new upstream release - 7.72.0

Resolves: CVE-2020-8231 - libcurl: wrong connect-only connection
2020-08-19 12:06:12 +02:00 · 2020-08-19 12:06:12 +02:00 · e7a12a6b7b
commit e7a12a6b7b
parent 840be82e6f
8 changed files with 20 additions and 237 deletions
--- a/0001-curl-7.71.1-tool-krb-opt.patch
+++ b/0001-curl-7.71.1-tool-krb-opt.patch
@ -1,65 +0,0 @@
 From a58654cbc5bea608b9c8729703a6d866ffaae8d8 Mon Sep 17 00:00:00 2001
 From: Kamil Dudka <kdudka@redhat.com>
 Date: Thu, 2 Jul 2020 17:41:37 +0200
 Subject: [PATCH 1/2] tool_getparam: make --krb option work again
 It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301.
 Bug: https://bugzilla.redhat.com/1833193
 Closes #5640
 Upstream-commit: d2fd845c35922ca73b89c617597dd5c59772e16a
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 src/tool_getparam.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/tool_getparam.c b/src/tool_getparam.c
 index 3409621..9c6bc8a 100644
 --- a/src/tool_getparam.c
 +++ b/src/tool_getparam.c
@@ -813,7 +813,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
         break;
       case 'x': /* --krb */
         /* kerberos level string */
 -        if(curlinfo->features & CURL_VERSION_KERBEROS4)
 +        if(curlinfo->features & CURL_VERSION_SPNEGO)
           GetStr(&config->krblevel, nextarg);
         else
           return PARAM_LIBCURL_DOESNT_SUPPORT;
 -- 
 2.21.3
 From 0be44560dfe3597a12b21b95798f69714ff0459a Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 2 Jul 2020 23:46:40 +0200
 Subject: [PATCH 2/2] curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
 This came up in #5640. It make sense to clarify this in the docs!
 Reminded-by: Kamil Dudka
 Closes #5642
 Upstream-commit: 54f21be2e3a64b9e57130cf6d1eb4f17c44d7967
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 docs/libcurl/curl_version_info.3 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/docs/libcurl/curl_version_info.3 b/docs/libcurl/curl_version_info.3
 index 2d21dfb..0d26e87 100644
 --- a/docs/libcurl/curl_version_info.3
 +++ b/docs/libcurl/curl_version_info.3
@@ -151,7 +151,7 @@ letters. (Added in 7.12.0)
 .IP CURL_VERSION_IPV6
 supports IPv6
 .IP CURL_VERSION_KERBEROS4
 -supports Kerberos V4 (when using FTP)
 +supports Kerberos V4 (when using FTP). Legacy bit. Deprecated since 7.33.0.
 .IP CURL_VERSION_KERBEROS5
 supports Kerberos V5 authentication for FTP, IMAP, POP3, SMTP and SOCKSv5 proxy
 (Added in 7.40.0)
 -- 
 2.21.3
--- a/0002-curl-7.71.1-unset-nobody.patch
+++ b/0002-curl-7.71.1-unset-nobody.patch
@ -1,148 +0,0 @@
 From 750188fc8eb239f51255d6f3510f544377e78ecd Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 27 Jul 2020 11:44:01 +0200
 Subject: [PATCH 1/3] setopt: unset NOBODY switches to GET if still HEAD
 Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
 action but before 7.71.0 that used to switch back to GET and with this
 change (assuming the method is still set to HEAD) this behavior is
 brought back.
 Reported-by: causal-agent on github
 Fixes #5725
 Closes #5728
 Upstream-commit: 91cb16b21faa556d4467399781379ad3abafd3fe
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 lib/setopt.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/lib/setopt.c b/lib/setopt.c
 index 90edf6a..d621335 100644
 --- a/lib/setopt.c
 +++ b/lib/setopt.c
@@ -274,6 +274,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
     if(data->set.opt_no_body)
       /* in HTTP lingo, no body means using the HEAD request... */
       data->set.method = HTTPREQ_HEAD;
 +    else if(data->set.method == HTTPREQ_HEAD)
 +      data->set.method = HTTPREQ_GET;
     break;
   case CURLOPT_FAILONERROR:
     /*
 -- 
 2.25.4
 From 44add6f66c7ddec9f002fb52ce8e893a8ca9165d Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 27 Jul 2020 11:54:29 +0200
 Subject: [PATCH 2/3] CURLOPT_NOBODY.3: clarify what setting to 0 means
 ... and mention that HTTP with other methods than HEAD might get a body and
 there's no option available to stop that.
