diff --git a/0001-curl-7.51.0-ssh-md5.patch b/0001-curl-7.51.0-ssh-md5.patch deleted file mode 100644 index 6ed3e0e..0000000 --- a/0001-curl-7.51.0-ssh-md5.patch +++ /dev/null @@ -1,33 +0,0 @@ -From a57cd03551cb373bd69278d7281026ac147bb4b4 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 7 Nov 2016 12:54:40 +0100 -Subject: [PATCH 1/2] ssh: check md5 fingerprints case insensitively - (regression) - -Revert the change from ce8d09483eea but use the new function - -Reported-by: Kamil Dudka -Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146 - -Upstream-commit: 50aded1cd4bb751cad52c39c4fa1f06ebc5e133e -Signed-off-by: Kamil Dudka ---- - lib/ssh.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/ssh.c b/lib/ssh.c -index 43c8283..0df030d 100644 ---- a/lib/ssh.c -+++ b/lib/ssh.c -@@ -676,7 +676,7 @@ static CURLcode ssh_check_fingerprint(struct connectdata *conn) - * against a known fingerprint, if available. - */ - if(pubkey_md5 && strlen(pubkey_md5) == 32) { -- if(!fingerprint || strcmp(md5buffer, pubkey_md5)) { -+ if(!fingerprint || !strcasecompare(md5buffer, pubkey_md5)) { - if(fingerprint) - failf(data, - "Denied establishing ssh session: mismatch md5 fingerprint. " --- -2.7.4 - diff --git a/0002-curl-7.51.0-file-host.patch b/0002-curl-7.51.0-file-host.patch deleted file mode 100644 index 987caee..0000000 --- a/0002-curl-7.51.0-file-host.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 93d20cffd3b6b8dc9705f3252c09c9269d8ac705 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 11 Nov 2016 08:09:04 +0100 -Subject: [PATCH 2/2] URL-parser: for file://[host]/ URLs, the [host] must be - localhost - -Previously, the [host] part was just ignored which made libcurl accept -strange URLs misleading users. like "file://etc/passwd" which might've -looked like it refers to "/etc/passwd" but is just "/passwd" since the -"etc" is an ignored host name. - -Reported-by: Mike Crowe -Assisted-by: Kamil Dudka - -Upstream-commit: 346340808c89db33803ef7461dee191ff7c3d07f -Signed-off-by: Kamil Dudka ---- - lib/url.c | 55 ++++++++++++++++++++++++++++++------------------------- - 1 file changed, 30 insertions(+), 25 deletions(-) - -diff --git a/lib/url.c b/lib/url.c -index b997f41..9a8f6e3 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -4065,33 +4065,38 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, - * the URL protocols specified in RFC 1738 - */ - if(path[0] != '/') { -- /* the URL included a host name, we ignore host names in file:// URLs -- as the standards don't define what to do with them */ -- char *ptr=strchr(path, '/'); -- if(ptr) { -- /* there was a slash present -- -- RFC1738 (section 3.1, page 5) says: -- -- The rest of the locator consists of data specific to the scheme, -- and is known as the "url-path". It supplies the details of how the -- specified resource can be accessed. Note that the "/" between the -- host (or port) and the url-path is NOT part of the url-path. -- -- As most agents use file://localhost/foo to get '/foo' although the -- slash preceding foo is a separator and not a slash for the path, -- a URL as file://localhost//foo must be valid as well, to refer to -- the same file with an absolute path. 
-- */ -+ /* the URL includes a host name, it must match "localhost" or -+ "127.0.0.1" to be valid */ -+ char *ptr; -+ if(!checkprefix("localhost/", path) && -+ !checkprefix("127.0.0.1/", path)) { -+ failf(data, "Valid host name with slash missing in URL"); -+ return CURLE_URL_MALFORMAT; -+ } -+ ptr = &path[9]; /* now points to the slash after the host */ - -- if(ptr[1] && ('/' == ptr[1])) -- /* if there was two slashes, we skip the first one as that is then -- used truly as a separator */ -- ptr++; -+ /* there was a host name and slash present - -- /* This cannot be made with strcpy, as the memory chunks overlap! */ -- memmove(path, ptr, strlen(ptr)+1); -- } -+ RFC1738 (section 3.1, page 5) says: -+ -+ The rest of the locator consists of data specific to the scheme, -+ and is known as the "url-path". It supplies the details of how the -+ specified resource can be accessed. Note that the "/" between the -+ host (or port) and the url-path is NOT part of the url-path. -+ -+ As most agents use file://localhost/foo to get '/foo' although the -+ slash preceding foo is a separator and not a slash for the path, -+ a URL as file://localhost//foo must be valid as well, to refer to -+ the same file with an absolute path. -+ */ -+ -+ if('/' == ptr[1]) -+ /* if there was two slashes, we skip the first one as that is then -+ used truly as a separator */ -+ ptr++; -+ -+ /* This cannot be made with strcpy, as the memory chunks overlap! */ -+ memmove(path, ptr, strlen(ptr)+1); - } - - protop = "file"; /* protocol string */ --- -2.7.4 - diff --git a/0003-curl-7.51.0-tls-version.patch b/0003-curl-7.51.0-tls-version.patch deleted file mode 100644 index 1e3d788..0000000 --- a/0003-curl-7.51.0-tls-version.patch +++ /dev/null 
@@ -1,285 +0,0 @@ -From 53782619bae773a4034bc53b3b0bd858f90190dc Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 27 Oct 2016 14:27:25 +0200 -Subject: [PATCH 1/4] nss: map CURL_SSLVERSION_DEFAULT to NSS default - -... but make sure we use at least TLSv1.0 according to libcurl API - -Reported-by: Cure53 -Reviewed-by: Ray Satiro - -Upstream-commit: 5d45ced7a45ea38e32f1cbf73d7c63a3e4f241e7 -Signed-off-by: Kamil Dudka ---- - lib/vtls/nss.c | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c -index dff1575..5abb574 100644 ---- a/lib/vtls/nss.c -+++ b/lib/vtls/nss.c -@@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, - struct Curl_easy *data) - { - switch(data->set.ssl.version) { -- default: - case CURL_SSLVERSION_DEFAULT: -+ /* map CURL_SSLVERSION_DEFAULT to NSS default */ -+ if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess) -+ return CURLE_SSL_CONNECT_ERROR; -+ /* ... but make sure we use at least TLSv1.0 according to libcurl API */ -+ if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0) -+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; -+ return CURLE_OK; -+ - case CURL_SSLVERSION_TLSv1: - sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; -+ /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */ - #ifdef SSL_LIBRARY_VERSION_TLS_1_2 - sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; - #elif defined SSL_LIBRARY_VERSION_TLS_1_1 -@@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, - return CURLE_OK; - #endif - break; -+ -+ default: -+ /* unsupported SSL/TLS version */ -+ break; - } - - failf(data, "TLS minor version cannot be set"); --- -2.7.4 - - -From 6a42abb03de6e5afe859313b236f2b776ca51722 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 27 Oct 2016 14:57:11 +0200 -Subject: [PATCH 2/4] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3 - -Fully implemented with the NSS backend only for now. 
- -Reviewed-by: Ray Satiro - -Upstream-commit: 6ad3add60654182a747f5971afb40817488ef0e8 -Signed-off-by: Kamil Dudka ---- - docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 ++ - docs/libcurl/symbols-in-versions | 1 + - include/curl/curl.h | 1 + - lib/vtls/nss.c | 8 ++++++++ - 4 files changed, 12 insertions(+) - -diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3 -index 2f40e46..1854af0 100644 ---- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 -+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3 -@@ -48,6 +48,8 @@ TLSv1.0 (Added in 7.34.0) - TLSv1.1 (Added in 7.34.0) - .IP CURL_SSLVERSION_TLSv1_2 - TLSv1.2 (Added in 7.34.0) -+.IP CURL_SSLVERSION_TLSv1_3 -+TLSv1.3 (Added in 7.51.1) - .RE - .SH DEFAULT - CURL_SSLVERSION_DEFAULT -diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions -index f6365ae..a77fde4 100644 ---- a/docs/libcurl/symbols-in-versions -+++ b/docs/libcurl/symbols-in-versions -@@ -773,6 +773,7 @@ CURL_SSLVERSION_TLSv1 7.9.2 - CURL_SSLVERSION_TLSv1_0 7.34.0 - CURL_SSLVERSION_TLSv1_1 7.34.0 - CURL_SSLVERSION_TLSv1_2 7.34.0 -+CURL_SSLVERSION_TLSv1_3 7.51.1 - CURL_TIMECOND_IFMODSINCE 7.9.7 - CURL_TIMECOND_IFUNMODSINCE 7.9.7 - CURL_TIMECOND_LASTMOD 7.9.7 -diff --git a/include/curl/curl.h b/include/curl/curl.h -index 9c09cb9..03fcfeb 100644 ---- a/include/curl/curl.h -+++ b/include/curl/curl.h -@@ -1805,6 +1805,7 @@ enum { - CURL_SSLVERSION_TLSv1_0, - CURL_SSLVERSION_TLSv1_1, - CURL_SSLVERSION_TLSv1_2, -+ CURL_SSLVERSION_TLSv1_3, - - CURL_SSLVERSION_LAST /* never use, keep last */ - }; -diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c -index 5abb574..5e52727 100644 ---- a/lib/vtls/nss.c -+++ b/lib/vtls/nss.c -@@ -1541,6 +1541,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, - #endif - break; - -+ case CURL_SSLVERSION_TLSv1_3: -+#ifdef SSL_LIBRARY_VERSION_TLS_1_3 -+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_3; -+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_3; -+ return CURLE_OK; -+#endif -+ break; -+ - 
default: - /* unsupported SSL/TLS version */ - break; --- -2.7.4 - - -From d930268ab522ac7ea7ccd83671d22f57148f3d21 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 27 Oct 2016 14:58:43 +0200 -Subject: [PATCH 3/4] curl: introduce the --tlsv1.3 option to force TLS 1.3 - -Fully implemented with the NSS backend only for now. - -Reviewed-by: Ray Satiro - -Upstream-commit: a110a03b43057879643046538c79cc9dd20d399a -Signed-off-by: Kamil Dudka ---- - docs/curl.1 | 10 +++++++--- - src/tool_getparam.c | 5 +++++ - src/tool_help.c | 1 + - src/tool_setopt.c | 1 + - 4 files changed, 14 insertions(+), 3 deletions(-) - -diff --git a/docs/curl.1 b/docs/curl.1 -index f5375ed..e9c6150 100644 ---- a/docs/curl.1 -+++ b/docs/curl.1 -@@ -176,9 +176,9 @@ HTTP 2 to negotiate HTTP 2 support with the server during https sessions. - .IP "-1, --tlsv1" - (SSL) - Forces curl to use TLS version 1.x when negotiating with a remote TLS server. --You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to --control the TLS version more precisely (if the SSL backend in use supports such --a level of control). -+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and -+\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend -+in use supports such a level of control). - .IP "-2, --sslv2" - (SSL) Forces curl to use SSL version 2 when negotiating with a remote SSL - server. Sometimes curl is built without SSLv2 support. SSLv2 is widely -@@ -1820,6 +1820,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server. - (SSL) - Forces curl to use TLS version 1.2 when negotiating with a remote TLS server. - (Added in 7.34.0) -+.IP "--tlsv1.3" -+(SSL) -+Forces curl to use TLS version 1.3 when negotiating with a remote TLS server. -+(Added in 7.51.1) - .IP "--tr-encoding" - (HTTP) Request a compressed Transfer-Encoding response using one of the - algorithms curl supports, and uncompress the data while receiving it. 
-diff --git a/src/tool_getparam.c b/src/tool_getparam.c -index 95dd455..2d16e06 100644 ---- a/src/tool_getparam.c -+++ b/src/tool_getparam.c -@@ -190,6 +190,7 @@ static const struct LongShort aliases[]= { - {"10", "tlsv1.0", FALSE}, - {"11", "tlsv1.1", FALSE}, - {"12", "tlsv1.2", FALSE}, -+ {"13", "tlsv1.3", FALSE}, - {"2", "sslv2", FALSE}, - {"3", "sslv3", FALSE}, - {"4", "ipv4", FALSE}, -@@ -1061,6 +1062,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ - /* TLS version 1.2 */ - config->ssl_version = CURL_SSLVERSION_TLSv1_2; - break; -+ case '3': -+ /* TLS version 1.3 */ -+ config->ssl_version = CURL_SSLVERSION_TLSv1_3; -+ break; - } - break; - case '2': -diff --git a/src/tool_help.c b/src/tool_help.c -index fb428c9..9890cc8 100644 ---- a/src/tool_help.c -+++ b/src/tool_help.c -@@ -232,6 +232,7 @@ static const char *const helptext[] = { - " --tlsv1.0 Use TLSv1.0 (SSL)", - " --tlsv1.1 Use TLSv1.1 (SSL)", - " --tlsv1.2 Use TLSv1.2 (SSL)", -+ " --tlsv1.3 Use TLSv1.3 (SSL)", - " --trace FILE Write a debug trace to FILE", - " --trace-ascii FILE Like --trace, but without hex output", - " --trace-time Add time stamps to trace/verbose output", -diff --git a/src/tool_setopt.c b/src/tool_setopt.c -index c854225..f3de09d 100644 ---- a/src/tool_setopt.c -+++ b/src/tool_setopt.c -@@ -83,6 +83,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = { - NV(CURL_SSLVERSION_TLSv1_0), - NV(CURL_SSLVERSION_TLSv1_1), - NV(CURL_SSLVERSION_TLSv1_2), -+ NV(CURL_SSLVERSION_TLSv1_3), - NVEND, - }; - --- -2.7.4 - - -From 2fce531638a12f44ea1fbc52e86ca795a3a4e4e2 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 15 Nov 2016 12:21:00 +0100 -Subject: [PATCH 4/4] docs: the next release will be 7.52.0 - -Upstream-commit: cfd69c133984a5df3de63b4f8c5f64885c6e33ae -Signed-off-by: Kamil Dudka ---- - docs/curl.1 | 2 +- - docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 +- - docs/libcurl/symbols-in-versions | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git 
a/docs/curl.1 b/docs/curl.1 -index e9c6150..05d1a8d 100644 ---- a/docs/curl.1 -+++ b/docs/curl.1 -@@ -1823,7 +1823,7 @@ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server. - .IP "--tlsv1.3" - (SSL) - Forces curl to use TLS version 1.3 when negotiating with a remote TLS server. --(Added in 7.51.1) -+(Added in 7.52.0) - .IP "--tr-encoding" - (HTTP) Request a compressed Transfer-Encoding response using one of the - algorithms curl supports, and uncompress the data while receiving it. -diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3 -index 1854af0..77dfcd4 100644 ---- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 -+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3 -@@ -49,7 +49,7 @@ TLSv1.1 (Added in 7.34.0) - .IP CURL_SSLVERSION_TLSv1_2 - TLSv1.2 (Added in 7.34.0) - .IP CURL_SSLVERSION_TLSv1_3 --TLSv1.3 (Added in 7.51.1) -+TLSv1.3 (Added in 7.52.0) - .RE - .SH DEFAULT - CURL_SSLVERSION_DEFAULT -diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions -index a77fde4..ef730c8 100644 ---- a/docs/libcurl/symbols-in-versions -+++ b/docs/libcurl/symbols-in-versions -@@ -773,7 +773,7 @@ CURL_SSLVERSION_TLSv1 7.9.2 - CURL_SSLVERSION_TLSv1_0 7.34.0 - CURL_SSLVERSION_TLSv1_1 7.34.0 - CURL_SSLVERSION_TLSv1_2 7.34.0 --CURL_SSLVERSION_TLSv1_3 7.51.1 -+CURL_SSLVERSION_TLSv1_3 7.52.0 - CURL_TIMECOND_IFMODSINCE 7.9.7 - CURL_TIMECOND_IFUNMODSINCE 7.9.7 - CURL_TIMECOND_LASTMOD 7.9.7 --- -2.7.4 - diff --git a/curl-7.51.0.tar.lzma.asc b/curl-7.51.0.tar.lzma.asc deleted file mode 100644 index e52e6c9..0000000 --- a/curl-7.51.0.tar.lzma.asc +++ /dev/null 
@@ -1,10 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEcBAABCgAGBQJYGY4MAAoJEFzJCP23HhLCNkQH/0AjH+fRd4vuv9/AoO2CjZGf -JEXOPF2ZfKeBKc14dPfxhNj/klX3JvmLG9Z1jZLySWYl1/be0CM0LSoxh11rtioO -FiScVNNdUOUnJ6b8m0qVoX1wx9lCn3pjVKGzkfCx4pZ3eZDhtSRBbKNe+92fSOTk -nnMEDDj9q9C++yO8EMifDBfyX2u+JCpvnUu3EFa/znRjZB88Uyrc9Li+fl4aBfo1 -IyH8EGmM0QkYBuGZhQBGg6mYg8LkG0JROHpk+j3lh9hZNA2An7tIEhbqoktaLW2i -Ude6R2g2/AdqfZrifY3fBXHc4d0XO4T7GIGREmo4TKDHTLDthKSNTTHt2a9dpiI= -=v+YR ------END PGP SIGNATURE----- diff --git a/curl-7.52.1.tar.lzma.asc b/curl-7.52.1.tar.lzma.asc new file mode 100644 index 0000000..0c6d563 --- /dev/null +++ b/curl-7.52.1.tar.lzma.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlhc0OoACgkQXMkI/bce +EsISngf/adTW6+PCMHxPISnBqoCzO6/3YAH52WDZ1Z0A11VaCAkIbcsqXFF9K1xX +1W/cRt2ZR+eyAhm7gpulUJfxOy1ak5VuguebEY4vENmEpNg94+7iS9yldYJ4m0Q8 +t6MeYW+twMazzKarU2CvRJBHW1H+olt0G/3+K6o8LPoLyuqHhGGssvm2c24hb8RZ +Kj9m027qg3KVi89cL5eND0OeLW5mMjNr0TjokicWE7/AP7Wd181ag/jMU3BTX/yh +n5KYp562kDR34AIgV2xbHe8Rmfce9lGNAMW90+xnDbKo3Gjm8I8Cq4UkVBspazV5 +hieNGVze2dodGIh+O37iKhaoAoOJsg== +=2ZM9 +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index d80dffd..6b2703c 100644 --- a/curl.spec +++ b/curl.spec @@ -1,19 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.51.0 -Release: 3%{?dist} +Version: 7.52.1 +Release: 1%{?dist} License: MIT Group: Applications/Internet -Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma - -# ssh: check md5 fingerprints case insensitively -Patch1: 0001-curl-7.51.0-ssh-md5.patch - -# stricter host name checking for file:// URLs -Patch2: 0002-curl-7.51.0-file-host.patch - -# map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719) -Patch3: 0003-curl-7.51.0-tls-version.patch +Source: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch 
@@ -25,7 +16,7 @@ Patch102: 0102-curl-7.36.0-debug.patch Patch104: 0104-curl-7.19.7-localhost6.patch Provides: webclient -URL: http://curl.haxx.se/ +URL: https://curl.haxx.se/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: groff BuildRequires: krb5-devel @@ -131,9 +122,6 @@ documentation of the library, too. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 # Fedora patches %patch101 -p1 @@ -241,6 +229,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Fri Dec 23 2016 Kamil Dudka 7.52.1-1 +- new upstream release (fixes CVE-2016-9586) + * Mon Nov 21 2016 Kamil Dudka 7.51.0-3 - map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719) diff --git a/sources b/sources index a427d2d..ee7e7eb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -0f876ef6d5776d96b08510461d57db1b curl-7.51.0.tar.lzma +SHA512 (curl-7.52.1.tar.lzma) = 721d98cffd5089044bd32e6450df45ca5bd0df8f58d23fe3716285cffdfff5b64adb0b9971d73d3740d0cdba16c3029730416c53071cb18248da7749f075c03e
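Review bot: The %prep hunk still runs only `%setup -q` before the Fedora patches, so the newly committed curl-7.52.1.tar.lzma.asc is never used to authenticate the tarball at build time — the SHA512 line added to `sources` pins the lookaside copy but does not tie it to upstream's signing key. If the spec does not verify the signature elsewhere (only part of the file is visible here), consider declaring it as a source and checking it before unpacking, e.g. `Source1: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma.asc` followed in %prep by `gpgv2 --keyring <upstream-key-file> %{SOURCE1} %{SOURCE0}` (or the distribution's signature-verification macro where one exists) ahead of `%setup -q`. A failed verification should abort the build rather than merely warn, otherwise the committed .asc only documents provenance without enforcing it.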