Accepting request 1243598 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/1243598
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/curl?expand=0&rev=207

curl-8.11.1.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmdZOq0ACgkQXMkI/bce
-EsLzzQgAgcHNuFJ9GItp9dQxzcvXsnvozNy77WMmVKyprUvrUlSRXRXDMc/FTmtV
-pqtTT8XyyTxh8iSY31uvH4firhfunK49Z94SK7R95yp8nCPQOKXJXKyqdzf9i8sm
-MlT3W8RCiVG0wGvmatIdHCAEStjQZsdplyiTNGytgp+4C9iLmXhaxD6sw9JYZWh+
-BryeOnsC9MCjrxhtTc/vD0g+wdhhvBzd5kiqLYsxptdcBdCPlWHoK+FYsQN91oDq
-25G82kpCkzz4tKRhSQmjowJ2kw+pQ3QYC9/5VEeDckaFlRM0tZNJ3TwcpAFxbYBW
-Uni36T510ri+vHBpCrl9ur9mAkbTZA==
-=PffT
------END PGP SIGNATURE-----

curl-8.12.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9a4628c764be6b1a9909567c13e8e771041609df43b2158fcac4e05ea7097e5d
+size 2777552

curl-8.12.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmejHBkACgkQXMkI/bce
+EsL+5wgAj2JdxoOAfIUzFDOuMAzNNP4tus8zwLpjIOOYqA8pe13h70fvZDLW8COQ
+tGPUItuRetUp0fVxLdsvpZcBa3WnRFYB0BhvEq+pl8bWMo0QptvwxROqW4xra5m2
++sGTzdXfcDdpbB24JTW+dbb9co6ArFuxR8bOgVaoBTuLzmtnXqXaC8mdHI8Bxb5z
+UEb3LImtt+nIeijMxz8umQ4ESX4YpbdhCaRag6GQLiR+qq0rUcJYBbUSbXBGLpfW
+TZpMmMzO1zHetlj3vSSgyGwAWYQGBpV2lR1jGdN9NBpwI36UUikt8fDPmSnsSu2o
+uCMMVe1BwZIJopsuWg/wKNXSWfgd3w==
+=n4b5
+-----END PGP SIGNATURE-----

