From 94f262cd0575c8917aa82f865020cbde58d5922f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 29 Jun 2017 11:28:39 +0200 Subject: [PATCH 1/4] Related: #1445153 - switch the TLS backend back to NSS --- curl.spec | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/curl.spec b/curl.spec index 1aabeec..bdec0b2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.54.1 -Release: 2%{?dist} +Release: 2.1%{?dist} License: MIT Group: Applications/Internet Source: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma @@ -28,10 +28,10 @@ BuildRequires: libnghttp2-devel BuildRequires: libpsl-devel BuildRequires: libssh2-devel BuildRequires: multilib-rpm-config +BuildRequires: nss-devel BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server -BuildRequires: openssl-devel BuildRequires: pkgconfig BuildRequires: python BuildRequires: stunnel @@ -72,10 +72,6 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh2_version %(pkg-config --modversion libssh2 2>/dev/null || echo 0) -# require at least the version of openssl-libs that we were built against, -# to ensure that we have the necessary symbols available (#1462184, #1462211) -%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0) - %description curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, @@ -88,10 +84,13 @@ resume, proxy tunneling and a busload of other useful tricks. Summary: A library for getting files from web servers Group: Development/Libraries Requires: libssh2%{?_isa} >= %{libssh2_version} -Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} +# libnsspem.so is no longer included in the nss package (#1347336) +BuildRequires: nss-pem +Requires: nss-pem%{?_isa} + %description -n libcurl libcurl is a free and easy-to-use client-side URL transfer library, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, @@ -137,6 +136,9 @@ Provides: libcurl%{?_isa} = %{version}-%{release} Conflicts: libcurl RemovePathPostfixes: .minimal +# libnsspem.so is no longer included in the nss package (#1347336) +Requires: nss-pem%{?_isa} + %description -n libcurl-minimal This is a replacement of the 'libcurl' package for minimal installations. It comes with a limited set of features compared to the 'libcurl' package. On the @@ -180,7 +182,7 @@ export common_configure_opts=" \ --enable-threaded-resolver \ --with-gssapi \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" + --without-ssl --with-nss --without-ca-bundle" %global _configure ../configure @@ -302,6 +304,9 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal %changelog +* Thu Jun 29 2017 Kamil Dudka 7.54.1-2.1 +- switch the TLS backend back to NSS (#1445153) + * Mon Jun 19 2017 Kamil Dudka 7.54.1-2 - enforce versioned openssl-libs dependency for libcurl (#1462184) From 055aeffd0bc7facc96c109ec2099b759fd4dfff1 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 18 Aug 2017 16:07:18 +0200 Subject: [PATCH 2/4] test1451: disable valgrind I was not able to find a bug in smb.c, neither prove that it is a false positive of valgrind. Not that I spent too much time digging it though. ==23721== Syscall param socketcall.sendto(msg) points to uninitialised byte(s) ==23721== at 0x62F3A4D: send (send.c:26) ==23721== by 0x4E5292C: Curl_send_plain (sendf.c:371) ==23721== by 0x4E52202: Curl_write (sendf.c:328) ==23721== by 0x4E95446: smb_send (smb.c:376) ==23721== by 0x4E95446: smb_send_message (smb.c:423) ==23721== by 0x4E95F3A: smb_send_setup (smb.c:479) ==23721== by 0x4E9610B: smb_connection_state (smb.c:690) ==23721== by 0x4E74AED: multi_runsingle (multi.c:1622) ==23721== by 0x4E75CD0: curl_multi_perform (multi.c:2160) ==23721== by 0x4E6BEAC: easy_transfer (easy.c:708) ==23721== by 0x4E6BEAC: easy_perform (easy.c:794) ==23721== by 0x4E6BEAC: curl_easy_perform (easy.c:813) ==23721== by 0x11CF7F: operate_do (tool_operate.c:1563) ==23721== by 0x11D809: operate (tool_operate.c:2064) ==23721== by 0x111099: main (tool_main.c:252) ==23721== Address 0xa28fb21 is 2,993 bytes inside a block of size 20,840 alloc'd ==23721== at 0x4C2FA50: calloc (vg_replace_malloc.c:711) ==23721== by 0x4E59FCE: Curl_open (url.c:647) ==23721== by 0x4E6BC43: curl_easy_init (easy.c:359) ==23721== by 0x111061: main_init (tool_main.c:153) ==23721== by 0x111061: main (tool_main.c:249) --- 0103-curl-7.55.0-valgrind.patch | 51 +++++++++++++++++++++++++++++++++ curl.spec | 5 ++++ 2 files changed, 56 insertions(+) create mode 100644 0103-curl-7.55.0-valgrind.patch diff --git a/0103-curl-7.55.0-valgrind.patch b/0103-curl-7.55.0-valgrind.patch new file mode 100644 index 0000000..b40ccbb --- /dev/null +++ b/0103-curl-7.55.0-valgrind.patch @@ -0,0 +1,51 @@ +From c31ac3904e2fd8f5e8bccf057b0fc349f3aa294b Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 18 Aug 2017 15:57:31 +0200 +Subject: [PATCH] test1451: disable valgrind + +I was not able to find a bug in smb.c, neither prove that it is a false +positive of valgrind. Not that I spent too much time digging it though. + +==23721== Syscall param socketcall.sendto(msg) points to uninitialised byte(s) +==23721== at 0x62F3A4D: send (send.c:26) +==23721== by 0x4E5292C: Curl_send_plain (sendf.c:371) +==23721== by 0x4E52202: Curl_write (sendf.c:328) +==23721== by 0x4E95446: smb_send (smb.c:376) +==23721== by 0x4E95446: smb_send_message (smb.c:423) +==23721== by 0x4E95F3A: smb_send_setup (smb.c:479) +==23721== by 0x4E9610B: smb_connection_state (smb.c:690) +==23721== by 0x4E74AED: multi_runsingle (multi.c:1622) +==23721== by 0x4E75CD0: curl_multi_perform (multi.c:2160) +==23721== by 0x4E6BEAC: easy_transfer (easy.c:708) +==23721== by 0x4E6BEAC: easy_perform (easy.c:794) +==23721== by 0x4E6BEAC: curl_easy_perform (easy.c:813) +==23721== by 0x11CF7F: operate_do (tool_operate.c:1563) +==23721== by 0x11D809: operate (tool_operate.c:2064) +==23721== by 0x111099: main (tool_main.c:252) +==23721== Address 0xa28fb21 is 2,993 bytes inside a block of size 20,840 alloc'd +==23721== at 0x4C2FA50: calloc (vg_replace_malloc.c:711) +==23721== by 0x4E59FCE: Curl_open (url.c:647) +==23721== by 0x4E6BC43: curl_easy_init (easy.c:359) +==23721== by 0x111061: main_init (tool_main.c:153) +==23721== by 0x111061: main (tool_main.c:249) +--- + tests/data/test1451 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/data/test1451 b/tests/data/test1451 +index 0c114e1..7e796a1 100644 +--- a/tests/data/test1451 ++++ b/tests/data/test1451 +@@ -31,6 +31,9 @@ Basic SMB request + # + # Verify data after the test has been "shot" + ++ ++disable ++ + Basic SMB test complete + + +-- +2.9.5 + diff --git a/curl.spec b/curl.spec index 3b491a0..f3fdce3 100644 --- a/curl.spec +++ b/curl.spec @@ -15,6 +15,9 @@ Patch101: 0101-curl-7.32.0-multilib.patch # prevent configure script from discarding -g in CFLAGS (#496778) Patch102: 0102-curl-7.36.0-debug.patch +# test1451: disable valgrind +Patch103: 0103-curl-7.55.0-valgrind.patch + # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch @@ -159,6 +162,7 @@ be installed. # Fedora patches %patch101 -p1 %patch102 -p1 +%patch103 -p1 %patch104 -p1 # regenerate Makefile.in files @@ -228,6 +232,7 @@ make %{?_smp_mflags} V=1 -C build-full %check # we have to override LD_LIBRARY_PATH because we eliminated rpath +#LD_LIBRARY_PATH="$(dirname $(realpath $(find build-full -name \*.so)))" LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" export LD_LIBRARY_PATH From e30c7b58d7cd6a8ab65bc95d98e6307cf124ef2e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 27 Jun 2018 12:34:42 +0200 Subject: [PATCH 3/4] sync with master --- ...typo-in-recursive-callback-detection.patch | 29 ------------------- 0102-curl-7.36.0-debug.patch | 2 +- 0103-curl-7.59.0-python3.patch | 2 +- curl-7.59.0.tar.xz.asc | 11 ------- curl-7.60.0.tar.xz.asc | 11 +++++++ curl.spec | 15 +++++----- sources | 2 +- 7 files changed, 22 insertions(+), 50 deletions(-) delete mode 100644 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch delete mode 100644 curl-7.59.0.tar.xz.asc create mode 100644 curl-7.60.0.tar.xz.asc diff --git a/0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch b/0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch deleted file mode 100644 index 224630c..0000000 --- a/0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 1b02cb2b51148915b2ba025bb262ef34f369fa4b Mon Sep 17 00:00:00 2001 -From: dasimx -Date: Wed, 14 Mar 2018 11:02:05 +0100 -Subject: [PATCH] FTP: fix typo in recursive callback detection for seeking - -Fixes #2380 - -Upstream-commit: 920f73a6906dce87c6ee87c32b109a287189965d -Signed-off-by: Kamil Dudka ---- - lib/ftp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/ftp.c b/lib/ftp.c -index e2cc38b..0cc583b 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -1621,7 +1621,7 @@ static CURLcode ftp_state_ul_setup(struct connectdata *conn, - Curl_set_in_callback(data, true); - seekerr = conn->seek_func(conn->seek_client, data->state.resume_from, - SEEK_SET); -- Curl_set_in_callback(data, true); -+ Curl_set_in_callback(data, false); - } - - if(seekerr != CURL_SEEKFUNC_OK) { --- -2.14.3 - diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index 13f07df..95670f0 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16524,18 +16524,11 @@ $as_echo "yes" >&6; } +@@ -16537,18 +16537,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0103-curl-7.59.0-python3.patch b/0103-curl-7.59.0-python3.patch index 8a39f85..dd10986 100644 --- a/0103-curl-7.59.0-python3.patch +++ b/0103-curl-7.59.0-python3.patch @@ -32,7 +32,7 @@ diff --git a/tests/runtests.pl b/tests/runtests.pl index d6aa5ca..4d395ef 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl -@@ -1437,7 +1437,7 @@ sub runhttpserver { +@@ -1438,7 +1438,7 @@ sub runhttpserver { elsif($alt eq "pipe") { # basically the same, but another ID $idnum = 3; diff --git a/curl-7.59.0.tar.xz.asc b/curl-7.59.0.tar.xz.asc deleted file mode 100644 index e74f7b2..0000000 --- a/curl-7.59.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlqoxTwACgkQXMkI/bce -EsJrHQf7B0ik8F5dfGYumYWkXHc9poJU+dJ0o6pwzg4QsP+4mwVTw/gnrXDm1hVk -iFPIAdgTkxiIDZi+6mDfZA9dZ8Aq38XbYjRIwXTW4KrjTtEFQXtwlEClrHrJyXfl -+2YC52BcY0D2JVDqUAB9cVSSgaHHf1jd4h32a8YMrwco4jP5rSxbmZe4psU2m8TC -skaZEoSIRJzg5oV+AgDSQMrq+fLsc5lIDKTl+7v6sjnGlcYeRC1SiBePyrh5g/o5 -w4JJH839MyjrYvi6MyCBHeyCFYDrxKvQw8zRwivfZ1oipM2SaSVq8c60PdR85Zw5 -/SNOU/7Qpvhua0GhAfaI/CTwwewy6w== -=OcVv ------END PGP SIGNATURE----- diff --git a/curl-7.60.0.tar.xz.asc b/curl-7.60.0.tar.xz.asc new file mode 100644 index 0000000..53ca282 --- /dev/null +++ b/curl-7.60.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlr7zUoACgkQXMkI/bce +EsK3jgf7Bvnswxxgq4wQWmqRKQvkN/zkuA2GjSm98M7mizVHl/7/imeqDl7S1vp0 +A6KCI99Epf+2EYgxrEbvZqlSQ6H30eBxOvV2yNwPhrS3UnXwNSJsbFr5bDRE4o8S +upyP/tSgEIGJcpq0bstrD7T/DRZ1yFCLB5rOOJx4lQnPuB3C7GAmuOj1ZtIxWIn+ +D/G+X1+/oZlils2TMI7ryjRuFvOSPHdUNldwtvfaRg0i3tNYnPbWq54lhouSn31H +ft8wNd3nnUpueWCWaKKXo+GBVDemDAMEcDbna+woW5SFLI6ZG/c822ljtld05Dk1 +KmwikC7MREQxkODmC10yrgy9I9akNg== +=f++X +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 44d15f8..6a17268 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.59.0 -Release: 3.1%{?dist} +Version: 7.60.0 +Release: 1.1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# ftp: fix typo in recursive callback detection for seeking -Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -161,7 +158,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -311,9 +307,14 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Wed May 09 2018 Kamil Dudka - 7.59.0-3.1 +* Wed Jun 27 2018 Kamil Dudka - 7.60.0-1.1 - switch the TLS backend back to NSS (#1445153) +* Wed May 16 2018 Kamil Dudka - 7.60.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2018-1000300 - FTP shutdown response buffer overflow + CVE-2018-1000301 - RTSP bad headers buffer over-read + * Thu Mar 15 2018 Kamil Dudka - 7.59.0-3 - make the test-suite use Python 3 diff --git a/sources b/sources index f353b13..4a1cecd 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.59.0.tar.xz) = 6982a5950b564d6b2a4f4b96296b6db3db24a096acc68aa96966821b57f66362f5a69d9f2da762b5d2b1011a4a47478ebacaf05e26604f78bb013098749dd8a6 +SHA512 (curl-7.60.0.tar.xz) = 96a0c32ca846a76bba75e9e560ad4c15df79540992ed1a83713095be94ddba039f289bda9678762fd79fb9691fe810735178fb9dc970c37012dff96b8ce08abf From fc0f22f372443b7b5adcbfd947ac58b34a444f3f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 6 Mar 2019 13:10:10 +0100 Subject: [PATCH 4/4] disable test 308, which does not work well with NSS --- curl.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/curl.spec b/curl.spec index 9e02e79..390f842 100644 --- a/curl.spec +++ b/curl.spec @@ -194,6 +194,9 @@ sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py aclocal -I m4 automake +# disable test 308, which does not work well with NSS +echo 308 >> tests/data/DISABLED + # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 #