diff --git a/.gitignore b/.gitignore index c5a82f4..9bb4285 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ /curl-[0-9.]*.tar.lzma.asc /curl-[0-9.]*.tar.xz /curl-[0-9.]*.tar.xz.asc +/curl-[0-9]*.[0-9]*.[0-9]*/ +/*.src.rpm diff --git a/0001-curl-8.2.1-CVE-2023-38039.patch b/0001-curl-8.2.1-CVE-2023-38039.patch deleted file mode 100644 index 9e42c90..0000000 --- a/0001-curl-8.2.1-CVE-2023-38039.patch +++ /dev/null @@ -1,217 +0,0 @@ -From 831c077c6d3a9466417f8a7b310177fca946a4cc Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 2 Aug 2023 23:34:48 +0200 -Subject: [PATCH] http: return error when receiving too large header set - -To avoid abuse. The limit is set to 300 KB for the accumulated size of -all received HTTP headers for a single response. Incomplete research -suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to -1MB. - -Closes #11582 - -(cherry picked from commit 3ee79c1674fd6f99e8efca52cd7510e08b766770) -Signed-off-by: Jan Macku ---- - lib/c-hyper.c | 12 +++++++----- - lib/cf-h1-proxy.c | 4 +++- - lib/http.c | 34 ++++++++++++++++++++++++++++++---- - lib/http.h | 9 +++++++++ - lib/pingpong.c | 4 +++- - lib/urldata.h | 17 ++++++++--------- - 6 files changed, 60 insertions(+), 20 deletions(-) - -diff --git a/lib/c-hyper.c b/lib/c-hyper.c -index c29983c0b..0b9d9ab47 100644 ---- a/lib/c-hyper.c -+++ b/lib/c-hyper.c -@@ -182,8 +182,11 @@ static int hyper_each_header(void *userdata, - } - } - -- data->info.header_size += (curl_off_t)len; -- data->req.headerbytecount += (curl_off_t)len; -+ result = Curl_bump_headersize(data, len, FALSE); -+ if(result) { -+ data->state.hresult = result; -+ return HYPER_ITER_BREAK; -+ } - return HYPER_ITER_CONTINUE; - } - -@@ -313,9 +316,8 @@ static CURLcode status_line(struct Curl_easy *data, - if(result) - return result; - } -- data->info.header_size += (curl_off_t)len; -- data->req.headerbytecount += (curl_off_t)len; -- return CURLE_OK; -+ result = Curl_bump_headersize(data, len, FALSE); -+ return result; - } - - /* -diff --git a/lib/cf-h1-proxy.c b/lib/cf-h1-proxy.c -index c9b157c9b..b1d8cb618 100644 ---- a/lib/cf-h1-proxy.c -+++ b/lib/cf-h1-proxy.c -@@ -587,7 +587,9 @@ static CURLcode recv_CONNECT_resp(struct Curl_cfilter *cf, - return result; - } - -- data->info.header_size += (long)perline; -+ result = Curl_bump_headersize(data, perline, TRUE); -+ if(result) -+ return result; - - /* Newlines are CRLF, so the CR is ignored as the line isn't - really terminated until the LF comes. Treat a following CR -diff --git a/lib/http.c b/lib/http.c -index e611d2789..ebf48660d 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -3918,6 +3918,29 @@ static CURLcode verify_header(struct Curl_easy *data) - return CURLE_OK; - } - -+CURLcode Curl_bump_headersize(struct Curl_easy *data, -+ size_t delta, -+ bool connect_only) -+{ -+ size_t bad = 0; -+ if(delta < MAX_HTTP_RESP_HEADER_SIZE) { -+ if(!connect_only) -+ data->req.headerbytecount += (unsigned int)delta; -+ data->info.header_size += (unsigned int)delta; -+ if(data->info.header_size > MAX_HTTP_RESP_HEADER_SIZE) -+ bad = data->info.header_size; -+ } -+ else -+ bad = data->info.header_size + delta; -+ if(bad) { -+ failf(data, "Too large response headers: %zu > %zu", -+ bad, MAX_HTTP_RESP_HEADER_SIZE); -+ return CURLE_RECV_ERROR; -+ } -+ return CURLE_OK; -+} -+ -+ - /* - * Read any HTTP header lines from the server and pass them to the client app. - */ -@@ -4165,8 +4188,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, - if(result) - return result; - -- data->info.header_size += (long)headerlen; -- data->req.headerbytecount += (long)headerlen; -+ result = Curl_bump_headersize(data, headerlen, FALSE); -+ if(result) -+ return result; - - /* - * When all the headers have been parsed, see if we should give -@@ -4488,8 +4512,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, - if(result) - return result; - -- data->info.header_size += Curl_dyn_len(&data->state.headerb); -- data->req.headerbytecount += Curl_dyn_len(&data->state.headerb); -+ result = Curl_bump_headersize(data, Curl_dyn_len(&data->state.headerb), -+ FALSE); -+ if(result) -+ return result; - - Curl_dyn_reset(&data->state.headerb); - } -diff --git a/lib/http.h b/lib/http.h -index df3b4e38b..4aeabc345 100644 ---- a/lib/http.h -+++ b/lib/http.h -@@ -64,6 +64,10 @@ extern const struct Curl_handler Curl_handler_wss; - - struct dynhds; - -+CURLcode Curl_bump_headersize(struct Curl_easy *data, -+ size_t delta, -+ bool connect_only); -+ - /* Header specific functions */ - bool Curl_compareheader(const char *headerline, /* line to check */ - const char *header, /* header keyword _with_ colon */ -@@ -183,6 +187,11 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data); - #define EXPECT_100_THRESHOLD (1024*1024) - #endif - -+/* MAX_HTTP_RESP_HEADER_SIZE is the maximum size of all response headers -+ combined that libcurl allows for a single HTTP response, any HTTP -+ version. This count includes CONNECT response headers. */ -+#define MAX_HTTP_RESP_HEADER_SIZE (300*1024) -+ - #endif /* CURL_DISABLE_HTTP */ - - /**************************************************************************** -diff --git a/lib/pingpong.c b/lib/pingpong.c -index f3f7cb93c..523bbec18 100644 ---- a/lib/pingpong.c -+++ b/lib/pingpong.c -@@ -341,7 +341,9 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data, - ssize_t clipamount = 0; - bool restart = FALSE; - -- data->req.headerbytecount += (long)gotbytes; -+ result = Curl_bump_headersize(data, gotbytes, FALSE); -+ if(result) -+ return result; - - pp->nread_resp += gotbytes; - for(i = 0; i < gotbytes; ptr++, i++) { -diff --git a/lib/urldata.h b/lib/urldata.h -index c45913b31..ddb2938d7 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -629,17 +629,16 @@ struct SingleRequest { - curl_off_t bytecount; /* total number of bytes read */ - curl_off_t writebytecount; /* number of bytes written */ - -- curl_off_t headerbytecount; /* only count received headers */ -- curl_off_t deductheadercount; /* this amount of bytes doesn't count when we -- check if anything has been transferred at -- the end of a connection. We use this -- counter to make only a 100 reply (without a -- following second response code) result in a -- CURLE_GOT_NOTHING error code */ -- - curl_off_t pendingheader; /* this many bytes left to send is actually - header and not body */ - struct curltime start; /* transfer started at this time */ -+ unsigned int headerbytecount; /* only count received headers */ -+ unsigned int deductheadercount; /* this amount of bytes doesn't count when -+ we check if anything has been transferred -+ at the end of a connection. We use this -+ counter to make only a 100 reply (without -+ a following second response code) result -+ in a CURLE_GOT_NOTHING error code */ - enum { - HEADER_NORMAL, /* no bad header at all */ - HEADER_PARTHEADER, /* part of the chunk is a bad header, the rest -@@ -1089,7 +1088,6 @@ struct PureInfo { - int httpversion; /* the http version number X.Y = X*10+Y */ - time_t filetime; /* If requested, this is might get set. Set to -1 if the - time was unretrievable. */ -- curl_off_t header_size; /* size of read header(s) in bytes */ - curl_off_t request_size; /* the amount of bytes sent in the request(s) */ - unsigned long proxyauthavail; /* what proxy auth types were announced */ - unsigned long httpauthavail; /* what host auth types were announced */ -@@ -1097,6 +1095,7 @@ struct PureInfo { - char *contenttype; /* the content type of the object */ - char *wouldredirect; /* URL this would've been redirected to if asked to */ - curl_off_t retry_after; /* info from Retry-After: header */ -+ unsigned int header_size; /* size of read header(s) in bytes */ - - /* PureInfo members 'conn_primary_ip', 'conn_primary_port', 'conn_local_ip' - and, 'conn_local_port' are copied over from the connectdata struct in --- -2.41.0 - diff --git a/0002-curl-8.2.1-CVE-2023-38545.patch b/0002-curl-8.2.1-CVE-2023-38545.patch deleted file mode 100644 index 77be7ef..0000000 --- a/0002-curl-8.2.1-CVE-2023-38545.patch +++ /dev/null @@ -1,135 +0,0 @@ -From 6b313d6d3520eb4c7429723babd59dbb63681bcd Mon Sep 17 00:00:00 2001 -From: Jay Satiro -Date: Wed, 11 Oct 2023 07:34:19 +0200 -Subject: [PATCH 1/2] socks: return error if hostname too long for remote - resolve - -Prior to this change the state machine attempted to change the remote -resolve to a local resolve if the hostname was longer than 255 -characters. Unfortunately that did not work as intended and caused a -security issue. - -Bug: https://curl.se/docs/CVE-2023-38545.html - -(cherry picked from commit fb4415d8aee6c1045be932a34fe6107c2f5ed147) - -Signed-off-by: Jan Macku ---- - lib/socks.c | 8 +++--- - tests/data/Makefile.inc | 2 +- - tests/data/test728 | 64 +++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 69 insertions(+), 5 deletions(-) - create mode 100644 tests/data/test728 - -diff --git a/lib/socks.c b/lib/socks.c -index c492d663c..a7b5ab07e 100644 ---- a/lib/socks.c -+++ b/lib/socks.c -@@ -587,9 +587,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, - - /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ - if(!socks5_resolve_local && hostname_len > 255) { -- infof(data, "SOCKS5: server resolving disabled for hostnames of " -- "length > 255 [actual len=%zu]", hostname_len); -- socks5_resolve_local = TRUE; -+ failf(data, "SOCKS5: the destination hostname is too long to be " -+ "resolved remotely by the proxy."); -+ return CURLPX_LONG_HOSTNAME; - } - - if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) -@@ -903,7 +903,7 @@ CONNECT_RESOLVE_REMOTE: - } - else { - socksreq[len++] = 3; -- socksreq[len++] = (char) hostname_len; /* one byte address length */ -+ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ - memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */ - len += hostname_len; - } -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index a253b5c6e..cd22f937f 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -100,7 +100,7 @@ test679 test680 test681 test682 test683 test684 test685 test686 \ - \ - test700 test701 test702 test703 test704 test705 test706 test707 test708 \ - test709 test710 test711 test712 test713 test714 test715 test716 test717 \ --test718 test719 test720 test721 \ -+test718 test719 test720 test721 test728 \ - \ - test799 test800 test801 test802 test803 test804 test805 test806 test807 \ - test808 test809 test810 test811 test812 test813 test814 test815 test816 \ -diff --git a/tests/data/test728 b/tests/data/test728 -new file mode 100644 -index 000000000..05bcf2883 ---- /dev/null -+++ b/tests/data/test728 -@@ -0,0 +1,64 @@ -+ -+ -+ -+HTTP -+HTTP GET -+SOCKS5 -+SOCKS5h -+followlocation -+ -+ -+ -+# -+# Server-side -+ -+# The hostname in this redirect is 256 characters and too long (> 255) for -+# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case. -+ -+HTTP/1.1 301 Moved Permanently -+Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ -+Content-Length: 0 -+Connection: close -+ -+ -+ -+ -+# -+# Client-side -+ -+ -+proxy -+ -+ -+http -+socks5 -+ -+ -+SOCKS5h with HTTP redirect to hostname too long -+ -+ -+--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+ -+ -+ -+97 -+ -+# the error message is verified because error code CURLE_PROXY (97) may be -+# returned for any number of reasons and we need to make sure it is -+# specifically for the reason below so that we know the check is working. -+ -+curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy. -+ -+ -+ --- -2.41.0 - diff --git a/0003-curl-8.2.1-CVE-2023-38546.patch b/0003-curl-8.2.1-CVE-2023-38546.patch deleted file mode 100644 index 582f62a..0000000 --- a/0003-curl-8.2.1-CVE-2023-38546.patch +++ /dev/null @@ -1,134 +0,0 @@ -From 9b837dd18c44bedf28054ba498e94740e1533d69 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 14 Sep 2023 23:28:32 +0200 -Subject: [PATCH 2/2] cookie: remove unnecessary struct fields - -Plus: reduce the hash table size from 256 to 63. It seems unlikely to -make much of a speed difference for most use cases but saves 1.5KB of -data per instance. - -Closes #11862 - -(cherry picked from commit 61275672b46d9abb3285740467b882e22ed75da8) -Signed-off-by: Jan Macku ---- - lib/cookie.c | 13 +------------ - lib/cookie.h | 13 ++++--------- - lib/easy.c | 4 +--- - 3 files changed, 6 insertions(+), 24 deletions(-) - -diff --git a/lib/cookie.c b/lib/cookie.c -index 4345a84c6..e39c89a94 100644 ---- a/lib/cookie.c -+++ b/lib/cookie.c -@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co) - free(co->name); - free(co->value); - free(co->maxage); -- free(co->version); - free(co); - } - -@@ -718,11 +717,7 @@ Curl_cookie_add(struct Curl_easy *data, - } - } - else if((nlen == 7) && strncasecompare("version", namep, 7)) { -- strstore(&co->version, valuep, vlen); -- if(!co->version) { -- badcookie = TRUE; -- break; -- } -+ /* just ignore */ - } - else if((nlen == 7) && strncasecompare("max-age", namep, 7)) { - /* -@@ -1160,7 +1155,6 @@ Curl_cookie_add(struct Curl_easy *data, - free(clist->path); - free(clist->spath); - free(clist->expirestr); -- free(clist->version); - free(clist->maxage); - - *clist = *co; /* then store all the new data */ -@@ -1224,9 +1218,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, - c = calloc(1, sizeof(struct CookieInfo)); - if(!c) - return NULL; /* failed to get memory */ -- c->filename = strdup(file?file:"none"); /* copy