Accepting request 586981 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Added message about protocol redirection not supported or
  disabled to the function findprotocol() [bsc#1076446]
  * Added curl-disabled-redirect-protocol-message.patch

- Update to version 7.59.0
  [bsc#1084521, CVE-2018-1000120][bsc#1084524, CVE-2018-1000121]
  [bsc#1084532, CVE-2018-1000122]
  Changes:
   * curl: add --proxy-pinnedpubkey
   * added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T
   * CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
   * Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
   * Add new tool option --happy-eyeballs-timeout-ms
   * Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA 
  Bugfixes: 
   * openldap: check ldap_get_attribute_ber() results for NULL before using
   * FTP: reject path components with control codes
   * readwrite: make sure excess reads don't go beyond buffer end
   * lib555: drop text conversion and encode data as ascii codes
   * lib517: make variable static to avoid compiler warning
   * lib544: sync ascii code data with textual data
   * GSKit: restore pinnedpubkey functionality
   * darwinssl: Don't import client certificates into Keychain on macOS
   * parsedate: fix date parsing for systems with 32 bit long
   * openssl: fix pinned public key build error in FIPS mode
   * SChannel/WinSSL: Implement public key pinning
   * cookies: remove verbose "cookie size:" output
   * progress-bar: don't use stderr explicitly, use bar->out
   * build: open VC15 projects with VS 2017
   * curl_ctype: private is*() type macros and functions

OBS-URL: https://build.opensuse.org/request/show/586981
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=222

curl-7.58.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cc245bf9a1a42a45df491501d97d5593392a03f7b4f07b952793518d97666115
-size 3879728

curl-7.58.0.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlpoMGoACgkQXMkI/bce
-EsIpBAf/YL7L3NkhDMC6TMhGMwuI1gzF8nrQdOv75wb09t6kZ3Lnx3pXcAjLpJlS
-TjpP4b7LqAzuSaCC1MH1idXlFxbZExnnRXxQjVL/6kOqO3vyTyUALtA7R8x/aN2z
-1Dymcl82SH+nGkMoB9eh9xyOzg4yUGF+zu7CLm8tEANJdvKGwE2qfx+nI557FNV0
-rlW9SwAMH3XUhEo78HGDfqOUYSU/c/LiLXZtBinJPeKmpJzcqgZlw8libSyzWLpe
-doMo7nbHdRV12zedhYrwlM0EPi0Fhyb14tlhl8TsSrhXfZoai1r2DaxhWDOXgTvV
-cmvsfTaj6N2GHUZFLGB/Bs/ksiMDxg==
-=Ebn1
------END PGP SIGNATURE-----

curl-7.59.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:099d9c32dc7b8958ca592597c9fabccdf4c08cfb7c114ff1afbbc4c6f13c9e9e
+size 3907587

curl-7.59.0.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlqoxTsACgkQXMkI/bce
+EsIreAf/UH3RUVhgKPZ/83zR+tK0M3gLZQW4oNcPYqslBFxi8ETDDgzQybbIUmA9
+CWzqB0j5+OsEA7bLFig6qx0VJxJZbrbNF8rMWArWld2bUjIxAbFxh7MYYf6W+yKZ
+1EDgzFEdahlCsN2qaRGlq2eBk1qUDNQIDwrn4lI2p6RfbC0InVKUV3eVcZQZZL0F
+WBVqLORYEv9Nl9umLKLsw6GDfs4INwyUcbv3muf/SlmgJ5JNIuEyVsZfd21ZFaDm
+oN1WK4s+7IL41RUl34stE7idgUry38InR9BD11vpsbLtQA29Sb3s+74osYkaxSI/
+MPltGnxrmhldDYiPGwszWvlCiOJ7YA==
+=Di6w
+-----END PGP SIGNATURE-----

curl-disabled-redirect-protocol-message.patch

@@ -0,0 +1,18 @@
+--- a/lib/url.c	
++++ a/lib/url.c	
+@@ -1955,9 +1955,13 @@ static CURLcode findprotocol(struct Curl_easy *data,
+       /* it is allowed for "normal" request, now do an extra check if this is
+          the result of a redirect */
+       if(data->state.this_is_a_follow &&
+-         !(data->set.redir_protocols & p->protocol))
++         !(data->set.redir_protocols & p->protocol)) {
+         /* nope, get out */
+-        break;
++        failf(data, "Redirect to protocol \"%s\" not supported or disabled in " LIBCURL_NAME,
++              protostr);
++
++        return CURLE_UNSUPPORTED_PROTOCOL;
++      }
+ 
+       /* Perform setup complement if some. */
+       conn->handler = conn->given = p;

