SHA256
1
0
forked from pool/curl
curl/libcurl-ocloexec.patch
Pedro Monreal Gonzalez 4a9f41fa87 Accepting request 1073050 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.0.0:
  * Security fixes:
    - TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
    - SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
    - FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
    - GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
    - HSTS double-free [bsc#1209213, CVE-2023-27537]
    - SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
  * Changes:
    - build: remove support for curl_off_t < 8 bytes 
  * Bugfixes:
    - aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
    - BINDINGS: add Fortran binding
    - cf-socket: use port 80 when resolving name for local bind
    - cookie: don't load cookies again when flushing
    - curl_path: create the new path with dynbuf
    - CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
    - DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
    - ftp: active mode with SSL, add the filter
    - hostip: avoid sscanf and extra buffer copies
    - http2: fix for http2-prior-knowledge when reusing connections
    - http2: fix handling of RST and GOAWAY to recognize partial transfers
    - http: don't send 100-continue for short PUT requests
    - http: fix unix domain socket use in https connects
    - libssh: use dynbuf instead of realloc
    - ngtcp2-gnutls.yml: bump to gnutls 3.8.0
    - sectransp: make read_cert() use a dynbuf when loading
    - telnet: only accept option arguments in ascii
    - telnet: parse telnet options without sscanf
    - url: fix the SSH connection reuse check

OBS-URL: https://build.opensuse.org/request/show/1073050
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=330
2023-03-20 08:30:14 +00:00

94 lines
3.0 KiB
Diff

Open library file descriptors with O_CLOEXEC
This patch is non-portable, it needs linux 2.6.23 and glibc 2.7
or later, different combinations (old linux, new glibc and vice-versa)
will result in a crash.
To make it portable you have to test O_CLOEXEC support at *runtime*
compile time is not enough.
Index: curl-8.0.0/lib/file.c
===================================================================
--- curl-8.0.0.orig/lib/file.c
+++ curl-8.0.0/lib/file.c
@@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl
}
}
#else
- fd = open_readonly(real_path, O_RDONLY);
+ fd = open_readonly(real_path, O_RDONLY|O_CLOEXEC);
file->path = real_path;
#endif
#endif
@@ -318,7 +318,7 @@ static CURLcode file_upload(struct Curl_
else
mode = MODE_DEFAULT|O_TRUNC;
- fd = open(file->path, mode, data->set.new_file_perms);
+ fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
if(fd < 0) {
failf(data, "Can't open %s for writing", file->path);
return CURLE_WRITE_ERROR;
Index: curl-8.0.0/lib/if2ip.c
===================================================================
--- curl-8.0.0.orig/lib/if2ip.c
+++ curl-8.0.0/lib/if2ip.c
@@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af,
if(len >= sizeof(req.ifr_name))
return IF2IP_NOT_FOUND;
- dummy = socket(AF_INET, SOCK_STREAM, 0);
+ dummy = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0);
if(CURL_SOCKET_BAD == dummy)
return IF2IP_NOT_FOUND;
Index: curl-8.0.0/configure.ac
===================================================================
--- curl-8.0.0.orig/configure.ac
+++ curl-8.0.0/configure.ac
@@ -420,6 +420,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
# Silence warning: ar: 'u' modifier ignored since 'D' is the default
AC_SUBST(AR_FLAGS, [cr])
+AC_USE_SYSTEM_EXTENSIONS
+
dnl This defines _ALL_SOURCE for AIX
CURL_CHECK_AIX_ALL_SOURCE
Index: curl-8.0.0/lib/hostip.c
===================================================================
--- curl-8.0.0.orig/lib/hostip.c
+++ curl-8.0.0/lib/hostip.c
@@ -48,6 +48,7 @@
#include <signal.h>
#endif
+#include <fcntl.h>
#include "urldata.h"
#include "sendf.h"
#include "hostip.h"
@@ -582,7 +583,7 @@ bool Curl_ipv6works(struct Curl_easy *da
else {
int ipv6_works = -1;
/* probe to see if we have a working IPv6 stack */
- curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0);
+ curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
if(s == CURL_SOCKET_BAD)
/* an IPv6 address was requested but we can't get/use one */
ipv6_works = 0;
Index: curl-8.0.0/lib/cf-socket.c
===================================================================
--- curl-8.0.0.orig/lib/cf-socket.c
+++ curl-8.0.0/lib/cf-socket.c
@@ -252,7 +252,9 @@ static CURLcode socket_open(struct Curl_
}
else {
/* opensocket callback not set, so simply create the socket now */
- *sockfd = socket(addr->family, addr->socktype, addr->protocol);
+ *sockfd = socket(addr->family,
+ addr->socktype|SOCK_CLOEXEC,
+ addr->protocol);
}
if(*sockfd == CURL_SOCKET_BAD)