the name just in case */ -- if(!c->filename) -- goto fail; /* failed to get memory */ - /* - * Initialize the next_expiration time to signal that we don't have enough - * information yet. -@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) - CLONE(name); - CLONE(value); - CLONE(maxage); -- CLONE(version); - d->expires = src->expires; - d->tailmatch = src->tailmatch; - d->secure = src->secure; -@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) - { - if(c) { - unsigned int i; -- free(c->filename); - for(i = 0; i < COOKIE_HASH_SIZE; i++) - Curl_cookie_freelist(c->cookies[i]); - free(c); /* free the base struct as well */ -diff --git a/lib/cookie.h b/lib/cookie.h -index b3c0063b2..41e9e7a69 100644 ---- a/lib/cookie.h -+++ b/lib/cookie.h -@@ -36,11 +36,7 @@ struct Cookie { - char *domain; /* domain = */ - curl_off_t expires; /* expires = */ - char *expirestr; /* the plain text version */ -- -- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ -- char *version; /* Version = */ - char *maxage; /* Max-Age = */ -- - bool tailmatch; /* whether we do tail-matching of the domain name */ - bool secure; /* whether the 'secure' keyword was used */ - bool livecookie; /* updated from a server, not a stored file */ -@@ -56,17 +52,16 @@ struct Cookie { - #define COOKIE_PREFIX__SECURE (1<<0) - #define COOKIE_PREFIX__HOST (1<<1) - --#define COOKIE_HASH_SIZE 256 -+#define COOKIE_HASH_SIZE 63 - - struct CookieInfo { - /* linked list of cookies we know of */ - struct Cookie *cookies[COOKIE_HASH_SIZE]; -- char *filename; /* file we read from/write to */ -- long numcookies; /* number of cookies in the "jar" */ -+ curl_off_t next_expiration; /* the next time at which expiration happens */ -+ int numcookies; /* number of cookies in the "jar" */ -+ int lastct; /* last creation-time used in the jar */ - bool running; /* state info, for cookie adding information */ - bool newsession; /* new session, discard session cookies on load */ -- int lastct; /* last creation-time used in the jar */ -- curl_off_t next_expiration; /* the next time at which expiration happens */ - }; - - /* The maximum sizes we accept for cookies. RFC 6265 section 6.1 says -diff --git a/lib/easy.c b/lib/easy.c -index d034629b5..2c621963d 100644 ---- a/lib/easy.c -+++ b/lib/easy.c -@@ -909,9 +909,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) - if(data->cookies) { - /* If cookies are enabled in the parent handle, we enable them - in the clone as well! */ -- outcurl->cookies = Curl_cookie_init(data, -- data->cookies->filename, -- outcurl->cookies, -+ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, - data->set.cookiesession); - if(!outcurl->cookies) - goto fail; --- -2.41.0 - diff --git a/0004-curl-8.2.1-CVE-2023-46218.patch b/0004-curl-8.2.1-CVE-2023-46218.patch deleted file mode 100644 index 082d714..0000000 --- a/0004-curl-8.2.1-CVE-2023-46218.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 053b0d4eb6768563adc55fa936bbb32d19114d49 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 23 Nov 2023 08:15:47 +0100 -Subject: [PATCH 1/2] cookie: lowercase the domain names before PSL checks - -Reported-by: Harry Sintonen - -Closes #12387 - -(cherry picked from commit 2b0994c29a721c91c572cff7808c572a24d251eb) - -Signed-off-by: Jan Macku ---- - lib/cookie.c | 24 ++++++++++++++++-------- - 1 file changed, 16 insertions(+), 8 deletions(-) - -diff --git a/lib/cookie.c b/lib/cookie.c -index e39c89a94..18ed4bb7e 100644 ---- a/lib/cookie.c -+++ b/lib/cookie.c -@@ -1036,15 +1036,23 @@ Curl_cookie_add(struct Curl_easy *data, - * dereference it. - */ - if(data && (domain && co->domain && !Curl_host_is_ipnum(co->domain))) { -- const psl_ctx_t *psl = Curl_psl_use(data); -- int acceptable; -- -- if(psl) { -- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain); -- Curl_psl_release(data); -+ bool acceptable = FALSE; -+ char lcase[256]; -+ char lcookie[256]; -+ size_t dlen = strlen(domain); -+ size_t clen = strlen(co->domain); -+ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) { -+ const psl_ctx_t *psl = Curl_psl_use(data); -+ if(psl) { -+ /* the PSL check requires lowercase domain name and pattern */ -+ Curl_strntolower(lcase, domain, dlen + 1); -+ Curl_strntolower(lcookie, co->domain, clen + 1); -+ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie); -+ Curl_psl_release(data); -+ } -+ else -+ acceptable = !bad_domain(domain, strlen(domain)); - } -- else -- acceptable = !bad_domain(domain, strlen(domain)); - - if(!acceptable) { - infof(data, "cookie '%s' dropped, domain '%s' must not " --- -2.43.0 - diff --git a/0005-curl-8.2.1-CVE-2023-46219.patch b/0005-curl-8.2.1-CVE-2023-46219.patch deleted file mode 100644 index 881ce2c..0000000 --- a/0005-curl-8.2.1-CVE-2023-46219.patch +++ /dev/null @@ -1,134 +0,0 @@ -From cca676ef222399591f5a116e1c13889014fad624 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 23 Nov 2023 08:23:17 +0100 -Subject: [PATCH 2/2] fopen: create short(er) temporary file name - -Only using random letters in the name plus a ".tmp" extension. Not by -appending characters to the final file name. - -Reported-by: Maksymilian Arciemowicz - -Closes #12388 - -(cherry picked from commit 73b65e94f3531179de45c6f3c836a610e3d0a846) - -Signed-off-by: Jan Macku ---- - lib/fopen.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++----- - 1 file changed, 60 insertions(+), 5 deletions(-) - -diff --git a/lib/fopen.c b/lib/fopen.c -index b6e3caddd..5cd4dde3e 100644 ---- a/lib/fopen.c -+++ b/lib/fopen.c -@@ -39,6 +39,51 @@ - #include "curl_memory.h" - #include "memdebug.h" - -+/* -+ The dirslash() function breaks a null-terminated pathname string into -+ directory and filename components then returns the directory component up -+ to, *AND INCLUDING*, a final '/'. If there is no directory in the path, -+ this instead returns a "" string. -+ -+ This function returns a pointer to malloc'ed memory. -+ -+ The input path to this function is expected to have a file name part. -+*/ -+ -+#ifdef _WIN32 -+#define PATHSEP "\\" -+#define IS_SEP(x) (((x) == '/') || ((x) == '\\')) -+#elif defined(MSDOS) || defined(__EMX__) || defined(OS2) -+#define PATHSEP "\\" -+#define IS_SEP(x) ((x) == '\\') -+#else -+#define PATHSEP "/" -+#define IS_SEP(x) ((x) == '/') -+#endif -+ -+static char *dirslash(const char *path) -+{ -+ size_t n; -+ struct dynbuf out; -+ DEBUGASSERT(path); -+ Curl_dyn_init(&out, CURL_MAX_INPUT_LENGTH); -+ n = strlen(path); -+ if(n) { -+ /* find the rightmost path separator, if any */ -+ while(n && !IS_SEP(path[n-1])) -+ --n; -+ /* skip over all the path separators, if any */ -+ while(n && IS_SEP(path[n-1])) -+ --n; -+ } -+ if(Curl_dyn_addn(&out, path, n)) -+ return NULL; -+ /* if there was a directory, append a single trailing slash */ -+ if(n && Curl_dyn_addn(&out, PATHSEP, 1)) -+ return NULL; -+ return Curl_dyn_ptr(&out); -+} -+ - /* - * Curl_fopen() opens a file for writing with a temp name, to be renamed - * to the final name when completed. If there is an existing file using this -@@ -50,25 +95,34 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, - FILE **fh, char **tempname) - { - CURLcode result = CURLE_WRITE_ERROR; -- unsigned char randsuffix[9]; -+ unsigned char randbuf[41]; - char *tempstore = NULL; - struct_stat sb; - int fd = -1; -+ char *dir; - *tempname = NULL; - -+ dir = dirslash(filename); -+ if(!dir) -+ goto fail; -+ - *fh = fopen(filename, FOPEN_WRITETEXT); - if(!