From 69417f5875a96209debed91d8e62514378ebd987c98ad0a7948f3bb00254ebeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Mon, 30 Sep 2024 10:41:04 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main curl revision 43add2c1b839fe6ab27924090a393bb0
---
 ...ert-receive-max-buffer-add-test-case.patch | 70 ---
 _multibuild | 3 +
 curl-8.6.0.tar.xz | 3 -
 curl-8.6.0.tar.xz.asc | 11 -
 curl-8.9.1.tar.xz | 3 +
 curl-8.9.1.tar.xz.asc | 11 +
 curl-CVE-2024-2004.patch | 133 -----
 curl-CVE-2024-2379.patch | 47 --
 curl-CVE-2024-2398.patch | 89 ----
 curl-CVE-2024-2466.patch | 40 --
 curl-CVE-2024-6197.patch | 21 -
 curl-CVE-2024-7264.patch | 322 ------------
 curl-CVE-2024-8096.patch | 200 --------
 ..._sigv4-url-encode-the-canonical-path.patch | 295 -----------
 curl-sigpipe.patch | 32 ++
 curl.changes | 474 ++++++++++++------
 curl.spec | 152 ++++--
 libcurl-ocloexec.patch | 44 +-
 18 files changed, 508 insertions(+), 1442 deletions(-)
 delete mode 100644 0001-vtls-revert-receive-max-buffer-add-test-case.patch
 create mode 100644 _multibuild
 delete mode 100644 curl-8.6.0.tar.xz
 delete mode 100644 curl-8.6.0.tar.xz.asc
 create mode 100644 curl-8.9.1.tar.xz
 create mode 100644 curl-8.9.1.tar.xz.asc
 delete mode 100644 curl-CVE-2024-2004.patch
 delete mode 100644 curl-CVE-2024-2379.patch
 delete mode 100644 curl-CVE-2024-2398.patch
 delete mode 100644 curl-CVE-2024-2466.patch
 delete mode 100644 curl-CVE-2024-6197.patch
 delete mode 100644 curl-CVE-2024-7264.patch
 delete mode 100644 curl-CVE-2024-8096.patch
 delete mode 100644 curl-aws_sigv4-url-encode-the-canonical-path.patch
 create mode 100644 curl-sigpipe.patch
diff --git a/0001-vtls-revert-receive-max-buffer-add-test-case.patch b/0001-vtls-revert-receive-max-buffer-add-test-case.patch
deleted file mode 100644
index 4a432c4..0000000
--- a/0001-vtls-revert-receive-max-buffer-add-test-case.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -From e00609fc15f5d5adaf0896b751bf2c3a74a5f6f4 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 1 Feb 2024 18:15:50 +0100 -Subject: [PATCH] vtls: revert "receive max buffer" + add test case - -- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an - Apache resource that does an unclean TLS shutdown. -- revert special workarund in openssl.c for suppressing shutdown errors - on multiplexed connections -- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53 - -Fixes #12885 -Fixes #12844 - -Closes #12848 - -(cherry picked from commit ed09a99af57200643d5ae001e815eeab9ffe3f84) ---- - lib/vtls/vtls.c | 27 +++++-------------- - tests/http/test_05_errors.py | 27 +++++++++++++++++++ - tests/http/testenv/httpd.py | 7 ++++- - .../http/testenv/mod_curltest/mod_curltest.c | 2 +- - 4 files changed, 40 insertions(+), 23 deletions(-) - -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index e928ba5d0..f654a9749 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf, - { - struct cf_call_data save; - ssize_t nread; -- size_t ntotal = 0; - - CF_DATA_SAVE(save, cf, data); - *err = CURLE_OK; -- /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */ -- while(!ntotal || (len - ntotal) > (4*1024)) { -+ nread = Curl_ssl->recv_plain(cf, data, buf, len, err); -+ if(nread > 0) { -+ DEBUGASSERT((size_t)nread <= len); -+ } -+ else if(nread == 0) { -+ /* eof */ - *err = CURLE_OK; -- nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err); -- if(nread < 0) { -- if(*err == CURLE_AGAIN && ntotal > 0) { -- /* we EAGAINed after having reed data, return the success amount */ -- *err = CURLE_OK; -- break; -- } -- /* we have a an error to report */ -- goto out; -- } -- else if(nread == 0) { -- /* eof */ -- break; -- } -- ntotal += (size_t)nread; -- DEBUGASSERT((size_t)ntotal <= len); - } -- nread = (ssize_t)ntotal; --out: - 
CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len,
- nread, *err);
- CF_DATA_RESTORE(cf, save);
---
-2.43.0
-
diff --git a/_multibuild b/_multibuild
new file mode 100644
index 0000000..9317e4b
--- /dev/null
+++ b/_multibuild
@@ -0,0 +1,3 @@
+
+ mini
+
diff --git a/curl-8.6.0.tar.xz b/curl-8.6.0.tar.xz
deleted file mode 100644
index 2299c12..0000000
--- a/curl-8.6.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3ccd55d91af9516539df80625f818c734dc6f2ecf9bada33c76765e99121db15
-size 2630108
diff --git a/curl-8.6.0.tar.xz.asc b/curl-8.6.0.tar.xz.asc
deleted file mode 100644
index 2cfe8a7..0000000
--- a/curl-8.6.0.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmW58RcACgkQXMkI/bce
-EsKLvgf9Em0etBEnbJzkhmCiKUOfn3sTKhIHA4y1/O+anaNfEx0E89VUQuFZRcUz
-i4ENOVjTXxVy4zZUobOOWz7RXrvv6XnX9A++RYkBoEk4mmNB3A6ShsTeCR2mS4yi
-dL5UfH2YEu7B6x/ONROKKuGawsqw0D6wzVgrD+J1e8Bu+1P8YOUqsQWVJmJFlYMN
-2A8NP4GZHnmP3rnupx1RY3/MgJU0FjlQ428BOA7PIiYKEVto0dp6cqd4AQsLgQPy
-J1RBcge1Uwqe+k/IenUx7bUaQfr+NY34ryrMxbLPghPimfeyjjsDxyr+OwoQM1aw
-64WqLXBgQmhluT0STyHdD0Tc/JHYrw==
-=GboB
------END PGP SIGNATURE-----
diff --git a/curl-8.9.1.tar.xz b/curl-8.9.1.tar.xz
new file mode 100644
index 0000000..807d384
--- /dev/null
+++ b/curl-8.9.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f292f6cc051d5bbabf725ef85d432dfeacc8711dd717ea97612ae590643801e5
+size 2782364
diff --git a/curl-8.9.1.tar.xz.asc b/curl-8.9.1.tar.xz.asc
new file mode 100644
index 0000000..bda8785
--- /dev/null
+++ b/curl-8.9.1.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmap30kACgkQXMkI/bce
+EsKX+wf/brccw5rGTAbmjj7WGBfbAmwrSsDexTXRiEBXT/+qhkWIplN6wdtsZ86I
+tUraaapoyvRKLa3Wxlv9fSF/xXji+5lhO/W9pfWxwZNeSZFiOgKcK/Li4Fx0c7t4
+WpxkAbRvbJreA40BR32qSgnNNjKU5QX/ivf67B1EFL71kgsCW/QczB6mcuxszlkN
+ro39Jb8hDtnAD3hHXrTEaW3lOEgf/Jo/a1Zii3+W3OkW+uZHwzUoqe+HLGHYM2vW
+Q3hBVQaEWmNIwArA73s/kOiFATLthUTvSJO56ebLQJFHJf61cwqSsg2o07i5SqEc
+QlKzV/h7ydbBWdHiSTpCMxue7tLUZw==
+=EiUG
+-----END PGP SIGNATURE-----
diff --git a/curl-CVE-2024-2004.patch b/curl-CVE-2024-2004.patch
deleted file mode 100644
index 8596d9c..0000000
--- a/curl-CVE-2024-2004.patch
+++ /dev/null
@@ -1,133 +0,0 @@ -From 17d302e56221f5040092db77d4f85086e8a20e0e Mon Sep 17 00:00:00 2001 -From: Daniel Gustafsson -Date: Tue, 27 Feb 2024 15:43:56 +0100 -Subject: [PATCH] setopt: Fix disabling all protocols - -When disabling all protocols without enabling any, the resulting -set of allowed protocols remained the default set. Clearing the -allowed set before inspecting the passed value from --proto make -the set empty even in the errorpath of no protocols enabled. - -Co-authored-by: Dan Fandrich -Reported-by: Dan Fandrich -Reviewed-by: Daniel Stenberg -Closes: #13004 ---- - lib/setopt.c | 16 ++++++++-------- - tests/data/Makefile.inc | 2 +- - tests/data/test1474 | 42 +++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 51 insertions(+), 9 deletions(-) - create mode 100644 tests/data/test1474 - -diff --git a/lib/setopt.c b/lib/setopt.c -index 6a4990cce6731b..ce1321fc80be9d 100644 ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -155,6 +155,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp) - - static CURLcode protocol2num(const char *str, curl_prot_t *val) - { -+ /* -+ * We are asked to cherry-pick protocols, so play it safe and disallow all -+ * protocols to start with, and re-add the wanted ones back in. 
-+ */ -+ *val = 0; -+ - if(!str) - return CURLE_BAD_FUNCTION_ARGUMENT; - -@@ -163,8 +169,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val) - return CURLE_OK; - } - -- *val = 0; -- - do { - const char *token = str; - size_t tlen; -@@ -2654,22 +2658,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - break; - - case CURLOPT_PROTOCOLS_STR: { -- curl_prot_t prot; - argptr = va_arg(param, char *); -- result = protocol2num(argptr, &prot); -+ result = protocol2num(argptr, &data->set.allowed_protocols); - if(result) - return result; -- data->set.allowed_protocols = prot; - break; - } - - case CURLOPT_REDIR_PROTOCOLS_STR: { -- curl_prot_t prot; - argptr = va_arg(param, char *); -- result = protocol2num(argptr, &prot); -+ result = protocol2num(argptr, &data->set.redir_protocols); - if(result) - return result; -- data->set.redir_protocols = prot; - break; - } - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index c20f90d945cc90..b80ffb618e55b9 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -187,7 +187,7 @@ test1439 test1440 test1441 test1442 test1443 test1444 test1445 test1446 \ - test1447 test1448 test1449 test1450 test1451 test1452 test1453 test1454 \ - test1455 test1456 test1457 test1458 test1459 test1460 test1461 test1462 \ - test1463 test1464 test1465 test1466 test1467 test1468 test1469 test1470 \ --test1471 test1472 test1473 test1475 test1476 test1477 test1478 \ -+test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 \ - \ - test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ - test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \ -diff --git a/tests/data/test1474 b/tests/data/test1474 -new file mode 100644 -index 00000000000000..c66fa2810483f2 ---- /dev/null -+++ b/tests/data/test1474 -@@ -0,0 +1,42 @@ -+ -+ -+ -+HTTP -+HTTP GET -+--proto -+ -+ -+ -+# -+# Server-side -+ -+ -+ -+ -+ -+# -+# Client-side -+ -+ 
-+none -+ -+ -+http -+ -+ -+--proto -all disables all protocols -+ -+ -+--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 1 - Protocol "http" disabled -+ -+1 -+ -+ -+ diff --git a/curl-CVE-2024-2379.patch b/curl-CVE-2024-2379.patch deleted file mode 100644 index b5dcbb6..0000000 --- a/curl-CVE-2024-2379.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From aedbbdf18e689a5eee8dc39600914f5eda6c409c Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 11 Mar 2024 10:53:08 +0100 -Subject: [PATCH] vquic-tls: return appropirate errors on wolfSSL errors - -Reported-by: Dexter Gerig -Closes #13107 ---- - lib/vquic/vquic-tls.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c -index cc7794e405a5f6..dbde21f476f1dc 100644 ---- a/lib/vquic/vquic-tls.c -+++ b/lib/vquic/vquic-tls.c -@@ -375,6 +375,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx, - char error_buffer[256]; - ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer)); - failf(data, "wolfSSL failed to set ciphers: %s", error_buffer); -+ result = CURLE_BAD_FUNCTION_ARGUMENT; - goto out; - } - -@@ -382,6 +383,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx, - conn_config->curves : - (char *)QUIC_GROUPS) != 1) { - failf(data, "wolfSSL failed to set curves"); -+ result = CURLE_BAD_FUNCTION_ARGUMENT; - goto out; - } - -@@ -392,6 +394,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx, - wolfSSL_CTX_set_keylog_callback(ctx->ssl_ctx, keylog_callback); - #else - failf(data, "wolfSSL was built without keylog callback"); -+ result = CURLE_NOT_BUILT_IN; - goto out; - #endif - } -@@ -414,6 +417,7 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx, - " CAfile: %s CApath: %s", - ssl_cafile ? ssl_cafile : "none", - ssl_capath ? ssl_capath : "none"); -+ result = CURLE_SSL_CACERT; - goto out; - } - infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none"); diff --git a/curl-CVE-2024-2398.patch b/curl-CVE-2024-2398.patch deleted file mode 100644 index 88568c0..0000000 --- a/curl-CVE-2024-2398.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Wed, 6 Mar 2024 09:36:08 +0100 -Subject: [PATCH] http2: push headers better cleanup - -- provide common cleanup method for push headers - -Closes #13054 ---- - lib/http2.c | 34 +++++++++++++++------------------- - 1 file changed, 15 insertions(+), 19 deletions(-) - -Index: curl-8.6.0/lib/http2.c -=================================================================== ---- curl-8.6.0.orig/lib/http2.c -+++ curl-8.6.0/lib/http2.c -@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct - return CURLE_OK; - } - -+static void free_push_headers(struct stream_ctx *stream) -+{ -+ size_t i; -+ for(i = 0; ipush_headers_used; i++) -+ free(stream->push_headers[i]); -+ Curl_safefree(stream->push_headers); -+ stream->push_headers_used = 0; -+} -+ - static void http2_data_done(struct Curl_cfilter *cf, - struct Curl_easy *data, bool premature) - { -@@ -317,15 +326,7 @@ static void http2_data_done(struct Curl_ - Curl_bufq_free(&stream->recvbuf); - Curl_h1_req_parse_free(&stream->h1); - Curl_dynhds_free(&stream->resp_trailers); -- if(stream->push_headers) { -- /* if they weren't used and then freed before */ -- for(; stream->push_headers_used > 0; --stream->push_headers_used) { -- free(stream->push_headers[stream->push_headers_used - 1]); -- } -- free(stream->push_headers); -- stream->push_headers = NULL; -- } -- -+ free_push_headers(stream); - free(stream); - H2_STREAM_LCTX(data) = NULL; - } -@@ -872,7 +873,6 @@ static int push_promise(struct Curl_cfil - struct curl_pushheaders heads; - CURLMcode rc; - CURLcode result; -- size_t i; - /* clone the parent */ - struct Curl_easy *newhandle = h2_duphandle(cf, data); - if(!newhandle) { -@@ -917,11 +917,7 @@ static int push_promise(struct Curl_cfil - Curl_set_in_callback(data, false); - - /* free the headers again */ -- for(i = 0; ipush_headers_used; i++) -- free(stream->push_headers[i]); -- free(stream->push_headers); -- 
stream->push_headers = NULL; -- stream->push_headers_used = 0; -+ free_push_headers(stream); - - if(rv) { - DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); -@@ -1468,14 +1464,14 @@ static int on_header(nghttp2_session *se - if(stream->push_headers_alloc > 1000) { - /* this is beyond crazy many headers, bail out */ - failf(data_s, "Too many PUSH_PROMISE headers"); -- Curl_safefree(stream->push_headers); -+ free_push_headers(stream); - return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; - } - stream->push_headers_alloc *= 2; -- headp = Curl_saferealloc(stream->push_headers, -- stream->push_headers_alloc * sizeof(char *)); -+ headp = realloc(stream->push_headers, -+ stream->push_headers_alloc * sizeof(char *)); - if(!headp) { -- stream->push_headers = NULL; -+ free_push_headers(stream); - return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; - } - stream->push_headers = headp; diff --git a/curl-CVE-2024-2466.patch b/curl-CVE-2024-2466.patch deleted file mode 100644 index 4673590..0000000 --- a/curl-CVE-2024-2466.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 3d0fd382a29b95561b90b7ea3e7eb04dfdd43538 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Fri, 15 Mar 2024 10:10:13 +0100 -Subject: [PATCH] mbedtls: fix pytest for newer versions - -Fix the expectations in pytest for newer versions of mbedtls - -Closes #13132 ---- - lib/vtls/mbedtls.c | 15 +++++++-------- - tests/http/test_10_proxy.py | 8 ++++++-- - tests/http/testenv/env.py | 14 +++++++++++--- - 3 files changed, 24 insertions(+), 13 deletions(-) - -Index: curl-8.6.0/lib/vtls/mbedtls.c -=================================================================== ---- curl-8.6.0.orig/lib/vtls/mbedtls.c -+++ curl-8.6.0/lib/vtls/mbedtls.c -@@ -654,14 +654,13 @@ mbed_connect_step1(struct Curl_cfilter * - &backend->clicert, &backend->pk); - } - -- if(connssl->peer.sni) { -- if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni)) { -- /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and -- the name to set in the SNI extension. So even if curl connects to a -- host specified as an IP address, this function must be used. */ -- failf(data, "Failed to set SNI"); -- return CURLE_SSL_CONNECT_ERROR; -- } -+ if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni? -+ connssl->peer.sni : connssl->peer.hostname)) { -+ /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and -+ the name to set in the SNI extension. So even if curl connects to a -+ host specified as an IP address, this function must be used. */ -+ failf(data, "Failed to set SNI"); -+ return CURLE_SSL_CONNECT_ERROR; - } - - #ifdef HAS_ALPN diff --git a/curl-CVE-2024-6197.patch b/curl-CVE-2024-6197.patch deleted file mode 100644 index bf48925..0000000 --- a/curl-CVE-2024-6197.patch +++ /dev/null 
@@ -1,21 +0,0 @@
-From 3a537a4db9e65e545ec45b1b5d5575ee09a2569d Mon Sep 17 00:00:00 2001
-From: z2_ <88509734+z2-2z@users.noreply.github.com>
-Date: Fri, 28 Jun 2024 14:45:47 +0200
-Subject: [PATCH] x509asn1: remove superfluous free()
-
----
- lib/vtls/x509asn1.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
-index f71ab0b90a5931..1bc4243ddae343 100644
---- a/lib/vtls/x509asn1.c
-+++ b/lib/vtls/x509asn1.c
-@@ -393,7 +393,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
- if(wc >= 0x00000800) {
- if(wc >= 0x00010000) {
- if(wc >= 0x00200000) {
-- free(buf);
- /* Invalid char. size for target encoding. */
- return CURLE_WEIRD_SERVER_REPLY;
- }
diff --git a/curl-CVE-2024-7264.patch b/curl-CVE-2024-7264.patch
deleted file mode 100644
index 49357ff..0000000
--- a/curl-CVE-2024-7264.patch
+++ /dev/null
@@ -1,322 +0,0 @@ -From 3c914bc680155b32178f1f15ca8d47c7f4640afe Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 30 Jul 2024 10:05:17 +0200 -Subject: [PATCH] x509asn1: clean up GTime2str - -Co-authored-by: Stefan Eissing -Reported-by: Dov Murik - -Closes #14307 ---- - lib/vtls/x509asn1.c | 23 ++++++++++++++--------- - 1 file changed, 14 insertions(+), 9 deletions(-) - -Index: curl-8.6.0/lib/vtls/x509asn1.c -=================================================================== ---- curl-8.6.0.orig/lib/vtls/x509asn1.c -+++ curl-8.6.0/lib/vtls/x509asn1.c -@@ -488,7 +488,7 @@ static CURLcode GTime2str(struct dynbuf - /* Convert an ASN.1 Generalized time to a printable string. - Return the dynamically allocated string, or NULL if an error occurs. */ - -- for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++) -+ for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++) - ; - - /* Get seconds digits. */ -@@ -507,32 +507,44 @@ static CURLcode GTime2str(struct dynbuf - return CURLE_BAD_FUNCTION_ARGUMENT; - } - -- /* Scan for timezone, measure fractional seconds. */ -+ /* timezone follows optional fractional seconds. */ - tzp = fracp; -- fracl = 0; -+ fracl = 0; /* no fractional seconds detected so far */ - if(fracp < end && (*fracp == '.' || *fracp == ',')) { -- fracp++; -- do -+ /* Have fractional seconds, e.g. "[.,]\d+". How many? */ -+ fracp++; /* should be a digit char or BAD ARGUMENT */ -+ tzp = fracp; -+ while(tzp < end && ISDIGIT(*tzp)) - tzp++; -- while(tzp < end && *tzp >= '0' && *tzp <= '9'); -- /* Strip leading zeroes in fractional seconds. */ -- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--) -- ; -+ if(tzp == fracp) /* never looped, no digit after [.,] */ -+ return CURLE_BAD_FUNCTION_ARGUMENT; -+ fracl = tzp - fracp; /* number of fractional sec digits */ -+ DEBUGASSERT(fracl > 0); -+ /* Strip trailing zeroes in fractional seconds. -+ * May reduce fracl to 0 if only '0's are present. 
*/ -+ while(fracl && fracp[fracl - 1] == '0') -+ fracl--; - } - - /* Process timezone. */ -- if(tzp >= end) -- ; /* Nothing to do. */ -+ if(tzp >= end) { -+ tzp = ""; -+ tzl = 0; -+ } - else if(*tzp == 'Z') { -- tzp = " GMT"; -- end = tzp + 4; -+ sep = " "; -+ tzp = "GMT"; -+ tzl = 3; -+ } -+ else if((*tzp == '+') || (*tzp == '-')) { -+ sep = " UTC"; -+ tzl = end - tzp; - } - else { - sep = " "; -- tzp++; -+ tzl = end - tzp; - } - -- tzl = end - tzp; - return Curl_dyn_addf(store, - "%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s", - beg, beg + 4, beg + 6, -@@ -541,6 +553,15 @@ static CURLcode GTime2str(struct dynbuf - sep, (int)tzl, tzp); - } - -+#ifdef UNITTESTS -+/* used by unit1656.c */ -+CURLcode Curl_x509_GTime2str(struct dynbuf *store, -+ const char *beg, const char *end) -+{ -+ return GTime2str(store, beg, end); -+} -+#endif -+ - /* - * Convert an ASN.1 UTC time to a printable string. - * -Index: curl-8.6.0/lib/vtls/x509asn1.h -=================================================================== ---- curl-8.6.0.orig/lib/vtls/x509asn1.h -+++ curl-8.6.0/lib/vtls/x509asn1.h -@@ -76,5 +76,16 @@ CURLcode Curl_extract_certinfo(struct Cu - const char *beg, const char *end); - CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data, - const char *beg, const char *end); -+ -+#ifdef UNITTESTS -+#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \ -+ defined(USE_MBEDTLS) -+ -+/* used by unit1656.c */ -+CURLcode Curl_x509_GTime2str(struct dynbuf *store, -+ const char *beg, const char *end); -+#endif -+#endif -+ - #endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_SECTRANSP */ - #endif /* HEADER_CURL_X509ASN1_H */ -Index: curl-8.6.0/tests/data/Makefile.inc -=================================================================== ---- curl-8.6.0.orig/tests/data/Makefile.inc -+++ curl-8.6.0/tests/data/Makefile.inc -@@ -208,7 +208,7 @@ test1620 test1621 \ - \ - test1630 test1631 test1632 test1633 test1634 test1635 \ - \ --test1650 
test1651 test1652 test1653 test1654 test1655 \ -+test1650 test1651 test1652 test1653 test1654 test1655 test1656 \ - test1660 test1661 test1662 \ - \ - test1670 test1671 \ -Index: curl-8.6.0/tests/data/test1656 -=================================================================== ---- /dev/null -+++ curl-8.6.0/tests/data/test1656 -@@ -0,0 +1,22 @@ -+ -+ -+ -+unittest -+Curl_x509_GTime2str -+ -+ -+ -+# -+# Client-side -+ -+ -+none -+ -+ -+unittest -+ -+ -+Curl_x509_GTime2str unit tests -+ -+ -+ -Index: curl-8.6.0/tests/unit/Makefile.inc -=================================================================== ---- curl-8.6.0.orig/tests/unit/Makefile.inc -+++ curl-8.6.0/tests/unit/Makefile.inc -@@ -36,7 +36,7 @@ UNITPROGS = unit1300 unit1302 u - unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \ - unit1608 unit1609 unit1610 unit1611 unit1612 unit1614 \ - unit1620 unit1621 \ -- unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 \ -+ unit1650 unit1651 unit1652 unit1653 unit1654 unit1655 unit1656 \ - unit1660 unit1661 \ - unit2600 unit2601 unit2602 unit2603 \ - unit3200 -@@ -117,6 +117,8 @@ unit1654_SOURCES = unit1654.c $(UNITFILE - - unit1655_SOURCES = unit1655.c $(UNITFILES) - -+unit1656_SOURCES = unit1656.c $(UNITFILES) -+ - unit1660_SOURCES = unit1660.c $(UNITFILES) - - unit1661_SOURCES = unit1661.c $(UNITFILES) -Index: curl-8.6.0/tests/unit/unit1656.c -=================================================================== ---- /dev/null -+++ curl-8.6.0/tests/unit/unit1656.c -@@ -0,0 +1,133 @@ -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) Daniel Stenberg, , et al. -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. 
The terms -+ * are also available at https://curl.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ * SPDX-License-Identifier: curl -+ * -+ ***************************************************************************/ -+#include "curlcheck.h" -+ -+#include "vtls/x509asn1.h" -+ -+static CURLcode unit_setup(void) -+{ -+ return CURLE_OK; -+} -+ -+static void unit_stop(void) -+{ -+ -+} -+ -+#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \ -+ defined(USE_MBEDTLS) -+ -+#ifndef ARRAYSIZE -+#define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0])) -+#endif -+ -+struct test_spec { -+ const char *input; -+ const char *exp_output; -+ CURLcode exp_result; -+}; -+ -+static struct test_spec test_specs[] = { -+ { "190321134340", "1903-21-13 43:40:00", CURLE_OK }, -+ { "", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, -+ { "WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, -+ { "0WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, -+ { "19032113434", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, -+ { "19032113434WTF", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, -+ { "190321134340.", NULL, CURLE_BAD_FUNCTION_ARGUMENT }, -+ { "190321134340.1", "1903-21-13 43:40:00.1", CURLE_OK }, -+ { "19032113434017.0", "1903-21-13 43:40:17", CURLE_OK }, -+ { "19032113434017.01", "1903-21-13 43:40:17.01", CURLE_OK }, -+ { "19032113434003.001", "1903-21-13 43:40:03.001", CURLE_OK }, -+ { "19032113434003.090", "1903-21-13 43:40:03.09", CURLE_OK }, -+ { "190321134340Z", "1903-21-13 43:40:00 GMT", CURLE_OK }, -+ { "19032113434017.0Z", "1903-21-13 43:40:17 GMT", CURLE_OK }, -+ { "19032113434017.01Z", "1903-21-13 43:40:17.01 GMT", CURLE_OK }, -+ { "19032113434003.001Z", "1903-21-13 43:40:03.001 GMT", CURLE_OK 
}, -+ { "19032113434003.090Z", "1903-21-13 43:40:03.09 GMT", CURLE_OK }, -+ { "190321134340CET", "1903-21-13 43:40:00 CET", CURLE_OK }, -+ { "19032113434017.0CET", "1903-21-13 43:40:17 CET", CURLE_OK }, -+ { "19032113434017.01CET", "1903-21-13 43:40:17.01 CET", CURLE_OK }, -+ { "190321134340+02:30", "1903-21-13 43:40:00 UTC+02:30", CURLE_OK }, -+ { "19032113434017.0+02:30", "1903-21-13 43:40:17 UTC+02:30", CURLE_OK }, -+ { "19032113434017.01+02:30", "1903-21-13 43:40:17.01 UTC+02:30", CURLE_OK }, -+ { "190321134340-3", "1903-21-13 43:40:00 UTC-3", CURLE_OK }, -+ { "19032113434017.0-04", "1903-21-13 43:40:17 UTC-04", CURLE_OK }, -+ { "19032113434017.01-01:10", "1903-21-13 43:40:17.01 UTC-01:10", CURLE_OK }, -+}; -+ -+static bool do_test(struct test_spec *spec, size_t i, struct dynbuf *dbuf) -+{ -+ CURLcode result; -+ const char *in = spec->input; -+ -+ Curl_dyn_reset(dbuf); -+ result = Curl_x509_GTime2str(dbuf, in, in + strlen(in)); -+ if(result != spec->exp_result) { -+ fprintf(stderr, "test %zu: expect result %d, got %d\n", -+ i, spec->exp_result, result); -+ return FALSE; -+ } -+ else if(!result && strcmp(spec->exp_output, Curl_dyn_ptr(dbuf))) { -+ fprintf(stderr, "test %zu: input '%s', expected output '%s', got '%s'\n", -+ i, in, spec->exp_output, Curl_dyn_ptr(dbuf)); -+ return FALSE; -+ } -+ -+ return TRUE; -+} -+ -+UNITTEST_START -+{ -+ size_t i; -+ struct dynbuf dbuf; -+ bool all_ok = TRUE; -+ -+ Curl_dyn_init(&dbuf, 32*1024); -+ -+ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { -+ fprintf(stderr, "curl_global_init() failed\n"); -+ return TEST_ERR_MAJOR_BAD; -+ } -+ -+ for(i = 0; i < ARRAYSIZE(test_specs); ++i) { -+ if(!do_test(&test_specs[i], i, &dbuf)) -+ all_ok = FALSE; -+ } -+ fail_unless(all_ok, "some tests of Curl_x509_GTime2str() fails"); -+ -+ Curl_dyn_free(&dbuf); -+ curl_global_cleanup(); -+} -+UNITTEST_STOP -+ -+#else -+ -+UNITTEST_START -+{ -+ puts("not tested since Curl_x509_GTime2str() is not built-in"); -+} -+UNITTEST_STOP -+ -+#endif 
diff --git a/curl-CVE-2024-8096.patch b/curl-CVE-2024-8096.patch
deleted file mode 100644
index 18b4d87..0000000
--- a/curl-CVE-2024-8096.patch
+++ /dev/null
@@ -1,200 +0,0 @@ -From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 20 Aug 2024 16:14:39 +0200 -Subject: [PATCH] gtls: fix OCSP stapling management - -Reported-by: Hiroki Kurosawa -Closes #14642 ---- - lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------ - 1 file changed, 73 insertions(+), 73 deletions(-) - -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c -index 03d6fcc038aac3..c7589d9d39bc81 100644 ---- a/lib/vtls/gtls.c -+++ b/lib/vtls/gtls.c -@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf, - init_flags |= GNUTLS_NO_TICKETS; - #endif - -+#if defined(GNUTLS_NO_STATUS_REQUEST) -+ if(!config->verifystatus) -+ /* Disable the "status_request" TLS extension, enabled by default since -+ GnuTLS 3.8.0. */ -+ init_flags |= GNUTLS_NO_STATUS_REQUEST; -+#endif -+ - rc = gnutls_init(>ls->session, init_flags); - if(rc != GNUTLS_E_SUCCESS) { - failf(data, "gnutls_init() failed: %d", rc); -@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data, - infof(data, " server certificate verification SKIPPED"); - - if(config->verifystatus) { -- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) { -- gnutls_datum_t status_request; -- gnutls_ocsp_resp_t ocsp_resp; -+ gnutls_datum_t status_request; -+ gnutls_ocsp_resp_t ocsp_resp; -+ gnutls_ocsp_cert_status_t status; -+ gnutls_x509_crl_reason_t reason; - -- gnutls_ocsp_cert_status_t status; -- gnutls_x509_crl_reason_t reason; -+ rc = gnutls_ocsp_status_request_get(session, &status_request); - -- rc = gnutls_ocsp_status_request_get(session, &status_request); -+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { -+ failf(data, "No OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- infof(data, " server certificate status verification FAILED"); -+ if(rc < 0) { -+ failf(data, "Invalid OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- if(rc == 
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { -- failf(data, "No OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ gnutls_ocsp_resp_init(&ocsp_resp); - -- if(rc < 0) { -- failf(data, "Invalid OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); -+ if(rc < 0) { -+ failf(data, "Invalid OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- gnutls_ocsp_resp_init(&ocsp_resp); -+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, -+ &status, NULL, NULL, NULL, &reason); - -- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); -- if(rc < 0) { -- failf(data, "Invalid OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ switch(status) { -+ case GNUTLS_OCSP_CERT_GOOD: -+ break; - -- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, -- &status, NULL, NULL, NULL, &reason); -+ case GNUTLS_OCSP_CERT_REVOKED: { -+ const char *crl_reason; - -- switch(status) { -- case GNUTLS_OCSP_CERT_GOOD: -+ switch(reason) { -+ default: -+ case GNUTLS_X509_CRLREASON_UNSPECIFIED: -+ crl_reason = "unspecified reason"; - break; - -- case GNUTLS_OCSP_CERT_REVOKED: { -- const char *crl_reason; -- -- switch(reason) { -- default: -- case GNUTLS_X509_CRLREASON_UNSPECIFIED: -- crl_reason = "unspecified reason"; -- break; -- -- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: -- crl_reason = "private key compromised"; -- break; -- -- case GNUTLS_X509_CRLREASON_CACOMPROMISE: -- crl_reason = "CA compromised"; -- break; -- -- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: -- crl_reason = "affiliation has changed"; -- break; -+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: -+ crl_reason = "private key compromised"; -+ break; - -- case GNUTLS_X509_CRLREASON_SUPERSEDED: -- crl_reason = "certificate superseded"; -- break; -+ case GNUTLS_X509_CRLREASON_CACOMPROMISE: -+ crl_reason = "CA compromised"; -+ break; - -- case 
GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: -- crl_reason = "operation has ceased"; -- break; -+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: -+ crl_reason = "affiliation has changed"; -+ break; - -- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: -- crl_reason = "certificate is on hold"; -- break; -+ case GNUTLS_X509_CRLREASON_SUPERSEDED: -+ crl_reason = "certificate superseded"; -+ break; - -- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: -- crl_reason = "will be removed from delta CRL"; -- break; -+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: -+ crl_reason = "operation has ceased"; -+ break; - -- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: -- crl_reason = "privilege withdrawn"; -- break; -+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: -+ crl_reason = "certificate is on hold"; -+ break; - -- case GNUTLS_X509_CRLREASON_AACOMPROMISE: -- crl_reason = "AA compromised"; -- break; -- } -+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: -+ crl_reason = "will be removed from delta CRL"; -+ break; - -- failf(data, "Server certificate was revoked: %s", crl_reason); -+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: -+ crl_reason = "privilege withdrawn"; - break; -- } - -- default: -- case GNUTLS_OCSP_CERT_UNKNOWN: -- failf(data, "Server certificate status is unknown"); -+ case GNUTLS_X509_CRLREASON_AACOMPROMISE: -+ crl_reason = "AA compromised"; - break; - } - -- gnutls_ocsp_resp_deinit(ocsp_resp); -+ failf(data, "Server certificate was revoked: %s", crl_reason); -+ break; -+ } - -- return CURLE_SSL_INVALIDCERTSTATUS; -+ default: -+ case GNUTLS_OCSP_CERT_UNKNOWN: -+ failf(data, "Server certificate status is unknown"); -+ break; - } -- else -- infof(data, " server certificate status verification OK"); -+ -+ gnutls_ocsp_resp_deinit(ocsp_resp); -+ if(status != GNUTLS_OCSP_CERT_GOOD) -+ return CURLE_SSL_INVALIDCERTSTATUS; - } - else - infof(data, " server certificate status verification SKIPPED"); 
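Review bot: Deleting curl-CVE-2024-8096.patch is not covered by the move to the 8.9.1 tarball: the removed backport is dated 20 Aug 2024 and references upstream #14642, both of which postdate the 8.9.1 release as far as I recall, so unless curl.spec (changed in this commit but outside this chunk) re-applies the fix, GnuTLS builds fall back to the old lib/vtls/gtls.c logic shown here, which skips the manual OCSP response checks and logs "server certificate status verification OK" whenever gnutls_ocsp_status_request_is_checked() reports the response as checked, and which never sets GNUTLS_NO_STATUS_REQUEST when verifystatus is off. The other deleted backports (CVE-2024-2004, -2379, -2398, -2466, -6197, -7264 and the aws-sigv4 fix) carry dates before the 8.9.1 release and look consistent with the upgrade. A curl.changes entry stating which dropped CVE patches are upstream in 8.9.1, and how CVE-2024-8096 is now covered, would make the sync auditable.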
diff --git a/curl-aws_sigv4-url-encode-the-canonical-path.patch b/curl-aws_sigv4-url-encode-the-canonical-path.patch
deleted file mode 100644
index 981b8e5..0000000
--- a/curl-aws_sigv4-url-encode-the-canonical-path.patch
+++ /dev/null
@@ -1,295 +0,0 @@
-From 768909d89cb3089f96fb495b13e636ecf0742e3d Mon Sep 17 00:00:00 2001
-From: Matthias Gatto
-Date: Mon, 27 May 2024 14:58:11 +0200
-Subject: [PATCH] aws-sigv4: url encode the canonical path
-
-Refactors canon_query, so it could use the encoding part of the function
-to use it in the path.
-
-As the path doesn't encode '/', but encode '=', I had to add some
-conditions to know If I was doing the query or path encoding.
-
-Also, instead of adding a `bool in_path` variable, I use `bool
-*found_equals` to know if the function was called for the query or path,
-as found_equals is used only in query_encoding.
-
-Test 472 verifies.
-
-Reported-by: Alexander Shtuchkin
-Fixes #13754
-Closes #13814
-
-Signed-off-by: Matthias Gatto
-
-Index: curl-8.6.0/lib/http_aws_sigv4.c
-===================================================================
---- curl-8.6.0.orig/lib/http_aws_sigv4.c
-+++ curl-8.6.0/lib/http_aws_sigv4.c
-@@ -426,6 +426,76 @@ static int compare_func(const void *a, c
-
- #define MAX_QUERYPAIRS 64
-
-+/**
-+ * found_equals have a double meaning,
-+ * detect if an equal have been found when called from canon_query,
-+ * and mark that this function is called to compute the path,
-+ * if found_equals is NULL.
-+ */
-+static CURLcode canon_string(const char *q, size_t len,
-+ struct dynbuf *dq, bool *found_equals)
-+{
-+ CURLcode result = CURLE_OK;
-+
-+ for(; len && !result; q++, len--) {
-+ if(ISALNUM(*q))
-+ result = Curl_dyn_addn(dq, q, 1);
-+ else {
-+ switch(*q) {
-+ case '-':
-+ case '.':
-+ case '_':
-+ case '~':
-+ /* allowed as-is */
-+ result = Curl_dyn_addn(dq, q, 1);
-+ break;
-+ case '%':
-+ /* uppercase the following if hexadecimal */
-+ if(ISXDIGIT(q[1]) && ISXDIGIT(q[2])) {
-+ char tmp[3]="%";
-+ tmp[1] = Curl_raw_toupper(q[1]);
-+ tmp[2] = Curl_raw_toupper(q[2]);
-+ result = Curl_dyn_addn(dq, tmp, 3);
-+ q += 2;
-+ len -= 2;
-+ }
-+ else
-+ /* '%' without a following two-digit hex, encode it */
-+ result = Curl_dyn_addn(dq, "%25", 3);
-+ break;
-+ default: {
-+ const char hex[] = "0123456789ABCDEF";
-+ char out[3]={'%'};
-+
-+ if(!found_equals) {
-+ /* if found_equals is NULL assuming, been in path */
-+ if(*q == '/') {
-+ /* allowed as if */
-+ result = Curl_dyn_addn(dq, q, 1);
-+ break;
-+ }
-+ }
-+ else {
-+ /* allowed as-is */
-+ if(*q == '=') {
-+ result = Curl_dyn_addn(dq, q, 1);
-+ *found_equals = true;
-+ break;
-+ }
-+ }
-+ /* URL encode */
-+ out[1] = hex[((unsigned char)*q)>>4];
-+ out[2] = hex[*q & 0xf];
-+ result = Curl_dyn_addn(dq, out, 3);
-+ break;
-+ }
-+ }
-+ }
-+ }
-+ return result;
-+}
-+
-+
- static CURLcode canon_query(struct Curl_easy *data,
- const char *query, struct dynbuf *dq)
- {
-@@ -463,54 +533,11 @@ static CURLcode canon_query(struct Curl_
-
- ap = &array[0];
- for(i = 0; !result && (i < entry); i++, ap++) {
-- size_t len;
- const char *q = ap->p;
- bool found_equals = false;
- if(!ap->len)
- continue;
-- for(len = ap->len; len && !result; q++, len--) {
-- if(ISALNUM(*q))
-- result = Curl_dyn_addn(dq, q, 1);
-- else {
-- switch(*q) {
-- case '-':
-- case '.':
-- case '_':
-- case '~':
-- /* allowed as-is */
-- result = Curl_dyn_addn(dq, q, 1);
-- break;
-- case '=':
-- /* allowed as-is */
-- result = Curl_dyn_addn(dq, q,
1);
-- found_equals = true;
-- break;
-- case '%':
-- /* uppercase the following if hexadecimal */
-- if(ISXDIGIT(q[1]) && ISXDIGIT(q[2])) {
-- char tmp[3]="%";
-- tmp[1] = Curl_raw_toupper(q[1]);
-- tmp[2] = Curl_raw_toupper(q[2]);
-- result = Curl_dyn_addn(dq, tmp, 3);
-- q += 2;
-- len -= 2;
-- }
-- else
-- /* '%' without a following two-digit hex, encode it */
-- result = Curl_dyn_addn(dq, "%25", 3);
-- break;
-- default: {
-- /* URL encode */
-- const char hex[] = "0123456789ABCDEF";
-- char out[3]={'%'};
-- out[1] = hex[((unsigned char)*q)>>4];
-- out[2] = hex[*q & 0xf];
-- result = Curl_dyn_addn(dq, out, 3);
-- break;
-- }
-- }
-- }
-- }
-+ result = canon_string(q, ap->len, dq, &found_equals);
- if(!result && !found_equals) {
- /* queries without value still need an equals */
- result = Curl_dyn_addn(dq, "=", 1);
-@@ -543,6 +570,7 @@ CURLcode Curl_output_aws_sigv4(struct Cu
- struct dynbuf canonical_headers;
- struct dynbuf signed_headers;
- struct dynbuf canonical_query;
-+ struct dynbuf canonical_path;
- char *date_header = NULL;
- Curl_HttpReq httpreq;
- const char *method = NULL;
-@@ -573,6 +601,7 @@ CURLcode Curl_output_aws_sigv4(struct Cu
- Curl_dyn_init(&canonical_headers, CURL_MAX_HTTP_HEADER);
- Curl_dyn_init(&canonical_query, CURL_MAX_HTTP_HEADER);
- Curl_dyn_init(&signed_headers, CURL_MAX_HTTP_HEADER);
-+ Curl_dyn_init(&canonical_path, CURL_MAX_HTTP_HEADER);
-
- /*
- * Parameters parsing
-@@ -701,6 +730,11 @@ CURLcode Curl_output_aws_sigv4(struct Cu
- result = canon_query(data, data->state.up.query, &canonical_query);
- if(result)
- goto fail;
-+
-+ result = canon_string(data->state.up.path, strlen(data->state.up.path),
-+ &canonical_path, NULL);
-+ if(result)
-+ goto fail;
- result = CURLE_OUT_OF_MEMORY;
-
- canonical_request =
-@@ -711,7 +745,7 @@ CURLcode Curl_output_aws_sigv4(struct Cu
- "%s\n" /* SignedHeaders */
- "%.*s", /* HashedRequestPayload in hex */
- method,
-- data->state.up.path,
-+ Curl_dyn_ptr(&canonical_path),
Curl_dyn_ptr(&canonical_query) ? - Curl_dyn_ptr(&canonical_query) : "", - Curl_dyn_ptr(&canonical_headers), -@@ -803,6 +837,7 @@ CURLcode Curl_output_aws_sigv4(struct Cu - - fail: - Curl_dyn_free(&canonical_query); -+ Curl_dyn_free(&canonical_path); - Curl_dyn_free(&canonical_headers); - Curl_dyn_free(&signed_headers); - free(canonical_request); -Index: curl-8.6.0/tests/data/Makefile.inc -=================================================================== ---- curl-8.6.0.orig/tests/data/Makefile.inc -+++ curl-8.6.0/tests/data/Makefile.inc -@@ -73,7 +73,7 @@ test426 test427 test428 test429 test430 - test435 test436 test437 test438 test439 test440 test441 test442 test443 \ - test444 test445 test446 test447 test448 test449 test450 test451 test452 \ - test453 test454 test455 test456 test457 test458 test459 test460 test461 \ --\ -+test472 \ - test490 test491 test492 test493 test494 test495 test496 test497 test498 \ - \ - test500 test501 test502 test503 test504 test505 test506 test507 test508 \ -Index: curl-8.6.0/tests/data/test472 -=================================================================== ---- /dev/null -+++ curl-8.6.0/tests/data/test472 -@@ -0,0 +1,59 @@ -+ -+ -+ -+HTTP -+aws-sigv4 -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ -+-foo- -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+debug -+Unicode -+ -+ -+aws-sigv4 with query -+ -+ -+"http://fake.fake.fake:8000/%TESTNUMBER/a=あ" -u user:secret --aws-sigv4 "aws:amz:us-east-2:es" --connect-to fake.fake.fake:8000:%HOSTIP:%HTTPPORT -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET /472/a=%e3%81%82 HTTP/1.1 -+Host: fake.fake.fake:8000 -+Authorization: AWS4-HMAC-SHA256 Credential=user/19700101/us-east-2/es/aws4_request, 
SignedHeaders=host;x-amz-date, Signature=c63315c199922f7ee00141869a250389405d19e205057249fb74726d940b1fc3
-+X-Amz-Date: 19700101T000000Z
-+User-Agent: curl/%VERSION
-+Accept: */*
-+
-+
-+
-+
-Index: curl-8.6.0/tests/data/Makefile.in
-===================================================================
---- curl-8.6.0.orig/tests/data/Makefile.in
-+++ curl-8.6.0/tests/data/Makefile.in
-@@ -445,7 +445,7 @@ test426 test427 test428 test429 test430
- test435 test436 test437 test438 test439 test440 test441 test442 test443 \
- test444 test445 test446 test447 test448 test449 test450 test451 test452 \
- test453 test454 test455 test456 test457 test458 test459 test460 test461 \
--\
-+test472 \
- test490 test491 test492 test493 test494 test495 test496 test497 test498 \
- \
- test500 test501 test502 test503 test504 test505 test506 test507 test508 \
diff --git a/curl-sigpipe.patch b/curl-sigpipe.patch
new file mode 100644
index 0000000..ba0187a
--- /dev/null
+++ b/curl-sigpipe.patch
@@ -0,0 +1,32 @@
+From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 5 Aug 2024 00:17:17 +0200
+Subject: [PATCH] sigpipe: init the struct so that first apply ignores
+
+Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after
+init ignores the signal (unless CURLOPT_NOSIGNAL) is set.
+
+I have read the existing code multiple times now and I think it gets the
+initial state reversed this missing to ignore.
+
+Regression from 17e6f06ea37136c36d27
+
+Reported-by: Rasmus Thomsen
+Fixes #14344
+Closes #14390
+---
+ lib/sigpipe.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/sigpipe.h b/lib/sigpipe.h
+index b91a2f51333956..d78afd905d3414 100644
+--- a/lib/sigpipe.h
++++ b/lib/sigpipe.h
+@@ -39,6 +39,7 @@ struct sigpipe_ignore {
+ static void sigpipe_init(struct sigpipe_ignore *ig)
+ {
+ memset(ig, 0, sizeof(*ig));
++ ig->no_signal = TRUE;
+ }
+
+ /*
diff --git a/curl.changes b/curl.changes
index 0b89685..036d04b 100644
--- a/curl.changes
+++ b/curl.changes
@@ -1,60 +1,250 @@ ------------------------------------------------------------------- -Tue Sep 17 10:15:48 UTC 2024 - Pedro Monreal +Mon Aug 12 08:41:26 UTC 2024 - Pedro Monreal -- Make special characters in URL work with aws-sigv4 [bsc#1230516] - * aws-sigv4: url encode the canonical path [768909d8] - * Add upstream patch: - - curl-aws_sigv4-url-encode-the-canonical-path.patch +- Fix regression introduced in version 8.9.1: + * sigpipe: init the struct so that first apply ignores + * Add curl-sigpipe.patch ------------------------------------------------------------------- -Wed Sep 4 09:04:55 UTC 2024 - Pedro Monreal +Wed Jul 31 08:20:44 UTC 2024 - Pedro Monreal -- Security fix: [bsc#1230093, CVE-2024-8096] - * curl: OCSP stapling bypass with GnuTLS - * Add curl-CVE-2024-8096.patch +- Update to 8.9.1: + * Security fixes: + - curl: ASN.1 date parser overread [bsc#1228535, CVE-2024-7264] + * Bugfixes: + - cmake: detect 'libssh' via 'pkg-config' + - cmake: detect 'nettle' when building with GnuTLS + - connect: fix connection shutdown for event based processing + - curl: more defensive socket code for --ip-tos + - CURLOPT_SSL_CTX_FUNCTION.md: mention CA caching + - CURLSHOPT_SHARE.md: mention sessions/cookies as not thread-safe + - ftpserver.pl: make POP3 LIST serve content from the test file + - lib: survive some NULL input args + - os400: build cli manual. 
+ - os400: workaround an IBM ASCII run-time library bug + - transfer: speed limiting fix for 32bit systems + - vtls: avoid forward declaration in MultiSSL builds + - x509asn1: unittests and fixes for gtime2str ------------------------------------------------------------------- -Wed Jul 31 08:40:11 UTC 2024 - Pedro Monreal +Wed Jul 24 07:07:57 UTC 2024 - Pedro Monreal -- Security fix: [bsc#1228535, CVE-2024-7264] - * curl: ASN.1 date parser overread - * Add curl-CVE-2024-7264.patch +- Update to 8.9.0: + * Security fixes: + - [bsc#1227888, CVE-2024-6197] curl: freeing stack buffer + in utf8asn1str + - [bsc#1228260, CVE-2024-6874] idn: tweak buffer use when + converting with macidn + * Changes: + - curl: add --ip-tos (IP Type of Service / Traffic Class) + - curl: add --mptcp + - curl: add --vlan-priority + - curl: add -w '%{num_retries} + - gnutls: support CA caching + - mbedtls: support CURLOPT_CERTINFO + - noproxy: patterns need to be comma separated + - socket: support binding to interface *AND* IP + - tcpkeepalive: add CURLOPT_TCP_KEEPCNT and --keepalive-cnt + - urlapi: add CURLU_NO_GUESS_SCHEME + - wolfssl: support CA caching + * Bugfixes: + - connection: shutdown TLS (for FTP) better + - curl-config: revert to backticks to support old target envs + - curl: allow etag and content-disposition for 3xx reply + - curl: bsearch the --write-out variable name + - curl: check for --disable case *sensitively* + - doh: fix leak and zero-length HTTPS RR crash + - file: separate fake headers and body with a stand-alone CRLF + - ftp: remove redundant null pointer check in loop condition + - gnutls: improve TLS shutdown + - gnutls: pass in SNI name, not hostname when checking cert + - hostip: skip error check for infallible function call + - http/3: add shutdown support + - http/3: resume upload on ack if we have more data to send + - lib: add a few DEBUGASSERT(data) to aid code analyzers + - lib: add failure reason on bind errors + - lib: graceful connection shutdown + - lib: 
xfer_setup and non-blocking shutdown + - multi: add multi->proto_hash, a key-value store for protocol data + - multi: do a final progress update on connect failure + - multi: fix multi_wait() timeout handling + - multi: fix pollset during RESOLVING phase + - ngtcp2+quictls: fix cert-status use + - noproxy: test bad ipv6 net size first + - openssl/gnutls: rectify the TLS version checks for QUIC + - openssl: fix hostname handling when using ECH + - openssl: stop duplicate ssl key logging for legacy OpenSSL + - quic: enable UDP GRO + - quic: openssl quic, cmake and doc version update to 3.3.0 + - quic: require at least OpenSSL 3.3 for QUIC + - quic: update to quiche 0.22.0 + - smtp: for starttls, do full upgrade + - tool_operate: avoid explicitly setting verifypeer to 1 + - tool_writeout: get certinfo only when needing it + - transfer: avoid polling socket every transfer loop + - transfer: conn close on paused upload + - transfer: do not use EXPIRE_NOW while blocked + - transfer: remove curl_upload_refill_watermark, no longer used + - transfer: set CSELECT_IN if there is data pending + - url: allow DoH transfers to override max connection limit + - x509asn1: add some common ECDSA OIDs + - x509asn1: ASN1tostr() should fail when 'constructed' is set + - x509asn1: fallback to dotted OID representation + - x509asn1: prevent NULL dereference + - x509asn1: remove superfluous free() + - x509asn1: remove two static variables + * Rebase libcurl-ocloexec.patch + * Remove curl-make-install-curl-config.patch upstream ------------------------------------------------------------------- -Tue Jul 16 08:43:02 UTC 2024 - Pedro Monreal +Thu Jun 20 15:22:47 UTC 2024 - Dirk Müller -- Security fix: [bsc#1227888, CVE-2024-6197] - * Freeing stack buffer in utf8asn1str - * x509asn1: remove superfluous free() - * Add curl-CVE-2024-6197.patch +- add multibuild for minimal libcurl flavored build (useful for + container environments) 
------------------------------------------------------------------- -Wed Mar 27 18:32:08 UTC 2024 - Pedro Monreal +Thu Jun 20 14:58:27 UTC 2024 - Dirk Müller -- Security fix: [bsc#1221666, CVE-2024-2379] - * curl: QUIC certificate check bypass with wolfSSL - * Add curl-CVE-2024-2379.patch +- split zsh and fish completion into subpackages to have + proper supplements ------------------------------------------------------------------- -Wed Mar 27 18:21:59 UTC 2024 - Pedro Monreal +Mon Jun 17 21:29:09 UTC 2024 - Dirk Müller -- Security fix: [bsc#1221668, CVE-2024-2466] - * curl: TLS certificate check bypass with mbedTLS - * Add curl-CVE-2024-2466.patch +- remove mozilla-nss code (unsupported since 8.3.0) ------------------------------------------------------------------- -Fri Mar 22 13:55:01 UTC 2024 - Pedro Monreal +Fri May 24 11:05:25 UTC 2024 - Pedro Monreal -- Security fix: [bsc#1221665, CVE-2024-2004] - * Usage of disabled protocol - * Add curl-CVE-2024-2004.patch +- Fix make install for curl-config.1 + * docs/Makefile.am: make curl-config.1 install + * Fixed upstream in: github.com/curl/curl/pull/13741 + * Add curl-make-install-curl-config.patch ------------------------------------------------------------------- -Thu Mar 21 12:27:30 UTC 2024 - Pedro Monreal +Wed May 22 17:56:18 UTC 2024 - Pedro Monreal -- Security fix: [bsc#1221667, CVE-2024-2398] - * curl: HTTP/2 push headers memory-leak - * Add curl-CVE-2024-2398.patch +- Update to 8.8.0: + * Changes: + - curl_version_info: provide librtmp version + - file: add support for directory listings + - lib: add curl_multi_waitfds + - NTLM_WB: drop support + - TLS: add support for ECH (Encrypted Client Hello) + - urlapi: add CURLU_GET_EMPTY for empty queries and fragments + * Bugfixes: + - build: prefer "USE_IPV6" macro internally (was: "ENABLE_IPV6") + - cd2nroff/manage: use UTC when SOURCE_DATE_EPOCH is set + - cf-socket: don't try getting local IP without socket + - cf-socket: remove references to l_ip, l_port + - 
configure: make --disable-docs imply --disable-manual + - curl.h: change CURL_SSLVERSION_* from enum to defines + - curl_path: make Curl_get_pathname use dynbuf + - curl_sha512_256: do not use workaround for NetBSD when not needed + - curl_sha512_256: fix detection of OpenSSL 1.1.1 or later + - curl_url_get.md: clarify queries and fragments and CURLU_GET_EMPTY + - DEPRECATE.md: TLS libraries without 1.3 support + - digest: replace strcpy for empty string with simple assignment + - doc: pytest "--repeat" -> "--count" + - docs/cmdline-opts: mention STARTTLS for --ssl and --ssl-reqd + - dynbuf: fix returncode on memory error + - ftp: add tracing support + - ftp: fix socket leak on rare error + - gnutls: lazy init the trust settings + - hsts: explicitly skip blank lines + - http2 + ngtcp2: pass CURLcode errors from callbacks + - http2, http3: decouple stream state from easy handle + - http2: emit RST when client write fails + - http: HEAD response body tolerance + - http: reject HTTP major version switch mid connection + - http: with chunked POST forced, disable length check on read callback + - idn: make Curl_idnconvert_hostname() use Curl_idn_decode() + - if2ip: make the buf_size arg a size_t + - krb5: use dynbuf + - lib/cf-h1-proxy: silence compiler warnings (gcc 14) + - lib: add trace support for client reads and writes + - lib: bump hash sizes to "size_t" + - lib: clear the easy handle's saved errno before transfer + - lib: make protocol handlers store scheme name lowercase + - lib: merge "ENABLE_QUIC" C macro into "USE_HTTP3" + - libssh2: set length to 0 if strdup failed + - openssl: do not set SSL_MODE_RELEASE_BUFFERS + - openssl: revert keylog_callback support for LibreSSL + - OS400: fix shellcheck warnings in scripts + - quiche: expire all active transfers on connection close + - quiche: trust its timeout handling + - tls: use shared init code for TCP+QUIC + - tool_cfgable: free {proxy_}cipher13_list on exit + - url: do not URL decode proxy crendentials + - 
url: fix use of an uninitialized variable + - url: make parse_login_details use memdup0 + - urlapi: allow setting port number zero + - version: use msnprintf instead of strncpy + - vtls: TLS session storage overhaul + - wakeup_create: use FD_CLOEXEC/SOCK_CLOEXEC + - websocket: avoid memory leak in error path + +------------------------------------------------------------------- +Wed May 22 11:04:58 UTC 2024 - Dominique Leuenberger + +- Add split-provides for libcurl-devel -> libcurl-devel-doc. + +------------------------------------------------------------------- +Mon May 20 17:31:35 UTC 2024 - Jan Engelhardt + +- Spin documentation off to libcurl-devel-doc, this saves buildroots + 495 files and time (mandb is run in %posttrans). + +------------------------------------------------------------------- +Wed Mar 27 09:38:34 UTC 2024 - Pedro Monreal + +- Update to 8.7.1: + * Fixed empty tool_hugehelp.c file + +- Update to 8.7.0: + * Security fixes: + - [bsc#1221665, CVE-2024-2004] Usage of disabled protocol + - [bsc#1221667, CVE-2024-2398] HTTP/2 push headers memory-leak + - [bsc#1221666, CVE-2024-2379] QUIC certificate check bypass with wolfSSL + - [bsc#1221668, CVE-2024-2466] TLS certificate check bypass with mbedTLS + * Changes: + - configure: add --disable-docs flag + - CURLINFO_USED_PROXY: return bool whether the proxy was used + - digest: support SHA-512/256 + * Bugfixes: + - asyn-thread: use wakeup_close to close the read descriptor + - bufq: writing into a softlimit queue cannot be partial + - cmake: add USE_OPENSSL_QUIC support + - cookie: if psl fails, reject the cookie + - curl: exit on config file parser errors + - digest: add check for hashing error + - docs/libcurl: add TLS backend info for all TLS options + - file: use xfer buf for file:// transfers + - ftp: do lineend conversions in client writer + - ftp: fix socket wait activity in ftp_domore_getsock + - http2: memory errors in the push callbacks are fatal + - http2: push headers better cleanup + - 
libssh/libssh2: return error on too big range + - OpenSSL QUIC: adapt to v3.3.x + - setopt: fix check for CURLOPT_PROXY_TLSAUTH_TYPE value + - setopt: fix disabling all protocols + - sha512_256: add support for GnuTLS and OpenSSL + - smtp: fix STARTTLS + - strtoofft: fix the overflow check + - TIMER_STARTTRANSFER: set the same for everyone + - TLS: start shutdown only when peer did not already close + - tool_getparam: accept a blank -w "" + - tool_getparam: handle non-existing (out of range) short-options + - tool_operate: change precedence of server Retry-After time + - transfer.c: break receive loop in speed limited transfers + - version: allow building with ancient libpsl + - vquic-tls: fix the error code returned for bad CA file + - vtls: fix tls proxy peer verification + - vtls: revert "receive max buffer" + add test case + - VULN-DISCLOSURE-POLICY.md: update detail about CVE requests + - websocket: fix curl_ws_recv() + * Remove patch upstream: + - 0001-vtls-revert-receive-max-buffer-add-test-case.patch ------------------------------------------------------------------- Tue Mar 12 08:43:30 UTC 2024 - Pedro Monreal @@ -345,7 +535,7 @@ Wed Jul 19 06:22:14 UTC 2023 - Pedro Monreal - curl: add --trace-ids - CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS - haproxy: add --haproxy-clientip flag to set client IPs - - lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID + - lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID * Bugfixes: - cf-socket: don't bypass fclosesocket callback if cancelled before connect - cf-socket: skip getpeername()/getsockname for TFTP 
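Review bot: The CVE-2024-8096 fix is lost by this sync: the removed Sep 4 entry `Security fix: [bsc#1230093, CVE-2024-8096] ... Add curl-CVE-2024-8096.patch` has no counterpart on the new side, and the 8.9.1 entry that now tops the file lists only CVE-2024-7264 under security fixes, while upstream shipped the GnuTLS OCSP stapling fix in 8.10.0, so deleting curl-CVE-2024-8096.patch while moving to 8.9.1 appears to reintroduce the issue rather than supersede the patch. Either re-add that patch on top of 8.9.1 or keep the changelog line so the regression is at least recorded. The other dropped patches look covered (CVE-2024-6197 and CVE-2024-7264 appear under the new 8.9.0/8.9.1 entries, the four 2024-2xxx CVEs under 8.7.0, and the aws-sigv4 path-encoding patch is dated May 27 2024, after the 8.8.0 entry), but that is inferred from dates and worth confirming against the upstream release notes. Dropping the `bsc#1230516` line also removes the only record that that bug was addressed; a note such as `- aws-sigv4: url encode the canonical path is now included upstream [bsc#1230516]` would keep the audit trail.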
@@ -374,7 +564,7 @@ Wed Jul 19 06:22:14 UTC 2023 - Pedro Monreal - urlapi: scheme must start with alpha - vtls: avoid memory leak if sha256 call fails - websocket-cb: example doing WebSocket download using callback - - ws: make the curl_ws_meta() return pointer a const + - ws: make the curl_ws_meta() return pointer a const ------------------------------------------------------------------- Tue May 30 09:08:35 UTC 2023 - Pedro Monreal @@ -430,7 +620,7 @@ Wed May 17 08:13:32 UTC 2023 - David Anes - curl: add --proxy-http2 - CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2 - hostip: refuse to resolve the .onion TLD - - tool_writeout: add URL component variables + - tool_writeout: add URL component variables * Bugfixes: - See full changelog here: https://curl.se/changes.html#8_1_0 @@ -453,7 +643,7 @@ Mon Mar 20 07:19:32 UTC 2023 - Pedro Monreal - HSTS double-free [bsc#1209213, CVE-2023-27537] - SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538] * Changes: - - build: remove support for curl_off_t < 8 bytes + - build: remove support for curl_off_t < 8 bytes * Bugfixes: - aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3 - BINDINGS: add Fortran binding @@ -565,7 +755,7 @@ Wed Feb 15 08:39:24 UTC 2023 - Pedro Monreal ------------------------------------------------------------------- Wed Dec 21 08:19:23 UTC 2022 - David Anes -- Update to 7.87.0: +- Update to 7.87.0: * Security fixes: - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free 
@@ -574,7 +764,7 @@ Wed Dec 21 08:19:23 UTC 2022 - David Anes - CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit - lib: add CURL_WRITEFUNC_ERROR to signal write callback error - openssl: reduce CA certificate bundle reparsing by caching - - version: add a feature names array to curl_version_info_data + - version: add a feature names array to curl_version_info_data * Bugfixes - altsvc: fix rejection of negative port numbers - aws_sigv4: consult x-%s-content-sha256 for payload hash @@ -730,7 +920,7 @@ Wed Dec 21 08:19:23 UTC 2022 - David Anes - winidn: drop WANT_IDN_PROTOTYPES - ws: if no connection is around, return error - ws: return CURLE_NOT_BUILT_IN when websockets not built in - - x509asn1: avoid freeing unallocated pointers + - x509asn1: avoid freeing unallocated pointers ------------------------------------------------------------------- Wed Nov 16 03:09:27 UTC 2022 - Luciano Santos @@ -897,7 +1087,7 @@ Wed Aug 31 07:34:20 UTC 2022 - Pedro Monreal ------------------------------------------------------------------- Sun Jul 24 19:37:01 UTC 2022 - Dirk Müller -- add tests-for-32bit.patch to fix testsuite on 32bit platforms +- add tests-for-32bit.patch to fix testsuite on 32bit platforms ------------------------------------------------------------------- Mon Jun 27 14:36:10 UTC 2022 - David Anes @@ -916,7 +1106,7 @@ Mon Jun 27 14:36:10 UTC 2022 - David Anes - lib: make curl_global_init() threadsafe when possible - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION - opts: deprecate RANDOM_FILE and EGDSOCKET - - socks: support unix sockets for socks proxy + - socks: support unix sockets for socks proxy * Bugfixes: - aws-sigv4: fix potentional NULL pointer arithmetic - bindlocal: don't use a random port if port number would wrap 
@@ -1040,14 +1230,14 @@ Mon Jun 27 14:36:10 UTC 2022 - David Anes - wolfssh.h: removed - wolfssl: correct the failf() message when a handle can't be made - wolfSSL: explicitly use compatibility layer - - x509asn1: mark msnprintf return as unchecked + - x509asn1: mark msnprintf return as unchecked ------------------------------------------------------------------- Wed May 11 07:11:50 UTC 2022 - David Anes - Update to 7.83.1: * Security fixes: - - (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot + - (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot - (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse - (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop - (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host @@ -1094,7 +1284,7 @@ Wed May 11 07:11:50 UTC 2022 - David Anes - url: check SSH config match on connection reuse - urlapi: address (harmless) UndefinedBehavior sanitizer warning - urlapi: reject percent-decoding host name into separator bytes - - x509asn1: make do_pubkey handle EC public keys + - x509asn1: make do_pubkey handle EC public keys ------------------------------------------------------------------- Fri Apr 22 11:39:46 UTC 2022 - David Anes @@ -1102,7 +1292,7 @@ Fri Apr 22 11:39:46 UTC 2022 - David Anes - Patches rework: * Refreshed all patches as -p1. * Use autopatch macro. - * Renamed: + * Renamed: - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch * Removed (already upstream): - curl-fix-verifyhost.patch @@ -1119,7 +1309,7 @@ Fri Apr 22 11:39:46 UTC 2022 - David Anes - curl: add --no-clobber - curl: add --remove-on-error - header api: add curl_easy_header and curl_easy_nextheader - - msh3: add support for QUIC and HTTP/3 using msh3 + - msh3: add support for QUIC and HTTP/3 using msh3 * Bugfixes: - appveyor: add Cygwin build - appveyor: only add MSYS2 to PATH where required 
@@ -1245,7 +1435,7 @@ Fri Apr 22 11:39:46 UTC 2022 - David Anes - vtls: use a generic "ALPN, server accepted" message - winbuild/README.md: fixup dead link - winbuild: Add a Visual Studio example to the README - - wolfssl: fix compiler error without IPv6 + - wolfssl: fix compiler error without IPv6 ------------------------------------------------------------------- Fri Mar 11 16:36:50 UTC 2022 - Pedro Monreal @@ -1471,7 +1661,7 @@ Wed Sep 22 11:17:15 UTC 2021 - Pedro Monreal - http: fix the broken >3 digit response code detection - strerror: use sys_errlist instead of strerror on Windows - test1184: disable: https://github.com/curl/curl/issues/7725 - - tests/sshserver.pl: make it work with openssh-8.7p1 + - tests/sshserver.pl: make it work with openssh-8.7p1 ------------------------------------------------------------------- Wed Sep 15 15:08:18 UTC 2021 - Pedro Monreal @@ -1595,7 +1785,7 @@ Wed May 26 07:47:00 UTC 2021 - Pedro Monreal - curl: ignore options asking for SSLv2 or SSLv3 - hsts: enable by default - SSL: support in-memory CA certs for some backends - - vtls: refuse setting any SSL version + - vtls: refuse setting any SSL version * Bugfixes: - configure: provide --with-openssl, deprecate --with-ssl - cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies @@ -1693,7 +1883,7 @@ Thu Feb 4 11:20:22 UTC 2021 - Pedro Monreal - dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries - gopher: implement secure gopher protocol - http: add Hyper as new optional HTTP backend - - http: introduce AWS HTTP v4 Signature support + - http: introduce AWS HTTP v4 Signature support * Bugfixes: - cmake: Add an option to disable libidn2 - cmake: enable gophers correctly in curl-config 
@@ -1721,12 +1911,12 @@ Thu Feb 4 11:20:22 UTC 2021 - Pedro Monreal ------------------------------------------------------------------- Fri Dec 18 20:04:33 UTC 2020 - Cristian Rodríguez -- Enable zstd and brotli support +- Enable zstd and brotli support ------------------------------------------------------------------- Mon Dec 14 15:25:07 UTC 2020 - Pedro Monreal -- Update to 7.74.0 +- Update to 7.74.0 * Changes: hsts: add experimental support for Strict-Transport-Security * Bugfixes: @@ -1788,7 +1978,7 @@ Wed Oct 14 21:29:48 UTC 2020 - Pedro Monreal - mqtt: enable by default - sftp: add new quote commands 'atime' and 'mtime' - ssh: add the option CURLKHSTAT_FINE_REPLACE - - tls: add CURLOPT_SSL_EC_CURVES and --curves + - tls: add CURLOPT_SSL_EC_CURVES and --curves * Bugfixes: - base64: also build for smtp, pop3 and imap - cleanups: avoid curl_ on local variables @@ -1916,7 +2106,7 @@ Wed Jul 1 12:59:25 UTC 2020 - Pedro Monreal Gonzalez @@ -1926,7 +2116,7 @@ Wed Jun 24 07:13:22 UTC 2020 - Pedro Monreal Gonzalez @@ -2035,10 +2225,10 @@ Wed Apr 29 07:45:48 UTC 2020 - Paolo Stivanin - curl: add --ssl-revoke-best-effort to allow a "best effort" revocation check - mqtt: add new experimental protocol - schannel: add "best effort" revocation check option: CURLSSLOPT_REVOKE_BEST_EFFORT - - writeout: support to generate JSON output with '%{json}' + - writeout: support to generate JSON output with '%{json}' * Bugfixes: - gnutls: Don't skip really long certificate fields - - gnutls: ensure TLS 1.3 when SRP isn't requested + - gnutls: ensure TLS 1.3 when SRP isn't requested - lib: never define CURL_CA_BUNDLE with a getenv - libcurl-multi.3: added missing full stop - libssh: avoid options override by configuration files @@ -2076,7 +2266,7 @@ Thu Mar 12 22:07:26 UTC 2020 - Pedro Monreal Gonzalez 
@@ -2090,7 +2280,7 @@ Wed Mar 4 08:56:45 UTC 2020 - Pedro Monreal Gonzalez - Update to 7.65.3 - * progress: make the progress meter appear again + * progress: make the progress meter appear again ------------------------------------------------------------------- Wed Jul 17 09:07:25 UTC 2019 - Pedro Monreal Gonzalez @@ -2674,7 +2864,7 @@ Wed May 22 11:41:49 UTC 2019 - Pedro Monreal Gonzalez @@ -2892,7 +3082,7 @@ Tue Apr 9 11:41:07 UTC 2019 - Pedro Monreal Gonzalez @@ -3077,7 +3267,7 @@ Thu Dec 27 04:44:48 UTC 2018 - sean@suspend.net * nss: Fix compatibility with nss versions 3.14 to 3.15 * nss: fix fallthrough comment to fix picky compiler warning * nss: remove version selecting dead code - * nss: set default max-tls to 1.3/1.2 + * nss: set default max-tls to 1.3/1.2 * openssl: Remove SSLEAY leftovers * openssl: do not log excess "TLS app data" lines for TLS 1.3 * openssl: do not use file BIOs if not requested @@ -3124,7 +3314,7 @@ Wed Oct 31 09:23:37 UTC 2018 - Pedro Monreal Gonzalez * urldata: remove unused pipe_broke struct field * vtls: reinstantiate engine on duplicated handles * windows: implement send buffer tuning - * wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random + * wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random - Remove patch included upstream: * curl-switch-off-all-styles.patch 
@@ -3354,30 +3544,30 @@ Tue Jul 17 13:56:05 UTC 2018 - pgajdos@suse.com Changes: * getinfo: add microsecond precise timers for seven intervals * curl: show headers in bold, switch off with --no-styled-output - * httpauth: add support for Bearer tokens + * httpauth: add support for Bearer tokens * Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS * curl: --tls13-ciphers and --proxy-tls13-ciphers * Add CURLOPT_DISALLOW_USERNAME_IN_URL - * curl: --disallow-username-in-url + * curl: --disallow-username-in-url Bugfixes: - * CVE-2018-0500: smtp: fix SMTP send buffer overflow + * CVE-2018-0500: smtp: fix SMTP send buffer overflow * schannel: disable client cert option if APIs not available * schannel: disable manual verify if APIs not available * tests/libtest/Makefile: Do not unconditionally add gcc-specific flags - * openssl: acknowledge --tls-max for default version too + * openssl: acknowledge --tls-max for default version too * stub_gssapi: fix 'unused parameter' warnings * examples/progressfunc: make it build on both new and old libcurls * docs: mention it is HA Proxy protocol "version 1" - * curl_fnmatch: only allow two asterisks for matching - * docs: clarify CURLOPT_HTTPGET + * curl_fnmatch: only allow two asterisks for matching + * docs: clarify CURLOPT_HTTPGET * configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE * configure: do compile-time SIZEOF checks instead of run-time - * checksrc: make sure sizeof() is used *with* parentheses + * checksrc: make sure sizeof() is used *with* parentheses * CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit - * schannel: make CAinfo parsing resilient to CR/LF + * schannel: make CAinfo parsing resilient to CR/LF * tftp: make sure error is zero terminated before printfing it * http resume: skip body if http code 416 (range error) is ignored - * configure: add basic test of --with-ssl prefix + * configure: add basic test of --with-ssl prefix * cmake: set -d postfix for debug builds * multi: provide a socket to 
wait for in Curl_protocol_getsock * content_encoding: handle zlib versions too old for Z_BLOCK @@ -3385,15 +3575,15 @@ Tue Jul 17 13:56:05 UTC 2018 - pgajdos@suse.com * winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST * schannel: add failf calls for client certificate failures * cmake: Fix the test for fsetxattr and strerror_r - * curl.1: Fix cmdline-opts reference errors + * curl.1: Fix cmdline-opts reference errors * cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options - * cmake: check for getpwuid_r + * cmake: check for getpwuid_r * configure: fix ssh2 linking when built with a static mbedtls * psl: use latest psl and refresh it periodically - * fnmatch: insist on escaped bracket to match - * KNOWN_BUGS: restore text regarding #2101 - * INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib - * configure: override AR_FLAGS to silence warning + * fnmatch: insist on escaped bracket to match + * KNOWN_BUGS: restore text regarding #2101 + * INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib + * configure: override AR_FLAGS to silence warning * os400: implement mime api EBCDIC wrappers * curl.rc: embed manifest for correct Windows version detection * strictness: correct {infof, failf} format specifiers @@ -3470,7 +3660,7 @@ Wed May 16 08:41:48 UTC 2018 - pmonrealgonzalez@suse.com Changes: * Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol * Add --haproxy-protocol for the command line tool - * Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses + * Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses Bugfixes: * FTP: shutdown response buffer overflow CVE-2018-1000300 * RTSP: bad headers buffer over-read CVE-2018-1000301 
@@ -3581,7 +3771,7 @@ Wed May 16 08:41:48 UTC 2018 - pmonrealgonzalez@suse.com * cookies: accept parameter names as cookie name * http2: getsock fix for uploads * all over: fixed format specifiers - * http2: use the correct function pointer typedef + * http2: use the correct function pointer typedef ------------------------------------------------------------------- Wed Mar 14 14:23:22 UTC 2018 - pmonrealgonzalez@suse.com @@ -3602,8 +3792,8 @@ Wed Mar 14 13:08:33 UTC 2018 - pmonrealgonzalez@suse.com * CURLOPT_RESOLVE: Add support for multiple IP addresses per entry * Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS * Add new tool option --happy-eyeballs-timeout-ms - * Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA - Bugfixes: + * Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA + Bugfixes: * openldap: check ldap_get_attribute_ber() results for NULL before using * FTP: reject path components with control codes * readwrite: make sure excess reads don't go beyond buffer end @@ -3673,7 +3863,7 @@ Wed Mar 14 13:08:33 UTC 2018 - pmonrealgonzalez@suse.com * curl tool: accept --compressed also if Brotli is enabled and zlib is not * WolfSSL: adding TLSv1.3 * checksrc.pl: add -i and -m options - * CURLOPT_COOKIEFILE.3: "-" as file name means stdin + * CURLOPT_COOKIEFILE.3: "-" as file name means stdin - Refreshed patch libcurl-ocloexec.patch @@ -3932,7 +4122,7 @@ Thu Oct 5 16:15:04 UTC 2017 - pmonrealgonzalez@suse.com * libcurl: enable compression for SCP/SFTP with CURLOPT_SSH_COMPRESSION * vtls: added dynamic changing SSL backend with curl_global_sslset() * new MIME API, curl_mime_init() and friends - * openssl: initial SSLKEYLOGFILE implementation + * openssl: initial SSLKEYLOGFILE implementation Security fixes: * CVE-2017-1000254 FTP PWD response parser out of bounds read Bugfixes: 
@@ -4010,7 +4200,7 @@ Thu Oct 5 16:15:04 UTC 2017 - pmonrealgonzalez@suse.com * connect: fix race condition with happy eyeballs timeout * cookie: fix memory leak if path was set twice in header * vtls: compare and clone ssl configs properly - * proxy: read the "no_proxy" variable only if necessary + * proxy: read the "no_proxy" variable only if necessary - Refreshed patches: * libcurl-ocloexec.patch @@ -4058,7 +4248,7 @@ Wed Aug 9 09:34:25 UTC 2017 - pmonrealgonzalez@suse.com * libcurl: added CURLOPT_SOCKS5_AUTH Bugfixes: * Security Fixes: - - glob: do not parse after a strtoul() overflow range + - glob: do not parse after a strtoul() overflow range (CVE-2017-1000101, bsc#1051643) - tftp: reject file name lengths that don't fit (CVE-2017-1000100, bsc#1051644) @@ -4198,12 +4388,12 @@ Wed Jun 14 11:19:16 UTC 2017 - idonmez@suse.com * ssh: fix memory leak in disconnect due to timeout * redirect: store the "would redirect to" URL when max redirs is reached * file: make speedcheck use current time for checks - * urlglob: fix division by zero + * urlglob: fix division by zero ------------------------------------------------------------------- Tue Jun 13 13:08:21 UTC 2017 - lnussel@suse.de -- Create curl-mini for bootstrapping (boo#1042919) +- Create curl-mini for bootstrapping (boo#1042919) ------------------------------------------------------------------- Wed Apr 19 08:17:17 UTC 2017 - idonmez@suse.com @@ -4375,7 +4565,7 @@ Sun Feb 5 22:33:33 UTC 2017 - astieger@suse.com - build with libidn2 for IDNA2008 support FATE#321897 CVE-2016-8625 bsc#1005649 add curl-7.52.1-idn-fixes.patch to fix test, among other things -- re-enable tests that are no longer failing, +- re-enable tests that are no longer failing, remove curl-disable_failing_tests.patch ------------------------------------------------------------------- 
@@ -4396,7 +4586,7 @@ Wed Dec 21 07:10:10 UTC 2016 - idonmez@suse.com * curl: Add --retry-connrefused * proxy: Support HTTPS proxy and SOCKS+HTTP(s) * add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme} - * curl: add --fail-early + * curl: add --fail-early Bugfixes: * CVE-2016-9586: printf floating point buffer overflow * curl -w: added more decimal digits to timing counters @@ -4437,7 +4627,7 @@ Wed Nov 2 07:15:44 UTC 2016 - idonmez@suse.com Changes: * nss: additional cipher suites are now accepted by CURLOPT_SSL_CIPHER_LIST - * New option: CURLOPT_KEEP_SENDING_ON_ERROR + * New option: CURLOPT_KEEP_SENDING_ON_ERROR Bugfixes: * CVE-2016-8615: cookie injection for other servers * CVE-2016-8616: case insensitive password comparison @@ -4591,7 +4781,7 @@ Fri Aug 5 12:41:43 UTC 2016 - pjanouch@suse.de * curl.h: make public types void * again * win32: fix a potential memory leak in Curl_load_library * travis: fix OSX build by re-installing libtool - * mbedtls: Fix debug function name + * mbedtls: Fix debug function name - removed 0001-tests-distribute-the-http2-server.pl-script-too.patch ------------------------------------------------------------------- @@ -4656,7 +4846,7 @@ Tue Jun 14 11:47:27 UTC 2016 - astieger@suse.com * curl: added --connect-to * libcurl: added CURLOPT_TCP_FASTOPEN * curl: added --tcp-fastopen - * curl: remove support for --ftpport, -http-request and --socks + * curl: remove support for --ftpport, -http-request and --socks * a number of bug and build fixes - update upstream signing key and download URLs - 0001-Fix-invalid-Network-is-unreachable-errors.patch is upstream 
@@ -4756,7 +4946,7 @@ Sat Oct 10 06:58:35 UTC 2015 - mpluskal@suse.com * getinfo: added CURLINFO_ACTIVESOCKET * turned CURLINFO_* option docs as stand-alone man pages * curl: point out unnecessary uses of -X in verbose mode -- Drop curl-disable_failing_tests.patch as it is now part of +- Drop curl-disable_failing_tests.patch as it is now part of upstream ------------------------------------------------------------------- @@ -4804,14 +4994,14 @@ Fri Jun 19 13:07:44 UTC 2015 - mpluskal@suse.com * Mew curl option: --service-name * New curl option: --data-raw * Added CURLOPT_PIPEWAIT - * Added support for multiplexing transfers using HTTP/2, enable - this with the new CURLPIPE_MULTIPLEX bit for + * Added support for multiplexing transfers using HTTP/2, enable + this with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING * HTTP/2: requires nghttp2 1.0.0 or later * scripts: add zsh.pl for generating zsh completion * curl.h: add CURL_HTTP_VERSION_2 * CVE-2015-3236: lingering HTTP credentials in connection re-use - * CVE-2015-3237: SMB send off unrelated memory contents + * CVE-2015-3237: SMB send off unrelated memory contents - Disable HTTP/2 as it would create build cycle ------------------------------------------------------------------- @@ -4860,7 +5050,7 @@ Thu Feb 26 09:37:22 UTC 2015 - sor.alexei@meowr.ru winbuild: Added option to build with c-ares Added --cert-status Added CURLOPT_SSL_VERIFYSTATUS - sasl: implement EXTERNAL authentication mechanism + sasl: implement EXTERNAL authentication mechanism ------------------------------------------------------------------- Sat Feb 14 18:29:37 UTC 2015 - mpluskal@suse.com 
@@ -4916,7 +5106,7 @@ Fri Nov 14 15:29:07 UTC 2014 - vcizek@suse.com ------------------------------------------------------------------- Thu Oct 23 15:13:30 UTC 2014 - crrodriguez@opensuse.org -- Ensure the curl command line tool always require +- Ensure the curl command line tool always require the same libcurl it was used for build, even expert users got confused. @@ -4997,7 +5187,7 @@ Wed Apr 9 11:40:19 UTC 2014 - vcizek@suse.com tool: add --no-alpn and --no-npn added CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN http2: build with current nghttp2 version - openssl: info message with SSL version used + openssl: info message with SSL version used * dropped curl-test172_cookie_expiration.patch (upstream) * added patches to make it build: - curl-mkhelp.patch @@ -5057,14 +5247,14 @@ Fri Nov 29 15:30:23 UTC 2013 - vcizek@suse.com ------------------------------------------------------------------- Mon Aug 12 05:29:34 UTC 2013 - crrodriguez@opensuse.org -- curl 7.32.0 -* curl: allow timeouts to accept decimal values -* CURLOPT_XFERINFOFUNCTION: introducing a new progress callback +- curl 7.32.0 +* curl: allow timeouts to accept decimal values +* CURLOPT_XFERINFOFUNCTION: introducing a new progress callback * SIGPIPE: ignored while inside the library * OpenSSL: check for read errors -* configure: automake 1.14 compatibility tweak -* curl_multi_wait: set revents for extra fds -* global dns cache: didn't work (regression) +* configure: automake 1.14 compatibility tweak +* curl_multi_wait: set revents for extra fds +* global dns cache: didn't work (regression) * mk-ca-bundle.1: don't install on make install 
@@ -5158,7 +5348,7 @@ Tue Nov 20 23:43:24 UTC 2012 - crrodriguez@opensuse.org * OpenSSL: Disable SSL/TLS compression - avoid the "CRIME" attack * TFTP: handle resend * memory leak: CURLOPT_RESOLVE with multi interface -* SSL: Several SSL-backend related fixes +* SSL: Several SSL-backend related fixes ------------------------------------------------------------------- Sun Nov 4 19:57:33 UTC 2012 - gber@opensuse.org @@ -5196,7 +5386,7 @@ Sat May 12 23:24:56 UTC 2012 - jengelh@inai.de ------------------------------------------------------------------- Wed Feb 8 00:45:18 UTC 2012 - crrodriguez@opensuse.org -- Problem with the c-ares backend, workaround for [bnc#745534] +- Problem with the c-ares backend, workaround for [bnc#745534] ------------------------------------------------------------------- Thu Feb 2 18:47:10 UTC 2012 - crrodriguez@opensuse.org @@ -5208,7 +5398,7 @@ Thu Feb 2 18:47:10 UTC 2012 - crrodriguez@opensuse.org Wed Jan 18 13:49:56 CET 2012 - dmueller@suse.de - use the rpmoptflags unconditionally, don't do own compiler flag - magic. Fixes debuginfo package built + magic. Fixes debuginfo package built ------------------------------------------------------------------- Wed Dec 28 10:30:28 UTC 2011 - mmarek@suse.cz @@ -5218,7 +5408,7 @@ Wed Dec 28 10:30:28 UTC 2011 - mmarek@suse.cz ------------------------------------------------------------------- Wed Nov 30 22:39:35 UTC 2011 - crrodriguez@opensuse.org -- Use O_CLOEXEC in library code. +- Use O_CLOEXEC in library code. ------------------------------------------------------------------- Tue Nov 29 11:51:38 UTC 2011 - jengelh@medozas.de @@ -5228,7 +5418,7 @@ Tue Nov 29 11:51:38 UTC 2011 - jengelh@medozas.de ------------------------------------------------------------------- Tue Nov 29 08:20:23 UTC 2011 - idoenmez@suse.de -- Use original source tarball +- Use original source tarball ------------------------------------------------------------------- Mon Nov 28 12:00:00 UTC 2011 - opensuse@dstoecker.de 
@@ -5273,7 +5463,7 @@ Fri Sep 16 17:22:44 UTC 2011 - jengelh@medozas.de ------------------------------------------------------------------- Mon Aug 15 05:05:01 UTC 2011 - crrodriguez@opensuse.org -- Use SSL_MODE_RELEASE_BUFFERS if available, accepted +- Use SSL_MODE_RELEASE_BUFFERS if available, accepted in upstream as commit 3d919440c80333c496fb ------------------------------------------------------------------- @@ -5294,13 +5484,13 @@ Mon Jul 11 11:40:17 CEST 2011 - pth@suse.de ------------------------------------------------------------------- Fri May 20 16:25:34 UTC 2011 - crrodriguez@opensuse.org -- remove unintented LDFLAGS from the spec file +- remove unintented LDFLAGS from the spec file ------------------------------------------------------------------- Fri May 20 15:37:54 UTC 2011 - crrodriguez@opensuse.org - Update to 7.21.6 -* curl-config: fix --version +* curl-config: fix --version * use HTTPS properly after CONNECT * SFTP: close file before post quote operations @@ -5364,7 +5554,7 @@ Fri Oct 22 16:37:03 UTC 2010 - cristian.rodriguez@opensuse.org * TFTP: Work around tftpd-hpa upload bug * libcurl.m4: several fixes * HTTP: remove special case for 416 - * globbing: fix crash on unballanced open brace + * globbing: fix crash on unballanced open brace ------------------------------------------------------------------- Wed Jun 2 14:12:54 UTC 2010 - lnussel@suse.de @@ -5374,7 +5564,7 @@ Wed Jun 2 14:12:54 UTC 2010 - lnussel@suse.de ------------------------------------------------------------------- Mon May 10 01:12:22 UTC 2010 - crrodriguez@opensuse.org -- disable c-ares support while bnc598574 is fixed. +- disable c-ares support while bnc598574 is fixed. ------------------------------------------------------------------- Sat Apr 24 10:58:50 UTC 2010 - coolo@novell.com 
@@ -5390,17 +5580,17 @@ Fri Apr 23 00:53:19 UTC 2010 - crrodriguez@opensuse.org * threaded resolver double free when closing curl handle * url_multi_remove_handle() caused use after free * SSL possible double free when reusing curl handle - * alarm()-based DNS timeout bug + * alarm()-based DNS timeout bug ------------------------------------------------------------------- Wed Mar 24 18:39:57 UTC 2010 - crrodriguez@opensuse.org -- enable libssh2 support unconditionally. +- enable libssh2 support unconditionally. ------------------------------------------------------------------- Wed Mar 10 13:46:45 UTC 2010 - crrodriguez@opensuse.org -- enable libcares support unconditionally. +- enable libcares support unconditionally. ------------------------------------------------------------------- Sat Feb 13 21:39:56 CET 2010 - dimstar@opensuse.org @@ -5772,7 +5962,7 @@ Fri Jun 1 11:57:28 CEST 2007 - dmueller@suse.de ------------------------------------------------------------------- Wed May 23 16:22:39 CEST 2007 - bk@suse.de -- updated to 7.16.2 (lots of fixes, fixes a segfault in git-http) +- updated to 7.16.2 (lots of fixes, fixes a segfault in git-http) ------------------------------------------------------------------- Fri May 4 14:55:41 CEST 2007 - mmarek@suse.cz @@ -5900,7 +6090,7 @@ Wed Jun 14 17:36:10 CEST 2006 - mmarek@suse.cz Sun May 28 16:16:33 CEST 2006 - cthiel@suse.de - update to version 7.15.3, changes & fixes for this version: - * added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD + * added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD * TFTP Packet Buffer Overflow Vulnerability (CVE-2006-1061) * properly detecting problems with sending the FTP command USER * wrong error message shown when certificate verification failed 
@@ -5909,7 +6099,7 @@ Sun May 28 16:16:33 CEST 2006 - cthiel@suse.de * "SSL: couldn't set callback" is now treated as a less serious problem * Interix build fix * fixed curl "hang" when out of file handles at start - * prevent FTP uploads to URLs with trailing slash + * prevent FTP uploads to URLs with trailing slash - changes & fixes in 7.15.2 * Support for SOCKS4 proxies (added --socks4) @@ -5960,7 +6150,7 @@ Tue Mar 14 12:35:53 CET 2006 - mmarek@suse.cz ------------------------------------------------------------------- Wed Feb 15 02:53:15 CET 2006 - ro@suse.de -- added libidn-devel to requires of devel package +- added libidn-devel to requires of devel package ------------------------------------------------------------------- Mon Feb 13 16:32:40 CET 2006 - mmarek@suse.cz @@ -6012,7 +6202,7 @@ Mon Oct 10 14:20:12 CEST 2005 - mmarek@suse.cz Mon Jun 20 16:38:34 CEST 2005 - anicka@suse.cz - update to 7.14.0 -- remove obsolete patch curl-ntlm.patch +- remove obsolete patch curl-ntlm.patch ------------------------------------------------------------------- Tue Apr 12 16:37:59 CEST 2005 - tcrhak@suse.cz @@ -6112,7 +6302,7 @@ Fri Jan 18 17:45:31 CET 2002 - tcrhak@suse.cz ------------------------------------------------------------------- Fri Oct 19 08:38:40 CEST 2001 - ro@suse.de -- do not pack shared library into both, main and devel package +- do not pack shared library into both, main and devel package ------------------------------------------------------------------- Mon Oct 8 11:35:52 CEST 2001 - tcrhak@suse.cz 
@@ -6122,27 +6312,27 @@ Mon Oct 8 11:35:52 CEST 2001 - tcrhak@suse.cz ------------------------------------------------------------------- Fri Sep 21 11:46:09 CEST 2001 - adostal@suse.cz -- fix manual in man.patch +- fix manual in man.patch ------------------------------------------------------------------- Tue Aug 21 16:10:10 CEST 2001 - adostal@suse.cz -- update to version 7.8.1 +- update to version 7.8.1 ------------------------------------------------------------------- Wed Jul 18 10:21:13 CEST 2001 - adostal@suse.cz -- files devel fixed +- files devel fixed ------------------------------------------------------------------- Mon Jul 2 17:51:34 CEST 2001 - adostal@suse.cz -- update to version 7.8 +- update to version 7.8 ------------------------------------------------------------------- Wed Jun 13 17:33:41 CEST 2001 - ro@suse.de -- fixed to compile with new autoconf +- fixed to compile with new autoconf ------------------------------------------------------------------- Mon Apr 9 14:39:03 CEST 2001 - cihlar@suse.cz diff --git a/curl.spec b/curl.spec index 58d0556..5ad327d 100644 --- a/curl.spec +++ b/curl.spec @@ -17,11 +17,19 @@ %bcond_without testsuite -%bcond_with mozilla_nss # need ssl always for python-pycurl %bcond_without openssl -Name: curl -Version: 8.6.0 +%define target @BUILD_FLAVOR@%{nil} +%if "%{target}" == "mini" +%bcond_without mini +%global psuffix -mini +%else +%bcond_with mini +%global psuffix %{nil} +%endif + +Name: curl%{?psuffix} +Version: 8.9.1 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl 
@@ -35,47 +43,28 @@ Patch1: dont-mess-with-rpmoptflags.patch Patch2: curl-secure-getenv.patch #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled Patch3: curl-disabled-redirect-protocol-message.patch -# PATCH-FIX-UPSTREAM -Patch4: 0001-vtls-revert-receive-max-buffer-add-test-case.patch -#PATCH-FIX-UPSTREAM bsc#1221665 CVE-2024-2004 Usage of disabled protocol -Patch5: curl-CVE-2024-2004.patch -#PATCH-FIX-UPSTREAM bsc#1221667 CVE-2024-2398 HTTP/2 push headers memory-leak -Patch6: curl-CVE-2024-2398.patch -#PATCH-FIX-UPSTREAM bsc#1221666 CVE-2024-2379 QUIC certificate check bypass with wolfSSL -Patch7: curl-CVE-2024-2379.patch -#PATCH-FIX-UPSTREAM bsc#1221668 CVE-2024-2466 TLS certificate check bypass with mbedTLS -Patch8: curl-CVE-2024-2466.patch -#PATCH-FIX-UPSTREAM bsc#1227888 CVE-2024-6197 Freeing stack buffer in utf8asn1str -Patch9: curl-CVE-2024-6197.patch -#PATCH-FIX-UPSTREAM bsc#1228535 CVE-2024-7264 ASN.1 date parser overread -Patch10: curl-CVE-2024-7264.patch -#PATCH-FIX-UPSTREAM bsc#1230093 CVE-2024-8096 OCSP stapling bypass with GnuTLS -Patch11: curl-CVE-2024-8096.patch -#PATCH-FIX-UPSTREAM bsc#1230516 Make special characters in URL work with aws-sigv4 -Patch12: curl-aws_sigv4-url-encode-the-canonical-path.patch +#PATCH-FIX-UPSTREAM sigpipe: init the struct so that first apply ignores +Patch4: curl-sigpipe.patch +BuildRequires: groff BuildRequires: libtool BuildRequires: pkgconfig -Requires: libcurl4 = %{version} -BuildRequires: groff -BuildRequires: lzma -BuildRequires: openldap2-devel -BuildRequires: pkgconfig(krb5) -BuildRequires: pkgconfig(libbrotlidec) BuildRequires: pkgconfig(libidn2) # Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922] # BuildRequires: pkgconfig(libmetalink) BuildRequires: pkgconfig(libnghttp2) BuildRequires: pkgconfig(libpsl) -BuildRequires: pkgconfig(libssh) BuildRequires: pkgconfig(libzstd) BuildRequires: pkgconfig(zlib) +Requires: libcurl4 = %{version} %if %{with openssl} 
BuildRequires: pkgconfig(libssl) %endif -%if %{with mozilla_nss} -BuildRequires: mozilla-nss-devel +%if !%{with mini} +BuildRequires: openldap2-devel +BuildRequires: pkgconfig(krb5) +BuildRequires: pkgconfig(libbrotlidec) +BuildRequires: pkgconfig(libssh) %endif -#BuildRequires: openssh %if 0%{?_with_stunnel:1} # used by the testsuite BuildRequires: stunnel @@ -87,13 +76,19 @@ server using any of the supported protocols (HTTP, HTTPS, FTP, FTPS, TFTP, DICT, TELNET, LDAP, or FILE). The command is designed to work without user interaction or any kind of interactivity. -%package -n libcurl4 +%package -n libcurl%{?psuffix}4 Summary: Library for transferring data from URLs +%if %{with mini} +Provides: libcurl4 = %{version} +%else +Obsoletes: libcurl-mini4 <= %{version} +%endif -%description -n libcurl4 +%description -n libcurl%{?psuffix}4 The cURL shared library for accessing data using different network protocols. +%if !%{with mini} %package -n libcurl-devel Summary: Development files for the curl library Requires: glibc-devel 
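Review bot: Dropping `curl-CVE-2024-8096.patch` (old Patch11) along with the move to 8.9.1 needs a justification in the spec, because as far as I recall the upstream fix for CVE-2024-8096 (OCSP stapling bypass with GnuTLS) only landed in 8.10.0, so 8.9.1 still carries the affected code. The build is only unaffected because this spec never enables the GnuTLS backend (`%bcond_without openssl`; no GnuTLS switch appears in the configure hunk below), and that dependency should be written down next to the openssl bcond, e.g. `# CVE-2024-8096 is GnuTLS-only and fixed upstream in 8.10.0; not carried because this package never builds the GnuTLS backend`. The same check applies to the removed `curl-aws_sigv4-url-encode-the-canonical-path.patch` (bsc#1230516), whose inclusion in 8.9.1 I cannot confirm from the hunk. The new Patch4 comment also lacks the bug or upstream reference the neighbouring entries carry; `#PATCH-FIX-UPSTREAM <upstream-commit-or-bsc-ref> sigpipe: init the struct so that first apply ignores`.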
@@ -107,8 +102,37 @@ server using any of the supported protocols (HTTP, HTTPS, FTP, GOPHER, DICT, TELNET, LDAP, or FILE). The command is designed to work without user interaction or any kind of interactivity. +%package -n libcurl-devel-doc +Summary: Manual pages for libcurl +Provides: libcurl-devel:%{_mandir}/man1/curl-config.1%{?ext_man} +BuildArch: noarch + +%description -n libcurl-devel-doc +Manual pages for the libcurl C API. + +%package fish-completion +Summary: Fish completion for curl +Group: System/Shells +Requires: fish +Supplements: (curl and fish) +BuildArch: noarch + +%description fish-completion +Fish command line completion support for %name. + +%package zsh-completion +Summary: Zsh Completion for %name +Group: System/Shells +Requires: zsh +Supplements: (curl and zsh) +BuildArch: noarch + +%description zsh-completion +ZSH command line completion support for %name. +%endif + %prep -%autosetup -p1 +%autosetup -p1 -n curl-%{version} %build # curl complains if macro definition is contained in CFLAGS @@ -123,7 +147,9 @@ autoreconf -fiv # (currently, libtool sets link_all_deplibs=(yes|unknown) everywhere, # will hopefully change in the future) sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure + %configure \ + --enable-hsts \ --enable-ipv6 \ %if %{with openssl} --with-openssl \ 
@@ -132,16 +158,37 @@ sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure --without-ca-bundle \ %else --without-openssl \ -%if %{with mozilla_nss} - --with-nss \ %endif -%endif - --with-gssapi=$(krb5-config --prefix) \ --with-libidn2 \ + --with-nghttp2 \ + --enable-docs \ +%if %{with mini} + --disable-dict \ + --disable-ftp \ + --disable-gopher \ + --disable-imap \ + --disable-mqtt \ + --disable-ntlm \ + --disable-ntlm-wb \ + --disable-pop3 \ + --disable-rtsp \ + --disable-smtp \ + --disable-telnet \ + --disable-tftp \ + --disable-tls-srp \ + --disable-websockets \ + --without-brotli \ + --without-libssh \ +%else + --with-gssapi=$(krb5-config --prefix) \ + --with-brotli \ --with-libssh \ +%endif --enable-symbol-hiding \ --disable-static \ - --enable-threaded-resolver + --enable-threaded-resolver \ + --with-zsh-functions-dir=%{_datadir}/zsh/site-functions/ \ + --with-fish-functions-dir=%{_datadir}/fish/vendor_completions.d # if this fails, the above sed hack did not work ./libtool --config | grep -q link_all_deplibs=no 
@@ -163,31 +210,39 @@ popd %install %make_install rm -f %{buildroot}%{_libdir}/libcurl.la +%if %{with mini} +rm -rv %{buildroot}%{_includedir}/curl %{buildroot}/%{_libdir}/pkgconfig %{buildroot}%{_datadir} +rm -v %{buildroot}%{_bindir}/curl %{buildroot}%{_bindir}/curl-config %{buildroot}%{_libdir}/libcurl.so +%else install -Dm 0644 docs/libcurl/libcurl.m4 %{buildroot}%{_datadir}/aclocal/libcurl.m4 pushd scripts %make_install popd +%endif -%post -n libcurl4 -p /sbin/ldconfig -%postun -n libcurl4 -p /sbin/ldconfig +%ldconfig_scriptlets -n libcurl%{?psuffix}4 +%files -n libcurl%{?psuffix}4 +%license COPYING +%{_libdir}/libcurl.so.4* + +%if !%{with mini} %files %doc README RELEASE-NOTES CHANGES %doc docs/{BUGS.md,FAQ,FEATURES.md,TODO,TheArtOfHttpScripting.md} %{_bindir}/curl -%{_datadir}/zsh/site-functions/_curl %{_mandir}/man1/curl.1%{?ext_man} -%{_mandir}/man1/mk-ca-bundle.1%{?ext_man} + +%files zsh-completion %dir %{_datadir}/zsh %dir %{_datadir}/zsh/site-functions +%{_datadir}/zsh/site-functions/_curl + +%files fish-completion %dir %{_datadir}/fish/ %dir %{_datadir}/fish/vendor_completions.d/ %{_datadir}/fish/vendor_completions.d/curl.fish -%files -n libcurl4 -%license COPYING -%{_libdir}/libcurl.so.4* - %files -n libcurl-devel %{_bindir}/curl-config %{_includedir}/curl @@ -195,8 +250,11 @@ popd %{_datadir}/aclocal/libcurl.m4 %{_libdir}/libcurl.so %{_libdir}/pkgconfig/libcurl.pc + +%files -n libcurl-devel-doc %{_mandir}/man1/curl-config.1%{?ext_man} %{_mandir}/man3/* %doc docs/libcurl/symbols-in-versions +%endif %changelog diff --git a/libcurl-ocloexec.patch b/libcurl-ocloexec.patch index 971ccd6..870706b 100644 --- a/libcurl-ocloexec.patch +++ b/libcurl-ocloexec.patch 
@@ -7,11 +7,11 @@ To make it portable you have to test O_CLOEXEC support at *runtime* compile time is not enough. -Index: curl-8.4.0/lib/file.c +Index: curl-8.9.0/lib/file.c =================================================================== ---- curl-8.4.0.orig/lib/file.c -+++ curl-8.4.0/lib/file.c -@@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl +--- curl-8.9.0.orig/lib/file.c ++++ curl-8.9.0/lib/file.c +@@ -242,7 +242,7 @@ static CURLcode file_connect(struct Curl } } #else @@ -20,19 +20,19 @@ Index: curl-8.4.0/lib/file.c file->path = real_path; #endif #endif -@@ -318,7 +318,7 @@ static CURLcode file_upload(struct Curl_ +@@ -329,7 +329,7 @@ static CURLcode file_upload(struct Curl_ else mode = MODE_DEFAULT|O_TRUNC; - fd = open(file->path, mode, data->set.new_file_perms); + fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms); if(fd < 0) { - failf(data, "Can't open %s for writing", file->path); + failf(data, "cannot open %s for writing", file->path); return CURLE_WRITE_ERROR; -Index: curl-8.4.0/lib/if2ip.c +Index: curl-8.9.0/lib/if2ip.c =================================================================== ---- curl-8.4.0.orig/lib/if2ip.c -+++ curl-8.4.0/lib/if2ip.c +--- curl-8.9.0.orig/lib/if2ip.c ++++ curl-8.9.0/lib/if2ip.c @@ -208,7 +208,7 @@ if2ip_result_t Curl_if2ip(int af, if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; @@ -42,11 +42,11 @@ Index: curl-8.4.0/lib/if2ip.c if(CURL_SOCKET_BAD == dummy) return IF2IP_NOT_FOUND; -Index: curl-8.4.0/configure.ac +Index: curl-8.9.0/configure.ac =================================================================== ---- curl-8.4.0.orig/configure.ac -+++ curl-8.4.0/configure.ac -@@ -428,6 +428,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m +--- curl-8.9.0.orig/configure.ac ++++ curl-8.9.0/configure.ac +@@ -441,6 +441,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m # Silence warning: ar: 'u' modifier ignored since 'D' is the default AC_SUBST(AR_FLAGS, [cr]) 
@@ -55,10 +55,10 @@ Index: curl-8.4.0/configure.ac dnl This defines _ALL_SOURCE for AIX CURL_CHECK_AIX_ALL_SOURCE -Index: curl-8.4.0/lib/hostip.c +Index: curl-8.9.0/lib/hostip.c =================================================================== ---- curl-8.4.0.orig/lib/hostip.c -+++ curl-8.4.0/lib/hostip.c +--- curl-8.9.0.orig/lib/hostip.c ++++ curl-8.9.0/lib/hostip.c @@ -44,6 +44,7 @@ #include #include @@ -67,20 +67,20 @@ Index: curl-8.4.0/lib/hostip.c #include "urldata.h" #include "sendf.h" #include "hostip.h" -@@ -609,7 +610,7 @@ bool Curl_ipv6works(struct Curl_easy *da +@@ -616,7 +617,7 @@ bool Curl_ipv6works(struct Curl_easy *da else { int ipv6_works = -1; /* probe to see if we have a working IPv6 stack */ - curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0); + curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0); if(s == CURL_SOCKET_BAD) - /* an IPv6 address was requested but we can't get/use one */ + /* an IPv6 address was requested but we cannot get/use one */ ipv6_works = 0; -Index: curl-8.4.0/lib/cf-socket.c +Index: curl-8.9.0/lib/cf-socket.c =================================================================== ---- curl-8.4.0.orig/lib/cf-socket.c -+++ curl-8.4.0/lib/cf-socket.c -@@ -274,7 +274,9 @@ static CURLcode socket_open(struct Curl_ +--- curl-8.9.0.orig/lib/cf-socket.c ++++ curl-8.9.0/lib/cf-socket.c +@@ -360,7 +360,9 @@ static CURLcode socket_open(struct Curl_ } else { /* opensocket callback not set, so simply create the socket now */