curl.changes

@@ -1,3 +1,88 @@
+-------------------------------------------------------------------
+Thu Feb  6 07:52:21 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.12.0:
+  * Security fixes:
+    - [bsc#1234068, CVE-2024-11053] curl could leak the password used
+      for the first host to the followed-to host under certain circumstances.
+    - [bsc#1232528, CVE-2024-9681] HSTS subdomain overwrites parent cache entry
+    - [bsc#1236589, CVE-2025-0665] eventfd double close
+  * Changes:
+    - curl: add byte range support to --variable reading from file
+    - curl: make --etag-save acknowledge --create-dirs
+    - getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
+    - getinfo: provide info which auth was used for HTTP and proxy
+    - hyper: drop support
+    - openssl: add support to use keys and certificates from PKCS#11 provider
+    - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
+    - vtls: feature ssls-export for SSL session im-/export
+  * Bugfixes:
+    - altsvc: avoid integer overflow in expire calculation
+    - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
+    - asyn-ares: fix memory leak
+    - asyn-ares: initial HTTPS resolve support
+    - asyn-thread: use c-ares to resolve HTTPS RR
+    - async-thread: avoid closing eventfd twice
+    - cd2nroff: do not insist on quoted <> within backticks
+    - cd2nroff: support "none" as a TLS backend
+    - conncache: count shutdowns against host and max limits
+    - content_encoding: drop support for zlib before 1.2.0.4
+    - content_encoding: namespace GZIP flag constants
+    - content_encoding: put the decomp buffers into the writer structs
+    - content_encoding: support use of custom libzstd memory functions
+    - cookie: cap expire times to 400 days
+    - cookie: parse only the exact expire date
+    - curl: return error if etag options are used with multiple URLs
+    - curl_multi_fdset: include the shutdown connections in the set
+    - curl_sha512_256: rename symbols to the curl namespace
+    - curl_url_set.md: adjust the added-in to 7.62.0
+    - doh: send HTTPS RR requests for all HTTP(S) transfers
+    - easy: allow connect-only handle reuse with easy_perform
+    - easy: make curl_easy_perform() return error if connection still there
+    - easy_lock: use Sleep(1) for thread yield on old Windows
+    - ECH: update APIs to those agreed with OpenSSL maintainers
+    - GnuTLS: fix 'time_appconnect' for early data
+    - HTTP/2: strip TE request header
+    - http2: fix data_pending check
+    - http2: fix value stored to 'result' is never read
+    - http: ignore invalid Retry-After times
+    - http_aws_sigv4: Fix invalid compare function handling zero-length pairs
+    - https-connect: start next immediately on failure
+    - lib: redirect handling by protocol handler
+    - multi: fix curl_multi_waitfds reporting of fd_count
+    - netrc: 'default' with no credentials is not a match
+    - netrc: fix password-only entries
+    - netrc: restore _netrc fallback logic
+    - ngtcp2: fix memory leak on connect failure
+    - openssl: define `HAVE_KEYLOG_CALLBACK` before use
+    - openssl: fix ECH logic
+    - osslq: use SSL_poll to determine writeability of QUIC streams
+    - sectransp: free certificate on error
+    - select: avoid a NULL deref in cwfds_add_sock
+    - src: omit hugehelp and ca-embed from libcurltool
+    - ssl session cache: change cache dimensions
+    - system.h: add 64-bit curl_off_t definitions for NonStop
+    - telnet: handle single-byte input option
+    - TLS: check connection for SSL use, not handler
+    - tool_formparse.c: make curlx_uztoso a static in here
+    - tool_formparse: accept digits in --form type= strings
+    - tool_getparam: ECH param parsing refix
+    - tool_getparam: fail --hostpubsha256 if libssh2 is not used
+    - tool_getparam: fix "Ignored Return Value"
+    - tool_getparam: fix memory leak on error in parse_ech
+    - tool_getparam: fix the ECH parser
+    - tool_operate: make --etag-compare always accept a non-existing file
+    - transfer: fix CURLOPT_CURLU override logic
+    - urlapi: fix redirect to a new fragment or query (only)
+    - vquic: make vquic_send_packets not return without setting psent
+    - vtls: fix default SSL backend as a fallback
+    - vtls: only remember the expiry timestamp in session cache
+    - websocket: fix message send corruption
+    - x509asn1: add parse recursion limit
+  * Rebase pathes:
+    - libcurl-ocloexec.patch
+    - dont-mess-with-rpmoptflags.patch
+
 -------------------------------------------------------------------
 Wed Dec 11 07:42:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 

curl.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package curl
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,7 +29,7 @@
 %endif
 
 Name:           curl%{?psuffix}
-Version:        8.11.1
+Version:        8.12.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl

dont-mess-with-rpmoptflags.patch

@@ -1,15 +1,16 @@
-Index: curl-8.6.0/configure.ac
+Index: curl-8.12.0/configure.ac
 ===================================================================
---- curl-8.6.0.orig/configure.ac
-+++ curl-8.6.0/configure.ac
-@@ -506,10 +506,6 @@ dnl ************************************
+--- curl-8.12.0.orig/configure.ac
++++ curl-8.12.0/configure.ac
+@@ -502,11 +502,6 @@ if test "$curl_cv_native_windows" = "yes
+   esac
+ fi
  
- CURL_CHECK_COMPILER
- CURL_CHECK_NATIVE_WINDOWS
 -CURL_SET_COMPILER_BASIC_OPTS
 -CURL_SET_COMPILER_DEBUG_OPTS
 -CURL_SET_COMPILER_OPTIMIZE_OPTS
 -CURL_SET_COMPILER_WARNING_OPTS
- 
+-
  if test "$compiler_id" = "INTEL_UNIX_C"; then
    #
+   if test "$compiler_num" -ge "1000"; then

libcurl-ocloexec.patch

@@ -7,32 +7,35 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
 compile time is not enough.
 
