import curl-7.61.1-14.el8_3.1

SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch

@@ -0,0 +1,60 @@
+From 9d5903ebcbcbcc4f3a997ec7d5552721c5383b9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20Ba=C5=A1ti?= <mbasti@redhat.com>
+Date: Thu, 27 Aug 2020 23:09:56 +0200
+Subject: [PATCH] http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
+
+... in case NO_PROXY takes an effect
+
+Without this patch, the following command crashes:
+
+    $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \
+        git clone https://github.com/curl/curl.git
+
+Minimal libcurl-based reproducer:
+
+    #include <curl/curl.h>
+
+    int main() {
+      CURL *curl = curl_easy_init();
+      if(curl) {
+        CURLcode ret;
+        curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/");
+        curl_easy_setopt(curl, CURLOPT_PROXY, "example.com");
+        /* set the proxy type */
+        curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
+        curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com");
+        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
+        ret = curl_easy_perform(curl);
+        curl_easy_cleanup(curl);
+        return ret;
+      }
+      return -1;
+    }
+
+Assisted-by: Kamil Dudka
+Bug: https://bugzilla.redhat.com/1873327
+Closes #5902
+
+Upstream-commit: 3eff1c5092e542819ac7e6454a70c94b36ab2a40
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index d65d17d..e77f391 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3074,6 +3074,9 @@ static CURLcode create_conn_helper_init_proxy(struct connectdata *conn)
+     conn->bits.socksproxy = FALSE;
+     conn->bits.proxy_user_passwd = FALSE;
+     conn->bits.tunnel_proxy = FALSE;
++    /* CURLPROXY_HTTPS does not have its own flag in conn->bits, yet we need
++       to signal that CURLPROXY_HTTPS is not used for this connection */
++    conn->http_proxy.proxytype = CURLPROXY_HTTP;
+   }
+ 
+ out:
+-- 
+2.25.4
+

SPECS/curl.spec

@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 14%{?dist}
+Release: 14%{?dist}.1
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
@@ -58,6 +58,9 @@ Patch20:  0020-curl-7.61.1-openssl-engines.patch
 # avoid overwriting a local file with -J (CVE-2020-8177)
 Patch21:  0021-curl-7.61.1-CVE-2020-8177.patch
 
+# do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+Patch23:  0023-curl-7.61.1-no-https-proxy-crash.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -242,6 +245,7 @@ git apply %{PATCH4}
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
+%patch23 -p1
 
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -402,6 +406,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Mon Nov 23 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14.el8_3.1
+- do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+
 * Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14
 - avoid overwriting a local file with -J (CVE-2020-8177)