This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch branch-1.18.x
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/branch-1.18.x by this push:
new 60c286913 [thirdparty] update curl up to 8.11.1 version
60c286913 is described below
commit 60c286913fdae7cb4694ecd453d2ff6fd20bbb66
Author: Alexey Serbin <[email protected]>
AuthorDate: Wed Dec 11 17:55:55 2024 -0800
[thirdparty] update curl up to 8.11.1 version
A couple of minor security vulnerabilities [1][2] and a bunch of other
bugs [3][4][5] have been fixed in curl 8.11.1 since 8.10.1.
[1] https://curl.se/docs/CVE-2024-11053.html
[2] https://curl.se/docs/CVE-2024-9681.html
[3] https://curl.se/ch/8.11.0.html
[4] https://curl.se/ch/8.11.1.html
[5] https://curl.se/docs/releases.html
Change-Id: I84694c85bdf0987f2084787b6e7691a1d056d523
Reviewed-on: http://gerrit.cloudera.org:8080/22202
Tested-by: Alexey Serbin <[email protected]>
Reviewed-by: Abhishek Chennaka <[email protected]>
(cherry picked from commit baa1e95848de59ef48f825b8b60a80b212f516d1)
Reviewed-on: http://gerrit.cloudera.org:8080/22207
Tested-by: Kudu Jenkins
---
thirdparty/build-definitions.sh | 2 ++
thirdparty/download-thirdparty.sh | 3 +-
.../patches/curl-custom-openssl-library.patch | 12 ++++----
thirdparty/patches/curl-eventfd-double-close.patch | 31 ++++++++++++++++++++
.../patches/curl-handle-openssl-errors.patch | 33 +++++++++++++---------
thirdparty/vars.sh | 2 +-
6 files changed, 62 insertions(+), 21 deletions(-)
diff --git a/thirdparty/build-definitions.sh b/thirdparty/build-definitions.sh
index 42522648d..000a3444f 100644
--- a/thirdparty/build-definitions.sh
+++ b/thirdparty/build-definitions.sh
@@ -773,6 +773,7 @@ build_curl() {
--disable-httpsrr \
--disable-gopher \
--disable-imap \
+ --disable-ipfs \
--disable-ipv6 \
--disable-ldap \
--disable-ldaps \
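Review bot: An autoconf-generated configure script only warns about an unrecognized `--disable-*` option unless option checking is made fatal, so if a flag such as `--disable-ipfs` here or `--disable-websockets` in the next hunk is ever renamed upstream, that protocol would be compiled back in without the build failing. Passing `--enable-option-checking=fatal` as the first argument of the configure invocation turns the warning into an error and keeps the intentionally minimal protocol set in force across future curl bumps. The configure command line and the enclosing `build_curl()` function both start and end outside this hunk.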
@@ -788,6 +789,7 @@ build_curl() {
--disable-smtp \
--disable-telnet \
--disable-tftp \
+ --disable-websockets \
--without-apple-idn \
--without-brotli \
--without-libidn2 \
diff --git a/thirdparty/download-thirdparty.sh
b/thirdparty/download-thirdparty.sh
index c90a93146..74d356d88 100755
--- a/thirdparty/download-thirdparty.sh
+++ b/thirdparty/download-thirdparty.sh
@@ -302,13 +302,14 @@ fetch_and_patch \
$GCOVR_SOURCE \
$GCOVR_PATCHLEVEL
-CURL_PATCHLEVEL=2
+CURL_PATCHLEVEL=3
fetch_and_patch \
curl-${CURL_VERSION}.tar.gz \
$CURL_SOURCE \
$CURL_PATCHLEVEL \
"patch -p1 < $TP_DIR/patches/curl-custom-openssl-library.patch" \
"patch -p1 < $TP_DIR/patches/curl-handle-openssl-errors.patch" \
+ "patch -p1 < $TP_DIR/patches/curl-eventfd-double-close.patch" \
"autoreconf -fvi"
CRCUTIL_PATCHLEVEL=0
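Review bot: The new `curl-eventfd-double-close.patch` carries an upstream curl commit dated one day after the 8.11.1 release (see the header of the new patch file), so it will presumably be part of the next curl version and should be dropped rather than carried forward, but nothing in this script records that. A one-line comment above the `fetch_and_patch` call would save the next upgrader a search, e.g. `# curl-eventfd-double-close.patch is upstream curl commit ff5091aa9 (merged after 8.11.1); drop it at the next curl bump.`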
diff --git a/thirdparty/patches/curl-custom-openssl-library.patch
b/thirdparty/patches/curl-custom-openssl-library.patch
index 082b8680f..f293f18f1 100644
--- a/thirdparty/patches/curl-custom-openssl-library.patch
+++ b/thirdparty/patches/curl-custom-openssl-library.patch
@@ -1,14 +1,13 @@
-diff --git a/m4/curl-openssl.m4 b/m4/curl-openssl.m4
-index a4811d2a3..a465ffacb 100644
---- a/m4/curl-openssl.m4
-+++ b/m4/curl-openssl.m4
-@@ -136,9 +136,13 @@ if test "x$OPT_OPENSSL" != xno; then
+--- a/m4/curl-openssl.m4 2024-12-11 18:13:35
++++ b/m4/curl-openssl.m4 2024-12-11 18:15:27
+@@ -137,10 +137,14 @@
fi
fi
- dnl finally, set flags to use SSL
- CPPFLAGS="$CPPFLAGS $SSL_CPPFLAGS"
- LDFLAGS="$LDFLAGS $SSL_LDFLAGS"
+- LDFLAGSPC="$LDFLAGSPC $SSL_LDFLAGS"
+ dnl Finally, set flags to use SSL.
+ dnl If another version of OpenSSL library is present under the 'standard'
+ dnl system paths, it's necessary to pick up the header and binary files
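Review bot: The regenerated header `+--- a/m4/curl-openssl.m4 2024-12-11 18:13:35` / `++++ b/m4/curl-openssl.m4 2024-12-11 18:15:27` replaces the previous git-style `diff --git`/`index` lines with a plain diff carrying local timestamps and a `@@` header with no function context, while the sibling `curl-handle-openssl-errors.patch` updated in this same commit keeps the git-style format. Both apply with `patch -p1`, but the mixed formats make it harder to tell which curl tree each patch was produced against; regenerating this one with `git diff` would keep the two consistent. The `LDFLAGSPC` reordering in the second hunk mirrors the existing `CPPFLAGS`/`LDFLAGS` prepend and looks correct.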
@@ -16,6 +15,7 @@ index a4811d2a3..a465ffacb 100644
+ dnl for both the preprocessor and the linker.
+ CPPFLAGS="$SSL_CPPFLAGS $CPPFLAGS"
+ LDFLAGS="$SSL_LDFLAGS $LDFLAGS"
++ LDFLAGSPC="$SSL_LDFLAGS $LDFLAGSPC"
AC_CHECK_LIB(crypto, HMAC_Update,[
- HAVECRYPTO="yes"
+ HAVECRYPTO="yes"
diff --git a/thirdparty/patches/curl-eventfd-double-close.patch
b/thirdparty/patches/curl-eventfd-double-close.patch
new file mode 100644
index 000000000..e274db643
--- /dev/null
+++ b/thirdparty/patches/curl-eventfd-double-close.patch
@@ -0,0 +1,31 @@
+commit ff5091aa9f73802e894b1cbdf24ab84e103200e2
+Author: Andy Pan <[email protected]>
+Date: Thu Dec 12 12:48:56 2024 +0000
+
+ async-thread: avoid closing eventfd twice
+
+ When employing eventfd for socketpair, there is only one file
+ descriptor. Closing that fd twice might result in fd corruption.
+ Thus, we should avoid closing the eventfd twice, following the
+ pattern in lib/multi.c.
+
+ Fixes #15725
+ Closes #15727
+ Reported-by: Christian Heusel
+
+diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
+index a58e4b790..32d496b10 100644
+--- a/lib/asyn-thread.c
++++ b/lib/asyn-thread.c
+@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data
*tsd)
+ * close one end of the socket pair (may be done in resolver thread);
+ * the other end (for reading) is always closed in the parent thread.
+ */
++#ifndef USE_EVENTFD
+ if(tsd->sock_pair[1] != CURL_SOCKET_BAD) {
+ wakeup_close(tsd->sock_pair[1]);
+ }
++#endif
+ #endif
+ memset(tsd, 0, sizeof(*tsd));
+ }
diff --git a/thirdparty/patches/curl-handle-openssl-errors.patch
b/thirdparty/patches/curl-handle-openssl-errors.patch
index 9d9e4aed2..ecf6f333e 100644
--- a/thirdparty/patches/curl-handle-openssl-errors.patch
+++ b/thirdparty/patches/curl-handle-openssl-errors.patch
@@ -1,8 +1,14 @@
+commit 82ae546ef4dc7a5ff9e823f91d1c2ebfa16b9f32
+Author: Alexey Serbin <[email protected]>
+Date: Wed Dec 11 18:55:02 2024 -0800
+
+ openssl: more robust error handling for edge cases
+
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 9f9c8d136..446d54bcd 100644
+index 1b0e8dd5f..37ac97ccb 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
-@@ -954,6 +954,19 @@ static char *ossl_strerror(unsigned long error, char
*buf, size_t size)
+@@ -995,6 +995,19 @@ static char *ossl_strerror(unsigned long error, char
*buf, size_t size)
return buf;
}
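Review bot: The new pseudo-commit header gives only the one-line summary `openssl: more robust error handling for edge cases`, and the commit id `82ae546ef4dc…` it cites does not appear to be resolvable from this tree. Since this patch looks Kudu-local rather than an upstream backport, a short description of what it does — appending `ossl_strerror()` output to several `failf()` messages (the private-key case is visible in a later hunk) and calling `ERR_clear_error()` after a failed TLS connect — plus a pointer to the Gerrit change that introduced it would make the header self-explanatory for the next person rebasing it.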
@@ -22,7 +28,7 @@ index 9f9c8d136..446d54bcd 100644
static int passwd_callback(char *buf, int num, int encrypting,
void *global_passwd)
{
-@@ -1456,14 +1469,17 @@ int cert_stuff(struct Curl_easy *data,
+@@ -1484,14 +1497,17 @@ int cert_stuff(struct Curl_easy *data,
}
if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
@@ -44,12 +50,13 @@ index 9f9c8d136..446d54bcd 100644
goto fail;
}
/* Set Certificate Verification chain */
-@@ -1521,8 +1537,10 @@ fail:
- SSL_CTX_use_PrivateKey_blob(ctx, key_blob, file_type, key_passwd) :
+@@ -1549,9 +1565,10 @@ fail:
+ use_privatekey_blob(ctx, key_blob, file_type, key_passwd) :
SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type);
if(cert_use_result != 1) {
- failf(data, "unable to set private key file: '%s' type %s",
-- key_file?key_file:"(memory blob)", key_type?key_type:"PEM");
+- key_file ? key_file : "(memory blob)",
+- key_type ? key_type : "PEM");
+ failf(data, "unable to set private key file: '%s' type %s: %s",
+ key_file, key_type ? key_type : "PEM",
+ ossl_strerror(ERR_get_error(), error_buffer,
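Review bot: The patched `failf()` call passes `key_file` unguarded for the first `%s` (`key_file, key_type ? key_type : "PEM",`), whereas the upstream lines it replaces use `key_file ? key_file : "(memory blob)"`; in the `use_privatekey_blob` branch of the `cert_use_result` ternary just above, `key_file` is presumably NULL. curl's own formatter may print a placeholder for a NULL string, but the message then loses the hint that the key came from memory, so `key_file ? key_file : "(memory blob)", key_type ? key_type : "PEM",` would preserve upstream's behaviour. This is carried over from the previous version of the patch rather than introduced here, and the `ossl_strerror(...)` call continues past the end of the hunk.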
@@ -57,7 +64,7 @@ index 9f9c8d136..446d54bcd 100644
return 0;
}
break;
-@@ -1562,7 +1580,9 @@ fail:
+@@ -1591,7 +1608,9 @@ fail:
return 0;
}
if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
@@ -68,7 +75,7 @@ index 9f9c8d136..446d54bcd 100644
EVP_PKEY_free(priv_key);
return 0;
}
-@@ -1635,7 +1655,9 @@ fail:
+@@ -1664,7 +1683,9 @@ fail:
/* Now we know that a key and cert have been set against
* the SSL context */
if(!SSL_CTX_check_private_key(ctx)) {
@@ -79,7 +86,7 @@ index 9f9c8d136..446d54bcd 100644
return 0;
}
}
-@@ -3234,17 +3256,19 @@ static CURLcode populate_x509_store(struct
Curl_cfilter *cf,
+@@ -3222,17 +3243,19 @@ static CURLcode populate_x509_store(struct
Curl_cfilter *cf,
/* tell OpenSSL where to find CA certificates that are used to verify
the
server's certificate. */
if(!X509_STORE_load_locations(store, ssl_cafile, ssl_capath)) {
@@ -103,7 +110,7 @@ index 9f9c8d136..446d54bcd 100644
}
}
#endif
-@@ -3268,7 +3292,9 @@ static CURLcode populate_x509_store(struct Curl_cfilter
*cf,
+@@ -3256,7 +3279,9 @@ static CURLcode populate_x509_store(struct Curl_cfilter
*cf,
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if(!lookup ||
(!X509_load_crl_file(lookup, ssl_crlfile, X509_FILETYPE_PEM)) ) {
@@ -114,9 +121,9 @@ index 9f9c8d136..446d54bcd 100644
return CURLE_SSL_CRL_BADFILE;
}
/* Everything is fine. */
-@@ -3960,6 +3986,8 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter
*cf,
- result = CURLE_SSL_CONNECT_ERROR;
- ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
+@@ -4251,6 +4276,8 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter
*cf,
+ failf(data, "TLS connect error: %s",
+ ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)));
}
+ // Clear the rest of the errors as well.
+ ERR_clear_error();
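Review bot: The comment the patch adds on the line before `ERR_clear_error();` uses `//` syntax (`// Clear the rest of the errors as well.`), while `lib/vtls/openssl.c` and, to my knowledge, curl's own style checker use `/* ... */` comments only. It compiles, but since the hunk is being regenerated against 8.11.1 anyway, changing it to `/* Clear the rest of the errors as well. */` avoids a needless style divergence from the surrounding file. The enclosing `ossl_connect_step2()` and the `if` block this call follows both start outside the hunk.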
diff --git a/thirdparty/vars.sh b/thirdparty/vars.sh
index a086a0f4f..0261fa99a 100644
--- a/thirdparty/vars.sh
+++ b/thirdparty/vars.sh
@@ -122,7 +122,7 @@ GCOVR_VERSION=3.0
GCOVR_NAME=gcovr-$GCOVR_VERSION
GCOVR_SOURCE=$TP_SOURCE_DIR/$GCOVR_NAME
-CURL_VERSION=8.10.1
+CURL_VERSION=8.11.1
CURL_NAME=curl-$CURL_VERSION
CURL_SOURCE=$TP_SOURCE_DIR/$CURL_NAME