 
-Index: curl-8.9.0/lib/file.c
+Index: curl-8.12.0/lib/file.c
 ===================================================================
---- curl-8.9.0.orig/lib/file.c
-+++ curl-8.9.0/lib/file.c
-@@ -242,7 +242,7 @@ static CURLcode file_connect(struct Curl
+--- curl-8.12.0.orig/lib/file.c
++++ curl-8.12.0/lib/file.c
+@@ -237,7 +237,7 @@ static CURLcode file_connect(struct Curl
      }
    }
    #else
--  fd = open_readonly(real_path, O_RDONLY);
-+  fd = open_readonly(real_path, O_RDONLY|O_CLOEXEC);
+-  fd = open(real_path, O_RDONLY);
++  fd = open(real_path, O_RDONLY|O_CLOEXEC);
    file->path = real_path;
    #endif
  #endif
-@@ -329,7 +329,7 @@ static CURLcode file_upload(struct Curl_
-   else
-     mode = MODE_DEFAULT|O_TRUNC;
+@@ -321,9 +321,9 @@ static CURLcode file_upload(struct Curl_
  
+ #if (defined(ANDROID) || defined(__ANDROID__)) && \
+     (defined(__i386__) || defined(__arm__))
+-  fd = open(file->path, mode, (mode_t)data->set.new_file_perms);
++  fd = open(file->path, mode|O_CLOEXEC, (mode_t)data->set.new_file_perms);
+ #else
 -  fd = open(file->path, mode, data->set.new_file_perms);
 +  fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
+ #endif
    if(fd < 0) {
      failf(data, "cannot open %s for writing", file->path);
-     return CURLE_WRITE_ERROR;
-Index: curl-8.9.0/lib/if2ip.c
+Index: curl-8.12.0/lib/if2ip.c
 ===================================================================
---- curl-8.9.0.orig/lib/if2ip.c
-+++ curl-8.9.0/lib/if2ip.c
+--- curl-8.12.0.orig/lib/if2ip.c
++++ curl-8.12.0/lib/if2ip.c
 @@ -208,7 +208,7 @@ if2ip_result_t Curl_if2ip(int af,
    if(len >= sizeof(req.ifr_name))
      return IF2IP_NOT_FOUND;
@@ -42,11 +45,11 @@ Index: curl-8.9.0/lib/if2ip.c
    if(CURL_SOCKET_BAD == dummy)
      return IF2IP_NOT_FOUND;
  
-Index: curl-8.9.0/configure.ac
+Index: curl-8.12.0/configure.ac
 ===================================================================
---- curl-8.9.0.orig/configure.ac
-+++ curl-8.9.0/configure.ac
-@@ -441,6 +441,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
+--- curl-8.12.0.orig/configure.ac
++++ curl-8.12.0/configure.ac
+@@ -426,6 +426,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [
  # Silence warning: ar: 'u' modifier ignored since 'D' is the default
  AC_SUBST(AR_FLAGS, [cr])
  
@@ -55,10 +58,10 @@ Index: curl-8.9.0/configure.ac
  dnl This defines _ALL_SOURCE for AIX
  CURL_CHECK_AIX_ALL_SOURCE
  
-Index: curl-8.9.0/lib/hostip.c
+Index: curl-8.12.0/lib/hostip.c
 ===================================================================
---- curl-8.9.0.orig/lib/hostip.c
-+++ curl-8.9.0/lib/hostip.c
+--- curl-8.12.0.orig/lib/hostip.c
++++ curl-8.12.0/lib/hostip.c
 @@ -44,6 +44,7 @@
  #include <setjmp.h>
  #include <signal.h>
@@ -67,7 +70,7 @@ Index: curl-8.9.0/lib/hostip.c
  #include "urldata.h"
  #include "sendf.h"
  #include "hostip.h"
-@@ -616,7 +617,7 @@ bool Curl_ipv6works(struct Curl_easy *da
+@@ -624,7 +625,7 @@ bool Curl_ipv6works(struct Curl_easy *da
    else {
      int ipv6_works = -1;
      /* probe to see if we have a working IPv6 stack */
@@ -76,11 +79,11 @@ Index: curl-8.9.0/lib/hostip.c
      if(s == CURL_SOCKET_BAD)
        /* an IPv6 address was requested but we cannot get/use one */
        ipv6_works = 0;
-Index: curl-8.9.0/lib/cf-socket.c
+Index: curl-8.12.0/lib/cf-socket.c
 ===================================================================
---- curl-8.9.0.orig/lib/cf-socket.c
-+++ curl-8.9.0/lib/cf-socket.c
-@@ -360,7 +360,9 @@ static CURLcode socket_open(struct Curl_
+--- curl-8.12.0.orig/lib/cf-socket.c
++++ curl-8.12.0/lib/cf-socket.c
+@@ -367,7 +367,9 @@ static CURLcode socket_open(struct Curl_
    }
    else {
      /* opensocket callback not set, so simply create the socket now */