79.0-ssh-tests.patch delete mode 100644 0002-curl-7.79.0-http2-fixup.patch delete mode 100644 curl-7.79.0.tar.xz.asc create mode 100644 curl-7.79.1.tar.xz.asc diff --git a/0001-curl-7.79.0-ssh-tests.patch b/0001-curl-7.79.0-ssh-tests.patch deleted file mode 100644 index 9df34f3..0000000 --- a/0001-curl-7.79.0-ssh-tests.patch +++ /dev/null @@ -1,101 +0,0 @@ -From 3b1db8a1032f5728f7da5a1fabe8db0bec1f4574 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 15 Sep 2021 09:59:14 +0200 -Subject: [PATCH] tests/sshserver.pl: make it work with openssh-8.7p1 - -... by not using options with no argument where an argument is required: - -=== Start of file tests/log/ssh_server.log -curl_sshd_config line 6: no argument after keyword "DenyGroups" -curl_sshd_config line 7: no argument after keyword "AllowGroups" -curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2 -curl_sshd_config line 29: Deprecated option KeyRegenerationInterval -curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication -curl_sshd_config line 40: Deprecated option RSAAuthentication -curl_sshd_config line 41: Deprecated option ServerKeyBits -curl_sshd_config line 45: Deprecated option UseLogin -curl_sshd_config line 56: no argument after keyword "AcceptEnv" -curl_sshd_config: terminating, 3 bad configuration options -=== End of file tests/log/ssh_server.log - -=== Start of file log/sftp_server.log -curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication" -curl_sftp_config line 34: Unsupported option "rsaauthentication" -curl_sftp_config line 52: no argument after keyword "sendenv" -curl_sftp_config: terminating, 1 bad configuration options -Connection closed. -Connection closed -=== End of file log/sftp_server.log - -Closes #7724 - -Upstream-commit: ab78d2c679dfb37b27e89f42ad050c3153fa7513 -Signed-off-by: Kamil Dudka ---- - tests/sshserver.pl | 14 -------------- - 1 file changed, 14 deletions(-) - -diff --git a/tests/sshserver.pl b/tests/sshserver.pl -index d0952a2d8..412cab33e 100644 ---- a/tests/sshserver.pl -+++ b/tests/sshserver.pl -@@ -428,9 +428,7 @@ if ($sshdid =~ /OpenSSH-Windows/) { - # ssh daemon configuration file options we might use and version support - # - # AFSTokenPassing : OpenSSH 1.2.1 and later [1] --# AcceptEnv : OpenSSH 3.9.0 and later - # AddressFamily : OpenSSH 4.0.0 and later --# AllowGroups : OpenSSH 1.2.1 and later - # AllowTcpForwarding : OpenSSH 2.3.0 and later - # AllowUsers : OpenSSH 1.2.1 and later - # AuthorizedKeysFile : OpenSSH 2.9.9 and later -@@ -441,7 +439,6 @@ if ($sshdid =~ /OpenSSH-Windows/) { - # ClientAliveCountMax : OpenSSH 2.9.0 and later - # ClientAliveInterval : OpenSSH 2.9.0 and later - # Compression : OpenSSH 3.3.0 and later --# DenyGroups : OpenSSH 1.2.1 and later - # DenyUsers : OpenSSH 1.2.1 and later - # ForceCommand : OpenSSH 4.4.0 and later [3] - # GatewayPorts : OpenSSH 2.1.0 and later -@@ -534,9 +531,6 @@ if ($sshdid =~ /OpenSSH-Windows/) { - push @cfgarr, "AllowUsers $username"; - } - --push @cfgarr, 'DenyGroups'; --push @cfgarr, 'AllowGroups'; --push @cfgarr, '#'; - push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config"; - push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config"; - push @cfgarr, "HostKey $hstprvkeyf_config"; -@@ -684,9 +678,6 @@ push @cfgarr, '#'; - #*************************************************************************** - # Options that might be supported or not in sshd OpenSSH 2.9.9 and later - # --if(sshd_supports_opt('AcceptEnv','')) { -- push @cfgarr, 'AcceptEnv'; --} - if(sshd_supports_opt('AddressFamily','any')) { - # Address family must be specified before ListenAddress - splice @cfgarr, 14, 0, 'AddressFamily any'; -@@ -873,7 +864,6 @@ if ($sshdid =~ /OpenSSH-Windows/) { - # RemoteForward : OpenSSH 1.2.1 and later [3] - # RhostsRSAAuthentication : OpenSSH 1.2.1 and later - # RSAAuthentication : OpenSSH 1.2.1 and later --# SendEnv : OpenSSH 3.9.0 and later - # ServerAliveCountMax : OpenSSH 3.8.0 and later - # ServerAliveInterval : OpenSSH 3.8.0 and later - # SmartcardDevice : OpenSSH 2.9.9 and later [1][3] -@@ -1028,10 +1018,6 @@ if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) || - push @cfgarr, 'RekeyLimit 1G'; - } - --if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) { -- push @cfgarr, 'SendEnv'; --} -- - if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) || - (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { - push @cfgarr, 'ServerAliveCountMax 3'; --- -2.31.1 - diff --git a/0002-curl-7.79.0-http2-fixup.patch b/0002-curl-7.79.0-http2-fixup.patch deleted file mode 100644 index 66b6bc6..0000000 --- a/0002-curl-7.79.0-http2-fixup.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 130f84913b372f27e8db065a614cd34beda3ba14 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 16 Sep 2021 08:50:54 +0200 -Subject: [PATCH] Curl_http2_setup: don't change connection data on repeat - invokes - -Regression from 3cb8a748670ab88c (releasde in 7.79.0). That change moved -transfer oriented inits to before the check but also erroneously moved a -few connection oriented ones, which causes problems. - -Reported-by: Evangelos Foutras -Fixes #7730 -Closes #7731 - -Upstream-commit: 901804ef95777b8e735a55b77f8dd630a58c575b -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/lib/http2.c b/lib/http2.c -index a3de607c7..6d63f4363 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -2221,12 +2221,6 @@ CURLcode Curl_http2_setup(struct Curl_easy *data, - stream->mem = data->state.buffer; - stream->len = data->set.buffer_size; - -- httpc->inbuflen = 0; -- httpc->nread_inbuf = 0; -- -- httpc->pause_stream_id = 0; -- httpc->drain_total = 0; -- - multi_connchanged(data->multi); - /* below this point only connection related inits are done, which only needs - to be done once per connection */ -@@ -2252,6 +2246,12 @@ CURLcode Curl_http2_setup(struct Curl_easy *data, - conn->httpversion = 20; - conn->bundle->multiuse = BUNDLE_MULTIPLEX; - -+ httpc->inbuflen = 0; -+ httpc->nread_inbuf = 0; -+ -+ httpc->pause_stream_id = 0; -+ httpc->drain_total = 0; -+ - infof(data, "Connection state changed (HTTP/2 confirmed)"); - - return CURLE_OK; --- -2.31.1 - diff --git a/curl-7.79.0.tar.xz.asc b/curl-7.79.0.tar.xz.asc deleted file mode 100644 index 0828b9f..0000000 --- a/curl-7.79.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmFBj6gACgkQXMkI/bce -EsJkpQgAuTRPniJDsiVa9yqtfgSNq2BG3u+JpcKFC3bJ/PB2DAtNVORNrTYkk3B1 -wIgfVWYBBJiCXoy5Ivof0MIfUM8kMFJXwHfy0Gs5/60GCy5mXOvVC7IEmKZ24lOU -7cNNzNkyR69z1yWM1VFfaDNmO3+GWIvM2YJTEdHlAxABR71FfW/ARtXjSFEJ01FL -t9IyDiH56cCkWEFFvM2YxNo0IjduvC5pLBiGfrBe5bAKV63Z0/Qtp18zoVaYgv6Y -+yLxv4jgteN/wrTHXVQ5o6FiqoTP/OEpJOLe1Zd4sJhMBkobCPwi5HHAjbavqeFc -3zs3aRTNMaVdvv4VqFhO5o8u2kZEbg== -=2Tq/ ------END PGP SIGNATURE----- diff --git a/curl-7.79.1.tar.xz.asc b/curl-7.79.1.tar.xz.asc new file mode 100644 index 0000000..47f281b --- /dev/null +++ b/curl-7.79.1.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmFKyZYACgkQXMkI/bce +EsKyewgAivvAdC3J5DBsXlR7NMWpdbVVbT87m8ONxaIflFjwrIPdaazgiX/dsiS9 +zNaPQe5k5JH0DoQipiebrg4Zi248TTqH8GXi1sAlsqBFjWroYoeKxeCkSLOsFDVj +ahZp2UM6FZTTUAQElw92+xlHJ1eD5L5CzIc+VLeVi4PAysrB1L4tPDmOFEfS1iZl +wLzxKHuNnuDMWaizfxt9F2yc/ct++sNNuBZ8FHv4nJRIEANY/nCpttQFGgjS8V8l +b22q5yIQez7zsCc9o7phS+CWLYEEgrcM+Qw7bmj1ANPgNlQ/dP5FKIwreZB1s5uV +FBq4pS30d/CfaaE0vZ27D1G6ZoLvyA== +=oayQ +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 51d1517..33018c5 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.79.0 -Release: 4%{?dist} +Version: 7.79.1 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,12 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# make SCP/SFTP tests work with openssh-8.7p1 -Patch1: 0001-curl-7.79.0-ssh-tests.patch - -# fix regression in http2 implementation introduced in the last release -Patch2: 0002-curl-7.79.0-http2-fixup.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -189,8 +183,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 # Fedora patches %patch101 -p1 @@ -376,6 +368,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 22 2021 Kamil Dudka - 7.79.1-1 +- new upstream release + * Thu Sep 16 2021 Kamil Dudka - 7.79.0-4 - fix regression in http2 implementation introduced in the last release diff --git a/sources b/sources index b8a81d9..fe8ddcf 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.79.0.tar.xz) = 68bccba61f18de9f94c311b0d92cfa6572bb7e55e8773917c13b25203164a5a9f4ef6b8ad84a14d3d5dcb286271bf18c3dd84c4ca353866763c726f9defce808 +SHA512 (curl-7.79.1.tar.xz) = 1edb71647a7f4dbb070baf1a019b4751aefeda793ff523c504410bb5cc74e5bffc52f20dd889697d1585f9ca3c4e81b1a9caadd182c30c8358ffd25f33e4db4d From c2f61abc1cb764ad2cbf865d4e61da84c55a8183 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Sep 2021 14:47:47 +0200 Subject: [PATCH 129/256] curl.spec: align the lists of configure options ... to make it easier to extend the lists --- curl.spec | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/curl.spec b/curl.spec index 33018c5..5ef29f7 100644 --- a/curl.spec +++ b/curl.spec @@ -229,14 +229,14 @@ autoreconf -fiv %build mkdir build-{full,minimal} -export common_configure_opts=" \ - --cache-file=../config.cache \ - --disable-static \ - --enable-symbol-hiding \ - --enable-ipv6 \ - --enable-threaded-resolver \ - --with-gssapi \ - --with-nghttp2 \ +export common_configure_opts=" \ + --cache-file=../config.cache \ + --disable-static \ + --enable-symbol-hiding \ + --enable-ipv6 \ + --enable-threaded-resolver \ + --with-gssapi \ + --with-nghttp2 \ --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" %global _configure ../configure @@ -244,26 +244,26 @@ export common_configure_opts=" \ # configure minimal build ( cd build-minimal - %configure $common_configure_opts \ - --disable-ldap \ - --disable-ldaps \ - --disable-manual \ - --without-brotli \ - --without-libidn2 \ - --without-libpsl \ + %configure $common_configure_opts \ + --disable-ldap \ + --disable-ldaps \ + --disable-manual \ + --without-brotli \ + --without-libidn2 \ + --without-libpsl \ --without-libssh ) # configure full build ( cd build-full - %configure $common_configure_opts \ - --enable-ldap \ - --enable-ldaps \ - --enable-manual \ - --with-brotli \ - --with-libidn2 \ - --with-libpsl \ + %configure $common_configure_opts \ + --enable-ldap \ + --enable-ldaps \ + --enable-manual \ + --with-brotli \ + --with-libidn2 \ + --with-libpsl \ --with-libssh ) From 54117120e4ddaabc1d456a8857552625bffa81b9 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Sep 2021 14:48:51 +0200 Subject: [PATCH 130/256] explicitly disable zstd while configuring curl ... in order to make local builds closer to what we get from Koji --- curl.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/curl.spec b/curl.spec index 5ef29f7..6a24806 100644 --- a/curl.spec +++ b/curl.spec @@ -235,6 +235,7 @@ export common_configure_opts=" \ --enable-symbol-hiding \ --enable-ipv6 \ --enable-threaded-resolver \ + --without-zstd \ --with-gssapi \ --with-nghttp2 \ --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" From 5ebead952bed4dce9ceefb8fc307b168b9154ad6 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Sep 2021 14:54:20 +0200 Subject: [PATCH 131/256] Resolves: #1994521 - disable more protocols and features in libcurl-minimal ... to limit vulnerability exposure in case there is a CVE in curl in some of the rarer protocols --- curl.spec | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 6a24806..0104012 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.79.1 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -246,9 +246,23 @@ export common_configure_opts=" \ ( cd build-minimal %configure $common_configure_opts \ + --disable-dict \ + --disable-gopher \ + --disable-hsts \ + --disable-imap \ --disable-ldap \ --disable-ldaps \ --disable-manual \ + --disable-mqtt \ + --disable-ntlm \ + --disable-ntlm-wb \ + --disable-pop3 \ + --disable-rtsp \ + --disable-smb \ + --disable-smtp \ + --disable-telnet \ + --disable-tftp \ + --disable-tls-srp \ --without-brotli \ --without-libidn2 \ --without-libpsl \ @@ -259,9 +273,23 @@ export common_configure_opts=" \ ( cd build-full %configure $common_configure_opts \ + --enable-dict \ + --enable-gopher \ + --enable-hsts \ + --enable-imap \ --enable-ldap \ --enable-ldaps \ --enable-manual \ + --enable-mqtt \ + --enable-ntlm \ + --enable-ntlm-wb \ + --enable-pop3 \ + --enable-rtsp \ + --enable-smb \ + --enable-smtp \ + --enable-telnet \ + --enable-tftp \ + --enable-tls-srp \ --with-brotli \ --with-libidn2 \ --with-libpsl \ @@ -369,6 +397,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Oct 04 2021 Kamil Dudka - 7.79.1-2 +- disable more protocols and features in libcurl-minimal (#1994521) + * Wed Sep 22 2021 Kamil Dudka - 7.79.1-1 - new upstream release From d4c5b54bf3629397059785612bf16cb2e63999c9 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Sep 2021 15:04:37 +0200 Subject: [PATCH 132/256] run upstream tests for both curl-minimal and curl-full As we made libcurl-minimal more minimal, it differs more from libcurl-full and it should be tested separately. On the other hand, the test-suite for libcurl-minimal runs faster now because more tests are skipped. --- curl.spec | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/curl.spec b/curl.spec index 0104012..58077a2 100644 --- a/curl.spec +++ b/curl.spec @@ -305,24 +305,33 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \ %make_build V=1 -C build-full %check -# we have to override LD_LIBRARY_PATH because we eliminated rpath -LD_LIBRARY_PATH="${PWD}/build-full/lib/.libs" -export LD_LIBRARY_PATH - # compile upstream test-cases -cd build-full/tests -%make_build V=1 +%make_build V=1 -C build-minimal/tests +%make_build V=1 -C build-full/tests # relax crypto policy for the test-suite to make it pass again (#1610888) export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX export OPENSSL_CONF= +# make runtests.pl work for out-of-tree builds +export srcdir=../../tests + # prevent valgrind from being extremely slow (#1662656) # https://fedoraproject.org/wiki/Changes/DebuginfodByDefault unset DEBUGINFOD_URLS -# run the upstream test-suite -srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' +# run the upstream test-suite for both curl-minimal and curl-full +for size in minimal full; do ( + cd build-${size} + + # we have to override LD_LIBRARY_PATH because we eliminated rpath + export LD_LIBRARY_PATH="${PWD}/lib/.libs" + + cd tests + perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' +) +done + %install # install and rename the library that will be packaged as libcurl-minimal From a0acb0cc77f4bb010a8e45ba3550bcd65a6578f5 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 4 Oct 2021 12:29:42 +0200 Subject: [PATCH 133/256] Related: #2005874 - use correct bug ID in the change log --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 58077a2..225b369 100644 --- a/curl.spec +++ b/curl.spec @@ -407,7 +407,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Mon Oct 04 2021 Kamil Dudka - 7.79.1-2 -- disable more protocols and features in libcurl-minimal (#1994521) +- disable more protocols and features in libcurl-minimal (#2005874) * Wed Sep 22 2021 Kamil Dudka - 7.79.1-1 - new upstream release From 1b982b367edd13073ee83a264faad872523e5919 Mon Sep 17 00:00:00 2001 From: Miroslav Vadkerti Date: Mon, 4 Oct 2021 22:40:37 +0200 Subject: [PATCH 134/256] Migrate tests to tmt Signed-off-by: Miroslav Vadkerti --- .fmf/version | 1 + ci.fmf | 9 +++ tests/non-root-user-download/Makefile | 63 -------------------- tests/non-root-user-download/PURPOSE | 3 - tests/non-root-user-download/main.fmf | 17 ++++++ tests/non-root-user-download/runtest.sh | 1 - tests/non-root-user-download/runtest.yml | 64 --------------------- tests/scp-and-sftp-download-test/Makefile | 63 -------------------- tests/scp-and-sftp-download-test/PURPOSE | 12 ---- tests/scp-and-sftp-download-test/main.fmf | 20 +++++++ tests/scp-and-sftp-download-test/runtest.sh | 3 +- tests/tests.yml | 26 --------- 12 files changed, 48 insertions(+), 234 deletions(-) create mode 100644 .fmf/version create mode 100644 ci.fmf delete mode 100644 tests/non-root-user-download/Makefile delete mode 100644 tests/non-root-user-download/PURPOSE create mode 100644 tests/non-root-user-download/main.fmf mode change 100644 => 100755 tests/non-root-user-download/runtest.sh delete mode 100644 tests/non-root-user-download/runtest.yml delete mode 100644 tests/scp-and-sftp-download-test/Makefile delete mode 100644 tests/scp-and-sftp-download-test/PURPOSE create mode 100644 tests/scp-and-sftp-download-test/main.fmf mode change 100644 => 100755 tests/scp-and-sftp-download-test/runtest.sh delete mode 100644 tests/tests.yml diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..d3546e9 --- /dev/null +++ b/ci.fmf @@ -0,0 +1,9 @@ +discover: + how: fmf +prepare: + how: install + exclude: + - libcurl-minimal + - curl-minimal +execute: + how: tmt diff --git a/tests/non-root-user-download/Makefile b/tests/non-root-user-download/Makefile deleted file mode 100644 index 9746b63..0000000 --- a/tests/non-root-user-download/Makefile +++ /dev/null @@ -1,63 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/curl/Sanity/non-root-user-download -# Description: various download methods with non-root user -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2013 Red Hat, Inc. All rights reserved. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/curl/Sanity/non-root-user-download -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Karel Srot " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: various download methods with non-root user" >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 5m" >> $(METADATA) - @echo "RunFor: curl" >> $(METADATA) - @echo "Requires: curl" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/non-root-user-download/PURPOSE b/tests/non-root-user-download/PURPOSE deleted file mode 100644 index 048ed68..0000000 --- a/tests/non-root-user-download/PURPOSE +++ /dev/null @@ -1,3 +0,0 @@ -PURPOSE of /CoreOS/curl/Sanity/non-root-user-download -Description: various download methods with non-root user -Author: Karel Srot diff --git a/tests/non-root-user-download/main.fmf b/tests/non-root-user-download/main.fmf new file mode 100644 index 0000000..15c0c12 --- /dev/null +++ b/tests/non-root-user-download/main.fmf @@ -0,0 +1,17 @@ +summary: various download methods with non-root user +description: '' +contact: Daniel Rusek +component: + - curl +require: + - findutils + - libselinux-utils + - openssh-clients + - passwd +test: ./runtest.sh +framework: beakerlib +duration: 5m +enabled: true +tier: '1' +link: + - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1049921 diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh old mode 100644 new mode 100755 index 1b5f8f1..fd5f375 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -27,7 +27,6 @@ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Include Beaker environment -. /usr/bin/rhts-environment.sh || exit 1 . /usr/share/beakerlib/beakerlib.sh || exit 1 PACKAGE="curl" diff --git a/tests/non-root-user-download/runtest.yml b/tests/non-root-user-download/runtest.yml deleted file mode 100644 index c03e729..0000000 --- a/tests/non-root-user-download/runtest.yml +++ /dev/null @@ -1,64 +0,0 @@ -- hosts: '{{ hosts | default("localhost") }}' - vars: - package: "curl" - tasks: - - name: "Set Content variables" - set_fact: - content: "a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed" - password: "pAssw0rd" - crypt_password: "$6$/5GE87XLYLLfB3qx$w84Kct34UZG/4buTSXWkaaVIsw2xGXSAdmnS2QYdG8TtRgTsBnHdFdSkhoy.tKIE6A6LKlxczIZjQbpB19k7B1" - - name: "Create user curltester" - user: - name: "curltester" - password: "{{ crypt_password }}" - - name: "Copy testfile" - copy: - dest: "/home/curltester/testfile" - content: "{{ content }}" - - block: - - name: "http download" - command: "curl https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM" - args: - warn: false - register: http - become: yes - become_user: curltester - - name: "Compare http output" - fail: - msg: "{{ content }} not in {{ http.stdout }}" - when: content not in http.stdout - - name: "ftp download" - command: "curl ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM" - args: - warn: false - register: ftp - become: yes - become_user: curltester - - name: "Compare ftp output" - fail: - msg: "{{ content }} not in {{ ftp.stdout }}" - when: content not in ftp.stdout - - name: "scp download" - command: "curl -u curltester:{{ password }} --insecure scp://localhost/home/curltester/testfile" - args: - warn: false - register: scp - - name: "Compare scp output" - fail: - msg: "{{ content }} not in {{ scp.stdout }}" - when: content not in scp.stdout - - name: "sftp download" - command: "curl -u curltester:{{ password }} --insecure sftp://localhost/home/curltester/testfile" - args: - warn: false - register: sftp - - name: "Compare sftp output" - fail: - msg: "{{ content }} not in {{ sftp.stdout }}" - when: content not in sftp.stdout - always: - - name: "Remove user curltester" - user: - name: "curltester" - remove: yes - state: absent diff --git a/tests/scp-and-sftp-download-test/Makefile b/tests/scp-and-sftp-download-test/Makefile deleted file mode 100644 index b4d1c52..0000000 --- a/tests/scp-and-sftp-download-test/Makefile +++ /dev/null @@ -1,63 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/curl/Sanity/scp-and-sftp-download-test -# Description: downloads test file through scp and sftp -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2012 Red Hat, Inc. All rights reserved. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/curl/Sanity/scp-and-sftp-download-test -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Karel Srot " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: downloads test file through scp and sftp" >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 10m" >> $(METADATA) - @echo "RunFor: curl" >> $(METADATA) - @echo "Requires: curl openssh" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/scp-and-sftp-download-test/PURPOSE b/tests/scp-and-sftp-download-test/PURPOSE deleted file mode 100644 index 03adc4c..0000000 --- a/tests/scp-and-sftp-download-test/PURPOSE +++ /dev/null @@ -1,12 +0,0 @@ -PURPOSE of /CoreOS/curl/Sanity/scp-and-sftp-download-test -Description: downloads test file through scp and sftp -Author: Karel Srot - -Test scenario: -- scp download -- sftp download -- scp upload -- sftp upload - -When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed -with empty --pubkey parameter (--pubkey "") or with the paramiter omitted diff --git a/tests/scp-and-sftp-download-test/main.fmf b/tests/scp-and-sftp-download-test/main.fmf new file mode 100644 index 0000000..b69aff6 --- /dev/null +++ b/tests/scp-and-sftp-download-test/main.fmf @@ -0,0 +1,20 @@ +summary: downloads test file through scp and sftp +description: | + Test scenario: + - scp download + - sftp download + - scp upload + - sftp upload + + When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed + with empty --pubkey parameter (--pubkey "") or with the paramiter omitted +contact: Daniel Rusek +require: + - findutils +component: + - curl +test: ./runtest.sh +path: /tests/scp-and-sftp-download-test +framework: beakerlib +duration: 10m +enabled: true diff --git a/tests/scp-and-sftp-download-test/runtest.sh b/tests/scp-and-sftp-download-test/runtest.sh old mode 100644 new mode 100755 index 6e5d748..9cf9a2c --- a/tests/scp-and-sftp-download-test/runtest.sh +++ b/tests/scp-and-sftp-download-test/runtest.sh @@ -27,8 +27,7 @@ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Include Beaker environment -. /usr/bin/rhts-environment.sh -. /usr/lib/beakerlib/beakerlib.sh +. /usr/share/beakerlib/beakerlib.sh || exit 1 PACKAGE="curl" diff --git a/tests/tests.yml b/tests/tests.yml deleted file mode 100644 index 819d636..0000000 --- a/tests/tests.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Tests for Classic -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - classic - tests: - - scp-and-sftp-download-test - - non-root-user-download - required_packages: - - findutils # non-root-user-download needs find command - # scp-and-sftp-download-test needs find command - - passwd # non-root-user-download needs passwd command - - openssh-clients # non-root-user-download needs ssh-keyscan command - -# Tests for Atomic -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - atomic - tests: - - scp-and-sftp-download-test - - non-root-user-download - From 94a3e807dda3a194551fa20c15281970b726e668 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 26 Oct 2021 17:15:50 +0200 Subject: [PATCH 135/256] Related: #2005874 - re-enable HSTS in libcurl-minimal ... as a security feature --- curl.spec | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index 225b369..9a107c1 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.79.1 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -232,8 +232,9 @@ mkdir build-{full,minimal} export common_configure_opts=" \ --cache-file=../config.cache \ --disable-static \ - --enable-symbol-hiding \ + --enable-hsts \ --enable-ipv6 \ + --enable-symbol-hiding \ --enable-threaded-resolver \ --without-zstd \ --with-gssapi \ @@ -248,7 +249,6 @@ export common_configure_opts=" \ %configure $common_configure_opts \ --disable-dict \ --disable-gopher \ - --disable-hsts \ --disable-imap \ --disable-ldap \ --disable-ldaps \ @@ -275,7 +275,6 @@ export common_configure_opts=" \ %configure $common_configure_opts \ --enable-dict \ --enable-gopher \ - --enable-hsts \ --enable-imap \ --enable-ldap \ --enable-ldaps \ @@ -406,6 +405,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Oct 26 2021 Kamil Dudka - 7.79.1-3 +- re-enable HSTS in libcurl-minimal as a security feature (#2005874) + * Mon Oct 04 2021 Kamil Dudka - 7.79.1-2 - disable more protocols and features in libcurl-minimal (#2005874) From ac00a5bac07defe453f5f799a6b373ecf1eec1c0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 27 Oct 2021 13:23:58 +0200 Subject: [PATCH 136/256] temporarily disable tests 300{0,1} on x86_64 stunnel clashes with itself --- curl.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/curl.spec b/curl.spec index 9a107c1..0fe142a 100644 --- a/curl.spec +++ b/curl.spec @@ -212,6 +212,11 @@ printf "582\n1452\n" >> tests/data/DISABLED printf "702\n703\n716\n" >> tests/data/DISABLED %endif +# temporarily disable tests 300{0,1} on x86_64 (stunnel clashes with itself) +%ifarch x86_64 +printf "3000\n3001\n" >> tests/data/DISABLED +%endif + # adapt test 323 for updated OpenSSL sed -e 's|^35$|35,52|' -i tests/data/test323 From ef0743b641e0a66eb31c07b481c7f4c6cd799bd0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 10 Nov 2021 09:03:13 +0100 Subject: [PATCH 137/256] new upstream release - 7.80.0 --- curl-7.79.1.tar.xz.asc | 11 ----------- curl-7.80.0.tar.xz.asc | 11 +++++++++++ curl.spec | 7 +++++-- sources | 2 +- 4 files changed, 17 insertions(+), 14 deletions(-) delete mode 100644 curl-7.79.1.tar.xz.asc create mode 100644 curl-7.80.0.tar.xz.asc diff --git a/curl-7.79.1.tar.xz.asc b/curl-7.79.1.tar.xz.asc deleted file mode 100644 index 47f281b..0000000 --- a/curl-7.79.1.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmFKyZYACgkQXMkI/bce -EsKyewgAivvAdC3J5DBsXlR7NMWpdbVVbT87m8ONxaIflFjwrIPdaazgiX/dsiS9 -zNaPQe5k5JH0DoQipiebrg4Zi248TTqH8GXi1sAlsqBFjWroYoeKxeCkSLOsFDVj -ahZp2UM6FZTTUAQElw92+xlHJ1eD5L5CzIc+VLeVi4PAysrB1L4tPDmOFEfS1iZl -wLzxKHuNnuDMWaizfxt9F2yc/ct++sNNuBZ8FHv4nJRIEANY/nCpttQFGgjS8V8l -b22q5yIQez7zsCc9o7phS+CWLYEEgrcM+Qw7bmj1ANPgNlQ/dP5FKIwreZB1s5uV -FBq4pS30d/CfaaE0vZ27D1G6ZoLvyA== -=oayQ ------END PGP SIGNATURE----- diff --git a/curl-7.80.0.tar.xz.asc b/curl-7.80.0.tar.xz.asc new file mode 100644 index 0000000..8b45339 --- /dev/null +++ b/curl-7.80.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmGLaNoACgkQXMkI/bce +EsKjDQgAgGlHB1nwcbahhkHWVnEqBrDrMFnKvGe8uCtJHnpRxrYfWceck3j8gZBV +V4xKrz3g/nTVu9p7QjEta/ZHP9TW1TJKePH6mqe31GtXGqUURTVz3XKusvyVwLYy +qqf2vA+3QKCTFM/xbP33W5eFUYA9KvdWGeRe34WoL5i2IpsElacehzg69eIfU5uK +yreJcAHHYgLWPwE2ipMBDiBZa1sz5wTAC3RXzfGHjcCvYHlrqC7CVAyWXy3xL/j2 +d8MUkqL3lKGlVRaNPYWAq6shw1hNw+i86DHcxiKeZKgF0vRk3NqhFH6dRFUS6N4w +f3GZ72waLPhwfIL/d08WAD1jZZQang== +=uLqC +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 0fe142a..f00ef27 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.79.1 -Release: 3%{?dist} +Version: 7.80.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -410,6 +410,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Nov 10 2021 Kamil Dudka - 7.80.0-1 +- new upstream release + * Tue Oct 26 2021 Kamil Dudka - 7.79.1-3 - re-enable HSTS in libcurl-minimal as a security feature (#2005874) diff --git a/sources b/sources index fe8ddcf..9500493 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.79.1.tar.xz) = 1edb71647a7f4dbb070baf1a019b4751aefeda793ff523c504410bb5cc74e5bffc52f20dd889697d1585f9ca3c4e81b1a9caadd182c30c8358ffd25f33e4db4d +SHA512 (curl-7.80.0.tar.xz) = e04ddd74b0d5b3607a29bcf5d379d83a01c7dffa4ad3e2f25d8c85a3df7dbdb0625b0df1f04f02351695674502828e0e17e8b46c889cbf1e43f86d6e6dd716ab From 503307b6877b3e7650b668756ab48e69fc531a8e Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 14 Nov 2021 17:06:12 +0000 Subject: [PATCH 138/256] sshserver.pl (used in test suite) now requires the Digest::SHA perl module --- ...-tests-3021-and-3022-require-libssh2.patch | 45 +++++++++++++++++++ curl.spec | 10 ++++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 0001-tests-3021-and-3022-require-libssh2.patch diff --git a/0001-tests-3021-and-3022-require-libssh2.patch b/0001-tests-3021-and-3022-require-libssh2.patch new file mode 100644 index 0000000..53b74a6 --- /dev/null +++ b/0001-tests-3021-and-3022-require-libssh2.patch @@ -0,0 +1,45 @@ +From 4825d0cd3af5a5e51bb5e045cb12283138620d0c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 13 Nov 2021 23:10:42 +0100 +Subject: [PATCH] test302[12]: run only with the libssh2 backend + +... as the others don't support --hostpubsha256 + +Reported-by: Paul Howarth +Fixes #8009 +Closes #8010 +--- + tests/data/test3021 | 4 ++++ + tests/data/test3022 | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/tests/data/test3021 b/tests/data/test3021 +index 0a02e18443e4..bd6ae8d6dc47 100644 +--- a/tests/data/test3021 ++++ b/tests/data/test3021 +@@ -17,6 +17,10 @@ test + # + # Client-side + ++# so far only the libssh2 backend supports SHA256 ++ ++libssh2 ++ + + sftp + +diff --git a/tests/data/test3022 b/tests/data/test3022 +index f3477909d698..db24ca9f4a01 100644 +--- a/tests/data/test3022 ++++ b/tests/data/test3022 +@@ -17,6 +17,10 @@ test + # + # Client-side + ++# so far only the libssh2 backend supports SHA256 ++ ++libssh2 ++ + + scp + diff --git a/curl.spec b/curl.spec index f00ef27..baddb24 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.80.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# patch to skip tests 3031/2 unless SSH backend is libssh2 +Patch1: 0001-tests-3021-and-3022-require-libssh2.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -63,6 +66,7 @@ BuildRequires: nghttp2 # perl modules used in the test suite BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) +BuildRequires: perl(Digest::SHA) BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) @@ -183,6 +187,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -410,6 +415,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Sun Nov 14 2021 Paul Howarth - 7.80.0-2 +- sshserver.pl (used in test suite) now requires the Digest::SHA perl module + * Wed Nov 10 2021 Kamil Dudka - 7.80.0-1 - new upstream release From 3e801a6f9fe0124d587a6ce2f9cd33c243d6e1f9 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 5 Jan 2022 09:34:15 +0100 Subject: [PATCH 139/256] new upstream release - 7.81.0 --- ...-tests-3021-and-3022-require-libssh2.patch | 45 ------------------- curl-7.80.0.tar.xz.asc | 11 ----- curl-7.81.0.tar.xz.asc | 11 +++++ curl.spec | 11 +++-- sources | 2 +- 5 files changed, 17 insertions(+), 63 deletions(-) delete mode 100644 0001-tests-3021-and-3022-require-libssh2.patch delete mode 100644 curl-7.80.0.tar.xz.asc create mode 100644 curl-7.81.0.tar.xz.asc diff --git a/0001-tests-3021-and-3022-require-libssh2.patch b/0001-tests-3021-and-3022-require-libssh2.patch deleted file mode 100644 index 53b74a6..0000000 --- a/0001-tests-3021-and-3022-require-libssh2.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 4825d0cd3af5a5e51bb5e045cb12283138620d0c Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sat, 13 Nov 2021 23:10:42 +0100 -Subject: [PATCH] test302[12]: run only with the libssh2 backend - -... as the others don't support --hostpubsha256 - -Reported-by: Paul Howarth -Fixes #8009 -Closes #8010 ---- - tests/data/test3021 | 4 ++++ - tests/data/test3022 | 4 ++++ - 2 files changed, 8 insertions(+) - -diff --git a/tests/data/test3021 b/tests/data/test3021 -index 0a02e18443e4..bd6ae8d6dc47 100644 ---- a/tests/data/test3021 -+++ b/tests/data/test3021 -@@ -17,6 +17,10 @@ test - # - # Client-side - -+# so far only the libssh2 backend supports SHA256 -+ -+libssh2 -+ - - sftp - -diff --git a/tests/data/test3022 b/tests/data/test3022 -index f3477909d698..db24ca9f4a01 100644 ---- a/tests/data/test3022 -+++ b/tests/data/test3022 -@@ -17,6 +17,10 @@ test - # - # Client-side - -+# so far only the libssh2 backend supports SHA256 -+ -+libssh2 -+ - - scp - diff --git a/curl-7.80.0.tar.xz.asc b/curl-7.80.0.tar.xz.asc deleted file mode 100644 index 8b45339..0000000 --- a/curl-7.80.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmGLaNoACgkQXMkI/bce -EsKjDQgAgGlHB1nwcbahhkHWVnEqBrDrMFnKvGe8uCtJHnpRxrYfWceck3j8gZBV -V4xKrz3g/nTVu9p7QjEta/ZHP9TW1TJKePH6mqe31GtXGqUURTVz3XKusvyVwLYy -qqf2vA+3QKCTFM/xbP33W5eFUYA9KvdWGeRe34WoL5i2IpsElacehzg69eIfU5uK -yreJcAHHYgLWPwE2ipMBDiBZa1sz5wTAC3RXzfGHjcCvYHlrqC7CVAyWXy3xL/j2 -d8MUkqL3lKGlVRaNPYWAq6shw1hNw+i86DHcxiKeZKgF0vRk3NqhFH6dRFUS6N4w -f3GZ72waLPhwfIL/d08WAD1jZZQang== -=uLqC ------END PGP SIGNATURE----- diff --git a/curl-7.81.0.tar.xz.asc b/curl-7.81.0.tar.xz.asc new file mode 100644 index 0000000..08aa7ea --- /dev/null +++ b/curl-7.81.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmHVTjsACgkQXMkI/bce +EsLAggf/dMpvzTs3GEKddYzD/73UGJt5rqSYEc93KilASwUGWC3LnZ1hwY+wunmf +z04ULsN6VkUFLDlbVaQvfMA6XyWBXS5QI34ztfHbiTsAtLwqHBtHBAL0uPn+y2bB ++r6O/rOtd5isPgm5H+MIfPphQWOj5va0vQ9r3e2sr8+Nma8Th1qtFALoCQi6kftK +6Aa9ZI2BYyosDUwT5PNsrZ941wFHtQJQpcVb1SaEwIWiMUSkTkUKk6dHxFnT9mkV +uakgAd2AmyJ6O5cAeGlYX7IZxvdhKqd6/+KkmKD4zzgQLKEl2pUtaieTJqsp1zSU +9kyUFaMR4XzSjdCOtVh5RCxURzMNhg== +=kV6S +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index baddb24..ca9d274 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.80.0 -Release: 2%{?dist} +Version: 7.81.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# patch to skip tests 3031/2 unless SSH backend is libssh2 -Patch1: 0001-tests-3021-and-3022-require-libssh2.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -187,7 +184,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -415,6 +411,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jan 05 2022 Kamil Dudka - 7.81.0-1 +- new upstream release + * Sun Nov 14 2021 Paul Howarth - 7.80.0-2 - sshserver.pl (used in test suite) now requires the Digest::SHA perl module diff --git a/sources b/sources index 9500493..eb1e3bc 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.80.0.tar.xz) = e04ddd74b0d5b3607a29bcf5d379d83a01c7dffa4ad3e2f25d8c85a3df7dbdb0625b0df1f04f02351695674502828e0e17e8b46c889cbf1e43f86d6e6dd716ab +SHA512 (curl-7.81.0.tar.xz) = 38355aaee38db04bb2babdc5fd7a88284580c836d15df754f42b104997dd344b7841be8e53b4fc91aea31db170a7d6967c4976833eb4bfe0d265c7275c4800df From c3286199cbbef556d085b0537e2561cdc54ab8e8 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 20 Jan 2022 00:08:37 +0000 Subject: [PATCH 140/256] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index ca9d274..83070a1 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.81.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -411,6 +411,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jan 20 2022 Fedora Release Engineering - 7.81.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Wed Jan 05 2022 Kamil Dudka - 7.81.0-1 - new upstream release From d768f3c8142649d2bbcdb9082238b573c1d5713a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 10 Feb 2022 19:11:32 +0100 Subject: [PATCH 141/256] Pull in libcurl-minimal if installing curl-minimal curl-minimal has an automatically generated dependency on libcurl.so.4(), so it'd pull in either libcurl or libcurl-minimal. Let's make the second one preferred. $ sudo dnf install --releasever=rawhide --installroot=/var/tmp/f36-test --setopt install_weak_deps=False curl-minimal ... Total download size: 21 M Installed size: 64 M $ sudo dnf install --releasever=rawhide --installroot=/var/tmp/f36-test --setopt install_weak_deps=False curl-minimal libcurl-minimal ... Total download size: 18 M Installed size: 57 M --- curl.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 83070a1..0b6c7ed 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.81.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -152,6 +152,7 @@ documentation of the library, too. Summary: Conservatively configured build of curl for minimal installations Provides: curl = %{version}-%{release} Conflicts: curl +Suggests: libcurl-minimal RemovePathPostfixes: .minimal # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION @@ -411,6 +412,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Feb 10 2022 Zbigniew Jędrzejewski-Szmek - 7.81.0-3 +- Suggest libcurl-minimal in curl-minimal + * Thu Jan 20 2022 Fedora Release Engineering - 7.81.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From cf3c14e497c82d4294736a81e8c1b7620d16a472 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 24 Feb 2022 09:41:36 +0100 Subject: [PATCH 142/256] enable IDN support also in libcurl-minimal ... as requested at fedora devel mailing-list: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/SH5WAIBVF7GVSKL2VPMSQKY7BB4QYEB5/ --- curl.spec | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 0b6c7ed..834227b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.81.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -245,6 +245,7 @@ export common_configure_opts=" \ --enable-threaded-resolver \ --without-zstd \ --with-gssapi \ + --with-libidn2 \ --with-nghttp2 \ --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" @@ -271,7 +272,6 @@ export common_configure_opts=" \ --disable-tftp \ --disable-tls-srp \ --without-brotli \ - --without-libidn2 \ --without-libpsl \ --without-libssh ) @@ -297,7 +297,6 @@ export common_configure_opts=" \ --enable-tftp \ --enable-tls-srp \ --with-brotli \ - --with-libidn2 \ --with-libpsl \ --with-libssh ) @@ -412,6 +411,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Feb 24 2022 Kamil Dudka - 7.81.0-4 +- enable IDN support also in libcurl-minimal + * Thu Feb 10 2022 Zbigniew Jędrzejewski-Szmek - 7.81.0-3 - Suggest libcurl-minimal in curl-minimal From 4f4da0817def0b495735a426e5bf9309085ca05d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Sat, 5 Mar 2022 11:15:03 +0100 Subject: [PATCH 143/256] new upstream release - 7.82.0 --- curl-7.81.0.tar.xz.asc | 11 ----------- curl-7.82.0.tar.xz.asc | 11 +++++++++++ curl.spec | 7 +++++-- sources | 2 +- 4 files changed, 17 insertions(+), 14 deletions(-) delete mode 100644 curl-7.81.0.tar.xz.asc create mode 100644 curl-7.82.0.tar.xz.asc diff --git a/curl-7.81.0.tar.xz.asc b/curl-7.81.0.tar.xz.asc deleted file mode 100644 index 08aa7ea..0000000 --- a/curl-7.81.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmHVTjsACgkQXMkI/bce -EsLAggf/dMpvzTs3GEKddYzD/73UGJt5rqSYEc93KilASwUGWC3LnZ1hwY+wunmf -z04ULsN6VkUFLDlbVaQvfMA6XyWBXS5QI34ztfHbiTsAtLwqHBtHBAL0uPn+y2bB -+r6O/rOtd5isPgm5H+MIfPphQWOj5va0vQ9r3e2sr8+Nma8Th1qtFALoCQi6kftK -6Aa9ZI2BYyosDUwT5PNsrZ941wFHtQJQpcVb1SaEwIWiMUSkTkUKk6dHxFnT9mkV -uakgAd2AmyJ6O5cAeGlYX7IZxvdhKqd6/+KkmKD4zzgQLKEl2pUtaieTJqsp1zSU -9kyUFaMR4XzSjdCOtVh5RCxURzMNhg== -=kV6S ------END PGP SIGNATURE----- diff --git a/curl-7.82.0.tar.xz.asc b/curl-7.82.0.tar.xz.asc new file mode 100644 index 0000000..507084c --- /dev/null +++ b/curl-7.82.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmIjIysACgkQXMkI/bce +EsK2qQf/bcLm7LXO+Cvh0gbbIS9S5uT2/8g8AJ3/dFijs/BvqW85ajsfSCx9Z4+4 +Bad/CfZvuHoBMKKsSC9uSyBzv3UmupEHxYlIw0oik97Q0NDml5czsLJznGEtRiwh +DzOSl8hwLg3OhHXD/G239oSPk2b7ys1P7KQsdxadaxHaoVjFMT4qI0/1DQBKBb/C +AnzXcQUii3HEsPwnS7OmTvbXcDR6HS0Pq4b0Usop1YVppUlP5rG/gV6o7ogA13Cv +yssbfL8fGN3pSgJWtCLoxbIyZbRUROvR74u0ymlf5oLs4bCWzLR9pGKt+oM9YBGq +m9LkqrxKUEOp36vdLN4UgqGdWLa5zQ== +=/k1v +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 834227b..0e4f95e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.81.0 -Release: 4%{?dist} +Version: 7.82.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -411,6 +411,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Sat Mar 05 2022 Kamil Dudka - 7.82.0-1 +- new upstream release + * Thu Feb 24 2022 Kamil Dudka - 7.81.0-4 - enable IDN support also in libcurl-minimal diff --git a/sources b/sources index eb1e3bc..7c44f53 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.81.0.tar.xz) = 38355aaee38db04bb2babdc5fd7a88284580c836d15df754f42b104997dd344b7841be8e53b4fc91aea31db170a7d6967c4976833eb4bfe0d265c7275c4800df +SHA512 (curl-7.82.0.tar.xz) = a977d69360d1793f8872096a21f5c0271e7ad145cd69ad45f4056a0657772f0f298b04bdb41aefd4ea5c4478352c60d80b5a118642280a07a7198aa80ffb1d57 From cbc7b73e100155546f78c00c43019c5e23b17985 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 15 Mar 2022 12:53:45 +0100 Subject: [PATCH 144/256] openssl: fix incorrect CURLE_OUT_OF_MEMORY error ... on CN check failure, which was breaking the test-suite of pycurl. Reported-by: Lukas Zaoral --- 0001-curl-7.82.0-openssl-spurious-oom.patch | 36 +++++++++++++++++++++ curl.spec | 7 ++++ 2 files changed, 43 insertions(+) create mode 100644 0001-curl-7.82.0-openssl-spurious-oom.patch diff --git a/0001-curl-7.82.0-openssl-spurious-oom.patch b/0001-curl-7.82.0-openssl-spurious-oom.patch new file mode 100644 index 0000000..186134d --- /dev/null +++ b/0001-curl-7.82.0-openssl-spurious-oom.patch @@ -0,0 +1,36 @@ +From 58781adaaff911303f69876236918b9049dde926 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 8 Mar 2022 13:38:13 +0100 +Subject: [PATCH] openssl: fix CN check error code + +Due to a missing 'else' this returns error too easily. + +Regressed in: d15692ebb + +Reported-by: Kristoffer Gleditsch +Fixes #8559 +Closes #8560 + +Upstream-commit: 911714d617c106ed5d553bf003e34ec94ab6a136 +Signed-off-by: Kamil Dudka +--- + lib/vtls/openssl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 616a510..1bafe96 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn, + memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen); + peer_CN[peerlen] = '\0'; + } +- result = CURLE_OUT_OF_MEMORY; ++ else ++ result = CURLE_OUT_OF_MEMORY; + } + } + else /* not a UTF8 name */ +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index 0e4f95e..ce5b16e 100644 --- a/curl.spec +++ b/curl.spec @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure +Patch1: 0001-curl-7.82.0-openssl-spurious-oom.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -185,6 +188,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -411,6 +415,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Mar 15 2022 Kamil Dudka - 7.82.0-2 +- openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure + * Sat Mar 05 2022 Kamil Dudka - 7.82.0-1 - new upstream release From cd99025ff8e04abcbf1befe2c3ebefb6ad8df37f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 15 Mar 2022 12:57:49 +0100 Subject: [PATCH 145/256] curl.spec: bump release for the previous commit --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index ce5b16e..3d1f6b2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.82.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc From f17162c526cb5094b28a604c4e4550568a77c5b1 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 27 Apr 2022 13:38:35 +0200 Subject: [PATCH 146/256] new upstream release - 7.83.0 Resolves: CVE-2022-27774 - curl credential leak on redirect Resolves: CVE-2022-27776 - curl auth/cookie leak on redirect Resolves: CVE-2022-27775 - curl bad local IPv6 connection reuse Resolves: CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use --- .gitignore | 2 +- 0001-curl-7.82.0-openssl-spurious-oom.patch | 36 --------------------- curl-7.82.0.tar.xz.asc | 11 ------- curl.spec | 15 +++++---- sources | 3 +- 5 files changed, 12 insertions(+), 55 deletions(-) delete mode 100644 0001-curl-7.82.0-openssl-spurious-oom.patch delete mode 100644 curl-7.82.0.tar.xz.asc diff --git a/.gitignore b/.gitignore index 7dcfd8f..d7bfa33 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -/curl-[0-9.]*.tar.lzma /curl-[0-9.]*.tar.xz +/curl-[0-9.]*.tar.xz.asc diff --git a/0001-curl-7.82.0-openssl-spurious-oom.patch b/0001-curl-7.82.0-openssl-spurious-oom.patch deleted file mode 100644 index 186134d..0000000 --- a/0001-curl-7.82.0-openssl-spurious-oom.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 58781adaaff911303f69876236918b9049dde926 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 8 Mar 2022 13:38:13 +0100 -Subject: [PATCH] openssl: fix CN check error code - -Due to a missing 'else' this returns error too easily. - -Regressed in: d15692ebb - -Reported-by: Kristoffer Gleditsch -Fixes #8559 -Closes #8560 - -Upstream-commit: 911714d617c106ed5d553bf003e34ec94ab6a136 -Signed-off-by: Kamil Dudka ---- - lib/vtls/openssl.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 616a510..1bafe96 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn, - memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen); - peer_CN[peerlen] = '\0'; - } -- result = CURLE_OUT_OF_MEMORY; -+ else -+ result = CURLE_OUT_OF_MEMORY; - } - } - else /* not a UTF8 name */ --- -2.34.1 - diff --git a/curl-7.82.0.tar.xz.asc b/curl-7.82.0.tar.xz.asc deleted file mode 100644 index 507084c..0000000 --- a/curl-7.82.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmIjIysACgkQXMkI/bce -EsK2qQf/bcLm7LXO+Cvh0gbbIS9S5uT2/8g8AJ3/dFijs/BvqW85ajsfSCx9Z4+4 -Bad/CfZvuHoBMKKsSC9uSyBzv3UmupEHxYlIw0oik97Q0NDml5czsLJznGEtRiwh -DzOSl8hwLg3OhHXD/G239oSPk2b7ys1P7KQsdxadaxHaoVjFMT4qI0/1DQBKBb/C -AnzXcQUii3HEsPwnS7OmTvbXcDR6HS0Pq4b0Usop1YVppUlP5rG/gV6o7ogA13Cv -yssbfL8fGN3pSgJWtCLoxbIyZbRUROvR74u0ymlf5oLs4bCWzLR9pGKt+oM9YBGq -m9LkqrxKUEOp36vdLN4UgqGdWLa5zQ== -=/k1v ------END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 3d1f6b2..93b14e4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.82.0 -Release: 2%{?dist} +Version: 7.83.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure -Patch1: 0001-curl-7.82.0-openssl-spurious-oom.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -188,7 +185,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -415,6 +411,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Apr 27 2022 Kamil Dudka - 7.83.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-27774 - curl credential leak on redirect + CVE-2022-27776 - curl auth/cookie leak on redirect + CVE-2022-27775 - curl bad local IPv6 connection reuse + CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use + * Tue Mar 15 2022 Kamil Dudka - 7.82.0-2 - openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure diff --git a/sources b/sources index 7c44f53..f18cf42 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -SHA512 (curl-7.82.0.tar.xz) = a977d69360d1793f8872096a21f5c0271e7ad145cd69ad45f4056a0657772f0f298b04bdb41aefd4ea5c4478352c60d80b5a118642280a07a7198aa80ffb1d57 +SHA512 (curl-7.83.0.tar.xz) = be02bb2a8a3140eff3a9046f27cd4f872ed9ddaa644af49e56e5ef7dfec84a15b01db133469269437cddc937eda73953fa8c51bb758f7e98873822cd2290d3a9 +SHA512 (curl-7.83.0.tar.xz.asc) = 8fb90f9692f4fdb82ea49f0e5151219b2334da5d3910f28e787bb688fb055b8b028ccf75cdcc15cd9f86d780d479f88f902fef7d7b9e007a4b849cb25c6c13cc From 4ad1229e9d7e326a9f92e293970ea381b2f25c6c Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 May 2022 10:02:14 +0200 Subject: [PATCH 147/256] new upstream release - 7.83.1 Resolves: CVE-2022-27782 - fix too eager reuse of TLS and SSH connections Resolves: CVE-2022-27779 - do not accept cookies for TLD with trailing dot Resolves: CVE-2022-27778 - do not remove wrong file on error Resolves: CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names Resolves: CVE-2022-27780 - reject percent-encoded path separator in URL host --- curl.spec | 10 +++++++++- sources | 4 ++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 93b14e4..22bac0a 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.83.0 +Version: 7.83.1 Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -411,6 +411,14 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 11 2022 Kamil Dudka - 7.83.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-27782 - fix too eager reuse of TLS and SSH connections + CVE-2022-27779 - do not accept cookies for TLD with trailing dot + CVE-2022-27778 - do not remove wrong file on error + CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names + CVE-2022-27780 - reject percent-encoded path separator in URL host + * Wed Apr 27 2022 Kamil Dudka - 7.83.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2022-27774 - curl credential leak on redirect diff --git a/sources b/sources index f18cf42..7de7a70 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.83.0.tar.xz) = be02bb2a8a3140eff3a9046f27cd4f872ed9ddaa644af49e56e5ef7dfec84a15b01db133469269437cddc937eda73953fa8c51bb758f7e98873822cd2290d3a9 -SHA512 (curl-7.83.0.tar.xz.asc) = 8fb90f9692f4fdb82ea49f0e5151219b2334da5d3910f28e787bb688fb055b8b028ccf75cdcc15cd9f86d780d479f88f902fef7d7b9e007a4b849cb25c6c13cc +SHA512 (curl-7.83.1.tar.xz) = 2f63327d6d3687ba36fb7b8d5d3d15599eca33ebfb08681613612ea9c4b629d3b6ce4d2742fa1ebd7a997ed332001d3a4c798985f9277c83b9e7a9aecdb1b1ee +SHA512 (curl-7.83.1.tar.xz.asc) = f0d29de315488c844eb81ed5a89ed6334910970224c8cac43e7e6f2d58c35ad0064c0b6122e69b3a34ce91f4b56873c63e2e8aea1c602ef40711bfd62a01b191 From dd6ee45b2d117994b2b6922f8b1251c5c1b2c344 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Thu, 12 May 2022 10:15:57 +0200 Subject: [PATCH 148/256] tests/non-root-user-download: fix test failures --- tests/non-root-user-download/main.fmf | 1 + tests/non-root-user-download/runtest.sh | 14 ++++++++------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/tests/non-root-user-download/main.fmf b/tests/non-root-user-download/main.fmf index 15c0c12..2e3980f 100644 --- a/tests/non-root-user-download/main.fmf +++ b/tests/non-root-user-download/main.fmf @@ -7,6 +7,7 @@ require: - findutils - libselinux-utils - openssh-clients + - openssh-server - passwd test: ./runtest.sh framework: beakerlib diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index fd5f375..0529a12 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM -CONTENT=a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM +CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404 PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" @@ -46,9 +46,11 @@ rlJournalStart rlRun "useradd -m curltester" 0 "Adding the test user" rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user" rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile" + rlFileBackup --clean --missing-ok $HOME/.ssh /etc/hosts + rlRun "rm -f $HOME/.ssh/*" [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh ) - rlFileBackup $HOME/.ssh/known_hosts /etc/hosts - ssh-keygen -F localhost -f $HOME/.ssh/known_hosts || rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts" + rlRun "rlServiceStart sshd" + rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts" rlPhaseEnd rlPhaseStartTest "http download" @@ -81,7 +83,7 @@ if ! rlIsRHEL 5; then fi rlPhaseStartCleanup - rlRun "rm -f $HOME/.ssh/known_hosts" + rlRun "rlServiceRestore" rlFileRestore rlRun "popd" rlRun "rm -r $TmpDir" 0 "Removing tmp directory" From a4ed273b19474e930e1fa605c7ef05a663b9e841 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 27 Jun 2022 12:57:53 +0200 Subject: [PATCH 149/256] new upstream release - 7.84.0 Resolves: CVE-2022-32207 - Unpreserved file permissions Resolves: CVE-2022-32205 - Set-Cookie denial of service Resolves: CVE-2022-32206 - HTTP compression denial of service Resolves: CVE-2022-32208 - FTP-KRB bad message verification --- 0101-curl-7.32.0-multilib.patch | 8 ++++---- curl.spec | 9 ++++++++- sources | 4 ++-- 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 46c8986..63701c1 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -13,7 +13,7 @@ diff --git a/curl-config.in b/curl-config.in index 150004d..95d0759 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -76,7 +76,7 @@ while test $# -gt 0; do +@@ -78,7 +78,7 @@ while test $# -gt 0; do ;; --cc) @@ -22,7 +22,7 @@ index 150004d..95d0759 100644 ;; --prefix) -@@ -155,32 +155,19 @@ while test $# -gt 0; do +@@ -157,32 +157,19 @@ while test $# -gt 0; do ;; --libs) @@ -63,7 +63,7 @@ diff --git a/docs/curl-config.1 b/docs/curl-config.1 index 14a9d2b..ffcc004 100644 --- a/docs/curl-config.1 +++ b/docs/curl-config.1 -@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear +@@ -72,7 +72,9 @@ no, one or several names. If more than one name, they will appear comma-separated. (Added in 7.58.0) .IP "--static-libs" Shows the complete set of libs and other linker options you will need in order @@ -78,7 +78,7 @@ diff --git a/libcurl.pc.in b/libcurl.pc.in index 2ba9c39..f8f8b00 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -29,6 +29,7 @@ libdir=@libdir@ +@@ -31,6 +31,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" diff --git a/curl.spec b/curl.spec index 22bac0a..ec7925b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.83.1 +Version: 7.84.0 Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -411,6 +411,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 27 2022 Kamil Dudka - 7.84.