Update to gnutls 3.7.3

Resolves: #2033220
Signed-off-by: Daiki Ueno <dueno@redhat.com>

.gitignore

@@ -135,3 +135,5 @@ gnutls-2.10.1-nosrp.tar.bz2
 /gnutls-3.7.1.tar.xz.sig
 /gnutls-3.7.2.tar.xz
 /gnutls-3.7.2.tar.xz.sig
+/gnutls-3.7.3.tar.xz
+/gnutls-3.7.3.tar.xz.sig

gnutls-3.7.1-aggressive-realloc-fixes.patch

@@ -1,84 +0,0 @@
-From e1cf5b8694b23cdc88f4a4a344f8262aa8ab0f8e Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Wed, 10 Mar 2021 16:11:29 +0100
-Subject: [PATCH 1/2] _gnutls_buffer_resize: account for unused area if
- AGGRESSIVE_REALLOC
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/str.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/str.c b/lib/str.c
-index 506fe1721..bc20ebb04 100644
---- a/lib/str.c
-+++ b/lib/str.c
-@@ -155,12 +155,12 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
- 
- 	unused = MEMSUB(dest->data, dest->allocd);
- 	dest->allocd =
--	    gnutls_realloc_fast(dest->allocd, new_size);
-+	    gnutls_realloc_fast(dest->allocd, new_size + unused);
- 	if (dest->allocd == NULL) {
- 		gnutls_assert();
- 		return GNUTLS_E_MEMORY_ERROR;
- 	}
--	dest->max_length = new_size;
-+	dest->max_length = new_size + unused;
- 	dest->data = dest->allocd + unused;
- 
- 	return 0;
--- 
-2.30.2
-
-
-From 78691bfe4555c4d610b405173987ed7515515d20 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Wed, 10 Mar 2021 16:12:23 +0100
-Subject: [PATCH 2/2] str: suppress -Wunused-function if AGGRESSIVE_REALLOC is
- defined
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/str.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/lib/str.c b/lib/str.c
-index bc20ebb04..8007340f1 100644
---- a/lib/str.c
-+++ b/lib/str.c
-@@ -87,15 +87,6 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str)
- 
- #define MIN_CHUNK 1024
- 
--static void align_allocd_with_data(gnutls_buffer_st * dest)
--{
--	assert(dest->allocd != NULL);
--	assert(dest->data != NULL);
--	if (dest->length)
--		memmove(dest->allocd, dest->data, dest->length);
--	dest->data = dest->allocd;
--}
--
- /**
-  * gnutls_buffer_append_data:
-  * @dest: the buffer to append to
-@@ -168,6 +159,15 @@ int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
- 
- #else
- 
-+static void align_allocd_with_data(gnutls_buffer_st * dest)
-+{
-+	assert(dest->allocd != NULL);
-+	assert(dest->data != NULL);
-+	if (dest->length)
-+		memmove(dest->allocd, dest->data, dest->length);
-+	dest->data = dest->allocd;
-+}
-+
- int _gnutls_buffer_resize(gnutls_buffer_st * dest, size_t new_size)
- {
- 	if (unlikely(dest->data != NULL && dest->allocd == NULL))
--- 
-2.30.2
-