curl-mini.changes

@@ -1,3 +1,97 @@
+-------------------------------------------------------------------
+Wed Mar 14 14:23:22 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Added message about protocol redirection not supported or
+  disabled to the function findprotocol() [bsc#1076446]
+  * Added curl-disabled-redirect-protocol-message.patch
+
+-------------------------------------------------------------------
+Wed Mar 14 13:08:33 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Update to version 7.59.0
+  [bsc#1084521, CVE-2018-1000120][bsc#1084524, CVE-2018-1000121]
+  [bsc#1084532, CVE-2018-1000122]
+  Changes:
+   * curl: add --proxy-pinnedpubkey
+   * added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T
+   * CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
+   * Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
+   * Add new tool option --happy-eyeballs-timeout-ms
+   * Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA 
+  Bugfixes: 
+   * openldap: check ldap_get_attribute_ber() results for NULL before using
+   * FTP: reject path components with control codes
+   * readwrite: make sure excess reads don't go beyond buffer end
+   * lib555: drop text conversion and encode data as ascii codes
+   * lib517: make variable static to avoid compiler warning
+   * lib544: sync ascii code data with textual data
+   * GSKit: restore pinnedpubkey functionality
+   * darwinssl: Don't import client certificates into Keychain on macOS
+   * parsedate: fix date parsing for systems with 32 bit long
+   * openssl: fix pinned public key build error in FIPS mode
+   * SChannel/WinSSL: Implement public key pinning
+   * cookies: remove verbose "cookie size:" output
+   * progress-bar: don't use stderr explicitly, use bar->out
+   * build: open VC15 projects with VS 2017
+   * curl_ctype: private is*() type macros and functions
+   * configure: set PATH_SEPARATOR to colon for PATH w/o separator
+   * curl_easy_reset: clear digest auth state
+   * curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
+   * range: commonize FTP and FILE range handling
+   * progress-bar docs: update to match implementation
+   * fnmatch: do not match the empty string with a character set
+   * fnmatch: accept an alphanum to be followed by a non-alphanum in char set
+   * build: fix termios issue on android cross-compile
+   * getdate: return -1 for out of range
+   * formdata: use the mime-content type function
+   * openssl: Don't add verify locations when verifypeer==0
+   * fnmatch: optimize processing of consecutive *s and ?s pattern characters
+   * schannel: fix compiler warnings
+   * content_encoding: Add "none" alias to "identity"
+   * get_posix_time: only check for overflows if they can happen
+   * http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING
+   * README: language fix
+   * sha256: build with OpenSSL < 0.9.8
+   * smtp: fix processing of initial dot in data
+   * --tlsauthtype: works only if libcurl is built with TLS-SRP support
+   * tests: new tests for http raw mode
+   * libcurl-security.3: man page discussion security concerns when using libcurl
+   * curl_gssapi: make sure this file too uses our *printf()
+   * BINDINGS: fix curb link (and remove ruby-curl-multi)
+   * nss: use PK11_CreateManagedGenericObject() if available
+   * travis: add build with iconv enabled
+   * ssh: add two missing state names
+   * CURLOPT_HEADERFUNCTION.3: mention folded headers
+   * http: fix the max header length detection logic
+   * header callback: don't chop headers into smaller pieces
+   * CURLOPT_HEADER.3: clarify problems with different data sizes
+   * curl --version: show PSL if the run-time lib has it enabled
+   * examples/sftpuploadresume: resume upload via CURLOPT_APPEND
+   * Return error if called recursively from within callbacks
+   * sasl: prefer PLAIN mechanism over LOGIN
+   * winbuild: Use CALL to run batch scripts
+   * curl_share_setopt.3: connection cache is shared within multi handles
+   * projects/README: remove reference to dead IDN link/package
+   * lib655: silence compiler warning
+   * configure: Fix version check for OpenSSL 1.1.1
+   * docs/MANUAL: formfind.pl is not accessible on the site anymore
+   * unit1307: proper cleanup on OOM to fix torture tests
+   * curl_ctype: fix macro redefinition warnings
+   * build: get CFLAGS (including -werror) used for examples and tests
+   * NO_PROXY: fix for IPv6 numericals in the URL
+   * krb5: use nondeprecated functions
+   * http2: mark the connection for close on GOAWAY
+   * limit-rate: kick in even before "limit" data has been received
+   * HTTP: allow "header;" to replace an internal header with a blank one
+   * http2: verbose output new MAX_CONCURRENT_STREAMS values
+   * SECURITY: distros' max embargo time is 14 days
+   * curl tool: accept --compressed also if Brotli is enabled and zlib is not
+   * WolfSSL: adding TLSv1.3
+   * checksrc.pl: add -i and -m options
+   * CURLOPT_COOKIEFILE.3: "-" as file name means stdin 
+
+- Refreshed patch libcurl-ocloexec.patch
+
 -------------------------------------------------------------------
 Tue Feb 20 09:48:49 UTC 2018 - tchvatal@suse.com
 