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-32207 - Unpreserved file permissions + CVE-2022-32205 - Set-Cookie denial of service + CVE-2022-32206 - HTTP compression denial of service + CVE-2022-32208 - FTP-KRB bad message verification + * Wed May 11 2022 Kamil Dudka - 7.83.1-1 - new upstream release, which fixes the following vulnerabilities CVE-2022-27782 - fix too eager reuse of TLS and SSH connections diff --git a/sources b/sources index 7de7a70..2bfcb46 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.83.1.tar.xz) = 2f63327d6d3687ba36fb7b8d5d3d15599eca33ebfb08681613612ea9c4b629d3b6ce4d2742fa1ebd7a997ed332001d3a4c798985f9277c83b9e7a9aecdb1b1ee -SHA512 (curl-7.83.1.tar.xz.asc) = f0d29de315488c844eb81ed5a89ed6334910970224c8cac43e7e6f2d58c35ad0064c0b6122e69b3a34ce91f4b56873c63e2e8aea1c602ef40711bfd62a01b191 +SHA512 (curl-7.84.0.tar.xz) = 86231866a35593a1637fbc0c6af3b6761bdfd99fb35580cc52970c36f19604f93dce59fea67a1d5bb4b455f719307599c7916c77d14f2b661f6bf7fb1ca716ce +SHA512 (curl-7.84.0.tar.xz.asc) = 80ff5274277ad97448fa53511bab6e8a1c302bcb25fc0916d78b8dc6c6af43d944c37c4ed46668b651cc639ec4964780725117ca0e85168ea66ad7cc98d29702 From 768ce3965dcc9798e1a7dfd0de756ab159e04988 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 27 Jun 2022 17:00:18 +0200 Subject: [PATCH 150/256] test3026: disable valgrind It fails on x86_64 with: ``` Use --max-threads=INT to specify a larger number of threads and rerun valgrind valgrind: the 'impossible' happened: Max number of threads is too low host stacktrace: ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) sched status: running_tid=1 Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 [...] ``` --- 0102-curl-7.84.0-test3026.patch | 55 +++++++++++++++++++++++++++++++++ curl.spec | 4 +++ 2 files changed, 59 insertions(+) create mode 100644 0102-curl-7.84.0-test3026.patch diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch new file mode 100644 index 0000000..d92ed07 --- /dev/null +++ b/0102-curl-7.84.0-test3026.patch @@ -0,0 +1,55 @@ +From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 27 Jun 2022 16:50:57 +0200 +Subject: [PATCH] test3026: disable valgrind + +It fails on x86_64 with: +``` + Use --max-threads=INT to specify a larger number of threads + and rerun valgrind + valgrind: the 'impossible' happened: + Max number of threads is too low + host stacktrace: + ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + sched status: + running_tid=1 + Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) + ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) + ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) + ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) + ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) + ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) + ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) + client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 + valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 +[...] +``` +--- + tests/data/test3026 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/data/test3026 b/tests/data/test3026 +index fb80cc8..01f2ba5 100644 +--- a/tests/data/test3026 ++++ b/tests/data/test3026 +@@ -41,5 +41,8 @@ none + + 0 + ++ ++disable ++ + + +-- +2.35.3 + diff --git a/curl.spec b/curl.spec index ec7925b..405068d 100644 --- a/curl.spec +++ b/curl.spec @@ -13,6 +13,9 @@ Source2: mykey.asc # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch +# test3026: disable valgrind +Patch102: 0102-curl-7.84.0-test3026.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -188,6 +191,7 @@ be installed. # Fedora patches %patch101 -p1 +%patch102 -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 From 9ba06cfc6ed6b8057974a597b5f89941dd3ed4ed Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 27 Jun 2022 17:52:30 +0200 Subject: [PATCH 151/256] easy_lock.h: include sched.h if available to fix build --- 0001-curl-7.84.0-sched-yield.patch | 32 ++++++++++++++++++++++++++++++ curl.spec | 4 ++++ 2 files changed, 36 insertions(+) create mode 100644 0001-curl-7.84.0-sched-yield.patch diff --git a/0001-curl-7.84.0-sched-yield.patch b/0001-curl-7.84.0-sched-yield.patch new file mode 100644 index 0000000..104bd8b --- /dev/null +++ b/0001-curl-7.84.0-sched-yield.patch @@ -0,0 +1,32 @@ +From 711902d9e591947d5d8ec9568beab0c7d36b7dd0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 27 Jun 2022 08:46:21 +0200 +Subject: [PATCH] easy_lock.h: include sched.h if available to fix build + +Patched-by: Harry Sintonen + +Closes #9054 + +Upstream-commit: e2e7f54b7bea521fa8373095d0f43261a720cda0 +Signed-off-by: Kamil Dudka +--- + lib/easy_lock.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/easy_lock.h b/lib/easy_lock.h +index 819f50c..1f54289 100644 +--- a/lib/easy_lock.h ++++ b/lib/easy_lock.h +@@ -36,6 +36,9 @@ + + #elif defined (HAVE_ATOMIC) + #include ++#if defined(HAVE_SCHED_YIELD) ++#include ++#endif + + #define curl_simple_lock atomic_bool + #define CURL_SIMPLE_LOCK_INIT false +-- +2.35.3 + diff --git a/curl.spec b/curl.spec index 405068d..f3a2169 100644 --- a/curl.spec +++ b/curl.spec @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# easy_lock.h: include sched.h if available to fix build +Patch1: 0001-curl-7.84.0-sched-yield.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -188,6 +191,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 From f052e58217c1c715344ec5f7e2ab1187fe2c0ec7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 28 Jun 2022 09:04:19 +0200 Subject: [PATCH 152/256] test3026: avoid pthread_create() failure due to resource exhaustion on i386 --- 0102-curl-7.84.0-test3026.patch | 15 +++++++++++++++ curl.spec | 6 ++++++ 2 files changed, 21 insertions(+) diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index d92ed07..e00ef94 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -53,3 +53,18 @@ index fb80cc8..01f2ba5 100644 -- 2.35.3 +diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c +index 43fe335..70cd7a4 100644 +--- a/tests/libtest/lib3026.c ++++ b/tests/libtest/lib3026.c +@@ -63,8 +63,8 @@ int test(char *URL) + for(i = 0; i < tid_count; i++) { + int res = pthread_create(&tids[i], NULL, run_thread, &results[i]); + if(res) { +- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", +- __FILE__, __LINE__, res); ++ fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", ++ __FILE__, __LINE__, i, res); + tid_count = i; + test_failure = -1; + goto cleanup; diff --git a/curl.spec b/curl.spec index f3a2169..b2fd81e 100644 --- a/curl.spec +++ b/curl.spec @@ -227,6 +227,12 @@ printf "702\n703\n716\n" >> tests/data/DISABLED printf "3000\n3001\n" >> tests/data/DISABLED %endif +# test3026: avoid pthread_create() failure due to resource exhaustion on i386 +%ifarch %{ix86} +sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|' \ + -i tests/libtest/lib3026.c +%endif + # adapt test 323 for updated OpenSSL sed -e 's|^35$|35,52|' -i tests/data/test323 From 2fded2f1a8dc6bd3bcf7bdd44135fbd8b4dd8ff5 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 20 Jul 2022 23:54:27 +0000 Subject: [PATCH 153/256] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index b2fd81e..4c1098f 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.84.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -425,6 +425,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 20 2022 Fedora Release Engineering - 7.84.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Mon Jun 27 2022 Kamil Dudka - 7.84.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2022-32207 - Unpreserved file permissions From f58874c27163656243fe334ef1d3cb57accff788 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 25 Aug 2022 13:16:44 +0200 Subject: [PATCH 154/256] tests: fix http2 tests to use CRLF headers ... to make it work with nghttp2-1.49.0 --- 0002-curl-7.84.0-tests-http2.patch | 156 +++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 164 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.84.0-tests-http2.patch diff --git a/0002-curl-7.84.0-tests-http2.patch b/0002-curl-7.84.0-tests-http2.patch new file mode 100644 index 0000000..a6b9b62 --- /dev/null +++ b/0002-curl-7.84.0-tests-http2.patch @@ -0,0 +1,156 @@ +From 221905eca9fb4b82822b6a14ef6d82c98c5702d9 Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Thu, 25 Aug 2022 03:46:42 -0400 +Subject: [PATCH] tests: fix http2 tests to use CRLF headers + +Prior to this change some tests that rely on nghttpx proxy did not use +CRLF headers everywhere. Recent changes in nghttp2 (??? ref here) +requires curl's HTTP/1.1 test server to use CRLF headers. + +Fixes https://github.com/curl/curl/issues/9364 +Closes https://github.com/curl/curl/pull/9365 +--- + tests/data/test1700 | 34 +++++++++++++++++----------------- + tests/data/test1701 | 22 +++++++++++----------- + tests/data/test358 | 16 ++++++++-------- + tests/data/test359 | 16 ++++++++-------- + 4 files changed, 44 insertions(+), 44 deletions(-) + +diff --git a/tests/data/test1700 b/tests/data/test1700 +index 8b1ef4ae3..7f78bcf5f 100644 +--- a/tests/data/test1700 ++++ b/tests/data/test1700 +@@ -11,26 +11,26 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ + -foo- + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++ + -maa- + + +diff --git a/tests/data/test1701 b/tests/data/test1701 +index 3c1a2bd0b..22f6147d0 100644 +--- a/tests/data/test1701 ++++ b/tests/data/test1701 +@@ -11,17 +11,17 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ + -foo- + + +diff --git a/tests/data/test358 b/tests/data/test358 +index 8b4f66062..0f8a9801b 100644 +--- a/tests/data/test358 ++++ b/tests/data/test358 +@@ -12,14 +12,14 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 ++ + -foo- + + +diff --git a/tests/data/test359 b/tests/data/test359 +index a5ba4e3ae..0e684e39e 100644 +--- a/tests/data/test359 ++++ b/tests/data/test359 +@@ -12,14 +12,14 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 ++ + -foo- + + +-- +2.37.1 + diff --git a/curl.spec b/curl.spec index 4c1098f..ac30fa7 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.84.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -13,6 +13,9 @@ Source2: mykey.asc # easy_lock.h: include sched.h if available to fix build Patch1: 0001-curl-7.84.0-sched-yield.patch +# tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 +Patch2: 0002-curl-7.84.0-tests-http2.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -192,6 +195,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -425,6 +429,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Aug 25 2022 Kamil Dudka - 7.84.0-3 +- tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 + * Wed Jul 20 2022 Fedora Release Engineering - 7.84.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From 1322e86ddbb4f74d3ead55fba5c03468288e80f8 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 1 Sep 2022 13:38:12 +0200 Subject: [PATCH 155/256] new upstream release - 7.85.0 Resolves: CVE-2022-35252 - control code in cookie denial of service --- 0001-curl-7.84.0-sched-yield.patch | 32 ------ 0002-curl-7.84.0-tests-http2.patch | 156 ----------------------------- 0101-curl-7.32.0-multilib.patch | 2 +- 0102-curl-7.84.0-test3026.patch | 17 ++-- curl.spec | 16 ++- sources | 4 +- 6 files changed, 18 insertions(+), 209 deletions(-) delete mode 100644 0001-curl-7.84.0-sched-yield.patch delete mode 100644 0002-curl-7.84.0-tests-http2.patch diff --git a/0001-curl-7.84.0-sched-yield.patch b/0001-curl-7.84.0-sched-yield.patch deleted file mode 100644 index 104bd8b..0000000 --- a/0001-curl-7.84.0-sched-yield.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 711902d9e591947d5d8ec9568beab0c7d36b7dd0 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 27 Jun 2022 08:46:21 +0200 -Subject: [PATCH] easy_lock.h: include sched.h if available to fix build - -Patched-by: Harry Sintonen - -Closes #9054 - -Upstream-commit: e2e7f54b7bea521fa8373095d0f43261a720cda0 -Signed-off-by: Kamil Dudka ---- - lib/easy_lock.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/easy_lock.h b/lib/easy_lock.h -index 819f50c..1f54289 100644 ---- a/lib/easy_lock.h -+++ b/lib/easy_lock.h -@@ -36,6 +36,9 @@ - - #elif defined (HAVE_ATOMIC) - #include -+#if defined(HAVE_SCHED_YIELD) -+#include -+#endif - - #define curl_simple_lock atomic_bool - #define CURL_SIMPLE_LOCK_INIT false --- -2.35.3 - diff --git a/0002-curl-7.84.0-tests-http2.patch b/0002-curl-7.84.0-tests-http2.patch deleted file mode 100644 index a6b9b62..0000000 --- a/0002-curl-7.84.0-tests-http2.patch +++ /dev/null @@ -1,156 +0,0 @@ -From 221905eca9fb4b82822b6a14ef6d82c98c5702d9 Mon Sep 17 00:00:00 2001 -From: Jay Satiro -Date: Thu, 25 Aug 2022 03:46:42 -0400 -Subject: [PATCH] tests: fix http2 tests to use CRLF headers - -Prior to this change some tests that rely on nghttpx proxy did not use -CRLF headers everywhere. Recent changes in nghttp2 (??? ref here) -requires curl's HTTP/1.1 test server to use CRLF headers. - -Fixes https://github.com/curl/curl/issues/9364 -Closes https://github.com/curl/curl/pull/9365 ---- - tests/data/test1700 | 34 +++++++++++++++++----------------- - tests/data/test1701 | 22 +++++++++++----------- - tests/data/test358 | 16 ++++++++-------- - tests/data/test359 | 16 ++++++++-------- - 4 files changed, 44 insertions(+), 44 deletions(-) - -diff --git a/tests/data/test1700 b/tests/data/test1700 -index 8b1ef4ae3..7f78bcf5f 100644 ---- a/tests/data/test1700 -+++ b/tests/data/test1700 -@@ -11,26 +11,26 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Server: test-server/fake --Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT --ETag: "21025-dc7-39462498" --Accept-Ranges: bytes --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ - -foo- - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Content-Length: 6 --Connection: close --Content-Type: text/html -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+ - -maa- - - -diff --git a/tests/data/test1701 b/tests/data/test1701 -index 3c1a2bd0b..22f6147d0 100644 ---- a/tests/data/test1701 -+++ b/tests/data/test1701 -@@ -11,17 +11,17 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Server: test-server/fake --Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT --ETag: "21025-dc7-39462498" --Accept-Ranges: bytes --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ - -foo- - - -diff --git a/tests/data/test358 b/tests/data/test358 -index 8b4f66062..0f8a9801b 100644 ---- a/tests/data/test358 -+++ b/tests/data/test358 -@@ -12,14 +12,14 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes --Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -+ - -foo- - - -diff --git a/tests/data/test359 b/tests/data/test359 -index a5ba4e3ae..0e684e39e 100644 ---- a/tests/data/test359 -+++ b/tests/data/test359 -@@ -12,14 +12,14 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes --Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -+ - -foo- - - --- -2.37.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 63701c1..b4f8e2a 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -44,7 +44,7 @@ index 150004d..95d0759 100644 --static-libs) - if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ - else - echo "curl was built with static libraries disabled" >&2 - exit 1 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index e00ef94..8c4ddb5 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -34,8 +34,9 @@ It fails on x86_64 with: [...] ``` --- - tests/data/test3026 | 3 +++ - 1 file changed, 3 insertions(+) + tests/data/test3026 | 3 +++ + tests/libtest/lib3026.c | 4 ++-- + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/data/test3026 b/tests/data/test3026 index fb80cc8..01f2ba5 100644 @@ -50,16 +51,13 @@ index fb80cc8..01f2ba5 100644 + --- -2.35.3 - diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c index 43fe335..70cd7a4 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c -@@ -63,8 +63,8 @@ int test(char *URL) - for(i = 0; i < tid_count; i++) { - int res = pthread_create(&tids[i], NULL, run_thread, &results[i]); +@@ -123,8 +123,8 @@ int test(char *URL) + results[i] = CURL_LAST; /* initialize with invalid value */ + res = pthread_create(&tids[i], NULL, run_thread, &results[i]); if(res) { - fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", - __FILE__, __LINE__, res); @@ -68,3 +66,6 @@ index 43fe335..70cd7a4 100644 tid_count = i; test_failure = -1; goto cleanup; +-- +2.37.1 + diff --git a/curl.spec b/curl.spec index ac30fa7..3dcf355 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.84.0 -Release: 3%{?dist} +Version: 7.85.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,12 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# easy_lock.h: include sched.h if available to fix build -Patch1: 0001-curl-7.84.0-sched-yield.patch - -# tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 -Patch2: 0002-curl-7.84.0-tests-http2.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -194,8 +188,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 # Fedora patches %patch101 -p1 @@ -429,6 +421,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Sep 01 2022 Kamil Dudka - 7.85.0-3 +- new upstream release, which fixes the following vulnerability + CVE-2022-35252 - control code in cookie denial of service + * Thu Aug 25 2022 Kamil Dudka - 7.84.0-3 - tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 diff --git a/sources b/sources index 2bfcb46..3662440 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.84.0.tar.xz) = 86231866a35593a1637fbc0c6af3b6761bdfd99fb35580cc52970c36f19604f93dce59fea67a1d5bb4b455f719307599c7916c77d14f2b661f6bf7fb1ca716ce -SHA512 (curl-7.84.0.tar.xz.asc) = 80ff5274277ad97448fa53511bab6e8a1c302bcb25fc0916d78b8dc6c6af43d944c37c4ed46668b651cc639ec4964780725117ca0e85168ea66ad7cc98d29702 +SHA512 (curl-7.85.0.tar.xz) = b57cc31649a4f47cc4b482f56a85c86c8e8aaeaf01bc1b51b065fdb9145a9092bc52535e52a85a66432eb163605b2edbf5bc5c33ea6e40e50f26a69ad1365cbd +SHA512 (curl-7.85.0.tar.xz.asc) = 7022daf84b330b24112d595edee715cdeb881a4ba8a4fa7eec23aed28292e5d943af778f03aadd036d44d875f9e226096ea142d18afe516b6bdbd475fcd3aca6 From 4bceeec6e16b6b2d8e5c9eb90092aca5a9a2074d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 14:16:26 +0200 Subject: [PATCH 156/256] curl.spec: fix the last change log entry --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 3dcf355..6625b13 100644 --- a/curl.spec +++ b/curl.spec @@ -421,7 +421,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Thu Sep 01 2022 Kamil Dudka - 7.85.0-3 +* Thu Sep 01 2022 Kamil Dudka - 7.85.0-1 - new upstream release, which fixes the following vulnerability CVE-2022-35252 - control code in cookie denial of service From 3501daee0ba664ab3667dc0a56560a2a4b4b2113 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 14:24:08 +0200 Subject: [PATCH 157/256] new upstream release - 7.86.0 Resolves: CVE-2022-42916 - HSTS bypass via IDN Resolves: CVE-2022-42915 - HTTP proxy double-free Resolves: CVE-2022-35260 - .netrc parser out-of-bounds access Resolves: CVE-2022-32221 - POST following PUT confusion --- 0102-curl-7.84.0-test3026.patch | 2 +- curl.spec | 9 ++++++++- sources | 4 ++-- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 8c4ddb5..56b10c6 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -55,7 +55,7 @@ diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c index 43fe335..70cd7a4 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c -@@ -123,8 +123,8 @@ int test(char *URL) +@@ -139,8 +139,8 @@ int test(char *URL) results[i] = CURL_LAST; /* initialize with invalid value */ res = pthread_create(&tids[i], NULL, run_thread, &results[i]); if(res) { diff --git a/curl.spec b/curl.spec index 6625b13..3e17984 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.85.0 +Version: 7.86.0 Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -421,6 +421,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 26 2022 Kamil Dudka - 7.86.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-42916 - HSTS bypass via IDN + CVE-2022-42915 - HTTP proxy double-free + CVE-2022-35260 - .netrc parser out-of-bounds access + CVE-2022-32221 - POST following PUT confusion + * Thu Sep 01 2022 Kamil Dudka - 7.85.0-1 - new upstream release, which fixes the following vulnerability CVE-2022-35252 - control code in cookie denial of service diff --git a/sources b/sources index 3662440..45ced88 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.85.0.tar.xz) = b57cc31649a4f47cc4b482f56a85c86c8e8aaeaf01bc1b51b065fdb9145a9092bc52535e52a85a66432eb163605b2edbf5bc5c33ea6e40e50f26a69ad1365cbd -SHA512 (curl-7.85.0.tar.xz.asc) = 7022daf84b330b24112d595edee715cdeb881a4ba8a4fa7eec23aed28292e5d943af778f03aadd036d44d875f9e226096ea142d18afe516b6bdbd475fcd3aca6 +SHA512 (curl-7.86.0.tar.xz) = 18e03a3c00f22125e07bddb18becbf5acdca22baeb7b29f45ef189a5c56f95b2d51247813f7a9a90f04eb051739e9aa7d3a1c5be397bae75d763a2b918d1b656 +SHA512 (curl-7.86.0.tar.xz.asc) = 9e97d5f44b3c856f401fe30ba713e1ca1f74edfc693dc42f1ce8e43f9f6dd4bf6998c579bc9c5d0f749f475a7d67d232e92ab6f89b95141acdb53e149f2312f0 From 394bdcb95657341453d63fe508d549572fee9083 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 31 Oct 2022 09:34:58 +0100 Subject: [PATCH 158/256] fix regression in noproxy matching --- 0001-curl-7.86.0-noproxy.patch | 195 +++++++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 203 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.86.0-noproxy.patch diff --git a/0001-curl-7.86.0-noproxy.patch b/0001-curl-7.86.0-noproxy.patch new file mode 100644 index 0000000..c4ba638 --- /dev/null +++ b/0001-curl-7.86.0-noproxy.patch @@ -0,0 +1,195 @@ +From b0ff1fd270924c5eaec09687e3d279130123671a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 27 Oct 2022 13:54:27 +0200 +Subject: [PATCH 1/2] noproxy: also match with adjacent comma + +If the host name is an IP address and the noproxy string contained that +IP address with a following comma, it would erroneously not match. + +Extended test 1614 to verify this combo as well. + +Reported-by: Henning Schild + +Fixes #9813 +Closes #9814 + +Upstream-commit: efc286b7a62af0568fdcbf3c68791c9955182128 +Signed-off-by: Kamil Dudka +--- + lib/noproxy.c | 20 ++++++++++++-------- + tests/data/test1614 | 2 +- + tests/unit/unit1614.c | 14 ++++++++++++++ + 3 files changed, 27 insertions(+), 9 deletions(-) + +diff --git a/lib/noproxy.c b/lib/noproxy.c +index 81f1e09..d08a16b 100644 +--- a/lib/noproxy.c ++++ b/lib/noproxy.c +@@ -188,18 +188,22 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) + /* FALLTHROUGH */ + case TYPE_IPV6: { + const char *check = token; +- char *slash = strchr(check, '/'); ++ char *slash; + unsigned int bits = 0; + char checkip[128]; ++ if(tokenlen >= sizeof(checkip)) ++ /* this cannot match */ ++ break; ++ /* copy the check name to a temp buffer */ ++ memcpy(checkip, check, tokenlen); ++ checkip[tokenlen] = 0; ++ check = checkip; ++ ++ slash = strchr(check, '/'); + /* if the slash is part of this token, use it */ +- if(slash && (slash < &check[tokenlen])) { ++ if(slash) { + bits = atoi(slash + 1); +- /* copy the check name to a temp buffer */ +- if(tokenlen >= sizeof(checkip)) +- break; +- memcpy(checkip, check, tokenlen); +- checkip[ slash - check ] = 0; +- check = checkip; ++ *slash = 0; /* null terminate there */ + } + if(type == TYPE_IPV6) + match = Curl_cidr6_match(name, check, bits); +diff --git a/tests/data/test1614 b/tests/data/test1614 +index 4a9d54e..73bdbb4 100644 +--- a/tests/data/test1614 ++++ b/tests/data/test1614 +@@ -16,7 +16,7 @@ unittest + proxy + + +-cidr comparisons ++noproxy and cidr comparisons + + + +diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c +index 6028545..c2f563a 100644 +--- a/tests/unit/unit1614.c ++++ b/tests/unit/unit1614.c +@@ -77,6 +77,20 @@ UNITTEST_START + { NULL, NULL, 0, FALSE} /* end marker */ + }; + struct noproxy list[]= { ++ { "127.0.0.1", "127.0.0.1,localhost", TRUE}, ++ { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, ++ { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, ++ { "127.0.0.1", "127.0.0.1/28,localhost,", TRUE}, ++ { "127.0.0.1", "127.0.0.1/31,localhost,", TRUE}, ++ { "127.0.0.1", "localhost,127.0.0.1", TRUE}, ++ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." ++ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." ++ "0.0.1.127.0.0.1.127.0.0." /* 128 bytes "address" */, FALSE}, ++ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." ++ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." ++ "0.0.1.127.0.0.1.127.0.0" /* 127 bytes "address" */, FALSE}, ++ { "localhost", "localhost,127.0.0.1", TRUE}, ++ { "localhost", "127.0.0.1,localhost", TRUE}, + { "foobar", "barfoo", FALSE}, + { "foobar", "foobar", TRUE}, + { "192.168.0.1", "foobar", FALSE}, +-- +2.37.3 + + +From d539fd9f11e2a244dbab6b9171f5a9e5c86cc417 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 28 Oct 2022 10:51:49 +0200 +Subject: [PATCH 2/2] noproxy: fix tail-matching + +Also ignore trailing dots in both host name and comparison pattern. + +Regression in 7.86.0 (from 1e9a538e05c0) + +Extended test 1614 to verify better. + +Reported-by: Henning Schild +Fixes #9821 +Closes #9822 + +Upstream-commit: b830f9ba9e94acf672cd191993ff679fa888838b +Signed-off-by: Kamil Dudka +--- + lib/noproxy.c | 30 +++++++++++++++++++++++------- + tests/unit/unit1614.c | 9 +++++++++ + 2 files changed, 32 insertions(+), 7 deletions(-) + +diff --git a/lib/noproxy.c b/lib/noproxy.c +index d08a16b..01f8f47 100644 +--- a/lib/noproxy.c ++++ b/lib/noproxy.c +@@ -149,9 +149,14 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) + } + else { + unsigned int address; ++ namelen = strlen(name); + if(1 == Curl_inet_pton(AF_INET, name, &address)) + type = TYPE_IPV4; +- namelen = strlen(name); ++ else { ++ /* ignore trailing dots in the host name */ ++ if(name[namelen - 1] == '.') ++ namelen--; ++ } + } + + while(*p) { +@@ -173,12 +178,23 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) + if(tokenlen) { + switch(type) { + case TYPE_HOST: +- if(*token == '.') { +- ++token; +- --tokenlen; +- /* tailmatch */ +- match = (tokenlen <= namelen) && +- strncasecompare(token, name + (namelen - tokenlen), namelen); ++ /* ignore trailing dots in the token to check */ ++ if(token[tokenlen - 1] == '.') ++ tokenlen--; ++ ++ if(tokenlen && (*token == '.')) { ++ /* A: example.com matches '.example.com' ++ B: www.example.com matches '.example.com' ++ C: nonexample.com DOES NOT match '.example.com' ++ */ ++ if((tokenlen - 1) == namelen) ++ /* case A, exact match without leading dot */ ++ match = strncasecompare(token + 1, name, namelen); ++ else if(tokenlen < namelen) ++ /* case B, tailmatch with leading dot */ ++ match = strncasecompare(token, name + (namelen - tokenlen), ++ tokenlen); ++ /* case C passes through, not a match */ + } + else + match = (tokenlen == namelen) && +diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c +index c2f563a..8f62b70 100644 +--- a/tests/unit/unit1614.c ++++ b/tests/unit/unit1614.c +@@ -77,6 +77,15 @@ UNITTEST_START + { NULL, NULL, 0, FALSE} /* end marker */ + }; + struct noproxy list[]= { ++ { "www.example.com", "localhost,.example.com,.example.de", TRUE}, ++ { "www.example.com.", "localhost,.example.com,.example.de", TRUE}, ++ { "example.com", "localhost,.example.com,.example.de", TRUE}, ++ { "example.com.", "localhost,.example.com,.example.de", TRUE}, ++ { "www.example.com", "localhost,.example.com.,.example.de", TRUE}, ++ { "www.example.com", "localhost,www.example.com.,.example.de", TRUE}, ++ { "example.com", "localhost,example.com,.example.de", TRUE}, ++ { "example.com.", "localhost,example.com,.example.de", TRUE}, ++ { "www.example.com", "localhost,example.com,.example.de", FALSE}, + { "127.0.0.1", "127.0.0.1,localhost", TRUE}, + { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, + { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 3e17984..661e4fc 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.86.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# fix regression in noproxy matching +Patch1: 0001-curl-7.86.0-noproxy.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -188,6 +191,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -421,6 +425,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Oct 31 2022 Kamil Dudka - 7.86.0-2 +- fix regression in noproxy matching + * Wed Oct 26 2022 Kamil Dudka - 7.86.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2022-42916 - HSTS bypass via IDN From 7b44e0b7aa4e4876b7462879c701f1973f72f36d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 24 Nov 2022 16:25:47 +0100 Subject: [PATCH 159/256] Related: #2144277 - enforce versioned libnghttp2 dependency for libcurl --- curl.spec | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 661e4fc..dab163e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.86.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -104,6 +104,10 @@ BuildRequires: stunnel # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} +# require at least the version of libnghttp2 that we were built against, +# to ensure that we have the necessary symbols available (#2144277) +%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) @@ -127,6 +131,7 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} @@ -172,6 +177,7 @@ be installed. %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl = %{version}-%{release} Provides: libcurl%{?_isa} = %{version}-%{release} @@ -425,6 +431,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 24 2022 Kamil Dudka - 7.86.0-3 +- enforce versioned libnghttp2 dependency for libcurl (#2144277) + * Mon Oct 31 2022 Kamil Dudka - 7.86.0-2 - fix regression in noproxy matching From aa9b0f2a8fba03ad2806790c951b6eea4dc4e803 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 29 Nov 2022 12:07:37 +0100 Subject: [PATCH 160/256] Resolves: #2149224 - noproxy: tailmatch like in 7.85.0 and earlier --- 0001-curl-7.86.0-noproxy.patch | 106 ++++++++++++++++++++++++++++++++- curl.spec | 5 +- 2 files changed, 108 insertions(+), 3 deletions(-) diff --git a/0001-curl-7.86.0-noproxy.patch b/0001-curl-7.86.0-noproxy.patch index c4ba638..8f36502 100644 --- a/0001-curl-7.86.0-noproxy.patch +++ b/0001-curl-7.86.0-noproxy.patch @@ -1,7 +1,7 @@ From b0ff1fd270924c5eaec09687e3d279130123671a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 27 Oct 2022 13:54:27 +0200 -Subject: [PATCH 1/2] noproxy: also match with adjacent comma +Subject: [PATCH 1/3] noproxy: also match with adjacent comma If the host name is an IP address and the noproxy string contained that IP address with a following comma, it would erroneously not match. @@ -101,7 +101,7 @@ index 6028545..c2f563a 100644 From d539fd9f11e2a244dbab6b9171f5a9e5c86cc417 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 28 Oct 2022 10:51:49 +0200 -Subject: [PATCH 2/2] noproxy: fix tail-matching +Subject: [PATCH 2/3] noproxy: fix tail-matching Also ignore trailing dots in both host name and comparison pattern. @@ -193,3 +193,105 @@ index c2f563a..8f62b70 100644 -- 2.37.3 + +From 560b593cb9ba261169df5ea18ac8d0c188e239cd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 6 Nov 2022 23:19:51 +0100 +Subject: [PATCH 3/3] noproxy: tailmatch like in 7.85.0 and earlier + +A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work +differently than before. This restores the logic to how it used to work: + +All names listed in NO_PROXY are tailmatched against the used domain +name, if the lengths are identical it needs a full match. + +Update the docs, update test 1614. + +Reported-by: Stuart Henderson +Fixes #9842 +Closes #9858 + +Upstream-commit: b1953c1933b369b1217ef0f16053e26da63488c3 +Signed-off-by: Kamil Dudka +--- + docs/libcurl/opts/CURLOPT_NOPROXY.3 | 4 ---- + lib/noproxy.c | 32 +++++++++++++++-------------- + tests/unit/unit1614.c | 3 ++- + 3 files changed, 19 insertions(+), 20 deletions(-) + +diff --git a/docs/libcurl/opts/CURLOPT_NOPROXY.3 b/docs/libcurl/opts/CURLOPT_NOPROXY.3 +index 149eaac..98c7920 100644 +--- a/docs/libcurl/opts/CURLOPT_NOPROXY.3 ++++ b/docs/libcurl/opts/CURLOPT_NOPROXY.3 +@@ -41,10 +41,6 @@ list is matched as either a domain which contains the hostname, or the + hostname itself. For example, "ample.com" would match ample.com, ample.com:80, + and www.ample.com, but not www.example.com or ample.com.org. + +-If the name in the \fInoproxy\fP list has a leading period, it is a domain +-match against the provided host name. This way ".example.com" will switch off +-proxy use for both "www.example.com" as well as for "foo.example.com". +- + Setting the \fInoproxy\fP string to "" (an empty string) will explicitly + enable the proxy for all host names, even if there is an environment variable + set for it. +diff --git a/lib/noproxy.c b/lib/noproxy.c +index 01f8f47..31d1ca7 100644 +--- a/lib/noproxy.c ++++ b/lib/noproxy.c +@@ -183,22 +183,24 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) + tokenlen--; + + if(tokenlen && (*token == '.')) { +- /* A: example.com matches '.example.com' +- B: www.example.com matches '.example.com' +- C: nonexample.com DOES NOT match '.example.com' +- */ +- if((tokenlen - 1) == namelen) +- /* case A, exact match without leading dot */ +- match = strncasecompare(token + 1, name, namelen); +- else if(tokenlen < namelen) +- /* case B, tailmatch with leading dot */ +- match = strncasecompare(token, name + (namelen - tokenlen), +- tokenlen); +- /* case C passes through, not a match */ ++ /* ignore leading token dot as well */ ++ token++; ++ tokenlen--; + } +- else +- match = (tokenlen == namelen) && +- strncasecompare(token, name, namelen); ++ /* A: example.com matches 'example.com' ++ B: www.example.com matches 'example.com' ++ C: nonexample.com DOES NOT match 'example.com' ++ */ ++ if(tokenlen == namelen) ++ /* case A, exact match */ ++ match = strncasecompare(token, name, namelen); ++ else if(tokenlen < namelen) { ++ /* case B, tailmatch domain */ ++ match = (name[namelen - tokenlen - 1] == '.') && ++ strncasecompare(token, name + (namelen - tokenlen), ++ tokenlen); ++ } ++ /* case C passes through, not a match */ + break; + case TYPE_IPV4: + /* FALLTHROUGH */ +diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c +index 8f62b70..523d102 100644 +--- a/tests/unit/unit1614.c ++++ b/tests/unit/unit1614.c +@@ -85,7 +85,8 @@ UNITTEST_START + { "www.example.com", "localhost,www.example.com.,.example.de", TRUE}, + { "example.com", "localhost,example.com,.example.de", TRUE}, + { "example.com.", "localhost,example.com,.example.de", TRUE}, +- { "www.example.com", "localhost,example.com,.example.de", FALSE}, ++ { "nexample.com", "localhost,example.com,.example.de", FALSE}, ++ { "www.example.com", "localhost,example.com,.example.de", TRUE}, + { "127.0.0.1", "127.0.0.1,localhost", TRUE}, + { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, + { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index dab163e..68bd41e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.86.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -431,6 +431,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Nov 29 2022 Kamil Dudka - 7.86.0-4 +- noproxy: tailmatch like in 7.85.0 and earlier (#2149224) + * Thu Nov 24 2022 Kamil Dudka - 7.86.0-3 - enforce versioned libnghttp2 dependency for libcurl (#2144277) From 60cc0c557430b240f7fb79d33ed6bd932db63b36 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Dec 2022 13:48:45 +0100 Subject: [PATCH 161/256] new upstream release - 7.87.0 Resolves: CVE-2022-43552 - HTTP Proxy deny use-after-free Resolves: CVE-2022-43551 - Another HSTS bypass via IDN --- 0001-curl-7.86.0-noproxy.patch | 297 -------------------------------- 0102-curl-7.84.0-test3026.patch | 2 +- curl.spec | 13 +- sources | 4 +- 4 files changed, 10 insertions(+), 306 deletions(-) delete mode 100644 0001-curl-7.86.0-noproxy.patch diff --git a/0001-curl-7.86.0-noproxy.patch b/0001-curl-7.86.0-noproxy.patch deleted file mode 100644 index 8f36502..0000000 --- a/0001-curl-7.86.0-noproxy.patch +++ /dev/null @@ -1,297 +0,0 @@ -From b0ff1fd270924c5eaec09687e3d279130123671a Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 27 Oct 2022 13:54:27 +0200 -Subject: [PATCH 1/3] noproxy: also match with adjacent comma - -If the host name is an IP address and the noproxy string contained that -IP address with a following comma, it would erroneously not match. - -Extended test 1614 to verify this combo as well. - -Reported-by: Henning Schild - -Fixes #9813 -Closes #9814 - -Upstream-commit: efc286b7a62af0568fdcbf3c68791c9955182128 -Signed-off-by: Kamil Dudka ---- - lib/noproxy.c | 20 ++++++++++++-------- - tests/data/test1614 | 2 +- - tests/unit/unit1614.c | 14 ++++++++++++++ - 3 files changed, 27 insertions(+), 9 deletions(-) - -diff --git a/lib/noproxy.c b/lib/noproxy.c -index 81f1e09..d08a16b 100644 ---- a/lib/noproxy.c -+++ b/lib/noproxy.c -@@ -188,18 +188,22 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - /* FALLTHROUGH */ - case TYPE_IPV6: { - const char *check = token; -- char *slash = strchr(check, '/'); -+ char *slash; - unsigned int bits = 0; - char checkip[128]; -+ if(tokenlen >= sizeof(checkip)) -+ /* this cannot match */ -+ break; -+ /* copy the check name to a temp buffer */ -+ memcpy(checkip, check, tokenlen); -+ checkip[tokenlen] = 0; -+ check = checkip; -+ -+ slash = strchr(check, '/'); - /* if the slash is part of this token, use it */ -- if(slash && (slash < &check[tokenlen])) { -+ if(slash) { - bits = atoi(slash + 1); -- /* copy the check name to a temp buffer */ -- if(tokenlen >= sizeof(checkip)) -- break; -- memcpy(checkip, check, tokenlen); -- checkip[ slash - check ] = 0; -- check = checkip; -+ *slash = 0; /* null terminate there */ - } - if(type == TYPE_IPV6) - match = Curl_cidr6_match(name, check, bits); -diff --git a/tests/data/test1614 b/tests/data/test1614 -index 4a9d54e..73bdbb4 100644 ---- a/tests/data/test1614 -+++ b/tests/data/test1614 -@@ -16,7 +16,7 @@ unittest - proxy - - --cidr comparisons -+noproxy and cidr comparisons - - - -diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c -index 6028545..c2f563a 100644 ---- a/tests/unit/unit1614.c -+++ b/tests/unit/unit1614.c -@@ -77,6 +77,20 @@ UNITTEST_START - { NULL, NULL, 0, FALSE} /* end marker */ - }; - struct noproxy list[]= { -+ { "127.0.0.1", "127.0.0.1,localhost", TRUE}, -+ { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, -+ { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, -+ { "127.0.0.1", "127.0.0.1/28,localhost,", TRUE}, -+ { "127.0.0.1", "127.0.0.1/31,localhost,", TRUE}, -+ { "127.0.0.1", "localhost,127.0.0.1", TRUE}, -+ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." -+ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." -+ "0.0.1.127.0.0.1.127.0.0." /* 128 bytes "address" */, FALSE}, -+ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." -+ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." -+ "0.0.1.127.0.0.1.127.0.0" /* 127 bytes "address" */, FALSE}, -+ { "localhost", "localhost,127.0.0.1", TRUE}, -+ { "localhost", "127.0.0.1,localhost", TRUE}, - { "foobar", "barfoo", FALSE}, - { "foobar", "foobar", TRUE}, - { "192.168.0.1", "foobar", FALSE}, --- -2.37.3 - - -From d539fd9f11e2a244dbab6b9171f5a9e5c86cc417 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 28 Oct 2022 10:51:49 +0200 -Subject: [PATCH 2/3] noproxy: fix tail-matching - -Also ignore trailing dots in both host name and comparison pattern. - -Regression in 7.86.0 (from 1e9a538e05c0) - -Extended test 1614 to verify better. - -Reported-by: Henning Schild -Fixes #9821 -Closes #9822 - -Upstream-commit: b830f9ba9e94acf672cd191993ff679fa888838b -Signed-off-by: Kamil Dudka ---- - lib/noproxy.c | 30 +++++++++++++++++++++++------- - tests/unit/unit1614.c | 9 +++++++++ - 2 files changed, 32 insertions(+), 7 deletions(-) - -diff --git a/lib/noproxy.c b/lib/noproxy.c -index d08a16b..01f8f47 100644 ---- a/lib/noproxy.c -+++ b/lib/noproxy.c -@@ -149,9 +149,14 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - } - else { - unsigned int address; -+ namelen = strlen(name); - if(1 == Curl_inet_pton(AF_INET, name, &address)) - type = TYPE_IPV4; -- namelen = strlen(name); -+ else { -+ /* ignore trailing dots in the host name */ -+ if(name[namelen - 1] == '.') -+ namelen--; -+ } - } - - while(*p) { -@@ -173,12 +178,23 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - if(tokenlen) { - switch(type) { - case TYPE_HOST: -- if(*token == '.') { -- ++token; -- --tokenlen; -- /* tailmatch */ -- match = (tokenlen <= namelen) && -- strncasecompare(token, name + (namelen - tokenlen), namelen); -+ /* ignore trailing dots in the token to check */ -+ if(token[tokenlen - 1] == '.') -+ tokenlen--; -+ -+ if(tokenlen && (*token == '.')) { -+ /* A: example.com matches '.example.com' -+ B: www.example.com matches '.example.com' -+ C: nonexample.com DOES NOT match '.example.com' -+ */ -+ if((tokenlen - 1) == namelen) -+ /* case A, exact match without leading dot */ -+ match = strncasecompare(token + 1, name, namelen); -+ else if(tokenlen < namelen) -+ /* case B, tailmatch with leading dot */ -+ match = strncasecompare(token, name + (namelen - tokenlen), -+ tokenlen); -+ /* case C passes through, not a match */ - } - else - match = (tokenlen == namelen) && -diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c -index c2f563a..8f62b70 100644 ---- a/tests/unit/unit1614.c -+++ b/tests/unit/unit1614.c -@@ -77,6 +77,15 @@ UNITTEST_START - { NULL, NULL, 0, FALSE} /* end marker */ - }; - struct noproxy list[]= { -+ { "www.example.com", "localhost,.example.com,.example.de", TRUE}, -+ { "www.example.com.", "localhost,.example.com,.example.de", TRUE}, -+ { "example.com", "localhost,.example.com,.example.de", TRUE}, -+ { "example.com.", "localhost,.example.com,.example.de", TRUE}, -+ { "www.example.com", "localhost,.example.com.,.example.de", TRUE}, -+ { "www.example.com", "localhost,www.example.com.,.example.de", TRUE}, -+ { "example.com", "localhost,example.com,.example.de", TRUE}, -+ { "example.com.", "localhost,example.com,.example.de", TRUE}, -+ { "www.example.com", "localhost,example.com,.example.de", FALSE}, - { "127.0.0.1", "127.0.0.1,localhost", TRUE}, - { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, - { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, --- -2.37.3 - - -From 560b593cb9ba261169df5ea18ac8d0c188e239cd Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sun, 6 Nov 2022 23:19:51 +0100 -Subject: [PATCH 3/3] noproxy: tailmatch like in 7.85.0 and earlier - -A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work -differently than before. This restores the logic to how it used to work: - -All names listed in NO_PROXY are tailmatched against the used domain -name, if the lengths are identical it needs a full match. - -Update the docs, update test 1614. - -Reported-by: Stuart Henderson -Fixes #9842 -Closes #9858 - -Upstream-commit: b1953c1933b369b1217ef0f16053e26da63488c3 -Signed-off-by: Kamil Dudka ---- - docs/libcurl/opts/CURLOPT_NOPROXY.3 | 4 ---- - lib/noproxy.c | 32 +++++++++++++++-------------- - tests/unit/unit1614.c | 3 ++- - 3 files changed, 19 insertions(+), 20 deletions(-) - -diff --git a/docs/libcurl/opts/CURLOPT_NOPROXY.3 b/docs/libcurl/opts/CURLOPT_NOPROXY.3 -index 149eaac..98c7920 100644 ---- a/docs/libcurl/opts/CURLOPT_NOPROXY.3 -+++ b/docs/libcurl/opts/CURLOPT_NOPROXY.3 -@@ -41,10 +41,6 @@ list is matched as either a domain which contains the hostname, or the - hostname itself. For example, "ample.com" would match ample.com, ample.com:80, - and www.ample.com, but not www.example.com or ample.com.org. - --If the name in the \fInoproxy\fP list has a leading period, it is a domain --match against the provided host name. This way ".example.com" will switch off --proxy use for both "www.example.com" as well as for "foo.example.com". -- - Setting the \fInoproxy\fP string to "" (an empty string) will explicitly - enable the proxy for all host names, even if there is an environment variable - set for it. -diff --git a/lib/noproxy.c b/lib/noproxy.c -index 01f8f47..31d1ca7 100644 ---- a/lib/noproxy.c -+++ b/lib/noproxy.c -@@ -183,22 +183,24 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - tokenlen--; - - if(tokenlen && (*token == '.')) { -- /* A: example.com matches '.example.com' -- B: www.example.com matches '.example.com' -- C: nonexample.com DOES NOT match '.example.com' -- */ -- if((tokenlen - 1) == namelen) -- /* case A, exact match without leading dot */ -- match = strncasecompare(token + 1, name, namelen); -- else if(tokenlen < namelen) -- /* case B, tailmatch with leading dot */ -- match = strncasecompare(token, name + (namelen - tokenlen), -- tokenlen); -- /* case C passes through, not a match */ -+ /* ignore leading token dot as well */ -+ token++; -+ tokenlen--; - } -- else -- match = (tokenlen == namelen) && -- strncasecompare(token, name, namelen); -+ /* A: example.com matches 'example.com' -+ B: www.example.com matches 'example.com' -+ C: nonexample.com DOES NOT match 'example.com' -+ */ -+ if(tokenlen == namelen) -+ /* case A, exact match */ -+ match = strncasecompare(token, name, namelen); -+ else if(tokenlen < namelen) { -+ /* case B, tailmatch domain */ -+ match = (name[namelen - tokenlen - 1] == '.') && -+ strncasecompare(token, name + (namelen - tokenlen), -+ tokenlen); -+ } -+ /* case C passes through, not a match */ - break; - case TYPE_IPV4: - /* FALLTHROUGH */ -diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c -index 8f62b70..523d102 100644 ---- a/tests/unit/unit1614.c -+++ b/tests/unit/unit1614.c -@@ -85,7 +85,8 @@ UNITTEST_START - { "www.example.com", "localhost,www.example.com.,.example.de", TRUE}, - { "example.com", "localhost,example.com,.example.de", TRUE}, - { "example.com.", "localhost,example.com,.example.de", TRUE}, -- { "www.example.com", "localhost,example.com,.example.de", FALSE}, -+ { "nexample.com", "localhost,example.com,.example.de", FALSE}, -+ { "www.example.com", "localhost,example.com,.example.de", TRUE}, - { "127.0.0.1", "127.0.0.1,localhost", TRUE}, - { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, - { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, --- -2.37.3 - diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 56b10c6..1098583 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -55,7 +55,7 @@ diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c index 43fe335..70cd7a4 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c -@@ -139,8 +139,8 @@ int test(char *URL) +@@ -147,8 +147,8 @@ int test(char *URL) results[i] = CURL_LAST; /* initialize with invalid value */ res = pthread_create(&tids[i], NULL, run_thread, &results[i]); if(res) { diff --git a/curl.spec b/curl.spec index 68bd41e..76374f2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.86.0 -Release: 4%{?dist} +Version: 7.87.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix regression in noproxy matching -Patch1: 0001-curl-7.86.0-noproxy.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -197,7 +194,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -431,6 +427,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 21 2022 Kamil Dudka - 7.87.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-43552 - HTTP Proxy deny use-after-free + CVE-2022-43551 - Another HSTS bypass via IDN + * Tue Nov 29 2022 Kamil Dudka - 7.86.0-4 - noproxy: tailmatch like in 7.85.0 and earlier (#2149224) diff --git a/sources b/sources index 45ced88..7906eb7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.86.0.tar.xz) = 18e03a3c00f22125e07bddb18becbf5acdca22baeb7b29f45ef189a5c56f95b2d51247813f7a9a90f04eb051739e9aa7d3a1c5be397bae75d763a2b918d1b656 -SHA512 (curl-7.86.0.tar.xz.asc) = 9e97d5f44b3c856f401fe30ba713e1ca1f74edfc693dc42f1ce8e43f9f6dd4bf6998c579bc9c5d0f749f475a7d67d232e92ab6f89b95141acdb53e149f2312f0 +SHA512 (curl-7.87.0.tar.xz) = aa125991592667280dce3788aabe81487cf8c55b0afc59d675cc30b76055bb7114f5380b4a0e3b6461a8f81bf9812fa26d493a85f7e01d84263d484a0d699ee7 +SHA512 (curl-7.87.0.tar.xz.asc) = 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4 From 0d0fa259a721a1e599468c9c344176eac4099656 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Dec 2022 16:42:54 +0100 Subject: [PATCH 162/256] do not use stunnnel for testing on aarch64 The test 1561 intermittently fails when upstream test-suite runs for the second time during the build: ``` [ ] Initializing inetd mode configuration [ ] Clients allowed=500 [.] stunnel 5.66 on aarch64-redhat-linux-gnu platform [.] Compiled/running with OpenSSL 3.0.5 5 Jul 2022 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI [ ] errno: (*__errno_location ()) [ ] Initializing inetd mode configuration [.] Reading configuration from file /builddir/build/BUILD/curl-7.87.0/build-full/tests/https_stunnel.conf [.] UTF-8 byte order mark not detected [.] FIPS mode disabled [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [curltest] [ ] Using the default TLS version as specified in OpenSSL crypto policies. Not setting explicitly. [ ] Using the default TLS version as specified in OpenSSL crypto policies. Not setting explicitly [ ] stunnel default security level set: 2 [ ] Ciphers: PROFILE=SYSTEM [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 [ ] TLS options: 0x2100000 (+0x0, -0x0) [ ] Session resumption enabled [ ] Loading certificate from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem [ ] Certificate loaded from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem [ ] Loading private key from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem [ ] Private key loaded from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem [ ] Private key check succeeded [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 [ ] DH initialization [ ] Could not load DH parameters from /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem [ ] Using dynamic DH parameters [ ] ECDH initialization [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 [.] Configuration successful [ ] Deallocating deployed section defaults [ ] Binding service [curltest] [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to 0.0.0.0:24847: Address already in use (98) [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to :::24847: Address already in use (98) [!] Binding service [curltest] failed [ ] Unbinding service [curltest] [ ] Service [curltest] closed [ ] Deallocating deployed section defaults [ ] Deallocating section [curltest] [ ] Initializing inetd mode configuration ``` --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 76374f2..06caa54 100644 --- a/curl.spec +++ b/curl.spec @@ -93,8 +93,8 @@ BuildRequires: valgrind %endif # stunnel is used by upstream tests but it does not seem to work reliably -# on s390x and occasionally breaks some tests (mainly 1561 and 1562) -%ifnarch s390x +# on aarch64/s390x and occasionally breaks some tests (mainly 1561 and 1562) +%ifnarch aarch64 s390x BuildRequires: stunnel %endif From 04ebed546a2129a215ef7f8db67b906b7bcb6f12 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 Jan 2023 08:56:33 +0100 Subject: [PATCH 163/256] Related: #2143040 - test3012: temporarily disable valgrind --- 0103-curl-7.87.0-test3012.patch | 52 +++++++++++++++++++++++++++++++++ curl.spec | 9 +++++- 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 0103-curl-7.87.0-test3012.patch diff --git a/0103-curl-7.87.0-test3012.patch b/0103-curl-7.87.0-test3012.patch new file mode 100644 index 0000000..108d715 --- /dev/null +++ b/0103-curl-7.87.0-test3012.patch @@ -0,0 +1,52 @@ +From 0d0a256c8e7f6261d49e1bdd583c04c0e5dfe706 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 11 Jan 2023 08:53:05 +0100 +Subject: [PATCH] test3012: disable valgrind + +valgrind reports a call to memcpy() with overlapping blocks by mistake: +``` +test 3012...[--output-dir with -J] +../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind3012 ../src/curl --trace-ascii log/trace3012 --trace-time http://127.0.0.1:35981/this/is/the/3012 -OJ --output-dir /root/rpmbuild/BUILD/curl-7.86.0/build-minimal/tests/log >log/stdout3012 2>log/stderr3012 +CMD (0): ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind3012 ../src/curl --trace-ascii log/trace3012 --trace-time http://127.0.0.1:35981/this/is/the/3012 -OJ --output-dir /root/rpmbuild/BUILD/curl-7.86.0/build-minimal/tests/log >log/stdout3012 2>log/stderr3012 + valgrind ERROR ==496584== Source and destination overlap in memcpy_chk(0x54ad1a0, 0x54ad1a1, 11) +==496584== at 0x484C332: __memcpy_chk (vg_replace_strmem.c:1741) +==496584== by 0x118FDB: UnknownInlinedFun (string_fortified.h:36) +==496584== by 0x118FDB: UnknownInlinedFun (tool_cb_hdr.c:301) +==496584== by 0x118FDB: tool_header_cb (tool_cb_hdr.c:173) +==496584== by 0x489907B: chop_write.lto_priv.0 (sendf.c:620) +==496584== by 0x489CDD1: UnknownInlinedFun (http.c:4449) +==496584== by 0x489CDD1: UnknownInlinedFun (transfer.c:633) +==496584== by 0x489CDD1: Curl_readwrite (transfer.c:1219) +==496584== by 0x488C116: multi_runsingle (multi.c:2404) +==496584== by 0x488F491: curl_multi_perform (multi.c:2682) +==496584== by 0x486A9DA: UnknownInlinedFun (easy.c:663) +==496584== by 0x486A9DA: UnknownInlinedFun (easy.c:753) +==496584== by 0x486A9DA: curl_easy_perform (easy.c:772) +==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2406) +==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2594) +==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2706) +==496584== by 0x114B28: main (tool_main.c:284) +``` + +Bug: https://bugzilla.redhat.com/2143040 +--- + tests/data/test3012 | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tests/data/test3012 b/tests/data/test3012 +index 1889c93..ea43a49 100644 +--- a/tests/data/test3012 ++++ b/tests/data/test3012 +@@ -56,5 +56,9 @@ Accept: */* + + -foo- + ++ ++ ++disable ++ + + +-- +2.39.0 + diff --git a/curl.spec b/curl.spec index 06caa54..0101e2a 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,6 +16,9 @@ Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch +# test3012: temporarily disable valgrind (#2143040) +Patch103: 0103-curl-7.87.0-test3012.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -198,6 +201,7 @@ be installed. # Fedora patches %patch101 -p1 %patch102 -p1 +%patch103 -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 @@ -427,6 +431,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jan 11 2023 Kamil Dudka - 7.87.0-2 +- test3012: temporarily disable valgrind (#2143040) + * Wed Dec 21 2022 Kamil Dudka - 7.87.