Hello community, here is the log from the commit of package curl.13862 for openSUSE:Leap:15.1:Update checked in at 2020-09-05 14:23:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.1:Update/curl.13862 (Old) and /work/SRC/openSUSE:Leap:15.1:Update/.curl.13862.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl.13862" Sat Sep 5 14:23:26 2020 rev:1 rq:831426 version:7.60.0 Changes: -------- New Changes file: --- /dev/null 2020-08-06 00:20:10.149648038 +0200 +++ /work/SRC/openSUSE:Leap:15.1:Update/.curl.13862.new.3399/curl-mini.changes 2020-09-05 14:23:27.710269136 +0200 @@ -0,0 +1,2835 @@ +------------------------------------------------------------------- +Thu Aug 13 09:32:49 UTC 2020 - Pedro Monreal <[email protected]> + +- Security fix: [bsc#1175109, CVE-2020-8231] + * An application that performs multiple requests with libcurl's + multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in + rare circumstances experience that when subsequently using the + setup connect-only transfer, libcurl will pick and use the wrong + connection and instead pick another one the application has + created since then. +- Add curl-CVE-2020-8231.patch + +------------------------------------------------------------------- +Wed Jun 17 08:43:40 UTC 2020 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix: [bsc#1173027, CVE-2020-8177] + * curl can be tricked my a malicious server to overwrite a local + file when using '-J' ('--remote-header-name') and '-i' ('--head') + in the same command line. +- Add curl-CVE-2020-8177.patch + +------------------------------------------------------------------- +Tue Oct 22 13:06:39 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Disable flaky test 1456 [bsc#1154019] + +------------------------------------------------------------------- +Thu Sep 5 11:20:01 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix: [bsc#1149496,CVE-2019-5482] + * TFTP small blocksize heap buffer overflow + * Added curl-CVE-2019-5482.patch + +------------------------------------------------------------------- +Thu Sep 5 11:17:53 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix: [bsc#1149495,CVE-2019-5481] + * FTP-KRB: double-free during kerberos FTP data transfer + * Added curl-CVE-2019-5481.patch + +------------------------------------------------------------------- +Thu May 16 17:39:49 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix [bsc#1135170, CVE-2019-5436] + * A heap buffer overflow exists in tftp_receive_packet that + receives data from a TFTP server + * Added curl-CVE-2019-5436.patch + +------------------------------------------------------------------- +Tue Jan 29 10:23:34 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix [bsc#1123378, CVE-2019-3823] + * SMTP end-of-response out-of-bounds read + * Added patch curl-CVE-2019-3823.patch + +------------------------------------------------------------------- +Tue Jan 29 10:20:16 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix [bsc#1123377, CVE-2019-3822] + * NTLMv2 type-3 header stack buffer overflow + * Added patch curl-CVE-2019-3822.patch + +------------------------------------------------------------------- +Mon Jan 28 15:41:05 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix [bsc#1123371, CVE-2018-16890] + * NTLM type-2 out-of-bounds buffer read + * Added patch curl-CVE-2018-16890.patch + +------------------------------------------------------------------- +Mon Oct 29 09:17:14 UTC 2018 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix [bsc#1113660, CVE-2018-16842] + * Fixed Out-of-bounds Read in tool_msgs.c + * Added curl-CVE-2018-16842.patch + +------------------------------------------------------------------- +Wed Oct 24 09:20:23 UTC 2018 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix [bsc#1113029, CVE-2018-16840] + * use-after-free in handle close + * Added curl-CVE-2018-16840.patch + +------------------------------------------------------------------- +Wed Oct 24 09:19:02 UTC 2018 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix [bsc#1112758, CVE-2018-16839] + * SASL password overflow via integer overflow + * Added curl-CVE-2018-16839.patch + +------------------------------------------------------------------- +Wed Sep 5 09:50:25 UTC 2018 - [email protected] + +- Security fix [CVE-2018-14618, bsc#1106019] + * NTLM password overflow via integer overflow + * Added patch curl-CVE-2018-14618.patch + +------------------------------------------------------------------- +Wed Jul 18 07:09:52 UTC 2018 - [email protected] + +- security update + * CVE-2018-0500 [bsc#1099793] + + curl-CVE-2018-0500.patch + +------------------------------------------------------------------- +Fri May 18 11:47:00 UTC 2018 - [email protected] + +- Use OPENSSL_config instead of CONF_modules_load_file() to avoid + crashes due to openssl engines conflicts (bsc#1086367) + * add curl-use_OPENSSL_config.patch + +------------------------------------------------------------------- +Wed May 16 08:41:48 UTC 2018 - [email protected] + +- Update to version 7.60.0 + [bsc#1092094, CVE-2018-1000300][bsc#1092098, CVE-2018-1000301] + Changes: + * Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol + * Add --haproxy-protocol for the command line tool + * Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses + Bugfixes: + * FTP: shutdown response buffer overflow CVE-2018-1000300 + * RTSP: bad headers buffer over-read CVE-2018-1000301 + * FTP: fix typo in recursive callback detection for seeking + * test1208: marked flaky + * HTTP: make header-less responses still count correct body size + * user-agent.d:: mention --proxy-header as well + * http2: fixes typo + * cleanup: misc typos in strings and comments + * rate-limit: use three second window to better handle high speeds + * examples/hiperfifo.c: improved + * pause: when changing pause state, update socket state + * multi: improved pending transfers handling => improved performance + * curl_version_info.3: fix ssl_version description + * add_handle/easy_perform: clear errorbuffer on start if set + * cmake: add support for brotli + * parsedate: support UT timezone + * vauth/ntlm.h: fix the #ifdef header guard + * lib/curl_path.h: added #ifdef header guard + * vauth/cleartext: fix integer overflow check + * CURLINFO_COOKIELIST.3: made the example not leak memory + * cookie.d: mention that "-" as filename means stdin + * CURLINFO_SSL_VERIFYRESULT.3: fixed the example + * http2: read pending frames (including GOAWAY) in connection-check + * timeval: remove compilation warning by casting + * cmake: avoid warn-as-error during config checks + * travis-ci: enable -Werror for CMake builds + * openldap: fix for NULL return from ldap_get_attribute_ber() + * threaded resolver: track resolver time and set suitable timeout values + * cmake: Add advapi32 as explicit link library for win32 + * docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T + * test1148: set a fixed locale for the test + * cookies: when reading from a file, only remove_expired once + * cookie: store cookies per top-level-domain-specific hash table + * openssl: fix build with LibreSSL 2.7 + * tls: fix mbedTLS 2.7.0 build + handle sha256 failures + * openssl: RESTORED verify locations when verifypeer==0 + * file: restore old behavior for file:////foo/bar URLs + * FTP: allow PASV on IPv6 connections when a proxy is being used + * build-openssl.bat: allow custom paths for VS and perl + * winbuild: make the clean target work without build-type + * build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15 + * curl: retry on FTP 4xx, ignore other protocols + * configure: detect (and use) sa_family_t + * examples/sftpuploadresume: Fix Windows large file seek + * build: cleanup to fix clang warnings/errors + * winbuild: updated the documentation + * lib: silence null-dereference warnings + * travis: bump to clang 6 and gcc 7 + * travis: build libpsl and make builds use it + * proxy: show getenv proxy use in verbose output + * duphandle: make sure CURLOPT_RESOLVE is duplicated + * all: Refactor malloc+memset to use calloc + * checksrc: Fix typo + * system.h: Add sparcv8plus to oracle/sunpro 32-bit detection + * vauth: Fix typo + * ssh: show libSSH2 error code when closing fails + * test1148: tolerate progress updates better + * urldata: make service names unconditional + * configure: keep LD_LIBRARY_PATH changes local + * ntlm_sspi: fix authentication using Credential Manager + * schannel: add client certificate authentication + * winbuild: Support custom devel paths for each dependency + * schannel: add support for CURLOPT_CAINFO + * http2: handle on_begin_headers() called more than once + * openssl: support OpenSSL 1.1.1 verbose-mode trace messages + * openssl: fix subjectAltName check on non-ASCII platforms + * http2: avoid strstr() on data not zero terminated + * http2: clear the "drain counter" when a stream is closed + * http2: handle GOAWAY properly + * tool_help: clarify --max-time unit of time is seconds + * curl.1: clarify that options and URLs can be mixed + * http2: convert an assert to run-time check + * curl_global_sslset: always provide available backends + * ftplistparser: keep state between invokes + * Curl_memchr: zero length input can't match + * examples/sftpuploadresume: typecast fseek argument to long ++++ 2638 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.1:Update/.curl.13862.new.3399/curl-mini.changes New Changes file: curl.changes: same change New: ---- baselibs.conf curl-7.60.0.tar.gz curl-7.60.0.tar.gz.asc curl-CVE-2018-0500.patch curl-CVE-2018-14618.patch curl-CVE-2018-16839.patch curl-CVE-2018-16840.patch curl-CVE-2018-16842.patch curl-CVE-2018-16890.patch curl-CVE-2019-3822.patch curl-CVE-2019-3823.patch curl-CVE-2019-5436.patch curl-CVE-2019-5481.patch curl-CVE-2019-5482.patch curl-CVE-2020-8177.patch curl-CVE-2020-8231.patch curl-disabled-redirect-protocol-message.patch curl-mini.changes curl-mini.spec curl-secure-getenv.patch curl-use_OPENSSL_config.patch curl.changes curl.keyring curl.spec dont-mess-with-rpmoptflags.diff ignore_runtests_failure.patch libcurl-ocloexec.patch pre_checkin.sh ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl-mini.spec ++++++ # # spec file for package curl-mini # # Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # ##### WARNING: please do not edit this auto generated spec file. Use the curl.spec! ##### %define bootstrap 1 ##### WARNING: please do not edit this auto generated spec file. Use the curl.spec! ##### %define mini -mini %if 0%{?bootstrap} %bcond_with testsuite %else %bcond_without testsuite %endif %bcond_with mozilla_nss # need ssl always for python-pycurl %bcond_without openssl Name: curl-mini Version: 7.60.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl Group: Productivity/Networking/Web/Utilities URL: https://curl.haxx.se/ Source: https://curl.haxx.se/download/curl-%{version}.tar.gz Source2: https://curl.haxx.se/download/curl-%{version}.tar.gz.asc Source3: baselibs.conf Source4: https://daniel.haxx.se/mykey.asc#/curl.keyring Patch0: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.diff Patch2: curl-secure-getenv.patch Patch3: ignore_runtests_failure.patch # PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled Patch4: curl-disabled-redirect-protocol-message.patch Patch5: curl-use_OPENSSL_config.patch Patch6: curl-CVE-2018-0500.patch Patch7: curl-CVE-2018-14618.patch # PATCH-FIX-UPSTREAM bsc#1112758 CVE-2018-16839 SASL password overflow via integer overflow Patch8: curl-CVE-2018-16839.patch # PATCH-FIX-UPSTREAM bsc#1113029 CVE-2018-16840 use-after-free in handle close Patch9: curl-CVE-2018-16840.patch # PATCH-FIX-UPSTREAM bsc#1113660 CVE-2018-16842 Out-of-bounds Read Patch10: curl-CVE-2018-16842.patch # PATCH-FIX-UPSTREAM bsc#1123371 CVE-2018-16890 NTLM type-2 out-of-bounds buffer read Patch11: curl-CVE-2018-16890.patch # PATCH-FIX-UPSTREAM bsc#1123377 CVE-2019-3822 NTLMv2 type-3 header stack buffer overflow Patch12: curl-CVE-2019-3822.patch # PATCH-FIX-UPSTREAM bsc#1123378 CVE-2019-3823 SMTP end-of-response out-of-bounds read Patch13: curl-CVE-2019-3823.patch # PATCH-FIX-UPSTREAM bsc#1135170 CVE-2019-5436 heap buffer overflow in tftp_receive_packet Patch14: curl-CVE-2019-5436.patch # PATCH-FIX-UPSTREAM bsc#1149495 CVE-2019-5481 FTP-KRB double-free Patch15: curl-CVE-2019-5481.patch # PATCH-FIX-UPSTREAM bsc#1149496 CVE-2019-5482 TFTP small blocksize heap buffer overflow Patch16: curl-CVE-2019-5482.patch # PATCH-FIX-UPSTREAM bsc#1173027 CVE-2020-8177 Curl overwrites local files when using -J with -i Patch17: curl-CVE-2020-8177.patch # PATCH-FIX-UPSTREAM bsc#1175109 CVE-2020-8231 Wrong connect-only connection Patch18: curl-CVE-2020-8231.patch BuildRequires: libtool BuildRequires: pkgconfig Requires: libcurl4%{?mini} = %{version} %if !0%{?bootstrap} BuildRequires: groff BuildRequires: krb5-mini-devel BuildRequires: libidn2-devel BuildRequires: lzma BuildRequires: openldap2-devel BuildRequires: pkgconfig(libmetalink) BuildRequires: pkgconfig(libnghttp2) BuildRequires: pkgconfig(libpsl) BuildRequires: pkgconfig(libssh) BuildRequires: pkgconfig(zlib) %else Requires: this-is-only-for-build-envs Conflicts: curl # The -mini package is sufficient for the build hosts Provides: curl = %{version} %endif %if %{with openssl} BuildRequires: pkgconfig(libssl) %endif %if %{with mozilla_nss} BuildRequires: mozilla-nss-devel %endif #BuildRequires: openssh %if 0%{?