curl-mini.spec

@@ -29,7 +29,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl-mini
-Version:        7.58.0
+Version:        7.59.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -43,6 +43,8 @@ Patch0:         libcurl-ocloexec.patch
 Patch1:         dont-mess-with-rpmoptflags.diff
 Patch2:         curl-secure-getenv.patch
 Patch3:         ignore_runtests_failure.patch
+# PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
+Patch4:         curl-disabled-redirect-protocol-message.patch
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 Requires:       libcurl4%{?mini} = %{version}
@@ -121,6 +123,7 @@ user interaction or any kind of interactivity.
 %ifarch ppc ppc64 ppc64le
 %patch3 -p1
 %endif
+%patch4 -p1
 
 %build
 # curl complains if macro definition is contained in CFLAGS

curl.changes

@@ -1,3 +1,97 @@
+-------------------------------------------------------------------
+Wed Mar 14 14:23:22 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Added message about protocol redirection not supported or
+  disabled to the function findprotocol() [bsc#1076446]
+  * Added curl-disabled-redirect-protocol-message.patch
+
+-------------------------------------------------------------------
+Wed Mar 14 13:08:33 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Update to version 7.59.0
+  [bsc#1084521, CVE-2018-1000120][bsc#1084524, CVE-2018-1000121]
+  [bsc#1084532, CVE-2018-1000122]
+  Changes:
+   * curl: add --proxy-pinnedpubkey
+   * added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T
+   * CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
+   * Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
+   * Add new tool option --happy-eyeballs-timeout-ms
+   * Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA 
+  Bugfixes: 
+   * openldap: check ldap_get_attribute_ber() results for NULL before using
+   * FTP: reject path components with control codes
+   * readwrite: make sure excess reads don't go beyond buffer end
+   * lib555: drop text conversion and encode data as ascii codes
+   * lib517: make variable static to avoid compiler warning
+   * lib544: sync ascii code data with textual data
+   * GSKit: restore pinnedpubkey functionality
+   * darwinssl: Don't import client certificates into Keychain on macOS
+   * parsedate: fix date parsing for systems with 32 bit long
+   * openssl: fix pinned public key build error in FIPS mode
+   * SChannel/WinSSL: Implement public key pinning
+   * cookies: remove verbose "cookie size:" output
+   * progress-bar: don't use stderr explicitly, use bar->out
+   * build: open VC15 projects with VS 2017
+   * curl_ctype: private is*() type macros and functions
+   * configure: set PATH_SEPARATOR to colon for PATH w/o separator
+   * curl_easy_reset: clear digest auth state
+   * curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
+   * range: commonize FTP and FILE range handling
+   * progress-bar docs: update to match implementation
+   * fnmatch: do not match the empty string with a character set
+   * fnmatch: accept an alphanum to be followed by a non-alphanum in char set
+   * build: fix termios issue on android cross-compile
+   * getdate: return -1 for out of range
+   * formdata: use the mime-content type function
+   * openssl: Don't add verify locations when verifypeer==0
+   * fnmatch: optimize processing of consecutive *s and ?s pattern characters
+   * schannel: fix compiler warnings
+   * content_encoding: Add "none" alias to "identity"
+   * get_posix_time: only check for overflows if they can happen
+   * http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING
+   * README: language fix
+   * sha256: build with OpenSSL < 0.9.8
+   * smtp: fix processing of initial dot in data
+   * --tlsauthtype: works only if libcurl is built with TLS-SRP support
+   * tests: new tests for http raw mode
+   * libcurl-security.3: man page discussion security concerns when using libcurl
+   * curl_gssapi: make sure this file too uses our *printf()
+   * BINDINGS: fix curb link (and remove ruby-curl-multi)
+   * nss: use PK11_CreateManagedGenericObject() if available
+   * travis: add build with iconv enabled
+   * ssh: add two missing state names
+   * CURLOPT_HEADERFUNCTION.3: mention folded headers
+   * http: fix the max header length detection logic
+   * header callback: don't chop headers into smaller pieces
+   * CURLOPT_HEADER.3: clarify problems with different data sizes
+   * curl --version: show PSL if the run-time lib has it enabled
+   * examples/sftpuploadresume: resume upload via CURLOPT_APPEND
+   * Return error if called recursively from within callbacks
+   * sasl: prefer PLAIN mechanism over LOGIN
+   * winbuild: Use CALL to run batch scripts
+   * curl_share_setopt.3: connection cache is shared within multi handles
+   * projects/README: remove reference to dead IDN link/package
+   * lib655: silence compiler warning
+   * configure: Fix version check for OpenSSL 1.1.1
+   * docs/MANUAL: formfind.pl is not accessible on the site anymore
+   * unit1307: proper cleanup on OOM to fix torture tests
+   * curl_ctype: fix macro redefinition warnings
+   * build: get CFLAGS (including -werror) used for examples and tests
+   * NO_PROXY: fix for IPv6 numericals in the URL
+   * krb5: use nondeprecated functions
+   * http2: mark the connection for close on GOAWAY
+   * limit-rate: kick in even before "limit" data has been received
+   * HTTP: allow "header;" to replace an internal header with a blank one
+   * http2: verbose output new MAX_CONCURRENT_STREAMS values
+   * SECURITY: distros' max embargo time is 14 days
+   * curl tool: accept --compressed also if Brotli is enabled and zlib is not
+   * WolfSSL: adding TLSv1.3
+   * checksrc.pl: add -i and -m options
+   * CURLOPT_COOKIEFILE.3: "-" as file name means stdin 
+
+- Refreshed patch libcurl-ocloexec.patch
+
 -------------------------------------------------------------------
 Tue Feb 20 09:48:49 UTC 2018 - tchvatal@suse.com
 

