rpms/curl
7
0
Fork 1
Code Issues Pull Requests Releases Activity

new upstream release, which fixes the following vulnerabilities

Browse Source 
Resolves: CVE-2018-1000300 - FTP shutdown response buffer overflow
Resolves: CVE-2018-1000301 - RTSP bad headers buffer over-read
This commit is contained in:
Kamil Dudka 2018-05-16 13:16:56 +02:00
parent a1b38730ce
commit 5a0fa9250b
7 changed files with 21 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
View File

@ -1,29 +0,0 @@
From 1b02cb2b51148915b2ba025bb262ef34f369fa4b Mon Sep 17 00:00:00 2001
From: dasimx <g9264140@trbvm.com>
Date: Wed, 14 Mar 2018 11:02:05 +0100
Subject: [PATCH] FTP: fix typo in recursive callback detection for seeking
Fixes #2380
Upstream-commit: 920f73a6906dce87c6ee87c32b109a287189965d
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/ftp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ftp.c b/lib/ftp.c
index e2cc38b..0cc583b 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -1621,7 +1621,7 @@ static CURLcode ftp_state_ul_setup(struct connectdata *conn,
Curl_set_in_callback(data, true);
seekerr = conn->seek_func(conn->seek_client, data->state.resume_from,
SEEK_SET);
- Curl_set_in_callback(data, true);
+ Curl_set_in_callback(data, false);
}
if(seekerr != CURL_SEEKFUNC_OK) {
--
2.14.3

2
0102-curl-7.36.0-debug.patch
View File

@ -12,7 +12,7 @@ diff --git a/configure b/configure
index 8f079a3..53b4774 100755 index 8f079a3..53b4774 100755
--- a/configure --- a/configure
+++ b/configure +++ b/configure
@@ -16524,18 +16524,11 @@ $as_echo "yes" >&6; } @@ -16537,18 +16537,11 @@ $as_echo "yes" >&6; }
gccvhi=`echo $gccver | cut -d . -f1` gccvhi=`echo $gccver | cut -d . -f1`
gccvlo=`echo $gccver | cut -d . -f2` gccvlo=`echo $gccver | cut -d . -f2`
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`

2
0103-curl-7.59.0-python3.patch
View File

@ -32,7 +32,7 @@ diff --git a/tests/runtests.pl b/tests/runtests.pl
index d6aa5ca..4d395ef 100755 index d6aa5ca..4d395ef 100755
--- a/tests/runtests.pl --- a/tests/runtests.pl
+++ b/tests/runtests.pl +++ b/tests/runtests.pl
@@ -1437,7 +1437,7 @@ sub runhttpserver { @@ -1438,7 +1438,7 @@ sub runhttpserver {
elsif($alt eq "pipe") { elsif($alt eq "pipe") {
# basically the same, but another ID # basically the same, but another ID
$idnum = 3; $idnum = 3;

11
curl-7.59.0.tar.xz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlqoxTwACgkQXMkI/bce
EsJrHQf7B0ik8F5dfGYumYWkXHc9poJU+dJ0o6pwzg4QsP+4mwVTw/gnrXDm1hVk
iFPIAdgTkxiIDZi+6mDfZA9dZ8Aq38XbYjRIwXTW4KrjTtEFQXtwlEClrHrJyXfl
+2YC52BcY0D2JVDqUAB9cVSSgaHHf1jd4h32a8YMrwco4jP5rSxbmZe4psU2m8TC
skaZEoSIRJzg5oV+AgDSQMrq+fLsc5lIDKTl+7v6sjnGlcYeRC1SiBePyrh5g/o5
w4JJH839MyjrYvi6MyCBHeyCFYDrxKvQw8zRwivfZ1oipM2SaSVq8c60PdR85Zw5
/SNOU/7Qpvhua0GhAfaI/CTwwewy6w==
=OcVv
-----END PGP SIGNATURE-----

11
curl-7.60.0.tar.xz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlr7zUoACgkQXMkI/bce
EsK3jgf7Bvnswxxgq4wQWmqRKQvkN/zkuA2GjSm98M7mizVHl/7/imeqDl7S1vp0
A6KCI99Epf+2EYgxrEbvZqlSQ6H30eBxOvV2yNwPhrS3UnXwNSJsbFr5bDRE4o8S
upyP/tSgEIGJcpq0bstrD7T/DRZ1yFCLB5rOOJx4lQnPuB3C7GAmuOj1ZtIxWIn+
D/G+X1+/oZlils2TMI7ryjRuFvOSPHdUNldwtvfaRg0i3tNYnPbWq54lhouSn31H
ft8wNd3nnUpueWCWaKKXo+GBVDemDAMEcDbna+woW5SFLI6ZG/c822ljtld05Dk1
KmwikC7MREQxkODmC10yrgy9I9akNg==
=f++X
-----END PGP SIGNATURE-----

13
curl.spec
View File

@ -1,13 +1,10 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.59.0 Version: 7.60.0
Release: 3%{?dist} Release: 1%{?dist}
License: MIT License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
# ftp: fix typo in recursive callback detection for seeking
Patch1: 0001-curl-7.58.0-ftp-typo-in-recursive-callback-detection.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
@ -157,7 +154,6 @@ be installed.
%setup -q %setup -q
# upstream patches # upstream patches
%patch1 -p1
# Fedora patches # Fedora patches
%patch101 -p1 %patch101 -p1
@ -307,6 +303,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog %changelog
* Wed May 16 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-1
- new upstream release, which fixes the following vulnerabilities
CVE-2018-1000300 - FTP shutdown response buffer overflow
CVE-2018-1000301 - RTSP bad headers buffer over-read
* Thu Mar 15 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-3 * Thu Mar 15 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-3
- make the test-suite use Python 3 - make the test-suite use Python 3

2
sources
View File

@ -1 +1 @@
SHA512 (curl-7.59.0.tar.xz) = 6982a5950b564d6b2a4f4b96296b6db3db24a096acc68aa96966821b57f66362f5a69d9f2da762b5d2b1011a4a47478ebacaf05e26604f78bb013098749dd8a6 SHA512 (curl-7.60.0.tar.xz) = 96a0c32ca846a76bba75e9e560ad4c15df79540992ed1a83713095be94ddba039f289bda9678762fd79fb9691fe810735178fb9dc970c37012dff96b8ce08abf