commit: 1c3ddb715a8fef34061123bf33389dad977c5636 Author: Matt Jolly <kangie <AT> gentoo <DOT> org> AuthorDate: Thu Dec 12 21:19:01 2024 +0000 Commit: Matt Jolly <kangie <AT> gentoo <DOT> org> CommitDate: Thu Dec 12 21:26:29 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c3ddb71
net-misc/curl: add 8.11.1-r1 This revbump includes a patch to fix a crash that can be triggered by closing a fd twice. Signed-off-by: Matt Jolly <kangie <AT> gentoo.org> net-misc/curl/curl-8.11.1-r1.ebuild | 384 +++++++++++++++++++++ .../curl-8.11.1-async-thread-close-eventfd.patch | 33 ++ 2 files changed, 417 insertions(+) diff --git a/net-misc/curl/curl-8.11.1-r1.ebuild b/net-misc/curl/curl-8.11.1-r1.ebuild new file mode 100644 index 000000000000..ddd74bc97377 --- /dev/null +++ b/net-misc/curl/curl-8.11.1-r1.ebuild @@ -0,0 +1,384 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Maintainers should subscribe to the 'curl-distros' ML for backports etc +# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/ +# https://lists.haxx.se/listinfo/curl-distros + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc +inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig + +DESCRIPTION="A Client that groks URLs" +HOMEPAGE="https://curl.se/"; + +if [[ ${PV} == 9999 ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/curl/curl.git"; +else + SRC_URI=" + https://curl.se/download/${P}.tar.xz + verify-sig? ( https://curl.se/download/${P}.tar.xz.asc ) + " + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +fi + +LICENSE="BSD curl ISC test? ( BSD-4 )" +SLOT="0" +IUSE="+adns +alt-svc brotli debug +ftp gnutls gopher +hsts +http2 +http3 idn +imap kerberos ldap mbedtls +openssl +pop3" +IUSE+=" +psl +progress-meter +quic rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp +websockets zstd" +# These select the default tls implementation / which quic impl to use +IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls" +RESTRICT="!test? ( test )" + +# Only one default ssl / quic provider can be enabled +# The default provider needs its USE satisfied +# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day. +# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e +REQUIRED_USE=" + quic? ( + ^^ ( + curl_quic_openssl + curl_quic_ngtcp2 + ) + http3 + ssl + ) + ssl? ( + ^^ ( + curl_ssl_gnutls + curl_ssl_mbedtls + curl_ssl_openssl + curl_ssl_rustls + ) + ) + curl_quic_openssl? ( + curl_ssl_openssl + quic + !gnutls + !mbedtls + !rustls + ) + curl_quic_ngtcp2? ( + curl_ssl_gnutls + quic + !mbedtls + !openssl + !rustls + ) + curl_ssl_gnutls? ( gnutls ) + curl_ssl_mbedtls? ( mbedtls ) + curl_ssl_openssl? ( openssl ) + curl_ssl_rustls? ( rustls ) + http3? ( alt-svc quic ) +" + +# cURL's docs and CI/CD are great resources for confirming supported versions +# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.: +# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions) +# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly) +# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2) +# However 'supported' vs 'works' are two entirely different things; be sane but +# don't be afraid to require a later version. +# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time. +RDEPEND=" + >=sys-libs/zlib-1.1.4[${MULTILIB_USEDEP}] + adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] ) + brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) + http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] ) + http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] ) + idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) + kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) + ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) + psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] ) + quic? ( + curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] ) + curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] ) + ) + rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) + ssh? ( >=net-libs/libssh2-1.0.0[${MULTILIB_USEDEP}] ) + ssl? ( + gnutls? ( + app-misc/ca-certificates + >=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}] + dev-libs/nettle:=[${MULTILIB_USEDEP}] + ) + mbedtls? ( + app-misc/ca-certificates + net-libs/mbedtls:=[${MULTILIB_USEDEP}] + ) + openssl? ( + >=dev-libs/openssl-0.9.7:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] + ) + rustls? ( + >=net-libs/rustls-ffi-0.14.0:=[${MULTILIB_USEDEP}] + ) + ) + zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) +" + +DEPEND="${RDEPEND}" + +BDEPEND=" + dev-lang/perl + virtual/pkgconfig + test? ( + sys-apps/diffutils + http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] ) + http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) + ) + verify-sig? ( sec-keys/openpgp-keys-danielstenberg ) +" + +DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/curl/curlbuild.h +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/curl-config +) + +QA_CONFIG_IMPL_DECL_SKIP=( + __builtin_available + closesocket + CloseSocket + getpass_r + ioctlsocket + IoctlSocket + mach_absolute_time + setmode + _fseeki64 + # custom AC_LINK_IFELSE code fails to link even without -Werror + OSSL_QUIC_client_method +) + +PATCHES=( + "${FILESDIR}/${PN}-prefix-3.patch" + "${FILESDIR}/${PN}-respect-cflags-3.patch" + "${FILESDIR}/${P}-async-thread-close-eventfd.patch" +) + +src_prepare() { + default + + eprefixify curl-config.in + eautoreconf +} + +multilib_src_configure() { + # We make use of the fact that later flags override earlier ones + # So start with all ssl providers off until proven otherwise + # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) + local myconf=() + + myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) + if use ssl; then + myconf+=( --without-gnutls --without-mbedtls --without-rustls ) + + if use gnutls; then + multilib_is_native_abi && einfo "SSL provided by gnutls" + myconf+=( --with-gnutls ) + fi + if use mbedtls; then + multilib_is_native_abi && einfo "SSL provided by mbedtls" + myconf+=( --with-mbedtls ) + fi + if use openssl; then + multilib_is_native_abi && einfo "SSL provided by openssl" + myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) + fi + if use rustls; then + multilib_is_native_abi && einfo "SSL provided by rustls" + myconf+=( --with-rustls ) + fi + if use curl_ssl_gnutls; then + multilib_is_native_abi && einfo "Default SSL provided by gnutls" + myconf+=( --with-default-ssl-backend=gnutls ) + elif use curl_ssl_mbedtls; then + multilib_is_native_abi && einfo "Default SSL provided by mbedtls" + myconf+=( --with-default-ssl-backend=mbedtls ) + elif use curl_ssl_openssl; then + multilib_is_native_abi && einfo "Default SSL provided by openssl" + myconf+=( --with-default-ssl-backend=openssl ) + elif use curl_ssl_rustls; then + multilib_is_native_abi && einfo "Default SSL provided by rustls" + myconf+=( --with-default-ssl-backend=rustls ) + else + eerror "We can't be here because of REQUIRED_USE." + die "Please file a bug, hit impossible condition w/ USE=ssl handling." + fi + + else + myconf+=( --without-ssl ) + einfo "SSL disabled" + fi + + # These configuration options are organized alphabetically + # within each category. This should make it easier if we + # ever decide to make any of them contingent on USE flags: + # 1) protocols first. To see them all do + # 'grep SUPPORT_PROTOCOLS configure.ac' + # 2) --enable/disable options second. + # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort + # 3) --with/without options third. + # grep -- --with configure | grep Check | awk '{ print $4 }' | sort + + myconf+=( + $(use_enable alt-svc) + --enable-basic-auth + --enable-bearer-auth + --enable-digest-auth + --enable-kerberos-auth + --enable-negotiate-auth + --enable-aws + --enable-dict + --disable-ech + --enable-file + $(use_enable ftp) + $(use_enable gopher) + $(use_enable hsts) + --enable-http + $(use_enable imap) + $(use_enable ldap) + $(use_enable ldap ldaps) + --enable-ntlm + $(use_enable pop3) + --enable-rt + --enable-rtsp + $(use_enable samba smb) + $(use_with ssh libssh2) + $(use_enable smtp) + $(use_enable telnet) + $(use_enable tftp) + --enable-tls-srp + $(use_enable adns ares) + --enable-cookies + --enable-dateparse + --enable-dnsshuffle + --enable-doh + --enable-symbol-hiding + --enable-http-auth + --enable-ipv6 + --enable-largefile + --enable-manual + --enable-mime + --enable-netrc + $(use_enable progress-meter) + --enable-proxy + --enable-socketpair + --disable-sspi + $(use_enable static-libs static) + --enable-pthreads + --enable-threaded-resolver + --disable-versioned-symbols + --without-amissl + --without-bearssl + $(use_with