gnutls-3.7.2-config-allowlisting-race.patch

@@ -1,254 +0,0 @@
-From dbdcc29ee9e31acaa8286f633a4f0c23abd09d03 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Tue, 26 Oct 2021 12:56:52 +0200
-Subject: [PATCH] priority: fix race condition when resolving SYSTEM in
- allowlisting
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/priority.c | 65 +++++++++++++++++++++++++++++++-------------------
- 1 file changed, 41 insertions(+), 24 deletions(-)
-
-diff --git a/lib/priority.c b/lib/priority.c
-index 20230e46d1..606443f1f9 100644
---- a/lib/priority.c
-+++ b/lib/priority.c
-@@ -39,6 +39,7 @@
- #include "profiles.h"
- #include "c-strcase.h"
- #include "inih/ini.h"
-+#include "locks.h"
- #include "profiles.h"
- #include "name_val_array.h"
- 
-@@ -1001,6 +1002,7 @@ static void dummy_func(gnutls_priority_t c)
- #include <priority_options.h>
- 
- static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN;
-+GNUTLS_STATIC_MUTEX(system_wide_priority_strings_mutex);
- static name_val_array_t system_wide_priority_strings = NULL;
- static char *system_wide_priority_string = NULL;
- static unsigned system_wide_priority_strings_init = 0;
-@@ -1727,6 +1729,9 @@ static int cfg_ini_handler(void *ctx, const char *section, const char *name, con
- 	return 1;
- }
- 
-+static int
-+resolve_priorities_from_system_wide_allowlisting(void);
-+
- static void _gnutls_update_system_priorities(void)
- {
- 	int ret;
-@@ -1734,17 +1739,19 @@ static void _gnutls_update_system_priorities(void)
- 	FILE *fp;
- 	struct cfg cfg;
- 
-+	GNUTLS_STATIC_MUTEX_LOCK(system_wide_priority_strings_mutex);
-+
- 	if (stat(system_priority_file, &sb) < 0) {
- 		_gnutls_debug_log("cfg: unable to access: %s: %d\n",
- 				  system_priority_file, errno);
--		return;
-+		goto out;
- 	}
- 
- 	if (system_wide_priority_strings_init != 0 &&
- 	    sb.st_mtime == system_priority_last_mod) {
- 		_gnutls_debug_log("cfg: system priority %s has not changed\n",
- 				  system_priority_file);
--		return;
-+		goto out;
- 	}
- 
- 	if (system_wide_priority_strings_init != 0)
-@@ -1757,7 +1764,7 @@ static void _gnutls_update_system_priorities(void)
- 	if (fp == NULL) {
- 		_gnutls_debug_log("cfg: unable to open: %s: %d\n",
- 				  system_priority_file, errno);
--		return;
-+		goto out;
- 	}
- 	/* Parsing the configuration file needs to be done in 2 phases: first
- 	 * parsing the [global] section and then the other sections, because the
-@@ -1781,16 +1788,30 @@ static void _gnutls_update_system_priorities(void)
- 				  system_priority_file, ret);
- 		if (fail_on_invalid_config)
- 			exit(1);
--		return;
-+		goto out;
- 	}
- 	cfg_apply(&cfg);
- 	cfg_deinit(&cfg);
- 
-+	if (system_wide_allowlisting) {
-+		ret = resolve_priorities_from_system_wide_allowlisting();
-+		if (ret < 0) {
-+			_gnutls_debug_log("cfg: unable to resolve system priority string: %s\n",
-+					  gnutls_strerror(ret));
-+			if (fail_on_invalid_config)
-+				exit(1);
-+			goto out;
-+		}
-+	}
-+
- 	_gnutls_debug_log("cfg: loaded system priority %s mtime %lld\n",
- 			  system_priority_file,
- 			  (unsigned long long)sb.st_mtime);
- 
- 	system_priority_last_mod = sb.st_mtime;
-+
-+ out:
-+	GNUTLS_STATIC_MUTEX_UNLOCK(system_wide_priority_strings_mutex);
- }
- 
- void _gnutls_load_system_priorities(void)
-@@ -1835,17 +1856,13 @@ const char *gnutls_get_system_config_file(void)