_with_stunnel:1} # used by the testsuite BuildRequires: stunnel %endif %description Curl is a client to get documents and files from or send documents to a server using any of the supported protocols (HTTP, HTTPS, FTP, FTPS, TFTP, DICT, TELNET, LDAP, or FILE). The command is designed to work without user interaction or any kind of interactivity. %package -n libcurl4%{?mini} Summary: Version 4 of cURL shared library Group: Productivity/Networking/Web/Utilities %if 0%{?bootstrap} Requires: this-is-only-for-build-envs Conflicts: libcurl4 %endif %description -n libcurl4%{?mini} The cURL shared library version 4 for accessing data using different network protocols. %package -n libcurl%{?mini}-devel Summary: A Tool for Transferring Data from URLs Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libcurl4%{?mini} = %{version} # curl-devel (v 7.15.5) was last used in 10.2 Provides: curl-devel <= 7.15.5 Obsoletes: curl-devel < 7.16.2 %if 0%{?bootstrap} Requires: this-is-only-for-build-envs Conflicts: libcurl-devel Provides: libcurl-devel = %{version}-%{release} %endif %description -n libcurl%{?mini}-devel Curl is a client to get documents and files from or send documents to a server using any of the supported protocols (HTTP, HTTPS, FTP, GOPHER, DICT, TELNET, LDAP, or FILE). The command is designed to work without user interaction or any kind of interactivity. %prep %setup -q -n curl-%{version} %patch0 %patch1 %patch2 %ifarch ppc ppc64 ppc64le %patch3 -p1 %endif %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 %patch12 -p1 %patch13 -p1 %patch14 -p1 %patch15 -p1 %patch16 -p1 %patch17 -p1 %patch18 -p1 # disable flaky test 1456 bsc#1154019 echo "1456" >> tests/data/DISABLED %build # curl complains if macro definition is contained in CFLAGS # see m4/xc-val-flgs.m4 CPPFLAGS="-D_FORTIFY_SOURCE=2" CFLAGS=$(echo "%{optflags}" | sed -e 's/-D_FORTIFY_SOURCE=2//') export CPPFLAGS CFLAGS export CFLAGS="$CFLAGS -fPIE" export LDFLAGS="$LDFLAGS -pie" autoreconf -fiv # local hack to make curl-config --libs stop printing libraries it depends on # (currently, libtool sets link_all_deplibs=(yes|unknown) everywhere, # will hopefully change in the future) sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure %configure \ --enable-ipv6 \ %if %{with openssl} --with-ssl \ --with-ca-fallback \ --without-ca-path \ --without-ca-bundle \ %else --without-ssl \ %if %{with mozilla_nss} --with-nss \ %endif %endif %if !0%{?bootstrap} --with-gssapi=%{_libexecdir}/mit \ --with-libidn2 \ --with-libssh \ --with-libmetalink \ %endif --enable-hidden-symbols \ --disable-static \ --enable-threaded-resolver # if this fails, the above sed hack did not work ./libtool --config | grep -q link_all_deplibs=no # enable-hidden-symbols needs gcc4 and causes that curl exports only its API make %{?_smp_mflags} V=1 %if %{with testsuite} %check pushd tests make %{?_smp_mflags} # make sure the testsuite runs don't race on MP machines in autobuild if test -z "$BUILD_INCARNATION" -a -r /.buildenv; then . /.buildenv fi if test -z "$BUILD_INCARNATION"; then BUILD_INCARNATION=0 fi base=$((8990 + $BUILD_INCARNATION * 20)) # bug940009 do not run flaky tests for any architecture # at least test 1510 do fail for i586 and ppc64le perl ./runtests.pl -a -b$base '!flaky' || exit popd %endif %install %make_install rm -f %{buildroot}%{_libdir}/libcurl.la install -Dm 0644 docs/libcurl/libcurl.m4 %{buildroot}%{_datadir}/aclocal/libcurl.m4 pushd scripts %make_install popd %post -n libcurl4%{?mini} -p /sbin/ldconfig %postun -n libcurl4%{?mini} -p /sbin/ldconfig %files %doc README RELEASE-NOTES %doc docs/{BUGS,FAQ,FEATURES,MANUAL,RESOURCES,TODO,TheArtOfHttpScripting} %{_bindir}/curl %{_datadir}/zsh/site-functions/_curl %{_mandir}/man1/curl.1%{ext_man} %dir %{_datadir}/zsh %dir %{_datadir}/zsh/site-functions %files -n libcurl4%{?mini} %license COPYING %{_libdir}/libcurl.so.4* %files -n libcurl%{?mini}-devel %{_bindir}/curl-config %{_includedir}/curl %dir %{_datadir}/aclocal/ %{_datadir}/aclocal/libcurl.m4 %{_libdir}/libcurl.so %{_libdir}/pkgconfig/libcurl.pc %{_mandir}/man1/curl-config.1%{ext_man} %{_mandir}/man3/* %doc docs/libcurl/symbols-in-versions %changelog ++++++ curl.spec ++++++ # # spec file for package curl # # Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define bootstrap 0 %define mini %{nil} %if 0%{?bootstrap} %bcond_with testsuite %else %bcond_without testsuite %endif %bcond_with mozilla_nss # need ssl always for python-pycurl %bcond_without openssl Name: curl Version: 7.60.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl Group: Productivity/Networking/Web/Utilities URL: https://curl.haxx.se/ Source: https://curl.haxx.se/download/curl-%{version}.tar.gz Source2: https://curl.haxx.se/download/curl-%{version}.tar.gz.asc Source3: baselibs.conf Source4: https://daniel.haxx.se/mykey.asc#/curl.keyring Patch0: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.diff Patch2: curl-secure-getenv.patch Patch3: ignore_runtests_failure.patch # PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled Patch4: curl-disabled-redirect-protocol-message.patch Patch5: curl-use_OPENSSL_config.patch Patch6: curl-CVE-2018-0500.patch Patch7: curl-CVE-2018-14618.patch # PATCH-FIX-UPSTREAM bsc#1112758 CVE-2018-16839 SASL password overflow via integer overflow Patch8: curl-CVE-2018-16839.patch # PATCH-FIX-UPSTREAM bsc#1113029 CVE-2018-16840 use-after-free in handle close Patch9: curl-CVE-2018-16840.patch # PATCH-FIX-UPSTREAM bsc#1113660 CVE-2018-16842 Out-of-bounds Read Patch10: curl-CVE-2018-16842.patch # PATCH-FIX-UPSTREAM bsc#1123371 CVE-2018-16890 NTLM type-2 out-of-bounds buffer read Patch11: curl-CVE-2018-16890.patch # PATCH-FIX-UPSTREAM bsc#1123377 CVE-2019-3822 NTLMv2 type-3 header stack buffer overflow Patch12: curl-CVE-2019-3822.patch # PATCH-FIX-UPSTREAM bsc#1123378 CVE-2019-3823 SMTP end-of-response out-of-bounds read Patch13: curl-CVE-2019-3823.patch # PATCH-FIX-UPSTREAM bsc#1135170 CVE-2019-5436 heap buffer overflow in tftp_receive_packet Patch14: curl-CVE-2019-5436.patch # PATCH-FIX-UPSTREAM bsc#1149495 CVE-2019-5481 FTP-KRB double-free Patch15: curl-CVE-2019-5481.patch # PATCH-FIX-UPSTREAM bsc#1149496 CVE-2019-5482 TFTP small blocksize heap buffer overflow Patch16: curl-CVE-2019-5482.patch # PATCH-FIX-UPSTREAM bsc#1173027 CVE-2020-8177 Curl overwrites local files when using -J with -i Patch17: curl-CVE-2020-8177.patch # PATCH-FIX-UPSTREAM bsc#1175109 CVE-2020-8231 Wrong connect-only connection Patch18: curl-CVE-2020-8231.patch BuildRequires: libtool BuildRequires: pkgconfig Requires: libcurl4%{?mini} = %{version} %if !0%{?bootstrap} BuildRequires: groff BuildRequires: krb5-mini-devel BuildRequires: libidn2-devel BuildRequires: lzma BuildRequires: openldap2-devel BuildRequires: pkgconfig(libmetalink) BuildRequires: pkgconfig(libnghttp2) BuildRequires: pkgconfig(libpsl) BuildRequires: pkgconfig(libssh) BuildRequires: pkgconfig(zlib) %else Requires: this-is-only-for-build-envs Conflicts: curl # The -mini package is sufficient for the build hosts Provides: curl = %{version} %endif %if %{with openssl} BuildRequires: pkgconfig(libssl) %endif %if %{with mozilla_nss} BuildRequires: mozilla-nss-devel %endif #BuildRequires: openssh %if 0%{?_with_stunnel:1} # used by the testsuite BuildRequires: stunnel %endif %description Curl is a client to get documents and files from or send documents to a server using any of the supported protocols (HTTP, HTTPS, FTP, FTPS, TFTP, DICT, TELNET, LDAP, or FILE). The command is designed to work without user interaction or any kind of interactivity. %package -n libcurl4%{?mini} Summary: Version 4 of cURL shared library Group: Productivity/Networking/Web/Utilities %if 0%{?bootstrap} Requires: this-is-only-for-build-envs Conflicts: libcurl4 %endif %description -n libcurl4%{?mini} The cURL shared library version 4 for accessing data using different network protocols. %package -n libcurl%{?mini}-devel Summary: A Tool for Transferring Data from URLs Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libcurl4%{?mini} = %{version} # curl-devel (v 7.15.5) was last used in 10.2 Provides: curl-devel <= 7.15.5 Obsoletes: curl-devel < 7.16.2 %if 0%{?bootstrap} Requires: this-is-only-for-build-envs Conflicts: libcurl-devel Provides: libcurl-devel = %{version}-%{release} %endif %description -n libcurl%{?mini}-devel Curl is a client to get documents and files from or send documents to a server using any of the supported protocols (HTTP, HTTPS, FTP, GOPHER, DICT, TELNET, LDAP, or FILE). The command is designed to work without user interaction or any kind of interactivity. %prep %setup -q -n curl-%{version} %patch0 %patch1 %patch2 %ifarch ppc ppc64 ppc64le %patch3 -p1 %endif %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 %patch12 -p1 %patch13 -p1 %patch14 -p1 %patch15 -p1 %patch16 -p1 %patch17 -p1 %patch18 -p1 # disable flaky test 1456 bsc#1154019 echo "1456" >> tests/data/DISABLED %build # curl complains if macro definition is contained in CFLAGS # see m4/xc-val-flgs.m4 CPPFLAGS="-D_FORTIFY_SOURCE=2" CFLAGS=$(echo "%{optflags}" | sed -e 's/-D_FORTIFY_SOURCE=2//') export CPPFLAGS CFLAGS export CFLAGS="$CFLAGS -fPIE" export LDFLAGS="$LDFLAGS -pie" autoreconf -fiv # local hack to make curl-config --libs stop printing libraries it depends on # (currently, libtool sets link_all_deplibs=(yes|unknown) everywhere, # will hopefully change in the future) sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure %configure \ --enable-ipv6 \ %if %{with openssl} --with-ssl \ --with-ca-fallback \ --without-ca-path \ --without-ca-bundle \ %else --without-ssl \ %if %{with mozilla_nss} --with-nss \ %endif %endif %if !0%{?bootstrap} --with-gssapi=%{_libexecdir}/mit \ --with-libidn2 \ --with-libssh \ --with-libmetalink \ %endif --enable-hidden-symbols \ --disable-static \ --enable-threaded-resolver # if this fails, the above sed hack did not work ./libtool --config | grep -q link_all_deplibs=no # enable-hidden-symbols needs gcc4 and causes that curl exports only its API make %{?_smp_mflags} V=1 %if %{with testsuite} %check pushd tests make %{?_smp_mflags} # make sure the testsuite runs don't race on MP machines in autobuild if test -z "$BUILD_INCARNATION" -a -r /.buildenv; then . /.buildenv fi if test -z "$BUILD_INCARNATION"; then BUILD_INCARNATION=0 fi base=$((8990 + $BUILD_INCARNATION * 20)) # bug940009 do not run flaky tests for any architecture # at least test 1510 do fail for i586 and ppc64le perl ./runtests.pl -a -b$base '!flaky' || exit popd %endif %install %make_install rm -f %{buildroot}%{_libdir}/libcurl.la install -Dm 0644 docs/libcurl/libcurl.m4 %{buildroot}%{_datadir}/aclocal/libcurl.m4 pushd scripts %make_install popd %post -n libcurl4%{?mini} -p /sbin/ldconfig %postun -n libcurl4%{?mini} -p /sbin/ldconfig %files %doc README RELEASE-NOTES %doc docs/{BUGS,FAQ,FEATURES,MANUAL,RESOURCES,TODO,TheArtOfHttpScripting} %{_bindir}/curl %{_datadir}/zsh/site-functions/_curl %{_mandir}/man1/curl.1%{ext_man} %dir %{_datadir}/zsh %dir %{_datadir}/zsh/site-functions %files -n libcurl4%{?mini} %license COPYING %{_libdir}/libcurl.so.4* %files -n libcurl%{?mini}-devel %{_bindir}/curl-config %{_includedir}/curl %dir %{_datadir}/aclocal/ %{_datadir}/aclocal/libcurl.m4 %{_libdir}/libcurl.so %{_libdir}/pkgconfig/libcurl.pc %{_mandir}/man1/curl-config.1%{ext_man} %{_mandir}/man3/* %doc docs/libcurl/symbols-in-versions %changelog ++++++ baselibs.conf ++++++ libcurl4 obsoletes "curl-<targettype> <= <version>" provides "curl-<targettype> = <version>" libcurl-devel requires -curl-<targettype> requires "libcurl4-<targettype> = <version>" ++++++ curl-CVE-2018-0500.patch ++++++ @@ -, +, @@ --- lib/smtp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/lib/smtp.c +++ a/lib/smtp.c @@ -1561,17 +1561,18 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread) /* Do we need to allocate a scratch buffer? */ if(!scratch || data->set.crlf) { oldscratch = scratch; - scratch = newscratch = malloc(2 * data->set.buffer_size); + scratch = newscratch = malloc(2 * UPLOAD_BUFSIZE); if(!newscratch) { failf(data, "Failed to alloc scratch buffer!"); return CURLE_OUT_OF_MEMORY; } } + DEBUGASSERT(UPLOAD_BUFSIZE >= nread); /* Have we already sent part of the EOB? */ eob_sent = smtp->eob; /* This loop can be improved by some kind of Boyer-Moore style of -- ++++++ curl-CVE-2018-14618.patch ++++++ >From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Mon, 13 Aug 2018 10:35:52 +0200 Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password ... since it would cause an integer overflow if longer than (max size_t / 2). This is CVE-2018-14618 Bug: https://curl.haxx.se/docs/CVE-2018-14618.html Closes #2756 Reported-by: Zhaoyang Wu --- lib/curl_ntlm_core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c index e27cab353c..922e85a926 100644 --- a/lib/curl_ntlm_core.c +++ b/lib/curl_ntlm_core.c @@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, unsigned char *ntbuffer /* 21 bytes */) { size_t len = strlen(password); - unsigned char *pw = len ? malloc(len * 2) : strdup(""); + unsigned char *pw; CURLcode result; + if(len > SIZE_T_MAX/2) /* avoid integer overflow */ + return CURLE_OUT_OF_MEMORY; + pw = len ? malloc(len * 2) : strdup(""); if(!pw) return CURLE_OUT_OF_MEMORY; ++++++ curl-CVE-2018-16839.patch ++++++ >From 92acf6a2df83285a397919506a0a45a638564b9c Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Fri, 28 Sep 2018 16:08:16 +0200 Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check Reported-by: Harry Sintonen --- lib/vauth/cleartext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c index a10edbdc7..be6d6111e 100644 --- a/lib/vauth/cleartext.c +++ b/lib/vauth/cleartext.c @@ -72,11 +72,11 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, *outptr = NULL; ulen = strlen(userp); plen = strlen(passwdp); /* Compute binary message length. Check for overflows. */ - if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) + if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) return CURLE_OUT_OF_MEMORY; plainlen = 2 * ulen + plen + 2; plainauth = malloc(plainlen); if(!plainauth) -- 2.19.1 ++++++ curl-CVE-2018-16840.patch ++++++ >From c6a379a2088884561ad2dc7c12a15cbf1a300c2f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Thu, 18 Oct 2018 15:07:15 +0200 Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid use-after-free Regression from b46cfbc068 (7.59.0) Reported-by: Brian Carpenter (Geeknik Labs) --- lib/url.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/url.c b/lib/url.c index 0cc7d591a..a6e315fdc 100644 --- a/lib/url.c +++ b/lib/url.c @@ -329,14 +329,16 @@ CURLcode Curl_close(struct Curl_easy *data) if(m) /* This handle is still part of a multi handle, take care of this first and detach this handle from there. */ curl_multi_remove_handle(data->multi, data); - if(data->multi_easy) + if(data->multi_easy) { /* when curl_easy_perform() is used, it creates its own multi handle to use and this is the one */ curl_multi_cleanup(data->multi_easy); + data->multi_easy = NULL; + } /* Destroy the timeout list that is held in the easy handle. It is /normally/ done by curl_multi_remove_handle() but this is "just in case" */ Curl_llist_destroy(&data->state.timeoutlist, NULL); -- 2.19.1 ++++++ curl-CVE-2018-16842.patch ++++++ >From 8490ab449e98b9861a8afdc04f06956e94692ebf Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Sun, 28 Oct 2018 01:33:23 +0200 Subject: [PATCH] voutf: fix bad arethmetic when outputting warnings to stderr Reported-by: Brian Carpenter --- src/tool_msgs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tool_msgs.c b/src/tool_msgs.c index 832ed8147..f5e1df25f 100644 --- a/src/tool_msgs.c +++ b/src/tool_msgs.c @@ -65,11 +65,11 @@ static void voutf(struct GlobalConfig *config, cut = width-1; (void)fwrite(ptr, cut + 1, 1, config->errors); fputs("\n", config->errors); ptr += cut + 1; /* skip the space too */ - len -= cut; + len -= cut + 1; } else { fputs(ptr, config->errors); len = 0; } -- 2.19.1 ++++++ curl-CVE-2018-16890.patch ++++++ >From a54ba07a3a01f21de64ecabaafcc01b40b9db5a4 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Wed, 2 Jan 2019 20:33:08 +0100 Subject: [PATCH 1/3] NTLM: fix size check condition for type2 received data Reported-by: Wenxiang Qian --- lib/vauth/ntlm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) Index: curl-7.60.0/lib/vauth/ntlm.c =================================================================== --- curl-7.60.0.orig/lib/vauth/ntlm.c +++ curl-7.60.0/lib/vauth/ntlm.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, <[email protected]>, et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, <[email protected]>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target target_info_len = Curl_read16_le(&buffer[40]); target_info_offset = Curl_read32_le(&buffer[44]); if(target_info_len > 0) { - if(((target_info_offset + target_info_len) > size) || + if((target_info_offset >= size) || + ((target_info_offset + target_info_len) > size) || (target_info_offset < 48)) { infof(data, "NTLM handshake failure (bad type-2 message). " - "Target Info Offset Len is set incorrect by the peer\n"); + "Target Info Offset Len is set incorrect by the peer\n"); return CURLE_BAD_CONTENT_ENCODING; } ++++++ curl-CVE-2019-3822.patch ++++++ >From ea9e76bc934ace9e260ab3d99438320b1f2ef501 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Thu, 3 Jan 2019 12:59:28 +0100 Subject: [PATCH 2/3] ntlm: fix *_type3_message size check to avoid buffer overflow --- lib/vauth/ntlm.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c index 0ad4d972e..6a8fc5ab3 100644 --- a/lib/vauth/ntlm.c +++ b/lib/vauth/ntlm.c @@ -777,15 +777,18 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, fprintf(stderr, "**** TYPE3 header lmresp="); ntlm_print_hex(stderr, (char *)&ntlmbuf[lmrespoff], 0x18); }); #ifdef USE_NTRESPONSES - if(size < (NTLM_BUFSIZE - ntresplen)) { - DEBUGASSERT(size == (size_t)ntrespoff); - memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); - size += ntresplen; + /* ntresplen + size should not be risking an integer overflow here */ + if(ntresplen + size > sizeof(ntlmbuf)) { + failf(data, "incoming NTLM message too big"); + return CURLE_OUT_OF_MEMORY; } + DEBUGASSERT(size == (size_t)ntrespoff); + memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); + size += ntresplen; DEBUG_OUT({ fprintf(stderr, "\n ntresp="); ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], ntresplen); }); -- 2.20.1 ++++++ curl-CVE-2019-3823.patch ++++++ >From 89dd3f49e1248d7f39401ecc9eecb4e82885e629 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson <[email protected]> Date: Sat, 19 Jan 2019 00:42:47 +0100 Subject: [PATCH 3/3] smtp: avoid risk of buffer overflow in strtol If the incoming len 5, but the buffer does not have a termination after 5 bytes, the strtol() call may keep reading through the line buffer until is exceeds its