Hello community,

here is the log from the commit of package curl for openSUSE:Factory checked in at 2017-08-24 18:20:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/curl (Old)
 and /work/SRC/openSUSE:Factory/.curl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Thu Aug 24 18:20:44 2017 rev:125 rq:515970 version:7.55.0 Changes: -------- --- /work/SRC/openSUSE:Factory/curl/curl-mini.changes 2017-06-29 15:00:46.218722736 +0200 +++ /work/SRC/openSUSE:Factory/.curl.new/curl-mini.changes 2017-08-24 18:21:04.378161026 +0200 
@@ -1,0 +2,125 @@ +Thu Aug 10 11:08:46 UTC 2017 - pmonrealgonza...@suse.com + +- Upstream fix to build libcurl man3 pages + * Added patch curl-man3.patch + +------------------------------------------------------------------- +Thu Aug 10 10:53:23 UTC 2017 - pmonrealgonza...@suse.com + +- Disabled test1425 that fails in i586 architecture + * Added patch curl-disable-test1427-i586.patch + +------------------------------------------------------------------- +Wed Aug 9 09:34:25 UTC 2017 - pmonrealgonza...@suse.com + +- Update to 7.55.0 + Changes: + * curl: allow --header and --proxy-header read from file + * getinfo: provide sizes as curl_off_t + * curl: prevent binary output spewed to terminal + * curl: added --request-target + * curl: added --socks5-{basic,gssapi}: control socks5 auth + * libcurl: added CURLOPT_REQUEST_TARGET + * libcurl: added CURLOPT_SOCKS5_AUTH + Bugfixes: + * Security Fixes: + - glob: do not parse after a strtoul() overflow range + (CVE-2017-1000101, bsc#1051643) + - tftp: reject file name lengths that don't fit + (CVE-2017-1000100, bsc#1051644) + - file: output the correct buffer to the user + (CVE-2017-1000099, bsc#1051645) + * includes: remove curl/curlbuild.h and curl/curlrules.h + * dist: make the hugehelp.c not get regenerated unnecessarily + * timers: store internal time stamps as time_t instead of doubles + * progress: let "current speed" be UL + DL speeds combined + * http-proxy: do the HTTP CONNECT process entirely non-blocking + * lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV + * fuzz: bring oss-fuzz initial code converted to C89 + * configure: disable nghttp2 too if HTTP has been disabled + * mk-ca-bundle.pl: Check curl's exit code after certdata download + * test1148: verify the -# progressbar + * tests: stabilize test 2032 and 2033 + * HTTPS-Proxy: don't offer h2 for https proxy connections + * http-proxy: only attempt FTP over HTTP proxy + * curl-compilers.m4: enable vla warning for clang + * curl-compilers.m4: enable 
double-promotion warning + * curl-compilers.m4: enable missing-variable-declarations clang + warning + * curl-compilers.m4: enable comma clang warning + * CURLOPT_PREQUOTE: not supported for SFTP + * http2: fix OOM crash + * PIPELINING_SERVER_BL: cleanup the internal list use + * mkhelp.pl: fix script name in usage text + * lib1521: add curl_easy_getinfo calls to the test set + * travis: do the distcheck test build out-of-tree as well + * if2ip: fix compiler warning in ISO C90 mode + * lib: fix the djgpp build + * typecheck-gcc: add support for CURLINFO_OFF_T + * travis: enable typecheck-gcc warnings + * maketgz: switch to xz instead of lzma + * CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case + * curl/system.h: add check for XTENSA for 32bit gcc + * test1537: fixed memory leak on OOM + * test1521: fix compiler warnings + * curl: fix memory leak on test 1147 OOM + * libtest/make: generate lib1521.c dynamically at build-time + * curl_strequal.3: fix typo in SYNOPSIS + * progress: prevent resetting t_starttransfer + * openssl: improve fallback seed of PRNG with a time based hash + * http2: improved PING frame handling + * test1450: add simple testing for DICT + * make: build the docs subdir only from within src + * gtls: fix build when sizeof(long) < sizeof(void *) + * url: make the original string get used on subsequent transfers + * timeval.c: Use long long constant type for timeval assignment + * tool_sleep: typecast to avoid macos compiler warning + * travis.yml: use --enable-werror on debug builds + * test1451: add SMB support to the testbed + * configure: remove checks for 5 functions never used + * configure: try ldap/lber in reversed order first + * smb: fix build for djgpp/MSDOS + * travis: install nghttp2 on linux builds + * smb: add support for CURLOPT_FILETIME + * select.h: avoid macro redefinition harder + * runtests: support "threaded-resolver" as a feature + * test506: skip if threaded-resolver + * cmake: remove spurious "-l" from linker 
flags + * cmake: add CURL_WERROR for enabling "warning as errors" + * memdebug: don't setbuf() if the file open failed + * curl_easy_escape.3: mention the (lack of) encoding + * test1452: add telnet negotiation + * CURLOPT_POSTFIELDS.3: explain the 100-continue magic better + * cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC + * tests/valgrind.supp: supress OpenSSL false positive seen on + travis + * curl_setup_once: Remove ERRNO/SET_ERRNO macros + * rtspd: fix MSVC level 4 warning + * sockfilt: suppress conversion warning with explicit cast + * libtest: fix MSVC warning C4706 + * tests/server/resolve.c: fix deprecation warning + * nss: fix a possible use-after-free in SelectClientCert() + * checksrc: escape open brace in regex + * multi: mention integer overflow risk if using > 500 million + sockets + * timeval: struct curltime is a struct timeval replacement + * curl_rtmp: fix a compiler warning + * include.d: clarify that it concerns the response headers + * cmake: support make uninstall + * include.d: clarify --include is only for response headers + * libcurl: Stop using error codes defined under CURL_NO_OLDIES + * http: fix response code parser to avoid integer overflow + * configure: fix the check for IdnToUnicode + * multi: fix request timer management + * curl_threads: fix MSVC compiler warning + * cmake: set MSVC warning level to 4 + * netrc: skip lines starting with '#' + * FTP: skip unnecessary CWD when in nocwd mode + * gssapi: fix memory leak of output token in multi round context + * getparameter: avoid returning uninitialized 'usedarg' + * curl (debug build) easy_events: make event data static + * curl: detect and bail out early on parameter integer overflows + +- Removed patch curl-invalid-free.patch + +------------------------------------------------------------------- curl.changes: same change Old: ---- curl-7.54.1.tar.lzma curl-7.54.1.tar.lzma.asc curl-invalid-free.patch New: ---- curl-7.55.0.tar.gz curl-7.55.0.tar.gz.asc 
curl-disable-test1427-i586.patch curl-man3.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl-mini.spec ++++++ --- /var/tmp/diff_new_pack.pwd56e/_old 2017-08-24 18:21:08.769542705 +0200 +++ /var/tmp/diff_new_pack.pwd56e/_new 2017-08-24 18:21:08.777541578 +0200 @@ -32,20 +32,23 @@ %endif Name: curl-mini -Version: 7.54.1 +Version: 7.55.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl Group: Productivity/Networking/Web/Utilities Url: https://curl.haxx.se/ -Source: https://curl.haxx.se/download/curl-%{version}.tar.lzma -Source2: https://curl.haxx.se/download/curl-%{version}.tar.lzma.asc +Source: https://curl.haxx.se/download/curl-%{version}.tar.gz +Source2: https://curl.haxx.se/download/curl-%{version}.tar.gz.asc Source3: baselibs.conf Source4: https://daniel.haxx.se/mykey.asc#/curl.keyring Patch0: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.diff Patch2: curl-secure-getenv.patch -Patch3: curl-invalid-free.patch +# PATCH-FIX-OPENSUSE curl-disable-test1427-i586.patch - Disabled test1425 that fails in i586 architecture +Patch3: curl-disable-test1427-i586.patch +# PATCH-FIX-UPSTREAM curl-man3.patch - Fix to build libcurl man3 pages +Patch4: curl-man3.patch BuildRequires: libtool BuildRequires: pkgconfig %if !0%{?bootstrap} @@ -126,7 +129,8 @@ %patch0 %patch1 %patch2 -%patch3 -p1 +%patch3 -p1 -R +%patch4 -p1 %build # curl complains if macro definition is contained in CFLAGS ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.pwd56e/_old 2017-08-24 18:21:08.813536510 +0200 +++ /var/tmp/diff_new_pack.pwd56e/_new 2017-08-24 18:21:08.817535947 +0200 
@@ -30,20 +30,23 @@ %endif Name: curl -Version: 7.54.1 +Version: 7.55.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl Group: Productivity/Networking/Web/Utilities Url: https://curl.haxx.se/ -Source: https://curl.haxx.se/download/curl-%{version}.tar.lzma -Source2: https://curl.haxx.se/download/curl-%{version}.tar.lzma.asc +Source: https://curl.haxx.se/download/curl-%{version}.tar.gz +Source2: https://curl.haxx.se/download/curl-%{version}.tar.gz.asc Source3: baselibs.conf Source4: https://daniel.haxx.se/mykey.asc#/curl.keyring Patch0: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.diff Patch2: curl-secure-getenv.patch -Patch3: curl-invalid-free.patch +# PATCH-FIX-OPENSUSE curl-disable-test1427-i586.patch - Disabled test1425 that fails in i586 architecture +Patch3: curl-disable-test1427-i586.patch +# PATCH-FIX-UPSTREAM curl-man3.patch - Fix to build libcurl man3 pages +Patch4: curl-man3.patch BuildRequires: libtool BuildRequires: pkgconfig %if !0%{?bootstrap} @@ -124,7 +127,8 @@ %patch0 %patch1 %patch2 -%patch3 -p1 +%patch3 -p1 -R +%patch4 -p1 %build # curl complains if macro definition is contained in CFLAGS ++++++ curl-disable-test1427-i586.patch ++++++ >From 581011a3d2bb7d2c6f74e4f4dea9f8c12e7cc382 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <dan...@haxx.se> Date: Sun, 6 Aug 2017 21:33:25 +0200 Subject: [PATCH] test1427: verify command line parser integer overflow detection --- tests/data/Makefile.inc | 2 +- tests/data/test1427 | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 tests/data/test1427 diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 59f692e8f4..1c637f8f0e 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc 
@@ -151,7 +151,7 @@ test1396 test1397 test1398 test1399 \ test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \ test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \ test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \ -test1424 test1425 test1426 \ +test1424 test1425 test1426 test1427 \ test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \ test1436 test1437 test1438 test1439 test1440 test1441 test1442 test1443 \ test1444 test1445 test1446 test1450 test1451 \ diff --git a/tests/data/test1427 b/tests/data/test1427 new file mode 100644 index 0000000000..03cab4b93b --- /dev/null +++ b/tests/data/test1427 @@ -0,0 +1,29 @@ +<testcase> +<info> +<keywords> +integer overflow +</keywords> +</info> + +# +# Client-side +<client> +<server> +none +</server> + <name> +too large -m timeout value + </name> + <command> +http://%HOSTIP:%HTTPPORT/1427 -m 184467440737095510 +</command> +</client> + +# +# Verify data after the test has been "shot" +<verify> +<errorcode> +2 +</errorcode> +</verify> +</testcase> ++++++ curl-man3.patch ++++++ >From f864bd8c880d5a916379aa4f26f1c45fe370b282 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <dan...@haxx.se> Date: Wed, 9 Aug 2017 10:28:06 +0200 Subject: [PATCH] build: fix 'make install' with configure, install docs/libcurl/* too Broken since d24838d4da9faa Reported-by: Bernard Spil --- Makefile.am | 2 ++ 1 file changed, 2 insertions(+) Index: curl-7.55.0/Makefile.am =================================================================== --- curl-7.55.0.orig/Makefile.am +++ curl-7.55.0/Makefile.am 
@@ -276,11 +276,13 @@ cygwinbin: install-data-hook: cd include && $(MAKE) install cd docs && $(MAKE) install + cd docs/libcurl && $(MAKE) install # We extend the standard uninstall with a custom hook: uninstall-hook: cd include && $(MAKE) uninstall cd docs && $(MAKE) uninstall + cd docs/libcurl && $(MAKE) uninstall ca-bundle: lib/mk-ca-bundle.pl @echo "generating a fresh ca-bundle.crt"
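
Review bot: in the curl-mini.changes hunk (`@@ -1,0 +2,125 @@`), the 10:53:23 entry says "Disabled test1425" but the patch it adds is named curl-disable-test1427-i586.patch, and the patch body only touches test1427. Please correct the entry to test1427 so the changelog matches what is actually dropped. The closing "Removed patch curl-invalid-free.patch" line also gives no reason; a short note on why the patch is no longer needed would help anyone auditing the package later.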
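
Review bot: in the curl-mini.spec preamble hunk (`@@ -32,20 +32,23 @@`, same lines in curl.spec), the comment above `Patch3: curl-disable-test1427-i586.patch` does not say that the file is the upstream commit that adds test1427 and is meant to be applied in reverse. Someone reading only the preamble would take it for a forward patch. Suggest wording along the lines of "upstream commit 581011a3 adding test1427, applied with -R", and fixing the "test1425" number here as well.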
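
Review bot: in the %prep hunk (`@@ -126,7 +129,8 @@` in curl-mini.spec, `@@ -124,7 +127,8 @@` in curl.spec), `%patch3 -p1 -R` is unconditional, so test1427 is removed on every architecture although the changelog and the patch name give i586 as the only failing one. This drops the regression test for the "detect and bail out early on parameter integer overflows" change on all builds. Consider guarding the line with `%ifarch %ix86` ... `%endif`, or state in the spec comment why the revert has to be global.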
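
Review bot: in the new tests/data/test1427 file, the expected `<errorcode>` 2 hangs on the single literal in `-m 184467440737095510`, and nothing in the test case restricts it to a particular integer width, while the packaging changelog reports it failing on i586. The literal is below 2^63, so which step is expected to overflow is not obvious from the test itself. A comment in the test naming the intended overflow, and an upstream fix or platform condition for 32-bit builds, would be preferable to carrying a reverse patch downstream.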
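
Review bot: the curl-man3.patch hunk (`@@ -276,11 +276,13 @@`) edits Makefile.am only, so the added `cd docs/libcurl && $(MAKE) install` line reaches the build only if Makefile.in is regenerated after %prep. The spec hunks shown here do not include that step, so please confirm the %build section runs autoreconf (or equivalent); otherwise the man3 pages will still be missing from the package. The matching `uninstall-hook` line looks symmetric and is fine.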