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2022-43552 - HTTP Proxy deny use-after-free From c3e870d57a2273f85a4619fb7b27e83caf4aacae Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 19 Jan 2023 00:50:41 +0000 Subject: [PATCH 164/256] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 0101e2a..e07cee5 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -431,6 +431,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jan 19 2023 Fedora Release Engineering - 7.87.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Wed Jan 11 2023 Kamil Dudka - 7.87.0-2 - test3012: temporarily disable valgrind (#2143040) From 8ff989f4fdfc54bad462c3c4363b8ec921710268 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 20 Jan 2023 17:48:02 +0100 Subject: [PATCH 165/256] Resolves: #2162716 - fix regression in a public header file --- 0001-curl-7.87.0-header-file-regression.patch | 55 +++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.87.0-header-file-regression.patch diff --git a/0001-curl-7.87.0-header-file-regression.patch b/0001-curl-7.87.0-header-file-regression.patch new file mode 100644 index 0000000..9c479dc --- /dev/null +++ b/0001-curl-7.87.0-header-file-regression.patch @@ -0,0 +1,55 @@ +From 613d3c45879636e88b88fcebee48dc77de345291 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Fri, 23 Dec 2022 15:35:27 +0100 +Subject: [PATCH] typecheck: accept expressions for option/info parameters + +As expressions can have side effects, evaluate only once. + +To enable deprecation reporting only once, get rid of the __typeof__ +use to define the local temporary variable and use the target type +(CURLoption/CURLINFO). This also avoids multiple reports on type +conflicts (if some) by the curlcheck_* macros. + +Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not +their values: a curl_easy_setopt call with an integer constant as option +will never report a deprecation. + +Reported-by: Thomas Klausner +Fixes #10148 +Closes #10149 + +Upstream-commit: e2aed004302e51cfa5b6ce8c8ab65ef92aa83196 +Signed-off-by: Kamil Dudka +--- + include/curl/typecheck-gcc.h | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h +index bf655bb..85aa8b7 100644 +--- a/include/curl/typecheck-gcc.h ++++ b/include/curl/typecheck-gcc.h +@@ -42,9 +42,8 @@ + */ + #define curl_easy_setopt(handle, option, value) \ + __extension__({ \ +- CURL_IGNORE_DEPRECATION(__typeof__(option) _curl_opt = option;) \ ++ CURLoption _curl_opt = (option); \ + if(__builtin_constant_p(_curl_opt)) { \ +- (void) option; \ + CURL_IGNORE_DEPRECATION( \ + if(curlcheck_long_option(_curl_opt)) \ + if(!curlcheck_long(value)) \ +@@ -120,9 +119,8 @@ + /* wraps curl_easy_getinfo() with typechecking */ + #define curl_easy_getinfo(handle, info, arg) \ + __extension__({ \ +- CURL_IGNORE_DEPRECATION(__typeof__(info) _curl_info = info;) \ ++ CURLINFO _curl_info = (info); \ + if(__builtin_constant_p(_curl_info)) { \ +- (void) info; \ + CURL_IGNORE_DEPRECATION( \ + if(curlcheck_string_info(_curl_info)) \ + if(!curlcheck_arr((arg), char *)) \ +-- +2.39.0 + diff --git a/curl.spec b/curl.spec index e07cee5..61f3004 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# fix regression in a public header file (#2162716) +Patch1: 0001-curl-7.87.0-header-file-regression.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -197,6 +200,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -431,6 +435,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jan 20 2023 Kamil Dudka - 7.87.0-4 +- fix regression in a public header file (#2162716) + * Thu Jan 19 2023 Fedora Release Engineering - 7.87.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From 98c91c9f34a7abcae20ea93db599e13cafffca12 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 10:05:29 +0100 Subject: [PATCH 166/256] new upstream release - 7.88.0 Resolves: CVE-2023-23916 - HTTP multi-header compression denial of service Resolves: CVE-2023-23915 - HSTS amnesia with --parallel Resolves: CVE-2023-23914 - HSTS ignored on multiple requests --- 0001-curl-7.87.0-header-file-regression.patch | 55 ------------------- curl.spec | 14 +++-- sources | 4 +- 3 files changed, 10 insertions(+), 63 deletions(-) delete mode 100644 0001-curl-7.87.0-header-file-regression.patch diff --git a/0001-curl-7.87.0-header-file-regression.patch b/0001-curl-7.87.0-header-file-regression.patch deleted file mode 100644 index 9c479dc..0000000 --- a/0001-curl-7.87.0-header-file-regression.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 613d3c45879636e88b88fcebee48dc77de345291 Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat -Date: Fri, 23 Dec 2022 15:35:27 +0100 -Subject: [PATCH] typecheck: accept expressions for option/info parameters - -As expressions can have side effects, evaluate only once. - -To enable deprecation reporting only once, get rid of the __typeof__ -use to define the local temporary variable and use the target type -(CURLoption/CURLINFO). This also avoids multiple reports on type -conflicts (if some) by the curlcheck_* macros. - -Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not -their values: a curl_easy_setopt call with an integer constant as option -will never report a deprecation. - -Reported-by: Thomas Klausner -Fixes #10148 -Closes #10149 - -Upstream-commit: e2aed004302e51cfa5b6ce8c8ab65ef92aa83196 -Signed-off-by: Kamil Dudka ---- - include/curl/typecheck-gcc.h | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h -index bf655bb..85aa8b7 100644 ---- a/include/curl/typecheck-gcc.h -+++ b/include/curl/typecheck-gcc.h -@@ -42,9 +42,8 @@ - */ - #define curl_easy_setopt(handle, option, value) \ - __extension__({ \ -- CURL_IGNORE_DEPRECATION(__typeof__(option) _curl_opt = option;) \ -+ CURLoption _curl_opt = (option); \ - if(__builtin_constant_p(_curl_opt)) { \ -- (void) option; \ - CURL_IGNORE_DEPRECATION( \ - if(curlcheck_long_option(_curl_opt)) \ - if(!curlcheck_long(value)) \ -@@ -120,9 +119,8 @@ - /* wraps curl_easy_getinfo() with typechecking */ - #define curl_easy_getinfo(handle, info, arg) \ - __extension__({ \ -- CURL_IGNORE_DEPRECATION(__typeof__(info) _curl_info = info;) \ -+ CURLINFO _curl_info = (info); \ - if(__builtin_constant_p(_curl_info)) { \ -- (void) info; \ - CURL_IGNORE_DEPRECATION( \ - if(curlcheck_string_info(_curl_info)) \ - if(!curlcheck_arr((arg), char *)) \ --- -2.39.0 - diff --git a/curl.spec b/curl.spec index 61f3004..7207a18 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.87.0 -Release: 4%{?dist} +Version: 7.88.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix regression in a public header file (#2162716) -Patch1: 0001-curl-7.87.0-header-file-regression.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -200,7 +197,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -435,6 +431,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 15 2023 Kamil Dudka - 7.88.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-23916 - HTTP multi-header compression denial of service + CVE-2023-23915 - HSTS amnesia with --parallel + CVE-2023-23914 - HSTS ignored on multiple requests + * Fri Jan 20 2023 Kamil Dudka - 7.87.0-4 - fix regression in a public header file (#2162716) diff --git a/sources b/sources index 7906eb7..5c159bb 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.87.0.tar.xz) = aa125991592667280dce3788aabe81487cf8c55b0afc59d675cc30b76055bb7114f5380b4a0e3b6461a8f81bf9812fa26d493a85f7e01d84263d484a0d699ee7 -SHA512 (curl-7.87.0.tar.xz.asc) = 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4 +SHA512 (curl-7.88.0.tar.xz) = 2008cbc67694f746b7449f087a19b2a9a4950333d6bac1cdc7d80351aa38d8d9b442087dedbc7b0909a419d3b10f510521c942aac012d04a53c32bdb15dce5f0 +SHA512 (curl-7.88.0.tar.xz.asc) = 6f3d9a5f8fcec64652f872adf994ff3d0162fba1b483a0e359522173bf29ef3d26eeda7c328207fa1fa974a45e62674a3a8ebec21830ab3981b56851d5804ade From f3c2fe3549a681755a71e827de1de4085fd1c343 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 10:46:00 +0100 Subject: [PATCH 167/256] do not fail on warnings in the upstream test driver --- 0104-curl-7.88.0-tests-warnings.patch | 30 +++++++++++++++++++++++++++ curl.spec | 4 ++++ 2 files changed, 34 insertions(+) create mode 100644 0104-curl-7.88.0-tests-warnings.patch diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch new file mode 100644 index 0000000..dff89f9 --- /dev/null +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -0,0 +1,30 @@ +From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 15 Feb 2023 10:42:38 +0100 +Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" + +While it might be useful for upstream developers, it is not so useful +for downstream consumers. + +This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. +--- + tests/runtests.pl | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 71644ad18..0cf85c3fe 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -75,8 +75,7 @@ BEGIN { + } + + use strict; +-# Promote all warnings to fatal +-use warnings FATAL => 'all'; ++use warnings; + use Cwd; + use Digest::MD5 qw(md5); + use MIME::Base64; +-- +2.39.1 + diff --git a/curl.spec b/curl.spec index 7207a18..7d58071 100644 --- a/curl.spec +++ b/curl.spec @@ -19,6 +19,9 @@ Patch102: 0102-curl-7.84.0-test3026.patch # test3012: temporarily disable valgrind (#2143040) Patch103: 0103-curl-7.87.0-test3012.patch +# do not fail on warnings in the upstream test driver +Patch104: 0104-curl-7.88.0-tests-warnings.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -202,6 +205,7 @@ be installed. %patch101 -p1 %patch102 -p1 %patch103 -p1 +%patch104 -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 From bdbf01f50c45ac08a7b8ce4ae889e508253b3da0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 12:53:26 +0100 Subject: [PATCH 168/256] add glibc-langpack-en BR needed for test1560 to succeed Suggested-by: Paul Howarth --- curl.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/curl.spec b/curl.spec index 7d58071..353e082 100644 --- a/curl.spec +++ b/curl.spec @@ -60,6 +60,9 @@ BuildRequires: perl(Pod::Usage) BuildRequires: perl(strict) BuildRequires: perl(warnings) +# needed for test1560 to succeed +BuildRequires: glibc-langpack-en + # gnutls-serv is used by the upstream test-suite BuildRequires: gnutls-utils From 13a96c9b8fbb54bc9d1bb1e8888e8d57cb975192 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 17 Feb 2023 14:34:10 +0100 Subject: [PATCH 169/256] http2: set drain on stream end This is an attempt to fix the following issue in COPR: https://pagure.io/fedora-infrastructure/issue/11133 --- 0001-curl-7.88.0-http2-drain.patch | 113 +++++++++++++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 121 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.88.0-http2-drain.patch diff --git a/0001-curl-7.88.0-http2-drain.patch b/0001-curl-7.88.0-http2-drain.patch new file mode 100644 index 0000000..40fd03a --- /dev/null +++ b/0001-curl-7.88.0-http2-drain.patch @@ -0,0 +1,113 @@ +From d38da6c41c897eff642d9e39a234290dd51a3947 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 15 Feb 2023 22:11:13 +0100 +Subject: [PATCH 1/2] http2: buffer/pausedata and output flush fix. + + * do not process pending input data when copying pausedata to the + caller + * return CURLE_AGAIN if the output buffer could not be completely + written out. + +Ref: #10525 +Closes #10529 + +Upstream-commit: 3103de2053ca8cacf9cdbe78764ba6814481709f +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index 46fc746..1ef5d39 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -467,6 +467,7 @@ static CURLcode flush_output(struct Curl_cfilter *cf, + } + if((size_t)written < buflen) { + Curl_dyn_tail(&ctx->outbuf, buflen - (size_t)written); ++ return CURLE_AGAIN; + } + else { + Curl_dyn_reset(&ctx->outbuf); +@@ -1790,6 +1791,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + + stream->pausedata += nread; + stream->pauselen -= nread; ++ drain_this(cf, data); + + if(stream->pauselen == 0) { + DEBUGF(LOG_CF(data, cf, "[h2sid=%u] Unpaused", stream->stream_id)); +@@ -1798,18 +1800,6 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + + stream->pausedata = NULL; + stream->pauselen = 0; +- +- /* When NGHTTP2_ERR_PAUSE is returned from +- data_source_read_callback, we might not process DATA frame +- fully. Calling nghttp2_session_mem_recv() again will +- continue to process DATA frame, but if there is no incoming +- frames, then we have to call it again with 0-length data. +- Without this, on_stream_close callback will not be called, +- and stream could be hanged. */ +- if(h2_process_pending_input(cf, data, err) != 0) { +- nread = -1; +- goto out; +- } + } + DEBUGF(LOG_CF(data, cf, "[h2sid=%u] recv: returns unpaused %zd bytes", + stream->stream_id, nread)); +@@ -1933,6 +1923,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + drained_transfer(cf, data); + } + ++ *err = CURLE_OK; + nread = retlen; + DEBUGF(LOG_CF(data, cf, "[h2sid=%u] cf_h2_recv -> %zd", + stream->stream_id, nread)); +-- +2.39.1 + + +From 77e5170fe89bce943c52de732071189f463f38a8 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Thu, 16 Feb 2023 06:26:26 +0200 +Subject: [PATCH 2/2] http2: set drain on stream end + +Ensure that on_frame_recv() stream end will trigger a read if there is +pending data. Without this it could happen that the pending data is +never consumed. + +This combined with https://github.com/curl/curl/pull/10529 should fix +https://github.com/curl/curl/issues/10525 + +Ref: https://github.com/curl/curl/issues/10525 +Closes #10530 + +Upstream-commit: 87ed650d04dc1a6f7944a5d952f7d5b0934a19ac +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/http2.c b/lib/http2.c +index 1ef5d39..bdb5e73 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -868,6 +868,14 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame, + return NGHTTP2_ERR_CALLBACK_FAILURE; + } + } ++ if(frame->hd.flags & NGHTTP2_FLAG_END_STREAM) { ++ /* Stream has ended. If there is pending data, ensure that read ++ will occur to consume it. */ ++ if(!data->state.drain && stream->memlen) { ++ drain_this(cf, data_s); ++ Curl_expire(data, 0, EXPIRE_RUN_NOW); ++ } ++ } + break; + case NGHTTP2_HEADERS: + DEBUGF(LOG_CF(data_s, cf, "[h2sid=%u] recv frame HEADERS", stream_id)); +-- +2.39.1 + diff --git a/curl.spec b/curl.spec index 353e082..688ac91 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.88.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# http2: set drain on stream end +Patch1: 0001-curl-7.88.0-http2-drain.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -203,6 +206,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -438,6 +442,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Feb 17 2023 Kamil Dudka - 7.88.0-2 +- http2: set drain on stream end + * Wed Feb 15 2023 Kamil Dudka - 7.88.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-23916 - HTTP multi-header compression denial of service From d5c1163ef3a64c125452ce067670886765ecc5be Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Feb 2023 14:41:52 +0100 Subject: [PATCH 170/256] new upstream release - 7.88.1 --- 0001-curl-7.88.0-http2-drain.patch | 113 ----------------------------- curl.spec | 11 ++- sources | 4 +- 3 files changed, 7 insertions(+), 121 deletions(-) delete mode 100644 0001-curl-7.88.0-http2-drain.patch diff --git a/0001-curl-7.88.0-http2-drain.patch b/0001-curl-7.88.0-http2-drain.patch deleted file mode 100644 index 40fd03a..0000000 --- a/0001-curl-7.88.0-http2-drain.patch +++ /dev/null @@ -1,113 +0,0 @@ -From d38da6c41c897eff642d9e39a234290dd51a3947 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 15 Feb 2023 22:11:13 +0100 -Subject: [PATCH 1/2] http2: buffer/pausedata and output flush fix. - - * do not process pending input data when copying pausedata to the - caller - * return CURLE_AGAIN if the output buffer could not be completely - written out. - -Ref: #10525 -Closes #10529 - -Upstream-commit: 3103de2053ca8cacf9cdbe78764ba6814481709f -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 15 +++------------ - 1 file changed, 3 insertions(+), 12 deletions(-) - -diff --git a/lib/http2.c b/lib/http2.c -index 46fc746..1ef5d39 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -467,6 +467,7 @@ static CURLcode flush_output(struct Curl_cfilter *cf, - } - if((size_t)written < buflen) { - Curl_dyn_tail(&ctx->outbuf, buflen - (size_t)written); -+ return CURLE_AGAIN; - } - else { - Curl_dyn_reset(&ctx->outbuf); -@@ -1790,6 +1791,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, - - stream->pausedata += nread; - stream->pauselen -= nread; -+ drain_this(cf, data); - - if(stream->pauselen == 0) { - DEBUGF(LOG_CF(data, cf, "[h2sid=%u] Unpaused", stream->stream_id)); -@@ -1798,18 +1800,6 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, - - stream->pausedata = NULL; - stream->pauselen = 0; -- -- /* When NGHTTP2_ERR_PAUSE is returned from -- data_source_read_callback, we might not process DATA frame -- fully. Calling nghttp2_session_mem_recv() again will -- continue to process DATA frame, but if there is no incoming -- frames, then we have to call it again with 0-length data. -- Without this, on_stream_close callback will not be called, -- and stream could be hanged. */ -- if(h2_process_pending_input(cf, data, err) != 0) { -- nread = -1; -- goto out; -- } - } - DEBUGF(LOG_CF(data, cf, "[h2sid=%u] recv: returns unpaused %zd bytes", - stream->stream_id, nread)); -@@ -1933,6 +1923,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, - drained_transfer(cf, data); - } - -+ *err = CURLE_OK; - nread = retlen; - DEBUGF(LOG_CF(data, cf, "[h2sid=%u] cf_h2_recv -> %zd", - stream->stream_id, nread)); --- -2.39.1 - - -From 77e5170fe89bce943c52de732071189f463f38a8 Mon Sep 17 00:00:00 2001 -From: Harry Sintonen -Date: Thu, 16 Feb 2023 06:26:26 +0200 -Subject: [PATCH 2/2] http2: set drain on stream end - -Ensure that on_frame_recv() stream end will trigger a read if there is -pending data. Without this it could happen that the pending data is -never consumed. - -This combined with https://github.com/curl/curl/pull/10529 should fix -https://github.com/curl/curl/issues/10525 - -Ref: https://github.com/curl/curl/issues/10525 -Closes #10530 - -Upstream-commit: 87ed650d04dc1a6f7944a5d952f7d5b0934a19ac -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/lib/http2.c b/lib/http2.c -index 1ef5d39..bdb5e73 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -868,6 +868,14 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame, - return NGHTTP2_ERR_CALLBACK_FAILURE; - } - } -+ if(frame->hd.flags & NGHTTP2_FLAG_END_STREAM) { -+ /* Stream has ended. If there is pending data, ensure that read -+ will occur to consume it. */ -+ if(!data->state.drain && stream->memlen) { -+ drain_this(cf, data_s); -+ Curl_expire(data, 0, EXPIRE_RUN_NOW); -+ } -+ } - break; - case NGHTTP2_HEADERS: - DEBUGF(LOG_CF(data_s, cf, "[h2sid=%u] recv frame HEADERS", stream_id)); --- -2.39.1 - diff --git a/curl.spec b/curl.spec index 688ac91..d2bc211 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.88.0 -Release: 2%{?dist} +Version: 7.88.1 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# http2: set drain on stream end -Patch1: 0001-curl-7.88.0-http2-drain.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -206,7 +203,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -442,6 +438,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 20 2023 Kamil Dudka - 7.88.1-1 +- new upstream release + * Fri Feb 17 2023 Kamil Dudka - 7.88.0-2 - http2: set drain on stream end diff --git a/sources b/sources index 5c159bb..99be100 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.88.0.tar.xz) = 2008cbc67694f746b7449f087a19b2a9a4950333d6bac1cdc7d80351aa38d8d9b442087dedbc7b0909a419d3b10f510521c942aac012d04a53c32bdb15dce5f0 -SHA512 (curl-7.88.0.tar.xz.asc) = 6f3d9a5f8fcec64652f872adf994ff3d0162fba1b483a0e359522173bf29ef3d26eeda7c328207fa1fa974a45e62674a3a8ebec21830ab3981b56851d5804ade +SHA512 (curl-7.88.1.tar.xz) = b8d30c52a6d1c3e272608a7a8db78dfd79aef21330f34d6f1df43839a400e13ac6aac72a383526db0b711a70ecbec89a3b934677d7ecf5094fd64d3dbcb3492f +SHA512 (curl-7.88.1.tar.xz.asc) = d6dc720533004c4d533cc4fb3dd33ac28d95e114f440ec011e4b58f65d1f4c40cfa10ba26d2e2f2f1f9de99511632578b4758c5e79593c7c30d29788fdf1cbb6 From 7b0a4d3dfc08b37261a2a5f3e475cc13acdaa922 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Mar 2023 10:08:53 +0100 Subject: [PATCH 171/256] new upstream release - 8.0.0 Resolves: CVE-2023-27538 - SSH connection too eager reuse still Resolves: CVE-2023-27537 - HSTS double-free Resolves: CVE-2023-27536 - GSS delegation too eager connection re-use Resolves: CVE-2023-27535 - FTP too eager connection reuse Resolves: CVE-2023-27534 - SFTP path ~ resolving discrepancy Resolves: CVE-2023-27533 - TELNET option IAC injection --- 0001-curl-8.0.0-revert-multi-remove.patch | 230 ++++++++++++++++++++++ curl.spec | 16 +- sources | 4 +- 3 files changed, 247 insertions(+), 3 deletions(-) create mode 100644 0001-curl-8.0.0-revert-multi-remove.patch diff --git a/0001-curl-8.0.0-revert-multi-remove.patch b/0001-curl-8.0.0-revert-multi-remove.patch new file mode 100644 index 0000000..8bd375a --- /dev/null +++ b/0001-curl-8.0.0-revert-multi-remove.patch @@ -0,0 +1,230 @@ +From d7c75c3608d6002cfb46a2612efa507d9a8ba66e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 20 Mar 2023 12:51:05 +0100 +Subject: [PATCH] Revert "multi: remove PENDING + MSGSENT handles from the main + linked list" + +This reverts commit f6d6f3ce01e377932f1ce7c24ee34d45a36950b8. + +The commits caused issues in the 8.0.0 release. Needs a retake. + +Upstream-commit: cf1eebc68a28cb18bffde5a0a0d2f02bf7b183ec +Signed-off-by: Kamil Dudka +--- + lib/multi.c | 73 +++++++++++++++++++---------------------------- + lib/multihandle.h | 2 -- + lib/urldata.h | 3 +- + 3 files changed, 31 insertions(+), 47 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index 0967500d0..731b2598f 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -383,10 +383,12 @@ static void sh_init(struct Curl_hash *hash, int hashsize) + * Called when a transfer is completed. Adds the given msg pointer to + * the list kept in the multi handle. + */ +-static void multi_addmsg(struct Curl_multi *multi, struct Curl_message *msg) ++static CURLMcode multi_addmsg(struct Curl_multi *multi, ++ struct Curl_message *msg) + { + Curl_llist_insert_next(&multi->msglist, multi->msglist.tail, msg, + &msg->list); ++ return CURLM_OK; + } + + struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ +@@ -409,7 +411,6 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ + + Curl_llist_init(&multi->msglist, NULL); + Curl_llist_init(&multi->pending, NULL); +- Curl_llist_init(&multi->msgsent, NULL); + + multi->multiplexing = TRUE; + +@@ -455,14 +456,6 @@ struct Curl_multi *curl_multi_init(void) + CURL_DNS_HASH_SIZE); + } + +-/* returns TRUE if the easy handle is supposed to be present in the main link +- list */ +-static bool in_main_list(struct Curl_easy *data) +-{ +- return ((data->mstate != MSTATE_PENDING) && +- (data->mstate != MSTATE_MSGSENT)); +-} +- + static void link_easy(struct Curl_multi *multi, + struct Curl_easy *data) + { +@@ -496,8 +489,6 @@ static void unlink_easy(struct Curl_multi *multi, + data->next->prev = data->prev; + else + multi->easylp = data->prev; /* point to last node */ +- +- data->prev = data->next = NULL; + } + + +@@ -857,16 +848,10 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + called. Do it after multi_done() in case that sets another time! */ + Curl_expire_clear(data); + +- if(data->connect_queue.ptr) { +- /* the handle is in the pending or msgsent lists, so go ahead and remove +- it */ +- if(data->mstate == MSTATE_PENDING) +- Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); +- else +- Curl_llist_remove(&multi->msgsent, &data->connect_queue, NULL); +- } +- if(in_main_list(data)) +- unlink_easy(multi, data); ++ if(data->connect_queue.ptr) ++ /* the handle was in the pending list waiting for an available connection, ++ so go ahead and remove it */ ++ Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); + + if(data->dns.hostcachetype == HCACHE_MULTI) { + /* stop using the multi handle's DNS cache, *after* the possible +@@ -927,6 +912,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + + /* make sure there's no pending message in the queue sent from this easy + handle */ ++ + for(e = multi->msglist.head; e; e = e->next) { + struct Curl_message *msg = e->ptr; + +@@ -937,6 +923,19 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + } + } + ++ /* Remove from the pending list if it is there. Otherwise this will ++ remain on the pending list forever due to the state change. */ ++ for(e = multi->pending.head; e; e = e->next) { ++ struct Curl_easy *curr_data = e->ptr; ++ ++ if(curr_data == data) { ++ Curl_llist_remove(&multi->pending, e, NULL); ++ break; ++ } ++ } ++ ++ unlink_easy(multi, data); ++ + /* NOTE NOTE NOTE + We do not touch the easy handle here! */ + multi->num_easy--; /* one less to care about now */ +@@ -1944,6 +1943,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + } + break; + ++ case MSTATE_PENDING: ++ /* We will stay here until there is a connection available. Then ++ we try again in the MSTATE_CONNECT state. */ ++ break; ++ + case MSTATE_CONNECT: + /* Connect. We want to get a connection identifier filled in. */ + /* init this transfer. */ +@@ -1967,8 +1971,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + /* add this handle to the list of connect-pending handles */ + Curl_llist_insert_next(&multi->pending, multi->pending.tail, data, + &data->connect_queue); +- /* unlink from the main list */ +- unlink_easy(multi, data); + result = CURLE_OK; + break; + } +@@ -2595,11 +2597,9 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + case MSTATE_COMPLETED: + break; + +- case MSTATE_PENDING: + case MSTATE_MSGSENT: +- /* handles in these states should NOT be in this list */ +- DEBUGASSERT(0); +- break; ++ data->result = result; ++ return CURLM_OK; /* do nothing */ + + default: + return CURLM_INTERNAL_ERROR; +@@ -2687,17 +2687,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + msg->extmsg.easy_handle = data; + msg->extmsg.data.result = result; + +- multi_addmsg(multi, msg); ++ rc = multi_addmsg(multi, msg); + DEBUGASSERT(!data->conn); + } + multistate(data, MSTATE_MSGSENT); +- +- /* add this handle to the list of msgsent handles */ +- Curl_llist_insert_next(&multi->msgsent, multi->msgsent.tail, data, +- &data->connect_queue); +- /* unlink from the main list */ +- unlink_easy(multi, data); +- return CURLM_OK; + } + } while((rc == CURLM_CALL_MULTI_PERFORM) || multi_ischanged(multi, FALSE)); + +@@ -2728,9 +2721,6 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) + /* Do the loop and only alter the signal ignore state if the next handle + has a different NO_SIGNAL state than the previous */ + do { +- /* the current node might be unlinked in multi_runsingle(), get the next +- pointer now */ +- struct Curl_easy *datanext = data->next; + if(data->set.no_signal != nosig) { + sigpipe_restore(&pipe_st); + sigpipe_ignore(data, &pipe_st); +@@ -2739,7 +2729,7 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) + result = multi_runsingle(multi, &now, data); + if(result) + returncode = result; +- data = datanext; /* operate on next handle */ ++ data = data->next; /* operate on next handle */ + } while(data); + sigpipe_restore(&pipe_st); + } +@@ -3720,9 +3710,6 @@ static void process_pending_handles(struct Curl_multi *multi) + + DEBUGASSERT(data->mstate == MSTATE_PENDING); + +- /* put it back into the main list */ +- link_easy(multi, data); +- + multistate(data, MSTATE_CONNECT); + + /* Remove this node from the list */ +diff --git a/lib/multihandle.h b/lib/multihandle.h +index 5b16bb605..6cda65d44 100644 +--- a/lib/multihandle.h ++++ b/lib/multihandle.h +@@ -101,8 +101,6 @@ struct Curl_multi { + + struct Curl_llist pending; /* Curl_easys that are in the + MSTATE_PENDING state */ +- struct Curl_llist msgsent; /* Curl_easys that are in the +- MSTATE_MSGSENT state */ + + /* callback function and user data pointer for the *socket() API */ + curl_socket_callback socket_cb; +diff --git a/lib/urldata.h b/lib/urldata.h +index 4e07bcd60..8b54518d2 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1894,8 +1894,7 @@ struct Curl_easy { + struct Curl_easy *prev; + + struct connectdata *conn; +- struct Curl_llist_element connect_queue; /* for the pending and msgsent +- lists */ ++ struct Curl_llist_element connect_queue; + struct Curl_llist_element conn_queue; /* list per connectdata */ + + CURLMstate mstate; /* the handle's state */ +-- +2.40.0 + diff --git a/curl.spec b/curl.spec index d2bc211..8832786 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.88.1 +Version: 8.0.0 Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,6 +10,10 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# revert a commit that caused issues in the 8.0.0 release +# https://github.com/curl/curl/pull/10795 +Patch1: 0001-curl-8.0.0-revert-multi-remove.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -203,6 +207,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -438,6 +443,15 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Mar 20 2023 Kamil Dudka - 8.0.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-27538 - SSH connection too eager reuse still + CVE-2023-27537 - HSTS double-free + CVE-2023-27536 - GSS delegation too eager connection re-use + CVE-2023-27535 - FTP too eager connection reuse + CVE-2023-27534 - SFTP path ~ resolving discrepancy + CVE-2023-27533 - TELNET option IAC injection + * Mon Feb 20 2023 Kamil Dudka - 7.88.1-1 - new upstream release diff --git a/sources b/sources index 99be100..7ce28de 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.88.1.tar.xz) = b8d30c52a6d1c3e272608a7a8db78dfd79aef21330f34d6f1df43839a400e13ac6aac72a383526db0b711a70ecbec89a3b934677d7ecf5094fd64d3dbcb3492f -SHA512 (curl-7.88.1.tar.xz.asc) = d6dc720533004c4d533cc4fb3dd33ac28d95e114f440ec011e4b58f65d1f4c40cfa10ba26d2e2f2f1f9de99511632578b4758c5e79593c7c30d29788fdf1cbb6 +SHA512 (curl-8.0.0.tar.xz) = 7141e0e2ed065ba14a7fd7e080bc78cadfcf0c7e4054384f17bfbe24caa0bf512d1feaac89dabb9bebc30c2ba40e78ea4e77ac16ce07515f1e9d6b0f05098c9c +SHA512 (curl-8.0.0.tar.xz.asc) = ab741ce5a93e8729bb280c38a109dd11c6f07bc5d955368171dd0c26641d117c62945c13cdc8ff66e32e98fa027cc8ae08aba833a3ee702a2a06c7cef5b8f4ea From c96705f9dc873e3e749d7cbfcd13f678605aea63 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Mar 2023 15:39:59 +0100 Subject: [PATCH 172/256] new upstream release - 8.0.1 --- 0001-curl-8.0.0-revert-multi-remove.patch | 230 ---------------------- curl.spec | 10 +- sources | 4 +- 3 files changed, 6 insertions(+), 238 deletions(-) delete mode 100644 0001-curl-8.0.0-revert-multi-remove.patch diff --git a/0001-curl-8.0.0-revert-multi-remove.patch b/0001-curl-8.0.0-revert-multi-remove.patch deleted file mode 100644 index 8bd375a..0000000 --- a/0001-curl-8.0.0-revert-multi-remove.patch +++ /dev/null @@ -1,230 +0,0 @@ -From d7c75c3608d6002cfb46a2612efa507d9a8ba66e Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 20 Mar 2023 12:51:05 +0100 -Subject: [PATCH] Revert "multi: remove PENDING + MSGSENT handles from the main - linked list" - -This reverts commit f6d6f3ce01e377932f1ce7c24ee34d45a36950b8. - -The commits caused issues in the 8.0.0 release. Needs a retake. - -Upstream-commit: cf1eebc68a28cb18bffde5a0a0d2f02bf7b183ec -Signed-off-by: Kamil Dudka ---- - lib/multi.c | 73 +++++++++++++++++++---------------------------- - lib/multihandle.h | 2 -- - lib/urldata.h | 3 +- - 3 files changed, 31 insertions(+), 47 deletions(-) - -diff --git a/lib/multi.c b/lib/multi.c -index 0967500d0..731b2598f 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -383,10 +383,12 @@ static void sh_init(struct Curl_hash *hash, int hashsize) - * Called when a transfer is completed. Adds the given msg pointer to - * the list kept in the multi handle. - */ --static void multi_addmsg(struct Curl_multi *multi, struct Curl_message *msg) -+static CURLMcode multi_addmsg(struct Curl_multi *multi, -+ struct Curl_message *msg) - { - Curl_llist_insert_next(&multi->msglist, multi->msglist.tail, msg, - &msg->list); -+ return CURLM_OK; - } - - struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ -@@ -409,7 +411,6 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ - - Curl_llist_init(&multi->msglist, NULL); - Curl_llist_init(&multi->pending, NULL); -- Curl_llist_init(&multi->msgsent, NULL); - - multi->multiplexing = TRUE; - -@@ -455,14 +456,6 @@ struct Curl_multi *curl_multi_init(void) - CURL_DNS_HASH_SIZE); - } - --/* returns TRUE if the easy handle is supposed to be present in the main link -- list */ --static bool in_main_list(struct Curl_easy *data) --{ -- return ((data->mstate != MSTATE_PENDING) && -- (data->mstate != MSTATE_MSGSENT)); --} -- - static void link_easy(struct Curl_multi *multi, - struct Curl_easy *data) - { -@@ -496,8 +489,6 @@ static void unlink_easy(struct Curl_multi *multi, - data->next->prev = data->prev; - else - multi->easylp = data->prev; /* point to last node */ -- -- data->prev = data->next = NULL; - } - - -@@ -857,16 +848,10 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - called. Do it after multi_done() in case that sets another time! */ - Curl_expire_clear(data); - -- if(data->connect_queue.ptr) { -- /* the handle is in the pending or msgsent lists, so go ahead and remove -- it */ -- if(data->mstate == MSTATE_PENDING) -- Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); -- else -- Curl_llist_remove(&multi->msgsent, &data->connect_queue, NULL); -- } -- if(in_main_list(data)) -- unlink_easy(multi, data); -+ if(data->connect_queue.ptr) -+ /* the handle was in the pending list waiting for an available connection, -+ so go ahead and remove it */ -+ Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); - - if(data->dns.hostcachetype == HCACHE_MULTI) { - /* stop using the multi handle's DNS cache, *after* the possible -@@ -927,6 +912,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - - /* make sure there's no pending message in the queue sent from this easy - handle */ -+ - for(e = multi->msglist.head; e; e = e->next) { - struct Curl_message *msg = e->ptr; - -@@ -937,6 +923,19 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - } - } - -+ /* Remove from the pending list if it is there. Otherwise this will -+ remain on the pending list forever due to the state change. */ -+ for(e = multi->pending.head; e; e = e->next) { -+ struct Curl_easy *curr_data = e->ptr; -+ -+ if(curr_data == data) { -+ Curl_llist_remove(&multi->pending, e, NULL); -+ break; -+ } -+ } -+ -+ unlink_easy(multi, data); -+ - /* NOTE NOTE NOTE - We do not touch the easy handle here! */ - multi->num_easy--; /* one less to care about now */ -@@ -1944,6 +1943,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - } - break; - -+ case MSTATE_PENDING: -+ /* We will stay here until there is a connection available. Then -+ we try again in the MSTATE_CONNECT state. */ -+ break; -+ - case MSTATE_CONNECT: - /* Connect. We want to get a connection identifier filled in. */ - /* init this transfer. */ -@@ -1967,8 +1971,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - /* add this handle to the list of connect-pending handles */ - Curl_llist_insert_next(&multi->pending, multi->pending.tail, data, - &data->connect_queue); -- /* unlink from the main list */ -- unlink_easy(multi, data); - result = CURLE_OK; - break; - } -@@ -2595,11 +2597,9 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - case MSTATE_COMPLETED: - break; - -- case MSTATE_PENDING: - case MSTATE_MSGSENT: -- /* handles in these states should NOT be in this list */ -- DEBUGASSERT(0); -- break; -+ data->result = result; -+ return CURLM_OK; /* do nothing */ - - default: - return CURLM_INTERNAL_ERROR; -@@ -2687,17 +2687,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - msg->extmsg.easy_handle = data; - msg->extmsg.data.result = result; - -- multi_addmsg(multi, msg); -+ rc = multi_addmsg(multi, msg); - DEBUGASSERT(!data->conn); - } - multistate(data, MSTATE_MSGSENT); -- -- /* add this handle to the list of msgsent handles */ -- Curl_llist_insert_next(&multi->msgsent, multi->msgsent.tail, data, -- &data->connect_queue); -- /* unlink from the main list */ -- unlink_easy(multi, data); -- return CURLM_OK; - } - } while((rc == CURLM_CALL_MULTI_PERFORM) || multi_ischanged(multi, FALSE)); - -@@ -2728,9 +2721,6 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) - /* Do the loop and only alter the signal ignore state if the next handle - has a different NO_SIGNAL state than the previous */ - do { -- /* the current node might be unlinked in multi_runsingle(), get the next -- pointer now */ -- struct Curl_easy *datanext = data->next; - if(data->set.no_signal != nosig) { - sigpipe_restore(&pipe_st); - sigpipe_ignore(data, &pipe_st); -@@ -2739,7 +2729,7 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) - result = multi_runsingle(multi, &now, data); - if(result) - returncode = result; -- data = datanext; /* operate on next handle */ -+ data = data->next; /* operate on next handle */ - } while(data); - sigpipe_restore(&pipe_st); - } -@@ -3720,9 +3710,6 @@ static void process_pending_handles(struct Curl_multi *multi) - - DEBUGASSERT(data->mstate == MSTATE_PENDING); - -- /* put it back into the main list */ -- link_easy(multi, data); -- - multistate(data, MSTATE_CONNECT); - - /* Remove this node from the list */ -diff --git a/lib/multihandle.h b/lib/multihandle.h -index 5b16bb605..6cda65d44 100644 ---- a/lib/multihandle.h -+++ b/lib/multihandle.h -@@ -101,8 +101,6 @@ struct Curl_multi { - - struct Curl_llist pending; /* Curl_easys that are in the - MSTATE_PENDING state */ -- struct Curl_llist msgsent; /* Curl_easys that are in the -- MSTATE_MSGSENT state */ - - /* callback function and user data pointer for the *socket() API */ - curl_socket_callback socket_cb; -diff --git a/lib/urldata.h b/lib/urldata.h -index 4e07bcd60..8b54518d2 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1894,8 +1894,7 @@ struct Curl_easy { - struct Curl_easy *prev; - - struct connectdata *conn; -- struct Curl_llist_element connect_queue; /* for the pending and msgsent -- lists */ -+ struct Curl_llist_element connect_queue; - struct Curl_llist_element conn_queue; /* list per connectdata */ - - CURLMstate mstate; /* the handle's state */ --- -2.40.0 - diff --git a/curl.spec b/curl.spec index 8832786..15705c1 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.0.0 +Version: 8.0.1 Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,10 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# revert a commit that caused issues in the 8.0.0 release -# https://github.com/curl/curl/pull/10795 -Patch1: 0001-curl-8.0.0-revert-multi-remove.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -207,7 +203,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -443,6 +438,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Mar 20 2023 Kamil Dudka - 8.0.1-1 +- new upstream release + * Mon Mar 20 2023 Kamil Dudka - 8.0.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-27538 - SSH connection too eager reuse still diff --git a/sources b/sources index 7ce28de..fe0a4ce 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.0.0.tar.xz) = 7141e0e2ed065ba14a7fd7e080bc78cadfcf0c7e4054384f17bfbe24caa0bf512d1feaac89dabb9bebc30c2ba40e78ea4e77ac16ce07515f1e9d6b0f05098c9c -SHA512 (curl-8.0.0.tar.xz.asc) = ab741ce5a93e8729bb280c38a109dd11c6f07bc5d955368171dd0c26641d117c62945c13cdc8ff66e32e98fa027cc8ae08aba833a3ee702a2a06c7cef5b8f4ea +SHA512 (curl-8.0.1.tar.xz) = 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d +SHA512 (curl-8.0.1.tar.xz.asc) = 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf From 54363444c5ff7e8271e42f5be146b24787eacd33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Tue, 21 Mar 2023 15:46:58 +0100 Subject: [PATCH 173/256] migrate to SPDX license --- curl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 15705c1..e04b29c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,8 +1,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 1%{?dist} -License: MIT +Release: 2%{?dist} +License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # The curl download page ( https://curl.se/download.html ) links @@ -438,6 +438,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 +- migrated to SPDX license + * Mon Mar 20 2023 Kamil Dudka - 8.0.1-1 - new upstream release From 449e5165fd459f6a380feebf4fa7aa913dd40519 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 14:32:13 +0200 Subject: [PATCH 174/256] curl.spec: apply patches automatically ... to ease maintenance and to avoid the following warning on Fedora Rawhide: ``` warning: %patchN is deprecated (4 usages found), use %patch N (or %patch -P N) ``` --- curl.spec | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/curl.spec b/curl.spec index e04b29c..86222da 100644 --- a/curl.spec +++ b/curl.spec @@ -200,15 +200,7 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%setup -q - -# upstream patches - -# Fedora patches -%patch101 -p1 -%patch102 -p1 -%patch103 -p1 -%patch104 -p1 +%autosetup -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 @@ -438,6 +430,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 +- apply patches automatically + * Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 - migrated to SPDX license From fb877acc4b669b7c8e1fcc51db02828928b42e12 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 14:41:58 +0200 Subject: [PATCH 175/256] curl.spec: forgot to bump release --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 86222da..8920deb 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc From 2d313d8a465f02f3fe191d2daccba00260c81ced Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 18:00:44 +0200 Subject: [PATCH 176/256] tests: attempt to fix a conflict on port numbers ... where stunnel listens for legacy HTTPS and HTTP/2, which manifests as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 1941 1945 2050 2055 3028 ``` [...] startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 RUN: HTTPS server is PID 114398 port 24642 * pid https => 114398 114402 [...] startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 startnew: child process has died, server might start up Warning: http2 server unexpectedly alive RUN: Process with pid 73992 signalled to die RUN: Process with pid 73992 forced to die with SIGKILL == Contents of files in the log/ dir after test 1630 === Start of file http2_server.log 14:01:21.881018 exit_signal_handler: 15 14:01:21.881372 signalled to die 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) === End of file http2_server.log === Start of file https2_stunnel.log [ ] Initializing inetd mode configuration [ ] Clients allowed=500 [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI [ ] errno: (*__errno_location ()) [ ] Initializing inetd mode configuration [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf [.] UTF-8 byte order mark not detected [.] FIPS mode disabled [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [curltest] [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly [ ] stunnel default security level set: 2 [ ] Ciphers: PROFILE=SYSTEM [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 [ ] TLS options: 0x2100000 (+0x0, -0x0) [ ] Session resumption enabled [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Private key check succeeded [!] No trusted certificates found [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 [ ] DH initialization [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Using dynamic DH parameters [ ] ECDH initialization [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 [.] Configuration successful [ ] Deallocating deployed section defaults [ ] Binding service [curltest] [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to :::24642: Address already in use (98) [!] Binding service [curltest] failed [ ] Unbinding service [curltest] [ ] Service [curltest] closed [ ] Deallocating deployed section defaults [ ] Deallocating section [curltest] [ ] Initializing inetd mode configuration === End of file https2_stunnel.log ``` --- 0105-curl-8.0.1-tests-stunnel-port.patch | 97 ++++++++++++++++++++++++ curl.spec | 4 + 2 files changed, 101 insertions(+) create mode 100644 0105-curl-8.0.1-tests-stunnel-port.patch diff --git a/0105-curl-8.0.1-tests-stunnel-port.patch b/0105-curl-8.0.1-tests-stunnel-port.patch new file mode 100644 index 0000000..47d1419 --- /dev/null +++ b/0105-curl-8.0.1-tests-stunnel-port.patch @@ -0,0 +1,97 @@ +From c9a1d18e5f8f28b90c1b2fcc1f15699327067e59 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 21 Apr 2023 17:44:10 +0200 +Subject: [PATCH] tests/runtests.pl: attempt to fix a conflict on port numbers + +... where stunnel listens for legacy HTTPS and HTTP/2, which manifests +as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 +1941 1945 2050 2055 3028 +``` +[...] +startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 +RUN: HTTPS server is PID 114398 port 24642 +* pid https => 114398 114402 +[...] +startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 +startnew: child process has died, server might start up +Warning: http2 server unexpectedly alive +RUN: Process with pid 73992 signalled to die +RUN: Process with pid 73992 forced to die with SIGKILL +== Contents of files in the log/ dir after test 1630 +=== Start of file http2_server.log + 14:01:21.881018 exit_signal_handler: 15 + 14:01:21.881372 signalled to die + 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) +=== End of file http2_server.log +=== Start of file https2_stunnel.log + [ ] Initializing inetd mode configuration + [ ] Clients allowed=500 + [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform + [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 + [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI + [ ] errno: (*__errno_location ()) + [ ] Initializing inetd mode configuration + [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf + [.] UTF-8 byte order mark not detected + [.] FIPS mode disabled + [ ] Compression disabled + [ ] No PRNG seeding was required + [ ] Initializing service [curltest] + [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. + [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly + [ ] stunnel default security level set: 2 + [ ] Ciphers: PROFILE=SYSTEM + [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 + [ ] TLS options: 0x2100000 (+0x0, -0x0) + [ ] Session resumption enabled + [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Private key check succeeded + [!] No trusted certificates found + [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 + [ ] DH initialization + [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Using dynamic DH parameters + [ ] ECDH initialization + [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 + [.] Configuration successful + [ ] Deallocating deployed section defaults + [ ] Binding service [curltest] + [ ] Listening file descriptor created (FD=8) + [ ] Setting accept socket options (FD=8) + [ ] Option SO_REUSEADDR set on accept socket + [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) + [ ] Listening file descriptor created (FD=8) + [ ] Setting accept socket options (FD=8) + [ ] Option SO_REUSEADDR set on accept socket + [.] Binding service [curltest] to :::24642: Address already in use (98) + [!] Binding service [curltest] failed + [ ] Unbinding service [curltest] + [ ] Service [curltest] closed + [ ] Deallocating deployed section defaults + [ ] Deallocating section [curltest] + [ ] Initializing inetd mode configuration +=== End of file https2_stunnel.log +``` +--- + tests/runtests.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 54f6923..bb362c9 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -1802,7 +1802,7 @@ sub runhttpsserver { + + my $pid2; + my $httpspid; +- my $port = 24512; # start attempt ++ my $port = 24512 * $idnum; # start attempt + for (1 .. 10) { + $port += int(rand(600)); + my $options = "$flags --accept $port"; +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 8920deb..dd121e1 100644 --- a/curl.spec +++ b/curl.spec @@ -22,6 +22,9 @@ Patch103: 0103-curl-7.87.0-test3012.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch +# tests: attempt to fix a conflict on port numbers +Patch105: 0105-curl-8.0.1-tests-stunnel-port.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -431,6 +434,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 +- tests: attempt to fix a conflict on port numbers - apply patches automatically * Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 From d8bddc669c31f8c84053cde2d4755501eac337b7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 18:01:25 +0200 Subject: [PATCH 177/256] tests: re-enable temporarily disabled test-cases --- curl.spec | 31 +++---------------------------- 1 file changed, 3 insertions(+), 28 deletions(-) diff --git a/curl.spec b/curl.spec index dd121e1..fbc8caa 100644 --- a/curl.spec +++ b/curl.spec @@ -205,35 +205,9 @@ be installed. %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed -# with errno 98: Address already in use' in Koji environment), and test 1801 +# disable test 1801 # -printf "1112\n1455\n1184\n1801\n" >> tests/data/DISABLED - -# disable test 1319 on ppc64 (server times out) -%ifarch ppc64 -echo "1319" >> tests/data/DISABLED -%endif - -# disable tests 320..322 on ppc64le where it started to hang/fail -%ifarch ppc64le -printf "320\n321\n322\n" >> tests/data/DISABLED -%endif - -# temporarily disable tests 582 and 1452 on s390x (client times out) -%ifarch s390x -printf "582\n1452\n" >> tests/data/DISABLED -%endif - -# temporarily disable tests 702 703 716 on armv7hl (#1829180) -%ifarch armv7hl -printf "702\n703\n716\n" >> tests/data/DISABLED -%endif - -# temporarily disable tests 300{0,1} on x86_64 (stunnel clashes with itself) -%ifarch x86_64 -printf "3000\n3001\n" >> tests/data/DISABLED -%endif +echo "1801" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -434,6 +408,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 +- tests: re-enable temporarily disabled test-cases - tests: attempt to fix a conflict on port numbers - apply patches automatically From 65d0dfbac54daa22d674f8009cd5895da8977417 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 17 Feb 2023 15:14:53 +0100 Subject: [PATCH 178/256] changelog: trim entries that predate curl-7.29.0 ... which RHEL-7 builds of curl are based on Closes: https://src.fedoraproject.org/rpms/curl/pull-request/16 --- curl.spec | 878 ------------------------------------------------------ 1 file changed, 878 deletions(-) diff --git a/curl.spec b/curl.spec index fbc8caa..b41cf59 100644 --- a/curl.spec +++ b/curl.spec @@ -1212,881 +1212,3 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la * Wed Feb 06 2013 Kamil Dudka 7.29.0-1 - new upstream release (fixes CVE-2013-0249) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-3 -- require valgrind for build only on i386 and x86_64 (#886891) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-2 -- prevent NSS from crashing on client auth hook failure -- clear session cache if a client cert from file is used -- fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE - -* Tue Nov 20 2012 Kamil Dudka 7.28.1-1 -- new upstream release - -* Wed Oct 31 2012 Kamil Dudka 7.28.0-1 -- new upstream release - -* Mon Oct 01 2012 Kamil Dudka 7.27.0-3 -- use the upstream facility to disable problematic tests -- do not crash if MD5 fingerprint is not provided by libssh2 - -* Wed Aug 01 2012 Kamil Dudka 7.27.0-2 -- eliminate unnecessary inotify events on upload via file protocol (#844385) - -* Sat Jul 28 2012 Kamil Dudka 7.27.0-1 -- new upstream release - -* Mon Jul 23 2012 Kamil Dudka 7.26.0-6 -- print reason phrase from HTTP status line on error (#676596) - -* Wed Jul 18 2012 Fedora Release Engineering - 7.26.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Sat Jun 09 2012 Kamil Dudka 7.26.0-4 -- fix duplicated SSL handshake with multi interface and proxy (#788526) - -* Wed May 30 2012 Karsten Hopp 7.26.0-3 -- disable test 1319 on ppc64, server times out - -* Mon May 28 2012 Kamil Dudka 7.26.0-2 -- use human-readable error messages provided by NSS (upstream commit 72f4b534) - -* Fri May 25 2012 Kamil Dudka 7.26.0-1 -- new upstream release - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- valgrind on ppc64 works fine, disable ppc32 only - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- drop BR valgrind on PPC(64) until bugzilla #810992 gets fixed - -* Fri Apr 13 2012 Kamil Dudka 7.25.0-2 -- use NSS_InitContext() to initialize NSS if available (#738456) -- provide human-readable names for NSS errors (upstream commit a60edcc6) - -* Fri Mar 23 2012 Paul Howarth 7.25.0-1 -- new upstream release (#806264) -- fix character encoding of docs with a patch rather than just iconv -- update debug and multilib patches -- don't use macros for commands -- reduce size of %%prep output for readability - -* Tue Jan 24 2012 Kamil Dudka 7.24.0-1 -- new upstream release (fixes CVE-2012-0036) - -* Thu Jan 05 2012 Paul Howarth 7.23.0-6 -- rebuild for gcc 4.7 - -* Mon Jan 02 2012 Kamil Dudka 7.23.0-5 -- upstream patch that allows to run FTPS tests with nss-3.13 (#760060) - -* Tue Dec 27 2011 Kamil Dudka 7.23.0-4 -- allow to run FTPS tests with nss-3.13 (#760060) - -* Sun Dec 25 2011 Kamil Dudka 7.23.0-3 -- avoid unnecessary timeout event when waiting for 100-continue (#767490) - -* Mon Nov 21 2011 Kamil Dudka 7.23.0-2 -- curl -JO now uses -O name if no C-D header comes (upstream commit c532604) - -* Wed Nov 16 2011 Kamil Dudka 7.23.0-1 -- new upstream release (#754391) - -* Mon Sep 19 2011 Kamil Dudka 7.22.0-2 -- nss: select client certificates by DER (#733657) - -* Tue Sep 13 2011 Kamil Dudka 7.22.0-1 -- new upstream release -- curl-config now provides dummy --static-libs option (#733956) - -* Sun Aug 21 2011 Paul Howarth 7.21.7-4 -- actually fix SIGSEGV of curl -O -J given more than one URL (#723075) - -* Mon Aug 15 2011 Kamil Dudka 7.21.7-3 -- fix SIGSEGV of curl -O -J given more than one URL (#723075) -- introduce the --delegation option of curl (#730444) -- initialize NSS with no database if the selected database is broken (#728562) - -* Wed Aug 03 2011 Kamil Dudka 7.21.7-2 -- add a new option CURLOPT_GSSAPI_DELEGATION (#719939) - -* Thu Jun 23 2011 Kamil Dudka 7.21.7-1 -- new upstream release (fixes CVE-2011-2192) - -* Wed Jun 08 2011 Kamil Dudka 7.21.6-2 -- avoid an invalid timeout event on a reused handle (#679709) - -* Sat Apr 23 2011 Paul Howarth 7.21.6-1 -- new upstream release - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-2 -- fix the output of curl-config --version (upstream commit 82ecc85) - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-1 -- new upstream release - -* Sat Apr 16 2011 Peter Robinson 7.21.4-4 -- no valgrind on ARMv5 arches - -* Sat Mar 05 2011 Dennis Gilmore 7.21.4-3 -- no valgrind on sparc arches - -* Tue Feb 22 2011 Kamil Dudka 7.21.4-2 -- do not ignore failure of SSL handshake (upstream commit 7aa2d10) - -* Fri Feb 18 2011 Kamil Dudka 7.21.4-1 -- new upstream release -- avoid memory leak on SSL connection failure (upstream commit a40f58d) -- work around valgrind bug (#678518) - -* Tue Feb 08 2011 Fedora Release Engineering - 7.21.