*fh) - goto fail; -- if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) -+ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) { -+ free(dir); - return CURLE_OK; -+ } - fclose(*fh); - *fh = NULL; - -- result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); -+ result = Curl_rand_hex(data, randbuf, sizeof(randbuf)); - if(result) - goto fail; - -- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); -+ /* The temp file name should not end up too long for the target file -+ system */ -+ tempstore = aprintf("%s%s.tmp", dir, randbuf); - if(!tempstore) { - result = CURLE_OUT_OF_MEMORY; - goto fail; -@@ -95,6 +149,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, - if(!*fh) - goto fail; - -+ free(dir); - *tempname = tempstore; - return CURLE_OK; - -@@ -105,7 +160,7 @@ fail: - } - - free(tempstore); -- -+ free(dir); - return result; - } - --- -2.43.0 - diff --git a/0006-curl-8.2.1-CVE-2024-2004.patch b/0006-curl-8.2.1-CVE-2024-2004.patch deleted file mode 100644 index e4dcad2..0000000 --- a/0006-curl-8.2.1-CVE-2024-2004.patch +++ /dev/null @@ -1,138 +0,0 @@ -From e614d4615943b9d43e4f6db8bc8223a20c66cd44 Mon Sep 17 00:00:00 2001 -From: Daniel Gustafsson -Date: Tue, 27 Feb 2024 15:43:56 +0100 -Subject: [PATCH 1/2] setopt: Fix disabling all protocols - -When disabling all protocols without enabling any, the resulting -set of allowed protocols remained the default set. Clearing the -allowed set before inspecting the passed value from --proto make -the set empty even in the errorpath of no protocols enabled. - -Co-authored-by: Dan Fandrich -Reported-by: Dan Fandrich -Reviewed-by: Daniel Stenberg -Closes: #13004 - -(cherry picked from commit 17d302e56221f5040092db77d4f85086e8a20e0e) -Signed-off-by: Jan Macku ---- - lib/setopt.c | 16 ++++++++-------- - tests/data/Makefile.inc | 1 + - tests/data/test1474 | 42 +++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 51 insertions(+), 8 deletions(-) - create mode 100644 tests/data/test1474 - -diff --git a/lib/setopt.c b/lib/setopt.c -index b05162a55..fb71b7fd4 100644 ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -154,6 +154,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp) - - static CURLcode protocol2num(const char *str, curl_prot_t *val) - { -+ /* -+ * We are asked to cherry-pick protocols, so play it safe and disallow all -+ * protocols to start with, and re-add the wanted ones back in. -+ */ -+ *val = 0; -+ - if(!str) - return CURLE_BAD_FUNCTION_ARGUMENT; - -@@ -162,8 +168,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val) - return CURLE_OK; - } - -- *val = 0; -- - do { - const char *token = str; - size_t tlen; -@@ -2679,22 +2683,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - break; - - case CURLOPT_PROTOCOLS_STR: { -- curl_prot_t prot; - argptr = va_arg(param, char *); -- result = protocol2num(argptr, &prot); -+ result = protocol2num(argptr, &data->set.allowed_protocols); - if(result) - return result; -- data->set.allowed_protocols = prot; - break; - } - - case CURLOPT_REDIR_PROTOCOLS_STR: { -- curl_prot_t prot; - argptr = va_arg(param, char *); -- result = protocol2num(argptr, &prot); -+ result = protocol2num(argptr, &data->set.redir_protocols); - if(result) - return result; -- data->set.redir_protocols = prot; - break; - } - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index cd22f937f..da0e8bb0a 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -160,6 +160,7 @@ test1247 test1248 test1249 test1250 test1251 test1252 test1253 test1254 \ - test1255 test1256 test1257 test1258 test1259 test1260 test1261 test1262 \ - test1263 test1264 test1265 test1266 test1267 test1268 test1269 test1270 \ - test1271 test1272 test1273 test1274 test1275 test1276 test1277 test1278 \ -+test1474 \ - \ - test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 \ - test1288 test1289 test1290 test1291 test1292 test1293 test1294 test1295 \ -diff --git a/tests/data/test1474 b/tests/data/test1474 -new file mode 100644 -index 000000000..c66fa2810 ---- /dev/null -+++ b/tests/data/test1474 -@@ -0,0 +1,42 @@ -+ -+ -+ -+HTTP -+HTTP GET -+--proto -+ -+ -+ -+# -+# Server-side -+ -+ -+ -+ -+ -+# -+# Client-side -+ -+ -+none -+ -+ -+http -+ -+ -+--proto -all disables all protocols -+ -+ -+--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 1 - Protocol "http" disabled -+ -+1 -+ -+ -+ --- -2.44.0 - diff --git a/0007-curl-8.2.1-CVE-2024-2398.patch b/0007-curl-8.2.1-CVE-2024-2398.patch deleted file mode 100644 index 7485a43..0000000 --- a/0007-curl-8.2.1-CVE-2024-2398.patch +++ /dev/null @@ -1,95 +0,0 @@ -From d8c8695a7d10c21c0fb5b871b032716ca9683903 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 6 Mar 2024 09:36:08 +0100 -Subject: [PATCH] http2: push headers better cleanup - -- provide common cleanup method for push headers - -Closes #13054 - -(cherry picked from commit deca8039991886a559b67bcd6701db800a5cf764) -Signed-off-by: Jan Macku ---- - lib/http2.c | 34 +++++++++++++++------------------- - 1 file changed, 15 insertions(+), 19 deletions(-) - -diff --git a/lib/http2.c b/lib/http2.c -index 6c09ec1..533237d 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -267,6 +267,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf, - return CURLE_OK; - } - -+static void free_push_headers(struct stream_ctx *stream) -+{ -+ size_t i; -+ for(i = 0; ipush_headers_used; i++) -+ free(stream->push_headers[i]); -+ Curl_safefree(stream->push_headers); -+ stream->push_headers_used = 0; -+} -+ - static void http2_data_done(struct Curl_cfilter *cf, - struct Curl_easy *data, bool premature) - { -@@ -313,15 +322,7 @@ static void http2_data_done(struct Curl_cfilter *cf, - Curl_bufq_free(&stream->sendbuf); - Curl_bufq_free(&stream->recvbuf); - Curl_dynhds_free(&stream->resp_trailers); -- if(stream->push_headers) { -- /* if they weren't used and then freed before */ -- for(; stream->push_headers_used > 0; --stream->push_headers_used) { -- free(stream->push_headers[stream->push_headers_used - 1]); -- } -- free(stream->push_headers); -- stream->push_headers = NULL; -- } -- -+ free_push_headers(stream); - free(stream); - H2_STREAM_LCTX(data) = NULL; - } -@@ -859,7 +860,6 @@ static int push_promise(struct Curl_cfilter *cf, - struct curl_pushheaders heads; - CURLMcode rc; - CURLcode result; -- size_t i; - /* clone the parent */ - struct Curl_easy *newhandle = h2_duphandle(cf, data); - if(!newhandle) { -@@ -904,11 +904,7 @@ static int push_promise(struct Curl_cfilter *cf, - Curl_set_in_callback(data, false); - - /* free the headers again */ -- for(i = 0; ipush_headers_used; i++) -- free(stream->push_headers[i]); -- free(stream->push_headers); -- stream->push_headers = NULL; -- stream->push_headers_used = 0; -+ free_push_headers(stream); - - if(rv) { - DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); -@@ -1357,14 +1353,14 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, - if(stream->push_headers_alloc > 1000) { - /* this is beyond crazy many headers, bail out */ - failf(data_s, "Too many PUSH_PROMISE headers"); -- Curl_safefree(stream->push_headers); -+ free_push_headers(stream); - return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; - } - stream->push_headers_alloc *= 2; -- headp = Curl_saferealloc(stream->push_headers, -- stream->push_headers_alloc * sizeof(char *)); -+ headp = realloc(stream->push_headers, -+ stream->push_headers_alloc * sizeof(char *)); - if(!headp) { -- stream->push_headers = NULL; -+ free_push_headers(stream); - return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; - } - stream->push_headers = headp; --- -2.44.0 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index b4f8e2a..f7f66e6 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,84 +1,85 @@ -From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 12 Apr 2013 12:04:05 +0200 +From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 16 Dec 2025 10:04:40 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- - curl-config.in | 23 +++++------------------ - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + + curl-config.in | 23 +++++------------------ + docs/curl-config.md | 4 +++- + libcurl.pc.in | 1 + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 150004d..95d0759 100644 +index a1c8185875..bb43ca8335 100644 --- a/curl-config.in +++ b/curl-config.in -@@ -78,7 +78,7 @@ while test $# -gt 0; do - ;; +@@ -74,7 +74,7 @@ while test "$#" -gt 0; do + ;; - --cc) -- echo "@CC@" -+ echo "gcc" - ;; + --cc) +- echo '@CC@' ++ echo 'gcc' + ;; - --prefix) -@@ -157,32 +157,19 @@ while test $# -gt 0; do - ;; + --prefix) +@@ -149,16 +149,7 @@ while test "$#" -gt 0; do + ;; - --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then -- CURLLIBDIR="-L@libdir@ " -- else -- CURLLIBDIR="" -- fi -- if test "X@ENABLE_SHARED@" = "Xno"; then -- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ -- else -- echo ${CURLLIBDIR}-lcurl -- fi -+ echo -lcurl - ;; - --ssl-backends) - echo "@SSL_BACKENDS@" - ;; + --libs) +- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then +- curllibdir="-L@libdir@ " +- else +- curllibdir='' +- fi +- if test '@ENABLE_SHARED@' = 'no'; then +- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" +- else +- echo "${curllibdir}-lcurl" +- fi ++ echo '-lcurl' + ;; - --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ -- else -- echo "curl was built with static libraries disabled" >&2 -- exit 1 -- fi -+ echo "curl was built with static libraries disabled" >&2 -+ exit 1 - ;; + --ssl-backends) +@@ -166,16 +157,12 @@ while test "$#" -gt 0; do + ;; - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; + --static-libs) +- if test '@ENABLE_STATIC@' != 'no'; then +- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" +- else +- echo 'curl was built with static libraries disabled' >&2 +- exit 1 +- fi ++ echo 'curl was built with static libraries disabled' >&2 ++ exit 1 + ;; - *) -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 14a9d2b..ffcc004 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -72,7 +72,9 @@ no, one or several names. If more than one name, they will appear - comma-separated. (Added in 7.58.0) - .IP "--static-libs" - Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) -+to link your application with libcurl statically. Note that Fedora/RHEL libcurl + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; + + *) +diff --git a/docs/curl-config.md b/docs/curl-config.md +index 12ad245b79..fa0e03d273 100644 +--- a/docs/curl-config.md ++++ b/docs/curl-config.md +@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. + ## `--static-libs` + + Shows the complete set of libs and other linker options you need in order to +-link your application with libcurl statically. (Added in 7.17.1) ++link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP "--version" - Outputs version information about the installed libcurl. - .IP "--vernum" + + ## `--version` + diff --git a/libcurl.pc.in b/libcurl.pc.in -index 2ba9c39..f8f8b00 100644 +index c0ba5244a8..f3645e1748 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -31,6 +31,7 @@ libdir=@libdir@ +@@ -28,6 +28,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" @@ -87,5 +88,5 @@ index 2ba9c39..f8f8b00 100644 Name: libcurl URL: https://curl.se/ -- -2.26.2 +2.52.0 diff --git a/0102-curl-7.84.0-test3026.patch b/0102-curl-7.84.0-test3026.patch deleted file mode 100644 index 1098583..0000000 --- a/0102-curl-7.84.0-test3026.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 279b990727a1fd3e2828fbbd80581777e4200b67 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 27 Jun 2022 16:50:57 +0200 -Subject: [PATCH] test3026: disable valgrind - -It fails on x86_64 with: -``` - Use --max-threads=INT to specify a larger number of threads - and rerun valgrind - valgrind: the 'impossible' happened: - Max number of threads is too low - host stacktrace: - ==174357== at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - ==174357== by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) - sched status: - running_tid=1 - Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357) - ==174357== at 0x4A07816: clone (in /usr/lib64/libc.so.6) - ==174357== by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6) - ==174357== by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6) - ==174357== by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6) - ==174357== by 0x1093B5: test.part.0 (lib3026.c:64) - ==174357== by 0x492454F: (below main) (in /usr/lib64/libc.so.6) - client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998 - valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576 -[...] -``` ---- - tests/data/test3026 | 3 +++ - tests/libtest/lib3026.c | 4 ++-- - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/tests/data/test3026 b/tests/data/test3026 -index fb80cc8..01f2ba5 100644 ---- a/tests/data/test3026 -+++ b/tests/data/test3026 -@@ -41,5 +41,8 @@ none - - 0 - -+ -+disable -+ - - -diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c -index 43fe335..70cd7a4 100644 ---- a/tests/libtest/lib3026.c -+++ b/tests/libtest/lib3026.c -@@ -147,8 +147,8 @@ int test(char *URL) - results[i] = CURL_LAST; /* initialize with invalid value */ - res = pthread_create(&tids[i], NULL, run_thread, &results[i]); - if(res) { -- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", -- __FILE__, __LINE__, res); -+ fprintf(stderr, "%s:%d Couldn't create thread, i=%u, errno %d\n", -+ __FILE__, __LINE__, i, res); - tid_count = i; - test_failure = -1; - goto cleanup; --- -2.37.1 - diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch deleted file mode 100644 index 04b2ba2..0000000 --- a/0104-curl-7.88.0-tests-warnings.patch +++ /dev/null @@ -1,30 +0,0 @@ -From d506d885aa16b4a87acbac082eea41dccdc7b69f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 15 Feb 2023 10:42:38 +0100 -Subject: [PATCH] Revert "runtests: consider warnings fatal and error on them" - -While it might be useful for upstream developers, it is not so useful -for downstream consumers. - -This reverts upstream commit 22f795c834cfdbacbb1b55426028a581e3cf67a8. ---- - tests/runtests.pl | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index 71644ad18..0cf85c3fe 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -55,8 +55,7 @@ - # given, this won't be a problem. - - use strict; --# Promote all warnings to fatal --use warnings FATAL => 'all'; -+use warnings; - use 5.006; - - # These should be the only variables that might be needed to get edited: --- -2.39.1 - diff --git a/curl.rpmlintrc b/curl.rpmlintrc new file mode 100644 index 0000000..022a98e --- /dev/null +++ b/curl.rpmlintrc @@ -0,0 +1,15 @@ +# Intentional stuff we're not concerned about +addFilter("unversioned-explicit-provides webclient") +addFilter("package-with-huge-docs") +addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4") + +# This is just plain wrong (%_configure redefinition) +addFilter("configure-without-libdir-spec") + +# Technical term +addFilter("E: spelling-error \('kerberos',") + +# Artefacts of RemovePathPostfixes: .minimal +addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal") +#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal") +#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal") diff --git a/curl.spec b/curl.spec index 69f4429..c0ad4db 100644 --- a/curl.spec +++ b/curl.spec @@ -1,48 +1,45 @@ +# OpenSSL ENGINE support +# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 +# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +# Change the bcond to 0 to turn off ENGINE support by default +%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] + +# HTTP/3 support +# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's +# experimental native OpenSSL 3.5 support. +%bcond http3 %[0%{?fedora} >= 43] + Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.2.1 -Release: 5%{?dist} +Version: 8.18.0 +Release: 1%{?dist} License: curl -Source0: https://curl.se/download/%{name}-%{version}.tar.xz -Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc +Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz +Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # The curl download page ( https://curl.se/download.html ) links # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# fix HTTP headers eat all memory (CVE-2023-38039) -Patch1: 0001-curl-8.2.1-CVE-2023-38039.patch - -# fix SOCKS5 heap buffer overflow (CVE-2023-38545) -Patch2: 0002-curl-8.2.1-CVE-2023-38545.patch - -# fix cookie injection with none file (CVE-2023-38546) -Patch3: 0003-curl-8.2.1-CVE-2023-38546.patch - -# fix cookie mixed case PSL bypass (CVE-2023-46218) -Patch4: 0004-curl-8.2.1-CVE-2023-46218.patch - -# fix HSTS long file name clears contents (CVE-2023-46219) -Patch5: 0005-curl-8.2.1-CVE-2023-46219.patch - -# fix Usage of disabled protocol (CVE-2024-2004) -Patch6: 0006-curl-8.2.1-CVE-2024-2004.patch - -# fix HTTP/2 push headers memory-leak -Patch7: 0007-curl-8.2.1-CVE-2024-2398.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch -# test3026: disable valgrind -Patch102: 0102-curl-7.84.0-test3026.patch - -# do not fail on warnings in the upstream test driver -Patch104: 0104-curl-7.88.0-tests-warnings.patch - Provides: curl-full = %{version}-%{release} +# do not fail when trying to install curl-minimal after drop +Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ + +%if 0%{?fedora} +# instead of bundled wcurl utility, recommend wcurl package +Recommends: wcurl +%endif + +# The reason for maintaining two separate packages for curl is no longer valid. +# The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. +# For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 +Obsoletes: curl-minimal < 8.6.0-4 + BuildRequires: automake BuildRequires: brotli-devel BuildRequires: coreutils @@ -51,14 +48,24 @@ BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel BuildRequires: libnghttp2-devel +%if %{with http3} +BuildRequires: libnghttp3-devel +%endif BuildRequires: libpsl-devel BuildRequires: libssh-devel BuildRequires: libtool BuildRequires: make +%if %{with http3} +BuildRequires: ngtcp2-crypto-ossl-devel +%endif BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server +BuildRequires: openssl BuildRequires: openssl-devel +%if %{with openssl_engine_support} && 0%{?fedora} >= 41 +BuildRequires: openssl-devel-engine +%endif BuildRequires: perl-interpreter BuildRequires: pkgconfig BuildRequires: python-unversioned-command @@ -101,6 +108,7 @@ BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) +BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) BuildRequires: perl(List::Util) BuildRequires: perl(Memoize) @@ -135,10 +143,19 @@ BuildRequires: stunnel # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} +# Define OPENSSL_NO_ENGINE to avoid inclusion of +%if %{without openssl_engine_support} +%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE +%endif + # require at least the version of libnghttp2 that we were built against, # to ensure that we have the necessary symbols available (#2144277) %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) +# require at least the version of libnghttp3 that we were built against, +# to ensure that we have the necessary symbols available +%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) @@ -147,6 +164,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) +# require at least the version of ngtcp2 that we were built against, +# to