new upstream release - 8.6.0

Resolves: CVE-2024-0853 - OCSP verification bypass with TLS session reuse
2024-02-01 13:07:37 +01:00 · 2024-02-01 13:07:37 +01:00 · 98780da3f8
commit 98780da3f8
parent 3c4671bd88
6 changed files with 138 additions and 181 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 /curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
 /curl-[0-9.]*.tar.xz.asc
+/curl-[0-9].[0-9].[0-9]/
--- a/0001-curl-8.6.0-remove-duplicate-content.patch
+++ b/0001-curl-8.6.0-remove-duplicate-content.patch
@ -0,0 +1,108 @@
+From 960cf3ceb40cf875b146d4d1065d9267ccb83da1 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Thu, 1 Feb 2024 12:56:31 +0100
+Subject: [PATCH 1/2] doc: remove duplicate content from curl-config.1
+
+This will be resolved in next release by:
+https://github.com/curl/curl/pull/12818
+
+see also: https://github.com/curl/curl/issues/12840
+
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ docs/curl-config.1 | 82 ----------------------------------------------
+ 1 file changed, 82 deletions(-)
+
+diff --git a/docs/curl-config.1 b/docs/curl-config.1
+index 186ba3a..c142cb9 100644
+--- a/docs/curl-config.1
+++ b/docs/curl-config.1
+@@ -80,85 +80,3 @@ How do I build a single file with a one\-line command?
+ .fi
+ .SH SEE ALSO
+ .BR curl (1)
+-.\" generated by cd2nroff 0.1 from curl-config.md
+-.TH curl-config 1 "January 26 2024" curl-config
+-.SH NAME
+-curl\-config \- Get information about a libcurl installation
+-.SH SYNOPSIS
+-\fBcurl\-config [options]\fP
+-.SH DESCRIPTION
+-\fBcurl\-config\fP
+-displays information about the curl and libcurl installation.
+-.SH OPTIONS
+-.IP --ca
+-Displays the built\-in path to the CA cert bundle this libcurl uses.
+-.IP --cc
+-Displays the compiler used to build libcurl.
+-.IP --cflags
+-Set of compiler options (CFLAGS) to use when compiling files that use
+-libcurl. Currently that is only the include path to the curl include files.
+-.IP "--checkfor [version]"
+-Specify the oldest possible libcurl version string you want, and this
+-script will return 0 if the current installation is new enough or it
+-returns 1 and outputs a text saying that the current version is not new
+-enough. (Added in 7.15.4)
+-.IP --configure
+-Displays the arguments given to configure when building curl.
+-.IP --feature
+-Lists what particular main features the installed libcurl was built with. At
+-the time of writing, this list may include SSL, KRB4 or IPv6. Do not assume
+-any particular order. The keywords will be separated by newlines. There may be
+-none, one, or several keywords in the list.
+-.IP --help
+-Displays the available options.
+-.IP --libs
+-Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl.
+-.IP --prefix
+-This is the prefix used when libcurl was installed. Libcurl is then installed
+-in $prefix/lib and its header files are installed in $prefix/include and so
+-on. The prefix is set with "configure \--prefix".
+-.IP --protocols
+-Lists what particular protocols the installed libcurl was built to support. At
+-the time of writing, this list may include HTTP, HTTPS, FTP, FTPS, FILE,
+-TELNET, LDAP, DICT and many more. Do not assume any particular order. The
+-protocols will be listed using uppercase and are separated by newlines. There
+-may be none, one, or several protocols in the list. (Added in 7.13.0)
+-.IP --ssl-backends
+-Lists the SSL backends that were enabled when libcurl was built. It might be
+-no, one or several names. If more than one name, they will appear
+-comma\-separated. (Added in 7.58.0)
+-.IP --static-libs
+-Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl statically. (Added in 7.17.1)
+-.IP --version
+-Outputs version information about the installed libcurl.
+-.IP --vernum
+-Outputs version information about the installed libcurl, in numerical mode.
+-This shows the version number, in hexadecimal, using 8 bits for each part:
+-major, minor, and patch numbers. This makes libcurl 7.7.4 appear as 070704 and
+-libcurl 12.13.14 appear as 0c0d0e... Note that the initial zero might be
+-omitted. (This option was broken in the 7.15.0 release.)
+-.SH EXAMPLES
+-What linker options do I need when I link with libcurl?
+-.nf
+-  $ curl-config --libs
+-.fi
+-What compiler options do I need when I compile using libcurl functions?
+-.nf
+-  $ curl-config --cflags
+-.fi
+-How do I know if libcurl was built with SSL support?
+-.nf
+-  $ curl-config --feature | grep SSL
+-.fi
+-What\(aqs the installed libcurl version?
+-.nf
+-  $ curl-config --version
+-.fi
+-How do I build a single file with a one\-line command?
+-.nf
+-  $ `curl-config --cc --cflags` -o example source.c `curl-config --libs`
+-.fi
+-.SH SEE ALSO
+-.BR curl (1)
+-- 
+2.43.0
+
--- a/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
+++ b/001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
@ -1,162 +0,0 @@
-From 8ed817e84e3a24b5902416718cf445009a032ea9 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Wed, 6 Dec 2023 09:40:30 +0100
-Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball
-
-Used by test 1477
-
-Reported-by: Xi Ruoyao
-Follow-up to 0ca3a4ec9a7
-Fixes #12462
-Closes #12463
-
-(cherry picked from commit da8c1d15782c8161b455a7ee90197c16ae5edb90)
-
