From 46042daf7847952cba2d4b080a44258f656d0049 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 9 Aug 2017 10:45:36 +0200
Subject: [PATCH] new upstream release - 7.55.0
Resolves: CVE-2017-1000099 - FILE buffer read out of bounds
Resolves: CVE-2017-1000100 - TFTP sends more than buffer size
Resolves: CVE-2017-1000101 - URL globbing out of bounds read
---
 .gitignore | 1 +
 0102-curl-7.36.0-debug.patch | 4 ++--
 curl-7.54.1.tar.lzma.asc | 11 -----------
 curl-7.55.0.tar.xz.asc | 11 +++++++++++
 curl.spec | 12 +++++++++---
 sources | 2 +-
 6 files changed, 24 insertions(+), 17 deletions(-)
 delete mode 100644 curl-7.54.1.tar.lzma.asc
 create mode 100644 curl-7.55.0.tar.xz.asc
diff --git a/.gitignore b/.gitignore
index c5a0e59..7dcfd8f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /curl-[0-9.]*.tar.lzma
+/curl-[0-9.]*.tar.xz
diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch
index bbd4199..c26a03a 100644
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -17044,18 +17044,11 @@ $as_echo "yes" >&6; }
+@@ -17079,18 +17079,11 @@ $as_echo "yes" >&6; }
 gccvhi=`echo $gccver | cut -d . -f1`
 gccvlo=`echo $gccver | cut -d . -f2`
 compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
@@ -38,7 +38,7 @@ diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
 index 0cbba7a..9175b5b 100644
 --- a/m4/curl-compilers.m4
 +++ b/m4/curl-compilers.m4
-@@ -148,18 +148,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
+@@ -157,18 +157,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
 gccvhi=`echo $gccver | cut -d . -f1`
 gccvlo=`echo $gccver | cut -d . -f2`
 compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
diff --git a/curl-7.54.1.tar.lzma.asc b/curl-7.54.1.tar.lzma.asc
deleted file mode 100644
index 7810b61..0000000
--- a/curl-7.54.1.tar.lzma.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAllA1CcACgkQXMkI/bce
-EsIvtQf8CSC7sFHaJzQY0JqrGQwbtO6DT5OShv1lEHlzg/2KC8/yp94n/U9eBkdt
-7/EPnFJ6hY+CVCMSv+LvpEyNTbkqBjwtshlDQTgDiPkSt265Z3qxayITN8fdDZnJ
-ylnDb9c1InprXuqLlhbtWILC25ZcC39dQFWIJcsmfd3ylml4VK7Z9tEhEN8W71MR
-OaQyqSu9jjO5nTof7dVu2aAhG50EoqjuCKUuYfWIJcEM2Lo4RDnicZNrZaOyxuu2
-EKeE9lmnNejgUzPN1WZ2ySocDdZzdA5CTjAbaRwAXBT840OZSUEqktrR4C2ECrTq
-rbhBlEwUKuPNvGpkGymaHf6vQFAqGQ==
-=gmuC
------END PGP SIGNATURE-----
diff --git a/curl-7.55.0.tar.xz.asc b/curl-7.55.0.tar.xz.asc
new file mode 100644
index 0000000..ba351fa
--- /dev/null
+++ b/curl-7.55.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlmKoywACgkQXMkI/bce
+EsJGywgAtxvIgaAeeyGK2LRZnNoY/UQyiPixlSc+3ziOtEGniCOxHvDJ/86DSRAN
+u64Yy7ECNgLiZk50/Dglm90OfvwTjtF/XdXCQKAUfvYyr6YDCneC01NsUdgsO/w1
+eO7zxxxQScNDDLdIHEvaD5LqJ99pACBOEV8cpcF4iX4iC4p6zQp5/rG9Z4X9JWZj
+Ycto4FFTniTw+uV0B6dUPPU2omSTeO0pRMmDMgD+I0FaEaEU0uEgQ28DOMT6YL+x
+EtM33aCjkASS1ZKf5e2Kh7FwWvdRopE83o0OihckaboX9AmOj7WkKCsfu2v7k9PA
+8wR3kMvA4Q6youUpirjFTWzXPrEZ9A==
+=1ymt
+-----END PGP SIGNATURE-----
diff --git a/curl.spec b/curl.spec
index 45edebb..b5aa51b 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,10 +1,10 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.54.1
-Release: 8%{?dist}
+Version: 7.55.0
+Release: 1%{?dist}
 License: MIT
 Group: Applications/Internet
-Source: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma
+Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
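Review bot: The `Source:` line now fetches curl-7.55.0.tar.xz and the commit adds curl-7.55.0.tar.xz.asc next to it, but nothing in this hunk binds the two: there is no `Source1:` for the detached signature and no verification step, so as far as the diff shows the upstream signature is only checked by hand before the SHA512 is written to `sources`. The rest of curl.spec, including %prep, is outside the hunk, so such a step may already exist there; if it does not, consider `Source1: https://curl.haxx.se/download/%{name}-%{version}.tar.xz.asc` plus a `gpgv2 --keyring` check in %prep against a keyring shipped as another Source, so that a tarball that does not match the committed .asc fails the build instead of relying on the maintainer's manual check. The `sources` hunk at the end of the patch pins only the SHA512 and has the same gap.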
@@ -302,6 +302,12 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
 %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal
 %changelog
+* Wed Aug 09 2017 Kamil Dudka 7.55.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2017-1000099 - FILE buffer read out of bounds
+ CVE-2017-1000100 - TFTP sends more than buffer size
+ CVE-2017-1000101 - URL globbing out of bounds read
+
 * Wed Aug 02 2017 Fedora Release Engineering - 7.54.1-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
diff --git a/sources b/sources
index 044dffe..b67a92c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (curl-7.54.1.tar.lzma) = 69fe5c78564c3662b6922fad93623b6263af608aa5acdaf5148823ab05278eb3e0e8f1cf87e24345272bfe684aa774d650ceb3f977474a4a1071ab114f4be12a
+SHA512 (curl-7.55.0.tar.xz) = f597fb0f011889b6843e9d4dfe59dda043c9562774be9d882a7e7ae5905c9c23ffc5c008b499162163b1bba2571e0c23138ac2a34cd209c237d8d9366cfeaa6b