From a4ed273b19474e930e1fa605c7ef05a663b9e841 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 27 Jun 2022 12:57:53 +0200 Subject: [PATCH 001/108] new upstream release - 7.84.0 Resolves: CVE-2022-32207 - Unpreserved file permissions Resolves: CVE-2022-32205 - Set-Cookie denial of service Resolves: CVE-2022-32206 - HTTP compression denial of service Resolves: CVE-2022-32208 - FTP-KRB bad message verification --- 0101-curl-7.32.0-multilib.patch | 8 ++++---- curl.spec | 9 ++++++++- sources | 4 ++-- 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 46c8986..63701c1 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -13,7 +13,7 @@ diff --git a/curl-config.in b/curl-config.in index 150004d..95d0759 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -76,7 +76,7 @@ while test $# -gt 0; do +@@ -78,7 +78,7 @@ while test $# -gt 0; do ;; --cc) @@ -22,7 +22,7 @@ index 150004d..95d0759 100644 ;; --prefix) -@@ -155,32 +155,19 @@ while test $# -gt 0; do +@@ -157,32 +157,19 @@ while test $# -gt 0; do ;; --libs) @@ -63,7 +63,7 @@ diff --git a/docs/curl-config.1 b/docs/curl-config.1 index 14a9d2b..ffcc004 100644 --- a/docs/curl-config.1 +++ b/docs/curl-config.1 -@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear +@@ -72,7 +72,9 @@ no, one or several names. If more than one name, they will appear comma-separated. (Added in 7.58.0) .IP "--static-libs" Shows the complete set of libs and other linker options you will need in order @@ -78,7 +78,7 @@ diff --git a/libcurl.pc.in b/libcurl.pc.in index 2ba9c39..f8f8b00 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -29,6 +29,7 @@ libdir=@libdir@ +@@ -31,6 +31,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" diff --git a/curl.spec b/curl.spec index 22bac0a..ec7925b 100644 --- a/curl.spec +++ b/curl.spec 
@@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.83.1 +Version: 7.84.0 Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -411,6 +411,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 27 2022 Kamil Dudka - 7.84.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-32207 - Unpreserved file permissions + CVE-2022-32205 - Set-Cookie denial of service + CVE-2022-32206 - HTTP compression denial of service + CVE-2022-32208 - FTP-KRB bad message verification + * Wed May 11 2022 Kamil Dudka - 7.83.1-1 - new upstream release, which fixes the following vulnerabilities CVE-2022-27782 - fix too eager reuse of TLS and SSH connections diff --git a/sources b/sources index 7de7a70..2bfcb46 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.83.1.tar.xz) = 2f63327d6d3687ba36fb7b8d5d3d15599eca33ebfb08681613612ea9c4b629d3b6ce4d2742fa1ebd7a997ed332001d3a4c798985f9277c83b9e7a9aecdb1b1ee -SHA512 (curl-7.83.1.tar.xz.asc) = f0d29de315488c844eb81ed5a89ed6334910970224c8cac43e7e6f2d58c35ad0064c0b6122e69b3a34ce91f4b56873c63e2e8aea1c602ef40711bfd62a01b191 +SHA512 (curl-7.84.0.tar.xz) = 86231866a35593a1637fbc0c6af3b6761bdfd99fb35580cc52970c36f19604f93dce59fea67a1d5bb4b455f719307599c7916c77d14f2b661f6bf7fb1ca716ce +SHA512 (curl-7.84.0.tar.xz.asc) = 80ff5274277ad97448fa53511bab6e8a1c302bcb25fc0916d78b8dc6c6af43d944c37c4ed46668b651cc639ec4964780725117ca0e85168ea66ad7cc98d29702 From 768ce3965dcc9798e1a7dfd0de756ab159e04988 Mon Sep 17 00:00:00 2001 
From: Kamil Dudka Date: Mon, 27 Jun 2022 17:00:18 +0200 Subject: [PATCH 002/108] test3026: disable valgrind It fails on x86_64 with: ``` Use --max-threads=INT to specify a larger number of threads and rerun valgrind valgrind: the 'impossible' happened: Max number of threads is too low host stacktrace: ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) sched status: running_tid=1 Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 [...] ``` --- 0102-curl-7.84.0-test3026.patch | 55 +++++++++++++++++++++++++++++++++ curl.spec | 4 +++ 2 files changed, 59 insertions(+) create mode 100644 0102-curl-7.84.0-test3026.patch 
diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch
new file mode 100644
index 0000000..d92ed07
--- /dev/null
+++ b/0102-curl-7.84.0-test3026.patch
@@ -0,0 +1,55 @@ +From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 27 Jun 2022 16:50:57 +0200 +Subject: [PATCH] test3026: disable valgrind + +It fails on x86_64 with: +``` + Use --max-threads=INT to specify a larger number of threads + and rerun valgrind + valgrind: the 'impossible' happened: + Max number of threads is too low + host stacktrace: + ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) + sched status: + running_tid=1 + Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) + ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) + ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) + ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) + ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) + ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) + ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) + client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 + valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 +[...] 
+``` +--- + tests/data/test3026 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/data/test3026 b/tests/data/test3026 +index fb80cc8..01f2ba5 100644 +--- a/tests/data/test3026 ++++ b/tests/data/test3026 +@@ -41,5 +41,8 @@ none + + 0 + ++ ++disable ++ + + +-- +2.35.3 + diff --git a/curl.spec b/curl.spec index ec7925b..405068d 100644 --- a/curl.spec +++ b/curl.spec @@ -13,6 +13,9 @@ Source2: mykey.asc # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch +# test3026: disable valgrind +Patch102: 0102-curl-7.84.0-test3026.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -188,6 +191,7 @@ be installed. # Fedora patches %patch101 -p1 +%patch102 -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 From 9ba06cfc6ed6b8057974a597b5f89941dd3ed4ed Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 27 Jun 2022 17:52:30 +0200 Subject: [PATCH 003/108] easy_lock.h: include sched.h if available to fix build --- 0001-curl-7.84.0-sched-yield.patch | 32 ++++++++++++++++++++++++++++++ curl.spec | 4 ++++ 2 files changed, 36 insertions(+) create mode 100644 0001-curl-7.84.0-sched-yield.patch diff --git a/0001-curl-7.84.0-sched-yield.patch b/0001-curl-7.84.0-sched-yield.patch new file mode 100644 index 0000000..104bd8b --- /dev/null +++ b/0001-curl-7.84.0-sched-yield.patch 
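Review bot: The three added lines in tests/data/test3026 (their enclosing tag is not visible in the hunk, presumably `<valgrind>`) switch memcheck off for the test that spawns threads from lib3026.c (`pthread_create` … `lib3026.c:64` in the quoted trace), so that concurrent path is now never exercised under valgrind, while the quoted failure is a valgrind limit rather than a curl bug (`Use --max-threads=INT to specify a larger number of threads`, `Max number of threads is too low`). If runtests.pl can forward extra valgrind options, raising that limit (e.g. `--max-threads=1100`, above the test's thread count) would keep instrumentation on this test; if it cannot, a sentence in the patch description stating that the test itself still runs, only un-instrumented, would record the trade-off. As written, a reader of the spec sees only `# test3026: disable valgrind` and has to dig up this log to learn why coverage was dropped.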
@@ -0,0 +1,32 @@ +From 711902d9e591947d5d8ec9568beab0c7d36b7dd0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 27 Jun 2022 08:46:21 +0200 +Subject: [PATCH] easy_lock.h: include sched.h if available to fix build + +Patched-by: Harry Sintonen + +Closes #9054 + +Upstream-commit: e2e7f54b7bea521fa8373095d0f43261a720cda0 +Signed-off-by: Kamil Dudka +--- + lib/easy_lock.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/easy_lock.h b/lib/easy_lock.h +index 819f50c..1f54289 100644 +--- a/lib/easy_lock.h ++++ b/lib/easy_lock.h +@@ -36,6 +36,9 @@ + + #elif defined (HAVE_ATOMIC) + #include ++#if defined(HAVE_SCHED_YIELD) ++#include ++#endif + + #define curl_simple_lock atomic_bool + #define CURL_SIMPLE_LOCK_INIT false +-- +2.35.3 + diff --git a/curl.spec b/curl.spec index 405068d..f3a2169 100644 --- a/curl.spec +++ b/curl.spec @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# easy_lock.h: include sched.h if available to fix build +Patch1: 0001-curl-7.84.0-sched-yield.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -188,6 +191,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 From f052e58217c1c715344ec5f7e2ab1187fe2c0ec7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 28 Jun 2022 09:04:19 +0200 Subject: [PATCH 004/108] test3026: avoid pthread_create() failure due to resource exhaustion on i386 --- 0102-curl-7.84.0-test3026.patch | 15 +++++++++++++++ curl.spec | 6 ++++++ 2 files changed, 21 insertions(+) diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index d92ed07..e00ef94 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch 
@@ -53,3 +53,18 @@ index fb80cc8..01f2ba5 100644 -- 2.35.3 +diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c +index 43fe335..70cd7a4 100644 +--- a/tests/libtest/lib3026.c ++++ b/tests/libtest/lib3026.c +@@ -63,8 +63,8 @@ int test(char *URL) + for(i = 0; i < tid_count; i++) { + int res = pthread_create(&tids[i], NULL, run_thread, &results[i]); + if(res) { +- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", +- __FILE__, __LINE__, res); ++ fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", ++ __FILE__, __LINE__, i, res); + tid_count = i; + test_failure = -1; + goto cleanup; diff --git a/curl.spec b/curl.spec index f3a2169..b2fd81e 100644 --- a/curl.spec +++ b/curl.spec @@ -227,6 +227,12 @@ printf "702\n703\n716\n" >> tests/data/DISABLED printf "3000\n3001\n" >> tests/data/DISABLED %endif +# test3026: avoid pthread_create() failure due to resource exhaustion on i386 +%ifarch %{ix86} +sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|' \ + -i tests/libtest/lib3026.c +%endif + # adapt test 323 for updated OpenSSL sed -e 's|^35$|35,52|' -i tests/data/test323 From 2fded2f1a8dc6bd3bcf7bdd44135fbd8b4dd8ff5 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 20 Jul 2022 23:54:27 +0000 Subject: [PATCH 005/108] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index b2fd81e..4c1098f 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.84.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc 
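Review bot: The new i386 branch's `sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|'` never checks that the substitution actually happened, so once upstream renames or re-values the macro the edit becomes a silent no-op, the i386 build goes back to 1000 threads, and the failure surfaces late in %check instead of at %prep. The file is clearly moving under this series (later commits re-offset the same lib3026.c hunk from line 63 to 123 to 139), which makes a silent mismatch likely. Add a guard after the sed, `grep -q 'NUM_THREADS 256$' tests/libtest/lib3026.c`, so a non-match aborts %prep instead of passing quietly.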
@@ -425,6 +425,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 20 2022 Fedora Release Engineering - 7.84.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Mon Jun 27 2022 Kamil Dudka - 7.84.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2022-32207 - Unpreserved file permissions From f58874c27163656243fe334ef1d3cb57accff788 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 25 Aug 2022 13:16:44 +0200 Subject: [PATCH 006/108] tests: fix http2 tests to use CRLF headers ... to make it work with nghttp2-1.49.0 --- 0002-curl-7.84.0-tests-http2.patch | 156 +++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 164 insertions(+), 1 deletion(-) create mode 100644 0002-curl-7.84.0-tests-http2.patch diff --git a/0002-curl-7.84.0-tests-http2.patch b/0002-curl-7.84.0-tests-http2.patch new file mode 100644 index 0000000..a6b9b62 --- /dev/null +++ b/0002-curl-7.84.0-tests-http2.patch 
@@ -0,0 +1,156 @@ +From 221905eca9fb4b82822b6a14ef6d82c98c5702d9 Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Thu, 25 Aug 2022 03:46:42 -0400 +Subject: [PATCH] tests: fix http2 tests to use CRLF headers + +Prior to this change some tests that rely on nghttpx proxy did not use +CRLF headers everywhere. Recent changes in nghttp2 (??? ref here) +requires curl's HTTP/1.1 test server to use CRLF headers. + +Fixes https://github.com/curl/curl/issues/9364 +Closes https://github.com/curl/curl/pull/9365 +--- + tests/data/test1700 | 34 +++++++++++++++++----------------- + tests/data/test1701 | 22 +++++++++++----------- + tests/data/test358 | 16 ++++++++-------- + tests/data/test359 | 16 ++++++++-------- + 4 files changed, 44 insertions(+), 44 deletions(-) + +diff --git a/tests/data/test1700 b/tests/data/test1700 +index 8b1ef4ae3..7f78bcf5f 100644 +--- a/tests/data/test1700 ++++ b/tests/data/test1700 +@@ -11,26 +11,26 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ + -foo- + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++ + -maa- + + +diff --git a/tests/data/test1701 b/tests/data/test1701 +index 3c1a2bd0b..22f6147d0 100644 +--- a/tests/data/test1701 ++++ b/tests/data/test1701 +@@ -11,17 +11,17 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 
09 Nov 2010 14:49:00 GMT +-Server: test-server/fake +-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT +-ETag: "21025-dc7-39462498" +-Accept-Ranges: bytes +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ + -foo- + + +diff --git a/tests/data/test358 b/tests/data/test358 +index 8b4f66062..0f8a9801b 100644 +--- a/tests/data/test358 ++++ b/tests/data/test358 +@@ -12,14 +12,14 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 ++ + -foo- + + +diff --git a/tests/data/test359 b/tests/data/test359 +index a5ba4e3ae..0e684e39e 100644 +--- a/tests/data/test359 ++++ b/tests/data/test359 +@@ -12,14 +12,14 @@ HTTP/2 + # Server-side + + +-HTTP/1.1 200 OK +-Date: Tue, 09 Nov 2010 14:49:00 GMT +-Content-Length: 6 +-Connection: close +-Content-Type: text/html +-Funny-head: yesyes +-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 +- ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 ++ + -foo- + + +-- +2.37.1 + diff --git a/curl.spec b/curl.spec index 4c1098f..ac30fa7 100644 --- a/curl.spec +++ b/curl.spec 
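Review bot: Every changed pair in 0002-curl-7.84.0-tests-http2.patch differs only by a trailing CR byte that is invisible in the hunk, so nothing in the build would notice if the file were re-saved by an editor or a git line-ending setting that strips them: the patch would still apply cleanly, the test data would stay LF-only, and the nghttp2-1.49.0 failure it targets would be back. A comment beside the Patch2 entry, `# NOTE: this patch adds literal CR bytes at line ends; do not re-save it with a tool that normalizes line endings`, plus a quick `grep -c $'\r' 0002-curl-7.84.0-tests-http2.patch` during review, would make that hidden dependency explicit. The nested upstream message also still carries the placeholder `(??? ref here)` for the nghttp2 change; if the reference is known, recording it in the spec comment would spare the next rebase a search.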
@@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.84.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -13,6 +13,9 @@ Source2: mykey.asc # easy_lock.h: include sched.h if available to fix build Patch1: 0001-curl-7.84.0-sched-yield.patch +# tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 +Patch2: 0002-curl-7.84.0-tests-http2.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -192,6 +195,7 @@ be installed. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -425,6 +429,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Aug 25 2022 Kamil Dudka - 7.84.0-3 +- tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 + * Wed Jul 20 2022 Fedora Release Engineering - 7.84.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From 1322e86ddbb4f74d3ead55fba5c03468288e80f8 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 1 Sep 2022 13:38:12 +0200 Subject: [PATCH 007/108] new upstream release - 7.85.0 Resolves: CVE-2022-35252 - control code in cookie denial of service --- 0001-curl-7.84.0-sched-yield.patch | 32 ------ 0002-curl-7.84.0-tests-http2.patch | 156 ----------------------------- 0101-curl-7.32.0-multilib.patch | 2 +- 0102-curl-7.84.0-test3026.patch | 17 ++-- curl.spec | 16 ++- sources | 4 +- 6 files changed, 18 insertions(+), 209 deletions(-) delete mode 100644 0001-curl-7.84.0-sched-yield.patch delete mode 100644 0002-curl-7.84.0-tests-http2.patch diff --git a/0001-curl-7.84.0-sched-yield.patch b/0001-curl-7.84.0-sched-yield.patch deleted file mode 100644 index 104bd8b..0000000 --- a/0001-curl-7.84.0-sched-yield.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 711902d9e591947d5d8ec9568beab0c7d36b7dd0 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 27 Jun 2022 08:46:21 +0200 -Subject: [PATCH] easy_lock.h: include sched.h if available to fix build - -Patched-by: Harry Sintonen - -Closes #9054 - -Upstream-commit: e2e7f54b7bea521fa8373095d0f43261a720cda0 -Signed-off-by: Kamil Dudka ---- - lib/easy_lock.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/easy_lock.h b/lib/easy_lock.h -index 819f50c..1f54289 100644 ---- a/lib/easy_lock.h -+++ b/lib/easy_lock.h -@@ -36,6 +36,9 @@ - - #elif defined (HAVE_ATOMIC) - #include -+#if defined(HAVE_SCHED_YIELD) -+#include -+#endif - - #define curl_simple_lock atomic_bool - #define CURL_SIMPLE_LOCK_INIT false --- -2.35.3 - diff --git a/0002-curl-7.84.0-tests-http2.patch b/0002-curl-7.84.0-tests-http2.patch deleted file mode 100644 index a6b9b62..0000000 --- a/0002-curl-7.84.0-tests-http2.patch +++ /dev/null 
@@ -1,156 +0,0 @@ -From 221905eca9fb4b82822b6a14ef6d82c98c5702d9 Mon Sep 17 00:00:00 2001 -From: Jay Satiro -Date: Thu, 25 Aug 2022 03:46:42 -0400 -Subject: [PATCH] tests: fix http2 tests to use CRLF headers - -Prior to this change some tests that rely on nghttpx proxy did not use -CRLF headers everywhere. Recent changes in nghttp2 (??? ref here) -requires curl's HTTP/1.1 test server to use CRLF headers. - -Fixes https://github.com/curl/curl/issues/9364 -Closes https://github.com/curl/curl/pull/9365 ---- - tests/data/test1700 | 34 +++++++++++++++++----------------- - tests/data/test1701 | 22 +++++++++++----------- - tests/data/test358 | 16 ++++++++-------- - tests/data/test359 | 16 ++++++++-------- - 4 files changed, 44 insertions(+), 44 deletions(-) - -diff --git a/tests/data/test1700 b/tests/data/test1700 -index 8b1ef4ae3..7f78bcf5f 100644 ---- a/tests/data/test1700 -+++ b/tests/data/test1700 -@@ -11,26 +11,26 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Server: test-server/fake --Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT --ETag: "21025-dc7-39462498" --Accept-Ranges: bytes --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ - -foo- - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Content-Length: 6 --Connection: close --Content-Type: text/html -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+ - -maa- - - -diff --git a/tests/data/test1701 b/tests/data/test1701 -index 3c1a2bd0b..22f6147d0 100644 ---- a/tests/data/test1701 -+++ b/tests/data/test1701 -@@ -11,17 +11,17 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 
09 Nov 2010 14:49:00 GMT --Server: test-server/fake --Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT --ETag: "21025-dc7-39462498" --Accept-Ranges: bytes --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ - -foo- - - -diff --git a/tests/data/test358 b/tests/data/test358 -index 8b4f66062..0f8a9801b 100644 ---- a/tests/data/test358 -+++ b/tests/data/test358 -@@ -12,14 +12,14 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes --Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -+ - -foo- - - -diff --git a/tests/data/test359 b/tests/data/test359 -index a5ba4e3ae..0e684e39e 100644 ---- a/tests/data/test359 -+++ b/tests/data/test359 -@@ -12,14 +12,14 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes --Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -+ - -foo- - - --- -2.37.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 63701c1..b4f8e2a 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch 
@@ -44,7 +44,7 @@ index 150004d..95d0759 100644 --static-libs) - if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ - else - echo "curl was built with static libraries disabled" >&2 - exit 1 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index e00ef94..8c4ddb5 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -34,8 +34,9 @@ It fails on x86_64 with: [...] ``` --- - tests/data/test3026 | 3 +++ - 1 file changed, 3 insertions(+) + tests/data/test3026 | 3 +++ + tests/libtest/lib3026.c | 4 ++-- + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/data/test3026 b/tests/data/test3026 index fb80cc8..01f2ba5 100644 @@ -50,16 +51,13 @@ index fb80cc8..01f2ba5 100644 + --- -2.35.3 - diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c index 43fe335..70cd7a4 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c -@@ -63,8 +63,8 @@ int test(char *URL) - for(i = 0; i < tid_count; i++) { - int res = pthread_create(&tids[i], NULL, run_thread, &results[i]); +@@ -123,8 +123,8 @@ int test(char *URL) + results[i] = CURL_LAST; /* initialize with invalid value */ + res = pthread_create(&tids[i], NULL, run_thread, &results[i]); if(res) { - fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", - __FILE__, __LINE__, res); @@ -68,3 +66,6 @@ index 43fe335..70cd7a4 100644 tid_count = i; test_failure = -1; goto cleanup; +-- +2.37.1 + diff --git a/curl.spec b/curl.spec index ac30fa7..3dcf355 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.84.0 -Release: 3%{?dist} +Version: 7.85.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc 
@@ -10,12 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# easy_lock.h: include sched.h if available to fix build -Patch1: 0001-curl-7.84.0-sched-yield.patch - -# tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 -Patch2: 0002-curl-7.84.0-tests-http2.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -194,8 +188,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 # Fedora patches %patch101 -p1 @@ -429,6 +421,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Sep 01 2022 Kamil Dudka - 7.85.0-3 +- new upstream release, which fixes the following vulnerability + CVE-2022-35252 - control code in cookie denial of service + * Thu Aug 25 2022 Kamil Dudka - 7.84.0-3 - tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 diff --git a/sources b/sources index 2bfcb46..3662440 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.84.0.tar.xz) = 86231866a35593a1637fbc0c6af3b6761bdfd99fb35580cc52970c36f19604f93dce59fea67a1d5bb4b455f719307599c7916c77d14f2b661f6bf7fb1ca716ce -SHA512 (curl-7.84.0.tar.xz.asc) = 80ff5274277ad97448fa53511bab6e8a1c302bcb25fc0916d78b8dc6c6af43d944c37c4ed46668b651cc639ec4964780725117ca0e85168ea66ad7cc98d29702 +SHA512 (curl-7.85.0.tar.xz) = b57cc31649a4f47cc4b482f56a85c86c8e8aaeaf01bc1b51b065fdb9145a9092bc52535e52a85a66432eb163605b2edbf5bc5c33ea6e40e50f26a69ad1365cbd +SHA512 (curl-7.85.0.tar.xz.asc) = 7022daf84b330b24112d595edee715cdeb881a4ba8a4fa7eec23aed28292e5d943af778f03aadd036d44d875f9e226096ea142d18afe516b6bdbd475fcd3aca6 From 4bceeec6e16b6b2d8e5c9eb90092aca5a9a2074d Mon Sep 17 00:00:00 2001 
From: Kamil Dudka Date: Wed, 26 Oct 2022 14:16:26 +0200 Subject: [PATCH 008/108] curl.spec: fix the last change log entry --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 3dcf355..6625b13 100644 --- a/curl.spec +++ b/curl.spec @@ -421,7 +421,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Thu Sep 01 2022 Kamil Dudka - 7.85.0-3 +* Thu Sep 01 2022 Kamil Dudka - 7.85.0-1 - new upstream release, which fixes the following vulnerability CVE-2022-35252 - control code in cookie denial of service From 3501daee0ba664ab3667dc0a56560a2a4b4b2113 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 26 Oct 2022 14:24:08 +0200 Subject: [PATCH 009/108] new upstream release - 7.86.0 Resolves: CVE-2022-42916 - HSTS bypass via IDN Resolves: CVE-2022-42915 - HTTP proxy double-free Resolves: CVE-2022-35260 - .netrc parser out-of-bounds access Resolves: CVE-2022-32221 - POST following PUT confusion --- 0102-curl-7.84.0-test3026.patch | 2 +- curl.spec | 9 ++++++++- sources | 4 ++-- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 8c4ddb5..56b10c6 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -55,7 +55,7 @@ diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c index 43fe335..70cd7a4 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c -@@ -123,8 +123,8 @@ int test(char *URL) +@@ -139,8 +139,8 @@ int test(char *URL) results[i] = CURL_LAST; /* initialize with invalid value */ res = pthread_create(&tids[i], NULL, run_thread, &results[i]); if(res) { diff --git a/curl.spec b/curl.spec index 6625b13..3e17984 100644 --- a/curl.spec +++ b/curl.spec 
@@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.85.0 +Version: 7.86.0 Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -421,6 +421,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 26 2022 Kamil Dudka - 7.86.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-42916 - HSTS bypass via IDN + CVE-2022-42915 - HTTP proxy double-free + CVE-2022-35260 - .netrc parser out-of-bounds access + CVE-2022-32221 - POST following PUT confusion + * Thu Sep 01 2022 Kamil Dudka - 7.85.0-1 - new upstream release, which fixes the following vulnerability CVE-2022-35252 - control code in cookie denial of service diff --git a/sources b/sources index 3662440..45ced88 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.85.0.tar.xz) = b57cc31649a4f47cc4b482f56a85c86c8e8aaeaf01bc1b51b065fdb9145a9092bc52535e52a85a66432eb163605b2edbf5bc5c33ea6e40e50f26a69ad1365cbd -SHA512 (curl-7.85.0.tar.xz.asc) = 7022daf84b330b24112d595edee715cdeb881a4ba8a4fa7eec23aed28292e5d943af778f03aadd036d44d875f9e226096ea142d18afe516b6bdbd475fcd3aca6 +SHA512 (curl-7.86.0.tar.xz) = 18e03a3c00f22125e07bddb18becbf5acdca22baeb7b29f45ef189a5c56f95b2d51247813f7a9a90f04eb051739e9aa7d3a1c5be397bae75d763a2b918d1b656 +SHA512 (curl-7.86.0.tar.xz.asc) = 9e97d5f44b3c856f401fe30ba713e1ca1f74edfc693dc42f1ce8e43f9f6dd4bf6998c579bc9c5d0f749f475a7d67d232e92ab6f89b95141acdb53e149f2312f0 From 394bdcb95657341453d63fe508d549572fee9083 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 31 Oct 2022 09:34:58 +0100 Subject: [PATCH 010/108] fix regression in noproxy matching --- 0001-curl-7.86.0-noproxy.patch | 195 +++++++++++++++++++++++++++++++++ curl.spec | 9 +- 2 files changed, 203 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.86.0-noproxy.patch 
diff --git a/0001-curl-7.86.0-noproxy.patch b/0001-curl-7.86.0-noproxy.patch new file mode 100644 index 0000000..c4ba638 --- /dev/null +++ b/0001-curl-7.86.0-noproxy.patch 
@@ -0,0 +1,195 @@ +From b0ff1fd270924c5eaec09687e3d279130123671a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 27 Oct 2022 13:54:27 +0200 +Subject: [PATCH 1/2] noproxy: also match with adjacent comma + +If the host name is an IP address and the noproxy string contained that +IP address with a following comma, it would erroneously not match. + +Extended test 1614 to verify this combo as well. + +Reported-by: Henning Schild + +Fixes #9813 +Closes #9814 + +Upstream-commit: efc286b7a62af0568fdcbf3c68791c9955182128 +Signed-off-by: Kamil Dudka +--- + lib/noproxy.c | 20 ++++++++++++-------- + tests/data/test1614 | 2 +- + tests/unit/unit1614.c | 14 ++++++++++++++ + 3 files changed, 27 insertions(+), 9 deletions(-) + +diff --git a/lib/noproxy.c b/lib/noproxy.c +index 81f1e09..d08a16b 100644 +--- a/lib/noproxy.c ++++ b/lib/noproxy.c +@@ -188,18 +188,22 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) + /* FALLTHROUGH */ + case TYPE_IPV6: { + const char *check = token; +- char *slash = strchr(check, '/'); ++ char *slash; + unsigned int bits = 0; + char checkip[128]; ++ if(tokenlen >= sizeof(checkip)) ++ /* this cannot match */ ++ break; ++ /* copy the check name to a temp buffer */ ++ memcpy(checkip, check, tokenlen); ++ checkip[tokenlen] = 0; ++ check = checkip; ++ ++ slash = strchr(check, '/'); + /* if the slash is part of this token, use it */ +- if(slash && (slash < &check[tokenlen])) { ++ if(slash) { + bits = atoi(slash + 1); +- /* copy the check name to a temp buffer */ +- if(tokenlen >= sizeof(checkip)) +- break; +- memcpy(checkip, check, tokenlen); +- checkip[ slash - check ] = 0; +- check = checkip; ++ *slash = 0; /* null terminate there */ + } + if(type == TYPE_IPV6) + match = Curl_cidr6_match(name, check, bits); +diff --git a/tests/data/test1614 b/tests/data/test1614 +index 4a9d54e..73bdbb4 100644 +--- a/tests/data/test1614 ++++ b/tests/data/test1614 +@@ -16,7 +16,7 @@ unittest + proxy + + +-cidr comparisons ++noproxy and cidr 
comparisons + + + +diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c +index 6028545..c2f563a 100644 +--- a/tests/unit/unit1614.c ++++ b/tests/unit/unit1614.c +@@ -77,6 +77,20 @@ UNITTEST_START + { NULL, NULL, 0, FALSE} /* end marker */ + }; + struct noproxy list[]= { ++ { "127.0.0.1", "127.0.0.1,localhost", TRUE}, ++ { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, ++ { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, ++ { "127.0.0.1", "127.0.0.1/28,localhost,", TRUE}, ++ { "127.0.0.1", "127.0.0.1/31,localhost,", TRUE}, ++ { "127.0.0.1", "localhost,127.0.0.1", TRUE}, ++ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." ++ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." ++ "0.0.1.127.0.0.1.127.0.0." /* 128 bytes "address" */, FALSE}, ++ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." ++ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." ++ "0.0.1.127.0.0.1.127.0.0" /* 127 bytes "address" */, FALSE}, ++ { "localhost", "localhost,127.0.0.1", TRUE}, ++ { "localhost", "127.0.0.1,localhost", TRUE}, + { "foobar", "barfoo", FALSE}, + { "foobar", "foobar", TRUE}, + { "192.168.0.1", "foobar", FALSE}, +-- +2.37.3 + + +From d539fd9f11e2a244dbab6b9171f5a9e5c86cc417 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 28 Oct 2022 10:51:49 +0200 +Subject: [PATCH 2/2] noproxy: fix tail-matching + +Also ignore trailing dots in both host name and comparison pattern. + +Regression in 7.86.0 (from 1e9a538e05c0) + +Extended test 1614 to verify better. 
+ +Reported-by: Henning Schild +Fixes #9821 +Closes #9822 + +Upstream-commit: b830f9ba9e94acf672cd191993ff679fa888838b +Signed-off-by: Kamil Dudka +--- + lib/noproxy.c | 30 +++++++++++++++++++++++------- + tests/unit/unit1614.c | 9 +++++++++ + 2 files changed, 32 insertions(+), 7 deletions(-) + +diff --git a/lib/noproxy.c b/lib/noproxy.c +index d08a16b..01f8f47 100644 +--- a/lib/noproxy.c ++++ b/lib/noproxy.c +@@ -149,9 +149,14 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) + } + else { + unsigned int address; ++ namelen = strlen(name); + if(1 == Curl_inet_pton(AF_INET, name, &address)) + type = TYPE_IPV4; +- namelen = strlen(name); ++ else { ++ /* ignore trailing dots in the host name */ ++ if(name[namelen - 1] == '.') ++ namelen--; ++ } + } + + while(*p) { +@@ -173,12 +178,23 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) + if(tokenlen) { + switch(type) { + case TYPE_HOST: +- if(*token == '.') { +- ++token; +- --tokenlen; +- /* tailmatch */ +- match = (tokenlen <= namelen) && +- strncasecompare(token, name + (namelen - tokenlen), namelen); ++ /* ignore trailing dots in the token to check */ ++ if(token[tokenlen - 1] == '.') ++ tokenlen--; ++ ++ if(tokenlen && (*token == '.')) { ++ /* A: example.com matches '.example.com' ++ B: www.example.com matches '.example.com' ++ C: nonexample.com DOES NOT match '.example.com' ++ */ ++ if((tokenlen - 1) == namelen) ++ /* case A, exact match without leading dot */ ++ match = strncasecompare(token + 1, name, namelen); ++ else if(tokenlen < namelen) ++ /* case B, tailmatch with leading dot */ ++ match = strncasecompare(token, name + (namelen - tokenlen), ++ tokenlen); ++ /* case C passes through, not a match */ + } + else + match = (tokenlen == namelen) && +diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c +index c2f563a..8f62b70 100644 +--- a/tests/unit/unit1614.c ++++ b/tests/unit/unit1614.c +@@ -77,6 +77,15 @@ UNITTEST_START + { NULL, NULL, 0, FALSE} /* end marker */ + }; + 
struct noproxy list[]= { ++ { "www.example.com", "localhost,.example.com,.example.de", TRUE}, ++ { "www.example.com.", "localhost,.example.com,.example.de", TRUE}, ++ { "example.com", "localhost,.example.com,.example.de", TRUE}, ++ { "example.com.", "localhost,.example.com,.example.de", TRUE}, ++ { "www.example.com", "localhost,.example.com.,.example.de", TRUE}, ++ { "www.example.com", "localhost,www.example.com.,.example.de", TRUE}, ++ { "example.com", "localhost,example.com,.example.de", TRUE}, ++ { "example.com.", "localhost,example.com,.example.de", TRUE}, ++ { "www.example.com", "localhost,example.com,.example.de", FALSE}, + { "127.0.0.1", "127.0.0.1,localhost", TRUE}, + { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, + { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index 3e17984..661e4fc 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.86.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# fix regression in noproxy matching +Patch1: 0001-curl-7.86.0-noproxy.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -188,6 +191,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -421,6 +425,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Oct 31 2022 Kamil Dudka - 7.86.0-2 +- fix regression in noproxy matching + * Wed Oct 26 2022 Kamil Dudka - 7.86.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2022-42916 - HSTS bypass via IDN 
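Review bot: In the second nested patch (`noproxy: fix tail-matching`) the added `namelen = strlen(name);` is followed by `if(name[namelen - 1] == '.')` with no check that namelen is non-zero, so an empty host name indexes one byte before the buffer; the token-side check a few lines later is guarded by `if(tokenlen && ...)`, and the same guard belongs here: `if(namelen && name[namelen - 1] == '.')`. Whether the callers or the start of Curl_check_noproxy already reject an empty name cannot be seen from this hunk, since the function begins and ends outside it. Separately, in the first nested patch `bits = atoi(slash + 1);` still stores an unvalidated prefix length into `unsigned int bits`; if Curl_cidr4_match()/Curl_cidr6_match() do not reject values above 32/128 (not visible here), a range check or a comment naming that contract at this point would make it explicit.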
From 7b44e0b7aa4e4876b7462879c701f1973f72f36d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 24 Nov 2022 16:25:47 +0100 Subject: [PATCH 011/108] Related: #2144277 - enforce versioned libnghttp2 dependency for libcurl --- curl.spec | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 661e4fc..dab163e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.86.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -104,6 +104,10 @@ BuildRequires: stunnel # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} +# require at least the version of libnghttp2 that we were built against, +# to ensure that we have the necessary symbols available (#2144277) +%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) @@ -127,6 +131,7 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} 
@@ -172,6 +177,7 @@ be installed. %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl = %{version}-%{release} Provides: libcurl%{?_isa} = %{version}-%{release} @@ -425,6 +431,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 24 2022 Kamil Dudka - 7.86.0-3 +- enforce versioned libnghttp2 dependency for libcurl (#2144277) + * Mon Oct 31 2022 Kamil Dudka - 7.86.0-2 - fix regression in noproxy matching From aa9b0f2a8fba03ad2806790c951b6eea4dc4e803 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 29 Nov 2022 12:07:37 +0100 Subject: [PATCH 012/108] Resolves: #2149224 - noproxy: tailmatch like in 7.85.0 and earlier --- 0001-curl-7.86.0-noproxy.patch | 106 ++++++++++++++++++++++++++++++++- curl.spec | 5 +- 2 files changed, 108 insertions(+), 3 deletions(-) diff --git a/0001-curl-7.86.0-noproxy.patch b/0001-curl-7.86.0-noproxy.patch index c4ba638..8f36502 100644 --- a/0001-curl-7.86.0-noproxy.patch +++ b/0001-curl-7.86.0-noproxy.patch @@ -1,7 +1,7 @@ From b0ff1fd270924c5eaec09687e3d279130123671a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 27 Oct 2022 13:54:27 +0200 -Subject: [PATCH 1/2] noproxy: also match with adjacent comma +Subject: [PATCH 1/3] noproxy: also match with adjacent comma If the host name is an IP address and the noproxy string contained that IP address with a following comma, it would erroneously not match. @@ -101,7 +101,7 @@ index 6028545..c2f563a 100644 From d539fd9f11e2a244dbab6b9171f5a9e5c86cc417 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 28 Oct 2022 10:51:49 +0200 -Subject: [PATCH 2/2] noproxy: fix tail-matching +Subject: [PATCH 2/3] noproxy: fix tail-matching Also ignore trailing dots in both host name and comparison pattern. 
@@ -193,3 +193,105 @@ index c2f563a..8f62b70 100644 -- 2.37.3 + +From 560b593cb9ba261169df5ea18ac8d0c188e239cd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 6 Nov 2022 23:19:51 +0100 +Subject: [PATCH 3/3] noproxy: tailmatch like in 7.85.0 and earlier + +A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work +differently than before. This restores the logic to how it used to work: + +All names listed in NO_PROXY are tailmatched against the used domain +name, if the lengths are identical it needs a full match. + +Update the docs, update test 1614. + +Reported-by: Stuart Henderson +Fixes #9842 +Closes #9858 + +Upstream-commit: b1953c1933b369b1217ef0f16053e26da63488c3 +Signed-off-by: Kamil Dudka +--- + docs/libcurl/opts/CURLOPT_NOPROXY.3 | 4 ---- + lib/noproxy.c | 32 +++++++++++++++-------------- + tests/unit/unit1614.c | 3 ++- + 3 files changed, 19 insertions(+), 20 deletions(-) + +diff --git a/docs/libcurl/opts/CURLOPT_NOPROXY.3 b/docs/libcurl/opts/CURLOPT_NOPROXY.3 +index 149eaac..98c7920 100644 +--- a/docs/libcurl/opts/CURLOPT_NOPROXY.3 ++++ b/docs/libcurl/opts/CURLOPT_NOPROXY.3 +@@ -41,10 +41,6 @@ list is matched as either a domain which contains the hostname, or the + hostname itself. For example, "ample.com" would match ample.com, ample.com:80, + and www.ample.com, but not www.example.com or ample.com.org. + +-If the name in the \fInoproxy\fP list has a leading period, it is a domain +-match against the provided host name. This way ".example.com" will switch off +-proxy use for both "www.example.com" as well as for "foo.example.com". +- + Setting the \fInoproxy\fP string to "" (an empty string) will explicitly + enable the proxy for all host names, even if there is an environment variable + set for it. 
+diff --git a/lib/noproxy.c b/lib/noproxy.c +index 01f8f47..31d1ca7 100644 +--- a/lib/noproxy.c ++++ b/lib/noproxy.c +@@ -183,22 +183,24 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) + tokenlen--; + + if(tokenlen && (*token == '.')) { +- /* A: example.com matches '.example.com' +- B: www.example.com matches '.example.com' +- C: nonexample.com DOES NOT match '.example.com' +- */ +- if((tokenlen - 1) == namelen) +- /* case A, exact match without leading dot */ +- match = strncasecompare(token + 1, name, namelen); +- else if(tokenlen < namelen) +- /* case B, tailmatch with leading dot */ +- match = strncasecompare(token, name + (namelen - tokenlen), +- tokenlen); +- /* case C passes through, not a match */ ++ /* ignore leading token dot as well */ ++ token++; ++ tokenlen--; + } +- else +- match = (tokenlen == namelen) && +- strncasecompare(token, name, namelen); ++ /* A: example.com matches 'example.com' ++ B: www.example.com matches 'example.com' ++ C: nonexample.com DOES NOT match 'example.com' ++ */ ++ if(tokenlen == namelen) ++ /* case A, exact match */ ++ match = strncasecompare(token, name, namelen); ++ else if(tokenlen < namelen) { ++ /* case B, tailmatch domain */ ++ match = (name[namelen - tokenlen - 1] == '.') && ++ strncasecompare(token, name + (namelen - tokenlen), ++ tokenlen); ++ } ++ /* case C passes through, not a match */ + break; + case TYPE_IPV4: + /* FALLTHROUGH */ +diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c +index 8f62b70..523d102 100644 +--- a/tests/unit/unit1614.c ++++ b/tests/unit/unit1614.c +@@ -85,7 +85,8 @@ UNITTEST_START + { "www.example.com", "localhost,www.example.com.,.example.de", TRUE}, + { "example.com", "localhost,example.com,.example.de", TRUE}, + { "example.com.", "localhost,example.com,.example.de", TRUE}, +- { "www.example.com", "localhost,example.com,.example.de", FALSE}, ++ { "nexample.com", "localhost,example.com,.example.de", FALSE}, ++ { "www.example.com", 
"localhost,example.com,.example.de", TRUE}, + { "127.0.0.1", "127.0.0.1,localhost", TRUE}, + { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, + { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, +-- +2.37.3 + diff --git a/curl.spec b/curl.spec index dab163e..68bd41e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.86.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -431,6 +431,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Nov 29 2022 Kamil Dudka - 7.86.0-4 +- noproxy: tailmatch like in 7.85.0 and earlier (#2149224) + * Thu Nov 24 2022 Kamil Dudka - 7.86.0-3 - enforce versioned libnghttp2 dependency for libcurl (#2144277) From 60cc0c557430b240f7fb79d33ed6bd932db63b36 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 21 Dec 2022 13:48:45 +0100 Subject: [PATCH 013/108] new upstream release - 7.87.0 Resolves: CVE-2022-43552 - HTTP Proxy deny use-after-free Resolves: CVE-2022-43551 - Another HSTS bypass via IDN --- 0001-curl-7.86.0-noproxy.patch | 297 -------------------------------- 0102-curl-7.84.0-test3026.patch | 2 +- curl.spec | 13 +- sources | 4 +- 4 files changed, 10 insertions(+), 306 deletions(-) delete mode 100644 0001-curl-7.86.0-noproxy.patch diff --git a/0001-curl-7.86.0-noproxy.patch b/0001-curl-7.86.0-noproxy.patch deleted file mode 100644 index 8f36502..0000000 --- a/0001-curl-7.86.0-noproxy.patch +++ /dev/null 
@@ -1,297 +0,0 @@ -From b0ff1fd270924c5eaec09687e3d279130123671a Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 27 Oct 2022 13:54:27 +0200 -Subject: [PATCH 1/3] noproxy: also match with adjacent comma - -If the host name is an IP address and the noproxy string contained that -IP address with a following comma, it would erroneously not match. - -Extended test 1614 to verify this combo as well. - -Reported-by: Henning Schild - -Fixes #9813 -Closes #9814 - -Upstream-commit: efc286b7a62af0568fdcbf3c68791c9955182128 -Signed-off-by: Kamil Dudka ---- - lib/noproxy.c | 20 ++++++++++++-------- - tests/data/test1614 | 2 +- - tests/unit/unit1614.c | 14 ++++++++++++++ - 3 files changed, 27 insertions(+), 9 deletions(-) - -diff --git a/lib/noproxy.c b/lib/noproxy.c -index 81f1e09..d08a16b 100644 ---- a/lib/noproxy.c -+++ b/lib/noproxy.c -@@ -188,18 +188,22 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - /* FALLTHROUGH */ - case TYPE_IPV6: { - const char *check = token; -- char *slash = strchr(check, '/'); -+ char *slash; - unsigned int bits = 0; - char checkip[128]; -+ if(tokenlen >= sizeof(checkip)) -+ /* this cannot match */ -+ break; -+ /* copy the check name to a temp buffer */ -+ memcpy(checkip, check, tokenlen); -+ checkip[tokenlen] = 0; -+ check = checkip; -+ -+ slash = strchr(check, '/'); - /* if the slash is part of this token, use it */ -- if(slash && (slash < &check[tokenlen])) { -+ if(slash) { - bits = atoi(slash + 1); -- /* copy the check name to a temp buffer */ -- if(tokenlen >= sizeof(checkip)) -- break; -- memcpy(checkip, check, tokenlen); -- checkip[ slash - check ] = 0; -- check = checkip; -+ *slash = 0; /* null terminate there */ - } - if(type == TYPE_IPV6) - match = Curl_cidr6_match(name, check, bits); -diff --git a/tests/data/test1614 b/tests/data/test1614 -index 4a9d54e..73bdbb4 100644 ---- a/tests/data/test1614 -+++ b/tests/data/test1614 -@@ -16,7 +16,7 @@ unittest - proxy - - --cidr comparisons -+noproxy and cidr 
comparisons - - - -diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c -index 6028545..c2f563a 100644 ---- a/tests/unit/unit1614.c -+++ b/tests/unit/unit1614.c -@@ -77,6 +77,20 @@ UNITTEST_START - { NULL, NULL, 0, FALSE} /* end marker */ - }; - struct noproxy list[]= { -+ { "127.0.0.1", "127.0.0.1,localhost", TRUE}, -+ { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, -+ { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, -+ { "127.0.0.1", "127.0.0.1/28,localhost,", TRUE}, -+ { "127.0.0.1", "127.0.0.1/31,localhost,", TRUE}, -+ { "127.0.0.1", "localhost,127.0.0.1", TRUE}, -+ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." -+ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." -+ "0.0.1.127.0.0.1.127.0.0." /* 128 bytes "address" */, FALSE}, -+ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1." -+ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127." -+ "0.0.1.127.0.0.1.127.0.0" /* 127 bytes "address" */, FALSE}, -+ { "localhost", "localhost,127.0.0.1", TRUE}, -+ { "localhost", "127.0.0.1,localhost", TRUE}, - { "foobar", "barfoo", FALSE}, - { "foobar", "foobar", TRUE}, - { "192.168.0.1", "foobar", FALSE}, --- -2.37.3 - - -From d539fd9f11e2a244dbab6b9171f5a9e5c86cc417 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 28 Oct 2022 10:51:49 +0200 -Subject: [PATCH 2/3] noproxy: fix tail-matching - -Also ignore trailing dots in both host name and comparison pattern. - -Regression in 7.86.0 (from 1e9a538e05c0) - -Extended test 1614 to verify better. 
- -Reported-by: Henning Schild -Fixes #9821 -Closes #9822 - -Upstream-commit: b830f9ba9e94acf672cd191993ff679fa888838b -Signed-off-by: Kamil Dudka ---- - lib/noproxy.c | 30 +++++++++++++++++++++++------- - tests/unit/unit1614.c | 9 +++++++++ - 2 files changed, 32 insertions(+), 7 deletions(-) - -diff --git a/lib/noproxy.c b/lib/noproxy.c -index d08a16b..01f8f47 100644 ---- a/lib/noproxy.c -+++ b/lib/noproxy.c -@@ -149,9 +149,14 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - } - else { - unsigned int address; -+ namelen = strlen(name); - if(1 == Curl_inet_pton(AF_INET, name, &address)) - type = TYPE_IPV4; -- namelen = strlen(name); -+ else { -+ /* ignore trailing dots in the host name */ -+ if(name[namelen - 1] == '.') -+ namelen--; -+ } - } - - while(*p) { -@@ -173,12 +178,23 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - if(tokenlen) { - switch(type) { - case TYPE_HOST: -- if(*token == '.') { -- ++token; -- --tokenlen; -- /* tailmatch */ -- match = (tokenlen <= namelen) && -- strncasecompare(token, name + (namelen - tokenlen), namelen); -+ /* ignore trailing dots in the token to check */ -+ if(token[tokenlen - 1] == '.') -+ tokenlen--; -+ -+ if(tokenlen && (*token == '.')) { -+ /* A: example.com matches '.example.com' -+ B: www.example.com matches '.example.com' -+ C: nonexample.com DOES NOT match '.example.com' -+ */ -+ if((tokenlen - 1) == namelen) -+ /* case A, exact match without leading dot */ -+ match = strncasecompare(token + 1, name, namelen); -+ else if(tokenlen < namelen) -+ /* case B, tailmatch with leading dot */ -+ match = strncasecompare(token, name + (namelen - tokenlen), -+ tokenlen); -+ /* case C passes through, not a match */ - } - else - match = (tokenlen == namelen) && -diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c -index c2f563a..8f62b70 100644 ---- a/tests/unit/unit1614.c -+++ b/tests/unit/unit1614.c -@@ -77,6 +77,15 @@ UNITTEST_START - { NULL, NULL, 0, FALSE} /* end marker */ - }; - 
struct noproxy list[]= { -+ { "www.example.com", "localhost,.example.com,.example.de", TRUE}, -+ { "www.example.com.", "localhost,.example.com,.example.de", TRUE}, -+ { "example.com", "localhost,.example.com,.example.de", TRUE}, -+ { "example.com.", "localhost,.example.com,.example.de", TRUE}, -+ { "www.example.com", "localhost,.example.com.,.example.de", TRUE}, -+ { "www.example.com", "localhost,www.example.com.,.example.de", TRUE}, -+ { "example.com", "localhost,example.com,.example.de", TRUE}, -+ { "example.com.", "localhost,example.com,.example.de", TRUE}, -+ { "www.example.com", "localhost,example.com,.example.de", FALSE}, - { "127.0.0.1", "127.0.0.1,localhost", TRUE}, - { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, - { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, --- -2.37.3 - - -From 560b593cb9ba261169df5ea18ac8d0c188e239cd Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sun, 6 Nov 2022 23:19:51 +0100 -Subject: [PATCH 3/3] noproxy: tailmatch like in 7.85.0 and earlier - -A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work -differently than before. This restores the logic to how it used to work: - -All names listed in NO_PROXY are tailmatched against the used domain -name, if the lengths are identical it needs a full match. - -Update the docs, update test 1614. - -Reported-by: Stuart Henderson -Fixes #9842 -Closes #9858 - -Upstream-commit: b1953c1933b369b1217ef0f16053e26da63488c3 -Signed-off-by: Kamil Dudka ---- - docs/libcurl/opts/CURLOPT_NOPROXY.3 | 4 ---- - lib/noproxy.c | 32 +++++++++++++++-------------- - tests/unit/unit1614.c | 3 ++- - 3 files changed, 19 insertions(+), 20 deletions(-) - -diff --git a/docs/libcurl/opts/CURLOPT_NOPROXY.3 b/docs/libcurl/opts/CURLOPT_NOPROXY.3 -index 149eaac..98c7920 100644 ---- a/docs/libcurl/opts/CURLOPT_NOPROXY.3 -+++ b/docs/libcurl/opts/CURLOPT_NOPROXY.3 -@@ -41,10 +41,6 @@ list is matched as either a domain which contains the hostname, or the - hostname itself. 
For example, "ample.com" would match ample.com, ample.com:80, - and www.ample.com, but not www.example.com or ample.com.org. - --If the name in the \fInoproxy\fP list has a leading period, it is a domain --match against the provided host name. This way ".example.com" will switch off --proxy use for both "www.example.com" as well as for "foo.example.com". -- - Setting the \fInoproxy\fP string to "" (an empty string) will explicitly - enable the proxy for all host names, even if there is an environment variable - set for it. -diff --git a/lib/noproxy.c b/lib/noproxy.c -index 01f8f47..31d1ca7 100644 ---- a/lib/noproxy.c -+++ b/lib/noproxy.c -@@ -183,22 +183,24 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) - tokenlen--; - - if(tokenlen && (*token == '.')) { -- /* A: example.com matches '.example.com' -- B: www.example.com matches '.example.com' -- C: nonexample.com DOES NOT match '.example.com' -- */ -- if((tokenlen - 1) == namelen) -- /* case A, exact match without leading dot */ -- match = strncasecompare(token + 1, name, namelen); -- else if(tokenlen < namelen) -- /* case B, tailmatch with leading dot */ -- match = strncasecompare(token, name + (namelen - tokenlen), -- tokenlen); -- /* case C passes through, not a match */ -+ /* ignore leading token dot as well */ -+ token++; -+ tokenlen--; - } -- else -- match = (tokenlen == namelen) && -- strncasecompare(token, name, namelen); -+ /* A: example.com matches 'example.com' -+ B: www.example.com matches 'example.com' -+ C: nonexample.com DOES NOT match 'example.com' -+ */ -+ if(tokenlen == namelen) -+ /* case A, exact match */ -+ match = strncasecompare(token, name, namelen); -+ else if(tokenlen < namelen) { -+ /* case B, tailmatch domain */ -+ match = (name[namelen - tokenlen - 1] == '.') && -+ strncasecompare(token, name + (namelen - tokenlen), -+ tokenlen); -+ } -+ /* case C passes through, not a match */ - break; - case TYPE_IPV4: - /* FALLTHROUGH */ -diff --git a/tests/unit/unit1614.c 
b/tests/unit/unit1614.c -index 8f62b70..523d102 100644 ---- a/tests/unit/unit1614.c -+++ b/tests/unit/unit1614.c -@@ -85,7 +85,8 @@ UNITTEST_START - { "www.example.com", "localhost,www.example.com.,.example.de", TRUE}, - { "example.com", "localhost,example.com,.example.de", TRUE}, - { "example.com.", "localhost,example.com,.example.de", TRUE}, -- { "www.example.com", "localhost,example.com,.example.de", FALSE}, -+ { "nexample.com", "localhost,example.com,.example.de", FALSE}, -+ { "www.example.com", "localhost,example.com,.example.de", TRUE}, - { "127.0.0.1", "127.0.0.1,localhost", TRUE}, - { "127.0.0.1", "127.0.0.1,localhost,", TRUE}, - { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE}, --- -2.37.3 - diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 56b10c6..1098583 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -55,7 +55,7 @@ diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c index 43fe335..70cd7a4 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c -@@ -139,8 +139,8 @@ int test(char *URL) +@@ -147,8 +147,8 @@ int test(char *URL) results[i] = CURL_LAST; /* initialize with invalid value */ res = pthread_create(&tids[i], NULL, run_thread, &results[i]); if(res) { diff --git a/curl.spec b/curl.spec index 68bd41e..76374f2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.86.0 -Release: 4%{?dist} +Version: 7.87.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc 
@@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix regression in noproxy matching -Patch1: 0001-curl-7.86.0-noproxy.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -197,7 +194,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -431,6 +427,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 21 2022 Kamil Dudka - 7.87.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-43552 - HTTP Proxy deny use-after-free + CVE-2022-43551 - Another HSTS bypass via IDN + * Tue Nov 29 2022 Kamil Dudka - 7.86.0-4 - noproxy: tailmatch like in 7.85.0 and earlier (#2149224) diff --git a/sources b/sources index 45ced88..7906eb7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.86.0.tar.xz) = 18e03a3c00f22125e07bddb18becbf5acdca22baeb7b29f45ef189a5c56f95b2d51247813f7a9a90f04eb051739e9aa7d3a1c5be397bae75d763a2b918d1b656 -SHA512 (curl-7.86.0.tar.xz.asc) = 9e97d5f44b3c856f401fe30ba713e1ca1f74edfc693dc42f1ce8e43f9f6dd4bf6998c579bc9c5d0f749f475a7d67d232e92ab6f89b95141acdb53e149f2312f0 +SHA512 (curl-7.87.0.tar.xz) = aa125991592667280dce3788aabe81487cf8c55b0afc59d675cc30b76055bb7114f5380b4a0e3b6461a8f81bf9812fa26d493a85f7e01d84263d484a0d699ee7 +SHA512 (curl-7.87.0.tar.xz.asc) = 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4 From 0d0fa259a721a1e599468c9c344176eac4099656 Mon Sep 17 00:00:00 2001 
From: Kamil Dudka Date: Wed, 21 Dec 2022 16:42:54 +0100 Subject: [PATCH 014/108] do not use stunnnel for testing on aarch64 The test 1561 intermittently fails when upstream test-suite runs for the second time during the build: ``` [ ] Initializing inetd mode configuration [ ] Clients allowed=500 [.] stunnel 5.66 on aarch64-redhat-linux-gnu platform [.] Compiled/running with OpenSSL 3.0.5 5 Jul 2022 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI [ ] errno: (*__errno_location ()) [ ] Initializing inetd mode configuration [.] Reading configuration from file /builddir/build/BUILD/curl-7.87.0/build-full/tests/https_stunnel.conf [.] UTF-8 byte order mark not detected [.] FIPS mode disabled [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [curltest] [ ] Using the default TLS version as specified in OpenSSL crypto policies. Not setting explicitly. [ ] Using the default TLS version as specified in OpenSSL crypto policies. Not setting explicitly [ ] stunnel default security level set: 2 [ ] Ciphers: PROFILE=SYSTEM [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 [ ] TLS options: 0x2100000 (+0x0, -0x0) [ ] Session resumption enabled [ ] Loading certificate from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem [ ] Certificate loaded from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem [ ] Loading private key from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem [ ] Private key loaded from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem [ ] Private key check succeeded [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 [ ] DH initialization [ ] Could not load DH parameters from /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem [ ] Using dynamic DH parameters [ ] ECDH initialization [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 [.] 
Configuration successful [ ] Deallocating deployed section defaults [ ] Binding service [curltest] [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to 0.0.0.0:24847: Address already in use (98) [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to :::24847: Address already in use (98) [!] Binding service [curltest] failed [ ] Unbinding service [curltest] [ ] Service [curltest] closed [ ] Deallocating deployed section defaults [ ] Deallocating section [curltest] [ ] Initializing inetd mode configuration ``` --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 76374f2..06caa54 100644 --- a/curl.spec +++ b/curl.spec @@ -93,8 +93,8 @@ BuildRequires: valgrind %endif # stunnel is used by upstream tests but it does not seem to work reliably -# on s390x and occasionally breaks some tests (mainly 1561 and 1562) -%ifnarch s390x +# on aarch64/s390x and occasionally breaks some tests (mainly 1561 and 1562) +%ifnarch aarch64 s390x BuildRequires: stunnel %endif From 04ebed546a2129a215ef7f8db67b906b7bcb6f12 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 Jan 2023 08:56:33 +0100 Subject: [PATCH 015/108] Related: #2143040 - test3012: temporarily disable valgrind --- 0103-curl-7.87.0-test3012.patch | 52 +++++++++++++++++++++++++++++++++ curl.spec | 9 +++++- 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 0103-curl-7.87.0-test3012.patch diff --git a/0103-curl-7.87.0-test3012.patch b/0103-curl-7.87.0-test3012.patch new file mode 100644 index 0000000..108d715 --- /dev/null +++ b/0103-curl-7.87.0-test3012.patch 
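Review bot: The log quoted in the commit message ends in `Binding service [curltest] to 0.0.0.0:24847: Address already in use (98)`, which points to a listening-port collision when the upstream suite runs a second time rather than to stunnel being broken on aarch64, yet the hunk drops the stunnel BuildRequires for the whole architecture and with it every stunnel-backed HTTPS test there. The spec already disables individual flaky tests through its `# disable test 1112 (#565305), test 1455 ...` block, so skipping 1561/1562 on aarch64 via that mechanism would keep the TLS test coverage on that architecture. At minimum the comment should record the actual symptom so the workaround can be revisited, e.g. `# on aarch64/s390x (tests 1561/1562 hit 'Address already in use' when the suite runs twice)`.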
@@ -0,0 +1,52 @@ +From 0d0a256c8e7f6261d49e1bdd583c04c0e5dfe706 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 11 Jan 2023 08:53:05 +0100 +Subject: [PATCH] test3012: disable valgrind + +valgrind reports a call to memcpy() with overlapping blocks by mistake: +``` +test 3012...[--output-dir with -J] +../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind3012 ../src/curl --trace-ascii log/trace3012 --trace-time http://127.0.0.1:35981/this/is/the/3012 -OJ --output-dir /root/rpmbuild/BUILD/curl-7.86.0/build-minimal/tests/log >log/stdout3012 2>log/stderr3012 +CMD (0): ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind3012 ../src/curl --trace-ascii log/trace3012 --trace-time http://127.0.0.1:35981/this/is/the/3012 -OJ --output-dir /root/rpmbuild/BUILD/curl-7.86.0/build-minimal/tests/log >log/stdout3012 2>log/stderr3012 + valgrind ERROR ==496584== Source and destination overlap in memcpy_chk(0x54ad1a0, 0x54ad1a1, 11) +==496584== at 0x484C332: __memcpy_chk (vg_replace_strmem.c:1741) +==496584== by 0x118FDB: UnknownInlinedFun (string_fortified.h:36) +==496584== by 0x118FDB: UnknownInlinedFun (tool_cb_hdr.c:301) +==496584== by 0x118FDB: tool_header_cb (tool_cb_hdr.c:173) +==496584== by 0x489907B: chop_write.lto_priv.0 (sendf.c:620) +==496584== by 0x489CDD1: UnknownInlinedFun (http.c:4449) +==496584== by 0x489CDD1: UnknownInlinedFun (transfer.c:633) +==496584== by 0x489CDD1: Curl_readwrite (transfer.c:1219) +==496584== by 0x488C116: multi_runsingle (multi.c:2404) +==496584== by 0x488F491: curl_multi_perform (multi.c:2682) +==496584== by 0x486A9DA: UnknownInlinedFun (easy.c:663) +==496584== by 0x486A9DA: UnknownInlinedFun (easy.c:753) +==496584== by 0x486A9DA: curl_easy_perform (easy.c:772) +==496584== by 0x114B28: UnknownInlinedFun 
(tool_operate.c:2406) +==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2594) +==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2706) +==496584== by 0x114B28: main (tool_main.c:284) +``` + +Bug: https://bugzilla.redhat.com/2143040 +--- + tests/data/test3012 | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tests/data/test3012 b/tests/data/test3012 +index 1889c93..ea43a49 100644 +--- a/tests/data/test3012 ++++ b/tests/data/test3012 +@@ -56,5 +56,9 @@ Accept: */* + + -foo- + ++ ++ ++disable ++ + + +-- +2.39.0 + diff --git a/curl.spec b/curl.spec index 06caa54..0101e2a 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,6 +16,9 @@ Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch +# test3012: temporarily disable valgrind (#2143040) +Patch103: 0103-curl-7.87.0-test3012.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -198,6 +201,7 @@ be installed. # Fedora patches %patch101 -p1 %patch102 -p1 +%patch103 -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 @@ -427,6 +431,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jan 11 2023 Kamil Dudka - 7.87.0-2 +- test3012: temporarily disable valgrind (#2143040) + * Wed Dec 21 2022 Kamil Dudka - 7.87.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2022-43552 - HTTP Proxy deny use-after-free From c3e870d57a2273f85a4619fb7b27e83caf4aacae Mon Sep 17 00:00:00 2001 
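Review bot: The new test3012 patch describes the valgrind finding as a report made "by mistake", but the quoted trace, `Source and destination overlap in memcpy_chk(0x54ad1a0, 0x54ad1a1, 11)` at tool_cb_hdr.c:301, shows a memcpy whose source starts one byte inside the destination; overlapping memcpy is undefined behaviour in C regardless of whether the glibc implementation produces the expected bytes, so the report looks valid and the call site presumably needs an overlap-safe copy instead of a suppression. Disabling valgrind for the whole test removes the only check that would catch a regression at that call site, so the "temporarily" in the spec comment should name the condition for re-enabling it, e.g. `# test3012: temporarily disable valgrind (#2143040) until the overlapping memcpy reported in tool_cb_hdr.c is fixed upstream`. The element wrapping `disable` in the test3012 hunk appears to have been lost in extraction; only the value survives, so the hunk cannot be checked for correct markup from here.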
From: Fedora Release Engineering Date: Thu, 19 Jan 2023 00:50:41 +0000 Subject: [PATCH 016/108] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 0101e2a..e07cee5 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -431,6 +431,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jan 19 2023 Fedora Release Engineering - 7.87.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Wed Jan 11 2023 Kamil Dudka - 7.87.0-2 - test3012: temporarily disable valgrind (#2143040) From 8ff989f4fdfc54bad462c3c4363b8ec921710268 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 20 Jan 2023 17:48:02 +0100 Subject: [PATCH 017/108] Resolves: #2162716 - fix regression in a public header file --- 0001-curl-7.87.0-header-file-regression.patch | 55 +++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 0001-curl-7.87.0-header-file-regression.patch diff --git a/0001-curl-7.87.0-header-file-regression.patch b/0001-curl-7.87.0-header-file-regression.patch new file mode 100644 index 0000000..9c479dc --- /dev/null +++ b/0001-curl-7.87.0-header-file-regression.patch 
@@ -0,0 +1,55 @@
+From 613d3c45879636e88b88fcebee48dc77de345291 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat
+Date: Fri, 23 Dec 2022 15:35:27 +0100
+Subject: [PATCH] typecheck: accept expressions for option/info parameters
+
+As expressions can have side effects, evaluate only once.
+
+To enable deprecation reporting only once, get rid of the __typeof__
+use to define the local temporary variable and use the target type
+(CURLoption/CURLINFO). This also avoids multiple reports on type
+conflicts (if some) by the curlcheck_* macros.
+
+Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not
+their values: a curl_easy_setopt call with an integer constant as option
+will never report a deprecation.
+
+Reported-by: Thomas Klausner
+Fixes #10148
+Closes #10149
+
+Upstream-commit: e2aed004302e51cfa5b6ce8c8ab65ef92aa83196
+Signed-off-by: Kamil Dudka
+---
+ include/curl/typecheck-gcc.h | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h
+index bf655bb..85aa8b7 100644
+--- a/include/curl/typecheck-gcc.h
++++ b/include/curl/typecheck-gcc.h
+@@ -42,9 +42,8 @@
+ */
+ #define curl_easy_setopt(handle, option, value) \
+ __extension__({ \
+- CURL_IGNORE_DEPRECATION(__typeof__(option) _curl_opt = option;) \
++ CURLoption _curl_opt = (option); \
+ if(__builtin_constant_p(_curl_opt)) { \
+- (void) option; \
+ CURL_IGNORE_DEPRECATION( \
+ if(curlcheck_long_option(_curl_opt)) \
+ if(!curlcheck_long(value)) \
+@@ -120,9 +119,8 @@
+ /* wraps curl_easy_getinfo() with typechecking */
+ #define curl_easy_getinfo(handle, info, arg) \
+ __extension__({ \
+- CURL_IGNORE_DEPRECATION(__typeof__(info) _curl_info = info;) \
++ CURLINFO _curl_info = (info); \
+ if(__builtin_constant_p(_curl_info)) { \
+- (void) info; \
+ CURL_IGNORE_DEPRECATION( \
+ if(curlcheck_string_info(_curl_info)) \
+ if(!curlcheck_arr((arg), char *)) \
+--
+2.39.0
+
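Review bot: The backported change evaluates `(option)` and `(info)` exactly once into a `CURLoption`/`CURLINFO` temporary, which is the stated goal, but `value` and `arg` are still passed to several `curlcheck_*` invocations inside the same macro (`curlcheck_long(value)`, `curlcheck_arr((arg), char *)`); whether a side-effecting `value` expression is evaluated more than once depends on those helpers expanding only to unevaluated type tests, which the hunk does not show. Worth a sentence in the spec comment or patch header noting that only the option/info argument is single-evaluation, e.g. `# fix regression in a public header file (#2162716): option/info argument evaluated once`. Both `curl_easy_setopt` and `curl_easy_getinfo` macro bodies continue outside the hunk, so the remaining uses of `value`/`arg` cannot be checked from here.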
diff --git a/curl.spec b/curl.spec index e07cee5..61f3004 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.87.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# fix regression in a public header file (#2162716) +Patch1: 0001-curl-7.87.0-header-file-regression.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -197,6 +200,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -431,6 +435,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jan 20 2023 Kamil Dudka - 7.87.0-4 +- fix regression in a public header file (#2162716) + * Thu Jan 19 2023 Fedora Release Engineering - 7.87.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From 98c91c9f34a7abcae20ea93db599e13cafffca12 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 10:05:29 +0100 Subject: [PATCH 018/108] new upstream release - 7.88.0 Resolves: CVE-2023-23916 - HTTP multi-header compression denial of service Resolves: CVE-2023-23915 - HSTS amnesia with --parallel Resolves: CVE-2023-23914 - HSTS ignored on multiple requests --- 0001-curl-7.87.0-header-file-regression.patch | 55 ------------------- curl.spec | 14 +++-- sources | 4 +- 3 files changed, 10 insertions(+), 63 deletions(-) delete mode 100644 0001-curl-7.87.0-header-file-regression.patch diff --git a/0001-curl-7.87.0-header-file-regression.patch b/0001-curl-7.87.0-header-file-regression.patch deleted file mode 100644 index 9c479dc..0000000 
--- a/0001-curl-7.87.0-header-file-regression.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 613d3c45879636e88b88fcebee48dc77de345291 Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat -Date: Fri, 23 Dec 2022 15:35:27 +0100 -Subject: [PATCH] typecheck: accept expressions for option/info parameters - -As expressions can have side effects, evaluate only once. - -To enable deprecation reporting only once, get rid of the __typeof__ -use to define the local temporary variable and use the target type -(CURLoption/CURLINFO). This also avoids multiple reports on type -conflicts (if some) by the curlcheck_* macros. - -Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not -their values: a curl_easy_setopt call with an integer constant as option -will never report a deprecation. - -Reported-by: Thomas Klausner -Fixes #10148 -Closes #10149 - -Upstream-commit: e2aed004302e51cfa5b6ce8c8ab65ef92aa83196 -Signed-off-by: Kamil Dudka ---- - include/curl/typecheck-gcc.h | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h -index bf655bb..85aa8b7 100644 ---- a/include/curl/typecheck-gcc.h -+++ b/include/curl/typecheck-gcc.h -@@ -42,9 +42,8 @@ - */ - #define curl_easy_setopt(handle, option, value) \ - __extension__({ \ -- CURL_IGNORE_DEPRECATION(__typeof__(option) _curl_opt = option;) \ -+ CURLoption _curl_opt = (option); \ - if(__builtin_constant_p(_curl_opt)) { \ -- (void) option; \ - CURL_IGNORE_DEPRECATION( \ - if(curlcheck_long_option(_curl_opt)) \ - if(!curlcheck_long(value)) \ -@@ -120,9 +119,8 @@ - /* wraps curl_easy_getinfo() with typechecking */ - #define curl_easy_getinfo(handle, info, arg) \ - __extension__({ \ -- CURL_IGNORE_DEPRECATION(__typeof__(info) _curl_info = info;) \ -+ CURLINFO _curl_info = (info); \ - if(__builtin_constant_p(_curl_info)) { \ -- (void) info; \ - CURL_IGNORE_DEPRECATION( \ - if(curlcheck_string_info(_curl_info)) \ - if(!curlcheck_arr((arg), char *)) \ --- -2.39.0 - 
diff --git a/curl.spec b/curl.spec index 61f3004..7207a18 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.87.0 -Release: 4%{?dist} +Version: 7.88.0 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix regression in a public header file (#2162716) -Patch1: 0001-curl-7.87.0-header-file-regression.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -200,7 +197,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -435,6 +431,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 15 2023 Kamil Dudka - 7.88.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-23916 - HTTP multi-header compression denial of service + CVE-2023-23915 - HSTS amnesia with --parallel + CVE-2023-23914 - HSTS ignored on multiple requests + * Fri Jan 20 2023 Kamil Dudka - 7.87.0-4 - fix regression in a public header file (#2162716) diff --git a/sources b/sources index 7906eb7..5c159bb 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-7.87.0.tar.xz) = aa125991592667280dce3788aabe81487cf8c55b0afc59d675cc30b76055bb7114f5380b4a0e3b6461a8f81bf9812fa26d493a85f7e01d84263d484a0d699ee7 -SHA512 (curl-7.87.0.tar.xz.asc) = 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4 +SHA512 (curl-7.88.0.tar.xz) = 2008cbc67694f746b7449f087a19b2a9a4950333d6bac1cdc7d80351aa38d8d9b442087dedbc7b0909a419d3b10f510521c942aac012d04a53c32bdb15dce5f0 +SHA512 (curl-7.88.0.tar.xz.asc) = 6f3d9a5f8fcec64652f872adf994ff3d0162fba1b483a0e359522173bf29ef3d26eeda7c328207fa1fa974a45e62674a3a8ebec21830ab3981b56851d5804ade From f3c2fe3549a681755a71e827de1de4085fd1c343 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 15 Feb 2023 10:46:00 +0100 Subject: [PATCH 019/108] do not fail on warnings in the upstream test driver --- 0104-curl-7.88.0-tests-warnings.patch | 30 +++++++++++++++++++++++++++ curl.spec | 4 ++++ 2 files changed, 34 insertions(+) create mode 100644 0104-curl-7.88.0-tests-warnings.patch diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch new file mode 100644 index 0000000..dff89f9 --- /dev/null +++ b/0104-curl-7.88.0-tests-warnings.patch 
@@ -0,0 +1,30 @@
+From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Wed, 15 Feb 2023 10:42:38 +0100
+Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them"
+
+While it might be useful for upstream developers, it is not so useful
+for downstream consumers.
+
+This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8.
+---
+ tests/runtests.pl | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 71644ad18..0cf85c3fe 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -75,8 +75,7 @@ BEGIN {
+ }
+
+ use strict;
+-# Promote all warnings to fatal
+-use warnings FATAL => 'all';
++use warnings;
+ use Cwd;
+ use Digest::MD5 qw(md5);
+ use MIME::Base64;
+--
+2.39.1
+
diff --git a/curl.spec b/curl.spec
index 7207a18..7d58071 100644
--- a/curl.spec
+++ b/curl.spec
@@ -19,6 +19,9 @@ Patch102: 0102-curl-7.84.0-test3026.patch
 # test3012: temporarily disable valgrind (#2143040)
 Patch103: 0103-curl-7.87.0-test3012.patch
+# do not fail on warnings in the upstream test driver
+Patch104: 0104-curl-7.88.0-tests-warnings.patch
+
 Provides: curl-full = %{version}-%{release}
 Provides: webclient
 URL: https://curl.se/
@@ -202,6 +205,7 @@ be installed.
 %patch101 -p1
 %patch102 -p1
 %patch103 -p1
+%patch104 -p1
 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
 # with errno 98: Address already in use' in Koji environment), and test 1801
From bdbf01f50c45ac08a7b8ce4ae889e508253b3da0 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 15 Feb 2023 12:53:26 +0100
Subject: [PATCH 020/108] add glibc-langpack-en BR needed for test1560 to succeed
Suggested-by: Paul Howarth
---
 curl.spec | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/curl.spec b/curl.spec
index 7d58071..353e082 100644
--- a/curl.spec
+++ b/curl.spec
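Review bot: Replacing `use warnings FATAL => 'all';` with `use warnings;` in runtests.pl means a runtime warning in the test driver (an uninitialised value in a comparison, for instance) is now printed and the run continues, so a driver defect can yield a wrongly evaluated verdict instead of a failed build; the commit message explains why the fatal mode is unwanted downstream but not what is lost. Suggest recording that in the spec comment above `Patch104`, e.g. `# do not fail on warnings in the upstream test driver (Perl warnings are still printed; check build logs for them)`. The `BEGIN {` block whose closing brace opens the inner hunk starts outside the patched context, so nothing else in that block is reviewed here.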
@@ -60,6 +60,9 @@ BuildRequires: perl(Pod::Usage)
 BuildRequires: perl(strict)
 BuildRequires: perl(warnings)
+# needed for test1560 to succeed
+BuildRequires: glibc-langpack-en
+
 # gnutls-serv is used by the upstream test-suite
 BuildRequires: gnutls-utils
From 13a96c9b8fbb54bc9d1bb1e8888e8d57cb975192 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Fri, 17 Feb 2023 14:34:10 +0100
Subject: [PATCH 021/108] http2: set drain on stream end
This is an attempt to fix the following issue in COPR:
https://pagure.io/fedora-infrastructure/issue/11133
---
 0001-curl-7.88.0-http2-drain.patch | 113 +++++++++++++++++++++++++++++
 curl.spec | 9 ++-
 2 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 0001-curl-7.88.0-http2-drain.patch
diff --git a/0001-curl-7.88.0-http2-drain.patch b/0001-curl-7.88.0-http2-drain.patch
new file mode 100644
index 0000000..40fd03a
--- /dev/null
+++ b/0001-curl-7.88.0-http2-drain.patch
@@ -0,0 +1,113 @@ +From d38da6c41c897eff642d9e39a234290dd51a3947 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 15 Feb 2023 22:11:13 +0100 +Subject: [PATCH 1/2] http2: buffer/pausedata and output flush fix. + + * do not process pending input data when copying pausedata to the + caller + * return CURLE_AGAIN if the output buffer could not be completely + written out. + +Ref: #10525 +Closes #10529 + +Upstream-commit: 3103de2053ca8cacf9cdbe78764ba6814481709f +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +diff --git a/lib/http2.c b/lib/http2.c +index 46fc746..1ef5d39 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -467,6 +467,7 @@ static CURLcode flush_output(struct Curl_cfilter *cf, + } + if((size_t)written < buflen) { + Curl_dyn_tail(&ctx->outbuf, buflen - (size_t)written); ++ return CURLE_AGAIN; + } + else { + Curl_dyn_reset(&ctx->outbuf); +@@ -1790,6 +1791,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + + stream->pausedata += nread; + stream->pauselen -= nread; ++ drain_this(cf, data); + + if(stream->pauselen == 0) { + DEBUGF(LOG_CF(data, cf, "[h2sid=%u] Unpaused", stream->stream_id)); +@@ -1798,18 +1800,6 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + + stream->pausedata = NULL; + stream->pauselen = 0; +- +- /* When NGHTTP2_ERR_PAUSE is returned from +- data_source_read_callback, we might not process DATA frame +- fully. Calling nghttp2_session_mem_recv() again will +- continue to process DATA frame, but if there is no incoming +- frames, then we have to call it again with 0-length data. +- Without this, on_stream_close callback will not be called, +- and stream could be hanged. 
*/ +- if(h2_process_pending_input(cf, data, err) != 0) { +- nread = -1; +- goto out; +- } + } + DEBUGF(LOG_CF(data, cf, "[h2sid=%u] recv: returns unpaused %zd bytes", + stream->stream_id, nread)); +@@ -1933,6 +1923,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + drained_transfer(cf, data); + } + ++ *err = CURLE_OK; + nread = retlen; + DEBUGF(LOG_CF(data, cf, "[h2sid=%u] cf_h2_recv -> %zd", + stream->stream_id, nread)); +-- +2.39.1 + + +From 77e5170fe89bce943c52de732071189f463f38a8 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Thu, 16 Feb 2023 06:26:26 +0200 +Subject: [PATCH 2/2] http2: set drain on stream end + +Ensure that on_frame_recv() stream end will trigger a read if there is +pending data. Without this it could happen that the pending data is +never consumed. + +This combined with https://github.com/curl/curl/pull/10529 should fix +https://github.com/curl/curl/issues/10525 + +Ref: https://github.com/curl/curl/issues/10525 +Closes #10530 + +Upstream-commit: 87ed650d04dc1a6f7944a5d952f7d5b0934a19ac +Signed-off-by: Kamil Dudka +--- + lib/http2.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/http2.c b/lib/http2.c +index 1ef5d39..bdb5e73 100644 +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -868,6 +868,14 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame, + return NGHTTP2_ERR_CALLBACK_FAILURE; + } + } ++ if(frame->hd.flags & NGHTTP2_FLAG_END_STREAM) { ++ /* Stream has ended. If there is pending data, ensure that read ++ will occur to consume it. */ ++ if(!data->state.drain && stream->memlen) { ++ drain_this(cf, data_s); ++ Curl_expire(data, 0, EXPIRE_RUN_NOW); ++ } ++ } + break; + case NGHTTP2_HEADERS: + DEBUGF(LOG_CF(data_s, cf, "[h2sid=%u] recv frame HEADERS", stream_id)); +-- +2.39.1 + diff --git a/curl.spec b/curl.spec index 353e082..688ac91 100644 --- a/curl.spec +++ b/curl.spec 
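Review bot: In the `on_frame_recv` hunk of the second backported patch the guard reads `data->state.drain` while the drain is then set with `drain_this(cf, data_s)` and the timer armed with `Curl_expire(data, 0, EXPIRE_RUN_NOW)`; the surrounding context passes `data_s` to `DEBUGF`, which suggests `data` and `data_s` can be different easy handles, in which case the condition tests one handle's drain flag and marks another, either skipping a needed drain or re-arming it on every END_STREAM frame. Worth confirming against the enclosing function, which starts outside the hunk; if the stream's handle is the intended one, `if(!data_s->state.drain && stream->memlen)` would make that explicit. The first patch's `return CURLE_AGAIN;` on a short write in `flush_output` and the `*err = CURLE_OK;` before `nread = retlen;` in `cf_h2_recv` both look consistent with the stated intent, but the removal of the `h2_process_pending_input` call relies on the new `drain_this(cf, data)` in the paused path to schedule the follow-up read, so it would help to say so in the spec comment, e.g. `# http2: set drain on stream end (backport; pending input is now drained via drain_this instead of h2_process_pending_input)`.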
@@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.88.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# http2: set drain on stream end +Patch1: 0001-curl-7.88.0-http2-drain.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -203,6 +206,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -438,6 +442,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Feb 17 2023 Kamil Dudka - 7.88.0-2 +- http2: set drain on stream end + * Wed Feb 15 2023 Kamil Dudka - 7.88.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-23916 - HTTP multi-header compression denial of service From d5c1163ef3a64c125452ce067670886765ecc5be Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Feb 2023 14:41:52 +0100 Subject: [PATCH 022/108] new upstream release - 7.88.1 --- 0001-curl-7.88.0-http2-drain.patch | 113 ----------------------------- curl.spec | 11 ++- sources | 4 +- 3 files changed, 7 insertions(+), 121 deletions(-) delete mode 100644 0001-curl-7.88.0-http2-drain.patch diff --git a/0001-curl-7.88.0-http2-drain.patch b/0001-curl-7.88.0-http2-drain.patch deleted file mode 100644 index 40fd03a..0000000 --- a/0001-curl-7.88.0-http2-drain.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From d38da6c41c897eff642d9e39a234290dd51a3947 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 15 Feb 2023 22:11:13 +0100 -Subject: [PATCH 1/2] http2: buffer/pausedata and output flush fix. - - * do not process pending input data when copying pausedata to the - caller - * return CURLE_AGAIN if the output buffer could not be completely - written out. - -Ref: #10525 -Closes #10529 - -Upstream-commit: 3103de2053ca8cacf9cdbe78764ba6814481709f -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 15 +++------------ - 1 file changed, 3 insertions(+), 12 deletions(-) - -diff --git a/lib/http2.c b/lib/http2.c -index 46fc746..1ef5d39 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -467,6 +467,7 @@ static CURLcode flush_output(struct Curl_cfilter *cf, - } - if((size_t)written < buflen) { - Curl_dyn_tail(&ctx->outbuf, buflen - (size_t)written); -+ return CURLE_AGAIN; - } - else { - Curl_dyn_reset(&ctx->outbuf); -@@ -1790,6 +1791,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, - - stream->pausedata += nread; - stream->pauselen -= nread; -+ drain_this(cf, data); - - if(stream->pauselen == 0) { - DEBUGF(LOG_CF(data, cf, "[h2sid=%u] Unpaused", stream->stream_id)); -@@ -1798,18 +1800,6 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, - - stream->pausedata = NULL; - stream->pauselen = 0; -- -- /* When NGHTTP2_ERR_PAUSE is returned from -- data_source_read_callback, we might not process DATA frame -- fully. Calling nghttp2_session_mem_recv() again will -- continue to process DATA frame, but if there is no incoming -- frames, then we have to call it again with 0-length data. -- Without this, on_stream_close callback will not be called, -- and stream could be hanged. 
*/ -- if(h2_process_pending_input(cf, data, err) != 0) { -- nread = -1; -- goto out; -- } - } - DEBUGF(LOG_CF(data, cf, "[h2sid=%u] recv: returns unpaused %zd bytes", - stream->stream_id, nread)); -@@ -1933,6 +1923,7 @@ static ssize_t cf_h2_recv(struct Curl_cfilter *cf, struct Curl_easy *data, - drained_transfer(cf, data); - } - -+ *err = CURLE_OK; - nread = retlen; - DEBUGF(LOG_CF(data, cf, "[h2sid=%u] cf_h2_recv -> %zd", - stream->stream_id, nread)); --- -2.39.1 - - -From 77e5170fe89bce943c52de732071189f463f38a8 Mon Sep 17 00:00:00 2001 -From: Harry Sintonen -Date: Thu, 16 Feb 2023 06:26:26 +0200 -Subject: [PATCH 2/2] http2: set drain on stream end - -Ensure that on_frame_recv() stream end will trigger a read if there is -pending data. Without this it could happen that the pending data is -never consumed. - -This combined with https://github.com/curl/curl/pull/10529 should fix -https://github.com/curl/curl/issues/10525 - -Ref: https://github.com/curl/curl/issues/10525 -Closes #10530 - -Upstream-commit: 87ed650d04dc1a6f7944a5d952f7d5b0934a19ac -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/lib/http2.c b/lib/http2.c -index 1ef5d39..bdb5e73 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -868,6 +868,14 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame, - return NGHTTP2_ERR_CALLBACK_FAILURE; - } - } -+ if(frame->hd.flags & NGHTTP2_FLAG_END_STREAM) { -+ /* Stream has ended. If there is pending data, ensure that read -+ will occur to consume it. */ -+ if(!data->state.drain && stream->memlen) { -+ drain_this(cf, data_s); -+ Curl_expire(data, 0, EXPIRE_RUN_NOW); -+ } -+ } - break; - case NGHTTP2_HEADERS: - DEBUGF(LOG_CF(data_s, cf, "[h2sid=%u] recv frame HEADERS", stream_id)); --- -2.39.1 - diff --git a/curl.spec b/curl.spec index 688ac91..d2bc211 100644 --- a/curl.spec +++ b/curl.spec 
@@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.88.0 -Release: 2%{?dist} +Version: 7.88.1 +Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# http2: set drain on stream end -Patch1: 0001-curl-7.88.0-http2-drain.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -206,7 +203,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -442,6 +438,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 20 2023 Kamil Dudka - 7.88.1-1 +- new upstream release + * Fri Feb 17 2023 Kamil Dudka - 7.88.0-2 - http2: set drain on stream end diff --git a/sources b/sources index 5c159bb..99be100 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-7.88.0.tar.xz) = 2008cbc67694f746b7449f087a19b2a9a4950333d6bac1cdc7d80351aa38d8d9b442087dedbc7b0909a419d3b10f510521c942aac012d04a53c32bdb15dce5f0 -SHA512 (curl-7.88.0.tar.xz.asc) = 6f3d9a5f8fcec64652f872adf994ff3d0162fba1b483a0e359522173bf29ef3d26eeda7c328207fa1fa974a45e62674a3a8ebec21830ab3981b56851d5804ade +SHA512 (curl-7.88.1.tar.xz) = b8d30c52a6d1c3e272608a7a8db78dfd79aef21330f34d6f1df43839a400e13ac6aac72a383526db0b711a70ecbec89a3b934677d7ecf5094fd64d3dbcb3492f +SHA512 (curl-7.88.1.tar.xz.asc) = d6dc720533004c4d533cc4fb3dd33ac28d95e114f440ec011e4b58f65d1f4c40cfa10ba26d2e2f2f1f9de99511632578b4758c5e79593c7c30d29788fdf1cbb6 From 7b0a4d3dfc08b37261a2a5f3e475cc13acdaa922 Mon Sep 17 00:00:00 2001 
From: Kamil Dudka Date: Mon, 20 Mar 2023 10:08:53 +0100 Subject: [PATCH 023/108] new upstream release - 8.0.0 Resolves: CVE-2023-27538 - SSH connection too eager reuse still Resolves: CVE-2023-27537 - HSTS double-free Resolves: CVE-2023-27536 - GSS delegation too eager connection re-use Resolves: CVE-2023-27535 - FTP too eager connection reuse Resolves: CVE-2023-27534 - SFTP path ~ resolving discrepancy Resolves: CVE-2023-27533 - TELNET option IAC injection --- 0001-curl-8.0.0-revert-multi-remove.patch | 230 ++++++++++++++++++++++ curl.spec | 16 +- sources | 4 +- 3 files changed, 247 insertions(+), 3 deletions(-) create mode 100644 0001-curl-8.0.0-revert-multi-remove.patch diff --git a/0001-curl-8.0.0-revert-multi-remove.patch b/0001-curl-8.0.0-revert-multi-remove.patch new file mode 100644 index 0000000..8bd375a --- /dev/null +++ b/0001-curl-8.0.0-revert-multi-remove.patch 
@@ -0,0 +1,230 @@ +From d7c75c3608d6002cfb46a2612efa507d9a8ba66e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 20 Mar 2023 12:51:05 +0100 +Subject: [PATCH] Revert "multi: remove PENDING + MSGSENT handles from the main + linked list" + +This reverts commit f6d6f3ce01e377932f1ce7c24ee34d45a36950b8. + +The commits caused issues in the 8.0.0 release. Needs a retake. + +Upstream-commit: cf1eebc68a28cb18bffde5a0a0d2f02bf7b183ec +Signed-off-by: Kamil Dudka +--- + lib/multi.c | 73 +++++++++++++++++++---------------------------- + lib/multihandle.h | 2 -- + lib/urldata.h | 3 +- + 3 files changed, 31 insertions(+), 47 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index 0967500d0..731b2598f 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -383,10 +383,12 @@ static void sh_init(struct Curl_hash *hash, int hashsize) + * Called when a transfer is completed. Adds the given msg pointer to + * the list kept in the multi handle. + */ +-static void multi_addmsg(struct Curl_multi *multi, struct Curl_message *msg) ++static CURLMcode multi_addmsg(struct Curl_multi *multi, ++ struct Curl_message *msg) + { + Curl_llist_insert_next(&multi->msglist, multi->msglist.tail, msg, + &msg->list); ++ return CURLM_OK; + } + + struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ +@@ -409,7 +411,6 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ + + Curl_llist_init(&multi->msglist, NULL); + Curl_llist_init(&multi->pending, NULL); +- Curl_llist_init(&multi->msgsent, NULL); + + multi->multiplexing = TRUE; + +@@ -455,14 +456,6 @@ struct Curl_multi *curl_multi_init(void) + CURL_DNS_HASH_SIZE); + } + +-/* returns TRUE if the easy handle is supposed to be present in the main link +- list */ +-static bool in_main_list(struct Curl_easy *data) +-{ +- return ((data->mstate != MSTATE_PENDING) && +- (data->mstate != MSTATE_MSGSENT)); +-} +- + static void link_easy(struct Curl_multi *multi, + struct Curl_easy *data) + { +@@ -496,8 +489,6 @@ static void 
unlink_easy(struct Curl_multi *multi, + data->next->prev = data->prev; + else + multi->easylp = data->prev; /* point to last node */ +- +- data->prev = data->next = NULL; + } + + +@@ -857,16 +848,10 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + called. Do it after multi_done() in case that sets another time! */ + Curl_expire_clear(data); + +- if(data->connect_queue.ptr) { +- /* the handle is in the pending or msgsent lists, so go ahead and remove +- it */ +- if(data->mstate == MSTATE_PENDING) +- Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); +- else +- Curl_llist_remove(&multi->msgsent, &data->connect_queue, NULL); +- } +- if(in_main_list(data)) +- unlink_easy(multi, data); ++ if(data->connect_queue.ptr) ++ /* the handle was in the pending list waiting for an available connection, ++ so go ahead and remove it */ ++ Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); + + if(data->dns.hostcachetype == HCACHE_MULTI) { + /* stop using the multi handle's DNS cache, *after* the possible +@@ -927,6 +912,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + + /* make sure there's no pending message in the queue sent from this easy + handle */ ++ + for(e = multi->msglist.head; e; e = e->next) { + struct Curl_message *msg = e->ptr; + +@@ -937,6 +923,19 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, + } + } + ++ /* Remove from the pending list if it is there. Otherwise this will ++ remain on the pending list forever due to the state change. */ ++ for(e = multi->pending.head; e; e = e->next) { ++ struct Curl_easy *curr_data = e->ptr; ++ ++ if(curr_data == data) { ++ Curl_llist_remove(&multi->pending, e, NULL); ++ break; ++ } ++ } ++ ++ unlink_easy(multi, data); ++ + /* NOTE NOTE NOTE + We do not touch the easy handle here! 
*/ + multi->num_easy--; /* one less to care about now */ +@@ -1944,6 +1943,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + } + break; + ++ case MSTATE_PENDING: ++ /* We will stay here until there is a connection available. Then ++ we try again in the MSTATE_CONNECT state. */ ++ break; ++ + case MSTATE_CONNECT: + /* Connect. We want to get a connection identifier filled in. */ + /* init this transfer. */ +@@ -1967,8 +1971,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + /* add this handle to the list of connect-pending handles */ + Curl_llist_insert_next(&multi->pending, multi->pending.tail, data, + &data->connect_queue); +- /* unlink from the main list */ +- unlink_easy(multi, data); + result = CURLE_OK; + break; + } +@@ -2595,11 +2597,9 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + case MSTATE_COMPLETED: + break; + +- case MSTATE_PENDING: + case MSTATE_MSGSENT: +- /* handles in these states should NOT be in this list */ +- DEBUGASSERT(0); +- break; ++ data->result = result; ++ return CURLM_OK; /* do nothing */ + + default: + return CURLM_INTERNAL_ERROR; +@@ -2687,17 +2687,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + msg->extmsg.easy_handle = data; + msg->extmsg.data.result = result; + +- multi_addmsg(multi, msg); ++ rc = multi_addmsg(multi, msg); + DEBUGASSERT(!data->conn); + } + multistate(data, MSTATE_MSGSENT); +- +- /* add this handle to the list of msgsent handles */ +- Curl_llist_insert_next(&multi->msgsent, multi->msgsent.tail, data, +- &data->connect_queue); +- /* unlink from the main list */ +- unlink_easy(multi, data); +- return CURLM_OK; + } + } while((rc == CURLM_CALL_MULTI_PERFORM) || multi_ischanged(multi, FALSE)); + +@@ -2728,9 +2721,6 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) + /* Do the loop and only alter the signal ignore state if the next handle + has a different NO_SIGNAL state than the previous */ + do { +- /* the current node 
might be unlinked in multi_runsingle(), get the next +- pointer now */ +- struct Curl_easy *datanext = data->next; + if(data->set.no_signal != nosig) { + sigpipe_restore(&pipe_st); + sigpipe_ignore(data, &pipe_st); +@@ -2739,7 +2729,7 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) + result = multi_runsingle(multi, &now, data); + if(result) + returncode = result; +- data = datanext; /* operate on next handle */ ++ data = data->next; /* operate on next handle */ + } while(data); + sigpipe_restore(&pipe_st); + } +@@ -3720,9 +3710,6 @@ static void process_pending_handles(struct Curl_multi *multi) + + DEBUGASSERT(data->mstate == MSTATE_PENDING); + +- /* put it back into the main list */ +- link_easy(multi, data); +- + multistate(data, MSTATE_CONNECT); + + /* Remove this node from the list */ +diff --git a/lib/multihandle.h b/lib/multihandle.h +index 5b16bb605..6cda65d44 100644 +--- a/lib/multihandle.h ++++ b/lib/multihandle.h +@@ -101,8 +101,6 @@ struct Curl_multi { + + struct Curl_llist pending; /* Curl_easys that are in the + MSTATE_PENDING state */ +- struct Curl_llist msgsent; /* Curl_easys that are in the +- MSTATE_MSGSENT state */ + + /* callback function and user data pointer for the *socket() API */ + curl_socket_callback socket_cb; +diff --git a/lib/urldata.h b/lib/urldata.h +index 4e07bcd60..8b54518d2 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1894,8 +1894,7 @@ struct Curl_easy { + struct Curl_easy *prev; + + struct connectdata *conn; +- struct Curl_llist_element connect_queue; /* for the pending and msgsent +- lists */ ++ struct Curl_llist_element connect_queue; + struct Curl_llist_element conn_queue; /* list per connectdata */ + + CURLMstate mstate; /* the handle's state */ +-- +2.40.0 + diff --git a/curl.spec b/curl.spec index d2bc211..8832786 100644 --- a/curl.spec +++ b/curl.spec 
@@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.88.1 +Version: 8.0.0 Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,6 +10,10 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# revert a commit that caused issues in the 8.0.0 release +# https://github.com/curl/curl/pull/10795 +Patch1: 0001-curl-8.0.0-revert-multi-remove.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -203,6 +207,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -438,6 +443,15 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Mar 20 2023 Kamil Dudka - 8.0.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-27538 - SSH connection too eager reuse still + CVE-2023-27537 - HSTS double-free + CVE-2023-27536 - GSS delegation too eager connection re-use + CVE-2023-27535 - FTP too eager connection reuse + CVE-2023-27534 - SFTP path ~ resolving discrepancy + CVE-2023-27533 - TELNET option IAC injection + * Mon Feb 20 2023 Kamil Dudka - 7.88.1-1 - new upstream release diff --git a/sources b/sources index 99be100..7ce28de 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-7.88.1.tar.xz) = b8d30c52a6d1c3e272608a7a8db78dfd79aef21330f34d6f1df43839a400e13ac6aac72a383526db0b711a70ecbec89a3b934677d7ecf5094fd64d3dbcb3492f -SHA512 (curl-7.88.1.tar.xz.asc) = d6dc720533004c4d533cc4fb3dd33ac28d95e114f440ec011e4b58f65d1f4c40cfa10ba26d2e2f2f1f9de99511632578b4758c5e79593c7c30d29788fdf1cbb6 +SHA512 (curl-8.0.0.tar.xz) = 7141e0e2ed065ba14a7fd7e080bc78cadfcf0c7e4054384f17bfbe24caa0bf512d1feaac89dabb9bebc30c2ba40e78ea4e77ac16ce07515f1e9d6b0f05098c9c +SHA512 (curl-8.0.0.tar.xz.asc) = ab741ce5a93e8729bb280c38a109dd11c6f07bc5d955368171dd0c26641d117c62945c13cdc8ff66e32e98fa027cc8ae08aba833a3ee702a2a06c7cef5b8f4ea From c96705f9dc873e3e749d7cbfcd13f678605aea63 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 20 Mar 2023 15:39:59 +0100 Subject: [PATCH 024/108] new upstream release - 8.0.1 --- 0001-curl-8.0.0-revert-multi-remove.patch | 230 ---------------------- curl.spec | 10 +- sources | 4 +- 3 files changed, 6 insertions(+), 238 deletions(-) delete mode 100644 0001-curl-8.0.0-revert-multi-remove.patch diff --git a/0001-curl-8.0.0-revert-multi-remove.patch b/0001-curl-8.0.0-revert-multi-remove.patch deleted file mode 100644 index 8bd375a..0000000 --- a/0001-curl-8.0.0-revert-multi-remove.patch +++ /dev/null 
@@ -1,230 +0,0 @@ -From d7c75c3608d6002cfb46a2612efa507d9a8ba66e Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 20 Mar 2023 12:51:05 +0100 -Subject: [PATCH] Revert "multi: remove PENDING + MSGSENT handles from the main - linked list" - -This reverts commit f6d6f3ce01e377932f1ce7c24ee34d45a36950b8. - -The commits caused issues in the 8.0.0 release. Needs a retake. - -Upstream-commit: cf1eebc68a28cb18bffde5a0a0d2f02bf7b183ec -Signed-off-by: Kamil Dudka ---- - lib/multi.c | 73 +++++++++++++++++++---------------------------- - lib/multihandle.h | 2 -- - lib/urldata.h | 3 +- - 3 files changed, 31 insertions(+), 47 deletions(-) - -diff --git a/lib/multi.c b/lib/multi.c -index 0967500d0..731b2598f 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -383,10 +383,12 @@ static void sh_init(struct Curl_hash *hash, int hashsize) - * Called when a transfer is completed. Adds the given msg pointer to - * the list kept in the multi handle. - */ --static void multi_addmsg(struct Curl_multi *multi, struct Curl_message *msg) -+static CURLMcode multi_addmsg(struct Curl_multi *multi, -+ struct Curl_message *msg) - { - Curl_llist_insert_next(&multi->msglist, multi->msglist.tail, msg, - &msg->list); -+ return CURLM_OK; - } - - struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ -@@ -409,7 +411,6 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ - - Curl_llist_init(&multi->msglist, NULL); - Curl_llist_init(&multi->pending, NULL); -- Curl_llist_init(&multi->msgsent, NULL); - - multi->multiplexing = TRUE; - -@@ -455,14 +456,6 @@ struct Curl_multi *curl_multi_init(void) - CURL_DNS_HASH_SIZE); - } - --/* returns TRUE if the easy handle is supposed to be present in the main link -- list */ --static bool in_main_list(struct Curl_easy *data) --{ -- return ((data->mstate != MSTATE_PENDING) && -- (data->mstate != MSTATE_MSGSENT)); --} -- - static void link_easy(struct Curl_multi *multi, - struct Curl_easy *data) - { -@@ -496,8 +489,6 @@ static void 
unlink_easy(struct Curl_multi *multi, - data->next->prev = data->prev; - else - multi->easylp = data->prev; /* point to last node */ -- -- data->prev = data->next = NULL; - } - - -@@ -857,16 +848,10 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - called. Do it after multi_done() in case that sets another time! */ - Curl_expire_clear(data); - -- if(data->connect_queue.ptr) { -- /* the handle is in the pending or msgsent lists, so go ahead and remove -- it */ -- if(data->mstate == MSTATE_PENDING) -- Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); -- else -- Curl_llist_remove(&multi->msgsent, &data->connect_queue, NULL); -- } -- if(in_main_list(data)) -- unlink_easy(multi, data); -+ if(data->connect_queue.ptr) -+ /* the handle was in the pending list waiting for an available connection, -+ so go ahead and remove it */ -+ Curl_llist_remove(&multi->pending, &data->connect_queue, NULL); - - if(data->dns.hostcachetype == HCACHE_MULTI) { - /* stop using the multi handle's DNS cache, *after* the possible -@@ -927,6 +912,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - - /* make sure there's no pending message in the queue sent from this easy - handle */ -+ - for(e = multi->msglist.head; e; e = e->next) { - struct Curl_message *msg = e->ptr; - -@@ -937,6 +923,19 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - } - } - -+ /* Remove from the pending list if it is there. Otherwise this will -+ remain on the pending list forever due to the state change. */ -+ for(e = multi->pending.head; e; e = e->next) { -+ struct Curl_easy *curr_data = e->ptr; -+ -+ if(curr_data == data) { -+ Curl_llist_remove(&multi->pending, e, NULL); -+ break; -+ } -+ } -+ -+ unlink_easy(multi, data); -+ - /* NOTE NOTE NOTE - We do not touch the easy handle here! 
*/ - multi->num_easy--; /* one less to care about now */ -@@ -1944,6 +1943,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - } - break; - -+ case MSTATE_PENDING: -+ /* We will stay here until there is a connection available. Then -+ we try again in the MSTATE_CONNECT state. */ -+ break; -+ - case MSTATE_CONNECT: - /* Connect. We want to get a connection identifier filled in. */ - /* init this transfer. */ -@@ -1967,8 +1971,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - /* add this handle to the list of connect-pending handles */ - Curl_llist_insert_next(&multi->pending, multi->pending.tail, data, - &data->connect_queue); -- /* unlink from the main list */ -- unlink_easy(multi, data); - result = CURLE_OK; - break; - } -@@ -2595,11 +2597,9 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - case MSTATE_COMPLETED: - break; - -- case MSTATE_PENDING: - case MSTATE_MSGSENT: -- /* handles in these states should NOT be in this list */ -- DEBUGASSERT(0); -- break; -+ data->result = result; -+ return CURLM_OK; /* do nothing */ - - default: - return CURLM_INTERNAL_ERROR; -@@ -2687,17 +2687,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, - msg->extmsg.easy_handle = data; - msg->extmsg.data.result = result; - -- multi_addmsg(multi, msg); -+ rc = multi_addmsg(multi, msg); - DEBUGASSERT(!data->conn); - } - multistate(data, MSTATE_MSGSENT); -- -- /* add this handle to the list of msgsent handles */ -- Curl_llist_insert_next(&multi->msgsent, multi->msgsent.tail, data, -- &data->connect_queue); -- /* unlink from the main list */ -- unlink_easy(multi, data); -- return CURLM_OK; - } - } while((rc == CURLM_CALL_MULTI_PERFORM) || multi_ischanged(multi, FALSE)); - -@@ -2728,9 +2721,6 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) - /* Do the loop and only alter the signal ignore state if the next handle - has a different NO_SIGNAL state than the previous */ - do { -- /* the current node 
might be unlinked in multi_runsingle(), get the next -- pointer now */ -- struct Curl_easy *datanext = data->next; - if(data->set.no_signal != nosig) { - sigpipe_restore(&pipe_st); - sigpipe_ignore(data, &pipe_st); -@@ -2739,7 +2729,7 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles) - result = multi_runsingle(multi, &now, data); - if(result) - returncode = result; -- data = datanext; /* operate on next handle */ -+ data = data->next; /* operate on next handle */ - } while(data); - sigpipe_restore(&pipe_st); - } -@@ -3720,9 +3710,6 @@ static void process_pending_handles(struct Curl_multi *multi) - - DEBUGASSERT(data->mstate == MSTATE_PENDING); - -- /* put it back into the main list */ -- link_easy(multi, data); -- - multistate(data, MSTATE_CONNECT); - - /* Remove this node from the list */ -diff --git a/lib/multihandle.h b/lib/multihandle.h -index 5b16bb605..6cda65d44 100644 ---- a/lib/multihandle.h -+++ b/lib/multihandle.h -@@ -101,8 +101,6 @@ struct Curl_multi { - - struct Curl_llist pending; /* Curl_easys that are in the - MSTATE_PENDING state */ -- struct Curl_llist msgsent; /* Curl_easys that are in the -- MSTATE_MSGSENT state */ - - /* callback function and user data pointer for the *socket() API */ - curl_socket_callback socket_cb; -diff --git a/lib/urldata.h b/lib/urldata.h -index 4e07bcd60..8b54518d2 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1894,8 +1894,7 @@ struct Curl_easy { - struct Curl_easy *prev; - - struct connectdata *conn; -- struct Curl_llist_element connect_queue; /* for the pending and msgsent -- lists */ -+ struct Curl_llist_element connect_queue; - struct Curl_llist_element conn_queue; /* list per connectdata */ - - CURLMstate mstate; /* the handle's state */ --- -2.40.0 - diff --git a/curl.spec b/curl.spec index 8832786..15705c1 100644 --- a/curl.spec +++ b/curl.spec 
@@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.0.0 +Version: 8.0.1 Release: 1%{?dist} License: MIT Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,10 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# revert a commit that caused issues in the 8.0.0 release -# https://github.com/curl/curl/pull/10795 -Patch1: 0001-curl-8.0.0-revert-multi-remove.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -207,7 +203,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 @@ -443,6 +438,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Mar 20 2023 Kamil Dudka - 8.0.1-1 +- new upstream release + * Mon Mar 20 2023 Kamil Dudka - 8.0.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-27538 - SSH connection too eager reuse still diff --git a/sources b/sources index 7ce28de..fe0a4ce 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.0.0.tar.xz) = 7141e0e2ed065ba14a7fd7e080bc78cadfcf0c7e4054384f17bfbe24caa0bf512d1feaac89dabb9bebc30c2ba40e78ea4e77ac16ce07515f1e9d6b0f05098c9c -SHA512 (curl-8.0.0.tar.xz.asc) = ab741ce5a93e8729bb280c38a109dd11c6f07bc5d955368171dd0c26641d117c62945c13cdc8ff66e32e98fa027cc8ae08aba833a3ee702a2a06c7cef5b8f4ea +SHA512 (curl-8.0.1.tar.xz) = 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d +SHA512 (curl-8.0.1.tar.xz.asc) = 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf From 54363444c5ff7e8271e42f5be146b24787eacd33 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Tue, 21 Mar 2023 15:46:58 +0100 Subject: [PATCH 025/108] migrate to SPDX license --- curl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 15705c1..e04b29c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,8 +1,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 1%{?dist} -License: MIT +Release: 2%{?dist} +License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # The curl download page ( https://curl.se/download.html ) links @@ -438,6 +438,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 +- migrated to SPDX license + * Mon Mar 20 2023 Kamil Dudka - 8.0.1-1 - new upstream release From 449e5165fd459f6a380feebf4fa7aa913dd40519 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 14:32:13 +0200 Subject: [PATCH 026/108] curl.spec: apply patches automatically ... to ease maintenance and to avoid the following warning on Fedora Rawhide: ``` warning: %patchN is deprecated (4 usages found), use %patch N (or %patch -P N) ``` --- curl.spec | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/curl.spec b/curl.spec index e04b29c..86222da 100644 --- a/curl.spec +++ b/curl.spec @@ -200,15 +200,7 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%setup -q - -# upstream patches - -# Fedora patches -%patch101 -p1 -%patch102 -p1 -%patch103 -p1 -%patch104 -p1 +%autosetup -p1 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed # with errno 98: Address already in use' in Koji environment), and test 1801 
@@ -438,6 +430,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 +- apply patches automatically + * Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 - migrated to SPDX license From fb877acc4b669b7c8e1fcc51db02828928b42e12 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 14:41:58 +0200 Subject: [PATCH 027/108] curl.spec: forgot to bump release --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 86222da..8920deb 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.0.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc From 2d313d8a465f02f3fe191d2daccba00260c81ced Mon Sep 17 00:00:00 2001 
From: Kamil Dudka Date: Fri, 21 Apr 2023 18:00:44 +0200 Subject: [PATCH 028/108] tests: attempt to fix a conflict on port numbers ... where stunnel listens for legacy HTTPS and HTTP/2, which manifests as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 1941 1945 2050 2055 3028 ``` [...] startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 RUN: HTTPS server is PID 114398 port 24642 * pid https => 114398 114402 [...] startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 startnew: child process has died, server might start up Warning: http2 server unexpectedly alive RUN: Process with pid 73992 signalled to die RUN: Process with pid 73992 forced to die with SIGKILL == Contents of files in the log/ dir after test 1630 === Start of file http2_server.log 14:01:21.881018 exit_signal_handler: 15 14:01:21.881372 signalled to die 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) === End of file http2_server.log === Start of file https2_stunnel.log [ ] Initializing inetd mode configuration [ ] Clients allowed=500 [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI [ ] errno: (*__errno_location ()) [ ] Initializing inetd mode configuration [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf [.] UTF-8 byte order mark not detected [.] 
FIPS mode disabled [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [curltest] [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly [ ] stunnel default security level set: 2 [ ] Ciphers: PROFILE=SYSTEM [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 [ ] TLS options: 0x2100000 (+0x0, -0x0) [ ] Session resumption enabled [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Private key check succeeded [!] No trusted certificates found [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 [ ] DH initialization [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem [ ] Using dynamic DH parameters [ ] ECDH initialization [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 [.] Configuration successful [ ] Deallocating deployed section defaults [ ] Binding service [curltest] [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) [ ] Listening file descriptor created (FD=8) [ ] Setting accept socket options (FD=8) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [curltest] to :::24642: Address already in use (98) [!] 
Binding service [curltest] failed [ ] Unbinding service [curltest] [ ] Service [curltest] closed [ ] Deallocating deployed section defaults [ ] Deallocating section [curltest] [ ] Initializing inetd mode configuration === End of file https2_stunnel.log ``` --- 0105-curl-8.0.1-tests-stunnel-port.patch | 97 ++++++++++++++++++++++++ curl.spec | 4 + 2 files changed, 101 insertions(+) create mode 100644 0105-curl-8.0.1-tests-stunnel-port.patch diff --git a/0105-curl-8.0.1-tests-stunnel-port.patch b/0105-curl-8.0.1-tests-stunnel-port.patch new file mode 100644 index 0000000..47d1419 --- /dev/null +++ b/0105-curl-8.0.1-tests-stunnel-port.patch 
@@ -0,0 +1,97 @@ +From c9a1d18e5f8f28b90c1b2fcc1f15699327067e59 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 21 Apr 2023 17:44:10 +0200 +Subject: [PATCH] tests/runtests.pl: attempt to fix a conflict on port numbers + +... where stunnel listens for legacy HTTPS and HTTP/2, which manifests +as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 +1941 1945 2050 2055 3028 +``` +[...] +startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 +RUN: HTTPS server is PID 114398 port 24642 +* pid https => 114398 114402 +[...] +startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 +startnew: child process has died, server might start up +Warning: http2 server unexpectedly alive +RUN: Process with pid 73992 signalled to die +RUN: Process with pid 73992 forced to die with SIGKILL +== Contents of files in the log/ dir after test 1630 +=== Start of file http2_server.log + 14:01:21.881018 exit_signal_handler: 15 + 14:01:21.881372 signalled to die + 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) +=== End of file http2_server.log +=== Start of file https2_stunnel.log + [ ] Initializing inetd mode configuration + [ ] Clients allowed=500 + [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform + [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 + [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI + [ ] errno: (*__errno_location ()) + [ ] Initializing inetd mode configuration + [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf + [.] UTF-8 byte order mark not detected + [.] 
FIPS mode disabled + [ ] Compression disabled + [ ] No PRNG seeding was required + [ ] Initializing service [curltest] + [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. + [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly + [ ] stunnel default security level set: 2 + [ ] Ciphers: PROFILE=SYSTEM + [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 + [ ] TLS options: 0x2100000 (+0x0, -0x0) + [ ] Session resumption enabled + [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Private key check succeeded + [!] No trusted certificates found + [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 + [ ] DH initialization + [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem + [ ] Using dynamic DH parameters + [ ] ECDH initialization + [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 + [.] Configuration successful + [ ] Deallocating deployed section defaults + [ ] Binding service [curltest] + [ ] Listening file descriptor created (FD=8) + [ ] Setting accept socket options (FD=8) + [ ] Option SO_REUSEADDR set on accept socket + [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) + [ ] Listening file descriptor created (FD=8) + [ ] Setting accept socket options (FD=8) + [ ] Option SO_REUSEADDR set on accept socket + [.] Binding service [curltest] to :::24642: Address already in use (98) + [!] 
Binding service [curltest] failed + [ ] Unbinding service [curltest] + [ ] Service [curltest] closed + [ ] Deallocating deployed section defaults + [ ] Deallocating section [curltest] + [ ] Initializing inetd mode configuration +=== End of file https2_stunnel.log +``` +--- + tests/runtests.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 54f6923..bb362c9 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -1802,7 +1802,7 @@ sub runhttpsserver { + + my $pid2; + my $httpspid; +- my $port = 24512; # start attempt ++ my $port = 24512 * $idnum; # start attempt + for (1 .. 10) { + $port += int(rand(600)); + my $options = "$flags --accept $port"; +-- +2.39.2 + diff --git a/curl.spec b/curl.spec index 8920deb..dd121e1 100644 --- a/curl.spec +++ b/curl.spec @@ -22,6 +22,9 @@ Patch103: 0103-curl-7.87.0-test3012.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch +# tests: attempt to fix a conflict on port numbers +Patch105: 0105-curl-8.0.1-tests-stunnel-port.patch + Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -431,6 +434,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %changelog * Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 +- tests: attempt to fix a conflict on port numbers - apply patches automatically * Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 From d8bddc669c31f8c84053cde2d4755501eac337b7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 21 Apr 2023 18:01:25 +0200 Subject: [PATCH 029/108] tests: re-enable temporarily disabled test-cases --- curl.spec | 31 +++---------------------------- 1 file changed, 3 insertions(+), 28 deletions(-) diff --git a/curl.spec b/curl.spec index dd121e1..fbc8caa 100644 --- a/curl.spec +++ b/curl.spec 
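Review bot: `my $port = 24512 * $idnum;` in the added tests/runtests.pl hunk leaves the TCP port range for any `$idnum` of 3 or more (3 × 24512 = 73536, above 65535) and yields a start port of 0 if `$idnum` were ever 0, so the separation only holds for ids 1 and 2; the following `$port += int(rand(600))` loop adds at most about 6000 and cannot bring it back into range. An additive offset larger than that random walk keeps the instances apart without overflowing, e.g. `my $port = 24512 + 6000 * ($idnum - 1); # start attempt`. The `runhttpsserver` sub starts and ends outside the hunk, so how `$idnum` is derived from `--id` cannot be confirmed from here.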
@@ -205,35 +205,9 @@ be installed.
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1
 
-# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
-# with errno 98: Address already in use' in Koji environment), and test 1801
+# disable test 1801
 #
-printf "1112\n1455\n1184\n1801\n" >> tests/data/DISABLED
-
-# disable test 1319 on ppc64 (server times out)
-%ifarch ppc64
-echo "1319" >> tests/data/DISABLED
-%endif
-
-# disable tests 320..322 on ppc64le where it started to hang/fail
-%ifarch ppc64le
-printf "320\n321\n322\n" >> tests/data/DISABLED
-%endif
-
-# temporarily disable tests 582 and 1452 on s390x (client times out)
-%ifarch s390x
-printf "582\n1452\n" >> tests/data/DISABLED
-%endif
-
-# temporarily disable tests 702 703 716 on armv7hl (#1829180)
-%ifarch armv7hl
-printf "702\n703\n716\n" >> tests/data/DISABLED
-%endif
-
-# temporarily disable tests 300{0,1} on x86_64 (stunnel clashes with itself)
-%ifarch x86_64
-printf "3000\n3001\n" >> tests/data/DISABLED
-%endif
+echo "1801" >> tests/data/DISABLED
 
 # test3026: avoid pthread_create() failure due to resource exhaustion on i386
 %ifarch %{ix86}
@@ -434,6 +408,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
 %changelog
 * Fri Apr 21 2023 Kamil Dudka - 8.0.1-3
+- tests: re-enable temporarily disabled test-cases
 - tests: attempt to fix a conflict on port numbers
 - apply patches automatically
 

From 65d0dfbac54daa22d674f8009cd5895da8977417 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Fri, 17 Feb 2023 15:14:53 +0100
Subject: [PATCH 030/108] changelog: trim entries that predate curl-7.29.0

... which RHEL-7 builds of curl are based on

Closes: https://src.fedoraproject.org/rpms/curl/pull-request/16
---
 curl.spec | 878 ------------------------------------------------
 1 file changed, 878 deletions(-)

diff --git a/curl.spec b/curl.spec
index fbc8caa..b41cf59 100644
--- a/curl.spec
+++ b/curl.spec
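Review bot: The bare `#` line left between `# disable test 1801` and `echo "1801" >> tests/data/DISABLED` is a remnant of the old three-line comment and now separates the comment from the command it explains; drop it, or turn it into the reason, since neither the old nor the new text says why 1801 stays disabled: `# disable test 1801 (<bug or failure reference>)`. Re-enabling 1455 (which the removed comment says failed with 'Address already in use' in Koji) and 3000/3001 (stunnel clashing with itself) presumably relies on the port-spreading patch added in the previous commit; a one-line note next to the echo, e.g. `# 1455 and 3000/3001 depend on the stunnel port fix in Patch105`, would make that dependency visible to whoever next sees those tests flake. Test 1184 was also in the removed printf without being named in the old comment, so it is silently re-enabled too and is worth a mention in the changelog entry. The %prep section this hunk edits continues past the hunk on both sides.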
@@ -1212,881 +1212,3 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la * Wed Feb 06 2013 Kamil Dudka 7.29.0-1 - new upstream release (fixes CVE-2013-0249) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-3 -- require valgrind for build only on i386 and x86_64 (#886891) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-2 -- prevent NSS from crashing on client auth hook failure -- clear session cache if a client cert from file is used -- fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE - -* Tue Nov 20 2012 Kamil Dudka 7.28.1-1 -- new upstream release - -* Wed Oct 31 2012 Kamil Dudka 7.28.0-1 -- new upstream release - -* Mon Oct 01 2012 Kamil Dudka 7.27.0-3 -- use the upstream facility to disable problematic tests -- do not crash if MD5 fingerprint is not provided by libssh2 - -* Wed Aug 01 2012 Kamil Dudka 7.27.0-2 -- eliminate unnecessary inotify events on upload via file protocol (#844385) - -* Sat Jul 28 2012 Kamil Dudka 7.27.0-1 -- new upstream release - -* Mon Jul 23 2012 Kamil Dudka 7.26.0-6 -- print reason phrase from HTTP status line on error (#676596) - -* Wed Jul 18 2012 Fedora Release Engineering - 7.26.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Sat Jun 09 2012 Kamil Dudka 7.26.0-4 -- fix duplicated SSL handshake with multi interface and proxy (#788526) - -* Wed May 30 2012 Karsten Hopp 7.26.0-3 -- disable test 1319 on ppc64, server times out - -* Mon May 28 2012 Kamil Dudka 7.26.0-2 -- use human-readable error messages provided by NSS (upstream commit 72f4b534) - -* Fri May 25 2012 Kamil Dudka 7.26.0-1 -- new upstream release - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- valgrind on ppc64 works fine, disable ppc32 only - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- drop BR valgrind on PPC(64) until bugzilla #810992 gets fixed - -* Fri Apr 13 2012 Kamil Dudka 7.25.0-2 -- use NSS_InitContext() to initialize NSS if available (#738456) -- provide human-readable names for NSS errors (upstream commit a60edcc6) - -* Fri Mar 23 2012 Paul Howarth 
7.25.0-1 -- new upstream release (#806264) -- fix character encoding of docs with a patch rather than just iconv -- update debug and multilib patches -- don't use macros for commands -- reduce size of %%prep output for readability - -* Tue Jan 24 2012 Kamil Dudka 7.24.0-1 -- new upstream release (fixes CVE-2012-0036) - -* Thu Jan 05 2012 Paul Howarth 7.23.0-6 -- rebuild for gcc 4.7 - -* Mon Jan 02 2012 Kamil Dudka 7.23.0-5 -- upstream patch that allows to run FTPS tests with nss-3.13 (#760060) - -* Tue Dec 27 2011 Kamil Dudka 7.23.0-4 -- allow to run FTPS tests with nss-3.13 (#760060) - -* Sun Dec 25 2011 Kamil Dudka 7.23.0-3 -- avoid unnecessary timeout event when waiting for 100-continue (#767490) - -* Mon Nov 21 2011 Kamil Dudka 7.23.0-2 -- curl -JO now uses -O name if no C-D header comes (upstream commit c532604) - -* Wed Nov 16 2011 Kamil Dudka 7.23.0-1 -- new upstream release (#754391) - -* Mon Sep 19 2011 Kamil Dudka 7.22.0-2 -- nss: select client certificates by DER (#733657) - -* Tue Sep 13 2011 Kamil Dudka 7.22.0-1 -- new upstream release -- curl-config now provides dummy --static-libs option (#733956) - -* Sun Aug 21 2011 Paul Howarth 7.21.7-4 -- actually fix SIGSEGV of curl -O -J given more than one URL (#723075) - -* Mon Aug 15 2011 Kamil Dudka 7.21.7-3 -- fix SIGSEGV of curl -O -J given more than one URL (#723075) -- introduce the --delegation option of curl (#730444) -- initialize NSS with no database if the selected database is broken (#728562) - -* Wed Aug 03 2011 Kamil Dudka 7.21.7-2 -- add a new option CURLOPT_GSSAPI_DELEGATION (#719939) - -* Thu Jun 23 2011 Kamil Dudka 7.21.7-1 -- new upstream release (fixes CVE-2011-2192) - -* Wed Jun 08 2011 Kamil Dudka 7.21.6-2 -- avoid an invalid timeout event on a reused handle (#679709) - -* Sat Apr 23 2011 Paul Howarth 7.21.6-1 -- new upstream release - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-2 -- fix the output of curl-config --version (upstream commit 82ecc85) - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-1 -- 
new upstream release - -* Sat Apr 16 2011 Peter Robinson 7.21.4-4 -- no valgrind on ARMv5 arches - -* Sat Mar 05 2011 Dennis Gilmore 7.21.4-3 -- no valgrind on sparc arches - -* Tue Feb 22 2011 Kamil Dudka 7.21.4-2 -- do not ignore failure of SSL handshake (upstream commit 7aa2d10) - -* Fri Feb 18 2011 Kamil Dudka 7.21.4-1 -- new upstream release -- avoid memory leak on SSL connection failure (upstream commit a40f58d) -- work around valgrind bug (#678518) - -* Tue Feb 08 2011 Fedora Release Engineering - 7.21.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Wed Jan 12 2011 Kamil Dudka 7.21.3-2 -- build libcurl with --enable-hidden-symbols - -* Thu Dec 16 2010 Paul Howarth 7.21.3-1 -- update to 7.21.3: - - added --noconfigure switch to testcurl.pl - - added --xattr option - - added CURLOPT_RESOLVE and --resolve - - added CURLAUTH_ONLY - - added version-check.pl to the examples dir - - check for libcurl features for some command line options - - Curl_setopt: disallow CURLOPT_USE_SSL without SSL support - - http_chunks: remove debug output - - URL-parsing: consider ? 
a divider - - SSH: avoid using the libssh2_ prefix - - SSH: use libssh2_session_handshake() to work on win64 - - ftp: prevent server from hanging on closed data connection when stopping - a transfer before the end of the full transfer (ranges) - - LDAP: detect non-binary attributes properly - - ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT - - gnutls->handshake: improved timeout handling - - security: pass the right parameter to init - - krb5: use GSS_ERROR to check for error - - TFTP: resend the correct data - - configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected - - GnuTLS: now detects socket errors on Windows - - symbols-in-versions: updated en masse - - added a couple of examples that were missing from the tarball - - Curl_send/recv_plain: return errno on failure - - Curl_wait_for_resolv (for c-ares): correct timeout - - ossl_connect_common: detect connection re-use - - configure: prevent link errors with --librtmp - - openldap: use remote port in URL passed to ldap_init_fd() - - url: provide dead_connection flag in Curl_handler::disconnect - - lots of compiler warning fixes - - ssh: fix a download resume point calculation - - fix getinfo CURLINFO_LOCAL* for reused connections - - multi: the returned running handles counter could turn negative - - multi: only ever consider pipelining for connections doing HTTP(S) -- drop upstream patches now in tarball -- update bz650255 and disable-test1112 patches to apply against new codebase -- add workaround for false-positive glibc-detected buffer overflow in tftpd - test server with FORTIFY_SOURCE (similar to #515361) - -* Fri Nov 12 2010 Kamil Dudka 7.21.2-5 -- do not send QUIT to a dead FTP control connection (#650255) -- pull back glibc's implementation of str[n]casecmp(), #626470 appears fixed - -* Tue Nov 09 2010 Kamil Dudka 7.21.2-4 -- prevent FTP client from hanging on unrecognized ABOR response (#649347) -- return more appropriate error code in case FTP server session idle - 
timeout has exceeded (#650255) - -* Fri Oct 29 2010 Kamil Dudka 7.21.2-3 -- prevent FTP server from hanging on closed data connection (#643656) - -* Thu Oct 14 2010 Paul Howarth 7.21.2-2 -- enforce versioned libssh2 dependency for libcurl (#642796) - -* Wed Oct 13 2010 Kamil Dudka 7.21.2-1 -- new upstream release, drop applied patches -- make 0102-curl-7.21.2-debug.patch less intrusive - -* Wed Sep 29 2010 jkeating - 7.21.1-6 -- Rebuilt for gcc bug 634757 - -* Sat Sep 11 2010 Kamil Dudka 7.21.1-5 -- make it possible to run SCP/SFTP tests on x86_64 (#632914) - -* Tue Sep 07 2010 Kamil Dudka 7.21.1-4 -- work around glibc/valgrind problem on x86_64 (#631449) - -* Tue Aug 24 2010 Paul Howarth 7.21.1-3 -- fix up patches so there's no need to run autotools in the rpm build -- drop buildreq automake -- drop dependency on automake for devel package from F-14, where - %%{_datadir}/aclocal is included in the filesystem package -- drop dependency on pkgconfig for devel package from F-11, where - pkgconfig dependencies are auto-generated - -* Mon Aug 23 2010 Kamil Dudka 7.21.1-2 -- re-enable test575 on s390(x), already fixed (upstream commit d63bdba) -- modify system headers to work around gcc bug (#617757) -- curl -T now ignores file size of special files (#622520) -- fix kerberos proxy authentication for https (#625676) -- work around glibc/valgrind problem on x86_64 (#626470) - -* Thu Aug 12 2010 Kamil Dudka 7.21.1-1 -- new upstream release - -* Mon Jul 12 2010 Dan Horák 7.21.0-3 -- disable test 575 on s390(x) - -* Mon Jun 28 2010 Kamil Dudka 7.21.0-2 -- add support for NTLM authentication (#603783) - -* Wed Jun 16 2010 Kamil Dudka 7.21.0-1 -- new upstream release, drop applied patches -- update of %%description -- disable valgrind for certain test-cases (libssh2 problem) - -* Tue May 25 2010 Kamil Dudka 7.20.1-6 -- fix -J/--remote-header-name to strip CR-LF (upstream patch) - -* Wed Apr 28 2010 Kamil Dudka 7.20.1-5 -- CRL support now works again (#581926) -- make it 
possible to start a testing OpenSSH server when building with SELinux - in the enforcing mode (#521087) - -* Sat Apr 24 2010 Kamil Dudka 7.20.1-4 -- upstream patch preventing failure of test536 with threaded DNS resolver -- upstream patch preventing SSL handshake timeout underflow - -* Thu Apr 22 2010 Paul Howarth 7.20.1-3 -- replace Rawhide s390-sleep patch with a more targeted patch adding a - delay after tests 513 and 514 rather than after all tests - -* Wed Apr 21 2010 Kamil Dudka 7.20.1-2 -- experimentally enabled threaded DNS lookup -- make curl-config multilib ready again (#584107) - -* Mon Apr 19 2010 Kamil Dudka 7.20.1-1 -- new upstream release - -* Tue Mar 23 2010 Kamil Dudka 7.20.0-4 -- add missing quote in libcurl.m4 (#576252) - -* Fri Mar 19 2010 Kamil Dudka 7.20.0-3 -- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972) -- valgrind temporarily disabled (#574889) -- kerberos installation prefix has been changed - -* Wed Feb 24 2010 Kamil Dudka 7.20.0-2 -- exclude test1112 from the test suite (#565305) - -* Thu Feb 11 2010 Kamil Dudka 7.20.0-1 -- new upstream release - added support for IMAP(S), POP3(S), SMTP(S) and RTSP -- dropped patches applied upstream -- dropped curl-7.16.0-privlibs.patch no longer useful -- a new patch forcing -lrt when linking the curl tool and test-cases - -* Fri Jan 29 2010 Kamil Dudka 7.19.7-11 -- upstream patch adding a new option -J/--remote-header-name -- dropped temporary workaround for #545779 - -* Thu Jan 14 2010 Chris Weyl 7.19.7-10 -- bump for libssh2 rebuild - -* Sun Dec 20 2009 Kamil Dudka 7.19.7-9 -- temporary workaround for #548269 - (restored behavior of 7.19.7-4) - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-8 -- replace hard wired port numbers in the test suite - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-7 -- use different port numbers for 32bit and 64bit builds -- temporary workaround for #545779 - -* Tue Dec 08 2009 Kamil Dudka 7.19.7-6 -- make it possible to run test241 -- re-enable SCP/SFTP tests 
(#539444) - -* Sat Dec 05 2009 Kamil Dudka 7.19.7-5 -- avoid use of uninitialized value in lib/nss.c -- suppress failure of test513 on s390 - -* Tue Dec 01 2009 Kamil Dudka 7.19.7-4 -- do not require valgrind on s390 and s390x -- temporarily disabled SCP/SFTP test-suite (#539444) - -* Thu Nov 12 2009 Kamil Dudka 7.19.7-3 -- fix crash on doubly closed NSPR descriptor, patch contributed - by Kevin Baughman (#534176) -- new version of patch for broken TLS servers (#525496, #527771) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-2 -- increased release number (CVS problem) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-1 -- new upstream release, dropped applied patches -- workaround for broken TLS servers (#525496, #527771) - -* Wed Oct 14 2009 Kamil Dudka 7.19.6-13 -- fix timeout issues and gcc warnings within lib/nss.c - -* Tue Oct 06 2009 Kamil Dudka 7.19.6-12 -- upstream patch for NSS support written by Guenter Knauf - -* Wed Sep 30 2009 Kamil Dudka 7.19.6-11 -- build libcurl with c-ares support (#514771) - -* Sun Sep 27 2009 Kamil Dudka 7.19.6-10 -- require libssh2>=1.2 properly (#525002) - -* Sat Sep 26 2009 Kamil Dudka 7.19.6-9 -- let curl test-suite use valgrind -- require libssh2>=1.2 (#525002) - -* Mon Sep 21 2009 Chris Weyl - 7.19.6-8 -- rebuild for libssh2 1.2 - -* Thu Sep 17 2009 Kamil Dudka 7.19.6-7 -- make curl test-suite more verbose - -* Wed Sep 16 2009 Kamil Dudka 7.19.6-6 -- update polling patch to the latest upstream version - -* Thu Sep 03 2009 Kamil Dudka 7.19.6-5 -- cover ssh and stunnel support by the test-suite - -* Wed Sep 02 2009 Kamil Dudka 7.19.6-4 -- use pkg-config to find nss and libssh2 if possible -- better patch (not only) for SCP/SFTP polling -- improve error message for not matching common name (#516056) - -* Fri Aug 21 2009 Kamil Dudka 7.19.6-3 -- avoid tight loop during a sftp upload -- http://permalink.gmane.org/gmane.comp.web.curl.library/24744 - -* Tue Aug 18 2009 Kamil Dudka 7.19.6-2 -- let curl package depend on the same version of libcurl - 
-* Fri Aug 14 2009 Kamil Dudka 7.19.6-1 -- new upstream release, dropped applied patches -- changed NSS code to not ignore the value of ssl.verifyhost and produce more - verbose error messages (#516056) - -* Wed Aug 12 2009 Ville Skyttä - 7.19.5-10 -- Use lzma compressed upstream tarball. - -* Fri Jul 24 2009 Fedora Release Engineering - 7.19.5-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Wed Jul 22 2009 Kamil Dudka 7.19.5-8 -- do not pre-login to all PKCS11 slots, it causes problems with HW tokens -- try to select client certificate automatically when not specified, thanks - to Claes Jakobsson - -* Fri Jul 10 2009 Kamil Dudka 7.19.5-7 -- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson - -* Sun Jul 05 2009 Kamil Dudka 7.19.5-6 -- force test suite to use the just built libcurl, thanks to Paul Howarth - -* Thu Jul 02 2009 Kamil Dudka 7.19.5-5 -- run test suite after build -- enable built-in manual - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-4 -- fix bug introduced by the last build (#504857) - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-3 -- exclude curlbuild.h content from spec (#504857) - -* Wed Jun 10 2009 Kamil Dudka 7.19.5-2 -- avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857) - -* Tue May 19 2009 Kamil Dudka 7.19.5-1 -- update to 7.19.5, dropped applied patches - -* Mon May 11 2009 Kamil Dudka 7.19.4-11 -- fix infinite loop while loading a private key, thanks to Michael Cronenworth - (#453612) - -* Mon Apr 27 2009 Kamil Dudka 7.19.4-10 -- fix curl/nss memory leaks while using client certificate (#453612, accepted - by upstream) - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-9 -- add missing BuildRequire for autoconf - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-8 -- fix configure.ac to not discard -g in CFLAGS (#496778) - -* Tue Apr 21 2009 Debarshi Ray 7.19.4-7 -- Fixed configure to respect the environment's CFLAGS and CPPFLAGS settings. 
- -* Tue Apr 14 2009 Kamil Dudka 7.19.4-6 -- upstream patch fixing memory leak in lib/nss.c (#453612) -- remove redundant dependency of libcurl-devel on libssh2-devel - -* Wed Mar 18 2009 Kamil Dudka 7.19.4-5 -- enable 6 additional crypto algorithms by default (#436781, - accepted by upstream) - -* Thu Mar 12 2009 Kamil Dudka 7.19.4-4 -- fix memory leak in src/main.c (accepted by upstream) -- avoid using %%ifarch - -* Wed Mar 11 2009 Kamil Dudka 7.19.4-3 -- make libcurl-devel multilib-ready (bug #488922) - -* Fri Mar 06 2009 Jindrich Novy 7.19.4-2 -- drop .easy-leak patch, causes problems in pycurl (#488791) -- fix libcurl-devel dependencies (#488895) - -* Tue Mar 03 2009 Jindrich Novy 7.19.4-1 -- update to 7.19.4 (fixes CVE-2009-0037) -- fix leak in curl_easy* functions, thanks to Kamil Dudka -- drop nss-fix patch, applied upstream - -* Tue Feb 24 2009 Fedora Release Engineering - 7.19.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 17 2009 Kamil Dudka 7.19.3-1 -- update to 7.19.3, dropped applied nss patches -- add patch fixing 7.19.3 curl/nss bugs - -* Mon Dec 15 2008 Jindrich Novy 7.18.2-9 -- rebuild for f10/rawhide cvs tag clashes - -* Sat Dec 06 2008 Jindrich Novy 7.18.2-8 -- use improved NSS patch, thanks to Rob Crittenden (#472489) - -* Tue Sep 09 2008 Jindrich Novy 7.18.2-7 -- update the thread safety patch, thanks to Rob Crittenden (#462217) - -* Wed Sep 03 2008 Warren Togami 7.18.2-6 -- add thread safety to libcurl NSS cleanup() functions (#459297) - -* Fri Aug 22 2008 Tom "spot" Callaway 7.18.2-5 -- undo mini libcurl.so.3 - -* Mon Aug 11 2008 Tom "spot" Callaway 7.18.2-4 -- make miniature library for libcurl.so.3 - -* Fri Jul 4 2008 Jindrich Novy 7.18.2-3 -- enable support for libssh2 (#453958) - -* Wed Jun 18 2008 Jindrich Novy 7.18.2-2 -- fix curl_multi_perform() over a proxy (#450140), thanks to - Rob Crittenden - -* Wed Jun 4 2008 Jindrich Novy 7.18.2-1 -- update to 7.18.2 - -* Wed May 7 2008 Jindrich Novy 
7.18.1-2 -- spec cleanup, thanks to Paul Howarth (#225671) - - drop BR: libtool - - convert CHANGES and README to UTF-8 - - _GNU_SOURCE in CFLAGS is no more needed - - remove bogus rpath - -* Mon Mar 31 2008 Jindrich Novy 7.18.1-1 -- update to curl 7.18.1 (fixes #397911) -- add ABI docs for libcurl -- remove --static-libs from curl-config -- drop curl-config patch, obsoleted by @SSL_ENABLED@ autoconf - substitution (#432667) - -* Fri Feb 15 2008 Jindrich Novy 7.18.0-2 -- define _GNU_SOURCE so that NI_MAXHOST gets defined from glibc - -* Mon Jan 28 2008 Jindrich Novy 7.18.0-1 -- update to curl-7.18.0 -- drop sslgen patch -> applied upstream -- fix typo in description - -* Tue Jan 22 2008 Jindrich Novy 7.17.1-6 -- fix curl-devel obsoletes so that we don't break F8->F9 upgrade - path (#429612) - -* Tue Jan 8 2008 Jindrich Novy 7.17.1-5 -- do not attempt to close a bad socket (#427966), - thanks to Caolan McNamara - -* Tue Dec 4 2007 Jindrich Novy 7.17.1-4 -- rebuild because of the openldap soname bump -- remove old nsspem patch - -* Fri Nov 30 2007 Jindrich Novy 7.17.1-3 -- drop useless ldap library detection since curl doesn't - dlopen()s it but links to it -> BR: openldap-devel -- enable LDAPS support (#225671), thanks to Paul Howarth -- BR: krb5-devel to reenable GSSAPI support -- simplify build process -- update description - -* Wed Nov 21 2007 Jindrich Novy 7.17.1-2 -- update description to contain complete supported servers list (#393861) - -* Sat Nov 17 2007 Jindrich Novy 7.17.1-1 -- update to curl 7.17.1 -- include patch to enable SSL usage in NSS when a socket is opened - nonblocking, thanks to Rob Crittenden (rcritten@redhat.com) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-10 -- correctly provide/obsolete curl-devel (#130251) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-9 -- create libcurl and libcurl-devel subpackages (#130251) - -* Thu Oct 11 2007 Jindrich Novy 7.16.4-8 -- list features correctly when curl is compiled against NSS (#316191) - -* Mon Sep 17 2007 
Jindrich Novy 7.16.4-7 -- add zlib-devel BR to enable gzip compressed transfers in curl (#292211) - -* Mon Sep 10 2007 Jindrich Novy 7.16.4-6 -- provide webclient (#225671) - -* Thu Sep 6 2007 Jindrich Novy 7.16.4-5 -- add support for the NSS PKCS#11 pem reader so the command-line is the - same for both OpenSSL and NSS by Rob Crittenden (rcritten@redhat.com) -- switch to NSS again - -* Mon Sep 3 2007 Jindrich Novy 7.16.4-4 -- revert back to use OpenSSL (#266021) - -* Mon Aug 27 2007 Jindrich Novy 7.16.4-3 -- don't use openssl, use nss instead - -* Fri Aug 10 2007 Jindrich Novy 7.16.4-2 -- fix anonymous ftp login (#251570), thanks to David Cantrell - -* Wed Jul 11 2007 Jindrich Novy 7.16.4-1 -- update to 7.16.4 - -* Mon Jun 25 2007 Jindrich Novy 7.16.3-1 -- update to 7.16.3 -- drop .print patch, applied upstream -- next series of merge review fixes by Paul Howarth -- remove aclocal stuff, no more needed -- simplify makefile arguments -- don't reference standard library paths in libcurl.pc -- include docs/CONTRIBUTE - -* Mon Jun 18 2007 Jindrich Novy 7.16.2-5 -- don't print like crazy (#236981), backported from upstream CVS - -* Fri Jun 15 2007 Jindrich Novy 7.16.2-4 -- another series of review fixes (#225671), - thanks to Paul Howarth -- check version of ldap library automatically -- don't use %%makeinstall and preserve timestamps -- drop useless patches - -* Fri May 11 2007 Jindrich Novy 7.16.2-3 -- add automake BR to curl-devel to fix aclocal dir. 
ownership, - thanks to Patrice Dumas - -* Thu May 10 2007 Jindrich Novy 7.16.2-2 -- package libcurl.m4 in curl-devel (#239664), thanks to Quy Tonthat - -* Wed Apr 11 2007 Jindrich Novy 7.16.2-1 -- update to 7.16.2 - -* Mon Feb 19 2007 Jindrich Novy 7.16.1-3 -- don't create/ship static libraries (#225671) - -* Mon Feb 5 2007 Jindrich Novy 7.16.1-2 -- merge review related spec fixes (#225671) - -* Mon Jan 29 2007 Jindrich Novy 7.16.1-1 -- update to 7.16.1 - -* Tue Jan 16 2007 Jindrich Novy 7.16.0-5 -- don't package generated makefiles for docs/examples to avoid - multilib conflicts - -* Mon Dec 18 2006 Jindrich Novy 7.16.0-4 -- convert spec to UTF-8 -- don't delete BuildRoot in %%prep phase -- rpmlint fixes - -* Thu Nov 16 2006 Jindrich Novy -7.16.0-3 -- prevent curl from dlopen()ing missing ldap libraries so that - ldap:// requests work (#215928) - -* Tue Oct 31 2006 Jindrich Novy - 7.16.0-2 -- fix BuildRoot -- add Requires: pkgconfig for curl-devel -- move LDFLAGS and LIBS to Libs.private in libcurl.pc.in (#213278) - -* Mon Oct 30 2006 Jindrich Novy - 7.16.0-1 -- update to curl-7.16.0 - -* Thu Aug 24 2006 Jindrich Novy - 7.15.5-1.fc6 -- update to curl-7.15.5 -- use %%{?dist} - -* Fri Jun 30 2006 Ivana Varekova - 7.15.4-1 -- update to 7.15.4 - -* Mon Mar 20 2006 Ivana Varekova - 7.15.3-1 -- fix multilib problem using pkg-config -- update to 7.15.3 - -* Thu Feb 23 2006 Ivana Varekova - 7.15.1-2 -- fix multilib problem - #181290 - - curl-devel.i386 not installable together with curl-devel.x86-64 - -* Fri Feb 10 2006 Jesse Keating - 7.15.1-1.2.1 -- bump again for double-long bug on ppc(64) - -* Tue Feb 07 2006 Jesse Keating - 7.15.1-1.2 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Fri Dec 09 2005 Jesse Keating -- rebuilt - -* Thu Dec 8 2005 Ivana Varekova 7.15.1-1 -- update to 7.15.1 (bug 175191) - -* Wed Nov 30 2005 Ivana Varekova 7.15.0-3 -- fix curl-config bug 174556 - missing vernum value - -* Wed Nov 9 2005 Ivana Varekova 7.15.0-2 -- rebuilt - -* Tue 
Oct 18 2005 Ivana Varekova 7.15.0-1 -- update to 7.15.0 - -* Thu Oct 13 2005 Ivana Varekova 7.14.1-1 -- update to 7.14.1 - -* Thu Jun 16 2005 Ivana Varekova 7.14.0-1 -- rebuild new version - -* Tue May 03 2005 Ivana Varekova 7.13.1-3 -- fix bug 150768 - curl-7.12.3-2 breaks basic authentication - used Daniel Stenberg patch - -* Mon Apr 25 2005 Joe Orton 7.13.1-2 -- update to use ca-bundle in /etc/pki -- mark License as MIT not MPL - -* Wed Mar 9 2005 Ivana Varekova 7.13.1-1 -- rebuilt (7.13.1) - -* Tue Mar 1 2005 Tomas Mraz 7.13.0-2 -- rebuild with openssl-0.9.7e - -* Sun Feb 13 2005 Florian La Roche -- 7.13.0 - -* Wed Feb 9 2005 Joe Orton 7.12.3-3 -- don't pass /usr to --with-libidn to remove "-L/usr/lib" from - 'curl-config --libs' output on x86_64. - -* Fri Jan 28 2005 Adrian Havill 7.12.3-1 -- Upgrade to 7.12.3, which uses poll() for FDSETSIZE limit (#134794) -- require libidn-devel for devel subpkg (#141341) -- remove proftpd kludge; included upstream - -* Wed Oct 06 2004 Adrian Havill 7.12.1-1 -- upgrade to 7.12.1 -- enable GSSAPI auth (#129353) -- enable I18N domain names (#134595) -- workaround for broken ProFTPD SSL auth (#134133). 
Thanks to - Aleksandar Milivojevic - -* Wed Sep 29 2004 Adrian Havill 7.12.0-4 -- move new docs position so defattr gets applied - -* Mon Sep 27 2004 Warren Togami 7.12.0-3 -- remove INSTALL, move libcurl docs to -devel - -* Mon Jul 26 2004 Jindrich Novy -- updated to 7.12.0 -- updated nousr patch - -* Tue Jun 15 2004 Elliot Lee -- rebuilt - -* Wed Apr 07 2004 Adrian Havill 7.11.1-1 -- upgraded; updated nousr patch -- added COPYING (#115956) -- - -* Tue Mar 02 2004 Elliot Lee -- rebuilt - -* Fri Feb 13 2004 Elliot Lee -- rebuilt - -* Sat Jan 31 2004 Florian La Roche -- update to 7.10.8 -- remove patch2, already upstream - -* Wed Oct 15 2003 Adrian Havill 7.10.6-7 -- aclocal before libtoolize -- move OpenLDAP license so it's present as a doc file, present in - both the source and binary as per conditions - -* Mon Oct 13 2003 Adrian Havill 7.10.6-6 -- add OpenLDAP copyright notice for usage of code, add OpenLDAP - license for this code - -* Tue Oct 07 2003 Adrian Havill 7.10.6-5 -- match serverAltName certs with SSL (#106168) - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4.1 -- bump n-v-r for RHEL - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4 -- restore ca cert bundle (#104400) -- require openssl, we want to use its ca-cert bundle - -* Sun Sep 7 2003 Joe Orton 7.10.6-3 -- rebuild - -* Fri Sep 5 2003 Joe Orton 7.10.6-2.2 -- fix to include libcurl.so - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2.1 -- bump n-v-r for RHEL - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2 -- devel subpkg needs openssl-devel as a Require (#102963) - -* Mon Jul 28 2003 Adrian Havill 7.10.6-1 -- bumped version - -* Tue Jul 01 2003 Adrian Havill 7.10.5-1 -- bumped version - -* Wed Jun 04 2003 Elliot Lee -- rebuilt - -* Sat Apr 12 2003 Florian La Roche -- update to 7.10.4 -- adapt nousr patch - -* Wed Jan 22 2003 Tim Powers -- rebuilt - -* Tue Jan 21 2003 Joe Orton 7.9.8-4 -- don't add -L/usr/lib to 'curl-config --libs' output - -* Tue Jan 7 2003 Nalin Dahyabhai 7.9.8-3 -- rebuild - -* Wed Nov 6 2002 Joe 
Orton 7.9.8-2 -- fix `curl-config --libs` output for libdir!=/usr/lib -- remove docs/LIBCURL from docs list; remove unpackaged libcurl.la -- libtoolize and reconf - -* Mon Jul 22 2002 Trond Eivind Glomsrød 7.9.8-1 -- 7.9.8 (# 69473) - -* Fri Jun 21 2002 Tim Powers -- automated rebuild - -* Sun May 26 2002 Tim Powers -- automated rebuild - -* Thu May 16 2002 Trond Eivind Glomsrød 7.9.7-1 -- 7.9.7 - -* Wed Apr 24 2002 Trond Eivind Glomsrød 7.9.6-1 -- 7.9.6 - -* Thu Mar 21 2002 Trond Eivind Glomsrød 7.9.5-2 -- Stop the curl-config script from printing -I/usr/include - and -L/usr/lib (#59497) - -* Fri Mar 8 2002 Trond Eivind Glomsrød 7.9.5-1 -- 7.9.5 - -* Tue Feb 26 2002 Trond Eivind Glomsrød 7.9.3-2 -- Rebuild - -* Wed Jan 23 2002 Nalin Dahyabhai 7.9.3-1 -- update to 7.9.3 - -* Wed Jan 09 2002 Tim Powers 7.9.2-2 -- automated rebuild - -* Wed Jan 9 2002 Trond Eivind Glomsrød 7.9.2-1 -- 7.9.2 - -* Fri Aug 17 2001 Nalin Dahyabhai -- include curl-config in curl-devel -- update to 7.8 to fix memory leak and strlcat() symbol pollution from libcurl - -* Wed Jul 18 2001 Crutcher Dunnavant -- added openssl-devel build req - -* Mon May 21 2001 Tim Powers -- built for the distro - -* Tue Apr 24 2001 Jeff Johnson -- upgrade to curl-7.7.2. -- enable IPv6. - -* Fri Mar 2 2001 Tim Powers -- rebuilt against openssl-0.9.6-1 - -* Thu Jan 4 2001 Tim Powers -- fixed mising ldconfigs -- updated to 7.5.2, bug fixes - -* Mon Dec 11 2000 Tim Powers -- updated to 7.5.1 - -* Mon Nov 6 2000 Tim Powers -- update to 7.4.1 to fix bug #20337, problems with curl -c -- not using patch anymore, it's included in the new source. 
Keeping - for reference - -* Fri Oct 20 2000 Nalin Dahyabhai -- fix bogus req in -devel package - -* Fri Oct 20 2000 Tim Powers -- devel package needed defattr so that root owns the files - -* Mon Oct 16 2000 Nalin Dahyabhai -- update to 7.3 -- apply vsprintf/vsnprintf patch from Colin Phipps via Debian - -* Mon Aug 21 2000 Nalin Dahyabhai -- enable SSL support -- fix packager tag -- move buildroot to %%{_tmppath} - -* Tue Aug 1 2000 Tim Powers -- fixed vendor tag for bug #15028 - -* Mon Jul 24 2000 Prospector -- rebuilt - -* Tue Jul 11 2000 Tim Powers -- workaround alpha build problems with optimizations - -* Mon Jul 10 2000 Tim Powers -- rebuilt - -* Mon Jun 5 2000 Tim Powers -- put man pages in correct place -- use %%makeinstall - -* Mon Apr 24 2000 Tim Powers -- updated to 6.5.2 - -* Wed Nov 3 1999 Tim Powers -- updated sources to 6.2 -- gzip man page - -* Mon Aug 30 1999 Tim Powers -- changed group - -* Thu Aug 26 1999 Tim Powers -- changelog started -- general cleanups, changed prefix to /usr, added manpage to files section -- including in Powertools From c0b70e927f358df34598d6ab38da54ea04676a2e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 17 May 2023 09:28:55 +0200 Subject: [PATCH 031/108] new upstream release - 8.1.0 Resolves: CVE-2023-28321 - IDN wildcard match Resolves: CVE-2023-28322 - more POST-after-PUT confusion --- 0103-curl-7.87.0-test3012.patch | 2 +- 0104-curl-7.88.0-tests-warnings.patch | 10 +-- 0105-curl-8.0.1-tests-stunnel-port.patch | 97 ------------------------ curl.spec | 13 ++-- sources | 4 +- 5 files changed, 16 insertions(+), 110 deletions(-) delete mode 100644 0105-curl-8.0.1-tests-stunnel-port.patch diff --git a/0103-curl-7.87.0-test3012.patch b/0103-curl-7.87.0-test3012.patch index 108d715..1de7ff3 100644 --- a/0103-curl-7.87.0-test3012.patch +++ b/0103-curl-7.87.0-test3012.patch @@ -38,7 +38,7 @@ index 1889c93..ea43a49 100644 --- a/tests/data/test3012 +++ b/tests/data/test3012 @@ -56,5 +56,9 @@ Accept: */* - + -foo- + 
diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch index dff89f9..04b2ba2 100644 --- a/0104-curl-7.88.0-tests-warnings.patch +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -15,16 +15,16 @@ diff --git a/tests/runtests.pl b/tests/runtests.pl index 71644ad18..0cf85c3fe 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl -@@ -75,8 +75,7 @@ BEGIN { - } +@@ -55,8 +55,7 @@ + # given, this won't be a problem. use strict; -# Promote all warnings to fatal -use warnings FATAL => 'all'; +use warnings; - use Cwd; - use Digest::MD5 qw(md5); - use MIME::Base64; + use 5.006; + + # These should be the only variables that might be needed to get edited: -- 2.39.1 diff --git a/0105-curl-8.0.1-tests-stunnel-port.patch b/0105-curl-8.0.1-tests-stunnel-port.patch deleted file mode 100644 index 47d1419..0000000 --- a/0105-curl-8.0.1-tests-stunnel-port.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From c9a1d18e5f8f28b90c1b2fcc1f15699327067e59 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 21 Apr 2023 17:44:10 +0200 -Subject: [PATCH] tests/runtests.pl: attempt to fix a conflict on port numbers - -... where stunnel listens for legacy HTTPS and HTTP/2, which manifests -as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 -1941 1945 2050 2055 3028 -``` -[...] -startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 -RUN: HTTPS server is PID 114398 port 24642 -* pid https => 114398 114402 -[...] -startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 -startnew: child process has died, server might start up -Warning: http2 server unexpectedly alive -RUN: Process with pid 73992 signalled to die -RUN: Process with pid 73992 forced to die with SIGKILL -== Contents of files in the log/ dir after test 1630 -=== Start of file http2_server.log - 14:01:21.881018 exit_signal_handler: 15 - 14:01:21.881372 signalled to die - 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) -=== End of file http2_server.log -=== Start of file https2_stunnel.log - [ ] Initializing inetd mode configuration - [ ] Clients allowed=500 - [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform - [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 - [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI - [ ] errno: (*__errno_location ()) - [ ] Initializing inetd mode configuration - [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf - [.] UTF-8 byte order mark not detected - [.] 
FIPS mode disabled - [ ] Compression disabled - [ ] No PRNG seeding was required - [ ] Initializing service [curltest] - [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. - [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly - [ ] stunnel default security level set: 2 - [ ] Ciphers: PROFILE=SYSTEM - [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 - [ ] TLS options: 0x2100000 (+0x0, -0x0) - [ ] Session resumption enabled - [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Private key check succeeded - [!] No trusted certificates found - [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 - [ ] DH initialization - [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Using dynamic DH parameters - [ ] ECDH initialization - [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 - [.] Configuration successful - [ ] Deallocating deployed section defaults - [ ] Binding service [curltest] - [ ] Listening file descriptor created (FD=8) - [ ] Setting accept socket options (FD=8) - [ ] Option SO_REUSEADDR set on accept socket - [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) - [ ] Listening file descriptor created (FD=8) - [ ] Setting accept socket options (FD=8) - [ ] Option SO_REUSEADDR set on accept socket - [.] Binding service [curltest] to :::24642: Address already in use (98) - [!] 
Binding service [curltest] failed - [ ] Unbinding service [curltest] - [ ] Service [curltest] closed - [ ] Deallocating deployed section defaults - [ ] Deallocating section [curltest] - [ ] Initializing inetd mode configuration -=== End of file https2_stunnel.log -``` ---- - tests/runtests.pl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index 54f6923..bb362c9 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -1802,7 +1802,7 @@ sub runhttpsserver { - - my $pid2; - my $httpspid; -- my $port = 24512; # start attempt -+ my $port = 24512 * $idnum; # start attempt - for (1 .. 10) { - $port += int(rand(600)); - my $options = "$flags --accept $port"; --- -2.39.2 - diff --git a/curl.spec b/curl.spec index b41cf59..6caa923 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.0.1 -Release: 3%{?dist} +Version: 8.1.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -22,9 +22,6 @@ Patch103: 0103-curl-7.87.0-test3012.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch -# tests: attempt to fix a conflict on port numbers -Patch105: 0105-curl-8.0.1-tests-stunnel-port.patch - Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -84,6 +81,7 @@ BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) BuildRequires: perl(IPC::Open2) +BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) BuildRequires: perl(Time::Local) BuildRequires: perl(Time::HiRes) 
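Review bot: The removal of `Patch105: 0105-curl-8.0.1-tests-stunnel-port.patch` in the `@@ -22,9 +22,6 @@` hunk is undocumented: neither the commit message nor the 8.1.0-1 changelog entry says why the stunnel port-conflict workaround is no longer needed. If the 8.1.0 test driver resolves the conflict upstream, a changelog line such as `- drop 0105-curl-8.0.1-tests-stunnel-port.patch, no longer needed with 8.1.0` would record that; if it was dropped only because it no longer applies, the intermittent test failures it worked around may come back and that is worth stating too. The `BuildRequires: perl(Memoize)` hunk on the same line needs nothing.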
@@ -407,6 +405,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 17 2023 Kamil Dudka - 8.1.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-28321 - IDN wildcard match + CVE-2023-28322 - more POST-after-PUT confusion + * Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 - tests: re-enable temporarily disabled test-cases - tests: attempt to fix a conflict on port numbers diff --git a/sources b/sources index fe0a4ce..f60ca98 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.0.1.tar.xz) = 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d -SHA512 (curl-8.0.1.tar.xz.asc) = 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf +SHA512 (curl-8.1.0.tar.xz) = b99926f372ddd715cd1d2b54d8fb96b26b085e6501715e25aa57b6c6a7f8452473506ddb284e2f280f8afdb301b7f0c3bfde7ad7ed393b12c022430a9301096d +SHA512 (curl-8.1.0.tar.xz.asc) = 191a74c7a6b6aa78b7f36e1535fda0701bde8b333a61c90343e1f1b2d65cc5097b5febc5fa42b2f373795ef1b34078790deaaa71c8aaa45eed1c753729a45f3d From 4da3349c052a3dbc42320f3dbca35ed5fb60fbaf Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 17 May 2023 09:55:40 +0200 Subject: [PATCH 032/108] drop 0103-curl-7.87.0-test3012.patch The related valgrind bug has been fixed https://bugzilla.redhat.com/2143040 --- 0103-curl-7.87.0-test3012.patch | 52 --------------------------------- curl.spec | 3 -- 2 files changed, 55 deletions(-) delete mode 100644 0103-curl-7.87.0-test3012.patch diff --git a/0103-curl-7.87.0-test3012.patch b/0103-curl-7.87.0-test3012.patch deleted file mode 100644 index 1de7ff3..0000000 --- a/0103-curl-7.87.0-test3012.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 0d0a256c8e7f6261d49e1bdd583c04c0e5dfe706 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 11 Jan 2023 08:53:05 +0100 -Subject: [PATCH] test3012: disable valgrind - -valgrind reports a call to memcpy() with overlapping blocks by mistake: -``` -test 3012...[--output-dir with -J] -../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind3012 ../src/curl --trace-ascii log/trace3012 --trace-time http://127.0.0.1:35981/this/is/the/3012 -OJ --output-dir /root/rpmbuild/BUILD/curl-7.86.0/build-minimal/tests/log >log/stdout3012 2>log/stderr3012 -CMD (0): ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind3012 ../src/curl --trace-ascii log/trace3012 --trace-time http://127.0.0.1:35981/this/is/the/3012 -OJ --output-dir /root/rpmbuild/BUILD/curl-7.86.0/build-minimal/tests/log >log/stdout3012 2>log/stderr3012 - valgrind ERROR ==496584== Source and destination overlap in memcpy_chk(0x54ad1a0, 0x54ad1a1, 11) -==496584== at 0x484C332: __memcpy_chk (vg_replace_strmem.c:1741) -==496584== by 0x118FDB: UnknownInlinedFun (string_fortified.h:36) -==496584== by 0x118FDB: UnknownInlinedFun (tool_cb_hdr.c:301) -==496584== by 0x118FDB: tool_header_cb (tool_cb_hdr.c:173) -==496584== by 0x489907B: chop_write.lto_priv.0 (sendf.c:620) -==496584== by 0x489CDD1: UnknownInlinedFun (http.c:4449) -==496584== by 0x489CDD1: UnknownInlinedFun (transfer.c:633) -==496584== by 0x489CDD1: Curl_readwrite (transfer.c:1219) -==496584== by 0x488C116: multi_runsingle (multi.c:2404) -==496584== by 0x488F491: curl_multi_perform (multi.c:2682) -==496584== by 0x486A9DA: UnknownInlinedFun (easy.c:663) -==496584== by 0x486A9DA: UnknownInlinedFun (easy.c:753) -==496584== by 0x486A9DA: curl_easy_perform (easy.c:772) -==496584== by 0x114B28: UnknownInlinedFun 
(tool_operate.c:2406) -==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2594) -==496584== by 0x114B28: UnknownInlinedFun (tool_operate.c:2706) -==496584== by 0x114B28: main (tool_main.c:284) -``` - -Bug: https://bugzilla.redhat.com/2143040 ---- - tests/data/test3012 | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/tests/data/test3012 b/tests/data/test3012 -index 1889c93..ea43a49 100644 ---- a/tests/data/test3012 -+++ b/tests/data/test3012 -@@ -56,5 +56,9 @@ Accept: */* - - -foo- - -+ -+ -+disable -+ - - --- -2.39.0 - diff --git a/curl.spec b/curl.spec index 6caa923..1a0f830 100644 --- a/curl.spec +++ b/curl.spec @@ -16,9 +16,6 @@ Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch -# test3012: temporarily disable valgrind (#2143040) -Patch103: 0103-curl-7.87.0-test3012.patch - # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch From fa58a15ce67d2e5d68f7629acd230a78ff1034b0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 17 May 2023 12:11:00 +0200 Subject: [PATCH 033/108] add BR for perl(base) needed by the test-suite --- curl.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/curl.spec b/curl.spec index 1a0f830..255e7cd 100644 --- a/curl.spec +++ b/curl.spec @@ -70,6 +70,7 @@ BuildRequires: hostname BuildRequires: nghttp2 # perl modules used in the test suite +BuildRequires: perl(base) BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) BuildRequires: perl(Digest::SHA) From 6beac072292c9c0ce88dd00d2be0257eca27d38e Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Wed, 17 May 2023 13:12:45 +0100 Subject: [PATCH 034/108] Ignore lzma-compressed tarballs from old releases --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index d7bfa33..c5a82f4 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,2 +1,4 @@ +/curl-[0-9.]*.tar.lzma +/curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc From dc1838de584fd131fd3714807b1396d9e469002d Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Wed, 17 May 2023 13:14:43 +0100 Subject: [PATCH 035/108] Additional test suite dependencies --- curl.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 255e7cd..fb65da1 100644 --- a/curl.spec +++ b/curl.spec @@ -70,7 +70,9 @@ BuildRequires: hostname BuildRequires: nghttp2 # perl modules used in the test suite +BuildRequires: perl(B) BuildRequires: perl(base) +BuildRequires: perl(constant) BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) BuildRequires: perl(Digest::SHA) @@ -79,10 +81,13 @@ BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) BuildRequires: perl(IPC::Open2) +BuildRequires: perl(List::Util) BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) -BuildRequires: perl(Time::Local) +BuildRequires: perl(POSIX) +BuildRequires: perl(Storable) BuildRequires: perl(Time::HiRes) +BuildRequires: perl(Time::Local) BuildRequires: perl(vars) %if 0%{?fedora} From d31965bf5b22057013b93a03c0e47879956aa329 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 23 May 2023 10:07:28 +0200 Subject: [PATCH 036/108] new upstream release - 8.1.1 Resolves: #2209217 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index fb65da1..defad36 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.1.0 +Version: 8.1.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz 
@@ -408,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue May 23 2023 Jan Macku - 8.1.1-1 +- new upstream release, with small bugfixes and improvements + * Wed May 17 2023 Kamil Dudka - 8.1.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-28321 - IDN wildcard match diff --git a/sources b/sources index f60ca98..83f1628 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.1.0.tar.xz) = b99926f372ddd715cd1d2b54d8fb96b26b085e6501715e25aa57b6c6a7f8452473506ddb284e2f280f8afdb301b7f0c3bfde7ad7ed393b12c022430a9301096d -SHA512 (curl-8.1.0.tar.xz.asc) = 191a74c7a6b6aa78b7f36e1535fda0701bde8b333a61c90343e1f1b2d65cc5097b5febc5fa42b2f373795ef1b34078790deaaa71c8aaa45eed1c753729a45f3d +SHA512 (curl-8.1.1.tar.xz) = d034b1ab9c00e8a0acf7ba6c6344734945d45666b4f38394f5456fcd9b22623146a897270861b7411412ca25c912e1bbf24eb139a6dfc1a8c00d098b3b925399 +SHA512 (curl-8.1.1.tar.xz.asc) = 6a71c18d67de8c340b5d80c7452a82c00f7ef466f690eec12edcd6123aee6866e8a0e757e1cc6c9af87a63fdeaafbc9fc1b1a4e2e0fd8a75b5952d4738fd0b27 From f91221e9d701cc0d8d40261855558d003dbb4024 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 30 May 2023 10:05:35 +0200 Subject: [PATCH 037/108] new upstream release - 8.1.2 Resolves: #2210976 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index defad36..41c8643 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.1.1 +Version: 8.1.2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz 
@@ -408,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue May 30 2023 Jan Macku - 8.1.2-1 +- new upstream release, with small bugfixes and improvements + * Tue May 23 2023 Jan Macku - 8.1.1-1 - new upstream release, with small bugfixes and improvements diff --git a/sources b/sources index 83f1628..f4ba12c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.1.1.tar.xz) = d034b1ab9c00e8a0acf7ba6c6344734945d45666b4f38394f5456fcd9b22623146a897270861b7411412ca25c912e1bbf24eb139a6dfc1a8c00d098b3b925399 -SHA512 (curl-8.1.1.tar.xz.asc) = 6a71c18d67de8c340b5d80c7452a82c00f7ef466f690eec12edcd6123aee6866e8a0e757e1cc6c9af87a63fdeaafbc9fc1b1a4e2e0fd8a75b5952d4738fd0b27 +SHA512 (curl-8.1.2.tar.xz) = 532ab96eba6dea66d272f3be56f5af5c5da922480f9a10e203de98037c311f12f8145ba6bf813831e42815e068874ccfd108f84f7650743f5dbb3ebc3bc9c4f4 +SHA512 (curl-8.1.2.tar.xz.asc) = d120299a2d59259aeb19ae0fa3a3e181e25b6927677187037c61a0901879956177ce8dda10764073a47848f81dcbbcb94e0b6008742994042b6b8fd194e169c3 From de1364bf2c55ec7312f6bcc1d79acaaba766bfd9 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 19 Jul 2023 13:44:49 +0200 Subject: [PATCH 038/108] new upstream release - 8.2.0 Resolves: CVE-2023-32001 - fopen race condition --- curl.spec | 6 +++++- sources | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 41c8643..47663c7 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.1.2 +Version: 8.2.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz 
@@ -408,6 +408,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 19 2023 Jan Macku - 8.2.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-32001 - fopen race condition + * Tue May 30 2023 Jan Macku - 8.1.2-1 - new upstream release, with small bugfixes and improvements diff --git a/sources b/sources index f4ba12c..0a72bc7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.1.2.tar.xz) = 532ab96eba6dea66d272f3be56f5af5c5da922480f9a10e203de98037c311f12f8145ba6bf813831e42815e068874ccfd108f84f7650743f5dbb3ebc3bc9c4f4 -SHA512 (curl-8.1.2.tar.xz.asc) = d120299a2d59259aeb19ae0fa3a3e181e25b6927677187037c61a0901879956177ce8dda10764073a47848f81dcbbcb94e0b6008742994042b6b8fd194e169c3 +SHA512 (curl-8.2.0.tar.xz) = 3ba5f393185d28dd9430d3be4fcd293646a5456d2f7467469896561b1577e60e7a3f030955d3cc5ec6ea5c5bfa1dfb9420a1d76e583d23f01d1c74aa291351b5 +SHA512 (curl-8.2.0.tar.xz.asc) = 66005647c54bae098feebac68f2762af2e4463dc7eb8ba4c0db79590a1a7fe581ec3d2bc4fbea39729e42836b62b011a3f7c83c29bd2f00b3ce5cf875b60b187 From b64627ff52a876c0111c0802c4d6519de980b785 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Wed, 26 Jul 2023 12:40:15 +0200 Subject: [PATCH 039/108] new upstream release - 8.2.1 Resolves: rhbz#2226659 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 47663c7..66f9da5 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.2.0 +Version: 8.2.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz 
@@ -408,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 +- new upstream release (rhbz#2226659) + * Wed Jul 19 2023 Jan Macku - 8.2.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-32001 - fopen race condition diff --git a/sources b/sources index 0a72bc7..efbc09c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.2.0.tar.xz) = 3ba5f393185d28dd9430d3be4fcd293646a5456d2f7467469896561b1577e60e7a3f030955d3cc5ec6ea5c5bfa1dfb9420a1d76e583d23f01d1c74aa291351b5 -SHA512 (curl-8.2.0.tar.xz.asc) = 66005647c54bae098feebac68f2762af2e4463dc7eb8ba4c0db79590a1a7fe581ec3d2bc4fbea39729e42836b62b011a3f7c83c29bd2f00b3ce5cf875b60b187 +SHA512 (curl-8.2.1.tar.xz) = 3f78c9330c52d32b166f17829fc2be13418ef925e88f75aacad7f369e7afe00dc4a56566418730dbb845b2b284d721b08f639df322e2e1ef2dfab165c4189094 +SHA512 (curl-8.2.1.tar.xz.asc) = 31ee66a09e7bd14de949ae991c23a0b905d38407b73ae39bae6d01854d8708355c14bc4d0eab3ff931b85986d0236dd34e934eef6061f4b70739137fd0525084 From 76f5788cab9c5fa6e0ab458fbaef16737f102748 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 2 Aug 2023 14:36:11 +0200 Subject: [PATCH 040/108] enable websockets Resolves: #2224651 --- curl.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 66f9da5..2bbafff 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.2.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -268,6 +268,7 @@ export common_configure_opts=" \ --disable-telnet \ --disable-tftp \ --disable-tls-srp \ + --disable-websockets \ --without-brotli \ --without-libpsl \ --without-libssh 
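Review bot: The new `--disable-websockets` / `--enable-websockets` switches (hunks `@@ -268,6 +268,7 @@` here and `@@ -293,6 +294,7 @@` on the next line) turn on a feature that upstream still labelled experimental in the 8.2.x series as far as I recall — which is why it needs an explicit configure switch at all — and nothing in the spec or the changelog records that status. A one-line comment next to the switch in the full-build block, e.g. `# WebSocket support is opt-in/experimental upstream; enabled for #2224651`, would tell the next maintainer that this code path has had less upstream hardening than the defaults and should be re-checked on each rebase. The changelog entry `- enable websockets (#2224651)` could carry the same caveat.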
@@ -293,6 +294,7 @@ export common_configure_opts=" \ --enable-telnet \ --enable-tftp \ --enable-tls-srp \ + --enable-websockets \ --with-brotli \ --with-libpsl \ --with-libssh @@ -408,6 +410,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Aug 02 2023 Jan Macku - 8.2.1-2 +- enable websockets (#2224651) + * Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 - new upstream release (rhbz#2226659) From dd8c36f3ea85421587cc180c0edb7b43525c0284 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 13 Sep 2023 10:33:22 +0200 Subject: [PATCH 041/108] new upstream release - 8.3.0 Resolves: CVE-2023-38039 - HTTP headers eat all memory --- curl.spec | 8 ++++++-- sources | 4 ++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index 2bbafff..5c0854e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.2.1 -Release: 2%{?dist} +Version: 8.3.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -410,6 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 13 2023 Jan Macku - 8.3.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38039 - HTTP headers eat all memory + * Wed Aug 02 2023 Jan Macku - 8.2.1-2 - enable websockets (#2224651) diff --git a/sources b/sources index efbc09c..e2b2e44 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.2.1.tar.xz) = 3f78c9330c52d32b166f17829fc2be13418ef925e88f75aacad7f369e7afe00dc4a56566418730dbb845b2b284d721b08f639df322e2e1ef2dfab165c4189094 -SHA512 (curl-8.2.1.tar.xz.asc) = 31ee66a09e7bd14de949ae991c23a0b905d38407b73ae39bae6d01854d8708355c14bc4d0eab3ff931b85986d0236dd34e934eef6061f4b70739137fd0525084 +SHA512 (curl-8.3.0.tar.xz) = 6404b4c74fe1185cb482631ca3a143996cb7298d0d8a76bfafd7696e7729c00559999a069bdba782dee3f3eb273fb678a4438cb27d3deca54022878cdff83a51 +SHA512 (curl-8.3.0.tar.xz.asc) = b7d45722640ac50181b20a6d663168ec6eec6691c5604ddfe9c7177f07da598cb2de688c631043dc428c311774d781ccd16bd1e2fb4f038be651e3bee383aec4 From 554e13f7988559069134175ddc81017ca579d83e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Mon, 9 Oct 2023 10:39:43 +0200 Subject: [PATCH 042/108] tests: use newer Fedora URLs for testing ... because F36 URLs are no longer available. --- tests/non-root-user-download/runtest.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 0529a12..4d51e62 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh 
@@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM +CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" From cb17cbc66ada184c1016dc88d4573a91f9ce3481 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 11 Oct 2023 15:36:19 +0200 Subject: [PATCH 043/108] new upstream release - 8.4.0 Resolves: CVE-2023-38545 - SOCKS5 heap buffer overflow Resolves: CVE-2023-38546 - cookie injection with none file --- curl.spec | 7 ++++++- sources | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 5c0854e..f3a402c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.3.0 +Version: 8.4.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -410,6 +410,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 11 2023 Jan Macku - 8.4.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38545 - SOCKS5 heap buffer overflow + CVE-2023-38546 - cookie injection with none file + * Wed Sep 13 2023 Jan Macku - 8.3.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-38039 - HTTP headers eat all memory 
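Review bot: The new `CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20` line is a bare 64-hex-digit value with nothing saying what it is or how it was obtained; it looks like a SHA-256 taken from, or of, the Fedora 38 CHECKSUM file the two URLs point at, but the comparison happens outside this hunk so I cannot confirm. Since this commit exists precisely because the URLs had to be bumped, a comment such as `# CONTENT pairs with the CHECKSUM URLs above; update all three together` would make the next bump mechanical. Note that the `ftp://` leg is plaintext and the RHEL 7 branch adds `--insecure` (both pre-existing context), so if CONTENT is what the download is compared against it is also the only integrity check in those cases. The rest of the script, including that comparison, lies outside the hunk.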
diff --git a/sources b/sources index e2b2e44..9205220 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.3.0.tar.xz) = 6404b4c74fe1185cb482631ca3a143996cb7298d0d8a76bfafd7696e7729c00559999a069bdba782dee3f3eb273fb678a4438cb27d3deca54022878cdff83a51 -SHA512 (curl-8.3.0.tar.xz.asc) = b7d45722640ac50181b20a6d663168ec6eec6691c5604ddfe9c7177f07da598cb2de688c631043dc428c311774d781ccd16bd1e2fb4f038be651e3bee383aec4 +SHA512 (curl-8.4.0.tar.xz) = 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b +SHA512 (curl-8.4.0.tar.xz.asc) = b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e From 7d149f66f5cb4d9b9af3d383835889f3b7753a15 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 6 Dec 2023 08:50:13 +0100 Subject: [PATCH 044/108] new upstream release - 8.5.0 Resolves: CVE-2023-46218 - cookie mixed case PSL bypass Resolves: CVE-2023-46219 - HSTS long file name clears contents --- ...d-tests-errorcodes.pl-to-the-tarball.patch | 162 ++++++++++++++++++ curl.spec | 10 +- sources | 4 +- 3 files changed, 173 insertions(+), 3 deletions(-) create mode 100644 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch diff --git a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch new file mode 100644 index 0000000..4fd5490 --- /dev/null +++ b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch 
@@ -0,0 +1,162 @@ +From 8ed817e84e3a24b5902416718cf445009a032ea9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 6 Dec 2023 09:40:30 +0100 +Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball + +Used by test 1477 + +Reported-by: Xi Ruoyao +Follow-up to 0ca3a4ec9a7 +Fixes #12462 +Closes #12463 + +(cherry picked from commit da8c1d15782c8161b455a7ee90197c16ae5edb90) + +also include missing tests/errorcodes.pl + +Signed-off-by: Jan Macku +--- + tests/Makefile.am | 20 ++++----- + tests/errorcodes.pl | 99 +++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 110 insertions(+), 9 deletions(-) + create mode 100755 tests/errorcodes.pl + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 17e9ad049..c6ae7a97a 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html + PDFPAGES = testcurl.pdf runtests.pdf + MANDISTPAGES = runtests.1.dist testcurl.1.dist + +-EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \ +- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \ +- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \ +- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ +- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \ +- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \ +- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \ +- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \ +- valgrind.supp version-scan.pl check-translatable-options.pl ++EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \ ++ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \ ++ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \ ++ getpart.pm globalconfig.pm 
http-server.pl http2-server.pl http3-server.pl \ ++ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ ++ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \ ++ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 \ ++ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \ ++ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \ ++ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \ ++ check-translatable-options.pl errorcodes.pl + + DISTCLEANFILES = configurehelp.pm + +diff --git a/tests/errorcodes.pl b/tests/errorcodes.pl +new file mode 100755 +index 000000000..9c8f9e882 +--- /dev/null ++++ b/tests/errorcodes.pl +@@ -0,0 +1,99 @@ ++#!/usr/bin/env perl ++#*************************************************************************** ++# _ _ ____ _ ++# Project ___| | | | _ \| | ++# / __| | | | |_) | | ++# | (__| |_| | _ <| |___ ++# \___|\___/|_| \_\_____| ++# ++# Copyright (C) Daniel Stenberg, , et al. ++# ++# This software is licensed as described in the file COPYING, which ++# you should have received as part of this distribution. The terms ++# are also available at https://curl.se/docs/copyright.html. ++# ++# You may opt to use, copy, modify, merge, publish, distribute and/or sell ++# copies of the Software, and permit persons to whom the Software is ++# furnished to do so, under the terms of the COPYING file. ++# ++# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++# KIND, either express or implied. ++# ++# SPDX-License-Identifier: curl ++# ++########################################################################### ++ ++# Check that libcurl-errors.3 and the public header files have the same set of ++# error codes. 
++ ++use strict; ++use warnings; ++ ++# we may get the dir roots pointed out ++my $root=$ARGV[0] || "."; ++my $manpge = "$root/docs/libcurl/libcurl-errors.3"; ++my $curlh = "$root/include/curl"; ++my $errors=0; ++ ++my @hnames; ++my %wherefrom; ++my @mnames; ++my %manfrom; ++ ++sub scanheader { ++ my ($file)=@_; ++ open H, "<$file"; ++ my $line = 0; ++ while() { ++ $line++; ++ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { ++ my ($name)=($1); ++ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) { ++ push @hnames, $name; ++ if($wherefrom{$name}) { ++ print STDERR "double: $name\n"; ++ } ++ $wherefrom{$name}="$file:$line"; ++ } ++ } ++ } ++ close(H); ++} ++ ++sub scanmanpage { ++ my ($file)=@_; ++ open H, "<$file"; ++ my $line = 0; ++ while() { ++ $line++; ++ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { ++ my ($name)=($1); ++ push @mnames, $name; ++ $manfrom{$name}="$file:$line"; ++ } ++ } ++ close(H); ++} ++ ++ ++opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!"; ++my @hfiles = grep { /\.h$/ } readdir($dh); ++closedir $dh; ++ ++for(sort @hfiles) { ++ scanheader("$curlh/$_"); ++} ++scanmanpage($manpge); ++ ++print "Result\n"; ++for my $h (sort @hnames) { ++ if(!$manfrom{$h}) { ++ printf "$h from %s, not in man page\n", $wherefrom{$h}; ++ } ++} ++ ++for my $m (sort @mnames) { ++ if(!$wherefrom{$m}) { ++ printf "$m from %s, not in any header\n", $manfrom{$m}; ++ } ++} +-- +2.43.0 + diff --git a/curl.spec b/curl.spec index f3a402c..fbdebe7 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.4.0 +Version: 8.5.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz 
@@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# add missing test script tests/errorcodes.pl to the tarball +Patch001: 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -410,6 +413,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 06 2023 Jan Macku - 8.5.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-46218 - cookie mixed case PSL bypass + CVE-2023-46219 - HSTS long file name clears contents + * Wed Oct 11 2023 Jan Macku - 8.4.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2023-38545 - SOCKS5 heap buffer overflow diff --git a/sources b/sources index 9205220..6a14222 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.4.0.tar.xz) = 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b -SHA512 (curl-8.4.0.tar.xz.asc) = b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e +SHA512 (curl-8.5.0.tar.xz) = acffa2cf61d9b8e4188575a1b40227da8d722df2e5fe8bb82a222b4eb2fd64bf8aebd90852ce050c79fb5e517d5cee2546bf7de92ede1dd394263e231cb741a3 +SHA512 (curl-8.5.0.tar.xz.asc) = 9c6a2e61860878cd731d951fac1bb52cd314db20439a5173a95b48da1742737e02bfb9978d65e25de6535f839e281235203599a29f252e78e0d7a83769727329 From 3c4671bd88692f6de620dbd6907d23beb921ea7a Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jan 2024 16:32:26 +0000 Subject: [PATCH 045/108] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index fbdebe7..b5e1ef0 100644 
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.5.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -413,6 +413,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
 * Wed Dec 06 2023 Jan Macku - 8.5.0-1
 - new upstream release, which fixes the following vulnerabilities
 CVE-2023-46218 - cookie mixed case PSL bypass
From 98780da3f86dec6140fef3b7a408fe17434b0727 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Thu, 1 Feb 2024 13:07:37 +0100
Subject: [PATCH 046/108] new upstream release - 8.6.0
Resolves: CVE-2024-0853 - OCSP verification bypass with TLS session reuse
---
.gitignore | 1 +
...-curl-8.6.0-remove-duplicate-content.patch | 108 ++++++++++++
...d-tests-errorcodes.pl-to-the-tarball.patch | 162 ------------------
0101-curl-7.32.0-multilib.patch | 26 +--
curl.spec | 18 +-
sources | 4 +-
6 files changed, 138 insertions(+), 181 deletions(-)
create mode 100644 0001-curl-8.6.0-remove-duplicate-content.patch
delete mode 100644 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
diff --git a/.gitignore b/.gitignore
index c5a82f4..505a7d9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
 /curl-[0-9.]*.tar.xz.asc
+/curl-[0-9].[0-9].[0-9]/
diff --git a/0001-curl-8.6.0-remove-duplicate-content.patch b/0001-curl-8.6.0-remove-duplicate-content.patch
new file mode 100644
index 0000000..bbbb7ff
--- /dev/null
+++ b/0001-curl-8.6.0-remove-duplicate-content.patch
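Review bot: The added pattern `/curl-[0-9].[0-9].[0-9]/` matches only single-digit version components, so an unpacked source tree of a release with a two-digit component (an 8.10.x-style version, constructed example) would not be ignored, while the three tarball entries right above it use the broader `[0-9.]*`. Suggest `/curl-[0-9.]*/` to keep the file consistent with its neighbours and avoid stray source trees being offered to `git add`.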
@@ -0,0 +1,108 @@ +From 960cf3ceb40cf875b146d4d1065d9267ccb83da1 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 1 Feb 2024 12:56:31 +0100 +Subject: [PATCH 1/2] doc: remove duplicate content from curl-config.1 + +This will be resolved in next release by: +https://github.com/curl/curl/pull/12818 + +see also: https://github.com/curl/curl/issues/12840 + +Signed-off-by: Jan Macku +--- + docs/curl-config.1 | 82 ---------------------------------------------- + 1 file changed, 82 deletions(-) + +diff --git a/docs/curl-config.1 b/docs/curl-config.1 +index 186ba3a..c142cb9 100644 +--- a/docs/curl-config.1 ++++ b/docs/curl-config.1 +@@ -80,85 +80,3 @@ How do I build a single file with a one\-line command? + .fi + .SH SEE ALSO + .BR curl (1) +-.\" generated by cd2nroff 0.1 from curl-config.md +-.TH curl-config 1 "January 26 2024" curl-config +-.SH NAME +-curl\-config \- Get information about a libcurl installation +-.SH SYNOPSIS +-\fBcurl\-config [options]\fP +-.SH DESCRIPTION +-\fBcurl\-config\fP +-displays information about the curl and libcurl installation. +-.SH OPTIONS +-.IP --ca +-Displays the built\-in path to the CA cert bundle this libcurl uses. +-.IP --cc +-Displays the compiler used to build libcurl. +-.IP --cflags +-Set of compiler options (CFLAGS) to use when compiling files that use +-libcurl. Currently that is only the include path to the curl include files. +-.IP "--checkfor [version]" +-Specify the oldest possible libcurl version string you want, and this +-script will return 0 if the current installation is new enough or it +-returns 1 and outputs a text saying that the current version is not new +-enough. (Added in 7.15.4) +-.IP --configure +-Displays the arguments given to configure when building curl. +-.IP --feature +-Lists what particular main features the installed libcurl was built with. At +-the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume +-any particular order. The keywords will be separated by newlines. 
There may be +-none, one, or several keywords in the list. +-.IP --help +-Displays the available options. +-.IP --libs +-Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl. +-.IP --prefix +-This is the prefix used when libcurl was installed. Libcurl is then installed +-in $prefix/lib and its header files are installed in $prefix/include and so +-on. The prefix is set with "configure \--prefix". +-.IP --protocols +-Lists what particular protocols the installed libcurl was built to support. At +-the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE, +-TELNET, LDAP, DICT and many more. Do not assume any particular order. The +-protocols will be listed using uppercase and are separated by newlines. There +-may be none, one, or several protocols in the list. (Added in 7.13.0) +-.IP --ssl-backends +-Lists the SSL backends that were enabled when libcurl was built. It might be +-no, one or several names. If more than one name, they will appear +-comma\-separated. (Added in 7.58.0) +-.IP --static-libs +-Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl statically. (Added in 7.17.1) +-.IP --version +-Outputs version information about the installed libcurl. +-.IP --vernum +-Outputs version information about the installed libcurl, in numerical mode. +-This shows the version number, in hexadecimal, using 8 bits for each part: +-major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and +-libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be +-omitted. (This option was broken in the 7.15.0 release.) +-.SH EXAMPLES +-What linker options do I need when I link with libcurl? +-.nf +- $ curl-config --libs +-.fi +-What compiler options do I need when I compile using libcurl functions? +-.nf +- $ curl-config --cflags +-.fi +-How do I know if libcurl was built with SSL support? 
+-.nf +- $ curl-config --feature | grep SSL +-.fi +-What\(aqs the installed libcurl version? +-.nf +- $ curl-config --version +-.fi +-How do I build a single file with a one\-line command? +-.nf +- $ `curl-config --cc --cflags` -o example source.c `curl-config --libs` +-.fi +-.SH SEE ALSO +-.BR curl (1) +-- +2.43.0 + diff --git a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch deleted file mode 100644 index 4fd5490..0000000 --- a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch +++ /dev/null 
@@ -1,162 +0,0 @@ -From 8ed817e84e3a24b5902416718cf445009a032ea9 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 6 Dec 2023 09:40:30 +0100 -Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball - -Used by test 1477 - -Reported-by: Xi Ruoyao -Follow-up to 0ca3a4ec9a7 -Fixes #12462 -Closes #12463 - -(cherry picked from commit da8c1d15782c8161b455a7ee90197c16ae5edb90) - -also include missing tests/errorcodes.pl - -Signed-off-by: Jan Macku ---- - tests/Makefile.am | 20 ++++----- - tests/errorcodes.pl | 99 +++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 110 insertions(+), 9 deletions(-) - create mode 100755 tests/errorcodes.pl - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 17e9ad049..c6ae7a97a 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html - PDFPAGES = testcurl.pdf runtests.pdf - MANDISTPAGES = runtests.1.dist testcurl.1.dist - --EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \ -- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \ -- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \ -- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ -- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \ -- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \ -- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \ -- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \ -- valgrind.supp version-scan.pl check-translatable-options.pl -+EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \ -+ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \ -+ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \ -+ getpart.pm globalconfig.pm 
http-server.pl http2-server.pl http3-server.pl \ -+ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ -+ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \ -+ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 \ -+ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \ -+ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \ -+ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \ -+ check-translatable-options.pl errorcodes.pl - - DISTCLEANFILES = configurehelp.pm - -diff --git a/tests/errorcodes.pl b/tests/errorcodes.pl -new file mode 100755 -index 000000000..9c8f9e882 ---- /dev/null -+++ b/tests/errorcodes.pl -@@ -0,0 +1,99 @@ -+#!/usr/bin/env perl -+#*************************************************************************** -+# _ _ ____ _ -+# Project ___| | | | _ \| | -+# / __| | | | |_) | | -+# | (__| |_| | _ <| |___ -+# \___|\___/|_| \_\_____| -+# -+# Copyright (C) Daniel Stenberg, , et al. -+# -+# This software is licensed as described in the file COPYING, which -+# you should have received as part of this distribution. The terms -+# are also available at https://curl.se/docs/copyright.html. -+# -+# You may opt to use, copy, modify, merge, publish, distribute and/or sell -+# copies of the Software, and permit persons to whom the Software is -+# furnished to do so, under the terms of the COPYING file. -+# -+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+# KIND, either express or implied. -+# -+# SPDX-License-Identifier: curl -+# -+########################################################################### -+ -+# Check that libcurl-errors.3 and the public header files have the same set of -+# error codes. 
-+ -+use strict; -+use warnings; -+ -+# we may get the dir roots pointed out -+my $root=$ARGV[0] || "."; -+my $manpge = "$root/docs/libcurl/libcurl-errors.3"; -+my $curlh = "$root/include/curl"; -+my $errors=0; -+ -+my @hnames; -+my %wherefrom; -+my @mnames; -+my %manfrom; -+ -+sub scanheader { -+ my ($file)=@_; -+ open H, "<$file"; -+ my $line = 0; -+ while() { -+ $line++; -+ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { -+ my ($name)=($1); -+ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) { -+ push @hnames, $name; -+ if($wherefrom{$name}) { -+ print STDERR "double: $name\n"; -+ } -+ $wherefrom{$name}="$file:$line"; -+ } -+ } -+ } -+ close(H); -+} -+ -+sub scanmanpage { -+ my ($file)=@_; -+ open H, "<$file"; -+ my $line = 0; -+ while() { -+ $line++; -+ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { -+ my ($name)=($1); -+ push @mnames, $name; -+ $manfrom{$name}="$file:$line"; -+ } -+ } -+ close(H); -+} -+ -+ -+opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!"; -+my @hfiles = grep { /\.h$/ } readdir($dh); -+closedir $dh; -+ -+for(sort @hfiles) { -+ scanheader("$curlh/$_"); -+} -+scanmanpage($manpge); -+ -+print "Result\n"; -+for my $h (sort @hnames) { -+ if(!$manfrom{$h}) { -+ printf "$h from %s, not in man page\n", $wherefrom{$h}; -+ } -+} -+ -+for my $m (sort @mnames) { -+ if(!$wherefrom{$m}) { -+ printf "$m from %s, not in any header\n", $manfrom{$m}; -+ } -+} --- -2.43.0 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index b4f8e2a..328d3a4 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch 
@@ -1,7 +1,7 @@ -From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 12 Apr 2013 12:04:05 +0200 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +From 84b7e1cf486761e99361f5dcf5879cd7baf51b58 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 1 Feb 2024 13:01:23 +0100 +Subject: [PATCH 2/2] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 150004d..95d0759 100644 +index 54f92d9..15a60da 100644 --- a/curl-config.in +++ b/curl-config.in @@ -78,7 +78,7 @@ while test $# -gt 0; do @@ -60,22 +60,22 @@ index 150004d..95d0759 100644 *) diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 14a9d2b..ffcc004 100644 +index c142cb9..0e189b4 100644 --- a/docs/curl-config.1 +++ b/docs/curl-config.1 -@@ -72,7 +72,9 @@ no, one or several names. If more than one name, they will appear - comma-separated. (Added in 7.58.0) - .IP "--static-libs" +@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they will appear + comma\-separated. (Added in 7.58.0) + .IP --static-libs Shows the complete set of libs and other linker options you will need in order -to link your application with libcurl statically. (Added in 7.17.1) +to link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP "--version" + .IP --version Outputs version information about the installed libcurl. - .IP "--vernum" + .IP --vernum diff --git a/libcurl.pc.in b/libcurl.pc.in -index 2ba9c39..f8f8b00 100644 +index 9db6b0f..dcac692 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -31,6 +31,7 @@ libdir=@libdir@ 
@@ -87,5 +87,5 @@ index 2ba9c39..f8f8b00 100644
 Name: libcurl
 URL: https://curl.se/
 --
-2.26.2
+2.43.0
diff --git a/curl.spec b/curl.spec
index b5e1ef0..20848b3 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.5.0
-Release: 2%{?dist}
+Version: 8.6.0
+Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -10,8 +10,8 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
-# add missing test script tests/errorcodes.pl to the tarball
-Patch001: 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
+# remove duplicate content from curl-config.1
+Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -371,6 +371,10 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
+# Don't install man for mk-ca-bundle it's upstream bug
+# should be fixed in next release https://github.com/curl/curl/pull/12843
+rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1*
+
 %ldconfig_scriptlets -n libcurl
 %ldconfig_scriptlets -n libcurl-minimal
@@ -413,6 +417,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Thu Feb 01 2024 Jan Macku - 8.6.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2024-0853 - OCSP verification bypass with TLS session reuse
+- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix)
+- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843)
+
 * Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
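Review bot: The comment above the new `rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1*` is hard to read and does not say when the workaround can be dropped; because `rm -f` succeeds silently once the page is no longer shipped, nothing will flag the line as stale after the next version bump. Suggest `# the 8.6.0 tarball installs mk-ca-bundle.1 by mistake (upstream bug, fix in https://github.com/curl/curl/pull/12843); drop this once the fix is released`. The glob also removes any compressed variant of the page, which is presumably the intent and worth stating in the same comment.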
diff --git a/sources b/sources index 6a14222..9c9d4a1 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.5.0.tar.xz) = acffa2cf61d9b8e4188575a1b40227da8d722df2e5fe8bb82a222b4eb2fd64bf8aebd90852ce050c79fb5e517d5cee2546bf7de92ede1dd394263e231cb741a3 -SHA512 (curl-8.5.0.tar.xz.asc) = 9c6a2e61860878cd731d951fac1bb52cd314db20439a5173a95b48da1742737e02bfb9978d65e25de6535f839e281235203599a29f252e78e0d7a83769727329 +SHA512 (curl-8.6.0.tar.xz) = 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036 +SHA512 (curl-8.6.0.tar.xz.asc) = 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f From 6730b754a9e6ae98c39a164a3bc1c8df3a50adb7 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Fri, 2 Feb 2024 10:22:12 +0100 Subject: [PATCH 047/108] don't build curl manual feature use man 1 curl instead Resolves: #2262373 --- curl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 20848b3..6e3d932 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -286,7 +286,7 @@ export common_configure_opts=" \ --enable-imap \ --enable-ldap \ --enable-ldaps \ - --enable-manual \ + --disable-manual \ --enable-mqtt \ --enable-ntlm \ --enable-ntlm-wb \ 
@@ -417,6 +417,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Feb 02 2024 Jan Macku - 8.6.0-2 +- don't build manual for curl-full - use man 1 curl instead (#2262373) + * Thu Feb 01 2024 Jan Macku - 8.6.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-0853 - OCSP verification bypass with TLS session reuse From be5d7739cfcd1964bd0595998e2a2617fdcdbb1e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 2 Feb 2024 12:01:47 +0100 Subject: [PATCH 048/108] deduplicate the --disable-manual configure option No change in behavior intended. Related: #2262373 Closes: https://src.fedoraproject.org/rpms/curl/pull-request/22 --- curl.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 6e3d932..ec08090 100644 --- a/curl.spec +++ b/curl.spec @@ -238,6 +238,7 @@ autoreconf -fiv mkdir build-{full,minimal} export common_configure_opts=" \ --cache-file=../config.cache \ + --disable-manual \ --disable-static \ --enable-hsts \ --enable-ipv6 \ @@ -260,7 +261,6 @@ export common_configure_opts=" \ --disable-imap \ --disable-ldap \ --disable-ldaps \ - --disable-manual \ --disable-mqtt \ --disable-ntlm \ --disable-ntlm-wb \ @@ -286,7 +286,6 @@ export common_configure_opts=" \ --enable-imap \ --enable-ldap \ --enable-ldaps \ - --disable-manual \ --enable-mqtt \ --enable-ntlm \ --enable-ntlm-wb \ From ec3f7ae8ee65d8464b3c1d339b0c5f164cbc1089 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 5 Feb 2024 10:49:10 +0100 Subject: [PATCH 049/108] fix: ignore response body to HEAD requests Discovered/Reported by: @lis in FEDORA-2024-634a6662aa --- ...l-8.6.0-ignore-response-body-to-HEAD.patch | 184 ++++++++++++++++++ curl.spec | 9 +- 2 files changed, 192 insertions(+), 1 deletion(-) create mode 100644 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch 
diff --git a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch new file mode 100644 index 0000000..4dee602 --- /dev/null +++ b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch 
@@ -0,0 +1,184 @@ +From e61ea3ba7054afedafe1eb473226e842ac17b8ff Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 1 Feb 2024 13:23:12 +0100 +Subject: [PATCH] sendf: ignore response body to HEAD + +and mark the stream for close, but return OK since the response this far +was ok - if headers were received. Partly because this is what curl has +done traditionally. + +Test 499 verifies. Updates test 689. + +Reported-by: Sergey Bronnikov +Bug: https://curl.se/mail/lib-2024-02/0000.html +Closes #12842 + +(cherry picked from commit b8c003832d730bb2f4b9de4204675ca5d9f7a903) +Signed-off-by: Jan Macku +--- + lib/sendf.c | 3 ++ + tests/data/Makefile.inc | 44 ++++++++++++++-------------- + tests/data/test499 | 65 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test689 | 4 +-- + 4 files changed, 92 insertions(+), 24 deletions(-) + create mode 100644 tests/data/test499 + +diff --git a/lib/sendf.c b/lib/sendf.c +index db3189a29..60ac0742c 100644 +--- a/lib/sendf.c ++++ b/lib/sendf.c +@@ -575,6 +575,9 @@ static CURLcode cw_download_write(struct Curl_easy *data, + DEBUGF(infof(data, "did not want a BODY, but seeing %zu bytes", + nbytes)); + data->req.download_done = TRUE; ++ if(data->info.header_size) ++ /* if headers have been received, this is fine */ ++ return CURLE_OK; + return CURLE_WEIRD_SERVER_REPLY; + } + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index c3d496f64..cd393da75 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -75,28 +75,28 @@ test444 test445 test446 test447 test448 test449 test450 test451 test452 \ + test453 test454 test455 test456 test457 test458 test459 test460 test461 \ + \ + test490 test491 test492 test493 test494 test495 test496 test497 test498 \ +-\ +-test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +-test509 test510 test511 test512 test513 test514 test515 test516 test517 \ +-test518 test519 test520 test521 test522 test523 test524 test525 test526 \ +-test527 test528 
test529 test530 test531 test532 test533 test534 test535 \ +- test537 test538 test539 test540 test541 test542 test543 test544 \ +-test545 test546 test547 test548 test549 test550 test551 test552 test553 \ +-test554 test555 test556 test557 test558 test559 test560 test561 test562 \ +-test563 test564 test565 test566 test567 test568 test569 test570 test571 \ +-test572 test573 test574 test575 test576 test577 test578 test579 test580 \ +-test581 test582 test583 test584 test585 test586 test587 test588 test589 \ +-test590 test591 test592 test593 test594 test595 test596 test597 test598 \ +-test599 test600 test601 test602 test603 test604 test605 test606 test607 \ +-test608 test609 test610 test611 test612 test613 test614 test615 test616 \ +-test617 test618 test619 test620 test621 test622 test623 test624 test625 \ +-test626 test627 test628 test629 test630 test631 test632 test633 test634 \ +-test635 test636 test637 test638 test639 test640 test641 test642 test643 \ +-test644 test645 test646 test647 test648 test649 test650 test651 test652 \ +-test653 test654 test655 test656 test658 test659 test660 test661 test662 \ +-test663 test664 test665 test666 test667 test668 test669 test670 test671 \ +-test672 test673 test674 test675 test676 test677 test678 test679 test680 \ +-test681 test682 test683 test684 test685 test686 test687 test688 test689 \ ++test499 test500 test501 test502 test503 test504 test505 test506 test507 \ ++test508 test509 test510 test511 test512 test513 test514 test515 test516 \ ++test517 test518 test519 test520 test521 test522 test523 test524 test525 \ ++test526 test527 test528 test529 test530 test531 test532 test533 test534 \ ++test535 test537 test538 test539 test540 test541 test542 test543 \ ++test544 test545 test546 test547 test548 test549 test550 test551 test552 \ ++test553 test554 test555 test556 test557 test558 test559 test560 test561 \ ++test562 test563 test564 test565 test566 test567 test568 test569 test570 \ ++test571 test572 test573 test574 test575 test576 
test577 test578 test579 \ ++test580 test581 test582 test583 test584 test585 test586 test587 test588 \ ++test589 test590 test591 test592 test593 test594 test595 test596 test597 \ ++test598 test599 test600 test601 test602 test603 test604 test605 test606 \ ++test607 test608 test609 test610 test611 test612 test613 test614 test615 \ ++test616 test617 test618 test619 test620 test621 test622 test623 test624 \ ++test625 test626 test627 test628 test629 test630 test631 test632 test633 \ ++test634 test635 test636 test637 test638 test639 test640 test641 test642 \ ++test643 test644 test645 test646 test647 test648 test649 test650 test651 \ ++test652 test653 test654 test655 test656 test658 test659 test660 test661 \ ++test662 test663 test664 test665 test666 test667 test668 test669 test670 \ ++test671 test672 test673 test674 test675 test676 test677 test678 test679 \ ++test680 test681 test682 test683 test684 test685 test686 test687 test688 \ ++test689 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 test716 test717 \ +diff --git a/tests/data/test499 b/tests/data/test499 +new file mode 100644 +index 000000000..d4040b07c +--- /dev/null ++++ b/tests/data/test499 +@@ -0,0 +1,65 @@ ++ ++ ++ ++HTTP ++HTTP GET ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++-foo- ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT ++ETag: "21025-dc7-39462498" ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++Content-Type: text/html ++Funny-head: yesyes ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP HEAD to server still sending a body ++ ++ 
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -I
++
++
++
++#
++# Verify data after the test has been "shot"
++
++
++HEAD /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++
++
++
+diff --git a/tests/data/test689 b/tests/data/test689
+index 821556dec..381ae225a 100644
+--- a/tests/data/test689
++++ b/tests/data/test689
+@@ -44,9 +44,9 @@ User-Agent: test567
+ Test-Number: 567
+
+
+-# 8 == CURLE_WEIRD_SERVER_REPLY
++# 85 == CURLE_RTSP_CSEQ_ERROR
+
+-8
++85
+
+
+
+--
+2.43.0
+
diff --git a/curl.spec b/curl.spec
index ec08090..c75f108 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.6.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -13,6 +13,10 @@ Source2: mykey.asc
 # remove duplicate content from curl-config.1
 Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch
+# ignore response bode to HEAD requests
+# https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa
+Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -416,6 +420,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1*
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Mon Feb 05 2024 Jan Macku - 8.6.0-3
+- ignore response body to HEAD requests
+
 * Fri Feb 02 2024 Jan Macku - 8.6.0-2
 - don't build manual for curl-full - use man 1 curl instead (#2262373)
From 8cec2e9cc7c18e48039a2d9dd780b0528afed8cd Mon Sep 17 00:00:00 2001
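Review bot: The early `return CURLE_OK` added in cw_download_write turns an unwanted body into a non-error for every transfer that asked for no body, not only HTTP HEAD as the patch subject suggests; the same patch has to change test689's expected result from 8 (CURLE_WEIRD_SERVER_REPLY) to 85 (CURLE_RTSP_CSEQ_ERROR), which shows the effect reaches the RTSP path as well. The in-code comment should state the real condition, e.g. `/* a body arrived although none was requested: once the headers have been delivered, drop the body and keep the OK result */`. cw_download_write starts and ends outside the hunk, so whether the connection is also marked for close, as the commit message says, cannot be checked here; worth confirming when the backport is refreshed.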
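Review bot: The comment introducing Patch002 has a typo, `# ignore response bode to HEAD requests`; it should read `# ignore response body to HEAD requests`, as the changelog entry in the same commit already says. Since the patch header records its origin, adding `# backport of upstream commit b8c003832d730bb2f4b9de4204675ca5d9f7a903 (curl #12842)` next to the Bodhi link would make the next rebase easier to audit.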
From: Jan Macku
Date: Tue, 6 Feb 2024 15:25:02 +0100
Subject: [PATCH 050/108] drop curl-minimal subpackage in favor of curl-full
The reason for maintaining two separate packages for curl is no longer valid. The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal.
Resolves: #2262096
---
curl.spec | 39 ++++++++++++++-------------------------
1 file changed, 14 insertions(+), 25 deletions(-)
diff --git a/curl.spec b/curl.spec
index c75f108..b953ebb 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.6.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -29,6 +29,12 @@ Patch104: 0104-curl-7.88.0-tests-warnings.patch
 Provides: curl-full = %{version}-%{release}
 Provides: webclient
 URL: https://curl.se/
+
+# The reason for maintaining two separate packages for curl is no longer valid.
+# The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal.
+# For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096
+Obsoletes: curl-minimal < 8.6.0-4
+
 BuildRequires: automake
 BuildRequires: brotli-devel
 BuildRequires: coreutils
@@ -118,6 +124,10 @@ BuildRequires: valgrind
 BuildRequires: stunnel
 %endif
+# Suggest minimal version of libcurl to to keep number of dependencies low
+# after dropping curl-minimal.
+Suggests: libcurl-minimal
+
 # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
 Requires: libcurl%{?_isa} >= %{version}-%{release}
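Review bot: `Obsoletes: curl-minimal < 8.6.0-4` is added without a matching `Provides: curl-minimal = %{version}-%{release}`, so an explicit `dnf install curl-minimal` has nothing to resolve to once the subpackage is gone, even though the hunk's own comment says curl-full is a functional replacement. Packaging practice is to pair a versioned Obsoletes with a Provides in that case; the follow-up commit further down this page adds exactly that, and it would be cleaner to land both in this change.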
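Review bot: The comment above `Suggests: libcurl-minimal` has a doubled word (`to to`) and does not say that the hard `Requires: libcurl%{?_isa} >= %{version}-%{release}` three lines below still governs the installed version. Suggest `# Prefer the minimal libcurl build to keep the dependency footprint low now that curl-minimal is gone; the versioned Requires below still pins the libcurl version.`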
@@ -176,22 +186,6 @@ The libcurl-devel package includes header files and libraries necessary for developing programs which use the libcurl library. It contains the API documentation of the library, too. -%package -n curl-minimal -Summary: Conservatively configured build of curl for minimal installations -Provides: curl = %{version}-%{release} -Conflicts: curl -Suggests: libcurl-minimal -RemovePathPostfixes: .minimal - -# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION -Requires: libcurl%{?_isa} >= %{version}-%{release} - -%description -n curl-minimal -This is a replacement of the 'curl' package for minimal installations. It -comes with a limited set of features compared to the 'curl' package. On the -other hand, the package is smaller and requires fewer run-time dependencies to -be installed. - %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} @@ -351,10 +345,6 @@ for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do mv -v $i $i.minimal done -# install and rename the executable that will be packaged as curl-minimal -%make_install -C build-minimal/src -mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal} - # install libcurl.m4 install -d $RPM_BUILD_ROOT%{_datadir}/aclocal install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal @@ -410,16 +400,15 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_mandir}/man3/* %{_datadir}/aclocal/libcurl.m4 -%files -n curl-minimal -%{_bindir}/curl.minimal -%{_mandir}/man1/curl.1* - %files -n libcurl-minimal %license COPYING %{_libdir}/libcurl.so.4.minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 07 2024 Jan Macku - 8.6.0-4 +- drop curl-minimal subpackage in favor of curl-full (#2262096) + * Mon Feb 05 2024 Jan Macku - 8.6.0-3 - ignore response body to HEAD requests From 31bc86593e0630ced1691d269785a4ba9106efdf Mon Sep 17 00:00:00 2001 
From: Jan Macku Date: Mon, 12 Feb 2024 12:40:33 +0100 Subject: [PATCH 051/108] curl-full: add Provides to curl-minimal --- curl.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index b953ebb..c50172b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 4%{?dist} +Release: 5%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -27,6 +27,8 @@ Patch102: 0102-curl-7.84.0-test3026.patch Patch104: 0104-curl-7.88.0-tests-warnings.patch Provides: curl-full = %{version}-%{release} +# do not fail when trying to install curl-minimal after drop +Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -406,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 12 2024 Jan Macku - 8.6.0-5 +- add Provides to curl-minimal + * Wed Feb 07 2024 Jan Macku - 8.6.0-4 - drop curl-minimal subpackage in favor of curl-full (#2262096) From 9c77cd7c46571de15a73b7f19f779e9e98151792 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 12:33:29 +0100 Subject: [PATCH 052/108] vtls: revert "receive max buffer" + add test case It breaks the test suite of pycurl --- ...ert-receive-max-buffer-add-test-case.patch | 68 +++++++++++++++++++ curl.spec | 9 ++- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch diff --git a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch new file mode 100644 index 0000000..3e9078c --- /dev/null +++ b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch 
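Review bot: `Provides: curl-minimal = %{version}-%{release}` makes `dnf install curl-minimal` silently deliver the full-featured build, and the comment gives this alias no lifetime, so it will likely stay forever. Compatibility Provides after a subpackage drop are usually kept only for a limited number of releases; I would record the intent: `# transitional alias: curl-minimal was dropped in 8.6.0-4 (#2262096); remove the Provides after two Fedora releases`.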
@@ -0,0 +1,68 @@ +From 0f65eaab19624ca018d7bd5ca404618f9bfe267f Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 1 Feb 2024 18:15:50 +0100 +Subject: [PATCH] vtls: revert "receive max buffer" + add test case + +- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an + Apache resource that does an unclean TLS shutdown. +- revert special workarund in openssl.c for suppressing shutdown errors + on multiplexed connections +- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53 + +Fixes #12885 +Fixes #12844 + +Closes #12848 + +(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84) +Signed-off-by: Jan Macku +--- + lib/vtls/vtls.c | 27 ++++++--------------------- + 1 file changed, 6 insertions(+), 21 deletions(-) + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e928ba5d0..f654a9749 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf, + { + struct cf_call_data save; + ssize_t nread; +- size_t ntotal = 0; + + CF_DATA_SAVE(save, cf, data); + *err = CURLE_OK; +- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */ +- while(!ntotal || (len - ntotal) > (4*1024)) { ++ nread = Curl_ssl->recv_plain(cf, data, buf, len, err); ++ if(nread > 0) { ++ DEBUGASSERT((size_t)nread <= len); ++ } ++ else if(nread == 0) { ++ /* eof */ + *err = CURLE_OK; +- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err); +- if(nread < 0) { +- if(*err == CURLE_AGAIN && ntotal > 0) { +- /* we EAGAINed after having reed data, return the success amount */ +- *err = CURLE_OK; +- break; +- } +- /* we have a an error to report */ +- goto out; +- } +- else if(nread == 0) { +- /* eof */ +- break; +- } +- ntotal += (size_t)nread; +- DEBUGASSERT((size_t)ntotal <= len); + } +- nread = (ssize_t)ntotal; +-out: + CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, + nread, *err); + CF_DATA_RESTORE(cf, save); +-- +2.43.0 + 
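Review bot: The embedded patch's subject and description say a test case (test_05_04 for http/1.0, http/1.1 and h2 against an unclean TLS shutdown) was added, but the backported diffstat lists only `lib/vtls/vtls.c | 27 ++++++---------------------`, so the regression test was dropped from the cherry-pick and nothing in the package build exercises the behaviour this revert restores. Either carry the tests/http addition from upstream ed09a99af along with the C change, or make the description honest with `Subject: [PATCH] vtls: revert "receive max buffer" (upstream test case not backported)`. The restored `ssl_cf_recv` body itself looks like a faithful return to the pre-9a90c9dd state, so the concern is coverage, not the code.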
diff --git a/curl.spec b/curl.spec index c50172b..1500065 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 5%{?dist} +Release: 6%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -17,6 +17,10 @@ Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch # https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch +# revert "receive max buffer" + add test case +# it breaks pycurl tests suite +Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -408,6 +412,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 12 2024 Jan Macku - 8.6.0-6 +- revert "receive max buffer" + add test case + * Mon Feb 12 2024 Jan Macku - 8.6.0-5 - add Provides to curl-minimal From 685f0d3645117846f05da367608ee7e6d1e7801a Mon Sep 17 00:00:00 2001 
From: Jan Macku Date: Mon, 12 Feb 2024 16:01:16 +0100 Subject: [PATCH 053/108] temporarily disable test 0313 ``` test 0313...[CRL test] ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind313 ../src/curl --output log/curl313.out --include --trace-ascii log/trace313 --trace-time --cacert ../../tests/certs/EdelCurlRoot-ca.crt --crlfile ../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 > log/stdout313 2> log/stderr313 CMD (15360): ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind313 ../src/curl --output log/curl313.out --include --trace-ascii log/trace313 --trace-time --cacert ../../tests/certs/EdelCurlRoot-ca.crt --crlfile ../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 > log/stdout313 2> log/stderr313 valgrind ERROR ==89628== 1,795 (248 direct, 1,547 indirect) bytes in 1 blocks are definitely lost in loss record 32 of 32 ==89628== at 0x484280F: malloc (vg_replace_malloc.c:442) ==89628== by 0x4D71B20: CRYPTO_malloc (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4D71BD4: CRYPTO_zalloc (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C67FD3: ??? (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C69B00: ??? (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C69E3F: ASN1_item_d2i_ex (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4D944C0: PEM_ASN1_read_bio (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4DD3C31: X509_load_crl_file (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x48B6D48: UnknownInlinedFun (openssl.c:3284) ==89628== by 0x48B6D48: Curl_ssl_setup_x509_store (openssl.c:3437) ==89628== by 0x48B7445: ossl_bio_cf_in_read (openssl.c:776) ==89628== by 0x4C6DB32: ??? (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C71C16: ??? 
(in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4C71DAA: BIO_read (in /usr/lib64/libcrypto.so.3.2.1) ==89628== by 0x4B9BE92: ??? (in /usr/lib64/libssl.so.3.2.1) ==89628== by 0x4BA0B4A: ??? (in /usr/lib64/libssl.so.3.2.1) ==89628== by 0x4B9B099: ??? (in /usr/lib64/libssl.so.3.2.1) ==89628== == Contents of files in the log/ dir after test 313 === Start of file commands.log ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet --leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16 --log-file=log/valgrind313 ../src/curl --output log/curl313.out --include --trace-ascii log/trace313 --trace-time --cacert ../../tests/certs/EdelCurlRoot-ca.crt --crlfile ../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 > log/stdout313 2> log/stderr313 === End of file commands.log ``` Related: openssl #2263877 a --- curl.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 1500065..6a9e71b 100644 --- a/curl.spec +++ b/curl.spec @@ -213,9 +213,12 @@ be installed. %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 +# temporarily disable test 0313 +# +# # disable test 1801 # -echo "1801" >> tests/data/DISABLED +echo "313\n1801" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -414,6 +417,7 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %changelog * Mon Feb 12 2024 Jan Macku - 8.6.0-6 - revert "receive max buffer" + add test case +- temporarily disable test 0313 * Mon Feb 12 2024 Jan Macku - 8.6.0-5 - add Provides to curl-minimal From cbd939da23a539224dffb7405a83138469eedea3 Mon Sep 17 00:00:00 2001 
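Review bot: The two comment lines added above the `DISABLED` write are empty (`# temporarily disable test 0313` followed by a bare `#`), so the only record of why the test is skipped is this commit message. Test 313 is the CRL test (`--crlfile ../../tests/certs/Server-localhost-sv.crl` in the quoted command), so skipping it removes the build-time check that certificate revocation is honoured; the valgrind trace shows the lost block allocated under `X509_load_crl_file` called from curl's openssl.c:3284, and whether that leak is OpenSSL's or curl's is not settled by the trace alone. I would rather add a suppression for that stack to the `tests/valgrind.supp` the runner already loads than drop the test, and in either case write the reason down: `# temporarily skip test 313 (CRL check): valgrind reports a leak under X509_load_crl_file, see openssl bug #2263877; re-enable once fixed`.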
From: Jan Macku Date: Mon, 12 Feb 2024 16:20:24 +0100 Subject: [PATCH 054/108] spec: don't suggests libcurl-minimal it might break existing setups, tests, etc. Also fedora documentation about suggests is not right about meaning of Suggests macro. --- curl.spec | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index 6a9e71b..a5ae989 100644 --- a/curl.spec +++ b/curl.spec @@ -130,10 +130,6 @@ BuildRequires: valgrind BuildRequires: stunnel %endif -# Suggest minimal version of libcurl to to keep number of dependencies low -# after dropping curl-minimal. -Suggests: libcurl-minimal - # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} @@ -418,6 +414,7 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* * Mon Feb 12 2024 Jan Macku - 8.6.0-6 - revert "receive max buffer" + add test case - temporarily disable test 0313 +- remove suggests of libcurl-minimal in curl-full * Mon Feb 12 2024 Jan Macku - 8.6.0-5 - add Provides to curl-minimal From cbc7f6603c591c1b16bdab240b4c53cc655655cb Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 17:13:40 +0100 Subject: [PATCH 055/108] spec: use `echo -e` to populate `tests/data/DISABLED` with a newline --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index a5ae989..de93364 100644 --- a/curl.spec +++ b/curl.spec @@ -214,7 +214,7 @@ be installed. # # disable test 1801 # -echo "313\n1801" >> tests/data/DISABLED +echo -e "313\n1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} From e58b8f772bd18d9c4fa5750a6bd9f56745e888f7 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 12 Feb 2024 17:34:59 +0100 Subject: [PATCH 056/108] spec: use `printf` to populate `tests/data/DISABLED` with a newline --- curl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/curl.spec b/curl.spec index de93364..33f4fba 100644 --- a/curl.spec +++ b/curl.spec @@ -214,7 +214,7 @@ be installed. # # disable test 1801 # -echo -e "313\n1801\n" >> tests/data/DISABLED +printf "313\n1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} From 9a38bdf948aacf59ec81f0e35ef10f430252f1a6 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 19 Feb 2024 13:23:34 +0100 Subject: [PATCH 057/108] fix: Leftovers after chunking should not be part of the curl buffer output Resolves: #2264220 --- ...fix-the-accounting-of-consumed-bytes.patch | 83 +++++++++++++++++++ curl.spec | 8 +- 2 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch diff --git a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch new file mode 100644 index 0000000..39b2f31 --- /dev/null +++ b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch 
@@ -0,0 +1,83 @@ +From c7438ccfceee373a75d6d890259cf2e6b5e0e203 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 14 Feb 2024 16:27:23 +0100 +Subject: [PATCH] http_chunks: fix the accounting of consumed bytes + +Prior to this change chunks were handled correctly although in verbose +mode libcurl could incorrectly warn of "Leftovers after chunking" even +if there were none. + +Reported-by: Michael Kaufmann + +Fixes https://github.com/curl/curl/issues/12937 +Closes https://github.com/curl/curl/pull/12939 + +(cherry picked from commit 59e2c78af3a5588d6e6ae6d2223b222f067e054b) +Signed-off-by: Jan Macku +--- + lib/http_chunks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/lib/http_chunks.c b/lib/http_chunks.c +index 039c179c4..ad1ee9ada 100644 +--- a/lib/http_chunks.c ++++ b/lib/http_chunks.c +@@ -152,6 +152,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->hexbuffer[ch->hexindex++] = *buf; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + char *endptr; +@@ -189,6 +190,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_DATA: +@@ -236,6 +238,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER: +@@ -293,6 +296,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + } + buf++; + blen--; ++ (*pconsumed)++; + break; + + case CHUNK_TRAILER_CR: +@@ -300,6 +304,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + ch->state = CHUNK_TRAILER_POSTCR; + buf++; + blen--; ++ (*pconsumed)++; + } + else { + ch->state = CHUNK_FAILED; +@@ -320,6 +325,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + /* skip if CR */ + buf++; + blen--; ++ (*pconsumed)++; + } + /* now wait for the final LF */ + ch->state = CHUNK_STOP; +@@ -328,6 +334,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, + case CHUNK_STOP: + if(*buf == 0x0a) { + 
blen--; ++ (*pconsumed)++; + /* Record the length of any data left in the end of the buffer + even if there's no more chunks to read */ + ch->datasize = blen; +-- +2.43.2 + diff --git a/curl.spec b/curl.spec index 33f4fba..5118b71 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.6.0 -Release: 6%{?dist} +Release: 7%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -21,6 +21,9 @@ Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch # it breaks pycurl tests suite Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch +# Fix: Leftovers after chunking should not be part of the curl buffer output +Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -411,6 +414,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Feb 19 2024 Jan Macku - 8.6.0-7 +- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) + * Mon Feb 12 2024 Jan Macku - 8.6.0-6 - revert "receive max buffer" + add test case - temporarily disable test 0313 From f9311ae69d7c143fec8f3282907ac95546869cfc Mon Sep 17 00:00:00 2001 
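Review bot: The spec comment for Patch004, `# Fix: Leftovers after chunking should not be part of the curl buffer output`, describes a data-corruption bug, while the upstream description inside the patch says chunks "were handled correctly" and only a verbose-mode "Leftovers after chunking" warning was wrong; a reader of the spec would conclude the wrong severity. I would align the comment with the patch: `# http_chunks: fix the accounting of consumed bytes (spurious "Leftovers after chunking" warning; upstream 59e2c78af3, #2264220)`. The consumed-byte counters touched here are exactly where chunked-decoding desync bugs live, so if the downstream report did see wrong output, that should be stated explicitly rather than left ambiguous.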
From: Jan Macku Date: Wed, 27 Mar 2024 09:43:54 +0100 Subject: [PATCH 058/108] new upstream release - 8.7.1 Resolves: CVE-2024-2004 - Usage of disabled protocol Resolves: CVE-2024-2379 - QUIC certificate check bypass with wolfSSL Resolves: CVE-2024-2398 - HTTP/2 push headers memory-leak Resolves: CVE-2024-2466 - TLS certificate check bypass with mbedTLS --- .gitignore | 3 +- ...-curl-8.6.0-remove-duplicate-content.patch | 108 ---------- 0001-curl-8.7.1-fix-compressed-option.patch | 174 +++++++++++++++++ ...l-8.6.0-ignore-response-body-to-HEAD.patch | 184 ------------------ ...-8.7.1-fix-chunked-POST-via-callback.patch | 69 +++++++ ...ert-receive-max-buffer-add-test-case.patch | 68 ------- ...fix-the-accounting-of-consumed-bytes.patch | 83 -------- 0101-curl-7.32.0-multilib.patch | 20 +- curl.spec | 49 ++--- sources | 4 +- 10 files changed, 277 insertions(+), 485 deletions(-) delete mode 100644 0001-curl-8.6.0-remove-duplicate-content.patch create mode 100644 0001-curl-8.7.1-fix-compressed-option.patch delete mode 100644 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch create mode 100644 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch delete mode 100644 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch delete mode 100644 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch diff --git a/.gitignore b/.gitignore index 505a7d9..e91a948 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,4 @@ -/curl-[0-9.]*.tar.lzma -/curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc /curl-[0-9].[0-9].[0-9]/ +/*.src.rpm diff --git a/0001-curl-8.6.0-remove-duplicate-content.patch b/0001-curl-8.6.0-remove-duplicate-content.patch deleted file mode 100644 index bbbb7ff..0000000 --- a/0001-curl-8.6.0-remove-duplicate-content.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From 960cf3ceb40cf875b146d4d1065d9267ccb83da1 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Thu, 1 Feb 2024 12:56:31 +0100 -Subject: [PATCH 1/2] doc: remove duplicate content from curl-config.1 - -This will be resolved in next release by: -https://github.com/curl/curl/pull/12818 - -see also: https://github.com/curl/curl/issues/12840 - -Signed-off-by: Jan Macku ---- - docs/curl-config.1 | 82 ---------------------------------------------- - 1 file changed, 82 deletions(-) - -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 186ba3a..c142cb9 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -80,85 +80,3 @@ How do I build a single file with a one\-line command? - .fi - .SH SEE ALSO - .BR curl (1) --.\" generated by cd2nroff 0.1 from curl-config.md --.TH curl-config 1 "January 26 2024" curl-config --.SH NAME --curl\-config \- Get information about a libcurl installation --.SH SYNOPSIS --\fBcurl\-config [options]\fP --.SH DESCRIPTION --\fBcurl\-config\fP --displays information about the curl and libcurl installation. --.SH OPTIONS --.IP --ca --Displays the built\-in path to the CA cert bundle this libcurl uses. --.IP --cc --Displays the compiler used to build libcurl. --.IP --cflags --Set of compiler options (CFLAGS) to use when compiling files that use --libcurl. Currently that is only the include path to the curl include files. --.IP "--checkfor [version]" --Specify the oldest possible libcurl version string you want, and this --script will return 0 if the current installation is new enough or it --returns 1 and outputs a text saying that the current version is not new --enough. (Added in 7.15.4) --.IP --configure --Displays the arguments given to configure when building curl. --.IP --feature --Lists what particular main features the installed libcurl was built with. At --the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume --any particular order. The keywords will be separated by newlines. 
There may be --none, one, or several keywords in the list. --.IP --help --Displays the available options. --.IP --libs --Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl. --.IP --prefix --This is the prefix used when libcurl was installed. Libcurl is then installed --in $prefix/lib and its header files are installed in $prefix/include and so --on. The prefix is set with "configure \--prefix". --.IP --protocols --Lists what particular protocols the installed libcurl was built to support. At --the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE, --TELNET, LDAP, DICT and many more. Do not assume any particular order. The --protocols will be listed using uppercase and are separated by newlines. There --may be none, one, or several protocols in the list. (Added in 7.13.0) --.IP --ssl-backends --Lists the SSL backends that were enabled when libcurl was built. It might be --no, one or several names. If more than one name, they will appear --comma\-separated. (Added in 7.58.0) --.IP --static-libs --Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) --.IP --version --Outputs version information about the installed libcurl. --.IP --vernum --Outputs version information about the installed libcurl, in numerical mode. --This shows the version number, in hexadecimal, using 8 bits for each part: --major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and --libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be --omitted. (This option was broken in the 7.15.0 release.) --.SH EXAMPLES --What linker options do I need when I link with libcurl? --.nf -- $ curl-config --libs --.fi --What compiler options do I need when I compile using libcurl functions? --.nf -- $ curl-config --cflags --.fi --How do I know if libcurl was built with SSL support? 
--.nf -- $ curl-config --feature | grep SSL --.fi --What\(aqs the installed libcurl version? --.nf -- $ curl-config --version --.fi --How do I build a single file with a one\-line command? --.nf -- $ `curl-config --cc --cflags` -o example source.c `curl-config --libs` --.fi --.SH SEE ALSO --.BR curl (1) --- -2.43.0 - diff --git a/0001-curl-8.7.1-fix-compressed-option.patch b/0001-curl-8.7.1-fix-compressed-option.patch new file mode 100644 index 0000000..dc2e720 --- /dev/null +++ b/0001-curl-8.7.1-fix-compressed-option.patch 
@@ -0,0 +1,174 @@ +From 8f1a06a9efe1048c7ad17af43ae7d4b26de8117e Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 28 Mar 2024 11:08:15 +0100 +Subject: [PATCH 1/2] content_encoding: brotli and others, pass through + 0-length writes + +- curl's transfer handling may write 0-length chunks at the end of the + download with an EOS flag. (HTTP/2 does this commonly) + +- content encoders need to pass-through such a write and not count this + as error in case they are finished decoding + +Fixes #13209 +Fixes #13212 +Closes #13219 + +(cherry picked from commit b30d694a027eb771c02a3db0dee0ca03ccab7377) +Signed-off-by: Jan Macku +--- + lib/content_encoding.c | 10 +++++----- + tests/http/test_02_download.py | 13 +++++++++++++ + tests/http/testenv/env.py | 7 ++++++- + tests/http/testenv/httpd.py | 20 ++++++++++++++++++++ + 4 files changed, 44 insertions(+), 6 deletions(-) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index c1abf24e8..8e926dd2e 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -300,7 +300,7 @@ static CURLcode deflate_do_write(struct Curl_easy *data, + struct zlib_writer *zp = (struct zlib_writer *) writer; + z_stream *z = &zp->z; /* zlib state structure */ + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + /* Set the compressed input when this function is called */ +@@ -457,7 +457,7 @@ static CURLcode gzip_do_write(struct Curl_easy *data, + struct zlib_writer *zp = (struct zlib_writer *) writer; + z_stream *z = &zp->z; /* zlib state structure */ + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(zp->zlib_init == ZLIB_INIT_GZIP) { +@@ -669,7 +669,7 @@ static CURLcode brotli_do_write(struct Curl_easy *data, + CURLcode result = CURLE_OK; + BrotliDecoderResult r = BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT; + +- 
if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(!bp->br) +@@ -762,7 +762,7 @@ static CURLcode zstd_do_write(struct Curl_easy *data, + ZSTD_outBuffer out; + size_t errorCode; + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + if(!zp->decomp) { +@@ -916,7 +916,7 @@ static CURLcode error_do_write(struct Curl_easy *data, + (void) buf; + (void) nbytes; + +- if(!(type & CLIENTWRITE_BODY)) ++ if(!(type & CLIENTWRITE_BODY) || !nbytes) + return Curl_cwriter_write(data, writer->next, type, buf, nbytes); + + failf(data, "Unrecognized content encoding type. " +diff --git a/tests/http/test_02_download.py b/tests/http/test_02_download.py +index 4db9c9d36..395fc862f 100644 +--- a/tests/http/test_02_download.py ++++ b/tests/http/test_02_download.py +@@ -394,6 +394,19 @@ class TestDownload: + r = client.run(args=[url]) + r.check_exit_code(0) + ++ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) ++ def test_02_28_get_compressed(self, env: Env, httpd, nghttpx, repeat, proto): ++ if proto == 'h3' and not env.have_h3(): ++ pytest.skip("h3 not supported") ++ count = 1 ++ urln = f'https://{env.authority_for(env.domain1brotli, proto)}/data-100k?[0-{count-1}]' ++ curl = CurlClient(env=env) ++ r = curl.http_download(urls=[urln], alpn_proto=proto, extra_args=[ ++ '--compressed' ++ ]) ++ r.check_exit_code(code=0) ++ r.check_response(count=count, http_status=200) ++ + def check_downloads(self, client, srcfile: str, count: int, + complete: bool = True): + for i in range(count): +diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py +index a207059dc..13c5d6bd4 100644 +--- a/tests/http/testenv/env.py ++++ b/tests/http/testenv/env.py +@@ -129,10 +129,11 @@ class EnvConfig: + self.htdocs_dir = os.path.join(self.gen_dir, 'htdocs') + self.tld = 'http.curl.se' + self.domain1 = 
f"one.{self.tld}" ++ self.domain1brotli = f"brotli.one.{self.tld}" + self.domain2 = f"two.{self.tld}" + self.proxy_domain = f"proxy.{self.tld}" + self.cert_specs = [ +- CertificateSpec(domains=[self.domain1, 'localhost'], key_type='rsa2048'), ++ CertificateSpec(domains=[self.domain1, self.domain1brotli, 'localhost'], key_type='rsa2048'), + CertificateSpec(domains=[self.domain2], key_type='rsa2048'), + CertificateSpec(domains=[self.proxy_domain, '127.0.0.1'], key_type='rsa2048'), + CertificateSpec(name="clientsX", sub_specs=[ +@@ -376,6 +377,10 @@ class Env: + def domain1(self) -> str: + return self.CONFIG.domain1 + ++ @property ++ def domain1brotli(self) -> str: ++ return self.CONFIG.domain1brotli ++ + @property + def domain2(self) -> str: + return self.CONFIG.domain2 +diff --git a/tests/http/testenv/httpd.py b/tests/http/testenv/httpd.py +index c04c22699..b8615875a 100644 +--- a/tests/http/testenv/httpd.py ++++ b/tests/http/testenv/httpd.py +@@ -50,6 +50,7 @@ class Httpd: + 'alias', 'env', 'filter', 'headers', 'mime', 'setenvif', + 'socache_shmcb', + 'rewrite', 'http2', 'ssl', 'proxy', 'proxy_http', 'proxy_connect', ++ 'brotli', + 'mpm_event', + ] + COMMON_MODULES_DIRS = [ +@@ -203,6 +204,7 @@ class Httpd: + + def _write_config(self): + domain1 = self.env.domain1 ++ domain1brotli = self.env.domain1brotli + creds1 = self.env.get_credentials(domain1) + domain2 = self.env.domain2 + creds2 = self.env.get_credentials(domain2) +@@ -285,6 +287,24 @@ class Httpd: + f'', + f'', + ]) ++ # Alternate to domain1 with BROTLI compression ++ conf.extend([ # https host for domain1, h1 + h2 ++ f'', ++ f' ServerName {domain1brotli}', ++ f' Protocols h2 http/1.1', ++ f' SSLEngine on', ++ f' SSLCertificateFile {creds1.cert_file}', ++ f' SSLCertificateKeyFile {creds1.pkey_file}', ++ f' DocumentRoot "{self._docs_dir}"', ++ f' SetOutputFilter BROTLI_COMPRESS', ++ ]) ++ conf.extend(self._curltest_conf(domain1)) ++ if domain1 in self._extra_configs: ++ 
conf.extend(self._extra_configs[domain1]) ++ conf.extend([ ++ f'', ++ f'', ++ ]) + conf.extend([ # https host for domain2, no h2 + f'', + f' ServerName {domain2}', +-- +2.44.0 + diff --git a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch b/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch deleted file mode 100644 index 4dee602..0000000 --- a/0002-curl-8.6.0-ignore-response-body-to-HEAD.patch +++ /dev/null 
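Review bot: The new `|| !nbytes` early-return in `deflate_do_write`, `gzip_do_write`, `brotli_do_write` and `zstd_do_write` forwards a zero-length write regardless of decoder state, while the description says such writes should pass through "in case they are finished decoding". If the final EOS write arrives while the stream is still mid-block (a truncated gzip or brotli body), the decoder no longer sees it, so unless truncation is reported on another path (the writers' close handlers are outside this hunk) an incomplete compressed response could now finish without error; a check that the decoder reached stream end before accepting the EOS write would keep that detection. `error_do_write` gets the same change, so an unknown `Content-Encoding` with an empty body no longer reaches the `failf("Unrecognized content encoding type. ...")` below it, which is probably intended but deserves a one-line comment. In httpd.py the brotli vhost reuses `domain1`'s `_curltest_conf` and `_extra_configs`, which is fine for the test but worth noting in a comment so nobody later adds domain1-specific directives that the brotli host silently inherits.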
@@ -1,184 +0,0 @@ -From e61ea3ba7054afedafe1eb473226e842ac17b8ff Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 1 Feb 2024 13:23:12 +0100 -Subject: [PATCH] sendf: ignore response body to HEAD - -and mark the stream for close, but return OK since the response this far -was ok - if headers were received. Partly because this is what curl has -done traditionally. - -Test 499 verifies. Updates test 689. - -Reported-by: Sergey Bronnikov -Bug: https://curl.se/mail/lib-2024-02/0000.html -Closes #12842 - -(cherry picked from commit b8c003832d730bb2f4b9de4204675ca5d9f7a903) -Signed-off-by: Jan Macku ---- - lib/sendf.c | 3 ++ - tests/data/Makefile.inc | 44 ++++++++++++++-------------- - tests/data/test499 | 65 +++++++++++++++++++++++++++++++++++++++++ - tests/data/test689 | 4 +-- - 4 files changed, 92 insertions(+), 24 deletions(-) - create mode 100644 tests/data/test499 - -diff --git a/lib/sendf.c b/lib/sendf.c -index db3189a29..60ac0742c 100644 ---- a/lib/sendf.c -+++ b/lib/sendf.c -@@ -575,6 +575,9 @@ static CURLcode cw_download_write(struct Curl_easy *data, - DEBUGF(infof(data, "did not want a BODY, but seeing %zu bytes", - nbytes)); - data->req.download_done = TRUE; -+ if(data->info.header_size) -+ /* if headers have been received, this is fine */ -+ return CURLE_OK; - return CURLE_WEIRD_SERVER_REPLY; - } - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index c3d496f64..cd393da75 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -75,28 +75,28 @@ test444 test445 test446 test447 test448 test449 test450 test451 test452 \ - test453 test454 test455 test456 test457 test458 test459 test460 test461 \ - \ - test490 test491 test492 test493 test494 test495 test496 test497 test498 \ --\ --test500 test501 test502 test503 test504 test505 test506 test507 test508 \ --test509 test510 test511 test512 test513 test514 test515 test516 test517 \ --test518 test519 test520 test521 test522 test523 test524 test525 test526 \ --test527 test528 
test529 test530 test531 test532 test533 test534 test535 \ -- test537 test538 test539 test540 test541 test542 test543 test544 \ --test545 test546 test547 test548 test549 test550 test551 test552 test553 \ --test554 test555 test556 test557 test558 test559 test560 test561 test562 \ --test563 test564 test565 test566 test567 test568 test569 test570 test571 \ --test572 test573 test574 test575 test576 test577 test578 test579 test580 \ --test581 test582 test583 test584 test585 test586 test587 test588 test589 \ --test590 test591 test592 test593 test594 test595 test596 test597 test598 \ --test599 test600 test601 test602 test603 test604 test605 test606 test607 \ --test608 test609 test610 test611 test612 test613 test614 test615 test616 \ --test617 test618 test619 test620 test621 test622 test623 test624 test625 \ --test626 test627 test628 test629 test630 test631 test632 test633 test634 \ --test635 test636 test637 test638 test639 test640 test641 test642 test643 \ --test644 test645 test646 test647 test648 test649 test650 test651 test652 \ --test653 test654 test655 test656 test658 test659 test660 test661 test662 \ --test663 test664 test665 test666 test667 test668 test669 test670 test671 \ --test672 test673 test674 test675 test676 test677 test678 test679 test680 \ --test681 test682 test683 test684 test685 test686 test687 test688 test689 \ -+test499 test500 test501 test502 test503 test504 test505 test506 test507 \ -+test508 test509 test510 test511 test512 test513 test514 test515 test516 \ -+test517 test518 test519 test520 test521 test522 test523 test524 test525 \ -+test526 test527 test528 test529 test530 test531 test532 test533 test534 \ -+test535 test537 test538 test539 test540 test541 test542 test543 \ -+test544 test545 test546 test547 test548 test549 test550 test551 test552 \ -+test553 test554 test555 test556 test557 test558 test559 test560 test561 \ -+test562 test563 test564 test565 test566 test567 test568 test569 test570 \ -+test571 test572 test573 test574 test575 test576 
test577 test578 test579 \ -+test580 test581 test582 test583 test584 test585 test586 test587 test588 \ -+test589 test590 test591 test592 test593 test594 test595 test596 test597 \ -+test598 test599 test600 test601 test602 test603 test604 test605 test606 \ -+test607 test608 test609 test610 test611 test612 test613 test614 test615 \ -+test616 test617 test618 test619 test620 test621 test622 test623 test624 \ -+test625 test626 test627 test628 test629 test630 test631 test632 test633 \ -+test634 test635 test636 test637 test638 test639 test640 test641 test642 \ -+test643 test644 test645 test646 test647 test648 test649 test650 test651 \ -+test652 test653 test654 test655 test656 test658 test659 test660 test661 \ -+test662 test663 test664 test665 test666 test667 test668 test669 test670 \ -+test671 test672 test673 test674 test675 test676 test677 test678 test679 \ -+test680 test681 test682 test683 test684 test685 test686 test687 test688 \ -+test689 \ - \ - test700 test701 test702 test703 test704 test705 test706 test707 test708 \ - test709 test710 test711 test712 test713 test714 test715 test716 test717 \ -diff --git a/tests/data/test499 b/tests/data/test499 -new file mode 100644 -index 000000000..d4040b07c ---- /dev/null -+++ b/tests/data/test499 -@@ -0,0 +1,65 @@ -+ -+ -+ -+HTTP -+HTTP GET -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+-foo- -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+HTTP HEAD to server still sending a body -+ -+ 
-+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -I -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+HEAD /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+ -+ -+ -+ -diff --git a/tests/data/test689 b/tests/data/test689 -index 821556dec..381ae225a 100644 ---- a/tests/data/test689 -+++ b/tests/data/test689 -@@ -44,9 +44,9 @@ User-Agent: test567 - Test-Number: 567 - - --# 8 == CURLE_WEIRD_SERVER_REPLY -+# 85 == CURLE_RTSP_CSEQ_ERROR - --8 -+85 - - - --- -2.43.0 - diff --git a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch new file mode 100644 index 0000000..5421984 --- /dev/null +++ b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch 
@@ -0,0 +1,69 @@ +From 2c20a15717bd408ce225dd8707c1798136f084f5 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Mon, 1 Apr 2024 15:41:18 +0200 +Subject: [PATCH 2/2] http: with chunked POST forced, disable length check on + read callback + +- when an application forces HTTP/1.1 chunked transfer encoding + by setting the corresponding header and instructs curl to use + the CURLOPT_READFUNCTION, disregard any POST length information. +- this establishes backward compatibility with previous curl versions + +Applications are encouraged to not force "chunked", but rather +set length information for a POST. By setting -1, curl will +auto-select chunked on HTTP/1.1 and work properly on other HTTP +versions. + +Reported-by: Jeff King +Fixes #13229 +Closes #13257 + +(cherry picked from commit 721941aadf4adf4f6aeb3f4c0ab489bb89610c36) +Signed-off-by: Jan Macku +--- + lib/http.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 92c04e69c..a764d3c44 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2046,8 +2046,19 @@ static CURLcode set_reader(struct Curl_easy *data, Curl_HttpReq httpreq) + else + result = Curl_creader_set_null(data); + } +- else { /* we read the bytes from the callback */ +- result = Curl_creader_set_fread(data, postsize); ++ else { ++ /* we read the bytes from the callback. In case "chunked" encoding ++ * is forced by the application, we disregard `postsize`. This is ++ * a backward compatibility decision to earlier versions where ++ * chunking disregarded this. See issue #13229. */ ++ bool chunked = FALSE; ++ char *ptr = Curl_checkheaders(data, STRCONST("Transfer-Encoding")); ++ if(ptr) { ++ /* Some kind of TE is requested, check if 'chunked' is chosen */ ++ chunked = Curl_compareheader(ptr, STRCONST("Transfer-Encoding:"), ++ STRCONST("chunked")); ++ } ++ result = Curl_creader_set_fread(data, chunked? 
-1 : postsize); + } + return result; + +@@ -2115,6 +2126,13 @@ CURLcode Curl_http_req_set_reader(struct Curl_easy *data, + data->req.upload_chunky = + Curl_compareheader(ptr, + STRCONST("Transfer-Encoding:"), STRCONST("chunked")); ++ if(data->req.upload_chunky && ++ Curl_use_http_1_1plus(data, data->conn) && ++ (data->conn->httpversion >= 20)) { ++ infof(data, "suppressing chunked transfer encoding on connection " ++ "using HTTP version 2 or higher"); ++ data->req.upload_chunky = FALSE; ++ } + } + else { + curl_off_t req_clen = Curl_creader_total_length(data); +-- +2.44.0 + diff --git a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch b/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch deleted file mode 100644 index 3e9078c..0000000 --- a/0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 0f65eaab19624ca018d7bd5ca404618f9bfe267f Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 1 Feb 2024 18:15:50 +0100 -Subject: [PATCH] vtls: revert "receive max buffer" + add test case - -- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an - Apache resource that does an unclean TLS shutdown. -- revert special workarund in openssl.c for suppressing shutdown errors - on multiplexed connections -- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53 - -Fixes #12885 -Fixes #12844 - -Closes #12848 - -(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84) -Signed-off-by: Jan Macku ---- - lib/vtls/vtls.c | 27 ++++++--------------------- - 1 file changed, 6 insertions(+), 21 deletions(-) - -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index e928ba5d0..f654a9749 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf, - { - struct cf_call_data save; - ssize_t nread; -- size_t ntotal = 0; - - CF_DATA_SAVE(save, cf, data); - *err = CURLE_OK; -- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */ -- while(!ntotal || (len - ntotal) > (4*1024)) { -+ nread = Curl_ssl->recv_plain(cf, data, buf, len, err); -+ if(nread > 0) { -+ DEBUGASSERT((size_t)nread <= len); -+ } -+ else if(nread == 0) { -+ /* eof */ - *err = CURLE_OK; -- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err); -- if(nread < 0) { -- if(*err == CURLE_AGAIN && ntotal > 0) { -- /* we EAGAINed after having reed data, return the success amount */ -- *err = CURLE_OK; -- break; -- } -- /* we have a an error to report */ -- goto out; -- } -- else if(nread == 0) { -- /* eof */ -- break; -- } -- ntotal += (size_t)nread; -- DEBUGASSERT((size_t)ntotal <= len); - } -- nread = (ssize_t)ntotal; --out: - CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, - nread, *err); - CF_DATA_RESTORE(cf, save); --- -2.43.0 - 
diff --git a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch b/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch deleted file mode 100644 index 39b2f31..0000000 --- a/0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From c7438ccfceee373a75d6d890259cf2e6b5e0e203 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 14 Feb 2024 16:27:23 +0100 -Subject: [PATCH] http_chunks: fix the accounting of consumed bytes - -Prior to this change chunks were handled correctly although in verbose -mode libcurl could incorrectly warn of "Leftovers after chunking" even -if there were none. - -Reported-by: Michael Kaufmann - -Fixes https://github.com/curl/curl/issues/12937 -Closes https://github.com/curl/curl/pull/12939 - -(cherry picked from commit 59e2c78af3a5588d6e6ae6d2223b222f067e054b) -Signed-off-by: Jan Macku ---- - lib/http_chunks.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/lib/http_chunks.c b/lib/http_chunks.c -index 039c179c4..ad1ee9ada 100644 ---- a/lib/http_chunks.c -+++ b/lib/http_chunks.c -@@ -152,6 +152,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - ch->hexbuffer[ch->hexindex++] = *buf; - buf++; - blen--; -+ (*pconsumed)++; - } - else { - char *endptr; -@@ -189,6 +190,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_DATA: -@@ -236,6 +238,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - } - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_TRAILER: -@@ -293,6 +296,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - } - buf++; - blen--; -+ (*pconsumed)++; - break; - - case CHUNK_TRAILER_CR: -@@ -300,6 +304,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - ch->state = CHUNK_TRAILER_POSTCR; - buf++; - blen--; -+ (*pconsumed)++; - } - else { - ch->state = CHUNK_FAILED; -@@ -320,6 +325,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - /* skip if CR */ - buf++; - blen--; -+ (*pconsumed)++; - } - /* now wait for the final LF */ - ch->state = CHUNK_STOP; -@@ -328,6 +334,7 @@ static CURLcode httpchunk_readwrite(struct Curl_easy *data, - case CHUNK_STOP: - if(*buf == 0x0a) { - 
blen--; -+ (*pconsumed)++; - /* Record the length of any data left in the end of the buffer - even if there's no more chunks to read */ - ch->datasize = blen; --- -2.43.2 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 328d3a4..2edb7c8 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From 84b7e1cf486761e99361f5dcf5879cd7baf51b58 Mon Sep 17 00:00:00 2001 +From dcc0efa441abace568e00bf930889da78356d041 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Thu, 1 Feb 2024 13:01:23 +0100 -Subject: [PATCH 2/2] prevent multilib conflicts on the curl-config script +Date: Wed, 27 Mar 2024 10:16:03 +0100 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -60,15 +60,15 @@ index 54f92d9..15a60da 100644 *) diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index c142cb9..0e189b4 100644 +index 2d5617c..0d90aaa 100644 --- a/docs/curl-config.1 +++ b/docs/curl-config.1 -@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they will appear - comma\-separated. (Added in 7.58.0) +@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they appear comma\-separated. + (Added in 7.58.0) .IP --static-libs - Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) -+to link your application with libcurl statically. Note that Fedora/RHEL libcurl + Shows the complete set of libs and other linker options you need in order to +-link your application with libcurl statically. (Added in 7.17.1) ++link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) .IP --version @@ -87,5 +87,5 @@ index 9db6b0f..dcac692 100644 Name: libcurl URL: https://curl.se/ -- -2.43.0 +2.44.0 
diff --git a/curl.spec b/curl.spec index 5118b71..31141a4 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.6.0 -Release: 7%{?dist} +Version: 8.7.1 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -10,19 +10,11 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# remove duplicate content from curl-config.1 -Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch +# fix issue with --compressed option +Patch001: 0001-curl-8.7.1-fix-compressed-option.patch -# ignore response bode to HEAD requests -# https://bodhi.fedoraproject.org/updates/FEDORA-2024-634a6662aa -Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch - -# revert "receive max buffer" + add test case -# it breaks pycurl tests suite -Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch - -# Fix: Leftovers after chunking should not be part of the curl buffer output -Patch004: 0004-curl-8.6.0-http_chunks-fix-the-accounting-of-consumed-bytes.patch +# fix chunked POST via callback regression +Patch002: 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -212,12 +204,9 @@ be installed. %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# temporarily disable test 0313 -# -# # disable test 1801 # -printf "313\n1801\n" >> tests/data/DISABLED +printf "1801\n" >> tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} 
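Review bot: The rewritten `Patch001`/`Patch002` comments in the `@@ -10,19 +10,11 @@` hunk lose the provenance that the removed Patch002 entry carried (its bodhi link), so a reader now has to open each patch file to find out which upstream change it is. The new patch files record that in their own headers — the chunked-POST patch says `(cherry picked from commit 721941aadf4adf4f6aeb3f4c0ab489bb89610c36)` and `Fixes #13229` — so the spec could repeat it, e.g. `# fix chunked POST via callback regression (upstream #13229, cherry-pick of 721941aadf)`. The same applies to the `--compressed` patch entry, whose header (visible in the copy of that file deleted later on this page) cites upstream #13209/#13212 and commit b30d694a027eb771c02a3db0dee0ca03ccab7377. Keeping the upstream ids next to the `PatchNNN:` line is what lets the next rebase decide quickly whether a patch is already in the new tarball.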
@@ -254,7 +243,8 @@ export common_configure_opts=" \ --with-gssapi \ --with-libidn2 \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ + --with-zsh-functions-dir" %global _configure ../configure @@ -361,21 +351,12 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal cd build-full %make_install -# install zsh completion for curl -# (we have to override LD_LIBRARY_PATH because we eliminated rpath) -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ - %make_install -C scripts - # do not install /usr/share/fish/completions/curl.fish which is also installed # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la -# Don't install man for mk-ca-bundle it's upstream bug -# should be fixed in next release https://github.com/curl/curl/pull/12843 -rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* - %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal @@ -384,6 +365,7 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %doc CHANGES %doc README %doc docs/BUGS.md +%doc docs/DISTROS.md %doc docs/FAQ %doc docs/FEATURES.md %doc docs/TODO 
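Review bot: `--with-zsh-functions-dir` is added to `common_configure_opts` without a path, so where the zsh completion lands now depends on configure's default rather than on anything stated in the spec, and the `%files` entry that should own it is outside this view. Pinning it, e.g. `--with-zsh-functions-dir=%{_datadir}/zsh/site-functions` (the directory Fedora's zsh searches, as far as I know — verify against the zsh package), keeps the spec self-describing and turns a later upstream change of the default into a visible packaging conflict instead of a silently relocated file. This pairs with the `@@ -361,21 +351,12 @@` hunk below, which removes the manual `%make_install -C scripts` together with its `LD_LIBRARY_PATH` override and the comment explaining the override was needed because rpath was eliminated; if the completion is still generated by executing the freshly built curl at install time, it is worth confirming that the binary now resolves the just-built libcurl and not one from the build host.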
@@ -414,6 +396,17 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 27 2024 Jan Macku - 8.7.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-2004 - Usage of disabled protocol + CVE-2024-2379 - QUIC certificate check bypass with wolfSSL + CVE-2024-2398 - HTTP/2 push headers memory-leak + CVE-2024-2466 - TLS certificate check bypass with mbedTLS +- drop upstreamed patches +- reenable test 0313 +- fix zsh completions, use --with-zsh-functions-dir +- apply upstream patches for 8.7.1 issues and regressions + * Mon Feb 19 2024 Jan Macku - 8.6.0-7 - Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) diff --git a/sources b/sources index 9c9d4a1..9576bf7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.6.0.tar.xz) = 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036 -SHA512 (curl-8.6.0.tar.xz.asc) = 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f +SHA512 (curl-8.7.1.tar.xz) = 5bbde9d5648e9226f5490fa951690aaf159149345f3a315df2ba58b2468f3e59ca32e8a49734338afc861803a4f81caac6d642a4699b72c6310ebfb1f618aad2 +SHA512 (curl-8.7.1.tar.xz.asc) = f98c393997c4a32f545a8982226e8cd612395210915a4576c2ce227d0f650cff341be7bf15e989d1789abf32ac4fd9c190b9250b81e650b569e8532048746b37 From 24a6093c53e89bfe6f0084edfa4f47d033367fe1 Mon Sep 17 00:00:00 2001 
From: Jan Macku Date: Wed, 22 May 2024 12:44:18 +0200 Subject: [PATCH 059/108] new upstream release - 8.8.0 --- 0001-curl-8.7.1-fix-compressed-option.patch | 174 ------------------ 0001-curl-8.8.0-install-config-man.patch | 26 +++ ...-8.7.1-fix-chunked-POST-via-callback.patch | 69 ------- 0101-curl-7.32.0-multilib.patch | 119 ++++++------ 0102-curl-7.84.0-test3026.patch | 18 +- curl.spec | 13 +- sources | 4 +- 7 files changed, 104 insertions(+), 319 deletions(-) delete mode 100644 0001-curl-8.7.1-fix-compressed-option.patch create mode 100644 0001-curl-8.8.0-install-config-man.patch delete mode 100644 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch diff --git a/0001-curl-8.7.1-fix-compressed-option.patch b/0001-curl-8.7.1-fix-compressed-option.patch deleted file mode 100644 index dc2e720..0000000 --- a/0001-curl-8.7.1-fix-compressed-option.patch +++ /dev/null 
@@ -1,174 +0,0 @@ -From 8f1a06a9efe1048c7ad17af43ae7d4b26de8117e Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 28 Mar 2024 11:08:15 +0100 -Subject: [PATCH 1/2] content_encoding: brotli and others, pass through - 0-length writes - -- curl's transfer handling may write 0-length chunks at the end of the - download with an EOS flag. (HTTP/2 does this commonly) - -- content encoders need to pass-through such a write and not count this - as error in case they are finished decoding - -Fixes #13209 -Fixes #13212 -Closes #13219 - -(cherry picked from commit b30d694a027eb771c02a3db0dee0ca03ccab7377) -Signed-off-by: Jan Macku ---- - lib/content_encoding.c | 10 +++++----- - tests/http/test_02_download.py | 13 +++++++++++++ - tests/http/testenv/env.py | 7 ++++++- - tests/http/testenv/httpd.py | 20 ++++++++++++++++++++ - 4 files changed, 44 insertions(+), 6 deletions(-) - -diff --git a/lib/content_encoding.c b/lib/content_encoding.c -index c1abf24e8..8e926dd2e 100644 ---- a/lib/content_encoding.c -+++ b/lib/content_encoding.c -@@ -300,7 +300,7 @@ static CURLcode deflate_do_write(struct Curl_easy *data, - struct zlib_writer *zp = (struct zlib_writer *) writer; - z_stream *z = &zp->z; /* zlib state structure */ - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - /* Set the compressed input when this function is called */ -@@ -457,7 +457,7 @@ static CURLcode gzip_do_write(struct Curl_easy *data, - struct zlib_writer *zp = (struct zlib_writer *) writer; - z_stream *z = &zp->z; /* zlib state structure */ - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(zp->zlib_init == ZLIB_INIT_GZIP) { -@@ -669,7 +669,7 @@ static CURLcode brotli_do_write(struct Curl_easy *data, - CURLcode result = CURLE_OK; - BrotliDecoderResult r = BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT; - -- 
if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(!bp->br) -@@ -762,7 +762,7 @@ static CURLcode zstd_do_write(struct Curl_easy *data, - ZSTD_outBuffer out; - size_t errorCode; - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - if(!zp->decomp) { -@@ -916,7 +916,7 @@ static CURLcode error_do_write(struct Curl_easy *data, - (void) buf; - (void) nbytes; - -- if(!(type & CLIENTWRITE_BODY)) -+ if(!(type & CLIENTWRITE_BODY) || !nbytes) - return Curl_cwriter_write(data, writer->next, type, buf, nbytes); - - failf(data, "Unrecognized content encoding type. " -diff --git a/tests/http/test_02_download.py b/tests/http/test_02_download.py -index 4db9c9d36..395fc862f 100644 ---- a/tests/http/test_02_download.py -+++ b/tests/http/test_02_download.py -@@ -394,6 +394,19 @@ class TestDownload: - r = client.run(args=[url]) - r.check_exit_code(0) - -+ @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3']) -+ def test_02_28_get_compressed(self, env: Env, httpd, nghttpx, repeat, proto): -+ if proto == 'h3' and not env.have_h3(): -+ pytest.skip("h3 not supported") -+ count = 1 -+ urln = f'https://{env.authority_for(env.domain1brotli, proto)}/data-100k?[0-{count-1}]' -+ curl = CurlClient(env=env) -+ r = curl.http_download(urls=[urln], alpn_proto=proto, extra_args=[ -+ '--compressed' -+ ]) -+ r.check_exit_code(code=0) -+ r.check_response(count=count, http_status=200) -+ - def check_downloads(self, client, srcfile: str, count: int, - complete: bool = True): - for i in range(count): -diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py -index a207059dc..13c5d6bd4 100644 ---- a/tests/http/testenv/env.py -+++ b/tests/http/testenv/env.py -@@ -129,10 +129,11 @@ class EnvConfig: - self.htdocs_dir = os.path.join(self.gen_dir, 'htdocs') - self.tld = 'http.curl.se' - self.domain1 = 
f"one.{self.tld}" -+ self.domain1brotli = f"brotli.one.{self.tld}" - self.domain2 = f"two.{self.tld}" - self.proxy_domain = f"proxy.{self.tld}" - self.cert_specs = [ -- CertificateSpec(domains=[self.domain1, 'localhost'], key_type='rsa2048'), -+ CertificateSpec(domains=[self.domain1, self.domain1brotli, 'localhost'], key_type='rsa2048'), - CertificateSpec(domains=[self.domain2], key_type='rsa2048'), - CertificateSpec(domains=[self.proxy_domain, '127.0.0.1'], key_type='rsa2048'), - CertificateSpec(name="clientsX", sub_specs=[ -@@ -376,6 +377,10 @@ class Env: - def domain1(self) -> str: - return self.CONFIG.domain1 - -+ @property -+ def domain1brotli(self) -> str: -+ return self.CONFIG.domain1brotli -+ - @property - def domain2(self) -> str: - return self.CONFIG.domain2 -diff --git a/tests/http/testenv/httpd.py b/tests/http/testenv/httpd.py -index c04c22699..b8615875a 100644 ---- a/tests/http/testenv/httpd.py -+++ b/tests/http/testenv/httpd.py -@@ -50,6 +50,7 @@ class Httpd: - 'alias', 'env', 'filter', 'headers', 'mime', 'setenvif', - 'socache_shmcb', - 'rewrite', 'http2', 'ssl', 'proxy', 'proxy_http', 'proxy_connect', -+ 'brotli', - 'mpm_event', - ] - COMMON_MODULES_DIRS = [ -@@ -203,6 +204,7 @@ class Httpd: - - def _write_config(self): - domain1 = self.env.domain1 -+ domain1brotli = self.env.domain1brotli - creds1 = self.env.get_credentials(domain1) - domain2 = self.env.domain2 - creds2 = self.env.get_credentials(domain2) -@@ -285,6 +287,24 @@ class Httpd: - f'', - f'', - ]) -+ # Alternate to domain1 with BROTLI compression -+ conf.extend([ # https host for domain1, h1 + h2 -+ f'', -+ f' ServerName {domain1brotli}', -+ f' Protocols h2 http/1.1', -+ f' SSLEngine on', -+ f' SSLCertificateFile {creds1.cert_file}', -+ f' SSLCertificateKeyFile {creds1.pkey_file}', -+ f' DocumentRoot "{self._docs_dir}"', -+ f' SetOutputFilter BROTLI_COMPRESS', -+ ]) -+ conf.extend(self._curltest_conf(domain1)) -+ if domain1 in self._extra_configs: -+ 
conf.extend(self._extra_configs[domain1]) -+ conf.extend([ -+ f'', -+ f'', -+ ]) - conf.extend([ # https host for domain2, no h2 - f'', - f' ServerName {domain2}', --- -2.44.0 - diff --git a/0001-curl-8.8.0-install-config-man.patch b/0001-curl-8.8.0-install-config-man.patch new file mode 100644 index 0000000..74b13f0 --- /dev/null +++ b/0001-curl-8.8.0-install-config-man.patch @@ -0,0 +1,26 @@ +From 4cc5657247183a0bc3b0969beeaea9acddb09d22 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 22 May 2024 08:43:43 +0200 +Subject: [PATCH] docs/Makefile.am: make curl-config.1 install + +on "make install" like it should + +Follow-up to 60971d665b9b1df87082 + +Closes #13741 +--- + docs/Makefile.am | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/docs/Makefile.am b/docs/Makefile.am +index 83f5b0c461cc0f..e9ef6284860555 100644 +--- a/docs/Makefile.am ++++ b/docs/Makefile.am +@@ -28,6 +28,7 @@ if BUILD_DOCS + # if we disable man page building, ignore these + MK_CA_DOCS = mk-ca-bundle.1 + CURLCONF_DOCS = curl-config.1 ++man_MANS = curl-config.1 + endif + + CURLPAGES = curl-config.md mk-ca-bundle.md diff --git a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch b/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch deleted file mode 100644 index 5421984..0000000 --- a/0002-curl-8.7.1-fix-chunked-POST-via-callback.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 2c20a15717bd408ce225dd8707c1798136f084f5 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Mon, 1 Apr 2024 15:41:18 +0200 -Subject: [PATCH 2/2] http: with chunked POST forced, disable length check on - read callback - -- when an application forces HTTP/1.1 chunked transfer encoding - by setting the corresponding header and instructs curl to use - the CURLOPT_READFUNCTION, disregard any POST length information. -- this establishes backward compatibility with previous curl versions - -Applications are encouraged to not force "chunked", but rather -set length information for a POST. By setting -1, curl will -auto-select chunked on HTTP/1.1 and work properly on other HTTP -versions. - -Reported-by: Jeff King -Fixes #13229 -Closes #13257 - -(cherry picked from commit 721941aadf4adf4f6aeb3f4c0ab489bb89610c36) -Signed-off-by: Jan Macku ---- - lib/http.c | 22 ++++++++++++++++++++-- - 1 file changed, 20 insertions(+), 2 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index 92c04e69c..a764d3c44 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -2046,8 +2046,19 @@ static CURLcode set_reader(struct Curl_easy *data, Curl_HttpReq httpreq) - else - result = Curl_creader_set_null(data); - } -- else { /* we read the bytes from the callback */ -- result = Curl_creader_set_fread(data, postsize); -+ else { -+ /* we read the bytes from the callback. In case "chunked" encoding -+ * is forced by the application, we disregard `postsize`. This is -+ * a backward compatibility decision to earlier versions where -+ * chunking disregarded this. See issue #13229. */ -+ bool chunked = FALSE; -+ char *ptr = Curl_checkheaders(data, STRCONST("Transfer-Encoding")); -+ if(ptr) { -+ /* Some kind of TE is requested, check if 'chunked' is chosen */ -+ chunked = Curl_compareheader(ptr, STRCONST("Transfer-Encoding:"), -+ STRCONST("chunked")); -+ } -+ result = Curl_creader_set_fread(data, chunked? 
-1 : postsize); - } - return result; - -@@ -2115,6 +2126,13 @@ CURLcode Curl_http_req_set_reader(struct Curl_easy *data, - data->req.upload_chunky = - Curl_compareheader(ptr, - STRCONST("Transfer-Encoding:"), STRCONST("chunked")); -+ if(data->req.upload_chunky && -+ Curl_use_http_1_1plus(data, data->conn) && -+ (data->conn->httpversion >= 20)) { -+ infof(data, "suppressing chunked transfer encoding on connection " -+ "using HTTP version 2 or higher"); -+ data->req.upload_chunky = FALSE; -+ } - } - else { - curl_off_t req_clen = Curl_creader_total_length(data); --- -2.44.0 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 2edb7c8..f3636dc 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,81 +1,82 @@ -From dcc0efa441abace568e00bf930889da78356d041 Mon Sep 17 00:00:00 2001 +From f4e7b98fb25ff737af29908f3a2081cca9a73437 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 27 Mar 2024 10:16:03 +0100 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +Date: Wed, 22 May 2024 13:00:08 +0200 +Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script --- - curl-config.in | 23 +++++------------------ - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + + curl-config.in | 23 +++++------------------ + docs/curl-config.md | 4 +++- + libcurl.pc.in | 1 + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 54f92d9..15a60da 100644 +index 085bb1ef5..e4700260e 100644 --- a/curl-config.in 
+++ b/curl-config.in -@@ -78,7 +78,7 @@ while test $# -gt 0; do - ;; +@@ -73,7 +73,7 @@ while test "$#" -gt 0; do + ;; - --cc) -- echo "@CC@" -+ echo "gcc" - ;; + --cc) +- echo '@CC@' ++ echo "gcc" + ;; - --prefix) -@@ -157,32 +157,19 @@ while test $# -gt 0; do - ;; + --prefix) +@@ -153,16 +153,7 @@ while test "$#" -gt 0; do + ;; - --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then -- CURLLIBDIR="-L@libdir@ " -- else -- CURLLIBDIR="" -- fi -- if test "X@ENABLE_SHARED@" = "Xno"; then -- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ -- else -- echo ${CURLLIBDIR}-lcurl -- fi -+ echo -lcurl - ;; - --ssl-backends) - echo "@SSL_BACKENDS@" - ;; + --libs) +- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- CURLLIBDIR="-L@libdir@ " +- else +- CURLLIBDIR="" +- fi +- if test "X@ENABLE_SHARED@" = "Xno"; then +- echo "${CURLLIBDIR}-lcurl @LIBCURL_LIBS@" +- else +- echo "${CURLLIBDIR}-lcurl" +- fi ++ echo -lcurl + ;; - --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ -- else -- echo "curl was built with static libraries disabled" >&2 -- exit 1 -- fi -+ echo "curl was built with static libraries disabled" >&2 -+ exit 1 - ;; + --ssl-backends) +@@ -170,16 +161,12 @@ while test "$#" -gt 0; do + ;; - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; + --static-libs) +- if test "X@ENABLE_STATIC@" != "Xno" ; then +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ +- else +- echo 'curl was built with static libraries disabled' >&2 +- exit 1 +- fi ++ echo "curl was built with static libraries disabled" >&2 ++ exit 1 + ;; + + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; + + *) +diff --git a/docs/curl-config.md b/docs/curl-config.md +index d82725082..a79f816e2 100644 +--- a/docs/curl-config.md ++++ 
b/docs/curl-config.md +@@ -86,7 +86,9 @@ no, one or several names. If more than one name, they appear comma-separated. + ## --static-libs - *) -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 2d5617c..0d90aaa 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they appear comma\-separated. - (Added in 7.58.0) - .IP --static-libs Shows the complete set of libs and other linker options you need in order to -link your application with libcurl statically. (Added in 7.17.1) +link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP --version - Outputs version information about the installed libcurl. - .IP --vernum + + ## --version + diff --git a/libcurl.pc.in b/libcurl.pc.in -index 9db6b0f..dcac692 100644 +index 9db6b0f89..dcac6925a 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -31,6 +31,7 @@ libdir=@libdir@ @@ -87,5 +88,5 @@ index 9db6b0f..dcac692 100644 Name: libcurl URL: https://curl.se/ -- -2.44.0 +2.45.1 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 1098583..82f4642 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -1,7 +1,7 @@ -From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 27 Jun 2022 16:50:57 +0200 -Subject: [PATCH] test3026: disable valgrind +From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 22 May 2024 13:03:43 +0200 +Subject: [PATCH 2/2] test3026: disable valgrind It fails on x86_64 with: ``` @@ -39,7 +39,7 @@ It fails on x86_64 with: 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/data/test3026 b/tests/data/test3026 -index fb80cc8..01f2ba5 100644 +index ee9b30678..dd582c3e5 100644 --- a/tests/data/test3026 +++ b/tests/data/test3026 
@@ -41,5 +41,8 @@ none @@ -52,10 +52,10 @@ index fb80cc8..01f2ba5 100644 diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 43fe335..70cd7a4 100644 +index 7e914010e..39374f5bc 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c -@@ -147,8 +147,8 @@ int test(char *URL) +@@ -145,8 +145,8 @@ CURLcode test(char *URL) results[i] = CURL_LAST; /* initialize with invalid value */ res = pthread_create(&tids[i], NULL, run_thread, &results[i]); if(res) { @@ -64,8 +64,8 @@ index 43fe335..70cd7a4 100644 + fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", + __FILE__, __LINE__, i, res); tid_count = i; - test_failure = -1; + test_failure = (CURLcode)-1; goto cleanup; -- -2.37.1 +2.45.1 diff --git a/curl.spec b/curl.spec index 31141a4..8be220b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,6 +1,6 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.7.1 +Version: 8.8.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -10,11 +10,8 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix issue with --compressed option -Patch001: 0001-curl-8.7.1-fix-compressed-option.patch - -# fix chunked POST via callback regression -Patch002: 0002-curl-8.7.1-fix-chunked-POST-via-callback.patch +# install curl-config man page +Patch001: 0001-curl-8.8.0-install-config-man.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -396,6 +393,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 22 2024 Jan Macku - 8.8.0-1 +- new upstream release +- drop upstreamed patches + * Wed Mar 27 2024 Jan Macku - 8.7.1-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-2004 - Usage of disabled protocol 
diff --git a/sources b/sources index 9576bf7..d6dbc8c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.7.1.tar.xz) = 5bbde9d5648e9226f5490fa951690aaf159149345f3a315df2ba58b2468f3e59ca32e8a49734338afc861803a4f81caac6d642a4699b72c6310ebfb1f618aad2 -SHA512 (curl-8.7.1.tar.xz.asc) = f98c393997c4a32f545a8982226e8cd612395210915a4576c2ce227d0f650cff341be7bf15e989d1789abf32ac4fd9c190b9250b81e650b569e8532048746b37 +SHA512 (curl-8.8.0.tar.xz) = 9d2c0d3a0d8f6c31ba4fabe48f801910f886fde43dc198dc4213708d6967ed5e040a1bb7348aa1cb126577ee508a3ec36fe65256d027d861d6ffb70f6383967a +SHA512 (curl-8.8.0.tar.xz.asc) = 37b501770225dff6b1e7bde1157f556f10ec1c597fcbbb5c8b8c370efb97a3a70f585f2f5c201b96380d68466696474a5f65a07da59b704678d6927567d25359 From 781fa86ead65acd7063f1ae4a061f7d0e0f4f638 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Fri, 12 Jul 2024 08:06:48 +0100 Subject: [PATCH 060/108] adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine Added build condition for openssl_engine_support, true by default so as to not change the resulting built package (yet) - With openssl_engine_support true, BR: openssl-devel-engine - With openssl_engine_support false, build with -DOPENSSL_NO_ENGINE --- .gitignore | 2 ++ curl.spec | 23 ++++++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index e91a948..cd6f067 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +/curl-[0-9.]*.tar.lzma +/curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc /curl-[0-9].[0-9].[0-9]/ diff --git a/curl.spec b/curl.spec index 8be220b..57d36cb 100644 --- a/curl.spec +++ b/curl.spec 
@@ -1,7 +1,13 @@
+# OpenSSL ENGINE support
+# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41
+# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
+# Change the bcond to 0 to turn off ENGINE support by default
+%bcond openssl_engine_support 1
+
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 8.8.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -49,6 +55,9 @@ BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
 BuildRequires: openssl-devel
+%if %{with openssl_engine_support}
+BuildRequires: openssl-devel-engine
+%endif
 BuildRequires: perl-interpreter
 BuildRequires: pkgconfig
 BuildRequires: python-unversioned-command
@@ -125,6 +134,11 @@ BuildRequires: stunnel
 # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
 Requires: libcurl%{?_isa} >= %{version}-%{release}
 
+# Define OPENSSL_NO_ENGINE to avoid inclusion of
+%if %{without openssl_engine_support}
+%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE
+%endif
+
 # require at least the version of libnghttp2 that we were built against,
 # to ensure that we have the necessary symbols available (#2144277)
 %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0)
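Review bot: The comment introducing the `%if %{without openssl_engine_support}` block in the third hunk stops at `# Define OPENSSL_NO_ENGINE to avoid inclusion of` and never says what is being avoided (unless an angle-bracketed header name was lost in this rendering); suggest `# Define OPENSSL_NO_ENGINE so the deprecated OpenSSL ENGINE API is not compiled in`. The `%bcond openssl_engine_support 1` form in the first hunk relies on an rpm that understands `%bcond` with a default argument; if this spec is also built on older branches, `%bcond_without openssl_engine_support` is the portable spelling. I cannot see from these hunks what consumes `_preprocessor_defines`, so it is worth confirming that the macro actually reaches the compiler flags, otherwise the `without` path would silently build with ENGINE support still enabled.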
@@ -393,6 +407,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jul 12 2024 Paul Howarth - 8.8.0-2 +- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +- added build condition for openssl_engine_support, true by default so as to + not change the resulting built package (yet) +- with openssl_engine_support true, BR: openssl-devel-engine +- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE + * Wed May 22 2024 Jan Macku - 8.8.0-1 - new upstream release - drop upstreamed patches From ed1f78db34d5cf8e1aede9d6d2df5e1952d5c634 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 20:23:31 +0000 Subject: [PATCH 061/108] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 57d36cb..d665c95 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.8.0 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Fri Jul 12 2024 Paul Howarth - 8.8.0-2 - adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine - added build condition for openssl_engine_support, true by default so as to From 27557f07463358e21eb63d1502dc2a2b979b775e Mon Sep 17 00:00:00 2001 
From: Jan Macku Date: Wed, 24 Jul 2024 14:59:53 +0200 Subject: [PATCH 062/108] new upstream release - 8.9.0 --- 0001-curl-8.8.0-install-config-man.patch | 26 ------------------------ 0104-curl-7.88.0-tests-warnings.patch | 14 ++++++------- curl.spec | 13 +++++++----- sources | 4 ++-- 4 files changed, 17 insertions(+), 40 deletions(-) delete mode 100644 0001-curl-8.8.0-install-config-man.patch diff --git a/0001-curl-8.8.0-install-config-man.patch b/0001-curl-8.8.0-install-config-man.patch deleted file mode 100644 index 74b13f0..0000000 --- a/0001-curl-8.8.0-install-config-man.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 4cc5657247183a0bc3b0969beeaea9acddb09d22 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 22 May 2024 08:43:43 +0200 -Subject: [PATCH] docs/Makefile.am: make curl-config.1 install - -on "make install" like it should - -Follow-up to 60971d665b9b1df87082 - -Closes #13741 ---- - docs/Makefile.am | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/docs/Makefile.am b/docs/Makefile.am -index 83f5b0c461cc0f..e9ef6284860555 100644 ---- a/docs/Makefile.am -+++ b/docs/Makefile.am -@@ -28,6 +28,7 @@ if BUILD_DOCS - # if we disable man page building, ignore these - MK_CA_DOCS = mk-ca-bundle.1 - CURLCONF_DOCS = curl-config.1 -+man_MANS = curl-config.1 - endif - - CURLPAGES = curl-config.md mk-ca-bundle.md diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch index 04b2ba2..0977dee 100644 --- a/0104-curl-7.88.0-tests-warnings.patch +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -1,6 +1,6 @@ -From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 15 Feb 2023 10:42:38 +0100 +From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 24 Jul 2024 15:15:11 +0200 Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" While it might be useful for upstream developers, it is not so useful 
@@ -12,10 +12,10 @@ This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/runtests.pl b/tests/runtests.pl -index 71644ad18..0cf85c3fe 100755 +index 9cc9ef1..c9a1c5d 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl -@@ -55,8 +55,7 @@ +@@ -57,8 +57,7 @@ # given, this won't be a problem. use strict; @@ -23,8 +23,8 @@ index 71644ad18..0cf85c3fe 100755 -use warnings FATAL => 'all'; +use warnings; use 5.006; + use POSIX qw(strftime); - # These should be the only variables that might be needed to get edited: -- -2.39.1 +2.45.2 diff --git a/curl.spec b/curl.spec index d665c95..45436cc 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.8.0 -Release: 3%{?dist} +Version: 8.9.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,9 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# install curl-config man page -Patch001: 0001-curl-8.8.0-install-config-man.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -407,6 +404,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 24 2024 Jan Macku - 8.9.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-6874 - macidn punycode buffer overread + CVE-2024-6197 - freeing stack buffer in utf8asn1str +- drop upstreamed patches + * Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild diff --git a/sources b/sources index d6dbc8c..ba6559e 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.8.0.tar.xz) = 9d2c0d3a0d8f6c31ba4fabe48f801910f886fde43dc198dc4213708d6967ed5e040a1bb7348aa1cb126577ee508a3ec36fe65256d027d861d6ffb70f6383967a -SHA512 (curl-8.8.0.tar.xz.asc) = 37b501770225dff6b1e7bde1157f556f10ec1c597fcbbb5c8b8c370efb97a3a70f585f2f5c201b96380d68466696474a5f65a07da59b704678d6927567d25359 +SHA512 (curl-8.9.0.tar.xz) = 922c726cfa3a73954927a32f485248d7a53a3348638a6a01add1bc0a67a7d2ee9cdb7c78b6db84bb7e2fab9d2d5487a96d9071832198b63a86d2caaef85c9310 +SHA512 (curl-8.9.0.tar.xz.asc) = 44cc7053ac0fddcb5131e7806fcd793d70bd49c5549b2548bbcbe60fdf913f450e45861ff6497b30eb00fd84483302ff9b6c3aea6b66728d6e54dd7ffc388408 From 40967e47b5a847174d8c923ad219882036d03bf0 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 31 Jul 2024 09:47:16 +0200 Subject: [PATCH 063/108] new upstream release - 8.9.1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 45436cc..9ee3966 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.9.0 +Version: 8.9.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -404,6 +404,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 24 2024 Jan Macku - 8.9.1-1 +- new upstream release + * Wed Jul 24 2024 Jan Macku - 8.9.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-6874 - macidn punycode buffer overread diff --git a/sources b/sources index ba6559e..e35c435 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.9.0.tar.xz) = 922c726cfa3a73954927a32f485248d7a53a3348638a6a01add1bc0a67a7d2ee9cdb7c78b6db84bb7e2fab9d2d5487a96d9071832198b63a86d2caaef85c9310 -SHA512 (curl-8.9.0.tar.xz.asc) = 44cc7053ac0fddcb5131e7806fcd793d70bd49c5549b2548bbcbe60fdf913f450e45861ff6497b30eb00fd84483302ff9b6c3aea6b66728d6e54dd7ffc388408 +SHA512 (curl-8.9.1.tar.xz) = a0fe234402875db194aad4e4208b7e67e7ffc1562622eea90948d4b9b0122c95c3dde8bbe2f7445a687cb3de7cb09f20e5819d424570442d976aa4c913227fc7 +SHA512 (curl-8.9.1.tar.xz.asc) = 18acd58436d70900ab6912b84774da2c451b9dbfc83d6d00f85bbbe7894b67075918e58956fdb753fcc1486e4f10caa31139d7c68b037d7c83dc2e9c2fae9f9b From cc42129b020d949298d0b33be56d64c3b79cf096 Mon Sep 17 00:00:00 2001 From: voidanix Date: Mon, 5 Aug 2024 13:44:53 +0200 Subject: [PATCH 064/108] Add patch due to upstream curl-8.9.1 regression --- 0001-curl-8.9.1-sigpipe.patch | 32 ++++++++++++++++++++++++++++++++ curl.spec | 9 ++++++++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 0001-curl-8.9.1-sigpipe.patch diff --git a/0001-curl-8.9.1-sigpipe.patch b/0001-curl-8.9.1-sigpipe.patch new file mode 100644 index 0000000..f4f0346 --- /dev/null +++ b/0001-curl-8.9.1-sigpipe.patch 
@@ -0,0 +1,32 @@ +From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 5 Aug 2024 00:17:17 +0200 +Subject: [PATCH] sigpipe: init the struct so that first apply ignores + +Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after +init ignores the signal (unless CURLOPT_NOSIGNAL) is set. + +I have read the existing code multiple times now and I think it gets the +initial state reversed this missing to ignore. + +Regression from 17e6f06ea37136c36d27 + +Reported-by: Rasmus Thomsen +Fixes #14344 +Closes #14390 +--- + lib/sigpipe.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/sigpipe.h b/lib/sigpipe.h +index b91a2f51333956..d78afd905d3414 100644 +--- a/lib/sigpipe.h ++++ b/lib/sigpipe.h +@@ -39,6 +39,7 @@ struct sigpipe_ignore { + static void sigpipe_init(struct sigpipe_ignore *ig) + { + memset(ig, 0, sizeof(*ig)); ++ ig->no_signal = TRUE; + } + + /* diff --git a/curl.spec b/curl.spec index 9ee3966..174562f 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.9.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,10 @@ Patch102: 0102-curl-7.84.0-test3026.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch +# Fix crashes with transmission due to SIGPIPE +# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970 +Patch001: 0001-curl-8.9.1-sigpipe.patch + Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} 
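Review bot: The new `Patch001` in the curl.spec hunk is declared after `Patch104`, whereas the earlier `0001-`/`0002-` upstream backports in this series were grouped before `Patch101`; keeping the low-numbered backports together makes it obvious which patches are expected to disappear on the next rebase. Depending on how the patches are applied (not visible here), declaration order versus tag number may also affect application order, so the grouping is worth restoring. The comment `# Fix crashes with transmission due to SIGPIPE` is ambiguous because `transmission` reads as a common noun; if it refers to the Transmission client, say so, e.g. `# Fix SIGPIPE crashes in applications such as Transmission (upstream regression in 8.9.1)`.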
@@ -404,6 +408,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Aug 5 2024 voidanix - 8.9.1-2 +- Apply SIGPIPE-related patch due to upstream regression + * Wed Jul 24 2024 Jan Macku - 8.9.1-1 - new upstream release From 25bb999ab6de05c3cfe0d2fcd99ecc58da092e7b Mon Sep 17 00:00:00 2001 From: Jacek Migacz Date: Wed, 21 Aug 2024 18:04:41 +0200 Subject: [PATCH 065/108] Retire depricated ntlm-wb configure option --- curl.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 174562f..8aaa2b2 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.9.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -271,7 +271,6 @@ export common_configure_opts=" \ --disable-ldaps \ --disable-mqtt \ --disable-ntlm \ - --disable-ntlm-wb \ --disable-pop3 \ --disable-rtsp \ --disable-smb \ @@ -296,7 +295,6 @@ export common_configure_opts=" \ --enable-ldaps \ --enable-mqtt \ --enable-ntlm \ - --enable-ntlm-wb \ --enable-pop3 \ --enable-rtsp \ --enable-smb \ @@ -408,6 +406,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 +- Retire depricated ntlm-wb configure option + * Mon Aug 5 2024 voidanix - 8.9.1-2 - Apply SIGPIPE-related patch due to upstream regression From 8669cc07274c3121030e182bfdb8acd2b2973dca Mon Sep 17 00:00:00 2001 
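Review bot: The new changelog line `- Retire depricated ntlm-wb configure option` carries a typo (`depricated` should be `deprecated`), and the same misspelling is in the commit subject. The removal of `--disable-ntlm-wb` and `--enable-ntlm-wb` from both configure option sets is presumably because upstream no longer accepts the option, but neither a spec comment nor the commit message says which upstream version dropped it; stating that in the changelog entry would spare the next rebase a search.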
From: Jan Macku Date: Wed, 11 Sep 2024 09:13:07 +0200 Subject: [PATCH 066/108] new upstream release - 8.10.0 --- 0001-curl-8.9.1-sigpipe.patch | 32 ------------------------------- 0101-curl-7.32.0-multilib.patch | 34 ++++++++++++++++----------------- curl.spec | 13 ++++++------- sources | 4 ++-- 4 files changed, 25 insertions(+), 58 deletions(-) delete mode 100644 0001-curl-8.9.1-sigpipe.patch diff --git a/0001-curl-8.9.1-sigpipe.patch b/0001-curl-8.9.1-sigpipe.patch deleted file mode 100644 index f4f0346..0000000 --- a/0001-curl-8.9.1-sigpipe.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 5 Aug 2024 00:17:17 +0200 -Subject: [PATCH] sigpipe: init the struct so that first apply ignores - -Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after -init ignores the signal (unless CURLOPT_NOSIGNAL) is set. - -I have read the existing code multiple times now and I think it gets the -initial state reversed this missing to ignore. - -Regression from 17e6f06ea37136c36d27 - -Reported-by: Rasmus Thomsen -Fixes #14344 -Closes #14390 ---- - lib/sigpipe.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/sigpipe.h b/lib/sigpipe.h -index b91a2f51333956..d78afd905d3414 100644 ---- a/lib/sigpipe.h -+++ b/lib/sigpipe.h -@@ -39,6 +39,7 @@ struct sigpipe_ignore { - static void sigpipe_init(struct sigpipe_ignore *ig) - { - memset(ig, 0, sizeof(*ig)); -+ ig->no_signal = TRUE; - } - - /* diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index f3636dc..8cada87 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From f4e7b98fb25ff737af29908f3a2081cca9a73437 Mon Sep 17 00:00:00 2001 +From da51b3d89a33fb3a1cbc5dd5faebc4ee18bbcc46 Mon Sep 17 00:00:00 2001 
From: Jan Macku -Date: Wed, 22 May 2024 13:00:08 +0200 -Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script +Date: Wed, 11 Sep 2024 09:21:25 +0200 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,19 +10,19 @@ Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 085bb1ef5..e4700260e 100644 +index 294e083..df41899 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -73,7 +73,7 @@ while test "$#" -gt 0; do +@@ -75,7 +75,7 @@ while test "$#" -gt 0; do ;; --cc) - echo '@CC@' -+ echo "gcc" ++ echo 'gcc' ;; --prefix) -@@ -153,16 +153,7 @@ while test "$#" -gt 0; do +@@ -155,16 +155,7 @@ while test "$#" -gt 0; do ;; --libs) @@ -32,25 +32,25 @@ index 085bb1ef5..e4700260e 100644 - CURLLIBDIR="" - fi - if test "X@ENABLE_SHARED@" = "Xno"; then -- echo "${CURLLIBDIR}-lcurl @LIBCURL_LIBS@" +- echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${CURLLIBDIR}-lcurl" - fi -+ echo -lcurl ++ echo '-lcurl' ;; --ssl-backends) -@@ -170,16 +161,12 @@ while test "$#" -gt 0; do +@@ -172,16 +163,12 @@ while test "$#" -gt 0; do ;; --static-libs) - if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@ - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 - fi -+ echo "curl was built with static libraries disabled" >&2 ++ echo 'curl was built with static libraries disabled' >&2 + exit 1 ;; @@ -61,10 +61,10 @@ index 085bb1ef5..e4700260e 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index d82725082..a79f816e2 100644 +index 4dfaab6..f4e847e 100644 --- a/docs/curl-config.md 
+++ b/docs/curl-config.md -@@ -86,7 +86,9 @@ no, one or several names. If more than one name, they appear comma-separated. +@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. ## --static-libs Shows the complete set of libs and other linker options you need in order to @@ -76,10 +76,10 @@ index d82725082..a79f816e2 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 9db6b0f89..dcac6925a 100644 +index 8f6f9b4..f69815c 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -31,6 +31,7 @@ libdir=@libdir@ +@@ -28,6 +28,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" @@ -88,5 +88,5 @@ index 9db6b0f89..dcac6925a 100644 Name: libcurl URL: https://curl.se/ -- -2.45.1 +2.46.0 diff --git a/curl.spec b/curl.spec index 8aaa2b2..93942f0 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.9.1 -Release: 3%{?dist} +Version: 8.10.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,10 +25,6 @@ Patch102: 0102-curl-7.84.0-test3026.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch -# Fix crashes with transmission due to SIGPIPE -# https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970 -Patch001: 0001-curl-8.9.1-sigpipe.patch - Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -372,7 +368,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES +%doc CHANGES.md %doc README %doc docs/BUGS.md %doc docs/DISTROS.md 
@@ -406,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 11 2024 Jan Macku - 8.10.0-1 +- new upstream release + * Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 - Retire depricated ntlm-wb configure option diff --git a/sources b/sources index e35c435..9865b71 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.9.1.tar.xz) = a0fe234402875db194aad4e4208b7e67e7ffc1562622eea90948d4b9b0122c95c3dde8bbe2f7445a687cb3de7cb09f20e5819d424570442d976aa4c913227fc7 -SHA512 (curl-8.9.1.tar.xz.asc) = 18acd58436d70900ab6912b84774da2c451b9dbfc83d6d00f85bbbe7894b67075918e58956fdb753fcc1486e4f10caa31139d7c68b037d7c83dc2e9c2fae9f9b +SHA512 (curl-8.10.0.tar.xz) = 055277695ea242fcb0bf26ca6c4867a385cd578cd73ed4c5c4a020233248044c1ecaebcbaeaac47d3ffe07a41300ea5fc86396d7e812137cf75ed3e1b54ca5b2 +SHA512 (curl-8.10.0.tar.xz.asc) = 3d3ece14008facc373cd715d46eeb523bb17a701df3b1839f0774847692613a9472d3e7a60ba814846bbc8e8e4f17c81a1f1355e1c9eebef244b7cd00e0f6fb8 From 67e25e1742ad1cbb538297a9287901e14870ca03 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 18 Sep 2024 09:45:38 +0200 Subject: [PATCH 067/108] new upstream release - 8.10.1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 93942f0..90d611d 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.10.0 +Version: 8.10.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz @@ -402,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 18 2024 Jan Macku - 8.10.1-1 +- new upstream release + * Wed Sep 11 2024 Jan Macku - 8.10.0-1 - new upstream release diff --git a/sources b/sources index 9865b71..c221532 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.10.0.tar.xz) = 055277695ea242fcb0bf26ca6c4867a385cd578cd73ed4c5c4a020233248044c1ecaebcbaeaac47d3ffe07a41300ea5fc86396d7e812137cf75ed3e1b54ca5b2 -SHA512 (curl-8.10.0.tar.xz.asc) = 3d3ece14008facc373cd715d46eeb523bb17a701df3b1839f0774847692613a9472d3e7a60ba814846bbc8e8e4f17c81a1f1355e1c9eebef244b7cd00e0f6fb8 +SHA512 (curl-8.10.1.tar.xz) = f1c7a12492dcfb8ba08be69b96a83ce9074592cbaa6b95c72b3c16fc58ad35e9f9deec7b72baca7d360d013b0b1c7ea38bd4edae464903ac67aa3c76238d8c6c +SHA512 (curl-8.10.1.tar.xz.asc) = 21d6d560c027efc9e3e5db182a77501d6376442221ba910df817e2ec980bee44a9fe2afc698205f8d5e8313ae47915a341d60206a46b46e816d73ee357a894ac From 1268eeab81c68b229828d0a19c1992f939728f11 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 24 Sep 2024 13:37:40 +0200 Subject: [PATCH 068/108] spec: use tls-ca-bundle.pem instead of ca-bundle.crt Resolves: #2313564 --- curl.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 90d611d..0cfbaa8 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.10.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -251,7 +251,7 @@ export common_configure_opts=" \ --with-gssapi \ --with-libidn2 \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ --with-zsh-functions-dir" %global _configure ../configure @@ -402,6 +402,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Sep 24 2024 Jan Macku - 8.10.1-2 +- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) + * Wed Sep 18 2024 Jan Macku - 8.10.1-1 - new upstream release 
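Review bot: The `--with-ca-bundle` change in the `common_configure_opts` hunk bakes `%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` into libcurl as the default trust store, but the spec gets no comment explaining why the previous `ca-bundle.crt` path was replaced; add above that line `# use the extracted system trust store directly instead of the legacy ca-bundle.crt compatibility symlink (#2313564)`. That file is generated at runtime by the trust-store tooling, so libcurl needs a runtime dependency on the package that provides it; no `Requires:` is visible in this commit, so confirm one already exists rather than relying on the file being present by accident. The `export common_configure_opts=` assignment starts before this hunk.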
From d92476d332b446e871f74225c987968021a5c526 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 29 Sep 2024 16:03:18 +0200 Subject: [PATCH 069/108] Move the autoreconf invocation to %build section The %prep section is supposed to extract and possibly patch the sources. In particular, the code provided by the package should not be called here, but only in %build section. This keeps %prep quick and allows the code provided by upstream to be inspected before running it. Also drop space after the redirection operator to match the style elsewhere in the spec file. Having symmetrical whitespace around the operator makes it look like a binary operator, which it very much is not. --- curl.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index 0cfbaa8..0c2163c 100644 --- a/curl.spec +++ b/curl.spec @@ -214,7 +214,7 @@ be installed. # disable test 1801 # -printf "1801\n" >> tests/data/DISABLED +printf "1801\n" >>tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -234,10 +234,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) +%build # regenerate the configure script and Makefile.in files autoreconf -fiv -%build mkdir build-{full,minimal} export common_configure_opts=" \ --cache-file=../config.cache \ From e685607ffd9adf33f28101db012be952b5196072 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 29 Sep 2024 16:10:22 +0200 Subject: [PATCH 070/108] Make curl-config arch-independent The final /usr/bin/curl-config file had a comment like "prefix=/usr # used in /usr/lib64" or "prefix=/usr # used in /usr/lib", depending on the arch. This causes the following error on upgrades from f40 for people who have both libcurl-devel.i686 and libcurl-devel.x86_64 installed: Transaction failed: Rpm transaction failed. - file /usr/bin/curl-config conflicts between attempted installs of libcurl-devel-8.9.1-2.fc41.i686 and libcurl-devel-8.9.1-2.fc41.x86_64 The comment is actually not useful at all after the variable is expanded, since it's not clear what is meant by "used in /usr/lib64". Just drop it. With this change, the packages are constinstallable again. --- curl.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/curl.spec b/curl.spec index 0c2163c..3c25207 100644 --- a/curl.spec +++ b/curl.spec @@ -234,6 +234,10 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) +# avoid unnecessary arch-dependent line in the processed file +sed -e '/# Used in @libdir@/d' \ + -i curl-config.in + %build # regenerate the configure script and Makefile.in files autoreconf -fiv From 44fdfebea17b606fc56b5d0656c982a7a528f366 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 6 Nov 2024 10:06:18 +0100 Subject: [PATCH 071/108] new upstream release - 8.11.0 --- .gitignore | 2 +- 0101-curl-7.32.0-multilib.patch | 20 ++++++++++---------- curl.spec | 9 +++++++-- sources | 4 ++-- 4 files changed, 20 insertions(+), 15 deletions(-) diff --git a/.gitignore b/.gitignore index cd6f067..9bb4285 100644 --- a/.gitignore +++ b/.gitignore @@ -2,5 +2,5 @@ /curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc -/curl-[0-9].[0-9].[0-9]/ +/curl-[0-9]*.[0-9]*.[0-9]*/ /*.src.rpm diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 8cada87..8f3fd08 100644 
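Review bot: `sed -e '/# Used in @libdir@/d' -i curl-config.in` exits 0 whether or not the pattern matches, so if upstream rewords or drops that comment the edit becomes a silent no-op and the arch-dependent line — and the multilib file conflict this commit fixes — comes back unnoticed. Make the build fail loudly instead by asserting the pattern is present on the line before the sed, `grep -q '# Used in @libdir@' curl-config.in`; rpm runs `%prep` under `sh -e`, so a non-match aborts the build. The `%prep` section begins before this hunk.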
--- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From da51b3d89a33fb3a1cbc5dd5faebc4ee18bbcc46 Mon Sep 17 00:00:00 2001 +From fa6477b901ca866a52db18a818975479f2144928 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 11 Sep 2024 09:21:25 +0200 +Date: Wed, 6 Nov 2024 13:25:10 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 294e083..df41899 100644 +index 2dc40ed..9fb1a33 100644 --- a/curl-config.in +++ b/curl-config.in @@ -75,7 +75,7 @@ while test "$#" -gt 0; do @@ -26,12 +26,12 @@ index 294e083..df41899 100644 ;; --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then - CURLLIBDIR="-L@libdir@ " - else -- CURLLIBDIR="" +- CURLLIBDIR='' - fi -- if test "X@ENABLE_SHARED@" = "Xno"; then +- if test 'X@ENABLE_SHARED@' = 'Xno'; then - echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${CURLLIBDIR}-lcurl" @@ -44,8 +44,8 @@ index 294e083..df41899 100644 ;; --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@ +- if test 'X@ENABLE_STATIC@' != 'Xno'; then +- echo "@libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 8f6f9b4..f69815c 100644 +index 4c60a7e..9fd935a 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index 8f6f9b4..f69815c 100644 Name: libcurl URL: https://curl.se/ -- -2.46.0 +2.47.0 diff --git a/curl.spec b/curl.spec index 3c25207..80243c8 100644 --- a/curl.spec 
+++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.10.1 -Release: 2%{?dist} +Version: 8.11.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -97,6 +97,7 @@ BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) +BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) BuildRequires: perl(List::Util) BuildRequires: perl(Memoize) @@ -406,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Nov 06 2024 Jan Macku - 8.11.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-9681 - HSTS subdomain overwrites parent cache entry + * Tue Sep 24 2024 Jan Macku - 8.10.1-2 - Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) diff --git a/sources b/sources index c221532..f45b6fe 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.10.1.tar.xz) = f1c7a12492dcfb8ba08be69b96a83ce9074592cbaa6b95c72b3c16fc58ad35e9f9deec7b72baca7d360d013b0b1c7ea38bd4edae464903ac67aa3c76238d8c6c -SHA512 (curl-8.10.1.tar.xz.asc) = 21d6d560c027efc9e3e5db182a77501d6376442221ba910df817e2ec980bee44a9fe2afc698205f8d5e8313ae47915a341d60206a46b46e816d73ee357a894ac +SHA512 (curl-8.11.0.tar.xz) = 3a642d421e0a5c09ecb681bea18498f2c6124e9af4d8afdc074dfb85a9b0211d8972ade9cf00ab44b5dfed9303262cd83551dd3b5e0976d11fc19da3c4a0987e +SHA512 (curl-8.11.0.tar.xz.asc) = 71073dde48e8f0013e392eb88bf70f6b8a4a4f0c955a3fb56db98e74aa10acc1004e2a0483f30be082e61b59a76fa75ae1d90545ace7c6b07bca8164078375f0 From 0e038361ddf5965bd02544323cab07570e4281f6 Mon Sep 17 00:00:00 2001 
From: Yaakov Selkowitz Date: Wed, 6 Nov 2024 13:13:17 -0500 Subject: [PATCH 072/108] Disable engine support on RHEL 10+ RHEL 10 does not provide the engine header at all. Also, restore compatibility with earlier versions which do not have a separate subpackage for the engine header. --- curl.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 80243c8..ba56d35 100644 --- a/curl.spec +++ b/curl.spec @@ -2,12 +2,12 @@ # This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 # https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine # Change the bcond to 0 to turn off ENGINE support by default -%bcond openssl_engine_support 1 +%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -52,7 +52,7 @@ BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server BuildRequires: openssl-devel -%if %{with openssl_engine_support} +%if %{with openssl_engine_support} && 0%{?fedora} >= 41 BuildRequires: openssl-devel-engine %endif BuildRequires: perl-interpreter @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 +- Disable engine support on RHEL 10+ + * Wed Nov 06 2024 Jan Macku - 8.11.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-9681 - HSTS subdomain overwrites parent cache entry From f200f97c286a92379a9a67ca6787d95a8e6e037c Mon Sep 17 00:00:00 2001 
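Review bot: The comment directly above the changed `%bcond` line still says `Change the bcond to 0 to turn off ENGINE support by default`, but the default is now the expression `%[%{defined fedora} || 0%{?rhel} < 10]`, so the instruction no longer describes the code. Reword it to state the policy, e.g. `# ENGINE support is on by default on Fedora and on RHEL < 10; RHEL 10 ships no engine header`. Note also that on a build host defining neither `fedora` nor `rhel` the expression reduces to `0 < 10` and enables engine support, while the `BuildRequires: openssl-devel-engine` guard in the second hunk is limited to `0%{?fedora} >= 41`; that combination is probably intended, but one clause in the comment would make it explicit.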
From: Jan Macku Date: Wed, 11 Dec 2024 15:02:18 +0100 Subject: [PATCH 073/108] new upstream release - 8.11.1 --- 0101-curl-7.32.0-multilib.patch | 12 ++++----- 0105-curl-8.11.1-test616.patch | 48 +++++++++++++++++++++++++++++++++ curl.spec | 11 ++++++-- sources | 4 +-- 4 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 0105-curl-8.11.1-test616.patch diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 8f3fd08..aec4fda 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From fa6477b901ca866a52db18a818975479f2144928 Mon Sep 17 00:00:00 2001 +From 7efcd412447fc41bded2f9621edf0ab4701c9b14 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 6 Nov 2024 13:25:10 +0100 +Date: Wed, 11 Dec 2024 09:28:12 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 2dc40ed..9fb1a33 100644 +index e89c256..9fb1a33 100644 --- a/curl-config.in +++ b/curl-config.in @@ -75,7 +75,7 @@ while test "$#" -gt 0; do @@ -45,7 +45,7 @@ index 2dc40ed..9fb1a33 100644 --static-libs) - if test 'X@ENABLE_STATIC@' != 'Xno'; then -- echo "@libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@" +- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 - exit 1 @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index 4c60a7e..9fd935a 100644 +index c0ba524..f3645e1 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index 4c60a7e..9fd935a 100644 Name: libcurl URL: https://curl.se/ -- -2.47.0 +2.47.1 
diff --git a/0105-curl-8.11.1-test616.patch b/0105-curl-8.11.1-test616.patch new file mode 100644 index 0000000..91bde80 --- /dev/null +++ b/0105-curl-8.11.1-test616.patch 
@@ -0,0 +1,48 @@ +From 82baec8c7cd40361585d8793dfe4531f7aad30e3 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 11 Dec 2024 13:16:12 +0100 +Subject: [PATCH] test616: disable valgrind + +Valgrind disable was removed in upstream in https://github.com/curl/curl/commit/c91c37b6e87ceee760b7bb334c8e97e03ee93e93#diff-e01fd8774cf5b26329c7dc7dc03ec49745469205f3d501ced72c9d133455d5e7L35 +But test 616 is still failing under valgrind, so disable valgrind for this test. + +``` + valgrind ERROR ==188588== 144 bytes in 1 blocks are definitely lost in loss record 1 of 1 +==188588== at 0x484B133: calloc (vg_replace_malloc.c:1675) +==188588== by 0x4BB7575: ??? (in /usr/lib64/libssh.so.4.10.1) +==188588== by 0x4BB8CC6: sftp_fstat (in /usr/lib64/libssh.so.4.10.1) +==188588== by 0x48EEAFB: myssh_statemach_act (libssh.c:1610) +==188588== by 0x48F1B9D: myssh_multi_statemach.lto_priv.0 (libssh.c:2095) +==188588== by 0x48BA971: UnknownInlinedFun (multi.c:1643) +==188588== by 0x48BA971: UnknownInlinedFun (multi.c:2314) +==188588== by 0x48BA971: multi_runsingle (multi.c:2768) +==188588== by 0x48BCCA4: curl_multi_perform (multi.c:3016) +==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:701) +==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:796) +==188588== by 0x4884E4A: curl_easy_perform (easy.c:815) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:2902) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3127) +==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3249) +==188588== by 0x10C12B: main (tool_main.c:271) +==188588== +``` +--- + tests/data/test616 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/data/test616 b/tests/data/test616 +index f76c68a..0ebc734 100644 +--- a/tests/data/test616 ++++ b/tests/data/test616 +@@ -32,5 +32,8 @@ SFTP retrieval of empty file + # + # Verify data after the test has been "shot" + ++ ++disable ++ + + +-- +2.47.1 + diff --git a/curl.spec b/curl.spec index ba56d35..9b1c4c8 100644 --- a/curl.spec 
+++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.11.0 -Release: 2%{?dist} +Version: 8.11.1 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -25,6 +25,9 @@ Patch102: 0102-curl-7.84.0-test3026.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch +# test616: disable valgrind +Patch105: 0105-curl-8.11.1-test616.patch + Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -407,6 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Dec 11 2024 Jan Macku - 8.11.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-11053 - netrc and redirect credential leak + * Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 - Disable engine support on RHEL 10+ diff --git a/sources b/sources index f45b6fe..91c8f05 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.11.0.tar.xz) = 3a642d421e0a5c09ecb681bea18498f2c6124e9af4d8afdc074dfb85a9b0211d8972ade9cf00ab44b5dfed9303262cd83551dd3b5e0976d11fc19da3c4a0987e -SHA512 (curl-8.11.0.tar.xz.asc) = 71073dde48e8f0013e392eb88bf70f6b8a4a4f0c955a3fb56db98e74aa10acc1004e2a0483f30be082e61b59a76fa75ae1d90545ace7c6b07bca8164078375f0 +SHA512 (curl-8.11.1.tar.xz) = 7c7c47a49505575b610c56b455f0919ea5082a993bf5483eeb258ead167aadb87078d626b343b417dcfc5439c53556425c8fb4fe3b01b53a87b47c01686a3e57 +SHA512 (curl-8.11.1.tar.xz.asc) = c09bedb67e83fb8ca3ad73c5bd0d92fed7fc2c26dbe5a71cccb193fd151c7219713241a9fe74baefcd1d008cfafba78142bf04cec24dd4a88d67179184d35824 From 60dca4fc329daf8e5799357a68fe1ff41cffb13a Mon Sep 17 00:00:00 2001 
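Review bot: The comment `# test616: disable valgrind` above `Patch105:` says what the patch does but not why, and the valgrind trace quoted in the patch body attributes the definitely-lost block to `sftp_fstat` inside `libssh.so.4.10.1`, not to curl, so this disable masks a third-party leak rather than a curl one. Record that so the patch can be retired when libssh is fixed, e.g. `# test616: disable valgrind; the leak is in libssh's sftp_fstat (trace in the patch), revisit after a libssh update`. The patch file itself is added in the previous hunk of this commit.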
From: Paul Howarth Date: Sun, 15 Dec 2024 12:05:17 +0000 Subject: [PATCH 074/108] Add rpmlintrc --- curl.rpmlintrc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 curl.rpmlintrc diff --git a/curl.rpmlintrc b/curl.rpmlintrc new file mode 100644 index 0000000..022a98e --- /dev/null +++ b/curl.rpmlintrc @@ -0,0 +1,15 @@ +# Intentional stuff we're not concerned about +addFilter("unversioned-explicit-provides webclient") +addFilter("package-with-huge-docs") +addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4") + +# This is just plain wrong (%_configure redefinition) +addFilter("configure-without-libdir-spec") + +# Technical term +addFilter("E: spelling-error \('kerberos',") + +# Artefacts of RemovePathPostfixes: .minimal +addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal") +#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal") +#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal") From 348d650b12c9787af9669f6a985f57cf3ccdc18c Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sun, 15 Dec 2024 12:06:23 +0000 Subject: [PATCH 075/108] Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) - https://github.com/curl/curl/issues/15725 - https://github.com/curl/curl/pull/15727 --- 0001-curl-8.11.1-eventfd.patch | 31 +++++++++++++++++++++++++++++++ curl.spec | 15 +++++++++++++-- 2 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 0001-curl-8.11.1-eventfd.patch diff --git a/0001-curl-8.11.1-eventfd.patch b/0001-curl-8.11.1-eventfd.patch new file mode 100644 index 0000000..3960452 --- /dev/null +++ b/0001-curl-8.11.1-eventfd.patch 
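Review bot: `addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")` silences a crypto-policy finding under the blanket heading `# Intentional stuff we're not concerned about`, with no reason specific to it. A suppression of that class deserves its own one-line justification so a later audit can check it still holds, e.g. `# crypto-policy-non-compliance: [reason libcurl's explicit cipher-list handling is acceptable]` on the line above it — the page gives no reason, so fill in the actual one. The two commented-out `dangling-relative-symlink` / `invalid-ldconfig-symlink` filters at the end should likewise say whether they are retired or still being evaluated, or be removed.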
@@ -0,0 +1,31 @@ +From 17c06b1ed19147d9e641ad5bcd672e8bce451b46 Mon Sep 17 00:00:00 2001 +From: Andy Pan +Date: Thu, 12 Dec 2024 12:48:56 +0000 +Subject: [PATCH] async-thread: avoid closing eventfd twice + +When employing eventfd for socketpair, there is only one file +descriptor. Closing that fd twice might result in fd corruption. +Thus, we should avoid closing the eventfd twice, following the +pattern in lib/multi.c. + +Fixes #15725 +--- + lib/asyn-thread.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c +index a58e4b790494ab..32d496b107cb0a 100644 +--- a/lib/asyn-thread.c ++++ b/lib/asyn-thread.c +@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) + * close one end of the socket pair (may be done in resolver thread); + * the other end (for reading) is always closed in the parent thread. + */ ++#ifndef USE_EVENTFD + if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { + wakeup_close(tsd->sock_pair[1]); + } ++#endif + #endif + memset(tsd, 0, sizeof(*tsd)); + } diff --git a/curl.spec b/curl.spec index 9b1c4c8..beca484 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -16,6 +16,12 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Fix crash with Unexpected error 9 on netlink descriptor 10 +# https://bugzilla.redhat.com/show_bug.cgi?id=2332350 +# https://github.com/curl/curl/issues/15725 +# https://github.com/curl/curl/pull/15727 +Patch1: 0001-curl-8.11.1-eventfd.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
@@ -410,6 +416,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Sun Dec 15 2024 Paul Howarth - 8.11.1-2 +- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) + - https://github.com/curl/curl/issues/15725 + - https://github.com/curl/curl/pull/15727 + * Wed Dec 11 2024 Jan Macku - 8.11.1-1 - new upstream release, which fixes the following vulnerabilities CVE-2024-11053 - netrc and redirect credential leak @@ -431,7 +442,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la - new upstream release * Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 -- Retire depricated ntlm-wb configure option +- Retire deprecated ntlm-wb configure option * Mon Aug 5 2024 voidanix - 8.9.1-2 - Apply SIGPIPE-related patch due to upstream regression From 84d98cb3c36ac812ecac40f056283c94a3be0f03 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 15:05:19 +0000 Subject: [PATCH 076/108] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index beca484..ef932e9 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -416,6 +416,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Sun Dec 15 2024 Paul Howarth - 8.11.1-2 - Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) - https://github.com/curl/curl/issues/15725 From dbdb66e32ef7a74430edc9f27487a980b933f36b Mon Sep 17 00:00:00 2001 
From: Jan Macku Date: Fri, 31 Jan 2025 15:01:32 +0100 Subject: [PATCH 077/108] TLS: check connection for SSL use, not handler Resolves: #2324130 --- ...k-connection-for-SSL-use-not-handler.patch | 227 ++++++++++++++++++ curl.spec | 8 +- 2 files changed, 234 insertions(+), 1 deletion(-) create mode 100644 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch diff --git a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch new file mode 100644 index 0000000..9000c48 --- /dev/null +++ b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch 
@@ -0,0 +1,227 @@ +From b876aeb3f5d5c6539102f0575c0ec1d116388337 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 17 Jan 2025 11:57:00 +0100 +Subject: [PATCH] TLS: check connection for SSL use, not handler + +Protocol handler option PROTOPT_SSL is used to setup a connection +filters. Once that is done, used `Curl_conn_is_ssl()` to check if +a connection uses SSL. + +There may be other reasons to add SSL to a connection, e.g. starttls. + +Closes #16034 + +(cherry picked from commit 25b445e4796bcbf9f842de686a8c384b30f6c2a2) +--- + lib/cf-socket.c | 2 +- + lib/ftp.c | 2 +- + lib/http.c | 8 ++++---- + lib/http_negotiate.c | 3 ++- + lib/imap.c | 2 +- + lib/ldap.c | 3 ++- + lib/openldap.c | 2 +- + lib/pop3.c | 2 +- + lib/smb.c | 2 +- + lib/smtp.c | 2 +- + lib/url.c | 12 ++++++------ + 11 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/lib/cf-socket.c b/lib/cf-socket.c +index 497a3b965..de0c8a3ba 100644 +--- a/lib/cf-socket.c ++++ b/lib/cf-socket.c +@@ -1282,7 +1282,7 @@ static int do_connect(struct Curl_cfilter *cf, struct Curl_easy *data, + + rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); + #elif defined(MSG_FASTOPEN) /* old Linux */ +- if(cf->conn->given->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(cf->conn, cf->sockindex)) + rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); + else + rc = 0; /* Do nothing */ +diff --git a/lib/ftp.c b/lib/ftp.c +index 16ab0af0d..5137ddca4 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -3154,7 +3154,7 @@ static CURLcode ftp_connect(struct Curl_easy *data, + + PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp); + +- if(conn->handler->flags & PROTOPT_SSL) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + /* BLOCKING */ + result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); + if(result) +diff --git a/lib/http.c b/lib/http.c +index 35e708551..8e9f0a52e 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2526,7 +2526,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) 
+ goto fail; + } + +- if(!(conn->handler->flags&PROTOPT_SSL) && ++ if(!Curl_conn_is_ssl(conn, FIRSTSOCKET) && + conn->httpversion < 20 && + (data->state.httpwant == CURL_HTTP_VERSION_2)) { + /* append HTTP2 upgrade magic stuff to the HTTP request if it is not done +@@ -2672,7 +2672,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, + case 'A': + #ifndef CURL_DISABLE_ALTSVC + v = (data->asi && +- ((data->conn->handler->flags & PROTOPT_SSL) || ++ (Curl_conn_is_ssl(data->conn, FIRSTSOCKET) || + #ifdef DEBUGBUILD + /* allow debug builds to circumvent the HTTPS restriction */ + getenv("CURL_ALTSVC_HTTP") +@@ -2938,7 +2938,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, + #ifndef CURL_DISABLE_HSTS + /* If enabled, the header is incoming and this is over HTTPS */ + v = (data->hsts && +- ((conn->handler->flags & PROTOPT_SSL) || ++ (Curl_conn_is_ssl(conn, FIRSTSOCKET) || + #ifdef DEBUGBUILD + /* allow debug builds to circumvent the HTTPS restriction */ + getenv("CURL_HSTS_HTTP") +@@ -4160,7 +4160,7 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers, + infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme); + } + else { +- scheme = (data->conn && data->conn->handler->flags & PROTOPT_SSL) ? ++ scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ? 
+ "https" : "http"; + } + } +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index 5d76bddf7..f031d0abc 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -27,6 +27,7 @@ + #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) + + #include "urldata.h" ++#include "cfilters.h" + #include "sendf.h" + #include "http_negotiate.h" + #include "vauth/vauth.h" +@@ -109,7 +110,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, + #endif + /* Check if the connection is using SSL and get the channel binding data */ + #if defined(USE_SSL) && defined(HAVE_GSSAPI) +- if(conn->handler->flags & PROTOPT_SSL) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); + result = Curl_ssl_get_channel_binding( + data, FIRSTSOCKET, &neg_ctx->channel_binding_data); +diff --git a/lib/imap.c b/lib/imap.c +index e424cdb05..df9dc343b 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1390,7 +1390,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct imap_conn *imapc = &conn->proto.imapc; + +- if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !imapc->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + imapc->ssldone = ssldone; +diff --git a/lib/ldap.c b/lib/ldap.c +index 2cbdb9c21..7dd40acef 100644 +--- a/lib/ldap.c ++++ b/lib/ldap.c +@@ -78,6 +78,7 @@ + + #include "urldata.h" + #include ++#include "cfilters.h" + #include "sendf.h" + #include "escape.h" + #include "progress.h" +@@ -346,7 +347,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) + } + + /* Get the URL scheme (either ldap or ldaps) */ +- if(conn->given->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) + ldap_ssl = 1; + infof(data, "LDAP local: trying to establish %s connection", + ldap_ssl ? 
"encrypted" : "cleartext"); +diff --git a/lib/openldap.c b/lib/openldap.c +index 8c4af22be..9676ad3d0 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -571,7 +571,7 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done) + ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + + #ifdef USE_SSL +- if(conn->handler->flags & PROTOPT_SSL) ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) + return oldap_ssl_connect(data, OLDAP_SSL); + + if(data->set.use_ssl) { +diff --git a/lib/pop3.c b/lib/pop3.c +index db6ec04c7..83dd64cda 100644 +--- a/lib/pop3.c ++++ b/lib/pop3.c +@@ -1110,7 +1110,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct pop3_conn *pop3c = &conn->proto.pop3c; + +- if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !pop3c->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); + pop3c->ssldone = ssldone; +diff --git a/lib/smb.c b/lib/smb.c +index a72ece62a..a2c82df5e 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -840,7 +840,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done) + + if(smbc->state == SMB_CONNECTING) { + #ifdef USE_SSL +- if((conn->handler->flags & PROTOPT_SSL)) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { + bool ssl_done = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done); + if(result && result != CURLE_AGAIN) +diff --git a/lib/smtp.c b/lib/smtp.c +index d854d364f..c7fb0a4ca 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1286,7 +1286,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done) + struct connectdata *conn = data->conn; + struct smtp_conn *smtpc = &conn->proto.smtpc; + +- if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { ++ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !smtpc->ssldone) { + bool ssldone = FALSE; + result = Curl_conn_connect(data, FIRSTSOCKET, 
FALSE, &ssldone); + smtpc->ssldone = ssldone; +diff --git a/lib/url.c b/lib/url.c +index 436edd891..de200e1dd 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -958,12 +958,12 @@ static bool url_match_conn(struct connectdata *conn, void *userdata) + return FALSE; + #endif + +- if((needle->handler->flags&PROTOPT_SSL) != +- (conn->handler->flags&PROTOPT_SSL)) +- /* do not do mixed SSL and non-SSL connections */ +- if(get_protocol_family(conn->handler) != +- needle->handler->protocol || !conn->bits.tls_upgraded) +- /* except protocols that have been upgraded via TLS */ ++ if((!(needle->handler->flags&PROTOPT_SSL) != ++ !Curl_conn_is_ssl(conn, FIRSTSOCKET)) && ++ !(get_protocol_family(conn->handler) == needle->handler->protocol && ++ conn->bits.tls_upgraded)) ++ /* Deny `conn` if it is not fit for `needle`'s SSL needs, ++ * UNLESS `conn` is the same protocol family and was upgraded to SSL. */ + return FALSE; + + #ifndef CURL_DISABLE_PROXY +-- +2.48.1 + diff --git a/curl.spec b/curl.spec index ef932e9..c21fec2 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.11.1 -Release: 3%{?dist} +Release: 4%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -22,6 +22,9 @@ Source2: mykey.asc # https://github.com/curl/curl/pull/15727 Patch1: 0001-curl-8.11.1-eventfd.patch +# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2324130#c7 +Patch2: 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
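Review bot: In the lib/http.c hunk for `Curl_http_req_to_h2`, the original `data->conn &&` null guard is dropped and `Curl_conn_is_ssl(data->conn, FIRSTSOCKET)` is now called unconditionally; that is only safe if `Curl_conn_is_ssl` itself tolerates a NULL connection, which this patch does not show, so confirm it against lib/cfilters.c before shipping the backport. Elsewhere the patch replaces the static `PROTOPT_SSL` handler flag with the connection's actual filter state, which is the right predicate in `url_match_conn` since reuse decisions must reflect what the connection really is, not what its scheme implies. Every function touched by this patch starts and ends outside the hunks shown.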
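Review bot: The comment over `Patch2:` is only a bug URL, whereas the `Patch1:` block directly above opens with a one-line description before its links, so a reader must leave the spec to learn what this backport changes. Follow the existing style: `# TLS: check connection for SSL use, not handler (upstream 25b445e4796b)` on the first line, then the existing bugzilla link. The `Patch` list continues outside this hunk.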
@@ -416,6 +419,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri Jan 31 2025 Jan Macku - 8.11.1-4 +- TLS: check connection for SSL use, not handler (#2324130#c7) + * Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 057c9e09f00a022d8b5e065164a7d77d2d67e669 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 5 Feb 2025 09:44:27 +0100 Subject: [PATCH 078/108] new upstream release - 8.12.0 --- 0001-curl-8.11.1-eventfd.patch | 31 --- ...k-connection-for-SSL-use-not-handler.patch | 227 ------------------ 0101-curl-7.32.0-multilib.patch | 28 +-- 0102-curl-7.84.0-test3026.patch | 8 +- 0104-curl-7.88.0-tests-warnings.patch | 30 --- curl.spec | 23 +- sources | 4 +- 7 files changed, 29 insertions(+), 322 deletions(-) delete mode 100644 0001-curl-8.11.1-eventfd.patch delete mode 100644 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch delete mode 100644 0104-curl-7.88.0-tests-warnings.patch diff --git a/0001-curl-8.11.1-eventfd.patch b/0001-curl-8.11.1-eventfd.patch deleted file mode 100644 index 3960452..0000000 --- a/0001-curl-8.11.1-eventfd.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 17c06b1ed19147d9e641ad5bcd672e8bce451b46 Mon Sep 17 00:00:00 2001 -From: Andy Pan -Date: Thu, 12 Dec 2024 12:48:56 +0000 -Subject: [PATCH] async-thread: avoid closing eventfd twice - -When employing eventfd for socketpair, there is only one file -descriptor. Closing that fd twice might result in fd corruption. -Thus, we should avoid closing the eventfd twice, following the -pattern in lib/multi.c. - -Fixes #15725 ---- - lib/asyn-thread.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c -index a58e4b790494ab..32d496b107cb0a 100644 ---- a/lib/asyn-thread.c -+++ b/lib/asyn-thread.c -@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) - * close one end of the socket pair (may be done in resolver thread); - * the other end (for reading) is always closed in the parent thread. - */ -+#ifndef USE_EVENTFD - if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { - wakeup_close(tsd->sock_pair[1]); - } -+#endif - #endif - memset(tsd, 0, sizeof(*tsd)); - } diff --git a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch b/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch deleted file mode 100644 index 9000c48..0000000 --- a/0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch +++ /dev/null 
@@ -1,227 +0,0 @@ -From b876aeb3f5d5c6539102f0575c0ec1d116388337 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Fri, 17 Jan 2025 11:57:00 +0100 -Subject: [PATCH] TLS: check connection for SSL use, not handler - -Protocol handler option PROTOPT_SSL is used to setup a connection -filters. Once that is done, used `Curl_conn_is_ssl()` to check if -a connection uses SSL. - -There may be other reasons to add SSL to a connection, e.g. starttls. - -Closes #16034 - -(cherry picked from commit 25b445e4796bcbf9f842de686a8c384b30f6c2a2) ---- - lib/cf-socket.c | 2 +- - lib/ftp.c | 2 +- - lib/http.c | 8 ++++---- - lib/http_negotiate.c | 3 ++- - lib/imap.c | 2 +- - lib/ldap.c | 3 ++- - lib/openldap.c | 2 +- - lib/pop3.c | 2 +- - lib/smb.c | 2 +- - lib/smtp.c | 2 +- - lib/url.c | 12 ++++++------ - 11 files changed, 21 insertions(+), 19 deletions(-) - -diff --git a/lib/cf-socket.c b/lib/cf-socket.c -index 497a3b965..de0c8a3ba 100644 ---- a/lib/cf-socket.c -+++ b/lib/cf-socket.c -@@ -1282,7 +1282,7 @@ static int do_connect(struct Curl_cfilter *cf, struct Curl_easy *data, - - rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); - #elif defined(MSG_FASTOPEN) /* old Linux */ -- if(cf->conn->given->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(cf->conn, cf->sockindex)) - rc = connect(ctx->sock, &ctx->addr.curl_sa_addr, ctx->addr.addrlen); - else - rc = 0; /* Do nothing */ -diff --git a/lib/ftp.c b/lib/ftp.c -index 16ab0af0d..5137ddca4 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -3154,7 +3154,7 @@ static CURLcode ftp_connect(struct Curl_easy *data, - - PINGPONG_SETUP(pp, ftp_statemachine, ftp_endofresp); - -- if(conn->handler->flags & PROTOPT_SSL) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - /* BLOCKING */ - result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); - if(result) -diff --git a/lib/http.c b/lib/http.c -index 35e708551..8e9f0a52e 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -2526,7 +2526,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) 
- goto fail; - } - -- if(!(conn->handler->flags&PROTOPT_SSL) && -+ if(!Curl_conn_is_ssl(conn, FIRSTSOCKET) && - conn->httpversion < 20 && - (data->state.httpwant == CURL_HTTP_VERSION_2)) { - /* append HTTP2 upgrade magic stuff to the HTTP request if it is not done -@@ -2672,7 +2672,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, - case 'A': - #ifndef CURL_DISABLE_ALTSVC - v = (data->asi && -- ((data->conn->handler->flags & PROTOPT_SSL) || -+ (Curl_conn_is_ssl(data->conn, FIRSTSOCKET) || - #ifdef DEBUGBUILD - /* allow debug builds to circumvent the HTTPS restriction */ - getenv("CURL_ALTSVC_HTTP") -@@ -2938,7 +2938,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, - #ifndef CURL_DISABLE_HSTS - /* If enabled, the header is incoming and this is over HTTPS */ - v = (data->hsts && -- ((conn->handler->flags & PROTOPT_SSL) || -+ (Curl_conn_is_ssl(conn, FIRSTSOCKET) || - #ifdef DEBUGBUILD - /* allow debug builds to circumvent the HTTPS restriction */ - getenv("CURL_HSTS_HTTP") -@@ -4160,7 +4160,7 @@ CURLcode Curl_http_req_to_h2(struct dynhds *h2_headers, - infof(data, "set pseudo header %s to %s", HTTP_PSEUDO_SCHEME, scheme); - } - else { -- scheme = (data->conn && data->conn->handler->flags & PROTOPT_SSL) ? -+ scheme = Curl_conn_is_ssl(data->conn, FIRSTSOCKET) ? 
- "https" : "http"; - } - } -diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c -index 5d76bddf7..f031d0abc 100644 ---- a/lib/http_negotiate.c -+++ b/lib/http_negotiate.c -@@ -27,6 +27,7 @@ - #if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO) - - #include "urldata.h" -+#include "cfilters.h" - #include "sendf.h" - #include "http_negotiate.h" - #include "vauth/vauth.h" -@@ -109,7 +110,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, - #endif - /* Check if the connection is using SSL and get the channel binding data */ - #if defined(USE_SSL) && defined(HAVE_GSSAPI) -- if(conn->handler->flags & PROTOPT_SSL) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - Curl_dyn_init(&neg_ctx->channel_binding_data, SSL_CB_MAX_SIZE + 1); - result = Curl_ssl_get_channel_binding( - data, FIRSTSOCKET, &neg_ctx->channel_binding_data); -diff --git a/lib/imap.c b/lib/imap.c -index e424cdb05..df9dc343b 100644 ---- a/lib/imap.c -+++ b/lib/imap.c -@@ -1390,7 +1390,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct imap_conn *imapc = &conn->proto.imapc; - -- if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !imapc->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); - imapc->ssldone = ssldone; -diff --git a/lib/ldap.c b/lib/ldap.c -index 2cbdb9c21..7dd40acef 100644 ---- a/lib/ldap.c -+++ b/lib/ldap.c -@@ -78,6 +78,7 @@ - - #include "urldata.h" - #include -+#include "cfilters.h" - #include "sendf.h" - #include "escape.h" - #include "progress.h" -@@ -346,7 +347,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) - } - - /* Get the URL scheme (either ldap or ldaps) */ -- if(conn->given->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) - ldap_ssl = 1; - infof(data, "LDAP local: trying to establish %s connection", - ldap_ssl ? 
"encrypted" : "cleartext"); -diff --git a/lib/openldap.c b/lib/openldap.c -index 8c4af22be..9676ad3d0 100644 ---- a/lib/openldap.c -+++ b/lib/openldap.c -@@ -571,7 +571,7 @@ static CURLcode oldap_connect(struct Curl_easy *data, bool *done) - ldap_set_option(li->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); - - #ifdef USE_SSL -- if(conn->handler->flags & PROTOPT_SSL) -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) - return oldap_ssl_connect(data, OLDAP_SSL); - - if(data->set.use_ssl) { -diff --git a/lib/pop3.c b/lib/pop3.c -index db6ec04c7..83dd64cda 100644 ---- a/lib/pop3.c -+++ b/lib/pop3.c -@@ -1110,7 +1110,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct pop3_conn *pop3c = &conn->proto.pop3c; - -- if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !pop3c->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); - pop3c->ssldone = ssldone; -diff --git a/lib/smb.c b/lib/smb.c -index a72ece62a..a2c82df5e 100644 ---- a/lib/smb.c -+++ b/lib/smb.c -@@ -840,7 +840,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done) - - if(smbc->state == SMB_CONNECTING) { - #ifdef USE_SSL -- if((conn->handler->flags & PROTOPT_SSL)) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) { - bool ssl_done = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done); - if(result && result != CURLE_AGAIN) -diff --git a/lib/smtp.c b/lib/smtp.c -index d854d364f..c7fb0a4ca 100644 ---- a/lib/smtp.c -+++ b/lib/smtp.c -@@ -1286,7 +1286,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done) - struct connectdata *conn = data->conn; - struct smtp_conn *smtpc = &conn->proto.smtpc; - -- if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { -+ if(Curl_conn_is_ssl(conn, FIRSTSOCKET) && !smtpc->ssldone) { - bool ssldone = FALSE; - result = Curl_conn_connect(data, FIRSTSOCKET, 
FALSE, &ssldone); - smtpc->ssldone = ssldone; -diff --git a/lib/url.c b/lib/url.c -index 436edd891..de200e1dd 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -958,12 +958,12 @@ static bool url_match_conn(struct connectdata *conn, void *userdata) - return FALSE; - #endif - -- if((needle->handler->flags&PROTOPT_SSL) != -- (conn->handler->flags&PROTOPT_SSL)) -- /* do not do mixed SSL and non-SSL connections */ -- if(get_protocol_family(conn->handler) != -- needle->handler->protocol || !conn->bits.tls_upgraded) -- /* except protocols that have been upgraded via TLS */ -+ if((!(needle->handler->flags&PROTOPT_SSL) != -+ !Curl_conn_is_ssl(conn, FIRSTSOCKET)) && -+ !(get_protocol_family(conn->handler) == needle->handler->protocol && -+ conn->bits.tls_upgraded)) -+ /* Deny `conn` if it is not fit for `needle`'s SSL needs, -+ * UNLESS `conn` is the same protocol family and was upgraded to SSL. */ - return FALSE; - - #ifndef CURL_DISABLE_PROXY --- -2.48.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index aec4fda..13a9a54 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From 7efcd412447fc41bded2f9621edf0ab4701c9b14 Mon Sep 17 00:00:00 2001 +From c96b08867e8593b32cec0f3971f10adfcaf2276e Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 11 Dec 2024 09:28:12 +0100 -Subject: [PATCH] prevent multilib conflicts on the curl-config script +Date: Wed, 5 Feb 2025 09:31:04 +0100 +Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ @@ -10,10 +10,10 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index e89c256..9fb1a33 100644 +index 55184167b..324e0b740 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -75,7 +75,7 @@ while test "$#" -gt 0; do +@@ -74,7 +74,7 @@ while test "$#" -gt 0; do ;; --cc) 
@@ -22,25 +22,25 @@ index e89c256..9fb1a33 100644 ;; --prefix) -@@ -155,16 +155,7 @@ while test "$#" -gt 0; do +@@ -149,16 +149,7 @@ while test "$#" -gt 0; do ;; --libs) - if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then -- CURLLIBDIR="-L@libdir@ " +- curllibdir="-L@libdir@ " - else -- CURLLIBDIR='' +- curllibdir='' - fi - if test 'X@ENABLE_SHARED@' = 'Xno'; then -- echo "${CURLLIBDIR}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" +- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else -- echo "${CURLLIBDIR}-lcurl" +- echo "${curllibdir}-lcurl" - fi + echo '-lcurl' ;; --ssl-backends) -@@ -172,16 +163,12 @@ while test "$#" -gt 0; do +@@ -166,16 +157,12 @@ while test "$#" -gt 0; do ;; --static-libs) @@ -61,7 +61,7 @@ index e89c256..9fb1a33 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index 4dfaab6..f4e847e 100644 +index b1fcf33dc..b15feec8e 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. @@ -76,7 +76,7 @@ index 4dfaab6..f4e847e 100644 ## --version diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba524..f3645e1 100644 +index c0ba5244a..f3645e174 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644 Name: libcurl URL: https://curl.se/ -- -2.47.1 +2.48.1 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch index 82f4642..6c45cc8 100644 --- a/0102-curl-7.84.0-test3026.patch +++ b/0102-curl-7.84.0-test3026.patch @@ -1,6 +1,6 @@ -From 6e470567ca691a7b20334f1b9a5b309053d714b7 Mon Sep 17 00:00:00 2001 +From 6460e292e664b03fb550ce70e9a8cdf86ad0ef57 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 22 May 2024 13:03:43 +0200 +Date: Wed, 5 Feb 2025 09:34:28 +0100 Subject: [PATCH 2/2] test3026: disable valgrind It fails on x86_64 with: @@ -52,7 +52,7 @@ index ee9b30678..dd582c3e5 100644 
diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 7e914010e..39374f5bc 100644 +index 61c70eb3b..79302fcf7 100644 --- a/tests/libtest/lib3026.c +++ b/tests/libtest/lib3026.c @@ -145,8 +145,8 @@ CURLcode test(char *URL) @@ -67,5 +67,5 @@ index 7e914010e..39374f5bc 100644 test_failure = (CURLcode)-1; goto cleanup; -- -2.45.1 +2.48.1 diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch deleted file mode 100644 index 0977dee..0000000 --- a/0104-curl-7.88.0-tests-warnings.patch +++ /dev/null @@ -1,30 +0,0 @@ -From ebee18be05631494263bb6be249501eb8874e07a Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 24 Jul 2024 15:15:11 +0200 -Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" - -While it might be useful for upstream developers, it is not so useful -for downstream consumers. - -This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. ---- - tests/runtests.pl | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index 9cc9ef1..c9a1c5d 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -57,8 +57,7 @@ - # given, this won't be a problem. - - use strict; --# Promote all warnings to fatal --use warnings FATAL => 'all'; -+use warnings; - use 5.006; - use POSIX qw(strftime); - --- -2.45.2 - diff --git a/curl.spec b/curl.spec index c21fec2..186b566 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.11.1 -Release: 4%{?dist} +Version: 8.12.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc 
@@ -16,24 +16,12 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Fix crash with Unexpected error 9 on netlink descriptor 10 -# https://bugzilla.redhat.com/show_bug.cgi?id=2332350 -# https://github.com/curl/curl/issues/15725 -# https://github.com/curl/curl/pull/15727 -Patch1: 0001-curl-8.11.1-eventfd.patch - -# Fix https://bugzilla.redhat.com/show_bug.cgi?id=2324130#c7 -Patch2: 0002-curl-8.11.1-TLS-check-connection-for-SSL-use-not-handler.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch -# do not fail on warnings in the upstream test driver -Patch104: 0104-curl-7.88.0-tests-warnings.patch - # test616: disable valgrind Patch105: 0105-curl-8.11.1-test616.patch @@ -419,6 +407,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Feb 05 2025 Jan Macku - 8.12.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-0725 - gzip integer overflow + CVE-2025-0665 - eventfd double close + CVE-2025-0167 - netrc and default credential leak +- drop upstreamed patches + * Fri Jan 31 2025 Jan Macku - 8.11.1-4 - TLS: check connection for SSL use, not handler (#2324130#c7) diff --git a/sources b/sources index 91c8f05..01ad1a6 100644 --- a/sources +++ b/sources 
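Review bot: Removing `Patch104:` in this hunk is not what the accompanying changelog line 'drop upstreamed patches' describes: 0104 was a downstream revert of upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8 (`use warnings FATAL => 'all'` in tests/runtests.pl), not a fix that landed upstream, so presumably 8.12.0 either relaxed that setting or the Fedora build no longer emits Perl warnings. Whichever it is, record it so the next rebase does not reinstate the revert or silently lose test coverage, e.g. a separate changelog line `- drop 0104 tests-warnings revert, no longer needed with 8.12.0`. Dropping Patch1 and Patch2 is covered, since the changelog lists CVE-2025-0665 (eventfd double close) and Patch2 was already a cherry-pick of an upstream commit.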
@@ -1,2 +1,2 @@
-SHA512 (curl-8.11.1.tar.xz) = 7c7c47a49505575b610c56b455f0919ea5082a993bf5483eeb258ead167aadb87078d626b343b417dcfc5439c53556425c8fb4fe3b01b53a87b47c01686a3e57
-SHA512 (curl-8.11.1.tar.xz.asc) = c09bedb67e83fb8ca3ad73c5bd0d92fed7fc2c26dbe5a71cccb193fd151c7219713241a9fe74baefcd1d008cfafba78142bf04cec24dd4a88d67179184d35824
+SHA512 (curl-8.12.0.tar.xz) = ed35f0020541050ce387f4ba80f9e87562ececd99082da1bae85840dee81c49b86a4a55909e15fcbf4eb116106a796c29a9b2678dee11326f80db75992c6edc5
+SHA512 (curl-8.12.0.tar.xz.asc) = 8526554ffb2187b48b6a4c6a0d4a8c73d484ef3ce4c3791add0e759baf953ac7ae0b2f88d688365b1f09c5745198611fa1761aa14d02ddf52823c4ff238779cd
From 9c7fc53ab273793fba55aef94b81682065923b4f Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Thu, 13 Feb 2025 08:28:44 +0100
Subject: [PATCH 079/108] new upstream release - 8.12.1
---
curl.spec | 2 +-
sources | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/curl.spec b/curl.spec
index 186b566..c7f23e3 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.12.0 +Version: 8.12.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz
diff --git a/sources b/sources
index 01ad1a6..acd884b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.12.0.tar.xz) = ed35f0020541050ce387f4ba80f9e87562ececd99082da1bae85840dee81c49b86a4a55909e15fcbf4eb116106a796c29a9b2678dee11326f80db75992c6edc5
-SHA512 (curl-8.12.0.tar.xz.asc) = 8526554ffb2187b48b6a4c6a0d4a8c73d484ef3ce4c3791add0e759baf953ac7ae0b2f88d688365b1f09c5745198611fa1761aa14d02ddf52823c4ff238779cd
+SHA512 (curl-8.12.1.tar.xz) = 88915468fa1bb7256e3dd6c9d058ada6894faa1e3e7800c7d9bfee3e8be4081ae57e7f2bf260c5342b709499fc4302ddc2d7864e25bfa3300fa07f118a3de603
+SHA512 (curl-8.12.1.tar.xz.asc) = 41fc5582935090d13940d86974fdea3ea901dd5dab156c16029a87f811d2535172c59dc8dc366f2ffc37bcf85accbecb5aa765bc7b83c2991a3ef402bf25af69
From 3ce21a370c4a3523ee3affbaea685b8c8e6c2cdf Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Mon, 10 Mar 2025 14:27:02 +0100
Subject: [PATCH 080/108] new upstream release - 8.13.0~rc1
---
...test1022-add-support-for-rc-releases.patch | 44 +++++++++++++++++++
0101-curl-7.32.0-multilib.patch | 16 +++----
curl.spec | 16 ++++---
sources | 4 +-
4 files changed, 65 insertions(+), 15 deletions(-)
create mode 100644 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch
diff --git a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch
new file mode 100644
index 0000000..789aa0e
--- /dev/null
+++ b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch
@@ -0,0 +1,44 @@ +From 3c1a88fdf72e9e43f289d121318fc31536964e66 Mon Sep 17 00:00:00 2001 +From: Samuel Henrique +Date: Sat, 8 Mar 2025 12:47:21 +0000 +Subject: [PATCH] test1022: add support for rc releases + + Fix the following test failure: + curl-config: illegal value + +Closes #16626 +--- + tests/libtest/test1022.pl | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tests/libtest/test1022.pl b/tests/libtest/test1022.pl +index 583b8f8562c0..5c5c02070ff7 100755 +--- a/tests/libtest/test1022.pl ++++ b/tests/libtest/test1022.pl +@@ -35,7 +35,7 @@ + open(CURL, "$ARGV[1]") || die "Can't open curl --version list in $ARGV[1]\n"; + $_ = ; + chomp; +-/libcurl\/([\.\d]+((-DEV)|(-\d+))?)/; ++/libcurl\/([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)/; + my $version = $1; + close CURL; + +@@ -47,7 +47,7 @@ + chomp; + my $filever=$_; + if ( $what eq "version" ) { +- if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-\d+))?)$/) { ++ if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)$/) { + $curlconfigversion = $1; + } + else { +@@ -63,7 +63,7 @@ + $curlconfigversion = "illegal value"; + } + +- # Strip off the -DEV from the curl version if it's there ++ # Strip off the -DEV and -rc suffixes from the curl version if they're there + $version =~ s/-\w*$//; + } + close CURLCONFIG; diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 13a9a54..e7b2a32 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,7 +1,7 @@ -From c96b08867e8593b32cec0f3971f10adfcaf2276e Mon Sep 17 00:00:00 2001 +From 495c771a6f9be008b783c5f59285d30fdc15fd63 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Wed, 5 Feb 2025 09:31:04 +0100 -Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script +Date: Mon, 10 Mar 2025 14:23:59 +0100 +Subject: [PATCH] prevent multilib conflicts on the curl-config script --- curl-config.in | 23 +++++------------------ 
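Review bot: The new alternation `(-rc\d)` in both version regexes of tests/libtest/test1022.pl accepts a single-digit release-candidate number only, so a `-rc10` suffix would land in the same `illegal value` branch this patch exists to fix; `(-rc\d+)` is the obvious form and mirrors the neighbouring `(-\d+)`. The strip in the last hunk, `$version =~ s/-\w*$//;`, already removes any suffix, so only the two match expressions need the change. Because the file is a verbatim backport of upstream commit 3c1a88fdf72e9e43f289d121318fc31536964e66, the tweak belongs upstream rather than as a local divergence of this patch.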
@@ -10,7 +10,7 @@ Subject: [PATCH 1/2] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 55184167b..324e0b740 100644 +index 5518416..324e0b7 100644 --- a/curl-config.in +++ b/curl-config.in @@ -74,7 +74,7 @@ while test "$#" -gt 0; do @@ -61,11 +61,11 @@ index 55184167b..324e0b740 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index b1fcf33dc..b15feec8e 100644 +index 12ad245..fa0e03d 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. - ## --static-libs + ## `--static-libs` Shows the complete set of libs and other linker options you need in order to -link your application with libcurl statically. (Added in 7.17.1) @@ -73,10 +73,10 @@ index b1fcf33dc..b15feec8e 100644 +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - ## --version + ## `--version` diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba5244a..f3645e174 100644 +index c0ba524..f3645e1 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ diff --git a/curl.spec b/curl.spec index c7f23e3..80a56c3 100644 --- a/curl.spec +++ b/curl.spec 
@@ -6,18 +6,21 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.12.1 +Version: 8.13.0~rc1 Release: 1%{?dist} License: curl -Source0: https://curl.se/download/%{name}-%{version}.tar.xz -Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc +Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz +Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # The curl download page ( https://curl.se/download.html ) links # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Test 1022 add support for rc releases +Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch + # patch making libcurl multilib ready -Patch101: 0101-curl-7.32.0-multilib.patch +# Patch101: 0101-curl-7.32.0-multilib.patch # test3026: disable valgrind Patch102: 0102-curl-7.84.0-test3026.patch @@ -211,7 +214,7 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%autosetup -p1 +%autosetup -n %{name}-%{version_no_tilde} -p1 # disable test 1801 # @@ -407,6 +410,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 +- new upstream release candidate + * Wed Feb 05 2025 Jan Macku - 8.12.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2025-0725 - gzip integer overflow diff --git a/sources b/sources index acd884b..fd8d757 100644 --- a/sources +++ b/sources 
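Review bot: Commenting out `Patch101:` in this hunk silently disables the multilib patch for this build while the same commit rebases that very patch file, and neither the spec nor the changelog line 'new upstream release candidate' says why. Without it, curl-config --libs and --static-libs fall back to the upstream output that embeds `-L@libdir@` and the private libs, so the i686 and x86_64 curl-config scripts presumably differ again and the conflict the patch exists to prevent comes back. If the patch failed to apply to rc1, say so where it is disabled, e.g. `# TODO: does not apply to 8.13.0~rc1, re-enable before the final release`, and note it in the changelog; if it is no longer needed, drop the file instead of carrying a dead rebase. The switch of Source0/Source1 to `%{version_no_tilde}` keeps the `%{gpgverify}` call consistent since the `.asc` path changes in step, which is fine.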
@@ -1,2 +1,2 @@
-SHA512 (curl-8.12.1.tar.xz) = 88915468fa1bb7256e3dd6c9d058ada6894faa1e3e7800c7d9bfee3e8be4081ae57e7f2bf260c5342b709499fc4302ddc2d7864e25bfa3300fa07f118a3de603
-SHA512 (curl-8.12.1.tar.xz.asc) = 41fc5582935090d13940d86974fdea3ea901dd5dab156c16029a87f811d2535172c59dc8dc366f2ffc37bcf85accbecb5aa765bc7b83c2991a3ef402bf25af69
+SHA512 (curl-8.13.0-rc1.tar.xz) = 6890dae4abf9c9d4017c28ea8ced84ef457aa911574b261af97b81ab1631e04deef188928d015a19c861d8dd319a23d9a7725d93046fc07a39694c5dc445562e
+SHA512 (curl-8.13.0-rc1.tar.xz.asc) = aeb6f5abcf1bd19d836ae688bebd0193c673060ed74afa7c5b63c2a0ecf7eaf00a223110cd7aa77d19183e8ba757bd0b8fb481e279cf1141c4b459f92604a740
From 5e5bbeb413edc79263a785e0ba467df9cb9c093c Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Thu, 13 Mar 2025 09:30:38 +0100
Subject: [PATCH 081/108] fix --cert parameter
Resolves: #2351531
---
...3.0~rc1-fix--cert-parameter-clearing.patch | 60 +++++++++++++++++++
curl.spec | 8 ++-
2 files changed, 67 insertions(+), 1 deletion(-)
create mode 100644 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch
diff --git a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch
new file mode 100644
index 0000000..e08a349
--- /dev/null
+++ b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch
@@ -0,0 +1,60 @@ +From 886569e2db200c31073895a2626d20e0712e5207 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 12 Mar 2025 14:42:19 +0100 +Subject: [PATCH] curl: fix --cert parameter clearing + +Blank the argument *after* it has been copied. + +Reported-by: Jan Macku +Fixes #16686 +Closes #16688 +--- + src/tool_getparam.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 9f227abbfdb5..e5272de74feb 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -2481,8 +2481,8 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + } + break; + case C_CERT: /* --cert */ +- cleanarg(clearthis); + GetFileAndPassword(nextarg, &config->cert, &config->key_passwd); ++ cleanarg(clearthis); + break; + case C_CACERT: /* --cacert */ + err = getstr(&config->cacert, nextarg, DENY_BLANK); +@@ -2601,18 +2601,18 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + config->tcp_fastopen = TRUE; + break; + case C_PROXY_TLSUSER: /* --proxy-tlsuser */ +- cleanarg(clearthis); + if(!feature_tls_srp) + err = PARAM_LIBCURL_DOESNT_SUPPORT; + else + err = getstr(&config->proxy_tls_username, nextarg, ALLOW_BLANK); ++ cleanarg(clearthis); + break; + case C_PROXY_TLSPASSWORD: /* --proxy-tlspassword */ +- cleanarg(clearthis); + if(!feature_tls_srp) + err = PARAM_LIBCURL_DOESNT_SUPPORT; + else + err = getstr(&config->proxy_tls_password, nextarg, DENY_BLANK); ++ cleanarg(clearthis); + break; + case C_PROXY_TLSAUTHTYPE: /* --proxy-tlsauthtype */ + if(!feature_tls_srp) +@@ -2624,9 +2624,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + } + break; + case C_PROXY_CERT: /* --proxy-cert */ +- cleanarg(clearthis); + GetFileAndPassword(nextarg, &config->proxy_cert, + &config->proxy_key_passwd); ++ cleanarg(clearthis); + break; + case C_PROXY_CERT_TYPE: /* --proxy-cert-type */ + err = getstr(&config->proxy_cert_type, nextarg, DENY_BLANK); 
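Review bot: The reorder is applied to four cases in this hunk (`C_CERT`, `C_PROXY_TLSUSER`, `C_PROXY_TLSPASSWORD`, `C_PROXY_CERT`), but the same cleanarg-before-copy pattern presumably exists for the non-proxy secrets (`--tlsuser`, `--tlspassword`, key passwords) in parts of getparameter outside the hunk; since the bug silently blanks the credential instead of failing, those sites should be checked before the patch is carried rather than discovered one bug report at a time. A why-comment at the first moved call would stop the order being 'tidied' back, e.g. `/* blank the argv copy only after the value has been saved (see #16686) */`. getparameter's body starts and ends outside the hunk.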
diff --git a/curl.spec b/curl.spec index 80a56c3..c7f41cc 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.13.0~rc1 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -19,6 +19,9 @@ Source2: mykey.asc # Test 1022 add support for rc releases Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch +# Fix --cert parameter (#2351531) +Patch002: 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch + # patch making libcurl multilib ready # Patch101: 0101-curl-7.32.0-multilib.patch @@ -410,6 +413,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 +- fix --cert parameter (#2351531) + * Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 - new upstream release candidate From 4fcaa6c40447770a0df7ce914dd5ce90bf67a27c Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 18 Mar 2025 09:23:12 +0100 Subject: [PATCH 082/108] new upstream release - 8.13.0~rc2 --- ...test1022-add-support-for-rc-releases.patch | 44 -------------- ...3.0~rc1-fix--cert-parameter-clearing.patch | 60 ------------------- curl.spec | 13 ++-- sources | 4 +- 4 files changed, 7 insertions(+), 114 deletions(-) delete mode 100644 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch delete mode 100644 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch diff --git a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch b/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch deleted file mode 100644 index 789aa0e..0000000 --- a/0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 3c1a88fdf72e9e43f289d121318fc31536964e66 Mon Sep 17 00:00:00 2001 -From: Samuel Henrique -Date: Sat, 8 Mar 2025 12:47:21 +0000 -Subject: [PATCH] test1022: add support for rc releases - - Fix the following test failure: - curl-config: illegal value - -Closes #16626 ---- - tests/libtest/test1022.pl | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests/libtest/test1022.pl b/tests/libtest/test1022.pl -index 583b8f8562c0..5c5c02070ff7 100755 ---- a/tests/libtest/test1022.pl -+++ b/tests/libtest/test1022.pl -@@ -35,7 +35,7 @@ - open(CURL, "$ARGV[1]") || die "Can't open curl --version list in $ARGV[1]\n"; - $_ = ; - chomp; --/libcurl\/([\.\d]+((-DEV)|(-\d+))?)/; -+/libcurl\/([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)/; - my $version = $1; - close CURL; - -@@ -47,7 +47,7 @@ - chomp; - my $filever=$_; - if ( $what eq "version" ) { -- if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-\d+))?)$/) { -+ if($filever =~ /^libcurl ([\.\d]+((-DEV)|(-rc\d)|(-\d+))?)$/) { - $curlconfigversion = $1; - } - else { -@@ -63,7 +63,7 @@ - $curlconfigversion = "illegal value"; - } - -- # Strip off the -DEV from the curl version if it's there -+ # Strip off the -DEV and -rc suffixes from the curl version if they're there - $version =~ s/-\w*$//; - } - close CURLCONFIG; diff --git a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch b/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch deleted file mode 100644 index e08a349..0000000 --- a/0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 886569e2db200c31073895a2626d20e0712e5207 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 12 Mar 2025 14:42:19 +0100 -Subject: [PATCH] curl: fix --cert parameter clearing - -Blank the argument *after* it has been copied. - -Reported-by: Jan Macku -Fixes #16686 -Closes #16688 ---- - src/tool_getparam.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/tool_getparam.c b/src/tool_getparam.c -index 9f227abbfdb5..e5272de74feb 100644 ---- a/src/tool_getparam.c -+++ b/src/tool_getparam.c -@@ -2481,8 +2481,8 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - } - break; - case C_CERT: /* --cert */ -- cleanarg(clearthis); - GetFileAndPassword(nextarg, &config->cert, &config->key_passwd); -+ cleanarg(clearthis); - break; - case C_CACERT: /* --cacert */ - err = getstr(&config->cacert, nextarg, DENY_BLANK); -@@ -2601,18 +2601,18 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - config->tcp_fastopen = TRUE; - break; - case C_PROXY_TLSUSER: /* --proxy-tlsuser */ -- cleanarg(clearthis); - if(!feature_tls_srp) - err = PARAM_LIBCURL_DOESNT_SUPPORT; - else - err = getstr(&config->proxy_tls_username, nextarg, ALLOW_BLANK); -+ cleanarg(clearthis); - break; - case C_PROXY_TLSPASSWORD: /* --proxy-tlspassword */ -- cleanarg(clearthis); - if(!feature_tls_srp) - err = PARAM_LIBCURL_DOESNT_SUPPORT; - else - err = getstr(&config->proxy_tls_password, nextarg, DENY_BLANK); -+ cleanarg(clearthis); - break; - case C_PROXY_TLSAUTHTYPE: /* --proxy-tlsauthtype */ - if(!feature_tls_srp) -@@ -2624,9 +2624,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - } - break; - case C_PROXY_CERT: /* --proxy-cert */ -- cleanarg(clearthis); - GetFileAndPassword(nextarg, &config->proxy_cert, - &config->proxy_key_passwd); -+ cleanarg(clearthis); - break; - case C_PROXY_CERT_TYPE: /* --proxy-cert-type */ - err = getstr(&config->proxy_cert_type, nextarg, DENY_BLANK); 
diff --git a/curl.spec b/curl.spec index c7f41cc..4e2d4ac 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0~rc1 -Release: 2%{?dist} +Version: 8.13.0~rc2 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -16,12 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Test 1022 add support for rc releases -Patch001: 0001-curl-8.13.0~rc1-test1022-add-support-for-rc-releases.patch - -# Fix --cert parameter (#2351531) -Patch002: 0002-curl-8.13.0~rc1-fix--cert-parameter-clearing.patch - # patch making libcurl multilib ready # Patch101: 0101-curl-7.32.0-multilib.patch @@ -413,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 +- new upstream release candidate + * Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 - fix --cert parameter (#2351531) diff --git a/sources b/sources index fd8d757..d2c4139 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0-rc1.tar.xz) = 6890dae4abf9c9d4017c28ea8ced84ef457aa911574b261af97b81ab1631e04deef188928d015a19c861d8dd319a23d9a7725d93046fc07a39694c5dc445562e -SHA512 (curl-8.13.0-rc1.tar.xz.asc) = aeb6f5abcf1bd19d836ae688bebd0193c673060ed74afa7c5b63c2a0ecf7eaf00a223110cd7aa77d19183e8ba757bd0b8fb481e279cf1141c4b459f92604a740 +SHA512 (curl-8.13.0-rc2.tar.xz) = 299b41b5bf52b29f5064f68cd7d8d1e95d8b8f8b36fb80fb67ed2b342123f1fc87a543754cbee8c49c83a8e73daca89cb132a76c795d7fa4d9231c6bf281a9e0 +SHA512 (curl-8.13.0-rc2.tar.xz.asc) = 8149ff96d25b41b0a9418929bbdbb0675267457e7999bd98012289fb74af96f96e66bc9319024f37ef478a965ef233827d832e153db867f2cb6cd140954a4b3e 
From 95664fdd301c40c2d1a6d93b2a9d858a3c430e14 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 26 Mar 2025 10:11:44 +0100 Subject: [PATCH 083/108] new upstream release - 8.13.0~rc3 --- 0102-curl-7.84.0-test3026.patch | 71 --------------------------------- curl.spec | 11 ++--- sources | 4 +- 3 files changed, 8 insertions(+), 78 deletions(-) delete mode 100644 0102-curl-7.84.0-test3026.patch diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch deleted file mode 100644 index 6c45cc8..0000000 --- a/0102-curl-7.84.0-test3026.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 6460e292e664b03fb550ce70e9a8cdf86ad0ef57 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 5 Feb 2025 09:34:28 +0100 -Subject: [PATCH 2/2] test3026: disable valgrind - -It fails on x86_64 with: -``` - Use --max-threads=INT to specify a larger number of threads - and rerun valgrind - valgrind: the 'impossible' happened: - Max number of threads is too low - host stacktrace: - ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - sched status: - running_tid=1 - Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) - ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) - ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) - ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) - ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) - ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) - ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) - client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 - valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 -[...] 
-``` ---- - tests/data/test3026 | 3 +++ - tests/libtest/lib3026.c | 4 ++-- - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/tests/data/test3026 b/tests/data/test3026 -index ee9b30678..dd582c3e5 100644 ---- a/tests/data/test3026 -+++ b/tests/data/test3026 -@@ -41,5 +41,8 @@ none - - 0 - -+ -+disable -+ - - -diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 61c70eb3b..79302fcf7 100644 ---- a/tests/libtest/lib3026.c -+++ b/tests/libtest/lib3026.c -@@ -145,8 +145,8 @@ CURLcode test(char *URL) - results[i] = CURL_LAST; /* initialize with invalid value */ - res = pthread_create(&tids[i], NULL, run_thread, &results[i]); - if(res) { -- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", -- __FILE__, __LINE__, res); -+ fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", -+ __FILE__, __LINE__, i, res); - tid_count = i; - test_failure = (CURLcode)-1; - goto cleanup; --- -2.48.1 - diff --git a/curl.spec b/curl.spec index 4e2d4ac..279a92f 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0~rc2 +Version: 8.13.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -17,10 +17,7 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc Source2: mykey.asc # patch making libcurl multilib ready -# Patch101: 0101-curl-7.32.0-multilib.patch - -# test3026: disable valgrind -Patch102: 0102-curl-7.84.0-test3026.patch +Patch101: 0101-curl-7.32.0-multilib.patch # test616: disable valgrind Patch105: 0105-curl-8.11.1-test616.patch 
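Review bot: The `-# Patch101:` / `+Patch101: 0101-curl-7.32.0-multilib.patch` pair re-enables the multilib patch that the earlier context shows commented out, yet the changelog entry added in the following hunk records only the dropped test3026 patch; add a line such as `- re-enable 0101-curl-7.32.0-multilib.patch` so the change to curl-config/libcurl.pc output is traceable to 8.13.0~rc3-1. Whether the patch is actually applied depends on the %prep section (%autosetup or explicit %patch), which is outside this hunk, so it is worth confirming the re-enabled patch still applies cleanly against rc3. A short comment above the tag stating why it had been disabled and why it is safe again would save the next maintainer the same archaeology.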
@@ -407,6 +404,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 +- new upstream release candidate +- drop: 0102-curl-7.84.0-test3026.patch (no longer needed) + * Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index d2c4139..168aaff 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0-rc2.tar.xz) = 299b41b5bf52b29f5064f68cd7d8d1e95d8b8f8b36fb80fb67ed2b342123f1fc87a543754cbee8c49c83a8e73daca89cb132a76c795d7fa4d9231c6bf281a9e0 -SHA512 (curl-8.13.0-rc2.tar.xz.asc) = 8149ff96d25b41b0a9418929bbdbb0675267457e7999bd98012289fb74af96f96e66bc9319024f37ef478a965ef233827d832e153db867f2cb6cd140954a4b3e +SHA512 (curl-8.13.0-rc3.tar.xz) = 72c0e0b8b0bc9117ab911b97bab6b1502d877f5a72a34091b68e48c046e45dfd188f24f270c0200f4df3f1a70933ada00f3a73a0aa078ec2b125fa5a9294d33f +SHA512 (curl-8.13.0-rc3.tar.xz.asc) = a2d94a898824fabc1c4834f9e5719fb65311d0f218f6170e80fe1a04c6f842f9fbf589d281767ab916f668ff7087bb318b819a1fb26790640df136f335ff3b99 From 4d98bbf51edd9f631e7e91abc79fd94b1e44e097 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 2 Apr 2025 11:17:10 +0200 Subject: [PATCH 084/108] new upstream release - 8.13.0 --- curl.spec | 7 ++++++- sources | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 279a92f..e265266 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0~rc3 +Version: 8.13.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -48,6 +48,7 @@ BuildRequires: make BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server +BuildRequires: openssl BuildRequires: openssl-devel %if %{with openssl_engine_support} && 0%{?fedora} >= 41 BuildRequires: openssl-devel-engine 
@@ -404,6 +405,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Apr 02 2025 Jan Macku - 8.13.0-1 +- new upstream release +- add build time dependency on openssl (required by tests) + * Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 - new upstream release candidate - drop: 0102-curl-7.84.0-test3026.patch (no longer needed) diff --git a/sources b/sources index 168aaff..92367a0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0-rc3.tar.xz) = 72c0e0b8b0bc9117ab911b97bab6b1502d877f5a72a34091b68e48c046e45dfd188f24f270c0200f4df3f1a70933ada00f3a73a0aa078ec2b125fa5a9294d33f -SHA512 (curl-8.13.0-rc3.tar.xz.asc) = a2d94a898824fabc1c4834f9e5719fb65311d0f218f6170e80fe1a04c6f842f9fbf589d281767ab916f668ff7087bb318b819a1fb26790640df136f335ff3b99 +SHA512 (curl-8.13.0.tar.xz) = d266e460f162ee455b56726e5b7247b2d1aa5265ae12081513fc0c5c79e785a594097bc71d505dc9bcd2c2f6f1ff6f4bab9dbd9d120bb76d06c5be8521a8ca7d +SHA512 (curl-8.13.0.tar.xz.asc) = 07f79c7fd7c305c96e10a5f52797254aed7d2a1f3577c8626b8d617855ceb82634ac6787bfa0b7130a4ed72c3a9945d3c9ba5b7be54df8bafa07ded1c62ef2be From ece940a64912f74d92fd403675eef80f9b357e68 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Fri, 2 May 2025 09:36:02 +0200 Subject: [PATCH 085/108] new upstream release - 8.14.0~rc1 --- curl.spec | 8 +++++++- sources | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index e265266..1e416a3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.13.0 +Version: 8.14.0~rc1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -381,6 +381,8 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* +%{_bindir}/wcurl +%{_mandir}/man1/wcurl.1* %{_datadir}/zsh %files -n libcurl 
@@ -405,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 +- new upstream release candidate +- new utility: wcurl which lets you download URLs without having to remember any parameters + * Wed Apr 02 2025 Jan Macku - 8.13.0-1 - new upstream release - add build time dependency on openssl (required by tests) diff --git a/sources b/sources index 92367a0..769013c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.13.0.tar.xz) = d266e460f162ee455b56726e5b7247b2d1aa5265ae12081513fc0c5c79e785a594097bc71d505dc9bcd2c2f6f1ff6f4bab9dbd9d120bb76d06c5be8521a8ca7d -SHA512 (curl-8.13.0.tar.xz.asc) = 07f79c7fd7c305c96e10a5f52797254aed7d2a1f3577c8626b8d617855ceb82634ac6787bfa0b7130a4ed72c3a9945d3c9ba5b7be54df8bafa07ded1c62ef2be +SHA512 (curl-8.14.0-rc1.tar.xz) = e9bd9e5c95580ee04171de937ff852c30b4606ef28a0250c1fdd231d7155089d3591e0dbed1f10280c9868b66329c1c9badf9a0e15e3e2721ab103627e92caa3 +SHA512 (curl-8.14.0-rc1.tar.xz.asc) = f02e0fd84bffcbe31fa6ccdba41729be86404241c177087500d4d992278d217ea55d73a9bc260b601ddeef70738e45b799a2bd49c68db05adfe8c127434f5708 From b8ae67753af119081cacdecf02e2180ad85e1b17 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 28 May 2025 12:59:33 +0200 Subject: [PATCH 086/108] new upstream release - 8.14.0 --- ...8.14.0-multi-fix-add_handle-resizing.patch | 209 ++++++++++++++++++ curl.spec | 11 +- sources | 4 +- 3 files changed, 221 insertions(+), 3 deletions(-) create mode 100644 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch diff --git a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch new file mode 100644 index 0000000..4b7e58a --- /dev/null +++ b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch 
@@ -0,0 +1,209 @@ +From d16ccbd55de80c271fe822f4ba8b6271fd9166ff Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 28 May 2025 14:04:31 +0200 +Subject: [PATCH] multi: fix add_handle resizing + +Due to someone being stupid, the resizing of the multi's transfer +table was actually shrinking it. Oh my. + +Add test751 to reproduce, add code assertion. + +Fixes #17473 +Reported-by: Jeroen Ooms +Closes #17475 +--- + lib/multi.c | 3 +- + tests/data/Makefile.am | 2 +- + tests/data/test751 | 33 ++++++++++++++ + tests/libtest/Makefile.inc | 4 ++ + tests/libtest/lib751.c | 92 ++++++++++++++++++++++++++++++++++++++ + 5 files changed, 132 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test751 + create mode 100644 tests/libtest/lib751.c + +diff --git a/lib/multi.c b/lib/multi.c +index 792b30515d8b..b744e03ae52f 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -347,7 +347,8 @@ static CURLMcode multi_xfers_add(struct Curl_multi *multi, + if(unused <= min_unused) { + /* make it a 64 multiple, since our bitsets frow by that and + * small (easy_multi) grows to at least 64 on first resize. */ +- unsigned int newsize = ((capacity + min_unused) + 63) / 64; ++ unsigned int newsize = (((capacity + min_unused) + 63) / 64) * 64; ++ DEBUGASSERT(newsize > capacity); + /* Grow the bitsets first. Should one fail, we do not need + * to downsize the already resized ones. 
The sets continue + * to work properly when larger than the table, but not +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index e8f9e12be71e..16bb57db8e69 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \ + test718 test719 test720 test721 test722 test723 test724 test725 test726 \ + test727 test728 test729 test730 test731 test732 test733 test734 test735 \ + test736 test737 test738 test739 test740 test741 test742 test743 test744 \ +-test745 test746 test747 test748 test749 test750 \ ++test745 test746 test747 test748 test749 test750 test751 \ + \ + test780 test781 test782 test783 test784 test785 test786 test787 test788 \ + test789 test790 test791 \ +diff --git a/tests/data/test751 b/tests/data/test751 +new file mode 100644 +index 000000000000..ffc6df512f83 +--- /dev/null ++++ b/tests/data/test751 +@@ -0,0 +1,33 @@ ++ ++ ++ ++MULTI ++ ++ ++ ++ ++ ++ ++ ++# Client-side ++ ++ ++none ++ ++# tool is what to use instead of 'curl' ++ ++lib%TESTNUMBER ++ ++ ++ ++multi - add many easy handles ++ ++ ++ ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index faf7eacdf6af..002e7ab5470d 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -50,6 +50,7 @@ LIBTESTPROGS = libauthretry libntlmconnect libprereq \ + lib659 lib661 lib666 lib667 lib668 \ + lib670 lib671 lib672 lib673 lib674 lib676 lib677 lib678 lib694 lib695 \ + lib696 \ ++ lib751 \ + lib1156 \ + lib1301 \ + lib1308 \ +@@ -349,6 +350,9 @@ lib695_SOURCES = lib695.c $(SUPPORTFILES) + lib696_SOURCES = lib556.c $(SUPPORTFILES) $(WARNLESS) + lib696_CPPFLAGS = $(AM_CPPFLAGS) -DLIB696 + ++lib751_SOURCES = lib751.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib751_LDADD = $(TESTUTIL_LIBS) ++ + lib1301_SOURCES = lib1301.c $(SUPPORTFILES) $(TESTUTIL) + lib1301_LDADD = $(TESTUTIL_LIBS) + +diff --git 
a/tests/libtest/lib751.c b/tests/libtest/lib751.c +new file mode 100644 +index 000000000000..ab2f923b959d +--- /dev/null ++++ b/tests/libtest/lib751.c +@@ -0,0 +1,92 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++#include "test.h" ++ ++#include "testutil.h" ++#include "warnless.h" ++#include "memdebug.h" ++ ++#define TEST_HANG_TIMEOUT 60 * 1000 ++ ++/* ++ * Get a single URL without select(). 
++ */ ++ ++CURLcode test(char *URL) ++{ ++ CURL *easies[1000]; ++ CURLM *m; ++ CURLcode res = CURLE_FAILED_INIT; ++ CURLMcode mres; ++ int i; ++ ++ (void)URL; ++ memset(easies, 0, sizeof(easies)); ++ ++ curl_global_init(CURL_GLOBAL_DEFAULT); ++ m = curl_multi_init(); ++ if(!m) { ++ res = CURLE_OUT_OF_MEMORY; ++ goto test_cleanup; ++ } ++ ++ for(i = 0; i < 1000; i++) { ++ CURL *e = curl_easy_init(); ++ if(!e) { ++ res = CURLE_OUT_OF_MEMORY; ++ goto test_cleanup; ++ } ++ easies[i] = e; ++ ++ res = curl_easy_setopt(e, CURLOPT_URL, "https://www.example.com/"); ++ if(!res) ++ res = curl_easy_setopt(e, CURLOPT_VERBOSE, 1L); ++ if(res) ++ goto test_cleanup; ++ ++ mres = curl_multi_add_handle(m, e); ++ if(mres != CURLM_OK) { ++ printf("MULTI ERROR: %s\n", curl_multi_strerror(mres)); ++ res = CURLE_FAILED_INIT; ++ goto test_cleanup; ++ } ++ } ++ ++test_cleanup: ++ ++ if(res) ++ printf("ERROR: %s\n", curl_easy_strerror(res)); ++ ++ for(i = 0; i < 1000; i++) { ++ if(easies[i]) { ++ curl_multi_add_handle(m, easies[i]); ++ curl_easy_cleanup(easies[i]); ++ easies[i] = NULL; ++ } ++ } ++ curl_multi_cleanup(m); ++ curl_global_cleanup(); ++ ++ return res; ++} diff --git a/curl.spec b/curl.spec index 1e416a3..555fe8e 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.14.0~rc1 +Version: 8.14.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -16,6 +16,9 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Fix 8.14.0 regression: https://github.com/curl/curl/issues/17473 +Patch001: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
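Review bot: In the `test_cleanup:` loop of lib751.c the per-handle line reads `curl_multi_add_handle(m, easies[i]);` right before `curl_easy_cleanup(easies[i]);`, which looks like a typo for `curl_multi_remove_handle(m, easies[i]);` — re-adding an already-attached handle just returns CURLM_ADDED_ALREADY (ignored here) and leaves the detach to curl_easy_cleanup, and for the handle that failed to be added it attaches it for the first time during teardown. The file comment `Get a single URL without select().` does not describe this test, which adds 1000 handles and never performs a transfer; suggest `/* Add many easy handles to one multi handle to exercise transfer-table resizing. */`. `TEST_HANG_TIMEOUT` is defined but never used in the visible body and could be dropped. This is a backported upstream patch, so the fix belongs upstream first, but the packaged copy should at least not ship a cleanup path that exercises the buggy add path instead of the remove path.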
@@ -407,6 +410,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 28 2025 Jan Macku - 8.14.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-5025 - No QUIC certificate pinning with wolfSSL + CVE-2025-4947 - QUIC certificate check skip with wolfSSL +- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles + * Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 - new upstream release candidate - new utility: wcurl which lets you download URLs without having to remember any parameters diff --git a/sources b/sources index 769013c..c4de0f0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.14.0-rc1.tar.xz) = e9bd9e5c95580ee04171de937ff852c30b4606ef28a0250c1fdd231d7155089d3591e0dbed1f10280c9868b66329c1c9badf9a0e15e3e2721ab103627e92caa3 -SHA512 (curl-8.14.0-rc1.tar.xz.asc) = f02e0fd84bffcbe31fa6ccdba41729be86404241c177087500d4d992278d217ea55d73a9bc260b601ddeef70738e45b799a2bd49c68db05adfe8c127434f5708 +SHA512 (curl-8.14.0.tar.xz) = d9f49cac0b93dbc53879713cc017392b4277d84b489bbf2ef3b585c6a50eea6c3a7b80043286b34062af04329560f2dc321f315b0038ce93435aa9bbcaec1eea +SHA512 (curl-8.14.0.tar.xz.asc) = 7c147ddb5e141dd9951e2ef6b23fa120318c0e631fb36861b80fce61b4b19ca08273a6b95627f46a8172945fb51bd790ffc74dee0a4b0de860dad518963b4710 From 8077eb733b4ff6f66c2887694a5034b54550df73 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 4 Jun 2025 12:59:43 +0200 Subject: [PATCH 087/108] new upstream release - 8.14.1 --- ...8.14.0-multi-fix-add_handle-resizing.patch | 209 ------------------ curl.spec | 9 +- sources | 4 +- 3 files changed, 7 insertions(+), 215 deletions(-) delete mode 100644 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch diff --git a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch b/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch deleted file mode 100644 index 4b7e58a..0000000 
--- a/0001-curl-8.14.0-multi-fix-add_handle-resizing.patch +++ /dev/null 
@@ -1,209 +0,0 @@ -From d16ccbd55de80c271fe822f4ba8b6271fd9166ff Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 28 May 2025 14:04:31 +0200 -Subject: [PATCH] multi: fix add_handle resizing - -Due to someone being stupid, the resizing of the multi's transfer -table was actually shrinking it. Oh my. - -Add test751 to reproduce, add code assertion. - -Fixes #17473 -Reported-by: Jeroen Ooms -Closes #17475 ---- - lib/multi.c | 3 +- - tests/data/Makefile.am | 2 +- - tests/data/test751 | 33 ++++++++++++++ - tests/libtest/Makefile.inc | 4 ++ - tests/libtest/lib751.c | 92 ++++++++++++++++++++++++++++++++++++++ - 5 files changed, 132 insertions(+), 2 deletions(-) - create mode 100644 tests/data/test751 - create mode 100644 tests/libtest/lib751.c - -diff --git a/lib/multi.c b/lib/multi.c -index 792b30515d8b..b744e03ae52f 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -347,7 +347,8 @@ static CURLMcode multi_xfers_add(struct Curl_multi *multi, - if(unused <= min_unused) { - /* make it a 64 multiple, since our bitsets frow by that and - * small (easy_multi) grows to at least 64 on first resize. */ -- unsigned int newsize = ((capacity + min_unused) + 63) / 64; -+ unsigned int newsize = (((capacity + min_unused) + 63) / 64) * 64; -+ DEBUGASSERT(newsize > capacity); - /* Grow the bitsets first. Should one fail, we do not need - * to downsize the already resized ones. 
The sets continue - * to work properly when larger than the table, but not -diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am -index e8f9e12be71e..16bb57db8e69 100644 ---- a/tests/data/Makefile.am -+++ b/tests/data/Makefile.am -@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \ - test718 test719 test720 test721 test722 test723 test724 test725 test726 \ - test727 test728 test729 test730 test731 test732 test733 test734 test735 \ - test736 test737 test738 test739 test740 test741 test742 test743 test744 \ --test745 test746 test747 test748 test749 test750 \ -+test745 test746 test747 test748 test749 test750 test751 \ - \ - test780 test781 test782 test783 test784 test785 test786 test787 test788 \ - test789 test790 test791 \ -diff --git a/tests/data/test751 b/tests/data/test751 -new file mode 100644 -index 000000000000..ffc6df512f83 ---- /dev/null -+++ b/tests/data/test751 -@@ -0,0 +1,33 @@ -+ -+ -+ -+MULTI -+ -+ -+ -+ -+ -+ -+ -+# Client-side -+ -+ -+none -+ -+# tool is what to use instead of 'curl' -+ -+lib%TESTNUMBER -+ -+ -+ -+multi - add many easy handles -+ -+ -+ -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+ -+ -diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc -index faf7eacdf6af..002e7ab5470d 100644 ---- a/tests/libtest/Makefile.inc -+++ b/tests/libtest/Makefile.inc -@@ -50,6 +50,7 @@ LIBTESTPROGS = libauthretry libntlmconnect libprereq \ - lib659 lib661 lib666 lib667 lib668 \ - lib670 lib671 lib672 lib673 lib674 lib676 lib677 lib678 lib694 lib695 \ - lib696 \ -+ lib751 \ - lib1156 \ - lib1301 \ - lib1308 \ -@@ -349,6 +350,9 @@ lib695_SOURCES = lib695.c $(SUPPORTFILES) - lib696_SOURCES = lib556.c $(SUPPORTFILES) $(WARNLESS) - lib696_CPPFLAGS = $(AM_CPPFLAGS) -DLIB696 - -+lib751_SOURCES = lib751.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) -+lib751_LDADD = $(TESTUTIL_LIBS) -+ - lib1301_SOURCES = lib1301.c $(SUPPORTFILES) $(TESTUTIL) - lib1301_LDADD = $(TESTUTIL_LIBS) - -diff --git 
a/tests/libtest/lib751.c b/tests/libtest/lib751.c -new file mode 100644 -index 000000000000..ab2f923b959d ---- /dev/null -+++ b/tests/libtest/lib751.c -@@ -0,0 +1,92 @@ -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) Daniel Stenberg, , et al. -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at https://curl.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ * SPDX-License-Identifier: curl -+ * -+ ***************************************************************************/ -+#include "test.h" -+ -+#include "testutil.h" -+#include "warnless.h" -+#include "memdebug.h" -+ -+#define TEST_HANG_TIMEOUT 60 * 1000 -+ -+/* -+ * Get a single URL without select(). 
-+ */ -+ -+CURLcode test(char *URL) -+{ -+ CURL *easies[1000]; -+ CURLM *m; -+ CURLcode res = CURLE_FAILED_INIT; -+ CURLMcode mres; -+ int i; -+ -+ (void)URL; -+ memset(easies, 0, sizeof(easies)); -+ -+ curl_global_init(CURL_GLOBAL_DEFAULT); -+ m = curl_multi_init(); -+ if(!m) { -+ res = CURLE_OUT_OF_MEMORY; -+ goto test_cleanup; -+ } -+ -+ for(i = 0; i < 1000; i++) { -+ CURL *e = curl_easy_init(); -+ if(!e) { -+ res = CURLE_OUT_OF_MEMORY; -+ goto test_cleanup; -+ } -+ easies[i] = e; -+ -+ res = curl_easy_setopt(e, CURLOPT_URL, "https://www.example.com/"); -+ if(!res) -+ res = curl_easy_setopt(e, CURLOPT_VERBOSE, 1L); -+ if(res) -+ goto test_cleanup; -+ -+ mres = curl_multi_add_handle(m, e); -+ if(mres != CURLM_OK) { -+ printf("MULTI ERROR: %s\n", curl_multi_strerror(mres)); -+ res = CURLE_FAILED_INIT; -+ goto test_cleanup; -+ } -+ } -+ -+test_cleanup: -+ -+ if(res) -+ printf("ERROR: %s\n", curl_easy_strerror(res)); -+ -+ for(i = 0; i < 1000; i++) { -+ if(easies[i]) { -+ curl_multi_add_handle(m, easies[i]); -+ curl_easy_cleanup(easies[i]); -+ easies[i] = NULL; -+ } -+ } -+ curl_multi_cleanup(m); -+ curl_global_cleanup(); -+ -+ return res; -+} diff --git a/curl.spec b/curl.spec index 555fe8e..dd4e145 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.14.0 +Version: 8.14.1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -16,9 +16,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Fix 8.14.0 regression: https://github.com/curl/curl/issues/17473 -Patch001: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
@@ -410,6 +407,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jun 04 2025 Jan Macku - 8.14.1-1 +- new upstream release +- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) + * Wed May 28 2025 Jan Macku - 8.14.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2025-5025 - No QUIC certificate pinning with wolfSSL diff --git a/sources b/sources index c4de0f0..0f72a68 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.14.0.tar.xz) = d9f49cac0b93dbc53879713cc017392b4277d84b489bbf2ef3b585c6a50eea6c3a7b80043286b34062af04329560f2dc321f315b0038ce93435aa9bbcaec1eea -SHA512 (curl-8.14.0.tar.xz.asc) = 7c147ddb5e141dd9951e2ef6b23fa120318c0e631fb36861b80fce61b4b19ca08273a6b95627f46a8172945fb51bd790ffc74dee0a4b0de860dad518963b4710 +SHA512 (curl-8.14.1.tar.xz) = 7f6eae04cc23c50fc41d448aa28dfa59141018009e42c5b1e3f4e0d40c0633460b4e6eec05dfc290f7953671096abfa70a8b5443fccdd3f1be6be32ac10b31d9 +SHA512 (curl-8.14.1.tar.xz.asc) = 663b1652bb27338310d1475a8b0422f04e68fca74be11a4b7120de948af4fc0c2b08b75ce5372d657aa89504a27b36b937b5091cb2d932297a7490d5e390d99f From 1b9d79c6fd4fee6d966e917589125b48c12493ad Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 23 Jun 2025 10:29:25 +0200 Subject: [PATCH 088/108] new upstream release - 8.15.0~rc1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index dd4e145..f21017b 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.14.1 +Version: 8.15.0~rc1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz 
@@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 +- new upstream release candidate + * Wed Jun 04 2025 Jan Macku - 8.14.1-1 - new upstream release - drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) diff --git a/sources b/sources index 0f72a68..8eec045 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.14.1.tar.xz) = 7f6eae04cc23c50fc41d448aa28dfa59141018009e42c5b1e3f4e0d40c0633460b4e6eec05dfc290f7953671096abfa70a8b5443fccdd3f1be6be32ac10b31d9 -SHA512 (curl-8.14.1.tar.xz.asc) = 663b1652bb27338310d1475a8b0422f04e68fca74be11a4b7120de948af4fc0c2b08b75ce5372d657aa89504a27b36b937b5091cb2d932297a7490d5e390d99f +SHA512 (curl-8.15.0-rc1.tar.xz) = eedabb0e416e119107e05c1b6afa04b4157f0381a3572c352e996ff682302690dbe34b75f39d49f6b7a26667eb673f06bd311853e73b9a82839eb1d8a43abe60 +SHA512 (curl-8.15.0-rc1.tar.xz.asc) = 8dbd61cc5246dc6244ac3bc16f9411d3bfe84bae8bd52935dd82d114c92a3be01116963d5518dea12426fbc5d6b45d9baec8354f9183c51f9cddf3204953d865 From 1984beb5371b749ce9fdcd32fde589c2860dc8d5 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 30 Jun 2025 13:44:33 +0200 Subject: [PATCH 089/108] new upstream release - 8.15.0~rc2 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index f21017b..bdb28fb 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc1 +Version: 8.15.0~rc2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz 
@@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 +- new upstream release candidate + * Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 - new upstream release candidate diff --git a/sources b/sources index 8eec045..9da21bd 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc1.tar.xz) = eedabb0e416e119107e05c1b6afa04b4157f0381a3572c352e996ff682302690dbe34b75f39d49f6b7a26667eb673f06bd311853e73b9a82839eb1d8a43abe60 -SHA512 (curl-8.15.0-rc1.tar.xz.asc) = 8dbd61cc5246dc6244ac3bc16f9411d3bfe84bae8bd52935dd82d114c92a3be01116963d5518dea12426fbc5d6b45d9baec8354f9183c51f9cddf3204953d865 +SHA512 (curl-8.15.0-rc2.tar.xz) = 9b4e04b0e2ff5d7a432ea931a965e7ee73103c5430c59b029ea9846358ed052c1353ea12a5636809a78df370e8639254103eb5e4614b75f33a65683044599580 +SHA512 (curl-8.15.0-rc2.tar.xz.asc) = 4aa6e38ec97159802cada0d89c374d06d5eba145139a8fd9f1bc52c42d296088ed559296fe7847b906eb852d382c523f7e48f0f5e03b30fef7996181e6628c10 From c602d3aa5676dfaf8bcff41b8daa26f27eb6856d Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 10 Jul 2025 09:21:53 +0200 Subject: [PATCH 090/108] new upstream release - 8.15.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index bdb28fb..1045a24 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc2 +Version: 8.15.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 +- new upstream release candidate + * Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 - new upstream release candidate 
diff --git a/sources b/sources index 9da21bd..0642c98 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc2.tar.xz) = 9b4e04b0e2ff5d7a432ea931a965e7ee73103c5430c59b029ea9846358ed052c1353ea12a5636809a78df370e8639254103eb5e4614b75f33a65683044599580 -SHA512 (curl-8.15.0-rc2.tar.xz.asc) = 4aa6e38ec97159802cada0d89c374d06d5eba145139a8fd9f1bc52c42d296088ed559296fe7847b906eb852d382c523f7e48f0f5e03b30fef7996181e6628c10 +SHA512 (curl-8.15.0-rc3.tar.xz) = 0f1f99bc69fde58f5e9348543e9aee9ca7c27642f04c380f233c6b3280ae53b9d65529ede8fe831ea6770d3657963f02dc8604a5006e805c6f4519cac79c8d01 +SHA512 (curl-8.15.0-rc3.tar.xz.asc) = 41cb379d5bceb5eadad86d007a3352846ebeaca383ef6448b58dc597ebc914a0fd4aaaf19dc4d47557ea06933b981f2db617a07e27848d2ff32fbb1dc7f52fca From e6d7e2ed2d76eaac3c5e59273a81872976efef7e Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 16 Jul 2025 10:14:01 +0200 Subject: [PATCH 091/108] new upstream release - 8.15.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 1045a24..885ba52 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0~rc3 +Version: 8.15.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 16 2025 Jan Macku - 8.15.0-1 +- new upstream release + * Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 0642c98..fe20191 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0-rc3.tar.xz) = 0f1f99bc69fde58f5e9348543e9aee9ca7c27642f04c380f233c6b3280ae53b9d65529ede8fe831ea6770d3657963f02dc8604a5006e805c6f4519cac79c8d01 -SHA512 (curl-8.15.0-rc3.tar.xz.asc) = 41cb379d5bceb5eadad86d007a3352846ebeaca383ef6448b58dc597ebc914a0fd4aaaf19dc4d47557ea06933b981f2db617a07e27848d2ff32fbb1dc7f52fca +SHA512 (curl-8.15.0.tar.xz) = d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191 +SHA512 (curl-8.15.0.tar.xz.asc) = b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5 From cc5717f9ec610100193bee9eae480f7dad24fa24 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 18:56:38 +0000 Subject: [PATCH 092/108] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- curl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 885ba52..ced8578 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.15.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Wed Jul 16 2025 Jan Macku - 8.15.0-1 - new upstream release From e4069769c832d7469bbbeb654b28427c346514dd Mon Sep 17 00:00:00 2001 
From: Jan Macku Date: Mon, 25 Aug 2025 10:43:21 +0200 Subject: [PATCH 093/108] new upstream release - 8.16.0~rc2 --- 0101-curl-7.32.0-multilib.patch | 14 +++++++------- curl.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index e7b2a32..79e9855 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From 495c771a6f9be008b783c5f59285d30fdc15fd63 Mon Sep 17 00:00:00 2001 +From ae56f768f418e1dd91f9eb3edf1a88453f61e160 Mon Sep 17 00:00:00 2001 From: Jan Macku -Date: Mon, 10 Mar 2025 14:23:59 +0100 +Date: Mon, 25 Aug 2025 10:41:12 +0200 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 5518416..324e0b7 100644 +index ce23519..bb43ca8 100644 --- a/curl-config.in +++ b/curl-config.in @@ -74,7 +74,7 @@ while test "$#" -gt 0; do @@ -26,12 +26,12 @@ index 5518416..324e0b7 100644 ;; --libs) -- if test "X@libdir@" != 'X/usr/lib' -a "X@libdir@" != 'X/usr/lib64'; then +- if test "@libdir@" != '/usr/lib' -a "@libdir@" != '/usr/lib64'; then - curllibdir="-L@libdir@ " - else - curllibdir='' - fi -- if test 'X@ENABLE_SHARED@' = 'Xno'; then +- if test '@ENABLE_SHARED@' = 'no'; then - echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" - else - echo "${curllibdir}-lcurl" @@ -44,7 +44,7 @@ index 5518416..324e0b7 100644 ;; --static-libs) -- if test 'X@ENABLE_STATIC@' != 'Xno'; then +- if test '@ENABLE_STATIC@' != 'no'; then - echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" - else - echo 'curl was built with static libraries disabled' >&2 @@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644 Name: libcurl URL: https://curl.se/ -- -2.48.1 +2.50.1 
diff --git a/curl.spec b/curl.spec index ced8578..e780804 100644 --- a/curl.spec +++ b/curl.spec @@ -6,8 +6,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.15.0 -Release: 2%{?dist} +Version: 8.16.0~rc2 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 +- new upstream release candidate + * Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild diff --git a/sources b/sources index fe20191..ad9b1ad 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.15.0.tar.xz) = d27e316d70973906ac4b8d2c280f7e99b7528966aa1220c13a38ed45fca2ed6bbde54b8a9d7bed9e283171b92edb621f7b95162ef7d392e6383b0ee469de3191 -SHA512 (curl-8.15.0.tar.xz.asc) = b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5 +SHA512 (curl-8.16.0-rc2.tar.xz.asc) = c180343f1037cf51eb32c61035a4da7e728c2ee7f8d4ca1d464545b9b4044b30963e6b1ce424951a151ff901d7c7f4d56e7a54dacc581fc2c5c3b54349c155eb +SHA512 (curl-8.16.0-rc2.tar.xz) = 7cc4f56a05634c651cf7224d3844359498d127f259e531aadefe86f6df3a7fc5f6644c296407d38867ddb716fe3e4951d377592f6d977c196ad1a733374e608f From 581c1b9ace3de047af9bec6a8a59cf0c9f36c91c Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 3 Sep 2025 10:39:46 +0200 Subject: [PATCH 094/108] new upstream release - 8.16.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index e780804..0a7e2b9 100644 --- a/curl.spec +++ b/curl.spec 
@@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0~rc2 +Version: 8.16.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 +- new upstream release candidate + * Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index ad9b1ad..9d707b2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0-rc2.tar.xz.asc) = c180343f1037cf51eb32c61035a4da7e728c2ee7f8d4ca1d464545b9b4044b30963e6b1ce424951a151ff901d7c7f4d56e7a54dacc581fc2c5c3b54349c155eb -SHA512 (curl-8.16.0-rc2.tar.xz) = 7cc4f56a05634c651cf7224d3844359498d127f259e531aadefe86f6df3a7fc5f6644c296407d38867ddb716fe3e4951d377592f6d977c196ad1a733374e608f +SHA512 (curl-8.16.0-rc3.tar.xz) = 119e00ac9c150ac1d61ce5eeb522168b8a1c68d6576077400222170e0bd9b25dbe53182166a194058e58831a8768c1b7d9145fd5051c4e13bcd12841eb3a7284 +SHA512 (curl-8.16.0-rc3.tar.xz.asc) = 50e484772ac1e8390222ce21702c6995c96b4da99d1e0f2e233b7226b48b5ce3a290d6050963e1e2c519b9a29d2ded7134d3bd4e765a946a8abbae3c67e31d32 From 4335a7a3cb25cd33eea86ac9fc8d41bb67fd857f Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 10 Sep 2025 08:56:14 +0200 Subject: [PATCH 095/108] new upstream release - 8.16.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 0a7e2b9..bf0f7ee 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0~rc3 +Version: 8.16.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz 
@@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Sep 10 2025 Jan Macku - 8.16.0-1 +- new upstream release + * Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 9d707b2..8b5feac 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0-rc3.tar.xz) = 119e00ac9c150ac1d61ce5eeb522168b8a1c68d6576077400222170e0bd9b25dbe53182166a194058e58831a8768c1b7d9145fd5051c4e13bcd12841eb3a7284 -SHA512 (curl-8.16.0-rc3.tar.xz.asc) = 50e484772ac1e8390222ce21702c6995c96b4da99d1e0f2e233b7226b48b5ce3a290d6050963e1e2c519b9a29d2ded7134d3bd4e765a946a8abbae3c67e31d32 +SHA512 (curl-8.16.0.tar.xz) = 8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621 +SHA512 (curl-8.16.0.tar.xz.asc) = 591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82 From 804c73ca4bbb4d7a3f454bf93fa621bd3fd06feb Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Fri, 12 Sep 2025 10:40:12 -0700 Subject: [PATCH 096/108] Update test URLs to Fedora 42 to fix tests Tests currently fail because Fedora 38 is archived. This bumps the version to 42 and updates the expected content. This will need updating again annually or so. It'd be safer to use something that doesn't age out frequently instead. Signed-off-by: Adam Williamson --- tests/non-root-user-download/runtest.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 4d51e62..0d72276 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh 
@@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" From 9776a6bb744df02f85cf73c3b8a02e0e387ae915 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 13 Oct 2025 10:25:01 +0200 Subject: [PATCH 097/108] new upstream release - 8.17.0~rc1 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index bf0f7ee..f247bf3 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.16.0 +Version: 8.17.0~rc1 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 +- new upstream release candidate + * Wed Sep 10 2025 Jan Macku - 8.16.0-1 - new upstream release diff --git a/sources b/sources index 8b5feac..c657397 100644 --- a/sources +++ b/sources 
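Review bot: The three replaced constants encode the release number and ISO build twice each, so the refresh the commit message already expects to repeat annually has to be done by hand in three places; deriving both URLs from a single `FEDORA_RELEASE`/`ISO_BUILD` pair (below) leaves only `CONTENT` to update. It would also help to record next to `CONTENT` what it is compared against, since the comparison is outside this hunk (presumably a match against the fetched CHECKSUM file), e.g. `# CONTENT: digest line expected in the CHECKSUM file; refresh together with the URLs when the release is archived`. The FTP leg is plaintext to a third-party mirror, so that CONTENT comparison is likely the only integrity check it has and should stay an exact match. The enclosing script continues outside the hunk.
```shell
FEDORA_RELEASE=42
ISO_BUILD=1.1
FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/${FEDORA_RELEASE}/Everything/x86_64/iso/Fedora-Everything-${FEDORA_RELEASE}-${ISO_BUILD}-x86_64-CHECKSUM
HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/${FEDORA_RELEASE}/Everything/x86_64/iso/Fedora-Everything-${FEDORA_RELEASE}-${ISO_BUILD}-x86_64-CHECKSUM
# … unchanged: CONTENT, PASSWORD, OPTIONS …
```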
@@ -1,2 +1,2 @@ -SHA512 (curl-8.16.0.tar.xz) = 8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621 -SHA512 (curl-8.16.0.tar.xz.asc) = 591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82 +SHA512 (curl-8.17.0-rc1.tar.xz) = bbaa3c97860f51c069dfc448d212a0d2149abfe76429bd4e7e3b005f44851e609008b90f5ed5caad048b5815043433248b495c41edf04d4bb5b76a8af41ede02 +SHA512 (curl-8.17.0-rc1.tar.xz.asc) = e86f7c9000ee5e8ee775947e720a17cf327b1f3053d6a6d92d3d1d27ed8dacefe1934ce3ee67b1efd59a601e0312bcffd1fb0900b760fda15e0fe7ba1a892c8f From 6bf2cb17bf9b14db4abc7a4f85e502629eafbbf3 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 21 Oct 2025 13:12:51 +0200 Subject: [PATCH 098/108] new upstream release - 8.17.0~rc2 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index f247bf3..6784164 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc1 +Version: 8.17.0~rc2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 +- new upstream release candidate + * Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 - new upstream release candidate diff --git a/sources b/sources index c657397..5bd897d 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc1.tar.xz) = bbaa3c97860f51c069dfc448d212a0d2149abfe76429bd4e7e3b005f44851e609008b90f5ed5caad048b5815043433248b495c41edf04d4bb5b76a8af41ede02 -SHA512 (curl-8.17.0-rc1.tar.xz.asc) = e86f7c9000ee5e8ee775947e720a17cf327b1f3053d6a6d92d3d1d27ed8dacefe1934ce3ee67b1efd59a601e0312bcffd1fb0900b760fda15e0fe7ba1a892c8f +SHA512 (curl-8.17.0-rc2.tar.xz) = bc7d63e72787c5960a7107e2227b70e761aef2e2e63bda0f13f8c944b31a4e98acc1ca72bde25ff9eba3d97cee38e58e51359dffcfdf59310c6722d3a0986b54 +SHA512 (curl-8.17.0-rc2.tar.xz.asc) = d5bd939f0a004f6ae46f0fca1e05f6f7c4d6e77c3a65641c9b081a28589385a44b51fa968e0a7c35dd76caebe1f4d59ac0b26e0fc84378fd1d57c3ce513c4a2a From 9bd80279ea75fc37dcc6767e0061bc46e4893607 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 30 Oct 2025 09:34:03 +0100 Subject: [PATCH 099/108] new upstream release - 8.17.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 6784164..2cb6993 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc2 +Version: 8.17.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 +- new upstream release candidate + * Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 - new upstream release candidate diff --git a/sources b/sources index 5bd897d..0a3353d 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc2.tar.xz) = bc7d63e72787c5960a7107e2227b70e761aef2e2e63bda0f13f8c944b31a4e98acc1ca72bde25ff9eba3d97cee38e58e51359dffcfdf59310c6722d3a0986b54 -SHA512 (curl-8.17.0-rc2.tar.xz.asc) = d5bd939f0a004f6ae46f0fca1e05f6f7c4d6e77c3a65641c9b081a28589385a44b51fa968e0a7c35dd76caebe1f4d59ac0b26e0fc84378fd1d57c3ce513c4a2a +SHA512 (curl-8.17.0-rc3.tar.xz) = ffa33aaec6c84ee2a9838e4d10f70e905ac414b920794215a0abb5a537e441187b4fd4eba2e1d8103d43375dc6bdf6995f097d22523c6e4ca1172bf0c3e1c347 +SHA512 (curl-8.17.0-rc3.tar.xz.asc) = b2ecef9a04d8337dabfde6be96e9b6fc9151d56dcc8aeb93ce8c5949ba0aaa6bbaf72f25ef3af8a0d4ffc92999d5f5498cead4f519fc0473c4cd311e28d54774 From d2da397853a1847f0a9c1be02842a7720227ec55 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 6 Nov 2025 15:10:09 +0100 Subject: [PATCH 100/108] new upstream release - 8.17.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 2cb6993..f96c5aa 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0~rc3 +Version: 8.17.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -407,6 +407,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +*Mon Nov 10 2025 Jan Macku - 8.17.0-1 +- new upstream release + * Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 0a3353d..2d835d7 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0-rc3.tar.xz) = ffa33aaec6c84ee2a9838e4d10f70e905ac414b920794215a0abb5a537e441187b4fd4eba2e1d8103d43375dc6bdf6995f097d22523c6e4ca1172bf0c3e1c347 -SHA512 (curl-8.17.0-rc3.tar.xz.asc) = b2ecef9a04d8337dabfde6be96e9b6fc9151d56dcc8aeb93ce8c5949ba0aaa6bbaf72f25ef3af8a0d4ffc92999d5f5498cead4f519fc0473c4cd311e28d54774 +SHA512 (curl-8.17.0.tar.xz.asc) = e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2 +SHA512 (curl-8.17.0.tar.xz) = fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca From b15bd53eb8d0de3ade9fb785b019f4d36aba07d5 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Nov 2025 09:24:32 +0100 Subject: [PATCH 101/108] remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead --- curl.spec | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/curl.spec b/curl.spec index f96c5aa..8e3d696 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 1%{?dist} +Release: 2%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -366,6 +366,11 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la +# do not install bundled wcurl utility +# it is provided by the wcurl package +rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* + %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal @@ -381,8 +386,6 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* -%{_bindir}/wcurl -%{_mandir}/man1/wcurl.1* %{_datadir}/zsh %files -n libcurl 
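Review bot: Dropping `%{_bindir}/wcurl` and its man page from `%files` (hunk `@@ -381,8 +386,6`) hands the path over to the standalone wcurl package without any ownership transition on this side: a system with curl-8.17.0-1 installed will hit an RPM file conflict if wcurl is installed before curl is upgraded, unless the wcurl package carries `Conflicts: curl < 8.17.0-2` (its spec is not on this page, so worth confirming). The `rm -f` lines in `@@ -366,6 +366,11` are fine, but the comment would be more useful if it named the reason the files exist at all, e.g. `# upstream installs wcurl next to curl; drop it here because the separate wcurl package owns /usr/bin/wcurl and its man page`.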
@@ -407,7 +410,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -*Mon Nov 10 2025 Jan Macku - 8.17.0-1 +* Thu Nov 13 2025 Jan Macku - 8.17.0-2 +- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead + +* Mon Nov 10 2025 Jan Macku - 8.17.0-1 - new upstream release * Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 From 6803c01e8da370a26d6cd6206093cd8f51ac3bae Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Thu, 13 Nov 2025 16:01:43 +0100 Subject: [PATCH 102/108] recommend wcurl package instead of bundled wcurl utility --- curl.spec | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/curl.spec b/curl.spec index 8e3d696..ca173a3 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 2%{?dist} +Release: 3%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -28,6 +28,11 @@ Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ +%if 0%{?fedora} +# instead of bundled wcurl utility, recommend wcurl package +Recommends: wcurl +%endif + # The reason for maintaining two separate packages for curl is no longer valid. # The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. # For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 @@ -410,6 +415,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Nov 13 2025 Jan Macku - 8.17.0-3 +- recommend wcurl package instead of bundled wcurl utility + * Thu Nov 13 2025 Jan Macku - 8.17.0-2 - remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead From 7d91f53d81f6aa9e760638a1e4dceb82a5b839b7 Mon Sep 17 00:00:00 2001 
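Review bot: `Recommends: wcurl` in hunk `@@ -28,6 +28,11` is guarded by `%if 0%{?fedora}`, so on non-Fedora builds (the spec tests `0%{?rhel}` elsewhere) the wcurl binary removed in 8.17.0-2 disappears with nothing pulling in a replacement, and even on Fedora a weak dependency is skipped when installs run with weak deps disabled. If the guard exists because wcurl is only packaged for Fedora, say so in the comment so the next maintainer does not widen it by accident, e.g. `# instead of bundled wcurl utility, recommend wcurl package (guarded: only available where wcurl is packaged)`.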
From: Jan Macku Date: Thu, 4 Dec 2025 09:59:27 +0100 Subject: [PATCH 103/108] http3: apply upstream patches for valgrind issues Related: #2408809 --- ...rl-8.17.0-vquic-do_sendmsg-full-init.patch | 34 +++++++++++++++++++ ...0-ngtcp2-openssl-fix-leak-of-session.patch | 32 +++++++++++++++++ curl.spec | 9 ++++- 3 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch create mode 100644 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch diff --git a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch new file mode 100644 index 0000000..f41b79a --- /dev/null +++ b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch @@ -0,0 +1,34 @@ +From aa95d1ceda65e7aa20110a69742797d80009e7de Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 27 Nov 2025 10:23:43 +0100 +Subject: [PATCH 1/2] vquic: do_sendmsg full init + +When passing a `msg_ctrl` to sendmsg() as part of GSO handling, zero the +complete array. This fixes any false positives by valgrind that complain +about uninitialised memory, even though the kernel only ever accesses +the first two bytes. + +Reported-by: Aleksei Bavshin +Fixes #19714 +Closes #19715 + +(cherry picked from commit a9e7a027ed866b791c12a3c701dc40304f4e00cb) +--- + lib/vquic/vquic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/vquic/vquic.c b/lib/vquic/vquic.c +index 7533001ea..2e8d8e5cd 100644 +--- a/lib/vquic/vquic.c ++++ b/lib/vquic/vquic.c +@@ -144,6 +144,7 @@ static CURLcode do_sendmsg(struct Curl_cfilter *cf, + if(pktlen > gsolen) { + /* Only set this, when we need it. macOS, for example, + * does not seem to like a msg_control of length 0. */ ++ memset(msg_ctrl, 0, sizeof(msg_ctrl)); + msg.msg_control = msg_ctrl; + assert(sizeof(msg_ctrl) >= CMSG_SPACE(sizeof(int))); + msg.msg_controllen = CMSG_SPACE(sizeof(int)); +-- +2.52.0 + 
diff --git a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch new file mode 100644 index 0000000..4db6234 --- /dev/null +++ b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch @@ -0,0 +1,32 @@ +From a11ab7ad4ea0d97ac0d5af1e28b30b00c37c3c3c Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 27 Nov 2025 12:11:39 +0100 +Subject: [PATCH 2/2] ngtcp2+openssl: fix leak of session + +Fix return value indicating to OpenSSL if reference to session is kept +(it is not), so OpenSSL frees it. + +Reported-by: Aleksei Bavshin +Fixes #19717 +Closes #19718 + +(cherry picked from commit 9bb5c0578b39e5b086b6a9db5c6eb299a0fe1c5c) +--- + lib/vquic/curl_ngtcp2.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c +index f72f6630f..069dcb67e 100644 +--- a/lib/vquic/curl_ngtcp2.c ++++ b/lib/vquic/curl_ngtcp2.c +@@ -2262,7 +2262,6 @@ static int quic_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) + #endif + Curl_ossl_add_session(cf, data, ctx->peer.scache_key, ssl_sessionid, + SSL_version(ssl), "h3", quic_tp, quic_tp_len); +- return 1; + } + return 0; + } +-- +2.52.0 + diff --git a/curl.spec b/curl.spec index ca173a3..a58a893 100644 --- a/curl.spec +++ b/curl.spec @@ -7,7 +7,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 3%{?dist} +Release: 4%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc 
@@ -16,6 +16,10 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc +# Fix valgrind issues in HTTP/3 +Patch001: 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch +Patch002: 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -415,6 +419,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu Dec 04 2025 Jan Macku - 8.17.0-4 +- apply upstream patches for valgrind issues in HTTP/3 (#2408809) + * Thu Nov 13 2025 Jan Macku - 8.17.0-3 - recommend wcurl package instead of bundled wcurl utility From fe73859ecd63f56854b599eda9bc8d991c933d8b Mon Sep 17 00:00:00 2001 From: Aleksei Bavshin Date: Thu, 9 Oct 2025 14:36:47 -0700 Subject: [PATCH 104/108] Enable HTTP/3 support with ngtcp2 --- curl.spec | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/curl.spec b/curl.spec index a58a893..a47f422 100644 --- a/curl.spec +++ b/curl.spec @@ -4,10 +4,15 @@ # Change the bcond to 0 to turn off ENGINE support by default %bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] +# HTTP/3 support +# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's +# experimental native OpenSSL 3.5 support. +%bcond http3 %[0%{?fedora} >= 43] + Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.17.0 -Release: 4%{?dist} +Release: 5%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc 
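Review bot: The comment above `Patch001`/`Patch002` says only `# Fix valgrind issues in HTTP/3`; since both are cherry-picks that the next upstream release is expected to make redundant (PATCH 105 on this page indeed drops them), record the upstream references so the drop condition can be checked without opening the patch files: `# Fix valgrind issues in HTTP/3 (upstream #19714, #19717; #2408809), cherry-picked; drop on the next rebase`. The `Patch001` numbering sits below the existing `Patch101` multilib patch, which only matters if the application step (`%autosetup`/`%patch`, outside this hunk) depends on ordering; worth a glance since the multilib patch also rewrites build files.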
@@ -50,10 +55,16 @@ BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel BuildRequires: libnghttp2-devel +%if %{with http3} +BuildRequires: libnghttp3-devel +%endif BuildRequires: libpsl-devel BuildRequires: libssh-devel BuildRequires: libtool BuildRequires: make +%if %{with http3} +BuildRequires: ngtcp2-crypto-ossl-devel +%endif BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server @@ -148,6 +159,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#2144277) %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) +# require at least the version of libnghttp3 that we were built against, +# to ensure that we have the necessary symbols available +%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) @@ -156,6 +171,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) +# require at least the version of ngtcp2 that we were built against, +# to ensure that we have the necessary symbols available +%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) + # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, #1462211) # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) 
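Review bot: `%global ngtcp2_version` in hunk `@@ -156,6 +171,10` queries `pkg-config --modversion libngtcp2`, but the only new BuildRequires in `@@ -50,10 +55,16` is `ngtcp2-crypto-ossl-devel`; if that package does not ship `libngtcp2.pc`, the `|| echo 0` fallback silently turns the `Requires: ngtcp2%{?_isa} >= %{ngtcp2_version}` floor in the `%package -n libcurl` hunk into `>= 0`, which defeats the "built against" guarantee the comment promises. Add `BuildRequires: ngtcp2-devel` under the same `%if %{with http3}` block so the version is always resolvable. The crypto backend library (libngtcp2_crypto_ossl) only gets automatic soname dependencies; if it is shipped in a separate subpackage it needs the same explicit version floor, since that is the component that tracks OpenSSL's QUIC API. Both new `%global` lines run unconditionally; wrapping them in `%if %{with http3}` would keep non-HTTP/3 builds from spawning pkg-config for libraries they do not link.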
@@ -172,8 +191,14 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} +%if %{with http3} +Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} +%endif Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} +%if %{with http3} +Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} +%endif Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} @@ -313,7 +338,11 @@ export common_configure_opts=" \ --enable-websockets \ --with-brotli \ --with-libpsl \ - --with-libssh + --with-libssh \ +%if %{with http3} + --with-nghttp3 \ + --with-ngtcp2 \ +%endif ) # avoid using rpath @@ -419,6 +448,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 +- Enable HTTP/3 support with ngtcp2 + * Thu Dec 04 2025 Jan Macku - 8.17.0-4 - apply upstream patches for valgrind issues in HTTP/3 (#2408809) From 9d9fd36c2e8580eea7562a01230282bde942487e Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 9 Dec 2025 08:50:28 +0100 Subject: [PATCH 105/108] new upstream release - 8.18.0~rc1 --- ...rl-8.17.0-vquic-do_sendmsg-full-init.patch | 34 ------------------- ...0-ngtcp2-openssl-fix-leak-of-session.patch | 32 ----------------- curl.spec | 12 +++---- sources | 4 +-- 4 files changed, 8 insertions(+), 74 deletions(-) delete mode 100644 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch delete mode 100644 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch diff --git a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch b/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch deleted file mode 100644 index f41b79a..0000000 --- a/0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From aa95d1ceda65e7aa20110a69742797d80009e7de Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 27 Nov 2025 10:23:43 +0100 -Subject: [PATCH 1/2] vquic: do_sendmsg full init - -When passing a `msg_ctrl` to sendmsg() as part of GSO handling, zero the -complete array. This fixes any false positives by valgrind that complain -about uninitialised memory, even though the kernel only ever accesses -the first two bytes. - -Reported-by: Aleksei Bavshin -Fixes #19714 -Closes #19715 - -(cherry picked from commit a9e7a027ed866b791c12a3c701dc40304f4e00cb) ---- - lib/vquic/vquic.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/vquic/vquic.c b/lib/vquic/vquic.c -index 7533001ea..2e8d8e5cd 100644 ---- a/lib/vquic/vquic.c -+++ b/lib/vquic/vquic.c -@@ -144,6 +144,7 @@ static CURLcode do_sendmsg(struct Curl_cfilter *cf, - if(pktlen > gsolen) { - /* Only set this, when we need it. macOS, for example, - * does not seem to like a msg_control of length 0. */ -+ memset(msg_ctrl, 0, sizeof(msg_ctrl)); - msg.msg_control = msg_ctrl; - assert(sizeof(msg_ctrl) >= CMSG_SPACE(sizeof(int))); - msg.msg_controllen = CMSG_SPACE(sizeof(int)); --- -2.52.0 - diff --git a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch b/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch deleted file mode 100644 index 4db6234..0000000 --- a/0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From a11ab7ad4ea0d97ac0d5af1e28b30b00c37c3c3c Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 27 Nov 2025 12:11:39 +0100 -Subject: [PATCH 2/2] ngtcp2+openssl: fix leak of session - -Fix return value indicating to OpenSSL if reference to session is kept -(it is not), so OpenSSL frees it. - -Reported-by: Aleksei Bavshin -Fixes #19717 -Closes #19718 - -(cherry picked from commit 9bb5c0578b39e5b086b6a9db5c6eb299a0fe1c5c) ---- - lib/vquic/curl_ngtcp2.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c -index f72f6630f..069dcb67e 100644 ---- a/lib/vquic/curl_ngtcp2.c -+++ b/lib/vquic/curl_ngtcp2.c -@@ -2262,7 +2262,6 @@ static int quic_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) - #endif - Curl_ossl_add_session(cf, data, ctx->peer.scache_key, ssl_sessionid, - SSL_version(ssl), "h3", quic_tp, quic_tp_len); -- return 1; - } - return 0; - } --- -2.52.0 - diff --git a/curl.spec b/curl.spec index a47f422..6ce39e2 100644 --- a/curl.spec +++ b/curl.spec @@ -11,8 +11,8 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.17.0 -Release: 5%{?dist} +Version: 8.18.0~rc1 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc @@ -21,10 +21,6 @@ Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# Fix valgrind issues in HTTP/3 -Patch001: 0001-curl-8.17.0-vquic-do_sendmsg-full-init.patch -Patch002: 0002-curl-8.17.0-ngtcp2-openssl-fix-leak-of-session.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
@@ -448,6 +444,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 +- new upstream release candidate +- drop upstreamed patches + * Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 - Enable HTTP/3 support with ngtcp2 diff --git a/sources b/sources index 2d835d7..80cbe05 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.17.0.tar.xz.asc) = e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2 -SHA512 (curl-8.17.0.tar.xz) = fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca +SHA512 (curl-8.18.0-rc1.tar.xz) = 34cb17db3b16458a82b6f2c6c72f967cd028449a74a026acb2b6085161644ad352adf9cc9324d1e3264caf9039424bc53863e55ce92da7971e15871fee0c2551 +SHA512 (curl-8.18.0-rc1.tar.xz.asc) = 6b64d4d035de78f5111cc4cd7aaf4f6e5d4f14e5ee6685a3ff4e5d67f93aa45008a6c85f62cea54800872815fc01158339fc5d53959d060062cffce327a5346d From 9e1a11614b37b5a26a09a2bca7f81270633e3cbc Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 16 Dec 2025 14:49:18 +0100 Subject: [PATCH 106/108] new upstream release - 8.18.0~rc2 --- 0101-curl-7.32.0-multilib.patch | 14 +++++----- 0105-curl-8.11.1-test616.patch | 48 --------------------------------- curl.spec | 14 +++++----- sources | 4 +-- 4 files changed, 17 insertions(+), 63 deletions(-) delete mode 100644 0105-curl-8.11.1-test616.patch diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 79e9855..f7f66e6 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,6 +1,6 @@ -From ae56f768f418e1dd91f9eb3edf1a88453f61e160 Mon Sep 17 00:00:00 2001 +From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 
From: Jan Macku -Date: Mon, 25 Aug 2025 10:41:12 +0200 +Date: Tue, 16 Dec 2025 10:04:40 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- @@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index ce23519..bb43ca8 100644 +index a1c8185875..bb43ca8335 100644 --- a/curl-config.in +++ b/curl-config.in @@ -74,7 +74,7 @@ while test "$#" -gt 0; do @@ -26,7 +26,7 @@ index ce23519..bb43ca8 100644 ;; --libs) -- if test "@libdir@" != '/usr/lib' -a "@libdir@" != '/usr/lib64'; then +- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then - curllibdir="-L@libdir@ " - else - curllibdir='' @@ -61,7 +61,7 @@ index ce23519..bb43ca8 100644 *) diff --git a/docs/curl-config.md b/docs/curl-config.md -index 12ad245..fa0e03d 100644 +index 12ad245b79..fa0e03d273 100644 --- a/docs/curl-config.md +++ b/docs/curl-config.md @@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. @@ -76,7 +76,7 @@ index 12ad245..fa0e03d 100644 ## `--version` diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba524..f3645e1 100644 +index c0ba5244a8..f3645e1748 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in @@ -28,6 +28,7 @@ libdir=@libdir@ @@ -88,5 +88,5 @@ index c0ba524..f3645e1 100644 Name: libcurl URL: https://curl.se/ -- -2.50.1 +2.52.0 diff --git a/0105-curl-8.11.1-test616.patch b/0105-curl-8.11.1-test616.patch deleted file mode 100644 index 91bde80..0000000 --- a/0105-curl-8.11.1-test616.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 82baec8c7cd40361585d8793dfe4531f7aad30e3 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Wed, 11 Dec 2024 13:16:12 +0100 -Subject: [PATCH] test616: disable valgrind - -Valgrind disable was removed in upstream in https://github.com/curl/curl/commit/c91c37b6e87ceee760b7bb334c8e97e03ee93e93#diff-e01fd8774cf5b26329c7dc7dc03ec49745469205f3d501ced72c9d133455d5e7L35 -But test 616 is still failing under valgrind, so disable valgrind for this test. - -``` - valgrind ERROR ==188588== 144 bytes in 1 blocks are definitely lost in loss record 1 of 1 -==188588== at 0x484B133: calloc (vg_replace_malloc.c:1675) -==188588== by 0x4BB7575: ??? (in /usr/lib64/libssh.so.4.10.1) -==188588== by 0x4BB8CC6: sftp_fstat (in /usr/lib64/libssh.so.4.10.1) -==188588== by 0x48EEAFB: myssh_statemach_act (libssh.c:1610) -==188588== by 0x48F1B9D: myssh_multi_statemach.lto_priv.0 (libssh.c:2095) -==188588== by 0x48BA971: UnknownInlinedFun (multi.c:1643) -==188588== by 0x48BA971: UnknownInlinedFun (multi.c:2314) -==188588== by 0x48BA971: multi_runsingle (multi.c:2768) -==188588== by 0x48BCCA4: curl_multi_perform (multi.c:3016) -==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:701) -==188588== by 0x4884E4A: UnknownInlinedFun (easy.c:796) -==188588== by 0x4884E4A: curl_easy_perform (easy.c:815) -==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:2902) -==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3127) -==188588== by 0x10C12B: UnknownInlinedFun (tool_operate.c:3249) -==188588== by 0x10C12B: main (tool_main.c:271) -==188588== -``` ---- - tests/data/test616 | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tests/data/test616 b/tests/data/test616 -index f76c68a..0ebc734 100644 ---- a/tests/data/test616 -+++ b/tests/data/test616 -@@ -32,5 +32,8 @@ SFTP retrieval of empty file - # - # Verify data after the test has been "shot" - -+ -+disable -+ - - --- -2.47.1 - diff --git a/curl.spec b/curl.spec index 6ce39e2..c2ec049 100644 --- a/curl.spec 
+++ b/curl.spec @@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0~rc1 +Version: 8.18.0~rc2 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -24,9 +24,6 @@ Source2: mykey.asc # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch -# test616: disable valgrind -Patch105: 0105-curl-8.11.1-test616.patch - Provides: curl-full = %{version}-%{release} # do not fail when trying to install curl-minimal after drop Provides: curl-minimal = %{version}-%{release} @@ -414,9 +411,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %doc README %doc docs/BUGS.md %doc docs/DISTROS.md -%doc docs/FAQ +%doc docs/FAQ.md %doc docs/FEATURES.md -%doc docs/TODO +%doc docs/KNOWN_BUGS.md +%doc docs/TODO.md %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* @@ -444,6 +442,10 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 +- new upstream release candidate +- reenable valgrind on test 616 + * Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 - new upstream release candidate - drop upstreamed patches diff --git a/sources b/sources index 80cbe05..f75181e 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.18.0-rc1.tar.xz) = 34cb17db3b16458a82b6f2c6c72f967cd028449a74a026acb2b6085161644ad352adf9cc9324d1e3264caf9039424bc53863e55ce92da7971e15871fee0c2551 -SHA512 (curl-8.18.0-rc1.tar.xz.asc) = 6b64d4d035de78f5111cc4cd7aaf4f6e5d4f14e5ee6685a3ff4e5d67f93aa45008a6c85f62cea54800872815fc01158339fc5d53959d060062cffce327a5346d +SHA512 (curl-8.18.0-rc2.tar.xz) = 4a71016d3a1d53bda007dc510c6eb7c1f35f04f4bb5c9cb1b10595e2ea15062993edd5fcdf73d008f6e91db48467e6a3428dd96e64ad9fb7acdf74db15ac5564 +SHA512 (curl-8.18.0-rc2.tar.xz.asc) = d3cfefd964958aa83da3005030899d12ed6ac0c456b2a2b1490a76a06c5abff839b4d70c1bad1d6218f9bdae0e63e368fc6a423ed10d03334609b499b7440762 From da5bf8f889f2af14cee4a633294b06b02f90ac16 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Mon, 5 Jan 2026 09:35:50 +0100 Subject: [PATCH 107/108] new upstream release - 8.18.0~rc3 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index c2ec049..758e807 100644 --- a/curl.spec +++ b/curl.spec @@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0~rc2 +Version: 8.18.0~rc3 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -442,6 +442,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 +- new upstream release candidate + * Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 - new upstream release candidate - reenable valgrind on test 616 diff --git a/sources b/sources index f75181e..5d0cff9 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.18.0-rc2.tar.xz) = 4a71016d3a1d53bda007dc510c6eb7c1f35f04f4bb5c9cb1b10595e2ea15062993edd5fcdf73d008f6e91db48467e6a3428dd96e64ad9fb7acdf74db15ac5564 -SHA512 (curl-8.18.0-rc2.tar.xz.asc) = d3cfefd964958aa83da3005030899d12ed6ac0c456b2a2b1490a76a06c5abff839b4d70c1bad1d6218f9bdae0e63e368fc6a423ed10d03334609b499b7440762 +SHA512 (curl-8.18.0-rc3.tar.xz) = 1139b79a6c4356fdf6f368812402c2f9bafcbaec6323c367aef85c4d00ffda9541a87ef476ce9a099142ef6f824b562c9dc840878add60a616f0e441fef44801 +SHA512 (curl-8.18.0-rc3.tar.xz.asc) = fac23b293cec82596ddd7757c0984e3977259c5116ddef719fad2a39a3723cf7cb5d85d12c5c5b2542f34a5411aa6f42f4fb08729fde6c564cd3567f2a3f0434 From 3c4947ef9777ff0e270d3680b23a3e10134ee68f Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 7 Jan 2026 11:16:40 +0100 Subject: [PATCH 108/108] new upstream release - 8.18.0 --- curl.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/curl.spec b/curl.spec index 758e807..c0ad4db 100644 --- a/curl.spec +++ b/curl.spec @@ -11,7 +11,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0~rc3 +Version: 8.18.0 Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz @@ -442,6 +442,9 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jan 07 2026 Jan Macku - 8.18.0-1 +- new upstream release + * Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 - new upstream release candidate diff --git a/sources b/sources index 5d0cff9..002e494 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (curl-8.18.0-rc3.tar.xz) = 1139b79a6c4356fdf6f368812402c2f9bafcbaec6323c367aef85c4d00ffda9541a87ef476ce9a099142ef6f824b562c9dc840878add60a616f0e441fef44801 -SHA512 (curl-8.18.0-rc3.tar.xz.asc) = fac23b293cec82596ddd7757c0984e3977259c5116ddef719fad2a39a3723cf7cb5d85d12c5c5b2542f34a5411aa6f42f4fb08729fde6c564cd3567f2a3f0434 +SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c +SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152