rpms/curl
8
0
Fork 1
Code Issues Pull Requests Releases Activity

new upstream release - 8.5.0

Browse Source 
Resolves: CVE-2023-46218 - cookie mixed case PSL bypass
Resolves: CVE-2023-46219 - HSTS long file name clears contents
This commit is contained in:
Jan Macku 2023-12-06 08:50:13 +01:00
parent cb17cbc66a
commit 7d149f66f5
3 changed files with 173 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

162
001-dist-add-tests-errorcodes.pl-to-the-tarball.patch Normal file
View File

@ -0,0 +1,162 @@
From 8ed817e84e3a24b5902416718cf445009a032ea9 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 6 Dec 2023 09:40:30 +0100
Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball
Used by test 1477
Reported-by: Xi Ruoyao
Follow-up to 0ca3a4ec9a7
Fixes #12462
Closes #12463
(cherry picked from commit da8c1d15782c8161b455a7ee90197c16ae5edb90)
also include missing tests/errorcodes.pl
Signed-off-by: Jan Macku <jamacku@redhat.com>
---
tests/Makefile.am | 20 ++++-----
tests/errorcodes.pl | 99 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 110 insertions(+), 9 deletions(-)
create mode 100755 tests/errorcodes.pl
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 17e9ad049..c6ae7a97a 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html
PDFPAGES = testcurl.pdf runtests.pdf
MANDISTPAGES = runtests.1.dist testcurl.1.dist
-EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \
- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \
- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \
- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \
- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \
- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \
- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \
- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \
- valgrind.supp version-scan.pl check-translatable-options.pl
+EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \
+ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \
+ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \
+ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl \
+ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \
+ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \
+ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 \
+ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \
+ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \
+ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \
+ check-translatable-options.pl errorcodes.pl
DISTCLEANFILES = configurehelp.pm
diff --git a/tests/errorcodes.pl b/tests/errorcodes.pl
new file mode 100755
index 000000000..9c8f9e882
--- /dev/null
+++ b/tests/errorcodes.pl
@@ -0,0 +1,99 @@
+#!/usr/bin/env perl
+#***************************************************************************
+# _ _ ____ _
+# Project ___| | | | _ \| |
+# / __| | | | |_) | |
+# | (__| |_| | _ <| |___
+# \___|\___/|_| \_\_____|
+#
+# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+# SPDX-License-Identifier: curl
+#
+###########################################################################
+
+# Check that libcurl-errors.3 and the public header files have the same set of
+# error codes.
+
+use strict;
+use warnings;
+
+# we may get the dir roots pointed out
+my $root=$ARGV[0] || ".";
+my $manpge = "$root/docs/libcurl/libcurl-errors.3";
+my $curlh = "$root/include/curl";
+my $errors=0;
+
+my @hnames;
+my %wherefrom;
+my @mnames;
+my %manfrom;
+
+sub scanheader {
+ my ($file)=@_;
+ open H, "<$file";
+ my $line = 0;
+ while(<H>) {
+ $line++;
+ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
+ my ($name)=($1);
+ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) {
+ push @hnames, $name;
+ if($wherefrom{$name}) {
+ print STDERR "double: $name\n";
+ }
+ $wherefrom{$name}="$file:$line";
+ }
+ }
+ }
+ close(H);
+}
+
+sub scanmanpage {
+ my ($file)=@_;
+ open H, "<$file";
+ my $line = 0;
+ while(<H>) {
+ $line++;
+ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
+ my ($name)=($1);
+ push @mnames, $name;
+ $manfrom{$name}="$file:$line";
+ }
+ }
+ close(H);
+}
+
+
+opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!";
+my @hfiles = grep { /\.h$/ } readdir($dh);
+closedir $dh;
+
+for(sort @hfiles) {
+ scanheader("$curlh/$_");
+}
+scanmanpage($manpge);
+
+print "Result\n";
+for my $h (sort @hnames) {
+ if(!$manfrom{$h}) {
+ printf "$h from %s, not in man page\n", $wherefrom{$h};
+ }
+}
+
+for my $m (sort @mnames) {
+ if(!$wherefrom{$m}) {
+ printf "$m from %s, not in any header\n", $manfrom{$m};
+ }
+}
--
2.43.0

10
curl.spec
View File

@ -1,6 +1,6 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 8.4.0 Version: 8.5.0
Release: 1%{?dist} Release: 1%{?dist}
License: curl License: curl
Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source0: https://curl.se/download/%{name}-%{version}.tar.xz
@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
Source2: mykey.asc Source2: mykey.asc
# add missing test script tests/errorcodes.pl to the tarball
Patch001: 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
@ -410,6 +413,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog %changelog
* Wed Dec 06 2023 Jan Macku <jamacku@redhat.com> - 8.5.0-1
- new upstream release, which fixes the following vulnerabilities
CVE-2023-46218 - cookie mixed case PSL bypass
CVE-2023-46219 - HSTS long file name clears contents
* Wed Oct 11 2023 Jan Macku <jamacku@redhat.com> - 8.4.0-1 * Wed Oct 11 2023 Jan Macku <jamacku@redhat.com> - 8.4.0-1
- new upstream release, which fixes the following vulnerabilities - new upstream release, which fixes the following vulnerabilities
CVE-2023-38545 - SOCKS5 heap buffer overflow CVE-2023-38545 - SOCKS5 heap buffer overflow

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (curl-8.4.0.tar.xz) = 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b SHA512 (curl-8.5.0.tar.xz) = acffa2cf61d9b8e4188575a1b40227da8d722df2e5fe8bb82a222b4eb2fd64bf8aebd90852ce050c79fb5e517d5cee2546bf7de92ede1dd394263e231cb741a3
SHA512 (curl-8.4.0.tar.xz.asc) = b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e SHA512 (curl-8.5.0.tar.xz.asc) = 9c6a2e61860878cd731d951fac1bb52cd314db20439a5173a95b48da1742737e02bfb9978d65e25de6535f839e281235203599a29f252e78e0d7a83769727329