ensure that we have the necessary symbols available +%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) + # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, #1462211) # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) @@ -163,8 +184,14 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} +%if %{with http3} +Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} +%endif Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} +%if %{with http3} +Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} +%endif Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} @@ -190,22 +217,6 @@ The libcurl-devel package includes header files and libraries necessary for developing programs which use the libcurl library. It contains the API documentation of the library, too. -%package -n curl-minimal -Summary: Conservatively configured build of curl for minimal installations -Provides: curl = %{version}-%{release} -Conflicts: curl -Suggests: libcurl-minimal -RemovePathPostfixes: .minimal - -# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION -Requires: libcurl%{?_isa} >= %{version}-%{release} - -%description -n curl-minimal -This is a replacement of the 'curl' package for minimal installations. It -comes with a limited set of features compared to the 'curl' package. On the -other hand, the package is smaller and requires fewer run-time dependencies to -be installed. - %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} @@ -225,12 +236,11 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%autosetup -p1 +%autosetup -n %{name}-%{version_no_tilde} -p1 -# disable test 420 # disable test 1801 # -printf "420\n1801\n" >> tests/data/DISABLED +printf "1801\n" >>tests/data/DISABLED # test3026: avoid pthread_create() failure due to resource exhaustion on i386 %ifarch %{ix86} @@ -250,13 +260,18 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) +# avoid unnecessary arch-dependent line in the processed file +sed -e '/# Used in @libdir@/d' \ + -i curl-config.in + +%build # regenerate the configure script and Makefile.in files autoreconf -fiv -%build mkdir build-{full,minimal} export common_configure_opts=" \ --cache-file=../config.cache \ + --disable-manual \ --disable-static \ --enable-hsts \ --enable-ipv6 \ @@ -266,7 +281,8 @@ export common_configure_opts=" \ --with-gssapi \ --with-libidn2 \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ + --with-zsh-functions-dir" %global _configure ../configure @@ -279,10 +295,8 @@ export common_configure_opts=" \ --disable-imap \ --disable-ldap \ --disable-ldaps \ - --disable-manual \ --disable-mqtt \ --disable-ntlm \ - --disable-ntlm-wb \ --disable-pop3 \ --disable-rtsp \ --disable-smb \ @@ -290,6 +304,7 @@ export common_configure_opts=" \ --disable-telnet \ --disable-tftp \ --disable-tls-srp \ + --disable-websockets \ --without-brotli \ --without-libpsl \ --without-libssh @@ -304,10 +319,8 @@ export common_configure_opts=" \ --enable-imap \ --enable-ldap \ --enable-ldaps \ - --enable-manual \ --enable-mqtt \ --enable-ntlm \ - --enable-ntlm-wb \ --enable-pop3 \ --enable-rtsp \ --enable-smb \ @@ -315,9 +328,14 @@ export common_configure_opts=" \ --enable-telnet \ --enable-tftp \ --enable-tls-srp \ + --enable-websockets \ --with-brotli \ --with-libpsl \ - --with-libssh + --with-libssh \ +%if %{with http3} + --with-nghttp3 \ + --with-ngtcp2 \ +%endif ) # avoid using rpath @@ -365,10 +383,6 @@ for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do mv -v $i $i.minimal done -# install and rename the executable that will be packaged as curl-minimal -%make_install -C build-minimal/src -mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal} - # install libcurl.m4 install -d $RPM_BUILD_ROOT%{_datadir}/aclocal install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal @@ -377,28 +391,30 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal cd build-full %make_install -# install zsh completion for curl -# (we have to override LD_LIBRARY_PATH because we eliminated rpath) -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ - %make_install -C scripts - # do not install /usr/share/fish/completions/curl.fish which is also installed # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la +# do not install bundled wcurl utility +# it is provided by the wcurl package +rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* + %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES +%doc CHANGES.md %doc README %doc docs/BUGS.md -%doc docs/FAQ +%doc docs/DISTROS.md +%doc docs/FAQ.md %doc docs/FEATURES.md -%doc docs/TODO +%doc docs/KNOWN_BUGS.md +%doc docs/TODO.md %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* @@ -420,30 +436,228 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %{_datadir}/aclocal/libcurl.m4 -%files -n curl-minimal -%{_bindir}/curl.minimal -%{_mandir}/man1/curl.1* - %files -n libcurl-minimal %license COPYING %{_libdir}/libcurl.so.4.minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Wed Apr 03 2024 Jan Macku - 8.2.1-5 -- fix Usage of disabled protocol (CVE-2024-2004) -- fix HTTP/2 push headers memory-leak (CVE-2024-2398) +* Wed Jan 07 2026 Jan Macku - 8.18.0-1 +- new upstream release -* Wed Dec 06 2023 Jan Macku - 8.2.1-4 -- fix HSTS long file name clears contents (CVE-2023-46219) -- fix cookie mixed case PSL bypass (CVE-2023-46218) +* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 +- new upstream release candidate -* Wed Oct 11 2023 Jan Macku - 8.2.1-3 -- fix cookie injection with none file (CVE-2023-38546) -- fix SOCKS5 heap buffer overflow (CVE-2023-38545) +* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 +- new upstream release candidate +- reenable valgrind on test 616 -* Wed Sep 13 2023 Jan Macku - 8.2.1-2 -- fix HTTP headers eat all memory (CVE-2023-38039) +* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 +- new upstream release candidate +- drop upstreamed patches + +* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 +- Enable HTTP/3 support with ngtcp2 + +* Thu Dec 04 2025 Jan Macku - 8.17.0-4 +- apply upstream patches for valgrind issues in HTTP/3 (#2408809) + +* Thu Nov 13 2025 Jan Macku - 8.17.0-3 +- recommend wcurl package instead of bundled wcurl utility + +* Thu Nov 13 2025 Jan Macku - 8.17.0-2 +- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead + +* Mon Nov 10 2025 Jan Macku - 8.17.0-1 +- new upstream release + +* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 +- new upstream release candidate + +* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 +- new upstream release candidate + +* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 +- new upstream release candidate + +* Wed Sep 10 2025 Jan Macku - 8.16.0-1 +- new upstream release + +* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 +- new upstream release candidate + +* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 +- new upstream release candidate + +* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Wed Jul 16 2025 Jan Macku - 8.15.0-1 +- new upstream release + +* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 +- new upstream release candidate + +* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 +- new upstream release candidate + +* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 +- new upstream release candidate + +* Wed Jun 04 2025 Jan Macku - 8.14.1-1 +- new upstream release +- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) + +* Wed May 28 2025 Jan Macku - 8.14.