Accepting request 1131466 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/1131466
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/curl?expand=0&rev=191

curl-8.4.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d
-size 2658376

curl-8.4.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmUmNUkACgkQXMkI/bce
-EsIiwQgAjbpDysDBbuhdQekitabLu9vEk5rIk1wAM1cYLGKgEU+8oDIUTa1HFJCV
-zb9fGNdnOpwYHOGiOiX5rec4cHcZrL/w92ctP9kgTY97VU3puESn2JO4abVuLtD6
-lPfzIsSFnvYoawWKWLp8Vkia87r+Au9ZiUhM2NPiuZuBleWhk1RWSWoTN8FalK4x
-pa/aUumd3niCfv5xdQ9fn//CrVJTKc7S18IC+vdlVYM3UgYVghRihTglEEg/7KAj
-Hy73sgU2LtQUuuyL42K942bbKd92/OGvCDbPu3CZ8zL0TXHSFmcbMZrl90RPSCXE
-qJiuih+EQxYKh3CGZxNftSI4iV7aag==
-=wuw5
------END PGP SIGNATURE-----

curl-8.5.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb
+size 2658520

curl-8.5.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmVwH74ACgkQXMkI/bce
+EsJTjQgApzxL4B3UzTgozV3zElM2bE1tVeAnWzBvvgBr66n8Avj3qJv0OStRTm5I
+GATuiWLFBKHEzrKJbApWiH8nwsKK/ZvlrAe6SyJ5jehK1l51da1LSnI/SkFt7him
+EX2R9Eq8HWD5jhiHOYETFZ9U7aqf+OOnrRevzFs+GCcZqn6M4DKXc9gJCc2qgill
+y9PfHrxLELJscPCw19fw9Hoo4QkcHKP1oOy4uha4iqDUmnFW9WTexVHAGOTMrJwl
+6OZ+5apsaBB7+rambVnyeOx2DfpAsScmaXtaLNIBBDfNbBPkOA3lgmDZr/6KiSP1
+Pr9Y2WDkGKgodo7NeRAHJl/WE+CMmQ==
+=XAIZ
+-----END PGP SIGNATURE-----

curl-secure-getenv.patch

@@ -1,8 +1,8 @@
-Index: curl-7.82.0/lib/getenv.c
+Index: curl-8.5.0/lib/getenv.c
 ===================================================================
---- curl-7.82.0.orig/lib/getenv.c
-+++ curl-7.82.0/lib/getenv.c
-@@ -27,6 +27,14 @@
+--- curl-8.5.0.orig/lib/getenv.c
++++ curl-8.5.0/lib/getenv.c
+@@ -29,6 +29,14 @@
  
  #include "memdebug.h"
  
@@ -16,8 +16,8 @@ Index: curl-7.82.0/lib/getenv.c
 +
  static char *GetEnv(const char *variable)
  {
- #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_APP)
-@@ -66,7 +74,7 @@ static char *GetEnv(const char *variable
+ #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_APP) || \
+@@ -69,7 +77,7 @@ static char *GetEnv(const char *variable
      /* else rc is bytes needed, try again */
    }
  #else
@@ -26,11 +26,11 @@ Index: curl-7.82.0/lib/getenv.c
    return (env && env[0])?strdup(env):NULL;
  #endif
  }
-Index: curl-7.82.0/configure.ac
+Index: curl-8.5.0/configure.ac
 ===================================================================
---- curl-7.82.0.orig/configure.ac
-+++ curl-7.82.0/configure.ac
-@@ -4271,6 +4271,8 @@ if test "x$want_curldebug_assumed" = "xy
+--- curl-8.5.0.orig/configure.ac
++++ curl-8.5.0/configure.ac
+@@ -4767,6 +4767,8 @@ if test "x$want_curldebug_assumed" = "xy
    ac_configure_args="$ac_configure_args --enable-curldebug"
  fi
  

