From a18af43f0621eb8fc07eba1e389d701cdb0da7f4ca5b944d241e3171780eb39a Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez Date: Wed, 11 Oct 2023 07:00:14 +0000 Subject: [PATCH] Accepting request 1116809 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to 8.4.0: * Security fixes: - SOCKS5 heap buffer overflow [bsc#1215888, CVE-2023-38545] - cookie injection with none file [bsc#1215889, CVE-2023-38546] * Changes: - curl: add support for the IPFS protocols via HTTP gateway - curl_multi_get_handles: get easy handles from a multi handle - mingw: delete support for legacy mingw.org toolchain * Bugfixes: - base64: also build for curl - cf-socket: simulate slow/blocked receives in debug - configure: check for the capath by default - connect: expire the timeout when trying next - connect: only start the happy eyeballs timer when needed - cookie: do not store the expire or max-age strings - cookie: remove unnecessary struct fields - cookie: set ->running in cookie_init even if data is NULL - create-dirs.d: clarify it also uses --output-dirs - http2: refused stream handling for retry - http: h1/h2 proxy unification - http: use per-request counter to check too large headers - idn: if idn2_check_version returns NULL, return error - lib: enable hmac for digest as well - lib: let the max filesize option stop too big transfers too - lib: move handling of 'data->req.writer_stack' into Curl_client_write() - lib: provide and use Curl_hexencode - lib: use wrapper for curl_mime_data fseek callback - libssh2: fix error message on failed pubkey-from-file - libssh: cap SFTP packet size sent - MQTT: improve receive of ACKs OBS-URL: https://build.opensuse.org/request/show/1116809 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=346 --- curl-8.3.0.tar.xz | 3 --- curl-8.3.0.tar.xz.asc | 11 --------- curl-8.4.0.tar.xz | 3 +++ curl-8.4.0.tar.xz.asc | 11 +++++++++ curl.changes | 52 ++++++++++++++++++++++++++++++++++++++++++ curl.spec | 2 +- libcurl-ocloexec.patch | 42 +++++++++++++++++----------------- 7 files changed, 88 
insertions(+), 36 deletions(-)
delete mode 100644 curl-8.3.0.tar.xz
delete mode 100644 curl-8.3.0.tar.xz.asc
create mode 100644 curl-8.4.0.tar.xz
create mode 100644 curl-8.4.0.tar.xz.asc
diff --git a/curl-8.3.0.tar.xz b/curl-8.3.0.tar.xz
deleted file mode 100644
index cf58284..0000000
--- a/curl-8.3.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:376d627767d6c4f05105ab6d497b0d9aba7111770dd9d995225478209c37ea63
-size 2641764
diff --git a/curl-8.3.0.tar.xz.asc b/curl-8.3.0.tar.xz.asc
deleted file mode 100644
index b1c37b9..0000000
--- a/curl-8.3.0.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmUBVMsACgkQXMkI/bce
-EsLSqAf/Su2NkC5/WveXmP4ShKJ/fqO8nJO+YqPo0TOF9o+15iMQY6Y4D0TY4J7F
-EL4s2BCJ3N+mQatyy8vftBIXSBWJE+f/ulCzIpfptx2vA5m1F6rPxpoWgiuaD/xw
-QYaOHoIzIGsPZ9LKse/VWCwJdzvK6Sq731v4YKFr9O3l0f+F++zc04ACq8lJH205
-KYuLKJZfDOjlaozC9uhblpHpf2qgskSvSi5FmzTFlABLcFA4gYTJ3f7dKF0yvMQ2
-SEZm+zN1UTwRHeLU3mP6RCyUvle/8zkZf6+vfJ78OXS7OTt+BcNyHSJOwSl9dmE1
-outJHEDrtt3RU6IDhAFEIT1zL3ifng==
-=xYP1
------END PGP SIGNATURE-----
diff --git a/curl-8.4.0.tar.xz b/curl-8.4.0.tar.xz
new file mode 100644
index 0000000..55f76a5
--- /dev/null
+++ b/curl-8.4.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d
+size 2658376
diff --git a/curl-8.4.0.tar.xz.asc b/curl-8.4.0.tar.xz.asc