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-5025 - No QUIC certificate pinning with wolfSSL + CVE-2025-4947 - QUIC certificate check skip with wolfSSL +- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles + +* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 +- new upstream release candidate +- new utility: wcurl which lets you download URLs without having to remember any parameters + +* Wed Apr 02 2025 Jan Macku - 8.13.0-1 +- new upstream release +- add build time dependency on openssl (required by tests) + +* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 +- new upstream release candidate +- drop: 0102-curl-7.84.0-test3026.patch (no longer needed) + +* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 +- new upstream release candidate + +* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 +- fix --cert parameter (#2351531) + +* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 +- new upstream release candidate + +* Wed Feb 05 2025 Jan Macku - 8.12.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-0725 - gzip integer overflow + CVE-2025-0665 - eventfd double close + CVE-2025-0167 - netrc and default credential leak +- drop upstreamed patches + +* Fri Jan 31 2025 Jan Macku - 8.11.1-4 +- TLS: check connection for SSL use, not handler (#2324130#c7) + +* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Sun Dec 15 2024 Paul Howarth - 8.11.1-2 +- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) + - https://github.com/curl/curl/issues/15725 + - https://github.com/curl/curl/pull/15727 + +* Wed Dec 11 2024 Jan Macku - 8.11.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-11053 - netrc and redirect credential leak + +* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 +- Disable engine support on RHEL 10+ + +* Wed Nov 06 2024 Jan Macku - 8.11.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-9681 - HSTS subdomain overwrites parent cache entry + +* Tue Sep 24 2024 Jan Macku - 8.10.1-2 +- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) + +* Wed Sep 18 2024 Jan Macku - 8.10.1-1 +- new upstream release + +* Wed Sep 11 2024 Jan Macku - 8.10.0-1 +- new upstream release + +* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 +- Retire deprecated ntlm-wb configure option + +* Mon Aug 5 2024 voidanix - 8.9.1-2 +- Apply SIGPIPE-related patch due to upstream regression + +* Wed Jul 24 2024 Jan Macku - 8.9.1-1 +- new upstream release + +* Wed Jul 24 2024 Jan Macku - 8.9.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-6874 - macidn punycode buffer overread + CVE-2024-6197 - freeing stack buffer in utf8asn1str +- drop upstreamed patches + +* Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Fri Jul 12 2024 Paul Howarth - 8.8.0-2 +- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +- added build condition for openssl_engine_support, true by default so as to + not change the resulting built package (yet) +- with openssl_engine_support true, BR: openssl-devel-engine +- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE + +* Wed May 22 2024 Jan Macku - 8.8.0-1 +- new upstream release +- drop upstreamed patches + +* Wed Mar 27 2024 Jan Macku - 8.7.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-2004 - Usage of disabled protocol + CVE-2024-2379 - QUIC certificate check bypass with wolfSSL + CVE-2024-2398 - HTTP/2 push headers memory-leak + CVE-2024-2466 - TLS certificate check bypass with mbedTLS +- drop upstreamed patches +- reenable test 0313 +- fix zsh completions, use --with-zsh-functions-dir +- apply upstream patches for 8.7.1 issues and regressions + +* Mon Feb 19 2024 Jan Macku - 8.6.0-7 +- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) + +* Mon Feb 12 2024 Jan Macku - 8.6.0-6 +- revert "receive max buffer" + add test case +- temporarily disable test 0313 +- remove suggests of libcurl-minimal in curl-full + +* Mon Feb 12 2024 Jan Macku - 8.6.0-5 +- add Provides to curl-minimal + +* Wed Feb 07 2024 Jan Macku - 8.6.0-4 +- drop curl-minimal subpackage in favor of curl-full (#2262096) + +* Mon Feb 05 2024 Jan Macku - 8.6.0-3 +- ignore response body to HEAD requests + +* Fri Feb 02 2024 Jan Macku - 8.6.0-2 +- don't build manual for curl-full - use man 1 curl instead (#2262373) + +* Thu Feb 01 2024 Jan Macku - 8.6.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-0853 - OCSP verification bypass with TLS session reuse +- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix) +- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843) + +* Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Dec 06 2023 Jan Macku - 8.5.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-46218 - cookie mixed case PSL bypass + CVE-2023-46219 - HSTS long file name clears contents + +* Wed Oct 11 2023 Jan Macku - 8.4.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38545 - SOCKS5 heap buffer overflow + CVE-2023-38546 - cookie injection with none file + +* Wed Sep 13 2023 Jan Macku - 8.3.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38039 - HTTP headers eat all memory + +* Wed Aug 02 2023 Jan Macku - 8.2.1-2 +- enable websockets (#2224651) * Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 - new upstream release (rhbz#2226659) diff --git a/sources b/sources index efbc09c..002e494 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.2.1.tar.xz) = 3f78c9330c52d32b166f17829fc2be13418ef925e88f75aacad7f369e7afe00dc4a56566418730dbb845b2b284d721b08f639df322e2e1ef2dfab165c4189094 -SHA512 (curl-8.2.1.tar.xz.asc) = 31ee66a09e7bd14de949ae991c23a0b905d38407b73ae39bae6d01854d8708355c14bc4d0eab3ff931b85986d0236dd34e934eef6061f4b70739137fd0525084 +SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c +SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152 diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 4d51e62..0d72276 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM -CONTENT=4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure"