pool/curl
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1afbf91ed8
curl/libcurl-ocloexec.patch
Pedro Monreal Gonzalez 1afbf91ed8 Accepting request 919068 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ 
- Update to 7.79.0: [bsc#1190213, CVE-2021-22945]
  [bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947]
  * Changes:
    - bearssl: support CURLOPT_CAINFO_BLOB
    - http: consider cookies over localhost to be secure
    - secure transport: support CURLINFO_CERTINFO
  * Bugfixes:
    - CVE-2021-22945: clear the leftovers pointer when sending succeeds
    - CVE-2021-22946: do not ignore --ssl-reqd
    - CVE-2021-22947: reject STARTTLS server response pipelining
    - auth: do not append zero-terminator to authorisation id in kerberos
    - auth: properly handle byte order in kerberos security message
    - auth: use sasl authzid option in kerberos
    - auth: we do not support a security layer after kerberos authentication
    - c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
    - c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
    - c-hyper: initial step for 100-continue support
    - c-hyper: initial support for "dumping" 1xx HTTP responses
    - curl-openssl.m4: show correct output for OpenSSL v3
    - docs/MQTT: update state of username/password support
    - docs: the security list is reached at security at curl.se now
    - getparameter: fix the --local-port number parser
    - hostip: Make Curl_ipv6works function independent of getaddrinfo
    - http_proxy: fix the User-Agent inclusion in CONNECT
    - http_proxy: fix user-agent and custom headers for CONNECT with hyper
    - http_proxy: only wait for writable socket while sending request
    - mailing lists: move from cool.haxx.se to lists.haxx.se
    - mbedtls: avoid using a large buffer on the stack
    - mbedTLS: initial 3.0.0 support
    - ngtcp2: remove the acked_crypto_offset struct field init

OBS-URL: https://build.opensuse.org/request/show/919068
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=301
2021-09-15 08:46:22 +00:00

95 lines
3.2 KiB
Diff
Raw Blame History

Open library file descriptors with O_CLOEXEC
This patch is non-portable, it needs linux 2.6.23 and glibc 2.7
or later, different combinations (old linux, new glibc and vice-versa)
will result in a crash.
To make it portable you have to test O_CLOEXEC support at *runtime*
compile time is not enough.
Index: curl-7.79.0/lib/file.c
===================================================================
--- curl-7.79.0.orig/lib/file.c
+++ curl-7.79.0/lib/file.c
@@ -194,7 +194,7 @@ static CURLcode file_connect(struct Curl
return CURLE_URL_MALFORMAT;
}
- fd = open_readonly(real_path, O_RDONLY);
+ fd = open_readonly(real_path, O_RDONLY|O_CLOEXEC);
file->path = real_path;
#endif
file->freepath = real_path; /* free this when done */
@@ -278,7 +278,7 @@ static CURLcode file_upload(struct Curl_
else
mode = MODE_DEFAULT|O_TRUNC;
- fd = open(file->path, mode, data->set.new_file_perms);
+ fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
if(fd < 0) {
failf(data, "Can't open %s for writing", file->path);
return CURLE_WRITE_ERROR;
Index: curl-7.79.0/lib/if2ip.c
===================================================================
--- curl-7.79.0.orig/lib/if2ip.c
+++ curl-7.79.0/lib/if2ip.c
@@ -202,7 +202,7 @@ if2ip_result_t Curl_if2ip(int af, unsign
if(len >= sizeof(req.ifr_name))
return IF2IP_NOT_FOUND;
- dummy = socket(AF_INET, SOCK_STREAM, 0);
+ dummy = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0);
if(CURL_SOCKET_BAD == dummy)
return IF2IP_NOT_FOUND;
Index: curl-7.79.0/lib/connect.c
===================================================================
--- curl-7.79.0.orig/lib/connect.c
+++ curl-7.79.0/lib/connect.c
@@ -1598,7 +1598,9 @@ CURLcode Curl_socket(struct Curl_easy *d
}
else
/* opensocket callback not set, so simply create the socket now */
- *sockfd = socket(addr->family, addr->socktype, addr->protocol);
+ *sockfd = socket(addr->family,
+ addr->socktype|SOCK_CLOEXEC,
+ addr->protocol);
if(*sockfd == CURL_SOCKET_BAD)
/* no socket, no connection */
Index: curl-7.79.0/configure.ac
===================================================================
--- curl-7.79.0.orig/configure.ac
+++ curl-7.79.0/configure.ac
@@ -297,6 +297,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
# Silence warning: ar: 'u' modifier ignored since 'D' is the default
AC_SUBST(AR_FLAGS, [cr])
+AC_USE_SYSTEM_EXTENSIONS
+
dnl This defines _ALL_SOURCE for AIX
CURL_CHECK_AIX_ALL_SOURCE
Index: curl-7.79.0/lib/hostip.c
===================================================================
--- curl-7.79.0.orig/lib/hostip.c
+++ curl-7.79.0/lib/hostip.c
@@ -49,7 +49,7 @@
#ifdef HAVE_PROCESS_H
#include <process.h>
#endif
-
+#include <fcntl.h>
#include "urldata.h"
#include "sendf.h"
#include "hostip.h"
@@ -549,7 +549,7 @@ bool Curl_ipv6works(struct Curl_easy *da
else {
int ipv6_works = -1;
/* probe to see if we have a working IPv6 stack */
- curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0);
+ curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
if(s == CURL_SOCKET_BAD)
/* an IPv6 address was requested but we can't get/use one */
ipv6_works = 0;
Reference in New Issue View Git Blame Copy Permalink