brotli) + --with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d + $(use_with http2 nghttp2) + --without-hyper + $(use_with idn libidn2) + $(use_with kerberos gssapi "${EPREFIX}"/usr) + --without-libgsasl + $(use_with psl libpsl) + --without-msh3 + $(use_with http3 nghttp3) + $(use_with curl_quic_ngtcp2 ngtcp2) + $(use_with curl_quic_openssl openssl-quic) + --without-quiche + $(use_with rtmp librtmp) + --without-schannel + --without-secure-transport + --without-test-caddy + --without-test-httpd + --without-test-nghttpx + $(use_enable websockets) + --without-winidn + --without-wolfssl + --with-zlib + $(use_with zstd) + --with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions + ) + + if use debug; then + myconf+=( + --enable-debug + ) + fi + + if use test && multilib_is_native_abi && ( use http2 || use http3 ); then + myconf+=( + --with-test-nghttpx="${BROOT}/usr/bin/nghttpx" + ) + fi + + if [[ ${CHOST} == *mingw* ]] ; then + myconf+=( + --disable-pthreads + ) + fi + + ECONF_SOURCE="${S}" econf "${myconf[@]}" + + if ! multilib_is_native_abi; then + # Avoid building the client (we just want libcurl for multilib) + sed -i -e '/SUBDIRS/s:src::' Makefile || die + sed -i -e '/SUBDIRS/s:scripts::' Makefile || die + fi + +} + +multilib_src_compile() { + default + + if multilib_is_native_abi; then + # Shell completions + ! tc-is-cross-compiler && emake -C scripts + fi +} + +# There is also a pytest harness that tests for bugs in some very specific +# situations; we can rely on upstream for this rather than adding additional test deps. +multilib_src_test() { + # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721 + # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches) + # -v: verbose + # -a: keep going on failure (so we see everything that breaks, not just 1st test) + # -k: keep test files after completion + # -am: automake style TAP output + # -p: print logs if test fails + # Note: if needed, we can skip specific tests. See e.g. Fedora's packaging + # or just read https://github.com/curl/curl/tree/master/tests#run. + # Note: we don't run the testsuite for cross-compilation. + # Upstream recommend 7*nproc as a starting point for parallel tests, but + # this ends up breaking when nproc is huge (like -j80). + # The network sandbox causes tests 241 and 1083 to fail; these are typically skipped + # as most gentoo users don't have an 'ip6-localhost' + multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083" +} + +multilib_src_install() { + emake DESTDIR="${D}" install + + if multilib_is_native_abi; then + # Shell completions + ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install + fi +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + rm -rf "${ED}"/etc/ || die +} + +pkg_postinst() { + if use debug; then + ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose." + ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger." + ewarn "hic sunt dracones; you have been warned." + fi +} diff --git a/net-misc/curl/files/curl-8.11.1-async-thread-close-eventfd.patch b/net-misc/curl/files/curl-8.11.1-async-thread-close-eventfd.patch new file mode 100644 index 000000000000..2bdfc51838d7 --- /dev/null +++ b/net-misc/curl/files/curl-8.11.1-async-thread-close-eventfd.patch @@ -0,0 +1,33 @@ +https://github.com/curl/curl/commit/ff5091aa9f73802e894b1cbdf24ab84e103200e2 +From: Andy Pan <[email protected]> +Date: Thu, 12 Dec 2024 12:48:56 +0000 +Subject: [PATCH] async-thread: avoid closing eventfd twice + +When employing eventfd for socketpair, there is only one file +descriptor. Closing that fd twice might result in fd corruption. +Thus, we should avoid closing the eventfd twice, following the +pattern in lib/multi.c. + +Fixes #15725 +Closes #15727 +Reported-by: Christian Heusel +--- + lib/asyn-thread.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c +index a58e4b790494ab..32d496b107cb0a 100644 +--- a/lib/asyn-thread.c ++++ b/lib/asyn-thread.c +@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) + * close one end of the socket pair (may be done in resolver thread); + * the other end (for reading) is always closed in the parent thread. + */ ++#ifndef USE_EVENTFD + if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { + wakeup_close(tsd->sock_pair[1]); + } ++#endif + #endif + memset(tsd, 0, sizeof(*tsd)); + }
