pool/curl
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1131465 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

Browse Source 
- Update to 8.5.0:
  * Security fixes:
    - [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
    - [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents
  * Changes:
    - gnutls: support CURLSSLOPT_NATIVE_CA
    - HTTP3: ngtcp2 builds are no longer experimental
  * Bugfixes:
    - asyn-thread: use pipe instead of socketpair for IPC when available
    - cmake: fix OpenSSL quic detection in quiche builds
    - conncache: use the closure handle when disconnecting surplus connections
    - content_encoding: make Curl_all_content_encodings allocless
    - cookie: lowercase the domain names before PSL checks
    - Curl_http_body: cleanup properly when Curl_getformdata errors
    - CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
    - doh: provide better return code for responses w/o addresses
    - doh: use PIPEWAIT when HTTP/2 is attempted
    - duphandle: also free 'outcurl->cookies' in error path
    - duphandle: make dupset() not return with pointers to old alloced data
    - duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
    - easy: in duphandle, init the cookies for the new handle
    - easy_lock: add a pthread_mutex_t fallback
    - fopen: create new file using old file's mode
    - fopen: create short(er) temporary file name
    - getenv: PlayStation doesn't have getenv()
    - hostip: show the list of IPs when resolving is done
    - hsts: skip single-dot hostname
    - HTTP/2, HTTP/3: handle detach of onoing transfers
    - http: allow longer HTTP/2 request method names
    - hyper: temporarily remove HTTP/2 support
    - IPFS: fix IPFS_PATH and file parsing
    - multi: during ratelimit multi_getsock should return no sockets
    - multi: use pipe instead of socketpair to *wakeup()
    - ngtcp2: fix races in stream handling
    - ntlm_wb: use pipe instead of socketpair when possible
    - openssl: avoid BN_num_bits() NULL pointer derefs
    - openssl: fix building with v3 `no-deprecated` + add CI test
    - openssl: fix infof() to avoid compiler warning for %s with null
    - openssl: identify the "quictls" backend correctly
    - openssl: include SIG and KEM algorithms in verbose
    - openssl: two multi pointer checks should probably rather be asserts
    - openssl: when a session-ID is reused, skip OCSP stapling
    - quic: make eyeballers connect retries stop at weird replies
    - quic: manage connection idle timeouts
    - setopt: check CURLOPT_TFTP_BLKSIZE range on set
    - socks: better buffer size checks for socks4a user and hostname
    - socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
    - tool: fix --capath when proxy support is disabled
    - tool_getparam: limit --rate to be smaller than number of ms
    - transfer: abort pause send when connection is marked for closing
    - transfer: avoid calling the read callback again after EOF
    - transfer: only reset the FTP wildcard engine in CLEAR state
    - url: don't touch the multi handle when closing internal handles
    - urlapi: avoid null deref if setting blank host to url encode
    - urlapi: skip appending NULL pointer query
    - urlapi: when URL encoding the fragment, pass in the right length
    - vtls: cleanup SSL config management
    - vtls: consistently use typedef names for OpenSSL structs
    - vtls: late clone of connection ssl config
    - vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
  * Rebase curl-secure-getenv.patch
  * Add curl-tests-errorcodes.patch

OBS-URL: https://build.opensuse.org/request/show/1131465
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=348
This commit is contained in:
Pedro Monreal Gonzalez 2023-12-06 17:31:56 +00:00 committed by Git OBS Bridge
parent a18af43f06
commit 358aba2f66
8 changed files with 243 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
curl-8.4.0.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d
size 2658376

11
curl-8.4.0.tar.xz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmUmNUkACgkQXMkI/bce
EsIiwQgAjbpDysDBbuhdQekitabLu9vEk5rIk1wAM1cYLGKgEU+8oDIUTa1HFJCV
zb9fGNdnOpwYHOGiOiX5rec4cHcZrL/w92ctP9kgTY97VU3puESn2JO4abVuLtD6
lPfzIsSFnvYoawWKWLp8Vkia87r+Au9ZiUhM2NPiuZuBleWhk1RWSWoTN8FalK4x
pa/aUumd3niCfv5xdQ9fn//CrVJTKc7S18IC+vdlVYM3UgYVghRihTglEEg/7KAj
Hy73sgU2LtQUuuyL42K942bbKd92/OGvCDbPu3CZ8zL0TXHSFmcbMZrl90RPSCXE
qJiuih+EQxYKh3CGZxNftSI4iV7aag==
=wuw5
-----END PGP SIGNATURE-----