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Wed Jan 12 2011 Kamil Dudka 7.21.3-2 -- build libcurl with --enable-hidden-symbols - -* Thu Dec 16 2010 Paul Howarth 7.21.3-1 -- update to 7.21.3: - - added --noconfigure switch to testcurl.pl - - added --xattr option - - added CURLOPT_RESOLVE and --resolve - - added CURLAUTH_ONLY - - added version-check.pl to the examples dir - - check for libcurl features for some command line options - - Curl_setopt: disallow CURLOPT_USE_SSL without SSL support - - http_chunks: remove debug output - - URL-parsing: consider ? a divider - - SSH: avoid using the libssh2_ prefix - - SSH: use libssh2_session_handshake() to work on win64 - - ftp: prevent server from hanging on closed data connection when stopping - a transfer before the end of the full transfer (ranges) - - LDAP: detect non-binary attributes properly - - ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT - - gnutls->handshake: improved timeout handling - - security: pass the right parameter to init - - krb5: use GSS_ERROR to check for error - - TFTP: resend the correct data - - configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected - - GnuTLS: now detects socket errors on Windows - - symbols-in-versions: updated en masse - - added a couple of examples that were missing from the tarball - - Curl_send/recv_plain: return errno on failure - - Curl_wait_for_resolv (for c-ares): correct timeout - - ossl_connect_common: detect connection re-use - - configure: prevent link errors with --librtmp - - openldap: use remote port in URL passed to ldap_init_fd() - - url: provide dead_connection flag in Curl_handler::disconnect - - lots of compiler warning fixes - - ssh: fix a download resume point calculation - - fix getinfo CURLINFO_LOCAL* for reused connections - - multi: the returned running handles counter could turn negative - - multi: only ever consider pipelining for connections doing HTTP(S) -- drop upstream patches now in tarball -- update bz650255 and disable-test1112 patches to apply against new codebase -- add workaround for false-positive glibc-detected buffer overflow in tftpd - test server with FORTIFY_SOURCE (similar to #515361) - -* Fri Nov 12 2010 Kamil Dudka 7.21.2-5 -- do not send QUIT to a dead FTP control connection (#650255) -- pull back glibc's implementation of str[n]casecmp(), #626470 appears fixed - -* Tue Nov 09 2010 Kamil Dudka 7.21.2-4 -- prevent FTP client from hanging on unrecognized ABOR response (#649347) -- return more appropriate error code in case FTP server session idle - timeout has exceeded (#650255) - -* Fri Oct 29 2010 Kamil Dudka 7.21.2-3 -- prevent FTP server from hanging on closed data connection (#643656) - -* Thu Oct 14 2010 Paul Howarth 7.21.2-2 -- enforce versioned libssh2 dependency for libcurl (#642796) - -* Wed Oct 13 2010 Kamil Dudka 7.21.2-1 -- new upstream release, drop applied patches -- make 0102-curl-7.21.2-debug.patch less intrusive - -* Wed Sep 29 2010 jkeating - 7.21.1-6 -- Rebuilt for gcc bug 634757 - -* Sat Sep 11 2010 Kamil Dudka 7.21.1-5 -- make it possible to run SCP/SFTP tests on x86_64 (#632914) - -* Tue Sep 07 2010 Kamil Dudka 7.21.1-4 -- work around glibc/valgrind problem on x86_64 (#631449) - -* Tue Aug 24 2010 Paul Howarth 7.21.1-3 -- fix up patches so there's no need to run autotools in the rpm build -- drop buildreq automake -- drop dependency on automake for devel package from F-14, where - %%{_datadir}/aclocal is included in the filesystem package -- drop dependency on pkgconfig for devel package from F-11, where - pkgconfig dependencies are auto-generated - -* Mon Aug 23 2010 Kamil Dudka 7.21.1-2 -- re-enable test575 on s390(x), already fixed (upstream commit d63bdba) -- modify system headers to work around gcc bug (#617757) -- curl -T now ignores file size of special files (#622520) -- fix kerberos proxy authentication for https (#625676) -- work around glibc/valgrind problem on x86_64 (#626470) - -* Thu Aug 12 2010 Kamil Dudka 7.21.1-1 -- new upstream release - -* Mon Jul 12 2010 Dan Horák 7.21.0-3 -- disable test 575 on s390(x) - -* Mon Jun 28 2010 Kamil Dudka 7.21.0-2 -- add support for NTLM authentication (#603783) - -* Wed Jun 16 2010 Kamil Dudka 7.21.0-1 -- new upstream release, drop applied patches -- update of %%description -- disable valgrind for certain test-cases (libssh2 problem) - -* Tue May 25 2010 Kamil Dudka 7.20.1-6 -- fix -J/--remote-header-name to strip CR-LF (upstream patch) - -* Wed Apr 28 2010 Kamil Dudka 7.20.1-5 -- CRL support now works again (#581926) -- make it possible to start a testing OpenSSH server when building with SELinux - in the enforcing mode (#521087) - -* Sat Apr 24 2010 Kamil Dudka 7.20.1-4 -- upstream patch preventing failure of test536 with threaded DNS resolver -- upstream patch preventing SSL handshake timeout underflow - -* Thu Apr 22 2010 Paul Howarth 7.20.1-3 -- replace Rawhide s390-sleep patch with a more targeted patch adding a - delay after tests 513 and 514 rather than after all tests - -* Wed Apr 21 2010 Kamil Dudka 7.20.1-2 -- experimentally enabled threaded DNS lookup -- make curl-config multilib ready again (#584107) - -* Mon Apr 19 2010 Kamil Dudka 7.20.1-1 -- new upstream release - -* Tue Mar 23 2010 Kamil Dudka 7.20.0-4 -- add missing quote in libcurl.m4 (#576252) - -* Fri Mar 19 2010 Kamil Dudka 7.20.0-3 -- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972) -- valgrind temporarily disabled (#574889) -- kerberos installation prefix has been changed - -* Wed Feb 24 2010 Kamil Dudka 7.20.0-2 -- exclude test1112 from the test suite (#565305) - -* Thu Feb 11 2010 Kamil Dudka 7.20.0-1 -- new upstream release - added support for IMAP(S), POP3(S), SMTP(S) and RTSP -- dropped patches applied upstream -- dropped curl-7.16.0-privlibs.patch no longer useful -- a new patch forcing -lrt when linking the curl tool and test-cases - -* Fri Jan 29 2010 Kamil Dudka 7.19.7-11 -- upstream patch adding a new option -J/--remote-header-name -- dropped temporary workaround for #545779 - -* Thu Jan 14 2010 Chris Weyl 7.19.7-10 -- bump for libssh2 rebuild - -* Sun Dec 20 2009 Kamil Dudka 7.19.7-9 -- temporary workaround for #548269 - (restored behavior of 7.19.7-4) - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-8 -- replace hard wired port numbers in the test suite - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-7 -- use different port numbers for 32bit and 64bit builds -- temporary workaround for #545779 - -* Tue Dec 08 2009 Kamil Dudka 7.19.7-6 -- make it possible to run test241 -- re-enable SCP/SFTP tests (#539444) - -* Sat Dec 05 2009 Kamil Dudka 7.19.7-5 -- avoid use of uninitialized value in lib/nss.c -- suppress failure of test513 on s390 - -* Tue Dec 01 2009 Kamil Dudka 7.19.7-4 -- do not require valgrind on s390 and s390x -- temporarily disabled SCP/SFTP test-suite (#539444) - -* Thu Nov 12 2009 Kamil Dudka 7.19.7-3 -- fix crash on doubly closed NSPR descriptor, patch contributed - by Kevin Baughman (#534176) -- new version of patch for broken TLS servers (#525496, #527771) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-2 -- increased release number (CVS problem) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-1 -- new upstream release, dropped applied patches -- workaround for broken TLS servers (#525496, #527771) - -* Wed Oct 14 2009 Kamil Dudka 7.19.6-13 -- fix timeout issues and gcc warnings within lib/nss.c - -* Tue Oct 06 2009 Kamil Dudka 7.19.6-12 -- upstream patch for NSS support written by Guenter Knauf - -* Wed Sep 30 2009 Kamil Dudka 7.19.6-11 -- build libcurl with c-ares support (#514771) - -* Sun Sep 27 2009 Kamil Dudka 7.19.6-10 -- require libssh2>=1.2 properly (#525002) - -* Sat Sep 26 2009 Kamil Dudka 7.19.6-9 -- let curl test-suite use valgrind -- require libssh2>=1.2 (#525002) - -* Mon Sep 21 2009 Chris Weyl - 7.19.6-8 -- rebuild for libssh2 1.2 - -* Thu Sep 17 2009 Kamil Dudka 7.19.6-7 -- make curl test-suite more verbose - -* Wed Sep 16 2009 Kamil Dudka 7.19.6-6 -- update polling patch to the latest upstream version - -* Thu Sep 03 2009 Kamil Dudka 7.19.6-5 -- cover ssh and stunnel support by the test-suite - -* Wed Sep 02 2009 Kamil Dudka 7.19.6-4 -- use pkg-config to find nss and libssh2 if possible -- better patch (not only) for SCP/SFTP polling -- improve error message for not matching common name (#516056) - -* Fri Aug 21 2009 Kamil Dudka 7.19.6-3 -- avoid tight loop during a sftp upload -- http://permalink.gmane.org/gmane.comp.web.curl.library/24744 - -* Tue Aug 18 2009 Kamil Dudka 7.19.6-2 -- let curl package depend on the same version of libcurl - -* Fri Aug 14 2009 Kamil Dudka 7.19.6-1 -- new upstream release, dropped applied patches -- changed NSS code to not ignore the value of ssl.verifyhost and produce more - verbose error messages (#516056) - -* Wed Aug 12 2009 Ville Skyttä - 7.19.5-10 -- Use lzma compressed upstream tarball. - -* Fri Jul 24 2009 Fedora Release Engineering - 7.19.5-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Wed Jul 22 2009 Kamil Dudka 7.19.5-8 -- do not pre-login to all PKCS11 slots, it causes problems with HW tokens -- try to select client certificate automatically when not specified, thanks - to Claes Jakobsson - -* Fri Jul 10 2009 Kamil Dudka 7.19.5-7 -- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson - -* Sun Jul 05 2009 Kamil Dudka 7.19.5-6 -- force test suite to use the just built libcurl, thanks to Paul Howarth - -* Thu Jul 02 2009 Kamil Dudka 7.19.5-5 -- run test suite after build -- enable built-in manual - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-4 -- fix bug introduced by the last build (#504857) - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-3 -- exclude curlbuild.h content from spec (#504857) - -* Wed Jun 10 2009 Kamil Dudka 7.19.5-2 -- avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857) - -* Tue May 19 2009 Kamil Dudka 7.19.5-1 -- update to 7.19.5, dropped applied patches - -* Mon May 11 2009 Kamil Dudka 7.19.4-11 -- fix infinite loop while loading a private key, thanks to Michael Cronenworth - (#453612) - -* Mon Apr 27 2009 Kamil Dudka 7.19.4-10 -- fix curl/nss memory leaks while using client certificate (#453612, accepted - by upstream) - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-9 -- add missing BuildRequire for autoconf - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-8 -- fix configure.ac to not discard -g in CFLAGS (#496778) - -* Tue Apr 21 2009 Debarshi Ray 7.19.4-7 -- Fixed configure to respect the environment's CFLAGS and CPPFLAGS settings. - -* Tue Apr 14 2009 Kamil Dudka 7.19.4-6 -- upstream patch fixing memory leak in lib/nss.c (#453612) -- remove redundant dependency of libcurl-devel on libssh2-devel - -* Wed Mar 18 2009 Kamil Dudka 7.19.4-5 -- enable 6 additional crypto algorithms by default (#436781, - accepted by upstream) - -* Thu Mar 12 2009 Kamil Dudka 7.19.4-4 -- fix memory leak in src/main.c (accepted by upstream) -- avoid using %%ifarch - -* Wed Mar 11 2009 Kamil Dudka 7.19.4-3 -- make libcurl-devel multilib-ready (bug #488922) - -* Fri Mar 06 2009 Jindrich Novy 7.19.4-2 -- drop .easy-leak patch, causes problems in pycurl (#488791) -- fix libcurl-devel dependencies (#488895) - -* Tue Mar 03 2009 Jindrich Novy 7.19.4-1 -- update to 7.19.4 (fixes CVE-2009-0037) -- fix leak in curl_easy* functions, thanks to Kamil Dudka -- drop nss-fix patch, applied upstream - -* Tue Feb 24 2009 Fedora Release Engineering - 7.19.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 17 2009 Kamil Dudka 7.19.3-1 -- update to 7.19.3, dropped applied nss patches -- add patch fixing 7.19.3 curl/nss bugs - -* Mon Dec 15 2008 Jindrich Novy 7.18.2-9 -- rebuild for f10/rawhide cvs tag clashes - -* Sat Dec 06 2008 Jindrich Novy 7.18.2-8 -- use improved NSS patch, thanks to Rob Crittenden (#472489) - -* Tue Sep 09 2008 Jindrich Novy 7.18.2-7 -- update the thread safety patch, thanks to Rob Crittenden (#462217) - -* Wed Sep 03 2008 Warren Togami 7.18.2-6 -- add thread safety to libcurl NSS cleanup() functions (#459297) - -* Fri Aug 22 2008 Tom "spot" Callaway 7.18.2-5 -- undo mini libcurl.so.3 - -* Mon Aug 11 2008 Tom "spot" Callaway 7.18.2-4 -- make miniature library for libcurl.so.3 - -* Fri Jul 4 2008 Jindrich Novy 7.18.2-3 -- enable support for libssh2 (#453958) - -* Wed Jun 18 2008 Jindrich Novy 7.18.2-2 -- fix curl_multi_perform() over a proxy (#450140), thanks to - Rob Crittenden - -* Wed Jun 4 2008 Jindrich Novy 7.18.2-1 -- update to 7.18.2 - -* Wed May 7 2008 Jindrich Novy 7.18.1-2 -- spec cleanup, thanks to Paul Howarth (#225671) - - drop BR: libtool - - convert CHANGES and README to UTF-8 - - _GNU_SOURCE in CFLAGS is no more needed - - remove bogus rpath - -* Mon Mar 31 2008 Jindrich Novy 7.18.1-1 -- update to curl 7.18.1 (fixes #397911) -- add ABI docs for libcurl -- remove --static-libs from curl-config -- drop curl-config patch, obsoleted by @SSL_ENABLED@ autoconf - substitution (#432667) - -* Fri Feb 15 2008 Jindrich Novy 7.18.0-2 -- define _GNU_SOURCE so that NI_MAXHOST gets defined from glibc - -* Mon Jan 28 2008 Jindrich Novy 7.18.0-1 -- update to curl-7.18.0 -- drop sslgen patch -> applied upstream -- fix typo in description - -* Tue Jan 22 2008 Jindrich Novy 7.17.1-6 -- fix curl-devel obsoletes so that we don't break F8->F9 upgrade - path (#429612) - -* Tue Jan 8 2008 Jindrich Novy 7.17.1-5 -- do not attempt to close a bad socket (#427966), - thanks to Caolan McNamara - -* Tue Dec 4 2007 Jindrich Novy 7.17.1-4 -- rebuild because of the openldap soname bump -- remove old nsspem patch - -* Fri Nov 30 2007 Jindrich Novy 7.17.1-3 -- drop useless ldap library detection since curl doesn't - dlopen()s it but links to it -> BR: openldap-devel -- enable LDAPS support (#225671), thanks to Paul Howarth -- BR: krb5-devel to reenable GSSAPI support -- simplify build process -- update description - -* Wed Nov 21 2007 Jindrich Novy 7.17.1-2 -- update description to contain complete supported servers list (#393861) - -* Sat Nov 17 2007 Jindrich Novy 7.17.1-1 -- update to curl 7.17.1 -- include patch to enable SSL usage in NSS when a socket is opened - nonblocking, thanks to Rob Crittenden (rcritten@redhat.com) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-10 -- correctly provide/obsolete curl-devel (#130251) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-9 -- create libcurl and libcurl-devel subpackages (#130251) - -* Thu Oct 11 2007 Jindrich Novy 7.16.4-8 -- list features correctly when curl is compiled against NSS (#316191) - -* Mon Sep 17 2007 Jindrich Novy 7.16.4-7 -- add zlib-devel BR to enable gzip compressed transfers in curl (#292211) - -* Mon Sep 10 2007 Jindrich Novy 7.16.4-6 -- provide webclient (#225671) - -* Thu Sep 6 2007 Jindrich Novy 7.16.4-5 -- add support for the NSS PKCS#11 pem reader so the command-line is the - same for both OpenSSL and NSS by Rob Crittenden (rcritten@redhat.com) -- switch to NSS again - -* Mon Sep 3 2007 Jindrich Novy 7.16.4-4 -- revert back to use OpenSSL (#266021) - -* Mon Aug 27 2007 Jindrich Novy 7.16.4-3 -- don't use openssl, use nss instead - -* Fri Aug 10 2007 Jindrich Novy 7.16.4-2 -- fix anonymous ftp login (#251570), thanks to David Cantrell - -* Wed Jul 11 2007 Jindrich Novy 7.16.4-1 -- update to 7.16.4 - -* Mon Jun 25 2007 Jindrich Novy 7.16.3-1 -- update to 7.16.3 -- drop .print patch, applied upstream -- next series of merge review fixes by Paul Howarth -- remove aclocal stuff, no more needed -- simplify makefile arguments -- don't reference standard library paths in libcurl.pc -- include docs/CONTRIBUTE - -* Mon Jun 18 2007 Jindrich Novy 7.16.2-5 -- don't print like crazy (#236981), backported from upstream CVS - -* Fri Jun 15 2007 Jindrich Novy 7.16.2-4 -- another series of review fixes (#225671), - thanks to Paul Howarth -- check version of ldap library automatically -- don't use %%makeinstall and preserve timestamps -- drop useless patches - -* Fri May 11 2007 Jindrich Novy 7.16.2-3 -- add automake BR to curl-devel to fix aclocal dir. ownership, - thanks to Patrice Dumas - -* Thu May 10 2007 Jindrich Novy 7.16.2-2 -- package libcurl.m4 in curl-devel (#239664), thanks to Quy Tonthat - -* Wed Apr 11 2007 Jindrich Novy 7.16.2-1 -- update to 7.16.2 - -* Mon Feb 19 2007 Jindrich Novy 7.16.1-3 -- don't create/ship static libraries (#225671) - -* Mon Feb 5 2007 Jindrich Novy 7.16.1-2 -- merge review related spec fixes (#225671) - -* Mon Jan 29 2007 Jindrich Novy 7.16.1-1 -- update to 7.16.1 - -* Tue Jan 16 2007 Jindrich Novy 7.16.0-5 -- don't package generated makefiles for docs/examples to avoid - multilib conflicts - -* Mon Dec 18 2006 Jindrich Novy 7.16.0-4 -- convert spec to UTF-8 -- don't delete BuildRoot in %%prep phase -- rpmlint fixes - -* Thu Nov 16 2006 Jindrich Novy -7.16.0-3 -- prevent curl from dlopen()ing missing ldap libraries so that - ldap:// requests work (#215928) - -* Tue Oct 31 2006 Jindrich Novy - 7.16.0-2 -- fix BuildRoot -- add Requires: pkgconfig for curl-devel -- move LDFLAGS and LIBS to Libs.private in libcurl.pc.in (#213278) - -* Mon Oct 30 2006 Jindrich Novy - 7.16.0-1 -- update to curl-7.16.0 - -* Thu Aug 24 2006 Jindrich Novy - 7.15.5-1.fc6 -- update to curl-7.15.5 -- use %%{?dist} - -* Fri Jun 30 2006 Ivana Varekova - 7.15.4-1 -- update to 7.15.4 - -* Mon Mar 20 2006 Ivana Varekova - 7.15.3-1 -- fix multilib problem using pkg-config -- update to 7.15.3 - -* Thu Feb 23 2006 Ivana Varekova - 7.15.1-2 -- fix multilib problem - #181290 - - curl-devel.i386 not installable together with curl-devel.x86-64 - -* Fri Feb 10 2006 Jesse Keating - 7.15.1-1.2.1 -- bump again for double-long bug on ppc(64) - -* Tue Feb 07 2006 Jesse Keating - 7.15.1-1.2 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Fri Dec 09 2005 Jesse Keating -- rebuilt - -* Thu Dec 8 2005 Ivana Varekova 7.15.1-1 -- update to 7.15.1 (bug 175191) - -* Wed Nov 30 2005 Ivana Varekova 7.15.0-3 -- fix curl-config bug 174556 - missing vernum value - -* Wed Nov 9 2005 Ivana Varekova 7.15.0-2 -- rebuilt - -* Tue Oct 18 2005 Ivana Varekova 7.15.0-1 -- update to 7.15.0 - -* Thu Oct 13 2005 Ivana Varekova 7.14.1-1 -- update to 7.14.1 - -* Thu Jun 16 2005 Ivana Varekova 7.14.0-1 -- rebuild new version - -* Tue May 03 2005 Ivana Varekova 7.13.1-3 -- fix bug 150768 - curl-7.12.3-2 breaks basic authentication - used Daniel Stenberg patch - -* Mon Apr 25 2005 Joe Orton 7.13.1-2 -- update to use ca-bundle in /etc/pki -- mark License as MIT not MPL - -* Wed Mar 9 2005 Ivana Varekova 7.13.1-1 -- rebuilt (7.13.1) - -* Tue Mar 1 2005 Tomas Mraz 7.13.0-2 -- rebuild with openssl-0.9.7e - -* Sun Feb 13 2005 Florian La Roche -- 7.13.0 - -* Wed Feb 9 2005 Joe Orton 7.12.3-3 -- don't pass /usr to --with-libidn to remove "-L/usr/lib" from - 'curl-config --libs' output on x86_64. - -* Fri Jan 28 2005 Adrian Havill 7.12.3-1 -- Upgrade to 7.12.3, which uses poll() for FDSETSIZE limit (#134794) -- require libidn-devel for devel subpkg (#141341) -- remove proftpd kludge; included upstream - -* Wed Oct 06 2004 Adrian Havill 7.12.1-1 -- upgrade to 7.12.1 -- enable GSSAPI auth (#129353) -- enable I18N domain names (#134595) -- workaround for broken ProFTPD SSL auth (#134133). Thanks to - Aleksandar Milivojevic - -* Wed Sep 29 2004 Adrian Havill 7.12.0-4 -- move new docs position so defattr gets applied - -* Mon Sep 27 2004 Warren Togami 7.12.0-3 -- remove INSTALL, move libcurl docs to -devel - -* Mon Jul 26 2004 Jindrich Novy -- updated to 7.12.0 -- updated nousr patch - -* Tue Jun 15 2004 Elliot Lee -- rebuilt - -* Wed Apr 07 2004 Adrian Havill 7.11.1-1 -- upgraded; updated nousr patch -- added COPYING (#115956) -- - -* Tue Mar 02 2004 Elliot Lee -- rebuilt - -* Fri Feb 13 2004 Elliot Lee -- rebuilt - -* Sat Jan 31 2004 Florian La Roche -- update to 7.10.8 -- remove patch2, already upstream - -* Wed Oct 15 2003 Adrian Havill 7.10.6-7 -- aclocal before libtoolize -- move OpenLDAP license so it's present as a doc file, present in - both the source and binary as per conditions - -* Mon Oct 13 2003 Adrian Havill 7.10.6-6 -- add OpenLDAP copyright notice for usage of code, add OpenLDAP - license for this code - -* Tue Oct 07 2003 Adrian Havill 7.10.6-5 -- match serverAltName certs with SSL (#106168) - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4.1 -- bump n-v-r for RHEL - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4 -- restore ca cert bundle (#104400) -- require openssl, we want to use its ca-cert bundle - -* Sun Sep 7 2003 Joe Orton 7.10.6-3 -- rebuild - -* Fri Sep 5 2003 Joe Orton 7.10.6-2.2 -- fix to include libcurl.so - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2.1 -- bump n-v-r for RHEL - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2 -- devel subpkg needs openssl-devel as a Require (#102963) - -* Mon Jul 28 2003 Adrian Havill 7.10.6-1 -- bumped version - -* Tue Jul 01 2003 Adrian Havill 7.10.5-1 -- bumped version - -* Wed Jun 04 2003 Elliot Lee -- rebuilt - -* Sat Apr 12 2003 Florian La Roche -- update to 7.10.4 -- adapt nousr patch - -* Wed Jan 22 2003 Tim Powers -- rebuilt - -* Tue Jan 21 2003 Joe Orton 7.9.8-4 -- don't add -L/usr/lib to 'curl-config --libs' output - -* Tue Jan 7 2003 Nalin Dahyabhai 7.9.8-3 -- rebuild - -* Wed Nov 6 2002 Joe Orton 7.9.8-2 -- fix `curl-config --libs` output for libdir!=/usr/lib -- remove docs/LIBCURL from docs list; remove unpackaged libcurl.la -- libtoolize and reconf - -* Mon Jul 22 2002 Trond Eivind Glomsrød 7.9.8-1 -- 7.9.8 (# 69473) - -* Fri Jun 21 2002 Tim Powers -- automated rebuild - -* Sun May 26 2002 Tim Powers -- automated rebuild - -* Thu May 16 2002 Trond Eivind Glomsrød 7.9.7-1 -- 7.9.7 - -* Wed Apr 24 2002 Trond Eivind Glomsrød 7.9.6-1 -- 7.9.6 - -* Thu Mar 21 2002 Trond Eivind Glomsrød 7.9.5-2 -- Stop the curl-config script from printing -I/usr/include - and -L/usr/lib (#59497) - -* Fri Mar 8 2002 Trond Eivind Glomsrød 7.9.5-1 -- 7.9.5 - -* Tue Feb 26 2002 Trond Eivind Glomsrød 7.9.3-2 -- Rebuild - -* Wed Jan 23 2002 Nalin Dahyabhai 7.9.3-1 -- update to 7.9.3 - -* Wed Jan 09 2002 Tim Powers 7.9.2-2 -- automated rebuild - -* Wed Jan 9 2002 Trond Eivind Glomsrød 7.9.2-1 -- 7.9.2 - -* Fri Aug 17 2001 Nalin Dahyabhai -- include curl-config in curl-devel -- update to 7.8 to fix memory leak and strlcat() symbol pollution from libcurl - -* Wed Jul 18 2001 Crutcher Dunnavant -- added openssl-devel build req - -* Mon May 21 2001 Tim Powers -- built for the distro - -* Tue Apr 24 2001 Jeff Johnson -- upgrade to curl-7.7.2. -- enable IPv6. - -* Fri Mar 2 2001 Tim Powers -- rebuilt against openssl-0.9.6-1 - -* Thu Jan 4 2001 Tim Powers -- fixed mising ldconfigs -- updated to 7.5.2, bug fixes - -* Mon Dec 11 2000 Tim Powers -- updated to 7.5.1 - -* Mon Nov 6 2000 Tim Powers -- update to 7.4.1 to fix bug #20337, problems with curl -c -- not using patch anymore, it's included in the new source. Keeping - for reference - -* Fri Oct 20 2000 Nalin Dahyabhai -- fix bogus req in -devel package - -* Fri Oct 20 2000 Tim Powers -- devel package needed defattr so that root owns the files - -* Mon Oct 16 2000 Nalin Dahyabhai -- update to 7.3 -- apply vsprintf/vsnprintf patch from Colin Phipps via Debian - -* Mon Aug 21 2000 Nalin Dahyabhai -- enable SSL support -- fix packager tag -- move buildroot to %%{_tmppath} - -* Tue Aug 1 2000 Tim Powers -- fixed vendor tag for bug #15028 - -* Mon Jul 24 2000 Prospector -- rebuilt - -* Tue Jul 11 2000 Tim Powers -- workaround alpha build problems with optimizations - -* Mon Jul 10 2000 Tim Powers -- rebuilt - -* Mon Jun 5 2000 Tim Powers -- put man pages in correct place -- use %%makeinstall - -* Mon Apr 24 2000 Tim Powers -- updated to 6.5.2 - -* Wed Nov 3 1999 Tim Powers -- updated sources to 6.2 -- gzip man page - -* Mon Aug 30 1999 Tim Powers -- changed group - -* Thu Aug 26 1999 Tim Powers -- changelog started -- general cleanups, changed prefix to /usr, added manpage to files section -- including in Powertools From c0b70e927f358df34598d6ab38da54ea04676a2e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 17 May 2023 09:28:55 +0200 Subject: [PATCH 179/256] new upstream release - 8.1.0 Resolves: CVE-2023-28321 - IDN wildcard match Resolves: CVE-2023-28322 - more POST-after-PUT confusion --- 0103-curl-7.87.0-test3012.patch | 2 +- 0104-curl-7.88.0-tests-warnings.patch | 10 +-- 0105-curl-8.0.1-tests-stunnel-port.patch | 97 ------------------------ curl.spec | 13 ++-- sources | 4 +- 5 files changed, 16 insertions(+), 110 deletions(-) delete mode 100644 0105-curl-8.0.1-tests-stunnel-port.patch diff --git a/0103-curl-7.87.0-test3012.patch b/0103-curl-7.87.0-test3012.patch index 108d715..1de7ff3 100644 --- a/0103-curl-7.87.0-test3012.patch +++ b/0103-curl-7.87.0-test3012.patch @@ -38,7 +38,7 @@ index 1889c93..ea43a49 100644 --- a/tests/data/test3012 +++ b/tests/data/test3012 @@ -56,5 +56,9 @@ Accept: */* - + -foo- + diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch index dff89f9..04b2ba2 100644 --- a/0104-curl-7.88.0-tests-warnings.patch +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -15,16 +15,16 @@ diff --git a/tests/runtests.pl b/tests/runtests.pl index 71644ad18..0cf85c3fe 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl -@@ -75,8 +75,7 @@ BEGIN { - } +@@ -55,8 +55,7 @@ + # given, this won't be a problem. use strict; -# Promote all warnings to fatal -use warnings FATAL => 'all'; +use warnings; - use Cwd; - use Digest::MD5 qw(md5); - use MIME::Base64; + use 5.006; + + # These should be the only variables that might be needed to get edited: -- 2.39.1 diff --git a/0105-curl-8.0.1-tests-stunnel-port.patch b/0105-curl-8.0.1-tests-stunnel-port.patch deleted file mode 100644 index 47d1419..0000000 --- a/0105-curl-8.0.1-tests-stunnel-port.patch +++ /dev/null @@ -1,97 +0,0 @@ -From c9a1d18e5f8f28b90c1b2fcc1f15699327067e59 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 21 Apr 2023 17:44:10 +0200 -Subject: [PATCH] tests/runtests.pl: attempt to fix a conflict on port numbers - -... where stunnel listens for legacy HTTPS and HTTP/2, which manifests -as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 -1941 1945 2050 2055 3028 -``` -[...] -startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 -RUN: HTTPS server is PID 114398 port 24642 -* pid https => 114398 114402 -[...] -startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 -startnew: child process has died, server might start up -Warning: http2 server unexpectedly alive -RUN: Process with pid 73992 signalled to die -RUN: Process with pid 73992 forced to die with SIGKILL -== Contents of files in the log/ dir after test 1630 -=== Start of file http2_server.log - 14:01:21.881018 exit_signal_handler: 15 - 14:01:21.881372 signalled to die - 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) -=== End of file http2_server.log -=== Start of file https2_stunnel.log - [ ] Initializing inetd mode configuration - [ ] Clients allowed=500 - [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform - [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 - [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI - [ ] errno: (*__errno_location ()) - [ ] Initializing inetd mode configuration - [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf - [.] UTF-8 byte order mark not detected - [.] FIPS mode disabled - [ ] Compression disabled - [ ] No PRNG seeding was required - [ ] Initializing service [curltest] - [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. - [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly - [ ] stunnel default security level set: 2 - [ ] Ciphers: PROFILE=SYSTEM - [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 - [ ] TLS options: 0x2100000 (+0x0, -0x0) - [ ] Session resumption enabled - [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Private key check succeeded - [!] No trusted certificates found - [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 - [ ] DH initialization - [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Using dynamic DH parameters - [ ] ECDH initialization - [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 - [.] Configuration successful - [ ] Deallocating deployed section defaults - [ ] Binding service [curltest] - [ ] Listening file descriptor created (FD=8) - [ ] Setting accept socket options (FD=8) - [ ] Option SO_REUSEADDR set on accept socket - [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) - [ ] Listening file descriptor created (FD=8) - [ ] Setting accept socket options (FD=8) - [ ] Option SO_REUSEADDR set on accept socket - [.] Binding service [curltest] to :::24642: Address already in use (98) - [!] Binding service [curltest] failed - [ ] Unbinding service [curltest] - [ ] Service [curltest] closed - [ ] Deallocating deployed section defaults - [ ] Deallocating section [curltest] - [ ] Initializing inetd mode configuration -=== End of file https2_stunnel.log -``` ---- - tests/runtests.pl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index 54f6923..bb362c9 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -1802,7 +1802,7 @@ sub runhttpsserver { - - my $pid2; - my $httpspid; -- my $port = 24512; # start attempt -+ my $port = 24512 * $idnum; # start attempt - for (1 .. 10) { - $port += int(rand(600)); - my $options = "$flags --accept $port"; --- -2.39.2 - diff --git a/curl.spec b/curl.spec index b41cf59..6caa923 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.0.1 -Release: 3%{?dist} +Version: 8.1.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -22,9 +22,6 @@ Patch103: 0103-curl-7.87.0-test3012.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch -# tests: attempt to fix a conflict on port numbers -Patch105: 0105-curl-8.0.1-tests-stunnel-port.patch - Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -84,6 +81,7 @@ BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) BuildRequires: perl(IPC::Open2) +BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) BuildRequires: perl(Time::Local) BuildRequires: perl(Time::HiRes) @@ -407,6 +405,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 17 2023 Kamil Dudka - 8.1.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-28321 - IDN wildcard match + CVE-2023-28322 - more POST-after-PUT confusion + * Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 - tests: re-enable temporarily disabled test-cases - tests: attempt to fix a conflict on port numbers diff --git a/sources b/sources index fe0a4ce..f60ca98 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.0.1.tar.xz) = 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d -SHA512 (curl-8.0.1.tar.xz.asc) = 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf +SHA512 (curl-8.1.0.tar.xz) = b99926f372ddd715cd1d2b54d8fb96b26b085e6501715e25aa57b6c6a7f8452473506ddb284e2f280f8afdb301b7f0c3bfde7ad7ed393b12c022430a9301096d +SHA512 (curl-8.1.0.tar.xz.asc) = 191a74c7a6b6aa78b7f36e1535fda0701bde8b333a61c90343e1f1b2d65cc5097b5febc5fa42b2f373795ef1b34078790deaaa71c8aaa45eed1c753729a45f3d From 4da3349c052a3dbc42320f3dbca35ed5fb60fbaf Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 17 May 2023 09:55:40 +0200 Subject: [PATCH 180/256] drop 0103-curl-7.87.0-test3012.patch The related valgrind bug has been fixed https://bugzilla.redhat.com/2143040 --- 0103-curl-7.87.0-test3012.patch | 52 --------------------------------- curl.spec | 3 -- 2 files changed, 55 deletions(-) delete mode 100644 0103-curl-7.87.0-test3012.patch diff --git a/0103-curl-7.87.0-test3012.patch b/0103-curl-7.87.0-test3012.patch deleted file mode 100644 index 1de7ff3..0000000 --- a/0103-curl-7.87.0-test3012.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 0d0a256c8e7f6261d49e1bdd583c04c0e5dfe706 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 11 Jan 2023 08:53:05 +0100 -Subject: [PATCH] test3012: disable valgrind - -valgrind reports a call to memcpy() with overlapping blocks by mistake: -``` -test 3012...[--output-dir with -J] -../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind3012 ../src/curl --trace-ascii log/trace3012 --trace-time http://127.0.0.1:35981/this/is/the/3012 -OJ --output-dir /root/rpmbuild/BUILD/curl-7.86.0/build-minimal/tests/log >log/stdout3012 2>log/stderr3012 -CMD (0): ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind3012 ../src/curl --trace-ascii log/trace3012 --trace-time http://127.0.0.1:35981/this/is/the/3012 -OJ --output-dir /root/rpmbuild/BUILD/curl-7.86.0/build-minimal/tests/log >log/stdout3012 2>log/stderr3012 - valgrind ERROR ==496584== Source and destination overlap in memcpy_chk(0x54ad1a0, 0x54ad1a1, 11) -==496584== at 0x484C332: __memcpy_chk (vg_replace_strmem.c:1741) -==496584== by 0x118FDB: UnknownInlinedFun (string_fortified.h:36) -==496584== by 0x118FDB: UnknownInlinedFun (tool_cb_hdr.c:301) -==496584== by 0x118FDB: tool_header_cb (tool_cb_hdr.c:173) -==496584== by 0x489907B: chop_write.lto_priv.0 (sendf.c:620) -==496584== by 0x489CDD1: UnknownInlinedFun (http.c:4449) -==496584== by 0x489CDD1: UnknownInlinedFun (transfer.c:633) -==496584== by 0x489CDD1: Curl_readwrite (transfer.c:1219) -==496584== by 0x488C116: multi_runsingle (multi.c:2404) -==496584== by 0x488F491: curl_multi_perform (multi.c:2682) -==496584== by 0x486A9DA: UnknownInlinedFun (easy.c:663) -==496584== by 0x486A9DA: UnknownInlinedFun (easy.c:753) -==496584== by 0x486A9DA: curl_easy_perform (easy.c:772) -==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2406) -==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2594) -==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2706) -==496584== by 0x114B28: main (tool_main.c:284) -``` - -Bug: https://bugzilla.redhat.com/2143040 ---- - tests/data/test3012 | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/tests/data/test3012 b/tests/data/test3012 -index 1889c93..ea43a49 100644 ---- a/tests/data/test3012 -+++ b/tests/data/test3012 -@@ -56,5 +56,9 @@ Accept: */* - - -foo- - -+ -+ -+disable -+ - - --- -2.39.0 - diff --git a/curl.spec b/curl.spec index 6caa923..1a0f830 100644 --- a/curl.spec +++ b/curl.spec @@ -16,9 +16,6 @@ Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch -# test3012: temporarily disable valgrind (#2143040) -Patch103: 0103-curl-7.87.0-test3012.patch - # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch From fa58a15ce67d2e5d68f7629acd230a78ff1034b0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 17 May 2023 12:11:00 +0200 Subject: [PATCH 181/256] add BR for perl(base) needed by the test-suite --- curl.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/curl.spec b/curl.spec index 1a0f830..255e7cd 100644 --- a/curl.spec +++ b/curl.spec @@ -70,6 +70,7 @@ BuildRequires: hostname BuildRequires: nghttp2 # perl modules used in the test suite +BuildRequires: perl(base) BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) BuildRequires: perl(Digest::SHA) From 6beac072292c9c0ce88dd00d2be0257eca27d38e Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Wed, 17 May 2023 13:12:45 +0100 Subject: [PATCH 182/256] Ignore lzma-compressed tarballs from old releases --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index d7bfa33..c5a82f4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ +/curl-[0-9.]*.tar.lzma +/curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc From dc1838de584fd131fd3714807b1396d9e469002d Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Wed, 17 May 2023 13:14:43 +0100 Subject: [PATCH 183/256] Additional test suite dependencies --- curl.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 255e7cd..fb65da1 100644 --- a/curl.spec +++ b/curl.spec @@ -70,7 +70,9 @@ BuildRequires: hostname BuildRequires: nghttp2 # perl modules used in the test suite +BuildRequires: perl(B) BuildRequires: perl(base) +BuildRequires: perl(constant) BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) BuildRequires: perl(Digest::SHA) @@ -79,10 +81,13 @@ BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) BuildRequires: perl(IPC::Open2) +BuildRequires: perl(List::Util) BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) -BuildRequires: perl(Time::Local) +BuildRequires: perl(POSIX) +BuildRequires: perl(Storable) BuildRequires: perl(Time::HiRes) +BuildRequires: perl(Time::Local) BuildRequires: perl(vars) %if 0%{?fedora} From d31965bf5b22057013b93a03c0e47879956aa329 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 23 May 2023 10:07:28 +0200 Subject: [PATCH 184/256] new upstream release - 8.1.1 Resolves: #2209217 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index fb65da1..defad36 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.1.0 +Version: 8.1.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -408,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue May 23 2023 Jan Macku - 8.1.1-1 +- new upstream release, with small bugfixes and improvements + * Wed May 17 2023 Kamil Dudka - 8.1.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-28321 - IDN wildcard match diff --git a/sources b/sources index f60ca98..83f1628 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.1.0.tar.xz) = b99926f372ddd715cd1d2b54d8fb96b26b085e6501715e25aa57b6c6a7f8452473506ddb284e2f280f8afdb301b7f0c3bfde7ad7ed393b12c022430a9301096d -SHA512 (curl-8.1.0.tar.xz.asc) = 191a74c7a6b6aa78b7f36e1535fda0701bde8b333a61c90343e1f1b2d65cc5097b5febc5fa42b2f373795ef1b34078790deaaa71c8aaa45eed1c753729a45f3d +SHA512 (curl-8.1.1.tar.xz) = d034b1ab9c00e8a0acf7ba6c6344734945d45666b4f38394f5456fcd9b22623146a897270861b7411412ca25c912e1bbf24eb139a6dfc1a8c00d098b3b925399 +SHA512 (curl-8.1.1.tar.xz.asc) = 6a71c18d67de8c340b5d80c7452a82c00f7ef466f690eec12edcd6123aee6866e8a0e757e1cc6c9af87a63fdeaafbc9fc1b1a4e2e0fd8a75b5952d4738fd0b27 From f91221e9d701cc0d8d40261855558d003dbb4024 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 30 May 2023 10:05:35 +0200 Subject: [PATCH 185/256] new upstream release - 8.1.2 Resolves: #2210976 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index defad36..41c8643 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.1.1 +Version: 8.1.2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -408,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue May 30 2023 Jan Macku - 8.1.2-1 +- new upstream release, with small bugfixes and improvements + * Tue May 23 2023 Jan Macku - 8.1.1-1 - new upstream release, with small bugfixes and improvements diff --git a/sources b/sources index 83f1628..f4ba12c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.1.1.tar.xz) = d034b1ab9c00e8a0acf7ba6c6344734945d45666b4f38394f5456fcd9b22623146a897270861b7411412ca25c912e1bbf24eb139a6dfc1a8c00d098b3b925399 -SHA512 (curl-8.1.1.tar.xz.asc) = 6a71c18d67de8c340b5d80c7452a82c00f7ef466f690eec12edcd6123aee6866e8a0e757e1cc6c9af87a63fdeaafbc9fc1b1a4e2e0fd8a75b5952d4738fd0b27 +SHA512 (curl-8.1.2.tar.xz) = 532ab96eba6dea66d272f3be56f5af5c5da922480f9a10e203de98037c311f12f8145ba6bf813831e42815e068874ccfd108f84f7650743f5dbb3ebc3bc9c4f4 +SHA512 (curl-8.1.2.tar.xz.asc) = d120299a2d59259aeb19ae0fa3a3e181e25b6927677187037c61a0901879956177ce8dda10764073a47848f81dcbbcb94e0b6008742994042b6b8fd194e169c3 From de1364bf2c55ec7312f6bcc1d79acaaba766bfd9 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 19 Jul 2023 13:44:49 +0200 Subject: [PATCH 186/256] new upstream release - 8.2.0 Resolves: CVE-2023-32001 - fopen race condition --- curl.spec | 6 +++++- sources | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 41c8643..47663c7 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.1.2 +Version: 8.2.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -408,6 +408,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 19 2023 Jan Macku - 8.2.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-32001 - fopen race condition + * Tue May 30 2023 Jan Macku - 8.1.2-1 - new upstream release, with small bugfixes and improvements diff --git a/sources b/sources index f4ba12c..0a72bc7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.1.2.tar.xz) = 532ab96eba6dea66d272f3be56f5af5c5da922480f9a10e203de98037c311f12f8145ba6bf813831e42815e068874ccfd108f84f7650743f5dbb3ebc3bc9c4f4 -SHA512 (curl-8.1.2.tar.xz.asc) = d120299a2d59259aeb19ae0fa3a3e181e25b6927677187037c61a0901879956177ce8dda10764073a47848f81dcbbcb94e0b6008742994042b6b8fd194e169c3 +SHA512 (curl-8.2.0.tar.xz) = 3ba5f393185d28dd9430d3be4fcd293646a5456d2f7467469896561b1577e60e7a3f030955d3cc5ec6ea5c5bfa1dfb9420a1d76e583d23f01d1c74aa291351b5 +SHA512 (curl-8.2.0.tar.xz.asc) = 66005647c54bae098feebac68f2762af2e4463dc7eb8ba4c0db79590a1a7fe581ec3d2bc4fbea39729e42836b62b011a3f7c83c29bd2f00b3ce5cf875b60b187 From b64627ff52a876c0111c0802c4d6519de980b785 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Wed, 26 Jul 2023 12:40:15 +0200 Subject: [PATCH 187/256] new upstream release - 8.2.1 Resolves: rhbz#2226659 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 47663c7..66f9da5 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.2.0 +Version: 8.2.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -408,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 +- new upstream release (rhbz#2226659) + * Wed Jul 19 2023 Jan Macku - 8.2.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-32001 - fopen race condition diff --git a/sources b/sources index 0a72bc7..efbc09c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.2.0.tar.xz) = 3ba5f393185d28dd9430d3be4fcd293646a5456d2f7467469896561b1577e60e7a3f030955d3cc5ec6ea5c5bfa1dfb9420a1d76e583d23f01d1c74aa291351b5 -SHA512 (curl-8.2.0.tar.xz.asc) = 66005647c54bae098feebac68f2762af2e4463dc7eb8ba4c0db79590a1a7fe581ec3d2bc4fbea39729e42836b62b011a3f7c83c29bd2f00b3ce5cf875b60b187 +SHA512 (curl-8.2.1.tar.xz) = 3f78c9330c52d32b166f17829fc2be13418ef925e88f75aacad7f369e7afe00dc4a56566418730dbb845b2b284d721b08f639df322e2e1ef2dfab165c4189094 +SHA512 (curl-8.2.1.tar.xz.asc) = 31ee66a09e7bd14de949ae991c23a0b905d38407b73ae39bae6d01854d8708355c14bc4d0eab3ff931b85986d0236dd34e934eef6061f4b70739137fd0525084 From 76f5788cab9c5fa6e0ab458fbaef16737f102748 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 2 Aug 2023 14:36:11 +0200 Subject: [PATCH 188/256] enable websockets Resolves: #2224651 --- curl.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 66f9da5..2bbafff 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.2.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -268,6 +268,7 @@ export common_configure_opts=" \ --disable-telnet \ --disable-tftp \ --disable-tls-srp \ + --disable-websockets \ --without-brotli \ --without-libpsl \ --without-libssh @@ -293,6 +294,7 @@ export common_configure_opts=" \ --enable-telnet \ --enable-tftp \ --enable-tls-srp \ + --enable-websockets \ --with-brotli \ --with-libpsl \ --with-libssh @@ -408,6 +410,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Aug 02 2023 Jan Macku - 8.2.1-2 +- enable websockets (#2224651) + * Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 - new upstream release (rhbz#2226659) From dd8c36f3ea85421587cc180c0edb7b43525c0284 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 13 Sep 2023 10:33:22 +0200 Subject: [PATCH 189/256] new upstream release - 8.3.0 Resolves: CVE-2023-38039 - HTTP headers eat all memory --- curl.spec | 8 ++++++-- sources | 4 ++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index 2bbafff..5c0854e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.2.1 -Release: 2%{?dist} +Version: 8.3.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -410,6 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 13 2023 Jan Macku - 8.3.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38039 - HTTP headers eat all memory + * Wed Aug 02 2023 Jan Macku - 8.2.1-2 - enable websockets (#2224651) diff --git a/sources b/sources index efbc09c..e2b2e44 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.2.1.tar.xz) = 3f78c9330c52d32b166f17829fc2be13418ef925e88f75aacad7f369e7afe00dc4a56566418730dbb845b2b284d721b08f639df322e2e1ef2dfab165c4189094 -SHA512 (curl-8.2.1.tar.xz.asc) = 31ee66a09e7bd14de949ae991c23a0b905d38407b73ae39bae6d01854d8708355c14bc4d0eab3ff931b85986d0236dd34e934eef6061f4b70739137fd0525084 +SHA512 (curl-8.3.0.tar.xz) = 6404b4c74fe1185cb482631ca3a143996cb7298d0d8a76bfafd7696e7729c00559999a069bdba782dee3f3eb273fb678a4438cb27d3deca54022878cdff83a51 +SHA512 (curl-8.3.0.tar.xz.asc) = b7d45722640ac50181b20a6d663168ec6eec6691c5604ddfe9c7177f07da598cb2de688c631043dc428c311774d781ccd16bd1e2fb4f038be651e3bee383aec4 From 554e13f7988559069134175ddc81017ca579d83e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Mon, 9 Oct 2023 10:39:43 +0200 Subject: [PATCH 190/256] tests: use newer Fedora URLs for testing ... because F36 URLs are no longer available. --- tests/non-root-user-download/runtest.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 0529a12..4d51e62 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" From cb17cbc66ada184c1016dc88d4573a91f9ce3481 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 11 Oct 2023 15:36:19 +0200 Subject: [PATCH 191/256] new upstream release - 8.4.0 Resolves: CVE-2023-38545 - SOCKS5 heap buffer overflow Resolves: CVE-2023-38546 - cookie injection with none file --- curl.spec | 7 ++++++- sources | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 5c0854e..f3a402c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.3.0 +Version: 8.4.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -410,6 +410,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 11 2023 Jan Macku - 8.4.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38545 - SOCKS5 heap buffer overflow + CVE-2023-38546 - cookie injection with none file + * Wed Sep 13 2023 Jan Macku - 8.3.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-38039 - HTTP headers eat all memory diff --git a/sources b/sources index e2b2e44..9205220 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.3.0.tar.xz) = 6404b4c74fe1185cb482631ca3a143996cb7298d0d8a76bfafd7696e7729c00559999a069bdba782dee3f3eb273fb678a4438cb27d3deca54022878cdff83a51 -SHA512 (curl-8.3.0.tar.xz.asc) = b7d45722640ac50181b20a6d663168ec6eec6691c5604ddfe9c7177f07da598cb2de688c631043dc428c311774d781ccd16bd1e2fb4f038be651e3bee383aec4 +SHA512 (curl-8.4.0.tar.xz) = 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b +SHA512 (curl-8.4.0.tar.xz.asc) = b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e From 7d149f66f5cb4d9b9af3d383835889f3b7753a15 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 6 Dec 2023 08:50:13 +0100 Subject: [PATCH 192/256] new upstream release - 8.5.0 Resolves: CVE-2023-46218 - cookie mixed case PSL bypass Resolves: CVE-2023-46219 - HSTS long file name clears contents --- ...d-tests-errorcodes.pl-to-the-tarball.patch | 162 ++++++++++++++++++ curl.spec | 10 +- sources | 4 +- 3 files changed, 173 insertions(+), 3 deletions(-) create mode 100644 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch diff --git a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch new file mode 100644 index 0000000..4fd5490 --- /dev/null +++ b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch @@ -0,0 +1,162 @@ +From 8ed817e84e3a24b5902416718cf445009a032ea9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 6 Dec 2023 09:40:30 +0100 +Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball + +Used by test 1477 + +Reported-by: Xi Ruoyao +Follow-up to 0ca3a4ec9a7 +Fixes #12462 +Closes #12463 + +(cherry picked from commit da8c1d15782c8161b455a7ee90197c16ae5edb90) + +also include missing tests/errorcodes.pl + +Signed-off-by: Jan Macku +--- + tests/Makefile.am | 20 ++++----- + tests/errorcodes.pl | 99 +++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 110 insertions(+), 9 deletions(-) + create mode 100755 tests/errorcodes.pl + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 17e9ad049..c6ae7a97a 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html + PDFPAGES = testcurl.pdf runtests.pdf + MANDISTPAGES = runtests.1.dist testcurl.1.dist + +-EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \ +- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \ +- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \ +- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ +- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \ +- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \ +- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \ +- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \ +- valgrind.supp version-scan.pl check-translatable-options.pl ++EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \ ++ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \ ++ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \ ++ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl \ ++ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ ++ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \ ++ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 \ ++ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \ ++ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \ ++ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \ ++ check-translatable-options.pl errorcodes.pl + + DISTCLEANFILES = configurehelp.pm + +diff --git a/tests/errorcodes.pl b/tests/errorcodes.pl +new file mode 100755 +index 000000000..9c8f9e882 +--- /dev/null ++++ b/tests/errorcodes.pl +@@ -0,0 +1,99 @@ ++#!/usr/bin/env perl ++#*************************************************************************** ++# _ _ ____ _ ++# Project ___| | | | _ \| | ++# / __| | | | |_) | | ++# | (__| |_| | _ <| |___ ++# \___|\___/|_| \_\_____| ++# ++# Copyright (C) Daniel Stenberg, , et al. ++# ++# This software is licensed as described in the file COPYING, which ++# you should have received as part of this distribution. The terms ++# are also available at https://curl.se/docs/copyright.html. ++# ++# You may opt to use, copy, modify, merge, publish, distribute and/or sell ++# copies of the Software, and permit persons to whom the Software is ++# furnished to do so, under the terms of the COPYING file. ++# ++# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++# KIND, either express or implied. ++# ++# SPDX-License-Identifier: curl ++# ++########################################################################### ++ ++# Check that libcurl-errors.3 and the public header files have the same set of ++# error codes. ++ ++use strict; ++use warnings; ++ ++# we may get the dir roots pointed out ++my $root=$ARGV[0] || "."; ++my $manpge = "$root/docs/libcurl/libcurl-errors.3"; ++my $curlh = "$root/include/curl"; ++my $errors=0; ++ ++my @hnames; ++my %wherefrom; ++my @mnames; ++my %manfrom; ++ ++sub scanheader { ++ my ($file)=@_; ++ open H, "<$file"; ++ my $line = 0; ++ while() { ++ $line++; ++ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { ++ my ($name)=($1); ++ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) { ++ push @hnames, $name; ++ if($wherefrom{$name}) { ++ print STDERR "double: $name\n"; ++ } ++ $wherefrom{$name}="$file:$line"; ++ } ++ } ++ } ++ close(H); ++} ++ ++sub scanmanpage { ++ my ($file)=@_; ++ open H, "<$file"; ++ my $line = 0; ++ while() { ++ $line++; ++ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { ++ my ($name)=($1); ++ push @mnames, $name; ++ $manfrom{$name}="$file:$line"; ++ } ++ } ++ close(H); ++} ++ ++ ++opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!"; ++my @hfiles = grep { /\.h$/ } readdir($dh); ++closedir $dh; ++ ++for(sort @hfiles) { ++ scanheader("$curlh/$_"); ++} ++scanmanpage($manpge); ++ ++print "Result\n"; ++for my $h (sort @hnames) { ++ if(!$manfrom{$h}) { ++ printf "$h from %s, not in man page\n", $wherefrom{$h}; ++ } ++} ++ ++for my $m (sort @mnames) { ++ if(!$wherefrom{$m}) { ++ printf "$m from %s, not in any header\n", $manfrom{$m}; ++ } ++} +-- +2.43.0 + diff --git a/curl.spec b/curl.spec index f3a402c..fbdebe7 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.4.0 +Version: 8.5.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# add missing test script tests/errorcodes.pl to the tarball +Patch001: 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -410,6 +413,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 06 2023 Jan Macku - 8.5.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-46218 - cookie mixed case PSL bypass + CVE-2023-46219 - HSTS long file name clears contents + * Wed Oct 11 2023 Jan Macku - 8.4.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-38545 - SOCKS5 heap buffer overflow diff --git a/sources b/sources index 9205220..6a14222 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.4.0.tar.xz) = 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b -SHA512 (curl-8.4.0.tar.xz.asc) = b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e +SHA512 (curl-8.5.0.tar.xz) = acffa2cf61d9b8e4188575a1b40227da8d722df2e5fe8bb82a222b4eb2fd64bf8aebd90852ce050c79fb5e517d5cee2546bf7de92ede1dd394263e231cb741a3 +SHA512 (curl-8.5.0.tar.xz.asc) = 9c6a2e61860878cd731d951fac1bb52cd314db20439a5173a95b48da1742737e02bfb9978d65e25de6535f839e281235203599a29f252e78e0d7a83769727329 From 3c4671bd88692f6de620dbd6907d23beb921ea7a Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jan 2024 16:32:26 +0000 Subject: [PATCH 193/256] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index fbdebe7..b5e1ef0 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.5.