curl-tests-errorcodes.patch

@@ -0,0 +1,150 @@
+From da8c1d15782c8161b455a7ee90197c16ae5edb90 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 6 Dec 2023 09:40:30 +0100
+Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball
+
+Used by test 1477
+
+Reported-by: Xi Ruoyao
+Follow-up to 0ca3a4ec9a7
+Fixes #12462
+Closes #12463
+---
+ tests/Makefile.am | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+Index: curl-8.5.0/tests/Makefile.am
+===================================================================
+--- curl-8.5.0.orig/tests/Makefile.am
++++ curl-8.5.0/tests/Makefile.am
+@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html
+ PDFPAGES = testcurl.pdf runtests.pdf
+ MANDISTPAGES = runtests.1.dist testcurl.1.dist
+ 
+-EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \
+- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \
+- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \
+- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \
+- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \
+- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \
+- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \
+- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \
+- valgrind.supp version-scan.pl check-translatable-options.pl
++EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl           \
++ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl       \
++ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl      \
++ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl    \
++ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl  \
++ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl               \
++ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1     \
++ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \
++ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm   \
++ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl              \
++ check-translatable-options.pl errorcodes.pl
+ 
+ DISTCLEANFILES = configurehelp.pm
+ 
+Index: curl-8.5.0/tests/errorcodes.pl
+===================================================================
+--- /dev/null
++++ curl-8.5.0/tests/errorcodes.pl
+@@ -0,0 +1,99 @@
++#!/usr/bin/env perl
++#***************************************************************************
++#                                  _   _ ____  _
++#  Project                     ___| | | |  _ \| |
++#                             / __| | | | |_) | |
++#                            | (__| |_| |  _ <| |___
++#                             \___|\___/|_| \_\_____|
++#
++# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
++#
++# This software is licensed as described in the file COPYING, which
++# you should have received as part of this distribution. The terms
++# are also available at https://curl.se/docs/copyright.html.
++#
++# You may opt to use, copy, modify, merge, publish, distribute and/or sell
++# copies of the Software, and permit persons to whom the Software is
++# furnished to do so, under the terms of the COPYING file.
++#
++# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++# KIND, either express or implied.
++#
++# SPDX-License-Identifier: curl
++#
++###########################################################################
++
++# Check that libcurl-errors.3 and the public header files have the same set of
++# error codes.
++
++use strict;
++use warnings;
++
++# we may get the dir roots pointed out
++my $root=$ARGV[0] || ".";
++my $manpge = "$root/docs/libcurl/libcurl-errors.3";
++my $curlh = "$root/include/curl";
++my $errors=0;
++
++my @hnames;
++my %wherefrom;
++my @mnames;
++my %manfrom;
++
++sub scanheader {
++    my ($file)=@_;
++    open H, "<$file";
++    my $line = 0;
++    while(<H>) {
++        $line++;
++        if($_ =~ /^  (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
++            my ($name)=($1);
++            if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) {
++                push @hnames, $name;
++                if($wherefrom{$name}) {
++                    print STDERR "double: $name\n";
++                }
++                $wherefrom{$name}="$file:$line";
++            }
++        }
++    }
++    close(H);
++}
++
++sub scanmanpage {
++    my ($file)=@_;
++    open H, "<$file";
++    my $line = 0;
++    while(<H>) {
++        $line++;
++        if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
++            my ($name)=($1);
++            push @mnames, $name;
++            $manfrom{$name}="$file:$line";
++        }
++    }
++    close(H);
++}
++
++
++opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!";
++my @hfiles = grep { /\.h$/ } readdir($dh);
++closedir $dh;
++
++for(sort @hfiles) {
++    scanheader("$curlh/$_");
++}
++scanmanpage($manpge);
++
++print "Result\n";
++for my $h (sort @hnames) {
++    if(!$manfrom{$h}) {
++        printf "$h from %s, not in man page\n", $wherefrom{$h};
++    }
++}
++
++for my $m (sort @mnames) {
++    if(!$wherefrom{$m}) {
++        printf "$m from %s, not in any header\n", $manfrom{$m};
++    }
++}

