From 73128f1a05f6a29adcbd79e0df81c36a8af3c49f5bccf17621857e6ba365b1f2 Mon Sep 17 00:00:00 2001 
From: Dirk Mueller Date: Wed, 27 Apr 2022 09:43:43 +0000 Subject: [PATCH] Accepting request 973058 from home:david.anes:branches:devel:libraries:c_c++ - Patches rework: * Refreshed all patches as -p1. * Use autopatch macro. * Renamed: - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch * Removed (already upstream): - curl-fix-verifyhost.patch - Update to 7.83.0: * Security fixes: - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse - (bsc#1198608, CVE-2022-27774) Credential leak on redirect - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use * Changes: - curl: add %header{name} experimental support in -w handling - curl: add %{header_json} experimental support in -w handling - curl: add --no-clobber - curl: add --remove-on-error - header api: add curl_easy_header and curl_easy_nextheader - msh3: add support for QUIC and HTTP/3 using msh3 * Bugfixes: - appveyor: add Cygwin build - appveyor: only add MSYS2 to PATH where required - BearSSL: add CURLOPT_SSL_CIPHER_LIST support - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support - BINDINGS.md: add Hollywood binding - CI: Do not use buildconf. 
Instead, just use: autoreconf -fi - CI: install Python package impacket to run SMB test 1451 - configure.ac: move -pthread CFLAGS setting back where it used to be - configure: bump the copyright year range int the generated output OBS-URL: https://build.opensuse.org/request/show/973058 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=310 --- curl-7.82.0.tar.xz | 3 - curl-7.82.0.tar.xz.asc | 11 -- curl-7.83.0.tar.xz | 3 + curl-7.83.0.tar.xz.asc | 11 ++ curl-disabled-redirect-protocol-message.patch | 8 +- curl-fix-verifyhost.patch | 30 ---- curl-secure-getenv.patch | 14 +- curl.changes | 151 ++++++++++++++++++ curl.spec | 12 +- ...s.diff => dont-mess-with-rpmoptflags.patch | 8 +- libcurl-ocloexec.patch | 36 ++--- 11 files changed, 201 insertions(+), 86 deletions(-) delete mode 100644 curl-7.82.0.tar.xz delete mode 100644 curl-7.82.0.tar.xz.asc create mode 100644 curl-7.83.0.tar.xz create mode 100644 curl-7.83.0.tar.xz.asc delete mode 100644 curl-fix-verifyhost.patch rename dont-mess-with-rpmoptflags.diff => dont-mess-with-rpmoptflags.patch (64%) diff --git a/curl-7.82.0.tar.xz b/curl-7.82.0.tar.xz deleted file mode 100644 index cd3ff95..0000000 --- a/curl-7.82.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c -size 2446764 diff --git a/curl-7.82.0.tar.xz.asc b/curl-7.82.0.tar.xz.asc deleted file mode 100644 index c316e8d..0000000 --- a/curl-7.82.0.tar.xz.asc +++ /dev/null 
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmIjIysACgkQXMkI/bce
-EsK2qQf/bcLm7LXO+Cvh0gbbIS9S5uT2/8g8AJ3/dFijs/BvqW85ajsfSCx9Z4+4
-Bad/CfZvuHoBMKKsSC9uSyBzv3UmupEHxYlIw0oik97Q0NDml5czsLJznGEtRiwh
-DzOSl8hwLg3OhHXD/G239oSPk2b7ys1P7KQsdxadaxHaoVjFMT4qI0/1DQBKBb/C
-AnzXcQUii3HEsPwnS7OmTvbXcDR6HS0Pq4b0Usop1YVppUlP5rG/gV6o7ogA13Cv
-yssbfL8fGN3pSgJWtCLoxbIyZbRUROvR74u0ymlf5oLs4bCWzLR9pGKt+oM9YBGq
-m9LkqrxKUEOp36vdLN4UgqGdWLa5zQ==
-=/k1v
------END PGP SIGNATURE-----
diff --git a/curl-7.83.0.tar.xz b/curl-7.83.0.tar.xz
new file mode 100644
index 0000000..782f082
--- /dev/null
+++ b/curl-7.83.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bbff0e6b5047e773f3c3b084d80546cc1be4e354c09e419c2d0ef6116253511a
+size 2472560
diff --git a/curl-7.83.0.tar.xz.asc b/curl-7.83.0.tar.xz.asc
new file mode 100644
index 0000000..62e9049
--- /dev/null
+++ b/curl-7.83.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmJo38QACgkQXMkI/bce
+EsL1Uwf/Xg8Prwzathb3KeW0GJl3nvXrsxVgiZ8dKN/21GlYVmDAJqKW9ZvY/z43
+uihaO9OI8p7D7ZAM4JxqOWmYf6e9PadMdCP4nNN00GrZaktV54H7yrdcS7UJrFL8
+ASG0Cjg/gRlZS9O7HtIBVikKaugGc9X2j0n7UbuDlgY8eyUL98dxDxuAHf5QOYCX
+8xvIDQrfHb5y3ZrPJDuxHyeyWUh9lnxv35L6SVFxhaXqxZdFZOWddFsQX4/6xgJ2
+JSOpafG3bGB6YsTZ8fFUgu/5CivEORr4jYMWnnYaruCCCFLbIwXr3a5jOrMmg0Hj
+U7YBDim0fx4Hs1th03Myqkq5QAUXxQ==
+=LoEG
+-----END PGP SIGNATURE-----
diff --git a/curl-disabled-redirect-protocol-message.patch b/curl-disabled-redirect-protocol-message.patch
index 2655cb7..93003a3 100644
--- a/curl-disabled-redirect-protocol-message.patch
+++ b/curl-disabled-redirect-protocol-message.patch
@@ -1,8 +1,8 @@ -Index: curl-7.63.0/lib/url.c +Index: curl-7.82.0/lib/url.c =================================================================== ---- curl-7.63.0.orig/lib/url.c -+++ curl-7.63.0/lib/url.c -@@ -1976,9 +1976,13 @@ static CURLcode findprotocol(struct Curl +--- curl-7.82.0.orig/lib/url.c ++++ curl-7.82.0/lib/url.c +@@ -1832,9 +1832,13 @@ static CURLcode findprotocol(struct Curl /* it is allowed for "normal" request, now do an extra check if this is the result of a redirect */ if(data->state.this_is_a_follow && diff --git a/curl-fix-verifyhost.patch b/curl-fix-verifyhost.patch deleted file mode 100644 index adcefe3..0000000 --- a/curl-fix-verifyhost.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 911714d617c106ed5d553bf003e34ec94ab6a136 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 8 Mar 2022 13:38:13 +0100 -Subject: [PATCH] openssl: fix CN check error code - -Due to a missing 'else' this returns error too easily. - -Regressed in: d15692ebb - -Reported-by: Kristoffer Gleditsch -Fixes #8559 -Closes #8560 ---- - lib/vtls/openssl.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 0b79fc50a9c5..4618beeb3867 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -1817,7 +1817,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn, - memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen); - peer_CN[peerlen] = '\0'; - } -- result = CURLE_OUT_OF_MEMORY; -+ else -+ result = CURLE_OUT_OF_MEMORY; - } - } - else /* not a UTF8 name */ diff --git a/curl-secure-getenv.patch b/curl-secure-getenv.patch index ec5f125..0de5d7e 100644 --- a/curl-secure-getenv.patch +++ b/curl-secure-getenv.patch @@ -1,7 +1,7 @@ -Index: lib/getenv.c +Index: curl-7.82.0/lib/getenv.c =================================================================== ---- lib/getenv.c.orig -+++ lib/getenv.c +--- curl-7.82.0.orig/lib/getenv.c ++++ curl-7.82.0/lib/getenv.c 
@@ -27,6 +27,14 @@ #include "memdebug.h" @@ -26,11 +26,11 @@ Index: lib/getenv.c return (env && env[0])?strdup(env):NULL; #endif } -Index: configure.ac +Index: curl-7.82.0/configure.ac =================================================================== ---- configure.ac.orig -+++ configure.ac -@@ -4836,6 +4836,8 @@ if test "x$want_curldebug_assumed" = "xy +--- curl-7.82.0.orig/configure.ac ++++ curl-7.82.0/configure.ac +@@ -4271,6 +4271,8 @@ if test "x$want_curldebug_assumed" = "xy ac_configure_args="$ac_configure_args --enable-curldebug" fi diff --git a/curl.changes b/curl.changes index bcf6a00..8127f9b 100644 --- a/curl.changes +++ b/curl.changes 
@@ -1,3 +1,154 @@ +------------------------------------------------------------------- +Fri Apr 22 11:39:46 UTC 2022 - David Anes + +- Patches rework: + * Refreshed all patches as -p1. + * Use autopatch macro. + * Renamed: + - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch + * Removed (already upstream): + - curl-fix-verifyhost.patch + +- Update to 7.83.0: + * Security fixes: + - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect + - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse + - (bsc#1198608, CVE-2022-27774) Credential leak on redirect + - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use + * Changes: + - curl: add %header{name} experimental support in -w handling + - curl: add %{header_json} experimental support in -w handling + - curl: add --no-clobber + - curl: add --remove-on-error + - header api: add curl_easy_header and curl_easy_nextheader + - msh3: add support for QUIC and HTTP/3 using msh3 + * Bugfixes: + - appveyor: add Cygwin build + - appveyor: only add MSYS2 to PATH where required + - BearSSL: add CURLOPT_SSL_CIPHER_LIST support + - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support + - BINDINGS.md: add Hollywood binding + - CI: Do not use buildconf. 
Instead, just use: autoreconf -fi + - CI: install Python package impacket to run SMB test 1451 + - configure.ac: move -pthread CFLAGS setting back where it used to be + - configure: bump the copyright year range int the generated output + - conncache: include the zone id in the "bundle" hashkey + - connecache: remove duplicate connc->closure_handle check + - connect: make Curl_getconnectinfo work with conn cache from share handle + - connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined + - cookie.d: clarify when cookies are sent + - cookies: improve errorhandling for reading cookiefile + - curl/system.h: update ifdef condition for MCST-LCC compiler + - curl: error out if -T and -d are used for the same URL + - curl: error out when options need features not present in libcurl + - curl: escape '?' in generated --libcurl code + - curl: fix segmentation fault for empty output file names. + - curl_easy_header: fix typos in documentation + - CURLINFO_PRIMARY_PORT.3: clarify which port this is + - CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS + - CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL + - CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs + - CURLOPT_PROGRESSFUNCTION.3: fix typo in example + - CURLOPT_UNRESTRICTED_AUTH.3: extended explanation + - CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype + - docs/HYPER.md: updated to reflect current hyper build needs + - docs/opts: Mention Schannel client cert type is P12 + - docs: Fix missing semicolon in example code + - docs: lots of minor language polish + - English: use American spelling consistently + - fail.d: tweak the description + - firefox-db2pem.sh: make the shell script safer + - ftp: fix error message for partial file upload + - gen.pl: change wording for mutexed options + - GHA: add openssl3 jobs moved over from zuul + - GHA: build hyper with nightly rustc + - GHA: move bearssl jobs over from zuul + - gha: move the event-based test over from Zuul + - gtls: fix build 
for disabled TLS-SRP + - http2: handle DONE called for the paused stream + - http2: RST the stream if we stop it on our own will + - http: avoid auth/cookie on redirects same host diff port + - http: close the stream (not connection) on time condition abort + - http: reject header contents with nul bytes + - http: return error on colon-less HTTP headers + - http: streamclose "already downloaded" + - hyper: fix status_line() return code + - hyper: fix tests 580 and 581 for hyper + - hyper: no h2c support + - infof: consistent capitalization of warning messages + - ipv4/6.d: clarify that they are about using IP addresses + - json.d: fix typo (overriden -> overridden) + - keepalive-time.d: It takes many probes to detect brokenness + - lib/warnless.[ch]: only check for WIN32 and ignore _WIN32 + - lib670: avoid double check result + - lib: #ifdef on USE_HTTP2 better + - lib: fix some misuse of curlx_convert_wchar_to_UTF8 + - lib: remove exclamation marks + - libssh2: compare sha256 strings case sensitively + - libssh2: make the md5 comparison fail if wrong length + - libssh: fix build with old libssh versions + - libssh: fix double close + - libssh: Improve fix for missing SSH_S_ stat macros + - libssh: unstick SFTP transfers when done event-based + - macos: set .plist version in autoconf + - mbedtls: remove 'protocols' array from backend when ALPN is not used + - mbedtls: remove server_fd from backend + - mk-ca-bundle.pl: Use stricter logic to process the certificates + - mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl + - mlc_config.json: add file to ignore known troublesome URLs + - mqtt: better handling of TCP disconnect mid-message + - ngtcp2: add client certificate authentication for OpenSSL + - ngtcp2: avoid busy loop in low CWND situation + - ngtcp2: deal with sub-millisecond timeout + - ngtcp2: disconnect the QUIC connection proper + - ngtcp2: enlarge H3_SEND_SIZE + - ngtcp2: fix HTTP/3 upload stall and avoid busy loop + - ngtcp2: fix memory 
leak + - ngtcp2: fix QUIC_IDLE_TIMEOUT + - ngtcp2: make curl 1ms faster + - ngtcp2: remove remote_addr which is not used in a meaningful way + - ngtcp2: update to work after recent ngtcp2 updates + - ngtcp2: use token when detecting :status header field + - nonblock: restore setsockopt method to curlx_nonblock + - openssl: check SSL_get_peer_cert_chain return value + - openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL + - openssl: fix CN check error code + - options: remove mistaken space before paren in prototype + - perl: removed a double semicolon at end of line + - pop3/smtp: return *WEIRD_SERVER_REPLY when not understood + - projects/README: converted to markdown + - projects: Update VC version names for VS2017, VS2022 + - rtsp: don't let CSeq error override earlier errors + - runtests: add 'bearssl' as testable feature + - runtests: make 'oldlibssh' be before 0.9.4 + - schannel: remove dead code that will never run + - scripts/copyright.pl: ignore the new mlc_config.json file + - scripts: move three scripts from lib/ to scripts/ + - test1135: sync with recent API updates + - test1459: disable for oldlibssh + - test375: fix line endings on Windows + - test386: Fix an incorrect test markup tag + - test718: edited slightly to return better HTTP + - tests/server/util.h: align WIN32 condition with util.c + - tests: refactor server/socksd.c to support --unix-socket + - timediff.[ch]: add curlx helper functions for timeval conversions + - tls: make mbedtls and NSS check for h2, not nghttp2 + - tool and tests: force flush of all buffers at end of program + - tool_cb_hdr: Turn the Location: into a terminal hyperlink + - tool_getparam: error out on missing -K file + - tool_listhelp.c: uppercase URL + - tool_operate: fix a scan-build warning + - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3) + - transfer: redirects to other protocols or ports clear auth + - unit1620: call global_init before calling Curl_open + - url: check sasl additional 
parameters for connection reuse. + - vtls: provide a unified APLN-disagree string for all backends + - vtls: use a backend standard message for "ALPN: offers %s" + - vtls: use a generic "ALPN, server accepted" message + - winbuild/README.md: fixup dead link + - winbuild: Add a Visual Studio example to the README + - wolfssl: fix compiler error without IPv6 + ------------------------------------------------------------------- Fri Mar 11 16:36:50 UTC 2022 - Pedro Monreal diff --git a/curl.spec b/curl.spec index d613eff..14c3a40 100644 --- a/curl.spec +++ b/curl.spec @@ -21,7 +21,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.82.0 +Version: 7.83.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl @@ -31,12 +31,10 @@ Source2: https://curl.se/download/curl-%{version}.tar.xz.asc Source3: baselibs.conf Source4: https://daniel.haxx.se/mykey.asc#/curl.keyring Patch0: libcurl-ocloexec.patch -Patch1: dont-mess-with-rpmoptflags.diff +Patch1: dont-mess-with-rpmoptflags.patch Patch2: curl-secure-getenv.patch #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled Patch3: curl-disabled-redirect-protocol-message.patch -#PATCH-FIX-UPSTREAM Fix: openssl: fix CN check error code -Patch4: curl-fix-verifyhost.patch BuildRequires: libtool BuildRequires: pkgconfig Requires: libcurl4 = %{version} @@ -93,11 +91,7 @@ user interaction or any kind of interactivity. %prep %setup -q -n curl-%{version} -%patch0 -p1 -%patch1 -%patch2 -%patch3 -p1 -%patch4 -p1 +%autopatch -p1 %build # curl complains if macro definition is contained in CFLAGS diff --git a/dont-mess-with-rpmoptflags.diff b/dont-mess-with-rpmoptflags.patch similarity index 64% rename from dont-mess-with-rpmoptflags.diff rename to dont-mess-with-rpmoptflags.patch index d5a4646..93fdb62 100644 --- a/dont-mess-with-rpmoptflags.diff +++ b/dont-mess-with-rpmoptflags.patch 
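Review bot: The `%autopatch -p1` line in `%prep` arrives together with `Version: 7.83.0`, yet all four refreshed patches in this commit still carry `curl-7.82.0` in their `Index:`/`---`/`+++` headers, so their hunk offsets (for example `@@ -1832,9 +1832,13 @@` for lib/url.c) appear to have been computed against the previous tree. With -p1 the leading directory is stripped, so they should still apply, but possibly at an offset. curl-disabled-redirect-protocol-message.patch edits the redirect check in `findprotocol`, and the changelog lists redirect-handling changes for 7.83.0, so it is worth confirming after `%prep` that this hunk still lands in the intended branch. I would refresh the patches against the unpacked 7.83.0 sources so the headers read `Index: curl-7.83.0/lib/url.c` and the offsets match the code that is actually built.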
@@ -1,8 +1,8 @@ -Index: configure.ac +Index: curl-7.82.0/configure.ac =================================================================== ---- configure.ac.orig 2013-02-07 11:55:15.150276599 +0100 -+++ configure.ac 2013-02-07 11:55:15.167277116 +0100 -@@ -288,10 +288,6 @@ dnl platform/compiler/architecture speci +--- curl-7.82.0.orig/configure.ac ++++ curl-7.82.0/configure.ac +@@ -395,10 +395,6 @@ dnl platform/compiler/architecture speci dnl ********************************************************************** CURL_CHECK_COMPILER diff --git a/libcurl-ocloexec.patch b/libcurl-ocloexec.patch index 7f580f8..9a54a5d 100644 --- a/libcurl-ocloexec.patch +++ b/libcurl-ocloexec.patch @@ -7,10 +7,10 @@ To make it portable you have to test O_CLOEXEC support at *runtime* compile time is not enough. -Index: curl-7.79.0/lib/file.c +Index: curl-7.82.0/lib/file.c =================================================================== ---- curl-7.79.0.orig/lib/file.c -+++ curl-7.79.0/lib/file.c +--- curl-7.82.0.orig/lib/file.c ++++ curl-7.82.0/lib/file.c @@ -194,7 +194,7 @@ static CURLcode file_connect(struct Curl return CURLE_URL_MALFORMAT; } @@ -29,11 +29,11 @@ Index: curl-7.79.0/lib/file.c if(fd < 0) { failf(data, "Can't open %s for writing", file->path); return CURLE_WRITE_ERROR; -Index: curl-7.79.0/lib/if2ip.c +Index: curl-7.82.0/lib/if2ip.c =================================================================== ---- curl-7.79.0.orig/lib/if2ip.c -+++ curl-7.79.0/lib/if2ip.c -@@ -202,7 +202,7 @@ if2ip_result_t Curl_if2ip(int af, unsign +--- curl-7.82.0.orig/lib/if2ip.c ++++ curl-7.82.0/lib/if2ip.c +@@ -204,7 +204,7 @@ if2ip_result_t Curl_if2ip(int af, if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; 
@@ -42,11 +42,11 @@ Index: curl-7.79.0/lib/if2ip.c if(CURL_SOCKET_BAD == dummy) return IF2IP_NOT_FOUND; -Index: curl-7.79.0/lib/connect.c +Index: curl-7.82.0/lib/connect.c =================================================================== ---- curl-7.79.0.orig/lib/connect.c -+++ curl-7.79.0/lib/connect.c -@@ -1598,7 +1598,9 @@ CURLcode Curl_socket(struct Curl_easy *d +--- curl-7.82.0.orig/lib/connect.c ++++ curl-7.82.0/lib/connect.c +@@ -1622,7 +1622,9 @@ CURLcode Curl_socket(struct Curl_easy *d } else /* opensocket callback not set, so simply create the socket now */ @@ -57,11 +57,11 @@ Index: curl-7.79.0/lib/connect.c if(*sockfd == CURL_SOCKET_BAD) /* no socket, no connection */ -Index: curl-7.79.0/configure.ac +Index: curl-7.82.0/configure.ac =================================================================== ---- curl-7.79.0.orig/configure.ac -+++ curl-7.79.0/configure.ac -@@ -297,6 +297,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m +--- curl-7.82.0.orig/configure.ac ++++ curl-7.82.0/configure.ac +@@ -320,6 +320,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m # Silence warning: ar: 'u' modifier ignored since 'D' is the default AC_SUBST(AR_FLAGS, [cr]) @@ -70,10 +70,10 @@ Index: curl-7.79.0/configure.ac dnl This defines _ALL_SOURCE for AIX CURL_CHECK_AIX_ALL_SOURCE -Index: curl-7.79.0/lib/hostip.c +Index: curl-7.82.0/lib/hostip.c =================================================================== ---- curl-7.79.0.orig/lib/hostip.c -+++ curl-7.79.0/lib/hostip.c +--- curl-7.82.0.orig/lib/hostip.c ++++ curl-7.82.0/lib/hostip.c @@ -49,7 +49,7 @@ #ifdef HAVE_PROCESS_H #include