new file mode 100644
index 0000000..14d0b0a
--- /dev/null
+++ b/curl-8.4.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmUmNUkACgkQXMkI/bce
+EsIiwQgAjbpDysDBbuhdQekitabLu9vEk5rIk1wAM1cYLGKgEU+8oDIUTa1HFJCV
+zb9fGNdnOpwYHOGiOiX5rec4cHcZrL/w92ctP9kgTY97VU3puESn2JO4abVuLtD6
+lPfzIsSFnvYoawWKWLp8Vkia87r+Au9ZiUhM2NPiuZuBleWhk1RWSWoTN8FalK4x
+pa/aUumd3niCfv5xdQ9fn//CrVJTKc7S18IC+vdlVYM3UgYVghRihTglEEg/7KAj
+Hy73sgU2LtQUuuyL42K942bbKd92/OGvCDbPu3CZ8zL0TXHSFmcbMZrl90RPSCXE
+qJiuih+EQxYKh3CGZxNftSI4iV7aag==
+=wuw5
+-----END PGP SIGNATURE-----
diff --git a/curl.changes b/curl.changes
index 877bb6f..6870467 100644
--- a/curl.changes
+++ b/curl.changes
@@ -1,3 +1,55 @@
+-------------------------------------------------------------------
+Wed Oct 11 06:33:28 UTC 2023 - Pedro Monreal
+
+- Update to 8.4.0:
+ * Security fixes:
+ - SOCKS5 heap buffer overflow [bsc#1215888, CVE-2023-38545]
+ - cookie injection with none file [bsc#1215889, CVE-2023-38546]
+ * Changes:
+ - curl: add support for the IPFS protocols via HTTP gateway
+ - curl_multi_get_handles: get easy handles from a multi handle
+ - mingw: delete support for legacy mingw.org toolchain
+ * Bugfixes:
+ - base64: also build for curl
+ - cf-socket: simulate slow/blocked receives in debug
+ - configure: check for the capath by default
+ - connect: expire the timeout when trying next
+ - connect: only start the happy eyeballs timer when needed
+ - cookie: do not store the expire or max-age strings
+ - cookie: remove unnecessary struct fields
+ - cookie: set ->running in cookie_init even if data is NULL
+ - create-dirs.d: clarify it also uses --output-dirs
+ - http2: refused stream handling for retry
+ - http: h1/h2 proxy unification
+ - http: use per-request counter to check too large headers
+ - idn: if idn2_check_version returns NULL, return error
+ - lib: enable hmac for digest as well
+ - lib: let the max filesize option stop too big transfers too
+ - lib: move handling of 'data->req.writer_stack' into Curl_client_write()
+ - lib: provide and use Curl_hexencode
+ - lib: use wrapper for curl_mime_data fseek callback
+ - libssh2: fix error message on failed pubkey-from-file
+ - libssh: cap SFTP packet size sent
+ - MQTT: improve receive of ACKs
+ - multi: do CURLM_CALL_MULTI_PERFORM at two more places
+ - multi: round the timeout up to prevent early wakeups
+ - openssl: improve ssl shutdown handling
+ - openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR
+ - pytest: exclude test_03_goaway in CI runs due to timing dependency
+ - quic: set ciphers/curves the same way regular TLS does
+ - quiche: fix build error with --with-ca-fallback
+ - socks:
return error if hostname too long for remote resolve + - tftpd: always use curl's own tftp.h + - tool_getparam: accept variable expansion on file names too + - upload-file.d: describe the file name slash/backslash handling + - url: fall back to http/https proxy env-variable if ws/wss not set + - url: fix netrc info message + - wolfssh: do cleanup in Curl_ssh_cleanup + - wolfssl: allow capath with CURLOPT_CAINFO_BLOB + - wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files + - wolfssl: ignore errors in CA path + * Rebase libcurl-ocloexec.patch + ------------------------------------------------------------------- Wed Sep 13 06:45:33 UTC 2023 - Pedro Monreal diff --git a/curl.spec b/curl.spec index 6a19ae0..dba9487 100644 --- a/curl.spec +++ b/curl.spec @@ -21,7 +21,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 8.3.0 +Version: 8.4.