- 		return NULL;
- }
- 
--static const char *
-+static int
- resolve_priorities_from_system_wide_allowlisting(void)
- {
- 	gnutls_buffer_st buf;
- 	int ret;
- 	size_t i;
- 
--	if (system_wide_priority_string) {
--		return system_wide_priority_string;
--	}
--
- 	assert(system_wide_allowlisting);
- 
- 	_gnutls_buffer_init(&buf);
-@@ -1853,21 +1870,21 @@ resolve_priorities_from_system_wide_allowlisting(void)
- 	ret = _gnutls_buffer_append_str(&buf, "NONE");
- 	if (ret < 0) {
- 		_gnutls_buffer_clear(&buf);
--		return NULL;
-+		return ret;
- 	}
- 
- 	for (i = 0; system_wide_tls_kxs[i] != 0; i++) {
- 		ret = _gnutls_buffer_append_str(&buf, ":+");
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 
- 		ret = _gnutls_buffer_append_str(&buf,
- 						gnutls_kx_get_name(system_wide_tls_kxs[i]));
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 	}
- 
-@@ -1875,14 +1892,14 @@ resolve_priorities_from_system_wide_allowlisting(void)
- 		ret = _gnutls_buffer_append_str(&buf, ":+GROUP-");
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 
- 		ret = _gnutls_buffer_append_str(&buf,
- 						gnutls_group_get_name(system_wide_tls_groups[i]));
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 	}
- 
-@@ -1890,14 +1907,14 @@ resolve_priorities_from_system_wide_allowlisting(void)
- 		ret = _gnutls_buffer_append_str(&buf, ":+");
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 
- 		ret = _gnutls_buffer_append_str(&buf,
- 						gnutls_cipher_get_name(system_wide_tls_ciphers[i]));
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 	}
- 
-@@ -1905,14 +1922,14 @@ resolve_priorities_from_system_wide_allowlisting(void)
- 		ret = _gnutls_buffer_append_str(&buf, ":+");
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 
- 		ret = _gnutls_buffer_append_str(&buf,
- 						gnutls_mac_get_name(system_wide_tls_macs[i]));
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 	}
- 
-@@ -1920,14 +1937,14 @@ resolve_priorities_from_system_wide_allowlisting(void)
- 		ret = _gnutls_buffer_append_str(&buf, ":+SIGN-");
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 
- 		ret = _gnutls_buffer_append_str(&buf,
- 						gnutls_sign_get_name(system_wide_tls_sigs[i]));
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 	}
- 
-@@ -1935,14 +1952,14 @@ resolve_priorities_from_system_wide_allowlisting(void)
- 		ret = _gnutls_buffer_append_str(&buf, ":+VERS-");
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 
- 		ret = _gnutls_buffer_append_str(&buf,
- 						gnutls_protocol_get_name(system_wide_tls_vers[i]));
- 		if (ret < 0) {
- 			_gnutls_buffer_clear(&buf);
--			return NULL;
-+			return ret;
- 		}
- 	}
- 
-@@ -1950,7 +1967,7 @@ resolve_priorities_from_system_wide_allowlisting(void)
- 	system_wide_priority_string = gnutls_strdup((char *)buf.data);
- 	_gnutls_buffer_clear(&buf);
- 
--	return system_wide_priority_string;
-+	return ret;
- }
- 
- #define S(str) ((str!=NULL)?str:"")
-@@ -2010,7 +2027,7 @@ char *_gnutls_resolve_priorities(const char* priorities)
- 			if (system_wide_allowlisting &&
- 			    ss_len == sizeof(LEVEL_SYSTEM) - 1 &&
- 			    strncmp(LEVEL_SYSTEM, ss, ss_len) == 0) {
--				p = resolve_priorities_from_system_wide_allowlisting();
-+				p = system_wide_priority_string;
- 			} else {
- 				p = _name_val_array_value(system_wide_priority_strings, ss, ss_len);
- 			}
--- 
-2.31.1
-

