From 1afbf91ed8872d31b45777b22106ba770bfc631fab2a15b131fc8283ee7db4f2 Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez Date: Wed, 15 Sep 2021 08:46:22 +0000 Subject: [PATCH 1/2] Accepting request 919068 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to 7.79.0: [bsc#1190213, CVE-2021-22945] [bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947] * Changes: - bearssl: support CURLOPT_CAINFO_BLOB - http: consider cookies over localhost to be secure - secure transport: support CURLINFO_CERTINFO * Bugfixes: - CVE-2021-22945: clear the leftovers pointer when sending succeeds - CVE-2021-22946: do not ignore --ssl-reqd - CVE-2021-22947: reject STARTTLS server response pipelining - auth: do not append zero-terminator to authorisation id in kerberos - auth: properly handle byte order in kerberos security message - auth: use sasl authzid option in kerberos - auth: we do not support a security layer after kerberos authentication - c-hyper: deal with Expect: 100-continue combined with POSTFIELDS - c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection - c-hyper: initial step for 100-continue support - c-hyper: initial support for "dumping" 1xx HTTP responses - curl-openssl.m4: show correct output for OpenSSL v3 - docs/MQTT: update state of username/password support - docs: the security list is reached at security at curl.se now - getparameter: fix the --local-port number parser - hostip: Make Curl_ipv6works function independent of getaddrinfo - http_proxy: fix the User-Agent inclusion in CONNECT - http_proxy: fix user-agent and custom headers for CONNECT with hyper - http_proxy: only wait for writable socket while sending request - mailing lists: move from cool.haxx.se to lists.haxx.se - mbedtls: avoid using a large buffer on the stack - mbedTLS: initial 3.0.0 support - ngtcp2: remove the acked_crypto_offset struct field init OBS-URL: https://build.opensuse.org/request/show/919068 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=301 --- curl-7.78.0.tar.xz | 3 -- curl-7.78.0.tar.xz.asc | 11 
------ curl-7.79.0.tar.xz | 3 ++ curl-7.79.0.tar.xz.asc | 11 ++++++ curl.changes | 47 ++++++++++++++++++++++++ curl.spec | 2 +- libcurl-ocloexec.patch | 82 +++++++++++++++++++++--------------------- 7 files changed, 103 insertions(+), 56 deletions(-) delete mode 100644 curl-7.78.0.tar.xz delete mode 100644 curl-7.78.0.tar.xz.asc create mode 100644 curl-7.79.0.tar.xz create mode 100644 curl-7.79.0.tar.xz.asc
diff --git a/curl-7.78.0.tar.xz b/curl-7.78.0.tar.xz
deleted file mode 100644
index 8dfcadf..0000000
--- a/curl-7.78.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:be42766d5664a739c3974ee3dfbbcbe978a4ccb1fe628bb1d9b59ac79e445fb5
-size 2440640
diff --git a/curl-7.78.0.tar.xz.asc b/curl-7.78.0.tar.xz.asc
deleted file mode 100644
index 479d347..0000000
--- a/curl-7.78.0.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmD3wwYACgkQXMkI/bce
-EsIFMggAt5xxRun4gxld2xZB0shI8fDhjGwMK+uQNpDnnt509j/UZ9+yfDra3Stl
-BHeQXSnTE6y4dKfXIkq4q3sSX2XZUuFRLHMhzH99FsY6bxgOSnZi/iIZv/RLLXTX
-NGlDR93OfsYg9UNkZVeZlFo9262f6rz7P5EsHa4HlCS0xpvLCU7q2dtkDu8SQSW1
-sQiEZOhsyXoiqqrLAgTIP9psHt6dE7qoYh1hS6b+7S9d87MSkL5MEnHukFkemlzC
-7d9cYD9Bah1LfAaYunvzPuC9FoF6gonGPrw3tLECdl2P9PpnrGeV1Z/Nhmu0d5mN
-E2A1BXBqLs8UVo4vUbiNLk0gB3TmHg==
-=yVDK
------END PGP SIGNATURE-----
diff --git a/curl-7.79.0.tar.xz b/curl-7.79.0.tar.xz
new file mode 100644
index 0000000..06cf3b2
--- /dev/null
+++ b/curl-7.79.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a1420076f9ffc35c982c78e85b7a69e2ef5d532267895fdb2eac16ad9b680c9
+size 2463072
diff --git a/curl-7.79.0.tar.xz.asc b/curl-7.79.0.tar.xz.asc
new file mode 100644
index 0000000..29f9b20
--- /dev/null
+++ b/curl-7.79.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmFBj6gACgkQXMkI/bce
+EsJkpQgAuTRPniJDsiVa9yqtfgSNq2BG3u+JpcKFC3bJ/PB2DAtNVORNrTYkk3B1
+wIgfVWYBBJiCXoy5Ivof0MIfUM8kMFJXwHfy0Gs5/60GCy5mXOvVC7IEmKZ24lOU
+7cNNzNkyR69z1yWM1VFfaDNmO3+GWIvM2YJTEdHlAxABR71FfW/ARtXjSFEJ01FL
+t9IyDiH56cCkWEFFvM2YxNo0IjduvC5pLBiGfrBe5bAKV63Z0/Qtp18zoVaYgv6Y
++yLxv4jgteN/wrTHXVQ5o6FiqoTP/OEpJOLe1Zd4sJhMBkobCPwi5HHAjbavqeFc
+3zs3aRTNMaVdvv4VqFhO5o8u2kZEbg==
+=2Tq/
+-----END PGP SIGNATURE-----
diff --git a/curl.changes b/curl.changes
index 0a96c5a..d11a077 100644
--- a/curl.changes
+++ b/curl.changes
@@ -1,3 +1,50 @@
+-------------------------------------------------------------------
+Wed Sep 15 06:21:42 UTC 2021 - Pedro Monreal
+
+- Update to 7.79.0: [bsc#1190213, CVE-2021-22945]
+ [bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947]
+ * Changes:
+ - bearssl: support CURLOPT_CAINFO_BLOB
+ - http: consider cookies over localhost to be secure
+ - secure transport: support CURLINFO_CERTINFO
+ * Bugfixes:
+ - CVE-2021-22945: clear the leftovers pointer when sending succeeds
+ - CVE-2021-22946: do not ignore --ssl-reqd
+ - CVE-2021-22947: reject STARTTLS server response pipelining
+ - auth: do not append zero-terminator to authorisation id in kerberos
+ - auth: properly handle byte order in kerberos security message
+ - auth: use sasl authzid option in kerberos
+ - auth: we do not support a security layer after kerberos authentication
+ - c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
+ - c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
+ - c-hyper: initial step for 100-continue support
+ - c-hyper: initial support for "dumping" 1xx HTTP responses
+ - curl-openssl.m4: show correct output for OpenSSL v3
+ - docs/MQTT: update state of username/password support
+ - docs: the security list is reached at security at curl.se now
+ - getparameter: fix the --local-port number parser
+ - hostip: Make Curl_ipv6works function independent of getaddrinfo
+ - http_proxy: fix the User-Agent inclusion in CONNECT
+ - http_proxy: fix user-agent and custom headers for CONNECT with hyper
+ - http_proxy: only wait for writable socket while sending request
+ - mailing lists: move from cool.haxx.se to lists.haxx.se
+ - mbedtls: avoid using a large buffer on the stack
+ - mbedTLS: initial 3.0.0 support
+ - ngtcp2: remove the acked_crypto_offset struct field init
+ - ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
+ - ngtcp2: reset the oustanding send buffer again when drained
+ - ngtcp2: rework the return value 
handling of ngtcp2_conn_writev_stream + - ngtcp2: stop buffering crypto data + - ngtcp2: utilize crypto API functions to simplify + - openssl: when creating a new context, there cannot be an old one + - scripts: invoke interpreters through /usr/bin/env + - tests/runtests.pl: cleanup copy&paste mistakes and unused code + - tests: be explicit about using 'python3' instead of 'python' + - tool/tests: fix potential year 2038 issues + - tool_operate: Fix --fail-early with parallel transfers + - x509asn1: fix heap over-read when parsing x509 certificates + * Rebase libcurl-ocloexec.patch + ------------------------------------------------------------------- Wed Jul 21 06:50:22 UTC 2021 - Pedro Monreal diff --git a/curl.spec b/curl.spec index 708a918..bbdf00a 100644 --- a/curl.spec +++ b/curl.spec @@ -21,7 +21,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.78.0 +Version: 7.79.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl diff --git a/libcurl-ocloexec.patch b/libcurl-ocloexec.patch index a9155d3..7f580f8 100644 --- a/libcurl-ocloexec.patch +++ b/libcurl-ocloexec.patch @@ -7,11 +7,11 @@ To make it portable you have to test O_CLOEXEC support at *runtime* compile time is not enough. -Index: curl-7.75.0/lib/file.c +Index: curl-7.79.0/lib/file.c =================================================================== ---- curl-7.75.0.orig/lib/file.c -+++ curl-7.75.0/lib/file.c -@@ -193,7 +193,7 @@ static CURLcode file_connect(struct Curl +--- curl-7.79.0.orig/lib/file.c ++++ curl-7.79.0/lib/file.c +@@ -194,7 +194,7 @@ static CURLcode file_connect(struct Curl return CURLE_URL_MALFORMAT; } 
@@ -20,70 +20,48 @@ Index: curl-7.75.0/lib/file.c file->path = real_path; #endif file->freepath = real_path; /* free this when done */ -@@ -277,7 +277,7 @@ static CURLcode file_upload(struct Curl_ +@@ -278,7 +278,7 @@ static CURLcode file_upload(struct Curl_ else mode = MODE_DEFAULT|O_TRUNC; - fd = open(file->path, mode, data->set.new_file_perms); -+ fd = open(file->path, mode | O_CLOEXEC, data->set.new_file_perms); ++ fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms); if(fd < 0) { failf(data, "Can't open %s for writing", file->path); return CURLE_WRITE_ERROR; -Index: curl-7.75.0/lib/hostip6.c +Index: curl-7.79.0/lib/if2ip.c =================================================================== ---- curl-7.75.0.orig/lib/hostip6.c -+++ curl-7.75.0/lib/hostip6.c -@@ -44,7 +44,7 @@ - #ifdef HAVE_PROCESS_H - #include - #endif -- -+#include - #include "urldata.h" - #include "sendf.h" - #include "hostip.h" -@@ -75,7 +75,7 @@ bool Curl_ipv6works(struct Curl_easy *da - else { - int ipv6_works = -1; - /* probe to see if we have a working IPv6 stack */ -- curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0); -+ curl_socket_t s = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if(s == CURL_SOCKET_BAD) - /* an IPv6 address was requested but we can't get/use one */ - ipv6_works = 0; -Index: curl-7.75.0/lib/if2ip.c -=================================================================== ---- curl-7.75.0.orig/lib/if2ip.c -+++ curl-7.75.0/lib/if2ip.c +--- curl-7.79.0.orig/lib/if2ip.c ++++ curl-7.79.0/lib/if2ip.c 
@@ -202,7 +202,7 @@ if2ip_result_t Curl_if2ip(int af, unsign if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; - dummy = socket(AF_INET, SOCK_STREAM, 0); -+ dummy = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); ++ dummy = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0); if(CURL_SOCKET_BAD == dummy) return IF2IP_NOT_FOUND; -Index: curl-7.75.0/lib/connect.c +Index: curl-7.79.0/lib/connect.c =================================================================== ---- curl-7.75.0.orig/lib/connect.c -+++ curl-7.75.0/lib/connect.c -@@ -1575,7 +1575,9 @@ CURLcode Curl_socket(struct Curl_easy *d +--- curl-7.79.0.orig/lib/connect.c ++++ curl-7.79.0/lib/connect.c +@@ -1598,7 +1598,9 @@ CURLcode Curl_socket(struct Curl_easy *d } else /* opensocket callback not set, so simply create the socket now */ - *sockfd = socket(addr->family, addr->socktype, addr->protocol); + *sockfd = socket(addr->family, -+ addr->socktype | SOCK_CLOEXEC, ++ addr->socktype|SOCK_CLOEXEC, + addr->protocol); if(*sockfd == CURL_SOCKET_BAD) /* no socket, no connection */ -Index: curl-7.75.0/configure.ac +Index: curl-7.79.0/configure.ac =================================================================== ---- curl-7.75.0.orig/configure.ac -+++ curl-7.75.0/configure.ac -@@ -189,6 +189,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m +--- curl-7.79.0.orig/configure.ac ++++ curl-7.79.0/configure.ac +@@ -297,6 +297,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m # Silence warning: ar: 'u' modifier ignored since 'D' is the default AC_SUBST(AR_FLAGS, [cr]) 
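Review bot: The rebased patch still ORs `SOCK_CLOEXEC` into every `socket()` call unconditionally (Curl_if2ip and Curl_socket in this hunk, Curl_ipv6works in the lib/hostip.c hunk that follows), although the patch's own header says O_CLOEXEC support has to be tested at runtime. On a kernel that rejects the flag the call would presumably fail with EINVAL, and in Curl_ipv6works that failure is read as "no working IPv6" (`ipv6_works = 0`) rather than reported. If such kernels are in scope, a fallback like `if(s == CURL_SOCKET_BAD && errno == EINVAL) s = socket(PF_INET6, SOCK_DGRAM, 0);` followed by setting FD_CLOEXEC through fcntl() would keep the old behaviour; otherwise the patch header should state that the runtime test is deliberately omitted. In Curl_socket only the else branch gets the flag, so descriptors returned by an application's opensocket callback can still be inherited by child processes and that is worth a comment. All three function bodies start and end outside the hunks.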
@@ -92,3 +70,25 @@ Index: curl-7.75.0/configure.ac dnl This defines _ALL_SOURCE for AIX CURL_CHECK_AIX_ALL_SOURCE +Index: curl-7.79.0/lib/hostip.c +=================================================================== +--- curl-7.79.0.orig/lib/hostip.c ++++ curl-7.79.0/lib/hostip.c +@@ -49,7 +49,7 @@ + #ifdef HAVE_PROCESS_H + #include + #endif +- ++#include + #include "urldata.h" + #include "sendf.h" + #include "hostip.h" +@@ -549,7 +549,7 @@ bool Curl_ipv6works(struct Curl_easy *da + else { + int ipv6_works = -1; + /* probe to see if we have a working IPv6 stack */ +- curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0); ++ curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0); + if(s == CURL_SOCKET_BAD) + /* an IPv6 address was requested but we can't get/use one */ + ipv6_works = 0; From da230172cc4d9f060a0a691e3fda6e6850bce99d1dbd782fea3f7477ab6f252c Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Wed, 15 Sep 2021 15:41:06 +0000 Subject: [PATCH 2/2] Accepting request 919261 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Temporarily disable flaky test 1184 * See https://github.com/curl/curl/issues/7725 OBS-URL: https://build.opensuse.org/request/show/919261 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=302 --- curl.changes | 6 ++++++ curl.spec | 3 +++ 2 files changed, 9 insertions(+) diff --git a/curl.changes b/curl.changes index d11a077..519c9d6 100644 --- a/curl.changes +++ b/curl.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Sep 15 15:08:18 UTC 2021 - Pedro Monreal + +- Temporarily disable flaky test 1184 + * See https://github.com/curl/curl/issues/7725 + ------------------------------------------------------------------- Wed Sep 15 06:21:42 UTC 2021 - Pedro Monreal diff --git a/curl.spec b/curl.spec index bbdf00a..95181d2 100644 --- a/curl.spec +++ b/curl.spec 
@@ -142,6 +142,9 @@ pushd tests find -type f -name "*.pl" -exec sed -i 's|#!.*/usr/bin/env perl|#!/usr/bin/perl|' "{}" + find -type f -name "*.py" -exec sed -i 's|#!.*/usr/bin/env python.*|#!/usr/bin/python3|' "{}" + +# temporarily disable flaky test 1184, see https://github.com/curl/curl/issues/7725 +printf "1184\n" >> data/DISABLED + perl ./runtests.pl -a -v -p '!flaky' || exit popd %endif
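Review bot: The added `printf "1184\n" >> data/DISABLED` line turns the test off for every future build, and the comment says "temporarily" without naming the condition for removing it. I would extend the comment to something like `# drop once curl/curl#7725 is fixed in the packaged version`, so the next version update revisits it. Because this lands right after a security update, the changelog entry should also say what test 1184 covers, so the lost coverage can be judged. The %check section this belongs to starts outside the hunk.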