rpms/curl
6
0
Fork 1
Code Issues Pull Requests Releases Activity

new upstream release - 7.52.1 (fixes CVE-2016-9586)

Browse Source
This commit is contained in:
Kamil Dudka 2016-12-21 09:44:58 +01:00
parent c38149da81
commit 00369df034
7 changed files with 19 additions and 436 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
0001-curl-7.51.0-ssh-md5.patch
View File

@ -1,33 +0,0 @@
From a57cd03551cb373bd69278d7281026ac147bb4b4 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 7 Nov 2016 12:54:40 +0100
Subject: [PATCH 1/2] ssh: check md5 fingerprints case insensitively
(regression)
Revert the change from ce8d09483eea but use the new function
Reported-by: Kamil Dudka
Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146
Upstream-commit: 50aded1cd4bb751cad52c39c4fa1f06ebc5e133e
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/ssh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ssh.c b/lib/ssh.c
index 43c8283..0df030d 100644
--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -676,7 +676,7 @@ static CURLcode ssh_check_fingerprint(struct connectdata *conn)
* against a known fingerprint, if available.
*/
if(pubkey_md5 && strlen(pubkey_md5) == 32) {
- if(!fingerprint || strcmp(md5buffer, pubkey_md5)) {
+ if(!fingerprint || !strcasecompare(md5buffer, pubkey_md5)) {
if(fingerprint)
failf(data,
"Denied establishing ssh session: mismatch md5 fingerprint. "
--
2.7.4

91
0002-curl-7.51.0-file-host.patch
View File

@ -1,91 +0,0 @@
From 93d20cffd3b6b8dc9705f3252c09c9269d8ac705 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 11 Nov 2016 08:09:04 +0100
Subject: [PATCH 2/2] URL-parser: for file://[host]/ URLs, the [host] must be
localhost
Previously, the [host] part was just ignored which made libcurl accept
strange URLs misleading users. like "file://etc/passwd" which might've
looked like it refers to "/etc/passwd" but is just "/passwd" since the
"etc" is an ignored host name.
Reported-by: Mike Crowe
Assisted-by: Kamil Dudka
Upstream-commit: 346340808c89db33803ef7461dee191ff7c3d07f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/url.c | 55 ++++++++++++++++++++++++++++++-------------------------
1 file changed, 30 insertions(+), 25 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index b997f41..9a8f6e3 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -4065,33 +4065,38 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
* the URL protocols specified in RFC 1738
*/
if(path[0] != '/') {
- /* the URL included a host name, we ignore host names in file:// URLs
- as the standards don't define what to do with them */
- char *ptr=strchr(path, '/');
- if(ptr) {
- /* there was a slash present
-
- RFC1738 (section 3.1, page 5) says:
-
- The rest of the locator consists of data specific to the scheme,
- and is known as the "url-path". It supplies the details of how the
- specified resource can be accessed. Note that the "/" between the
- host (or port) and the url-path is NOT part of the url-path.
-
- As most agents use file://localhost/foo to get '/foo' although the
- slash preceding foo is a separator and not a slash for the path,
- a URL as file://localhost//foo must be valid as well, to refer to
- the same file with an absolute path.
- */
+ /* the URL includes a host name, it must match "localhost" or
+ "127.0.0.1" to be valid */
+ char *ptr;
+ if(!checkprefix("localhost/", path) &&
+ !checkprefix("127.0.0.1/", path)) {
+ failf(data, "Valid host name with slash missing in URL");
+ return CURLE_URL_MALFORMAT;
+ }
+ ptr = &path[9]; /* now points to the slash after the host */
- if(ptr[1] && ('/' == ptr[1]))
- /* if there was two slashes, we skip the first one as that is then
- used truly as a separator */
- ptr++;
+ /* there was a host name and slash present
- /* This cannot be made with strcpy, as the memory chunks overlap! */
- memmove(path, ptr, strlen(ptr)+1);
- }
+ RFC1738 (section 3.1, page 5) says:
+
+ The rest of the locator consists of data specific to the scheme,
+ and is known as the "url-path". It supplies the details of how the
+ specified resource can be accessed. Note that the "/" between the
+ host (or port) and the url-path is NOT part of the url-path.
+
+ As most agents use file://localhost/foo to get '/foo' although the
+ slash preceding foo is a separator and not a slash for the path,
+ a URL as file://localhost//foo must be valid as well, to refer to
+ the same file with an absolute path.
+ */
+
+ if('/' == ptr[1])
+ /* if there was two slashes, we skip the first one as that is then
+ used truly as a separator */
+ ptr++;
+
+ /* This cannot be made with strcpy, as the memory chunks overlap! */
+ memmove(path, ptr, strlen(ptr)+1);
}
protop = "file"; /* protocol string */
--
2.7.4