gnutls-3.7.2-doc-hash-copy.patch

@@ -1,75 +0,0 @@
-From b64c8b2aa75e6668ee9115afda8e54d48b2143ac Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Wed, 22 Dec 2021 17:19:27 +0100
-Subject: [PATCH 2/2] gnutls-3.7.2-doc-hash-copy.patch
-
----
- doc/functions/gnutls_hash_copy  | 4 +++-
- doc/functions/gnutls_hmac_copy  | 4 +++-
- doc/manpages/gnutls_hash_copy.3 | 4 +++-
- doc/manpages/gnutls_hmac_copy.3 | 4 +++-
- 4 files changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/doc/functions/gnutls_hash_copy b/doc/functions/gnutls_hash_copy
-index 600c0e7..aac7d5d 100644
---- a/doc/functions/gnutls_hash_copy
-+++ b/doc/functions/gnutls_hash_copy
-@@ -8,7 +8,9 @@
- This function will create a copy of Message Digest context, containing all
- its current state. Copying contexts for Message Digests registered using
- @code{gnutls_crypto_register_digest()}  is not supported and will always result in
--an error.
-+an error. In addition to that, some of the Message Digest implementations do
-+not support this operation. Applications should check the return value and
-+provide a proper fallback.
- 
- @strong{Returns:} new Message Digest context or NULL in case of an error.
- 
-diff --git a/doc/functions/gnutls_hmac_copy b/doc/functions/gnutls_hmac_copy
-index a219b21..93b20d5 100644
---- a/doc/functions/gnutls_hmac_copy
-+++ b/doc/functions/gnutls_hmac_copy
-@@ -8,7 +8,9 @@
- This function will create a copy of MAC context, containing all its current
- state. Copying contexts for MACs registered using
- @code{gnutls_crypto_register_mac()}  is not supported and will always result in an
--error.
-+error. In addition to that, some of the MAC implementations do not support
-+this operation. Applications should check the return value and provide a
-+proper fallback.
- 
- @strong{Returns:} new MAC context or NULL in case of an error.
- 
-diff --git a/doc/manpages/gnutls_hash_copy.3 b/doc/manpages/gnutls_hash_copy.3
-index fcf0983..19bb8c4 100644
---- a/doc/manpages/gnutls_hash_copy.3
-+++ b/doc/manpages/gnutls_hash_copy.3
-@@ -13,7 +13,9 @@ is a \fBgnutls_hash_hd_t\fP type
- This function will create a copy of Message Digest context, containing all
- its current state. Copying contexts for Message Digests registered using
- \fBgnutls_crypto_register_digest()\fP is not supported and will always result in
--an error.
-+an error. In addition to that, some of the Message Digest implementations do
-+not support this operation. Applications should check the return value and
-+provide a proper fallback.
- .SH "RETURNS"
- new Message Digest context or NULL in case of an error.
- .SH "SINCE"
-diff --git a/doc/manpages/gnutls_hmac_copy.3 b/doc/manpages/gnutls_hmac_copy.3
-index ba5a40d..32b0114 100644
---- a/doc/manpages/gnutls_hmac_copy.3
-+++ b/doc/manpages/gnutls_hmac_copy.3
-@@ -13,7 +13,9 @@ is a \fBgnutls_hmac_hd_t\fP type
- This function will create a copy of MAC context, containing all its current
- state. Copying contexts for MACs registered using
- \fBgnutls_crypto_register_mac()\fP is not supported and will always result in an
--error.
-+error. In addition to that, some of the MAC implementations do not support
-+this operation. Applications should check the return value and provide a
-+proper fallback.
- .SH "RETURNS"
- new MAC context or NULL in case of an error.
- .SH "SINCE"
--- 
-2.31.1
-

