From bee35a323fd5612f3c5a7e49ee0cc8cae8a00ef6c08b4ae51c26e1329ff53331 Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez
Date: Wed, 15 Feb 2023 21:29:29 +0000
Subject: [PATCH] Accepting request 1066056 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
[bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
* Security fixes:
- CVE-2023-23914: HSTS ignored on multiple requests
- CVE-2023-23915: HSTS amnesia with --parallel
- CVE-2023-23916: HTTP multi-header compression denial of service
* Changes:
- curl.h: add CURL_HTTP_VERSION_3ONLY
- share: add sharing of HSTS cache among handles
- src: add --http3-only
- tool_operate: share HSTS between handles
- urlapi: add CURLU_PUNYCODE
- writeout: add %{certs} and %{num_certs}
* Bugfixes:
- cf-socket: keep sockaddr local in the socket filters
- cfilters:Curl_conn_get_select_socks: use the first non-connected filter
- curl.h: allow up to 10M buffer size
- curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
- curl/websockets.h: extend the websocket frame struct
- curl: output warning at --verbose output for debug-enabled version
- curl_free.3: fix return type of `curl_free`
- curl_log: for failf/infof and debug logging implementations
- dict: URL decode the entire path always
- docs/DEPRECATE.md: deprecate gskit
- easyoptions: fix header printing in generation script
- haxproxy: send before TLS handhshake
- hsts.d: explain hsts more
- hsts: handle adding the same host name again
- HTTP/[23]: continue upload when state.drain is set
- http: decode transfer encoding first

OBS-URL: https://build.opensuse.org/request/show/1066056
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=327
---
 curl-7.87.0.tar.xz | 3 -
 curl-7.87.0.tar.xz.asc | 11 ---
 curl-7.88.0.tar.xz | 3 +
 curl-7.88.0.tar.xz.asc | 11 +++
 curl-fix-uninitialized-value-in-tests.patch | 36 ++++++++++
 curl.changes | 75 +++++++++++++++++++++
 curl.spec | 6 +-
 libcurl-ocloexec.patch | 56 +++++++--------
 8 files changed, 157 insertions(+), 44 deletions(-)
 delete mode 100644 curl-7.87.0.tar.xz
 delete mode 100644 curl-7.87.0.tar.xz.asc
 create mode 100644 curl-7.88.0.tar.xz
 create mode 100644 curl-7.88.0.tar.xz.asc
 create mode 100644 curl-fix-uninitialized-value-in-tests.patch

diff --git a/curl-7.87.0.tar.xz b/curl-7.87.0.tar.xz
deleted file mode 100644
index 29739ad..0000000
--- a/curl-7.87.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ee5f1a1955b0ed413435ef79db28b834ea5f0fb7c8cfb1ce47175cc3bee08fff
-size 2547932
diff --git a/curl-7.87.0.tar.xz.asc b/curl-7.87.0.tar.xz.asc
deleted file mode 100644
index a308db6..0000000
--- a/curl-7.87.0.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmOisGkACgkQXMkI/bce
-EsKLAAf/WdvGEmSBxxwitr1Rum4jYt95082FWrRR/C6bhGtMI/K2DE8gpmywONQ8
-NsM0p91wu/sgXG5+mnkyZsD3e5d4ykpGzYBVJS81dcXnKKdCko35p6vZC+gmxy+p
-MGeYyOalhWCvubCCOeATownD70u4qNgl+8qGBWCes33OyEfyeVjXyNVQWqQU1vpP
-ZY54egD3dyVIWF7r61Fdi1zZEeHo3zF6RQwV1alnezqSBcvZFQDHKBIGwl3h9cUk
-iImyEoNvuWs0IVbPlBw7A4WtlW7shLAICyI9hVdmPBmeAbBGmdFum+RhBgSkzUnp
-XbveJQQzTnI6pg7BeFYUNUA4ZuhWIQ==
-=h6dJ
------END PGP SIGNATURE-----
diff --git a/curl-7.88.0.tar.xz b/curl-7.88.0.tar.xz
new file mode 100644
index 0000000..33c459c
--- /dev/null
+++ b/curl-7.88.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd17432cf28714a4cf39d89e26b8ace0d8901199fe5d01d75eb0ae3bbfcc731f
+size 2571564
diff --git a/curl-7.88.0.tar.xz.asc b/curl-7.88.0.tar.xz.asc
new file mode 100644
index 0000000..41d30e4
--- /dev/null
+++ b/curl-7.88.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmPsh9UACgkQXMkI/bce
+EsKToQf/SgYuDYqTtBfcBRAkhngL+9BC+ggUtyY9ok7xdJsZWcYMNVv734otqCQ5
+WBp8X46NSgzsMvlsqwHZjuxiSkHpWr/a+io7V9Tauv8JSa4q4JXGq34OwlP/2QEP
+hyH2IlySeLv2mEmAq26tT0v8xLzwlTZz5EO8+upN7RgDefLOGOe1uefRO67RsFIq
+NtogAfiBFfPbQvyGR9Lux6rXV5jE5fJHPlxeVC9uogb9mnnYDeT2GmwMtZC00+8M
+hJ9PEkB/YmLU1UEykgylvTOJlCOmffd681qReJoEk7v+sdB2U4di2/VBImSX4GYo
+o2B7cDZZSK44Y2hUWHCMOhxpGzGwzA==
+=V4pB
+-----END PGP SIGNATURE-----
diff --git a/curl-fix-uninitialized-value-in-tests.patch b/curl-fix-uninitialized-value-in-tests.patch
new file mode 100644
index 0000000..8af2b24
--- /dev/null
+++ b/curl-fix-uninitialized-value-in-tests.patch
@@ -0,0 +1,36 @@
+From f1d09231adfc695d15995b9ef2c8c6e568c28091 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 15 Feb 2023 13:03:21 +0100
+Subject: [PATCH] runtests: fix "uninitialized value $port"
+
+by using a more appropriate variable
+
+Reported-by: fundawang on github
+Fixes #10518
+Closes #10520
+---
+ tests/runtests.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 71644ad18e855..5cd87897a393c 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -1740,7 +1740,7 @@ sub runhttpserver {
+ }
+ 
+ # where is it?
+- my $port;
++ my $port = 0;
+ if(!$port_or_path) {
+ $port = $port_or_path = pidfromfile($portfile);
+ }
+@@ -1758,7 +1758,7 @@ sub runhttpserver {
+ $pid2 = $pid3;
+ 
+ if($verbose) {
+- logmsg "RUN: $srvrname server is on PID $httppid port $port\n";
++ logmsg "RUN: $srvrname server is on PID $httppid port $port_or_path\n";
+ }
+ 
+ return ($httppid, $pid2, $port);
diff --git a/curl.changes b/curl.changes
index 78944b2..1db7ccc 100644
--- a/curl.changes
+++ b/curl.changes
@@ -1,3 +1,78 @@
+-------------------------------------------------------------------
+Wed Feb 15 08:39:24 UTC 2023 - Pedro Monreal
+
+- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
+ [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
+ * Security fixes:
+ - CVE-2023-23914: HSTS ignored on multiple requests
+ - CVE-2023-23915: HSTS amnesia with --parallel
+ - CVE-2023-23916: HTTP multi-header compression denial of service
+ * Changes:
+ - curl.h: add CURL_HTTP_VERSION_3ONLY
+ - share: add sharing of HSTS cache among handles
+ - src: add --http3-only
+ - tool_operate: share HSTS between handles
+ - urlapi: add CURLU_PUNYCODE
+ - writeout: add %{certs} and %{num_certs}
+ * Bugfixes:
+ - cf-socket: keep sockaddr local in the socket filters
+ - cfilters:Curl_conn_get_select_socks: use the first non-connected filter
+ - curl.h: allow up to 10M buffer size
+ - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
+ - curl/websockets.h: extend the websocket frame struct
+ - curl: output warning at --verbose output for debug-enabled version
+ - curl_free.3: fix return type of `curl_free`
+ - curl_log: for failf/infof and debug logging implementations
+ - dict: URL decode the entire path always
+ - docs/DEPRECATE.md: deprecate gskit
+ - easyoptions: fix header printing in generation script
+ - haxproxy: send before TLS handhshake
+ - hsts.d: explain hsts more
+ - hsts: handle adding the same host name again
+ - HTTP/[23]: continue upload when state.drain is set
+ - http: decode transfer encoding first
+ - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
+ - http_proxy: do not assign data->req.p.http use local copy
+ - lib: connect/h2/h3 refactor
+ - libssh2: try sha2 algos for hostkey methods
+ - md4: fix build with GnuTLS + OpenSSL v1
+ - ngtcp2: replace removed define and stop using removed function
+ - noproxy: support for space-separated names is deprecated
+ - nss: implement data_pending method
+ - openldap: fix missing sasl symbols at build in specific configs
+ - openssl: adapt to boringssl's error code type
+ - openssl: don't ignore CA paths when using Windows CA store (redux)
+ - openssl: don't log raw record headers
+ - openssl: make the BIO_METHOD a local variable in the connection filter
+ - openssl: only use CA_BLOB if verifying peer
+ - openssl: remove attached easy handles from SSL instances
+ - openssl: store the CA after first send (ClientHello)
+ - setopt: use >, not >=, when checking if uarg is larger than uint-max
+ - smb: return error on upload without size
+ - socketpair: allow localhost MITM sniffers
+ - strdup: name it Curl_strdup
+ - tool_getparam: fix hiding of command line secrets
+ - tool_operate: fix error codes on bad URL & OOM
+ - tool_operate: repair --rate
+ - transfer: break the read loop when RECV is cleared
+ - typecheck: accept expressions for option/info parameters
+ - urlapi: avoid Curl_dyn_addf() for hex outputs
+ - urlapi: skip path checks if path is just "/"
+ - urlapi: skip the extra dedotdot alloc if no dot in path
+ - urldata: cease storing TLS auth type
+ - urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
+ - urldata: make set.http200aliases conditional on HTTP being present
+ - urldata: move the cookefilelist to the 'set' struct
+ - urldata: remove unused struct fields, made more conditional
+ - vquic: stabilization and improvements
+ - vtls: fix hostname handling in filters
+ - vtls: manage current easy handle in nested cfilter calls
+ - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
+ * Rebase libcurl-ocloexec.patch
+ * Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
+ - runtests: fix "uninitialized value $port"
+ - Add curl-fix-uninitialized-value-in-tests.patch
+
 -------------------------------------------------------------------
 Wed Dec 21 08:19:23 UTC 2022 - David Anes
 
diff --git a/curl.spec b/curl.spec
index 5b21571..a0ab5d4 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package curl
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name: curl
-Version: 7.87.0
+Version: 7.88.0
 Release: 0
 Summary: A Tool for Transferring Data from URLs
 License: curl
@@ -35,6 +35,8 @@ Patch1: dont-mess-with-rpmoptflags.patch
 Patch2: curl-secure-getenv.patch
 #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3: curl-disabled-redirect-protocol-message.patch
+#PATCH-FIX-UPSTREAM runtests: fix "uninitialized value port"
+Patch4: curl-fix-uninitialized-value-in-tests.patch
 BuildRequires: libtool
 BuildRequires: pkgconfig
 Requires: libcurl4 = %{version}
diff --git a/libcurl-ocloexec.patch b/libcurl-ocloexec.patch
index d5b6970..527c98b 100644
--- a/libcurl-ocloexec.patch
+++ b/libcurl-ocloexec.patch
@@ -7,10 +7,10 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
 compile time is not enough.
 
 
-Index: curl-7.87.0/lib/file.c
+Index: curl-7.88.0/lib/file.c
 ===================================================================
---- curl-7.87.0.orig/lib/file.c
-+++ curl-7.87.0/lib/file.c
+--- curl-7.88.0.orig/lib/file.c
++++ curl-7.88.0/lib/file.c
 @@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl
  }
  }
@@ -29,10 +29,10 @@ Index: curl-7.87.0/lib/file.c
  if(fd < 0) {
  failf(data, "Can't open %s for writing", file->path);
  return CURLE_WRITE_ERROR;
-Index: curl-7.87.0/lib/if2ip.c
+Index: curl-7.88.0/lib/if2ip.c
 ===================================================================
---- curl-7.87.0.orig/lib/if2ip.c
-+++ curl-7.87.0/lib/if2ip.c
+--- curl-7.88.0.orig/lib/if2ip.c
++++ curl-7.88.0/lib/if2ip.c
 @@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af,
  if(len >= sizeof(req.ifr_name))
  return IF2IP_NOT_FOUND;
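Review bot: The new `Patch4:` line in the `@@ -35,6 +35,8 @@` hunk only declares the backport; whether it is actually applied depends on the `%prep` section, which is outside this diff. If `%prep` uses `%autosetup`/`%autopatch` nothing more is needed, but if it lists `%patchN` lines individually, a matching `%patch4 -p1` line must be added or the fix is silently skipped while the changelog claims it is in. The `#PATCH-FIX-UPSTREAM` comment would also be more useful if it carried the upstream commit the patch was taken from, which the changelog in this same commit records as f1d09231adfc695d15995b9ef2c8c6e568c28091, e.g. `#PATCH-FIX-UPSTREAM runtests: fix "uninitialized value $port" (upstream f1d09231adfc695d15995b9ef2c8c6e568c28091)`, so its provenance is traceable at the next rebase.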
@@ -42,26 +42,11 @@ Index: curl-7.87.0/lib/if2ip.c
 if(CURL_SOCKET_BAD == dummy)
 return IF2IP_NOT_FOUND;
 
-Index: curl-7.87.0/lib/connect.c
+Index: curl-7.88.0/configure.ac
 ===================================================================
---- curl-7.87.0.orig/lib/connect.c
-+++ curl-7.87.0/lib/connect.c
-@@ -1559,7 +1559,9 @@ CURLcode Curl_socket(struct Curl_easy *d
- }
- else
- /* opensocket callback not set, so simply create the socket now */
-- *sockfd = socket(addr->family, addr->socktype, addr->protocol);
-+ *sockfd = socket(addr->family,
-+ addr->socktype|SOCK_CLOEXEC,
-+ addr->protocol);
- 
- if(*sockfd == CURL_SOCKET_BAD)
- /* no socket, no connection */
-Index: curl-7.87.0/configure.ac
-===================================================================
---- curl-7.87.0.orig/configure.ac
-+++ curl-7.87.0/configure.ac
-@@ -347,6 +347,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
+--- curl-7.88.0.orig/configure.ac
++++ curl-7.88.0/configure.ac
+@@ -420,6 +420,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
 # Silence warning: ar: 'u' modifier ignored since 'D' is the default
 AC_SUBST(AR_FLAGS, [cr])
 
@@ -70,10 +55,10 @@ Index: curl-7.87.0/configure.ac
 dnl This defines _ALL_SOURCE for AIX
 CURL_CHECK_AIX_ALL_SOURCE
 
-Index: curl-7.87.0/lib/hostip.c
+Index: curl-7.88.0/lib/hostip.c
 ===================================================================
---- curl-7.87.0.orig/lib/hostip.c
-+++ curl-7.87.0/lib/hostip.c
+--- curl-7.88.0.orig/lib/hostip.c
++++ curl-7.88.0/lib/hostip.c
 @@ -48,6 +48,7 @@
 #include
 #endif
@@ -91,3 +76,18 @@ Index: curl-7.87.0/lib/hostip.c
 if(s == CURL_SOCKET_BAD)
 /* an IPv6 address was requested but we can't get/use one */
 ipv6_works = 0;
+Index: curl-7.88.0/lib/cf-socket.c
+===================================================================
+--- curl-7.88.0.orig/lib/cf-socket.c
++++ curl-7.88.0/lib/cf-socket.c
+@@ -252,7 +252,9 @@ static CURLcode socket_open(struct Curl_
+ }
+ else {
+ /* opensocket callback not set, so simply create the socket now */
+- *sockfd = socket(addr->family, addr->socktype, addr->protocol);
++ *sockfd = socket(addr->family,
++ addr->socktype|SOCK_CLOEXEC,
++ addr->protocol);
+ if(!*sockfd && addr->socktype == SOCK_DGRAM) {
+ /* This is icky and seems, at least, to happen on macOS:
+ * we get sockfd == 0 and if called again, we get a valid one > 0.
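Review bot: The rebased `socket_open` hunk ORs `SOCK_CLOEXEC` into `addr->socktype` unconditionally, while the patch's own header says O_CLOEXEC support has to be tested at runtime and not just at compile time; on a platform whose kernel rejects the flag the `socket()` call fails with EINVAL instead of falling back to a non-CLOEXEC socket. Whether the configure.ac hunk rebased in the previous hunk (now `@@ -420,6 +420,8 @@`, its two added lines not shown in this diff) restricts the build to platforms where that is safe cannot be told from here, so it is worth confirming the build-time guard still covers the new call site. The rebase also moves the `socket()` hunk from lib/connect.c to lib/cf-socket.c following the connection-filter refactor listed in the changelog; since that refactor may have introduced further `socket()`/`open()` call sites, a grep of lib/ for ones without `SOCK_CLOEXEC`/`O_CLOEXEC` is the cheap way to be sure no descriptor is still created without close-on-exec and leaked across exec. The inner hunk stops at the `* we get sockfd == 0 ...` comment, so `socket_open` continues outside this diff.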