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -413,6 +413,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Wed Dec 06 2023 Jan Macku - 8.5.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-46218 - cookie mixed case PSL bypass From 98780da3f86dec6140fef3b7a408fe17434b0727 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 1 Feb 2024 13:07:37 +0100 Subject: [PATCH 194/256] new upstream release - 8.6.0 Resolves: CVE-2024-0853 - OCSP verification bypass with TLS session reuse --- .gitignore | 1 + ...-curl-8.6.0-remove-duplicate-content.patch | 108 ++++++++++++ ...d-tests-errorcodes.pl-to-the-tarball.patch | 162 ------------------ 0101-curl-7.32.0-multilib.patch | 26 +-- curl.spec | 18 +- sources | 4 +- 6 files changed, 138 insertions(+), 181 deletions(-) create mode 100644 0001-curl-8.6.0-remove-duplicate-content.patch delete mode 100644 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch diff --git a/.gitignore b/.gitignore index c5a82f4..505a7d9 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc +/curl-[0-9].[0-9].[0-9]/ diff --git a/0001-curl-8.6.0-remove-duplicate-content.patch b/0001-curl-8.6.0-remove-duplicate-content.patch new file mode 100644 index 0000000..bbbb7ff --- /dev/null +++ b/0001-curl-8.6.0-remove-duplicate-content.patch @@ -0,0 +1,108 @@ +From 960cf3ceb40cf875b146d4d1065d9267ccb83da1 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 1 Feb 2024 12:56:31 +0100 +Subject: [PATCH 1/2] doc: remove duplicate content from curl-config.1 + +This will be resolved in next release by: +https://github.com/curl/curl/pull/12818 + +see also: https://github.com/curl/curl/issues/12840 + +Signed-off-by: Jan Macku +--- + docs/curl-config.1 | 82 ---------------------------------------------- + 1 file changed, 82 deletions(-) + +diff --git a/docs/curl-config.1 b/docs/curl-config.1 +index 186ba3a..c142cb9 100644 +--- a/docs/curl-config.1 ++++ b/docs/curl-config.1 +@@ -80,85 +80,3 @@ How do I build a single file with a one\-line command? + .fi + .SH SEE ALSO + .BR curl (1) +-.\" generated by cd2nroff 0.1 from curl-config.md +-.TH curl-config 1 "January 26 2024" curl-config +-.SH NAME +-curl\-config \- Get information about a libcurl installation +-.SH SYNOPSIS +-\fBcurl\-config [options]\fP +-.SH DESCRIPTION +-\fBcurl\-config\fP +-displays information about the curl and libcurl installation. +-.SH OPTIONS +-.IP --ca +-Displays the built\-in path to the CA cert bundle this libcurl uses. +-.IP --cc +-Displays the compiler used to build libcurl. +-.IP --cflags +-Set of compiler options (CFLAGS) to use when compiling files that use +-libcurl. Currently that is only the include path to the curl include files. +-.IP "--checkfor [version]" +-Specify the oldest possible libcurl version string you want, and this +-script will return 0 if the current installation is new enough or it +-returns 1 and outputs a text saying that the current version is not new +-enough. (Added in 7.15.4) +-.IP --configure +-Displays the arguments given to configure when building curl. +-.IP --feature +-Lists what particular main features the installed libcurl was built with. At +-the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume +-any particular order. The keywords will be separated by newlines. There may be +-none, one, or several keywords in the list. +-.IP --help +-Displays the available options. +-.IP --libs +-Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl. +-.IP --prefix +-This is the prefix used when libcurl was installed. Libcurl is then installed +-in $prefix/lib and its header files are installed in $prefix/include and so +-on. The prefix is set with "configure \--prefix". +-.IP --protocols +-Lists what particular protocols the installed libcurl was built to support. At +-the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE, +-TELNET, LDAP, DICT and many more. Do not assume any particular order. The +-protocols will be listed using uppercase and are separated by newlines. There +-may be none, one, or several protocols in the list. (Added in 7.13.0) +-.IP --ssl-backends +-Lists the SSL backends that were enabled when libcurl was built. It might be +-no, one or several names. If more than one name, they will appear +-comma\-separated. (Added in 7.58.0) +-.IP --static-libs +-Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl statically. (Added in 7.17.1) +-.IP --version +-Outputs version information about the installed libcurl. +-.IP --vernum +-Outputs version information about the installed libcurl, in numerical mode. +-This shows the version number, in hexadecimal, using 8 bits for each part: +-major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and +-libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be +-omitted. (This option was broken in the 7.15.0 release.) +-.SH EXAMPLES +-What linker options do I need when I link with libcurl? +-.nf +- $ curl-config --libs +-.fi +-What compiler options do I need when I compile using libcurl functions? +-.nf +- $ curl-config --cflags +-.fi +-How do I know if libcurl was built with SSL support? +-.nf +- $ curl-config --feature | grep SSL +-.fi +-What\(aqs the installed libcurl version? +-.nf +- $ curl-config --version +-.fi +-How do I build a single file with a one\-line command? +-.nf +- $ `curl-config --cc --cflags` -o example source.c `curl-config --libs` +-.fi +-.SH SEE ALSO +-.BR curl (1) +-- +2.43.0 + diff --git a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch deleted file mode 100644 index 4fd5490..0000000 --- a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch +++ /dev/null @@ -1,162 +0,0 @@ -From 8ed817e84e3a24b5902416718cf445009a032ea9 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 6 Dec 2023 09:40:30 +0100 -Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball - -Used by test 1477 - -Reported-by: Xi Ruoyao -Follow-up to 0ca3a4ec9a7 -Fixes #12462 -Closes #12463 - -(cherry picked from commit da8c1d15782c8161b455a7ee90197c16ae5edb90) - -also include missing tests/errorcodes.pl - -Signed-off-by: Jan Macku ---- - tests/Makefile.am | 20 ++++----- - tests/errorcodes.pl | 99 +++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 110 insertions(+), 9 deletions(-) - create mode 100755 tests/errorcodes.pl - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 17e9ad049..c6ae7a97a 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html - PDFPAGES = testcurl.pdf runtests.pdf - MANDISTPAGES = runtests.1.dist testcurl.1.dist - --EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \ -- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \ -- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \ -- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ -- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \ -- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \ -- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \ -- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \ -- valgrind.supp version-scan.pl check-translatable-options.pl -+EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \ -+ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \ -+ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \ -+ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl \ -+ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ -+ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \ -+ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 \ -+ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \ -+ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \ -+ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \ -+ check-translatable-options.pl errorcodes.pl - - DISTCLEANFILES = configurehelp.pm - -diff --git a/tests/errorcodes.pl b/tests/errorcodes.pl -new file mode 100755 -index 000000000..9c8f9e882 ---- /dev/null -+++ b/tests/errorcodes.pl -@@ -0,0 +1,99 @@ -+#!/usr/bin/env perl -+#*************************************************************************** -+# _ _ ____ _ -+# Project ___| | | | _ \| | -+# / __| | | | |_) | | -+# | (__| |_| | _ <| |___ -+# \___|\___/|_| \_\_____| -+# -+# Copyright (C) Daniel Stenberg, , et al. -+# -+# This software is licensed as described in the file COPYING, which -+# you should have received as part of this distribution. The terms -+# are also available at https://curl.se/docs/copyright.html. -+# -+# You may opt to use, copy, modify, merge, publish, distribute and/or sell -+# copies of the Software, and permit persons to whom the Software is -+# furnished to do so, under the terms of the COPYING file. -+# -+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+# KIND, either express or implied. -+# -+# SPDX-License-Identifier: curl -+# -+########################################################################### -+ -+# Check that libcurl-errors.3 and the public header files have the same set of -+# error codes. -+ -+use strict; -+use warnings; -+ -+# we may get the dir roots pointed out -+my $root=$ARGV[0] || "."; -+my $manpge = "$root/docs/libcurl/libcurl-errors.3"; -+my $curlh = "$root/include/curl"; -+my $errors=0; -+ -+my @hnames; -+my %wherefrom; -+my @mnames; -+my %manfrom; -+ -+sub scanheader { -+ my ($file)=@_; -+ open H, "<$file"; -+ my $line = 0; -+ while() { -+ $line++; -+ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { -+ my ($name)=($1); -+ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) { -+ push @hnames, $name; -+ if($wherefrom{$name}) { -+ print STDERR "double: $name\n"; -+ } -+ $wherefrom{$name}="$file:$line"; -+ } -+ } -+ } -+ close(H); -+} -+ -+sub scanmanpage { -+ my ($file)=@_; -+ open H, "<$file"; -+ my $line = 0; -+ while() { -+ $line++; -+ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { -+ my ($name)=($1); -+ push @mnames, $name; -+ $manfrom{$name}="$file:$line"; -+ } -+ } -+ close(H); -+} -+ -+ -+opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!"; -+my @hfiles = grep { /\.h$/ } readdir($dh); -+closedir $dh; -+ -+for(sort @hfiles) { -+ scanheader("$curlh/$_"); -+} -+scanmanpage($manpge); -+ -+print "Result\n"; -+for my $h (sort @hnames) { -+ if(!$manfrom{$h}) { -+ printf "$h from %s, not in man page\n", $wherefrom{$h}; -+ } -+} -+ -+for my $m (sort @mnames) { -+ if(!$wherefrom{$m}) { -+ printf "$m from %s, not in any header\n", $manfrom{$m}; -+ } -+} --- -2.43.0 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index b4f8e2a..328d3a4 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 12 Apr 2013 12:04:05 +0200 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +From 84b7e1cf486761e99361f5dcf5879cd7baf51b58 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 1 Feb 2024 13:01:23 +0100 +Subject: [PATCH 2/2] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 150004d..95d0759 100644 +index 54f92d9..15a60da 100644 --- a/curl-config.in +++ b/curl-config.in @@ -78,7 +78,7 @@ while test $# -gt 0; do @@ -60,22 +60,22 @@ index 150004d..95d0759 100644 *) diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 14a9d2b..ffcc004 100644 +index c142cb9..0e189b4 100644 --- a/docs/curl-config.1 +++ b/docs/curl-config.1 -@@ -72,7 +72,9 @@ no, one or several names. If more than one name, they will appear - comma-separated. (Added in 7.58.0) - .IP "--static-libs" +@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they will appear + comma\-separated. (Added in 7.58.0) + .IP --static-libs Shows the complete set of libs and other linker options you will need in order -to link your application with libcurl statically. (Added in 7.17.1) +to link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP "--version" + .IP --version Outputs version information about the installed libcurl. - .IP "--vernum" + .IP --vernum diff --git a/libcurl.pc.in b/libcurl.pc.in -index 2ba9c39..f8f8b00 100644 +index 9db6b0f..dcac692 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -31,6 +31,7 @@ libdir=@libdir@ @@ -87,5 +87,5 @@ index 2ba9c39..f8f8b00 100644 Name: libcurl URL: https://curl.se/ -- -2.26.2 +2.43.0 diff --git a/curl.spec b/curl.spec index b5e1ef0..20848b3 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.5.0 -Release: 2%{?dist} +Version: 8.6.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,8 +10,8 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# add missing test script tests/errorcodes.pl to the tarball -Patch001: 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch +# remove duplicate content from curl-config.1 +Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -371,6 +371,10 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la +# Don't install man for mk-ca-bundle it's upstream bug +# should be fixed in next release https://github.com/curl/curl/pull/12843 +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* + %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal @@ -413,6 +417,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Feb 01 2024 Jan Macku - 8.6.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-0853 - OCSP verification bypass with TLS session reuse +- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix) +- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843) + * Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild diff --git a/sources b/sources index 6a14222..9c9d4a1 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.5.0.tar.xz) = acffa2cf61d9b8e4188575a1b40227da8d722df2e5fe8bb82a222b4eb2fd64bf8aebd90852ce050c79fb5e517d5cee2546bf7de92ede1dd394263e231cb741a3 -SHA512 (curl-8.5.0.tar.xz.asc) = 9c6a2e61860878cd731d951fac1bb52cd314db20439a5173a95b48da1742737e02bfb9978d65e25de6535f839e281235203599a29f252e78e0d7a83769727329 +SHA512 (curl-8.6.0.tar.xz) = 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036 +SHA512 (curl-8.6.0.tar.xz.asc) = 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f From 6730b754a9e6ae98c39a164a3bc1c8df3a50adb7 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Fri, 2 Feb 2024 10:22:12 +0100 Subject: [PATCH 195/256] don't build curl manual feature use man 1 curl instead Resolves: #2262373 --- curl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 20848b3..6e3d932 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -286,7 +286,7 @@ export common_configure_opts=" \ --enable-imap \ --enable-ldap \ --enable-ldaps \ - --enable-manual \ + --disable-manual \ --enable-mqtt \ --enable-ntlm \ --enable-ntlm-wb \ @@ -417,6 +417,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Feb 02 2024 Jan Macku - 8.6.0-2 +- don't build manual for curl-full - use man 1 curl instead (#2262373) + * Thu Feb 01 2024 Jan Macku - 8.6.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-0853 - OCSP verification bypass with TLS session reuse From be5d7739cfcd1964bd0595998e2a2617fdcdbb1e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 2 Feb 2024 12:01:47 +0100 Subject: [PATCH 196/256] deduplicate the --disable-manual configure option No change in behavior intended. Related: #2262373 Closes: https://src.fedoraproject.org/rpms/curl/pull-request/22 --- curl.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 6e3d932..ec08090 100644 --- a/curl.spec +++ b/curl.spec @@ -238,6 +238,7 @@ autoreconf -fiv mkdir build-{full,minimal} export common_configure_opts=" \ --cache-file=../config.cache \ + --disable-manual \ --disable-static \ --enable-hsts \ --enable-ipv6 \ @@ -260,7 +261,6 @@ export common_configure_opts=" \ --disable-imap \ --disable-ldap \ --disable-ldaps \ - --disable-manual \ --disable-mqtt \ --disable-ntlm \ --disable-ntlm-wb \ @@ -286,7 +286,6 @@ export common_configure_opts=" \ --enable-imap \ --enable-ldap \ --enable-ldaps \ - --disable-manual \ --enable-mqtt \ --enable-ntlm \ --enable-ntlm-wb \ From ec3f7ae8ee65d8464b3c1d339b0c5f164cbc1089 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 5 Feb 2024 10:49:10 +0100 Subject: [PATCH 197/256] fix: ignore response body to HEAD requests Discovered/Reported by: @lis in FEDORA-2024-634a6662aa --- ...l-8.6.0-ignore-response-body-to-HEAD.patch | 184 ++++++++++++++++++ curl.spec | 9 +- 2 files changed, 192 insertions(+), 1 deletion(-) create mode 100644 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch diff --git a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch new file mode 100644 index 0000000..4dee602 --- /dev/null +++ b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch @@ -0,0 +1,184 @@ +From e61ea3ba7054afedafe1eb473226e842ac17b8ff Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 1 Feb 2024 13:23:12 +0100 +Subject: [PATCH] sendf: ignore response body to HEAD + +and mark the stream for close, but return OK since the response this far +was ok - if headers were received. Partly because this is what curl has +done traditionally. + +Test 499 verifies. Updates test 689. + +Reported-by: Sergey Bronnikov +Bug: https://curl.se/mail/lib-2024-02/0000.html +Closes #12842 + +(cherry picked from commit b8c003832d730bb2f4b9de4204675ca5d9f7a903) +Signed-off-by: Jan Macku +--- + lib/sendf.c | 3 ++ + tests/data/Makefile.inc | 44 ++++++++++++++-------------- + tests/data/test499 | 65 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test689 | 4 +-- + 4 files changed, 92 insertions(+), 24 deletions(-) + create mode 100644 tests/data/test499 + +diff --git a/lib/sendf.c b/lib/sendf.c +index db3189a29..60ac0742c 100644 +--- a/lib/sendf.c ++++ b/lib/sendf.c +@@ -575,6 +575,9 @@ static CURLcode cw_download_write(struct Curl_easy *data, + DEBUGF(infof(data, "did not want a BODY, but seeing %zu bytes", + nbytes)); + data->req.download_done = TRUE; ++ if(data->info.header_size) ++ /* if headers have been received, this is fine */ ++ return CURLE_OK; + return CURLE_WEIRD_SERVER_REPLY; + } + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index c3d496f64..cd393da75 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -75,28 +75,28 @@ test444 test445 test446 test447 test448 test449 test450 test451 test452 \ + test453 test454 test455 test456 test457 test458 test459 test460 test461 \ + \ + test490 test491 test492 test493 test494 test495 test496 test497 test498 \ +-\ +-test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +-test509 test510 test511 test512 test513 test514 test515 test516 test517 \ +-test518 test519 test520 test521 test522 test523 test524 test525 test526 \ +-test527 test528 test529 test530 test531 test532 test533 test534 test535 \ +- test537 test538 test539 test540 test541 test542 test543 test544 \ +-test545 test546 test547 test548 test549 test550 test551 test552 test553 \ +-test554 test555 test556 test557 test558 test559 test560 test561 test562 \ +-test563 test564 test565 test566 test567 test568 test569 test570 test571 \ +-test572 test573 test574 test575 test576 test577 test578 test579 test580 \ +-test581 test582 test583 test584 test585 test586 test587 test588 test589 \ +-test590 test591 test592 test593 test594 test595 test596 test597 test598 \ +-test599 test600 test601 test602 test603 test604 test605 test606 test607 \ +-test608 test609 test610 test611 test612 test613 test614 test615 test616 \ +-test617 test618 test619 test620 test621 test622 test623 test624 test625 \ +-test626 test627 test628 test629 test630 test631 test632 test633 test634 \ +-test635 test636 test637 test638 test639 test640 test641 test642 test643 \ +-test644 test645 test646 test647 test648 test649 test650 test651 test652 \ +-test653 test654 test655 test656 test658 test659 test660 test661 test662 \ +-test663 test664 test665 test666 test667 test668 test669 test670 test671 \ +-test672 test673 test674 test675 test676 test677 test678 test679 test680 \ +-test681 test682 test683 test684 test685 test686 test687 test688 test689 \ ++test499 test500 test501 test502 test503 test504 test505 test506 test507 \ ++test508 test509 test510 test511 test512 test513 test514 test515 test516 \ ++test517 test518 test519 test520 test521 test522 test523 test524 test525 \ ++test526 test527 test528 test529 test530 test531 test532 test533 test534 \ ++test535 test537 test538 test539 test540 test541 test542 test543 \ ++test544 test545 test546 test547 test548 test549 test550 test551 test552 \ ++test553 test554 test555 test556 test557 test558 test559 test560 test561 \ ++test562 test563 test564 test565 test566 test567 test568 test569 test570 \ ++test571 test572 test573 test574 test575 test576 test577 test578 test579 \ ++test580 test581 test582 test583 test584 test585 test586 test587 test588 \ ++test589 test590 test591 test592 test593 test594 test595 test596 test597 \ ++test598 test599 test600 test601 test602 test603 test604 test605 test606 \ ++test607 test608 test609 test610 test611 test612 test613 test614 test615 \ ++test616 test617 test618 test619 test620 test621 test622 test623 test624 \ ++test625 test626 test627 test628 test629 test630 test631 test632 test633 \ ++test634 test635 test636 test637 test638 test639 test640 test641 test642 \ ++test643 test644 test645 test646 test647 test648 test649 test650 test651 \ ++test652 test653 test654 test655 test656 test658 test659 test660 test661 \ ++test662 test663 test664 test665 test666 test667 test668 test669 test670 \ ++test671 test672 test673 test674 test675 test676 test677 test678 test679 \ ++test680 test681 test682 test683 test684 test685 test686 test687 test688 \ ++test689 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 test716 test717 \ +diff --git a/tests/data/test499 b/tests/data/test499 +new file mode 100644 +index 000000000..d4040b07c +--- /dev/null ++++ b/tests/data/test499 +@@ -0,0 +1,65 @@ ++ ++ ++ ++HTTP ++HTTP GET ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP HEAD to server still sending a body ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -I ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++HEAD /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++ +diff --git a/tests/data/test689 b/tests/data/test689 +index 821556dec..381ae225a 100644 +--- a/tests/data/test689 ++++ b/tests/data/test689 +@@ -44,9 +44,9 @@ User-Agent: test567 + Test-Number: 567 + + +-# 8 == CURLE_WEIRD_SERVER_REPLY ++# 85 == CURLE_RTSP_CSEQ_ERROR + +-8 ++85 + + + +-- +2.43.0 + diff --git a/curl.spec b/curl.spec index ec08090..c75f108 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -13,6 +13,10 @@ Source2: mykey.asc # remove duplicate content from curl-config.1 Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch +# ignore response bode to HEAD requests +# https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa +Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -416,6 +420,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 05 2024 Jan Macku - 8.6.0-3 +- ignore response body to HEAD requests + * Fri Feb 02 2024 Jan Macku - 8.6.0-2 - don't build manual for curl-full - use man 1 curl instead (#2262373) From 8cec2e9cc7c18e48039a2d9dd780b0528afed8cd Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 6 Feb 2024 15:25:02 +0100 Subject: [PATCH 198/256] drop curl-minimal subpackage in favor of curl-full The reason for maintaining two separate packages for curl is no longer valid. The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. Resolves: #2262096 --- curl.spec | 39 ++++++++++++++------------------------- 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/curl.spec b/curl.spec index c75f108..b953ebb 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 3%{?dist} +Release: 4%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -29,6 +29,12 @@ Patch104: 0104-curl-7.88.0-tests-warnings.patch Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ + +# The reason for maintaining two separate packages for curl is no longer valid. +# The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. +# For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 +Obsoletes: curl-minimal < 8.6.0-4 + BuildRequires: automake BuildRequires: brotli-devel BuildRequires: coreutils @@ -118,6 +124,10 @@ BuildRequires: valgrind BuildRequires: stunnel %endif +# Suggest minimal version of libcurl to to keep number of dependencies low +# after dropping curl-minimal. +Suggests: libcurl-minimal + # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} @@ -176,22 +186,6 @@ The libcurl-devel package includes header files and libraries necessary for developing programs which use the libcurl library. It contains the API documentation of the library, too. -%package -n curl-minimal -Summary: Conservatively configured build of curl for minimal installations -Provides: curl = %{version}-%{release} -Conflicts: curl -Suggests: libcurl-minimal -RemovePathPostfixes: .minimal - -# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION -Requires: libcurl%{?_isa} >= %{version}-%{release} - -%description -n curl-minimal -This is a replacement of the 'curl' package for minimal installations. It -comes with a limited set of features compared to the 'curl' package. On the -other hand, the package is smaller and requires fewer run-time dependencies to -be installed. - %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} @@ -351,10 +345,6 @@ for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do mv -v $i $i.minimal done -# install and rename the executable that will be packaged as curl-minimal -%make_install -C build-minimal/src -mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal} - # install libcurl.m4 install -d $RPM_BUILD_ROOT%{_datadir}/aclocal install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal @@ -410,16 +400,15 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_mandir}/man3/* %{_datadir}/aclocal/libcurl.m4 -%files -n curl-minimal -%{_bindir}/curl.minimal -%{_mandir}/man1/curl.1* - %files -n libcurl-minimal %license COPYING %{_libdir}/libcurl.so.4.minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 07 2024 Jan Macku - 8.6.0-4 +- drop curl-minimal subpackage in favor of curl-full (#2262096) + * Mon Feb 05 2024 Jan Macku - 8.6.0-3 - ignore response body to HEAD requests From 31bc86593e0630ced1691d269785a4ba9106efdf Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 12:40:33 +0100 Subject: [PATCH 199/256] curl-full: add Provides to curl-minimal --- curl.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index b953ebb..c50172b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 4%{?dist} +Release: 5%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -27,6 +27,8 @@ Patch102: 0102-curl-7.84.0-test3026.patch Patch104: 0104-curl-7.88.0-tests-warnings.patch Provides: curl-full = %{version}-%{release} +# do not fail when trying to install curl-minimal after drop +Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -406,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 12 2024 Jan Macku - 8.6.0-5 +- add Provides to curl-minimal + * Wed Feb 07 2024 Jan Macku - 8.6.0-4 - drop curl-minimal subpackage in favor of curl-full (#2262096) From 9c77cd7c46571de15a73b7f19f779e9e98151792 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 12:33:29 +0100 Subject: [PATCH 200/256] vtls: revert "receive max buffer" + add test case It breaks the test suite of pycurl --- ...ert-receive-max-buffer-add-test-case.patch | 68 +++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch diff --git a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch new file mode 100644 index 0000000..3e9078c --- /dev/null +++ b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch @@ -0,0 +1,68 @@ +From 0f65eaab19624ca018d7bd5ca404618f9bfe267f Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 1 Feb 2024 18:15:50 +0100 +Subject: [PATCH] vtls: revert "receive max buffer" + add test case + +- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an + Apache resource that does an unclean TLS shutdown. +- revert special workarund in openssl.c for suppressing shutdown errors + on multiplexed connections +- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53 + +Fixes #12885 +Fixes #12844 + +Closes #12848 + +(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84) +Signed-off-by: Jan Macku +--- + lib/vtls/vtls.c | 27 ++++++--------------------- + 1 file changed, 6 insertions(+), 21 deletions(-) + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e928ba5d0..f654a9749 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf, + { + struct cf_call_data save; + ssize_t nread; +- size_t ntotal = 0; + + CF_DATA_SAVE(save, cf, data); + *err = CURLE_OK; +- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */ +- while(!ntotal || (len - ntotal) > (4*1024)) { ++ nread = Curl_ssl->recv_plain(cf, data, buf, len, err); ++ if(nread > 0) { ++ DEBUGASSERT((size_t)nread <= len); ++ } ++ else if(nread == 0) { ++ /* eof */ + *err = CURLE_OK; +- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err); +- if(nread < 0) { +- if(*err == CURLE_AGAIN && ntotal > 0) { +- /* we EAGAINed after having reed data, return the success amount */ +- *err = CURLE_OK; +- break; +- } +- /* we have a an error to report */ +- goto out; +- } +- else if(nread == 0) { +- /* eof */ +- break; +- } +- ntotal += (size_t)nread; +- DEBUGASSERT((size_t)ntotal <= len); + } +- nread = (ssize_t)ntotal; +-out: + CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, + nread, *err); + CF_DATA_RESTORE(cf, save); +-- +2.43.0 + diff --git a/curl.spec b/curl.spec index c50172b..1500065 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 5%{?dist} +Release: 6%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -17,6 +17,10 @@ Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch # https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch +# revert "receive max buffer" + add test case +# it breaks pycurl tests suite +Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -408,6 +412,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 12 2024 Jan Macku - 8.6.0-6 +- revert "receive max buffer" + add test case + * Mon Feb 12 2024 Jan Macku - 8.6.0-5 - add Provides to curl-minimal From 685f0d3645117846f05da367608ee7e6d1e7801a Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 16:01:16 +0100 Subject: [PATCH 201/256] temporarily disable test 0313 ``` test 0313...[CRL test] ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind313 ../src/curl --output log/curl313.out --include --trace-ascii log/trace313 --trace-time --cacert ../../tests/certs/EdelCurlRoot-ca.crt --crlfile ../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 > log/stdout313 2> log/stderr313 CMD (15360): ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind313 ../src/curl --output log/curl313.out --include --trace-ascii log/trace313 --trace-time --cacert ../../tests/certs/EdelCurlRoot-ca.crt --crlfile ../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 > log/stdout313 2> log/stderr313 valgrind ERROR ==89628== 1,795 (248 direct, 1,547 indirect) bytes in 1 blocks are definitely lost in loss record 32 of 32 ==89628== at 0x484280F: malloc (vg_replace_malloc.c:442) ==89628== by 0x4D71B20: CRYPTO_malloc (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4D71BD4: CRYPTO_zalloc (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C67FD3: ??? (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C69B00: ??? (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C69E3F: ASN1_item_d2i_ex (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4D944C0: PEM_ASN1_read_bio (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4DD3C31: X509_load_crl_file (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x48B6D48: UnknownInlinedFun (openssl.c:3284) ==89628== by 0x48B6D48: Curl_ssl_setup_x509_store (openssl.c:3437) ==89628== by 0x48B7445: ossl_bio_cf_in_read (openssl.c:776) ==89628== by 0x4C6DB32: ??? (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C71C16: ??? (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C71DAA: BIO_read (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4B9BE92: ??? (in /usr/lib64/libssl.so.3.2.1) ==89628== by 0x4BA0B4A: ??? (in /usr/lib64/libssl.so.3.2.1) ==89628== by 0x4B9B099: ??? (in /usr/lib64/libssl.so.3.2.1) ==89628== == Contents of files in the log/ dir after test 313 === Start of file commands.log ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind313 ../src/curl --output log/curl313.out --include --trace-ascii log/trace313 --trace-time --cacert ../../tests/certs/EdelCurlRoot-ca.crt --crlfile ../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 > log/stdout313 2> log/stderr313 === End of file commands.log ``` Related: openssl #2263877 a --- curl.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 1500065..6a9e71b 100644 --- a/curl.spec +++ b/curl.spec @@ -213,9 +213,12 @@ be installed. %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 +# temporarily disable test 0313 +# +# # disable test 1801 # -echo "1801" >> tests/data/DISABLED +echo "313\n1801" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -414,6 +417,7 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %changelog * Mon Feb 12 2024 Jan Macku - 8.6.0-6 - revert "receive max buffer" + add test case +- temporarily disable test 0313 * Mon Feb 12 2024 Jan Macku - 8.6.0-5 - add Provides to curl-minimal From cbd939da23a539224dffb7405a83138469eedea3 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 16:20:24 +0100 Subject: [PATCH 202/256] spec: don't suggests libcurl-minimal it might break existing setups, tests, etc. Also fedora documentation about suggests is not right about meaning of Suggests macro. --- curl.spec | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index 6a9e71b..a5ae989 100644 --- a/curl.spec +++ b/curl.spec @@ -130,10 +130,6 @@ BuildRequires: valgrind BuildRequires: stunnel %endif -# Suggest minimal version of libcurl to to keep number of dependencies low -# after dropping curl-minimal. -Suggests: libcurl-minimal - # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} @@ -418,6 +414,7 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* * Mon Feb 12 2024 Jan Macku - 8.6.0-6 - revert "receive max buffer" + add test case - temporarily disable test 0313 +- remove suggests of libcurl-minimal in curl-full * Mon Feb 12 2024 Jan Macku - 8.6.0-5 - add Provides to curl-minimal From cbc7f6603c591c1b16bdab240b4c53cc655655cb Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 17:13:40 +0100 Subject: [PATCH 203/256] spec: use `echo -e` to populate `tests/data/DISABLED` with a newline --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index a5ae989..de93364 100644 --- a/curl.spec +++ b/curl.spec @@ -214,7 +214,7 @@ be installed. # # disable test 1801 # -echo "313\n1801" >> tests/data/DISABLED +echo -e "313\n1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} From e58b8f772bd18d9c4fa5750a6bd9f56745e888f7 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 17:34:59 +0100 Subject: [PATCH 204/256] spec: use `printf` to populate `tests/data/DISABLED` with a newline --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index de93364..33f4fba 100644 --- a/curl.spec +++ b/curl.spec @@ -214,7 +214,7 @@ be installed. # # disable test 1801 # -echo -e "313\n1801\n" >> tests/data/DISABLED +printf "313\n1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} From 9a38bdf948aacf59ec81f0e35ef10f430252f1a6 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 19 Feb 2024 13:23:34 +0100 Subject: [PATCH 205/256] fix: Leftovers after chunking should not be part of the curl buffer output Resolves: #2264220 --- ...fix-the-accounting-of-consumed-bytes.patch | 83 +++++++++++++++++++ curl.spec | 8 +- 2 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch diff --git a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch new file mode 100644 index 0000000..39b2f31 --- /dev/null +++ b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch @@ -0,0 +1,83 @@ +From c7438ccfceee373a75d6d890259cf2e6b5e0e203 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 14 Feb 2024 16:27:23 +0100 +Subject: [PATCH] http_chunks: fix the accounting of consumed bytes + +Prior to this change chunks were handled correctly although in verbose +mode libcurl could incorrectly warn of "Leftovers after chunking" even +if there were none. + +Reported-by: Michael Kaufmann + +Fixes https://github.com/curl/curl/issues/12937 +Closes https://github.com/curl/curl/pull/12939 + +(cherry picked from commit 59e2c78af3a5588d6e6ae6d2223b222f067e054b) +Signed-off-by: Jan Macku +--- + lib/http_chunks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/lib/http_chunks.c b/lib/http_chunks.c +index 039c179c4..ad1ee9ada 100644 +--- a/lib/http_chunks.c ++++ b/lib/http_chunks.c +@@ -152,6 +152,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->hexbuffer[ch->hexindex++] = *buf; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + char *endptr; +@@ -189,6 +190,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_DATA: +@@ -236,6 +238,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER: +@@ -293,6 +296,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER_CR: +@@ -300,6 +304,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->state = CHUNK_TRAILER_POSTCR; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + ch->state = CHUNK_FAILED; +@@ -320,6 +325,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + /* skip if CR */ + buf++; + blen--; ++ (*pconsumed)++; + } + /* now wait for the final LF */ + ch->state = CHUNK_STOP; +@@ -328,6 +334,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + case CHUNK_STOP: + if(*buf == 0x0a) { + blen--; ++ (*pconsumed)++; + /* Record the length of any data left in the end of the buffer + even if there's no more chunks to read */ + ch->datasize = blen; +-- +2.43.2 + diff --git a/curl.spec b/curl.spec index 33f4fba..5118b71 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 6%{?dist} +Release: 7%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -21,6 +21,9 @@ Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch # it breaks pycurl tests suite Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch +# Fix: Leftovers after chunking should not be part of the curl buffer output +Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -411,6 +414,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 19 2024 Jan Macku - 8.6.0-7 +- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) + * Mon Feb 12 2024 Jan Macku - 8.6.0-6 - revert "receive max buffer" + add test case - temporarily disable test 0313 From f9311ae69d7c143fec8f3282907ac95546869cfc Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 27 Mar 2024 09:43:54 +0100 Subject: [PATCH 206/256] new upstream release - 8.7.1 Resolves: CVE-2024-2004 - Usage of disabled protocol Resolves: CVE-2024-2379 - QUIC certificate check bypass with wolfSSL Resolves: CVE-2024-2398 - HTTP/2 push headers memory-leak Resolves: CVE-2024-2466 - TLS certificate check bypass with mbedTLS --- .gitignore | 3 +- ...-curl-8.6.0-remove-duplicate-content.patch | 108 ---------- 0001-curl-8.7.1-fix-compressed-option.patch | 174 +++++++++++++++++ ...l-8.6.0-ignore-response-body-to-HEAD.patch | 184 ------------------ ...-8.7.1-fix-chunked-POST-via-callback.patch | 69 +++++++ ...ert-receive-max-buffer-add-test-case.patch | 68 ------- ...fix-the-accounting-of-consumed-bytes.patch | 83 -------- 0101-curl-7.32.0-multilib.patch | 20 +- curl.spec | 49 ++--- sources | 4 +- 10 files changed, 277 insertions(+), 485 deletions(-) delete mode 100644 0001-curl-8.6.0-remove-duplicate-content.patch create mode 100644 0001-curl-8.7.1-fix-compressed-option.patch delete mode 100644 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch create mode 100644 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch delete mode 100644 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch delete mode 100644 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch diff --git a/.gitignore b/.gitignore index 505a7d9..e91a948 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,4 @@ -/curl-[0-9.]*.tar.lzma -/curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc /curl-[0-9].[0-9].[0-9]/ +/*.src.rpm diff --git a/0001-curl-8.6.0-remove-duplicate-content.patch b/0001-curl-8.6.0-remove-duplicate-content.patch deleted file mode 100644 index bbbb7ff..0000000 --- a/0001-curl-8.6.0-remove-duplicate-content.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 960cf3ceb40cf875b146d4d1065d9267ccb83da1 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Thu, 1 Feb 2024 12:56:31 +0100 -Subject: [PATCH 1/2] doc: remove duplicate content from curl-config.1 - -This will be resolved in next release by: -https://github.com/curl/curl/pull/12818 - -see also: https://github.com/curl/curl/issues/12840 - -Signed-off-by: Jan Macku ---- - docs/curl-config.1 | 82 ---------------------------------------------- - 1 file changed, 82 deletions(-) - -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 186ba3a..c142cb9 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -80,85 +80,3 @@ How do I build a single file with a one\-line command? - .fi - .SH SEE ALSO - .BR curl (1) --.\" generated by cd2nroff 0.1 from curl-config.md --.TH curl-config 1 "January 26 2024" curl-config --.SH NAME --curl\-config \- Get information about a libcurl installation --.SH SYNOPSIS --\fBcurl\-config [options]\fP --.SH DESCRIPTION --\fBcurl\-config\fP --displays information about the curl and libcurl installation. --.SH OPTIONS --.IP --ca --Displays the built\-in path to the CA cert bundle this libcurl uses. --.IP --cc --Displays the compiler used to build libcurl. --.IP --cflags --Set of compiler options (CFLAGS) to use when compiling files that use --libcurl. Currently that is only the include path to the curl include files. --.IP "--checkfor [version]" --Specify the oldest possible libcurl version string you want, and this --script will return 0 if the current installation is new enough or it --returns 1 and outputs a text saying that the current version is not new --enough. (Added in 7.15.4) --.IP --configure --Displays the arguments given to configure when building curl. --.IP --feature --Lists what particular main features the installed libcurl was built with. At --the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume --any particular order. The keywords will be separated by newlines. There may be --none, one, or several keywords in the list. --.IP --help --Displays the available options. --.IP --libs --Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl. --.IP --prefix --This is the prefix used when libcurl was installed. Libcurl is then installed --in $prefix/lib and its header files are installed in $prefix/include and so --on. The prefix is set with "configure \--prefix". --.IP --protocols --Lists what particular protocols the installed libcurl was built to support. At --the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE, --TELNET, LDAP, DICT and many more. Do not assume any particular order. The --protocols will be listed using uppercase and are separated by newlines. There --may be none, one, or several protocols in the list. (Added in 7.13.0) --.IP --ssl-backends --Lists the SSL backends that were enabled when libcurl was built. It might be --no, one or several names. If more than one name, they will appear --comma\-separated. (Added in 7.58.0) --.IP --static-libs --Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) --.IP --version --Outputs version information about the installed libcurl. --.IP --vernum --Outputs version information about the installed libcurl, in numerical mode. --This shows the version number, in hexadecimal, using 8 bits for each part: --major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and --libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be --omitted. (This option was broken in the 7.15.0 release.) --.SH EXAMPLES --What linker options do I need when I link with libcurl? --.nf -- $ curl-config --libs --.fi --What compiler options do I need when I compile using libcurl functions? --.nf -- $ curl-config --cflags --.fi --How do I know if libcurl was built with SSL support? --.nf -- $ curl-config --feature | grep SSL --.fi --What\(aqs the installed libcurl version? --.nf -- $ curl-config --version --.fi --How do I build a single file with a one\-line command? --.nf -- $ `curl-config --cc --cflags` -o example source.c `curl-config --libs` --.fi --.SH SEE ALSO --.BR curl (1) --- -2.43.0 - diff --git a/0001-curl-8.7.1-fix-compressed-option.patch b/0001-curl-8.7.1-fix-compressed-option.patch new file mode 100644 index 0000000..dc2e720 --- /dev/null +++ b/0001-curl-8.7.1-fix-compressed-option.patch @@ -0,0 +1,174 @@ +From 8f1a06a9efe1048c7ad17af43ae7d4b26de8117e Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 28 Mar 2024 11:08:15 +0100 +Subject: [PATCH 1/2] content_encoding: brotli and others, pass through + 0-length writes + +- curl's transfer handling may write 0-length chunks at the end of the + download with an EOS flag. (HTTP/2 does this commonly) + +- content encoders need to pass-through such a write and not count this + as error in case they are finished decoding + +Fixes #13209 +Fixes #13212 +Closes #13219 + +(cherry picked from commit b30d694a027eb771c02a3db0dee0ca03ccab7377) +Signed-off-by: Jan Macku +--- + lib/content_encoding.c | 10 +++++----- + tests/http/test_02_download.py | 13 +++++++++++++ + tests/http/testenv/env.py | 7 ++++++- + tests/http/testenv/httpd.py | 20 ++++++++++++++++++++ + 4 files changed, 44 insertions(+), 6 deletions(-) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index c1abf24e8..8e926dd2e 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -300,7 +300,7 @@ static CURLcode deflate_do_write(struct Curl_easy *data, + struct zlib_writer *zp = (struct zlib_writer *) writer; + z_stream *z = &zp->z; /* zlib state structure */ + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + /* Set the compressed input when this function is called */ +@@ -457,7 +457,7 @@ static CURLcode gzip_do_write(struct Curl_easy *data, + struct zlib_writer *zp = (struct zlib_writer *) writer; + z_stream *z = &zp->z; /* zlib state structure */ + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(zp->zlib_init == ZLIB_INIT_GZIP) { +@@ -669,7 +669,7 @@ static CURLcode brotli_do_write(struct Curl_easy *data, + CURLcode result = CURLE_OK; + BrotliDecoderResult r = BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT; + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(!bp->br) +@@ -762,7 +762,7 @@ static CURLcode zstd_do_write(struct Curl_easy *data, + ZSTD_outBuffer out; + size_t errorCode; + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(!zp->decomp) { +@@ -916,7 +916,7 @@ static CURLcode error_do_write(struct Curl_easy *data, + (void) buf; + (void) nbytes; + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + failf(data, "Unrecognized content encoding type. " +diff --git a/tests/http/test_02_download.py b/tests/http/test_02_download.py +index 4db9c9d36..395fc862f 100644 +--- a/tests/http/test_02_download.py ++++ b/tests/http/test_02_download.py +@@ -394,6 +394,19 @@ class TestDownload: + r = client.run(args=[url]) + r.check_exit_code(0) + ++ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) ++ def test_02_28_get_compressed(self, env: Env, httpd, nghttpx, repeat, proto): ++ if proto == 'h3' and not env.have_h3(): ++ pytest.skip("h3 not supported") ++ count = 1 ++ urln = f'https://{env.authority_for(env.domain1brotli, proto)}/data-100k?[0-{count-1}]' ++ curl = CurlClient(env=env) ++ r = curl.http_download(urls=[urln], alpn_proto=proto, extra_args=[ ++ '--compressed' ++ ]) ++ r.check_exit_code(code=0) ++ r.check_response(count=count, http_status=200) ++ + def check_downloads(self, client, srcfile: str, count: int, + complete: bool = True): + for i in range(count): +diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py +index a207059dc..13c5d6bd4 100644 +--- a/tests/http/testenv/env.py ++++ b/tests/http/testenv/env.py +@@ -129,10 +129,11 @@ class EnvConfig: + self.htdocs_dir = os.path.join(self.gen_dir, 'htdocs') + self.tld = 'http.curl.se' + self.domain1 = f"one.{self.tld}" ++ self.domain1brotli = f"brotli.one.{self.tld}" + self.domain2 = f"two.{self.tld}" + self.proxy_domain = f"proxy.{self.tld}" + self.cert_specs = [ +- CertificateSpec(domains=[self.domain1, 'localhost'], key_type='rsa2048'), ++ CertificateSpec(domains=[self.domain1, self.domain1brotli, 'localhost'], key_type='rsa2048'), + CertificateSpec(domains=[self.domain2], key_type='rsa2048'), + CertificateSpec(domains=[self.proxy_domain, '127.0.0.1'], key_type='rsa2048'), + CertificateSpec(name="clientsX", sub_specs=[ +@@ -376,6 +377,10 @@ class Env: + def domain1(self) -> str: + return self.CONFIG.domain1 + ++ @property ++ def domain1brotli(self) -> str: ++ return self.CONFIG.domain1brotli ++ + @property + def domain2(self) -> str: + return self.CONFIG.domain2 +diff --git a/tests/http/testenv/httpd.py b/tests/http/testenv/httpd.py +index c04c22699..b8615875a 100644 +--- a/tests/http/testenv/httpd.py ++++ b/tests/http/testenv/httpd.py +@@ -50,6 +50,7 @@ class Httpd: + 'alias', 'env', 'filter', 'headers', 'mime', 'setenvif', + 'socache_shmcb', + 'rewrite', 'http2', 'ssl', 'proxy', 'proxy_http', 'proxy_connect', ++ 'brotli', + 'mpm_event', + ] + COMMON_MODULES_DIRS = [ +@@ -203,6 +204,7 @@ class Httpd: + + def _write_config(self): + domain1 = self.env.domain1 ++ domain1brotli = self.env.domain1brotli + creds1 = self.env.get_credentials(domain1) + domain2 = self.env.domain2 + creds2 = self.env.get_credentials(domain2) +@@ -285,6 +287,24 @@ class Httpd: + f'', + f'', + ]) ++ # Alternate to domain1 with BROTLI compression ++ conf.extend([ # https host for domain1, h1 + h2 ++ f'', ++ f' ServerName {domain1brotli}', ++ f' Protocols h2 http/1.1', ++ f' SSLEngine on', ++ f' SSLCertificateFile {creds1.cert_file}', ++ f' SSLCertificateKeyFile {creds1.pkey_file}', ++ f' DocumentRoot "{self._docs_dir}"', ++ f' SetOutputFilter BROTLI_COMPRESS', ++ ]) ++ conf.extend(self._curltest_conf(domain1)) ++ if domain1 in self._extra_configs: ++ conf.extend(self._extra_configs[domain1]) ++ conf.extend([ ++ f'', ++ f'', ++ ]) + conf.extend([ # https host for domain2, no h2 + f'', + f' ServerName {domain2}', +-- +2.44.0 + diff --git a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch deleted file mode 100644 index 4dee602..0000000 --- a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch +++ /dev/null @@ -1,184 +0,0 @@ -From e61ea3ba7054afedafe1eb473226e842ac17b8ff Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 1 Feb 2024 13:23:12 +0100 -Subject: [PATCH] sendf: ignore response body to HEAD - -and mark the stream for close, but return OK since the response this far -was ok - if headers were received. Partly because this is what curl has -done traditionally. - -Test 499 verifies. Updates test 689. - -Reported-by: Sergey Bronnikov -Bug: https://curl.se/mail/lib-2024-02/0000.html -Closes #12842 - -(cherry picked from commit b8c003832d730bb2f4b9de4204675ca5d9f7a903) -Signed-off-by: Jan Macku ---- - lib/sendf.c | 3 ++ - tests/data/Makefile.inc | 44 ++++++++++++++-------------- - tests/data/test499 | 65 +++++++++++++++++++++++++++++++++++++++++ - tests/data/test689 | 4 +-- - 4 files changed, 92 insertions(+), 24 deletions(-) - create mode 100644 tests/data/test499 - -diff --git a/lib/sendf.c b/lib/sendf.c -index db3189a29..60ac0742c 100644 ---- a/lib/sendf.c -+++ b/lib/sendf.c -@@ -575,6 +575,9 @@ static CURLcode cw_download_write(struct Curl_easy *data, - DEBUGF(infof(data, "did not want a BODY, but seeing %zu bytes", - nbytes)); - data->req.download_done = TRUE; -+ if(data->info.header_size) -+ /* if headers have been received, this is fine */ -+ return CURLE_OK; - return CURLE_WEIRD_SERVER_REPLY; - } - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index c3d496f64..cd393da75 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -75,28 +75,28 @@ test444 test445 test446 test447 test448 test449 test450 test451 test452 \ - test453 test454 test455 test456 test457 test458 test459 test460 test461 \ - \ - test490 test491 test492 test493 test494 test495 test496 test497 test498 \ --\ --test500 test501 test502 test503 test504 test505 test506 test507 test508 \ --test509 test510 test511 test512 test513 test514 test515 test516 test517 \ --test518 test519 test520 test521 test522 test523 test524 test525 test526 \ --test527 test528 test529 test530 test531 test532 test533 test534 test535 \ -- test537 test538 test539 test540 test541 test542 test543 test544 \ --test545 test546 test547 test548 test549 test550 test551 test552 test553 \ --test554 test555 test556 test557 test558 test559 test560 test561 test562 \ --test563 test564 test565 test566 test567 test568 test569 test570 test571 \ --test572 test573 test574 test575 test576 test577 test578 test579 test580 \ --test581 test582 test583 test584 test585 test586 test587 test588 test589 \ --test590 test591 test592 test593 test594 test595 test596 test597 test598 \ --test599 test600 test601 test602 test603 test604 test605 test606 test607 \ --test608 test609 test610 test611 test612 test613 test614 test615 test616 \ --test617 test618 test619 test620 test621 test622 test623 test624 test625 \ --test626 test627 test628 test629 test630 test631 test632 test633 test634 \ --test635 test636 test637 test638 test639 test640 test641 test642 test643 \ --test644 test645 test646 test647 test648 test649 test650 test651 test652 \ --test653 test654 test655 test656 test658 test659 test660 test661 test662 \ --test663 test664 test665 test666 test667 test668 test669 test670 test671 \ --test672 test673 test674 test675 test676 test677 test678 test679 test680 \ --test681 test682 test683 test684 test685 test686 test687 test688 test689 \ -+test499 test500 test501 test502 test503 test504 test505 test506 test507 \ -+test508 test509 test510 test511 test512 test513 test514 test515 test516 \ -+test517 test518 test519 test520 test521 test522 test523 test524 test525 \ -+test526 test527 test528 test529 test530 test531 test532 test533 test534 \ -+test535 test537 test538 test539 test540 test541 test542 test543 \ -+test544 test545 test546 test547 test548 test549 test550 test551 test552 \ -+test553 test554 test555 test556 test557 test558 test559 test560 test561 \ -+test562 test563 test564 test565 test566 test567 test568 test569 test570 \ -+test571 test572 test573 test574 test575 test576 test577 test578 test579 \ -+test580 test581 test582 test583 test584 test585 test586 test587 test588 \ -+test589 test590 test591 test592 test593 test594 test595 test596 test597 \ -+test598 test599 test600 test601 test602 test603 test604 test605 test606 \ -+test607 test608 test609 test610 test611 test612 test613 test614 test615 \ -+test616 test617 test618 test619 test620 test621 test622 test623 test624 \ -+test625 test626 test627 test628 test629 test630 test631 test632 test633 \ -+test634 test635 test636 test637 test638 test639 test640 test641 test642 \ -+test643 test644 test645 test646 test647 test648 test649 test650 test651 \ -+test652 test653 test654 test655 test656 test658 test659 test660 test661 \ -+test662 test663 test664 test665 test666 test667 test668 test669 test670 \ -+test671 test672 test673 test674 test675 test676 test677 test678 test679 \ -+test680 test681 test682 test683 test684 test685 test686 test687 test688 \ -+test689 \ - \ - test700 test701 test702 test703 test704 test705 test706 test707 test708 \ - test709 test710 test711 test712 test713 test714 test715 test716 test717 \ -diff --git a/tests/data/test499 b/tests/data/test499 -new file mode 100644 -index 000000000..d4040b07c ---- /dev/null -+++ b/tests/data/test499 -@@ -0,0 +1,65 @@ -+ -+ -+ -+HTTP -+HTTP GET -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+-foo- -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+HTTP HEAD to server still sending a body -+ -+ -+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -I -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+HEAD /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+ -+ -+ -+ -diff --git a/tests/data/test689 b/tests/data/test689 -index 821556dec..381ae225a 100644 ---- a/tests/data/test689 -+++ b/tests/data/test689 -@@ -44,9 +44,9 @@ User-Agent: test567 - Test-Number: 567 - - --# 8 == CURLE_WEIRD_SERVER_REPLY -+# 85 == CURLE_RTSP_CSEQ_ERROR - --8 -+85 - - - --- -2.43.0 - diff --git a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch new file mode 100644 index 0000000..5421984 --- /dev/null +++ b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch @@ -0,0 +1,69 @@ +From 2c20a15717bd408ce225dd8707c1798136f084f5 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Mon, 1 Apr 2024 15:41:18 +0200 +Subject: [PATCH 2/2] http: with chunked POST forced, disable length check on + read callback + +- when an application forces HTTP/1.1 chunked transfer encoding + by setting the corresponding header and instructs curl to use + the CURLOPT_READFUNCTION, disregard any POST length information. +- this establishes backward compatibility with previous curl versions + +Applications are encouraged to not force "chunked", but rather +set length information for a POST. By setting -1, curl will +auto-select chunked on HTTP/1.1 and work properly on other HTTP +versions. + +Reported-by: Jeff King +Fixes #13229 +Closes #13257 + +(cherry picked from commit 721941aadf4adf4f6aeb3f4c0ab489bb89610c36) +Signed-off-by: Jan Macku +--- + lib/http.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 92c04e69c..a764d3c44 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2046,8 +2046,19 @@ static CURLcode set_reader(struct Curl_easy *data, Curl_HttpReq httpreq) + else + result = Curl_creader_set_null(data); + } +- else { /* we read the bytes from the callback */ +- result = Curl_creader_set_fread(data, postsize); ++ else { ++ /* we read the bytes from the callback. In case "chunked" encoding ++ * is forced by the application, we disregard `postsize`. This is ++ * a backward compatibility decision to earlier versions where ++ * chunking disregarded this. See issue #13229. */ ++ bool chunked = FALSE; ++ char *ptr = Curl_checkheaders(data, STRCONST("Transfer-Encoding")); ++ if(ptr) { ++ /* Some kind of TE is requested, check if 'chunked' is chosen */ ++ chunked = Curl_compareheader(ptr, STRCONST("Transfer-Encoding:"), ++ STRCONST("chunked")); ++ } ++ result = Curl_creader_set_fread(data, chunked? -1 : postsize); + } + return result; + +@@ -2115,6 +2126,13 @@ CURLcode Curl_http_req_set_reader(struct Curl_easy *data, + data->req.upload_chunky = + Curl_compareheader(ptr, + STRCONST("Transfer-Encoding:"), STRCONST("chunked")); ++ if(data->req.upload_chunky && ++ Curl_use_http_1_1plus(data, data->conn) && ++ (data->conn->httpversion >= 20)) { ++ infof(data, "suppressing chunked transfer encoding on connection " ++ "using HTTP version 2 or higher"); ++ data->req.upload_chunky = FALSE; ++ } + } + else { + curl_off_t req_clen = Curl_creader_total_length(data); +-- +2.44.0 + diff --git a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch deleted file mode 100644 index 3e9078c..0000000 --- a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 0f65eaab19624ca018d7bd5ca404618f9bfe267f Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 1 Feb 2024 18:15:50 +0100 -Subject: [PATCH] vtls: revert "receive max buffer" + add test case - -- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an - Apache resource that does an unclean TLS shutdown. -- revert special workarund in openssl.c for suppressing shutdown errors - on multiplexed connections -- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53 - -Fixes #12885 -Fixes #12844 - -Closes #12848 - -(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84) -Signed-off-by: Jan Macku ---- - lib/vtls/vtls.c | 27 ++++++--------------------- - 1 file changed, 6 insertions(+), 21 deletions(-) - -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index e928ba5d0..f654a9749 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf, - { - struct cf_call_data save; - ssize_t nread; -- size_t ntotal = 0; - - CF_DATA_SAVE(save, cf, data); - *err = CURLE_OK; -- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */ -- while(!ntotal || (len - ntotal) > (4*1024)) { -+ nread = Curl_ssl->recv_plain(cf, data, buf, len, err); -+ if(nread > 0) { -+ DEBUGASSERT((size_t)nread <= len); -+ } -+ else if(nread == 0) { -+ /* eof */ - *err = CURLE_OK; -- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err); -- if(nread < 0) { -- if(*err == CURLE_AGAIN && ntotal > 0) { -- /* we EAGAINed after having reed data, return the success amount */ -- *err = CURLE_OK; -- break; -- } -- /* we have a an error to report */ -- goto out; -- } -- else if(nread == 0) { -- /* eof */ -- break; -- } -- ntotal += (size_t)nread; -- DEBUGASSERT((size_t)ntotal <= len); - } -- nread = (ssize_t)ntotal; --out: - CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, - nread, *err); - CF_DATA_RESTORE(cf, save); --- -2.43.0 - diff --git a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch deleted file mode 100644 index 39b2f31..0000000 --- a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch +++ /dev/null @@ -1,83 +0,0 @@ -From c7438ccfceee373a75d6d890259cf2e6b5e0e203 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 14 Feb 2024 16:27:23 +0100 -Subject: [PATCH] http_chunks: fix the accounting of consumed bytes - -Prior to this change chunks were handled correctly although in verbose -mode libcurl could incorrectly warn of "Leftovers after chunking" even -if there were none. - -Reported-by: Michael Kaufmann - -Fixes https://github.com/curl/curl/issues/12937 -Closes https://github.com/curl/curl/pull/12939 - -(cherry picked from commit 59e2c78af3a5588d6e6ae6d2223b222f067e054b) -Signed-off-by: Jan Macku ---- - lib/http_chunks.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/lib/http_chunks.c b/lib/http_chunks.c -index 039c179c4..ad1ee9ada 100644 ---- a/lib/http_chunks.c -+++ b/lib/http_chunks.c -@@ -152,6 +152,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - ch->hexbuffer[ch->hexindex++] = *buf; - buf++; - blen--; -+ (*pconsumed)++; - } - else { - char *endptr; -@@ -189,6 +190,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_DATA: -@@ -236,6 +238,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - } - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_TRAILER: -@@ -293,6 +296,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - } - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_TRAILER_CR: -@@ -300,6 +304,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - ch->state = CHUNK_TRAILER_POSTCR; - buf++; - blen--; -+ (*pconsumed)++; - } - else { - ch->state = CHUNK_FAILED; -@@ -320,6 +325,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - /* skip if CR */ - buf++; - blen--; -+ (*pconsumed)++; - } - /* now wait for the final LF */ - ch->state = CHUNK_STOP; -@@ -328,6 +334,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - case CHUNK_STOP: - if(*buf == 0x0a) { - blen--; -+ (*pconsumed)++; - /* Record the length of any data left in the end of the buffer - even if there's no more chunks to read */ - ch->datasize = blen; --- -2.43.2 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 328d3a4..2edb7c8 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From 84b7e1cf486761e99361f5dcf5879cd7baf51b58 Mon Sep 17 00:00:00 2001 +From dcc0efa441abace568e00bf930889da78356d041 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Thu, 1 Feb 2024 13:01:23 +0100 -Subject: [PATCH 2/2] prevent multilib conflicts on the curl-config script +Date: Wed, 27 Mar 2024 10:16:03 +0100 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -60,15 +60,15 @@ index 54f92d9..15a60da 100644 *) diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index c142cb9..0e189b4 100644 +index 2d5617c..0d90aaa 100644 --- a/docs/curl-config.1 +++ b/docs/curl-config.1 -@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they will appear - comma\-separated. (Added in 7.58.0) +@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they appear comma\-separated. + (Added in 7.58.0) .IP --static-libs - Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) -+to link your application with libcurl statically. Note that Fedora/RHEL libcurl + Shows the complete set of libs and other linker options you need in order to +-link your application with libcurl statically. (Added in 7.17.1) ++link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) .IP --version @@ -87,5 +87,5 @@ index 9db6b0f..dcac692 100644 Name: libcurl URL: https://curl.se/ -- -2.43.0 +2.44.0 diff --git a/curl.spec b/curl.spec index 5118b71..31141a4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.6.0 -Release: 7%{?dist} +Version: 8.7.1 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,19 +10,11 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# remove duplicate content from curl-config.1 -Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch +# fix issue with --compressed option +Patch001: 0001-curl-8.7.1-fix-compressed-option.patch -# ignore response bode to HEAD requests -# https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa -Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch - -# revert "receive max buffer" + add test case -# it breaks pycurl tests suite -Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch - -# Fix: Leftovers after chunking should not be part of the curl buffer output -Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch +# fix chunked POST via callback regression +Patch002: 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -212,12 +204,9 @@ be installed. %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# temporarily disable test 0313 -# -# # disable test 1801 # -printf "313\n1801\n" >> tests/data/DISABLED +printf "1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -254,7 +243,8 @@ export common_configure_opts=" \ --with-gssapi \ --with-libidn2 \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ + --with-zsh-functions-dir" %global _configure ../configure @@ -361,21 +351,12 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal cd build-full %make_install -# install zsh completion for curl -# (we have to override LD_LIBRARY_PATH because we eliminated rpath) -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ - %make_install -C scripts - # do not install /usr/share/fish/completions/curl.fish which is also installed # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la -# Don't install man for mk-ca-bundle it's upstream bug -# should be fixed in next release https://github.com/curl/curl/pull/12843 -rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* - %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal @@ -384,6 +365,7 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %doc CHANGES %doc README %doc docs/BUGS.md +%doc docs/DISTROS.md %doc docs/FAQ %doc docs/FEATURES.md %doc docs/TODO @@ -414,6 +396,17 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 27 2024 Jan Macku - 8.7.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-2004 - Usage of disabled protocol + CVE-2024-2379 - QUIC certificate check bypass with wolfSSL + CVE-2024-2398 - HTTP/2 push headers memory-leak + CVE-2024-2466 - TLS certificate check bypass with mbedTLS +- drop upstreamed patches +- reenable test 0313 +- fix zsh completions, use --with-zsh-functions-dir +- apply upstream patches for 8.7.1 issues and regressions + * Mon Feb 19 2024 Jan Macku - 8.6.0-7 - Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) diff --git a/sources b/sources index 9c9d4a1..9576bf7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.6.0.tar.xz) = 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036 -SHA512 (curl-8.6.0.tar.xz.asc) = 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f +SHA512 (curl-8.7.1.tar.xz) = 5bbde9d5648e9226f5490fa951690aaf159149345f3a315df2ba58b2468f3e59ca32e8a49734338afc861803a4f81caac6d642a4699b72c6310ebfb1f618aad2 +SHA512 (curl-8.7.1.tar.xz.asc) = f98c393997c4a32f545a8982226e8cd612395210915a4576c2ce227d0f650cff341be7bf15e989d1789abf32ac4fd9c190b9250b81e650b569e8532048746b37 From 24a6093c53e89bfe6f0084edfa4f47d033367fe1 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 22 May 2024 12:44:18 +0200 Subject: [PATCH 207/256] new upstream release - 8.8.0 --- 0001-curl-8.7.1-fix-compressed-option.patch | 174 ------------------ 0001-curl-8.8.0-install-config-man.patch | 26 +++ ...-8.7.1-fix-chunked-POST-via-callback.patch | 69 ------- 0101-curl-7.32.0-multilib.patch | 119 ++++++------ 0102-curl-7.84.0-test3026.patch | 18 +- curl.spec | 13 +- sources | 4 +- 7 files changed, 104 insertions(+), 319 deletions(-) delete mode 100644 0001-curl-8.7.1-fix-compressed-option.patch create mode 100644 0001-curl-8.8.0-install-config-man.patch delete mode 100644 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch diff --git a/0001-curl-8.7.1-fix-compressed-option.patch b/0001-curl-8.7.1-fix-compressed-option.patch deleted file mode 100644 index dc2e720..0000000 --- a/0001-curl-8.7.1-fix-compressed-option.patch +++ /dev/null @@ -1,174 +0,0 @@ -From 8f1a06a9efe1048c7ad17af43ae7d4b26de8117e Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 28 Mar 2024 11:08:15 +0100 -Subject: [PATCH 1/2] content_encoding: brotli and others, pass through - 0-length writes - -- curl's transfer handling may write 0-length chunks at the end of the - download with an EOS flag. (HTTP/2 does this commonly) - -- content encoders need to pass-through such a write and not count this - as error in case they are finished decoding - -Fixes #13209 -Fixes #13212 -Closes #13219 - -(cherry picked from commit b30d694a027eb771c02a3db0dee0ca03ccab7377) -Signed-off-by: Jan Macku ---- - lib/content_encoding.c | 10 +++++----- - tests/http/test_02_download.py | 13 +++++++++++++ - tests/http/testenv/env.py | 7 ++++++- - tests/http/testenv/httpd.py | 20 ++++++++++++++++++++ - 4 files changed, 44 insertions(+), 6 deletions(-) - -diff --git a/lib/content_encoding.c b/lib/content_encoding.c -index c1abf24e8..8e926dd2e 100644 ---- a/lib/content_encoding.c -+++ b/lib/content_encoding.c -@@ -300,7 +300,7 @@ static CURLcode deflate_do_write(struct Curl_easy *data, - struct zlib_writer *zp = (struct zlib_writer *) writer; - z_stream *z = &zp->z; /* zlib state structure */ - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - /* Set the compressed input when this function is called */ -@@ -457,7 +457,7 @@ static CURLcode gzip_do_write(struct Curl_easy *data, - struct zlib_writer *zp = (struct zlib_writer *) writer; - z_stream *z = &zp->z; /* zlib state structure */ - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(zp->zlib_init == ZLIB_INIT_GZIP) { -@@ -669,7 +669,7 @@ static CURLcode brotli_do_write(struct Curl_easy *data, - CURLcode result = CURLE_OK; - BrotliDecoderResult r = BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT; - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(!bp->br) -@@ -762,7 +762,7 @@ static CURLcode zstd_do_write(struct Curl_easy *data, - ZSTD_outBuffer out; - size_t errorCode; - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(!zp->decomp) { -@@ -916,7 +916,7 @@ static CURLcode error_do_write(struct Curl_easy *data, - (void) buf; - (void) nbytes; - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - failf(data, "Unrecognized content encoding type. " -diff --git a/tests/http/test_02_download.py b/tests/http/test_02_download.py -index 4db9c9d36..395fc862f 100644 ---- a/tests/http/test_02_download.py -+++ b/tests/http/test_02_download.py -@@ -394,6 +394,19 @@ class TestDownload: - r = client.run(args=[url]) - r.check_exit_code(0) - -+ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) -+ def test_02_28_get_compressed(self, env: Env, httpd, nghttpx, repeat, proto): -+ if proto == 'h3' and not env.have_h3(): -+ pytest.skip("h3 not supported") -+ count = 1 -+ urln = f'https://{env.authority_for(env.domain1brotli, proto)}/data-100k?[0-{count-1}]' -+ curl = CurlClient(env=env) -+ r = curl.http_download(urls=[urln], alpn_proto=proto, extra_args=[ -+ '--compressed' -+ ]) -+ r.check_exit_code(code=0) -+ r.check_response(count=count, http_status=200) -+ - def check_downloads(self, client, srcfile: str, count: int, - complete: bool = True): - for i in range(count): -diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py -index a207059dc..13c5d6bd4 100644 ---- a/tests/http/testenv/env.py -+++ b/tests/http/testenv/env.py -@@ -129,10 +129,11 @@ class EnvConfig: - self.htdocs_dir = os.path.join(self.gen_dir, 'htdocs') - self.tld = 'http.curl.se' - self.domain1 = f"one.{self.tld}" -+ self.domain1brotli = f"brotli.one.{self.tld}" - self.domain2 = f"two.{self.tld}" - self.proxy_domain = f"proxy.{self.tld}" - self.cert_specs = [ -- CertificateSpec(domains=[self.domain1, 'localhost'], key_type='rsa2048'), -+ CertificateSpec(domains=[self.domain1, self.domain1brotli, 'localhost'], key_type='rsa2048'), - CertificateSpec(domains=[self.domain2], key_type='rsa2048'), - CertificateSpec(domains=[self.proxy_domain, '127.0.0.1'], key_type='rsa2048'), - CertificateSpec(name="clientsX", sub_specs=[ -@@ -376,6 +377,10 @@ class Env: - def domain1(self) -> str: - return self.CONFIG.domain1 - -+ @property -+ def domain1brotli(self) -> str: -+ return self.CONFIG.domain1brotli -+ - @property - def domain2(self) -> str: - return self.CONFIG.domain2 -diff --git a/tests/http/testenv/httpd.py b/tests/http/testenv/httpd.py -index c04c22699..b8615875a 100644 ---- a/tests/http/testenv/httpd.py -+++ b/tests/http/testenv/httpd.py -@@ -50,6 +50,7 @@ class Httpd: - 'alias', 'env', 'filter', 'headers', 'mime', 'setenvif', - 'socache_shmcb', - 'rewrite', 'http2', 'ssl', 'proxy', 'proxy_http', 'proxy_connect', -+ 'brotli', - 'mpm_event', - ] - COMMON_MODULES_DIRS = [ -@@ -203,6 +204,7 @@ class Httpd: - - def _write_config(self): - domain1 = self.env.domain1 -+ domain1brotli = self.env.domain1brotli - creds1 = self.env.get_credentials(domain1) - domain2 = self.env.domain2 - creds2 = self.env.get_credentials(domain2) -@@ -285,6 +287,24 @@ class Httpd: - f'', - f'', - ]) -+ # Alternate to domain1 with BROTLI compression -+ conf.extend([ # https host for domain1, h1 + h2 -+ f'', -+ f' ServerName {domain1brotli}', -+ f' Protocols h2 http/1.1', -+ f' SSLEngine on', -+ f' SSLCertificateFile {creds1.cert_file}', -+ f' SSLCertificateKeyFile {creds1.pkey_file}', -+ f' DocumentRoot "{self._docs_dir}"', -+ f' SetOutputFilter BROTLI_COMPRESS', -+ ]) -+ conf.extend(self._curltest_conf(domain1)) -+ if domain1 in self._extra_configs: -+ conf.extend(self._extra_configs[domain1]) -+ conf.extend([ -+ f'', -+ f'', -+ ]) - conf.extend([ # https host for domain2, no h2 - f'', - f' ServerName {domain2}', --- -2.44.0 - diff --git a/0001-curl-8.8.0-install-config-man.patch b/0001-curl-8.8.0-install-config-man.patch new file mode 100644 index 0000000..74b13f0 --- /dev/null +++ b/0001-curl-8.8.0-install-config-man.patch @@ -0,0 +1,26 @@ +From 4cc5657247183a0bc3b0969beeaea9acddb09d22 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 22 May 2024 08:43:43 +0200 +Subject: [PATCH] docs/Makefile.am: make curl-config.1 install + +on "make install" like it should + +Follow-up to 60971d665b9b1df87082 + +Closes #13741 +--- + docs/Makefile.am | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/docs/Makefile.am b/docs/Makefile.am +index 83f5b0c461cc0f..e9ef6284860555 100644 +--- a/docs/Makefile.am ++++ b/docs/Makefile.am +@@ -28,6 +28,7 @@ if BUILD_DOCS + # if we disable man page building, ignore these + MK_CA_DOCS = mk-ca-bundle.1 + CURLCONF_DOCS = curl-config.1 ++man_MANS = curl-config.1 + endif + + CURLPAGES = curl-config.md mk-ca-bundle.md diff --git a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch deleted file mode 100644 index 5421984..0000000 --- a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 2c20a15717bd408ce225dd8707c1798136f084f5 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Mon, 1 Apr 2024 15:41:18 +0200 -Subject: [PATCH 2/2] http: with chunked POST forced, disable length check on - read callback - -- when an application forces HTTP/1.1 chunked transfer encoding - by setting the corresponding header and instructs curl to use - the CURLOPT_READFUNCTION, disregard any POST length information. -- this establishes backward compatibility with previous curl versions - -Applications are encouraged to not force "chunked", but rather -set length information for a POST. By setting -1, curl will -auto-select chunked on HTTP/1.1 and work properly on other HTTP -versions. - -Reported-by: Jeff King -Fixes #13229 -Closes #13257 - -(cherry picked from commit 721941aadf4adf4f6aeb3f4c0ab489bb89610c36) -Signed-off-by: Jan Macku ---- - lib/http.c | 22 ++++++++++++++++++++-- - 1 file changed, 20 insertions(+), 2 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index 92c04e69c..a764d3c44 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -2046,8 +2046,19 @@ static CURLcode set_reader(struct Curl_easy *data, Curl_HttpReq httpreq) - else - result = Curl_creader_set_null(data); - } -- else { /* we read the bytes from the callback */ -- result = Curl_creader_set_fread(data, postsize); -+ else { -+ /* we read the bytes from the callback. In case "chunked" encoding -+ * is forced by the application, we disregard `postsize`. This is -+ * a backward compatibility decision to earlier versions where -+ * chunking disregarded this. See issue #13229. */ -+ bool chunked = FALSE; -+ char *ptr = Curl_checkheaders(data, STRCONST("Transfer-Encoding")); -+ if(ptr) { -+ /* Some kind of TE is requested, check if 'chunked' is chosen */ -+ chunked = Curl_compareheader(ptr, STRCONST("Transfer-Encoding:"), -+ STRCONST("chunked")); -+ } -+ result = Curl_creader_set_fread(data, chunked? -1 : postsize); - } - return result; - -@@ -2115,6 +2126,13 @@ CURLcode Curl_http_req_set_reader(struct Curl_easy *data, - data->req.upload_chunky = - Curl_compareheader(ptr, - STRCONST("Transfer-Encoding:"), STRCONST("chunked")); -+ if(data->req.upload_chunky && -+ Curl_use_http_1_1plus(data, data->conn) && -+ (data->conn->httpversion >= 20)) { -+ infof(data, "suppressing chunked transfer encoding on connection " -+ "using HTTP version 2 or higher"); -+ data->req.upload_chunky = FALSE; -+ } - } - else { - curl_off_t req_clen = Curl_creader_total_length(data); --- -2.44.0 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 2edb7c8..f3636dc 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,81 +1,82 @@ -From dcc0efa441abace568e00bf930889da78356d041 Mon Sep 17 00:00:00 2001 +From f4e7b98fb25ff737af29908f3a2081cca9a73437 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 27 Mar 2024 10:16:03 +0100 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +Date: Wed, 22 May 2024 13:00:08 +0200 +Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script --- - curl-config.in | 23 +++++------------------ - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + + curl-config.in | 23 +++++------------------ + docs/curl-config.md | 4 +++- + libcurl.pc.in | 1 + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 54f92d9..15a60da 100644 +index 085bb1ef5..e4700260e 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -78,7 +78,7 @@ while test $# -gt 0; do - ;; +@@ -73,7 +73,7 @@ while test "$#" -gt 0; do + ;; - --cc) -- echo "@CC@" -+ echo "gcc" - ;; + --cc) +- echo '@CC@' ++ echo "gcc" + ;; - --prefix) -@@ -157,32 +157,19 @@ while test $# -gt 0; do - ;; + --prefix) +@@ -153,16 +153,7 @@ while test "$#" -gt 0; do + ;; - --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then -- CURLLIBDIR="-L@libdir@ " -- else -- CURLLIBDIR="" -- fi -- if test "X@ENABLE_SHARED@" = "Xno"; then -- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ -- else -- echo ${CURLLIBDIR}-lcurl -- fi -+ echo -lcurl - ;; - --ssl-backends) - echo "@SSL_BACKENDS@" - ;; + --libs) +- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- CURLLIBDIR="-L@libdir@ " +- else +- CURLLIBDIR="" +- fi +- if test "X@ENABLE_SHARED@" = "Xno"; then +- echo "${CURLLIBDIR}-lcurl @LIBCURL_LIBS@" +- else +- echo "${CURLLIBDIR}-lcurl" +- fi ++ echo -lcurl + ;; - --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ -- else -- echo "curl was built with static libraries disabled" >&2 -- exit 1 -- fi -+ echo "curl was built with static libraries disabled" >&2 -+ exit 1 - ;; + --ssl-backends) +@@ -170,16 +161,12 @@ while test "$#" -gt 0; do + ;; - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; + --static-libs) +- if test "X@ENABLE_STATIC@" != "Xno" ; then +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ +- else +- echo 'curl was built with static libraries disabled' >&2 +- exit 1 +- fi ++ echo "curl was built with static libraries disabled" >&2 ++ exit 1 + ;; + + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; + + *) +diff --git a/docs/curl-config.md b/docs/curl-config.md +index d82725082..a79f816e2 100644 +--- a/docs/curl-config.md ++++ b/docs/curl-config.md +@@ -86,7 +86,9 @@ no, one or several names. If more than one name, they appear comma-separated. + ## --static-libs - *) -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 2d5617c..0d90aaa 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they appear comma\-separated. - (Added in 7.58.0) - .IP --static-libs Shows the complete set of libs and other linker options you need in order to -link your application with libcurl statically. (Added in 7.17.1) +link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP --version - Outputs version information about the installed libcurl. - .IP --vernum + + ## --version + diff --git a/libcurl.pc.in b/libcurl.pc.in -index 9db6b0f..dcac692 100644 +index 9db6b0f89..dcac6925a 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -31,6 +31,7 @@ libdir=@libdir@ @@ -87,5 +88,5 @@ index 9db6b0f..dcac692 100644 Name: libcurl URL: https://curl.se/ -- -2.44.0 +2.45.1 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 1098583..82f4642 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -1,7 +1,7 @@ -From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 27 Jun 2022 16:50:57 +0200 -Subject: [PATCH] test3026: disable valgrind +From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 22 May 2024 13:03:43 +0200 +Subject: [PATCH 2/2] test3026: disable valgrind It fails on x86_64 with: ``` @@ -39,7 +39,7 @@ It fails on x86_64 with: 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/data/test3026 b/tests/data/test3026 -index fb80cc8..01f2ba5 100644 +index ee9b30678..dd582c3e5 100644 --- a/tests/data/test3026 +++ b/tests/data/test3026 @@ -41,5 +41,8 @@ none @@ -52,10 +52,10 @@ index fb80cc8..01f2ba5 100644 diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 43fe335..70cd7a4 100644 +index 7e914010e..39374f5bc 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c -@@ -147,8 +147,8 @@ int test(char *URL) +@@ -145,8 +145,8 @@ CURLcode test(char *URL) results[i] = CURL_LAST; /* initialize with invalid value */ res = pthread_create(&tids[i], NULL, run_thread, &results[i]); if(res) { @@ -64,8 +64,8 @@ index 43fe335..70cd7a4 100644 + fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", + __FILE__, __LINE__, i, res); tid_count = i; - test_failure = -1; + test_failure = (CURLcode)-1; goto cleanup; -- -2.37.1 +2.45.1 diff --git a/curl.spec b/curl.spec index 31141a4..8be220b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.7.1 +Version: 8.8.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,11 +10,8 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix issue with --compressed option -Patch001: 0001-curl-8.7.1-fix-compressed-option.patch - -# fix chunked POST via callback regression -Patch002: 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch +# install curl-config man page +Patch001: 0001-curl-8.8.0-install-config-man.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -396,6 +393,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 22 2024 Jan Macku - 8.8.0-1 +- new upstream release +- drop upstreamed patches + * Wed Mar 27 2024 Jan Macku - 8.7.1-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-2004 - Usage of disabled protocol diff --git a/sources b/sources index 9576bf7..d6dbc8c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.7.1.tar.xz) = 5bbde9d5648e9226f5490fa951690aaf159149345f3a315df2ba58b2468f3e59ca32e8a49734338afc861803a4f81caac6d642a4699b72c6310ebfb1f618aad2 -SHA512 (curl-8.7.1.tar.xz.asc) = f98c393997c4a32f545a8982226e8cd612395210915a4576c2ce227d0f650cff341be7bf15e989d1789abf32ac4fd9c190b9250b81e650b569e8532048746b37 +SHA512 (curl-8.8.0.tar.xz) = 9d2c0d3a0d8f6c31ba4fabe48f801910f886fde43dc198dc4213708d6967ed5e040a1bb7348aa1cb126577ee508a3ec36fe65256d027d861d6ffb70f6383967a +SHA512 (curl-8.8.0.tar.xz.asc) = 37b501770225dff6b1e7bde1157f556f10ec1c597fcbbb5c8b8c370efb97a3a70f585f2f5c201b96380d68466696474a5f65a07da59b704678d6927567d25359 From 781fa86ead65acd7063f1ae4a061f7d0e0f4f638 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Fri, 12 Jul 2024 08:06:48 +0100 Subject: [PATCH 208/256] adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine Added build condition for openssl_engine_support, true by default so as to not change the resulting built package (yet) - With openssl_engine_support true, BR: openssl-devel-engine - With openssl_engine_support false, build with -DOPENSSL_NO_ENGINE --- .gitignore | 2 ++ curl.spec | 23 ++++++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index e91a948..cd6f067 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +/curl-[0-9.]*.tar.lzma +/curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc /curl-[0-9].[0-9].[0-9]/ diff --git a/curl.spec b/curl.spec index 8be220b..57d36cb 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,13 @@ +# OpenSSL ENGINE support +# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 +# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +# Change the bcond to 0 to turn off ENGINE support by default +%bcond openssl_engine_support 1 + Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.8.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -49,6 +55,9 @@ BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server BuildRequires: openssl-devel +%if %{with openssl_engine_support} +BuildRequires: openssl-devel-engine +%endif BuildRequires: perl-interpreter BuildRequires: pkgconfig BuildRequires: python-unversioned-command @@ -125,6 +134,11 @@ BuildRequires: stunnel # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} +# Define OPENSSL_NO_ENGINE to avoid inclusion of +%if %{without openssl_engine_support} +%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE +%endif + # require at least the version of libnghttp2 that we were built against, # to ensure that we have the necessary symbols available (#2144277) %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) @@ -393,6 +407,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jul 12 2024 Paul Howarth - 8.8.0-2 +- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +- added build condition for openssl_engine_support, true by default so as to + not change the resulting built package (yet) +- with openssl_engine_support true, BR: openssl-devel-engine +- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE + * Wed May 22 2024 Jan Macku - 8.8.0-1 - new upstream release - drop upstreamed patches From ed1f78db34d5cf8e1aede9d6d2df5e1952d5c634 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 20:23:31 +0000 Subject: [PATCH 209/256] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 57d36cb..d665c95 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.8.0 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Fri Jul 12 2024 Paul Howarth - 8.8.0-2 - adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine - added build condition for openssl_engine_support, true by default so as to From 27557f07463358e21eb63d1502dc2a2b979b775e Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 24 Jul 2024 14:59:53 +0200 Subject: [PATCH 210/256] new upstream release - 8.9.0 --- 0001-curl-8.8.0-install-config-man.patch | 26 ------------------------ 0104-curl-7.88.0-tests-warnings.patch | 14 ++++++------- curl.spec | 13 +++++++----- sources | 4 ++-- 4 files changed, 17 insertions(+), 40 deletions(-) delete mode 100644 0001-curl-8.8.0-install-config-man.patch diff --git a/0001-curl-8.8.0-install-config-man.patch b/0001-curl-8.8.0-install-config-man.patch deleted file mode 100644 index 74b13f0..0000000 --- a/0001-curl-8.8.0-install-config-man.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 4cc5657247183a0bc3b0969beeaea9acddb09d22 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 22 May 2024 08:43:43 +0200 -Subject: [PATCH] docs/Makefile.am: make curl-config.1 install - -on "make install" like it should - -Follow-up to 60971d665b9b1df87082 - -Closes #13741 ---- - docs/Makefile.am | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/docs/Makefile.am b/docs/Makefile.am -index 83f5b0c461cc0f..e9ef6284860555 100644 ---- a/docs/Makefile.am -+++ b/docs/Makefile.am -@@ -28,6 +28,7 @@ if BUILD_DOCS - # if we disable man page building, ignore these - MK_CA_DOCS = mk-ca-bundle.1 - CURLCONF_DOCS = curl-config.1 -+man_MANS = curl-config.1 - endif - - CURLPAGES = curl-config.md mk-ca-bundle.md diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch index 04b2ba2..0977dee 100644 --- a/0104-curl-7.88.0-tests-warnings.patch +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -1,6 +1,6 @@ -From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 15 Feb 2023 10:42:38 +0100 +From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 24 Jul 2024 15:15:11 +0200 Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" While it might be useful for upstream developers, it is not so useful @@ -12,10 +12,10 @@ This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/runtests.pl b/tests/runtests.pl -index 71644ad18..0cf85c3fe 100755 +index 9cc9ef1..c9a1c5d 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl -@@ -55,8 +55,7 @@ +@@ -57,8 +57,7 @@ # given, this won't be a problem. use strict; @@ -23,8 +23,8 @@ index 71644ad18..0cf85c3fe 100755 -use warnings FATAL => 'all'; +use warnings; use 5.006; + use POSIX qw(strftime); - # These should be the only variables that might be needed to get edited: -- -2.39.1 +2.45.2 diff --git a/curl.spec b/curl.spec index d665c95..45436cc 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.8.0 -Release: 3%{?dist} +Version: 8.9.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,9 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# install curl-config man page -Patch001: 0001-curl-8.8.0-install-config-man.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -407,6 +404,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 24 2024 Jan Macku - 8.9.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-6874 - macidn punycode buffer overread + CVE-2024-6197 - freeing stack buffer in utf8asn1str +- drop upstreamed patches + * Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild diff --git a/sources b/sources index d6dbc8c..ba6559e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.8.0.tar.xz) = 9d2c0d3a0d8f6c31ba4fabe48f801910f886fde43dc198dc4213708d6967ed5e040a1bb7348aa1cb126577ee508a3ec36fe65256d027d861d6ffb70f6383967a -SHA512 (curl-8.8.0.tar.xz.asc) = 37b501770225dff6b1e7bde1157f556f10ec1c597fcbbb5c8b8c370efb97a3a70f585f2f5c201b96380d68466696474a5f65a07da59b704678d6927567d25359 +SHA512 (curl-8.9.0.tar.xz) = 922c726cfa3a73954927a32f485248d7a53a3348638a6a01add1bc0a67a7d2ee9cdb7c78b6db84bb7e2fab9d2d5487a96d9071832198b63a86d2caaef85c9310 +SHA512 (curl-8.9.0.tar.xz.asc) = 44cc7053ac0fddcb5131e7806fcd793d70bd49c5549b2548bbcbe60fdf913f450e45861ff6497b30eb00fd84483302ff9b6c3aea6b66728d6e54dd7ffc388408 From 40967e47b5a847174d8c923ad219882036d03bf0 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 31 Jul 2024 09:47:16 +0200 Subject: [PATCH 211/256] new upstream release - 8.9.1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 45436cc..9ee3966 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.9.0 +Version: 8.9.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -404,6 +404,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 24 2024 Jan Macku - 8.9.1-1 +- new upstream release + * Wed Jul 24 2024 Jan Macku - 8.9.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-6874 - macidn punycode buffer overread diff --git a/sources b/sources index ba6559e..e35c435 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.9.0.tar.xz) = 922c726cfa3a73954927a32f485248d7a53a3348638a6a01add1bc0a67a7d2ee9cdb7c78b6db84bb7e2fab9d2d5487a96d9071832198b63a86d2caaef85c9310 -SHA512 (curl-8.9.0.tar.xz.asc) = 44cc7053ac0fddcb5131e7806fcd793d70bd49c5549b2548bbcbe60fdf913f450e45861ff6497b30eb00fd84483302ff9b6c3aea6b66728d6e54dd7ffc388408 +SHA512 (curl-8.9.1.tar.xz) = a0fe234402875db194aad4e4208b7e67e7ffc1562622eea90948d4b9b0122c95c3dde8bbe2f7445a687cb3de7cb09f20e5819d424570442d976aa4c913227fc7 +SHA512 (curl-8.9.1.tar.xz.asc) = 18acd58436d70900ab6912b84774da2c451b9dbfc83d6d00f85bbbe7894b67075918e58956fdb753fcc1486e4f10caa31139d7c68b037d7c83dc2e9c2fae9f9b From cc42129b020d949298d0b33be56d64c3b79cf096 Mon Sep 17 00:00:00 2001 From: voidanix Date: Mon, 5 Aug 2024 13:44:53 +0200 Subject: [PATCH 212/256] Add patch due to upstream curl-8.9.1 regression --- 0001-curl-8.9.1-sigpipe.patch | 32 ++++++++++++++++++++++++++++++++ curl.spec | 9 ++++++++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 0001-curl-8.9.1-sigpipe.patch diff --git a/0001-curl-8.9.1-sigpipe.patch b/0001-curl-8.9.1-sigpipe.patch new file mode 100644 index 0000000..f4f0346 --- /dev/null +++ b/0001-curl-8.9.1-sigpipe.patch @@ -0,0 +1,32 @@ +From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 5 Aug 2024 00:17:17 +0200 +Subject: [PATCH] sigpipe: init the struct so that first apply ignores + +Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after +init ignores the signal (unless CURLOPT_NOSIGNAL) is set. + +I have read the existing code multiple times now and I think it gets the +initial state reversed this missing to ignore. + +Regression from 17e6f06ea37136c36d27 + +Reported-by: Rasmus Thomsen +Fixes #14344 +Closes #14390 +--- + lib/sigpipe.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/sigpipe.h b/lib/sigpipe.h +index b91a2f51333956..d78afd905d3414 100644 +--- a/lib/sigpipe.h ++++ b/lib/sigpipe.h +@@ -39,6 +39,7 @@ struct sigpipe_ignore { + static void sigpipe_init(struct sigpipe_ignore *ig) + { + memset(ig, 0, sizeof(*ig)); ++ ig->no_signal = TRUE; + } + + /* diff --git a/curl.spec b/curl.spec index 9ee3966..174562f 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.9.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,10 @@ Patch102: 0102-curl-7.84.0-test3026.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch +# Fix crashes with transmission due to SIGPIPE +# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970 +Patch001: 0001-curl-8.9.1-sigpipe.patch + Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -404,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Aug 5 2024 voidanix - 8.9.1-2 +- Apply SIGPIPE-related patch due to upstream regression + * Wed Jul 24 2024 Jan Macku - 8.9.1-1 - new upstream release From 25bb999ab6de05c3cfe0d2fcd99ecc58da092e7b Mon Sep 17 00:00:00 2001 From: Jacek Migacz Date: Wed, 21 Aug 2024 18:04:41 +0200 Subject: [PATCH 213/256] Retire depricated ntlm-wb configure option --- curl.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 174562f..8aaa2b2 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.9.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -271,7 +271,6 @@ export common_configure_opts=" \ --disable-ldaps \ --disable-mqtt \ --disable-ntlm \ - --disable-ntlm-wb \ --disable-pop3 \ --disable-rtsp \ --disable-smb \ @@ -296,7 +295,6 @@ export common_configure_opts=" \ --enable-ldaps \ --enable-mqtt \ --enable-ntlm \ - --enable-ntlm-wb \ --enable-pop3 \ --enable-rtsp \ --enable-smb \ @@ -408,6 +406,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 +- Retire depricated ntlm-wb configure option + * Mon Aug 5 2024 voidanix - 8.9.1-2 - Apply SIGPIPE-related patch due to upstream regression From 8669cc07274c3121030e182bfdb8acd2b2973dca Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 11 Sep 2024 09:13:07 +0200 Subject: [PATCH 214/256] new upstream release - 8.10.0 --- 0001-curl-8.9.1-sigpipe.patch | 32 ------------------------------- 0101-curl-7.32.0-multilib.patch | 34 ++++++++++++++++----------------- curl.spec | 13 ++++++------- sources | 4 ++-- 4 files changed, 25 insertions(+), 58 deletions(-) delete mode 100644 0001-curl-8.9.1-sigpipe.patch diff --git a/0001-curl-8.9.1-sigpipe.patch b/0001-curl-8.9.1-sigpipe.patch deleted file mode 100644 index f4f0346..0000000 --- a/0001-curl-8.9.1-sigpipe.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 5 Aug 2024 00:17:17 +0200 -Subject: [PATCH] sigpipe: init the struct so that first apply ignores - -Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after -init ignores the signal (unless CURLOPT_NOSIGNAL) is set. - -I have read the existing code multiple times now and I think it gets the -initial state reversed this missing to ignore. - -Regression from 17e6f06ea37136c36d27 - -Reported-by: Rasmus Thomsen -Fixes #14344 -Closes #14390 ---- - lib/sigpipe.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/sigpipe.h b/lib/sigpipe.h -index b91a2f51333956..d78afd905d3414 100644 ---- a/lib/sigpipe.h -+++ b/lib/sigpipe.h -@@ -39,6 +39,7 @@ struct sigpipe_ignore { - static void sigpipe_init(struct sigpipe_ignore *ig) - { - memset(ig, 0, sizeof(*ig)); -+ ig->no_signal = TRUE; - } - - /* diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index f3636dc..8cada87 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From f4e7b98fb25ff737af29908f3a2081cca9a73437 Mon Sep 17 00:00:00 2001 +From da51b3d89a33fb3a1cbc5dd5faebc4ee18bbcc46 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 22 May 2024 13:00:08 +0200 -Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script +Date: Wed, 11 Sep 2024 09:21:25 +0200 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,19 +10,19 @@ Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 085bb1ef5..e4700260e 100644 +index 294e083..df41899 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -73,7 +73,7 @@ while test "$#" -gt 0; do +@@ -75,7 +75,7 @@ while test "$#" -gt 0; do ;; --cc) - echo '@CC@' -+ echo "gcc" ++ echo 'gcc' ;; --prefix) -@@ -153,16 +153,7 @@ while test "$#" -gt 0; do +@@ -155,16 +155,7 @@ while test "$#" -gt 0; do ;; --libs) @@ -32,25 +32,25 @@ index 085bb1ef5..e4700260e 100644 - CURLLIBDIR="" - fi - if test "X@ENABLE_SHARED@" = "Xno"; then -- echo "${CURLLIBDIR}-lcurl @LIBCURL_LIBS@" +- echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${CURLLIBDIR}-lcurl" - fi -+ echo -lcurl ++ echo '-lcurl' ;; --ssl-backends) -@@ -170,16 +161,12 @@ while test "$#" -gt 0; do +@@ -172,16 +163,12 @@ while test "$#" -gt 0; do ;; --static-libs) - if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@ - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 - fi -+ echo "curl was built with static libraries disabled" >&2 ++ echo 'curl was built with static libraries disabled' >&2 + exit 1 ;; @@ -61,10 +61,10 @@ index 085bb1ef5..e4700260e 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index d82725082..a79f816e2 100644 +index 4dfaab6..f4e847e 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md -@@ -86,7 +86,9 @@ no, one or several names. If more than one name, they appear comma-separated. +@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. ## --static-libs Shows the complete set of libs and other linker options you need in order to @@ -76,10 +76,10 @@ index d82725082..a79f816e2 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 9db6b0f89..dcac6925a 100644 +index 8f6f9b4..f69815c 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -31,6 +31,7 @@ libdir=@libdir@ +@@ -28,6 +28,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" @@ -88,5 +88,5 @@ index 9db6b0f89..dcac6925a 100644 Name: libcurl URL: https://curl.se/ -- -2.45.1 +2.46.0 diff --git a/curl.spec b/curl.spec index 8aaa2b2..93942f0 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.9.1 -Release: 3%{?dist} +Version: 8.10.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,10 +25,6 @@ Patch102: 0102-curl-7.84.0-test3026.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch -# Fix crashes with transmission due to SIGPIPE -# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970 -Patch001: 0001-curl-8.9.1-sigpipe.patch - Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -372,7 +368,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES +%doc CHANGES.md %doc README %doc docs/BUGS.md %doc docs/DISTROS.md @@ -406,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 11 2024 Jan Macku - 8.10.0-1 +- new upstream release + * Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 - Retire depricated ntlm-wb configure option diff --git a/sources b/sources index e35c435..9865b71 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.9.1.tar.xz) = a0fe234402875db194aad4e4208b7e67e7ffc1562622eea90948d4b9b0122c95c3dde8bbe2f7445a687cb3de7cb09f20e5819d424570442d976aa4c913227fc7 -SHA512 (curl-8.9.1.tar.xz.asc) = 18acd58436d70900ab6912b84774da2c451b9dbfc83d6d00f85bbbe7894b67075918e58956fdb753fcc1486e4f10caa31139d7c68b037d7c83dc2e9c2fae9f9b +SHA512 (curl-8.10.0.tar.xz) = 055277695ea242fcb0bf26ca6c4867a385cd578cd73ed4c5c4a020233248044c1ecaebcbaeaac47d3ffe07a41300ea5fc86396d7e812137cf75ed3e1b54ca5b2 +SHA512 (curl-8.10.0.tar.xz.asc) = 3d3ece14008facc373cd715d46eeb523bb17a701df3b1839f0774847692613a9472d3e7a60ba814846bbc8e8e4f17c81a1f1355e1c9eebef244b7cd00e0f6fb8 From 67e25e1742ad1cbb538297a9287901e14870ca03 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 18 Sep 2024 09:45:38 +0200 Subject: [PATCH 215/256] new upstream release - 8.10.1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 93942f0..90d611d 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.10.0 +Version: 8.10.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -402,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 18 2024 Jan Macku - 8.10.1-1 +- new upstream release + * Wed Sep 11 2024 Jan Macku - 8.10.0-1 - new upstream release diff --git a/sources b/sources index 9865b71..c221532 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.10.0.tar.xz) = 055277695ea242fcb0bf26ca6c4867a385cd578cd73ed4c5c4a020233248044c1ecaebcbaeaac47d3ffe07a41300ea5fc86396d7e812137cf75ed3e1b54ca5b2 -SHA512 (curl-8.10.0.tar.xz.asc) = 3d3ece14008facc373cd715d46eeb523bb17a701df3b1839f0774847692613a9472d3e7a60ba814846bbc8e8e4f17c81a1f1355e1c9eebef244b7cd00e0f6fb8 +SHA512 (curl-8.10.1.tar.xz) = f1c7a12492dcfb8ba08be69b96a83ce9074592cbaa6b95c72b3c16fc58ad35e9f9deec7b72baca7d360d013b0b1c7ea38bd4edae464903ac67aa3c76238d8c6c +SHA512 (curl-8.10.1.tar.xz.asc) = 21d6d560c027efc9e3e5db182a77501d6376442221ba910df817e2ec980bee44a9fe2afc698205f8d5e8313ae47915a341d60206a46b46e816d73ee357a894ac From 1268eeab81c68b229828d0a19c1992f939728f11 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 24 Sep 2024 13:37:40 +0200 Subject: [PATCH 216/256] spec: use tls-ca-bundle.pem instead of ca-bundle.crt Resolves: #2313564 --- curl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 90d611d..0cfbaa8 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.10.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -251,7 +251,7 @@ export common_configure_opts=" \ --with-gssapi \ --with-libidn2 \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ --with-zsh-functions-dir" %global _configure ../configure @@ -402,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Sep 24 2024 Jan Macku - 8.10.1-2 +- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) + * Wed Sep 18 2024 Jan Macku - 8.10.1-1 - new upstream release From d92476d332b446e871f74225c987968021a5c526 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 29 Sep 2024 16:03:18 +0200 Subject: [PATCH 217/256] Move the autoreconf invocation to %build section The %prep section is supposed to extract and possibly patch the sources. In particular, the code provided by the package should not be called here, but only in %build section. This keeps %prep quick and allows the code provided by upstream to be inspected before running it. Also drop space after the redirection operator to match the style elsewhere in the spec file. Having symmetrical whitespace around the operator makes it look like a binary operator, which it very much is not. --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 0cfbaa8..0c2163c 100644 --- a/curl.spec +++ b/curl.spec @@ -214,7 +214,7 @@ be installed. # disable test 1801 # -printf "1801\n" >> tests/data/DISABLED +printf "1801\n" >>tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -234,10 +234,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) +%build # regenerate the configure script and Makefile.in files autoreconf -fiv -%build mkdir build-{full,minimal} export common_configure_opts=" \ --cache-file=../config.cache \ From e685607ffd9adf33f28101db012be952b5196072 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 29 Sep 2024 16:10:22 +0200 Subject: [PATCH 218/256] Make curl-config arch-independent The final /usr/bin/curl-config file had a comment like "prefix=/usr # used in /usr/lib64" or "prefix=/usr # used in /usr/lib", depending on the arch. This causes the following error on upgrades from f40 for people who have both libcurl-devel.i686 and libcurl-devel.x86_64 installed: Transaction failed: Rpm transaction failed. - file /usr/bin/curl-config conflicts between attempted installs of libcurl-devel-8.9.1-2.fc41.i686 and libcurl-devel-8.9.1-2.fc41.x86_64 The comment is actually not useful at all after the variable is expanded, since it's not clear what is meant by "used in /usr/lib64". Just drop it. With this change, the packages are constinstallable again. --- curl.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/curl.spec b/curl.spec index 0c2163c..3c25207 100644 --- a/curl.spec +++ b/curl.spec @@ -234,6 +234,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) +# avoid unnecessary arch-dependent line in the processed file +sed -e '/# Used in @libdir@/d' \ + -i curl-config.in + %build # regenerate the configure script and Makefile.in files autoreconf -fiv From 44fdfebea17b606fc56b5d0656c982a7a528f366 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 6 Nov 2024 10:06:18 +0100 Subject: [PATCH 219/256] new upstream release - 8.11.0 --- .gitignore | 2 +- 0101-curl-7.32.0-multilib.patch | 20 ++++++++++---------- curl.spec | 9 +++++++-- sources | 4 ++-- 4 files changed, 20 insertions(+), 15 deletions(-) diff --git a/.gitignore b/.gitignore index cd6f067..9bb4285 100644 --- a/.gitignore +++ b/.gitignore @@ -2,5 +2,5 @@ /curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc -/curl-[0-9].[0-9].[0-9]/ +/curl-[0-9]*.[0-9]*.[0-9]*/ /*.src.rpm diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 8cada87..8f3fd08 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From da51b3d89a33fb3a1cbc5dd5faebc4ee18bbcc46 Mon Sep 17 00:00:00 2001 +From fa6477b901ca866a52db18a818975479f2144928 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 11 Sep 2024 09:21:25 +0200 +Date: Wed, 6 Nov 2024 13:25:10 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 294e083..df41899 100644 +index 2dc40ed..9fb1a33 100644 --- a/curl-config.in +++ b/curl-config.in @@ -75,7 +75,7 @@ while test "$#" -gt 0; do @@ -26,12 +26,12 @@ index 294e083..df41899 100644 ;; --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then - CURLLIBDIR="-L@libdir@ " - else -- CURLLIBDIR="" +- CURLLIBDIR='' - fi -- if test "X@ENABLE_SHARED@" = "Xno"; then +- if test 'X@ENABLE_SHARED@' = 'Xno'; then - echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${CURLLIBDIR}-lcurl" @@ -44,8 +44,8 @@ index 294e083..df41899 100644 ;; --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@ +- if test 'X@ENABLE_STATIC@' != 'Xno'; then +- echo "@libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 8f6f9b4..f69815c 100644 +index 4c60a7e..9fd935a 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index 8f6f9b4..f69815c 100644 Name: libcurl URL: https://curl.se/ -- -2.46.0 +2.47.0 diff --git a/curl.spec b/curl.spec index 3c25207..80243c8 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.10.1 -Release: 2%{?dist} +Version: 8.11.