From ce6f51d0bc09c72954ec477331e78cddc17edf08e813bf9cf734e18df2d2b232 Mon Sep 17 00:00:00 2001 
From: David Anes Date: Wed, 31 Jan 2024 12:17:58 +0000 Subject: [PATCH] Accepting request 1142991 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to 8.6.0: [bsc#1219149, CVE-2024-0853] * Security fixes: - CVE-2024-0853: OCSP verification bypass with TLS session reuse * Changes: - add CURLE_TOO_LARGE, CURLINFO_QUEUE_TIME_T * Bugfixes: - altsvc: free 'as' when returning error - asyn-ares: with modern c-ares, use its default timeout - cf-socket: show errno in tcpkeepalive error messages - cmdline-opts: update availability for the *-ca-native options - configure: when enabling QUIC, check that TLS supports QUIC - content_encoding: change return code to typedef'ed enum - curl: show ipfs and ipns as supported "protocols" - CURLINFO_REFERER.3: clarify that it is the *request* header - dist: add tests/errorcodes.pl to the tarball - gen.pl: support ## for doing .IP in table-like lists - GHA: bump ngtcp2, gnutls, mod_h2, quiche - hostip: return error immediately when Curl_ip2addr() fails - http3/quiche: fix result code on a stream reset - http3: initial support for OpenSSL 3.2 QUIC stack - http: check for "Host:" case insensitively - http: fix off-by-one error in request method length check - http: only act on 101 responses when they are HTTP/1.1 - lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT - lib: error out on multissl + http3 - lib: fix variable undeclared error caused by `infof` changes - lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding - lib: strndup/memdup instead of malloc, memcpy and null-terminate - libssh2: use `libssh2_session_callback_set2()` with v1.11.1 - ngtcp2: put h3 at the front of alpn OBS-URL: https://build.opensuse.org/request/show/1142991 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=352 --- curl-8.5.0.tar.xz | 3 - curl-8.5.0.tar.xz.asc | 11 --- curl-8.6.0.tar.xz | 3 + curl-8.6.0.tar.xz.asc | 11 +++ curl-adjust-pollset-fix.patch | 74 --------------- 
curl-tests-errorcodes.patch | 150 -------------------------------
curl.changes | 50 +++++++++++
curl.spec | 7 +-
dont-mess-with-rpmoptflags.patch | 10 +--
9 files changed, 71 insertions(+), 248 deletions(-)
delete mode 100644 curl-8.5.0.tar.xz
delete mode 100644 curl-8.5.0.tar.xz.asc
create mode 100644 curl-8.6.0.tar.xz
create mode 100644 curl-8.6.0.tar.xz.asc
delete mode 100644 curl-adjust-pollset-fix.patch
delete mode 100644 curl-tests-errorcodes.patch
diff --git a/curl-8.5.0.tar.xz b/curl-8.5.0.tar.xz
deleted file mode 100644
index 497c78e..0000000
--- a/curl-8.5.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb
-size 2658520
diff --git a/curl-8.5.0.tar.xz.asc b/curl-8.5.0.tar.xz.asc
deleted file mode 100644
index ef7676b..0000000
--- a/curl-8.5.0.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmVwH74ACgkQXMkI/bce
-EsJTjQgApzxL4B3UzTgozV3zElM2bE1tVeAnWzBvvgBr66n8Avj3qJv0OStRTm5I
-GATuiWLFBKHEzrKJbApWiH8nwsKK/ZvlrAe6SyJ5jehK1l51da1LSnI/SkFt7him
-EX2R9Eq8HWD5jhiHOYETFZ9U7aqf+OOnrRevzFs+GCcZqn6M4DKXc9gJCc2qgill
-y9PfHrxLELJscPCw19fw9Hoo4QkcHKP1oOy4uha4iqDUmnFW9WTexVHAGOTMrJwl
-6OZ+5apsaBB7+rambVnyeOx2DfpAsScmaXtaLNIBBDfNbBPkOA3lgmDZr/6KiSP1
-Pr9Y2WDkGKgodo7NeRAHJl/WE+CMmQ==
-=XAIZ
------END PGP SIGNATURE-----
diff --git a/curl-8.6.0.tar.xz b/curl-8.6.0.tar.xz
new file mode 100644
index 0000000..2299c12
--- /dev/null
+++ b/curl-8.6.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3ccd55d91af9516539df80625f818c734dc6f2ecf9bada33c76765e99121db15
+size 2630108
diff --git a/curl-8.6.0.tar.xz.asc b/curl-8.6.0.tar.xz.asc
new file mode 100644
index 0000000..2cfe8a7
--- /dev/null
+++ b/curl-8.6.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmW58RcACgkQXMkI/bce
+EsKLvgf9Em0etBEnbJzkhmCiKUOfn3sTKhIHA4y1/O+anaNfEx0E89VUQuFZRcUz
+i4ENOVjTXxVy4zZUobOOWz7RXrvv6XnX9A++RYkBoEk4mmNB3A6ShsTeCR2mS4yi
+dL5UfH2YEu7B6x/ONROKKuGawsqw0D6wzVgrD+J1e8Bu+1P8YOUqsQWVJmJFlYMN
+2A8NP4GZHnmP3rnupx1RY3/MgJU0FjlQ428BOA7PIiYKEVto0dp6cqd4AQsLgQPy
+J1RBcge1Uwqe+k/IenUx7bUaQfr+NY34ryrMxbLPghPimfeyjjsDxyr+OwoQM1aw
+64WqLXBgQmhluT0STyHdD0Tc/JHYrw==
+=GboB
+-----END PGP SIGNATURE-----
diff --git a/curl-adjust-pollset-fix.patch b/curl-adjust-pollset-fix.patch
deleted file mode 100644
index 1d75e9c..0000000
--- a/curl-adjust-pollset-fix.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From 3a24ef09af5fe7fdd672dee72ff760f871105a03 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing -Date: Thu, 4 Jan 2024 10:06:17 +0100 -Subject: [PATCH] adjust_pollset fix - -- do not add a socket for POLLIN when the transfer does not - want to send (for example is paused). -- refs #12632 ---- - lib/cf-socket.c | 2 +- - lib/http2.c | 4 ++-- - lib/vquic/curl_ngtcp2.c | 7 ++++--- - lib/vquic/curl_quiche.c | 2 +- - 4 files changed, 8 insertions(+), 7 deletions(-) - -diff --git a/lib/cf-socket.c b/lib/cf-socket.c -index bd4f0d1e97e2d3..c86aa7e7c2a969 100644 ---- a/lib/cf-socket.c -+++ b/lib/cf-socket.c -@@ -1243,7 +1243,7 @@ static void cf_socket_adjust_pollset(struct Curl_cfilter *cf, - if(ctx->sock != CURL_SOCKET_BAD) { - if(!cf->connected) - Curl_pollset_set_out_only(data, ps, ctx->sock); -- else -+ else if(CURL_WANT_RECV(data)) - Curl_pollset_add_in(data, ps, ctx->sock); - CURL_TRC_CF(data, cf, "adjust_pollset -> %d socks", ps->num); - } -diff --git a/lib/http2.c b/lib/http2.c -index dcc24ea102302c..b7a08607945357 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -2341,8 +2341,8 @@ static void cf_h2_adjust_pollset(struct Curl_cfilter *cf, - bool c_exhaust, s_exhaust; - - CF_DATA_SAVE(save, cf, data); -- c_exhaust = !nghttp2_session_get_remote_window_size(ctx->h2); -- s_exhaust = stream && stream->id >= 0 && -+ c_exhaust = want_send && !nghttp2_session_get_remote_window_size(ctx->h2); -+ s_exhaust = want_send && stream && stream->id >= 0 && - !nghttp2_session_get_stream_remote_window_size(ctx->h2, - stream->id); - want_recv = (want_recv || c_exhaust || s_exhaust); -diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c -index f4edf2d636ef93..89f690462d640b 100644 ---- a/lib/vquic/curl_ngtcp2.c -+++ b/lib/vquic/curl_ngtcp2.c -@@ -1166,9 +1166,10 @@ static void cf_ngtcp2_adjust_pollset(struct Curl_cfilter *cf, - bool c_exhaust, s_exhaust; - - CF_DATA_SAVE(save, cf, data); -- c_exhaust = !ngtcp2_conn_get_cwnd_left(ctx->qconn) || -- 
!ngtcp2_conn_get_max_data_left(ctx->qconn); -- s_exhaust = stream && stream->id >= 0 && stream->quic_flow_blocked; -+ c_exhaust = want_send && (!ngtcp2_conn_get_cwnd_left(ctx->qconn) || -+ !ngtcp2_conn_get_max_data_left(ctx->qconn)); -+ s_exhaust = want_send && stream && stream->id >= 0 && -+ stream->quic_flow_blocked; - want_recv = (want_recv || c_exhaust || s_exhaust); - want_send = (!s_exhaust && want_send) || - !Curl_bufq_is_empty(&ctx->q.sendbuf); -diff --git a/lib/vquic/curl_quiche.c b/lib/vquic/curl_quiche.c -index 33c2621dc8bf63..9c4df2df0f6955 100644 ---- a/lib/vquic/curl_quiche.c -+++ b/lib/vquic/curl_quiche.c -@@ -1189,7 +1189,7 @@ static void cf_quiche_adjust_pollset(struct Curl_cfilter *cf, - - c_exhaust = FALSE; /* Have not found any call in quiche that tells - us if the connection itself is blocked */ -- s_exhaust = stream && stream->id >= 0 && -+ s_exhaust = want_send && stream && stream->id >= 0 && - (stream->quic_flow_blocked || !stream_is_writeable(cf, data)); - want_recv = (want_recv || c_exhaust || s_exhaust); - want_send = (!s_exhaust && want_send) || diff --git a/curl-tests-errorcodes.patch b/curl-tests-errorcodes.patch deleted file mode 100644 index cad472d..0000000 --- a/curl-tests-errorcodes.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -From da8c1d15782c8161b455a7ee90197c16ae5edb90 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 6 Dec 2023 09:40:30 +0100 -Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball - -Used by test 1477 - -Reported-by: Xi Ruoyao -Follow-up to 0ca3a4ec9a7 -Fixes #12462 -Closes #12463 ---- - tests/Makefile.am | 20 +++++++++++--------- - 1 file changed, 11 insertions(+), 9 deletions(-) - -Index: curl-8.5.0/tests/Makefile.am -=================================================================== ---- curl-8.5.0.orig/tests/Makefile.am -+++ curl-8.5.0/tests/Makefile.am -@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html - PDFPAGES = testcurl.pdf runtests.pdf - MANDISTPAGES = runtests.1.dist testcurl.1.dist - --EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \ -- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \ -- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \ -- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ -- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \ -- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \ -- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \ -- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \ -- valgrind.supp version-scan.pl check-translatable-options.pl -+EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \ -+ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \ -+ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \ -+ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl \ -+ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ -+ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \ -+ 
options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 \ -+ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \ -+ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \ -+ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \ -+ check-translatable-options.pl errorcodes.pl - - DISTCLEANFILES = configurehelp.pm - -Index: curl-8.5.0/tests/errorcodes.pl -=================================================================== ---- /dev/null -+++ curl-8.5.0/tests/errorcodes.pl -@@ -0,0 +1,99 @@ -+#!/usr/bin/env perl -+#*************************************************************************** -+# _ _ ____ _ -+# Project ___| | | | _ \| | -+# / __| | | | |_) | | -+# | (__| |_| | _ <| |___ -+# \___|\___/|_| \_\_____| -+# -+# Copyright (C) Daniel Stenberg, , et al. -+# -+# This software is licensed as described in the file COPYING, which -+# you should have received as part of this distribution. The terms -+# are also available at https://curl.se/docs/copyright.html. -+# -+# You may opt to use, copy, modify, merge, publish, distribute and/or sell -+# copies of the Software, and permit persons to whom the Software is -+# furnished to do so, under the terms of the COPYING file. -+# -+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+# KIND, either express or implied. -+# -+# SPDX-License-Identifier: curl -+# -+########################################################################### -+ -+# Check that libcurl-errors.3 and the public header files have the same set of -+# error codes. 
-+
-+use strict;
-+use warnings;
-+
-+# we may get the dir roots pointed out
-+my $root=$ARGV[0] || ".";
-+my $manpge = "$root/docs/libcurl/libcurl-errors.3";
-+my $curlh = "$root/include/curl";
-+my $errors=0;
-+
-+my @hnames;
-+my %wherefrom;
-+my @mnames;
-+my %manfrom;
-+
-+sub scanheader {
-+ my ($file)=@_;
-+ open H, "<$file";
-+ my $line = 0;
-+ while() {
-+ $line++;
-+ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
-+ my ($name)=($1);
-+ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) {
-+ push @hnames, $name;
-+ if($wherefrom{$name}) {
-+ print STDERR "double: $name\n";
-+ }
-+ $wherefrom{$name}="$file:$line";
-+ }
-+ }
-+ }
-+ close(H);
-+}
-+
-+sub scanmanpage {
-+ my ($file)=@_;
-+ open H, "<$file";
-+ my $line = 0;
-+ while() {
-+ $line++;
-+ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
-+ my ($name)=($1);
-+ push @mnames, $name;
-+ $manfrom{$name}="$file:$line";
-+ }
-+ }
-+ close(H);
-+}
-+
-+
-+opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!";
-+my @hfiles = grep { /\.h$/ } readdir($dh);
-+closedir $dh;
-+
-+for(sort @hfiles) {
-+ scanheader("$curlh/$_");
-+}
-+scanmanpage($manpge);
-+
-+print "Result\n";
-+for my $h (sort @hnames) {
-+ if(!$manfrom{$h}) {
-+ printf "$h from %s, not in man page\n", $wherefrom{$h};
-+ }
-+}
-+
-+for my $m (sort @mnames) {
-+ if(!$wherefrom{$m}) {
-+ printf "$m from %s, not in any header\n", $manfrom{$m};
-+ }
-+}
diff --git a/curl.changes b/curl.changes
index 9f37391..88ee93b 100644
--- a/curl.changes
+++ b/curl.changes
@@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Wed Jan 31 09:11:56 UTC 2024 - Pedro Monreal
+
+- Update to 8.6.0: [bsc#1219149, CVE-2024-0853]
+ * Security fixes:
+ - CVE-2024-0853: OCSP verification bypass with TLS session reuse
+ * Changes:
+ - add CURLE_TOO_LARGE, CURLINFO_QUEUE_TIME_T
+ * Bugfixes:
+ - altsvc: free 'as' when returning error
+ - asyn-ares: with modern c-ares, use its default timeout
+ - cf-socket: show errno in tcpkeepalive error messages
+ - cmdline-opts: update availability for the *-ca-native options
+ - configure: when enabling QUIC, check that TLS supports QUIC
+ - content_encoding: change return code to typedef'ed enum
+ - curl: show ipfs and ipns as supported "protocols"
+ - CURLINFO_REFERER.3: clarify that it is the *request* header
+ - dist: add tests/errorcodes.pl to the tarball
+ - gen.pl: support ## for doing .IP in table-like lists
+ - GHA: bump ngtcp2, gnutls, mod_h2, quiche
+ - hostip: return error immediately when Curl_ip2addr() fails
+ - http3/quiche: fix result code on a stream reset
+ - http3: initial support for OpenSSL 3.2 QUIC stack
+ - http: check for "Host:" case insensitively
+ - http: fix off-by-one error in request method length check
+ - http: only act on 101 responses when they are HTTP/1.1
+ - lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT
+ - lib: error out on multissl + http3
+ - lib: fix variable undeclared error caused by `infof` changes
+ - lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
+ - lib: strndup/memdup instead of malloc, memcpy and null-terminate
+ - libssh2: use `libssh2_session_callback_set2()` with v1.11.1
+ - ngtcp2: put h3 at the front of alpn
+ - openldap: fix an LDAP crash
+ - openldap: fix STARTTLS
+ - openssl: re-match LibreSSL deinit with init
+ - rtsp: deal with borked server responses
+ - sasl: make login option string override http auth
+ - tool: prepend output_dir in header callback
+ - tool_getparam: stop supporting 
`@filename` style for --cookie
+ - transfer: fix upload rate limiting, add test cases
+ - url: don't set default CA paths for Secure Transport backend
+ - url: for disabled protocols, mention if found in redirect
+ - vquic: extract TLS setup into own source
+ - websockets: check for negative payload lengths
+ * Remove patches fixed upstream:
+ - curl-adjust-pollset-fix.patch
+ - curl-tests-errorcodes.patch
+ * Rebase dont-mess-with-rpmoptflags.patch
+
 -------------------------------------------------------------------
 Fri Jan 5 17:54:08 UTC 2024 - Michael Pujos
diff --git a/curl.spec b/curl.spec
index a1d83bb..749ef75 100644
--- a/curl.spec
+++ b/curl.spec
@@ -21,7 +21,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name: curl
-Version: 8.5.0
+Version: 8.6.0
 Release: 0
 Summary: A Tool for Transferring Data from URLs
 License: curl
@@ -35,10 +35,6 @@ Patch1: dont-mess-with-rpmoptflags.patch
 Patch2: curl-secure-getenv.patch
 #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3: curl-disabled-redirect-protocol-message.patch
-#PATCH-FIX-UPSTREAM dist: add tests/errorcodes.pl to the tarball
-Patch4: curl-tests-errorcodes.patch
-# fix MPD http streaming: https://github.com/curl/curl/issues/12632
-Patch5: curl-adjust-pollset-fix.patch
 BuildRequires: libtool
 BuildRequires: pkgconfig
 Requires: libcurl4 = %{version}
@@ -174,6 +170,7 @@ popd
 %{_bindir}/curl
 %{_datadir}/zsh/site-functions/_curl
 %{_mandir}/man1/curl.1%{?ext_man}
+%{_mandir}/man1/mk-ca-bundle.1%{?ext_man}
 %dir %{_datadir}/zsh
 %dir %{_datadir}/zsh/site-functions
 %dir %{_datadir}/fish/
diff --git a/dont-mess-with-rpmoptflags.patch b/dont-mess-with-rpmoptflags.patch
index 93fdb62..cc7aa75 100644
--- a/dont-mess-with-rpmoptflags.patch
+++ b/dont-mess-with-rpmoptflags.patch
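Review bot: The third curl.spec hunk adds `%{_mandir}/man1/mk-ca-bundle.1%{?ext_man}` to the curl package's %files list, but the curl.changes entry in this same commit does not record that the mk-ca-bundle man page is now packaged; add a line such as `  * Package the mk-ca-bundle.1 man page` under the 8.6.0 entry so the file-list change is traceable. The second hunk only drops the `Patch4:`/`Patch5:` declarations; if %prep applies patches with explicit `%patch` lines rather than %autopatch, the matching lines in %prep would also need to go, which cannot be confirmed from the visible hunks. Both the old and new .asc blocks appear to carry the same signing-key identifier in their first base64 line, so the existing keyring should still validate the new tarball, but that is inferred rather than shown by this diff.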
@@ -1,11 +1,11 @@
-Index: curl-7.82.0/configure.ac
+Index: curl-8.6.0/configure.ac
 ===================================================================
---- curl-7.82.0.orig/configure.ac
-+++ curl-7.82.0/configure.ac
-@@ -395,10 +395,6 @@ dnl platform/compiler/architecture speci
- dnl **********************************************************************
+--- curl-8.6.0.orig/configure.ac
++++ curl-8.6.0/configure.ac
+@@ -506,10 +506,6 @@ dnl ************************************
 CURL_CHECK_COMPILER
+ CURL_CHECK_NATIVE_WINDOWS
 -CURL_SET_COMPILER_BASIC_OPTS
 -CURL_SET_COMPILER_DEBUG_OPTS
 -CURL_SET_COMPILER_OPTIMIZE_OPTS