gnutls-3.7.2-key-share-ecdhx.patch

@@ -1,92 +0,0 @@
-From c9e072236c4e1c290f38aee819ecaff8398e2a16 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Fri, 25 Jun 2021 08:39:12 +0200
-Subject: [PATCH] key_share: treat X25519 and X448 as same PK type when
- advertising
-
-Previously, if both X25519 and X448 groups were enabled in the
-priority string, the client sent both algorithms in a key_share
-extension, while it was only capable of handling one algorithm from
-the same (Edwards curve) category.  This adds an extra check so the
-client should send either X25519 or X448.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
----
- lib/ext/key_share.c     | 24 +++++++++++++++++++++---
- tests/tls13/key_share.c |  3 +++
- 2 files changed, 24 insertions(+), 3 deletions(-)
-
-diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
-index a8c4bb5cf..a4db3af95 100644
---- a/lib/ext/key_share.c
-+++ b/lib/ext/key_share.c
-@@ -656,6 +656,18 @@ key_share_recv_params(gnutls_session_t session,
- 	return 0;
- }
- 
-+static inline bool
-+pk_type_is_ecdhx(gnutls_pk_algorithm_t pk)
-+{
-+	return pk == GNUTLS_PK_ECDH_X25519 || pk == GNUTLS_PK_ECDH_X448;
-+}
-+
-+static inline bool
-+pk_type_equal(gnutls_pk_algorithm_t a, gnutls_pk_algorithm_t b)
-+{
-+	return a == b || (pk_type_is_ecdhx(a) && pk_type_is_ecdhx(b));
-+}
-+
- /* returns data_size or a negative number on failure
-  */
- static int
-@@ -710,12 +722,18 @@ key_share_send_params(gnutls_session_t session,
- 			/* generate key shares for out top-(max_groups) groups
- 			 * if they are of different PK type. */
- 			for (i = 0; i < session->internals.priorities->groups.size; i++) {
-+				unsigned int j;
-+
- 				group = session->internals.priorities->groups.entry[i];
- 
--				if (generated == 1 && group->pk == selected_groups[0])
--					continue;
--				else if (generated == 2 && (group->pk == selected_groups[1] || group->pk == selected_groups[0]))
-+				for (j = 0; j < generated; j++) {
-+					if (pk_type_equal(group->pk, selected_groups[j])) {
-+						break;
-+					}
-+				}
-+				if (j < generated) {
- 					continue;
-+				}
- 
- 				selected_groups[generated] = group->pk;
- 
-diff --git a/tests/tls13/key_share.c b/tests/tls13/key_share.c
-index 7f8f6295c..816a7d9b5 100644
---- a/tests/tls13/key_share.c
-+++ b/tests/tls13/key_share.c
-@@ -124,6 +124,7 @@ unsigned int tls_id_to_group[] = {
- 	[23] = GNUTLS_GROUP_SECP256R1,
- 	[24] = GNUTLS_GROUP_SECP384R1,
- 	[29] = GNUTLS_GROUP_X25519,
-+	[30] = GNUTLS_GROUP_X448,
- 	[0x100] = GNUTLS_GROUP_FFDHE2048,
- 	[0x101] = GNUTLS_GROUP_FFDHE3072
- };
-@@ -315,11 +316,13 @@ void doit(void)
- 	start("two groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
- 	start("two groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
- 	start("two groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X25519, 2);
-+	start("two groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X448, 2);
- 	start("two groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_FFDHE2048, 2);
- 
- 	start("three groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
- 	start("three groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
- 	start("three groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X25519, 3);
-+	start("three groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X448, 3);
- 	start("three groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_FFDHE2048, 3);
- 
- 	/* test default behavior */
--- 
-2.31.1
-

gnutls-3.7.2-libopts-covscan.patch

@@ -1,72 +0,0 @@
-From de11338de900f5c8840268264bceccbf76cca34f Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Thu, 21 Oct 2021 12:19:30 +0200
-Subject: [PATCH 1/2] autoopts: makeshell: use ferror before fclose
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- src/libopts/makeshell.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/src/libopts/makeshell.c b/src/libopts/makeshell.c
-index b6cb441a..7eb17a1f 100644
---- a/src/libopts/makeshell.c
-+++ b/src/libopts/makeshell.c
-@@ -164,9 +164,8 @@ optionParseShell(tOptions * opts)
- #ifdef HAVE_FCHMOD
-     fchmod(STDOUT_FILENO, 0755);
- #endif
--    fclose(stdout);
- 
--    if (ferror(stdout))
-+    if (ferror(stdout) || fclose(stdout))
-         fserr_exit(opts->pzProgName, zwriting, zstdout_name);
- 
-     AGFREE(script_text);
--- 
-2.31.1
-
-
-From 161097d36b608b615482e42e56a465c9fd740c26 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Thu, 21 Oct 2021 12:43:07 +0200
-Subject: [PATCH 2/2] autoopts: load: fix resource leak in error path
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- src/libopts/load.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/src/libopts/load.c b/src/libopts/load.c
-index 3f1ce2e6..ad1c4584 100644
---- a/src/libopts/load.c
-+++ b/src/libopts/load.c
-@@ -219,8 +219,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path)
-      *  IF we cannot find a directory name separator,
-      *  THEN we do not have a path name to our executable file.
-      */
--    if (pz == NULL)
-+    if (pz == NULL) {
-+        if (path != prg_path)
-+            AGFREE(path);
-         return false;
-+    }
- 
-     fname    += skip;
-     fname_len = strlen(fname) + 1; // + NUL byte
-@@ -230,8 +233,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path)
-      *  Concatenate the file name to the end of the executable path.
-      *  The result may be either a file or a directory.
-      */
--    if (dir_len + fname_len > (unsigned)b_sz)
-+    if (dir_len + fname_len > (unsigned)b_sz) {
-+        if (path != prg_path)
-+            AGFREE(path);
-         return false;
-+    }
- 
-     memcpy(buf, path, dir_len);
-     memcpy(buf + dir_len, fname, fname_len);
--- 
-2.31.1
-