3
curl-8.5.0.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb
size 2658520

11
curl-8.5.0.tar.xz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmVwH74ACgkQXMkI/bce
EsJTjQgApzxL4B3UzTgozV3zElM2bE1tVeAnWzBvvgBr66n8Avj3qJv0OStRTm5I
GATuiWLFBKHEzrKJbApWiH8nwsKK/ZvlrAe6SyJ5jehK1l51da1LSnI/SkFt7him
EX2R9Eq8HWD5jhiHOYETFZ9U7aqf+OOnrRevzFs+GCcZqn6M4DKXc9gJCc2qgill
y9PfHrxLELJscPCw19fw9Hoo4QkcHKP1oOy4uha4iqDUmnFW9WTexVHAGOTMrJwl
6OZ+5apsaBB7+rambVnyeOx2DfpAsScmaXtaLNIBBDfNbBPkOA3lgmDZr/6KiSP1
Pr9Y2WDkGKgodo7NeRAHJl/WE+CMmQ==
=XAIZ
-----END PGP SIGNATURE-----

20
curl-secure-getenv.patch
View File

@ -1,8 +1,8 @@
Index: curl-7.82.0/lib/getenv.c
Index: curl-8.5.0/lib/getenv.c
===================================================================
--- curl-7.82.0.orig/lib/getenv.c
+++ curl-7.82.0/lib/getenv.c
@@ -27,6 +27,14 @@
--- curl-8.5.0.orig/lib/getenv.c
+++ curl-8.5.0/lib/getenv.c
@@ -29,6 +29,14 @@
#include "memdebug.h"
@ -16,8 +16,8 @@ Index: curl-7.82.0/lib/getenv.c
+
static char *GetEnv(const char *variable)
{
#if defined(_WIN32_WCE) || defined(CURL_WINDOWS_APP)
@@ -66,7 +74,7 @@ static char *GetEnv(const char *variable
#if defined(_WIN32_WCE) || defined(CURL_WINDOWS_APP) || \
@@ -69,7 +77,7 @@ static char *GetEnv(const char *variable
/* else rc is bytes needed, try again */
}
#else
@ -26,11 +26,11 @@ Index: curl-7.82.0/lib/getenv.c
return (env && env[0])?strdup(env):NULL;
#endif
}
Index: curl-7.82.0/configure.ac
Index: curl-8.5.0/configure.ac
===================================================================
--- curl-7.82.0.orig/configure.ac
+++ curl-7.82.0/configure.ac
@@ -4271,6 +4271,8 @@ if test "x$want_curldebug_assumed" = "xy
--- curl-8.5.0.orig/configure.ac
+++ curl-8.5.0/configure.ac
@@ -4767,6 +4767,8 @@ if test "x$want_curldebug_assumed" = "xy
ac_configure_args="$ac_configure_args --enable-curldebug"
fi

150
curl-tests-errorcodes.patch Normal file
View File

@ -0,0 +1,150 @@
From da8c1d15782c8161b455a7ee90197c16ae5edb90 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 6 Dec 2023 09:40:30 +0100
Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball
Used by test 1477
Reported-by: Xi Ruoyao
Follow-up to 0ca3a4ec9a7
Fixes #12462
Closes #12463
---
tests/Makefile.am | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
Index: curl-8.5.0/tests/Makefile.am
===================================================================
--- curl-8.5.0.orig/tests/Makefile.am
+++ curl-8.5.0/tests/Makefile.am
@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html
PDFPAGES = testcurl.pdf runtests.pdf
MANDISTPAGES = runtests.1.dist testcurl.1.dist
-EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \
- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \
- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \
- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \
- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \
- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \
- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \
- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \
- valgrind.supp version-scan.pl check-translatable-options.pl
+EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \
+ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \
+ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \
+ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl \
+ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \
+ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \
+ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 \
+ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \
+ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \
+ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \
+ check-translatable-options.pl errorcodes.pl
DISTCLEANFILES = configurehelp.pm
Index: curl-8.5.0/tests/errorcodes.pl
===================================================================
--- /dev/null
+++ curl-8.5.0/tests/errorcodes.pl
@@ -0,0 +1,99 @@
+#!/usr/bin/env perl
+#***************************************************************************
+# _ _ ____ _
+# Project ___| | | | _ \| |
+# / __| | | | |_) | |
+# | (__| |_| | _ <| |___
+# \___|\___/|_| \_\_____|
+#
+# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+# SPDX-License-Identifier: curl
+#
+###########################################################################
+
+# Check that libcurl-errors.3 and the public header files have the same set of
+# error codes.
+
+use strict;
+use warnings;
+
+# we may get the dir roots pointed out
+my $root=$ARGV[0] || ".";
+my $manpge = "$root/docs/libcurl/libcurl-errors.3";
+my $curlh = "$root/include/curl";
+my $errors=0;
+
+my @hnames;
+my %wherefrom;
+my @mnames;
+my %manfrom;
+
+sub scanheader {
+ my ($file)=@_;
+ open H, "<$file";
+ my $line = 0;
+ while(<H>) {
+ $line++;
+ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
+ my ($name)=($1);
+ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) {
+ push @hnames, $name;
+ if($wherefrom{$name}) {
+ print STDERR "double: $name\n";
+ }
+ $wherefrom{$name}="$file:$line";
+ }
+ }
+ }
+ close(H);
+}
+
+sub scanmanpage {
+ my ($file)=@_;
+ open H, "<$file";
+ my $line = 0;
+ while(<H>) {
+ $line++;
+ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
+ my ($name)=($1);
+ push @mnames, $name;
+ $manfrom{$name}="$file:$line";
+ }
+ }
+ close(H);
+}
+
+
+opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!";
+my @hfiles = grep { /\.h$/ } readdir($dh);
+closedir $dh;
+
+for(sort @hfiles) {
+ scanheader("$curlh/$_");
+}
+scanmanpage($manpge);
+
+print "Result\n";
+for my $h (sort @hnames) {
+ if(!$manfrom{$h}) {
+ printf "$h from %s, not in man page\n", $wherefrom{$h};
+ }
+}
+
+for my $m (sort @mnames) {
+ if(!$wherefrom{$m}) {
+ printf "$m from %s, not in any header\n", $manfrom{$m};
+ }
+}

