From c0b70e927f358df34598d6ab38da54ea04676a2e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 17 May 2023 09:28:55 +0200 Subject: [PATCH] new upstream release - 8.1.0 Resolves: CVE-2023-28321 - IDN wildcard match Resolves: CVE-2023-28322 - more POST-after-PUT confusion --- 0103-curl-7.87.0-test3012.patch | 2 +- 0104-curl-7.88.0-tests-warnings.patch | 10 +-- 0105-curl-8.0.1-tests-stunnel-port.patch | 97 ------------------------ curl.spec | 13 ++-- sources | 4 +- 5 files changed, 16 insertions(+), 110 deletions(-) delete mode 100644 0105-curl-8.0.1-tests-stunnel-port.patch diff --git a/0103-curl-7.87.0-test3012.patch b/0103-curl-7.87.0-test3012.patch index 108d715..1de7ff3 100644 --- a/0103-curl-7.87.0-test3012.patch +++ b/0103-curl-7.87.0-test3012.patch @@ -38,7 +38,7 @@ index 1889c93..ea43a49 100644 --- a/tests/data/test3012 +++ b/tests/data/test3012 @@ -56,5 +56,9 @@ Accept: */* - + -foo- + diff --git a/0104-curl-7.88.0-tests-warnings.patch b/0104-curl-7.88.0-tests-warnings.patch index dff89f9..04b2ba2 100644 --- a/0104-curl-7.88.0-tests-warnings.patch +++ b/0104-curl-7.88.0-tests-warnings.patch @@ -15,16 +15,16 @@ diff --git a/tests/runtests.pl b/tests/runtests.pl index 71644ad18..0cf85c3fe 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl -@@ -75,8 +75,7 @@ BEGIN { - } +@@ -55,8 +55,7 @@ + # given, this won't be a problem. use strict; -# Promote all warnings to fatal -use warnings FATAL => 'all'; +use warnings; - use Cwd; - use Digest::MD5 qw(md5); - use MIME::Base64; + use 5.006; + + # These should be the only variables that might be needed to get edited: -- 2.39.1 diff --git a/0105-curl-8.0.1-tests-stunnel-port.patch b/0105-curl-8.0.1-tests-stunnel-port.patch deleted file mode 100644 index 47d1419..0000000 --- a/0105-curl-8.0.1-tests-stunnel-port.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From c9a1d18e5f8f28b90c1b2fcc1f15699327067e59 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 21 Apr 2023 17:44:10 +0200 -Subject: [PATCH] tests/runtests.pl: attempt to fix a conflict on port numbers - -... where stunnel listens for legacy HTTPS and HTTP/2, which manifests -as a hard-to-explain failure of the following tests: 1630 1631 1632 1904 -1941 1945 2050 2055 3028 -``` -[...] -startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642 -RUN: HTTPS server is PID 114398 port 24642 -* pid https => 114398 114402 -[...] -startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642 -startnew: child process has died, server might start up -Warning: http2 server unexpectedly alive -RUN: Process with pid 73992 signalled to die -RUN: Process with pid 73992 forced to die with SIGKILL -== Contents of files in the log/ dir after test 1630 -=== Start of file http2_server.log - 14:01:21.881018 exit_signal_handler: 15 - 14:01:21.881372 signalled to die - 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15) -=== End of file http2_server.log -=== Start of file https2_stunnel.log - [ ] Initializing inetd mode configuration - [ ] Clients allowed=500 - [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform - [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023 - [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI - [ ] errno: (*__errno_location ()) - [ ] Initializing inetd mode configuration - [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf - [.] UTF-8 byte order mark not detected - [.] 
FIPS mode disabled - [ ] Compression disabled - [ ] No PRNG seeding was required - [ ] Initializing service [curltest] - [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly. - [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly - [ ] stunnel default security level set: 2 - [ ] Ciphers: PROFILE=SYSTEM - [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 - [ ] TLS options: 0x2100000 (+0x0, -0x0) - [ ] Session resumption enabled - [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Private key check succeeded - [!] No trusted certificates found - [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384 - [ ] DH initialization - [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem - [ ] Using dynamic DH parameters - [ ] ECDH initialization - [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 - [.] Configuration successful - [ ] Deallocating deployed section defaults - [ ] Binding service [curltest] - [ ] Listening file descriptor created (FD=8) - [ ] Setting accept socket options (FD=8) - [ ] Option SO_REUSEADDR set on accept socket - [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98) - [ ] Listening file descriptor created (FD=8) - [ ] Setting accept socket options (FD=8) - [ ] Option SO_REUSEADDR set on accept socket - [.] Binding service [curltest] to :::24642: Address already in use (98) - [!] 
Binding service [curltest] failed - [ ] Unbinding service [curltest] - [ ] Service [curltest] closed - [ ] Deallocating deployed section defaults - [ ] Deallocating section [curltest] - [ ] Initializing inetd mode configuration -=== End of file https2_stunnel.log -``` ---- - tests/runtests.pl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index 54f6923..bb362c9 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -1802,7 +1802,7 @@ sub runhttpsserver { - - my $pid2; - my $httpspid; -- my $port = 24512; # start attempt -+ my $port = 24512 * $idnum; # start attempt - for (1 .. 10) { - $port += int(rand(600)); - my $options = "$flags --accept $port"; --- -2.39.2 - diff --git a/curl.spec b/curl.spec index b41cf59..6caa923 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.0.1 -Release: 3%{?dist} +Version: 8.1.0 +Release: 1%{?dist} License: curl Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc @@ -22,9 +22,6 @@ Patch103: 0103-curl-7.87.0-test3012.patch # do not fail on warnings in the upstream test driver Patch104: 0104-curl-7.88.0-tests-warnings.patch -# tests: attempt to fix a conflict on port numbers -Patch105: 0105-curl-8.0.1-tests-stunnel-port.patch - Provides: curl-full = %{version}-%{release} Provides: webclient URL: https://curl.se/ @@ -84,6 +81,7 @@ BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) BuildRequires: perl(IPC::Open2) +BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) BuildRequires: perl(Time::Local) BuildRequires: perl(Time::HiRes) 
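Review bot: The removal of `Patch105: 0105-curl-8.0.1-tests-stunnel-port.patch` in the `@@ -22,9 +22,6 @@` hunk of curl.spec is undocumented on the new side: the commit message lists only the two CVEs and the new %changelog entry in the later hunk does not mention the dropped patch, so a reader cannot tell whether upstream 8.1.0 fixed the stunnel port conflict that 0105 worked around or the workaround was simply abandoned. Please add a changelog line such as `- drop 0105-curl-8.0.1-tests-stunnel-port.patch (<reason, e.g. fixed upstream — confirm>)` and, if the fix is upstream, name the upstream change in the commit message. The same applies to the added `BuildRequires: perl(Memoize)` in the `@@ -84,6 +81,7 @@` hunk, which presumably tracks a new dependency of the 8.1.0 test driver but is not mentioned either.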
@@ -407,6 +405,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed May 17 2023 Kamil Dudka - 8.1.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-28321 - IDN wildcard match + CVE-2023-28322 - more POST-after-PUT confusion + * Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 - tests: re-enable temporarily disabled test-cases - tests: attempt to fix a conflict on port numbers diff --git a/sources b/sources index fe0a4ce..f60ca98 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (curl-8.0.1.tar.xz) = 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d -SHA512 (curl-8.0.1.tar.xz.asc) = 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf +SHA512 (curl-8.1.0.tar.xz) = b99926f372ddd715cd1d2b54d8fb96b26b085e6501715e25aa57b6c6a7f8452473506ddb284e2f280f8afdb301b7f0c3bfde7ad7ed393b12c022430a9301096d +SHA512 (curl-8.1.0.tar.xz.asc) = 191a74c7a6b6aa78b7f36e1535fda0701bde8b333a61c90343e1f1b2d65cc5097b5febc5fa42b2f373795ef1b34078790deaaa71c8aaa45eed1c753729a45f3d