 Closes #5729
 Upstream-commit: e1bac81cc815f3fe968e009eb69b8e0236dcd82c
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 docs/libcurl/opts/CURLOPT_NOBODY.3 | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
 diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
 index f720f49..3674dde 100644
 --- a/docs/libcurl/opts/CURLOPT_NOBODY.3
 +++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
 -.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
 +.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -34,7 +34,17 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
 libcurl do a HEAD request. For most other protocols it means just not asking
 to transfer the body data.
 -Enabling this option means asking for a download but without a body.
 +For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
 +option (with 0) will make it a GET again - only if the method is still set to
 +be HEAD. The proper way to get back to a GET request is to set
 +\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
 +options.
 +
 +Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
 +
 +If you do a transfer with HTTP that involves a method other than HEAD, you
 +will get a body (unless the resource and server sends a zero byte body for the
 +specific URL you request).
 .SH DEFAULT
 0, the body is transferred
 .SH PROTOCOLS
@@ -43,9 +53,9 @@ Most
 .nf
 curl = curl_easy_init();
 if(curl) {
 -  curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
 +  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
 -  /* get us the resource without a body! */
 +  /* get us the resource without a body - use HEAD! */
   curl_easy_setopt(curl, CURLOPT_NOBODY, 1L);
   /* Perform the request */
@@ -57,5 +67,5 @@ Always
 .SH RETURN VALUE
 Returns CURLE_OK
 .SH "SEE ALSO"
 -.BR CURLOPT_HTTPGET "(3), " CURLOPT_POST "(3), "
 -.BR CURLOPT_REQUEST_TARGET "(3), "
 +.BR CURLOPT_HTTPGET "(3), " CURLOPT_POSTFIELDS "(3), " CURLOPT_UPLOAD "(3), "
 +.BR CURLOPT_REQUEST_TARGET "(3), " CURLOPT_MIMEPOST "(3), "
 -- 
 2.25.4
 From cc8e488c83254013a0ad1149a77565723aee870b Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Mon, 27 Jul 2020 23:59:00 +0200
 Subject: [PATCH 3/3] CURLOPT_NOBODY.3: fix the syntax for referring to options
 As test 1140 fails otherwise!
 Follow-up to e1bac81cc815
 Upstream-commit: 34e5ad21d2cb98475acdbf7a3a6ea973d8c12249
 Signed-off-by: Kamil Dudka <kdudka@redhat.com>
 ---
 docs/libcurl/opts/CURLOPT_NOBODY.3 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
 index 3674dde..112fb1a 100644
 --- a/docs/libcurl/opts/CURLOPT_NOBODY.3
 +++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
@@ -34,13 +34,13 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
 libcurl do a HEAD request. For most other protocols it means just not asking
 to transfer the body data.
 -For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
 +For HTTP operations when \fICURLOPT_NOBODY(3)\fP has been set, unsetting the
 option (with 0) will make it a GET again - only if the method is still set to
 be HEAD. The proper way to get back to a GET request is to set
 -\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
 +\fICURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
 options.
 -Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
 +Enabling \fICURLOPT_NOBODY(3)\fP means asking for a download without a body.