285
0003-curl-7.51.0-tls-version.patch
View File

@ -1,285 +0,0 @@
From 53782619bae773a4034bc53b3b0bd858f90190dc Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 27 Oct 2016 14:27:25 +0200
Subject: [PATCH 1/4] nss: map CURL_SSLVERSION_DEFAULT to NSS default
... but make sure we use at least TLSv1.0 according to libcurl API
Reported-by: Cure53
Reviewed-by: Ray Satiro
Upstream-commit: 5d45ced7a45ea38e32f1cbf73d7c63a3e4f241e7
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/nss.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index dff1575..5abb574 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
struct Curl_easy *data)
{
switch(data->set.ssl.version) {
- default:
case CURL_SSLVERSION_DEFAULT:
+ /* map CURL_SSLVERSION_DEFAULT to NSS default */
+ if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
+ return CURLE_SSL_CONNECT_ERROR;
+ /* ... but make sure we use at least TLSv1.0 according to libcurl API */
+ if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+ return CURLE_OK;
+
case CURL_SSLVERSION_TLSv1:
sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+ /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
#ifdef SSL_LIBRARY_VERSION_TLS_1_2
sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
#elif defined SSL_LIBRARY_VERSION_TLS_1_1
@@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
return CURLE_OK;
#endif
break;
+
+ default:
+ /* unsupported SSL/TLS version */
+ break;
}
failf(data, "TLS minor version cannot be set");
--
2.7.4
From 6a42abb03de6e5afe859313b236f2b776ca51722 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 27 Oct 2016 14:57:11 +0200
Subject: [PATCH 2/4] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
Fully implemented with the NSS backend only for now.
Reviewed-by: Ray Satiro
Upstream-commit: 6ad3add60654182a747f5971afb40817488ef0e8
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 ++
docs/libcurl/symbols-in-versions | 1 +
include/curl/curl.h | 1 +
lib/vtls/nss.c | 8 ++++++++
4 files changed, 12 insertions(+)
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
index 2f40e46..1854af0 100644
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
@@ -48,6 +48,8 @@ TLSv1.0 (Added in 7.34.0)
TLSv1.1 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_2
TLSv1.2 (Added in 7.34.0)
+.IP CURL_SSLVERSION_TLSv1_3
+TLSv1.3 (Added in 7.51.1)
.RE
.SH DEFAULT
CURL_SSLVERSION_DEFAULT
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index f6365ae..a77fde4 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -773,6 +773,7 @@ CURL_SSLVERSION_TLSv1 7.9.2
CURL_SSLVERSION_TLSv1_0 7.34.0
CURL_SSLVERSION_TLSv1_1 7.34.0
CURL_SSLVERSION_TLSv1_2 7.34.0
+CURL_SSLVERSION_TLSv1_3 7.51.1
CURL_TIMECOND_IFMODSINCE 7.9.7
CURL_TIMECOND_IFUNMODSINCE 7.9.7
CURL_TIMECOND_LASTMOD 7.9.7
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 9c09cb9..03fcfeb 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1805,6 +1805,7 @@ enum {
CURL_SSLVERSION_TLSv1_0,
CURL_SSLVERSION_TLSv1_1,
CURL_SSLVERSION_TLSv1_2,
+ CURL_SSLVERSION_TLSv1_3,
CURL_SSLVERSION_LAST /* never use, keep last */
};
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 5abb574..5e52727 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1541,6 +1541,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
#endif
break;
+ case CURL_SSLVERSION_TLSv1_3:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
+ return CURLE_OK;
+#endif
+ break;
+
default:
/* unsupported SSL/TLS version */
break;
--
2.7.4
From d930268ab522ac7ea7ccd83671d22f57148f3d21 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 27 Oct 2016 14:58:43 +0200
Subject: [PATCH 3/4] curl: introduce the --tlsv1.3 option to force TLS 1.3
Fully implemented with the NSS backend only for now.
Reviewed-by: Ray Satiro
Upstream-commit: a110a03b43057879643046538c79cc9dd20d399a
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/curl.1 | 10 +++++++---
src/tool_getparam.c | 5 +++++
src/tool_help.c | 1 +
src/tool_setopt.c | 1 +
4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/docs/curl.1 b/docs/curl.1
index f5375ed..e9c6150 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -176,9 +176,9 @@ HTTP 2 to negotiate HTTP 2 support with the server during https sessions.
