Accepting request 1066056 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
  [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
  * Security fixes:
    - CVE-2023-23914: HSTS ignored on multiple requests
    - CVE-2023-23915: HSTS amnesia with --parallel
    - CVE-2023-23916: HTTP multi-header compression denial of service
  * Changes:
    - curl.h: add CURL_HTTP_VERSION_3ONLY
    - share: add sharing of HSTS cache among handles
    - src: add --http3-only
    - tool_operate: share HSTS between handles
    - urlapi: add CURLU_PUNYCODE
    - writeout: add %{certs} and %{num_certs}
  * Bugfixes:
    - cf-socket: keep sockaddr local in the socket filters
    - cfilters:Curl_conn_get_select_socks: use the first non-connected filter
    - curl.h: allow up to 10M buffer size
    - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
    - curl/websockets.h: extend the websocket frame struct
    - curl: output warning at --verbose output for debug-enabled version
    - curl_free.3: fix return type of `curl_free`
    - curl_log: for failf/infof and debug logging implementations
    - dict: URL decode the entire path always
    - docs/DEPRECATE.md: deprecate gskit
    - easyoptions: fix header printing in generation script
    - haxproxy: send before TLS handhshake
    - hsts.d: explain hsts more
    - hsts: handle adding the same host name again
    - HTTP/[23]: continue upload when state.drain is set
    - http: decode transfer encoding first

OBS-URL: https://build.opensuse.org/request/show/1066056
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=327

curl-7.87.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ee5f1a1955b0ed413435ef79db28b834ea5f0fb7c8cfb1ce47175cc3bee08fff
-size 2547932

curl-7.87.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmOisGkACgkQXMkI/bce
-EsKLAAf/WdvGEmSBxxwitr1Rum4jYt95082FWrRR/C6bhGtMI/K2DE8gpmywONQ8
-NsM0p91wu/sgXG5+mnkyZsD3e5d4ykpGzYBVJS81dcXnKKdCko35p6vZC+gmxy+p
-MGeYyOalhWCvubCCOeATownD70u4qNgl+8qGBWCes33OyEfyeVjXyNVQWqQU1vpP
-ZY54egD3dyVIWF7r61Fdi1zZEeHo3zF6RQwV1alnezqSBcvZFQDHKBIGwl3h9cUk
-iImyEoNvuWs0IVbPlBw7A4WtlW7shLAICyI9hVdmPBmeAbBGmdFum+RhBgSkzUnp
-XbveJQQzTnI6pg7BeFYUNUA4ZuhWIQ==
-=h6dJ
------END PGP SIGNATURE-----

curl-7.88.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd17432cf28714a4cf39d89e26b8ace0d8901199fe5d01d75eb0ae3bbfcc731f
+size 2571564

curl-7.88.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmPsh9UACgkQXMkI/bce
+EsKToQf/SgYuDYqTtBfcBRAkhngL+9BC+ggUtyY9ok7xdJsZWcYMNVv734otqCQ5
+WBp8X46NSgzsMvlsqwHZjuxiSkHpWr/a+io7V9Tauv8JSa4q4JXGq34OwlP/2QEP
+hyH2IlySeLv2mEmAq26tT0v8xLzwlTZz5EO8+upN7RgDefLOGOe1uefRO67RsFIq
+NtogAfiBFfPbQvyGR9Lux6rXV5jE5fJHPlxeVC9uogb9mnnYDeT2GmwMtZC00+8M
+hJ9PEkB/YmLU1UEykgylvTOJlCOmffd681qReJoEk7v+sdB2U4di2/VBImSX4GYo
+o2B7cDZZSK44Y2hUWHCMOhxpGzGwzA==
+=V4pB
+-----END PGP SIGNATURE-----

curl-fix-uninitialized-value-in-tests.patch

@@ -0,0 +1,36 @@
+From f1d09231adfc695d15995b9ef2c8c6e568c28091 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 15 Feb 2023 13:03:21 +0100
+Subject: [PATCH] runtests: fix "uninitialized value $port"
+
+by using a more appropriate variable
+
+Reported-by: fundawang on github
+Fixes #10518
+Closes #10520
+---
+ tests/runtests.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 71644ad18e855..5cd87897a393c 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -1740,7 +1740,7 @@ sub runhttpserver {
+     }
+ 
+     # where is it?
+-    my $port;
++    my $port = 0;
+     if(!$port_or_path) {
+         $port = $port_or_path = pidfromfile($portfile);
+     }
+@@ -1758,7 +1758,7 @@ sub runhttpserver {
+     $pid2 = $pid3;
+ 
+     if($verbose) {
+-        logmsg "RUN: $srvrname server is on PID $httppid port $port\n";
++        logmsg "RUN: $srvrname server is on PID $httppid port $port_or_path\n";
+     }
+ 
+     return ($httppid, $pid2, $port);

