new upstream release - 7.88.0

Resolves: CVE-2023-23916 - HTTP multi-header compression denial of service
Resolves: CVE-2023-23915 - HSTS amnesia with --parallel
Resolves: CVE-2023-23914 - HSTS ignored on multiple requests
Kamil Dudka 2023-02-15 10:05:29 +01:00
parent 8ff989f4fd
commit 98c91c9f34
3 changed files with 10 additions and 63 deletions

@ -1,55 +0,0 @@
From 613d3c45879636e88b88fcebee48dc77de345291 Mon Sep 17 00:00:00 2001
From: Patrick Monnerat <patrick@monnerat.net>
Date: Fri, 23 Dec 2022 15:35:27 +0100
Subject: [PATCH] typecheck: accept expressions for option/info parameters
As expressions can have side effects, evaluate only once.
To enable deprecation reporting only once, get rid of the __typeof__
use to define the local temporary variable and use the target type
(CURLoption/CURLINFO). This also avoids multiple reports on type
conflicts (if some) by the curlcheck_* macros.
Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not
their values: a curl_easy_setopt call with an integer constant as option
will never report a deprecation.
Reported-by: Thomas Klausner
Fixes #10148
Closes #10149
Upstream-commit: e2aed004302e51cfa5b6ce8c8ab65ef92aa83196
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
include/curl/typecheck-gcc.h | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h
index bf655bb..85aa8b7 100644
--- a/include/curl/typecheck-gcc.h
+++ b/include/curl/typecheck-gcc.h
@@ -42,9 +42,8 @@
*/
#define curl_easy_setopt(handle, option, value) \
__extension__({ \
- CURL_IGNORE_DEPRECATION(__typeof__(option) _curl_opt = option;) \
+ CURLoption _curl_opt = (option); \
if(__builtin_constant_p(_curl_opt)) { \
- (void) option; \
CURL_IGNORE_DEPRECATION( \
if(curlcheck_long_option(_curl_opt)) \
if(!curlcheck_long(value)) \
@@ -120,9 +119,8 @@
/* wraps curl_easy_getinfo() with typechecking */
#define curl_easy_getinfo(handle, info, arg) \
__extension__({ \
- CURL_IGNORE_DEPRECATION(__typeof__(info) _curl_info = info;) \
+ CURLINFO _curl_info = (info); \
if(__builtin_constant_p(_curl_info)) { \
- (void) info; \
CURL_IGNORE_DEPRECATION( \
if(curlcheck_string_info(_curl_info)) \
if(!curlcheck_arr((arg), char *)) \
--
2.39.0
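Review bot: dropping this backport is only correct if the upstream commit it names, e2aed004302e51cfa5b6ce8c8ab65ef92aa83196 (Fixes #10148), is actually contained in the 7.88.0 tarball this commit rebases onto; the patch is dated 2022-12-23, before the 7.88.0 release, so that is expected, but it should be confirmed by checking include/curl/typecheck-gcc.h in the unpacked 7.88.0 sources for the `CURLoption _curl_opt = (option);` form rather than inferred from the date. Note also that the removed file is rendered here without leading `-` markers, so the inner `@@ -42,9 +42,8 @@` and `@@ -120,9 +119,8 @@` hunks are the content of the deleted patch, not changes made by this commit.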

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.87.0 Version: 7.88.0
Release: 4%{?dist} Release: 1%{?dist}
License: MIT License: MIT
Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source0: https://curl.se/download/%{name}-%{version}.tar.xz
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
Source2: mykey.asc Source2: mykey.asc
# fix regression in a public header file (#2162716)
Patch1: 0001-curl-7.87.0-header-file-regression.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
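Review bot: removing the Patch1 line and its `# fix regression in a public header file (#2162716)` comment is consistent with deleting 0001-curl-7.87.0-header-file-regression.patch, but the Bugzilla reference disappears from the spec header with it; since the 7.87.0-4 changelog entry still cites #2162716, that is acceptable, though the new 7.88.0-1 changelog entry could state that the regression fix is now carried upstream so the bug remains traceable from the spec alone.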
@ -200,7 +197,6 @@ be installed.
%setup -q %setup -q
# upstream patches # upstream patches
%patch1 -p1
# Fedora patches # Fedora patches
%patch101 -p1 %patch101 -p1
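Review bot: the `# upstream patches` comment in %prep is kept with no `%patch` line under it after `%patch1 -p1` is removed; this is harmless as a placeholder for future backports, but it should stay paired with the header section, so either keep a matching `# upstream patches` comment above the Patch1 slot in the header (where the Patch1 line and its comment were just dropped) or remove both comments together.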
@ -435,6 +431,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog %changelog
* Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.88.0-1
- new upstream release, which fixes the following vulnerabilities
CVE-2023-23916 - HTTP multi-header compression denial of service
CVE-2023-23915 - HSTS amnesia with --parallel
CVE-2023-23914 - HSTS ignored on multiple requests
* Fri Jan 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.87.0-4 * Fri Jan 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.87.0-4
- fix regression in a public header file (#2162716) - fix regression in a public header file (#2162716)
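Review bot: the new 7.88.0-1 changelog entry lists the three CVEs but, unlike the 7.87.0-4 entry below it, gives no Bugzilla references; if tracker bugs exist for these CVEs, appending them in the `(#NNNNNNN)` form used by the previous entry makes the fix discoverable from `rpm -q --changelog curl`. The CVE lines intentionally carry no leading `-`, matching the continuation style of the existing changelog, so no change is needed there.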

@ -1,2 +1,2 @@
SHA512 (curl-7.87.0.tar.xz) = aa125991592667280dce3788aabe81487cf8c55b0afc59d675cc30b76055bb7114f5380b4a0e3b6461a8f81bf9812fa26d493a85f7e01d84263d484a0d699ee7 SHA512 (curl-7.88.0.tar.xz) = 2008cbc67694f746b7449f087a19b2a9a4950333d6bac1cdc7d80351aa38d8d9b442087dedbc7b0909a419d3b10f510521c942aac012d04a53c32bdb15dce5f0
SHA512 (curl-7.87.0.tar.xz.asc) = 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4 SHA512 (curl-7.88.0.tar.xz.asc) = 6f3d9a5f8fcec64652f872adf994ff3d0162fba1b483a0e359522173bf29ef3d26eeda7c328207fa1fa974a45e62674a3a8ebec21830ab3981b56851d5804ade
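Review bot: these SHA512 entries only pin what was uploaded to the lookaside cache; authenticity of curl-7.88.0.tar.xz rests on the detached signature (Source1, curl-7.88.0.tar.xz.asc) verifying against the key pinned in Source2 (mykey.asc) during the build, so the signature should be checked locally against that exact key file before the new hashes are committed, and it is worth confirming that mykey.asc (the spec comment dates it to April 2016) still covers the key used to sign the 7.88.0 release.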