From 9a38bdf948aacf59ec81f0e35ef10f430252f1a6 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Mon, 19 Feb 2024 13:23:34 +0100
Subject: [PATCH 01/57] fix: Leftovers after chunking should not be part of the curl buffer output

Resolves: #2264220
---
 ...fix-the-accounting-of-consumed-bytes.patch | 83 +++++++++++++++++++
 curl.spec | 8 +-
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch

diff --git a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch
new file mode 100644
index 0000000..39b2f31
--- /dev/null
+++ b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch
@@ -0,0 +1,83 @@ +From c7438ccfceee373a75d6d890259cf2e6b5e0e203 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 14 Feb 2024 16:27:23 +0100 +Subject: [PATCH] http_chunks: fix the accounting of consumed bytes + +Prior to this change chunks were handled correctly although in verbose +mode libcurl could incorrectly warn of "Leftovers after chunking" even +if there were none. + +Reported-by: Michael Kaufmann + +Fixes https://github.com/curl/curl/issues/12937 +Closes https://github.com/curl/curl/pull/12939 + +(cherry picked from commit 59e2c78af3a5588d6e6ae6d2223b222f067e054b) +Signed-off-by: Jan Macku +--- + lib/http_chunks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/lib/http_chunks.c b/lib/http_chunks.c +index 039c179c4..ad1ee9ada 100644 +--- a/lib/http_chunks.c ++++ b/lib/http_chunks.c +@@ -152,6 +152,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->hexbuffer[ch->hexindex++] = *buf; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + char *endptr; +@@ -189,6 +190,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_DATA: +@@ -236,6 +238,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER: +@@ -293,6 +296,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER_CR: +@@ -300,6 +304,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->state = CHUNK_TRAILER_POSTCR; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + ch->state = CHUNK_FAILED; +@@ -320,6 +325,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + /* skip if CR */ + buf++; + blen--; ++ (*pconsumed)++; + } + /* now wait for the final LF */ + ch->state = CHUNK_STOP; +@@ -328,6 +334,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + case CHUNK_STOP: + if(*buf == 0x0a) { + 
blen--; ++ (*pconsumed)++; + /* Record the length of any data left in the end of the buffer + even if there's no more chunks to read */ + ch->datasize = blen; +-- +2.43.2 + diff --git a/curl.spec b/curl.spec index 33f4fba..5118b71 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 6%{?dist} +Release: 7%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -21,6 +21,9 @@ Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch # it breaks pycurl tests suite Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch +# Fix: Leftovers after chunking should not be part of the curl buffer output +Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -411,6 +414,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 19 2024 Jan Macku - 8.6.0-7 +- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) + * Mon Feb 12 2024 Jan Macku - 8.6.0-6 - revert "receive max buffer" + add test case - temporarily disable test 0313 From f5a882f1213fe3b0c1470846229bdad5027516be Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 19 Feb 2024 13:23:34 +0100 Subject: [PATCH 02/57] fix: Leftovers after chunking should not be part of the curl buffer output Resolves: #2264220 --- ...fix-the-accounting-of-consumed-bytes.patch | 83 +++++++++++++++++++ curl.spec | 8 +- 2 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch 
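Review bot: The comment added above `Patch004:` in the curl.spec hunk describes the backport as a fix to the curl buffer output, while the cherry-picked upstream message inside the new patch file states that chunks were already handled correctly and only the verbose-mode "Leftovers after chunking" warning was spurious. The same wording is reused in the %changelog hunk of this commit and again in [PATCH 02/57]. Readers of the spec reconcile distro bugs against upstream, so I would carry the upstream summary and issue reference, e.g. `# http_chunks: fix the accounting of consumed bytes (spurious "Leftovers after chunking" verbose warning; upstream #12937)`.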
diff --git a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch
new file mode 100644
index 0000000..39b2f31
--- /dev/null
+++ b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch
@@ -0,0 +1,83 @@ +From c7438ccfceee373a75d6d890259cf2e6b5e0e203 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 14 Feb 2024 16:27:23 +0100 +Subject: [PATCH] http_chunks: fix the accounting of consumed bytes + +Prior to this change chunks were handled correctly although in verbose +mode libcurl could incorrectly warn of "Leftovers after chunking" even +if there were none. + +Reported-by: Michael Kaufmann + +Fixes https://github.com/curl/curl/issues/12937 +Closes https://github.com/curl/curl/pull/12939 + +(cherry picked from commit 59e2c78af3a5588d6e6ae6d2223b222f067e054b) +Signed-off-by: Jan Macku +--- + lib/http_chunks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/lib/http_chunks.c b/lib/http_chunks.c +index 039c179c4..ad1ee9ada 100644 +--- a/lib/http_chunks.c ++++ b/lib/http_chunks.c +@@ -152,6 +152,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->hexbuffer[ch->hexindex++] = *buf; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + char *endptr; +@@ -189,6 +190,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_DATA: +@@ -236,6 +238,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER: +@@ -293,6 +296,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER_CR: +@@ -300,6 +304,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->state = CHUNK_TRAILER_POSTCR; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + ch->state = CHUNK_FAILED; +@@ -320,6 +325,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + /* skip if CR */ + buf++; + blen--; ++ (*pconsumed)++; + } + /* now wait for the final LF */ + ch->state = CHUNK_STOP; +@@ -328,6 +334,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + case CHUNK_STOP: + if(*buf == 0x0a) { + 
blen--; ++ (*pconsumed)++; + /* Record the length of any data left in the end of the buffer + even if there's no more chunks to read */ + ch->datasize = blen; +-- +2.43.2 + diff --git a/curl.spec b/curl.spec index 33f4fba..5118b71 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 6%{?dist} +Release: 7%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -21,6 +21,9 @@ Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch # it breaks pycurl tests suite Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch +# Fix: Leftovers after chunking should not be part of the curl buffer output +Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -411,6 +414,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 19 2024 Jan Macku - 8.6.0-7 +- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) + * Mon Feb 12 2024 Jan Macku - 8.6.0-6 - revert "receive max buffer" + add test case - temporarily disable test 0313 From f9311ae69d7c143fec8f3282907ac95546869cfc Mon Sep 17 00:00:00 2001 
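Review bot: This patch-file hunk and the curl.spec hunks that follow it repeat [PATCH 01/57] exactly: same subject, same diffstat, same blob ids `index 0000000..39b2f31` and `index 33f4fba..5118b71`, same `-Release: 6%{?dist}` / `+Release: 7%{?dist}` bump and the same 8.6.0-7 changelog entry. Applied after 01/57 this commit would not apply cleanly, since the patch file already exists and the `Release: 6%{?dist}` context line is gone, so it looks like a duplicated commit in the series rather than an intended change. I would drop 02/57 from the series or, if it is meant to carry something different, give it a distinct subject and body.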
From: Jan Macku Date: Wed, 27 Mar 2024 09:43:54 +0100 Subject: [PATCH 03/57] new upstream release - 8.7.1 Resolves: CVE-2024-2004 - Usage of disabled protocol Resolves: CVE-2024-2379 - QUIC certificate check bypass with wolfSSL Resolves: CVE-2024-2398 - HTTP/2 push headers memory-leak Resolves: CVE-2024-2466 - TLS certificate check bypass with mbedTLS --- .gitignore | 3 +- ...-curl-8.6.0-remove-duplicate-content.patch | 108 ---------- 0001-curl-8.7.1-fix-compressed-option.patch | 174 +++++++++++++++++ ...l-8.6.0-ignore-response-body-to-HEAD.patch | 184 ------------------ ...-8.7.1-fix-chunked-POST-via-callback.patch | 69 +++++++ ...ert-receive-max-buffer-add-test-case.patch | 68 ------- ...fix-the-accounting-of-consumed-bytes.patch | 83 -------- 0101-curl-7.32.0-multilib.patch | 20 +- curl.spec | 49 ++--- sources | 4 +- 10 files changed, 277 insertions(+), 485 deletions(-) delete mode 100644 0001-curl-8.6.0-remove-duplicate-content.patch create mode 100644 0001-curl-8.7.1-fix-compressed-option.patch delete mode 100644 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch create mode 100644 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch delete mode 100644 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch delete mode 100644 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch diff --git a/.gitignore b/.gitignore index 505a7d9..e91a948 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,4 @@ -/curl-[0-9.]*.tar.lzma -/curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc /curl-[0-9].[0-9].[0-9]/ +/*.src.rpm diff --git a/0001-curl-8.6.0-remove-duplicate-content.patch b/0001-curl-8.6.0-remove-duplicate-content.patch deleted file mode 100644 index bbbb7ff..0000000 --- a/0001-curl-8.6.0-remove-duplicate-content.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From 960cf3ceb40cf875b146d4d1065d9267ccb83da1 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Thu, 1 Feb 2024 12:56:31 +0100 -Subject: [PATCH 1/2] doc: remove duplicate content from curl-config.1 - -This will be resolved in next release by: -https://github.com/curl/curl/pull/12818 - -see also: https://github.com/curl/curl/issues/12840 - -Signed-off-by: Jan Macku ---- - docs/curl-config.1 | 82 ---------------------------------------------- - 1 file changed, 82 deletions(-) - -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 186ba3a..c142cb9 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -80,85 +80,3 @@ How do I build a single file with a one\-line command? - .fi - .SH SEE ALSO - .BR curl (1) --.\" generated by cd2nroff 0.1 from curl-config.md --.TH curl-config 1 "January 26 2024" curl-config --.SH NAME --curl\-config \- Get information about a libcurl installation --.SH SYNOPSIS --\fBcurl\-config [options]\fP --.SH DESCRIPTION --\fBcurl\-config\fP --displays information about the curl and libcurl installation. --.SH OPTIONS --.IP --ca --Displays the built\-in path to the CA cert bundle this libcurl uses. --.IP --cc --Displays the compiler used to build libcurl. --.IP --cflags --Set of compiler options (CFLAGS) to use when compiling files that use --libcurl. Currently that is only the include path to the curl include files. --.IP "--checkfor [version]" --Specify the oldest possible libcurl version string you want, and this --script will return 0 if the current installation is new enough or it --returns 1 and outputs a text saying that the current version is not new --enough. (Added in 7.15.4) --.IP --configure --Displays the arguments given to configure when building curl. --.IP --feature --Lists what particular main features the installed libcurl was built with. At --the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume --any particular order. The keywords will be separated by newlines. 
There may be --none, one, or several keywords in the list. --.IP --help --Displays the available options. --.IP --libs --Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl. --.IP --prefix --This is the prefix used when libcurl was installed. Libcurl is then installed --in $prefix/lib and its header files are installed in $prefix/include and so --on. The prefix is set with "configure \--prefix". --.IP --protocols --Lists what particular protocols the installed libcurl was built to support. At --the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE, --TELNET, LDAP, DICT and many more. Do not assume any particular order. The --protocols will be listed using uppercase and are separated by newlines. There --may be none, one, or several protocols in the list. (Added in 7.13.0) --.IP --ssl-backends --Lists the SSL backends that were enabled when libcurl was built. It might be --no, one or several names. If more than one name, they will appear --comma\-separated. (Added in 7.58.0) --.IP --static-libs --Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) --.IP --version --Outputs version information about the installed libcurl. --.IP --vernum --Outputs version information about the installed libcurl, in numerical mode. --This shows the version number, in hexadecimal, using 8 bits for each part: --major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and --libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be --omitted. (This option was broken in the 7.15.0 release.) --.SH EXAMPLES --What linker options do I need when I link with libcurl? --.nf -- $ curl-config --libs --.fi --What compiler options do I need when I compile using libcurl functions? --.nf -- $ curl-config --cflags --.fi --How do I know if libcurl was built with SSL support? 
--.nf -- $ curl-config --feature | grep SSL --.fi --What\(aqs the installed libcurl version? --.nf -- $ curl-config --version --.fi --How do I build a single file with a one\-line command? --.nf -- $ `curl-config --cc --cflags` -o example source.c `curl-config --libs` --.fi --.SH SEE ALSO --.BR curl (1) --- -2.43.0 - diff --git a/0001-curl-8.7.1-fix-compressed-option.patch b/0001-curl-8.7.1-fix-compressed-option.patch new file mode 100644 index 0000000..dc2e720 --- /dev/null +++ b/0001-curl-8.7.1-fix-compressed-option.patch 
@@ -0,0 +1,174 @@ +From 8f1a06a9efe1048c7ad17af43ae7d4b26de8117e Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 28 Mar 2024 11:08:15 +0100 +Subject: [PATCH 1/2] content_encoding: brotli and others, pass through + 0-length writes + +- curl's transfer handling may write 0-length chunks at the end of the + download with an EOS flag. (HTTP/2 does this commonly) + +- content encoders need to pass-through such a write and not count this + as error in case they are finished decoding + +Fixes #13209 +Fixes #13212 +Closes #13219 + +(cherry picked from commit b30d694a027eb771c02a3db0dee0ca03ccab7377) +Signed-off-by: Jan Macku +--- + lib/content_encoding.c | 10 +++++----- + tests/http/test_02_download.py | 13 +++++++++++++ + tests/http/testenv/env.py | 7 ++++++- + tests/http/testenv/httpd.py | 20 ++++++++++++++++++++ + 4 files changed, 44 insertions(+), 6 deletions(-) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index c1abf24e8..8e926dd2e 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -300,7 +300,7 @@ static CURLcode deflate_do_write(struct Curl_easy *data, + struct zlib_writer *zp = (struct zlib_writer *) writer; + z_stream *z = &zp->z; /* zlib state structure */ + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + /* Set the compressed input when this function is called */ +@@ -457,7 +457,7 @@ static CURLcode gzip_do_write(struct Curl_easy *data, + struct zlib_writer *zp = (struct zlib_writer *) writer; + z_stream *z = &zp->z; /* zlib state structure */ + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(zp->zlib_init == ZLIB_INIT_GZIP) { +@@ -669,7 +669,7 @@ static CURLcode brotli_do_write(struct Curl_easy *data, + CURLcode result = CURLE_OK; + BrotliDecoderResult r = BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT; + +- 
if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(!bp->br) +@@ -762,7 +762,7 @@ static CURLcode zstd_do_write(struct Curl_easy *data, + ZSTD_outBuffer out; + size_t errorCode; + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(!zp->decomp) { +@@ -916,7 +916,7 @@ static CURLcode error_do_write(struct Curl_easy *data, + (void) buf; + (void) nbytes; + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + failf(data, "Unrecognized content encoding type. " +diff --git a/tests/http/test_02_download.py b/tests/http/test_02_download.py +index 4db9c9d36..395fc862f 100644 +--- a/tests/http/test_02_download.py ++++ b/tests/http/test_02_download.py +@@ -394,6 +394,19 @@ class TestDownload: + r = client.run(args=[url]) + r.check_exit_code(0) + ++ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) ++ def test_02_28_get_compressed(self, env: Env, httpd, nghttpx, repeat, proto): ++ if proto == 'h3' and not env.have_h3(): ++ pytest.skip("h3 not supported") ++ count = 1 ++ urln = f'https://{env.authority_for(env.domain1brotli, proto)}/data-100k?[0-{count-1}]' ++ curl = CurlClient(env=env) ++ r = curl.http_download(urls=[urln], alpn_proto=proto, extra_args=[ ++ '--compressed' ++ ]) ++ r.check_exit_code(code=0) ++ r.check_response(count=count, http_status=200) ++ + def check_downloads(self, client, srcfile: str, count: int, + complete: bool = True): + for i in range(count): +diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py +index a207059dc..13c5d6bd4 100644 +--- a/tests/http/testenv/env.py ++++ b/tests/http/testenv/env.py +@@ -129,10 +129,11 @@ class EnvConfig: + self.htdocs_dir = os.path.join(self.gen_dir, 'htdocs') + self.tld = 'http.curl.se' + self.domain1 = 
f"one.{self.tld}" ++ self.domain1brotli = f"brotli.one.{self.tld}" + self.domain2 = f"two.{self.tld}" + self.proxy_domain = f"proxy.{self.tld}" + self.cert_specs = [ +- CertificateSpec(domains=[self.domain1, 'localhost'], key_type='rsa2048'), ++ CertificateSpec(domains=[self.domain1, self.domain1brotli, 'localhost'], key_type='rsa2048'), + CertificateSpec(domains=[self.domain2], key_type='rsa2048'), + CertificateSpec(domains=[self.proxy_domain, '127.0.0.1'], key_type='rsa2048'), + CertificateSpec(name="clientsX", sub_specs=[ +@@ -376,6 +377,10 @@ class Env: + def domain1(self) -> str: + return self.CONFIG.domain1 + ++ @property ++ def domain1brotli(self) -> str: ++ return self.CONFIG.domain1brotli ++ + @property + def domain2(self) -> str: + return self.CONFIG.domain2 +diff --git a/tests/http/testenv/httpd.py b/tests/http/testenv/httpd.py +index c04c22699..b8615875a 100644 +--- a/tests/http/testenv/httpd.py ++++ b/tests/http/testenv/httpd.py +@@ -50,6 +50,7 @@ class Httpd: + 'alias', 'env', 'filter', 'headers', 'mime', 'setenvif', + 'socache_shmcb', + 'rewrite', 'http2', 'ssl', 'proxy', 'proxy_http', 'proxy_connect', ++ 'brotli', + 'mpm_event', + ] + COMMON_MODULES_DIRS = [ +@@ -203,6 +204,7 @@ class Httpd: + + def _write_config(self): + domain1 = self.env.domain1 ++ domain1brotli = self.env.domain1brotli + creds1 = self.env.get_credentials(domain1) + domain2 = self.env.domain2 + creds2 = self.env.get_credentials(domain2) +@@ -285,6 +287,24 @@ class Httpd: + f'', + f'', + ]) ++ # Alternate to domain1 with BROTLI compression ++ conf.extend([ # https host for domain1, h1 + h2 ++ f'', ++ f' ServerName {domain1brotli}', ++ f' Protocols h2 http/1.1', ++ f' SSLEngine on', ++ f' SSLCertificateFile {creds1.cert_file}', ++ f' SSLCertificateKeyFile {creds1.pkey_file}', ++ f' DocumentRoot "{self._docs_dir}"', ++ f' SetOutputFilter BROTLI_COMPRESS', ++ ]) ++ conf.extend(self._curltest_conf(domain1)) ++ if domain1 in self._extra_configs: ++ 
conf.extend(self._extra_configs[domain1]) ++ conf.extend([ ++ f'', ++ f'', ++ ]) + conf.extend([ # https host for domain2, no h2 + f'', + f' ServerName {domain2}', +-- +2.44.0 + diff --git a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch deleted file mode 100644 index 4dee602..0000000 --- a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch +++ /dev/null 
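Review bot: In the `error_do_write` hunk of the embedded lib/content_encoding.c diff, `(void) nbytes;` is kept although the new condition `if(!(type & CLIENTWRITE_BODY) || !nbytes)` now reads nbytes, so the cast is dead and tells the reader the argument is unused when it is not; `(void) buf;` remains accurate. The same `|| !nbytes` short-circuit is added to the deflate, gzip, brotli and zstd writers, where it forwards the 0-length EOS write before any decoder state is touched, which is what the patch description asks for. Since this file is a cherry-pick of upstream b30d694a, I would leave the backport as is and send the one-line cleanup (drop `(void) nbytes;`) upstream rather than diverge here. Each enclosing `*_do_write` function starts and ends outside its hunk.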
@@ -1,184 +0,0 @@ -From e61ea3ba7054afedafe1eb473226e842ac17b8ff Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 1 Feb 2024 13:23:12 +0100 -Subject: [PATCH] sendf: ignore response body to HEAD - -and mark the stream for close, but return OK since the response this far -was ok - if headers were received. Partly because this is what curl has -done traditionally. - -Test 499 verifies. Updates test 689. - -Reported-by: Sergey Bronnikov -Bug: https://curl.se/mail/lib-2024-02/0000.html -Closes #12842 - -(cherry picked from commit b8c003832d730bb2f4b9de4204675ca5d9f7a903) -Signed-off-by: Jan Macku ---- - lib/sendf.c | 3 ++ - tests/data/Makefile.inc | 44 ++++++++++++++-------------- - tests/data/test499 | 65 +++++++++++++++++++++++++++++++++++++++++ - tests/data/test689 | 4 +-- - 4 files changed, 92 insertions(+), 24 deletions(-) - create mode 100644 tests/data/test499 - -diff --git a/lib/sendf.c b/lib/sendf.c -index db3189a29..60ac0742c 100644 ---- a/lib/sendf.c -+++ b/lib/sendf.c -@@ -575,6 +575,9 @@ static CURLcode cw_download_write(struct Curl_easy *data, - DEBUGF(infof(data, "did not want a BODY, but seeing %zu bytes", - nbytes)); - data->req.download_done = TRUE; -+ if(data->info.header_size) -+ /* if headers have been received, this is fine */ -+ return CURLE_OK; - return CURLE_WEIRD_SERVER_REPLY; - } - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index c3d496f64..cd393da75 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -75,28 +75,28 @@ test444 test445 test446 test447 test448 test449 test450 test451 test452 \ - test453 test454 test455 test456 test457 test458 test459 test460 test461 \ - \ - test490 test491 test492 test493 test494 test495 test496 test497 test498 \ --\ --test500 test501 test502 test503 test504 test505 test506 test507 test508 \ --test509 test510 test511 test512 test513 test514 test515 test516 test517 \ --test518 test519 test520 test521 test522 test523 test524 test525 test526 \ --test527 test528 
test529 test530 test531 test532 test533 test534 test535 \ -- test537 test538 test539 test540 test541 test542 test543 test544 \ --test545 test546 test547 test548 test549 test550 test551 test552 test553 \ --test554 test555 test556 test557 test558 test559 test560 test561 test562 \ --test563 test564 test565 test566 test567 test568 test569 test570 test571 \ --test572 test573 test574 test575 test576 test577 test578 test579 test580 \ --test581 test582 test583 test584 test585 test586 test587 test588 test589 \ --test590 test591 test592 test593 test594 test595 test596 test597 test598 \ --test599 test600 test601 test602 test603 test604 test605 test606 test607 \ --test608 test609 test610 test611 test612 test613 test614 test615 test616 \ --test617 test618 test619 test620 test621 test622 test623 test624 test625 \ --test626 test627 test628 test629 test630 test631 test632 test633 test634 \ --test635 test636 test637 test638 test639 test640 test641 test642 test643 \ --test644 test645 test646 test647 test648 test649 test650 test651 test652 \ --test653 test654 test655 test656 test658 test659 test660 test661 test662 \ --test663 test664 test665 test666 test667 test668 test669 test670 test671 \ --test672 test673 test674 test675 test676 test677 test678 test679 test680 \ --test681 test682 test683 test684 test685 test686 test687 test688 test689 \ -+test499 test500 test501 test502 test503 test504 test505 test506 test507 \ -+test508 test509 test510 test511 test512 test513 test514 test515 test516 \ -+test517 test518 test519 test520 test521 test522 test523 test524 test525 \ -+test526 test527 test528 test529 test530 test531 test532 test533 test534 \ -+test535 test537 test538 test539 test540 test541 test542 test543 \ -+test544 test545 test546 test547 test548 test549 test550 test551 test552 \ -+test553 test554 test555 test556 test557 test558 test559 test560 test561 \ -+test562 test563 test564 test565 test566 test567 test568 test569 test570 \ -+test571 test572 test573 test574 test575 test576 
test577 test578 test579 \ -+test580 test581 test582 test583 test584 test585 test586 test587 test588 \ -+test589 test590 test591 test592 test593 test594 test595 test596 test597 \ -+test598 test599 test600 test601 test602 test603 test604 test605 test606 \ -+test607 test608 test609 test610 test611 test612 test613 test614 test615 \ -+test616 test617 test618 test619 test620 test621 test622 test623 test624 \ -+test625 test626 test627 test628 test629 test630 test631 test632 test633 \ -+test634 test635 test636 test637 test638 test639 test640 test641 test642 \ -+test643 test644 test645 test646 test647 test648 test649 test650 test651 \ -+test652 test653 test654 test655 test656 test658 test659 test660 test661 \ -+test662 test663 test664 test665 test666 test667 test668 test669 test670 \ -+test671 test672 test673 test674 test675 test676 test677 test678 test679 \ -+test680 test681 test682 test683 test684 test685 test686 test687 test688 \ -+test689 \ - \ - test700 test701 test702 test703 test704 test705 test706 test707 test708 \ - test709 test710 test711 test712 test713 test714 test715 test716 test717 \ -diff --git a/tests/data/test499 b/tests/data/test499 -new file mode 100644 -index 000000000..d4040b07c ---- /dev/null -+++ b/tests/data/test499 -@@ -0,0 +1,65 @@ -+ -+ -+ -+HTTP -+HTTP GET -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+-foo- -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+HTTP HEAD to server still sending a body -+ -+ 
-+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -I -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+HEAD /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+ -+ -+ -+ -diff --git a/tests/data/test689 b/tests/data/test689 -index 821556dec..381ae225a 100644 ---- a/tests/data/test689 -+++ b/tests/data/test689 -@@ -44,9 +44,9 @@ User-Agent: test567 - Test-Number: 567 - - --# 8 == CURLE_WEIRD_SERVER_REPLY -+# 85 == CURLE_RTSP_CSEQ_ERROR - --8 -+85 - - - --- -2.43.0 - diff --git a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch new file mode 100644 index 0000000..5421984 --- /dev/null +++ b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch 
@@ -0,0 +1,69 @@ +From 2c20a15717bd408ce225dd8707c1798136f084f5 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Mon, 1 Apr 2024 15:41:18 +0200 +Subject: [PATCH 2/2] http: with chunked POST forced, disable length check on + read callback + +- when an application forces HTTP/1.1 chunked transfer encoding + by setting the corresponding header and instructs curl to use + the CURLOPT_READFUNCTION, disregard any POST length information. +- this establishes backward compatibility with previous curl versions + +Applications are encouraged to not force "chunked", but rather +set length information for a POST. By setting -1, curl will +auto-select chunked on HTTP/1.1 and work properly on other HTTP +versions. + +Reported-by: Jeff King +Fixes #13229 +Closes #13257 + +(cherry picked from commit 721941aadf4adf4f6aeb3f4c0ab489bb89610c36) +Signed-off-by: Jan Macku +--- + lib/http.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 92c04e69c..a764d3c44 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2046,8 +2046,19 @@ static CURLcode set_reader(struct Curl_easy *data, Curl_HttpReq httpreq) + else + result = Curl_creader_set_null(data); + } +- else { /* we read the bytes from the callback */ +- result = Curl_creader_set_fread(data, postsize); ++ else { ++ /* we read the bytes from the callback. In case "chunked" encoding ++ * is forced by the application, we disregard `postsize`. This is ++ * a backward compatibility decision to earlier versions where ++ * chunking disregarded this. See issue #13229. */ ++ bool chunked = FALSE; ++ char *ptr = Curl_checkheaders(data, STRCONST("Transfer-Encoding")); ++ if(ptr) { ++ /* Some kind of TE is requested, check if 'chunked' is chosen */ ++ chunked = Curl_compareheader(ptr, STRCONST("Transfer-Encoding:"), ++ STRCONST("chunked")); ++ } ++ result = Curl_creader_set_fread(data, chunked? 
-1 : postsize); + } + return result; + +@@ -2115,6 +2126,13 @@ CURLcode Curl_http_req_set_reader(struct Curl_easy *data, + data->req.upload_chunky = + Curl_compareheader(ptr, + STRCONST("Transfer-Encoding:"), STRCONST("chunked")); ++ if(data->req.upload_chunky && ++ Curl_use_http_1_1plus(data, data->conn) && ++ (data->conn->httpversion >= 20)) { ++ infof(data, "suppressing chunked transfer encoding on connection " ++ "using HTTP version 2 or higher"); ++ data->req.upload_chunky = FALSE; ++ } + } + else { + curl_off_t req_clen = Curl_creader_total_length(data); +-- +2.44.0 + diff --git a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch deleted file mode 100644 index 3e9078c..0000000 --- a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch +++ /dev/null 
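Review bot: The two hunks of the embedded lib/http.c diff now carry the same detection of a forced chunked encoding: `set_reader` adds `Curl_checkheaders(data, STRCONST("Transfer-Encoding"))` followed by `Curl_compareheader(ptr, STRCONST("Transfer-Encoding:"), STRCONST("chunked"))`, and `Curl_http_req_set_reader` already evaluates the same pair into `data->req.upload_chunky`. A small shared `static bool` helper would keep the two call sites in step, which matters because the second hunk additionally clears `upload_chunky` on HTTP/2+ while the first hunk passes `-1` to `Curl_creader_set_fread` based on the header alone; if the reader is configured before that version check, the two decisions could disagree on a multiplexed connection, though the call order is not visible from these hunks. Both enclosing functions start and end outside the hunk.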
@@ -1,68 +0,0 @@ -From 0f65eaab19624ca018d7bd5ca404618f9bfe267f Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 1 Feb 2024 18:15:50 +0100 -Subject: [PATCH] vtls: revert "receive max buffer" + add test case - -- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an - Apache resource that does an unclean TLS shutdown. -- revert special workarund in openssl.c for suppressing shutdown errors - on multiplexed connections -- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53 - -Fixes #12885 -Fixes #12844 - -Closes #12848 - -(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84) -Signed-off-by: Jan Macku ---- - lib/vtls/vtls.c | 27 ++++++--------------------- - 1 file changed, 6 insertions(+), 21 deletions(-) - -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index e928ba5d0..f654a9749 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf, - { - struct cf_call_data save; - ssize_t nread; -- size_t ntotal = 0; - - CF_DATA_SAVE(save, cf, data); - *err = CURLE_OK; -- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */ -- while(!ntotal || (len - ntotal) > (4*1024)) { -+ nread = Curl_ssl->recv_plain(cf, data, buf, len, err); -+ if(nread > 0) { -+ DEBUGASSERT((size_t)nread <= len); -+ } -+ else if(nread == 0) { -+ /* eof */ - *err = CURLE_OK; -- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err); -- if(nread < 0) { -- if(*err == CURLE_AGAIN && ntotal > 0) { -- /* we EAGAINed after having reed data, return the success amount */ -- *err = CURLE_OK; -- break; -- } -- /* we have a an error to report */ -- goto out; -- } -- else if(nread == 0) { -- /* eof */ -- break; -- } -- ntotal += (size_t)nread; -- DEBUGASSERT((size_t)ntotal <= len); - } -- nread = (ssize_t)ntotal; --out: - CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, - nread, *err); - CF_DATA_RESTORE(cf, save); --- -2.43.0 - 
diff --git a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch
deleted file mode 100644
index 39b2f31..0000000
--- a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch
+++ /dev/null
@@ -1,83 +0,0 @@ -From c7438ccfceee373a75d6d890259cf2e6b5e0e203 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 14 Feb 2024 16:27:23 +0100 -Subject: [PATCH] http_chunks: fix the accounting of consumed bytes - -Prior to this change chunks were handled correctly although in verbose -mode libcurl could incorrectly warn of "Leftovers after chunking" even -if there were none. - -Reported-by: Michael Kaufmann - -Fixes https://github.com/curl/curl/issues/12937 -Closes https://github.com/curl/curl/pull/12939 - -(cherry picked from commit 59e2c78af3a5588d6e6ae6d2223b222f067e054b) -Signed-off-by: Jan Macku ---- - lib/http_chunks.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/lib/http_chunks.c b/lib/http_chunks.c -index 039c179c4..ad1ee9ada 100644 ---- a/lib/http_chunks.c -+++ b/lib/http_chunks.c -@@ -152,6 +152,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - ch->hexbuffer[ch->hexindex++] = *buf; - buf++; - blen--; -+ (*pconsumed)++; - } - else { - char *endptr; -@@ -189,6 +190,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_DATA: -@@ -236,6 +238,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - } - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_TRAILER: -@@ -293,6 +296,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - } - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_TRAILER_CR: -@@ -300,6 +304,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - ch->state = CHUNK_TRAILER_POSTCR; - buf++; - blen--; -+ (*pconsumed)++; - } - else { - ch->state = CHUNK_FAILED; -@@ -320,6 +325,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - /* skip if CR */ - buf++; - blen--; -+ (*pconsumed)++; - } - /* now wait for the final LF */ - ch->state = CHUNK_STOP; -@@ -328,6 +334,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - case CHUNK_STOP: - if(*buf == 0x0a) { - 
blen--; -+ (*pconsumed)++; - /* Record the length of any data left in the end of the buffer - even if there's no more chunks to read */ - ch->datasize = blen; --- -2.43.2 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 328d3a4..2edb7c8 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From 84b7e1cf486761e99361f5dcf5879cd7baf51b58 Mon Sep 17 00:00:00 2001 +From dcc0efa441abace568e00bf930889da78356d041 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Thu, 1 Feb 2024 13:01:23 +0100 -Subject: [PATCH 2/2] prevent multilib conflicts on the curl-config script +Date: Wed, 27 Mar 2024 10:16:03 +0100 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -60,15 +60,15 @@ index 54f92d9..15a60da 100644 *) diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index c142cb9..0e189b4 100644 +index 2d5617c..0d90aaa 100644 --- a/docs/curl-config.1 +++ b/docs/curl-config.1 -@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they will appear - comma\-separated. (Added in 7.58.0) +@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they appear comma\-separated. + (Added in 7.58.0) .IP --static-libs - Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) -+to link your application with libcurl statically. Note that Fedora/RHEL libcurl + Shows the complete set of libs and other linker options you need in order to +-link your application with libcurl statically. (Added in 7.17.1) ++link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) .IP --version @@ -87,5 +87,5 @@ index 9db6b0f..dcac692 100644 Name: libcurl URL: https://curl.se/ -- -2.43.0 +2.44.0 
diff --git a/curl.spec b/curl.spec index 5118b71..31141a4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.6.0 -Release: 7%{?dist} +Version: 8.7.1 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,19 +10,11 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# remove duplicate content from curl-config.1 -Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch +# fix issue with --compressed option +Patch001: 0001-curl-8.7.1-fix-compressed-option.patch -# ignore response bode to HEAD requests -# https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa -Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch - -# revert "receive max buffer" + add test case -# it breaks pycurl tests suite -Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch - -# Fix: Leftovers after chunking should not be part of the curl buffer output -Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch +# fix chunked POST via callback regression +Patch002: 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -212,12 +204,9 @@ be installed. %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# temporarily disable test 0313 -# -# # disable test 1801 # -printf "313\n1801\n" >> tests/data/DISABLED +printf "1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} 
@@ -254,7 +243,8 @@ export common_configure_opts=" \ --with-gssapi \ --with-libidn2 \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ + --with-zsh-functions-dir" %global _configure ../configure @@ -361,21 +351,12 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal cd build-full %make_install -# install zsh completion for curl -# (we have to override LD_LIBRARY_PATH because we eliminated rpath) -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ - %make_install -C scripts - # do not install /usr/share/fish/completions/curl.fish which is also installed # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la -# Don't install man for mk-ca-bundle it's upstream bug -# should be fixed in next release https://github.com/curl/curl/pull/12843 -rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* - %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal @@ -384,6 +365,7 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %doc CHANGES %doc README %doc docs/BUGS.md +%doc docs/DISTROS.md %doc docs/FAQ %doc docs/FEATURES.md %doc docs/TODO 
@@ -414,6 +396,17 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 27 2024 Jan Macku - 8.7.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-2004 - Usage of disabled protocol + CVE-2024-2379 - QUIC certificate check bypass with wolfSSL + CVE-2024-2398 - HTTP/2 push headers memory-leak + CVE-2024-2466 - TLS certificate check bypass with mbedTLS +- drop upstreamed patches +- reenable test 0313 +- fix zsh completions, use --with-zsh-functions-dir +- apply upstream patches for 8.7.1 issues and regressions + * Mon Feb 19 2024 Jan Macku - 8.6.0-7 - Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) diff --git a/sources b/sources index 9c9d4a1..9576bf7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.6.0.tar.xz) = 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036 -SHA512 (curl-8.6.0.tar.xz.asc) = 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f +SHA512 (curl-8.7.1.tar.xz) = 5bbde9d5648e9226f5490fa951690aaf159149345f3a315df2ba58b2468f3e59ca32e8a49734338afc861803a4f81caac6d642a4699b72c6310ebfb1f618aad2 +SHA512 (curl-8.7.1.tar.xz.asc) = f98c393997c4a32f545a8982226e8cd612395210915a4576c2ce227d0f650cff341be7bf15e989d1789abf32ac4fd9c190b9250b81e650b569e8532048746b37 From 2e7c137de767af8396e260d2a9117bbb54ea5c95 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 3 Apr 2024 14:48:39 +0200 Subject: [PATCH 04/57] Resolves: CVE-2024-2004 - Usage of disabled protocol --- 0005-curl-8.6.0-CVE-2024-2004.patch | 138 ++++++++++++++++++++++++++++ curl.spec | 8 +- 2 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 0005-curl-8.6.0-CVE-2024-2004.patch 
diff --git a/0005-curl-8.6.0-CVE-2024-2004.patch b/0005-curl-8.6.0-CVE-2024-2004.patch
new file mode 100644
index 0000000..770c391
--- /dev/null
+++ b/0005-curl-8.6.0-CVE-2024-2004.patch
@@ -0,0 +1,138 @@ +From c8dac4ba172c145dbdf924a5e309fe7539b3610e Mon Sep 17 00:00:00 2001 +From: Daniel Gustafsson +Date: Tue, 27 Feb 2024 15:43:56 +0100 +Subject: [PATCH 1/2] setopt: Fix disabling all protocols + +When disabling all protocols without enabling any, the resulting +set of allowed protocols remained the default set. Clearing the +allowed set before inspecting the passed value from --proto make +the set empty even in the errorpath of no protocols enabled. + +Co-authored-by: Dan Fandrich +Reported-by: Dan Fandrich +Reviewed-by: Daniel Stenberg +Closes: #13004 +(cherry picked from commit 17d302e56221f5040092db77d4f85086e8a20e0e) +Signed-off-by: Jan Macku +--- + lib/setopt.c | 16 ++++++++-------- + tests/data/Makefile.inc | 2 +- + tests/data/test1474 | 42 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 51 insertions(+), 9 deletions(-) + create mode 100644 tests/data/test1474 + +diff --git a/lib/setopt.c b/lib/setopt.c +index a5270773f..3891eb679 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -155,6 +155,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp) + + static CURLcode protocol2num(const char *str, curl_prot_t *val) + { ++ /* ++ * We are asked to cherry-pick protocols, so play it safe and disallow all ++ * protocols to start with, and re-add the wanted ones back in. 
++ */ ++ *val = 0; ++ + if(!str) + return CURLE_BAD_FUNCTION_ARGUMENT; + +@@ -163,8 +169,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val) + return CURLE_OK; + } + +- *val = 0; +- + do { + const char *token = str; + size_t tlen; +@@ -2657,22 +2661,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + break; + + case CURLOPT_PROTOCOLS_STR: { +- curl_prot_t prot; + argptr = va_arg(param, char *); +- result = protocol2num(argptr, &prot); ++ result = protocol2num(argptr, &data->set.allowed_protocols); + if(result) + return result; +- data->set.allowed_protocols = prot; + break; + } + + case CURLOPT_REDIR_PROTOCOLS_STR: { +- curl_prot_t prot; + argptr = va_arg(param, char *); +- result = protocol2num(argptr, &prot); ++ result = protocol2num(argptr, &data->set.redir_protocols); + if(result) + return result; +- data->set.redir_protocols = prot; + break; + } + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index cd393da75..011aa4607 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -186,7 +186,7 @@ test1439 test1440 test1441 test1442 test1443 test1444 test1445 test1446 \ + test1447 test1448 test1449 test1450 test1451 test1452 test1453 test1454 \ + test1455 test1456 test1457 test1458 test1459 test1460 test1461 test1462 \ + test1463 test1464 test1465 test1466 test1467 test1468 test1469 test1470 \ +-test1471 test1472 test1473 test1475 test1476 test1477 test1478 \ ++test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 \ + \ + test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ + test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \ +diff --git a/tests/data/test1474 b/tests/data/test1474 +new file mode 100644 +index 000000000..c66fa2810 +--- /dev/null ++++ b/tests/data/test1474 +@@ -0,0 +1,42 @@ ++ ++ ++ ++HTTP ++HTTP GET ++--proto ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++none ++ ++ ++http ++ ++ 
++--proto -all disables all protocols ++ ++ ++--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# 1 - Protocol "http" disabled ++ ++1 ++ ++ ++ +-- +2.44.0 + diff --git a/curl.spec b/curl.spec index 5118b71..563b995 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 7%{?dist} +Release: 8%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -24,6 +24,9 @@ Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch # Fix: Leftovers after chunking should not be part of the curl buffer output Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch +# fix Usage of disabled protocol (CVE-2024-2004) +Patch005: 0005-curl-8.6.0-CVE-2024-2004.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -414,6 +417,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Apr 03 2024 Jan Macku - 8.6.0-8 +- fix Usage of disabled protocol (CVE-2024-2004) + * Mon Feb 19 2024 Jan Macku - 8.6.0-7 - Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) From b042b47525ca52f7dd337ae67763d7c60ff725cb Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 3 Apr 2024 14:51:00 +0200 Subject: [PATCH 05/57] Resolves: CVE-2024-2398 - HTTP/2 push headers memory-leak --- 0006-curl-8.6.0-CVE-2024-2398.patch | 95 +++++++++++++++++++++++++++++ curl.spec | 4 ++ 2 files changed, 99 insertions(+) create mode 100644 0006-curl-8.6.0-CVE-2024-2398.patch diff --git a/0006-curl-8.6.0-CVE-2024-2398.patch b/0006-curl-8.6.0-CVE-2024-2398.patch new file mode 100644 index 0000000..a431c53 --- /dev/null +++ b/0006-curl-8.6.0-CVE-2024-2398.patch 
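Review bot: Moving `*val = 0;` ahead of the `if(!str)` check changes the contract of `protocol2num`: it now writes `*val` before validating its input, and since `Curl_vsetopt` now passes `&data->set.allowed_protocols` and `&data->set.redir_protocols` directly, a failing `CURLOPT_PROTOCOLS_STR` or `CURLOPT_REDIR_PROTOCOLS_STR` call leaves the handle with an empty protocol set instead of its previous value. That is the fail-closed direction the description asks for, but an application that ignores the setopt return value will see every later transfer refused, so it should be stated where the result is checked, e.g. `/* on error the allowed set is left empty: fail closed rather than keep the old value */` before the `return result;` in both cases. The parsing part of `protocol2num` between the `if(!str)` check and the `do` loop, and the rest of `Curl_vsetopt`, lie outside the hunk. The `tests/data/test1474` file as rendered here has its XML tags stripped, so its structure cannot be checked from this page.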
@@ -0,0 +1,95 @@ +From 62ff9aab364ca19cf858972aa1b1f00042763a8a Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 + +(cherry picked from commit deca8039991886a559b67bcd6701db800a5cf764) +Signed-off-by: Jan Macku +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index c3157d1ef..501dc355f 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf, + return CURLE_OK; + } + ++static void free_push_headers(struct stream_ctx *stream) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + static void http2_data_done(struct Curl_cfilter *cf, + struct Curl_easy *data, bool premature) + { +@@ -317,15 +326,7 @@ static void http2_data_done(struct Curl_cfilter *cf, + Curl_bufq_free(&stream->recvbuf); + Curl_h1_req_parse_free(&stream->h1); + Curl_dynhds_free(&stream->resp_trailers); +- if(stream->push_headers) { +- /* if they weren't used and then freed before */ +- for(; stream->push_headers_used > 0; --stream->push_headers_used) { +- free(stream->push_headers[stream->push_headers_used - 1]); +- } +- free(stream->push_headers); +- stream->push_headers = NULL; +- } +- ++ free_push_headers(stream); + free(stream); + H2_STREAM_LCTX(data) = NULL; + } +@@ -872,7 +873,6 @@ static int push_promise(struct Curl_cfilter *cf, + struct curl_pushheaders heads; + CURLMcode rc; + CURLcode result; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = h2_duphandle(cf, data); + if(!newhandle) { +@@ -917,11 +917,7 @@ static int push_promise(struct Curl_cfilter *cf, + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 
0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); +@@ -1468,14 +1464,14 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, + if(stream->push_headers_alloc > 1000) { + /* this is beyond crazy many headers, bail out */ + failf(data_s, "Too many PUSH_PROMISE headers"); +- Curl_safefree(stream->push_headers); ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; +-- +2.44.0 + diff --git a/curl.spec b/curl.spec index 563b995..d5de433 100644 --- a/curl.spec +++ b/curl.spec @@ -27,6 +27,9 @@ Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch # fix Usage of disabled protocol (CVE-2024-2004) Patch005: 0005-curl-8.6.0-CVE-2024-2004.patch +# fix HTTP/2 push headers memory-leak (CVE-2024-2398) +Patch006: 0006-curl-8.6.0-CVE-2024-2398.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -419,6 +422,7 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %changelog * Wed Apr 03 2024 Jan Macku - 8.6.0-8 - fix Usage of disabled protocol (CVE-2024-2004) +- fix HTTP/2 push headers memory-leak (CVE-2024-2398) * Mon Feb 19 2024 Jan Macku - 8.6.0-7 - Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) From 24a6093c53e89bfe6f0084edfa4f47d033367fe1 Mon Sep 17 00:00:00 2001 
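Review bot: The switch from `Curl_saferealloc` to plain `realloc` in `on_header` is load-bearing and deserves a comment, because the failure branch right below now calls `free_push_headers(stream)` on the old array; with `Curl_saferealloc`, which as far as I recall releases its input when the reallocation fails, the same pointer would be freed twice. A line such as `/* plain realloc: on failure the old array is still ours to free below */` above the call would stop a later cleanup from reinstating the wrapper. `free_push_headers` itself could carry a one-line header stating that it is safe on a stream whose `push_headers` is NULL — which holds as long as `push_headers_used` is 0 whenever the array is NULL, an invariant the `http2_data_done` caller now relies on after dropping its `if(stream->push_headers)` guard. The growth check in `on_header` that precedes the `push_headers_alloc > 1000` test, and the callback invocation in `push_promise`, are outside the hunk.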
From: Jan Macku
Date: Wed, 22 May 2024 12:44:18 +0200
Subject: [PATCH 06/57] new upstream release - 8.8.0
---
 0001-curl-8.7.1-fix-compressed-option.patch | 174 ------------------
 0001-curl-8.8.0-install-config-man.patch | 26 +++
 ...-8.7.1-fix-chunked-POST-via-callback.patch | 69 -------
 0101-curl-7.32.0-multilib.patch | 119 ++++++------
 0102-curl-7.84.0-test3026.patch | 18 +-
 curl.spec | 13 +-
 sources | 4 +-
 7 files changed, 104 insertions(+), 319 deletions(-)
 delete mode 100644 0001-curl-8.7.1-fix-compressed-option.patch
 create mode 100644 0001-curl-8.8.0-install-config-man.patch
 delete mode 100644 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch
diff --git a/0001-curl-8.7.1-fix-compressed-option.patch b/0001-curl-8.7.1-fix-compressed-option.patch
deleted file mode 100644
index dc2e720..0000000
--- a/0001-curl-8.7.1-fix-compressed-option.patch
+++ /dev/null
@@ -1,174 +0,0 @@ -From 8f1a06a9efe1048c7ad17af43ae7d4b26de8117e Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 28 Mar 2024 11:08:15 +0100 -Subject: [PATCH 1/2] content_encoding: brotli and others, pass through - 0-length writes - -- curl's transfer handling may write 0-length chunks at the end of the - download with an EOS flag. (HTTP/2 does this commonly) - -- content encoders need to pass-through such a write and not count this - as error in case they are finished decoding - -Fixes #13209 -Fixes #13212 -Closes #13219 - -(cherry picked from commit b30d694a027eb771c02a3db0dee0ca03ccab7377) -Signed-off-by: Jan Macku ---- - lib/content_encoding.c | 10 +++++----- - tests/http/test_02_download.py | 13 +++++++++++++ - tests/http/testenv/env.py | 7 ++++++- - tests/http/testenv/httpd.py | 20 ++++++++++++++++++++ - 4 files changed, 44 insertions(+), 6 deletions(-) - -diff --git a/lib/content_encoding.c b/lib/content_encoding.c -index c1abf24e8..8e926dd2e 100644 ---- a/lib/content_encoding.c -+++ b/lib/content_encoding.c -@@ -300,7 +300,7 @@ static CURLcode deflate_do_write(struct Curl_easy *data, - struct zlib_writer *zp = (struct zlib_writer *) writer; - z_stream *z = &zp->z; /* zlib state structure */ - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - /* Set the compressed input when this function is called */ -@@ -457,7 +457,7 @@ static CURLcode gzip_do_write(struct Curl_easy *data, - struct zlib_writer *zp = (struct zlib_writer *) writer; - z_stream *z = &zp->z; /* zlib state structure */ - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(zp->zlib_init == ZLIB_INIT_GZIP) { -@@ -669,7 +669,7 @@ static CURLcode brotli_do_write(struct Curl_easy *data, - CURLcode result = CURLE_OK; - BrotliDecoderResult r = BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT; - -- 
if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(!bp->br) -@@ -762,7 +762,7 @@ static CURLcode zstd_do_write(struct Curl_easy *data, - ZSTD_outBuffer out; - size_t errorCode; - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(!zp->decomp) { -@@ -916,7 +916,7 @@ static CURLcode error_do_write(struct Curl_easy *data, - (void) buf; - (void) nbytes; - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - failf(data, "Unrecognized content encoding type. " -diff --git a/tests/http/test_02_download.py b/tests/http/test_02_download.py -index 4db9c9d36..395fc862f 100644 ---- a/tests/http/test_02_download.py -+++ b/tests/http/test_02_download.py -@@ -394,6 +394,19 @@ class TestDownload: - r = client.run(args=[url]) - r.check_exit_code(0) - -+ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) -+ def test_02_28_get_compressed(self, env: Env, httpd, nghttpx, repeat, proto): -+ if proto == 'h3' and not env.have_h3(): -+ pytest.skip("h3 not supported") -+ count = 1 -+ urln = f'https://{env.authority_for(env.domain1brotli, proto)}/data-100k?[0-{count-1}]' -+ curl = CurlClient(env=env) -+ r = curl.http_download(urls=[urln], alpn_proto=proto, extra_args=[ -+ '--compressed' -+ ]) -+ r.check_exit_code(code=0) -+ r.check_response(count=count, http_status=200) -+ - def check_downloads(self, client, srcfile: str, count: int, - complete: bool = True): - for i in range(count): -diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py -index a207059dc..13c5d6bd4 100644 ---- a/tests/http/testenv/env.py -+++ b/tests/http/testenv/env.py -@@ -129,10 +129,11 @@ class EnvConfig: - self.htdocs_dir = os.path.join(self.gen_dir, 'htdocs') - self.tld = 'http.curl.se' - self.domain1 = 
f"one.{self.tld}" -+ self.domain1brotli = f"brotli.one.{self.tld}" - self.domain2 = f"two.{self.tld}" - self.proxy_domain = f"proxy.{self.tld}" - self.cert_specs = [ -- CertificateSpec(domains=[self.domain1, 'localhost'], key_type='rsa2048'), -+ CertificateSpec(domains=[self.domain1, self.domain1brotli, 'localhost'], key_type='rsa2048'), - CertificateSpec(domains=[self.domain2], key_type='rsa2048'), - CertificateSpec(domains=[self.proxy_domain, '127.0.0.1'], key_type='rsa2048'), - CertificateSpec(name="clientsX", sub_specs=[ -@@ -376,6 +377,10 @@ class Env: - def domain1(self) -> str: - return self.CONFIG.domain1 - -+ @property -+ def domain1brotli(self) -> str: -+ return self.CONFIG.domain1brotli -+ - @property - def domain2(self) -> str: - return self.CONFIG.domain2 -diff --git a/tests/http/testenv/httpd.py b/tests/http/testenv/httpd.py -index c04c22699..b8615875a 100644 ---- a/tests/http/testenv/httpd.py -+++ b/tests/http/testenv/httpd.py -@@ -50,6 +50,7 @@ class Httpd: - 'alias', 'env', 'filter', 'headers', 'mime', 'setenvif', - 'socache_shmcb', - 'rewrite', 'http2', 'ssl', 'proxy', 'proxy_http', 'proxy_connect', -+ 'brotli', - 'mpm_event', - ] - COMMON_MODULES_DIRS = [ -@@ -203,6 +204,7 @@ class Httpd: - - def _write_config(self): - domain1 = self.env.domain1 -+ domain1brotli = self.env.domain1brotli - creds1 = self.env.get_credentials(domain1) - domain2 = self.env.domain2 - creds2 = self.env.get_credentials(domain2) -@@ -285,6 +287,24 @@ class Httpd: - f'', - f'', - ]) -+ # Alternate to domain1 with BROTLI compression -+ conf.extend([ # https host for domain1, h1 + h2 -+ f'', -+ f' ServerName {domain1brotli}', -+ f' Protocols h2 http/1.1', -+ f' SSLEngine on', -+ f' SSLCertificateFile {creds1.cert_file}', -+ f' SSLCertificateKeyFile {creds1.pkey_file}', -+ f' DocumentRoot "{self._docs_dir}"', -+ f' SetOutputFilter BROTLI_COMPRESS', -+ ]) -+ conf.extend(self._curltest_conf(domain1)) -+ if domain1 in self._extra_configs: -+ 
conf.extend(self._extra_configs[domain1]) -+ conf.extend([ -+ f'', -+ f'', -+ ]) - conf.extend([ # https host for domain2, no h2 - f'', - f' ServerName {domain2}', --- -2.44.0 - diff --git a/0001-curl-8.8.0-install-config-man.patch b/0001-curl-8.8.0-install-config-man.patch new file mode 100644 index 0000000..74b13f0 --- /dev/null +++ b/0001-curl-8.8.0-install-config-man.patch @@ -0,0 +1,26 @@ +From 4cc5657247183a0bc3b0969beeaea9acddb09d22 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 22 May 2024 08:43:43 +0200 +Subject: [PATCH] docs/Makefile.am: make curl-config.1 install + +on "make install" like it should + +Follow-up to 60971d665b9b1df87082 + +Closes #13741 +--- + docs/Makefile.am | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/docs/Makefile.am b/docs/Makefile.am +index 83f5b0c461cc0f..e9ef6284860555 100644 +--- a/docs/Makefile.am ++++ b/docs/Makefile.am +@@ -28,6 +28,7 @@ if BUILD_DOCS + # if we disable man page building, ignore these + MK_CA_DOCS = mk-ca-bundle.1 + CURLCONF_DOCS = curl-config.1 ++man_MANS = curl-config.1 + endif + + CURLPAGES = curl-config.md mk-ca-bundle.md diff --git a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch deleted file mode 100644 index 5421984..0000000 --- a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 2c20a15717bd408ce225dd8707c1798136f084f5 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Mon, 1 Apr 2024 15:41:18 +0200 -Subject: [PATCH 2/2] http: with chunked POST forced, disable length check on - read callback - -- when an application forces HTTP/1.1 chunked transfer encoding - by setting the corresponding header and instructs curl to use - the CURLOPT_READFUNCTION, disregard any POST length information. -- this establishes backward compatibility with previous curl versions - -Applications are encouraged to not force "chunked", but rather -set length information for a POST. By setting -1, curl will -auto-select chunked on HTTP/1.1 and work properly on other HTTP -versions. - -Reported-by: Jeff King -Fixes #13229 -Closes #13257 - -(cherry picked from commit 721941aadf4adf4f6aeb3f4c0ab489bb89610c36) -Signed-off-by: Jan Macku ---- - lib/http.c | 22 ++++++++++++++++++++-- - 1 file changed, 20 insertions(+), 2 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index 92c04e69c..a764d3c44 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -2046,8 +2046,19 @@ static CURLcode set_reader(struct Curl_easy *data, Curl_HttpReq httpreq) - else - result = Curl_creader_set_null(data); - } -- else { /* we read the bytes from the callback */ -- result = Curl_creader_set_fread(data, postsize); -+ else { -+ /* we read the bytes from the callback. In case "chunked" encoding -+ * is forced by the application, we disregard `postsize`. This is -+ * a backward compatibility decision to earlier versions where -+ * chunking disregarded this. See issue #13229. */ -+ bool chunked = FALSE; -+ char *ptr = Curl_checkheaders(data, STRCONST("Transfer-Encoding")); -+ if(ptr) { -+ /* Some kind of TE is requested, check if 'chunked' is chosen */ -+ chunked = Curl_compareheader(ptr, STRCONST("Transfer-Encoding:"), -+ STRCONST("chunked")); -+ } -+ result = Curl_creader_set_fread(data, chunked? 
-1 : postsize); - } - return result; - -@@ -2115,6 +2126,13 @@ CURLcode Curl_http_req_set_reader(struct Curl_easy *data, - data->req.upload_chunky = - Curl_compareheader(ptr, - STRCONST("Transfer-Encoding:"), STRCONST("chunked")); -+ if(data->req.upload_chunky && -+ Curl_use_http_1_1plus(data, data->conn) && -+ (data->conn->httpversion >= 20)) { -+ infof(data, "suppressing chunked transfer encoding on connection " -+ "using HTTP version 2 or higher"); -+ data->req.upload_chunky = FALSE; -+ } - } - else { - curl_off_t req_clen = Curl_creader_total_length(data); --- -2.44.0 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 2edb7c8..f3636dc 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,81 +1,82 @@ -From dcc0efa441abace568e00bf930889da78356d041 Mon Sep 17 00:00:00 2001 +From f4e7b98fb25ff737af29908f3a2081cca9a73437 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 27 Mar 2024 10:16:03 +0100 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +Date: Wed, 22 May 2024 13:00:08 +0200 +Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script --- - curl-config.in | 23 +++++------------------ - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + + curl-config.in | 23 +++++------------------ + docs/curl-config.md | 4 +++- + libcurl.pc.in | 1 + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 54f92d9..15a60da 100644 +index 085bb1ef5..e4700260e 100644 --- a/curl-config.in 
+++ b/curl-config.in -@@ -78,7 +78,7 @@ while test $# -gt 0; do - ;; +@@ -73,7 +73,7 @@ while test "$#" -gt 0; do + ;; - --cc) -- echo "@CC@" -+ echo "gcc" - ;; + --cc) +- echo '@CC@' ++ echo "gcc" + ;; - --prefix) -@@ -157,32 +157,19 @@ while test $# -gt 0; do - ;; + --prefix) +@@ -153,16 +153,7 @@ while test "$#" -gt 0; do + ;; - --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then -- CURLLIBDIR="-L@libdir@ " -- else -- CURLLIBDIR="" -- fi -- if test "X@ENABLE_SHARED@" = "Xno"; then -- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ -- else -- echo ${CURLLIBDIR}-lcurl -- fi -+ echo -lcurl - ;; - --ssl-backends) - echo "@SSL_BACKENDS@" - ;; + --libs) +- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- CURLLIBDIR="-L@libdir@ " +- else +- CURLLIBDIR="" +- fi +- if test "X@ENABLE_SHARED@" = "Xno"; then +- echo "${CURLLIBDIR}-lcurl @LIBCURL_LIBS@" +- else +- echo "${CURLLIBDIR}-lcurl" +- fi ++ echo -lcurl + ;; - --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ -- else -- echo "curl was built with static libraries disabled" >&2 -- exit 1 -- fi -+ echo "curl was built with static libraries disabled" >&2 -+ exit 1 - ;; + --ssl-backends) +@@ -170,16 +161,12 @@ while test "$#" -gt 0; do + ;; - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; + --static-libs) +- if test "X@ENABLE_STATIC@" != "Xno" ; then +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ +- else +- echo 'curl was built with static libraries disabled' >&2 +- exit 1 +- fi ++ echo "curl was built with static libraries disabled" >&2 ++ exit 1 + ;; + + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; + + *) +diff --git a/docs/curl-config.md b/docs/curl-config.md +index d82725082..a79f816e2 100644 +--- a/docs/curl-config.md ++++ 
b/docs/curl-config.md +@@ -86,7 +86,9 @@ no, one or several names. If more than one name, they appear comma-separated. + ## --static-libs - *) -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 2d5617c..0d90aaa 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they appear comma\-separated. - (Added in 7.58.0) - .IP --static-libs Shows the complete set of libs and other linker options you need in order to -link your application with libcurl statically. (Added in 7.17.1) +link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP --version - Outputs version information about the installed libcurl. - .IP --vernum + + ## --version + diff --git a/libcurl.pc.in b/libcurl.pc.in -index 9db6b0f..dcac692 100644 +index 9db6b0f89..dcac6925a 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -31,6 +31,7 @@ libdir=@libdir@ @@ -87,5 +88,5 @@ index 9db6b0f..dcac692 100644 Name: libcurl URL: https://curl.se/ -- -2.44.0 +2.45.1 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 1098583..82f4642 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -1,7 +1,7 @@ -From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 27 Jun 2022 16:50:57 +0200 -Subject: [PATCH] test3026: disable valgrind +From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 22 May 2024 13:03:43 +0200 +Subject: [PATCH 2/2] test3026: disable valgrind It fails on x86_64 with: ``` @@ -39,7 +39,7 @@ It fails on x86_64 with: 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/data/test3026 b/tests/data/test3026 -index fb80cc8..01f2ba5 100644 +index ee9b30678..dd582c3e5 100644 --- a/tests/data/test3026 +++ b/tests/data/test3026 
@@ -41,5 +41,8 @@ none @@ -52,10 +52,10 @@ index fb80cc8..01f2ba5 100644 diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 43fe335..70cd7a4 100644 +index 7e914010e..39374f5bc 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c -@@ -147,8 +147,8 @@ int test(char *URL) +@@ -145,8 +145,8 @@ CURLcode test(char *URL) results[i] = CURL_LAST; /* initialize with invalid value */ res = pthread_create(&tids[i], NULL, run_thread, &results[i]); if(res) { @@ -64,8 +64,8 @@ index 43fe335..70cd7a4 100644 + fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", + __FILE__, __LINE__, i, res); tid_count = i; - test_failure = -1; + test_failure = (CURLcode)-1; goto cleanup; -- -2.37.1 +2.45.1 diff --git a/curl.spec b/curl.spec index 31141a4..8be220b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.7.1 +Version: 8.8.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,11 +10,8 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix issue with --compressed option -Patch001: 0001-curl-8.7.1-fix-compressed-option.patch - -# fix chunked POST via callback regression -Patch002: 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch +# install curl-config man page +Patch001: 0001-curl-8.8.0-install-config-man.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -396,6 +393,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 22 2024 Jan Macku - 8.8.0-1 +- new upstream release +- drop upstreamed patches + * Wed Mar 27 2024 Jan Macku - 8.7.1-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-2004 - Usage of disabled protocol 
diff --git a/sources b/sources index 9576bf7..d6dbc8c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.7.1.tar.xz) = 5bbde9d5648e9226f5490fa951690aaf159149345f3a315df2ba58b2468f3e59ca32e8a49734338afc861803a4f81caac6d642a4699b72c6310ebfb1f618aad2 -SHA512 (curl-8.7.1.tar.xz.asc) = f98c393997c4a32f545a8982226e8cd612395210915a4576c2ce227d0f650cff341be7bf15e989d1789abf32ac4fd9c190b9250b81e650b569e8532048746b37 +SHA512 (curl-8.8.0.tar.xz) = 9d2c0d3a0d8f6c31ba4fabe48f801910f886fde43dc198dc4213708d6967ed5e040a1bb7348aa1cb126577ee508a3ec36fe65256d027d861d6ffb70f6383967a +SHA512 (curl-8.8.0.tar.xz.asc) = 37b501770225dff6b1e7bde1157f556f10ec1c597fcbbb5c8b8c370efb97a3a70f585f2f5c201b96380d68466696474a5f65a07da59b704678d6927567d25359 From 781fa86ead65acd7063f1ae4a061f7d0e0f4f638 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Fri, 12 Jul 2024 08:06:48 +0100 Subject: [PATCH 07/57] adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine Added build condition for openssl_engine_support, true by default so as to not change the resulting built package (yet) - With openssl_engine_support true, BR: openssl-devel-engine - With openssl_engine_support false, build with -DOPENSSL_NO_ENGINE --- .gitignore | 2 ++ curl.spec | 23 ++++++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index e91a948..cd6f067 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +/curl-[0-9.]*.tar.lzma +/curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc /curl-[0-9].[0-9].[0-9]/ diff --git a/curl.spec b/curl.spec index 8be220b..57d36cb 100644 --- a/curl.spec +++ b/curl.spec 
@@ -1,7 +1,13 @@
+# OpenSSL ENGINE support
+# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41
+# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
+# Change the bcond to 0 to turn off ENGINE support by default
+%bcond openssl_engine_support 1
+
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.8.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -49,6 +55,9 @@ BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
 BuildRequires: openssl-devel
+%if %{with openssl_engine_support}
+BuildRequires: openssl-devel-engine
+%endif
 BuildRequires: perl-interpreter
 BuildRequires: pkgconfig
 BuildRequires: python-unversioned-command
@@ -125,6 +134,11 @@ BuildRequires: stunnel
 # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
 Requires: libcurl%{?_isa} >= %{version}-%{release}
 
+# Define OPENSSL_NO_ENGINE to avoid inclusion of
+%if %{without openssl_engine_support}
+%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE
+%endif
+
 # require at least the version of libnghttp2 that we were built against,
 # to ensure that we have the necessary symbols available (#2144277)
 %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0)
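Review bot: The comment `# Define OPENSSL_NO_ENGINE to avoid inclusion of` in the third hunk stops mid-sentence and never says what is being avoided; finish it, e.g. `# Define OPENSSL_NO_ENGINE so the OpenSSL backend is built without ENGINE support when the bcond is off`. Nothing in the hunk shows where `%_preprocessor_defines` is consumed, so it is worth confirming in a scratch build with the bcond disabled that the define actually reaches the compiler, and checking whether curl's configure probes the ENGINE API independently of it. The two earlier hunks on this line (the `%bcond` block and the conditional `BuildRequires`) read fine as written.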
@@ -393,6 +407,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jul 12 2024 Paul Howarth - 8.8.0-2 +- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +- added build condition for openssl_engine_support, true by default so as to + not change the resulting built package (yet) +- with openssl_engine_support true, BR: openssl-devel-engine +- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE + * Wed May 22 2024 Jan Macku - 8.8.0-1 - new upstream release - drop upstreamed patches From ed1f78db34d5cf8e1aede9d6d2df5e1952d5c634 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 20:23:31 +0000 Subject: [PATCH 08/57] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 57d36cb..d665c95 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.8.0 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Fri Jul 12 2024 Paul Howarth - 8.8.0-2 - adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine - added build condition for openssl_engine_support, true by default so as to From 27557f07463358e21eb63d1502dc2a2b979b775e Mon Sep 17 00:00:00 2001 
From: Jan Macku Date: Wed, 24 Jul 2024 14:59:53 +0200 Subject: [PATCH 09/57] new upstream release - 8.9.0 --- 0001-curl-8.8.0-install-config-man.patch | 26 ------------------------ 0104-curl-7.88.0-tests-warnings.patch | 14 ++++++------- curl.spec | 13 +++++++----- sources | 4 ++-- 4 files changed, 17 insertions(+), 40 deletions(-) delete mode 100644 0001-curl-8.8.0-install-config-man.patch diff --git a/0001-curl-8.8.0-install-config-man.patch b/0001-curl-8.8.0-install-config-man.patch deleted file mode 100644 index 74b13f0..0000000 --- a/0001-curl-8.8.0-install-config-man.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 4cc5657247183a0bc3b0969beeaea9acddb09d22 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 22 May 2024 08:43:43 +0200 -Subject: [PATCH] docs/Makefile.am: make curl-config.1 install - -on "make install" like it should - -Follow-up to 60971d665b9b1df87082 - -Closes #13741 ---- - docs/Makefile.am | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/docs/Makefile.am b/docs/Makefile.am -index 83f5b0c461cc0f..e9ef6284860555 100644 ---- a/docs/Makefile.am -+++ b/docs/Makefile.am -@@ -28,6 +28,7 @@ if BUILD_DOCS - # if we disable man page building, ignore these - MK_CA_DOCS = mk-ca-bundle.1 - CURLCONF_DOCS = curl-config.1 -+man_MANS = curl-config.1 - endif - - CURLPAGES = curl-config.md mk-ca-bundle.md diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch index 04b2ba2..0977dee 100644 --- a/0104-curl-7.88.0-tests-warnings.patch +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -1,6 +1,6 @@ -From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 15 Feb 2023 10:42:38 +0100 +From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 24 Jul 2024 15:15:11 +0200 Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" While it might be useful for upstream developers, it is not so useful 
@@ -12,10 +12,10 @@ This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/runtests.pl b/tests/runtests.pl -index 71644ad18..0cf85c3fe 100755 +index 9cc9ef1..c9a1c5d 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl -@@ -55,8 +55,7 @@ +@@ -57,8 +57,7 @@ # given, this won't be a problem. use strict; @@ -23,8 +23,8 @@ index 71644ad18..0cf85c3fe 100755 -use warnings FATAL => 'all'; +use warnings; use 5.006; + use POSIX qw(strftime); - # These should be the only variables that might be needed to get edited: -- -2.39.1 +2.45.2 diff --git a/curl.spec b/curl.spec index d665c95..45436cc 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.8.0 -Release: 3%{?dist} +Version: 8.9.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,9 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# install curl-config man page -Patch001: 0001-curl-8.8.0-install-config-man.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -407,6 +404,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 24 2024 Jan Macku - 8.9.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-6874 - macidn punycode buffer overread + CVE-2024-6197 - freeing stack buffer in utf8asn1str +- drop upstreamed patches + * Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild diff --git a/sources b/sources index d6dbc8c..ba6559e 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.8.0.tar.xz) = 9d2c0d3a0d8f6c31ba4fabe48f801910f886fde43dc198dc4213708d6967ed5e040a1bb7348aa1cb126577ee508a3ec36fe65256d027d861d6ffb70f6383967a -SHA512 (curl-8.8.0.tar.xz.asc) = 37b501770225dff6b1e7bde1157f556f10ec1c597fcbbb5c8b8c370efb97a3a70f585f2f5c201b96380d68466696474a5f65a07da59b704678d6927567d25359 +SHA512 (curl-8.9.0.tar.xz) = 922c726cfa3a73954927a32f485248d7a53a3348638a6a01add1bc0a67a7d2ee9cdb7c78b6db84bb7e2fab9d2d5487a96d9071832198b63a86d2caaef85c9310 +SHA512 (curl-8.9.0.tar.xz.asc) = 44cc7053ac0fddcb5131e7806fcd793d70bd49c5549b2548bbcbe60fdf913f450e45861ff6497b30eb00fd84483302ff9b6c3aea6b66728d6e54dd7ffc388408 From 6ce0a7ff3764999b5f54b362f7a11415c83af53d Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 25 Jul 2024 14:59:58 +0200 Subject: [PATCH 10/57] Resolves: CVE-2024-6197 - freeing stack buffer in utf8asn1str --- 0007-curl-8.6.0-CVE-2024-6197.patch | 25 +++++++++++++++++++++++++ curl.spec | 8 +++++++- 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 0007-curl-8.6.0-CVE-2024-6197.patch diff --git a/0007-curl-8.6.0-CVE-2024-6197.patch b/0007-curl-8.6.0-CVE-2024-6197.patch new file mode 100644 index 0000000..ae5bf6c --- /dev/null +++ b/0007-curl-8.6.0-CVE-2024-6197.patch 
@@ -0,0 +1,25 @@
+From 5e1d97ac8d3ffebfaf50afe8641486ffc17ec9ba Mon Sep 17 00:00:00 2001
+From: z2_ <88509734+z2-2z@users.noreply.github.com>
+Date: Fri, 28 Jun 2024 14:45:47 +0200
+Subject: [PATCH] x509asn1: remove superfluous free()
+
+(cherry picked from commit 3a537a4db9e65e545ec45b1b5d5575ee09a2569d)
+---
+ lib/vtls/x509asn1.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
+index da079361d..2ccf6327a 100644
+--- a/lib/vtls/x509asn1.c
++++ b/lib/vtls/x509asn1.c
+@@ -389,7 +389,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
+ if(wc >= 0x00000800) {
+ if(wc >= 0x00010000) {
+ if(wc >= 0x00200000) {
+- free(buf);
+ /* Invalid char. size for target encoding. */
+ return CURLE_WEIRD_SERVER_REPLY;
+ }
+--
+2.45.2
+
diff --git a/curl.spec b/curl.spec
index d5de433..e607eba 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.6.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -30,6 +30,9 @@ Patch005: 0005-curl-8.6.0-CVE-2024-2004.patch
 
 # fix HTTP/2 push headers memory-leak (CVE-2024-2398)
 Patch006: 0006-curl-8.6.0-CVE-2024-2398.patch
+# fix freeing stack buffer in utf8asn1str (CVE-2024-6197)
+Patch007: 0007-curl-8.6.0-CVE-2024-6197.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -420,6 +423,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Thu Jul 25 2024 Jan Macku - 8.6.0-9
+- fix freeing stack buffer in utf8asn1str (CVE-2024-6197)
+
 * Wed Apr 03 2024 Jan Macku - 8.6.0-8
 - fix Usage of disabled protocol (CVE-2024-2004)
 - fix HTTP/2 push headers memory-leak (CVE-2024-2398)
From 4b8b6169a0f9fc8dc2aed034a4580078c4284a4b Mon Sep 17 00:00:00 2001
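Review bot: The backport drops `free(buf)` on the invalid-character path in utf8asn1str, but the hunk shows neither the declaration of `buf` nor the function's other exits, so before shipping it is worth confirming in the 8.6.0 tree that `buf` is the stack array the subject describes and that no other path in the function still frees it. The upstream commit (cherry-picked from 3a537a4d) was written against a newer tree; the unchanged blob ids in `index da079361d..2ccf6327a` show the patch applies, but a clean apply does not by itself establish that the surrounding allocation is the same. utf8asn1str starts and ends outside the hunk.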
From: Jan Macku Date: Tue, 30 Jul 2024 14:48:09 +0200 Subject: [PATCH 11/57] fix speed limiting fix for 32bit systems Resolves: #2301597 --- ....0-speed-throttling-precision-issues.patch | 45 +++++++++++++++++++ ...speed-limiting-fix-for-32bit-systems.patch | 41 +++++++++++++++++ curl.spec | 14 +++++- 3 files changed, 99 insertions(+), 1 deletion(-) create mode 100644 0008-curl-8.6.0-speed-throttling-precision-issues.patch create mode 100644 0009-curl-8.6.0-speed-limiting-fix-for-32bit-systems.patch diff --git a/0008-curl-8.6.0-speed-throttling-precision-issues.patch b/0008-curl-8.6.0-speed-throttling-precision-issues.patch new file mode 100644 index 0000000..6d52194 --- /dev/null +++ b/0008-curl-8.6.0-speed-throttling-precision-issues.patch 
@@ -0,0 +1,45 @@ +From 6db0d23dea968e65091261b9daa69325557e5ad0 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Tue, 5 Mar 2024 11:08:55 +0100 +Subject: [PATCH 1/2] transfer.c: break receive loop in speed limited transfers + +- the change breaks looping in transfer.c receive for transfers that are + speed limited on having gotten *some* bytes. +- the overall speed limit timing is done in multi.c + +Reported-by: Dmitry Karpov +Bug: https://curl.se/mail/lib-2024-03/0001.html +Closes #13050 + +(cherry picked from commit db5c9f4f9e0779b49624752b135281a0717b277b) +--- + lib/transfer.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 3ae4b61c0..6ceefd637 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -492,13 +492,14 @@ static CURLcode readwrite_data(struct Curl_easy *data, + buf = data->state.buffer; + bytestoread = data->set.buffer_size; + +- /* Observe any imposed speed limit */ + if(bytestoread && data->set.max_recv_speed) { +- curl_off_t net_limit = data->set.max_recv_speed - total_received; +- if(net_limit <= 0) ++ /* In case of speed limit on receiving: if this loop already got ++ * data, break out. If not, limit the amount of bytes to receive. ++ * The overall, timed, speed limiting is done in multi.c */ ++ if(total_received) + break; +- if((size_t)net_limit < bytestoread) +- bytestoread = (size_t)net_limit; ++ if((size_t)data->set.max_recv_speed < bytestoread) ++ bytestoread = (size_t)data->set.max_recv_speed; + } + + nread = Curl_xfer_recv_resp(data, buf, bytestoread, +-- +2.45.2 + diff --git a/0009-curl-8.6.0-speed-limiting-fix-for-32bit-systems.patch b/0009-curl-8.6.0-speed-limiting-fix-for-32bit-systems.patch new file mode 100644 index 0000000..4928dfb --- /dev/null +++ b/0009-curl-8.6.0-speed-limiting-fix-for-32bit-systems.patch 
@@ -0,0 +1,41 @@
+From 478cab9651d332d1bcb02114895d5a664ce6725a Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Fri, 26 Jul 2024 10:38:45 +0200
+Subject: [PATCH 2/2] transfer: speed limiting fix for 32bit systems
+
+When checking if a speed limit on receives applies, compare the receive
+sizes using the large int type to prevent an overflow on systems where
+size_t is 32bit.
+
+Fixes #14272
+Reported-by: Mamoru Tasaka
+Closes #14277
+
+(cherry picked from commit fc273027f16df2dd1eb66ffc7df417f605199e35)
+---
+ lib/transfer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 6ceefd637..66e444aa1 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -492,13 +492,13 @@ static CURLcode readwrite_data(struct Curl_easy *data,
+ buf = data->state.buffer;
+ bytestoread = data->set.buffer_size;
+
+- if(bytestoread && data->set.max_recv_speed) {
++ if(bytestoread && data->set.max_recv_speed > 0) {
+ /* In case of speed limit on receiving: if this loop already got
+ * data, break out. If not, limit the amount of bytes to receive.
+ * The overall, timed, speed limiting is done in multi.c */
+ if(total_received)
+ break;
+- if((size_t)data->set.max_recv_speed < bytestoread)
++ if(data->set.max_recv_speed < (curl_off_t)bytestoread)
+ bytestoread = (size_t)data->set.max_recv_speed;
+ }
+
+--
+2.45.2
+
diff --git a/curl.spec b/curl.spec
index e607eba..54b8b20 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.6.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -33,6 +33,14 @@ Patch006: 0006-curl-8.6.0-CVE-2024-2398.patch
 # fix freeing stack buffer in utf8asn1str (CVE-2024-6197)
 Patch007: 0007-curl-8.6.0-CVE-2024-6197.patch
 
+# fix speed throttling precision issues in transfer.c
+# https://curl.se/mail/lib-2024-03/0001.html
+Patch008: 0008-curl-8.6.0-speed-throttling-precision-issues.patch
+
+# fix speed limiting fix for 32bit systems
+# https://github.com/curl/curl/issues/14272
+Patch009: 0009-curl-8.6.0-speed-limiting-fix-for-32bit-systems.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -423,6 +431,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Tue Jul 30 2024 Jan Macku - 8.6.0-10
+- fix speed throttling precision issues in transfer.c
+- fix speed limiting fix for 32bit systems
+
 * Thu Jul 25 2024 Jan Macku - 8.6.0-9
 - fix freeing stack buffer in utf8asn1str (CVE-2024-6197)
 
From 40967e47b5a847174d8c923ad219882036d03bf0 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Wed, 31 Jul 2024 09:47:16 +0200
Subject: [PATCH 12/57] new upstream release - 8.9.1

---
 curl.spec | 5 ++++-
 sources | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/curl.spec b/curl.spec
index 45436cc..9ee3966 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@
 
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.9.0
+Version: 8.9.1
 Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
@@ -404,6 +404,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Jul 24 2024 Jan Macku - 8.9.1-1
+- new upstream release
+
 * Wed Jul 24 2024 Jan Macku - 8.9.0-1
 - new upstream release, which fixes the following vulnerabilities
 CVE-2024-6874 - macidn punycode buffer overread
diff --git a/sources b/sources
index ba6559e..e35c435 100644
--- a/sources
+++ b/sources
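Review bot: The comment `# fix speed limiting fix for 32bit systems` above the new Patch009 line reads as a doubled "fix", and the changelog hunk later on this line repeats the same phrase. The embedded upstream description says the defect is an overflow where size_t is 32-bit, so `# fix speed limiting on 32bit systems (size_t overflow, upstream #14272)` says what the patch actually changes; the changelog entry can use the same wording.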
@@ -1,2 +1,2 @@ -SHA512 (curl-8.9.0.tar.xz) = 922c726cfa3a73954927a32f485248d7a53a3348638a6a01add1bc0a67a7d2ee9cdb7c78b6db84bb7e2fab9d2d5487a96d9071832198b63a86d2caaef85c9310 -SHA512 (curl-8.9.0.tar.xz.asc) = 44cc7053ac0fddcb5131e7806fcd793d70bd49c5549b2548bbcbe60fdf913f450e45861ff6497b30eb00fd84483302ff9b6c3aea6b66728d6e54dd7ffc388408 +SHA512 (curl-8.9.1.tar.xz) = a0fe234402875db194aad4e4208b7e67e7ffc1562622eea90948d4b9b0122c95c3dde8bbe2f7445a687cb3de7cb09f20e5819d424570442d976aa4c913227fc7 +SHA512 (curl-8.9.1.tar.xz.asc) = 18acd58436d70900ab6912b84774da2c451b9dbfc83d6d00f85bbbe7894b67075918e58956fdb753fcc1486e4f10caa31139d7c68b037d7c83dc2e9c2fae9f9b From cc42129b020d949298d0b33be56d64c3b79cf096 Mon Sep 17 00:00:00 2001 From: voidanix Date: Mon, 5 Aug 2024 13:44:53 +0200 Subject: [PATCH 13/57] Add patch due to upstream curl-8.9.1 regression --- 0001-curl-8.9.1-sigpipe.patch | 32 ++++++++++++++++++++++++++++++++ curl.spec | 9 ++++++++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 0001-curl-8.9.1-sigpipe.patch diff --git a/0001-curl-8.9.1-sigpipe.patch b/0001-curl-8.9.1-sigpipe.patch new file mode 100644 index 0000000..f4f0346 --- /dev/null +++ b/0001-curl-8.9.1-sigpipe.patch 
@@ -0,0 +1,32 @@
+From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 5 Aug 2024 00:17:17 +0200
+Subject: [PATCH] sigpipe: init the struct so that first apply ignores
+
+Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after
+init ignores the signal (unless CURLOPT_NOSIGNAL) is set.
+
+I have read the existing code multiple times now and I think it gets the
+initial state reversed this missing to ignore.
+
+Regression from 17e6f06ea37136c36d27
+
+Reported-by: Rasmus Thomsen
+Fixes #14344
+Closes #14390
+---
+ lib/sigpipe.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/sigpipe.h b/lib/sigpipe.h
+index b91a2f51333956..d78afd905d3414 100644
+--- a/lib/sigpipe.h
++++ b/lib/sigpipe.h
+@@ -39,6 +39,7 @@ struct sigpipe_ignore {
+ static void sigpipe_init(struct sigpipe_ignore *ig)
+ {
+ memset(ig, 0, sizeof(*ig));
++ ig->no_signal = TRUE;
+ }
+
+ /*
diff --git a/curl.spec b/curl.spec
index 9ee3966..174562f 100644
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.9.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -25,6 +25,10 @@ Patch102: 0102-curl-7.84.0-test3026.patch
 # do not fail on warnings in the upstream test driver
 Patch104: 0104-curl-7.88.0-tests-warnings.patch
 
+# Fix crashes with transmission due to SIGPIPE
+# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970
+Patch001: 0001-curl-8.9.1-sigpipe.patch
+
 Provides: curl-full = %{version}-%{release}
 # do not fail when trying to install curl-minimal after drop
 Provides: curl-minimal = %{version}-%{release}
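Review bot: The comment `# Fix crashes with transmission due to SIGPIPE` above the new Patch001 line is ambiguous: read literally it is about data transmission, while the embedded upstream report (Fixes #14344) suggests an application named Transmission was the reporter's case. Describe the defect instead, e.g. `# sigpipe: init the struct so that first apply ignores (8.9.1 regression, upstream #14344)`. The Patch001 declaration is also placed below the Fedora-specific Patch10x block, whereas earlier commits on this page keep upstream backports such as Patch001 ahead of `# patch making libcurl multilib ready`; moving it there keeps the file consistent.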
@@ -404,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Aug 5 2024 voidanix - 8.9.1-2 +- Apply SIGPIPE-related patch due to upstream regression + * Wed Jul 24 2024 Jan Macku - 8.9.1-1 - new upstream release From 25bb999ab6de05c3cfe0d2fcd99ecc58da092e7b Mon Sep 17 00:00:00 2001 From: Jacek Migacz Date: Wed, 21 Aug 2024 18:04:41 +0200 Subject: [PATCH 14/57] Retire depricated ntlm-wb configure option --- curl.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 174562f..8aaa2b2 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.9.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -271,7 +271,6 @@ export common_configure_opts=" \ --disable-ldaps \ --disable-mqtt \ --disable-ntlm \ - --disable-ntlm-wb \ --disable-pop3 \ --disable-rtsp \ --disable-smb \ @@ -296,7 +295,6 @@ export common_configure_opts=" \ --enable-ldaps \ --enable-mqtt \ --enable-ntlm \ - --enable-ntlm-wb \ --enable-pop3 \ --enable-rtsp \ --enable-smb \ @@ -408,6 +406,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 +- Retire depricated ntlm-wb configure option + * Mon Aug 5 2024 voidanix - 8.9.1-2 - Apply SIGPIPE-related patch due to upstream regression From 8669cc07274c3121030e182bfdb8acd2b2973dca Mon Sep 17 00:00:00 2001 
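Review bot: Removing `--enable-ntlm-wb` from the full build leaves NTLM_WB at upstream's configure default, and if that default is "disabled" (which I believe it has been since the option was deprecated in 8.8.0) this hunk silently drops the winbind `ntlm_auth` helper from curl-full rather than merely retiring a flag; please confirm against `configure --help` for 8.9.1. If so, say it in the changelog instead of the option-cleanup wording, e.g. `- Retire deprecated ntlm-wb configure option (NTLM_WB/winbind helper support is no longer built)`. Not spawning an external helper from libcurl is a hardening win, but users authenticating through winbind will see it as a regression, so it deserves an explicit line. The `export common_configure_opts=" \` assignment this hunk edits begins and ends outside the hunk.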
From: Jan Macku Date: Wed, 11 Sep 2024 09:13:07 +0200 Subject: [PATCH 15/57] new upstream release - 8.10.0 --- 0001-curl-8.9.1-sigpipe.patch | 32 ------------------------------- 0101-curl-7.32.0-multilib.patch | 34 ++++++++++++++++----------------- curl.spec | 13 ++++++------- sources | 4 ++-- 4 files changed, 25 insertions(+), 58 deletions(-) delete mode 100644 0001-curl-8.9.1-sigpipe.patch diff --git a/0001-curl-8.9.1-sigpipe.patch b/0001-curl-8.9.1-sigpipe.patch deleted file mode 100644 index f4f0346..0000000 --- a/0001-curl-8.9.1-sigpipe.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 5 Aug 2024 00:17:17 +0200 -Subject: [PATCH] sigpipe: init the struct so that first apply ignores - -Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after -init ignores the signal (unless CURLOPT_NOSIGNAL) is set. - -I have read the existing code multiple times now and I think it gets the -initial state reversed this missing to ignore. - -Regression from 17e6f06ea37136c36d27 - -Reported-by: Rasmus Thomsen -Fixes #14344 -Closes #14390 ---- - lib/sigpipe.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/sigpipe.h b/lib/sigpipe.h -index b91a2f51333956..d78afd905d3414 100644 ---- a/lib/sigpipe.h -+++ b/lib/sigpipe.h -@@ -39,6 +39,7 @@ struct sigpipe_ignore { - static void sigpipe_init(struct sigpipe_ignore *ig) - { - memset(ig, 0, sizeof(*ig)); -+ ig->no_signal = TRUE; - } - - /* diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index f3636dc..8cada87 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From f4e7b98fb25ff737af29908f3a2081cca9a73437 Mon Sep 17 00:00:00 2001 +From da51b3d89a33fb3a1cbc5dd5faebc4ee18bbcc46 Mon Sep 17 00:00:00 2001 
From: Jan Macku -Date: Wed, 22 May 2024 13:00:08 +0200 -Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script +Date: Wed, 11 Sep 2024 09:21:25 +0200 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,19 +10,19 @@ Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 085bb1ef5..e4700260e 100644 +index 294e083..df41899 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -73,7 +73,7 @@ while test "$#" -gt 0; do +@@ -75,7 +75,7 @@ while test "$#" -gt 0; do ;; --cc) - echo '@CC@' -+ echo "gcc" ++ echo 'gcc' ;; --prefix) -@@ -153,16 +153,7 @@ while test "$#" -gt 0; do +@@ -155,16 +155,7 @@ while test "$#" -gt 0; do ;; --libs) @@ -32,25 +32,25 @@ index 085bb1ef5..e4700260e 100644 - CURLLIBDIR="" - fi - if test "X@ENABLE_SHARED@" = "Xno"; then -- echo "${CURLLIBDIR}-lcurl @LIBCURL_LIBS@" +- echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${CURLLIBDIR}-lcurl" - fi -+ echo -lcurl ++ echo '-lcurl' ;; --ssl-backends) -@@ -170,16 +161,12 @@ while test "$#" -gt 0; do +@@ -172,16 +163,12 @@ while test "$#" -gt 0; do ;; --static-libs) - if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@ - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 - fi -+ echo "curl was built with static libraries disabled" >&2 ++ echo 'curl was built with static libraries disabled' >&2 + exit 1 ;; @@ -61,10 +61,10 @@ index 085bb1ef5..e4700260e 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index d82725082..a79f816e2 100644 +index 4dfaab6..f4e847e 100644 --- a/docs/curl-config.md 
+++ b/docs/curl-config.md -@@ -86,7 +86,9 @@ no, one or several names. If more than one name, they appear comma-separated. +@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. ## --static-libs Shows the complete set of libs and other linker options you need in order to @@ -76,10 +76,10 @@ index d82725082..a79f816e2 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 9db6b0f89..dcac6925a 100644 +index 8f6f9b4..f69815c 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -31,6 +31,7 @@ libdir=@libdir@ +@@ -28,6 +28,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" @@ -88,5 +88,5 @@ index 9db6b0f89..dcac6925a 100644 Name: libcurl URL: https://curl.se/ -- -2.45.1 +2.46.0 diff --git a/curl.spec b/curl.spec index 8aaa2b2..93942f0 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.9.1 -Release: 3%{?dist} +Version: 8.10.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,10 +25,6 @@ Patch102: 0102-curl-7.84.0-test3026.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch -# Fix crashes with transmission due to SIGPIPE -# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970 -Patch001: 0001-curl-8.9.1-sigpipe.patch - Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -372,7 +368,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES +%doc CHANGES.md %doc README %doc docs/BUGS.md %doc docs/DISTROS.md 
@@ -406,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 11 2024 Jan Macku - 8.10.0-1 +- new upstream release + * Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 - Retire depricated ntlm-wb configure option diff --git a/sources b/sources index e35c435..9865b71 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.9.1.tar.xz) = a0fe234402875db194aad4e4208b7e67e7ffc1562622eea90948d4b9b0122c95c3dde8bbe2f7445a687cb3de7cb09f20e5819d424570442d976aa4c913227fc7 -SHA512 (curl-8.9.1.tar.xz.asc) = 18acd58436d70900ab6912b84774da2c451b9dbfc83d6d00f85bbbe7894b67075918e58956fdb753fcc1486e4f10caa31139d7c68b037d7c83dc2e9c2fae9f9b +SHA512 (curl-8.10.0.tar.xz) = 055277695ea242fcb0bf26ca6c4867a385cd578cd73ed4c5c4a020233248044c1ecaebcbaeaac47d3ffe07a41300ea5fc86396d7e812137cf75ed3e1b54ca5b2 +SHA512 (curl-8.10.0.tar.xz.asc) = 3d3ece14008facc373cd715d46eeb523bb17a701df3b1839f0774847692613a9472d3e7a60ba814846bbc8e8e4f17c81a1f1355e1c9eebef244b7cd00e0f6fb8 From 67e25e1742ad1cbb538297a9287901e14870ca03 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 18 Sep 2024 09:45:38 +0200 Subject: [PATCH 16/57] new upstream release - 8.10.1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 93942f0..90d611d 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.10.0 +Version: 8.10.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -402,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 18 2024 Jan Macku - 8.10.1-1 +- new upstream release + * Wed Sep 11 2024 Jan Macku - 8.10.0-1 - new upstream release diff --git a/sources b/sources index 9865b71..c221532 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (curl-8.10.0.tar.xz) = 055277695ea242fcb0bf26ca6c4867a385cd578cd73ed4c5c4a020233248044c1ecaebcbaeaac47d3ffe07a41300ea5fc86396d7e812137cf75ed3e1b54ca5b2
-SHA512 (curl-8.10.0.tar.xz.asc) = 3d3ece14008facc373cd715d46eeb523bb17a701df3b1839f0774847692613a9472d3e7a60ba814846bbc8e8e4f17c81a1f1355e1c9eebef244b7cd00e0f6fb8
+SHA512 (curl-8.10.1.tar.xz) = f1c7a12492dcfb8ba08be69b96a83ce9074592cbaa6b95c72b3c16fc58ad35e9f9deec7b72baca7d360d013b0b1c7ea38bd4edae464903ac67aa3c76238d8c6c
+SHA512 (curl-8.10.1.tar.xz.asc) = 21d6d560c027efc9e3e5db182a77501d6376442221ba910df817e2ec980bee44a9fe2afc698205f8d5e8313ae47915a341d60206a46b46e816d73ee357a894ac

From 1268eeab81c68b229828d0a19c1992f939728f11 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Tue, 24 Sep 2024 13:37:40 +0200
Subject: [PATCH 17/57] spec: use tls-ca-bundle.pem instead of ca-bundle.crt

Resolves: #2313564
---
 curl.spec | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/curl.spec b/curl.spec
index 90d611d..0cfbaa8 100644
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.10.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -251,7 +251,7 @@ export common_configure_opts=" \
 --with-gssapi \
 --with-libidn2 \
 --with-nghttp2 \
- --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
+ --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
 --with-zsh-functions-dir"
 
 %global _configure ../configure
@@ -402,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Tue Sep 24 2024 Jan Macku - 8.10.1-2
+- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564)
+
 * Wed Sep 18 2024 Jan Macku - 8.10.1-1
 - new upstream release
 
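Review bot: The new `--with-ca-bundle` value is a compile-time default that libcurl opens at runtime, so the spec must guarantee the file is present on the target system: unless it already does so outside this hunk, add `Requires: ca-certificates` to the libcurl and libcurl-minimal subpackages, because `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` is generated by update-ca-trust from that package and a TLS verification failure is the only symptom when it is missing. A one-line comment above the option would also spare the next maintainer the Bugzilla archaeology, e.g. `# tls-ca-bundle.pem is the update-ca-trust output (CAs trusted for TLS server auth, as far as I know); ca-bundle.crt is only a compatibility symlink to it`. The `common_configure_opts` assignment this hunk edits begins and ends outside the hunk.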
From d92476d332b446e871f74225c987968021a5c526 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 29 Sep 2024 16:03:18 +0200 Subject: [PATCH 18/57] Move the autoreconf invocation to %build section The %prep section is supposed to extract and possibly patch the sources. In particular, the code provided by the package should not be called here, but only in %build section. This keeps %prep quick and allows the code provided by upstream to be inspected before running it. Also drop space after the redirection operator to match the style elsewhere in the spec file. Having symmetrical whitespace around the operator makes it look like a binary operator, which it very much is not. --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 0cfbaa8..0c2163c 100644 --- a/curl.spec +++ b/curl.spec @@ -214,7 +214,7 @@ be installed. # disable test 1801 # -printf "1801\n" >> tests/data/DISABLED +printf "1801\n" >>tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -234,10 +234,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) +%build # regenerate the configure script and Makefile.in files autoreconf -fiv -%build mkdir build-{full,minimal} export common_configure_opts=" \ --cache-file=../config.cache \ From e685607ffd9adf33f28101db012be952b5196072 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 29 Sep 2024 16:10:22 +0200 Subject: [PATCH 19/57] Make curl-config arch-independent The final /usr/bin/curl-config file had a comment like "prefix=/usr # used in /usr/lib64" or "prefix=/usr # used in /usr/lib", depending on the arch. This causes the following error on upgrades from f40 for people who have both libcurl-devel.i686 and libcurl-devel.x86_64 installed: Transaction failed: Rpm transaction failed. - file /usr/bin/curl-config conflicts between attempted installs of libcurl-devel-8.9.1-2.fc41.i686 and libcurl-devel-8.9.1-2.fc41.x86_64 The comment is actually not useful at all after the variable is expanded, since it's not clear what is meant by "used in /usr/lib64". Just drop it. With this change, the packages are constinstallable again. --- curl.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/curl.spec b/curl.spec index 0c2163c..3c25207 100644 --- a/curl.spec +++ b/curl.spec @@ -234,6 +234,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) +# avoid unnecessary arch-dependent line in the processed file +sed -e '/# Used in @libdir@/d' \ + -i curl-config.in + %build # regenerate the configure script and Makefile.in files autoreconf -fiv From 44fdfebea17b606fc56b5d0656c982a7a528f366 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 6 Nov 2024 10:06:18 +0100 Subject: [PATCH 20/57] new upstream release - 8.11.0 --- .gitignore | 2 +- 0101-curl-7.32.0-multilib.patch | 20 ++++++++++---------- curl.spec | 9 +++++++-- sources | 4 ++-- 4 files changed, 20 insertions(+), 15 deletions(-) diff --git a/.gitignore b/.gitignore index cd6f067..9bb4285 100644 --- a/.gitignore +++ b/.gitignore @@ -2,5 +2,5 @@ /curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc -/curl-[0-9].[0-9].[0-9]/ +/curl-[0-9]*.[0-9]*.[0-9]*/ /*.src.rpm diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 8cada87..8f3fd08 100644 
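Review bot: The `sed -e '/# Used in @libdir@/d' -i curl-config.in` added to %prep has no failure mode: if upstream rewords or drops that comment, the expression matches nothing, the build still succeeds, and the i686/x86_64 file conflict this commit fixes quietly returns until the next upgrade report. Make the assumption explicit so the build fails instead, by preceding the sed with `grep -q '# Used in @libdir@' curl-config.in` (the `@libdir@` placeholder is literal in `curl-config.in` at this stage, so the fixed-string match is stable). The %prep section this hunk edits continues outside the hunk.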
--- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From da51b3d89a33fb3a1cbc5dd5faebc4ee18bbcc46 Mon Sep 17 00:00:00 2001 +From fa6477b901ca866a52db18a818975479f2144928 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 11 Sep 2024 09:21:25 +0200 +Date: Wed, 6 Nov 2024 13:25:10 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 294e083..df41899 100644 +index 2dc40ed..9fb1a33 100644 --- a/curl-config.in +++ b/curl-config.in @@ -75,7 +75,7 @@ while test "$#" -gt 0; do @@ -26,12 +26,12 @@ index 294e083..df41899 100644 ;; --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then - CURLLIBDIR="-L@libdir@ " - else -- CURLLIBDIR="" +- CURLLIBDIR='' - fi -- if test "X@ENABLE_SHARED@" = "Xno"; then +- if test 'X@ENABLE_SHARED@' = 'Xno'; then - echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${CURLLIBDIR}-lcurl" @@ -44,8 +44,8 @@ index 294e083..df41899 100644 ;; --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@ +- if test 'X@ENABLE_STATIC@' != 'Xno'; then +- echo "@libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 8f6f9b4..f69815c 100644 +index 4c60a7e..9fd935a 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index 8f6f9b4..f69815c 100644 Name: libcurl URL: https://curl.se/ -- -2.46.0 +2.47.0 diff --git a/curl.spec b/curl.spec index 3c25207..80243c8 100644 --- a/curl.spec 
+++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.10.1 -Release: 2%{?dist} +Version: 8.11.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -97,6 +97,7 @@ BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) +BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) BuildRequires: perl(List::Util) BuildRequires: perl(Memoize) @@ -406,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Nov 06 2024 Jan Macku - 8.11.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-9681 - HSTS subdomain overwrites parent cache entry + * Tue Sep 24 2024 Jan Macku - 8.10.1-2 - Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) diff --git a/sources b/sources index c221532..f45b6fe 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.10.1.tar.xz) = f1c7a12492dcfb8ba08be69b96a83ce9074592cbaa6b95c72b3c16fc58ad35e9f9deec7b72baca7d360d013b0b1c7ea38bd4edae464903ac67aa3c76238d8c6c -SHA512 (curl-8.10.1.tar.xz.asc) = 21d6d560c027efc9e3e5db182a77501d6376442221ba910df817e2ec980bee44a9fe2afc698205f8d5e8313ae47915a341d60206a46b46e816d73ee357a894ac +SHA512 (curl-8.11.0.tar.xz) = 3a642d421e0a5c09ecb681bea18498f2c6124e9af4d8afdc074dfb85a9b0211d8972ade9cf00ab44b5dfed9303262cd83551dd3b5e0976d11fc19da3c4a0987e +SHA512 (curl-8.11.0.tar.xz.asc) = 71073dde48e8f0013e392eb88bf70f6b8a4a4f0c955a3fb56db98e74aa10acc1004e2a0483f30be082e61b59a76fa75ae1d90545ace7c6b07bca8164078375f0 From 0e038361ddf5965bd02544323cab07570e4281f6 Mon Sep 17 00:00:00 2001 
From: Yaakov Selkowitz Date: Wed, 6 Nov 2024 13:13:17 -0500 Subject: [PATCH 21/57] Disable engine support on RHEL 10+ RHEL 10 does not provide the engine header at all. Also, restore compatibility with earlier versions which do not have a separate subpackage for the engine header. --- curl.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 80243c8..ba56d35 100644 --- a/curl.spec +++ b/curl.spec @@ -2,12 +2,12 @@ # This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 # https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine # Change the bcond to 0 to turn off ENGINE support by default -%bcond openssl_engine_support 1 +%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -52,7 +52,7 @@ BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server BuildRequires: openssl-devel -%if %{with openssl_engine_support} +%if %{with openssl_engine_support} && 0%{?fedora} >= 41 BuildRequires: openssl-devel-engine %endif BuildRequires: perl-interpreter @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 +- Disable engine support on RHEL 10+ + * Wed Nov 06 2024 Jan Macku - 8.11.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-9681 - HSTS subdomain overwrites parent cache entry From f200f97c286a92379a9a67ca6787d95a8e6e037c Mon Sep 17 00:00:00 2001 
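Review bot: The comment kept as context above the changed `%bcond` line, `# Change the bcond to 0 to turn off ENGINE support by default`, no longer describes the default, which is now computed from `%{defined fedora} || 0%{?rhel} < 10`; a reader on RHEL 10 will find engine support already off and wonder why. Suggest replacing it with `# Default: on for Fedora and RHEL < 10; off on RHEL 10+, which ships no engine header (override with --with/--without openssl_engine_support)`. The new `&& 0%{?fedora} >= 41` guard on `openssl-devel-engine` likewise deserves a one-line note that only Fedora 41+ moved the header into a separate package, since the condition alone does not say why RHEL 9 is excluded.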
From: Jan Macku Date: Wed, 11 Dec 2024 15:02:18 +0100 Subject: [PATCH 22/57] new upstream release - 8.11.1 --- 0101-curl-7.32.0-multilib.patch | 12 ++++----- 0105-curl-8.11.1-test616.patch | 48 +++++++++++++++++++++++++++++++++ curl.spec | 11 ++++++-- sources | 4 +-- 4 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 0105-curl-8.11.1-test616.patch diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 8f3fd08..aec4fda 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From fa6477b901ca866a52db18a818975479f2144928 Mon Sep 17 00:00:00 2001 +From 7efcd412447fc41bded2f9621edf0ab4701c9b14 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 6 Nov 2024 13:25:10 +0100 +Date: Wed, 11 Dec 2024 09:28:12 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 2dc40ed..9fb1a33 100644 +index e89c256..9fb1a33 100644 --- a/curl-config.in +++ b/curl-config.in @@ -75,7 +75,7 @@ while test "$#" -gt 0; do @@ -45,7 +45,7 @@ index 2dc40ed..9fb1a33 100644 --static-libs) - if test 'X@ENABLE_STATIC@' != 'Xno'; then -- echo "@libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@" +- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 4c60a7e..9fd935a 100644 +index c0ba524..f3645e1 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index 4c60a7e..9fd935a 100644 Name: libcurl URL: https://curl.se/ -- -2.47.0 +2.47.1 
diff --git a/0105-curl-8.11.1-test616.patch b/0105-curl-8.11.1-test616.patch new file mode 100644 index 0000000..91bde80 --- /dev/null +++ b/0105-curl-8.11.1-test616.patch 
@@ -0,0 +1,48 @@ +From 82baec8c7cd40361585d8793dfe4531f7aad30e3 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 11 Dec 2024 13:16:12 +0100 +Subject: [PATCH] test616: disable valgrind + +Valgrind disable was removed in upstream in https://github.com/curl/curl/commit/c91c37b6e87ceee760b7bb334c8e97e03ee93e93#diff-e01fd8774cf5b26329c7dc7dc03ec49745469205f3d501ced72c9d133455d5e7L35 +But test 616 is still failing under valgrind, so disable valgrind for this test. + +``` + valgrind ERROR ==188588== 144 bytes in 1 blocks are definitely lost in loss record 1 of 1 +==188588== at 0x484B133: calloc (vg_replace_malloc.c:1675) +==188588== by 0x4BB7575: ??? (in /usr/lib64/libssh.so.4.10.1) +==188588== by 0x4BB8CC6: sftp_fstat (in /usr/lib64/libssh.so.4.10.1) +==188588== by 0x48EEAFB: myssh_statemach_act (libssh.c:1610) +==188588== by 0x48F1B9D: myssh_multi_statemach.lto_priv.0 (libssh.c:2095) +==188588== by 0x48BA971: UnknownInlinedFun (multi.c:1643) +==188588== by 0x48BA971: UnknownInlinedFun (multi.c:2314) +==188588== by 0x48BA971: multi_runsingle (multi.c:2768) +==188588== by 0x48BCCA4: curl_multi_perform (multi.c:3016) +==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:701) +==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:796) +==188588== by 0x4884E4A: curl_easy_perform (easy.c:815) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:2902) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3127) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3249) +==188588== by 0x10C12B: main (tool_main.c:271) +==188588== +``` +--- + tests/data/test616 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/data/test616 b/tests/data/test616 +index f76c68a..0ebc734 100644 +--- a/tests/data/test616 ++++ b/tests/data/test616 +@@ -32,5 +32,8 @@ SFTP retrieval of empty file + # + # Verify data after the test has been "shot" + ++ ++disable ++ + + +-- +2.47.1 + diff --git a/curl.spec b/curl.spec index ba56d35..9b1c4c8 100644 --- a/curl.spec 
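Review bot: Disabling valgrind for the whole of test 616 to paper over a leak inside libssh's `sftp_fstat()` also switches off leak detection for libcurl's own SFTP path in that test, so a future leak in `myssh_statemach_act()` would go unnoticed. A narrower fix is a valgrind suppression for the libssh frames (the upstream test harness accepts a suppressions file, if I remember it right), or at minimum the patch header should cite the libssh bug or fixed version so this downstream patch has a defined removal point. The header line `+But test 616 is still failing under valgrind, so disable valgrind for this test.` would then read `But test 616 still leaks under valgrind inside libssh (sftp_fstat); disable valgrind until libssh <version> with <bug URL> is in the buildroot.`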
+++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.11.0 -Release: 2%{?dist} +Version: 8.11.1 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,9 @@ Patch102: 0102-curl-7.84.0-test3026.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch +# test616: disable valgrind +Patch105: 0105-curl-8.11.1-test616.patch + Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -407,6 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 11 2024 Jan Macku - 8.11.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-11053 - netrc and redirect credential leak + * Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 - Disable engine support on RHEL 10+ diff --git a/sources b/sources index f45b6fe..91c8f05 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.11.0.tar.xz) = 3a642d421e0a5c09ecb681bea18498f2c6124e9af4d8afdc074dfb85a9b0211d8972ade9cf00ab44b5dfed9303262cd83551dd3b5e0976d11fc19da3c4a0987e -SHA512 (curl-8.11.0.tar.xz.asc) = 71073dde48e8f0013e392eb88bf70f6b8a4a4f0c955a3fb56db98e74aa10acc1004e2a0483f30be082e61b59a76fa75ae1d90545ace7c6b07bca8164078375f0 +SHA512 (curl-8.11.1.tar.xz) = 7c7c47a49505575b610c56b455f0919ea5082a993bf5483eeb258ead167aadb87078d626b343b417dcfc5439c53556425c8fb4fe3b01b53a87b47c01686a3e57 +SHA512 (curl-8.11.1.tar.xz.asc) = c09bedb67e83fb8ca3ad73c5bd0d92fed7fc2c26dbe5a71cccb193fd151c7219713241a9fe74baefcd1d008cfafba78142bf04cec24dd4a88d67179184d35824 From 60dca4fc329daf8e5799357a68fe1ff41cffb13a Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Sun, 15 Dec 2024 12:05:17 +0000 Subject: [PATCH 23/57] Add rpmlintrc --- curl.rpmlintrc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 curl.rpmlintrc diff --git a/curl.rpmlintrc b/curl.rpmlintrc new file mode 100644 index 0000000..022a98e --- /dev/null +++ b/curl.rpmlintrc @@ -0,0 +1,15 @@ +# Intentional stuff we're not concerned about +addFilter("unversioned-explicit-provides webclient") +addFilter("package-with-huge-docs") +addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4") + +# This is just plain wrong (%_configure redefinition) +addFilter("configure-without-libdir-spec") + +# Technical term +addFilter("E: spelling-error \('kerberos',") + +# Artefacts of RemovePathPostfixes: .minimal +addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal") +#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal") +#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal") From 348d650b12c9787af9669f6a985f57cf3ccdc18c Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 15 Dec 2024 12:06:23 +0000 Subject: [PATCH 24/57] Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) - https://github.com/curl/curl/issues/15725 - https://github.com/curl/curl/pull/15727 --- 0001-curl-8.11.1-eventfd.patch | 31 +++++++++++++++++++++++++++++++ curl.spec | 15 +++++++++++++-- 2 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 0001-curl-8.11.1-eventfd.patch diff --git a/0001-curl-8.11.1-eventfd.patch b/0001-curl-8.11.1-eventfd.patch new file mode 100644 index 0000000..3960452 --- /dev/null +++ b/0001-curl-8.11.1-eventfd.patch 
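Review bot: `addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")` silences a security lint under the heading "Intentional stuff we're not concerned about" without recording why it is a false positive, which is exactly the kind of filter that outlives its justification. The warning fires because libcurl links an OpenSSL cipher-list setter; it is benign only if libcurl leaves the OpenSSL default (and thus the system crypto policy) alone unless an application sets `CURLOPT_SSL_CIPHER_LIST`, so state that: `# libcurl only calls SSL_CTX_set_cipher_list() when the application asks via CURLOPT_SSL_CIPHER_LIST; the default follows the system crypto policy (re-verify in lib/vtls/openssl.c on rebase)`. The two commented-out `addFilter` lines at the bottom are dead configuration and should be either enabled or removed with a note on what made them unnecessary.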
@@ -0,0 +1,31 @@ +From 17c06b1ed19147d9e641ad5bcd672e8bce451b46 Mon Sep 17 00:00:00 2001 +From: Andy Pan +Date: Thu, 12 Dec 2024 12:48:56 +0000 +Subject: [PATCH] async-thread: avoid closing eventfd twice + +When employing eventfd for socketpair, there is only one file +descriptor. Closing that fd twice might result in fd corruption. +Thus, we should avoid closing the eventfd twice, following the +pattern in lib/multi.c. + +Fixes #15725 +--- + lib/asyn-thread.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c +index a58e4b790494ab..32d496b107cb0a 100644 +--- a/lib/asyn-thread.c ++++ b/lib/asyn-thread.c +@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) + * close one end of the socket pair (may be done in resolver thread); + * the other end (for reading) is always closed in the parent thread. + */ ++#ifndef USE_EVENTFD + if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { + wakeup_close(tsd->sock_pair[1]); + } ++#endif + #endif + memset(tsd, 0, sizeof(*tsd)); + } diff --git a/curl.spec b/curl.spec index 9b1c4c8..beca484 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,6 +16,12 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Fix crash with Unexpected error 9 on netlink descriptor 10 +# https://bugzilla.redhat.com/show_bug.cgi?id=2332350 +# https://github.com/curl/curl/issues/15725 +# https://github.com/curl/curl/pull/15727 +Patch1: 0001-curl-8.11.1-eventfd.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
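Review bot: The comment kept as context above the new `#ifndef USE_EVENTFD` block still says the write end may be closed here and the read end "is always closed in the parent thread", which no longer tells the whole story: with eventfd there is a single descriptor, so after this change `destroy_thread_sync_data()` never closes it and ownership rests entirely with the parent. Extend the comment so the next reader does not "fix" the asymmetry back: `/* with eventfd both sock_pair[] entries are the same fd; it is closed once, by the parent thread, so skip it here to avoid a double close (#15725) */`. Where the parent performs that close is outside this hunk, so check the caller before wording it as a guarantee; `destroy_thread_sync_data()` itself starts before the hunk.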
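Review bot: The new tag is `Patch1:` while the earlier backport in this series used `Patch001:` and the downstream patches use `Patch1xx:`; pick one zero-padding convention so the application order is obvious at a glance (numeric order governs if the spec uses `%autosetup`/`%autopatch`, but the file should read that way too). The comment block gives the Bugzilla, issue and PR links but not the upstream commit that the patch file's own `From` line identifies as `17c06b1ed19147d9e641ad5bcd672e8bce451b46`; adding `# https://github.com/curl/curl/commit/17c06b1ed19147d9e641ad5bcd672e8bce451b46` (as the sigpipe backport did) makes it mechanical to check whether the next rebase already contains the fix.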
@@ -410,6 +416,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Sun Dec 15 2024 Paul Howarth - 8.11.1-2 +- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) + - https://github.com/curl/curl/issues/15725 + - https://github.com/curl/curl/pull/15727 + * Wed Dec 11 2024 Jan Macku - 8.11.1-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-11053 - netrc and redirect credential leak @@ -431,7 +442,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la - new upstream release * Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 -- Retire depricated ntlm-wb configure option +- Retire deprecated ntlm-wb configure option * Mon Aug 5 2024 voidanix - 8.9.1-2 - Apply SIGPIPE-related patch due to upstream regression From 84d98cb3c36ac812ecac40f056283c94a3be0f03 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 15:05:19 +0000 Subject: [PATCH 25/57] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index beca484..ef932e9 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -416,6 +416,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Sun Dec 15 2024 Paul Howarth - 8.11.1-2 - Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) - https://github.com/curl/curl/issues/15725 From dbdb66e32ef7a74430edc9f27487a980b933f36b Mon Sep 17 00:00:00 2001 
From: Jan Macku Date: Fri, 31 Jan 2025 15:01:32 +0100 Subject: [PATCH 26/57] TLS: check connection for SSL use, not handler Resolves: #2324130 --- ...k-connection-for-SSL-use-not-handler.patch | 227 ++++++++++++++++++ curl.spec | 8 +- 2 files changed, 234 insertions(+), 1 deletion(-) create mode 100644 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch diff --git a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch new file mode 100644 index 0000000..9000c48 --- /dev/null +++ b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch 
@@ -0,0 +1,227 @@ +From b876aeb3f5d5c6539102f0575c0ec1d116388337 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 17 Jan 2025 11:57:00 +0100 +Subject: [PATCH] TLS: check connection for SSL use, not handler + +Protocol handler option PROTOPT_SSL is used to setup a connection +filters. Once that is done, used `Curl_conn_is_ssl()` to check if +a connection uses SSL. + +There may be other reasons to add SSL to a connection, e.g. starttls. + +Closes #16034 + +(cherry picked from commit 25b445e4796bcbf9f842de686a8c384b30f6c2a2) +--- + lib/cf-socket.c | 2 +- + lib/ftp.c | 2 +- + lib/http.c | 8 ++++---- + lib/http_negotiate.c | 3 ++- + lib/imap.c | 2 +- + lib/ldap.c | 3 ++- + lib/openldap.c | 2 +- + lib/pop3.c | 2 +- + lib/smb.c | 2 +- + lib/smtp.c | 2 +- + lib/url.c | 12 ++++++------ + 11 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/lib/cf-socket.c b/lib/cf-socket.c +index 497a3b965..de0c8a3ba 100644 +--- a/lib/cf-socket.c ++++ b/lib/cf-socket.c +@@ -1282,7 +1282,7 @@ static int do_connect(struct Curl_cfilter *cf, struct Curl_easy *data, + + rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); + #elif defined(MSG_FASTOPEN) /* old Linux */ +- if(cf->conn->given->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(cf->conn, cf->sockindex)) + rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); + else + rc = 0; /* Do nothing */ +diff --git a/lib/ftp.c b/lib/ftp.c +index 16ab0af0d..5137ddca4 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -3154,7 +3154,7 @@ static CURLcode ftp_connect(struct Curl_easy *data, + + PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp); + +- if(conn->handler->flags & PROTOPT_SSL) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + /* BLOCKING */ + result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); + if(result) +diff --git a/lib/http.c b/lib/http.c +index 35e708551..8e9f0a52e 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2526,7 +2526,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) 
+ goto fail; + } + +- if(!(conn->handler->flags&PROTOPT_SSL) && ++ if(!Curl_conn_is_ssl(conn, FIRSTSOCKET) && + conn->httpversion < 20 && + (data->state.httpwant == CURL_HTTP_VERSION_2)) { + /* append HTTP2 upgrade magic stuff to the HTTP request if it is not done +@@ -2672,7 +2672,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, + case 'A': + #ifndef CURL_DISABLE_ALTSVC + v = (data->asi && +- ((data->conn->handler->flags & PROTOPT_SSL) || ++ (Curl_conn_is_ssl(data->conn, FIRSTSOCKET) || + #ifdef DEBUGBUILD + /* allow debug builds to circumvent the HTTPS restriction */ + getenv("CURL_ALTSVC_HTTP") +@@ -2938,7 +2938,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, + #ifndef CURL_DISABLE_HSTS + /* If enabled, the header is incoming and this is over HTTPS */ + v = (data->hsts && +- ((conn->handler->flags & PROTOPT_SSL) || ++ (Curl_conn_is_ssl(conn, FIRSTSOCKET) || + #ifdef DEBUGBUILD + /* allow debug builds to circumvent the HTTPS restriction */ + getenv("CURL_HSTS_HTTP") +@@ -4160,7 +4160,7 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers, + infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme); + } + else { +- scheme = (data->conn && data->conn->handler->flags & PROTOPT_SSL) ? ++ scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ? 
+ "https" : "http"; + } + } +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index 5d76bddf7..f031d0abc 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -27,6 +27,7 @@ + #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) + + #include "urldata.h" ++#include "cfilters.h" + #include "sendf.h" + #include "http_negotiate.h" + #include "vauth/vauth.h" +@@ -109,7 +110,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, + #endif + /* Check if the connection is using SSL and get the channel binding data */ + #if defined(USE_SSL) && defined(HAVE_GSSAPI) +- if(conn->handler->flags & PROTOPT_SSL) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); + result = Curl_ssl_get_channel_binding( + data, FIRSTSOCKET, &neg_ctx->channel_binding_data); +diff --git a/lib/imap.c b/lib/imap.c +index e424cdb05..df9dc343b 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1390,7 +1390,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct imap_conn *imapc = &conn->proto.imapc; + +- if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !imapc->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + imapc->ssldone = ssldone; +diff --git a/lib/ldap.c b/lib/ldap.c +index 2cbdb9c21..7dd40acef 100644 +--- a/lib/ldap.c ++++ b/lib/ldap.c +@@ -78,6 +78,7 @@ + + #include "urldata.h" + #include ++#include "cfilters.h" + #include "sendf.h" + #include "escape.h" + #include "progress.h" +@@ -346,7 +347,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + } + + /* Get the URL scheme (either ldap or ldaps) */ +- if(conn->given->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) + ldap_ssl = 1; + infof(data, "LDAP local: trying to establish %s connection", + ldap_ssl ? 
"encrypted" : "cleartext"); +diff --git a/lib/openldap.c b/lib/openldap.c +index 8c4af22be..9676ad3d0 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -571,7 +571,7 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done) + ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + + #ifdef USE_SSL +- if(conn->handler->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) + return oldap_ssl_connect(data, OLDAP_SSL); + + if(data->set.use_ssl) { +diff --git a/lib/pop3.c b/lib/pop3.c +index db6ec04c7..83dd64cda 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -1110,7 +1110,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct pop3_conn *pop3c = &conn->proto.pop3c; + +- if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !pop3c->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + pop3c->ssldone = ssldone; +diff --git a/lib/smb.c b/lib/smb.c +index a72ece62a..a2c82df5e 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -840,7 +840,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done) + + if(smbc->state == SMB_CONNECTING) { + #ifdef USE_SSL +- if((conn->handler->flags & PROTOPT_SSL)) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + bool ssl_done = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done); + if(result && result != CURLE_AGAIN) +diff --git a/lib/smtp.c b/lib/smtp.c +index d854d364f..c7fb0a4ca 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1286,7 +1286,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct smtp_conn *smtpc = &conn->proto.smtpc; + +- if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !smtpc->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, 
FALSE, &ssldone); + smtpc->ssldone = ssldone; +diff --git a/lib/url.c b/lib/url.c +index 436edd891..de200e1dd 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -958,12 +958,12 @@ static bool url_match_conn(struct connectdata *conn, void *userdata) + return FALSE; + #endif + +- if((needle->handler->flags&PROTOPT_SSL) != +- (conn->handler->flags&PROTOPT_SSL)) +- /* do not do mixed SSL and non-SSL connections */ +- if(get_protocol_family(conn->handler) != +- needle->handler->protocol || !conn->bits.tls_upgraded) +- /* except protocols that have been upgraded via TLS */ ++ if((!(needle->handler->flags&PROTOPT_SSL) != ++ !Curl_conn_is_ssl(conn, FIRSTSOCKET)) && ++ !(get_protocol_family(conn->handler) == needle->handler->protocol && ++ conn->bits.tls_upgraded)) ++ /* Deny `conn` if it is not fit for `needle`'s SSL needs, ++ * UNLESS `conn` is the same protocol family and was upgraded to SSL. */ + return FALSE; + + #ifndef CURL_DISABLE_PROXY +-- +2.48.1 + diff --git a/curl.spec b/curl.spec index ef932e9..c21fec2 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 3%{?dist} +Release: 4%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -22,6 +22,9 @@ Source2: mykey.asc # https://github.com/curl/curl/pull/15727 Patch1: 0001-curl-8.11.1-eventfd.patch +# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2324130#c7 +Patch2: 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
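Review bot: In the lib/http.c hunk for Curl_http_req_to_h2 carried by this new patch file, the rewritten line `scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ?` drops the `data->conn &&` guard the removed line had, so the call now receives a possibly NULL connection. That is only safe if Curl_conn_is_ssl() itself tolerates NULL, which nothing in the patch shows; either confirm it against lib/cfilters.c in the 8.11.1 tree the patch is applied to, or keep the guard: `scheme = (data->conn && Curl_conn_is_ssl(data->conn, FIRSTSOCKET)) ?`. The lib/url.c hunk is the security-relevant part of the backport: url_match_conn now compares the requested handler's PROTOPT_SSL against the candidate connection's actual TLS state rather than its handler flags, so a pooled connection upgraded via STARTTLS is treated as TLS while the same-family upgraded exception is preserved, and a comment stating that intent survives in the new code. Every function touched by these hunks starts and ends outside the quoted context.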
@@ -416,6 +419,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jan 31 2025 Jan Macku - 8.11.1-4 +- TLS: check connection for SSL use, not handler (#2324130#c7) + * Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 057c9e09f00a022d8b5e065164a7d77d2d67e669 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 5 Feb 2025 09:44:27 +0100 Subject: [PATCH 27/57] new upstream release - 8.12.0 --- 0001-curl-8.11.1-eventfd.patch | 31 --- ...k-connection-for-SSL-use-not-handler.patch | 227 ------------------ 0101-curl-7.32.0-multilib.patch | 28 +-- 0102-curl-7.84.0-test3026.patch | 8 +- 0104-curl-7.88.0-tests-warnings.patch | 30 --- curl.spec | 23 +- sources | 4 +- 7 files changed, 29 insertions(+), 322 deletions(-) delete mode 100644 0001-curl-8.11.1-eventfd.patch delete mode 100644 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch delete mode 100644 0104-curl-7.88.0-tests-warnings.patch diff --git a/0001-curl-8.11.1-eventfd.patch b/0001-curl-8.11.1-eventfd.patch deleted file mode 100644 index 3960452..0000000 --- a/0001-curl-8.11.1-eventfd.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 17c06b1ed19147d9e641ad5bcd672e8bce451b46 Mon Sep 17 00:00:00 2001 -From: Andy Pan -Date: Thu, 12 Dec 2024 12:48:56 +0000 -Subject: [PATCH] async-thread: avoid closing eventfd twice - -When employing eventfd for socketpair, there is only one file -descriptor. Closing that fd twice might result in fd corruption. -Thus, we should avoid closing the eventfd twice, following the -pattern in lib/multi.c. - -Fixes #15725 ---- - lib/asyn-thread.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c -index a58e4b790494ab..32d496b107cb0a 100644 ---- a/lib/asyn-thread.c -+++ b/lib/asyn-thread.c -@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) - * close one end of the socket pair (may be done in resolver thread); - * the other end (for reading) is always closed in the parent thread. - */ -+#ifndef USE_EVENTFD - if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { - wakeup_close(tsd->sock_pair[1]); - } -+#endif - #endif - memset(tsd, 0, sizeof(*tsd)); - } diff --git a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch deleted file mode 100644 index 9000c48..0000000 --- a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch +++ /dev/null 
@@ -1,227 +0,0 @@ -From b876aeb3f5d5c6539102f0575c0ec1d116388337 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Fri, 17 Jan 2025 11:57:00 +0100 -Subject: [PATCH] TLS: check connection for SSL use, not handler - -Protocol handler option PROTOPT_SSL is used to setup a connection -filters. Once that is done, used `Curl_conn_is_ssl()` to check if -a connection uses SSL. - -There may be other reasons to add SSL to a connection, e.g. starttls. - -Closes #16034 - -(cherry picked from commit 25b445e4796bcbf9f842de686a8c384b30f6c2a2) ---- - lib/cf-socket.c | 2 +- - lib/ftp.c | 2 +- - lib/http.c | 8 ++++---- - lib/http_negotiate.c | 3 ++- - lib/imap.c | 2 +- - lib/ldap.c | 3 ++- - lib/openldap.c | 2 +- - lib/pop3.c | 2 +- - lib/smb.c | 2 +- - lib/smtp.c | 2 +- - lib/url.c | 12 ++++++------ - 11 files changed, 21 insertions(+), 19 deletions(-) - -diff --git a/lib/cf-socket.c b/lib/cf-socket.c -index 497a3b965..de0c8a3ba 100644 ---- a/lib/cf-socket.c -+++ b/lib/cf-socket.c -@@ -1282,7 +1282,7 @@ static int do_connect(struct Curl_cfilter *cf, struct Curl_easy *data, - - rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); - #elif defined(MSG_FASTOPEN) /* old Linux */ -- if(cf->conn->given->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(cf->conn, cf->sockindex)) - rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); - else - rc = 0; /* Do nothing */ -diff --git a/lib/ftp.c b/lib/ftp.c -index 16ab0af0d..5137ddca4 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -3154,7 +3154,7 @@ static CURLcode ftp_connect(struct Curl_easy *data, - - PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp); - -- if(conn->handler->flags & PROTOPT_SSL) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - /* BLOCKING */ - result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); - if(result) -diff --git a/lib/http.c b/lib/http.c -index 35e708551..8e9f0a52e 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -2526,7 +2526,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) 
- goto fail; - } - -- if(!(conn->handler->flags&PROTOPT_SSL) && -+ if(!Curl_conn_is_ssl(conn, FIRSTSOCKET) && - conn->httpversion < 20 && - (data->state.httpwant == CURL_HTTP_VERSION_2)) { - /* append HTTP2 upgrade magic stuff to the HTTP request if it is not done -@@ -2672,7 +2672,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, - case 'A': - #ifndef CURL_DISABLE_ALTSVC - v = (data->asi && -- ((data->conn->handler->flags & PROTOPT_SSL) || -+ (Curl_conn_is_ssl(data->conn, FIRSTSOCKET) || - #ifdef DEBUGBUILD - /* allow debug builds to circumvent the HTTPS restriction */ - getenv("CURL_ALTSVC_HTTP") -@@ -2938,7 +2938,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, - #ifndef CURL_DISABLE_HSTS - /* If enabled, the header is incoming and this is over HTTPS */ - v = (data->hsts && -- ((conn->handler->flags & PROTOPT_SSL) || -+ (Curl_conn_is_ssl(conn, FIRSTSOCKET) || - #ifdef DEBUGBUILD - /* allow debug builds to circumvent the HTTPS restriction */ - getenv("CURL_HSTS_HTTP") -@@ -4160,7 +4160,7 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers, - infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme); - } - else { -- scheme = (data->conn && data->conn->handler->flags & PROTOPT_SSL) ? -+ scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ? 
- "https" : "http"; - } - } -diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c -index 5d76bddf7..f031d0abc 100644 ---- a/lib/http_negotiate.c -+++ b/lib/http_negotiate.c -@@ -27,6 +27,7 @@ - #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) - - #include "urldata.h" -+#include "cfilters.h" - #include "sendf.h" - #include "http_negotiate.h" - #include "vauth/vauth.h" -@@ -109,7 +110,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, - #endif - /* Check if the connection is using SSL and get the channel binding data */ - #if defined(USE_SSL) && defined(HAVE_GSSAPI) -- if(conn->handler->flags & PROTOPT_SSL) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); - result = Curl_ssl_get_channel_binding( - data, FIRSTSOCKET, &neg_ctx->channel_binding_data); -diff --git a/lib/imap.c b/lib/imap.c -index e424cdb05..df9dc343b 100644 ---- a/lib/imap.c -+++ b/lib/imap.c -@@ -1390,7 +1390,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct imap_conn *imapc = &conn->proto.imapc; - -- if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !imapc->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); - imapc->ssldone = ssldone; -diff --git a/lib/ldap.c b/lib/ldap.c -index 2cbdb9c21..7dd40acef 100644 ---- a/lib/ldap.c -+++ b/lib/ldap.c -@@ -78,6 +78,7 @@ - - #include "urldata.h" - #include -+#include "cfilters.h" - #include "sendf.h" - #include "escape.h" - #include "progress.h" -@@ -346,7 +347,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) - } - - /* Get the URL scheme (either ldap or ldaps) */ -- if(conn->given->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) - ldap_ssl = 1; - infof(data, "LDAP local: trying to establish %s connection", - ldap_ssl ? 
"encrypted" : "cleartext"); -diff --git a/lib/openldap.c b/lib/openldap.c -index 8c4af22be..9676ad3d0 100644 ---- a/lib/openldap.c -+++ b/lib/openldap.c -@@ -571,7 +571,7 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done) - ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); - - #ifdef USE_SSL -- if(conn->handler->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) - return oldap_ssl_connect(data, OLDAP_SSL); - - if(data->set.use_ssl) { -diff --git a/lib/pop3.c b/lib/pop3.c -index db6ec04c7..83dd64cda 100644 ---- a/lib/pop3.c -+++ b/lib/pop3.c -@@ -1110,7 +1110,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct pop3_conn *pop3c = &conn->proto.pop3c; - -- if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !pop3c->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); - pop3c->ssldone = ssldone; -diff --git a/lib/smb.c b/lib/smb.c -index a72ece62a..a2c82df5e 100644 ---- a/lib/smb.c -+++ b/lib/smb.c -@@ -840,7 +840,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done) - - if(smbc->state == SMB_CONNECTING) { - #ifdef USE_SSL -- if((conn->handler->flags & PROTOPT_SSL)) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - bool ssl_done = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done); - if(result && result != CURLE_AGAIN) -diff --git a/lib/smtp.c b/lib/smtp.c -index d854d364f..c7fb0a4ca 100644 ---- a/lib/smtp.c -+++ b/lib/smtp.c -@@ -1286,7 +1286,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct smtp_conn *smtpc = &conn->proto.smtpc; - -- if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !smtpc->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, 
FALSE, &ssldone); - smtpc->ssldone = ssldone; -diff --git a/lib/url.c b/lib/url.c -index 436edd891..de200e1dd 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -958,12 +958,12 @@ static bool url_match_conn(struct connectdata *conn, void *userdata) - return FALSE; - #endif - -- if((needle->handler->flags&PROTOPT_SSL) != -- (conn->handler->flags&PROTOPT_SSL)) -- /* do not do mixed SSL and non-SSL connections */ -- if(get_protocol_family(conn->handler) != -- needle->handler->protocol || !conn->bits.tls_upgraded) -- /* except protocols that have been upgraded via TLS */ -+ if((!(needle->handler->flags&PROTOPT_SSL) != -+ !Curl_conn_is_ssl(conn, FIRSTSOCKET)) && -+ !(get_protocol_family(conn->handler) == needle->handler->protocol && -+ conn->bits.tls_upgraded)) -+ /* Deny `conn` if it is not fit for `needle`'s SSL needs, -+ * UNLESS `conn` is the same protocol family and was upgraded to SSL. */ - return FALSE; - - #ifndef CURL_DISABLE_PROXY --- -2.48.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index aec4fda..13a9a54 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From 7efcd412447fc41bded2f9621edf0ab4701c9b14 Mon Sep 17 00:00:00 2001 +From c96b08867e8593b32cec0f3971f10adfcaf2276e Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 11 Dec 2024 09:28:12 +0100 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +Date: Wed, 5 Feb 2025 09:31:04 +0100 +Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,10 +10,10 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index e89c256..9fb1a33 100644 +index 55184167b..324e0b740 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -75,7 +75,7 @@ while test "$#" -gt 0; do +@@ -74,7 +74,7 @@ while test "$#" -gt 0; do ;; --cc) 
@@ -22,25 +22,25 @@ index e89c256..9fb1a33 100644 ;; --prefix) -@@ -155,16 +155,7 @@ while test "$#" -gt 0; do +@@ -149,16 +149,7 @@ while test "$#" -gt 0; do ;; --libs) - if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then -- CURLLIBDIR="-L@libdir@ " +- curllibdir="-L@libdir@ " - else -- CURLLIBDIR='' +- curllibdir='' - fi - if test 'X@ENABLE_SHARED@' = 'Xno'; then -- echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" +- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else -- echo "${CURLLIBDIR}-lcurl" +- echo "${curllibdir}-lcurl" - fi + echo '-lcurl' ;; --ssl-backends) -@@ -172,16 +163,12 @@ while test "$#" -gt 0; do +@@ -166,16 +157,12 @@ while test "$#" -gt 0; do ;; --static-libs) @@ -61,7 +61,7 @@ index e89c256..9fb1a33 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index 4dfaab6..f4e847e 100644 +index b1fcf33dc..b15feec8e 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba524..f3645e1 100644 +index c0ba5244a..f3645e174 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644 Name: libcurl URL: https://curl.se/ -- -2.47.1 +2.48.1 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 82f4642..6c45cc8 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -1,6 +1,6 @@ -From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001 +From 6460e292e664b03fb550ce70e9a8cdf86ad0ef57 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 22 May 2024 13:03:43 +0200 +Date: Wed, 5 Feb 2025 09:34:28 +0100 Subject: [PATCH 2/2] test3026: disable valgrind It fails on x86_64 with: @@ -52,7 +52,7 @@ index ee9b30678..dd582c3e5 100644 
diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 7e914010e..39374f5bc 100644 +index 61c70eb3b..79302fcf7 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c @@ -145,8 +145,8 @@ CURLcode test(char *URL) @@ -67,5 +67,5 @@ index 7e914010e..39374f5bc 100644 test_failure = (CURLcode)-1; goto cleanup; -- -2.45.1 +2.48.1 diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch deleted file mode 100644 index 0977dee..0000000 --- a/0104-curl-7.88.0-tests-warnings.patch +++ /dev/null @@ -1,30 +0,0 @@ -From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 24 Jul 2024 15:15:11 +0200 -Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" - -While it might be useful for upstream developers, it is not so useful -for downstream consumers. - -This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. ---- - tests/runtests.pl | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index 9cc9ef1..c9a1c5d 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -57,8 +57,7 @@ - # given, this won't be a problem. - - use strict; --# Promote all warnings to fatal --use warnings FATAL => 'all'; -+use warnings; - use 5.006; - use POSIX qw(strftime); - --- -2.45.2 - diff --git a/curl.spec b/curl.spec index c21fec2..186b566 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.11.1 -Release: 4%{?dist} +Version: 8.12.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc 
@@ -16,24 +16,12 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Fix crash with Unexpected error 9 on netlink descriptor 10 -# https://bugzilla.redhat.com/show_bug.cgi?id=2332350 -# https://github.com/curl/curl/issues/15725 -# https://github.com/curl/curl/pull/15727 -Patch1: 0001-curl-8.11.1-eventfd.patch - -# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2324130#c7 -Patch2: 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch -# do not fail on warnings in the upstream test driver -Patch104: 0104-curl-7.88.0-tests-warnings.patch - # test616: disable valgrind Patch105: 0105-curl-8.11.1-test616.patch @@ -419,6 +407,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 05 2025 Jan Macku - 8.12.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-0725 - gzip integer overflow + CVE-2025-0665 - eventfd double close + CVE-2025-0167 - netrc and default credential leak +- drop upstreamed patches + * Fri Jan 31 2025 Jan Macku - 8.11.1-4 - TLS: check connection for SSL use, not handler (#2324130#c7) diff --git a/sources b/sources index 91c8f05..01ad1a6 100644 --- a/sources +++ b/sources 
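Review bot: The removal of `Patch104: 0104-curl-7.88.0-tests-warnings.patch` in the curl.spec hunk `@@ -16,24 +16,12 @@` is not covered by the changelog line `- drop upstreamed patches`: that patch was a downstream revert of an upstream commit that made runtests.pl warnings fatal, so dropping it re-enables fatal warnings in the package's test run unless 8.12.0 itself changed runtests.pl, which this diff does not show. Either confirm upstream now matches and say so, or give it its own changelog line, e.g. `- drop 0104 tests-warnings revert, no longer needed with the 8.12.0 test driver`. The Patch1 and Patch2 drops are consistent with the CVE-2025-0665 eventfd entry and the TLS backport presumably being included in the new release, but that inference rests on the changelog text rather than anything visible here.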
@@ -1,2 +1,2 @@ -SHA512 (curl-8.11.1.tar.xz) = 7c7c47a49505575b610c56b455f0919ea5082a993bf5483eeb258ead167aadb87078d626b343b417dcfc5439c53556425c8fb4fe3b01b53a87b47c01686a3e57 -SHA512 (curl-8.11.1.tar.xz.asc) = c09bedb67e83fb8ca3ad73c5bd0d92fed7fc2c26dbe5a71cccb193fd151c7219713241a9fe74baefcd1d008cfafba78142bf04cec24dd4a88d67179184d35824 +SHA512 (curl-8.12.0.tar.xz) = ed35f0020541050ce387f4ba80f9e87562ececd99082da1bae85840dee81c49b86a4a55909e15fcbf4eb116106a796c29a9b2678dee11326f80db75992c6edc5 +SHA512 (curl-8.12.0.tar.xz.asc) = 8526554ffb2187b48b6a4c6a0d4a8c73d484ef3ce4c3791add0e759baf953ac7ae0b2f88d688365b1f09c5745198611fa1761aa14d02ddf52823c4ff238779cd From 9c7fc53ab273793fba55aef94b81682065923b4f Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Feb 2025 08:28:44 +0100 Subject: [PATCH 28/57] new upstream release - 8.12.1 --- curl.spec | 2 +- sources | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 186b566..c7f23e3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.12.0 +Version: 8.12.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz diff --git a/sources b/sources index 01ad1a6..acd884b 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.12.0.tar.xz) = ed35f0020541050ce387f4ba80f9e87562ececd99082da1bae85840dee81c49b86a4a55909e15fcbf4eb116106a796c29a9b2678dee11326f80db75992c6edc5 -SHA512 (curl-8.12.0.tar.xz.asc) = 8526554ffb2187b48b6a4c6a0d4a8c73d484ef3ce4c3791add0e759baf953ac7ae0b2f88d688365b1f09c5745198611fa1761aa14d02ddf52823c4ff238779cd +SHA512 (curl-8.12.1.tar.xz) = 88915468fa1bb7256e3dd6c9d058ada6894faa1e3e7800c7d9bfee3e8be4081ae57e7f2bf260c5342b709499fc4302ddc2d7864e25bfa3300fa07f118a3de603 +SHA512 (curl-8.12.1.tar.xz.asc) = 41fc5582935090d13940d86974fdea3ea901dd5dab156c16029a87f811d2535172c59dc8dc366f2ffc37bcf85accbecb5aa765bc7b83c2991a3ef402bf25af69 From 3ce21a370c4a3523ee3affbaea685b8c8e6c2cdf Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 10 Mar 2025 14:27:02 +0100 Subject: [PATCH 29/57] new upstream release - 8.13.0~rc1 --- ...test1022-add-support-for-rc-releases.patch | 44 +++++++++++++++++++ 0101-curl-7.32.0-multilib.patch | 16 +++---- curl.spec | 16 ++++--- sources | 4 +- 4 files changed, 65 insertions(+), 15 deletions(-) create mode 100644 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch diff --git a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch new file mode 100644 index 0000000..789aa0e --- /dev/null +++ b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch 
@@ -0,0 +1,44 @@ +From 3c1a88fdf72e9e43f289d121318fc31536964e66 Mon Sep 17 00:00:00 2001 +From: Samuel Henrique +Date: Sat, 8 Mar 2025 12:47:21 +0000 +Subject: [PATCH] test1022: add support for rc releases + + Fix the following test failure: + curl-config: illegal value + +Closes #16626 +--- + tests/libtest/test1022.pl | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tests/libtest/test1022.pl b/tests/libtest/test1022.pl +index 583b8f8562c0..5c5c02070ff7 100755 +--- a/tests/libtest/test1022.pl ++++ b/tests/libtest/test1022.pl +@@ -35,7 +35,7 @@ + open(CURL, "$ARGV[1]") || die "Can't open curl --version list in $ARGV[1]\n"; + $_ = ; + chomp; +-/libcurl\/([\.\d]+((-DEV)|(-\d+))?)/; ++/libcurl\/([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)/; + my $version = $1; + close CURL; + +@@ -47,7 +47,7 @@ + chomp; + my $filever=$_; + if ( $what eq "version" ) { +- if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-\d+))?)$/) { ++ if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)$/) { + $curlconfigversion = $1; + } + else { +@@ -63,7 +63,7 @@ + $curlconfigversion = "illegal value"; + } + +- # Strip off the -DEV from the curl version if it's there ++ # Strip off the -DEV and -rc suffixes from the curl version if they're there + $version =~ s/-\w*$//; + } + close CURLCONFIG; diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 13a9a54..e7b2a32 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From c96b08867e8593b32cec0f3971f10adfcaf2276e Mon Sep 17 00:00:00 2001 +From 495c771a6f9be008b783c5f59285d30fdc15fd63 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 5 Feb 2025 09:31:04 +0100 -Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script +Date: Mon, 10 Mar 2025 14:23:59 +0100 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ 
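Review bot: The new alternative `(-rc\d)` in both regexes of tests/libtest/test1022.pl inside this patch accepts only a single digit after `-rc`, so a tenth release candidate (`-rc10`) would fall back into the `illegal value` branch the patch is fixing; `(-rc\d+)` covers that at no cost. The later `$version =~ s/-\w*$//;` already strips any such suffix, so only the two match patterns need widening. The surrounding Perl script starts and ends outside the quoted hunks.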
@@ -10,7 +10,7 @@ Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 55184167b..324e0b740 100644 +index 5518416..324e0b7 100644 --- a/curl-config.in +++ b/curl-config.in @@ -74,7 +74,7 @@ while test "$#" -gt 0; do @@ -61,11 +61,11 @@ index 55184167b..324e0b740 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index b1fcf33dc..b15feec8e 100644 +index 12ad245..fa0e03d 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. - ## --static-libs + ## `--static-libs` Shows the complete set of libs and other linker options you need in order to -link your application with libcurl statically. (Added in 7.17.1) @@ -73,10 +73,10 @@ index b1fcf33dc..b15feec8e 100644 +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - ## --version + ## `--version` diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba5244a..f3645e174 100644 +index c0ba524..f3645e1 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ diff --git a/curl.spec b/curl.spec index c7f23e3..80a56c3 100644 --- a/curl.spec +++ b/curl.spec 
@@ -6,18 +6,21 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.12.1
+Version: 8.13.0~rc1
 Release: 1%{?dist}
 License: curl
-Source0: https://curl.se/download/%{name}-%{version}.tar.xz
-Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
+Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
+Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
 # The curl download page ( https://curl.se/download.html ) links
 # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key,
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
+# Test 1022 add support for rc releases
+Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch
+
 # patch making libcurl multilib ready
-Patch101: 0101-curl-7.32.0-multilib.patch
+# Patch101: 0101-curl-7.32.0-multilib.patch
 # test3026: disable valgrind
 Patch102: 0102-curl-7.84.0-test3026.patch
@@ -211,7 +214,7 @@ be installed.
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup -p1
+%autosetup -n %{name}-%{version_no_tilde} -p1
 # disable test 1801
 #
@@ -407,6 +410,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1
+- new upstream release candidate
+
 * Wed Feb 05 2025 Jan Macku - 8.12.0-1
 - new upstream release, which fixes the following vulnerabilities
 CVE-2025-0725 - gzip integer overflow
diff --git a/sources b/sources
index acd884b..fd8d757 100644
--- a/sources
+++ b/sources
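Review bot: The first hunk silently disables the multilib patch (`# Patch101: 0101-curl-7.32.0-multilib.patch`) while the new changelog entry in the last hunk says only `- new upstream release candidate`, so the fact that the rc1 build no longer carries the multilib changes is invisible in the package history. Add a line such as `- temporarily disable 0101-curl-7.32.0-multilib.patch` (with the reason, if it failed to apply on the rebase) to the 8.13.0~rc1-1 entry, or leave a comment next to the commented-out `Patch101` saying why it is off. The `Source0`/`Source1`/`%autosetup -n` switch to `%{version_no_tilde}` presumably relies on that macro being defined by the target rpm; a one-line comment above `Source0` stating that dependency would help whoever backports this spec.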
@@ -1,2 +1,2 @@
-SHA512 (curl-8.12.1.tar.xz) = 88915468fa1bb7256e3dd6c9d058ada6894faa1e3e7800c7d9bfee3e8be4081ae57e7f2bf260c5342b709499fc4302ddc2d7864e25bfa3300fa07f118a3de603
-SHA512 (curl-8.12.1.tar.xz.asc) = 41fc5582935090d13940d86974fdea3ea901dd5dab156c16029a87f811d2535172c59dc8dc366f2ffc37bcf85accbecb5aa765bc7b83c2991a3ef402bf25af69
+SHA512 (curl-8.13.0-rc1.tar.xz) = 6890dae4abf9c9d4017c28ea8ced84ef457aa911574b261af97b81ab1631e04deef188928d015a19c861d8dd319a23d9a7725d93046fc07a39694c5dc445562e
+SHA512 (curl-8.13.0-rc1.tar.xz.asc) = aeb6f5abcf1bd19d836ae688bebd0193c673060ed74afa7c5b63c2a0ecf7eaf00a223110cd7aa77d19183e8ba757bd0b8fb481e279cf1141c4b459f92604a740
From 5e5bbeb413edc79263a785e0ba467df9cb9c093c Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Thu, 13 Mar 2025 09:30:38 +0100
Subject: [PATCH 30/57] fix --cert parameter
Resolves: #2351531
---
 ...3.0~rc1-fix--cert-parameter-clearing.patch | 60 +++++++++++++++++++
 curl.spec | 8 ++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch
diff --git a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch
new file mode 100644
index 0000000..e08a349
--- /dev/null
+++ b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch
@@ -0,0 +1,60 @@
+From 886569e2db200c31073895a2626d20e0712e5207 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Wed, 12 Mar 2025 14:42:19 +0100
+Subject: [PATCH] curl: fix --cert parameter clearing
+
+Blank the argument *after* it has been copied.
+
+Reported-by: Jan Macku
+Fixes #16686
+Closes #16688
+---
+ src/tool_getparam.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 9f227abbfdb5..e5272de74feb 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -2481,8 +2481,8 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ }
+ break;
+ case C_CERT: /* --cert */
+- cleanarg(clearthis);
+ GetFileAndPassword(nextarg, &config->cert, &config->key_passwd);
++ cleanarg(clearthis);
+ break;
+ case C_CACERT: /* --cacert */
+ err = getstr(&config->cacert, nextarg, DENY_BLANK);
+@@ -2601,18 +2601,18 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ config->tcp_fastopen = TRUE;
+ break;
+ case C_PROXY_TLSUSER: /* --proxy-tlsuser */
+- cleanarg(clearthis);
+ if(!feature_tls_srp)
+ err = PARAM_LIBCURL_DOESNT_SUPPORT;
+ else
+ err = getstr(&config->proxy_tls_username, nextarg, ALLOW_BLANK);
++ cleanarg(clearthis);
+ break;
+ case C_PROXY_TLSPASSWORD: /* --proxy-tlspassword */
+- cleanarg(clearthis);
+ if(!feature_tls_srp)
+ err = PARAM_LIBCURL_DOESNT_SUPPORT;
+ else
+ err = getstr(&config->proxy_tls_password, nextarg, DENY_BLANK);
++ cleanarg(clearthis);
+ break;
+ case C_PROXY_TLSAUTHTYPE: /* --proxy-tlsauthtype */
+ if(!feature_tls_srp)
+@@ -2624,9 +2624,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ }
+ break;
+ case C_PROXY_CERT: /* --proxy-cert */
+- cleanarg(clearthis);
+ GetFileAndPassword(nextarg, &config->proxy_cert,
+ &config->proxy_key_passwd);
++ cleanarg(clearthis);
+ break;
+ case C_PROXY_CERT_TYPE: /* --proxy-cert-type */
+ err = getstr(&config->proxy_cert_type, nextarg, DENY_BLANK);
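Review bot: Each moved `cleanarg(clearthis);` now runs only after `GetFileAndPassword()` or `getstr()` has consumed `nextarg`, which is the whole fix, but nothing in the code records that the order is load-bearing, so a later tidy-up could hoist the call back to the top of the case and silently reintroduce the blanked-before-copy bug. Add a short comment above each moved call, e.g. `/* blank the argv slot only after the value has been copied */`, so the dependency survives the next refactor. In the two SRP cases the blanking still happens when `feature_tls_srp` is false and `err` is set, which keeps the secret-hiding behaviour independent of the error path; worth a sentence in the same comment. `getparameter` begins and ends outside these hunks, and that the helpers copy rather than alias `nextarg` is taken from the commit message, not visible here.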
diff --git a/curl.spec b/curl.spec
index 80a56c3..c7f41cc 100644
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.13.0~rc1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
@@ -19,6 +19,9 @@ Source2: mykey.asc
 # Test 1022 add support for rc releases
 Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch
+# Fix --cert parameter (#2351531)
+Patch002: 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch
+
 # patch making libcurl multilib ready
 # Patch101: 0101-curl-7.32.0-multilib.patch
@@ -410,6 +413,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2
+- fix --cert parameter (#2351531)
+
 * Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1
 - new upstream release candidate
From 4fcaa6c40447770a0df7ce914dd5ce90bf67a27c Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Tue, 18 Mar 2025 09:23:12 +0100
Subject: [PATCH 31/57] new upstream release - 8.13.0~rc2
---
 ...test1022-add-support-for-rc-releases.patch | 44 --------------
 ...3.0~rc1-fix--cert-parameter-clearing.patch | 60 -------------------
 curl.spec | 13 ++--
 sources | 4 +-
 4 files changed, 7 insertions(+), 114 deletions(-)
 delete mode 100644 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch
 delete mode 100644 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch
diff --git a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch
deleted file mode 100644
index 789aa0e..0000000
--- a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 3c1a88fdf72e9e43f289d121318fc31536964e66 Mon Sep 17 00:00:00 2001
-From: Samuel Henrique
-Date: Sat, 8 Mar 2025 12:47:21 +0000
-Subject: [PATCH] test1022: add support for rc releases
-
- Fix the following test failure:
- curl-config: illegal value
-
-Closes #16626
----
- tests/libtest/test1022.pl | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tests/libtest/test1022.pl b/tests/libtest/test1022.pl
-index 583b8f8562c0..5c5c02070ff7 100755
---- a/tests/libtest/test1022.pl
-+++ b/tests/libtest/test1022.pl
-@@ -35,7 +35,7 @@
- open(CURL, "$ARGV[1]") || die "Can't open curl --version list in $ARGV[1]\n";
- $_ = ;
- chomp;
--/libcurl\/([\.\d]+((-DEV)|(-\d+))?)/;
-+/libcurl\/([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)/;
- my $version = $1;
- close CURL;
-
-@@ -47,7 +47,7 @@
- chomp;
- my $filever=$_;
- if ( $what eq "version" ) {
-- if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-\d+))?)$/) {
-+ if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)$/) {
- $curlconfigversion = $1;
- }
- else {
-@@ -63,7 +63,7 @@
- $curlconfigversion = "illegal value";
- }
-
-- # Strip off the -DEV from the curl version if it's there
-+ # Strip off the -DEV and -rc suffixes from the curl version if they're there
- $version =~ s/-\w*$//;
- }
- close CURLCONFIG;
diff --git a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch
deleted file mode 100644
index e08a349..0000000
--- a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 886569e2db200c31073895a2626d20e0712e5207 Mon Sep 17 00:00:00 2001
-From: Stefan Eissing
-Date: Wed, 12 Mar 2025 14:42:19 +0100
-Subject: [PATCH] curl: fix --cert parameter clearing
-
-Blank the argument *after* it has been copied.
-
-Reported-by: Jan Macku
-Fixes #16686
-Closes #16688
----
- src/tool_getparam.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/tool_getparam.c b/src/tool_getparam.c
-index 9f227abbfdb5..e5272de74feb 100644
---- a/src/tool_getparam.c
-+++ b/src/tool_getparam.c
-@@ -2481,8 +2481,8 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
- }
- break;
- case C_CERT: /* --cert */
-- cleanarg(clearthis);
- GetFileAndPassword(nextarg, &config->cert, &config->key_passwd);
-+ cleanarg(clearthis);
- break;
- case C_CACERT: /* --cacert */
- err = getstr(&config->cacert, nextarg, DENY_BLANK);
-@@ -2601,18 +2601,18 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
- config->tcp_fastopen = TRUE;
- break;
- case C_PROXY_TLSUSER: /* --proxy-tlsuser */
-- cleanarg(clearthis);
- if(!feature_tls_srp)
- err = PARAM_LIBCURL_DOESNT_SUPPORT;
- else
- err = getstr(&config->proxy_tls_username, nextarg, ALLOW_BLANK);
-+ cleanarg(clearthis);
- break;
- case C_PROXY_TLSPASSWORD: /* --proxy-tlspassword */
-- cleanarg(clearthis);
- if(!feature_tls_srp)
- err = PARAM_LIBCURL_DOESNT_SUPPORT;
- else
- err = getstr(&config->proxy_tls_password, nextarg, DENY_BLANK);
-+ cleanarg(clearthis);
- break;
- case C_PROXY_TLSAUTHTYPE: /* --proxy-tlsauthtype */
- if(!feature_tls_srp)
-@@ -2624,9 +2624,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
- }
- break;
- case C_PROXY_CERT: /* --proxy-cert */
-- cleanarg(clearthis);
- GetFileAndPassword(nextarg, &config->proxy_cert,
- &config->proxy_key_passwd);
-+ cleanarg(clearthis);
- break;
- case C_PROXY_CERT_TYPE: /* --proxy-cert-type */
- err = getstr(&config->proxy_cert_type, nextarg, DENY_BLANK);
diff --git a/curl.spec b/curl.spec
index c7f41cc..4e2d4ac 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.13.0~rc1
-Release: 2%{?dist}
+Version: 8.13.0~rc2
+Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
@@ -16,12 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
-# Test 1022 add support for rc releases
-Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch
-
-# Fix --cert parameter (#2351531)
-Patch002: 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch
-
 # patch making libcurl multilib ready
 # Patch101: 0101-curl-7.32.0-multilib.patch
@@ -413,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1
+- new upstream release candidate
+
 * Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2
 - fix --cert parameter (#2351531)
diff --git a/sources b/sources
index fd8d757..d2c4139 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.13.0-rc1.tar.xz) = 6890dae4abf9c9d4017c28ea8ced84ef457aa911574b261af97b81ab1631e04deef188928d015a19c861d8dd319a23d9a7725d93046fc07a39694c5dc445562e
-SHA512 (curl-8.13.0-rc1.tar.xz.asc) = aeb6f5abcf1bd19d836ae688bebd0193c673060ed74afa7c5b63c2a0ecf7eaf00a223110cd7aa77d19183e8ba757bd0b8fb481e279cf1141c4b459f92604a740
+SHA512 (curl-8.13.0-rc2.tar.xz) = 299b41b5bf52b29f5064f68cd7d8d1e95d8b8f8b36fb80fb67ed2b342123f1fc87a543754cbee8c49c83a8e73daca89cb132a76c795d7fa4d9231c6bf281a9e0
+SHA512 (curl-8.13.0-rc2.tar.xz.asc) = 8149ff96d25b41b0a9418929bbdbb0675267457e7999bd98012289fb74af96f96e66bc9319024f37ef478a965ef233827d832e153db867f2cb6cd140954a4b3e
From 95664fdd301c40c2d1a6d93b2a9d858a3c430e14 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Wed, 26 Mar 2025 10:11:44 +0100
Subject: [PATCH 32/57] new upstream release - 8.13.0~rc3
---
 0102-curl-7.84.0-test3026.patch | 71 ---------------------------------
 curl.spec | 11 ++---
 sources | 4 +-
 3 files changed, 8 insertions(+), 78 deletions(-)
 delete mode 100644 0102-curl-7.84.0-test3026.patch
diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch
deleted file mode 100644
index 6c45cc8..0000000
--- a/0102-curl-7.84.0-test3026.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 6460e292e664b03fb550ce70e9a8cdf86ad0ef57 Mon Sep 17 00:00:00 2001
-From: Jan Macku
-Date: Wed, 5 Feb 2025 09:34:28 +0100
-Subject: [PATCH 2/2] test3026: disable valgrind
-
-It fails on x86_64 with:
-```
- Use --max-threads=INT to specify a larger number of threads
- and rerun valgrind
- valgrind: the 'impossible' happened:
- Max number of threads is too low
- host stacktrace:
- ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
- ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
- ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
- ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
- ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
- ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
- ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
- ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
- ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
- ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
- sched status:
- running_tid=1
- Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357)
- ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6)
- ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6)
- ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6)
- ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6)
- ==174357== by 0x1093B5: test.part.0 (lib3026.c:64)
- ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6)
- client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998
- valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576
-[...]
-```
----
- tests/data/test3026 | 3 +++
- tests/libtest/lib3026.c | 4 ++--
- 2 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/tests/data/test3026 b/tests/data/test3026
-index ee9b30678..dd582c3e5 100644
---- a/tests/data/test3026
-+++ b/tests/data/test3026
-@@ -41,5 +41,8 @@ none
-
- 0
-
-+
-+disable
-+
-
-
-diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c
-index 61c70eb3b..79302fcf7 100644
---- a/tests/libtest/lib3026.c
-+++ b/tests/libtest/lib3026.c
-@@ -145,8 +145,8 @@ CURLcode test(char *URL)
- results[i] = CURL_LAST; /* initialize with invalid value */
- res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
- if(res) {
-- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n",
-- __FILE__, __LINE__, res);
-+ fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n",
-+ __FILE__, __LINE__, i, res);
- tid_count = i;
- test_failure = (CURLcode)-1;
- goto cleanup;
---
-2.48.1
-
diff --git a/curl.spec b/curl.spec
index 4e2d4ac..279a92f 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.13.0~rc2
+Version: 8.13.0~rc3
 Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
@@ -17,10 +17,7 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
 Source2: mykey.asc
 # patch making libcurl multilib ready
-# Patch101: 0101-curl-7.32.0-multilib.patch
-
-# test3026: disable valgrind
-Patch102: 0102-curl-7.84.0-test3026.patch
+Patch101: 0101-curl-7.32.0-multilib.patch
 # test616: disable valgrind
 Patch105: 0105-curl-8.11.1-test616.patch
@@ -407,6 +404,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1
+- new upstream release candidate
+- drop: 0102-curl-7.84.0-test3026.patch (no longer needed)
+
 * Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1
 - new upstream release candidate
diff --git a/sources b/sources
index d2c4139..168aaff 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.13.0-rc2.tar.xz) = 299b41b5bf52b29f5064f68cd7d8d1e95d8b8f8b36fb80fb67ed2b342123f1fc87a543754cbee8c49c83a8e73daca89cb132a76c795d7fa4d9231c6bf281a9e0
-SHA512 (curl-8.13.0-rc2.tar.xz.asc) = 8149ff96d25b41b0a9418929bbdbb0675267457e7999bd98012289fb74af96f96e66bc9319024f37ef478a965ef233827d832e153db867f2cb6cd140954a4b3e
+SHA512 (curl-8.13.0-rc3.tar.xz) = 72c0e0b8b0bc9117ab911b97bab6b1502d877f5a72a34091b68e48c046e45dfd188f24f270c0200f4df3f1a70933ada00f3a73a0aa078ec2b125fa5a9294d33f
+SHA512 (curl-8.13.0-rc3.tar.xz.asc) = a2d94a898824fabc1c4834f9e5719fb65311d0f218f6170e80fe1a04c6f842f9fbf589d281767ab916f668ff7087bb318b819a1fb26790640df136f335ff3b99
From 4d98bbf51edd9f631e7e91abc79fd94b1e44e097 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Wed, 2 Apr 2025 11:17:10 +0200
Subject: [PATCH 33/57] new upstream release - 8.13.0
---
 curl.spec | 7 ++++++-
 sources | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/curl.spec b/curl.spec
index 279a92f..e265266 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.13.0~rc3
+Version: 8.13.0
 Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
@@ -48,6 +48,7 @@ BuildRequires: make
 BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
+BuildRequires: openssl
 BuildRequires: openssl-devel
 %if %{with openssl_engine_support} && 0%{?fedora} >= 41
 BuildRequires: openssl-devel-engine
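Review bot: The 8.13.0~rc3-1 changelog entry records dropping `0102-curl-7.84.0-test3026.patch` but says nothing about the preceding hunk of the same file section (`@@ -17,10 +17,7 @@`), which turns `# Patch101: 0101-curl-7.32.0-multilib.patch` back into an active `Patch101:` after it was commented out in 8.13.0~rc1-1. Re-enabling the multilib patch changes what `curl-config` and `libcurl.pc` ship, so it deserves its own line, e.g. `- re-enable 0101-curl-7.32.0-multilib.patch`, next to the drop line. Without it the rc1 → rc3 history reads as if the multilib changes were never off.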
@@ -404,6 +405,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Wed Apr 02 2025 Jan Macku - 8.13.0-1
+- new upstream release
+- add build time dependency on openssl (required by tests)
+
 * Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1
 - new upstream release candidate
 - drop: 0102-curl-7.84.0-test3026.patch (no longer needed)
diff --git a/sources b/sources
index 168aaff..92367a0 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.13.0-rc3.tar.xz) = 72c0e0b8b0bc9117ab911b97bab6b1502d877f5a72a34091b68e48c046e45dfd188f24f270c0200f4df3f1a70933ada00f3a73a0aa078ec2b125fa5a9294d33f
-SHA512 (curl-8.13.0-rc3.tar.xz.asc) = a2d94a898824fabc1c4834f9e5719fb65311d0f218f6170e80fe1a04c6f842f9fbf589d281767ab916f668ff7087bb318b819a1fb26790640df136f335ff3b99
+SHA512 (curl-8.13.0.tar.xz) = d266e460f162ee455b56726e5b7247b2d1aa5265ae12081513fc0c5c79e785a594097bc71d505dc9bcd2c2f6f1ff6f4bab9dbd9d120bb76d06c5be8521a8ca7d
+SHA512 (curl-8.13.0.tar.xz.asc) = 07f79c7fd7c305c96e10a5f52797254aed7d2a1f3577c8626b8d617855ceb82634ac6787bfa0b7130a4ed72c3a9945d3c9ba5b7be54df8bafa07ded1c62ef2be
From ece940a64912f74d92fd403675eef80f9b357e68 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Fri, 2 May 2025 09:36:02 +0200
Subject: [PATCH 34/57] new upstream release - 8.14.0~rc1
---
 curl.spec | 8 +++++++-
 sources | 4 ++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/curl.spec b/curl.spec
index e265266..1e416a3 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.13.0
+Version: 8.14.0~rc1
 Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
@@ -381,6 +381,8 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %doc docs/TheArtOfHttpScripting.md
 %{_bindir}/curl
 %{_mandir}/man1/curl.1*
+%{_bindir}/wcurl
+%{_mandir}/man1/wcurl.1*
 %{_datadir}/zsh
 %files -n libcurl
@@ -405,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1
+- new upstream release candidate
+- new utility: wcurl which lets you download URLs without having to remember any parameters
+
 * Wed Apr 02 2025 Jan Macku - 8.13.0-1
 - new upstream release
 - add build time dependency on openssl (required by tests)
diff --git a/sources b/sources
index 92367a0..769013c 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.13.0.tar.xz) = d266e460f162ee455b56726e5b7247b2d1aa5265ae12081513fc0c5c79e785a594097bc71d505dc9bcd2c2f6f1ff6f4bab9dbd9d120bb76d06c5be8521a8ca7d
-SHA512 (curl-8.13.0.tar.xz.asc) = 07f79c7fd7c305c96e10a5f52797254aed7d2a1f3577c8626b8d617855ceb82634ac6787bfa0b7130a4ed72c3a9945d3c9ba5b7be54df8bafa07ded1c62ef2be
+SHA512 (curl-8.14.0-rc1.tar.xz) = e9bd9e5c95580ee04171de937ff852c30b4606ef28a0250c1fdd231d7155089d3591e0dbed1f10280c9868b66329c1c9badf9a0e15e3e2721ab103627e92caa3
+SHA512 (curl-8.14.0-rc1.tar.xz.asc) = f02e0fd84bffcbe31fa6ccdba41729be86404241c177087500d4d992278d217ea55d73a9bc260b601ddeef70738e45b799a2bd49c68db05adfe8c127434f5708
From b8ae67753af119081cacdecf02e2180ad85e1b17 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Wed, 28 May 2025 12:59:33 +0200
Subject: [PATCH 35/57] new upstream release - 8.14.0
---
 ...8.14.0-multi-fix-add_handle-resizing.patch | 209 ++++++++++++++++++
 curl.spec | 11 +-
 sources | 4 +-
 3 files changed, 221 insertions(+), 3 deletions(-)
 create mode 100644 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch
diff --git a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch
new file mode 100644
index 0000000..4b7e58a
--- /dev/null
+++ b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch
@@ -0,0 +1,209 @@
+From d16ccbd55de80c271fe822f4ba8b6271fd9166ff Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Wed, 28 May 2025 14:04:31 +0200
+Subject: [PATCH] multi: fix add_handle resizing
+
+Due to someone being stupid, the resizing of the multi's transfer
+table was actually shrinking it. Oh my.
+
+Add test751 to reproduce, add code assertion.
+
+Fixes #17473
+Reported-by: Jeroen Ooms
+Closes #17475
+---
+ lib/multi.c | 3 +-
+ tests/data/Makefile.am | 2 +-
+ tests/data/test751 | 33 ++++++++++++++
+ tests/libtest/Makefile.inc | 4 ++
+ tests/libtest/lib751.c | 92 ++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 132 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test751
+ create mode 100644 tests/libtest/lib751.c
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 792b30515d8b..b744e03ae52f 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -347,7 +347,8 @@ static CURLMcode multi_xfers_add(struct Curl_multi *multi,
+ if(unused <= min_unused) {
+ /* make it a 64 multiple, since our bitsets frow by that and
+ * small (easy_multi) grows to at least 64 on first resize. */
+- unsigned int newsize = ((capacity + min_unused) + 63) / 64;
++ unsigned int newsize = (((capacity + min_unused) + 63) / 64) * 64;
++ DEBUGASSERT(newsize > capacity);
+ /* Grow the bitsets first. Should one fail, we do not need
+ * to downsize the already resized ones.
The sets continue
+ * to work properly when larger than the table, but not
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index e8f9e12be71e..16bb57db8e69 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+ test718 test719 test720 test721 test722 test723 test724 test725 test726 \
+ test727 test728 test729 test730 test731 test732 test733 test734 test735 \
+ test736 test737 test738 test739 test740 test741 test742 test743 test744 \
+-test745 test746 test747 test748 test749 test750 \
++test745 test746 test747 test748 test749 test750 test751 \
+ \
+ test780 test781 test782 test783 test784 test785 test786 test787 test788 \
+ test789 test790 test791 \
+diff --git a/tests/data/test751 b/tests/data/test751
+new file mode 100644
+index 000000000000..ffc6df512f83
+--- /dev/null
++++ b/tests/data/test751
+@@ -0,0 +1,33 @@
++
++
++
++MULTI
++
++
++
++
++
++
++
++# Client-side
++
++
++none
++
++# tool is what to use instead of 'curl'
++
++lib%TESTNUMBER
++
++
++
++multi - add many easy handles
++
++
++
++
++
++
++# Verify data after the test has been "shot"
++
++
++
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index faf7eacdf6af..002e7ab5470d 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -50,6 +50,7 @@ LIBTESTPROGS = libauthretry libntlmconnect libprereq \
+ lib659 lib661 lib666 lib667 lib668 \
+ lib670 lib671 lib672 lib673 lib674 lib676 lib677 lib678 lib694 lib695 \
+ lib696 \
++ lib751 \
+ lib1156 \
+ lib1301 \
+ lib1308 \
+@@ -349,6 +350,9 @@ lib695_SOURCES = lib695.c $(SUPPORTFILES)
+ lib696_SOURCES = lib556.c $(SUPPORTFILES) $(WARNLESS)
+ lib696_CPPFLAGS = $(AM_CPPFLAGS) -DLIB696
+
++lib751_SOURCES = lib751.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
++lib751_LDADD = $(TESTUTIL_LIBS)
++
+ lib1301_SOURCES = lib1301.c $(SUPPORTFILES) $(TESTUTIL)
+ lib1301_LDADD = $(TESTUTIL_LIBS)
+
+diff --git
a/tests/libtest/lib751.c b/tests/libtest/lib751.c
+new file mode 100644
+index 000000000000..ab2f923b959d
+--- /dev/null
++++ b/tests/libtest/lib751.c
+@@ -0,0 +1,92 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++#include "test.h"
++
++#include "testutil.h"
++#include "warnless.h"
++#include "memdebug.h"
++
++#define TEST_HANG_TIMEOUT 60 * 1000
++
++/*
++ * Get a single URL without select().
++ */
++
++CURLcode test(char *URL)
++{
++ CURL *easies[1000];
++ CURLM *m;
++ CURLcode res = CURLE_FAILED_INIT;
++ CURLMcode mres;
++ int i;
++
++ (void)URL;
++ memset(easies, 0, sizeof(easies));
++
++ curl_global_init(CURL_GLOBAL_DEFAULT);
++ m = curl_multi_init();
++ if(!m) {
++ res = CURLE_OUT_OF_MEMORY;
++ goto test_cleanup;
++ }
++
++ for(i = 0; i < 1000; i++) {
++ CURL *e = curl_easy_init();
++ if(!e) {
++ res = CURLE_OUT_OF_MEMORY;
++ goto test_cleanup;
++ }
++ easies[i] = e;
++
++ res = curl_easy_setopt(e, CURLOPT_URL, "https://www.example.com/");
++ if(!res)
++ res = curl_easy_setopt(e, CURLOPT_VERBOSE, 1L);
++ if(res)
++ goto test_cleanup;
++
++ mres = curl_multi_add_handle(m, e);
++ if(mres != CURLM_OK) {
++ printf("MULTI ERROR: %s\n", curl_multi_strerror(mres));
++ res = CURLE_FAILED_INIT;
++ goto test_cleanup;
++ }
++ }
++
++test_cleanup:
++
++ if(res)
++ printf("ERROR: %s\n", curl_easy_strerror(res));
++
++ for(i = 0; i < 1000; i++) {
++ if(easies[i]) {
++ curl_multi_add_handle(m, easies[i]);
++ curl_easy_cleanup(easies[i]);
++ easies[i] = NULL;
++ }
++ }
++ curl_multi_cleanup(m);
++ curl_global_cleanup();
++
++ return res;
++}
diff --git a/curl.spec b/curl.spec
index 1e416a3..555fe8e 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.14.0~rc1
+Version: 8.14.0
 Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
@@ -16,6 +16,9 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
+# Fix 8.14.0 regression: https://github.com/curl/curl/issues/17473
+Patch001: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
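Review bot: In the `test_cleanup` loop of the new `tests/libtest/lib751.c`, `curl_multi_add_handle(m, easies[i]);` re-adds each easy handle to the multi immediately before `curl_easy_cleanup(easies[i]);`, which is the opposite of what teardown needs; the intended call is `curl_multi_remove_handle(m, easies[i]);` so the handle is detached before it is freed and `curl_multi_cleanup(m)` does not see dangling easies. The path where `curl_multi_init()` fails is safe despite `m` being NULL there, because the `memset` leaves every `easies[i]` NULL and the loop body is skipped. The file header comment `Get a single URL without select().` is copied from another test and does not describe this one; the test751 description `multi - add many easy handles` would, and `TEST_HANG_TIMEOUT` is defined but unused by the visible code. The `lib/multi.c` hunk in the same patch looks right: rounding `newsize` up to a multiple of 64 makes it strictly larger than `capacity`, which the new `DEBUGASSERT` documents for debug builds.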
@@ -407,6 +410,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Wed May 28 2025 Jan Macku - 8.14.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2025-5025 - No QUIC certificate pinning with wolfSSL
+ CVE-2025-4947 - QUIC certificate check skip with wolfSSL
+- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles
+
 * Fri May 02 2025 Jan Macku - 8.14.0~rc1-1
 - new upstream release candidate
 - new utility: wcurl which lets you download URLs without having to remember any parameters
diff --git a/sources b/sources
index 769013c..c4de0f0 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.14.0-rc1.tar.xz) = e9bd9e5c95580ee04171de937ff852c30b4606ef28a0250c1fdd231d7155089d3591e0dbed1f10280c9868b66329c1c9badf9a0e15e3e2721ab103627e92caa3
-SHA512 (curl-8.14.0-rc1.tar.xz.asc) = f02e0fd84bffcbe31fa6ccdba41729be86404241c177087500d4d992278d217ea55d73a9bc260b601ddeef70738e45b799a2bd49c68db05adfe8c127434f5708
+SHA512 (curl-8.14.0.tar.xz) = d9f49cac0b93dbc53879713cc017392b4277d84b489bbf2ef3b585c6a50eea6c3a7b80043286b34062af04329560f2dc321f315b0038ce93435aa9bbcaec1eea
+SHA512 (curl-8.14.0.tar.xz.asc) = 7c147ddb5e141dd9951e2ef6b23fa120318c0e631fb36861b80fce61b4b19ca08273a6b95627f46a8172945fb51bd790ffc74dee0a4b0de860dad518963b4710
From 8077eb733b4ff6f66c2887694a5034b54550df73 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Wed, 4 Jun 2025 12:59:43 +0200
Subject: [PATCH 36/57] new upstream release - 8.14.1
---
 ...8.14.0-multi-fix-add_handle-resizing.patch | 209 ------------------
 curl.spec | 9 +-
 sources | 4 +-
 3 files changed, 7 insertions(+), 215 deletions(-)
 delete mode 100644 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch
diff --git a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch
deleted file mode 100644
index 4b7e58a..0000000
--- a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch
+++ /dev/null
@@ -1,209 +0,0 @@ -From d16ccbd55de80c271fe822f4ba8b6271fd9166ff Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 28 May 2025 14:04:31 +0200 -Subject: [PATCH] multi: fix add_handle resizing - -Due to someone being stupid, the resizing of the multi's transfer -table was actually shrinking it. Oh my. - -Add test751 to reproduce, add code assertion. - -Fixes #17473 -Reported-by: Jeroen Ooms -Closes #17475 ---- - lib/multi.c | 3 +- - tests/data/Makefile.am | 2 +- - tests/data/test751 | 33 ++++++++++++++ - tests/libtest/Makefile.inc | 4 ++ - tests/libtest/lib751.c | 92 ++++++++++++++++++++++++++++++++++++++ - 5 files changed, 132 insertions(+), 2 deletions(-) - create mode 100644 tests/data/test751 - create mode 100644 tests/libtest/lib751.c - -diff --git a/lib/multi.c b/lib/multi.c -index 792b30515d8b..b744e03ae52f 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -347,7 +347,8 @@ static CURLMcode multi_xfers_add(struct Curl_multi *multi, - if(unused <= min_unused) { - /* make it a 64 multiple, since our bitsets frow by that and - * small (easy_multi) grows to at least 64 on first resize. */ -- unsigned int newsize = ((capacity + min_unused) + 63) / 64; -+ unsigned int newsize = (((capacity + min_unused) + 63) / 64) * 64; -+ DEBUGASSERT(newsize > capacity); - /* Grow the bitsets first. Should one fail, we do not need - * to downsize the already resized ones. 
The sets continue - * to work properly when larger than the table, but not -diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am -index e8f9e12be71e..16bb57db8e69 100644 ---- a/tests/data/Makefile.am -+++ b/tests/data/Makefile.am -@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \ - test718 test719 test720 test721 test722 test723 test724 test725 test726 \ - test727 test728 test729 test730 test731 test732 test733 test734 test735 \ - test736 test737 test738 test739 test740 test741 test742 test743 test744 \ --test745 test746 test747 test748 test749 test750 \ -+test745 test746 test747 test748 test749 test750 test751 \ - \ - test780 test781 test782 test783 test784 test785 test786 test787 test788 \ - test789 test790 test791 \ -diff --git a/tests/data/test751 b/tests/data/test751 -new file mode 100644 -index 000000000000..ffc6df512f83 ---- /dev/null -+++ b/tests/data/test751 -@@ -0,0 +1,33 @@ -+ -+ -+ -+MULTI -+ -+ -+ -+ -+ -+ -+ -+# Client-side -+ -+ -+none -+ -+# tool is what to use instead of 'curl' -+ -+lib%TESTNUMBER -+ -+ -+ -+multi - add many easy handles -+ -+ -+ -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+ -+ -diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc -index faf7eacdf6af..002e7ab5470d 100644 ---- a/tests/libtest/Makefile.inc -+++ b/tests/libtest/Makefile.inc -@@ -50,6 +50,7 @@ LIBTESTPROGS = libauthretry libntlmconnect libprereq \ - lib659 lib661 lib666 lib667 lib668 \ - lib670 lib671 lib672 lib673 lib674 lib676 lib677 lib678 lib694 lib695 \ - lib696 \ -+ lib751 \ - lib1156 \ - lib1301 \ - lib1308 \ -@@ -349,6 +350,9 @@ lib695_SOURCES = lib695.c $(SUPPORTFILES) - lib696_SOURCES = lib556.c $(SUPPORTFILES) $(WARNLESS) - lib696_CPPFLAGS = $(AM_CPPFLAGS) -DLIB696 - -+lib751_SOURCES = lib751.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) -+lib751_LDADD = $(TESTUTIL_LIBS) -+ - lib1301_SOURCES = lib1301.c $(SUPPORTFILES) $(TESTUTIL) - lib1301_LDADD = $(TESTUTIL_LIBS) - -diff --git 
a/tests/libtest/lib751.c b/tests/libtest/lib751.c -new file mode 100644 -index 000000000000..ab2f923b959d ---- /dev/null -+++ b/tests/libtest/lib751.c -@@ -0,0 +1,92 @@ -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) Daniel Stenberg, , et al. -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at https://curl.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ * SPDX-License-Identifier: curl -+ * -+ ***************************************************************************/ -+#include "test.h" -+ -+#include "testutil.h" -+#include "warnless.h" -+#include "memdebug.h" -+ -+#define TEST_HANG_TIMEOUT 60 * 1000 -+ -+/* -+ * Get a single URL without select(). 
-+ */ -+ -+CURLcode test(char *URL) -+{ -+ CURL *easies[1000]; -+ CURLM *m; -+ CURLcode res = CURLE_FAILED_INIT; -+ CURLMcode mres; -+ int i; -+ -+ (void)URL; -+ memset(easies, 0, sizeof(easies)); -+ -+ curl_global_init(CURL_GLOBAL_DEFAULT); -+ m = curl_multi_init(); -+ if(!m) { -+ res = CURLE_OUT_OF_MEMORY; -+ goto test_cleanup; -+ } -+ -+ for(i = 0; i < 1000; i++) { -+ CURL *e = curl_easy_init(); -+ if(!e) { -+ res = CURLE_OUT_OF_MEMORY; -+ goto test_cleanup; -+ } -+ easies[i] = e; -+ -+ res = curl_easy_setopt(e, CURLOPT_URL, "https://www.example.com/"); -+ if(!res) -+ res = curl_easy_setopt(e, CURLOPT_VERBOSE, 1L); -+ if(res) -+ goto test_cleanup; -+ -+ mres = curl_multi_add_handle(m, e); -+ if(mres != CURLM_OK) { -+ printf("MULTI ERROR: %s\n", curl_multi_strerror(mres)); -+ res = CURLE_FAILED_INIT; -+ goto test_cleanup; -+ } -+ } -+ -+test_cleanup: -+ -+ if(res) -+ printf("ERROR: %s\n", curl_easy_strerror(res)); -+ -+ for(i = 0; i < 1000; i++) { -+ if(easies[i]) { -+ curl_multi_add_handle(m, easies[i]); -+ curl_easy_cleanup(easies[i]); -+ easies[i] = NULL; -+ } -+ } -+ curl_multi_cleanup(m); -+ curl_global_cleanup(); -+ -+ return res; -+} diff --git a/curl.spec b/curl.spec index 555fe8e..dd4e145 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.14.0 +Version: 8.14.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -16,9 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Fix 8.14.0 regression: https://github.com/curl/curl/issues/17473 -Patch001: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
@@ -410,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jun 04 2025 Jan Macku - 8.14.1-1 +- new upstream release +- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) + * Wed May 28 2025 Jan Macku - 8.14.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2025-5025 - No QUIC certificate pinning with wolfSSL diff --git a/sources b/sources index c4de0f0..0f72a68 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.14.0.tar.xz) = d9f49cac0b93dbc53879713cc017392b4277d84b489bbf2ef3b585c6a50eea6c3a7b80043286b34062af04329560f2dc321f315b0038ce93435aa9bbcaec1eea -SHA512 (curl-8.14.0.tar.xz.asc) = 7c147ddb5e141dd9951e2ef6b23fa120318c0e631fb36861b80fce61b4b19ca08273a6b95627f46a8172945fb51bd790ffc74dee0a4b0de860dad518963b4710 +SHA512 (curl-8.14.1.tar.xz) = 7f6eae04cc23c50fc41d448aa28dfa59141018009e42c5b1e3f4e0d40c0633460b4e6eec05dfc290f7953671096abfa70a8b5443fccdd3f1be6be32ac10b31d9 +SHA512 (curl-8.14.1.tar.xz.asc) = 663b1652bb27338310d1475a8b0422f04e68fca74be11a4b7120de948af4fc0c2b08b75ce5372d657aa89504a27b36b937b5091cb2d932297a7490d5e390d99f From 1b9d79c6fd4fee6d966e917589125b48c12493ad Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 23 Jun 2025 10:29:25 +0200 Subject: [PATCH 37/57] new upstream release - 8.15.0~rc1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index dd4e145..f21017b 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.14.1 +Version: 8.15.0~rc1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz 
@@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 +- new upstream release candidate + * Wed Jun 04 2025 Jan Macku - 8.14.1-1 - new upstream release - drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) diff --git a/sources b/sources index 0f72a68..8eec045 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.14.1.tar.xz) = 7f6eae04cc23c50fc41d448aa28dfa59141018009e42c5b1e3f4e0d40c0633460b4e6eec05dfc290f7953671096abfa70a8b5443fccdd3f1be6be32ac10b31d9 -SHA512 (curl-8.14.1.tar.xz.asc) = 663b1652bb27338310d1475a8b0422f04e68fca74be11a4b7120de948af4fc0c2b08b75ce5372d657aa89504a27b36b937b5091cb2d932297a7490d5e390d99f +SHA512 (curl-8.15.0-rc1.tar.xz) = eedabb0e416e119107e05c1b6afa04b4157f0381a3572c352e996ff682302690dbe34b75f39d49f6b7a26667eb673f06bd311853e73b9a82839eb1d8a43abe60 +SHA512 (curl-8.15.0-rc1.tar.xz.asc) = 8dbd61cc5246dc6244ac3bc16f9411d3bfe84bae8bd52935dd82d114c92a3be01116963d5518dea12426fbc5d6b45d9baec8354f9183c51f9cddf3204953d865 From 1984beb5371b749ce9fdcd32fde589c2860dc8d5 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 30 Jun 2025 13:44:33 +0200 Subject: [PATCH 38/57] new upstream release - 8.15.0~rc2 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index f21017b..bdb28fb 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc1 +Version: 8.15.0~rc2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 +- new upstream release candidate + * Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 - new upstream release candidate 
diff --git a/sources b/sources index 8eec045..9da21bd 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc1.tar.xz) = eedabb0e416e119107e05c1b6afa04b4157f0381a3572c352e996ff682302690dbe34b75f39d49f6b7a26667eb673f06bd311853e73b9a82839eb1d8a43abe60 -SHA512 (curl-8.15.0-rc1.tar.xz.asc) = 8dbd61cc5246dc6244ac3bc16f9411d3bfe84bae8bd52935dd82d114c92a3be01116963d5518dea12426fbc5d6b45d9baec8354f9183c51f9cddf3204953d865 +SHA512 (curl-8.15.0-rc2.tar.xz) = 9b4e04b0e2ff5d7a432ea931a965e7ee73103c5430c59b029ea9846358ed052c1353ea12a5636809a78df370e8639254103eb5e4614b75f33a65683044599580 +SHA512 (curl-8.15.0-rc2.tar.xz.asc) = 4aa6e38ec97159802cada0d89c374d06d5eba145139a8fd9f1bc52c42d296088ed559296fe7847b906eb852d382c523f7e48f0f5e03b30fef7996181e6628c10 From c602d3aa5676dfaf8bcff41b8daa26f27eb6856d Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 10 Jul 2025 09:21:53 +0200 Subject: [PATCH 39/57] new upstream release - 8.15.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index bdb28fb..1045a24 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc2 +Version: 8.15.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 +- new upstream release candidate + * Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index 9da21bd..0642c98 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc2.tar.xz) = 9b4e04b0e2ff5d7a432ea931a965e7ee73103c5430c59b029ea9846358ed052c1353ea12a5636809a78df370e8639254103eb5e4614b75f33a65683044599580 -SHA512 (curl-8.15.0-rc2.tar.xz.asc) = 4aa6e38ec97159802cada0d89c374d06d5eba145139a8fd9f1bc52c42d296088ed559296fe7847b906eb852d382c523f7e48f0f5e03b30fef7996181e6628c10 +SHA512 (curl-8.15.0-rc3.tar.xz) = 0f1f99bc69fde58f5e9348543e9aee9ca7c27642f04c380f233c6b3280ae53b9d65529ede8fe831ea6770d3657963f02dc8604a5006e805c6f4519cac79c8d01 +SHA512 (curl-8.15.0-rc3.tar.xz.asc) = 41cb379d5bceb5eadad86d007a3352846ebeaca383ef6448b58dc597ebc914a0fd4aaaf19dc4d47557ea06933b981f2db617a07e27848d2ff32fbb1dc7f52fca From e6d7e2ed2d76eaac3c5e59273a81872976efef7e Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 16 Jul 2025 10:14:01 +0200 Subject: [PATCH 40/57] new upstream release - 8.15.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 1045a24..885ba52 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc3 +Version: 8.15.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 16 2025 Jan Macku - 8.15.0-1 +- new upstream release + * Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 0642c98..fe20191 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc3.tar.xz) = 0f1f99bc69fde58f5e9348543e9aee9ca7c27642f04c380f233c6b3280ae53b9d65529ede8fe831ea6770d3657963f02dc8604a5006e805c6f4519cac79c8d01 -SHA512 (curl-8.15.0-rc3.tar.xz.asc) = 41cb379d5bceb5eadad86d007a3352846ebeaca383ef6448b58dc597ebc914a0fd4aaaf19dc4d47557ea06933b981f2db617a07e27848d2ff32fbb1dc7f52fca +SHA512 (curl-8.15.0.tar.xz) = d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191 +SHA512 (curl-8.15.0.tar.xz.asc) = b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5 From cc5717f9ec610100193bee9eae480f7dad24fa24 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 18:56:38 +0000 Subject: [PATCH 41/57] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 885ba52..ced8578 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.15.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Wed Jul 16 2025 Jan Macku - 8.15.0-1 - new upstream release From e4069769c832d7469bbbeb654b28427c346514dd Mon Sep 17 00:00:00 2001 
From: Jan Macku Date: Mon, 25 Aug 2025 10:43:21 +0200 Subject: [PATCH 42/57] new upstream release - 8.16.0~rc2 --- 0101-curl-7.32.0-multilib.patch | 14 +++++++------- curl.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index e7b2a32..79e9855 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From 495c771a6f9be008b783c5f59285d30fdc15fd63 Mon Sep 17 00:00:00 2001 +From ae56f768f418e1dd91f9eb3edf1a88453f61e160 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Mon, 10 Mar 2025 14:23:59 +0100 +Date: Mon, 25 Aug 2025 10:41:12 +0200 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 5518416..324e0b7 100644 +index ce23519..bb43ca8 100644 --- a/curl-config.in +++ b/curl-config.in @@ -74,7 +74,7 @@ while test "$#" -gt 0; do @@ -26,12 +26,12 @@ index 5518416..324e0b7 100644 ;; --libs) -- if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then +- if test "@libdir@" != '/usr/lib' -a "@libdir@" != '/usr/lib64'; then - curllibdir="-L@libdir@ " - else - curllibdir='' - fi -- if test 'X@ENABLE_SHARED@' = 'Xno'; then +- if test '@ENABLE_SHARED@' = 'no'; then - echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${curllibdir}-lcurl" @@ -44,7 +44,7 @@ index 5518416..324e0b7 100644 ;; --static-libs) -- if test 'X@ENABLE_STATIC@' != 'Xno'; then +- if test '@ENABLE_STATIC@' != 'no'; then - echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 @@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644 Name: libcurl URL: https://curl.se/ -- -2.48.1 +2.50.1 
diff --git a/curl.spec b/curl.spec index ced8578..e780804 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0 -Release: 2%{?dist} +Version: 8.16.0~rc2 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 +- new upstream release candidate + * Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild diff --git a/sources b/sources index fe20191..ad9b1ad 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0.tar.xz) = d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191 -SHA512 (curl-8.15.0.tar.xz.asc) = b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5 +SHA512 (curl-8.16.0-rc2.tar.xz.asc) = c180343f1037cf51eb32c61035a4da7e728c2ee7f8d4ca1d464545b9b4044b30963e6b1ce424951a151ff901d7c7f4d56e7a54dacc581fc2c5c3b54349c155eb +SHA512 (curl-8.16.0-rc2.tar.xz) = 7cc4f56a05634c651cf7224d3844359498d127f259e531aadefe86f6df3a7fc5f6644c296407d38867ddb716fe3e4951d377592f6d977c196ad1a733374e608f From 581c1b9ace3de047af9bec6a8a59cf0c9f36c91c Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 3 Sep 2025 10:39:46 +0200 Subject: [PATCH 43/57] new upstream release - 8.16.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index e780804..0a7e2b9 100644 --- a/curl.spec +++ b/curl.spec 
@@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0~rc2 +Version: 8.16.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 +- new upstream release candidate + * Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index ad9b1ad..9d707b2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0-rc2.tar.xz.asc) = c180343f1037cf51eb32c61035a4da7e728c2ee7f8d4ca1d464545b9b4044b30963e6b1ce424951a151ff901d7c7f4d56e7a54dacc581fc2c5c3b54349c155eb -SHA512 (curl-8.16.0-rc2.tar.xz) = 7cc4f56a05634c651cf7224d3844359498d127f259e531aadefe86f6df3a7fc5f6644c296407d38867ddb716fe3e4951d377592f6d977c196ad1a733374e608f +SHA512 (curl-8.16.0-rc3.tar.xz) = 119e00ac9c150ac1d61ce5eeb522168b8a1c68d6576077400222170e0bd9b25dbe53182166a194058e58831a8768c1b7d9145fd5051c4e13bcd12841eb3a7284 +SHA512 (curl-8.16.0-rc3.tar.xz.asc) = 50e484772ac1e8390222ce21702c6995c96b4da99d1e0f2e233b7226b48b5ce3a290d6050963e1e2c519b9a29d2ded7134d3bd4e765a946a8abbae3c67e31d32 From 4335a7a3cb25cd33eea86ac9fc8d41bb67fd857f Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 10 Sep 2025 08:56:14 +0200 Subject: [PATCH 44/57] new upstream release - 8.16.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 0a7e2b9..bf0f7ee 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0~rc3 +Version: 8.16.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz 
@@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 10 2025 Jan Macku - 8.16.0-1 +- new upstream release + * Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 9d707b2..8b5feac 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0-rc3.tar.xz) = 119e00ac9c150ac1d61ce5eeb522168b8a1c68d6576077400222170e0bd9b25dbe53182166a194058e58831a8768c1b7d9145fd5051c4e13bcd12841eb3a7284 -SHA512 (curl-8.16.0-rc3.tar.xz.asc) = 50e484772ac1e8390222ce21702c6995c96b4da99d1e0f2e233b7226b48b5ce3a290d6050963e1e2c519b9a29d2ded7134d3bd4e765a946a8abbae3c67e31d32 +SHA512 (curl-8.16.0.tar.xz) = 8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621 +SHA512 (curl-8.16.0.tar.xz.asc) = 591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82 From 804c73ca4bbb4d7a3f454bf93fa621bd3fd06feb Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Fri, 12 Sep 2025 10:40:12 -0700 Subject: [PATCH 45/57] Update test URLs to Fedora 42 to fix tests Tests currently fail because Fedora 38 is archived. This bumps the version to 42 and updates the expected content. This will need updating again annually or so. It'd be safer to use something that doesn't age out frequently instead. Signed-off-by: Adam Williamson --- tests/non-root-user-download/runtest.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 4d51e62..0d72276 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh 
@@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" From 9776a6bb744df02f85cf73c3b8a02e0e387ae915 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 13 Oct 2025 10:25:01 +0200 Subject: [PATCH 46/57] new upstream release - 8.17.0~rc1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index bf0f7ee..f247bf3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0 +Version: 8.17.0~rc1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 +- new upstream release candidate + * Wed Sep 10 2025 Jan Macku - 8.16.0-1 - new upstream release diff --git a/sources b/sources index 8b5feac..c657397 100644 --- a/sources +++ b/sources 
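Review bot: The three bumped values (`FTP_URL`, `HTTP_URL`, `CONTENT`) are coupled, but nothing in the hunk says how `CONTENT` is derived, so the next refresh the commit message itself anticipates will have to be reverse-engineered; a comment above `FTP_URL=` such as `# FTP_URL, HTTP_URL and CONTENT must be bumped together: CONTENT is the value the test expects to find in the downloaded CHECKSUM file` would make it reproducible. The value looks like a SHA-256 hex digest, presumably one listed inside the CHECKSUM file rather than a digest of the file itself — worth stating in that comment once confirmed against the check further down the script. The FTP URL points at a third-party mirror while the HTTP URL points at archives.fedoraproject.org, so the two copies may lag each other right after a release bump; if that is a known failure mode, naming it in the same comment saves a future debugging round. The enclosing script continues outside the hunk.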
@@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0.tar.xz) = 8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621 -SHA512 (curl-8.16.0.tar.xz.asc) = 591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82 +SHA512 (curl-8.17.0-rc1.tar.xz) = bbaa3c97860f51c069dfc448d212a0d2149abfe76429bd4e7e3b005f44851e609008b90f5ed5caad048b5815043433248b495c41edf04d4bb5b76a8af41ede02 +SHA512 (curl-8.17.0-rc1.tar.xz.asc) = e86f7c9000ee5e8ee775947e720a17cf327b1f3053d6a6d92d3d1d27ed8dacefe1934ce3ee67b1efd59a601e0312bcffd1fb0900b760fda15e0fe7ba1a892c8f From 6bf2cb17bf9b14db4abc7a4f85e502629eafbbf3 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 21 Oct 2025 13:12:51 +0200 Subject: [PATCH 47/57] new upstream release - 8.17.0~rc2 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index f247bf3..6784164 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc1 +Version: 8.17.0~rc2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 +- new upstream release candidate + * Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 - new upstream release candidate diff --git a/sources b/sources index c657397..5bd897d 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc1.tar.xz) = bbaa3c97860f51c069dfc448d212a0d2149abfe76429bd4e7e3b005f44851e609008b90f5ed5caad048b5815043433248b495c41edf04d4bb5b76a8af41ede02 -SHA512 (curl-8.17.0-rc1.tar.xz.asc) = e86f7c9000ee5e8ee775947e720a17cf327b1f3053d6a6d92d3d1d27ed8dacefe1934ce3ee67b1efd59a601e0312bcffd1fb0900b760fda15e0fe7ba1a892c8f +SHA512 (curl-8.17.0-rc2.tar.xz) = bc7d63e72787c5960a7107e2227b70e761aef2e2e63bda0f13f8c944b31a4e98acc1ca72bde25ff9eba3d97cee38e58e51359dffcfdf59310c6722d3a0986b54 +SHA512 (curl-8.17.0-rc2.tar.xz.asc) = d5bd939f0a004f6ae46f0fca1e05f6f7c4d6e77c3a65641c9b081a28589385a44b51fa968e0a7c35dd76caebe1f4d59ac0b26e0fc84378fd1d57c3ce513c4a2a From 9bd80279ea75fc37dcc6767e0061bc46e4893607 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 30 Oct 2025 09:34:03 +0100 Subject: [PATCH 48/57] new upstream release - 8.17.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 6784164..2cb6993 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc2 +Version: 8.17.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 +- new upstream release candidate + * Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index 5bd897d..0a3353d 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc2.tar.xz) = bc7d63e72787c5960a7107e2227b70e761aef2e2e63bda0f13f8c944b31a4e98acc1ca72bde25ff9eba3d97cee38e58e51359dffcfdf59310c6722d3a0986b54 -SHA512 (curl-8.17.0-rc2.tar.xz.asc) = d5bd939f0a004f6ae46f0fca1e05f6f7c4d6e77c3a65641c9b081a28589385a44b51fa968e0a7c35dd76caebe1f4d59ac0b26e0fc84378fd1d57c3ce513c4a2a +SHA512 (curl-8.17.0-rc3.tar.xz) = ffa33aaec6c84ee2a9838e4d10f70e905ac414b920794215a0abb5a537e441187b4fd4eba2e1d8103d43375dc6bdf6995f097d22523c6e4ca1172bf0c3e1c347 +SHA512 (curl-8.17.0-rc3.tar.xz.asc) = b2ecef9a04d8337dabfde6be96e9b6fc9151d56dcc8aeb93ce8c5949ba0aaa6bbaf72f25ef3af8a0d4ffc92999d5f5498cead4f519fc0473c4cd311e28d54774 From d2da397853a1847f0a9c1be02842a7720227ec55 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 6 Nov 2025 15:10:09 +0100 Subject: [PATCH 49/57] new upstream release - 8.17.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 2cb6993..f96c5aa 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc3 +Version: 8.17.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +*Mon Nov 10 2025 Jan Macku - 8.17.0-1 +- new upstream release + * Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 0a3353d..2d835d7 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc3.tar.xz) = ffa33aaec6c84ee2a9838e4d10f70e905ac414b920794215a0abb5a537e441187b4fd4eba2e1d8103d43375dc6bdf6995f097d22523c6e4ca1172bf0c3e1c347 -SHA512 (curl-8.17.0-rc3.tar.xz.asc) = b2ecef9a04d8337dabfde6be96e9b6fc9151d56dcc8aeb93ce8c5949ba0aaa6bbaf72f25ef3af8a0d4ffc92999d5f5498cead4f519fc0473c4cd311e28d54774 +SHA512 (curl-8.17.0.tar.xz.asc) = e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2 +SHA512 (curl-8.17.0.tar.xz) = fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca From b15bd53eb8d0de3ade9fb785b019f4d36aba07d5 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Nov 2025 09:24:32 +0100 Subject: [PATCH 50/57] remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead --- curl.spec | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index f96c5aa..8e3d696 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -366,6 +366,11 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la +# do not install bundled wcurl utility +# it is provided by the wcurl package +rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* + %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal @@ -381,8 +386,6 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* -%{_bindir}/wcurl -%{_mandir}/man1/wcurl.1* %{_datadir}/zsh %files -n libcurl 
@@ -407,7 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
-*Mon Nov 10 2025 Jan Macku - 8.17.0-1
+* Thu Nov 13 2025 Jan Macku - 8.17.0-2
+- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead
+
+* Mon Nov 10 2025 Jan Macku - 8.17.0-1
 - new upstream release
 * Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1
From 6803c01e8da370a26d6cd6206093cd8f51ac3bae Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Thu, 13 Nov 2025 16:01:43 +0100
Subject: [PATCH 51/57] recommend wcurl package instead of bundled wcurl utility
---
 curl.spec | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/curl.spec b/curl.spec
index 8e3d696..ca173a3 100644
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.17.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
@@ -28,6 +28,11 @@ Provides: curl-minimal = %{version}-%{release}
 Provides: webclient
 URL: https://curl.se/
+%if 0%{?fedora}
+# instead of bundled wcurl utility, recommend wcurl package
+Recommends: wcurl
+%endif
+
 # The reason for maintaining two separate packages for curl is no longer valid.
 # The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal.
 # For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096
@@ -410,6 +415,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Thu Nov 13 2025 Jan Macku - 8.17.0-3
+- recommend wcurl package instead of bundled wcurl utility
+
 * Thu Nov 13 2025 Jan Macku - 8.17.0-2
 - remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead
From 7d91f53d81f6aa9e760638a1e4dceb82a5b839b7 Mon Sep 17 00:00:00 2001
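Review bot: The `Recommends: wcurl` added in the `@@ -28,6 +28,11 @@` hunk is guarded by `%if 0%{?fedora}`, while the removal of the bundled binary and man page in the previous commit (`rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl` and the `%files` deletions) is unconditional, so on a non-Fedora build the `wcurl` command disappears with nothing pointing users at a replacement. If the standalone wcurl package simply does not exist outside Fedora that is presumably intended, but the guard deserves a comment saying so, e.g. `# the separate wcurl package is only available on Fedora; other targets lose the utility entirely`. Otherwise the condition should be widened to match wherever that package is shipped.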
From: Jan Macku
Date: Thu, 4 Dec 2025 09:59:27 +0100
Subject: [PATCH 52/57] http3: apply upstream patches for valgrind issues
Related: #2408809
---
 ...rl-8.17.0-vquic-do_sendmsg-full-init.patch | 34 +++++++++++++++++++
 ...0-ngtcp2-openssl-fix-leak-of-session.patch | 32 +++++++++++++++++
 curl.spec | 9 ++++-
 3 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch
 create mode 100644 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch
diff --git a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch
new file mode 100644
index 0000000..f41b79a
--- /dev/null
+++ b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch
@@ -0,0 +1,34 @@
+From aa95d1ceda65e7aa20110a69742797d80009e7de Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Thu, 27 Nov 2025 10:23:43 +0100
+Subject: [PATCH 1/2] vquic: do_sendmsg full init
+
+When passing a `msg_ctrl` to sendmsg() as part of GSO handling, zero the
+complete array. This fixes any false positives by valgrind that complain
+about uninitialised memory, even though the kernel only ever accesses
+the first two bytes.
+
+Reported-by: Aleksei Bavshin
+Fixes #19714
+Closes #19715
+
+(cherry picked from commit a9e7a027ed866b791c12a3c701dc40304f4e00cb)
+---
+ lib/vquic/vquic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/vquic/vquic.c b/lib/vquic/vquic.c
+index 7533001ea..2e8d8e5cd 100644
+--- a/lib/vquic/vquic.c
++++ b/lib/vquic/vquic.c
+@@ -144,6 +144,7 @@ static CURLcode do_sendmsg(struct Curl_cfilter *cf,
+ if(pktlen > gsolen) {
+ /* Only set this, when we need it. macOS, for example,
+ * does not seem to like a msg_control of length 0. */
++ memset(msg_ctrl, 0, sizeof(msg_ctrl));
+ msg.msg_control = msg_ctrl;
+ assert(sizeof(msg_ctrl) >= CMSG_SPACE(sizeof(int)));
+ msg.msg_controllen = CMSG_SPACE(sizeof(int));
+--
+2.52.0
+
diff --git a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch
new file mode 100644
index 0000000..4db6234
--- /dev/null
+++ b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch
@@ -0,0 +1,32 @@
+From a11ab7ad4ea0d97ac0d5af1e28b30b00c37c3c3c Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Thu, 27 Nov 2025 12:11:39 +0100
+Subject: [PATCH 2/2] ngtcp2+openssl: fix leak of session
+
+Fix return value indicating to OpenSSL if reference to session is kept
+(it is not), so OpenSSL frees it.
+
+Reported-by: Aleksei Bavshin
+Fixes #19717
+Closes #19718
+
+(cherry picked from commit 9bb5c0578b39e5b086b6a9db5c6eb299a0fe1c5c)
+---
+ lib/vquic/curl_ngtcp2.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c
+index f72f6630f..069dcb67e 100644
+--- a/lib/vquic/curl_ngtcp2.c
++++ b/lib/vquic/curl_ngtcp2.c
+@@ -2262,7 +2262,6 @@ static int quic_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ #endif
+ Curl_ossl_add_session(cf, data, ctx->peer.scache_key, ssl_sessionid,
+ SSL_version(ssl), "h3", quic_tp, quic_tp_len);
+- return 1;
+ }
+ return 0;
+ }
+--
+2.52.0
+
diff --git a/curl.spec b/curl.spec
index ca173a3..a58a893 100644
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.17.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
@@ -16,6 +16,10 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
+# Fix valgrind issues in HTTP/3
+Patch001: 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch
+Patch002: 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -415,6 +419,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Thu Dec 04 2025 Jan Macku - 8.17.0-4
+- apply upstream patches for valgrind issues in HTTP/3 (#2408809)
+
 * Thu Nov 13 2025 Jan Macku - 8.17.0-3
 - recommend wcurl package instead of bundled wcurl utility
From fe73859ecd63f56854b599eda9bc8d991c933d8b Mon Sep 17 00:00:00 2001
From: Aleksei Bavshin
Date: Thu, 9 Oct 2025 14:36:47 -0700
Subject: [PATCH 53/57] Enable HTTP/3 support with ngtcp2
---
 curl.spec | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/curl.spec b/curl.spec
index a58a893..a47f422 100644
--- a/curl.spec
+++ b/curl.spec
@@ -4,10 +4,15 @@
 # Change the bcond to 0 to turn off ENGINE support by default
 %bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10]
+# HTTP/3 support
+# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's
+# experimental native OpenSSL 3.5 support.
+%bcond http3 %[0%{?fedora} >= 43]
+
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.17.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
@@ -50,10 +55,16 @@ BuildRequires: groff
 BuildRequires: krb5-devel
 BuildRequires: libidn2-devel
 BuildRequires: libnghttp2-devel
+%if %{with http3}
+BuildRequires: libnghttp3-devel
+%endif
 BuildRequires: libpsl-devel
 BuildRequires: libssh-devel
 BuildRequires: libtool
 BuildRequires: make
+%if %{with http3}
+BuildRequires: ngtcp2-crypto-ossl-devel
+%endif
 BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
@@ -148,6 +159,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release}
 # to ensure that we have the necessary symbols available (#2144277)
 %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0)
+# require at least the version of libnghttp3 that we were built against,
+# to ensure that we have the necessary symbols available
+%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0)
+
 # require at least the version of libpsl that we were built against,
 # to ensure that we have the necessary symbols available (#1631804)
 %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)
@@ -156,6 +171,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release}
 # to ensure that we have the necessary symbols available (#525002, #642796)
 %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)
+# require at least the version of ngtcp2 that we were built against,
+# to ensure that we have the necessary symbols available
+%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0)
+
 # require at least the version of openssl-libs that we were built against,
 # to ensure that we have the necessary symbols available (#1462184, #1462211)
 # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though)
@@ -172,8 +191,14 @@ resume, proxy tunneling and a busload of other useful tricks.
 %package -n libcurl
 Summary: A library for getting files from web servers
 Requires: libnghttp2%{?_isa} >= %{libnghttp2_version}
+%if %{with http3}
+Requires: libnghttp3%{?_isa} >= %{libnghttp3_version}
+%endif
 Requires: libpsl%{?_isa} >= %{libpsl_version}
 Requires: libssh%{?_isa} >= %{libssh_version}
+%if %{with http3}
+Requires: ngtcp2%{?_isa} >= %{ngtcp2_version}
+%endif
 Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
 Provides: libcurl-full = %{version}-%{release}
 Provides: libcurl-full%{?_isa} = %{version}-%{release}
@@ -313,7 +338,11 @@ export common_configure_opts=" \
 --enable-websockets \
 --with-brotli \
 --with-libpsl \
- --with-libssh
+ --with-libssh \
+%if %{with http3}
+ --with-nghttp3 \
+ --with-ngtcp2 \
+%endif
 )
 # avoid using rpath
@@ -419,6 +448,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5
+- Enable HTTP/3 support with ngtcp2
+
 * Thu Dec 04 2025 Jan Macku - 8.17.0-4
 - apply upstream patches for valgrind issues in HTTP/3 (#2408809)
From 9d9fd36c2e8580eea7562a01230282bde942487e Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Tue, 9 Dec 2025 08:50:28 +0100
Subject: [PATCH 54/57] new upstream release - 8.18.0~rc1
---
 ...rl-8.17.0-vquic-do_sendmsg-full-init.patch | 34 -------------------
 ...0-ngtcp2-openssl-fix-leak-of-session.patch | 32 -----------------
 curl.spec | 12 +++---
 sources | 4 +--
 4 files changed, 8 insertions(+), 74 deletions(-)
 delete mode 100644 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch
 delete mode 100644 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch
diff --git a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch
deleted file mode 100644
index f41b79a..0000000
--- a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch
+++ /dev/null
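Review bot: The new runtime floor `Requires: ngtcp2%{?_isa} >= %{ngtcp2_version}` is derived from `pkg-config --modversion libngtcp2` (the `%global ngtcp2_version` hunk in the preceding section), but the build links the OpenSSL crypto backend pulled in through `BuildRequires: ngtcp2-crypto-ossl-devel`; if that backend library ships in a runtime package of its own, it gets no version floor here, unlike every other library this block pins. Consider adding a matching `Requires:` for that backend package, or a comment stating that the automatic ELF soname dependency is deliberately relied on for it. Since enabling HTTP/3 makes the ngtcp2 and nghttp3 QUIC/H3 parsers reachable from network input in libcurl, keeping these floors accurate is what guarantees a rebuild against a fixed library is actually picked up at install time. The same `%if %{with http3}` guard is repeated for each BuildRequires/Requires pair; grouping both entries under one guard per block would read more easily, though that is purely stylistic.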
@@ -1,34 +0,0 @@
-From aa95d1ceda65e7aa20110a69742797d80009e7de Mon Sep 17 00:00:00 2001
-From: Stefan Eissing
-Date: Thu, 27 Nov 2025 10:23:43 +0100
-Subject: [PATCH 1/2] vquic: do_sendmsg full init
-
-When passing a `msg_ctrl` to sendmsg() as part of GSO handling, zero the
-complete array. This fixes any false positives by valgrind that complain
-about uninitialised memory, even though the kernel only ever accesses
-the first two bytes.
-
-Reported-by: Aleksei Bavshin
-Fixes #19714
-Closes #19715
-
-(cherry picked from commit a9e7a027ed866b791c12a3c701dc40304f4e00cb)
----
- lib/vquic/vquic.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/vquic/vquic.c b/lib/vquic/vquic.c
-index 7533001ea..2e8d8e5cd 100644
---- a/lib/vquic/vquic.c
-+++ b/lib/vquic/vquic.c
-@@ -144,6 +144,7 @@ static CURLcode do_sendmsg(struct Curl_cfilter *cf,
- if(pktlen > gsolen) {
- /* Only set this, when we need it. macOS, for example,
- * does not seem to like a msg_control of length 0. */
-+ memset(msg_ctrl, 0, sizeof(msg_ctrl));
- msg.msg_control = msg_ctrl;
- assert(sizeof(msg_ctrl) >= CMSG_SPACE(sizeof(int)));
- msg.msg_controllen = CMSG_SPACE(sizeof(int));
---
-2.52.0
-
diff --git a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch
deleted file mode 100644
index 4db6234..0000000
--- a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From a11ab7ad4ea0d97ac0d5af1e28b30b00c37c3c3c Mon Sep 17 00:00:00 2001
-From: Stefan Eissing
-Date: Thu, 27 Nov 2025 12:11:39 +0100
-Subject: [PATCH 2/2] ngtcp2+openssl: fix leak of session
-
-Fix return value indicating to OpenSSL if reference to session is kept
-(it is not), so OpenSSL frees it.
-
-Reported-by: Aleksei Bavshin
-Fixes #19717
-Closes #19718
-
-(cherry picked from commit 9bb5c0578b39e5b086b6a9db5c6eb299a0fe1c5c)
----
- lib/vquic/curl_ngtcp2.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c
-index f72f6630f..069dcb67e 100644
---- a/lib/vquic/curl_ngtcp2.c
-+++ b/lib/vquic/curl_ngtcp2.c
-@@ -2262,7 +2262,6 @@ static int quic_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
- #endif
- Curl_ossl_add_session(cf, data, ctx->peer.scache_key, ssl_sessionid,
- SSL_version(ssl), "h3", quic_tp, quic_tp_len);
-- return 1;
- }
- return 0;
- }
---
-2.52.0
-
diff --git a/curl.spec b/curl.spec
index a47f422..6ce39e2 100644
--- a/curl.spec
+++ b/curl.spec
@@ -11,8 +11,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.17.0
-Release: 5%{?dist}
+Version: 8.18.0~rc1
+Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
@@ -21,10 +21,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
-# Fix valgrind issues in HTTP/3
-Patch001: 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch
-Patch002: 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch
-
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -448,6 +444,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1
+- new upstream release candidate
+- drop upstreamed patches
+
 * Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5
 - Enable HTTP/3 support with ngtcp2
diff --git a/sources b/sources
index 2d835d7..80cbe05 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.17.0.tar.xz.asc) = e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2
-SHA512 (curl-8.17.0.tar.xz) = fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca
+SHA512 (curl-8.18.0-rc1.tar.xz) = 34cb17db3b16458a82b6f2c6c72f967cd028449a74a026acb2b6085161644ad352adf9cc9324d1e3264caf9039424bc53863e55ce92da7971e15871fee0c2551
+SHA512 (curl-8.18.0-rc1.tar.xz.asc) = 6b64d4d035de78f5111cc4cd7aaf4f6e5d4f14e5ee6685a3ff4e5d67f93aa45008a6c85f62cea54800872815fc01158339fc5d53959d060062cffce327a5346d
From 9e1a11614b37b5a26a09a2bca7f81270633e3cbc Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Tue, 16 Dec 2025 14:49:18 +0100
Subject: [PATCH 55/57] new upstream release - 8.18.0~rc2
---
 0101-curl-7.32.0-multilib.patch | 14 +++++-----
 0105-curl-8.11.1-test616.patch | 48 ---------------------------------
 curl.spec | 14 +++++-----
 sources | 4 +--
 4 files changed, 17 insertions(+), 63 deletions(-)
 delete mode 100644 0105-curl-8.11.1-test616.patch
diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch
index 79e9855..f7f66e6 100644
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@@ -1,6 +1,6 @@
-From ae56f768f418e1dd91f9eb3edf1a88453f61e160 Mon Sep 17 00:00:00 2001
+From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001
From: Jan Macku
-Date: Mon, 25 Aug 2025 10:41:12 +0200
+Date: Tue, 16 Dec 2025 10:04:40 +0100
 Subject: [PATCH] prevent multilib conflicts on the curl-config script
 ---
@@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script
 3 files changed, 9 insertions(+), 19 deletions(-)
 diff --git a/curl-config.in b/curl-config.in
-index ce23519..bb43ca8 100644
+index a1c8185875..bb43ca8335 100644
 --- a/curl-config.in
 +++ b/curl-config.in
 @@ -74,7 +74,7 @@ while test "$#" -gt 0; do
@@ -26,7 +26,7 @@ index ce23519..bb43ca8 100644
 ;;
 --libs)
-- if test "@libdir@" != '/usr/lib' -a "@libdir@" != '/usr/lib64'; then
+- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then
 - curllibdir="-L@libdir@ "
 - else
 - curllibdir=''
@@ -61,7 +61,7 @@ index ce23519..bb43ca8 100644
 *)
 diff --git a/docs/curl-config.md b/docs/curl-config.md
-index 12ad245..fa0e03d 100644
+index 12ad245b79..fa0e03d273 100644
 --- a/docs/curl-config.md
 +++ b/docs/curl-config.md
 @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated.
@@ -76,7 +76,7 @@ index 12ad245..fa0e03d 100644
 ## `--version`
 diff --git a/libcurl.pc.in b/libcurl.pc.in
-index c0ba524..f3645e1 100644
+index c0ba5244a8..f3645e1748 100644
 --- a/libcurl.pc.in
 +++ b/libcurl.pc.in
 @@ -28,6 +28,7 @@ libdir=@libdir@
@@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644
 Name: libcurl
 URL: https://curl.se/
 --
-2.50.1
+2.52.0
diff --git a/0105-curl-8.11.1-test616.patch b/0105-curl-8.11.1-test616.patch
deleted file mode 100644
index 91bde80..0000000
--- a/0105-curl-8.11.1-test616.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 82baec8c7cd40361585d8793dfe4531f7aad30e3 Mon Sep 17 00:00:00 2001
-From: Jan Macku
-Date: Wed, 11 Dec 2024 13:16:12 +0100
-Subject: [PATCH] test616: disable valgrind
-
-Valgrind disable was removed in upstream in https://github.com/curl/curl/commit/c91c37b6e87ceee760b7bb334c8e97e03ee93e93#diff-e01fd8774cf5b26329c7dc7dc03ec49745469205f3d501ced72c9d133455d5e7L35
-But test 616 is still failing under valgrind, so disable valgrind for this test.
-
-```
- valgrind ERROR ==188588== 144 bytes in 1 blocks are definitely lost in loss record 1 of 1
-==188588== at 0x484B133: calloc (vg_replace_malloc.c:1675)
-==188588== by 0x4BB7575: ??? (in /usr/lib64/libssh.so.4.10.1)
-==188588== by 0x4BB8CC6: sftp_fstat (in /usr/lib64/libssh.so.4.10.1)
-==188588== by 0x48EEAFB: myssh_statemach_act (libssh.c:1610)
-==188588== by 0x48F1B9D: myssh_multi_statemach.lto_priv.0 (libssh.c:2095)
-==188588== by 0x48BA971: UnknownInlinedFun (multi.c:1643)
-==188588== by 0x48BA971: UnknownInlinedFun (multi.c:2314)
-==188588== by 0x48BA971: multi_runsingle (multi.c:2768)
-==188588== by 0x48BCCA4: curl_multi_perform (multi.c:3016)
-==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:701)
-==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:796)
-==188588== by 0x4884E4A: curl_easy_perform (easy.c:815)
-==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:2902)
-==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3127)
-==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3249)
-==188588== by 0x10C12B: main (tool_main.c:271)
-==188588==
-```
----
- tests/data/test616 | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/tests/data/test616 b/tests/data/test616
-index f76c68a..0ebc734 100644
---- a/tests/data/test616
-+++ b/tests/data/test616
-@@ -32,5 +32,8 @@ SFTP retrieval of empty file
- #
- # Verify data after the test has been "shot"
-
-+
-+disable
-+
-
-
---
-2.47.1
-
diff --git a/curl.spec b/curl.spec
index 6ce39e2..c2ec049 100644
--- a/curl.spec
+++ b/curl.spec
@@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.18.0~rc1
+Version: 8.18.0~rc2
 Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
@@ -24,9 +24,6 @@ Source2: mykey.asc
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
-# test616: disable valgrind
-Patch105: 0105-curl-8.11.1-test616.patch
-
 Provides: curl-full = %{version}-%{release}
 # do not fail when trying to install curl-minimal after drop
 Provides: curl-minimal = %{version}-%{release}
@@ -414,9 +411,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %doc README
 %doc docs/BUGS.md
 %doc docs/DISTROS.md
-%doc docs/FAQ
+%doc docs/FAQ.md
 %doc docs/FEATURES.md
-%doc docs/TODO
+%doc docs/KNOWN_BUGS.md
+%doc docs/TODO.md
 %doc docs/TheArtOfHttpScripting.md
 %{_bindir}/curl
 %{_mandir}/man1/curl.1*
@@ -444,6 +442,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1
+- new upstream release candidate
+- reenable valgrind on test 616
+
 * Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1
 - new upstream release candidate
 - drop upstreamed patches
diff --git a/sources b/sources
index 80cbe05..f75181e 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.18.0-rc1.tar.xz) = 34cb17db3b16458a82b6f2c6c72f967cd028449a74a026acb2b6085161644ad352adf9cc9324d1e3264caf9039424bc53863e55ce92da7971e15871fee0c2551
-SHA512 (curl-8.18.0-rc1.tar.xz.asc) = 6b64d4d035de78f5111cc4cd7aaf4f6e5d4f14e5ee6685a3ff4e5d67f93aa45008a6c85f62cea54800872815fc01158339fc5d53959d060062cffce327a5346d
+SHA512 (curl-8.18.0-rc2.tar.xz) = 4a71016d3a1d53bda007dc510c6eb7c1f35f04f4bb5c9cb1b10595e2ea15062993edd5fcdf73d008f6e91db48467e6a3428dd96e64ad9fb7acdf74db15ac5564
+SHA512 (curl-8.18.0-rc2.tar.xz.asc) = d3cfefd964958aa83da3005030899d12ed6ac0c456b2a2b1490a76a06c5abff839b4d70c1bad1d6218f9bdae0e63e368fc6a423ed10d03334609b499b7440762
From da5bf8f889f2af14cee4a633294b06b02f90ac16 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Mon, 5 Jan 2026 09:35:50 +0100
Subject: [PATCH 56/57] new upstream release - 8.18.0~rc3
---
 curl.spec | 5 ++++-
 sources | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/curl.spec b/curl.spec
index c2ec049..758e807 100644
--- a/curl.spec
+++ b/curl.spec
@@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.18.0~rc2
+Version: 8.18.0~rc3
 Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
@@ -442,6 +442,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1
+- new upstream release candidate
+
 * Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1
 - new upstream release candidate
 - reenable valgrind on test 616
diff --git a/sources b/sources
index f75181e..5d0cff9 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.18.0-rc2.tar.xz) = 4a71016d3a1d53bda007dc510c6eb7c1f35f04f4bb5c9cb1b10595e2ea15062993edd5fcdf73d008f6e91db48467e6a3428dd96e64ad9fb7acdf74db15ac5564
-SHA512 (curl-8.18.0-rc2.tar.xz.asc) = d3cfefd964958aa83da3005030899d12ed6ac0c456b2a2b1490a76a06c5abff839b4d70c1bad1d6218f9bdae0e63e368fc6a423ed10d03334609b499b7440762
+SHA512 (curl-8.18.0-rc3.tar.xz) = 1139b79a6c4356fdf6f368812402c2f9bafcbaec6323c367aef85c4d00ffda9541a87ef476ce9a099142ef6f824b562c9dc840878add60a616f0e441fef44801
+SHA512 (curl-8.18.0-rc3.tar.xz.asc) = fac23b293cec82596ddd7757c0984e3977259c5116ddef719fad2a39a3723cf7cb5d85d12c5c5b2542f34a5411aa6f42f4fb08729fde6c564cd3567f2a3f0434
From 3c4947ef9777ff0e270d3680b23a3e10134ee68f Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Wed, 7 Jan 2026 11:16:40 +0100
Subject: [PATCH 57/57] new upstream release - 8.18.0
---
 curl.spec | 5 ++++-
 sources | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/curl.spec b/curl.spec
index 758e807..c0ad4db 100644
--- a/curl.spec
+++ b/curl.spec
@@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.18.0~rc3
+Version: 8.18.0
 Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz
@@ -442,6 +442,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Wed Jan 07 2026 Jan Macku - 8.18.0-1
+- new upstream release
+
 * Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1
 - new upstream release candidate
diff --git a/sources b/sources
index 5d0cff9..002e494 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.18.0-rc3.tar.xz) = 1139b79a6c4356fdf6f368812402c2f9bafcbaec6323c367aef85c4d00ffda9541a87ef476ce9a099142ef6f824b562c9dc840878add60a616f0e441fef44801
-SHA512 (curl-8.18.0-rc3.tar.xz.asc) = fac23b293cec82596ddd7757c0984e3977259c5116ddef719fad2a39a3723cf7cb5d85d12c5c5b2542f34a5411aa6f42f4fb08729fde6c564cd3567f2a3f0434
+SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
+SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152