diff --git a/0001-curl-7.66.0-metalink-memleak.patch b/0001-curl-7.66.0-metalink-memleak.patch
deleted file mode 100644
index 16c8ae2..0000000
--- a/0001-curl-7.66.0-metalink-memleak.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 855ebacdffbc421b121563ae1ecd9fde736bfaf2 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Wed, 11 Sep 2019 16:32:11 +0200
-Subject: [PATCH] curl: fix memory leaked by parse_metalink()
-
-This commit fixes a regression introduced by curl-7_65_3-5-gb88940850.
-Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind
-and libmetalink enabled.
-
-Closes #4326
-
-Upstream-commit: 1ca91bcdb588dc6c25d345f2411fdba314433732
-Signed-off-by: Kamil Dudka
----
- src/tool_metalink.c | 2 +-
- src/tool_metalink.h | 3 +++
- src/tool_operate.c | 4 ++++
- 3 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/tool_metalink.c b/src/tool_metalink.c
-index 0740407f9..cd5a7d650 100644
---- a/src/tool_metalink.c
-+++ b/src/tool_metalink.c
-@@ -965,7 +965,7 @@ static void delete_metalink_resource(metalink_resource *res)
- Curl_safefree(res);
- }
-
--static void delete_metalinkfile(metalinkfile *mlfile)
-+void delete_metalinkfile(metalinkfile *mlfile)
- {
- metalink_resource *res;
- if(mlfile == NULL) {
-diff --git a/src/tool_metalink.h b/src/tool_metalink.h
-index 1e367033c..f5ec306f7 100644
---- a/src/tool_metalink.h
-+++ b/src/tool_metalink.h
-@@ -105,6 +105,8 @@ extern const digest_params SHA256_DIGEST_PARAMS[1];
- * Counts the resource in the metalinkfile.
- */ - int count_next_metalink_resource(metalinkfile *mlfile); -+ -+void delete_metalinkfile(metalinkfile *mlfile); - void clean_metalink(struct OperationConfig *config); - - /* -@@ -158,6 +160,7 @@ void metalink_cleanup(void); - #else /* USE_METALINK */ - - #define count_next_metalink_resource(x) 0 -+#define delete_metalinkfile(x) (void)x - #define clean_metalink(x) (void)x - - /* metalink_cleanup() takes no arguments */ -diff --git a/src/tool_operate.c b/src/tool_operate.c -index d2ad9642d..09dfc0c84 100644 ---- a/src/tool_operate.c -+++ b/src/tool_operate.c -@@ -2073,6 +2073,10 @@ static CURLcode serial_transfers(struct GlobalConfig *global, - result = post_transfer(global, share, per, result, &retry); - if(retry) - continue; -+ -+ /* Release metalink related resources here */ -+ delete_metalinkfile(per->mlfile); -+ - per = del_transfer(per); - - /* Bail out upon critical errors or --fail-early */ --- -2.20.1 - diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index affe9f0..53022e1 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16301,18 +16301,11 @@ $as_echo "yes" >&6; } +@@ -16331,18 +16331,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0103-curl-7.59.0-python3.patch b/0103-curl-7.59.0-python3.patch index 56485fe..55bf4a9 100644 --- a/0103-curl-7.59.0-python3.patch +++ b/0103-curl-7.59.0-python3.patch @@ -9,8 +9,7 @@ there is no 'impacket' module available for Python 3: https://github.com/CoreSecurity/impacket/issues/61 --- tests/negtelnetserver.py | 4 ++-- - tests/smbserver.py | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) + 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py index 8cfd409..72ee771 100755 @@ -30,28 +29,6 @@ index 8cfd409..72ee771 100755 except IOError: log.exception("IOError hit during request") -diff --git a/tests/smbserver.py b/tests/smbserver.py -index 195ae39..b09cd44 100755 ---- a/tests/smbserver.py -+++ b/tests/smbserver.py -@@ -24,7 +24,7 @@ - from __future__ import (absolute_import, division, print_function) - # unicode_literals) - import argparse --import ConfigParser -+import configparser - import os - import sys - import logging -@@ -58,7 +58,7 @@ def smbserver(options): - f.write("{0}".format(pid)) - - # Here we write a mini config for the server -- smb_config = ConfigParser.ConfigParser() -+ smb_config = configparser.ConfigParser() - smb_config.add_section("global") - smb_config.set("global", "server_name", "SERVICE") - smb_config.set("global", "server_os", "UNIX") -- 2.14.3 diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 6d05c67..8121ee6 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -531,6 +531,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -534,6 +534,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) diff --git a/curl-7.66.0.tar.xz.asc b/curl-7.66.0.tar.xz.asc deleted file mode 100644 index 83e8258..0000000 --- a/curl-7.66.0.tar.xz.asc +++ /dev/null 
@@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl14i4AACgkQXMkI/bce -EsJwgwf/WauX31s687pdOgpPE4ymPuxIrdVl+NovWdOBdQQfIA0c/4lu4onJYPAT -K6wq86me5y8fj/Q3ymqQ3H1EcJE2vTHPx/w+zEHNsEILtBMFHdm84CJzhdLlI1GC -9iBkjVKk/2s0tBOdC3HuskYLY2y02dHACvTvDJjx42nK4IbsdjoamVdMa7vep1TG -abmLRNHkOHKjioYWi0N04c5H5YDpdWOOjFY+EPO+m+YQuJlYkgw90nlmOaqiLcHL -3zGCMNXb209wxuNEVKenlhPQ/3FQZ9+8a4b6mMqBX7PDwhDiZLhqIJgVseWdw1r0 -Qm2suW4eUtlC2DTqTMtusG7EMN8pag== -=pFLb ------END PGP SIGNATURE----- diff --git a/curl-7.67.0.tar.xz.asc b/curl-7.67.0.tar.xz.asc new file mode 100644 index 0000000..e44cfc6 --- /dev/null +++ b/curl-7.67.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl3CauAACgkQXMkI/bce +EsKe7Qf+Py/Wufz3AqqpJ1Xr0oigaV1Sa5AAyRD+KX8jwSJTRaRahaECGMhmR9vh +kBaMFtycctCKcK1masI9GSeTX5nCtmaWzELLsBXynm/l2W+hrW1AD2R++YuM384t +O078GxgsgRH0m8MacSKoV5yPOv/h9URnVMTavkAIfnW50vw17akDZ9MW2NhJzKpP +s6GgWTMB5gomTHlnlHjTjtNoVbKKrV4v9YyRwqzI3XHXYtYOA7iufP4wnT+dpSm5 +ZLdbg5Nq+1pCTEiMg3KZKYNriypoLJuWuSF+bKc54CGN63eoUxXgU6js9ViHS5JS +3dPfzzRA8wgROem58QhHnrR9c2CmdQ== +=5gov +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 62a4980..9d85067 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.66.0 +Version: 7.67.0 Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# fix memory leaked by parse_metalink() -Patch1: 0001-curl-7.66.0-metalink-memleak.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -174,7 +171,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 
@@ -350,6 +346,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Nov 06 2019 Kamil Dudka - 7.67.1-1 +- new upstream release + * Wed Sep 11 2019 Kamil Dudka - 7.66.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2019-5481 - double free due to subsequent call of realloc() diff --git a/sources b/sources index aea53b9..16e8545 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.66.0.tar.xz) = 81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 +SHA512 (curl-7.67.0.tar.xz) = 1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29
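Review bot: The added %changelog entry is stamped `7.67.1-1`, but this commit sets `Version: 7.67.0` with `Release: 1%{?dist}`, and the new signature file and `sources` entry are both for curl-7.67.0.tar.xz, so the entry names a build this spec does not produce. The entry header should end in `- 7.67.0-1`. The changelog is where readers map a package build to an upstream release (the previous entry lists its CVE fixes there), so a wrong version string here can mislead patch-level tracking; rpmlint reports this kind of mismatch as `incoherent-version-in-changelog`.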