curl.changes

@@ -1,3 +1,69 @@
+-------------------------------------------------------------------
+Wed Dec  6 09:51:20 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.5.0:
+  * Security fixes:
+    - [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
+    - [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents
+  * Changes:
+    - gnutls: support CURLSSLOPT_NATIVE_CA
+    - HTTP3: ngtcp2 builds are no longer experimental
+  * Bugfixes:
+    - asyn-thread: use pipe instead of socketpair for IPC when available
+    - cmake: fix OpenSSL quic detection in quiche builds
+    - conncache: use the closure handle when disconnecting surplus connections
+    - content_encoding: make Curl_all_content_encodings allocless
+    - cookie: lowercase the domain names before PSL checks
+    - Curl_http_body: cleanup properly when Curl_getformdata errors
+    - CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
+    - doh: provide better return code for responses w/o addresses
+    - doh: use PIPEWAIT when HTTP/2 is attempted
+    - duphandle: also free 'outcurl->cookies' in error path
+    - duphandle: make dupset() not return with pointers to old alloced data
+    - duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
+    - easy: in duphandle, init the cookies for the new handle
+    - easy_lock: add a pthread_mutex_t fallback
+    - fopen: create new file using old file's mode
+    - fopen: create short(er) temporary file name
+    - getenv: PlayStation doesn't have getenv()
+    - hostip: show the list of IPs when resolving is done
+    - hsts: skip single-dot hostname
+    - HTTP/2, HTTP/3: handle detach of onoing transfers
+    - http: allow longer HTTP/2 request method names
+    - hyper: temporarily remove HTTP/2 support
+    - IPFS: fix IPFS_PATH and file parsing
+    - multi: during ratelimit multi_getsock should return no sockets
+    - multi: use pipe instead of socketpair to *wakeup()
+    - ngtcp2: fix races in stream handling
+    - ntlm_wb: use pipe instead of socketpair when possible
+    - openssl: avoid BN_num_bits() NULL pointer derefs
+    - openssl: fix building with v3 `no-deprecated` + add CI test
+    - openssl: fix infof() to avoid compiler warning for %s with null
+    - openssl: identify the "quictls" backend correctly
+    - openssl: include SIG and KEM algorithms in verbose
+    - openssl: two multi pointer checks should probably rather be asserts
+    - openssl: when a session-ID is reused, skip OCSP stapling
+    - quic: make eyeballers connect retries stop at weird replies
+    - quic: manage connection idle timeouts
+    - setopt: check CURLOPT_TFTP_BLKSIZE range on set
+    - socks: better buffer size checks for socks4a user and hostname
+    - socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
+    - tool: fix --capath when proxy support is disabled
+    - tool_getparam: limit --rate to be smaller than number of ms
+    - transfer: abort pause send when connection is marked for closing
+    - transfer: avoid calling the read callback again after EOF
+    - transfer: only reset the FTP wildcard engine in CLEAR state
+    - url: don't touch the multi handle when closing internal handles
+    - urlapi: avoid null deref if setting blank host to url encode
+    - urlapi: skip appending NULL pointer query
+    - urlapi: when URL encoding the fragment, pass in the right length
+    - vtls: cleanup SSL config management
+    - vtls: consistently use typedef names for OpenSSL structs
+    - vtls: late clone of connection ssl config
+    - vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
+  * Rebase curl-secure-getenv.patch
+  * Add curl-tests-errorcodes.patch
+
 -------------------------------------------------------------------
 Wed Oct 11 06:33:28 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
 

curl.spec

@@ -21,7 +21,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        8.4.0
+Version:        8.5.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -35,6 +35,8 @@ Patch1:         dont-mess-with-rpmoptflags.patch
 Patch2:         curl-secure-getenv.patch
 #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3:         curl-disabled-redirect-protocol-message.patch
+#PATCH-FIX-UPSTREAM dist: add tests/errorcodes.pl to the tarball
+Patch4:         curl-tests-errorcodes.patch
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 Requires:       libcurl4 = %{version}