curl.spec

@@ -27,7 +27,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        7.58.0
+Version:        7.59.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -41,6 +41,8 @@ Patch0:         libcurl-ocloexec.patch
 Patch1:         dont-mess-with-rpmoptflags.diff
 Patch2:         curl-secure-getenv.patch
 Patch3:         ignore_runtests_failure.patch
+# PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
+Patch4:         curl-disabled-redirect-protocol-message.patch
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 Requires:       libcurl4%{?mini} = %{version}
@@ -119,6 +121,7 @@ user interaction or any kind of interactivity.
 %ifarch ppc ppc64 ppc64le
 %patch3 -p1
 %endif
+%patch4 -p1
 
 %build
 # curl complains if macro definition is contained in CFLAGS

libcurl-ocloexec.patch

@@ -11,7 +11,7 @@ Index: lib/file.c
 ===================================================================
 --- lib/file.c.orig
 +++ lib/file.c
-@@ -248,7 +248,7 @@ static CURLcode file_connect(struct conn
+@@ -190,7 +190,7 @@ static CURLcode file_connect(struct conn
      return CURLE_URL_MALFORMAT;
    }
  
@@ -20,7 +20,7 @@ Index: lib/file.c
    file->path = real_path;
  #endif
    file->freepath = real_path; /* free this when done */
-@@ -343,7 +343,7 @@ static CURLcode file_upload(struct conne
+@@ -285,7 +285,7 @@ static CURLcode file_upload(struct conne
    else
      mode = MODE_DEFAULT|O_TRUNC;
  
@@ -33,7 +33,7 @@ Index: lib/hostip6.c
 ===================================================================
 --- lib/hostip6.c.orig
 +++ lib/hostip6.c
-@@ -39,7 +39,7 @@
+@@ -44,7 +44,7 @@
  #ifdef HAVE_PROCESS_H
  #include <process.h>
  #endif
@@ -68,8 +68,8 @@ Index: lib/connect.c
 ===================================================================
 --- lib/connect.c.orig
 +++ lib/connect.c
-@@ -1355,7 +1355,7 @@ CURLcode Curl_socket(struct connectdata
-                                     (struct curl_sockaddr *)addr);
+@@ -1389,7 +1389,7 @@ CURLcode Curl_socket(struct connectdata
+   }
    else
      /* opensocket callback not set, so simply create the socket now */
 -    *sockfd = socket(addr->family, addr->socktype, addr->protocol);
@@ -81,7 +81,7 @@ Index: configure.ac
 ===================================================================
 --- configure.ac.orig
 +++ configure.ac
-@@ -182,6 +182,7 @@ AC_CANONICAL_HOST
+@@ -188,6 +188,7 @@ AC_CANONICAL_HOST
  dnl Get system canonical name
  AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS])