1
0
forked from rpms/curl

import curl-7.61.1-14.el8

This commit is contained in:
CentOS Sources 2020-11-03 06:51:11 -05:00 committed by Andrew Lukoshko
parent 2f86b67ef9
commit 239d821966
3 changed files with 107 additions and 1 deletions

View File

@ -0,0 +1,33 @@
From 032843be4cefcb163d15573d15a228680e771106 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 24 Sep 2018 08:26:58 +0200
Subject: [PATCH] openssl: load built-in engines too
Regression since 38203f1
Reported-by: Jean Fabrice
Fixes #3023
Closes #3040
Upstream-commit: e2dd435d473cdc97785df95d032276fafb4b7746
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/openssl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 78970d1..d8bcc4f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -979,7 +979,7 @@ static int Curl_ossl_init(void)
OPENSSL_load_builtin_modules();
-#ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+#ifdef USE_OPENSSL_ENGINE
ENGINE_load_builtin_engines();
#endif
--
2.25.4

View File

@ -0,0 +1,59 @@
From a6fcd8a32f3b1c5d80e524f8b2c1de32e6ecdb2b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 31 May 2020 23:09:59 +0200
Subject: [PATCH] tool_getparam: -i is not OK if -J is used
Reported-by: sn on hackerone
Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
Upstream-commit: 8236aba58542c5f89f1d41ca09d84579efb05e22
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/tool_cb_hdr.c | 13 ++++---------
src/tool_getparam.c | 5 +++++
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
index 3b10238..b80707f 100644
--- a/src/tool_cb_hdr.c
+++ b/src/tool_cb_hdr.c
@@ -132,16 +132,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
filename = parse_filename(p, len);
if(filename) {
if(outs->stream) {
- /* already opened and possibly written to */
- if(outs->fopened)
- fclose(outs->stream);
- outs->stream = NULL;
-
- /* rename the initial file name to the new file name */
- rename(outs->filename, filename);
- if(outs->alloc_filename)
- free(outs->filename);
+ /* indication of problem, get out! */
+ free(filename);
+ return failure;
}
+
outs->is_cd_filename = TRUE;
outs->s_isreg = TRUE;
outs->fopened = FALSE;
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 764caa2..c5c7429 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -1745,6 +1745,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
}
break;
case 'i':
+ if(config->content_disposition) {
+ warnf(global,
+ "--include and --remote-header-name cannot be combined.\n");
+ return PARAM_BAD_USE;
+ }
config->show_headers = toggle; /* show the headers as well in the
general output stream */
break;
--
2.21.3

View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.61.1 Version: 7.61.1
Release: 12%{?dist} Release: 14%{?dist}
License: MIT License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
@ -52,6 +52,12 @@ Patch18: 0018-curl-7.65.3-CVE-2019-5482.patch
# double free due to subsequent call of realloc() (CVE-2019-5481) # double free due to subsequent call of realloc() (CVE-2019-5481)
Patch19: 0019-curl-7.65.3-CVE-2019-5481.patch Patch19: 0019-curl-7.65.3-CVE-2019-5481.patch
# load built-in openssl engines (#1854369)
Patch20: 0020-curl-7.61.1-openssl-engines.patch
# avoid overwriting a local file with -J (CVE-2020-8177)
Patch21: 0021-curl-7.61.1-CVE-2020-8177.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
@ -234,6 +240,8 @@ git apply %{PATCH4}
%patch17 -p1 %patch17 -p1
%patch18 -p1 %patch18 -p1
%patch19 -p1 %patch19 -p1
%patch20 -p1
%patch21 -p1
# make tests/*.py use Python 3 # make tests/*.py use Python 3
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -394,6 +402,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog %changelog
* Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14
- avoid overwriting a local file with -J (CVE-2020-8177)
* Wed Jul 15 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-13
- load built-in openssl engines (#1854369)
* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-12 * Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-12
- double free due to subsequent call of realloc() (CVE-2019-5481) - double free due to subsequent call of realloc() (CVE-2019-5481)
- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482) - fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)