diff --git a/0001-curl-8.11.1-eventfd.patch b/0001-curl-8.11.1-eventfd.patch new file mode 100644 index 0000000..3960452 --- /dev/null +++ b/0001-curl-8.11.1-eventfd.patch @@ -0,0 +1,31 @@ +From 17c06b1ed19147d9e641ad5bcd672e8bce451b46 Mon Sep 17 00:00:00 2001 +From: Andy Pan +Date: Thu, 12 Dec 2024 12:48:56 +0000 +Subject: [PATCH] async-thread: avoid closing eventfd twice + +When employing eventfd for socketpair, there is only one file +descriptor. Closing that fd twice might result in fd corruption. +Thus, we should avoid closing the eventfd twice, following the +pattern in lib/multi.c. + +Fixes #15725 +--- + lib/asyn-thread.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c +index a58e4b790494ab..32d496b107cb0a 100644 +--- a/lib/asyn-thread.c ++++ b/lib/asyn-thread.c +@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) + * close one end of the socket pair (may be done in resolver thread); + * the other end (for reading) is always closed in the parent thread. + */ ++#ifndef USE_EVENTFD + if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { + wakeup_close(tsd->sock_pair[1]); + } ++#endif + #endif + memset(tsd, 0, sizeof(*tsd)); + } diff --git a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch new file mode 100644 index 0000000..9000c48 --- /dev/null +++ b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch 
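Review bot: The 0001 patch carries no `(cherry picked from commit …)` trailer, unlike patches 0002–0005 in this same commit, so the upstream origin of this backport is only recoverable through `Fixes #15725` and the spec's Patch1 comment. The `From 17c06b1e…` header is likely the id of the locally formatted commit and may not match the upstream one. Recording the upstream commit id in a trailer, as the other four patches do, would make the provenance of this backport checkable the same way; the code change itself (the `#ifndef USE_EVENTFD` guard around the second close) matches the description and needs nothing further.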
@@ -0,0 +1,227 @@ +From b876aeb3f5d5c6539102f0575c0ec1d116388337 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 17 Jan 2025 11:57:00 +0100 +Subject: [PATCH] TLS: check connection for SSL use, not handler + +Protocol handler option PROTOPT_SSL is used to setup a connection +filters. Once that is done, used `Curl_conn_is_ssl()` to check if +a connection uses SSL. + +There may be other reasons to add SSL to a connection, e.g. starttls. + +Closes #16034 + +(cherry picked from commit 25b445e4796bcbf9f842de686a8c384b30f6c2a2) +--- + lib/cf-socket.c | 2 +- + lib/ftp.c | 2 +- + lib/http.c | 8 ++++---- + lib/http_negotiate.c | 3 ++- + lib/imap.c | 2 +- + lib/ldap.c | 3 ++- + lib/openldap.c | 2 +- + lib/pop3.c | 2 +- + lib/smb.c | 2 +- + lib/smtp.c | 2 +- + lib/url.c | 12 ++++++------ + 11 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/lib/cf-socket.c b/lib/cf-socket.c +index 497a3b965..de0c8a3ba 100644 +--- a/lib/cf-socket.c ++++ b/lib/cf-socket.c +@@ -1282,7 +1282,7 @@ static int do_connect(struct Curl_cfilter *cf, struct Curl_easy *data, + + rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); + #elif defined(MSG_FASTOPEN) /* old Linux */ +- if(cf->conn->given->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(cf->conn, cf->sockindex)) + rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); + else + rc = 0; /* Do nothing */ +diff --git a/lib/ftp.c b/lib/ftp.c +index 16ab0af0d..5137ddca4 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -3154,7 +3154,7 @@ static CURLcode ftp_connect(struct Curl_easy *data, + + PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp); + +- if(conn->handler->flags & PROTOPT_SSL) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + /* BLOCKING */ + result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); + if(result) +diff --git a/lib/http.c b/lib/http.c +index 35e708551..8e9f0a52e 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2526,7 +2526,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) 
+ goto fail; + } + +- if(!(conn->handler->flags&PROTOPT_SSL) && ++ if(!Curl_conn_is_ssl(conn, FIRSTSOCKET) && + conn->httpversion < 20 && + (data->state.httpwant == CURL_HTTP_VERSION_2)) { + /* append HTTP2 upgrade magic stuff to the HTTP request if it is not done +@@ -2672,7 +2672,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, + case 'A': + #ifndef CURL_DISABLE_ALTSVC + v = (data->asi && +- ((data->conn->handler->flags & PROTOPT_SSL) || ++ (Curl_conn_is_ssl(data->conn, FIRSTSOCKET) || + #ifdef DEBUGBUILD + /* allow debug builds to circumvent the HTTPS restriction */ + getenv("CURL_ALTSVC_HTTP") +@@ -2938,7 +2938,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, + #ifndef CURL_DISABLE_HSTS + /* If enabled, the header is incoming and this is over HTTPS */ + v = (data->hsts && +- ((conn->handler->flags & PROTOPT_SSL) || ++ (Curl_conn_is_ssl(conn, FIRSTSOCKET) || + #ifdef DEBUGBUILD + /* allow debug builds to circumvent the HTTPS restriction */ + getenv("CURL_HSTS_HTTP") +@@ -4160,7 +4160,7 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers, + infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme); + } + else { +- scheme = (data->conn && data->conn->handler->flags & PROTOPT_SSL) ? ++ scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ? 
+ "https" : "http"; + } + } +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index 5d76bddf7..f031d0abc 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -27,6 +27,7 @@ + #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) + + #include "urldata.h" ++#include "cfilters.h" + #include "sendf.h" + #include "http_negotiate.h" + #include "vauth/vauth.h" +@@ -109,7 +110,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, + #endif + /* Check if the connection is using SSL and get the channel binding data */ + #if defined(USE_SSL) && defined(HAVE_GSSAPI) +- if(conn->handler->flags & PROTOPT_SSL) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); + result = Curl_ssl_get_channel_binding( + data, FIRSTSOCKET, &neg_ctx->channel_binding_data); +diff --git a/lib/imap.c b/lib/imap.c +index e424cdb05..df9dc343b 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1390,7 +1390,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct imap_conn *imapc = &conn->proto.imapc; + +- if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !imapc->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + imapc->ssldone = ssldone; +diff --git a/lib/ldap.c b/lib/ldap.c +index 2cbdb9c21..7dd40acef 100644 +--- a/lib/ldap.c ++++ b/lib/ldap.c +@@ -78,6 +78,7 @@ + + #include "urldata.h" + #include ++#include "cfilters.h" + #include "sendf.h" + #include "escape.h" + #include "progress.h" +@@ -346,7 +347,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + } + + /* Get the URL scheme (either ldap or ldaps) */ +- if(conn->given->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) + ldap_ssl = 1; + infof(data, "LDAP local: trying to establish %s connection", + ldap_ssl ? 
"encrypted" : "cleartext"); +diff --git a/lib/openldap.c b/lib/openldap.c +index 8c4af22be..9676ad3d0 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -571,7 +571,7 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done) + ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + + #ifdef USE_SSL +- if(conn->handler->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) + return oldap_ssl_connect(data, OLDAP_SSL); + + if(data->set.use_ssl) { +diff --git a/lib/pop3.c b/lib/pop3.c +index db6ec04c7..83dd64cda 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -1110,7 +1110,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct pop3_conn *pop3c = &conn->proto.pop3c; + +- if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !pop3c->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + pop3c->ssldone = ssldone; +diff --git a/lib/smb.c b/lib/smb.c +index a72ece62a..a2c82df5e 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -840,7 +840,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done) + + if(smbc->state == SMB_CONNECTING) { + #ifdef USE_SSL +- if((conn->handler->flags & PROTOPT_SSL)) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + bool ssl_done = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done); + if(result && result != CURLE_AGAIN) +diff --git a/lib/smtp.c b/lib/smtp.c +index d854d364f..c7fb0a4ca 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1286,7 +1286,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct smtp_conn *smtpc = &conn->proto.smtpc; + +- if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !smtpc->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, 
FALSE, &ssldone); + smtpc->ssldone = ssldone; +diff --git a/lib/url.c b/lib/url.c +index 436edd891..de200e1dd 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -958,12 +958,12 @@ static bool url_match_conn(struct connectdata *conn, void *userdata) + return FALSE; + #endif + +- if((needle->handler->flags&PROTOPT_SSL) != +- (conn->handler->flags&PROTOPT_SSL)) +- /* do not do mixed SSL and non-SSL connections */ +- if(get_protocol_family(conn->handler) != +- needle->handler->protocol || !conn->bits.tls_upgraded) +- /* except protocols that have been upgraded via TLS */ ++ if((!(needle->handler->flags&PROTOPT_SSL) != ++ !Curl_conn_is_ssl(conn, FIRSTSOCKET)) && ++ !(get_protocol_family(conn->handler) == needle->handler->protocol && ++ conn->bits.tls_upgraded)) ++ /* Deny `conn` if it is not fit for `needle`'s SSL needs, ++ * UNLESS `conn` is the same protocol family and was upgraded to SSL. */ + return FALSE; + + #ifndef CURL_DISABLE_PROXY +-- +2.48.1 + diff --git a/0003-curl-8.11.1-tool_formparse-accept-digits-in-form-type-strings.patch b/0003-curl-8.11.1-tool_formparse-accept-digits-in-form-type-strings.patch new file mode 100644 index 0000000..2829129 --- /dev/null +++ b/0003-curl-8.11.1-tool_formparse-accept-digits-in-form-type-strings.patch 
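Review bot: In the lib/http.c `Curl_http_req_to_h2` hunk the rewritten line drops the `data->conn &&` null guard the removed line had, so the backport now depends on `Curl_conn_is_ssl()` tolerating a NULL connection; that helper's body is not part of this patch, so it should be confirmed against 8.11.1's cfilters.c before the patch is applied. The other call sites converted in this patch pass a `conn` the surrounding code already dereferences, so only this one changes the null-safety contract. If the 8.11.1 helper does not check for NULL itself, the safe form is `scheme = (data->conn && Curl_conn_is_ssl(data->conn, FIRSTSOCKET)) ? "https" : "http";`.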
@@ -0,0 +1,73 @@ +From 0a4f5c593d785c4cafa322a5976d4c2b08f8cfa1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 17 Dec 2024 07:52:06 +0100 +Subject: [PATCH] tool_formparse: accept digits in --form type= strings + +Adjusted test 186 to verify. + +Regression in 9664d5a5475fdc66, shipped in 8.11.1 + +Reported-by: IcedCoffeee on github +Assisted-by: Jay Satiro +Fixes #15761 +Closes #15762 + +(cherry picked from commit f7e065f314f9d307af8f194a16c95cc754fefd4a) +--- + src/tool_formparse.c | 5 +++-- + tests/data/test186 | 6 +++--- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/tool_formparse.c b/src/tool_formparse.c +index ddbf1b1a7..814f240e6 100644 +--- a/src/tool_formparse.c ++++ b/src/tool_formparse.c +@@ -495,14 +495,15 @@ static int get_param_part(struct OperationConfig *config, char endchar, + ; + + if(!endct && checkprefix("type=", p)) { ++ size_t tlen; + for(p += 5; ISSPACE(*p); p++) + ; + /* set type pointer */ + type = p; + + /* find end of content-type */ +- while(*p && (ISALPHA(*p) || (*p == '/') || (*p == '-'))) +- p++; ++ tlen = strcspn(p, "()<>@,;:\\\"[]?=\r\n "); ++ p += tlen; + endct = p; + sep = *p; + } +diff --git a/tests/data/test186 b/tests/data/test186 +index f5c071946..006de7904 100644 +--- a/tests/data/test186 ++++ b/tests/data/test186 +@@ -31,7 +31,7 @@ http + HTTP RFC1867-type formposting with types on text fields + + +-http://%HOSTIP:%HTTPPORT/we/want/%TESTNUMBER -F "name=daniel;type=moo/foo" -F "html= hello;type=text/html;charset=verymoo" ++http://%HOSTIP:%HTTPPORT/we/want/%TESTNUMBER -F "name=daniel;type=moo/foo-.4" -F "html= hello;type=text/html;charset=verymoo" + + # We create this file before the command is invoked! 
+ +@@ -46,12 +46,12 @@ POST /we/want/%TESTNUMBER HTTP/1.1 + Host: %HOSTIP:%HTTPPORT + User-Agent: curl/%VERSION + Accept: */* +-Content-Length: 338 ++Content-Length: 341 + Content-Type: multipart/form-data; boundary=----------------------------212d9006ceb5 + + ------------------------------212d9006ceb5 + Content-Disposition: form-data; name="name" +-Content-Type: moo/foo ++Content-Type: moo/foo-.4 + + daniel + ------------------------------212d9006ceb5 +-- +2.49.0 + diff --git a/0004-curl-8.11.1-CVE-2025-9086.patch b/0004-curl-8.11.1-CVE-2025-9086.patch new file mode 100644 index 0000000..10c2de9 --- /dev/null +++ b/0004-curl-8.11.1-CVE-2025-9086.patch 
@@ -0,0 +1,53 @@ +From aa1c6961db8df9c50850b48e3d675066c54fa510 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 11 Aug 2025 20:23:05 +0200 +Subject: [PATCH] cookie: don't treat the leading slash as trailing + +If there is only a leading slash in the path, keep that. Also add an +assert to make sure the path is never blank. + +Reported-by: Google Big Sleep +Closes #18266 + +(cherry picked from commit c6ae07c6a541e0e96d0040afb62b45dd37711300) +--- + lib/cookie.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 773e5357d..7bf8b429f 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -304,7 +304,7 @@ static char *sanitize_cookie_path(const char *cookie_path) + } + + /* convert /hoge/ to /hoge */ +- if(len && new_path[len - 1] == '/') { ++ if(len > 1 && new_path[len - 1] == '/') { + new_path[len - 1] = 0x0; + } + +@@ -1007,7 +1007,7 @@ replace_existing(struct Curl_easy *data, + clist->spath && co->spath && /* both have paths */ + clist->secure && !co->secure && !secure) { + size_t cllen; +- const char *sep; ++ const char *sep = NULL; + + /* + * A non-secure cookie may not overlay an existing secure cookie. +@@ -1016,8 +1016,9 @@ replace_existing(struct Curl_easy *data, + * "/loginhelper" is ok. + */ + +- sep = strchr(clist->spath + 1, '/'); +- ++ DEBUGASSERT(clist->spath[0]); ++ if(clist->spath[0]) ++ sep = strchr(clist->spath + 1, '/'); + if(sep) + cllen = sep - clist->spath; + else +-- +2.51.0 + diff --git a/0005-curl-8.11.1-CVE-2025-10148.patch b/0005-curl-8.11.1-CVE-2025-10148.patch new file mode 100644 index 0000000..b37f548 --- /dev/null +++ b/0005-curl-8.11.1-CVE-2025-10148.patch 
@@ -0,0 +1,58 @@ +From 537b89d02f7200b3b81c833548d597a13aaf1ecf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 8 Sep 2025 14:14:15 +0200 +Subject: [PATCH] ws: get a new mask for each new outgoing frame + +Reported-by: Calvin Ruocco +Closes #18496 + +(cherry picked from commit 84db7a9eae8468c0445b15aa806fa7fa806fa0f2) +--- + lib/ws.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/lib/ws.c b/lib/ws.c +index 3d739a538..d6aadc167 100644 +--- a/lib/ws.c ++++ b/lib/ws.c +@@ -545,6 +545,7 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data, + unsigned char firstbyte = 0; + unsigned char opcode; + unsigned char head[14]; ++ CURLcode result; + size_t hlen; + ssize_t n; + +@@ -618,6 +619,13 @@ static ssize_t ws_enc_write_head(struct Curl_easy *data, + enc->payload_remain = enc->payload_len = payload_len; + ws_enc_info(enc, data, "sending"); + ++ /* 4 bytes random */ ++ ++ result = Curl_rand(data, (unsigned char *)&enc->mask, ++ sizeof(enc->mask)); ++ if(result) ++ return result; ++ + /* add 4 bytes mask */ + memcpy(&head[hlen], &enc->mask, 4); + hlen += 4; +@@ -808,14 +816,7 @@ CURLcode Curl_ws_accept(struct Curl_easy *data, + subprotocol not requested by the client), the client MUST Fail + the WebSocket Connection. */ + +- /* 4 bytes random */ +- +- result = Curl_rand(data, (unsigned char *)&ws->enc.mask, +- sizeof(ws->enc.mask)); +- if(result) +- return result; +- infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x", +- ws->enc.mask[0], ws->enc.mask[1], ws->enc.mask[2], ws->enc.mask[3]); ++ infof(data, "[WS] Received 101, switch to WebSocket"); + + /* Install our client writer that decodes WS frames payload */ + result = Curl_cwriter_create(&ws_dec_writer, data, &ws_cw_decode, +-- +2.51.0 + diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index f7f66e6..aec4fda 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch 
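Review bot: In the lib/ws.c hunk the enclosing function is declared `static ssize_t ws_enc_write_head(...)` (hunk header), yet the added failure path does `return result;` with a `CURLcode`, which a caller reading an `ssize_t` byte count would see as a small non-negative number rather than an error. This looks like a backport mismatch with an upstream version where the function returns `CURLcode` directly; the 8.11.1 function's own failure convention should be used instead, presumably storing the code in its error out-parameter and returning `-1` (the parameter is outside the hunk, so check the signature), e.g. `if(result) { *err = result; return -1; }`. The remainder of the change, drawing a fresh mask for every frame and no longer printing the mask in the 101 log line, is the CVE-2025-10148 fix and looks correct.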
@@ -1,6 +1,6 @@ -From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 +From 7efcd412447fc41bded2f9621edf0ab4701c9b14 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Tue, 16 Dec 2025 10:04:40 +0100 +Date: Wed, 11 Dec 2024 09:28:12 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,10 +10,10 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index a1c8185875..bb43ca8335 100644 +index e89c256..9fb1a33 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -74,7 +74,7 @@ while test "$#" -gt 0; do +@@ -75,7 +75,7 @@ while test "$#" -gt 0; do ;; --cc) @@ -22,29 +22,29 @@ index a1c8185875..bb43ca8335 100644 ;; --prefix) -@@ -149,16 +149,7 @@ while test "$#" -gt 0; do +@@ -155,16 +155,7 @@ while test "$#" -gt 0; do ;; --libs) -- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then -- curllibdir="-L@libdir@ " +- if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then +- CURLLIBDIR="-L@libdir@ " - else -- curllibdir='' +- CURLLIBDIR='' - fi -- if test '@ENABLE_SHARED@' = 'no'; then -- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" +- if test 'X@ENABLE_SHARED@' = 'Xno'; then +- echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else -- echo "${curllibdir}-lcurl" +- echo "${CURLLIBDIR}-lcurl" - fi + echo '-lcurl' ;; --ssl-backends) -@@ -166,16 +157,12 @@ while test "$#" -gt 0; do +@@ -172,16 +163,12 @@ while test "$#" -gt 0; do ;; --static-libs) -- if test '@ENABLE_STATIC@' != 'no'; then +- if test 'X@ENABLE_STATIC@' != 'Xno'; then - echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 @@ -61,11 +61,11 @@ index a1c8185875..bb43ca8335 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index 12ad245b79..fa0e03d273 100644 +index 4dfaab6..f4e847e 100644 
--- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. - ## `--static-libs` + ## --static-libs Shows the complete set of libs and other linker options you need in order to -link your application with libcurl statically. (Added in 7.17.1) @@ -73,10 +73,10 @@ index 12ad245b79..fa0e03d273 100644 +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - ## `--version` + ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba5244a8..f3645e1748 100644 +index c0ba524..f3645e1 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index c0ba5244a8..f3645e1748 100644 Name: libcurl URL: https://curl.se/ -- -2.52.0 +2.47.1 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch new file mode 100644 index 0000000..82f4642 --- /dev/null +++ b/0102-curl-7.84.0-test3026.patch 
@@ -0,0 +1,71 @@ +From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 22 May 2024 13:03:43 +0200 +Subject: [PATCH 2/2] test3026: disable valgrind + +It fails on x86_64 with: +``` + Use --max-threads=INT to specify a larger number of threads + and rerun valgrind + valgrind: the 'impossible' happened: + Max number of threads is too low + host stacktrace: + ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + sched status: + running_tid=1 + Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) + ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) + ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) + ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) + ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) + ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) + ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) + client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 + valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 +[...] 
+``` +--- + tests/data/test3026 | 3 +++ + tests/libtest/lib3026.c | 4 ++-- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tests/data/test3026 b/tests/data/test3026 +index ee9b30678..dd582c3e5 100644 +--- a/tests/data/test3026 ++++ b/tests/data/test3026 +@@ -41,5 +41,8 @@ none + + 0 + ++ ++disable ++ + + +diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c +index 7e914010e..39374f5bc 100644 +--- a/tests/libtest/lib3026.c ++++ b/tests/libtest/lib3026.c +@@ -145,8 +145,8 @@ CURLcode test(char *URL) + results[i] = CURL_LAST; /* initialize with invalid value */ + res = pthread_create(&tids[i], NULL, run_thread, &results[i]); + if(res) { +- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", +- __FILE__, __LINE__, res); ++ fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", ++ __FILE__, __LINE__, i, res); + tid_count = i; + test_failure = (CURLcode)-1; + goto cleanup; +-- +2.45.1 + diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch new file mode 100644 index 0000000..0977dee --- /dev/null +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -0,0 +1,30 @@ +From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 24 Jul 2024 15:15:11 +0200 +Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" + +While it might be useful for upstream developers, it is not so useful +for downstream consumers. + +This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. +--- + tests/runtests.pl | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 9cc9ef1..c9a1c5d 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -57,8 +57,7 @@ + # given, this won't be a problem. + + use strict; +-# Promote all warnings to fatal +-use warnings FATAL => 'all'; ++use warnings; + use 5.006; + use POSIX qw(strftime); + +-- +2.45.2 + 
diff --git a/0105-curl-8.11.1-test616.patch b/0105-curl-8.11.1-test616.patch new file mode 100644 index 0000000..91bde80 --- /dev/null +++ b/0105-curl-8.11.1-test616.patch 
@@ -0,0 +1,48 @@ +From 82baec8c7cd40361585d8793dfe4531f7aad30e3 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 11 Dec 2024 13:16:12 +0100 +Subject: [PATCH] test616: disable valgrind + +Valgrind disable was removed in upstream in https://github.com/curl/curl/commit/c91c37b6e87ceee760b7bb334c8e97e03ee93e93#diff-e01fd8774cf5b26329c7dc7dc03ec49745469205f3d501ced72c9d133455d5e7L35 +But test 616 is still failing under valgrind, so disable valgrind for this test. + +``` + valgrind ERROR ==188588== 144 bytes in 1 blocks are definitely lost in loss record 1 of 1 +==188588== at 0x484B133: calloc (vg_replace_malloc.c:1675) +==188588== by 0x4BB7575: ??? (in /usr/lib64/libssh.so.4.10.1) +==188588== by 0x4BB8CC6: sftp_fstat (in /usr/lib64/libssh.so.4.10.1) +==188588== by 0x48EEAFB: myssh_statemach_act (libssh.c:1610) +==188588== by 0x48F1B9D: myssh_multi_statemach.lto_priv.0 (libssh.c:2095) +==188588== by 0x48BA971: UnknownInlinedFun (multi.c:1643) +==188588== by 0x48BA971: UnknownInlinedFun (multi.c:2314) +==188588== by 0x48BA971: multi_runsingle (multi.c:2768) +==188588== by 0x48BCCA4: curl_multi_perform (multi.c:3016) +==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:701) +==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:796) +==188588== by 0x4884E4A: curl_easy_perform (easy.c:815) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:2902) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3127) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3249) +==188588== by 0x10C12B: main (tool_main.c:271) +==188588== +``` +--- + tests/data/test616 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/data/test616 b/tests/data/test616 +index f76c68a..0ebc734 100644 +--- a/tests/data/test616 ++++ b/tests/data/test616 +@@ -32,5 +32,8 @@ SFTP retrieval of empty file + # + # Verify data after the test has been "shot" + ++ ++disable ++ + + +-- +2.47.1 + diff --git a/curl.spec b/curl.spec index c0ad4db..b3d61f1 100644 --- a/curl.spec 
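Review bot: Disabling valgrind for the whole of test 616 also stops valgrind from checking libcurl's own SFTP path, while the trace quoted in the description places the leak inside libssh (`sftp_fstat` in `libssh.so.4.10.1`). A valgrind suppression scoped to that libssh frame would silence the one known report and keep memory checking for the rest of the test, if the test harness allows it; otherwise the description should at least state which libssh version produced the leak so the disable can be revisited. The removed spec changelog entry for 8.18.0~rc2 shows valgrind was later re-enabled on this test, so this patch should be tracked as temporary.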
+++ b/curl.spec 
@@ -4,37 +4,54 @@ # Change the bcond to 0 to turn off ENGINE support by default %bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] -# HTTP/3 support -# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's -# experimental native OpenSSL 3.5 support. -%bcond http3 %[0%{?fedora} >= 43] - Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0 -Release: 1%{?dist} +Version: 8.11.1 +Release: 6%{?dist} License: curl -Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz -Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc +Source0: https://curl.se/download/%{name}-%{version}.tar.xz +Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # The curl download page ( https://curl.se/download.html ) links # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Fix crash with Unexpected error 9 on netlink descriptor 10 +# https://bugzilla.redhat.com/show_bug.cgi?id=2332350 +# https://github.com/curl/curl/issues/15725 +# https://github.com/curl/curl/pull/15727 +Patch1: 0001-curl-8.11.1-eventfd.patch + +# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2324130#c7 +Patch2: 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch + +# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2373760 +Patch3: 0003-curl-8.11.1-tool_formparse-accept-digits-in-form-type-strings.patch + +# Fix Out of bounds read for cookie path (CVE-2025-9086) +Patch4: 0004-curl-8.11.1-CVE-2025-9086.patch + +# Fix predictable WebSocket mask (CVE-2025-10148) +Patch5: 0005-curl-8.11.1-CVE-2025-10148.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch +# test3026: disable valgrind +Patch102: 0102-curl-7.84.0-test3026.patch + +# do not fail on warnings in the upstream test driver +Patch104: 
0104-curl-7.88.0-tests-warnings.patch + +# test616: disable valgrind +Patch105: 0105-curl-8.11.1-test616.patch + Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ -%if 0%{?fedora} -# instead of bundled wcurl utility, recommend wcurl package -Recommends: wcurl -%endif - # The reason for maintaining two separate packages for curl is no longer valid. # The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. # For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 @@ -48,20 +65,13 @@ BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel BuildRequires: libnghttp2-devel -%if %{with http3} -BuildRequires: libnghttp3-devel -%endif BuildRequires: libpsl-devel BuildRequires: libssh-devel BuildRequires: libtool BuildRequires: make -%if %{with http3} -BuildRequires: ngtcp2-crypto-ossl-devel -%endif BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server -BuildRequires: openssl BuildRequires: openssl-devel %if %{with openssl_engine_support} && 0%{?fedora} >= 41 BuildRequires: openssl-devel-engine @@ -152,10 +162,6 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#2144277) %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) -# require at least the version of libnghttp3 that we were built against, -# to ensure that we have the necessary symbols available -%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) - # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) 
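Review bot: The `Version`/`Release` lines move from 8.18.0-1 back to 8.11.1-6, and the changelog entries deleted in the `@@ -442,105 +428,12 @@` hunk record fixes that the restored state only partly carries: the 8.12.0 entry lists CVE-2025-0725, CVE-2025-0665 and CVE-2025-0167, and of those only the eventfd double close (Patch1, issue #15725) is present in the Patch1–Patch5 set, with nothing visible here for the gzip integer overflow or the netrc credential leak. If this is a deliberate reset of a branch to its 8.11.1 line, the commit should say so, and the two remaining CVEs deserve either a backport or a recorded not-affected justification. Source integrity is unaffected by the downgrade, since the `%{gpgverify}` call on the tarball survives unchanged in the `@@ -236,7 +232,7 @@` hunk.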
@@ -164,10 +170,6 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) -# require at least the version of ngtcp2 that we were built against, -# to ensure that we have the necessary symbols available -%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) - # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, #1462211) # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) @@ -184,14 +186,8 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} -%if %{with http3} -Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} -%endif Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} -%if %{with http3} -Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} -%endif Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} @@ -236,7 +232,7 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%autosetup -n %{name}-%{version_no_tilde} -p1 +%autosetup -p1 # disable test 1801 # @@ -331,11 +327,7 @@ export common_configure_opts=" \ --enable-websockets \ --with-brotli \ --with-libpsl \ - --with-libssh \ -%if %{with http3} - --with-nghttp3 \ - --with-ngtcp2 \ -%endif + --with-libssh ) # avoid using rpath 
@@ -397,11 +389,6 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la -# do not install bundled wcurl utility -# it is provided by the wcurl package -rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl -rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* - %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal @@ -411,10 +398,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %doc README %doc docs/BUGS.md %doc docs/DISTROS.md -%doc docs/FAQ.md +%doc docs/FAQ %doc docs/FEATURES.md -%doc docs/KNOWN_BUGS.md -%doc docs/TODO.md +%doc docs/TODO %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* 
@@ -442,105 +428,12 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
-* Wed Jan 07 2026 Jan Macku - 8.18.0-1
-- new upstream release
+* Wed Sep 17 2025 Jan Macku - 8.11.1-6
+- Fix Out of bounds read for cookie path (CVE-2025-9086)
+- Fix predictable WebSocket mask (CVE-2025-10148)
 
-* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1
-- new upstream release candidate
-
-* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1
-- new upstream release candidate
-- reenable valgrind on test 616
-
-* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1
-- new upstream release candidate
-- drop upstreamed patches
-
-* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5
-- Enable HTTP/3 support with ngtcp2
-
-* Thu Dec 04 2025 Jan Macku - 8.17.0-4
-- apply upstream patches for valgrind issues in HTTP/3 (#2408809)
-
-* Thu Nov 13 2025 Jan Macku - 8.17.0-3
-- recommend wcurl package instead of bundled wcurl utility
-
-* Thu Nov 13 2025 Jan Macku - 8.17.0-2
-- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead
-
-* Mon Nov 10 2025 Jan Macku - 8.17.0-1
-- new upstream release
-
-* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1
-- new upstream release candidate
-
-* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1
-- new upstream release candidate
-
-* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1
-- new upstream release candidate
-
-* Wed Sep 10 2025 Jan Macku - 8.16.0-1
-- new upstream release
-
-* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1
-- new upstream release candidate
-
-* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1
-- new upstream release candidate
-
-* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Wed Jul 16 2025 Jan Macku - 8.15.0-1
-- new upstream release
-
-* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1
-- new upstream release candidate
-
-* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1
-- new upstream release candidate
-
-* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1
-- new upstream release candidate
-
-* Wed Jun 04 2025 Jan Macku - 8.14.1-1
-- new upstream release
-- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed)
-
-* Wed May 28 2025 Jan Macku - 8.14.0-1
-- new upstream release, which fixes the following vulnerabilities
-  CVE-2025-5025 - No QUIC certificate pinning with wolfSSL
-  CVE-2025-4947 - QUIC certificate check skip with wolfSSL
-- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles
-
-* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1
-- new upstream release candidate
-- new utility: wcurl which lets you download URLs without having to remember any parameters
-
-* Wed Apr 02 2025 Jan Macku - 8.13.0-1
-- new upstream release
-- add build time dependency on openssl (required by tests)
-
-* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1
-- new upstream release candidate
-- drop: 0102-curl-7.84.0-test3026.patch (no longer needed)
-
-* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1
-- new upstream release candidate
-
-* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2
-- fix --cert parameter (#2351531)
-
-* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1
-- new upstream release candidate
-
-* Wed Feb 05 2025 Jan Macku - 8.12.0-1
-- new upstream release, which fixes the following vulnerabilities
-  CVE-2025-0725 - gzip integer overflow
-  CVE-2025-0665 - eventfd double close
-  CVE-2025-0167 - netrc and default credential leak
-- drop upstreamed patches
+* Thu Jun 19 2025 Jan Macku - 8.11.1-5
+- properly parse 'type=' in -F command line arguments (#2373760)
 
 * Fri Jan 31 2025 Jan Macku - 8.11.1-4
 - TLS: check connection for SSL use, not handler (#2324130#c7)
diff --git a/sources b/sources
index 002e494..91c8f05 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
-SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
+SHA512 (curl-8.11.1.tar.xz) = 7c7c47a49505575b610c56b455f0919ea5082a993bf5483eeb258ead167aadb87078d626b343b417dcfc5439c53556425c8fb4fe3b01b53a87b47c01686a3e57
+SHA512 (curl-8.11.1.tar.xz.asc) = c09bedb67e83fb8ca3ad73c5bd0d92fed7fc2c26dbe5a71cccb193fd151c7219713241a9fe74baefcd1d008cfafba78142bf04cec24dd4a88d67179184d35824
diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh
index 0d72276..4d51e62 100755
--- a/tests/non-root-user-download/runtest.sh
+++ b/tests/non-root-user-download/runtest.sh
@@ -31,9 +31,9 @@ PACKAGE="curl"
 
 
 
-FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
-CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM
+CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"
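Review bot: The three replaced assignments in hunk `@@ -31,9 +31,9 @@` of runtest.sh are bare constants with no note of how `CONTENT` was derived, so the next URL bump cannot be checked against anything. `CONTENT` looks like a SHA-256 value that is expected to appear in the downloaded `Fedora-Everything-38-1.6-x86_64-CHECKSUM` file, but the comparison itself is outside the hunk, so this is inferred; a comment such as `# CONTENT: checksum line expected in the CHECKSUM file above; taken from the HTTPS copy` would make the relationship and its provenance explicit. Since the `FTP_URL` branch fetches in the clear from a third-party mirror, the pinned `CONTENT` is the only integrity check on that path, which is fine as long as the pin is always refreshed from the HTTPS source rather than from the FTP download it is meant to validate.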