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -97,6 +97,7 @@ BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) +BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) BuildRequires: perl(List::Util) BuildRequires: perl(Memoize) @@ -406,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Nov 06 2024 Jan Macku - 8.11.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-9681 - HSTS subdomain overwrites parent cache entry + * Tue Sep 24 2024 Jan Macku - 8.10.1-2 - Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) diff --git a/sources b/sources index c221532..f45b6fe 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.10.1.tar.xz) = f1c7a12492dcfb8ba08be69b96a83ce9074592cbaa6b95c72b3c16fc58ad35e9f9deec7b72baca7d360d013b0b1c7ea38bd4edae464903ac67aa3c76238d8c6c -SHA512 (curl-8.10.1.tar.xz.asc) = 21d6d560c027efc9e3e5db182a77501d6376442221ba910df817e2ec980bee44a9fe2afc698205f8d5e8313ae47915a341d60206a46b46e816d73ee357a894ac +SHA512 (curl-8.11.0.tar.xz) = 3a642d421e0a5c09ecb681bea18498f2c6124e9af4d8afdc074dfb85a9b0211d8972ade9cf00ab44b5dfed9303262cd83551dd3b5e0976d11fc19da3c4a0987e +SHA512 (curl-8.11.0.tar.xz.asc) = 71073dde48e8f0013e392eb88bf70f6b8a4a4f0c955a3fb56db98e74aa10acc1004e2a0483f30be082e61b59a76fa75ae1d90545ace7c6b07bca8164078375f0 From 0e038361ddf5965bd02544323cab07570e4281f6 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Wed, 6 Nov 2024 13:13:17 -0500 Subject: [PATCH 220/256] Disable engine support on RHEL 10+ RHEL 10 does not provide the engine header at all. Also, restore compatibility with earlier versions which do not have a separate subpackage for the engine header. --- curl.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 80243c8..ba56d35 100644 --- a/curl.spec +++ b/curl.spec @@ -2,12 +2,12 @@ # This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 # https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine # Change the bcond to 0 to turn off ENGINE support by default -%bcond openssl_engine_support 1 +%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -52,7 +52,7 @@ BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server BuildRequires: openssl-devel -%if %{with openssl_engine_support} +%if %{with openssl_engine_support} && 0%{?fedora} >= 41 BuildRequires: openssl-devel-engine %endif BuildRequires: perl-interpreter @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 +- Disable engine support on RHEL 10+ + * Wed Nov 06 2024 Jan Macku - 8.11.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-9681 - HSTS subdomain overwrites parent cache entry From f200f97c286a92379a9a67ca6787d95a8e6e037c Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 11 Dec 2024 15:02:18 +0100 Subject: [PATCH 221/256] new upstream release - 8.11.1 --- 0101-curl-7.32.0-multilib.patch | 12 ++++----- 0105-curl-8.11.1-test616.patch | 48 +++++++++++++++++++++++++++++++++ curl.spec | 11 ++++++-- sources | 4 +-- 4 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 0105-curl-8.11.1-test616.patch diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 8f3fd08..aec4fda 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From fa6477b901ca866a52db18a818975479f2144928 Mon Sep 17 00:00:00 2001 +From 7efcd412447fc41bded2f9621edf0ab4701c9b14 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 6 Nov 2024 13:25:10 +0100 +Date: Wed, 11 Dec 2024 09:28:12 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 2dc40ed..9fb1a33 100644 +index e89c256..9fb1a33 100644 --- a/curl-config.in +++ b/curl-config.in @@ -75,7 +75,7 @@ while test "$#" -gt 0; do @@ -45,7 +45,7 @@ index 2dc40ed..9fb1a33 100644 --static-libs) - if test 'X@ENABLE_STATIC@' != 'Xno'; then -- echo "@libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@" +- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 4c60a7e..9fd935a 100644 +index c0ba524..f3645e1 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index 4c60a7e..9fd935a 100644 Name: libcurl URL: https://curl.se/ -- -2.47.0 +2.47.1 diff --git a/0105-curl-8.11.1-test616.patch b/0105-curl-8.11.1-test616.patch new file mode 100644 index 0000000..91bde80 --- /dev/null +++ b/0105-curl-8.11.1-test616.patch @@ -0,0 +1,48 @@ +From 82baec8c7cd40361585d8793dfe4531f7aad30e3 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 11 Dec 2024 13:16:12 +0100 +Subject: [PATCH] test616: disable valgrind + +Valgrind disable was removed in upstream in https://github.com/curl/curl/commit/c91c37b6e87ceee760b7bb334c8e97e03ee93e93#diff-e01fd8774cf5b26329c7dc7dc03ec49745469205f3d501ced72c9d133455d5e7L35 +But test 616 is still failing under valgrind, so disable valgrind for this test. + +``` + valgrind ERROR ==188588== 144 bytes in 1 blocks are definitely lost in loss record 1 of 1 +==188588== at 0x484B133: calloc (vg_replace_malloc.c:1675) +==188588== by 0x4BB7575: ??? (in /usr/lib64/libssh.so.4.10.1) +==188588== by 0x4BB8CC6: sftp_fstat (in /usr/lib64/libssh.so.4.10.1) +==188588== by 0x48EEAFB: myssh_statemach_act (libssh.c:1610) +==188588== by 0x48F1B9D: myssh_multi_statemach.lto_priv.0 (libssh.c:2095) +==188588== by 0x48BA971: UnknownInlinedFun (multi.c:1643) +==188588== by 0x48BA971: UnknownInlinedFun (multi.c:2314) +==188588== by 0x48BA971: multi_runsingle (multi.c:2768) +==188588== by 0x48BCCA4: curl_multi_perform (multi.c:3016) +==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:701) +==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:796) +==188588== by 0x4884E4A: curl_easy_perform (easy.c:815) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:2902) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3127) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3249) +==188588== by 0x10C12B: main (tool_main.c:271) +==188588== +``` +--- + tests/data/test616 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/data/test616 b/tests/data/test616 +index f76c68a..0ebc734 100644 +--- a/tests/data/test616 ++++ b/tests/data/test616 +@@ -32,5 +32,8 @@ SFTP retrieval of empty file + # + # Verify data after the test has been "shot" + ++ ++disable ++ + + +-- +2.47.1 + diff --git a/curl.spec b/curl.spec index ba56d35..9b1c4c8 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.11.0 -Release: 2%{?dist} +Version: 8.11.1 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,9 @@ Patch102: 0102-curl-7.84.0-test3026.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch +# test616: disable valgrind +Patch105: 0105-curl-8.11.1-test616.patch + Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -407,6 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 11 2024 Jan Macku - 8.11.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-11053 - netrc and redirect credential leak + * Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 - Disable engine support on RHEL 10+ diff --git a/sources b/sources index f45b6fe..91c8f05 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.11.0.tar.xz) = 3a642d421e0a5c09ecb681bea18498f2c6124e9af4d8afdc074dfb85a9b0211d8972ade9cf00ab44b5dfed9303262cd83551dd3b5e0976d11fc19da3c4a0987e -SHA512 (curl-8.11.0.tar.xz.asc) = 71073dde48e8f0013e392eb88bf70f6b8a4a4f0c955a3fb56db98e74aa10acc1004e2a0483f30be082e61b59a76fa75ae1d90545ace7c6b07bca8164078375f0 +SHA512 (curl-8.11.1.tar.xz) = 7c7c47a49505575b610c56b455f0919ea5082a993bf5483eeb258ead167aadb87078d626b343b417dcfc5439c53556425c8fb4fe3b01b53a87b47c01686a3e57 +SHA512 (curl-8.11.1.tar.xz.asc) = c09bedb67e83fb8ca3ad73c5bd0d92fed7fc2c26dbe5a71cccb193fd151c7219713241a9fe74baefcd1d008cfafba78142bf04cec24dd4a88d67179184d35824 From 60dca4fc329daf8e5799357a68fe1ff41cffb13a Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 15 Dec 2024 12:05:17 +0000 Subject: [PATCH 222/256] Add rpmlintrc --- curl.rpmlintrc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 curl.rpmlintrc diff --git a/curl.rpmlintrc b/curl.rpmlintrc new file mode 100644 index 0000000..022a98e --- /dev/null +++ b/curl.rpmlintrc @@ -0,0 +1,15 @@ +# Intentional stuff we're not concerned about +addFilter("unversioned-explicit-provides webclient") +addFilter("package-with-huge-docs") +addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4") + +# This is just plain wrong (%_configure redefinition) +addFilter("configure-without-libdir-spec") + +# Technical term +addFilter("E: spelling-error \('kerberos',") + +# Artefacts of RemovePathPostfixes: .minimal +addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal") +#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal") +#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal") From 348d650b12c9787af9669f6a985f57cf3ccdc18c Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 15 Dec 2024 12:06:23 +0000 Subject: [PATCH 223/256] Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) - https://github.com/curl/curl/issues/15725 - https://github.com/curl/curl/pull/15727 --- 0001-curl-8.11.1-eventfd.patch | 31 +++++++++++++++++++++++++++++++ curl.spec | 15 +++++++++++++-- 2 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 0001-curl-8.11.1-eventfd.patch diff --git a/0001-curl-8.11.1-eventfd.patch b/0001-curl-8.11.1-eventfd.patch new file mode 100644 index 0000000..3960452 --- /dev/null +++ b/0001-curl-8.11.1-eventfd.patch @@ -0,0 +1,31 @@ +From 17c06b1ed19147d9e641ad5bcd672e8bce451b46 Mon Sep 17 00:00:00 2001 +From: Andy Pan +Date: Thu, 12 Dec 2024 12:48:56 +0000 +Subject: [PATCH] async-thread: avoid closing eventfd twice + +When employing eventfd for socketpair, there is only one file +descriptor. Closing that fd twice might result in fd corruption. +Thus, we should avoid closing the eventfd twice, following the +pattern in lib/multi.c. + +Fixes #15725 +--- + lib/asyn-thread.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c +index a58e4b790494ab..32d496b107cb0a 100644 +--- a/lib/asyn-thread.c ++++ b/lib/asyn-thread.c +@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) + * close one end of the socket pair (may be done in resolver thread); + * the other end (for reading) is always closed in the parent thread. + */ ++#ifndef USE_EVENTFD + if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { + wakeup_close(tsd->sock_pair[1]); + } ++#endif + #endif + memset(tsd, 0, sizeof(*tsd)); + } diff --git a/curl.spec b/curl.spec index 9b1c4c8..beca484 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,6 +16,12 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Fix crash with Unexpected error 9 on netlink descriptor 10 +# https://bugzilla.redhat.com/show_bug.cgi?id=2332350 +# https://github.com/curl/curl/issues/15725 +# https://github.com/curl/curl/pull/15727 +Patch1: 0001-curl-8.11.1-eventfd.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -410,6 +416,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Sun Dec 15 2024 Paul Howarth - 8.11.1-2 +- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) + - https://github.com/curl/curl/issues/15725 + - https://github.com/curl/curl/pull/15727 + * Wed Dec 11 2024 Jan Macku - 8.11.1-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-11053 - netrc and redirect credential leak @@ -431,7 +442,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la - new upstream release * Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 -- Retire depricated ntlm-wb configure option +- Retire deprecated ntlm-wb configure option * Mon Aug 5 2024 voidanix - 8.9.1-2 - Apply SIGPIPE-related patch due to upstream regression From 84d98cb3c36ac812ecac40f056283c94a3be0f03 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 15:05:19 +0000 Subject: [PATCH 224/256] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index beca484..ef932e9 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -416,6 +416,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Sun Dec 15 2024 Paul Howarth - 8.11.1-2 - Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) - https://github.com/curl/curl/issues/15725 From dbdb66e32ef7a74430edc9f27487a980b933f36b Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Fri, 31 Jan 2025 15:01:32 +0100 Subject: [PATCH 225/256] TLS: check connection for SSL use, not handler Resolves: #2324130 --- ...k-connection-for-SSL-use-not-handler.patch | 227 ++++++++++++++++++ curl.spec | 8 +- 2 files changed, 234 insertions(+), 1 deletion(-) create mode 100644 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch diff --git a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch new file mode 100644 index 0000000..9000c48 --- /dev/null +++ b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch @@ -0,0 +1,227 @@ +From b876aeb3f5d5c6539102f0575c0ec1d116388337 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 17 Jan 2025 11:57:00 +0100 +Subject: [PATCH] TLS: check connection for SSL use, not handler + +Protocol handler option PROTOPT_SSL is used to setup a connection +filters. Once that is done, used `Curl_conn_is_ssl()` to check if +a connection uses SSL. + +There may be other reasons to add SSL to a connection, e.g. starttls. + +Closes #16034 + +(cherry picked from commit 25b445e4796bcbf9f842de686a8c384b30f6c2a2) +--- + lib/cf-socket.c | 2 +- + lib/ftp.c | 2 +- + lib/http.c | 8 ++++---- + lib/http_negotiate.c | 3 ++- + lib/imap.c | 2 +- + lib/ldap.c | 3 ++- + lib/openldap.c | 2 +- + lib/pop3.c | 2 +- + lib/smb.c | 2 +- + lib/smtp.c | 2 +- + lib/url.c | 12 ++++++------ + 11 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/lib/cf-socket.c b/lib/cf-socket.c +index 497a3b965..de0c8a3ba 100644 +--- a/lib/cf-socket.c ++++ b/lib/cf-socket.c +@@ -1282,7 +1282,7 @@ static int do_connect(struct Curl_cfilter *cf, struct Curl_easy *data, + + rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); + #elif defined(MSG_FASTOPEN) /* old Linux */ +- if(cf->conn->given->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(cf->conn, cf->sockindex)) + rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); + else + rc = 0; /* Do nothing */ +diff --git a/lib/ftp.c b/lib/ftp.c +index 16ab0af0d..5137ddca4 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -3154,7 +3154,7 @@ static CURLcode ftp_connect(struct Curl_easy *data, + + PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp); + +- if(conn->handler->flags & PROTOPT_SSL) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + /* BLOCKING */ + result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); + if(result) +diff --git a/lib/http.c b/lib/http.c +index 35e708551..8e9f0a52e 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2526,7 +2526,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) + goto fail; + } + +- if(!(conn->handler->flags&PROTOPT_SSL) && ++ if(!Curl_conn_is_ssl(conn, FIRSTSOCKET) && + conn->httpversion < 20 && + (data->state.httpwant == CURL_HTTP_VERSION_2)) { + /* append HTTP2 upgrade magic stuff to the HTTP request if it is not done +@@ -2672,7 +2672,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, + case 'A': + #ifndef CURL_DISABLE_ALTSVC + v = (data->asi && +- ((data->conn->handler->flags & PROTOPT_SSL) || ++ (Curl_conn_is_ssl(data->conn, FIRSTSOCKET) || + #ifdef DEBUGBUILD + /* allow debug builds to circumvent the HTTPS restriction */ + getenv("CURL_ALTSVC_HTTP") +@@ -2938,7 +2938,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, + #ifndef CURL_DISABLE_HSTS + /* If enabled, the header is incoming and this is over HTTPS */ + v = (data->hsts && +- ((conn->handler->flags & PROTOPT_SSL) || ++ (Curl_conn_is_ssl(conn, FIRSTSOCKET) || + #ifdef DEBUGBUILD + /* allow debug builds to circumvent the HTTPS restriction */ + getenv("CURL_HSTS_HTTP") +@@ -4160,7 +4160,7 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers, + infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme); + } + else { +- scheme = (data->conn && data->conn->handler->flags & PROTOPT_SSL) ? ++ scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ? + "https" : "http"; + } + } +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index 5d76bddf7..f031d0abc 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -27,6 +27,7 @@ + #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) + + #include "urldata.h" ++#include "cfilters.h" + #include "sendf.h" + #include "http_negotiate.h" + #include "vauth/vauth.h" +@@ -109,7 +110,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, + #endif + /* Check if the connection is using SSL and get the channel binding data */ + #if defined(USE_SSL) && defined(HAVE_GSSAPI) +- if(conn->handler->flags & PROTOPT_SSL) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); + result = Curl_ssl_get_channel_binding( + data, FIRSTSOCKET, &neg_ctx->channel_binding_data); +diff --git a/lib/imap.c b/lib/imap.c +index e424cdb05..df9dc343b 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1390,7 +1390,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct imap_conn *imapc = &conn->proto.imapc; + +- if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !imapc->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + imapc->ssldone = ssldone; +diff --git a/lib/ldap.c b/lib/ldap.c +index 2cbdb9c21..7dd40acef 100644 +--- a/lib/ldap.c ++++ b/lib/ldap.c +@@ -78,6 +78,7 @@ + + #include "urldata.h" + #include ++#include "cfilters.h" + #include "sendf.h" + #include "escape.h" + #include "progress.h" +@@ -346,7 +347,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + } + + /* Get the URL scheme (either ldap or ldaps) */ +- if(conn->given->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) + ldap_ssl = 1; + infof(data, "LDAP local: trying to establish %s connection", + ldap_ssl ? "encrypted" : "cleartext"); +diff --git a/lib/openldap.c b/lib/openldap.c +index 8c4af22be..9676ad3d0 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -571,7 +571,7 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done) + ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + + #ifdef USE_SSL +- if(conn->handler->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) + return oldap_ssl_connect(data, OLDAP_SSL); + + if(data->set.use_ssl) { +diff --git a/lib/pop3.c b/lib/pop3.c +index db6ec04c7..83dd64cda 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -1110,7 +1110,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct pop3_conn *pop3c = &conn->proto.pop3c; + +- if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !pop3c->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + pop3c->ssldone = ssldone; +diff --git a/lib/smb.c b/lib/smb.c +index a72ece62a..a2c82df5e 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -840,7 +840,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done) + + if(smbc->state == SMB_CONNECTING) { + #ifdef USE_SSL +- if((conn->handler->flags & PROTOPT_SSL)) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + bool ssl_done = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done); + if(result && result != CURLE_AGAIN) +diff --git a/lib/smtp.c b/lib/smtp.c +index d854d364f..c7fb0a4ca 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1286,7 +1286,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct smtp_conn *smtpc = &conn->proto.smtpc; + +- if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !smtpc->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + smtpc->ssldone = ssldone; +diff --git a/lib/url.c b/lib/url.c +index 436edd891..de200e1dd 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -958,12 +958,12 @@ static bool url_match_conn(struct connectdata *conn, void *userdata) + return FALSE; + #endif + +- if((needle->handler->flags&PROTOPT_SSL) != +- (conn->handler->flags&PROTOPT_SSL)) +- /* do not do mixed SSL and non-SSL connections */ +- if(get_protocol_family(conn->handler) != +- needle->handler->protocol || !conn->bits.tls_upgraded) +- /* except protocols that have been upgraded via TLS */ ++ if((!(needle->handler->flags&PROTOPT_SSL) != ++ !Curl_conn_is_ssl(conn, FIRSTSOCKET)) && ++ !(get_protocol_family(conn->handler) == needle->handler->protocol && ++ conn->bits.tls_upgraded)) ++ /* Deny `conn` if it is not fit for `needle`'s SSL needs, ++ * UNLESS `conn` is the same protocol family and was upgraded to SSL. */ + return FALSE; + + #ifndef CURL_DISABLE_PROXY +-- +2.48.1 + diff --git a/curl.spec b/curl.spec index ef932e9..c21fec2 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 3%{?dist} +Release: 4%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -22,6 +22,9 @@ Source2: mykey.asc # https://github.com/curl/curl/pull/15727 Patch1: 0001-curl-8.11.1-eventfd.patch +# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2324130#c7 +Patch2: 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -416,6 +419,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jan 31 2025 Jan Macku - 8.11.1-4 +- TLS: check connection for SSL use, not handler (#2324130#c7) + * Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 057c9e09f00a022d8b5e065164a7d77d2d67e669 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 5 Feb 2025 09:44:27 +0100 Subject: [PATCH 226/256] new upstream release - 8.12.0 --- 0001-curl-8.11.1-eventfd.patch | 31 --- ...k-connection-for-SSL-use-not-handler.patch | 227 ------------------ 0101-curl-7.32.0-multilib.patch | 28 +-- 0102-curl-7.84.0-test3026.patch | 8 +- 0104-curl-7.88.0-tests-warnings.patch | 30 --- curl.spec | 23 +- sources | 4 +- 7 files changed, 29 insertions(+), 322 deletions(-) delete mode 100644 0001-curl-8.11.1-eventfd.patch delete mode 100644 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch delete mode 100644 0104-curl-7.88.0-tests-warnings.patch diff --git a/0001-curl-8.11.1-eventfd.patch b/0001-curl-8.11.1-eventfd.patch deleted file mode 100644 index 3960452..0000000 --- a/0001-curl-8.11.1-eventfd.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 17c06b1ed19147d9e641ad5bcd672e8bce451b46 Mon Sep 17 00:00:00 2001 -From: Andy Pan -Date: Thu, 12 Dec 2024 12:48:56 +0000 -Subject: [PATCH] async-thread: avoid closing eventfd twice - -When employing eventfd for socketpair, there is only one file -descriptor. Closing that fd twice might result in fd corruption. -Thus, we should avoid closing the eventfd twice, following the -pattern in lib/multi.c. - -Fixes #15725 ---- - lib/asyn-thread.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c -index a58e4b790494ab..32d496b107cb0a 100644 ---- a/lib/asyn-thread.c -+++ b/lib/asyn-thread.c -@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) - * close one end of the socket pair (may be done in resolver thread); - * the other end (for reading) is always closed in the parent thread. - */ -+#ifndef USE_EVENTFD - if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { - wakeup_close(tsd->sock_pair[1]); - } -+#endif - #endif - memset(tsd, 0, sizeof(*tsd)); - } diff --git a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch deleted file mode 100644 index 9000c48..0000000 --- a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch +++ /dev/null @@ -1,227 +0,0 @@ -From b876aeb3f5d5c6539102f0575c0ec1d116388337 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Fri, 17 Jan 2025 11:57:00 +0100 -Subject: [PATCH] TLS: check connection for SSL use, not handler - -Protocol handler option PROTOPT_SSL is used to setup a connection -filters. Once that is done, used `Curl_conn_is_ssl()` to check if -a connection uses SSL. - -There may be other reasons to add SSL to a connection, e.g. starttls. - -Closes #16034 - -(cherry picked from commit 25b445e4796bcbf9f842de686a8c384b30f6c2a2) ---- - lib/cf-socket.c | 2 +- - lib/ftp.c | 2 +- - lib/http.c | 8 ++++---- - lib/http_negotiate.c | 3 ++- - lib/imap.c | 2 +- - lib/ldap.c | 3 ++- - lib/openldap.c | 2 +- - lib/pop3.c | 2 +- - lib/smb.c | 2 +- - lib/smtp.c | 2 +- - lib/url.c | 12 ++++++------ - 11 files changed, 21 insertions(+), 19 deletions(-) - -diff --git a/lib/cf-socket.c b/lib/cf-socket.c -index 497a3b965..de0c8a3ba 100644 ---- a/lib/cf-socket.c -+++ b/lib/cf-socket.c -@@ -1282,7 +1282,7 @@ static int do_connect(struct Curl_cfilter *cf, struct Curl_easy *data, - - rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); - #elif defined(MSG_FASTOPEN) /* old Linux */ -- if(cf->conn->given->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(cf->conn, cf->sockindex)) - rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); - else - rc = 0; /* Do nothing */ -diff --git a/lib/ftp.c b/lib/ftp.c -index 16ab0af0d..5137ddca4 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -3154,7 +3154,7 @@ static CURLcode ftp_connect(struct Curl_easy *data, - - PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp); - -- if(conn->handler->flags & PROTOPT_SSL) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - /* BLOCKING */ - result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); - if(result) -diff --git a/lib/http.c b/lib/http.c -index 35e708551..8e9f0a52e 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -2526,7 +2526,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) - goto fail; - } - -- if(!(conn->handler->flags&PROTOPT_SSL) && -+ if(!Curl_conn_is_ssl(conn, FIRSTSOCKET) && - conn->httpversion < 20 && - (data->state.httpwant == CURL_HTTP_VERSION_2)) { - /* append HTTP2 upgrade magic stuff to the HTTP request if it is not done -@@ -2672,7 +2672,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, - case 'A': - #ifndef CURL_DISABLE_ALTSVC - v = (data->asi && -- ((data->conn->handler->flags & PROTOPT_SSL) || -+ (Curl_conn_is_ssl(data->conn, FIRSTSOCKET) || - #ifdef DEBUGBUILD - /* allow debug builds to circumvent the HTTPS restriction */ - getenv("CURL_ALTSVC_HTTP") -@@ -2938,7 +2938,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, - #ifndef CURL_DISABLE_HSTS - /* If enabled, the header is incoming and this is over HTTPS */ - v = (data->hsts && -- ((conn->handler->flags & PROTOPT_SSL) || -+ (Curl_conn_is_ssl(conn, FIRSTSOCKET) || - #ifdef DEBUGBUILD - /* allow debug builds to circumvent the HTTPS restriction */ - getenv("CURL_HSTS_HTTP") -@@ -4160,7 +4160,7 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers, - infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme); - } - else { -- scheme = (data->conn && data->conn->handler->flags & PROTOPT_SSL) ? -+ scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ? - "https" : "http"; - } - } -diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c -index 5d76bddf7..f031d0abc 100644 ---- a/lib/http_negotiate.c -+++ b/lib/http_negotiate.c -@@ -27,6 +27,7 @@ - #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) - - #include "urldata.h" -+#include "cfilters.h" - #include "sendf.h" - #include "http_negotiate.h" - #include "vauth/vauth.h" -@@ -109,7 +110,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, - #endif - /* Check if the connection is using SSL and get the channel binding data */ - #if defined(USE_SSL) && defined(HAVE_GSSAPI) -- if(conn->handler->flags & PROTOPT_SSL) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); - result = Curl_ssl_get_channel_binding( - data, FIRSTSOCKET, &neg_ctx->channel_binding_data); -diff --git a/lib/imap.c b/lib/imap.c -index e424cdb05..df9dc343b 100644 ---- a/lib/imap.c -+++ b/lib/imap.c -@@ -1390,7 +1390,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct imap_conn *imapc = &conn->proto.imapc; - -- if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !imapc->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); - imapc->ssldone = ssldone; -diff --git a/lib/ldap.c b/lib/ldap.c -index 2cbdb9c21..7dd40acef 100644 ---- a/lib/ldap.c -+++ b/lib/ldap.c -@@ -78,6 +78,7 @@ - - #include "urldata.h" - #include -+#include "cfilters.h" - #include "sendf.h" - #include "escape.h" - #include "progress.h" -@@ -346,7 +347,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) - } - - /* Get the URL scheme (either ldap or ldaps) */ -- if(conn->given->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) - ldap_ssl = 1; - infof(data, "LDAP local: trying to establish %s connection", - ldap_ssl ? "encrypted" : "cleartext"); -diff --git a/lib/openldap.c b/lib/openldap.c -index 8c4af22be..9676ad3d0 100644 ---- a/lib/openldap.c -+++ b/lib/openldap.c -@@ -571,7 +571,7 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done) - ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); - - #ifdef USE_SSL -- if(conn->handler->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) - return oldap_ssl_connect(data, OLDAP_SSL); - - if(data->set.use_ssl) { -diff --git a/lib/pop3.c b/lib/pop3.c -index db6ec04c7..83dd64cda 100644 ---- a/lib/pop3.c -+++ b/lib/pop3.c -@@ -1110,7 +1110,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct pop3_conn *pop3c = &conn->proto.pop3c; - -- if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !pop3c->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); - pop3c->ssldone = ssldone; -diff --git a/lib/smb.c b/lib/smb.c -index a72ece62a..a2c82df5e 100644 ---- a/lib/smb.c -+++ b/lib/smb.c -@@ -840,7 +840,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done) - - if(smbc->state == SMB_CONNECTING) { - #ifdef USE_SSL -- if((conn->handler->flags & PROTOPT_SSL)) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - bool ssl_done = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done); - if(result && result != CURLE_AGAIN) -diff --git a/lib/smtp.c b/lib/smtp.c -index d854d364f..c7fb0a4ca 100644 ---- a/lib/smtp.c -+++ b/lib/smtp.c -@@ -1286,7 +1286,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct smtp_conn *smtpc = &conn->proto.smtpc; - -- if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !smtpc->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); - smtpc->ssldone = ssldone; -diff --git a/lib/url.c b/lib/url.c -index 436edd891..de200e1dd 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -958,12 +958,12 @@ static bool url_match_conn(struct connectdata *conn, void *userdata) - return FALSE; - #endif - -- if((needle->handler->flags&PROTOPT_SSL) != -- (conn->handler->flags&PROTOPT_SSL)) -- /* do not do mixed SSL and non-SSL connections */ -- if(get_protocol_family(conn->handler) != -- needle->handler->protocol || !conn->bits.tls_upgraded) -- /* except protocols that have been upgraded via TLS */ -+ if((!(needle->handler->flags&PROTOPT_SSL) != -+ !Curl_conn_is_ssl(conn, FIRSTSOCKET)) && -+ !(get_protocol_family(conn->handler) == needle->handler->protocol && -+ conn->bits.tls_upgraded)) -+ /* Deny `conn` if it is not fit for `needle`'s SSL needs, -+ * UNLESS `conn` is the same protocol family and was upgraded to SSL. */ - return FALSE; - - #ifndef CURL_DISABLE_PROXY --- -2.48.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index aec4fda..13a9a54 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From 7efcd412447fc41bded2f9621edf0ab4701c9b14 Mon Sep 17 00:00:00 2001 +From c96b08867e8593b32cec0f3971f10adfcaf2276e Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 11 Dec 2024 09:28:12 +0100 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +Date: Wed, 5 Feb 2025 09:31:04 +0100 +Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,10 +10,10 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index e89c256..9fb1a33 100644 +index 55184167b..324e0b740 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -75,7 +75,7 @@ while test "$#" -gt 0; do +@@ -74,7 +74,7 @@ while test "$#" -gt 0; do ;; --cc) @@ -22,25 +22,25 @@ index e89c256..9fb1a33 100644 ;; --prefix) -@@ -155,16 +155,7 @@ while test "$#" -gt 0; do +@@ -149,16 +149,7 @@ while test "$#" -gt 0; do ;; --libs) - if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then -- CURLLIBDIR="-L@libdir@ " +- curllibdir="-L@libdir@ " - else -- CURLLIBDIR='' +- curllibdir='' - fi - if test 'X@ENABLE_SHARED@' = 'Xno'; then -- echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" +- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else -- echo "${CURLLIBDIR}-lcurl" +- echo "${curllibdir}-lcurl" - fi + echo '-lcurl' ;; --ssl-backends) -@@ -172,16 +163,12 @@ while test "$#" -gt 0; do +@@ -166,16 +157,12 @@ while test "$#" -gt 0; do ;; --static-libs) @@ -61,7 +61,7 @@ index e89c256..9fb1a33 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index 4dfaab6..f4e847e 100644 +index b1fcf33dc..b15feec8e 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba524..f3645e1 100644 +index c0ba5244a..f3645e174 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644 Name: libcurl URL: https://curl.se/ -- -2.47.1 +2.48.1 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 82f4642..6c45cc8 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -1,6 +1,6 @@ -From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001 +From 6460e292e664b03fb550ce70e9a8cdf86ad0ef57 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 22 May 2024 13:03:43 +0200 +Date: Wed, 5 Feb 2025 09:34:28 +0100 Subject: [PATCH 2/2] test3026: disable valgrind It fails on x86_64 with: @@ -52,7 +52,7 @@ index ee9b30678..dd582c3e5 100644 diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 7e914010e..39374f5bc 100644 +index 61c70eb3b..79302fcf7 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c @@ -145,8 +145,8 @@ CURLcode test(char *URL) @@ -67,5 +67,5 @@ index 7e914010e..39374f5bc 100644 test_failure = (CURLcode)-1; goto cleanup; -- -2.45.1 +2.48.1 diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch deleted file mode 100644 index 0977dee..0000000 --- a/0104-curl-7.88.0-tests-warnings.patch +++ /dev/null @@ -1,30 +0,0 @@ -From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 24 Jul 2024 15:15:11 +0200 -Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" - -While it might be useful for upstream developers, it is not so useful -for downstream consumers. - -This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. ---- - tests/runtests.pl | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index 9cc9ef1..c9a1c5d 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -57,8 +57,7 @@ - # given, this won't be a problem. - - use strict; --# Promote all warnings to fatal --use warnings FATAL => 'all'; -+use warnings; - use 5.006; - use POSIX qw(strftime); - --- -2.45.2 - diff --git a/curl.spec b/curl.spec index c21fec2..186b566 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.11.1 -Release: 4%{?dist} +Version: 8.12.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,24 +16,12 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Fix crash with Unexpected error 9 on netlink descriptor 10 -# https://bugzilla.redhat.com/show_bug.cgi?id=2332350 -# https://github.com/curl/curl/issues/15725 -# https://github.com/curl/curl/pull/15727 -Patch1: 0001-curl-8.11.1-eventfd.patch - -# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2324130#c7 -Patch2: 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch -# do not fail on warnings in the upstream test driver -Patch104: 0104-curl-7.88.0-tests-warnings.patch - # test616: disable valgrind Patch105: 0105-curl-8.11.1-test616.patch @@ -419,6 +407,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 05 2025 Jan Macku - 8.12.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-0725 - gzip integer overflow + CVE-2025-0665 - eventfd double close + CVE-2025-0167 - netrc and default credential leak +- drop upstreamed patches + * Fri Jan 31 2025 Jan Macku - 8.11.1-4 - TLS: check connection for SSL use, not handler (#2324130#c7) diff --git a/sources b/sources index 91c8f05..01ad1a6 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.11.1.tar.xz) = 7c7c47a49505575b610c56b455f0919ea5082a993bf5483eeb258ead167aadb87078d626b343b417dcfc5439c53556425c8fb4fe3b01b53a87b47c01686a3e57 -SHA512 (curl-8.11.1.tar.xz.asc) = c09bedb67e83fb8ca3ad73c5bd0d92fed7fc2c26dbe5a71cccb193fd151c7219713241a9fe74baefcd1d008cfafba78142bf04cec24dd4a88d67179184d35824 +SHA512 (curl-8.12.0.tar.xz) = ed35f0020541050ce387f4ba80f9e87562ececd99082da1bae85840dee81c49b86a4a55909e15fcbf4eb116106a796c29a9b2678dee11326f80db75992c6edc5 +SHA512 (curl-8.12.0.tar.xz.asc) = 8526554ffb2187b48b6a4c6a0d4a8c73d484ef3ce4c3791add0e759baf953ac7ae0b2f88d688365b1f09c5745198611fa1761aa14d02ddf52823c4ff238779cd From 9c7fc53ab273793fba55aef94b81682065923b4f Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Feb 2025 08:28:44 +0100 Subject: [PATCH 227/256] new upstream release - 8.12.1 --- curl.spec | 2 +- sources | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 186b566..c7f23e3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.12.0 +Version: 8.12.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz diff --git a/sources b/sources index 01ad1a6..acd884b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.12.0.tar.xz) = ed35f0020541050ce387f4ba80f9e87562ececd99082da1bae85840dee81c49b86a4a55909e15fcbf4eb116106a796c29a9b2678dee11326f80db75992c6edc5 -SHA512 (curl-8.12.0.tar.xz.asc) = 8526554ffb2187b48b6a4c6a0d4a8c73d484ef3ce4c3791add0e759baf953ac7ae0b2f88d688365b1f09c5745198611fa1761aa14d02ddf52823c4ff238779cd +SHA512 (curl-8.12.1.tar.xz) = 88915468fa1bb7256e3dd6c9d058ada6894faa1e3e7800c7d9bfee3e8be4081ae57e7f2bf260c5342b709499fc4302ddc2d7864e25bfa3300fa07f118a3de603 +SHA512 (curl-8.12.1.tar.xz.asc) = 41fc5582935090d13940d86974fdea3ea901dd5dab156c16029a87f811d2535172c59dc8dc366f2ffc37bcf85accbecb5aa765bc7b83c2991a3ef402bf25af69 From 3ce21a370c4a3523ee3affbaea685b8c8e6c2cdf Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 10 Mar 2025 14:27:02 +0100 Subject: [PATCH 228/256] new upstream release - 8.13.0~rc1 --- ...test1022-add-support-for-rc-releases.patch | 44 +++++++++++++++++++ 0101-curl-7.32.0-multilib.patch | 16 +++---- curl.spec | 16 ++++--- sources | 4 +- 4 files changed, 65 insertions(+), 15 deletions(-) create mode 100644 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch diff --git a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch new file mode 100644 index 0000000..789aa0e --- /dev/null +++ b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch @@ -0,0 +1,44 @@ +From 3c1a88fdf72e9e43f289d121318fc31536964e66 Mon Sep 17 00:00:00 2001 +From: Samuel Henrique +Date: Sat, 8 Mar 2025 12:47:21 +0000 +Subject: [PATCH] test1022: add support for rc releases + + Fix the following test failure: + curl-config: illegal value + +Closes #16626 +--- + tests/libtest/test1022.pl | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tests/libtest/test1022.pl b/tests/libtest/test1022.pl +index 583b8f8562c0..5c5c02070ff7 100755 +--- a/tests/libtest/test1022.pl ++++ b/tests/libtest/test1022.pl +@@ -35,7 +35,7 @@ + open(CURL, "$ARGV[1]") || die "Can't open curl --version list in $ARGV[1]\n"; + $_ = ; + chomp; +-/libcurl\/([\.\d]+((-DEV)|(-\d+))?)/; ++/libcurl\/([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)/; + my $version = $1; + close CURL; + +@@ -47,7 +47,7 @@ + chomp; + my $filever=$_; + if ( $what eq "version" ) { +- if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-\d+))?)$/) { ++ if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)$/) { + $curlconfigversion = $1; + } + else { +@@ -63,7 +63,7 @@ + $curlconfigversion = "illegal value"; + } + +- # Strip off the -DEV from the curl version if it's there ++ # Strip off the -DEV and -rc suffixes from the curl version if they're there + $version =~ s/-\w*$//; + } + close CURLCONFIG; diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 13a9a54..e7b2a32 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From c96b08867e8593b32cec0f3971f10adfcaf2276e Mon Sep 17 00:00:00 2001 +From 495c771a6f9be008b783c5f59285d30fdc15fd63 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 5 Feb 2025 09:31:04 +0100 -Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script +Date: Mon, 10 Mar 2025 14:23:59 +0100 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,7 +10,7 @@ Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 55184167b..324e0b740 100644 +index 5518416..324e0b7 100644 --- a/curl-config.in +++ b/curl-config.in @@ -74,7 +74,7 @@ while test "$#" -gt 0; do @@ -61,11 +61,11 @@ index 55184167b..324e0b740 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index b1fcf33dc..b15feec8e 100644 +index 12ad245..fa0e03d 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. - ## --static-libs + ## `--static-libs` Shows the complete set of libs and other linker options you need in order to -link your application with libcurl statically. (Added in 7.17.1) @@ -73,10 +73,10 @@ index b1fcf33dc..b15feec8e 100644 +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - ## --version + ## `--version` diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba5244a..f3645e174 100644 +index c0ba524..f3645e1 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ diff --git a/curl.spec b/curl.spec index c7f23e3..80a56c3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,18 +6,21 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.12.1 +Version: 8.13.0~rc1 Release: 1%{?dist} License: curl -Source0: https://curl.se/download/%{name}-%{version}.tar.xz -Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc +Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz +Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # The curl download page ( https://curl.se/download.html ) links # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Test 1022 add support for rc releases +Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch + # patch making libcurl multilib ready -Patch101: 0101-curl-7.32.0-multilib.patch +# Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch @@ -211,7 +214,7 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%autosetup -p1 +%autosetup -n %{name}-%{version_no_tilde} -p1 # disable test 1801 # @@ -407,6 +410,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 +- new upstream release candidate + * Wed Feb 05 2025 Jan Macku - 8.12.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2025-0725 - gzip integer overflow diff --git a/sources b/sources index acd884b..fd8d757 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.12.1.tar.xz) = 88915468fa1bb7256e3dd6c9d058ada6894faa1e3e7800c7d9bfee3e8be4081ae57e7f2bf260c5342b709499fc4302ddc2d7864e25bfa3300fa07f118a3de603 -SHA512 (curl-8.12.1.tar.xz.asc) = 41fc5582935090d13940d86974fdea3ea901dd5dab156c16029a87f811d2535172c59dc8dc366f2ffc37bcf85accbecb5aa765bc7b83c2991a3ef402bf25af69 +SHA512 (curl-8.13.0-rc1.tar.xz) = 6890dae4abf9c9d4017c28ea8ced84ef457aa911574b261af97b81ab1631e04deef188928d015a19c861d8dd319a23d9a7725d93046fc07a39694c5dc445562e +SHA512 (curl-8.13.0-rc1.tar.xz.asc) = aeb6f5abcf1bd19d836ae688bebd0193c673060ed74afa7c5b63c2a0ecf7eaf00a223110cd7aa77d19183e8ba757bd0b8fb481e279cf1141c4b459f92604a740 From 5e5bbeb413edc79263a785e0ba467df9cb9c093c Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Mar 2025 09:30:38 +0100 Subject: [PATCH 229/256] fix --cert parameter Resolves: #2351531 --- ...3.0~rc1-fix--cert-parameter-clearing.patch | 60 +++++++++++++++++++ curl.spec | 8 ++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch diff --git a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch new file mode 100644 index 0000000..e08a349 --- /dev/null +++ b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch @@ -0,0 +1,60 @@ +From 886569e2db200c31073895a2626d20e0712e5207 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 12 Mar 2025 14:42:19 +0100 +Subject: [PATCH] curl: fix --cert parameter clearing + +Blank the argument *after* it has been copied. + +Reported-by: Jan Macku +Fixes #16686 +Closes #16688 +--- + src/tool_getparam.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 9f227abbfdb5..e5272de74feb 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -2481,8 +2481,8 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + } + break; + case C_CERT: /* --cert */ +- cleanarg(clearthis); + GetFileAndPassword(nextarg, &config->cert, &config->key_passwd); ++ cleanarg(clearthis); + break; + case C_CACERT: /* --cacert */ + err = getstr(&config->cacert, nextarg, DENY_BLANK); +@@ -2601,18 +2601,18 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + config->tcp_fastopen = TRUE; + break; + case C_PROXY_TLSUSER: /* --proxy-tlsuser */ +- cleanarg(clearthis); + if(!feature_tls_srp) + err = PARAM_LIBCURL_DOESNT_SUPPORT; + else + err = getstr(&config->proxy_tls_username, nextarg, ALLOW_BLANK); ++ cleanarg(clearthis); + break; + case C_PROXY_TLSPASSWORD: /* --proxy-tlspassword */ +- cleanarg(clearthis); + if(!feature_tls_srp) + err = PARAM_LIBCURL_DOESNT_SUPPORT; + else + err = getstr(&config->proxy_tls_password, nextarg, DENY_BLANK); ++ cleanarg(clearthis); + break; + case C_PROXY_TLSAUTHTYPE: /* --proxy-tlsauthtype */ + if(!feature_tls_srp) +@@ -2624,9 +2624,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + } + break; + case C_PROXY_CERT: /* --proxy-cert */ +- cleanarg(clearthis); + GetFileAndPassword(nextarg, &config->proxy_cert, + &config->proxy_key_passwd); ++ cleanarg(clearthis); + break; + case C_PROXY_CERT_TYPE: /* --proxy-cert-type */ + err = getstr(&config->proxy_cert_type, nextarg, DENY_BLANK); diff --git a/curl.spec b/curl.spec index 80a56c3..c7f41cc 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.13.0~rc1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -19,6 +19,9 @@ Source2: mykey.asc # Test 1022 add support for rc releases Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch +# Fix --cert parameter (#2351531) +Patch002: 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch + # patch making libcurl multilib ready # Patch101: 0101-curl-7.32.0-multilib.patch @@ -410,6 +413,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 +- fix --cert parameter (#2351531) + * Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 - new upstream release candidate From 4fcaa6c40447770a0df7ce914dd5ce90bf67a27c Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 18 Mar 2025 09:23:12 +0100 Subject: [PATCH 230/256] new upstream release - 8.13.0~rc2 --- ...test1022-add-support-for-rc-releases.patch | 44 -------------- ...3.0~rc1-fix--cert-parameter-clearing.patch | 60 ------------------- curl.spec | 13 ++-- sources | 4 +- 4 files changed, 7 insertions(+), 114 deletions(-) delete mode 100644 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch delete mode 100644 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch diff --git a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch deleted file mode 100644 index 789aa0e..0000000 --- a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 3c1a88fdf72e9e43f289d121318fc31536964e66 Mon Sep 17 00:00:00 2001 -From: Samuel Henrique -Date: Sat, 8 Mar 2025 12:47:21 +0000 -Subject: [PATCH] test1022: add support for rc releases - - Fix the following test failure: - curl-config: illegal value - -Closes #16626 ---- - tests/libtest/test1022.pl | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests/libtest/test1022.pl b/tests/libtest/test1022.pl -index 583b8f8562c0..5c5c02070ff7 100755 ---- a/tests/libtest/test1022.pl -+++ b/tests/libtest/test1022.pl -@@ -35,7 +35,7 @@ - open(CURL, "$ARGV[1]") || die "Can't open curl --version list in $ARGV[1]\n"; - $_ = ; - chomp; --/libcurl\/([\.\d]+((-DEV)|(-\d+))?)/; -+/libcurl\/([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)/; - my $version = $1; - close CURL; - -@@ -47,7 +47,7 @@ - chomp; - my $filever=$_; - if ( $what eq "version" ) { -- if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-\d+))?)$/) { -+ if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)$/) { - $curlconfigversion = $1; - } - else { -@@ -63,7 +63,7 @@ - $curlconfigversion = "illegal value"; - } - -- # Strip off the -DEV from the curl version if it's there -+ # Strip off the -DEV and -rc suffixes from the curl version if they're there - $version =~ s/-\w*$//; - } - close CURLCONFIG; diff --git a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch deleted file mode 100644 index e08a349..0000000 --- a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 886569e2db200c31073895a2626d20e0712e5207 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 12 Mar 2025 14:42:19 +0100 -Subject: [PATCH] curl: fix --cert parameter clearing - -Blank the argument *after* it has been copied. - -Reported-by: Jan Macku -Fixes #16686 -Closes #16688 ---- - src/tool_getparam.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/tool_getparam.c b/src/tool_getparam.c -index 9f227abbfdb5..e5272de74feb 100644 ---- a/src/tool_getparam.c -+++ b/src/tool_getparam.c -@@ -2481,8 +2481,8 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - } - break; - case C_CERT: /* --cert */ -- cleanarg(clearthis); - GetFileAndPassword(nextarg, &config->cert, &config->key_passwd); -+ cleanarg(clearthis); - break; - case C_CACERT: /* --cacert */ - err = getstr(&config->cacert, nextarg, DENY_BLANK); -@@ -2601,18 +2601,18 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - config->tcp_fastopen = TRUE; - break; - case C_PROXY_TLSUSER: /* --proxy-tlsuser */ -- cleanarg(clearthis); - if(!feature_tls_srp) - err = PARAM_LIBCURL_DOESNT_SUPPORT; - else - err = getstr(&config->proxy_tls_username, nextarg, ALLOW_BLANK); -+ cleanarg(clearthis); - break; - case C_PROXY_TLSPASSWORD: /* --proxy-tlspassword */ -- cleanarg(clearthis); - if(!feature_tls_srp) - err = PARAM_LIBCURL_DOESNT_SUPPORT; - else - err = getstr(&config->proxy_tls_password, nextarg, DENY_BLANK); -+ cleanarg(clearthis); - break; - case C_PROXY_TLSAUTHTYPE: /* --proxy-tlsauthtype */ - if(!feature_tls_srp) -@@ -2624,9 +2624,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - } - break; - case C_PROXY_CERT: /* --proxy-cert */ -- cleanarg(clearthis); - GetFileAndPassword(nextarg, &config->proxy_cert, - &config->proxy_key_passwd); -+ cleanarg(clearthis); - break; - case C_PROXY_CERT_TYPE: /* --proxy-cert-type */ - err = getstr(&config->proxy_cert_type, nextarg, DENY_BLANK); diff --git a/curl.spec b/curl.spec index c7f41cc..4e2d4ac 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0~rc1 -Release: 2%{?dist} +Version: 8.13.0~rc2 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -16,12 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Test 1022 add support for rc releases -Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch - -# Fix --cert parameter (#2351531) -Patch002: 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch - # patch making libcurl multilib ready # Patch101: 0101-curl-7.32.0-multilib.patch @@ -413,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 +- new upstream release candidate + * Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 - fix --cert parameter (#2351531) diff --git a/sources b/sources index fd8d757..d2c4139 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0-rc1.tar.xz) = 6890dae4abf9c9d4017c28ea8ced84ef457aa911574b261af97b81ab1631e04deef188928d015a19c861d8dd319a23d9a7725d93046fc07a39694c5dc445562e -SHA512 (curl-8.13.0-rc1.tar.xz.asc) = aeb6f5abcf1bd19d836ae688bebd0193c673060ed74afa7c5b63c2a0ecf7eaf00a223110cd7aa77d19183e8ba757bd0b8fb481e279cf1141c4b459f92604a740 +SHA512 (curl-8.13.0-rc2.tar.xz) = 299b41b5bf52b29f5064f68cd7d8d1e95d8b8f8b36fb80fb67ed2b342123f1fc87a543754cbee8c49c83a8e73daca89cb132a76c795d7fa4d9231c6bf281a9e0 +SHA512 (curl-8.13.0-rc2.tar.xz.asc) = 8149ff96d25b41b0a9418929bbdbb0675267457e7999bd98012289fb74af96f96e66bc9319024f37ef478a965ef233827d832e153db867f2cb6cd140954a4b3e From 95664fdd301c40c2d1a6d93b2a9d858a3c430e14 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 26 Mar 2025 10:11:44 +0100 Subject: [PATCH 231/256] new upstream release - 8.13.0~rc3 --- 0102-curl-7.84.0-test3026.patch | 71 --------------------------------- curl.spec | 11 ++--- sources | 4 +- 3 files changed, 8 insertions(+), 78 deletions(-) delete mode 100644 0102-curl-7.84.0-test3026.patch diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch deleted file mode 100644 index 6c45cc8..0000000 --- a/0102-curl-7.84.0-test3026.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 6460e292e664b03fb550ce70e9a8cdf86ad0ef57 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 5 Feb 2025 09:34:28 +0100 -Subject: [PATCH 2/2] test3026: disable valgrind - -It fails on x86_64 with: -``` - Use --max-threads=INT to specify a larger number of threads - and rerun valgrind - valgrind: the 'impossible' happened: - Max number of threads is too low - host stacktrace: - ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - sched status: - running_tid=1 - Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) - ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) - ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) - ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) - ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) - ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) - ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) - client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 - valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 -[...] -``` ---- - tests/data/test3026 | 3 +++ - tests/libtest/lib3026.c | 4 ++-- - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/tests/data/test3026 b/tests/data/test3026 -index ee9b30678..dd582c3e5 100644 ---- a/tests/data/test3026 -+++ b/tests/data/test3026 -@@ -41,5 +41,8 @@ none - - 0 - -+ -+disable -+ - - -diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 61c70eb3b..79302fcf7 100644 ---- a/tests/libtest/lib3026.c -+++ b/tests/libtest/lib3026.c -@@ -145,8 +145,8 @@ CURLcode test(char *URL) - results[i] = CURL_LAST; /* initialize with invalid value */ - res = pthread_create(&tids[i], NULL, run_thread, &results[i]); - if(res) { -- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", -- __FILE__, __LINE__, res); -+ fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", -+ __FILE__, __LINE__, i, res); - tid_count = i; - test_failure = (CURLcode)-1; - goto cleanup; --- -2.48.1 - diff --git a/curl.spec b/curl.spec index 4e2d4ac..279a92f 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0~rc2 +Version: 8.13.