-also include missing tests/errorcodes.pl
-
-Signed-off-by: Jan Macku <jamacku@redhat.com>
---
- tests/Makefile.am   | 20 ++++-----
- tests/errorcodes.pl | 99 +++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 110 insertions(+), 9 deletions(-)
- create mode 100755 tests/errorcodes.pl
-
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 17e9ad049..c6ae7a97a 100644
--- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html
- PDFPAGES = testcurl.pdf runtests.pdf
- MANDISTPAGES = runtests.1.dist testcurl.1.dist
- 
-EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \
- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \
- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \
- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \
- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \
- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \
- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \
- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \
- valgrind.supp version-scan.pl check-translatable-options.pl
-+EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl           \
-+ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl       \
-+ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl      \
-+ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl    \
-+ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl  \
-+ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl               \
-+ options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1     \
-+ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \
-+ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm   \
-+ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl              \
-+ check-translatable-options.pl errorcodes.pl
- 
- DISTCLEANFILES = configurehelp.pm
- 
-diff --git a/tests/errorcodes.pl b/tests/errorcodes.pl
-new file mode 100755
-index 000000000..9c8f9e882
--- /dev/null
-+++ b/tests/errorcodes.pl
-@@ -0,0 +1,99 @@
-+#!/usr/bin/env perl
-+#***************************************************************************
-+#                                  _   _ ____  _
-+#  Project                     ___| | | |  _ \| |
-+#                             / __| | | | |_) | |
-+#                            | (__| |_| |  _ <| |___
-+#                             \___|\___/|_| \_\_____|
-+#
-+# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
-+#
-+# This software is licensed as described in the file COPYING, which
-+# you should have received as part of this distribution. The terms
-+# are also available at https://curl.se/docs/copyright.html.
-+#
-+# You may opt to use, copy, modify, merge, publish, distribute and/or sell
-+# copies of the Software, and permit persons to whom the Software is
-+# furnished to do so, under the terms of the COPYING file.
-+#
-+# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-+# KIND, either express or implied.
-+#
-+# SPDX-License-Identifier: curl
-+#
-+###########################################################################
-+
-+# Check that libcurl-errors.3 and the public header files have the same set of
-+# error codes.
-+
-+use strict;
-+use warnings;
-+
-+# we may get the dir roots pointed out
-+my $root=$ARGV[0] || ".";
-+my $manpge = "$root/docs/libcurl/libcurl-errors.3";
-+my $curlh = "$root/include/curl";
-+my $errors=0;
-+
-+my @hnames;
-+my %wherefrom;
-+my @mnames;
-+my %manfrom;
-+
-+sub scanheader {
-+    my ($file)=@_;
-+    open H, "<$file";
-+    my $line = 0;
-+    while(<H>) {
-+        $line++;
-+        if($_ =~ /^  (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
-+            my ($name)=($1);
-+            if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) {
-+                push @hnames, $name;
-+                if($wherefrom{$name}) {
-+                    print STDERR "double: $name\n";
-+                }
-+                $wherefrom{$name}="$file:$line";
-+            }
-+        }
-+    }
-+    close(H);
-+}
-+
-+sub scanmanpage {
-+    my ($file)=@_;
-+    open H, "<$file";
-+    my $line = 0;
-+    while(<H>) {
-+        $line++;
-+        if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) {
-+            my ($name)=($1);
-+            push @mnames, $name;
-+            $manfrom{$name}="$file:$line";
-+        }
-+    }
-+    close(H);
-+}
-+
-+
-+opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!";
-+my @hfiles = grep { /\.h$/ } readdir($dh);
-+closedir $dh;
-+
-+for(sort @hfiles) {
-+    scanheader("$curlh/$_");
-+}
-+scanmanpage($manpge);
-+
-+print "Result\n";
-+for my $h (sort @hnames) {
-+    if(!$manfrom{$h}) {
-+        printf "$h from %s, not in man page\n", $wherefrom{$h};
-+    }
-+}
-+
-+for my $m (sort @mnames) {
-+    if(!$wherefrom{$m}) {
-+        printf "$m from %s, not in any header\n", $manfrom{$m};
-+    }
-+}
-- 
-2.43.0
-
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@ -1,7 +1,7 @@
-From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Fri, 12 Apr 2013 12:04:05 +0200
-Subject: [PATCH] prevent multilib conflicts on the curl-config script
+From 84b7e1cf486761e99361f5dcf5879cd7baf51b58 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Thu, 1 Feb 2024 13:01:23 +0100
+Subject: [PATCH 2/2] prevent multilib conflicts on the curl-config script