boundary. Fix by ensuring that we are using a bounded read with a temporary buffer on the stack. Reported-by: Brian Carpenter (Geeknik Labs) --- lib/smtp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/smtp.c b/lib/smtp.c index 84fc68e41..d55647b12 100644 --- a/lib/smtp.c +++ b/lib/smtp.c @@ -3,11 +3,11 @@ * Project ___| | | | _ \| | * / __| | | | |_) | | * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2018, Daniel Stenberg, <[email protected]>, et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, <[email protected]>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms * are also available at https://curl.haxx.se/docs/copyright.html. * @@ -205,12 +205,16 @@ static bool smtp_endofresp(struct connectdata *conn, char *line, size_t len, /* Do we have a command response? This should be the response code followed by a space and optionally some text as per RFC-5321 and as outlined in Section 4. Examples of RFC-4954 but some e-mail servers ignore this and only send the response code instead as per Section 4.2. */ if(line[3] == ' ' || len == 5) { + char tmpline[6]; + result = TRUE; - *resp = curlx_sltosi(strtol(line, NULL, 10)); + memset(tmpline, '\0', sizeof(tmpline)); + memcpy(tmpline, line, (len == 5 ? 5 : 3)); + *resp = curlx_sltosi(strtol(tmpline, NULL, 10)); /* Make sure real server never sends internal value */ if(*resp == 1) *resp = 0; } -- 2.20.1 ++++++ curl-CVE-2019-5436.patch ++++++ >From 5c89b6583079cd4cccbdf59929fa14515397430a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Fri, 3 May 2019 22:20:37 +0200 Subject: [PATCH] tftp: use the current blksize for recvfrom() bug: CVE-2019-XXXXX Reported-by: l00p3r --- lib/tftp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tftp.c b/lib/tftp.c index 8b92b7bd6..289cda282 100644 --- a/lib/tftp.c +++ b/lib/tftp.c @@ -1007,11 +1007,11 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) state->conn = conn; state->sockfd = state->conn->sock[FIRSTSOCKET]; state->state = TFTP_STATE_START; state->error = TFTP_ERR_NONE; - state->blksize = TFTP_BLKSIZE_DEFAULT; + state->blksize = blksize; state->requested_blksize = blksize; ((struct sockaddr *)&state->local_addr)->sa_family = (CURL_SA_FAMILY_T)(conn->ip_addr->ai_family); -- 2.20.1 ++++++ curl-CVE-2019-5481.patch ++++++ >From df710e843f07001ee629ab5b7169c9cb5bef21f8 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Tue, 3 Sep 2019 22:59:32 +0200 Subject: [PATCH] security:read_data fix bad realloc() ... that could end up a double-free --- lib/security.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lib/security.c b/lib/security.c index 550ea2da8..c5e4e135d 100644 --- a/lib/security.c +++ b/lib/security.c @@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn, struct krb5buffer *buf) { int len; - void *tmp = NULL; CURLcode result; result = socket_read(fd, &len, sizeof(len)); @@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn, if(len) { /* only realloc if there was a length */ len = ntohl(len); - tmp = Curl_saferealloc(buf->data, len); + buf->data = Curl_saferealloc(buf->data, len); } - if(tmp == NULL) + if(!len || !buf->data) return CURLE_OUT_OF_MEMORY; - buf->data = tmp; result = socket_read(fd, buf->data, len); if(result) return result; -- 2.23.0 ++++++ curl-CVE-2019-5482.patch ++++++ >From 0846bdc0c3f8323b931247ca31c2fb30a3265f00 Mon Sep 17 00:00:00 2001 From: Thomas Vegas <> Date: Sat, 31 Aug 2019 17:30:51 +0200 Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is received Fixes potential buffer overflow from 'recvfrom()', should the server return an OACK without blksize. --- lib/tftp.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) Index: curl-7.60.0/lib/tftp.c =================================================================== --- curl-7.60.0.orig/lib/tftp.c +++ curl-7.60.0/lib/tftp.c @@ -970,6 +970,7 @@ static CURLcode tftp_connect(struct conn { tftp_state_data_t *state; int blksize, rc; + int need_blksize; blksize = TFTP_BLKSIZE_DEFAULT; @@ -984,15 +985,20 @@ static CURLcode tftp_connect(struct conn return CURLE_TFTP_ILLEGAL; } + need_blksize = blksize; + /* default size is the fallback when no OACK is received */ + if(need_blksize < TFTP_BLKSIZE_DEFAULT) + need_blksize = TFTP_BLKSIZE_DEFAULT; + if(!state->rpacket.data) { - state->rpacket.data = calloc(1, blksize + 2 + 2); + state->rpacket.data = calloc(1, need_blksize + 2 + 2); if(!state->rpacket.data) return CURLE_OUT_OF_MEMORY; } if(!state->spacket.data) { - state->spacket.data = calloc(1, blksize + 2 + 2); + state->spacket.data = calloc(1, need_blksize + 2 + 2); if(!state->spacket.data) return CURLE_OUT_OF_MEMORY; @@ -1006,7 +1012,7 @@ static CURLcode tftp_connect(struct conn state->sockfd = state->conn->sock[FIRSTSOCKET]; state->state = TFTP_STATE_START; state->error = TFTP_ERR_NONE; - state->blksize = blksize; + state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */ state->requested_blksize = blksize; ((struct sockaddr *)&state->local_addr)->sa_family = ++++++ curl-CVE-2020-8177.patch ++++++ >From 3b884d1cc588c6cfede9d2f124d43c93e93226e8 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Sun, 31 May 2020 23:09:59 +0200 Subject: [PATCH] tool_getparam: -i is not OK if -J is used Reported-by: sn on hackerone Bug: https://curl.haxx.se/docs/CVE-2020-8177.html --- src/tool_cb_hdr.c | 22 ++++------------------ src/tool_getparam.c | 5 +++++ 2 files changed, 9 insertions(+), 18 deletions(-) Index: curl-7.60.0/src/tool_cb_hdr.c =================================================================== --- curl-7.60.0.orig/src/tool_cb_hdr.c +++ curl-7.60.0/src/tool_cb_hdr.c @@ -119,6 +119,11 @@ size_t tool_header_cb(char *ptr, size_t len = (ssize_t)cb - (p - str); filename = parse_filename(p, len); if(filename) { + if(outs->stream) { + /* indication of problem, get out! */ + free(filename); + return failure; + } outs->filename = filename; outs->alloc_filename = TRUE; outs->is_cd_filename = TRUE; Index: curl-7.60.0/src/tool_getparam.c =================================================================== --- curl-7.60.0.orig/src/tool_getparam.c +++ curl-7.60.0/src/tool_getparam.c @@ -1722,6 +1722,11 @@ ParameterError getparameter(const char * } break; case 'i': + if(config->content_disposition) { + warnf(global, + "--include and --remote-header-name cannot be combined.