new upstream release - 7.85.0

Resolves: CVE-2022-35252 - control code in cookie denial of service
Kamil Dudka 2022-09-01 13:38:12 +02:00
parent f58874c271
commit 1322e86ddb
6 changed files with 18 additions and 209 deletions


@ -1,32 +0,0 @@
From 711902d9e591947d5d8ec9568beab0c7d36b7dd0 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 27 Jun 2022 08:46:21 +0200
Subject: [PATCH] easy_lock.h: include sched.h if available to fix build
Patched-by: Harry Sintonen
Closes #9054
Upstream-commit: e2e7f54b7bea521fa8373095d0f43261a720cda0
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/easy_lock.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/easy_lock.h b/lib/easy_lock.h
index 819f50c..1f54289 100644
--- a/lib/easy_lock.h
+++ b/lib/easy_lock.h
@@ -36,6 +36,9 @@
#elif defined (HAVE_ATOMIC)
#include <stdatomic.h>
+#if defined(HAVE_SCHED_YIELD)
+#include <sched.h>
+#endif
#define curl_simple_lock atomic_bool
#define CURL_SIMPLE_LOCK_INIT false
--
2.35.3
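Review bot: dropping this file is consistent with its own header, which records Upstream-commit: e2e7f54b7bea521fa8373095d0f43261a720cda0 (dated June 2022, well ahead of this rebase), so the fix is expected to be in the 7.85.0 tarball; before merging, confirm that lib/easy_lock.h in the unpacked 7.85.0 source still contains the `#if defined(HAVE_SCHED_YIELD)` / `#include <sched.h>` block next to the `#include <stdatomic.h>` line, otherwise the build failure this patch addressed comes back silently.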


@ -1,156 +0,0 @@
From 221905eca9fb4b82822b6a14ef6d82c98c5702d9 Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Thu, 25 Aug 2022 03:46:42 -0400
Subject: [PATCH] tests: fix http2 tests to use CRLF headers
Prior to this change some tests that rely on nghttpx proxy did not use
CRLF headers everywhere. Recent changes in nghttp2 (??? ref here)
requires curl's HTTP/1.1 test server to use CRLF headers.
Fixes https://github.com/curl/curl/issues/9364
Closes https://github.com/curl/curl/pull/9365
---
tests/data/test1700 | 34 +++++++++++++++++-----------------
tests/data/test1701 | 22 +++++++++++-----------
tests/data/test358 | 16 ++++++++--------
tests/data/test359 | 16 ++++++++--------
4 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/tests/data/test1700 b/tests/data/test1700
index 8b1ef4ae3..7f78bcf5f 100644
--- a/tests/data/test1700
+++ b/tests/data/test1700
@@ -11,26 +11,26 @@ HTTP/2
# Server-side
<reply>
<data nocheck="yes">
-HTTP/1.1 200 OK
-Date: Tue, 09 Nov 2010 14:49:00 GMT
-Server: test-server/fake
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-ETag: "21025-dc7-39462498"
-Accept-Ranges: bytes
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-Funny-head: yesyes
-
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+
-foo-
</data>
<data1>
-HTTP/1.1 200 OK
-Date: Tue, 09 Nov 2010 14:49:00 GMT
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+
-maa-
</data1>
</reply>
diff --git a/tests/data/test1701 b/tests/data/test1701
index 3c1a2bd0b..22f6147d0 100644
--- a/tests/data/test1701
+++ b/tests/data/test1701
@@ -11,17 +11,17 @@ HTTP/2
# Server-side
<reply>
<data nocheck="yes">
-HTTP/1.1 200 OK
-Date: Tue, 09 Nov 2010 14:49:00 GMT
-Server: test-server/fake
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-ETag: "21025-dc7-39462498"
-Accept-Ranges: bytes
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-Funny-head: yesyes
-
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+
-foo-
</data>
</reply>
diff --git a/tests/data/test358 b/tests/data/test358
index 8b4f66062..0f8a9801b 100644
--- a/tests/data/test358
+++ b/tests/data/test358
@@ -12,14 +12,14 @@ HTTP/2
# Server-side
<reply>
<data nocheck="yes">
-HTTP/1.1 200 OK
-Date: Tue, 09 Nov 2010 14:49:00 GMT
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-Funny-head: yesyes
-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
-
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
+
-foo-
</data>
</reply>
diff --git a/tests/data/test359 b/tests/data/test359
index a5ba4e3ae..0e684e39e 100644
--- a/tests/data/test359
+++ b/tests/data/test359
@@ -12,14 +12,14 @@ HTTP/2
# Server-side
<reply>
<data nocheck="yes">
-HTTP/1.1 200 OK
-Date: Tue, 09 Nov 2010 14:49:00 GMT
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-Funny-head: yesyes
-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
-
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
+
-foo-
</data>
</reply>
--
2.37.1
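Review bot: the removed and added header lines in every inner hunk of this deleted patch look identical because the only difference is the line ending (LF versus CRLF), which this rendering cannot show; when checking that 7.85.0 already carries the fix, inspect the test data with line endings made visible, e.g. `cat -A tests/data/test1700 | head` (CRLF lines end in `^M$`), rather than trusting the diff view. The inner header ties the change to upstream PR 9365 with a date of 25 Aug 2022, which predates this rebase, so removal is the expected step; the placeholder "(??? ref here)" in the inner commit message was merged that way upstream and needs no action here since the whole file goes away.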


@ -44,7 +44,7 @@ index 150004d..95d0759 100644
--static-libs)
- if test "X@ENABLE_STATIC@" != "Xno" ; then
- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@
- else
- echo "curl was built with static libraries disabled" >&2
- exit 1
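Review bot: this is a context-only refresh of a downstream patch (the page does not show its file name): the patch's own `-` lines are unchanged and only the surrounding curl-config line moves from `echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@` to `echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@`, i.e. the library path is now quoted to match the new upstream curl-config.in. Because the context changed, re-run `fedpkg prep` (or `rpmbuild -bp`) to confirm the patch still applies under Fedora's default patch fuzz of 0; a stale context line is exactly the kind of thing that builds fine locally with fuzz and then fails in koji.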


@ -34,8 +34,9 @@ It fails on x86_64 with:
[...]
```
---
tests/data/test3026 | 3 +++
1 file changed, 3 insertions(+)
tests/data/test3026 | 3 +++
tests/libtest/lib3026.c | 4 ++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/tests/data/test3026 b/tests/data/test3026
index fb80cc8..01f2ba5 100644
@ -50,16 +51,13 @@ index fb80cc8..01f2ba5 100644
+</valgrind>
</verify>
</testcase>
--
2.35.3
diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c
index 43fe335..70cd7a4 100644
--- a/tests/libtest/lib3026.c
+++ b/tests/libtest/lib3026.c
@@ -63,8 +63,8 @@ int test(char *URL)
for(i = 0; i < tid_count; i++) {
int res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
@@ -123,8 +123,8 @@ int test(char *URL)
results[i] = CURL_LAST; /* initialize with invalid value */
res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
if(res) {
- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n",
- __FILE__, __LINE__, res);
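Review bot: the lib3026.c hunk is not merely shifted (63 to 123) but re-anchored on different context: the old `for(i = 0; i < tid_count; i++) {` / `int res = pthread_create(&tids[i], NULL, run_thread, &results[i]);` pair is replaced by `results[i] = CURL_LAST; /* initialize with invalid value */` followed by `res = pthread_create(&tids[i], NULL, run_thread, &results[i]);`, so upstream restructured that loop between 7.84.0 and 7.85.0 (res is now declared outside it). Confirm that the downstream replacement of the `fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n", __FILE__, __LINE__, res);` error path still does what the description above the diffstat intends in the new surroundings. Removing the stray `--` / `2.35.3` trailer from the middle of the file is welcome: the patch is now one git format-patch output instead of two concatenated ones, which is what the updated two-file diffstat in the previous hunk reflects.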
@ -68,3 +66,6 @@ index 43fe335..70cd7a4 100644
tid_count = i;
test_failure = -1;
goto cleanup;
--
2.37.1


@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.84.0
Release: 3%{?dist}
Version: 7.85.0
Release: 1%{?dist}
License: MIT
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
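Review bot: Version and Release move to 7.85.0 / 1%{?dist} and both Source0 and Source1 are derived from %{version}, so the detached signature curl-7.85.0.tar.xz.asc is fetched automatically; make sure the key in Source2 (mykey.asc, which the comment below describes as the copy from April 7th 2016) still verifies the 7.85.0 signature, because a rotated or expired upstream signing key only surfaces when the signature check runs in %prep, not at spec review time.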
@ -10,12 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
Source2: mykey.asc
# easy_lock.h: include sched.h if available to fix build
Patch1: 0001-curl-7.84.0-sched-yield.patch
# tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0
Patch2: 0002-curl-7.84.0-tests-http2.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
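Review bot: both removed entries are upstream backports (Patch1's header records an Upstream-commit tag, Patch2 references upstream PR 9365 and nghttp2-1.49.0), so dropping them on a rebase to the release that contains them is the expected step; the matching `%patch1 -p1` / `%patch2 -p1` lines are removed in the hunk below, so no dangling %patch reference remains, and Patch101 onwards (the Fedora-only 1xx series) is untouched.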
@ -194,8 +188,6 @@ be installed.
%setup -q
# upstream patches
%patch1 -p1
%patch2 -p1
# Fedora patches
%patch101 -p1
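Review bot: the `# upstream patches` comment survives with nothing under it; that is harmless and keeps the convention that a future backport lands beneath it rather than among the `# Fedora patches` 1xx series, so no change requested.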
@ -429,6 +421,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
* Thu Sep 01 2022 Kamil Dudka <kdudka@redhat.com> - 7.85.0-3
- new upstream release, which fixes the following vulnerability
CVE-2022-35252 - control code in cookie denial of service
* Thu Aug 25 2022 Kamil Dudka <kdudka@redhat.com> - 7.84.0-3
- tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0
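Review bot: the new changelog header says `- 7.85.0-3` while the first hunk resets Release to `1%{?dist}`, so the changelog NVR does not match the package being built; rpmlint reports this as incoherent-version-in-changelog and it also makes later changelog archaeology confusing. Change the header to `- 7.85.0-1`. The CVE-2022-35252 line itself matches the commit message and needs no change.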


@ -1,2 +1,2 @@
SHA512 (curl-7.84.0.tar.xz) = 86231866a35593a1637fbc0c6af3b6761bdfd99fb35580cc52970c36f19604f93dce59fea67a1d5bb4b455f719307599c7916c77d14f2b661f6bf7fb1ca716ce
SHA512 (curl-7.84.0.tar.xz.asc) = 80ff5274277ad97448fa53511bab6e8a1c302bcb25fc0916d78b8dc6c6af43d944c37c4ed46668b651cc639ec4964780725117ca0e85168ea66ad7cc98d29702
SHA512 (curl-7.85.0.tar.xz) = b57cc31649a4f47cc4b482f56a85c86c8e8aaeaf01bc1b51b065fdb9145a9092bc52535e52a85a66432eb163605b2edbf5bc5c33ea6e40e50f26a69ad1365cbd
SHA512 (curl-7.85.0.tar.xz.asc) = 7022daf84b330b24112d595edee715cdeb881a4ba8a4fa7eec23aed28292e5d943af778f03aadd036d44d875f9e226096ea142d18afe516b6bdbd475fcd3aca6
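Review bot: both the tarball and the .asc checksum lines are replaced, as a `fedpkg new-sources` run produces; before accepting, reproduce the values from a local download that has first been verified against Source2, e.g. `gpg --import mykey.asc && gpg --verify curl-7.85.0.tar.xz.asc curl-7.85.0.tar.xz` followed by `sha512sum -c sources` (coreutils accepts this `SHA512 (file) = hash` tagged format in check mode). A digest copied from a mirror listing would satisfy the sources check while proving nothing about the tarball's origin, and the signature check in %prep is only as good as the key file it is given.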