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -17,10 +17,7 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc Source2: mykey.asc # patch making libcurl multilib ready -# Patch101: 0101-curl-7.32.0-multilib.patch - -# test3026: disable valgrind -Patch102: 0102-curl-7.84.0-test3026.patch +Patch101: 0101-curl-7.32.0-multilib.patch # test616: disable valgrind Patch105: 0105-curl-8.11.1-test616.patch @@ -407,6 +404,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 +- new upstream release candidate +- drop: 0102-curl-7.84.0-test3026.patch (no longer needed) + * Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index d2c4139..168aaff 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0-rc2.tar.xz) = 299b41b5bf52b29f5064f68cd7d8d1e95d8b8f8b36fb80fb67ed2b342123f1fc87a543754cbee8c49c83a8e73daca89cb132a76c795d7fa4d9231c6bf281a9e0 -SHA512 (curl-8.13.0-rc2.tar.xz.asc) = 8149ff96d25b41b0a9418929bbdbb0675267457e7999bd98012289fb74af96f96e66bc9319024f37ef478a965ef233827d832e153db867f2cb6cd140954a4b3e +SHA512 (curl-8.13.0-rc3.tar.xz) = 72c0e0b8b0bc9117ab911b97bab6b1502d877f5a72a34091b68e48c046e45dfd188f24f270c0200f4df3f1a70933ada00f3a73a0aa078ec2b125fa5a9294d33f +SHA512 (curl-8.13.0-rc3.tar.xz.asc) = a2d94a898824fabc1c4834f9e5719fb65311d0f218f6170e80fe1a04c6f842f9fbf589d281767ab916f668ff7087bb318b819a1fb26790640df136f335ff3b99 From 4d98bbf51edd9f631e7e91abc79fd94b1e44e097 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 2 Apr 2025 11:17:10 +0200 Subject: [PATCH 232/256] new upstream release - 8.13.0 --- curl.spec | 7 ++++++- sources | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 279a92f..e265266 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0~rc3 +Version: 8.13.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -48,6 +48,7 @@ BuildRequires: make BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server +BuildRequires: openssl BuildRequires: openssl-devel %if %{with openssl_engine_support} && 0%{?fedora} >= 41 BuildRequires: openssl-devel-engine @@ -404,6 +405,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Apr 02 2025 Jan Macku - 8.13.0-1 +- new upstream release +- add build time dependency on openssl (required by tests) + * Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 - new upstream release candidate - drop: 0102-curl-7.84.0-test3026.patch (no longer needed) diff --git a/sources b/sources index 168aaff..92367a0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0-rc3.tar.xz) = 72c0e0b8b0bc9117ab911b97bab6b1502d877f5a72a34091b68e48c046e45dfd188f24f270c0200f4df3f1a70933ada00f3a73a0aa078ec2b125fa5a9294d33f -SHA512 (curl-8.13.0-rc3.tar.xz.asc) = a2d94a898824fabc1c4834f9e5719fb65311d0f218f6170e80fe1a04c6f842f9fbf589d281767ab916f668ff7087bb318b819a1fb26790640df136f335ff3b99 +SHA512 (curl-8.13.0.tar.xz) = d266e460f162ee455b56726e5b7247b2d1aa5265ae12081513fc0c5c79e785a594097bc71d505dc9bcd2c2f6f1ff6f4bab9dbd9d120bb76d06c5be8521a8ca7d +SHA512 (curl-8.13.0.tar.xz.asc) = 07f79c7fd7c305c96e10a5f52797254aed7d2a1f3577c8626b8d617855ceb82634ac6787bfa0b7130a4ed72c3a9945d3c9ba5b7be54df8bafa07ded1c62ef2be From ece940a64912f74d92fd403675eef80f9b357e68 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Fri, 2 May 2025 09:36:02 +0200 Subject: [PATCH 233/256] new upstream release - 8.14.0~rc1 --- curl.spec | 8 +++++++- sources | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index e265266..1e416a3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0 +Version: 8.14.0~rc1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -381,6 +381,8 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* +%{_bindir}/wcurl +%{_mandir}/man1/wcurl.1* %{_datadir}/zsh %files -n libcurl @@ -405,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 +- new upstream release candidate +- new utility: wcurl which lets you download URLs without having to remember any parameters + * Wed Apr 02 2025 Jan Macku - 8.13.0-1 - new upstream release - add build time dependency on openssl (required by tests) diff --git a/sources b/sources index 92367a0..769013c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0.tar.xz) = d266e460f162ee455b56726e5b7247b2d1aa5265ae12081513fc0c5c79e785a594097bc71d505dc9bcd2c2f6f1ff6f4bab9dbd9d120bb76d06c5be8521a8ca7d -SHA512 (curl-8.13.0.tar.xz.asc) = 07f79c7fd7c305c96e10a5f52797254aed7d2a1f3577c8626b8d617855ceb82634ac6787bfa0b7130a4ed72c3a9945d3c9ba5b7be54df8bafa07ded1c62ef2be +SHA512 (curl-8.14.0-rc1.tar.xz) = e9bd9e5c95580ee04171de937ff852c30b4606ef28a0250c1fdd231d7155089d3591e0dbed1f10280c9868b66329c1c9badf9a0e15e3e2721ab103627e92caa3 +SHA512 (curl-8.14.0-rc1.tar.xz.asc) = f02e0fd84bffcbe31fa6ccdba41729be86404241c177087500d4d992278d217ea55d73a9bc260b601ddeef70738e45b799a2bd49c68db05adfe8c127434f5708 From b8ae67753af119081cacdecf02e2180ad85e1b17 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 28 May 2025 12:59:33 +0200 Subject: [PATCH 234/256] new upstream release - 8.14.0 --- ...8.14.0-multi-fix-add_handle-resizing.patch | 209 ++++++++++++++++++ curl.spec | 11 +- sources | 4 +- 3 files changed, 221 insertions(+), 3 deletions(-) create mode 100644 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch diff --git a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch new file mode 100644 index 0000000..4b7e58a --- /dev/null +++ b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch @@ -0,0 +1,209 @@ +From d16ccbd55de80c271fe822f4ba8b6271fd9166ff Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 28 May 2025 14:04:31 +0200 +Subject: [PATCH] multi: fix add_handle resizing + +Due to someone being stupid, the resizing of the multi's transfer +table was actually shrinking it. Oh my. + +Add test751 to reproduce, add code assertion. + +Fixes #17473 +Reported-by: Jeroen Ooms +Closes #17475 +--- + lib/multi.c | 3 +- + tests/data/Makefile.am | 2 +- + tests/data/test751 | 33 ++++++++++++++ + tests/libtest/Makefile.inc | 4 ++ + tests/libtest/lib751.c | 92 ++++++++++++++++++++++++++++++++++++++ + 5 files changed, 132 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test751 + create mode 100644 tests/libtest/lib751.c + +diff --git a/lib/multi.c b/lib/multi.c +index 792b30515d8b..b744e03ae52f 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -347,7 +347,8 @@ static CURLMcode multi_xfers_add(struct Curl_multi *multi, + if(unused <= min_unused) { + /* make it a 64 multiple, since our bitsets frow by that and + * small (easy_multi) grows to at least 64 on first resize. */ +- unsigned int newsize = ((capacity + min_unused) + 63) / 64; ++ unsigned int newsize = (((capacity + min_unused) + 63) / 64) * 64; ++ DEBUGASSERT(newsize > capacity); + /* Grow the bitsets first. Should one fail, we do not need + * to downsize the already resized ones. The sets continue + * to work properly when larger than the table, but not +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index e8f9e12be71e..16bb57db8e69 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \ + test718 test719 test720 test721 test722 test723 test724 test725 test726 \ + test727 test728 test729 test730 test731 test732 test733 test734 test735 \ + test736 test737 test738 test739 test740 test741 test742 test743 test744 \ +-test745 test746 test747 test748 test749 test750 \ ++test745 test746 test747 test748 test749 test750 test751 \ + \ + test780 test781 test782 test783 test784 test785 test786 test787 test788 \ + test789 test790 test791 \ +diff --git a/tests/data/test751 b/tests/data/test751 +new file mode 100644 +index 000000000000..ffc6df512f83 +--- /dev/null ++++ b/tests/data/test751 +@@ -0,0 +1,33 @@ ++ ++ ++ ++MULTI ++ ++ ++ ++ ++ ++ ++ ++# Client-side ++ ++ ++none ++ ++# tool is what to use instead of 'curl' ++ ++lib%TESTNUMBER ++ ++ ++ ++multi - add many easy handles ++ ++ ++ ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index faf7eacdf6af..002e7ab5470d 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -50,6 +50,7 @@ LIBTESTPROGS = libauthretry libntlmconnect libprereq \ + lib659 lib661 lib666 lib667 lib668 \ + lib670 lib671 lib672 lib673 lib674 lib676 lib677 lib678 lib694 lib695 \ + lib696 \ ++ lib751 \ + lib1156 \ + lib1301 \ + lib1308 \ +@@ -349,6 +350,9 @@ lib695_SOURCES = lib695.c $(SUPPORTFILES) + lib696_SOURCES = lib556.c $(SUPPORTFILES) $(WARNLESS) + lib696_CPPFLAGS = $(AM_CPPFLAGS) -DLIB696 + ++lib751_SOURCES = lib751.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib751_LDADD = $(TESTUTIL_LIBS) ++ + lib1301_SOURCES = lib1301.c $(SUPPORTFILES) $(TESTUTIL) + lib1301_LDADD = $(TESTUTIL_LIBS) + +diff --git a/tests/libtest/lib751.c b/tests/libtest/lib751.c +new file mode 100644 +index 000000000000..ab2f923b959d +--- /dev/null ++++ b/tests/libtest/lib751.c +@@ -0,0 +1,92 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++#include "test.h" ++ ++#include "testutil.h" ++#include "warnless.h" ++#include "memdebug.h" ++ ++#define TEST_HANG_TIMEOUT 60 * 1000 ++ ++/* ++ * Get a single URL without select(). ++ */ ++ ++CURLcode test(char *URL) ++{ ++ CURL *easies[1000]; ++ CURLM *m; ++ CURLcode res = CURLE_FAILED_INIT; ++ CURLMcode mres; ++ int i; ++ ++ (void)URL; ++ memset(easies, 0, sizeof(easies)); ++ ++ curl_global_init(CURL_GLOBAL_DEFAULT); ++ m = curl_multi_init(); ++ if(!m) { ++ res = CURLE_OUT_OF_MEMORY; ++ goto test_cleanup; ++ } ++ ++ for(i = 0; i < 1000; i++) { ++ CURL *e = curl_easy_init(); ++ if(!e) { ++ res = CURLE_OUT_OF_MEMORY; ++ goto test_cleanup; ++ } ++ easies[i] = e; ++ ++ res = curl_easy_setopt(e, CURLOPT_URL, "https://www.example.com/"); ++ if(!res) ++ res = curl_easy_setopt(e, CURLOPT_VERBOSE, 1L); ++ if(res) ++ goto test_cleanup; ++ ++ mres = curl_multi_add_handle(m, e); ++ if(mres != CURLM_OK) { ++ printf("MULTI ERROR: %s\n", curl_multi_strerror(mres)); ++ res = CURLE_FAILED_INIT; ++ goto test_cleanup; ++ } ++ } ++ ++test_cleanup: ++ ++ if(res) ++ printf("ERROR: %s\n", curl_easy_strerror(res)); ++ ++ for(i = 0; i < 1000; i++) { ++ if(easies[i]) { ++ curl_multi_add_handle(m, easies[i]); ++ curl_easy_cleanup(easies[i]); ++ easies[i] = NULL; ++ } ++ } ++ curl_multi_cleanup(m); ++ curl_global_cleanup(); ++ ++ return res; ++} diff --git a/curl.spec b/curl.spec index 1e416a3..555fe8e 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.14.0~rc1 +Version: 8.14.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -16,6 +16,9 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Fix 8.14.0 regression: https://github.com/curl/curl/issues/17473 +Patch001: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -407,6 +410,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 28 2025 Jan Macku - 8.14.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-5025 - No QUIC certificate pinning with wolfSSL + CVE-2025-4947 - QUIC certificate check skip with wolfSSL +- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles + * Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 - new upstream release candidate - new utility: wcurl which lets you download URLs without having to remember any parameters diff --git a/sources b/sources index 769013c..c4de0f0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.14.0-rc1.tar.xz) = e9bd9e5c95580ee04171de937ff852c30b4606ef28a0250c1fdd231d7155089d3591e0dbed1f10280c9868b66329c1c9badf9a0e15e3e2721ab103627e92caa3 -SHA512 (curl-8.14.0-rc1.tar.xz.asc) = f02e0fd84bffcbe31fa6ccdba41729be86404241c177087500d4d992278d217ea55d73a9bc260b601ddeef70738e45b799a2bd49c68db05adfe8c127434f5708 +SHA512 (curl-8.14.0.tar.xz) = d9f49cac0b93dbc53879713cc017392b4277d84b489bbf2ef3b585c6a50eea6c3a7b80043286b34062af04329560f2dc321f315b0038ce93435aa9bbcaec1eea +SHA512 (curl-8.14.0.tar.xz.asc) = 7c147ddb5e141dd9951e2ef6b23fa120318c0e631fb36861b80fce61b4b19ca08273a6b95627f46a8172945fb51bd790ffc74dee0a4b0de860dad518963b4710 From 8077eb733b4ff6f66c2887694a5034b54550df73 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 4 Jun 2025 12:59:43 +0200 Subject: [PATCH 235/256] new upstream release - 8.14.1 --- ...8.14.0-multi-fix-add_handle-resizing.patch | 209 ------------------ curl.spec | 9 +- sources | 4 +- 3 files changed, 7 insertions(+), 215 deletions(-) delete mode 100644 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch diff --git a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch deleted file mode 100644 index 4b7e58a..0000000 --- a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch +++ /dev/null @@ -1,209 +0,0 @@ -From d16ccbd55de80c271fe822f4ba8b6271fd9166ff Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 28 May 2025 14:04:31 +0200 -Subject: [PATCH] multi: fix add_handle resizing - -Due to someone being stupid, the resizing of the multi's transfer -table was actually shrinking it. Oh my. - -Add test751 to reproduce, add code assertion. - -Fixes #17473 -Reported-by: Jeroen Ooms -Closes #17475 ---- - lib/multi.c | 3 +- - tests/data/Makefile.am | 2 +- - tests/data/test751 | 33 ++++++++++++++ - tests/libtest/Makefile.inc | 4 ++ - tests/libtest/lib751.c | 92 ++++++++++++++++++++++++++++++++++++++ - 5 files changed, 132 insertions(+), 2 deletions(-) - create mode 100644 tests/data/test751 - create mode 100644 tests/libtest/lib751.c - -diff --git a/lib/multi.c b/lib/multi.c -index 792b30515d8b..b744e03ae52f 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -347,7 +347,8 @@ static CURLMcode multi_xfers_add(struct Curl_multi *multi, - if(unused <= min_unused) { - /* make it a 64 multiple, since our bitsets frow by that and - * small (easy_multi) grows to at least 64 on first resize. */ -- unsigned int newsize = ((capacity + min_unused) + 63) / 64; -+ unsigned int newsize = (((capacity + min_unused) + 63) / 64) * 64; -+ DEBUGASSERT(newsize > capacity); - /* Grow the bitsets first. Should one fail, we do not need - * to downsize the already resized ones. The sets continue - * to work properly when larger than the table, but not -diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am -index e8f9e12be71e..16bb57db8e69 100644 ---- a/tests/data/Makefile.am -+++ b/tests/data/Makefile.am -@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \ - test718 test719 test720 test721 test722 test723 test724 test725 test726 \ - test727 test728 test729 test730 test731 test732 test733 test734 test735 \ - test736 test737 test738 test739 test740 test741 test742 test743 test744 \ --test745 test746 test747 test748 test749 test750 \ -+test745 test746 test747 test748 test749 test750 test751 \ - \ - test780 test781 test782 test783 test784 test785 test786 test787 test788 \ - test789 test790 test791 \ -diff --git a/tests/data/test751 b/tests/data/test751 -new file mode 100644 -index 000000000000..ffc6df512f83 ---- /dev/null -+++ b/tests/data/test751 -@@ -0,0 +1,33 @@ -+ -+ -+ -+MULTI -+ -+ -+ -+ -+ -+ -+ -+# Client-side -+ -+ -+none -+ -+# tool is what to use instead of 'curl' -+ -+lib%TESTNUMBER -+ -+ -+ -+multi - add many easy handles -+ -+ -+ -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+ -+ -diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc -index faf7eacdf6af..002e7ab5470d 100644 ---- a/tests/libtest/Makefile.inc -+++ b/tests/libtest/Makefile.inc -@@ -50,6 +50,7 @@ LIBTESTPROGS = libauthretry libntlmconnect libprereq \ - lib659 lib661 lib666 lib667 lib668 \ - lib670 lib671 lib672 lib673 lib674 lib676 lib677 lib678 lib694 lib695 \ - lib696 \ -+ lib751 \ - lib1156 \ - lib1301 \ - lib1308 \ -@@ -349,6 +350,9 @@ lib695_SOURCES = lib695.c $(SUPPORTFILES) - lib696_SOURCES = lib556.c $(SUPPORTFILES) $(WARNLESS) - lib696_CPPFLAGS = $(AM_CPPFLAGS) -DLIB696 - -+lib751_SOURCES = lib751.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) -+lib751_LDADD = $(TESTUTIL_LIBS) -+ - lib1301_SOURCES = lib1301.c $(SUPPORTFILES) $(TESTUTIL) - lib1301_LDADD = $(TESTUTIL_LIBS) - -diff --git a/tests/libtest/lib751.c b/tests/libtest/lib751.c -new file mode 100644 -index 000000000000..ab2f923b959d ---- /dev/null -+++ b/tests/libtest/lib751.c -@@ -0,0 +1,92 @@ -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) Daniel Stenberg, , et al. -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at https://curl.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ * SPDX-License-Identifier: curl -+ * -+ ***************************************************************************/ -+#include "test.h" -+ -+#include "testutil.h" -+#include "warnless.h" -+#include "memdebug.h" -+ -+#define TEST_HANG_TIMEOUT 60 * 1000 -+ -+/* -+ * Get a single URL without select(). -+ */ -+ -+CURLcode test(char *URL) -+{ -+ CURL *easies[1000]; -+ CURLM *m; -+ CURLcode res = CURLE_FAILED_INIT; -+ CURLMcode mres; -+ int i; -+ -+ (void)URL; -+ memset(easies, 0, sizeof(easies)); -+ -+ curl_global_init(CURL_GLOBAL_DEFAULT); -+ m = curl_multi_init(); -+ if(!m) { -+ res = CURLE_OUT_OF_MEMORY; -+ goto test_cleanup; -+ } -+ -+ for(i = 0; i < 1000; i++) { -+ CURL *e = curl_easy_init(); -+ if(!e) { -+ res = CURLE_OUT_OF_MEMORY; -+ goto test_cleanup; -+ } -+ easies[i] = e; -+ -+ res = curl_easy_setopt(e, CURLOPT_URL, "https://www.example.com/"); -+ if(!res) -+ res = curl_easy_setopt(e, CURLOPT_VERBOSE, 1L); -+ if(res) -+ goto test_cleanup; -+ -+ mres = curl_multi_add_handle(m, e); -+ if(mres != CURLM_OK) { -+ printf("MULTI ERROR: %s\n", curl_multi_strerror(mres)); -+ res = CURLE_FAILED_INIT; -+ goto test_cleanup; -+ } -+ } -+ -+test_cleanup: -+ -+ if(res) -+ printf("ERROR: %s\n", curl_easy_strerror(res)); -+ -+ for(i = 0; i < 1000; i++) { -+ if(easies[i]) { -+ curl_multi_add_handle(m, easies[i]); -+ curl_easy_cleanup(easies[i]); -+ easies[i] = NULL; -+ } -+ } -+ curl_multi_cleanup(m); -+ curl_global_cleanup(); -+ -+ return res; -+} diff --git a/curl.spec b/curl.spec index 555fe8e..dd4e145 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.14.0 +Version: 8.14.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -16,9 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Fix 8.14.0 regression: https://github.com/curl/curl/issues/17473 -Patch001: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -410,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jun 04 2025 Jan Macku - 8.14.1-1 +- new upstream release +- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) + * Wed May 28 2025 Jan Macku - 8.14.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2025-5025 - No QUIC certificate pinning with wolfSSL diff --git a/sources b/sources index c4de0f0..0f72a68 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.14.0.tar.xz) = d9f49cac0b93dbc53879713cc017392b4277d84b489bbf2ef3b585c6a50eea6c3a7b80043286b34062af04329560f2dc321f315b0038ce93435aa9bbcaec1eea -SHA512 (curl-8.14.0.tar.xz.asc) = 7c147ddb5e141dd9951e2ef6b23fa120318c0e631fb36861b80fce61b4b19ca08273a6b95627f46a8172945fb51bd790ffc74dee0a4b0de860dad518963b4710 +SHA512 (curl-8.14.1.tar.xz) = 7f6eae04cc23c50fc41d448aa28dfa59141018009e42c5b1e3f4e0d40c0633460b4e6eec05dfc290f7953671096abfa70a8b5443fccdd3f1be6be32ac10b31d9 +SHA512 (curl-8.14.1.tar.xz.asc) = 663b1652bb27338310d1475a8b0422f04e68fca74be11a4b7120de948af4fc0c2b08b75ce5372d657aa89504a27b36b937b5091cb2d932297a7490d5e390d99f From 1b9d79c6fd4fee6d966e917589125b48c12493ad Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 23 Jun 2025 10:29:25 +0200 Subject: [PATCH 236/256] new upstream release - 8.15.0~rc1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index dd4e145..f21017b 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.14.1 +Version: 8.15.0~rc1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 +- new upstream release candidate + * Wed Jun 04 2025 Jan Macku - 8.14.1-1 - new upstream release - drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) diff --git a/sources b/sources index 0f72a68..8eec045 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.14.1.tar.xz) = 7f6eae04cc23c50fc41d448aa28dfa59141018009e42c5b1e3f4e0d40c0633460b4e6eec05dfc290f7953671096abfa70a8b5443fccdd3f1be6be32ac10b31d9 -SHA512 (curl-8.14.1.tar.xz.asc) = 663b1652bb27338310d1475a8b0422f04e68fca74be11a4b7120de948af4fc0c2b08b75ce5372d657aa89504a27b36b937b5091cb2d932297a7490d5e390d99f +SHA512 (curl-8.15.0-rc1.tar.xz) = eedabb0e416e119107e05c1b6afa04b4157f0381a3572c352e996ff682302690dbe34b75f39d49f6b7a26667eb673f06bd311853e73b9a82839eb1d8a43abe60 +SHA512 (curl-8.15.0-rc1.tar.xz.asc) = 8dbd61cc5246dc6244ac3bc16f9411d3bfe84bae8bd52935dd82d114c92a3be01116963d5518dea12426fbc5d6b45d9baec8354f9183c51f9cddf3204953d865 From 1984beb5371b749ce9fdcd32fde589c2860dc8d5 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 30 Jun 2025 13:44:33 +0200 Subject: [PATCH 237/256] new upstream release - 8.15.0~rc2 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index f21017b..bdb28fb 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc1 +Version: 8.15.0~rc2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 +- new upstream release candidate + * Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 - new upstream release candidate diff --git a/sources b/sources index 8eec045..9da21bd 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc1.tar.xz) = eedabb0e416e119107e05c1b6afa04b4157f0381a3572c352e996ff682302690dbe34b75f39d49f6b7a26667eb673f06bd311853e73b9a82839eb1d8a43abe60 -SHA512 (curl-8.15.0-rc1.tar.xz.asc) = 8dbd61cc5246dc6244ac3bc16f9411d3bfe84bae8bd52935dd82d114c92a3be01116963d5518dea12426fbc5d6b45d9baec8354f9183c51f9cddf3204953d865 +SHA512 (curl-8.15.0-rc2.tar.xz) = 9b4e04b0e2ff5d7a432ea931a965e7ee73103c5430c59b029ea9846358ed052c1353ea12a5636809a78df370e8639254103eb5e4614b75f33a65683044599580 +SHA512 (curl-8.15.0-rc2.tar.xz.asc) = 4aa6e38ec97159802cada0d89c374d06d5eba145139a8fd9f1bc52c42d296088ed559296fe7847b906eb852d382c523f7e48f0f5e03b30fef7996181e6628c10 From c602d3aa5676dfaf8bcff41b8daa26f27eb6856d Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 10 Jul 2025 09:21:53 +0200 Subject: [PATCH 238/256] new upstream release - 8.15.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index bdb28fb..1045a24 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc2 +Version: 8.15.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 +- new upstream release candidate + * Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index 9da21bd..0642c98 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc2.tar.xz) = 9b4e04b0e2ff5d7a432ea931a965e7ee73103c5430c59b029ea9846358ed052c1353ea12a5636809a78df370e8639254103eb5e4614b75f33a65683044599580 -SHA512 (curl-8.15.0-rc2.tar.xz.asc) = 4aa6e38ec97159802cada0d89c374d06d5eba145139a8fd9f1bc52c42d296088ed559296fe7847b906eb852d382c523f7e48f0f5e03b30fef7996181e6628c10 +SHA512 (curl-8.15.0-rc3.tar.xz) = 0f1f99bc69fde58f5e9348543e9aee9ca7c27642f04c380f233c6b3280ae53b9d65529ede8fe831ea6770d3657963f02dc8604a5006e805c6f4519cac79c8d01 +SHA512 (curl-8.15.0-rc3.tar.xz.asc) = 41cb379d5bceb5eadad86d007a3352846ebeaca383ef6448b58dc597ebc914a0fd4aaaf19dc4d47557ea06933b981f2db617a07e27848d2ff32fbb1dc7f52fca From e6d7e2ed2d76eaac3c5e59273a81872976efef7e Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 16 Jul 2025 10:14:01 +0200 Subject: [PATCH 239/256] new upstream release - 8.15.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 1045a24..885ba52 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc3 +Version: 8.15.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 16 2025 Jan Macku - 8.15.0-1 +- new upstream release + * Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 0642c98..fe20191 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc3.tar.xz) = 0f1f99bc69fde58f5e9348543e9aee9ca7c27642f04c380f233c6b3280ae53b9d65529ede8fe831ea6770d3657963f02dc8604a5006e805c6f4519cac79c8d01 -SHA512 (curl-8.15.0-rc3.tar.xz.asc) = 41cb379d5bceb5eadad86d007a3352846ebeaca383ef6448b58dc597ebc914a0fd4aaaf19dc4d47557ea06933b981f2db617a07e27848d2ff32fbb1dc7f52fca +SHA512 (curl-8.15.0.tar.xz) = d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191 +SHA512 (curl-8.15.0.tar.xz.asc) = b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5 From cc5717f9ec610100193bee9eae480f7dad24fa24 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 18:56:38 +0000 Subject: [PATCH 240/256] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 885ba52..ced8578 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.15.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Wed Jul 16 2025 Jan Macku - 8.15.0-1 - new upstream release From e4069769c832d7469bbbeb654b28427c346514dd Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 25 Aug 2025 10:43:21 +0200 Subject: [PATCH 241/256] new upstream release - 8.16.0~rc2 --- 0101-curl-7.32.0-multilib.patch | 14 +++++++------- curl.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index e7b2a32..79e9855 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From 495c771a6f9be008b783c5f59285d30fdc15fd63 Mon Sep 17 00:00:00 2001 +From ae56f768f418e1dd91f9eb3edf1a88453f61e160 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Mon, 10 Mar 2025 14:23:59 +0100 +Date: Mon, 25 Aug 2025 10:41:12 +0200 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 5518416..324e0b7 100644 +index ce23519..bb43ca8 100644 --- a/curl-config.in +++ b/curl-config.in @@ -74,7 +74,7 @@ while test "$#" -gt 0; do @@ -26,12 +26,12 @@ index 5518416..324e0b7 100644 ;; --libs) -- if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then +- if test "@libdir@" != '/usr/lib' -a "@libdir@" != '/usr/lib64'; then - curllibdir="-L@libdir@ " - else - curllibdir='' - fi -- if test 'X@ENABLE_SHARED@' = 'Xno'; then +- if test '@ENABLE_SHARED@' = 'no'; then - echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${curllibdir}-lcurl" @@ -44,7 +44,7 @@ index 5518416..324e0b7 100644 ;; --static-libs) -- if test 'X@ENABLE_STATIC@' != 'Xno'; then +- if test '@ENABLE_STATIC@' != 'no'; then - echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 @@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644 Name: libcurl URL: https://curl.se/ -- -2.48.1 +2.50.1 diff --git a/curl.spec b/curl.spec index ced8578..e780804 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0 -Release: 2%{?dist} +Version: 8.16.0~rc2 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 +- new upstream release candidate + * Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild diff --git a/sources b/sources index fe20191..ad9b1ad 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0.tar.xz) = d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191 -SHA512 (curl-8.15.0.tar.xz.asc) = b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5 +SHA512 (curl-8.16.0-rc2.tar.xz.asc) = c180343f1037cf51eb32c61035a4da7e728c2ee7f8d4ca1d464545b9b4044b30963e6b1ce424951a151ff901d7c7f4d56e7a54dacc581fc2c5c3b54349c155eb +SHA512 (curl-8.16.0-rc2.tar.xz) = 7cc4f56a05634c651cf7224d3844359498d127f259e531aadefe86f6df3a7fc5f6644c296407d38867ddb716fe3e4951d377592f6d977c196ad1a733374e608f From 581c1b9ace3de047af9bec6a8a59cf0c9f36c91c Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 3 Sep 2025 10:39:46 +0200 Subject: [PATCH 242/256] new upstream release - 8.16.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index e780804..0a7e2b9 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0~rc2 +Version: 8.16.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 +- new upstream release candidate + * Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index ad9b1ad..9d707b2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0-rc2.tar.xz.asc) = c180343f1037cf51eb32c61035a4da7e728c2ee7f8d4ca1d464545b9b4044b30963e6b1ce424951a151ff901d7c7f4d56e7a54dacc581fc2c5c3b54349c155eb -SHA512 (curl-8.16.0-rc2.tar.xz) = 7cc4f56a05634c651cf7224d3844359498d127f259e531aadefe86f6df3a7fc5f6644c296407d38867ddb716fe3e4951d377592f6d977c196ad1a733374e608f +SHA512 (curl-8.16.0-rc3.tar.xz) = 119e00ac9c150ac1d61ce5eeb522168b8a1c68d6576077400222170e0bd9b25dbe53182166a194058e58831a8768c1b7d9145fd5051c4e13bcd12841eb3a7284 +SHA512 (curl-8.16.0-rc3.tar.xz.asc) = 50e484772ac1e8390222ce21702c6995c96b4da99d1e0f2e233b7226b48b5ce3a290d6050963e1e2c519b9a29d2ded7134d3bd4e765a946a8abbae3c67e31d32 From 4335a7a3cb25cd33eea86ac9fc8d41bb67fd857f Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 10 Sep 2025 08:56:14 +0200 Subject: [PATCH 243/256] new upstream release - 8.16.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 0a7e2b9..bf0f7ee 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0~rc3 +Version: 8.16.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 10 2025 Jan Macku - 8.16.0-1 +- new upstream release + * Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 9d707b2..8b5feac 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0-rc3.tar.xz) = 119e00ac9c150ac1d61ce5eeb522168b8a1c68d6576077400222170e0bd9b25dbe53182166a194058e58831a8768c1b7d9145fd5051c4e13bcd12841eb3a7284 -SHA512 (curl-8.16.0-rc3.tar.xz.asc) = 50e484772ac1e8390222ce21702c6995c96b4da99d1e0f2e233b7226b48b5ce3a290d6050963e1e2c519b9a29d2ded7134d3bd4e765a946a8abbae3c67e31d32 +SHA512 (curl-8.16.0.tar.xz) = 8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621 +SHA512 (curl-8.16.0.tar.xz.asc) = 591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82 From 804c73ca4bbb4d7a3f454bf93fa621bd3fd06feb Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Fri, 12 Sep 2025 10:40:12 -0700 Subject: [PATCH 244/256] Update test URLs to Fedora 42 to fix tests Tests currently fail because Fedora 38 is archived. This bumps the version to 42 and updates the expected content. This will need updating again annually or so. It'd be safer to use something that doesn't age out frequently instead. Signed-off-by: Adam Williamson --- tests/non-root-user-download/runtest.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 4d51e62..0d72276 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" From 9776a6bb744df02f85cf73c3b8a02e0e387ae915 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 13 Oct 2025 10:25:01 +0200 Subject: [PATCH 245/256] new upstream release - 8.17.0~rc1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index bf0f7ee..f247bf3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0 +Version: 8.17.0~rc1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 +- new upstream release candidate + * Wed Sep 10 2025 Jan Macku - 8.16.0-1 - new upstream release diff --git a/sources b/sources index 8b5feac..c657397 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0.tar.xz) = 8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621 -SHA512 (curl-8.16.0.tar.xz.asc) = 591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82 +SHA512 (curl-8.17.0-rc1.tar.xz) = bbaa3c97860f51c069dfc448d212a0d2149abfe76429bd4e7e3b005f44851e609008b90f5ed5caad048b5815043433248b495c41edf04d4bb5b76a8af41ede02 +SHA512 (curl-8.17.0-rc1.tar.xz.asc) = e86f7c9000ee5e8ee775947e720a17cf327b1f3053d6a6d92d3d1d27ed8dacefe1934ce3ee67b1efd59a601e0312bcffd1fb0900b760fda15e0fe7ba1a892c8f From 6bf2cb17bf9b14db4abc7a4f85e502629eafbbf3 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 21 Oct 2025 13:12:51 +0200 Subject: [PATCH 246/256] new upstream release - 8.17.0~rc2 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index f247bf3..6784164 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc1 +Version: 8.17.0~rc2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 +- new upstream release candidate + * Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 - new upstream release candidate diff --git a/sources b/sources index c657397..5bd897d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc1.tar.xz) = bbaa3c97860f51c069dfc448d212a0d2149abfe76429bd4e7e3b005f44851e609008b90f5ed5caad048b5815043433248b495c41edf04d4bb5b76a8af41ede02 -SHA512 (curl-8.17.0-rc1.tar.xz.asc) = e86f7c9000ee5e8ee775947e720a17cf327b1f3053d6a6d92d3d1d27ed8dacefe1934ce3ee67b1efd59a601e0312bcffd1fb0900b760fda15e0fe7ba1a892c8f +SHA512 (curl-8.17.0-rc2.tar.xz) = bc7d63e72787c5960a7107e2227b70e761aef2e2e63bda0f13f8c944b31a4e98acc1ca72bde25ff9eba3d97cee38e58e51359dffcfdf59310c6722d3a0986b54 +SHA512 (curl-8.17.0-rc2.tar.xz.asc) = d5bd939f0a004f6ae46f0fca1e05f6f7c4d6e77c3a65641c9b081a28589385a44b51fa968e0a7c35dd76caebe1f4d59ac0b26e0fc84378fd1d57c3ce513c4a2a From 9bd80279ea75fc37dcc6767e0061bc46e4893607 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 30 Oct 2025 09:34:03 +0100 Subject: [PATCH 247/256] new upstream release - 8.17.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 6784164..2cb6993 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc2 +Version: 8.17.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 +- new upstream release candidate + * Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index 5bd897d..0a3353d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc2.tar.xz) = bc7d63e72787c5960a7107e2227b70e761aef2e2e63bda0f13f8c944b31a4e98acc1ca72bde25ff9eba3d97cee38e58e51359dffcfdf59310c6722d3a0986b54 -SHA512 (curl-8.17.0-rc2.tar.xz.asc) = d5bd939f0a004f6ae46f0fca1e05f6f7c4d6e77c3a65641c9b081a28589385a44b51fa968e0a7c35dd76caebe1f4d59ac0b26e0fc84378fd1d57c3ce513c4a2a +SHA512 (curl-8.17.0-rc3.tar.xz) = ffa33aaec6c84ee2a9838e4d10f70e905ac414b920794215a0abb5a537e441187b4fd4eba2e1d8103d43375dc6bdf6995f097d22523c6e4ca1172bf0c3e1c347 +SHA512 (curl-8.17.0-rc3.tar.xz.asc) = b2ecef9a04d8337dabfde6be96e9b6fc9151d56dcc8aeb93ce8c5949ba0aaa6bbaf72f25ef3af8a0d4ffc92999d5f5498cead4f519fc0473c4cd311e28d54774 From d2da397853a1847f0a9c1be02842a7720227ec55 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 6 Nov 2025 15:10:09 +0100 Subject: [PATCH 248/256] new upstream release - 8.17.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 2cb6993..f96c5aa 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc3 +Version: 8.17.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +*Mon Nov 10 2025 Jan Macku - 8.17.0-1 +- new upstream release + * Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 0a3353d..2d835d7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc3.tar.xz) = ffa33aaec6c84ee2a9838e4d10f70e905ac414b920794215a0abb5a537e441187b4fd4eba2e1d8103d43375dc6bdf6995f097d22523c6e4ca1172bf0c3e1c347 -SHA512 (curl-8.17.0-rc3.tar.xz.asc) = b2ecef9a04d8337dabfde6be96e9b6fc9151d56dcc8aeb93ce8c5949ba0aaa6bbaf72f25ef3af8a0d4ffc92999d5f5498cead4f519fc0473c4cd311e28d54774 +SHA512 (curl-8.17.0.tar.xz.asc) = e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2 +SHA512 (curl-8.17.0.tar.xz) = fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca From b15bd53eb8d0de3ade9fb785b019f4d36aba07d5 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Nov 2025 09:24:32 +0100 Subject: [PATCH 249/256] remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead --- curl.spec | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index f96c5aa..8e3d696 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -366,6 +366,11 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la +# do not install bundled wcurl utility +# it is provided by the wcurl package +rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* + %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal @@ -381,8 +386,6 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* -%{_bindir}/wcurl -%{_mandir}/man1/wcurl.1* %{_datadir}/zsh %files -n libcurl @@ -407,7 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -*Mon Nov 10 2025 Jan Macku - 8.17.0-1 +* Thu Nov 13 2025 Jan Macku - 8.17.0-2 +- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead + +* Mon Nov 10 2025 Jan Macku - 8.17.0-1 - new upstream release * Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 From 6803c01e8da370a26d6cd6206093cd8f51ac3bae Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Nov 2025 16:01:43 +0100 Subject: [PATCH 250/256] recommend wcurl package instead of bundled wcurl utility --- curl.spec | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 8e3d696..ca173a3 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -28,6 +28,11 @@ Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ +%if 0%{?fedora} +# instead of bundled wcurl utility, recommend wcurl package +Recommends: wcurl +%endif + # The reason for maintaining two separate packages for curl is no longer valid. # The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. # For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 @@ -410,6 +415,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 13 2025 Jan Macku - 8.17.0-3 +- recommend wcurl package instead of bundled wcurl utility + * Thu Nov 13 2025 Jan Macku - 8.17.0-2 - remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead From 7d91f53d81f6aa9e760638a1e4dceb82a5b839b7 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 4 Dec 2025 09:59:27 +0100 Subject: [PATCH 251/256] http3: apply upstream patches for valgrind issues Related: #2408809 --- ...rl-8.17.0-vquic-do_sendmsg-full-init.patch | 34 +++++++++++++++++++ ...0-ngtcp2-openssl-fix-leak-of-session.patch | 32 +++++++++++++++++ curl.spec | 9 ++++- 3 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch create mode 100644 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch diff --git a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch new file mode 100644 index 0000000..f41b79a --- /dev/null +++ b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch @@ -0,0 +1,34 @@ +From aa95d1ceda65e7aa20110a69742797d80009e7de Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 27 Nov 2025 10:23:43 +0100 +Subject: [PATCH 1/2] vquic: do_sendmsg full init + +When passing a `msg_ctrl` to sendmsg() as part of GSO handling, zero the +complete array. This fixes any false positives by valgrind that complain +about uninitialised memory, even though the kernel only ever accesses +the first two bytes. + +Reported-by: Aleksei Bavshin +Fixes #19714 +Closes #19715 + +(cherry picked from commit a9e7a027ed866b791c12a3c701dc40304f4e00cb) +--- + lib/vquic/vquic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/vquic/vquic.c b/lib/vquic/vquic.c +index 7533001ea..2e8d8e5cd 100644 +--- a/lib/vquic/vquic.c ++++ b/lib/vquic/vquic.c +@@ -144,6 +144,7 @@ static CURLcode do_sendmsg(struct Curl_cfilter *cf, + if(pktlen > gsolen) { + /* Only set this, when we need it. macOS, for example, + * does not seem to like a msg_control of length 0. */ ++ memset(msg_ctrl, 0, sizeof(msg_ctrl)); + msg.msg_control = msg_ctrl; + assert(sizeof(msg_ctrl) >= CMSG_SPACE(sizeof(int))); + msg.msg_controllen = CMSG_SPACE(sizeof(int)); +-- +2.52.0 + diff --git a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch new file mode 100644 index 0000000..4db6234 --- /dev/null +++ b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch @@ -0,0 +1,32 @@ +From a11ab7ad4ea0d97ac0d5af1e28b30b00c37c3c3c Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 27 Nov 2025 12:11:39 +0100 +Subject: [PATCH 2/2] ngtcp2+openssl: fix leak of session + +Fix return value indicating to OpenSSL if reference to session is kept +(it is not), so OpenSSL frees it. + +Reported-by: Aleksei Bavshin +Fixes #19717 +Closes #19718 + +(cherry picked from commit 9bb5c0578b39e5b086b6a9db5c6eb299a0fe1c5c) +--- + lib/vquic/curl_ngtcp2.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c +index f72f6630f..069dcb67e 100644 +--- a/lib/vquic/curl_ngtcp2.c ++++ b/lib/vquic/curl_ngtcp2.c +@@ -2262,7 +2262,6 @@ static int quic_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + #endif + Curl_ossl_add_session(cf, data, ctx->peer.scache_key, ssl_sessionid, + SSL_version(ssl), "h3", quic_tp, quic_tp_len); +- return 1; + } + return 0; + } +-- +2.52.0 + diff --git a/curl.spec b/curl.spec index ca173a3..a58a893 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 3%{?dist} +Release: 4%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -16,6 +16,10 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Fix valgrind issues in HTTP/3 +Patch001: 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch +Patch002: 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -415,6 +419,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Dec 04 2025 Jan Macku - 8.17.0-4 +- apply upstream patches for valgrind issues in HTTP/3 (#2408809) + * Thu Nov 13 2025 Jan Macku - 8.17.0-3 - recommend wcurl package instead of bundled wcurl utility From fe73859ecd63f56854b599eda9bc8d991c933d8b Mon Sep 17 00:00:00 2001 From: Aleksei Bavshin Date: Thu, 9 Oct 2025 14:36:47 -0700 Subject: [PATCH 252/256] Enable HTTP/3 support with ngtcp2 --- curl.spec | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index a58a893..a47f422 100644 --- a/curl.spec +++ b/curl.spec @@ -4,10 +4,15 @@ # Change the bcond to 0 to turn off ENGINE support by default %bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] +# HTTP/3 support +# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's +# experimental native OpenSSL 3.5 support. +%bcond http3 %[0%{?fedora} >= 43] + Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 4%{?dist} +Release: 5%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -50,10 +55,16 @@ BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel BuildRequires: libnghttp2-devel +%if %{with http3} +BuildRequires: libnghttp3-devel +%endif BuildRequires: libpsl-devel BuildRequires: libssh-devel BuildRequires: libtool BuildRequires: make +%if %{with http3} +BuildRequires: ngtcp2-crypto-ossl-devel +%endif BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server @@ -148,6 +159,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#2144277) %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) +# require at least the version of libnghttp3 that we were built against, +# to ensure that we have the necessary symbols available +%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) @@ -156,6 +171,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) +# require at least the version of ngtcp2 that we were built against, +# to ensure that we have the necessary symbols available +%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) + # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, #1462211) # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) @@ -172,8 +191,14 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} +%if %{with http3} +Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} +%endif Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} +%if %{with http3} +Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} +%endif Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} @@ -313,7 +338,11 @@ export common_configure_opts=" \ --enable-websockets \ --with-brotli \ --with-libpsl \ - --with-libssh + --with-libssh \ +%if %{with http3} + --with-nghttp3 \ + --with-ngtcp2 \ +%endif ) # avoid using rpath @@ -419,6 +448,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 +- Enable HTTP/3 support with ngtcp2 + * Thu Dec 04 2025 Jan Macku - 8.17.0-4 - apply upstream patches for valgrind issues in HTTP/3 (#2408809) From 9d9fd36c2e8580eea7562a01230282bde942487e Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 9 Dec 2025 08:50:28 +0100 Subject: [PATCH 253/256] new upstream release - 8.18.0~rc1 --- ...rl-8.17.0-vquic-do_sendmsg-full-init.patch | 34 ------------------- ...0-ngtcp2-openssl-fix-leak-of-session.patch | 32 ----------------- curl.spec | 12 +++---- sources | 4 +-- 4 files changed, 8 insertions(+), 74 deletions(-) delete mode 100644 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch delete mode 100644 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch diff --git a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch deleted file mode 100644 index f41b79a..0000000 --- a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch +++ /dev/null @@ -1,34 +0,0 @@ -From aa95d1ceda65e7aa20110a69742797d80009e7de Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 27 Nov 2025 10:23:43 +0100 -Subject: [PATCH 1/2] vquic: do_sendmsg full init - -When passing a `msg_ctrl` to sendmsg() as part of GSO handling, zero the -complete array. This fixes any false positives by valgrind that complain -about uninitialised memory, even though the kernel only ever accesses -the first two bytes. - -Reported-by: Aleksei Bavshin -Fixes #19714 -Closes #19715 - -(cherry picked from commit a9e7a027ed866b791c12a3c701dc40304f4e00cb) ---- - lib/vquic/vquic.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/vquic/vquic.c b/lib/vquic/vquic.c -index 7533001ea..2e8d8e5cd 100644 ---- a/lib/vquic/vquic.c -+++ b/lib/vquic/vquic.c -@@ -144,6 +144,7 @@ static CURLcode do_sendmsg(struct Curl_cfilter *cf, - if(pktlen > gsolen) { - /* Only set this, when we need it. macOS, for example, - * does not seem to like a msg_control of length 0. */ -+ memset(msg_ctrl, 0, sizeof(msg_ctrl)); - msg.msg_control = msg_ctrl; - assert(sizeof(msg_ctrl) >= CMSG_SPACE(sizeof(int))); - msg.msg_controllen = CMSG_SPACE(sizeof(int)); --- -2.52.0 - diff --git a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch deleted file mode 100644 index 4db6234..0000000 --- a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch +++ /dev/null @@ -1,32 +0,0 @@ -From a11ab7ad4ea0d97ac0d5af1e28b30b00c37c3c3c Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 27 Nov 2025 12:11:39 +0100 -Subject: [PATCH 2/2] ngtcp2+openssl: fix leak of session - -Fix return value indicating to OpenSSL if reference to session is kept -(it is not), so OpenSSL frees it. - -Reported-by: Aleksei Bavshin -Fixes #19717 -Closes #19718 - -(cherry picked from commit 9bb5c0578b39e5b086b6a9db5c6eb299a0fe1c5c) ---- - lib/vquic/curl_ngtcp2.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c -index f72f6630f..069dcb67e 100644 ---- a/lib/vquic/curl_ngtcp2.c -+++ b/lib/vquic/curl_ngtcp2.c -@@ -2262,7 +2262,6 @@ static int quic_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) - #endif - Curl_ossl_add_session(cf, data, ctx->peer.scache_key, ssl_sessionid, - SSL_version(ssl), "h3", quic_tp, quic_tp_len); -- return 1; - } - return 0; - } --- -2.52.0 - diff --git a/curl.spec b/curl.spec index a47f422..6ce39e2 100644 --- a/curl.spec +++ b/curl.spec @@ -11,8 +11,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0 -Release: 5%{?dist} +Version: 8.18.0~rc1 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -21,10 +21,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Fix valgrind issues in HTTP/3 -Patch001: 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch -Patch002: 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -448,6 +444,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 +- new upstream release candidate +- drop upstreamed patches + * Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 - Enable HTTP/3 support with ngtcp2 diff --git a/sources b/sources index 2d835d7..80cbe05 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0.tar.xz.asc) = e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2 -SHA512 (curl-8.17.0.tar.xz) = fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca +SHA512 (curl-8.18.0-rc1.tar.xz) = 34cb17db3b16458a82b6f2c6c72f967cd028449a74a026acb2b6085161644ad352adf9cc9324d1e3264caf9039424bc53863e55ce92da7971e15871fee0c2551 +SHA512 (curl-8.18.0-rc1.tar.xz.asc) = 6b64d4d035de78f5111cc4cd7aaf4f6e5d4f14e5ee6685a3ff4e5d67f93aa45008a6c85f62cea54800872815fc01158339fc5d53959d060062cffce327a5346d From 9e1a11614b37b5a26a09a2bca7f81270633e3cbc Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 16 Dec 2025 14:49:18 +0100 Subject: [PATCH 254/256] new upstream release - 8.18.0~rc2 --- 0101-curl-7.32.0-multilib.patch | 14 +++++----- 0105-curl-8.11.1-test616.patch | 48 --------------------------------- curl.spec | 14 +++++----- sources | 4 +-- 4 files changed, 17 insertions(+), 63 deletions(-) delete mode 100644 0105-curl-8.11.1-test616.patch diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 79e9855..f7f66e6 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From ae56f768f418e1dd91f9eb3edf1a88453f61e160 Mon Sep 17 00:00:00 2001 +From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Mon, 25 Aug 2025 10:41:12 +0200 +Date: Tue, 16 Dec 2025 10:04:40 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index ce23519..bb43ca8 100644 +index a1c8185875..bb43ca8335 100644 --- a/curl-config.in +++ b/curl-config.in @@ -74,7 +74,7 @@ while test "$#" -gt 0; do @@ -26,7 +26,7 @@ index ce23519..bb43ca8 100644 ;; --libs) -- if test "@libdir@" != '/usr/lib' -a "@libdir@" != '/usr/lib64'; then +- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then - curllibdir="-L@libdir@ " - else - curllibdir='' @@ -61,7 +61,7 @@ index ce23519..bb43ca8 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index 12ad245..fa0e03d 100644 +index 12ad245b79..fa0e03d273 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. @@ -76,7 +76,7 @@ index 12ad245..fa0e03d 100644 ## `--version` diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba524..f3645e1 100644 +index c0ba5244a8..f3645e1748 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644 Name: libcurl URL: https://curl.se/ -- -2.50.1 +2.52.0 diff --git a/0105-curl-8.11.1-test616.patch b/0105-curl-8.11.1-test616.patch deleted file mode 100644 index 91bde80..0000000 --- a/0105-curl-8.11.1-test616.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 82baec8c7cd40361585d8793dfe4531f7aad30e3 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 11 Dec 2024 13:16:12 +0100 -Subject: [PATCH] test616: disable valgrind - -Valgrind disable was removed in upstream in https://github.com/curl/curl/commit/c91c37b6e87ceee760b7bb334c8e97e03ee93e93#diff-e01fd8774cf5b26329c7dc7dc03ec49745469205f3d501ced72c9d133455d5e7L35 -But test 616 is still failing under valgrind, so disable valgrind for this test. - -``` - valgrind ERROR ==188588== 144 bytes in 1 blocks are definitely lost in loss record 1 of 1 -==188588== at 0x484B133: calloc (vg_replace_malloc.c:1675) -==188588== by 0x4BB7575: ??? (in /usr/lib64/libssh.so.4.10.1) -==188588== by 0x4BB8CC6: sftp_fstat (in /usr/lib64/libssh.so.4.10.1) -==188588== by 0x48EEAFB: myssh_statemach_act (libssh.c:1610) -==188588== by 0x48F1B9D: myssh_multi_statemach.lto_priv.0 (libssh.c:2095) -==188588== by 0x48BA971: UnknownInlinedFun (multi.c:1643) -==188588== by 0x48BA971: UnknownInlinedFun (multi.c:2314) -==188588== by 0x48BA971: multi_runsingle (multi.c:2768) -==188588== by 0x48BCCA4: curl_multi_perform (multi.c:3016) -==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:701) -==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:796) -==188588== by 0x4884E4A: curl_easy_perform (easy.c:815) -==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:2902) -==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3127) -==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3249) -==188588== by 0x10C12B: main (tool_main.c:271) -==188588== -``` ---- - tests/data/test616 | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tests/data/test616 b/tests/data/test616 -index f76c68a..0ebc734 100644 ---- a/tests/data/test616 -+++ b/tests/data/test616 -@@ -32,5 +32,8 @@ SFTP retrieval of empty file - # - # Verify data after the test has been "shot" - -+ -+disable -+ - - --- -2.47.1 - diff --git a/curl.spec b/curl.spec index 6ce39e2..c2ec049 100644 --- a/curl.spec +++ b/curl.spec @@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0~rc1 +Version: 8.18.0~rc2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -24,9 +24,6 @@ Source2: mykey.asc # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch -# test616: disable valgrind -Patch105: 0105-curl-8.11.1-test616.patch - Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -414,9 +411,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %doc README %doc docs/BUGS.md %doc docs/DISTROS.md -%doc docs/FAQ +%doc docs/FAQ.md %doc docs/FEATURES.md -%doc docs/TODO +%doc docs/KNOWN_BUGS.md +%doc docs/TODO.md %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* @@ -444,6 +442,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 +- new upstream release candidate +- reenable valgrind on test 616 + * Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 - new upstream release candidate - drop upstreamed patches diff --git a/sources b/sources index 80cbe05..f75181e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.18.0-rc1.tar.xz) = 34cb17db3b16458a82b6f2c6c72f967cd028449a74a026acb2b6085161644ad352adf9cc9324d1e3264caf9039424bc53863e55ce92da7971e15871fee0c2551 -SHA512 (curl-8.18.0-rc1.tar.xz.asc) = 6b64d4d035de78f5111cc4cd7aaf4f6e5d4f14e5ee6685a3ff4e5d67f93aa45008a6c85f62cea54800872815fc01158339fc5d53959d060062cffce327a5346d +SHA512 (curl-8.18.0-rc2.tar.xz) = 4a71016d3a1d53bda007dc510c6eb7c1f35f04f4bb5c9cb1b10595e2ea15062993edd5fcdf73d008f6e91db48467e6a3428dd96e64ad9fb7acdf74db15ac5564 +SHA512 (curl-8.18.0-rc2.tar.xz.asc) = d3cfefd964958aa83da3005030899d12ed6ac0c456b2a2b1490a76a06c5abff839b4d70c1bad1d6218f9bdae0e63e368fc6a423ed10d03334609b499b7440762 From da5bf8f889f2af14cee4a633294b06b02f90ac16 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 5 Jan 2026 09:35:50 +0100 Subject: [PATCH 255/256] new upstream release - 8.18.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index c2ec049..758e807 100644 --- a/curl.spec +++ b/curl.spec @@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0~rc2 +Version: 8.18.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -442,6 +442,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 +- new upstream release candidate + * Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 - new upstream release candidate - reenable valgrind on test 616 diff --git a/sources b/sources index f75181e..5d0cff9 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.18.0-rc2.tar.xz) = 4a71016d3a1d53bda007dc510c6eb7c1f35f04f4bb5c9cb1b10595e2ea15062993edd5fcdf73d008f6e91db48467e6a3428dd96e64ad9fb7acdf74db15ac5564 -SHA512 (curl-8.18.0-rc2.tar.xz.asc) = d3cfefd964958aa83da3005030899d12ed6ac0c456b2a2b1490a76a06c5abff839b4d70c1bad1d6218f9bdae0e63e368fc6a423ed10d03334609b499b7440762 +SHA512 (curl-8.18.0-rc3.tar.xz) = 1139b79a6c4356fdf6f368812402c2f9bafcbaec6323c367aef85c4d00ffda9541a87ef476ce9a099142ef6f824b562c9dc840878add60a616f0e441fef44801 +SHA512 (curl-8.18.0-rc3.tar.xz.asc) = fac23b293cec82596ddd7757c0984e3977259c5116ddef719fad2a39a3723cf7cb5d85d12c5c5b2542f34a5411aa6f42f4fb08729fde6c564cd3567f2a3f0434 From 3c4947ef9777ff0e270d3680b23a3e10134ee68f Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 7 Jan 2026 11:16:40 +0100 Subject: [PATCH 256/256] new upstream release - 8.18.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 758e807..c0ad4db 100644 --- a/curl.spec +++ b/curl.spec @@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0~rc3 +Version: 8.18.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -442,6 +442,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jan 07 2026 Jan Macku - 8.18.0-1 +- new upstream release + * Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 5d0cff9..002e494 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.18.0-rc3.tar.xz) = 1139b79a6c4356fdf6f368812402c2f9bafcbaec6323c367aef85c4d00ffda9541a87ef476ce9a099142ef6f824b562c9dc840878add60a616f0e441fef44801 -SHA512 (curl-8.18.0-rc3.tar.xz.asc) = fac23b293cec82596ddd7757c0984e3977259c5116ddef719fad2a39a3723cf7cb5d85d12c5c5b2542f34a5411aa6f42f4fb08729fde6c564cd3567f2a3f0434 +SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c +SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152