From 98780da3f86dec6140fef3b7a408fe17434b0727 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Thu, 1 Feb 2024 13:07:37 +0100
Subject: [PATCH] new upstream release - 8.6.0

Resolves: CVE-2024-0853 - OCSP verification bypass with TLS session reuse

---
 .gitignore | 1 +
 ...-curl-8.6.0-remove-duplicate-content.patch | 108 ++++++++++++
 ...d-tests-errorcodes.pl-to-the-tarball.patch | 162 ------------------
 0101-curl-7.32.0-multilib.patch | 26 +--
 curl.spec | 18 +-
 sources | 4 +-
 6 files changed, 138 insertions(+), 181 deletions(-)
 create mode 100644 0001-curl-8.6.0-remove-duplicate-content.patch
 delete mode 100644 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch

diff --git a/.gitignore b/.gitignore
index c5a82f4..505a7d9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
 /curl-[0-9.]*.tar.xz.asc
+/curl-[0-9].[0-9].[0-9]/
diff --git a/0001-curl-8.6.0-remove-duplicate-content.patch b/0001-curl-8.6.0-remove-duplicate-content.patch
new file mode 100644
index 0000000..bbbb7ff
--- /dev/null
+++ b/0001-curl-8.6.0-remove-duplicate-content.patch
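Review bot: The added pattern `/curl-[0-9].[0-9].[0-9]/` on the last line of the .gitignore hunk only matches single-digit version components, so an unpacked source tree such as `curl-8.10.0/` would stop being ignored as soon as a two-digit minor ships. The three existing entries in the same hunk use the looser `[0-9.]*` form; `/curl-[0-9.]*/` would match the same directory and stay consistent with them.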
@@ -0,0 +1,108 @@
+From 960cf3ceb40cf875b146d4d1065d9267ccb83da1 Mon Sep 17 00:00:00 2001
+From: Jan Macku
+Date: Thu, 1 Feb 2024 12:56:31 +0100
+Subject: [PATCH 1/2] doc: remove duplicate content from curl-config.1
+
+This will be resolved in next release by:
+https://github.com/curl/curl/pull/12818
+
+see also: https://github.com/curl/curl/issues/12840
+
+Signed-off-by: Jan Macku
+---
+ docs/curl-config.1 | 82 ----------------------------------------------
+ 1 file changed, 82 deletions(-)
+
+diff --git a/docs/curl-config.1 b/docs/curl-config.1
+index 186ba3a..c142cb9 100644
+--- a/docs/curl-config.1
++++ b/docs/curl-config.1
+@@ -80,85 +80,3 @@ How do I build a single file with a one\-line command?
+ .fi
+ .SH SEE ALSO
+ .BR curl (1)
+-.\" generated by cd2nroff 0.1 from curl-config.md
+-.TH curl-config 1 "January 26 2024" curl-config
+-.SH NAME
+-curl\-config \- Get information about a libcurl installation
+-.SH SYNOPSIS
+-\fBcurl\-config [options]\fP
+-.SH DESCRIPTION
+-\fBcurl\-config\fP
+-displays information about the curl and libcurl installation.
+-.SH OPTIONS
+-.IP --ca
+-Displays the built\-in path to the CA cert bundle this libcurl uses.
+-.IP --cc
+-Displays the compiler used to build libcurl.
+-.IP --cflags
+-Set of compiler options (CFLAGS) to use when compiling files that use
+-libcurl. Currently that is only the include path to the curl include files.
+-.IP "--checkfor [version]"
+-Specify the oldest possible libcurl version string you want, and this
+-script will return 0 if the current installation is new enough or it
+-returns 1 and outputs a text saying that the current version is not new
+-enough. (Added in 7.15.4)
+-.IP --configure
+-Displays the arguments given to configure when building curl.
+-.IP --feature
+-Lists what particular main features the installed libcurl was built with. At
+-the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume
+-any particular order. The keywords will be separated by newlines. There may be
+-none, one, or several keywords in the list.
+-.IP --help
+-Displays the available options.
+-.IP --libs
+-Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl.
+-.IP --prefix
+-This is the prefix used when libcurl was installed. Libcurl is then installed
+-in $prefix/lib and its header files are installed in $prefix/include and so
+-on. The prefix is set with "configure \--prefix".
+-.IP --protocols
+-Lists what particular protocols the installed libcurl was built to support. At
+-the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE,
+-TELNET, LDAP, DICT and many more. Do not assume any particular order. The
+-protocols will be listed using uppercase and are separated by newlines. There
+-may be none, one, or several protocols in the list. (Added in 7.13.0)
+-.IP --ssl-backends
+-Lists the SSL backends that were enabled when libcurl was built. It might be
+-no, one or several names. If more than one name, they will appear
+-comma\-separated. (Added in 7.58.0)
+-.IP --static-libs
+-Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl statically. (Added in 7.17.1)
+-.IP --version
+-Outputs version information about the installed libcurl.
+-.IP --vernum
+-Outputs version information about the installed libcurl, in numerical mode.
+-This shows the version number, in hexadecimal, using 8 bits for each part:
+-major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and
+-libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be
+-omitted. (This option was broken in the 7.15.0 release.)
+-.SH EXAMPLES
+-What linker options do I need when I link with libcurl?
+-.nf
+- $ curl-config --libs
+-.fi
+-What compiler options do I need when I compile using libcurl functions?
+-.nf
+- $ curl-config --cflags
+-.fi
+-How do I know if libcurl was built with SSL support?
+-.nf
+- $ curl-config --feature | grep SSL
+-.fi
+-What\(aqs the installed libcurl version?
+-.nf
+- $ curl-config --version
+-.fi
+-How do I build a single file with a one\-line command?
+-.nf
+- $ `curl-config --cc --cflags` -o example source.c `curl-config --libs`
+-.fi
+-.SH SEE ALSO
+-.BR curl (1)
+--
+2.43.0
+
diff --git a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
deleted file mode 100644
index 4fd5490..0000000
--- a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 8ed817e84e3a24b5902416718cf445009a032ea9 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Wed, 6 Dec 2023 09:40:30 +0100
-Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball
-
-Used by test 1477
-
-Reported-by: Xi Ruoyao
-Follow-up to 0ca3a4ec9a7
-Fixes #12462
-Closes #12463
-
-(cherry picked from commit da8c1d15782c8161b455a7ee90197c16ae5edb90)
-
-also include missing tests/errorcodes.pl
-
-Signed-off-by: Jan Macku
----
- tests/Makefile.am | 20 ++++-----
- tests/errorcodes.pl | 99 +++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 110 insertions(+), 9 deletions(-)
- create mode 100755 tests/errorcodes.pl
-
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 17e9ad049..c6ae7a97a 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html
- PDFPAGES = testcurl.pdf runtests.pdf
- MANDISTPAGES = runtests.1.dist testcurl.1.dist
-
--EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \
-- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \
-- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \
-- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \
-- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \
-- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \
-- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \
-- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \
-- valgrind.supp version-scan.pl check-translatable-options.pl
-+EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \
-+ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \
-+ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \
-+ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl \
-+ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \
-+ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \
-+ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 \
-+ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \
-+ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \
-+ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \
-+ check-translatable-options.pl errorcodes.pl
-
- DISTCLEANFILES = configurehelp.pm
-
-diff --git a/tests/errorcodes.pl b/tests/errorcodes.pl
-new file mode 100755
-index 000000000..9c8f9e882
---- /dev/null
-+++ b/tests/errorcodes.pl
-@@ -0,0 +1,99 @@
-+#!/usr/bin/env perl
-+#***************************************************************************
-+# _ _ ____ _
-+# Project ___| | | | _ \| |
-+# / __| | | | |_) | |
-+# | (__| |_| | _ <| |___
-+# \___|\___/|_| \_\_____|
-+#
-+# Copyright (C) Daniel Stenberg, , et al.
-+#
-+# This software is licensed as described in the file COPYING, which
-+# you should have received as part of this distribution. The terms
-+# are also available at https://curl.se/docs/copyright.html.
-+#
-+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
-+# copies of the Software, and permit persons to whom the Software is
-+# furnished to do so, under the terms of the COPYING file.
-+#
-+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-+# KIND, either express or implied.
-+#
-+# SPDX-License-Identifier: curl
-+#
-+###########################################################################
-+
-+# Check that libcurl-errors.3 and the public header files have the same set of
-+# error codes.
-+
-+use strict;
-+use warnings;
-+
-+# we may get the dir roots pointed out
-+my $root=$ARGV[0] || ".";
-+my $manpge = "$root/docs/libcurl/libcurl-errors.3";
-+my $curlh = "$root/include/curl";
-+my $errors=0;
-+
-+my @hnames;
-+my %wherefrom;
-+my @mnames;
-+my %manfrom;
-+
-+sub scanheader {
-+ my ($file)=@_;
-+ open H, "<$file";
-+ my $line = 0;
-+ while() {
-+ $line++;
-+ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
-+ my ($name)=($1);
-+ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) {
-+ push @hnames, $name;
-+ if($wherefrom{$name}) {
-+ print STDERR "double: $name\n";
-+ }
-+ $wherefrom{$name}="$file:$line";
-+ }
-+ }
-+ }
-+ close(H);
-+}
-+
-+sub scanmanpage {
-+ my ($file)=@_;
-+ open H, "<$file";
-+ my $line = 0;
-+ while() {
-+ $line++;
-+ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
-+ my ($name)=($1);
-+ push @mnames, $name;
-+ $manfrom{$name}="$file:$line";
-+ }
-+ }
-+ close(H);
-+}
-+
-+
-+opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!";
-+my @hfiles = grep { /\.h$/ } readdir($dh);
-+closedir $dh;
-+
-+for(sort @hfiles) {
-+ scanheader("$curlh/$_");
-+}
-+scanmanpage($manpge);
-+
-+print "Result\n";
-+for my $h (sort @hnames) {
-+ if(!$manfrom{$h}) {
-+ printf "$h from %s, not in man page\n", $wherefrom{$h};
-+ }
-+}
-+
-+for my $m (sort @mnames) {
-+ if(!$wherefrom{$m}) {
-+ printf "$m from %s, not in any header\n", $manfrom{$m};
-+ }
-+}
---
-2.43.0
-
diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch
index b4f8e2a..328d3a4 100644
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@@ -1,7 +1,7 @@
-From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Fri, 12 Apr 2013 12:04:05 +0200
-Subject: [PATCH] prevent multilib conflicts on the curl-config script
+From 84b7e1cf486761e99361f5dcf5879cd7baf51b58 Mon Sep 17 00:00:00 2001
+From: Jan Macku
+Date: Thu, 1 Feb 2024 13:01:23 +0100
+Subject: [PATCH 2/2] prevent multilib conflicts on the curl-config script

 ---
 curl-config.in | 23 +++++------------------
@@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script
 3 files changed, 9 insertions(+), 19 deletions(-)

 diff --git a/curl-config.in b/curl-config.in
-index 150004d..95d0759 100644
+index 54f92d9..15a60da 100644
 --- a/curl-config.in
 +++ b/curl-config.in
 @@ -78,7 +78,7 @@ while test $# -gt 0; do
@@ -60,22 +60,22 @@ index 150004d..95d0759 100644
 *)
 diff --git a/docs/curl-config.1 b/docs/curl-config.1
-index 14a9d2b..ffcc004 100644
+index c142cb9..0e189b4 100644
 --- a/docs/curl-config.1
 +++ b/docs/curl-config.1
-@@ -72,7 +72,9 @@ no, one or several names. If more than one name, they will appear
- comma-separated. (Added in 7.58.0)
- .IP "--static-libs"
+@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they will appear
+ comma\-separated. (Added in 7.58.0)
+ .IP --static-libs
 Shows the complete set of libs and other linker options you will need in order
 -to link your application with libcurl statically. (Added in 7.17.1)
 +to link your application with libcurl statically. Note that Fedora/RHEL libcurl
 +packages do not provide any static libraries, thus cannot be linked statically.
 +(Added in 7.17.1)
- .IP "--version"
+ .IP --version
 Outputs version information about the installed libcurl.
- .IP "--vernum"
+ .IP --vernum
 diff --git a/libcurl.pc.in b/libcurl.pc.in
-index 2ba9c39..f8f8b00 100644
+index 9db6b0f..dcac692 100644
 --- a/libcurl.pc.in
 +++ b/libcurl.pc.in
 @@ -31,6 +31,7 @@ libdir=@libdir@
@@ -87,5 +87,5 @@ index 2ba9c39..f8f8b00 100644
 Name: libcurl
 URL: https://curl.se/
 --
-2.26.2
+2.43.0
diff --git a/curl.spec b/curl.spec
index b5e1ef0..20848b3 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.5.0
-Release: 2%{?dist}
+Version: 8.6.0
+Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -10,8 +10,8 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc

-# add missing test script tests/errorcodes.pl to the tarball
-Patch001: 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
+# remove duplicate content from curl-config.1
+Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch

 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -371,6 +371,10 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
+# Don't install man for mk-ca-bundle it's upstream bug
+# should be fixed in next release https://github.com/curl/curl/pull/12843
+rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1*
+
 %ldconfig_scriptlets -n libcurl
 %ldconfig_scriptlets -n libcurl-minimal
@@ -413,6 +417,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Thu Feb 01 2024 Jan Macku - 8.6.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2024-0853 - OCSP verification bypass with TLS session reuse
+- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix)
+- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843)
+
 * Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
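Review bot: The new `rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1*` in the `@@ -371,6 +371,10 @@` hunk of curl.spec is a stopgap whose retirement condition is only implied by the comment above it, and because `rm -f` stays silent once upstream stops installing that page, nothing will ever flag the line as obsolete. I would have the comment name the trigger explicitly, e.g. `# upstream 8.6.0 accidentally installs mk-ca-bundle.1 (curl/curl#12843); drop this rm once a release no longer ships it`, and give Patch001 in the `@@ -10,8 +10,8 @@` hunk a matching note (`# stopgap for curl/curl#12818, drop with the next upstream release`) so the two workarounds are retired together. The scriptlet containing the rm starts and ends outside the hunk.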
diff --git a/sources b/sources
index 6a14222..9c9d4a1 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (curl-8.5.0.tar.xz) = acffa2cf61d9b8e4188575a1b40227da8d722df2e5fe8bb82a222b4eb2fd64bf8aebd90852ce050c79fb5e517d5cee2546bf7de92ede1dd394263e231cb741a3
-SHA512 (curl-8.5.0.tar.xz.asc) = 9c6a2e61860878cd731d951fac1bb52cd314db20439a5173a95b48da1742737e02bfb9978d65e25de6535f839e281235203599a29f252e78e0d7a83769727329
+SHA512 (curl-8.6.0.tar.xz) = 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036
+SHA512 (curl-8.6.0.tar.xz.asc) = 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f