new upstream release - 8.5.0

Resolves: CVE-2023-46218 - cookie mixed case PSL bypass Resolves: CVE-2023-46219 - HSTS long file name clears contents
2023-12-06 08:50:13 +01:00 · 2023-12-06 08:50:13 +01:00 · 7d149f66f5
commit 7d149f66f5
parent cb17cbc66a
3 changed files with 173 additions and 3 deletions
--- a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
+++ b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
@ -0,0 +1,162 @@
+From 8ed817e84e3a24b5902416718cf445009a032ea9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 6 Dec 2023 09:40:30 +0100
+Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball
+
+Used by test 1477
+
+Reported-by: Xi Ruoyao
+Follow-up to 0ca3a4ec9a7
+Fixes #12462
+Closes #12463
+
+(cherry picked from commit da8c1d15782c8161b455a7ee90197c16ae5edb90)
+
+also include missing tests/errorcodes.pl
+
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ tests/Makefile.am   | 20 ++++-----
+ tests/errorcodes.pl | 99 +++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 110 insertions(+), 9 deletions(-)
+ create mode 100755 tests/errorcodes.pl
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 17e9ad049..c6ae7a97a 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html
+ PDFPAGES = testcurl.pdf runtests.pdf
+ MANDISTPAGES = runtests.1.dist testcurl.1.dist
+ 
+-EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \
+- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \
+- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \
+- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \
+- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \
+- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \
+- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \
+- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \
+- valgrind.supp version-scan.pl check-translatable-options.pl
+EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl           \
+ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl       \
+ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl      \
+ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl    \
+ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl  \
+ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl               \
+ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1     \
+ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \
+ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm   \
+ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl              \
+ check-translatable-options.pl errorcodes.pl
+ 
+ DISTCLEANFILES = configurehelp.pm
+ 
+diff --git a/tests/errorcodes.pl b/tests/errorcodes.pl
+new file mode 100755
+index 000000000..9c8f9e882
+--- /dev/null
+++ b/tests/errorcodes.pl
+@@ -0,0 +1,99 @@
+#!/usr/bin/env perl
+#***************************************************************************
+#                                  _   _ ____  _
+#  Project                     ___| | | |  _ \| |
+#                             / __| | | | |_) | |
+#                            | (__| |_| |  _ <| |___
+#                             \___|\___/|_| \_\_____|
+#
+# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+#
+# This software is licensed as described in the file COPYING, which
+# you should have received as part of this distribution. The terms
+# are also available at https://curl.se/docs/copyright.html.
+#
+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
+# copies of the Software, and permit persons to whom the Software is
+# furnished to do so, under the terms of the COPYING file.
+#
+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+# KIND, either express or implied.
+#
+# SPDX-License-Identifier: curl
+#
+###########################################################################
+
+# Check that libcurl-errors.3 and the public header files have the same set of
+# error codes.
+
+use strict;
+use warnings;
+
+# we may get the dir roots pointed out
+my $root=$ARGV[0] || ".";
+my $manpge = "$root/docs/libcurl/libcurl-errors.3";
+my $curlh = "$root/include/curl";
+my $errors=0;
+
+my @hnames;
+my %wherefrom;
+my @mnames;
+my %manfrom;
+
+sub scanheader {
+    my ($file)=@_;
+    open H, "<$file";
+    my $line = 0;
+    while(<H>) {
+        $line++;
+        if($_ =~ /^  (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
+            my ($name)=($1);
+            if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) {
+                push @hnames, $name;
+                if($wherefrom{$name}) {
+                    print STDERR "double: $name\n";
+                }
+                $wherefrom{$name}="$file:$line";
+            }
+        }
+    }
+    close(H);
+}
+
+sub scanmanpage {
+    my ($file)=@_;
+    open H, "<$file";
+    my $line = 0;
+    while(<H>) {
+        $line++;
+        if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
+            my ($name)=($1);
+            push @mnames, $name;
+            $manfrom{$name}="$file:$line";
+        }
+    }
+    close(H);
+}
+
+
+opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!";
+my @hfiles = grep { /\.h$/ } readdir($dh);
+closedir $dh;
+
+for(sort @hfiles) {
+    scanheader("$curlh/$_");
+}
+scanmanpage($manpge);
+
+print "Result\n";
+for my $h (sort @hnames) {
+    if(!$manfrom{$h}) {
+        printf "$h from %s, not in man page\n", $wherefrom{$h};
+    }
+}
+
+for my $m (sort @mnames) {
+    if(!$wherefrom{$m}) {
+        printf "$m from %s, not in any header\n", $manfrom{$m};
+    }
+}
+-- 
+2.43.0
+
--- a/curl.spec
+++ b/curl.spec
@ -1,6 +1,6 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.4.0
+Version: 8.5.0
 Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
@ -10,6 +10,9 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc

+# add missing test script tests/errorcodes.pl to the tarball
+Patch001: 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -410,6 +413,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Wed Dec 06 2023 Jan Macku <jamacku@redhat.com> - 8.5.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2023-46218 - cookie mixed case PSL bypass
+    CVE-2023-46219 - HSTS long file name clears contents
+
 * Wed Oct 11 2023 Jan Macku <jamacku@redhat.com> - 8.4.0-1
 - new upstream release, which fixes the following vulnerabilities
    CVE-2023-38545 - SOCKS5 heap buffer overflow
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (curl-8.4.0.tar.xz) = 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b
-SHA512 (curl-8.4.0.tar.xz.asc) = b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e
+SHA512 (curl-8.5.0.tar.xz) = acffa2cf61d9b8e4188575a1b40227da8d722df2e5fe8bb82a222b4eb2fd64bf8aebd90852ce050c79fb5e517d5cee2546bf7de92ede1dd394263e231cb741a3
+SHA512 (curl-8.5.0.tar.xz.asc) = 9c6a2e61860878cd731d951fac1bb52cd314db20439a5173a95b48da1742737e02bfb9978d65e25de6535f839e281235203599a29f252e78e0d7a83769727329