 If you do a transfer with HTTP that involves a method other than HEAD, you
 will get a body (unless the resource and server sends a zero byte body for the
 -- 
 2.25.4
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@ -31,7 +31,7 @@ index 150004d..95d0759 100644
 -        else
 -           CURLLIBDIR=""
 -        fi
-        if test "X@ENABLE_SHARED@" = "Xno" -o "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
+-        if test "X@ENABLE_SHARED@" = "Xno"; then
 -          echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
 -        else
 -          echo ${CURLLIBDIR}-lcurl
--- a/0105-curl-7.63.0-lib1560-valgrind.patch
+++ b/0105-curl-7.63.0-lib1560-valgrind.patch
@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
 index 080421b..ea3b806 100644
 --- a/tests/libtest/Makefile.inc
 +++ b/tests/libtest/Makefile.inc
-@@ -590,6 +590,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+@@ -594,6 +594,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 lib1559_LDADD = $(TESTUTIL_LIBS)
 lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
--- a/curl-7.71.1.tar.xz.asc
+++ b/curl-7.71.1.tar.xz.asc
@ -1,11 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl78MUgACgkQXMkI/bce
 EsJkEgf/ZDR7QKw9aPQoT2dOyqoCTKip1fLCtJBEOmctjS86zF+1caPABYLV1kq6
 9baz7L2qWOmDdHkxF4poTpPH9CkcG3Krq6lHFjbFQ0GxMC+MEnnFYKfDVrRopaKq
 ioBUnZrRSIytgwbiwxB+uxxa4ItzV6tZNVKIiIZOuuVSAZ9azA/swpezet8x2kxg
 yp1Y3oe0R1VCYiCJ2EOB/rMs0ndPHSRuWiCCIBK7uPXA0jJsL4rjhmY5l2qAadfy
 6iDpk85CJvQcGcC8nZMmpbivniOjIjEefjeXviLvg5dZi7f3M028QyGpkkUVzf27
 FiWCDZuZkp9ed2eLIBGWo/wy70f2pw==
 =0YwO
 -----END PGP SIGNATURE-----
--- a/curl-7.72.0.tar.xz.asc
+++ b/curl-7.72.0.tar.xz.asc
@ -0,0 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl881xgACgkQXMkI/bce
 EsIjuwgAj6aeQgnWkubxxXAQ2kbckLh6QUKZWJQxPjb91kz98cGRcrdGRP292JFN
 qQprls4rFTWWOIVVMP/kdheeNI9LqDvQAfZMCaLFAWUdw1L2pbId7VbV+NuTAce8
 V/ENqh+Xj2q2LsMnj02k0Uc1e6Nh1K4al2hwFiozarI/ltb3q7jZN2P2fAmDX89y
 f3VsVfNZgv7VIwlX2d3b1RvMdppMFrDC3ZsAXlg2GQZ5sE7yfa2Qq+J5RzaNvEDh
 p3pMbPiNgk1ZuGQrzoiYq9tqK/o7pD2t4h2GsftppALxC3SsoneNrdnly910IfKh
 8qczoMpszBs8F7jts6KnfXszyhyyhQ==
 =sC+U
 -----END PGP SIGNATURE-----
--- a/curl.spec
+++ b/curl.spec
@ -1,16 +1,10 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.71.1
+Version: 7.72.0
-Release: 5%{?dist}
+Release: 1%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 # curl: make the --krb option work again (#1833193)
 Patch1:   0001-curl-7.71.1-tool-krb-opt.patch
 # setopt: unset NOBODY switches to GET if still HEAD
 Patch2:   0002-curl-7.71.1-unset-nobody.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -178,8 +172,6 @@ be installed.
 %setup -q
 # upstream patches
 %patch1 -p1
 %patch2 -p1
 # Fedora patches
 %patch101 -p1
@ -358,6 +350,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
 * Wed Aug 19 2020 Kamil Dudka <kdudka@redhat.com> - 7.72.0-1
 - new upstream release, which fixes the following vulnerability
    CVE-2020-8231 - libcurl: wrong connect-only connection
 * Thu Aug 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-5
 - setopt: unset NOBODY switches to GET if still HEAD
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (curl-7.71.1.tar.xz) = 631e0ee8562e5029fe022bfab4222836a3e6d666e82e2bfbd78311fe5985105218a36d1ea68c93472fc57a12b713957a3bcca6e385eda4e58a47ca8d5d50265b
+SHA512 (curl-7.72.0.tar.xz) = e5025a32eac6108ccb13d1fcce9c2de28b3a6d6e9a258a647c4be45d71718f75653e1ccd477ef5f29242a15588255c4ef43fe47bf9908b938b6769fccfaac107
`@ -1 +1 @@`
	`SHA512 (curl-7.71.1.tar.xz) = 631e0ee8562e5029fe022bfab4222836a3e6d666e82e2bfbd78311fe5985105218a36d1ea68c93472fc57a12b713957a3bcca6e385eda4e58a47ca8d5d50265b`	`SHA512 (curl-7.72.0.tar.xz) = e5025a32eac6108ccb13d1fcce9c2de28b3a6d6e9a258a647c4be45d71718f75653e1ccd477ef5f29242a15588255c4ef43fe47bf9908b938b6769fccfaac107`