curl.changes

@@ -1,3 +1,78 @@
+-------------------------------------------------------------------
+Wed Feb 15 08:39:24 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
+  [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
+  * Security fixes:
+    - CVE-2023-23914: HSTS ignored on multiple requests
+    - CVE-2023-23915: HSTS amnesia with --parallel
+    - CVE-2023-23916: HTTP multi-header compression denial of service
+  * Changes:
+    - curl.h: add CURL_HTTP_VERSION_3ONLY
+    - share: add sharing of HSTS cache among handles
+    - src: add --http3-only
+    - tool_operate: share HSTS between handles
+    - urlapi: add CURLU_PUNYCODE
+    - writeout: add %{certs} and %{num_certs}
+  * Bugfixes:
+    - cf-socket: keep sockaddr local in the socket filters
+    - cfilters:Curl_conn_get_select_socks: use the first non-connected filter
+    - curl.h: allow up to 10M buffer size
+    - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
+    - curl/websockets.h: extend the websocket frame struct
+    - curl: output warning at --verbose output for debug-enabled version
+    - curl_free.3: fix return type of `curl_free`
+    - curl_log: for failf/infof and debug logging implementations
+    - dict: URL decode the entire path always
+    - docs/DEPRECATE.md: deprecate gskit
+    - easyoptions: fix header printing in generation script
+    - haxproxy: send before TLS handhshake
+    - hsts.d: explain hsts more
+    - hsts: handle adding the same host name again
+    - HTTP/[23]: continue upload when state.drain is set
+    - http: decode transfer encoding first
+    - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
+    - http_proxy: do not assign data->req.p.http use local copy
+    - lib: connect/h2/h3 refactor
+    - libssh2: try sha2 algos for hostkey methods
+    - md4: fix build with GnuTLS + OpenSSL v1
+    - ngtcp2: replace removed define and stop using removed function
+    - noproxy: support for space-separated names is deprecated
+    - nss: implement data_pending method
+    - openldap: fix missing sasl symbols at build in specific configs
+    - openssl: adapt to boringssl's error code type
+    - openssl: don't ignore CA paths when using Windows CA store (redux)
+    - openssl: don't log raw record headers
+    - openssl: make the BIO_METHOD a local variable in the connection filter
+    - openssl: only use CA_BLOB if verifying peer
+    - openssl: remove attached easy handles from SSL instances
+    - openssl: store the CA after first send (ClientHello)
+    - setopt: use >, not >=, when checking if uarg is larger than uint-max
+    - smb: return error on upload without size
+    - socketpair: allow localhost MITM sniffers
+    - strdup: name it Curl_strdup
+    - tool_getparam: fix hiding of command line secrets
+    - tool_operate: fix error codes on bad URL & OOM
+    - tool_operate: repair --rate
+    - transfer: break the read loop when RECV is cleared
+    - typecheck: accept expressions for option/info parameters
+    - urlapi: avoid Curl_dyn_addf() for hex outputs
+    - urlapi: skip path checks if path is just "/"
+    - urlapi: skip the extra dedotdot alloc if no dot in path
+    - urldata: cease storing TLS auth type
+    - urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
+    - urldata: make set.http200aliases conditional on HTTP being present
+    - urldata: move the cookefilelist to the 'set' struct
+    - urldata: remove unused struct fields, made more conditional
+    - vquic: stabilization and improvements
+    - vtls: fix hostname handling in filters
+    - vtls: manage current easy handle in nested cfilter calls
+    - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
+  * Rebase libcurl-ocloexec.patch
+  * Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
+    - runtests: fix "uninitialized value $port"
+    - Add curl-fix-uninitialized-value-in-tests.patch
+
 -------------------------------------------------------------------
 Wed Dec 21 08:19:23 UTC 2022 - David Anes <david.anes@suse.com>
 

curl.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package curl
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        7.87.0
+Version:        7.88.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -35,6 +35,8 @@ Patch1:         dont-mess-with-rpmoptflags.patch
 Patch2:         curl-secure-getenv.patch
 #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3:         curl-disabled-redirect-protocol-message.patch
+#PATCH-FIX-UPSTREAM runtests: fix "uninitialized value port"
+Patch4:         curl-fix-uninitialized-value-in-tests.patch
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 Requires:       libcurl4 = %{version}

libcurl-ocloexec.patch

@@ -7,10 +7,10 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
 compile time is not enough.
 
