Fix two CVEs.

OBS-URL: https://build.opensuse.org/request/show/1294248
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libmicrohttpd?expand=0&rev=48

libmicrohttpd-1.0.1-curl-8.13.0.patch

@@ -0,0 +1,63 @@
+From 036f8fdec2802e48e2555b2caf381bb1c565ab82 Mon Sep 17 00:00:00 2001
+From: "Evgeny Grin (Karlson2k)" <k2k@narod.ru>
+Date: Fri, 11 Apr 2025 20:13:48 +0300
+Subject: test_tricky.c: applied a minimal fix for the libcurl >= 8.13.0
+
+---
+ src/testcurl/test_tricky.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/src/testcurl/test_tricky.c b/src/testcurl/test_tricky.c
+index 8cb53a80..bcbcf1ce 100644
+--- a/src/testcurl/test_tricky.c
++++ b/src/testcurl/test_tricky.c
+@@ -452,6 +452,11 @@ struct curlQueryParams
+   CURLU *url;
+ #endif /* CURL_AT_LEAST_VERSION(7, 62, 0) */
+ 
++#if CURL_AT_LEAST_VERSION (7, 55, 0)
++  /* A string used as the request target directly, without modifications */
++  const char *queryTarget;
++#endif /* CURL_AT_LEAST_VERSION(7, 55, 0) */
++
+   /* Custom query method, NULL for default */
+   const char *method;
+ 
+@@ -520,6 +525,16 @@ curlEasyInitForTest (struct curlQueryParams *p,
+       libcurlErrorExitDesc ("curl_easy_setopt() failed");
+   }
+ #endif /* CURL_AT_LEAST_VERSION(7, 62, 0) */
++
++#if CURL_AT_LEAST_VERSION (7, 55, 0)
++  if (NULL != p->queryTarget)
++  {
++    if (CURLE_OK != curl_easy_setopt (c, CURLOPT_REQUEST_TARGET,
++                                      p->queryTarget))
++      libcurlErrorExitDesc ("curl_easy_setopt() failed");
++  }
++#endif /* CURL_AT_LEAST_VERSION(7, 55, 0) */
++
+   return c;
+ }
+ 
+@@ -738,6 +753,9 @@ performTestQueries (struct MHD_Daemon *d, uint16_t d_port,
+   qParam.queryPort = d_port;
+   qParam.method = NULL;  /* Use libcurl default: GET */
+   qParam.queryPath = URL_SCHEME_HOST EXPECTED_URI_BASE_PATH;
++#if CURL_AT_LEAST_VERSION (7, 55, 0)
++  qParam.queryTarget = NULL;
++#endif /* CURL_AT_LEAST_VERSION(7, 55, 0) */
+ #if CURL_AT_LEAST_VERSION (7, 62, 0)
+   qParam.url = NULL;
+ #endif /* CURL_AT_LEAST_VERSION(7, 62, 0) */
+@@ -781,6 +799,7 @@ performTestQueries (struct MHD_Daemon *d, uint16_t d_port,
+       libcurlErrorExit ();
+ 
+     qParam.queryPath = NULL;
++    qParam.queryTarget = EXPECTED_URI_BASE_PATH_TRICKY;
+     uri_cb_param->uri = EXPECTED_URI_BASE_PATH_TRICKY;
+     ahc_param->rq_url = EXPECTED_URI_BASE_PATH_TRICKY;
+ 
+-- 
+cgit v1.2.3
+

libmicrohttpd.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Fri Nov 21 20:45:31 UTC 2025 - Martin Jungblut Schreiner <martin.schreiner@suse.com>
+
+- Fix for the following bugs:
+  * bsc#1253177 CVE-2025-59777
+  * bsc#1253178 CVE-2025-62689
+- Add patch:
+  * CVE-2025-59777.patch
+  * this same patch fixes both CVEs
+  * git commit ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b
+
+-------------------------------------------------------------------
+Fri Apr 11 18:04:05 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- fix build with curl 8.13.0 (boo#1241036)
+  add libmicrohttpd-1.0.1-curl-8.13.0.patch
+
 -------------------------------------------------------------------
 Sat Feb 24 18:15:45 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
 
@@ -30,7 +47,7 @@ Wed May 31 04:59:03 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de>
   * fix processing of folded headers in requests
   * fix functionality with blocking sockets
 - update upstream signing key
- 
+
 -------------------------------------------------------------------
 Tue Feb 28 21:20:34 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
 
@@ -98,7 +115,7 @@ Sat Jul  4 17:40:48 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>
 - libmicrohttpd 0.9.71:
   * Fix buffer overflow issue in URL parser [boo#1173718]
   * Fixed PostProcessor bug
-  * Documentation and example fixes  
+  * Documentation and example fixes
 
 -------------------------------------------------------------------
 Sun Feb  9 10:15:21 UTC 2020 - Martin Hauke <mardnh@gmx.de>
@@ -490,7 +507,7 @@ Sun May  3 10:26:32 UTC 2015 - astieger@suse.com
 
 - update to 0.9.41:
  * fix bugs relating to various threading modes
- * fix some HTTP 1.0 tests 
+ * fix some HTTP 1.0 tests
 
 -------------------------------------------------------------------
 Mon Apr 13 11:39:23 UTC 2015 - meissner@suse.com

libmicrohttpd.spec

@@ -3,7 +3,7 @@
 #
 # Copyright (c) 2023 SUSE LLC
 # Copyright (c) 2010,2011,2012  Stephan Kleine
-# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
+# Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,9 @@ URL:            https://www.gnu.org/software/libmicrohttpd/
 Source0:        https://ftp.gnu.org/gnu/libmicrohttpd/%{name}-%{version}.tar.gz
 Source1:        https://ftp.gnu.org/gnu/libmicrohttpd/%{name}-%{version}.tar.gz.sig
 Source2:        https://savannah.gnu.org/people/viewgpg.php?user_id=90068#/%{name}.keyring
+Patch0:         libmicrohttpd-1.0.1-curl-8.13.0.patch
+Patch1:         CVE-2025-59777.patch
+BuildRequires:  autoconf
 BuildRequires:  libtool
 BuildRequires:  makeinfo
 BuildRequires:  pkgconfig >= 0.9.0
@@ -89,6 +92,7 @@ Headers, pkg-config files, so link and other development files for %{name}
 %autosetup -p1
 
 %build
+autoreconf
 %configure \
   --enable-bauth \
   --enable-dauth \
@@ -98,8 +102,8 @@ Headers, pkg-config files, so link and other development files for %{name}
   --enable-https \
   --enable-curl \
   --disable-static \
-  --disable-examples
-
+  --disable-examples \
+  %{nil}
 %make_build
 
 %install