From 104dece0d50464089f3554ba0133284ce21bbe0c Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Sat, 22 Jun 2013 21:39:26 +0200
Subject: [PATCH] new upstream release (fixes CVE-2013-2174)
---
 0001-curl-7.30.0-ddbda328.patch | 131 --------------------------------
 0002-curl-7.30.0-b37b5233.patch | 35 ---------
 0101-curl-7.30.0-multilib.patch | 13 +++-
 0102-curl-7.30.0-debug.patch | 2 +-
 0108-curl-7.30.0-utf8.patch | 2 +-
 curl-7.30.0.tar.lzma.asc | 7 --
 curl-7.31.0.tar.lzma.asc | 7 ++
 curl.spec | 15 ++--
 sources | 2 +-
 9 files changed, 24 insertions(+), 190 deletions(-)
 delete mode 100644 0001-curl-7.30.0-ddbda328.patch
 delete mode 100644 0002-curl-7.30.0-b37b5233.patch
 delete mode 100644 curl-7.30.0.tar.lzma.asc
 create mode 100644 curl-7.31.0.tar.lzma.asc
diff --git a/0001-curl-7.30.0-ddbda328.patch b/0001-curl-7.30.0-ddbda328.patch
deleted file mode 100644
index e6047d9..0000000
--- a/0001-curl-7.30.0-ddbda328.patch
+++ /dev/null
@@ -1,131 +0,0 @@ -From c5c7d61620e1d9ebd039b9931898635659a0a356 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 12 Apr 2013 14:13:42 +0200 -Subject: [PATCH] tests: prevent test206, test1060, and test1061 from failing - -... in case runtests.pl is invoked with non-default -b option - -Fixes a regression caused by 1e29d275c643ef6aab7948f0f55a7a9397e56b42. - -[upstream commit ddbda328b37eb4b5f43fbd1dd8248c301fd2b30e] ---- - tests/data/test1060 | 14 +++++++------- - tests/data/test1061 | 14 +++++++------- - tests/data/test206 | 14 +++++++------- - 3 files changed, 21 insertions(+), 21 deletions(-) - -diff --git a/tests/data/test1060 b/tests/data/test1060 -index da1be78..e303a89 100644 ---- a/tests/data/test1060 -+++ b/tests/data/test1060 -@@ -874,7 +874,7 @@ crypto - HTTP proxy CONNECT auth Digest, large headers and data - - --http://test.remote.haxx.se.1060:%HTTPPORT/path/10600002 --proxy http://%HOSTIP:%HTTPPORT --proxy-user silly:person --proxy-digest --proxytunnel -+http://test.remote.haxx.se.1060:8990/path/10600002 --proxy http://%HOSTIP:%HTTPPORT --proxy-user silly:person --proxy-digest --proxytunnel - - - -@@ -884,17 +884,17 @@ http://test.remote.haxx.se.1060:%HTTPPORT/path/10600002 --proxy http://%HOSTIP:% - ^User-Agent: curl/.* - - --CONNECT test.remote.haxx.se.1060:%HTTPPORT HTTP/1.1 --Host: test.remote.haxx.se.1060:%HTTPPORT -+CONNECT test.remote.haxx.se.1060:8990 HTTP/1.1 -+Host: test.remote.haxx.se.1060:8990 - Proxy-Connection: Keep-Alive - --CONNECT test.remote.haxx.se.1060:%HTTPPORT HTTP/1.1 --Host: test.remote.haxx.se.1060:%HTTPPORT --Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="test.remote.haxx.se.1060:%HTTPPORT", response="e1fbed39c26f4efe284adc0e576ff638" -+CONNECT test.remote.haxx.se.1060:8990 HTTP/1.1 -+Host: test.remote.haxx.se.1060:8990 -+Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="test.remote.haxx.se.1060:8990", 
response="e1fbed39c26f4efe284adc0e576ff638" - Proxy-Connection: Keep-Alive - - GET /path/10600002 HTTP/1.1 --Host: test.remote.haxx.se.1060:%HTTPPORT -+Host: test.remote.haxx.se.1060:8990 - Accept: */* - - -diff --git a/tests/data/test1061 b/tests/data/test1061 -index 05c3209..a1d7286 100644 ---- a/tests/data/test1061 -+++ b/tests/data/test1061 -@@ -879,7 +879,7 @@ crypto - HTTP proxy CONNECT auth Digest, large headers and chunked data - - --http://test.remote.haxx.se.1061:%HTTPPORT/path/10610002 --proxy http://%HOSTIP:%HTTPPORT --proxy-user silly:person --proxy-digest --proxytunnel -+http://test.remote.haxx.se.1061:8990/path/10610002 --proxy http://%HOSTIP:%HTTPPORT --proxy-user silly:person --proxy-digest --proxytunnel - - - -@@ -889,17 +889,17 @@ http://test.remote.haxx.se.1061:%HTTPPORT/path/10610002 --proxy http://%HOSTIP:% - ^User-Agent: curl/.* - - --CONNECT test.remote.haxx.se.1061:%HTTPPORT HTTP/1.1 --Host: test.remote.haxx.se.1061:%HTTPPORT -+CONNECT test.remote.haxx.se.1061:8990 HTTP/1.1 -+Host: test.remote.haxx.se.1061:8990 - Proxy-Connection: Keep-Alive - --CONNECT test.remote.haxx.se.1061:%HTTPPORT HTTP/1.1 --Host: test.remote.haxx.se.1061:%HTTPPORT --Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="test.remote.haxx.se.1061:%HTTPPORT", response="4e23449fa93224834299e7282a70472c" -+CONNECT test.remote.haxx.se.1061:8990 HTTP/1.1 -+Host: test.remote.haxx.se.1061:8990 -+Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="test.remote.haxx.se.1061:8990", response="4e23449fa93224834299e7282a70472c" - Proxy-Connection: Keep-Alive - - GET /path/10610002 HTTP/1.1 --Host: test.remote.haxx.se.1061:%HTTPPORT -+Host: test.remote.haxx.se.1061:8990 - Accept: */* - - -diff --git a/tests/data/test206 b/tests/data/test206 -index 3ddc1d9..902d0a6 100644 ---- a/tests/data/test206 -+++ b/tests/data/test206 -@@ -77,7 +77,7 @@ crypto - HTTP proxy CONNECT auth Digest - - 
--http://test.remote.haxx.se.206:%HTTPPORT/path/2060002 --proxy http://%HOSTIP:%HTTPPORT --proxy-user silly:person --proxy-digest --proxytunnel -+http://test.remote.haxx.se.206:8990/path/2060002 --proxy http://%HOSTIP:%HTTPPORT --proxy-user silly:person --proxy-digest --proxytunnel - - - -@@ -87,18 +87,18 @@ http://test.remote.haxx.se.206:%HTTPPORT/path/2060002 --proxy http://%HOSTIP:%HT - ^User-Agent: curl/.* - - --CONNECT test.remote.haxx.se.206:%HTTPPORT HTTP/1.1 --Host: test.remote.haxx.se.206:%HTTPPORT -+CONNECT test.remote.haxx.se.206:8990 HTTP/1.1 -+Host: test.remote.haxx.se.206:8990 - Proxy-Connection: Keep-Alive - --CONNECT test.remote.haxx.se.206:%HTTPPORT HTTP/1.1 --Host: test.remote.haxx.se.206:%HTTPPORT --Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="test.remote.haxx.se.206:%HTTPPORT", response="003e36decb4dbf6366b3ecb9b87c24ec" -+CONNECT test.remote.haxx.se.206:8990 HTTP/1.1 -+Host: test.remote.haxx.se.206:8990 -+Proxy-Authorization: Digest username="silly", realm="weirdorealm", nonce="12345", uri="test.remote.haxx.se.206:8990", response="003e36decb4dbf6366b3ecb9b87c24ec" - Proxy-Connection: Keep-Alive - - GET /path/2060002 HTTP/1.1 - User-Agent: curl/7.12.3-CVS (i686-pc-linux-gnu) libcurl/7.12.3-CVS OpenSSL/0.9.6b zlib/1.1.4 --Host: test.remote.haxx.se.206:%HTTPPORT -+Host: test.remote.haxx.se.206:8990 - Accept: */* - - [DISCONNECT] --- -1.7.1 - diff --git a/0002-curl-7.30.0-b37b5233.patch b/0002-curl-7.30.0-b37b5233.patch deleted file mode 100644 index 9ce955e..0000000 --- a/0002-curl-7.30.0-b37b5233.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 7a90359b61407cc63e6a8337602ac8ed70775475 Mon Sep 17 00:00:00 2001 -From: Zdenek Pavlas -Date: Fri, 26 Apr 2013 14:56:38 +0200 -Subject: [PATCH] url: initialize speed-check data for file:// protocol - -... in order to prevent an artificial timeout event based on stale -speed-check data from a previous network transfer. This commit fixes -a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e. - -Bug: https://bugzilla.redhat.com/906031 - -[upstream commit b37b5233cab96b5b1f2ab7f6e0b9c3df77320bba] - -Signed-off-by: Kamil Dudka ---- - lib/url.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/lib/url.c b/lib/url.c -index 4399162..19a3a38 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -5010,6 +5010,9 @@ static CURLcode create_conn(struct SessionHandle *data, - -1, NULL); /* no upload */ - } - -+ /* since we skip do_init() */ -+ Curl_speedinit(data); -+ - return result; - } - #endif --- -1.7.1 - diff --git a/0101-curl-7.30.0-multilib.patch b/0101-curl-7.30.0-multilib.patch index 9f81288..57cd565 100644 --- a/0101-curl-7.30.0-multilib.patch +++ b/0101-curl-7.30.0-multilib.patch @@ -4,10 +4,10 @@ Date: Fri, 12 Apr 2013 12:04:05 +0200 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- - curl-config.in | 16 +++------------- + curl-config.in | 21 +++------------------ docs/curl-config.1 | 4 +++- libcurl.pc.in | 1 + - 3 files changed, 7 insertions(+), 14 deletions(-) + 3 files changed, 7 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in index 150004d..95d0759 100644 @@ -22,7 +22,7 @@ index 150004d..95d0759 100644 ;; --prefix) -@@ -142,24 +142,14 @@ while test $# -gt 0; do +@@ -142,29 +142,14 @@ while test $# -gt 0; do ;; --libs) 
@@ -40,7 +40,12 @@ index 150004d..95d0759 100644 ;; --static-libs) -- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ +- if test "X@ENABLE_STATIC@" != "Xno" ; then +- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ +- else +- echo "curl was built with static libraries disabled" >&2 +- exit 1 +- fi ;; --configure) diff --git a/0102-curl-7.30.0-debug.patch b/0102-curl-7.30.0-debug.patch index 42623cd..b2ef40a 100644 --- a/0102-curl-7.30.0-debug.patch +++ b/0102-curl-7.30.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -15950,18 +15950,11 @@ $as_echo "yes" >&6; } +@@ -16020,18 +16020,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0108-curl-7.30.0-utf8.patch b/0108-curl-7.30.0-utf8.patch index 221f10c..feb1b2f 100644 --- a/0108-curl-7.30.0-utf8.patch +++ b/0108-curl-7.30.0-utf8.patch @@ -14,7 +14,7 @@ diff --git a/CHANGES b/CHANGES index 4568408..5fc1652 100644 --- a/CHANGES +++ b/CHANGES -@@ -4312,7 +4312,7 @@ Daniel Stenberg (12 Nov 2012) +@@ -5325,7 +5325,7 @@ Daniel Stenberg (12 Nov 2012) - [Gabriel Sjoberg brought this change] diff --git a/curl-7.30.0.tar.lzma.asc b/curl-7.30.0.tar.lzma.asc deleted file mode 100644 index 8faa89d..0000000 --- a/curl-7.30.0.tar.lzma.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.12 (GNU/Linux) - -iEYEABECAAYFAlFntDMACgkQeOEcayedXJE9vwCg2icVm/xDjGiK9lDvBN2Yck5h -jwIAn2UNo1J6RyA3TRqpnXWMXr1Jjq4g -=7Wds ------END PGP SIGNATURE----- diff --git a/curl-7.31.0.tar.lzma.asc b/curl-7.31.0.tar.lzma.asc new file mode 100644 index 0000000..a3a3ad5 --- /dev/null +++ b/curl-7.31.0.tar.lzma.asc 
@@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (GNU/Linux) + +iEYEABECAAYFAlHFb/oACgkQeOEcayedXJFVRACfZw0PkPESVwBmLofyVsmzvawi +hDoAniqfcgXqIiLt8KPz0MkA6uXcol5E +=gOQA +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 992cf4d..c6b9fec 100644 --- a/curl.spec +++ b/curl.spec @@ -1,18 +1,12 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.30.0 -Release: 2%{?dist} +Version: 7.31.0 +Release: 1%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma Source2: curlbuild.h -# prevent test-suite failure due to using non-default port ranges in tests -Patch1: 0001-curl-7.30.0-ddbda328.patch - -# prevent an artificial timeout event due to stale speed-check data (#906031) -Patch2: 0002-curl-7.30.0-b37b5233.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.30.0-multilib.patch @@ -106,8 +100,6 @@ documentation of the library, too. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 # Fedora patches %patch101 -p1 @@ -227,6 +219,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Sat Jun 22 2013 Kamil Dudka 7.31.0-1 +- new upstream release (fixes CVE-2013-2174) + * Fri Apr 26 2013 Kamil Dudka 7.30.0-2 - prevent an artificial timeout event due to stale speed-check data (#906031) diff --git a/sources b/sources index 49146c2..891eca4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -e47049eaabfbed194bef7ae4960fdc37 curl-7.30.0.tar.lzma +996c1a5004d96cb4baa3f4e1985058b8 curl-7.31.0.tar.lzma
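Review bot: The new `curl-7.31.0.tar.lzma.asc` is committed, but the spec header visible in the first `curl.spec` hunk lists only `Source:` and `Source2:`, so the detached signature does not appear to be checked at build time and the tarball's integrity rests on the single checksum in `sources` (a 32-hex-digit value, presumably MD5). Since this rebase is what delivers the CVE-2013-2174 fix, it would be worth listing the signature, e.g. `Source1: %{name}-%{version}.tar.lzma.asc`, and running a `gpgv` check against a pinned upstream keyring in `%prep` before `%setup -q`. Only part of `%prep` is visible in the second hunk, so a verification step elsewhere in the spec cannot be ruled out.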