.IP "-1, --tlsv1"
(SSL)
Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
-You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
-control the TLS version more precisely (if the SSL backend in use supports such
-a level of control).
+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and
+\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend
+in use supports such a level of control).
.IP "-2, --sslv2"
(SSL) Forces curl to use SSL version 2 when negotiating with a remote SSL
server. Sometimes curl is built without SSLv2 support. SSLv2 is widely
@@ -1820,6 +1820,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
(SSL)
Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
(Added in 7.34.0)
+.IP "--tlsv1.3"
+(SSL)
+Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
+(Added in 7.51.1)
.IP "--tr-encoding"
(HTTP) Request a compressed Transfer-Encoding response using one of the
algorithms curl supports, and uncompress the data while receiving it.
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 95dd455..2d16e06 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -190,6 +190,7 @@ static const struct LongShort aliases[]= {
{"10", "tlsv1.0", FALSE},
{"11", "tlsv1.1", FALSE},
{"12", "tlsv1.2", FALSE},
+ {"13", "tlsv1.3", FALSE},
{"2", "sslv2", FALSE},
{"3", "sslv3", FALSE},
{"4", "ipv4", FALSE},
@@ -1061,6 +1062,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
/* TLS version 1.2 */
config->ssl_version = CURL_SSLVERSION_TLSv1_2;
break;
+ case '3':
+ /* TLS version 1.3 */
+ config->ssl_version = CURL_SSLVERSION_TLSv1_3;
+ break;
}
break;
case '2':
diff --git a/src/tool_help.c b/src/tool_help.c
index fb428c9..9890cc8 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -232,6 +232,7 @@ static const char *const helptext[] = {
" --tlsv1.0 Use TLSv1.0 (SSL)",
" --tlsv1.1 Use TLSv1.1 (SSL)",
" --tlsv1.2 Use TLSv1.2 (SSL)",
+ " --tlsv1.3 Use TLSv1.3 (SSL)",
" --trace FILE Write a debug trace to FILE",
" --trace-ascii FILE Like --trace, but without hex output",
" --trace-time Add time stamps to trace/verbose output",
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
index c854225..f3de09d 100644
--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
@@ -83,6 +83,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
NV(CURL_SSLVERSION_TLSv1_0),
NV(CURL_SSLVERSION_TLSv1_1),
NV(CURL_SSLVERSION_TLSv1_2),
+ NV(CURL_SSLVERSION_TLSv1_3),
NVEND,
};
--
2.7.4
From 2fce531638a12f44ea1fbc52e86ca795a3a4e4e2 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 15 Nov 2016 12:21:00 +0100
Subject: [PATCH 4/4] docs: the next release will be 7.52.0
Upstream-commit: cfd69c133984a5df3de63b4f8c5f64885c6e33ae
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/curl.1 | 2 +-
docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 +-
docs/libcurl/symbols-in-versions | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/curl.1 b/docs/curl.1
index e9c6150..05d1a8d 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1823,7 +1823,7 @@ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
.IP "--tlsv1.3"
(SSL)
Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
-(Added in 7.51.1)
+(Added in 7.52.0)
.IP "--tr-encoding"
(HTTP) Request a compressed Transfer-Encoding response using one of the
algorithms curl supports, and uncompress the data while receiving it.
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
index 1854af0..77dfcd4 100644
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
@@ -49,7 +49,7 @@ TLSv1.1 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_2
TLSv1.2 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_3
-TLSv1.3 (Added in 7.51.1)
+TLSv1.3 (Added in 7.52.0)
.RE
.SH DEFAULT
CURL_SSLVERSION_DEFAULT
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index a77fde4..ef730c8 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -773,7 +773,7 @@ CURL_SSLVERSION_TLSv1 7.9.2
CURL_SSLVERSION_TLSv1_0 7.34.0
CURL_SSLVERSION_TLSv1_1 7.34.0
CURL_SSLVERSION_TLSv1_2 7.34.0
-CURL_SSLVERSION_TLSv1_3 7.51.1
+CURL_SSLVERSION_TLSv1_3 7.52.0
CURL_TIMECOND_IFMODSINCE 7.9.7
CURL_TIMECOND_IFUNMODSINCE 7.9.7
CURL_TIMECOND_LASTMOD 7.9.7
--
2.7.4

