From 2fd0a39aeee14b008394d76efa73719d7c3742f6 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 3 Aug 2016 10:04:16 +0200
Subject: [PATCH] new upstream release - 7.50.1
Resolves: CVE-2016-5419 CVE-2016-5420 CVE-2016-5421
---
CURLINFO_HTTP_VERSION.3 | 56 --------
curl-7.50.0.tar.lzma.asc | 11 --
curl-7.50.1.tar.lzma.asc | 11 ++
curl.spec | 18 +--
http2-server.pl | 75 ----------
manpage-scan.pl | 287 ---------------------------------------
nroff-scan.pl | 104 --------------
sources | 2 +-
8 files changed, 18 insertions(+), 546 deletions(-)
delete mode 100644 CURLINFO_HTTP_VERSION.3
delete mode 100644 curl-7.50.0.tar.lzma.asc
create mode 100644 curl-7.50.1.tar.lzma.asc
delete mode 100644 http2-server.pl
delete mode 100644 manpage-scan.pl
delete mode 100644 nroff-scan.pl
diff --git a/CURLINFO_HTTP_VERSION.3 b/CURLINFO_HTTP_VERSION.3
deleted file mode 100644
index b0f43e5..0000000
--- a/CURLINFO_HTTP_VERSION.3
+++ /dev/null
@@ -1,56 +0,0 @@
-.\" **************************************************************************
-.\" * _ _ ____ _
-.\" * Project ___| | | | _ \| |
-.\" * / __| | | | |_) | |
-.\" * | (__| |_| | _ <| |___
-.\" * \___|\___/|_| \_\_____|
-.\" *
-.\" * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al.
-.\" *
-.\" * This software is licensed as described in the file COPYING, which
-.\" * you should have received as part of this distribution. The terms
-.\" * are also available at https://curl.haxx.se/docs/copyright.html.
-.\" *
-.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
-.\" * copies of the Software, and permit persons to whom the Software is
-.\" * furnished to do so, under the terms of the COPYING file.
-.\" *
-.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-.\" * KIND, either express or implied.
-.\" *
-.\" **************************************************************************
-.\"
-.TH CURLINFO_HTTP_VERSION 3 "11 May 2016" "libcurl 7.50.0" "curl_easy_getinfo options"
-.SH NAME
-CURLINFO_HTTP_VERSION \- get the http version used in the connection
-.SH SYNOPSIS
-#include
-
-CURLcode curl_easy_getinfo(CURL *handle, CURLINFO_HTTP_VERSION, long *p);
-.SH DESCRIPTION
-Pass a pointer to a long to receive the version used in the last http connection.
-The returned value will be CURL_HTTP_VERSION_1_0, CURL_HTTP_VERSION_1_1, or
-CURL_HTTP_VERSION_2_0, or 0 if the version can't be determined.
-.SH PROTOCOLS
-HTTP
-.SH EXAMPLE
-.nf
-CURL *curl = curl_easy_init();
-if(curl) {
- CURLcode res;
- curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
- res = curl_easy_perform(curl);
- if(res == CURLE_OK) {
- long http_version;
- curl_easy_getinfo(curl, CURLINFO_HTTP_VERSION, &http_version);
- }
- curl_easy_cleanup(curl);
-}
-.fi
-.SH AVAILABILITY
-Added in 7.50.0
-.SH RETURN VALUE
-Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
-.SH "SEE ALSO"
-.BR CURLINFO_RESPONSE_CODE "(3), "
-.BR curl_easy_getinfo "(3), " curl_easy_setopt "(3), "
diff --git a/curl-7.50.0.tar.lzma.asc b/curl-7.50.0.tar.lzma.asc
deleted file mode 100644
index e94e318..0000000
--- a/curl-7.50.0.tar.lzma.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iQEcBAABCgAGBQJXkI6pAAoJEFzJCP23HhLC6F4H/2M0xB4iDTUy14+6ilY6hhvF
-jZw6VPkN5upjN660koECvycRtTDry94ZoGcTcifHba3NjixkpfpY1Xa3qixoyqos
-IlyyqG77NcrMGs3us6dEpqxUlQ+I2F+LXGLm9Uz/A7c6NN1dh2esXeJD911Dhmbs
-Ko4qbB1+m1FYxTjv9X2m99+93QtfKVnFGfjfF7mR6ZUKLsq+Ix8djzlmQ3p/d0XK
-LhmkO3kfvHiE83ENRVTj/oplqLFTd7MOAkzc22OQ267GwqntlM0K2YsdGR2DEEiZ
-ReI4KGzNwkG/VIeEBRHV38NpcGjNzm3lUcJPXSQ5xON5rGvsjsLvyWN4yS+MbT8=
-=NWkR
------END PGP SIGNATURE-----
diff --git a/curl-7.50.1.tar.lzma.asc b/curl-7.50.1.tar.lzma.asc
new file mode 100644
index 0000000..670265f
--- /dev/null
+++ b/curl-7.50.1.tar.lzma.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQEcBAABCgAGBQJXoZGzAAoJEFzJCP23HhLCmj4IAIThxlJHbnqX+vPMHdAj4o/6
+Rr946YLOyQl41eJCwjsCYLbFGj0c2uy0ipKuSTB1aodyOwwuybHGJbsJxE9TKJTd
+eWgZ1sG9clE5S5YBHYqJK32PmYLEo7pSoNgamzoXOFKdxdK4OSNnPJBrJy2wDQRY
++FfRR+xOvUDvj3K84eEEeKKbGgXqKSgQ7594s7BFSGxDQEzUIkmpEiMQv9S4ZCOL
+03FR8f0PXs4N8/tKSRBmhPc7BwCfTgK1XVpd+puYOTMi7niW3rentnqCONOSQbqo
+xvN/XDvvEVN+P17DWAkYPwHkjFCC9L+3uR1OCzFgFgGcoN1Yv9nK/bqRGGGRGr8=
+=uBU6
+-----END PGP SIGNATURE-----
diff --git a/curl.spec b/curl.spec
index 413aa7e..77ad046 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,17 +1,11 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.50.0 -Release: 2%{?dist} +Version: 7.50.1 +Release: 1%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma -# tmp workaround for https://github.com/curl/curl/commit/curl-7_50_0-2-g8b9ba13 -Source1: https://raw.githubusercontent.com/curl/curl/curl-7_50_0/docs/libcurl/opts/CURLINFO_HTTP_VERSION.3 - -# tmp workaround for https://github.com/curl/curl/commit/curl-7_50_0-3-g5e26d9c -Source2: https://raw.githubusercontent.com/curl/curl/curl-7_50_0/tests/http2-server.pl - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -95,6 +89,7 @@ Group: Development/Libraries Requires: libssh2%{?_isa} >= %{libssh2_version} # libnsspem.so is no longer included in the nss package (#1347336) +BuildRequires: nss-pem Requires: nss-pem %description -n libcurl @@ -132,10 +127,6 @@ documentation of the library, too. %prep %setup -q -# files not included in the upstream tarball by mistake -install -p -m0644 %{SOURCE1} docs/libcurl/opts/CURLINFO_HTTP_VERSION.3 -install -p -m0755 %{SOURCE2} tests/http2-server.pl - # upstream patches # Fedora patches @@ -241,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Wed Aug 03 2016 Kamil Dudka 7.50.1-1 +- new upstream release (fixes CVE-2016-5419, CVE-2016-5420, and CVE-2016-5421) + * Tue Jul 26 2016 Kamil Dudka 7.50.0-2 - run HTTP/2 tests on all architectures (#1360319 now worked around in nghttp2) diff --git a/http2-server.pl b/http2-server.pl deleted file mode 100644 index 72ed12e..0000000 --- a/http2-server.pl +++ /dev/null 
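Review bot: The detached signature curl-7.50.1.tar.lzma.asc added by this commit is not referenced by any of the visible spec hunks, so as far as these hunks show the only integrity check on the tarball fetched from the plain-http `Source:` URL is the MD5 recorded in the `sources` file, and MD5 is no longer collision-resistant. Since this commit already frees the `Source1:` slot, consider adding the .asc as a Source entry and verifying it in `%prep` ahead of `%setup -q`, e.g. `gpgv2 --keyring <UPSTREAM_KEYRING_PLACEHOLDER> %{SOURCE1} %{SOURCE0}`, or at least a comment stating where the signature is checked. Most of curl.spec lies outside these hunks, so such a check may already exist elsewhere in the file.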
@@ -1,75 +0,0 @@
-#!/usr/bin/env perl
-#***************************************************************************
-# _ _ ____ _
-# Project ___| | | | _ \| |
-# / __| | | | |_) | |
-# | (__| |_| | _ <| |___
-# \___|\___/|_| \_\_____|
-#
-# Copyright (C) 2016, Daniel Stenberg, , et al.
-#
-# This software is licensed as described in the file COPYING, which
-# you should have received as part of this distribution. The terms
-# are also available at https://curl.haxx.se/docs/copyright.html.
-#
-# You may opt to use, copy, modify, merge, publish, distribute and/or sell
-# copies of the Software, and permit persons to whom the Software is
-# furnished to do so, under the terms of the COPYING file.
-#
-# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-# KIND, either express or implied.
-#
-#***************************************************************************
-
-# This script invokes nghttpx properly to have it serve HTTP/2 for us.
-# nghttpx runs as a proxy in front of our "actual" HTTP/1 server.
-
-my $pidfile = "log/nghttpx.pid";
-my $logfile = "log/http2.log";
-my $nghttpx = "nghttpx";
-my $listenport = 9015;
-
-#***************************************************************************
-# Process command line options
-#
-while(@ARGV) {
- if($ARGV[0] eq '--verbose') {
- $verbose = 1;
- }
- elsif($ARGV[0] eq '--pidfile') {
- if($ARGV[1]) {
- $pidfile = $ARGV[1];
- shift @ARGV;
- }
- }
- elsif($ARGV[0] eq '--nghttpx') {
- if($ARGV[1]) {
- $nghttpx = $ARGV[1];
- shift @ARGV;
- }
- }
- elsif($ARGV[0] eq '--port') {
- if($ARGV[1]) {
- $listenport = $ARGV[1];
- shift @ARGV;
- }
- }
- elsif($ARGV[0] eq '--logfile') {
- if($ARGV[1]) {
- $logfile = $ARGV[1];
- shift @ARGV;
- }
- }
- else {
- print STDERR "\nWarning: http2-server.pl unknown parameter: $ARGV[0]\n";
- }
- shift @ARGV;
-}
-
-my $cmdline="$nghttpx --backend=127.0.0.1,8990 ".
- "--frontend=\"*,$listenport;no-tls\" ".
- "--log-level=INFO ".
- "--pid-file=$pidfile ".
- "--errorlog-file=$logfile";
-print "RUN: $cmdline\n" if($verbose);
-system("$cmdline 2>/dev/null");
diff --git a/manpage-scan.pl b/manpage-scan.pl
deleted file mode 100644
index fc6e1e3..0000000
--- a/manpage-scan.pl
+++ /dev/null
@@ -1,287 +0,0 @@
-#!/usr/bin/env perl
-#***************************************************************************
-# _ _ ____ _
-# Project ___| | | | _ \| |
-# / __| | | | |_) | |
-# | (__| |_| | _ <| |___
-# \___|\___/|_| \_\_____|
-#
-# Copyright (C) 2016, Daniel Stenberg, , et al.
-#
-# This software is licensed as described in the file COPYING, which
-# you should have received as part of this distribution. The terms
-# are also available at https://curl.haxx.se/docs/copyright.html.
-#
-# You may opt to use, copy, modify, merge, publish, distribute and/or sell
-# copies of the Software, and permit persons to whom the Software is
-# furnished to do so, under the terms of the COPYING file.
-#
-# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-# KIND, either express or implied.
-#
-###########################################################################
-#
-# Scan symbols-in-version (which is verified to be correct by test 1119), then
-# verify that each option mention in there that should have its own man page
-# actually does.
-#
-# In addition, make sure that every current option to curl_easy_setopt,
-# curl_easy_getinfo and curl_multi_setopt are also mentioned in their
-# corresponding main (index) man page.
-#
-# src/tool_getparam.c lists all options curl can parse
-# docs/curl.1 documents all command line options
-# src/tool_help.c outputs all options with curl -h
-# - make sure they're all in sync
-#
-# Output all deviances to stderr.
-
-use strict;
-use warnings;
-
-# we may get the dir root pointed out
-my $root=$ARGV[0] || ".";
-my $syms = "$root/docs/libcurl/symbols-in-versions";
-my $curlh = "$root/include/curl/curl.h";
-my $errors=0;
-
-# the prepopulated alias list is the CURLINFO_* defines that are used for the
-# debug function callback and the fact that they use the same prefix as the
-# curl_easy_getinfo options was a mistake.
-my %alias = (
- 'CURLINFO_DATA_IN' => 'none',
- 'CURLINFO_DATA_OUT' => 'none',
- 'CURLINFO_END' => 'none',
- 'CURLINFO_HEADER_IN' => 'none',
- 'CURLINFO_HEADER_OUT' => 'none',
- 'CURLINFO_LASTONE' => 'none',
- 'CURLINFO_NONE' => 'none',
- 'CURLINFO_SSL_DATA_IN' => 'none',
- 'CURLINFO_SSL_DATA_OUT' => 'none',
- 'CURLINFO_TEXT' => 'none'
- );
-
-sub scanmanpage {
- my ($file, @words) = @_;
-
- open(M, "<$file");
- my @m = ;
- close(M);
-
- foreach my $m (@words) {
-
- my @g = grep(/^\.IP $m/, @m);
- if(!$g[0]) {
- print STDERR "Missing mention of $m in $file\n";
- $errors++;
- }
- }
-}
-
-# check for define alises
-open(R, "<$curlh") ||
- die "no curl.h";
-while() {
- if(/^\#define (CURL(OPT|INFO|MOPT)_\w+) (.*)/) {
- $alias{$1}=$3;
- }
-}
-close(R);
-
-my @curlopt;
-my @curlinfo;
-my @curlmopt;
-open(R, "<$syms") ||
- die "no input file";
-while() {
- chomp;
- my $l= $_;
- if($l =~ /(CURL(OPT|INFO|MOPT)_\w+) *([0-9.]*) *([0-9.-]*) *([0-9.]*)/) {
- my ($opt, $type, $add, $dep, $rem) = ($1, $2, $3, $4, $5);
-
- if($alias{$opt}) {
- #print "$opt => $alias{$opt}\n";
- }
- elsif($rem) {
- # $opt was removed in $rem
- # so don't check for that
- }
- else {
- if($type eq "OPT") {
- push @curlopt, $opt,
- }
- elsif($type eq "INFO") {
- push @curlinfo, $opt,
- }
- elsif($type eq "MOPT") {
- push @curlmopt, $opt,
- }
- if(! -f "$root/docs/libcurl/opts/$opt.3") {
- print STDERR "Missing $opt.3\n";
- $errors++;
- }
- }
- }
-}
-close(R);
-
-scanmanpage("$root/docs/libcurl/curl_easy_setopt.3", @curlopt);
-scanmanpage("$root/docs/libcurl/curl_easy_getinfo.3", @curlinfo);
-scanmanpage("$root/docs/libcurl/curl_multi_setopt.3", @curlmopt);
-
-# using this hash array, we can whitelist specific options
-my %opts = (
- # pretend these --no options exists in tool_getparam.c
- '--no-alpn' => 1,
- '--no-npn' => 1,
- '-N, --no-buffer' => 1,
- '--no-sessionid' => 1,
- '--no-keepalive' => 1,
-
- # pretend these options without -no exist in curl.1 and tool_help.c
- '--alpn' => 6,
- '--npn' => 6,
- '--eprt' => 6,
- '--epsv' => 6,
- '--keepalive' => 6,
- '-N, --buffer' => 6,
- '--sessionid' => 6,
-
- # deprecated options do not need to be in curl -h output
- '--krb4' => 4,
- '--ftp-ssl' => 4,
- '--ftp-ssl-reqd' => 4,
-
- # for tests and debug only, can remain hidden
- '--test-event' => 6,
- '--wdebug' => 6,
- );
-
-
-#########################################################################
-# parse the curl code that parses the command line arguments!
-open(R, "<$root/src/tool_getparam.c") ||
- die "no input file";
-my $list;
-my @getparam; # store all parsed parameters
-
-while() {
- chomp;
- my $l= $_;
- if(/struct LongShort aliases/) {
- $list=1;
- }
- elsif($list) {
- if( /^ \{([^,]*), *([^ ]*)/) {
- my ($s, $l)=($1, $2);
- my $sh;
- my $lo;
- my $title;
- if($l =~ /\"(.*)\"/) {
- # long option
- $lo = $1;
- $title="--$lo";
- }
- if($s =~ /\"(.)\"/) {
- # a short option
- $sh = $1;
- $title="-$sh, $title";
- }
- push @getparam, $title;
- $opts{$title} |= 1;
- }
- }
-}
-close(R);
-
-#########################################################################
-# parse the curl.1 man page, extract all documented command line options
-open(R, "<$root/docs/curl.1") ||
- die "no input file";
-my @manpage; # store all parsed parameters
-while() {
- chomp;
- my $l= $_;
- if(/^\.IP \"(-[^\"]*)\"/) {
- my $str = $1;
- my $combo;
- if($str =~ /^-(.), --([a-z0-9.-]*)/) {
- # figure out the -short, --long combo
- $combo = "-$1, --$2";
- }
- elsif($str =~ /^--([a-z0-9.-]*)/) {
- # figure out the --long name
- $combo = "--$1";
- }
- if($combo) {
- push @manpage, $combo;
- $opts{$combo} |= 2;
- }
- }
-}
-close(R);
-
-
-#########################################################################
-# parse the curl code that outputs the curl -h list
-open(R, "<$root/src/tool_help.c") ||
- die "no input file";
-my @toolhelp; # store all parsed parameters
-while() {
- chomp;
- my $l= $_;
- if(/^ \" *(.*)/) {
- my $str=$1;
- my $combo;
- if($str =~ /^-(.), --([a-z0-9.-]*)/) {
- # figure out the -short, --long combo
- $combo = "-$1, --$2";
- }
- elsif($str =~ /^--([a-z0-9.-]*)/) {
- # figure out the --long name
- $combo = "--$1";
- }
- if($combo) {
- push @toolhelp, $combo;
- $opts{$combo} |= 4;
- }
-
- }
-}
-close(R);
-
-#
-# Now we have three arrays with options to cross-reference.
-
-foreach my $o (keys %opts) {
- my $where = $opts{$o};
-
- if($where != 7) {
- # this is not in all three places
- $errors++;
- my $exists;
- my $missing;
- if($where & 1) {
- $exists=" tool_getparam.c";
- }
- else {
- $missing=" tool_getparam.c";
- }
- if($where & 2) {
- $exists.= " curl.1";
- }
- else {
- $missing.= " curl.1";
- }
- if($where & 4) {
- $exists .= " tool_help.c";
- }
- else {
- $missing .= " tool_help.c";
- }
-
- print STDERR "$o is not in$missing (but in$exists)\n";
- }
-}
-
-exit $errors;
diff --git a/nroff-scan.pl b/nroff-scan.pl
deleted file mode 100644
index 393068c..0000000
--- a/nroff-scan.pl
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/usr/bin/env perl
-#***************************************************************************
-# _ _ ____ _
-# Project ___| | | | _ \| |
-# / __| | | | |_) | |
-# | (__| |_| | _ <| |___
-# \___|\___/|_| \_\_____|
-#
-# Copyright (C) 2016, Daniel Stenberg, , et al.
-#
-# This software is licensed as described in the file COPYING, which
-# you should have received as part of this distribution. The terms
-# are also available at https://curl.haxx.se/docs/copyright.html.
-#
-# You may opt to use, copy, modify, merge, publish, distribute and/or sell
-# copies of the Software, and permit persons to whom the Software is
-# furnished to do so, under the terms of the COPYING file.
-#
-# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-# KIND, either express or implied.
-#
-###########################################################################
-#
-# scan nroff pages to find basic syntactic problems such as unbalanced \f
-# codes or references to non-existing curl man pages.
-
-my $docsroot = $ARGV[0];
-
-if(!$docsroot || ($docsroot eq "-g")) {
- print "Usage: nroff-scan.pl [nroff files]\n";
- exit;
-}
-
-
-shift @ARGV;
-
-my @f = @ARGV;
-
-my %manp;
-
-sub manpresent {
- my ($man) = @_;
- if($manp{$man}) {
- return 1;
- }
- elsif(-r "$docsroot/$man" ||
- -r "$docsroot/libcurl/$man" ||
- -r "$docsroot/libcurl/opts/$man") {
- $manp{$man}=1;
- return 1;
- }
- return 0;
-}
-
-sub file {
- my ($f) = @_;
- open(F, "<$f") ||
- die "no file";
- my $line = 1;
- while() {
- chomp;
- my $l = $_;
- while($l =~ s/\\f(.)([^ ]*)\\f(.)//) {
- my ($pre, $str, $post)=($1, $2, $3);
- if($post ne "P") {
- print STDERR "error: $f:$line: missing \\fP after $str\n";
- $errors++;
- }
- if($str =~ /((libcurl|curl)([^ ]*))\(3\)/i) {
- my $man = "$1.3";
- if(!manpresent($man)) {
- print STDERR "error: $f:$line: refering to non-existing man page $man\n";
- $errors++;
- }
- if($pre ne "I") {
- print STDERR "error: $f:$line: use \\fI before $str\n";
- $errors++;
- }
- }
- }
- if($l =~ /(curl([^ ]*)\(3\))/i) {
- print STDERR "error: $f:$line: non-referencing $1\n";
- $errors++;
- }
- if($l =~ /^\.BR (.*)/) {
- my $i= $1;
- while($i =~ s/((lib|)curl([^ ]*)) *\"\(3\)(,|) *\" *//i ) {
- my $man = "$1.3";
- if(!manpresent($man)) {
- print STDERR "error: $f:$line: refering to non-existing man page $man\n";
- $errors++;
- }
- }
- }
- $line++;
- }
- close(F);
-}
-
-foreach my $f (@f) {
- file($f);
-}
-
-exit $errors?1:0;
diff --git a/sources b/sources
index c7e5e36..bb7cfd9 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-ecb8d3699c7087146b2953fee1bdaa41 curl-7.50.0.tar.lzma
+01ac668b9f78266d72bdb86aa9db0849 curl-7.50.1.tar.lzma