66
curl.changes
View File

@ -1,3 +1,69 @@
-------------------------------------------------------------------
Wed Dec 6 09:51:20 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 8.5.0:
* Security fixes:
- [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
- [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents
* Changes:
- gnutls: support CURLSSLOPT_NATIVE_CA
- HTTP3: ngtcp2 builds are no longer experimental
* Bugfixes:
- asyn-thread: use pipe instead of socketpair for IPC when available
- cmake: fix OpenSSL quic detection in quiche builds
- conncache: use the closure handle when disconnecting surplus connections
- content_encoding: make Curl_all_content_encodings allocless
- cookie: lowercase the domain names before PSL checks
- Curl_http_body: cleanup properly when Curl_getformdata errors
- CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
- doh: provide better return code for responses w/o addresses
- doh: use PIPEWAIT when HTTP/2 is attempted
- duphandle: also free 'outcurl->cookies' in error path
- duphandle: make dupset() not return with pointers to old alloced data
- duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
- easy: in duphandle, init the cookies for the new handle
- easy_lock: add a pthread_mutex_t fallback
- fopen: create new file using old file's mode
- fopen: create short(er) temporary file name
- getenv: PlayStation doesn't have getenv()
- hostip: show the list of IPs when resolving is done
- hsts: skip single-dot hostname
- HTTP/2, HTTP/3: handle detach of onoing transfers
- http: allow longer HTTP/2 request method names
- hyper: temporarily remove HTTP/2 support
- IPFS: fix IPFS_PATH and file parsing
- multi: during ratelimit multi_getsock should return no sockets
- multi: use pipe instead of socketpair to *wakeup()
- ngtcp2: fix races in stream handling
- ntlm_wb: use pipe instead of socketpair when possible
- openssl: avoid BN_num_bits() NULL pointer derefs
- openssl: fix building with v3 `no-deprecated` + add CI test
- openssl: fix infof() to avoid compiler warning for %s with null
- openssl: identify the "quictls" backend correctly
- openssl: include SIG and KEM algorithms in verbose
- openssl: two multi pointer checks should probably rather be asserts
- openssl: when a session-ID is reused, skip OCSP stapling
- quic: make eyeballers connect retries stop at weird replies
- quic: manage connection idle timeouts
- setopt: check CURLOPT_TFTP_BLKSIZE range on set
- socks: better buffer size checks for socks4a user and hostname
- socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
- tool: fix --capath when proxy support is disabled
- tool_getparam: limit --rate to be smaller than number of ms
- transfer: abort pause send when connection is marked for closing
- transfer: avoid calling the read callback again after EOF
- transfer: only reset the FTP wildcard engine in CLEAR state
- url: don't touch the multi handle when closing internal handles
- urlapi: avoid null deref if setting blank host to url encode
- urlapi: skip appending NULL pointer query
- urlapi: when URL encoding the fragment, pass in the right length
- vtls: cleanup SSL config management
- vtls: consistently use typedef names for OpenSSL structs
- vtls: late clone of connection ssl config
- vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
* Rebase curl-secure-getenv.patch
* Add curl-tests-errorcodes.patch
-------------------------------------------------------------------
Wed Oct 11 06:33:28 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

4
curl.spec
View File

@ -21,7 +21,7 @@
# need ssl always for python-pycurl
%bcond_without openssl
Name: curl
Version: 8.4.0
Version: 8.5.0
Release: 0
Summary: A Tool for Transferring Data from URLs
License: curl
@ -35,6 +35,8 @@ Patch1: dont-mess-with-rpmoptflags.patch
Patch2: curl-secure-getenv.patch
#PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
Patch3: curl-disabled-redirect-protocol-message.patch
#PATCH-FIX-UPSTREAM dist: add tests/errorcodes.pl to the tarball
Patch4: curl-tests-errorcodes.patch
BuildRequires: libtool
BuildRequires: pkgconfig
Requires: libcurl4 = %{version}