\n"); + return PARAM_BAD_USE; + } config->include_headers = toggle; /* include the headers as well in the general output stream */ break; ++++++ curl-CVE-2020-8231.patch ++++++ >From 8c899c70575126151628b1455429cdb7224894fc Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <[email protected]> Date: Mon, 3 Aug 2020 14:54:13 +0200 Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer CVE-2020-8231 Bug: https://curl.haxx.se/docs/CVE-2020-8231.html Reported-by: Marc Aldorasi --- lib/connect.c | 19 ++++++++++--------- lib/easy.c | 3 +-- lib/multi.c | 10 ++++++---- lib/url.c | 2 +- lib/urldata.h | 2 +- 5 files changed, 19 insertions(+), 17 deletions(-) Index: curl-7.60.0/lib/connect.c =================================================================== --- curl-7.60.0.orig/lib/connect.c +++ curl-7.60.0/lib/connect.c @@ -1214,15 +1214,15 @@ CURLcode Curl_connecthost(struct connect } struct connfind { - struct connectdata *tofind; - bool found; + long id_tofind; + struct connectdata *found; }; static int conn_is_conn(struct connectdata *conn, void *param) { struct connfind *f = (struct connfind *)param; - if(conn == f->tofind) { - f->found = TRUE; + if(conn->connection_id == f->id_tofind) { + f->found = conn; return 1; } return 0; @@ -1246,21 +1246,22 @@ curl_socket_t Curl_getconnectinfo(struct * - that is associated with a multi handle, and whose connection * was detached with CURLOPT_CONNECT_ONLY */ - if(data->state.lastconnect && (data->multi_easy || data->multi)) { - struct connectdata *c = data->state.lastconnect; + if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) { + struct connectdata *c; struct connfind find; - find.tofind = data->state.lastconnect; - find.found = FALSE; + find.id_tofind = data->state.lastconnect_id; + find.found = NULL; Curl_conncache_foreach(data, data->multi_easy? &data->multi_easy->conn_cache: &data->multi->conn_cache, &find, conn_is_conn); if(!find.found) { - data->state.lastconnect = NULL; + data->state.lastconnect_id = -1; return CURL_SOCKET_BAD; } + c = find.found; if(connp) /* only store this if the caller cares for it */ *connp = c; Index: curl-7.60.0/lib/easy.c =================================================================== --- curl-7.60.0.orig/lib/easy.c +++ curl-7.60.0/lib/easy.c @@ -930,8 +930,7 @@ struct Curl_easy *curl_easy_duphandle(st /* the connection cache is setup on demand */ outcurl->state.conn_cache = NULL; - - outcurl->state.lastconnect = NULL; + outcurl->state.lastconnect_id = -1; outcurl->progress.flags = data->progress.flags; outcurl->progress.callback = data->progress.callback; Index: curl-7.60.0/lib/multi.c =================================================================== --- curl-7.60.0.orig/lib/multi.c +++ curl-7.60.0/lib/multi.c @@ -408,6 +408,7 @@ CURLMcode curl_multi_add_handle(struct C data->state.conn_cache = &data->share->conn_cache; else data->state.conn_cache = &multi->conn_cache; + data->state.lastconnect_id = -1; /* This adds the new entry at the 'end' of the doubly-linked circular list of Curl_easy structs to try and maintain a FIFO queue so @@ -611,11 +612,11 @@ static CURLcode multi_done(struct connec /* the connection is no longer in use */ if(Curl_conncache_return_conn(conn)) { /* remember the most recently used connection */ - data->state.lastconnect = conn; + data->state.lastconnect_id = conn->connection_id; infof(data, "%s\n", buffer); } else - data->state.lastconnect = NULL; + data->state.lastconnect_id = -1; } *connp = NULL; /* to make the caller of this function better detect that Index: curl-7.60.0/lib/url.c =================================================================== --- curl-7.60.0.orig/lib/url.c +++ curl-7.60.0/lib/url.c @@ -594,7 +594,7 @@ CURLcode Curl_open(struct Curl_easy **cu Curl_initinfo(data); /* most recent connection is not yet defined */ - data->state.lastconnect = NULL; + data->state.lastconnect_id = -1; data->progress.flags |= PGRS_HIDE; data->state.current_speed = -1; /* init to negative == impossible */ Index: curl-7.60.0/lib/urldata.h =================================================================== --- curl-7.60.0.orig/lib/urldata.h +++ curl-7.60.0/lib/urldata.h @@ -1216,7 +1216,7 @@ struct UrlState { /* buffers to store authentication data in, as parsed from input options */ struct curltime keeps_speed; /* for the progress meter really */ - struct connectdata *lastconnect; /* The last connection, NULL if undefined */ + long lastconnect_id; /* The last connection, -1 if undefined */ char *headerbuff; /* allocated buffer to store headers in */ size_t headersize; /* size of the allocation */ ++++++ curl-disabled-redirect-protocol-message.patch ++++++ --- a/lib/url.c +++ a/lib/url.c @@ -1955,9 +1955,13 @@ static CURLcode findprotocol(struct Curl_easy *data, /* it is allowed for "normal" request, now do an extra check if this is the result of a redirect */ if(data->state.this_is_a_follow && - !(data->set.redir_protocols & p->protocol)) + !(data->set.redir_protocols & p->protocol)) { /* nope, get out */ - break; + failf(data, "Redirect to protocol \"%s\" not supported or disabled in " LIBCURL_NAME, + protostr); + + return CURLE_UNSUPPORTED_PROTOCOL; + } /* Perform setup complement if some. */ conn->handler = conn->given = p; ++++++ curl-secure-getenv.patch ++++++ Index: lib/getenv.c =================================================================== --- lib/getenv.c.orig 2013-04-12 13:31:59.056761437 +0200 +++ lib/getenv.c 2013-04-12 13:36:25.654762399 +0200 @@ -27,6 +27,14 @@ #include "memdebug.h" +#ifndef HAVE_SECURE_GETENV +# ifdef HAVE___SECURE_GETENV +# define secure_getenv __secure_getenv +# else +# error neither secure_getenv nor __secure_getenv is available +# endif +#endif + static char *GetEnv(const char *variable) { @@ -41,7 +49,7 @@ char *GetEnv(const char *variable) ExpandEnvironmentStringsA(temp, env, sizeof(env)); return (env[0] != '\0')?strdup(env):NULL; #else - char *env = getenv(variable); + char *env = secure_getenv(variable); return (env && env[0])?strdup(env):NULL; #endif #endif Index: configure.ac =================================================================== --- configure.ac.orig 2013-04-12 13:31:59.057761467 +0200 +++ configure.ac 2013-04-12 13:32:00.823814454 +0200 @@ -3475,6 +3475,8 @@ if test "x$want_curldebug_assumed" = "xy ac_configure_args="$ac_configure_args --enable-curldebug" fi +AC_CHECK_FUNCS([__secure_getenv secure_getenv]) + AC_CONFIG_FILES([Makefile \ docs/Makefile \ docs/examples/Makefile \ ++++++ curl-use_OPENSSL_config.patch ++++++ This basically reverts https://github.com/curl/curl/commit/7d2f61f66ab4e047fc9aefc2effc1ac6d340a66a diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 80e9bf940..ba227891f 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -925,26 +925,12 @@ static int Curl_ossl_init(void) ENGINE_load_builtin_engines(); #endif - /* OPENSSL_config(NULL); is "strongly recommended" to use but unfortunately - that function makes an exit() call on wrongly formatted config files - which makes it hard to use in some situations. OPENSSL_config() itself - calls CONF_modules_load_file() and we use that instead and we ignore - its return code! */ - - /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and - 0.9.8e */ -#ifndef CONF_MFLAGS_DEFAULT_SECTION -#define CONF_MFLAGS_DEFAULT_SECTION 0x0 -#endif - - CONF_modules_load_file(NULL, NULL, - CONF_MFLAGS_DEFAULT_SECTION| - CONF_MFLAGS_IGNORE_MISSING_FILE); - #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !defined(LIBRESSL_VERSION_NUMBER) - /* OpenSSL 1.1.0+ takes care of initialization itself */ + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); #else + OPENSSL_config(NULL); + /* Lets get nice error messages */ SSL_load_error_strings(); ++++++ dont-mess-with-rpmoptflags.diff ++++++ Index: configure.ac =================================================================== --- configure.ac.orig 2013-02-07 11:55:15.150276599 +0100 +++ configure.ac 2013-02-07 11:55:15.167277116 +0100 @@ -288,10 +288,6 @@ dnl platform/compiler/architecture speci dnl ********************************************************************** CURL_CHECK_COMPILER -CURL_SET_COMPILER_BASIC_OPTS -CURL_SET_COMPILER_DEBUG_OPTS -CURL_SET_COMPILER_OPTIMIZE_OPTS -CURL_SET_COMPILER_WARNING_OPTS if test "$compiler_id" = "INTEL_UNIX_C"; then # ++++++ ignore_runtests_failure.patch ++++++ From: Michel Normand <[email protected]> Subject: ignore runtests failure Date: Thu, 25 Jan 2018 12:29:03 +0100 ignore runtests failures because tests are failing randomly on ppc64le and still failing even if tried in loop and adding lines in spec === %ifarch ppc ppc64 ppc64le echo "# disable few tests for PowerPC bypass boo#1075219" >>data/DISABLED echo "575" >>data/DISABLED echo "576" >>data/DISABLED echo "591" >>data/DISABLED echo "592" >>data/DISABLED echo "714" >>data/DISABLED echo "1206" >>data/DISABLED echo "1207" >>data/DISABLED echo "1238" >>data/DISABLED echo "1319" >>data/DISABLED echo "1388" >>data/DISABLED echo "1501" >>data/DISABLED echo "1514" >>data/DISABLED echo "1525" >>data/DISABLED %endif === Signed-off-by: Michel Normand <[email protected]> --- tests/runtests.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: curl-7.57.0/tests/runtests.pl =================================================================== --- curl-7.57.0.orig/tests/runtests.pl +++ curl-7.57.0/tests/runtests.pl @@ -5881,5 +5881,5 @@ if($skipped && !$short) { } if($total && ($ok != $total)) { - exit 1; + printf "WARNING: ignore any test failures as per applied patch\n"; } ++++++ libcurl-ocloexec.patch ++++++ Open library file descriptors with O_CLOEXEC This patch is non-portable, it needs linux 2.6.23 and glibc 2.7 or later, different combinations (old linux, new glibc and vice-versa) will result in a crash. To make it portable you have to test O_CLOEXEC support at *runtime* compile time is not enough. Index: lib/file.c =================================================================== --- lib/file.c.orig +++ lib/file.c @@ -190,7 +190,7 @@ static CURLcode file_connect(struct conn return CURLE_URL_MALFORMAT; } - fd = open_readonly(real_path, O_RDONLY); + fd = open_readonly(real_path, O_RDONLY|O_CLOEXEC); file->path = real_path; #endif file->freepath = real_path; /* free this when done */ @@ -285,7 +285,7 @@ static CURLcode file_upload(struct conne else mode = MODE_DEFAULT|O_TRUNC; - fd = open(file->path, mode, conn->data->set.new_file_perms); + fd = open(file->path, mode | O_CLOEXEC, conn->data->set.new_file_perms); if(fd < 0) { failf(data, "Can't open %s for writing", file->path); return CURLE_WRITE_ERROR; Index: lib/hostip6.c =================================================================== --- lib/hostip6.c.orig +++ lib/hostip6.c @@ -44,7 +44,7 @@ #ifdef HAVE_PROCESS_H #include <process.h> #endif - +#include <fcntl.h> #include "urldata.h" #include "sendf.h" #include "hostip.h" @@ -103,7 +103,7 @@ bool Curl_ipv6works(void) static int ipv6_works = -1; if(-1 == ipv6_works) { /* probe to see if we have a working IPv6 stack */ - curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0); + curl_socket_t s = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); if(s == CURL_SOCKET_BAD) /* an IPv6 address was requested but we can't get/use one */ ipv6_works = 0; Index: lib/if2ip.c =================================================================== --- lib/if2ip.c.orig +++ lib/if2ip.c @@ -225,7 +225,7 @@ if2ip_result_t Curl_if2ip(int af, unsign if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; - dummy = socket(AF_INET, SOCK_STREAM, 0); + dummy = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); if(CURL_SOCKET_BAD == dummy) return IF2IP_NOT_FOUND; Index: lib/connect.c =================================================================== --- lib/connect.c.orig +++ lib/connect.c @@ -1389,7 +1389,7 @@ CURLcode Curl_socket(struct connectdata } else /* opensocket callback not set, so simply create the socket now */ - *sockfd = socket(addr->family, addr->socktype, addr->protocol); + *sockfd = socket(addr->family, addr->socktype | SOCK_CLOEXEC, addr->protocol); if(*sockfd == CURL_SOCKET_BAD) /* no socket, no connection */ Index: configure.ac =================================================================== --- configure.ac.orig +++ configure.ac @@ -188,6 +188,7 @@ AC_CANONICAL_HOST dnl Get system canonical name AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS]) +AC_USE_SYSTEM_EXTENSIONS dnl Checks for programs. dnl This defines _ALL_SOURCE for AIX ++++++ pre_checkin.sh ++++++ #!/bin/sh # This script is based on libcdio_spec-prepare.sh (thanks to [email protected]) # create a -mini spec for systemd for bootstrapping ORIG_SPEC=curl EDIT_WARNING="##### WARNING: please do not edit this auto generated spec file. Use the ${ORIG_SPEC}.spec! #####\n" sed "s/^%define bootstrap .*$/${EDIT_WARNING}%define bootstrap 1/; s/^%define mini .*$/${EDIT_WARNING}%define mini -mini/; s/^Name:.*/&-mini/ " < ${ORIG_SPEC}.spec > ${ORIG_SPEC}-mini.spec cp ${ORIG_SPEC}.changes ${ORIG_SPEC}-mini.changes #cp ${ORIG_SPEC}-rpmlintrc ${ORIG_SPEC}-mini-rpmlintrc osc service localrun format_spec_file