10
curl-7.51.0.tar.lzma.asc
View File

@ -1,10 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABCgAGBQJYGY4MAAoJEFzJCP23HhLCNkQH/0AjH+fRd4vuv9/AoO2CjZGf
JEXOPF2ZfKeBKc14dPfxhNj/klX3JvmLG9Z1jZLySWYl1/be0CM0LSoxh11rtioO
FiScVNNdUOUnJ6b8m0qVoX1wx9lCn3pjVKGzkfCx4pZ3eZDhtSRBbKNe+92fSOTk
nnMEDDj9q9C++yO8EMifDBfyX2u+JCpvnUu3EFa/znRjZB88Uyrc9Li+fl4aBfo1
IyH8EGmM0QkYBuGZhQBGg6mYg8LkG0JROHpk+j3lh9hZNA2An7tIEhbqoktaLW2i
Ude6R2g2/AdqfZrifY3fBXHc4d0XO4T7GIGREmo4TKDHTLDthKSNTTHt2a9dpiI=
=v+YR
-----END PGP SIGNATURE-----

11
curl-7.52.1.tar.lzma.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlhc0OoACgkQXMkI/bce
EsISngf/adTW6+PCMHxPISnBqoCzO6/3YAH52WDZ1Z0A11VaCAkIbcsqXFF9K1xX
1W/cRt2ZR+eyAhm7gpulUJfxOy1ak5VuguebEY4vENmEpNg94+7iS9yldYJ4m0Q8
t6MeYW+twMazzKarU2CvRJBHW1H+olt0G/3+K6o8LPoLyuqHhGGssvm2c24hb8RZ
Kj9m027qg3KVi89cL5eND0OeLW5mMjNr0TjokicWE7/AP7Wd181ag/jMU3BTX/yh
n5KYp562kDR34AIgV2xbHe8Rmfce9lGNAMW90+xnDbKo3Gjm8I8Cq4UkVBspazV5
hieNGVze2dodGIh+O37iKhaoAoOJsg==
=2ZM9
-----END PGP SIGNATURE-----

23
curl.spec
View File

@ -1,19 +1,10 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.51.0
Release: 3%{?dist}
Version: 7.52.1
Release: 1%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
# ssh: check md5 fingerprints case insensitively
Patch1: 0001-curl-7.51.0-ssh-md5.patch
# stricter host name checking for file:// URLs
Patch2: 0002-curl-7.51.0-file-host.patch
# map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
Patch3: 0003-curl-7.51.0-tls-version.patch
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@ -25,7 +16,7 @@ Patch102: 0102-curl-7.36.0-debug.patch
Patch104: 0104-curl-7.19.7-localhost6.patch
Provides: webclient
URL: http://curl.haxx.se/
URL: https://curl.haxx.se/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
BuildRequires: groff
BuildRequires: krb5-devel
@ -131,9 +122,6 @@ documentation of the library, too.
%setup -q
# upstream patches
%patch1 -p1
%patch2 -p1
%patch3 -p1
# Fedora patches
%patch101 -p1
@ -241,6 +229,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
* Fri Dec 23 2016 Kamil Dudka <kdudka@redhat.com> 7.52.1-1
- new upstream release (fixes CVE-2016-9586)
* Mon Nov 21 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-3
- map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)

2
sources
View File

@ -1 +1 @@
0f876ef6d5776d96b08510461d57db1b curl-7.51.0.tar.lzma
SHA512 (curl-7.52.1.tar.lzma) = 721d98cffd5089044bd32e6450df45ca5bd0df8f58d23fe3716285cffdfff5b64adb0b9971d73d3740d0cdba16c3029730416c53071cb18248da7749f075c03e