gnutls.spec

@@ -1,15 +1,9 @@
-# This spec file has been automatically updated
-Version:	3.7.2
-Release: 10%{?dist}
+Version: 3.7.3
+Release: 1%{?dist}
 Patch1:	gnutls-3.6.7-no-now-guile.patch
 Patch2:	gnutls-3.2.7-rpath.patch
-Patch3:	gnutls-3.7.2-config-allowlisting.patch
-Patch4:	gnutls-3.7.2-key-share-ecdhx.patch
-Patch5:	gnutls-3.7.2-enable-intel-cet.patch
-Patch6: gnutls-3.7.2-libopts-covscan.patch
-Patch7: gnutls-3.7.2-config-allowlisting-race.patch
-Patch8: gnutls-3.7.2-no-explicit-init.patch
-Patch9: gnutls-3.7.2-doc-hash-copy.patch
+Patch3:	gnutls-3.7.2-enable-intel-cet.patch
+Patch4: gnutls-3.7.2-no-explicit-init.patch
 %bcond_with bootstrap
 %bcond_without dane
 %if 0%{?rhel}
@@ -30,7 +24,6 @@ BuildRequires: p11-kit-devel >= 0.21.3, gettext-devel
 BuildRequires: zlib-devel, readline-devel, libtasn1-devel >= 4.3
 %if %{with bootstrap}
 BuildRequires: automake, autoconf, gperf, libtool, texinfo
-BuildRequires: autogen-libopts-devel >= 5.18, autogen
 %endif
 BuildRequires: nettle-devel >= 3.5.1
 %if %{with tpm12}
@@ -170,24 +163,6 @@ rm -f lib/minitasn1/*.c lib/minitasn1/*.h
 
 echo "SYSTEM=NORMAL" >> tests/system.prio
 
-%if !%{with bootstrap}
-# These are ordered by dependency:
-touch doc/functions/* doc/enums/*
-touch doc/enums.texi doc/gnutls-api.texi
-touch doc/invoke-gnutls-cli.texi
-touch doc/invoke-gnutls-cli-debug.texi
-touch doc/invoke-gnutls-serv.texi
-touch doc/invoke-certtool.texi
-touch doc/invoke-ocsptool.texi
-touch doc/invoke-danetool.texi
-touch doc/invoke-srptool.texi
-touch doc/invoke-psktool.texi
-touch doc/invoke-p11tool.texi
-touch doc/invoke-tpmtool.texi
-touch doc/stamp_functions doc/stamp_enums
-touch doc/gnutls.info doc/gnutls.html doc/manpages/stamp_mans
-%endif
-
 # Note that we explicitly enable SHA1, as SHA1 deprecation is handled
 # via the crypto policies
 
@@ -325,6 +300,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 
 %changelog
+* Tue Jan 18 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-1
+- Update to gnutls 3.7.3 (#2033220)
+
 * Wed Dec 22 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-10
 - Update gnutls_{hash,hmac}_copy man-pages as well (#1999639)
 

sources

@@ -1,3 +1,3 @@
-SHA512 (gnutls-3.7.2.tar.xz) = 5d01d561a05379da71e4847e30ba13c2abe09f7a5c4359fd539d8bd19abad0ce87120f82ee7b6264e787bd3edbc5ae16beffa892983cbc3d59f11a1811c10329
-SHA512 (gnutls-3.7.2.tar.xz.sig) = fc3314c0ce5fb608352fcd8e19efd14435e4cfa5c0eb843d86febb6053fec7d46774b637037b96c5a621a7001f89d6c110f75bff96f94c2a77caf5d9c3aa9447
+SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077
+SHA512 (gnutls-3.7.3.tar.xz.sig) = 93e62730570a6f65ec98538e812ed9c0bd35c25f0906b22f2ae3e762981b0e01bfb7ffcb747c64b42c586d6f0d5c90a7c3abfdc39088cc05f9975b865c309d50
 SHA512 (gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg) = a74b92826fd0e5388c9f6d9231959e38b26aeef83138648fab66df951d8e1a4db5302b569d08515d4d6443e5e4f6c466f98319f330c820790260d22a9b9f7173