 
-Index: curl-7.87.0/lib/file.c
+Index: curl-7.88.0/lib/file.c
 ===================================================================
---- curl-7.87.0.orig/lib/file.c
-+++ curl-7.87.0/lib/file.c
+--- curl-7.88.0.orig/lib/file.c
++++ curl-7.88.0/lib/file.c
 @@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl
      }
    }
@@ -29,10 +29,10 @@ Index: curl-7.87.0/lib/file.c
    if(fd < 0) {
      failf(data, "Can't open %s for writing", file->path);
      return CURLE_WRITE_ERROR;
-Index: curl-7.87.0/lib/if2ip.c
+Index: curl-7.88.0/lib/if2ip.c
 ===================================================================
---- curl-7.87.0.orig/lib/if2ip.c
-+++ curl-7.87.0/lib/if2ip.c
+--- curl-7.88.0.orig/lib/if2ip.c
++++ curl-7.88.0/lib/if2ip.c
 @@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af,
    if(len >= sizeof(req.ifr_name))
      return IF2IP_NOT_FOUND;
@@ -42,26 +42,11 @@ Index: curl-7.87.0/lib/if2ip.c
    if(CURL_SOCKET_BAD == dummy)
      return IF2IP_NOT_FOUND;
  
-Index: curl-7.87.0/lib/connect.c
+Index: curl-7.88.0/configure.ac
 ===================================================================
---- curl-7.87.0.orig/lib/connect.c
-+++ curl-7.87.0/lib/connect.c
-@@ -1559,7 +1559,9 @@ CURLcode Curl_socket(struct Curl_easy *d
-   }
-   else
-     /* opensocket callback not set, so simply create the socket now */
--    *sockfd = socket(addr->family, addr->socktype, addr->protocol);
-+    *sockfd = socket(addr->family,
-+                     addr->socktype|SOCK_CLOEXEC,
-+                     addr->protocol);
- 
-   if(*sockfd == CURL_SOCKET_BAD)
-     /* no socket, no connection */
-Index: curl-7.87.0/configure.ac
-===================================================================
---- curl-7.87.0.orig/configure.ac
-+++ curl-7.87.0/configure.ac
-@@ -347,6 +347,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
+--- curl-7.88.0.orig/configure.ac
++++ curl-7.88.0/configure.ac
+@@ -420,6 +420,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
  # Silence warning: ar: 'u' modifier ignored since 'D' is the default
  AC_SUBST(AR_FLAGS, [cr])
  
@@ -70,10 +55,10 @@ Index: curl-7.87.0/configure.ac
  dnl This defines _ALL_SOURCE for AIX
  CURL_CHECK_AIX_ALL_SOURCE
  
-Index: curl-7.87.0/lib/hostip.c
+Index: curl-7.88.0/lib/hostip.c
 ===================================================================
---- curl-7.87.0.orig/lib/hostip.c
-+++ curl-7.87.0/lib/hostip.c
+--- curl-7.88.0.orig/lib/hostip.c
++++ curl-7.88.0/lib/hostip.c
 @@ -48,6 +48,7 @@
  #include <signal.h>
  #endif
@@ -91,3 +76,18 @@ Index: curl-7.87.0/lib/hostip.c
      if(s == CURL_SOCKET_BAD)
        /* an IPv6 address was requested but we can't get/use one */
        ipv6_works = 0;
+Index: curl-7.88.0/lib/cf-socket.c
+===================================================================
+--- curl-7.88.0.orig/lib/cf-socket.c
++++ curl-7.88.0/lib/cf-socket.c
+@@ -252,7 +252,9 @@ static CURLcode socket_open(struct Curl_
+   }
+   else {
+     /* opensocket callback not set, so simply create the socket now */
+-    *sockfd = socket(addr->family, addr->socktype, addr->protocol);
++    *sockfd = socket(addr->family,
++                     addr->socktype|SOCK_CLOEXEC,
++                     addr->protocol);
+     if(!*sockfd && addr->socktype == SOCK_DGRAM) {
+       /* This is icky and seems, at least, to happen on macOS:
+        * we get sockfd == 0 and if called again, we get a valid one > 0.