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl diff --git a/libcurl-ocloexec.patch b/libcurl-ocloexec.patch index 891ce95..971ccd6 100644 --- a/libcurl-ocloexec.patch +++ b/libcurl-ocloexec.patch @@ -7,10 +7,10 @@ To make it portable you have to test O_CLOEXEC support at *runtime* compile time is not enough. -Index: curl-8.0.0/lib/file.c +Index: curl-8.4.0/lib/file.c =================================================================== ---- curl-8.0.0.orig/lib/file.c -+++ curl-8.0.0/lib/file.c +--- curl-8.4.0.orig/lib/file.c ++++ curl-8.4.0/lib/file.c @@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl } } 
@@ -29,11 +29,11 @@ Index: curl-8.0.0/lib/file.c if(fd < 0) { failf(data, "Can't open %s for writing", file->path); return CURLE_WRITE_ERROR; -Index: curl-8.0.0/lib/if2ip.c +Index: curl-8.4.0/lib/if2ip.c =================================================================== ---- curl-8.0.0.orig/lib/if2ip.c -+++ curl-8.0.0/lib/if2ip.c -@@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af, +--- curl-8.4.0.orig/lib/if2ip.c ++++ curl-8.4.0/lib/if2ip.c +@@ -208,7 +208,7 @@ if2ip_result_t Curl_if2ip(int af, if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; @@ -42,11 +42,11 @@ Index: curl-8.0.0/lib/if2ip.c if(CURL_SOCKET_BAD == dummy) return IF2IP_NOT_FOUND; -Index: curl-8.0.0/configure.ac +Index: curl-8.4.0/configure.ac =================================================================== ---- curl-8.0.0.orig/configure.ac -+++ curl-8.0.0/configure.ac -@@ -420,6 +420,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m +--- curl-8.4.0.orig/configure.ac ++++ curl-8.4.0/configure.ac +@@ -428,6 +428,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m # Silence warning: ar: 'u' modifier ignored since 'D' is the default AC_SUBST(AR_FLAGS, [cr]) @@ -55,19 +55,19 @@ Index: curl-8.0.0/configure.ac dnl This defines _ALL_SOURCE for AIX CURL_CHECK_AIX_ALL_SOURCE -Index: curl-8.0.0/lib/hostip.c +Index: curl-8.4.0/lib/hostip.c =================================================================== ---- curl-8.0.0.orig/lib/hostip.c -+++ curl-8.0.0/lib/hostip.c -@@ -48,6 +48,7 @@ +--- curl-8.4.0.orig/lib/hostip.c ++++ curl-8.4.0/lib/hostip.c +@@ -44,6 +44,7 @@ + #include #include - #endif +#include #include "urldata.h" #include "sendf.h" #include "hostip.h" -@@ -582,7 +583,7 @@ bool Curl_ipv6works(struct Curl_easy *da +@@ -609,7 +610,7 @@ bool Curl_ipv6works(struct Curl_easy *da else { int ipv6_works = -1; /* probe to see if we have a working IPv6 stack */ 
@@ -76,11 +76,11 @@ Index: curl-8.0.0/lib/hostip.c if(s == CURL_SOCKET_BAD) /* an IPv6 address was requested but we can't get/use one */ ipv6_works = 0; -Index: curl-8.0.0/lib/cf-socket.c +Index: curl-8.4.0/lib/cf-socket.c =================================================================== ---- curl-8.0.0.orig/lib/cf-socket.c -+++ curl-8.0.0/lib/cf-socket.c -@@ -252,7 +252,9 @@ static CURLcode socket_open(struct Curl_ +--- curl-8.4.0.orig/lib/cf-socket.c ++++ curl-8.4.0/lib/cf-socket.c +@@ -274,7 +274,9 @@ static CURLcode socket_open(struct Curl_ } else { /* opensocket callback not set, so simply create the socket now */