 ---
 curl-config.in     | 23 +++++------------------
@ -10,7 +10,7 @@ Subject: [PATCH] prevent multilib conflicts on the curl-config script
 3 files changed, 9 insertions(+), 19 deletions(-)

 diff --git a/curl-config.in b/curl-config.in
-index 150004d..95d0759 100644
+index 54f92d9..15a60da 100644
 --- a/curl-config.in
 +++ b/curl-config.in
@@ -78,7 +78,7 @@ while test $# -gt 0; do
@ -60,22 +60,22 @@ index 150004d..95d0759 100644
 
     *)
 diff --git a/docs/curl-config.1 b/docs/curl-config.1
-index 14a9d2b..ffcc004 100644
+index c142cb9..0e189b4 100644
 --- a/docs/curl-config.1
 +++ b/docs/curl-config.1
-@@ -72,7 +72,9 @@ no, one or several names. If more than one name, they will appear
- comma-separated. (Added in 7.58.0)
- .IP "--static-libs"
+@@ -48,7 +48,9 @@ no, one or several names. If more than one name, they will appear
+ comma\-separated. (Added in 7.58.0)
+ .IP --static-libs
 Shows the complete set of libs and other linker options you will need in order
 -to link your application with libcurl statically. (Added in 7.17.1)
 +to link your application with libcurl statically. Note that Fedora/RHEL libcurl
 +packages do not provide any static libraries, thus cannot be linked statically.
 +(Added in 7.17.1)
- .IP "--version"
+ .IP --version
 Outputs version information about the installed libcurl.
- .IP "--vernum"
+ .IP --vernum
 diff --git a/libcurl.pc.in b/libcurl.pc.in
-index 2ba9c39..f8f8b00 100644
+index 9db6b0f..dcac692 100644
 --- a/libcurl.pc.in
 +++ b/libcurl.pc.in
@@ -31,6 +31,7 @@ libdir=@libdir@
@ -87,5 +87,5 @@ index 2ba9c39..f8f8b00 100644
 Name: libcurl
 URL: https://curl.se/
 -- 
-2.26.2
+2.43.0

--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 8.5.0
-Release: 2%{?dist}
+Version: 8.6.0
+Release: 1%{?dist}
 License: curl
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@ -10,8 +10,8 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc

-# add missing test script tests/errorcodes.pl to the tarball
-Patch001: 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch
+# remove duplicate content from curl-config.1
+Patch001: 0001-curl-8.6.0-remove-duplicate-content.patch

 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -371,6 +371,10 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish

 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la

+# Don't install man for mk-ca-bundle it's upstream bug
+# should be fixed in next release https://github.com/curl/curl/pull/12843
+rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1*
+
 %ldconfig_scriptlets -n libcurl

 %ldconfig_scriptlets -n libcurl-minimal
@ -413,6 +417,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Thu Feb 01 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2024-0853 - OCSP verification bypass with TLS session reuse
+- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix)
+- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843)
+
 * Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 8.5.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (curl-8.5.0.tar.xz) = acffa2cf61d9b8e4188575a1b40227da8d722df2e5fe8bb82a222b4eb2fd64bf8aebd90852ce050c79fb5e517d5cee2546bf7de92ede1dd394263e231cb741a3
-SHA512 (curl-8.5.0.tar.xz.asc) = 9c6a2e61860878cd731d951fac1bb52cd314db20439a5173a95b48da1742737e02bfb9978d65e25de6535f839e281235203599a29f252e78e0d7a83769727329
+SHA512 (curl-8.6.0.tar.xz) = 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036
+SHA512 (curl-8.6.0.tar.xz.asc) = 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f