From 5a0fa9250ba51f804d18b99133055a4874bf06b7 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 16 May 2018 13:16:56 +0200
Subject: [PATCH] new upstream release, which fixes the following vulnerabilities
Resolves: CVE-2018-1000300 - FTP shutdown response buffer overflow
Resolves: CVE-2018-1000301 - RTSP bad headers buffer over-read
---
 ...typo-in-recursive-callback-detection.patch | 29 -------------------
 0102-curl-7.36.0-debug.patch | 2 +-
 0103-curl-7.59.0-python3.patch | 2 +-
 curl-7.59.0.tar.xz.asc | 11 -------
 curl-7.60.0.tar.xz.asc | 11 +++++++
 curl.spec | 13 +++++----
 sources | 2 +-
 7 files changed, 21 insertions(+), 49 deletions(-)
 delete mode 100644 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
 delete mode 100644 curl-7.59.0.tar.xz.asc
 create mode 100644 curl-7.60.0.tar.xz.asc
diff --git a/0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch b/0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
deleted file mode 100644
index 224630c..0000000
--- a/0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 1b02cb2b51148915b2ba025bb262ef34f369fa4b Mon Sep 17 00:00:00 2001
-From: dasimx
-Date: Wed, 14 Mar 2018 11:02:05 +0100
-Subject: [PATCH] FTP: fix typo in recursive callback detection for seeking
-
-Fixes #2380
-
-Upstream-commit: 920f73a6906dce87c6ee87c32b109a287189965d
-Signed-off-by: Kamil Dudka
----
- lib/ftp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/ftp.c b/lib/ftp.c
-index e2cc38b..0cc583b 100644
--- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -1621,7 +1621,7 @@ static CURLcode ftp_state_ul_setup(struct connectdata *conn,
- Curl_set_in_callback(data, true);
- seekerr = conn->seek_func(conn->seek_client, data->state.resume_from,
- SEEK_SET);
-- Curl_set_in_callback(data, true);
-+ Curl_set_in_callback(data, false);
- }
-
- if(seekerr != CURL_SEEKFUNC_OK) {
---
-2.14.3
-
diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch
index 13f07df..95670f0 100644
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16524,18 +16524,11 @@ $as_echo "yes" >&6; }
+@@ -16537,18 +16537,11 @@ $as_echo "yes" >&6; }
 gccvhi=`echo $gccver | cut -d . -f1`
 gccvlo=`echo $gccver | cut -d . -f2`
 compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
diff --git a/0103-curl-7.59.0-python3.patch b/0103-curl-7.59.0-python3.patch
index 8a39f85..dd10986 100644
--- a/0103-curl-7.59.0-python3.patch
+++ b/0103-curl-7.59.0-python3.patch
@@ -32,7 +32,7 @@ diff --git a/tests/runtests.pl b/tests/runtests.pl
 index d6aa5ca..4d395ef 100755
 --- a/tests/runtests.pl
 +++ b/tests/runtests.pl
-@@ -1437,7 +1437,7 @@ sub runhttpserver {
+@@ -1438,7 +1438,7 @@ sub runhttpserver {
 elsif($alt eq "pipe") {
 # basically the same, but another ID
 $idnum = 3;
diff --git a/curl-7.59.0.tar.xz.asc b/curl-7.59.0.tar.xz.asc
deleted file mode 100644
index e74f7b2..0000000
--- a/curl-7.59.0.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlqoxTwACgkQXMkI/bce
-EsJrHQf7B0ik8F5dfGYumYWkXHc9poJU+dJ0o6pwzg4QsP+4mwVTw/gnrXDm1hVk
-iFPIAdgTkxiIDZi+6mDfZA9dZ8Aq38XbYjRIwXTW4KrjTtEFQXtwlEClrHrJyXfl
-+2YC52BcY0D2JVDqUAB9cVSSgaHHf1jd4h32a8YMrwco4jP5rSxbmZe4psU2m8TC
-skaZEoSIRJzg5oV+AgDSQMrq+fLsc5lIDKTl+7v6sjnGlcYeRC1SiBePyrh5g/o5
-w4JJH839MyjrYvi6MyCBHeyCFYDrxKvQw8zRwivfZ1oipM2SaSVq8c60PdR85Zw5
-/SNOU/7Qpvhua0GhAfaI/CTwwewy6w==
-=OcVv
------END PGP SIGNATURE-----
diff --git a/curl-7.60.0.tar.xz.asc b/curl-7.60.0.tar.xz.asc
new file mode 100644
index 0000000..53ca282
--- /dev/null
+++ b/curl-7.60.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlr7zUoACgkQXMkI/bce
+EsK3jgf7Bvnswxxgq4wQWmqRKQvkN/zkuA2GjSm98M7mizVHl/7/imeqDl7S1vp0
+A6KCI99Epf+2EYgxrEbvZqlSQ6H30eBxOvV2yNwPhrS3UnXwNSJsbFr5bDRE4o8S
+upyP/tSgEIGJcpq0bstrD7T/DRZ1yFCLB5rOOJx4lQnPuB3C7GAmuOj1ZtIxWIn+
+D/G+X1+/oZlils2TMI7ryjRuFvOSPHdUNldwtvfaRg0i3tNYnPbWq54lhouSn31H
+ft8wNd3nnUpueWCWaKKXo+GBVDemDAMEcDbna+woW5SFLI6ZG/c822ljtld05Dk1
+KmwikC7MREQxkODmC10yrgy9I9akNg==
+=f++X
+-----END PGP SIGNATURE-----
diff --git a/curl.spec b/curl.spec
index eb0ad83..348f6db 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,13 +1,10 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.59.0
-Release: 3%{?dist}
+Version: 7.60.0
+Release: 1%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
-# ftp: fix typo in recursive callback detection for seeking
-Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
-
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -157,7 +154,6 @@ be installed.
 %setup -q
 # upstream patches
-%patch1 -p1
 # Fedora patches
 %patch101 -p1
@@ -307,6 +303,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Wed May 16 2018 Kamil Dudka - 7.60.0-1
+- new upstream release, which fixes the following vulnerabilities CVE-2018-1000300 - FTP shutdown response buffer overflow CVE-2018-1000301 - RTSP bad headers buffer over-read
 * Thu Mar 15 2018 Kamil Dudka - 7.59.0-3
 - make the test-suite use Python 3
diff --git a/sources b/sources
index f353b13..4a1cecd 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (curl-7.59.0.tar.xz) = 6982a5950b564d6b2a4f4b96296b6db3db24a096acc68aa96966821b57f66362f5a69d9f2da762b5d2b1011a4a47478ebacaf05e26604f78bb013098749dd8a6
+SHA512 (curl-7.60.0.tar.xz) = 96a0c32ca846a76bba75e9e560ad4c15df79540992ed1a83713095be94ddba039f289bda9678762fd79fb9691fe810735178fb9dc970c37012dff96b8ce08abf