From 4faea07c93f095679ac344723d928487efc4166834e342e0a30b6c215ffbea6f Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez Date: Sat, 19 Dec 2020 18:24:38 +0000 Subject: [PATCH] Accepting request 856452 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to 7.74.0 * Changes: hsts: add experimental support for Strict-Transport-Security * Bugfixes: - Inferior OCSP verification [bsc#1179593, CVE-2020-8286] - FTP wildcard stack overflow [bsc#1179399, CVE-2020-8285] - trusting FTP PASV responses [bsc#1179398, CVE-2020-8284] - Revert "multi: implement wait using winsock events" - openssl: free mem_buf in error path - ntlm: avoid malloc(0) on zero length user and domain - ngtcp2: use the minimal version of QUIC supported by ngtcp2 - ngtcp2: advertise h3 ALPN unconditionally - file: avoid duplicated code sequence - openssl: guard against OOM on context creation - docs: document the 8MB input string limit for curl_easy_escape and curl_easy_setopt() - hsts: add read/write callbacks - hsts: add support for Strict-Transport-Security - alt-svc: enable by default - checksrc: warn on empty line before open brace - connect: repair build without ipv6 availability - curl.se: new home - ftp: retry getpeername for FTP with TCP_FASTOPEN - gnutls: fix memory leaks (certfields memory wasn't released) - http: pass correct header size to debug callback for chunked post - libssh2: fix transport over HTTPS proxy - openssl: guard against OOM on context creation - openssl: use OPENSSL_init_ssl() with >= 1.1.0 - Revert "multi: implement wait using winsock events" - socks: check for DNS entries with the right port number OBS-URL: https://build.opensuse.org/request/show/856452 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=288 --- curl-7.73.0.tar.xz | 3 -- curl-7.73.0.tar.xz.asc | 11 ---- curl-7.74.0.tar.xz | 3 ++ curl-7.74.0.tar.xz.asc | 11 ++++ curl-disabled-redirect-protocol-message.patch | 4 +- curl-use_OPENSSL_config.patch | 32 ------------ curl.changes | 52 +++++++++++++++++++ curl.spec | 39 +++++--------- 
libcurl-ocloexec.patch | 6 ++- 9 files changed, 85 insertions(+), 76 deletions(-) delete mode 100644 curl-7.73.0.tar.xz delete mode 100644 curl-7.73.0.tar.xz.asc create mode 100644 curl-7.74.0.tar.xz create mode 100644 curl-7.74.0.tar.xz.asc delete mode 100644 curl-use_OPENSSL_config.patch diff --git a/curl-7.73.0.tar.xz b/curl-7.73.0.tar.xz deleted file mode 100644 index e2dd514..0000000 --- a/curl-7.73.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7c4c7ca4ea88abe00fea4740dcf81075c031b1d0bb23aff2d5efde20a3c2408a -size 2394228 diff --git a/curl-7.73.0.tar.xz.asc b/curl-7.73.0.tar.xz.asc deleted file mode 100644 index f2f2fb6..0000000 --- a/curl-7.73.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl+GkkYACgkQXMkI/bce -EsI5vwf+NwIw3Jmn9lW7/VHNgFWB1Qa0gB4KlDISM2qG9CHzeIW8K50g2JiIAuLa -CVOfuMi/jg1r2INRLErZzdGDtD71TzjaEv6A/dxWL+k5/ieFxmH5iC80rYWi8EE9 -sv/bx8vEq8ikIqqV7KxYPlX8xMJBMfCs+TNQbzYM3WUDMLYJLpuNiWrzS6h8+mPq -4w8qYyrNI5x/J3HSJuzyoJy0ueQOQ6CaZwV/ViGBLmFkMKgsAXJu9ImRMmJXKAk5 -MLiVUKI1KpHJNHZS5pLIP5wrjIN3z7FIRxThJ6f/IqUF1mIc6MNnqcER6lBtxeq4 -SuRq9Dx5W2en/g+I5iic8GwkDD+U6A== -=W3Yh ------END PGP SIGNATURE----- diff --git a/curl-7.74.0.tar.xz b/curl-7.74.0.tar.xz new file mode 100644 index 0000000..2ffb1d6 --- /dev/null +++ b/curl-7.74.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:999d5f2c403cf6e25d58319fdd596611e455dd195208746bc6e6d197a77e878b +size 2400972 diff --git a/curl-7.74.0.tar.xz.asc b/curl-7.74.0.tar.xz.asc new file mode 100644 index 0000000..7f48ca4 --- /dev/null +++ b/curl-7.74.0.tar.xz.asc 
@@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl/QcZ8ACgkQXMkI/bce +EsJYnggAs5MbJByXsUEI3LzdRvjb2s/dNS/+ubJ98GL+ed8uVsLmGxdF0fS9EPVX ++KoaYbaZwjZJH43+UyqtoFr4GQKhxxhcyZi3477s9Ws9x60yEA21oIggkQLF6X+E +OEymG0YmNUn/6vvWizCWZtE7TkoWAXEzPLyVbBzoFzfmgzxiQ9//usKCaDh/nCWA +kouxubBJbpdjk8KTnVf5HMP5PJKs9LeiVh9B2F+Rq1cEvzLrxNlDYptEgH/ml5Sd +WsWeWttngs2pnZu0pMQNGhdXp6XC5lteN21C1/3hy3KVFUnkqaA+1IHm39wBE73j +Bmnoi36d+Ub6ZT3Va84Dp/tWJ65Xig== +=9ka/ +-----END PGP SIGNATURE----- diff --git a/curl-disabled-redirect-protocol-message.patch b/curl-disabled-redirect-protocol-message.patch index 7813090..2655cb7 100644 --- a/curl-disabled-redirect-protocol-message.patch +++ b/curl-disabled-redirect-protocol-message.patch @@ -10,8 +10,8 @@ Index: curl-7.63.0/lib/url.c + !(data->set.redir_protocols & p->protocol)) { /* nope, get out */ - ; -+ failf(data, "Redirect to protocol \"%s\" not supported or disabled in " LIBCURL_NAME, -+ protostr); ++ failf(data, "Redirect to protocol \"%s\" not supported or disabled in " ++ LIBCURL_NAME, protostr); + + return CURLE_UNSUPPORTED_PROTOCOL; + } diff --git a/curl-use_OPENSSL_config.patch b/curl-use_OPENSSL_config.patch deleted file mode 100644 index f17a5f0..0000000 --- a/curl-use_OPENSSL_config.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -This basically reverts https://github.com/curl/curl/commit/7d2f61f66ab4e047fc9aefc2effc1ac6d340a66a - -Index: curl-7.65.2/lib/vtls/openssl.c -=================================================================== ---- curl-7.65.2.orig/lib/vtls/openssl.c -+++ curl-7.65.2/lib/vtls/openssl.c -@@ -1026,22 +1026,12 @@ static int Curl_ossl_init(void) - ENGINE_load_builtin_engines(); - #endif - --/* CONF_MFLAGS_DEFAULT_SECTION was introduced some time between 0.9.8b and -- 0.9.8e */ --#ifndef CONF_MFLAGS_DEFAULT_SECTION --#define CONF_MFLAGS_DEFAULT_SECTION 0x0 --#endif -- --#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG -- CONF_modules_load_file(NULL, NULL, -- CONF_MFLAGS_DEFAULT_SECTION| -- CONF_MFLAGS_IGNORE_MISSING_FILE); --#endif -- - #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ - !defined(LIBRESSL_VERSION_NUMBER) -- /* OpenSSL 1.1.0+ takes care of initialization itself */ -+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); - #else -+ OPENSSL_config(NULL); -+ - /* Lets get nice error messages */ - SSL_load_error_strings(); - diff --git a/curl.changes b/curl.changes index 01dc3ab..ffe534a 100644 --- a/curl.changes +++ b/curl.changes 
@@ -1,3 +1,55 @@ +------------------------------------------------------------------- +Mon Dec 14 15:25:07 UTC 2020 - Pedro Monreal + +- Update to 7.74.0 + * Changes: + hsts: add experimental support for Strict-Transport-Security + * Bugfixes: + - Inferior OCSP verification [bsc#1179593, CVE-2020-8286] + - FTP wildcard stack overflow [bsc#1179399, CVE-2020-8285] + - trusting FTP PASV responses [bsc#1179398, CVE-2020-8284] + - Revert "multi: implement wait using winsock events" + - openssl: free mem_buf in error path + - ntlm: avoid malloc(0) on zero length user and domain + - ngtcp2: use the minimal version of QUIC supported by ngtcp2 + - ngtcp2: advertise h3 ALPN unconditionally + - file: avoid duplicated code sequence + - openssl: guard against OOM on context creation + - docs: document the 8MB input string limit for curl_easy_escape + and curl_easy_setopt() + - hsts: add read/write callbacks + - hsts: add support for Strict-Transport-Security + - alt-svc: enable by default + - checksrc: warn on empty line before open brace + - connect: repair build without ipv6 availability + - curl.se: new home + - ftp: retry getpeername for FTP with TCP_FASTOPEN + - gnutls: fix memory leaks (certfields memory wasn't released) + - http: pass correct header size to debug callback for chunked post + - libssh2: fix transport over HTTPS proxy + - openssl: guard against OOM on context creation + - openssl: use OPENSSL_init_ssl() with >= 1.1.0 + - Revert "multi: implement wait using winsock events" + - socks: check for DNS entries with the right port number + - tool_operate: --retry for HTTP 408 responses too + - tool_operate: bail out proper on errors during parallel transfers + - urlapi: don't accept blank port number field without scheme + - urlapi: URL encode a '+' in the query part + - vquic/ngtcp2.h: define local_addr as sockaddr_storage +- Update check section: + * runtests now supports dynamically base64 encoded sections in tests + * Replace env interpreter for perl and 
python3 +- Remove curl-use_OPENSSL_config.patch since the OpenSSL initialization + has been updated to use OPENSSL_init_ssl() with >= 1.1.0 + +------------------------------------------------------------------- +Tue Oct 20 10:33:34 UTC 2020 - Pedro Monreal + +- Update patches to fix compiling warnings: + * curl-disabled-redirect-protocol-message.patch + * libcurl-ocloexec.patch +- Enable test 1165 + ------------------------------------------------------------------- Wed Oct 14 21:29:48 UTC 2020 - Pedro Monreal diff --git a/curl.spec b/curl.spec index 466aaea..6e83275 100644 --- a/curl.spec +++ b/curl.spec @@ -21,21 +21,20 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.73.0 +Version: 7.74.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl -URL: https://curl.haxx.se/ -Source: https://curl.haxx.se/download/curl-%{version}.tar.xz -Source2: https://curl.haxx.se/download/curl-%{version}.tar.xz.asc +URL: https://curl.se +Source: https://curl.se/download/curl-%{version}.tar.xz +Source2: https://curl.se/download/curl-%{version}.tar.xz.asc Source3: baselibs.conf Source4: https://daniel.haxx.se/mykey.asc#/curl.keyring Patch0: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.diff Patch2: curl-secure-getenv.patch # PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled -Patch4: curl-disabled-redirect-protocol-message.patch -Patch5: curl-use_OPENSSL_config.patch +Patch3: curl-disabled-redirect-protocol-message.patch BuildRequires: libtool BuildRequires: pkgconfig Requires: libcurl4 = %{version} 
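Review bot: Dropping `Patch5: curl-use_OPENSSL_config.patch` in the patch list leaves nothing in the spec that says whether libcurl still loads the system OpenSSL configuration. The removed patch made `Curl_ossl_init` call `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)`, so settings in the system-wide OpenSSL configuration applied to every libcurl consumer. The changelog attributes the removal to upstream's move to `OPENSSL_init_ssl()` on OpenSSL >= 1.1.0, but this diff does not show that the new init path still loads the config or that `CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` stays undefined in this build. I would confirm both against the 7.74.0 `lib/vtls/openssl.c` and record the result next to the patch list, e.g. `# curl-use_OPENSSL_config.patch dropped in 7.74.0: upstream init uses OPENSSL_init_ssl(); config loading confirmed`.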
@@ -92,18 +91,14 @@ user interaction or any kind of interactivity. %patch0 -p1 %patch1 %patch2 -%patch4 -p1 -%patch5 -p1 - -# disable new failing test 1165 -echo "1165" >> tests/data/DISABLED +%patch3 -p1 %build # curl complains if macro definition is contained in CFLAGS # see m4/xc-val-flgs.m4 CPPFLAGS="-D_FORTIFY_SOURCE=2" CFLAGS=$(echo "%{optflags}" | sed -e 's/-D_FORTIFY_SOURCE=2//') -export CPPFLAGS CFLAGS +export CPPFLAGS export CFLAGS="$CFLAGS -fPIE" export LDFLAGS="$LDFLAGS -pie" autoreconf -fiv @@ -135,25 +130,17 @@ sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure # if this fails, the above sed hack did not work ./libtool --config | grep -q link_all_deplibs=no # enable-hidden-symbols needs gcc4 and causes that curl exports only its API -make %{?_smp_mflags} V=1 +%make_build %if %{with testsuite} %check pushd tests -make %{?_smp_mflags} V=1 -# make sure the testsuite runs don't race on MP machines in autobuild -if test -z "$BUILD_INCARNATION" -a -r /.buildenv; then - . /.buildenv -fi -if test -z "$BUILD_INCARNATION"; then - BUILD_INCARNATION=0 -fi +%make_build -base=$((8990 + $BUILD_INCARNATION * 20)) -# bug940009 do not run flaky tests for any architecture -# at least test 1510 do fail for i586 and ppc64le -perl ./runtests.pl -a -v -p -b$base '!flaky' || exit +find -type f -name "*.pl" -exec sed -i 's|#!.*/usr/bin/env perl|#!/usr/bin/perl|' "{}" + +find -type f -name "*.py" -exec sed -i 's|#!.*/usr/bin/env python.*|#!/usr/bin/python3|' "{}" + +perl ./runtests.pl -a -v -p '!flaky' || exit popd %endif @@ -170,7 +157,7 @@ popd %files %doc README RELEASE-NOTES CHANGES -%doc docs/{BUGS.md,FAQ,FEATURES,TODO,TheArtOfHttpScripting.md} +%doc docs/{BUGS.md,FAQ,FEATURES.md,TODO,TheArtOfHttpScripting.md} %{_bindir}/curl %{_datadir}/zsh/site-functions/_curl %{_mandir}/man1/curl.1%{?ext_man} diff --git a/libcurl-ocloexec.patch b/libcurl-ocloexec.patch index e4bea0f..38abe6e 100644 --- a/libcurl-ocloexec.patch +++ b/libcurl-ocloexec.patch 
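Review bot: The two `sed` expressions added in `%check` are neither anchored nor limited to line 1, so any line in a `*.pl` or `*.py` file under `tests/` that contains `#!` followed by `/usr/bin/env perl` (or `env python`) is rewritten, not only the shebang; the trailing `.*` in the python pattern also discards any interpreter arguments. Restricting the substitution to the first line keeps the test fixtures intact: `sed -i '1s|^#!.*/usr/bin/env perl|#!/usr/bin/perl|'` and `sed -i '1s|^#!.*/usr/bin/env python.*|#!/usr/bin/python3|'`. The same hunk drops the `BUILD_INCARNATION`-derived `-b$base` port offset along with its comment about test runs racing on shared build hosts; if `runtests.pl` in 7.74.0 no longer needs a distinct base port, a one-line comment saying so would help the next maintainer.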
@@ -68,12 +68,14 @@ Index: curl-7.69.0/lib/connect.c =================================================================== --- curl-7.69.0.orig/lib/connect.c +++ curl-7.69.0/lib/connect.c -@@ -1529,7 +1529,7 @@ CURLcode Curl_socket(struct connectdata +@@ -1529,7 +1529,9 @@ CURLcode Curl_socket(struct connectdata } else /* opensocket callback not set, so simply create the socket now */ - *sockfd = socket(addr->family, addr->socktype, addr->protocol); -+ *sockfd = socket(addr->family, addr->socktype | SOCK_CLOEXEC, addr->protocol); ++ *sockfd = socket(addr->family, ++ addr->socktype | SOCK_CLOEXEC, ++ addr->protocol); if(*sockfd == CURL_SOCKET_BAD) /* no socket, no connection */