new upstream release - 7.85.0

Resolves: CVE-2022-35252 - control code in cookie denial of service
2022-09-01 13:38:12 +02:00 · 2022-09-01 13:38:12 +02:00 · 1322e86ddb
parent f58874c271
commit 1322e86ddb
6 changed files with 18 additions and 209 deletions
--- a/0001-curl-7.84.0-sched-yield.patch
+++ b/0001-curl-7.84.0-sched-yield.patch
@ -1,32 +0,0 @@
-From 711902d9e591947d5d8ec9568beab0c7d36b7dd0 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 27 Jun 2022 08:46:21 +0200
-Subject: [PATCH] easy_lock.h: include sched.h if available to fix build
-
-Patched-by: Harry Sintonen
-
-Closes #9054
-
-Upstream-commit: e2e7f54b7bea521fa8373095d0f43261a720cda0
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
- lib/easy_lock.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/lib/easy_lock.h b/lib/easy_lock.h
-index 819f50c..1f54289 100644
--- a/lib/easy_lock.h
-+++ b/lib/easy_lock.h
-@@ -36,6 +36,9 @@
- 
- #elif defined (HAVE_ATOMIC)
- #include <stdatomic.h>
-+#if defined(HAVE_SCHED_YIELD)
-+#include <sched.h>
-+#endif
- 
- #define curl_simple_lock atomic_bool
- #define CURL_SIMPLE_LOCK_INIT false
-- 
-2.35.3
-
--- a/0002-curl-7.84.0-tests-http2.patch
+++ b/0002-curl-7.84.0-tests-http2.patch
@ -1,156 +0,0 @@
-From 221905eca9fb4b82822b6a14ef6d82c98c5702d9 Mon Sep 17 00:00:00 2001
-From: Jay Satiro <raysatiro@yahoo.com>
-Date: Thu, 25 Aug 2022 03:46:42 -0400
-Subject: [PATCH] tests: fix http2 tests to use CRLF headers
-
-Prior to this change some tests that rely on nghttpx proxy did not use
-CRLF headers everywhere. Recent changes in nghttp2 (??? ref here)
-requires curl's HTTP/1.1 test server to use CRLF headers.
-
-Fixes https://github.com/curl/curl/issues/9364
-Closes https://github.com/curl/curl/pull/9365
---
- tests/data/test1700 | 34 +++++++++++++++++-----------------
- tests/data/test1701 | 22 +++++++++++-----------
- tests/data/test358  | 16 ++++++++--------
- tests/data/test359  | 16 ++++++++--------
- 4 files changed, 44 insertions(+), 44 deletions(-)
-
-diff --git a/tests/data/test1700 b/tests/data/test1700
-index 8b1ef4ae3..7f78bcf5f 100644
--- a/tests/data/test1700
-+++ b/tests/data/test1700
-@@ -11,26 +11,26 @@ HTTP/2
- # Server-side
- <reply>
- <data nocheck="yes">
-HTTP/1.1 200 OK
-Date: Tue, 09 Nov 2010 14:49:00 GMT
-Server: test-server/fake
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-ETag: "21025-dc7-39462498"
-Accept-Ranges: bytes
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-Funny-head: yesyes
-
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
- -foo-
- </data>
- <data1>
-HTTP/1.1 200 OK
-Date: Tue, 09 Nov 2010 14:49:00 GMT
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+
- -maa-
- </data1>
- </reply>
-diff --git a/tests/data/test1701 b/tests/data/test1701
-index 3c1a2bd0b..22f6147d0 100644
--- a/tests/data/test1701
-+++ b/tests/data/test1701
-@@ -11,17 +11,17 @@ HTTP/2
- # Server-side
- <reply>
- <data nocheck="yes">
-HTTP/1.1 200 OK
-Date: Tue, 09 Nov 2010 14:49:00 GMT
-Server: test-server/fake
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-ETag: "21025-dc7-39462498"
-Accept-Ranges: bytes
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-Funny-head: yesyes
-
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
-+ETag: "21025-dc7-39462498"
-+Accept-Ranges: bytes
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+
- -foo-
- </data>
- </reply>
-diff --git a/tests/data/test358 b/tests/data/test358
-index 8b4f66062..0f8a9801b 100644
--- a/tests/data/test358
-+++ b/tests/data/test358
-@@ -12,14 +12,14 @@ HTTP/2
- # Server-side
- <reply>
- <data nocheck="yes">
-HTTP/1.1 200 OK
-Date: Tue, 09 Nov 2010 14:49:00 GMT
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-Funny-head: yesyes
-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
-
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
-+
- -foo-
- </data>
- </reply>
-diff --git a/tests/data/test359 b/tests/data/test359
-index a5ba4e3ae..0e684e39e 100644
--- a/tests/data/test359
-+++ b/tests/data/test359
-@@ -12,14 +12,14 @@ HTTP/2
- # Server-side
- <reply>
- <data nocheck="yes">
-HTTP/1.1 200 OK
-Date: Tue, 09 Nov 2010 14:49:00 GMT
-Content-Length: 6
-Connection: close
-Content-Type: text/html
-Funny-head: yesyes
-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
-
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Content-Length: 6
-+Connection: close
-+Content-Type: text/html
-+Funny-head: yesyes
-+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
-+
- -foo-
- </data>
- </reply>
-- 
-2.37.1
-
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@ -44,7 +44,7 @@ index 150004d..95d0759 100644
 
     --static-libs)
 -        if test "X@ENABLE_STATIC@" != "Xno" ; then
-          echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
+-          echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@
 -        else
 -          echo "curl was built with static libraries disabled" >&2
 -          exit 1
--- a/0102-curl-7.84.0-test3026.patch
+++ b/0102-curl-7.84.0-test3026.patch
@ -34,8 +34,9 @@ It fails on x86_64 with:
 [...]
 ```
 ---
- tests/data/test3026 | 3 +++
- 1 file changed, 3 insertions(+)
+ tests/data/test3026     | 3 +++
+ tests/libtest/lib3026.c | 4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)

 diff --git a/tests/data/test3026 b/tests/data/test3026
 index fb80cc8..01f2ba5 100644
@ -50,16 +51,13 @@ index fb80cc8..01f2ba5 100644
 +</valgrind>
 </verify>
 </testcase>
-- 
-2.35.3
-
 diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c
 index 43fe335..70cd7a4 100644
 --- a/tests/libtest/lib3026.c
 +++ b/tests/libtest/lib3026.c
-@@ -63,8 +63,8 @@ int test(char *URL)
-   for(i = 0; i < tid_count; i++) {
-     int res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
+@@ -123,8 +123,8 @@ int test(char *URL)
+     results[i] = CURL_LAST; /* initialize with invalid value */
+     res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
     if(res) {
 -      fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n",
 -              __FILE__, __LINE__, res);
@ -68,3 +66,6 @@ index 43fe335..70cd7a4 100644
       tid_count = i;
       test_failure = -1;
       goto cleanup;
+-- 
+2.37.1
+
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.84.0
-Release: 3%{?dist}
+Version: 7.85.0
+Release: 1%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@ -10,12 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc

-# easy_lock.h: include sched.h if available to fix build
-Patch1:   0001-curl-7.84.0-sched-yield.patch
-
-# tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0
-Patch2:   0002-curl-7.84.0-tests-http2.patch
-
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -194,8 +188,6 @@ be installed.
 %setup -q

 # upstream patches
-%patch1 -p1
-%patch2 -p1

 # Fedora patches
 %patch101 -p1
@ -429,6 +421,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Thu Sep 01 2022 Kamil Dudka <kdudka@redhat.com> - 7.85.0-3
+- new upstream release, which fixes the following vulnerability
+    CVE-2022-35252 - control code in cookie denial of service
+
 * Thu Aug 25 2022 Kamil Dudka <kdudka@redhat.com> - 7.84.0-3
 - tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (curl-7.84.0.tar.xz) = 86231866a35593a1637fbc0c6af3b6761bdfd99fb35580cc52970c36f19604f93dce59fea67a1d5bb4b455f719307599c7916c77d14f2b661f6bf7fb1ca716ce
-SHA512 (curl-7.84.0.tar.xz.asc) = 80ff5274277ad97448fa53511bab6e8a1c302bcb25fc0916d78b8dc6c6af43d944c37c4ed46668b651cc639ec4964780725117ca0e85168ea66ad7cc98d29702
+SHA512 (curl-7.85.0.tar.xz) = b57cc31649a4f47cc4b482f56a85c86c8e8aaeaf01bc1b51b065fdb9145a9092bc52535e52a85a66432eb163605b2edbf5bc5c33ea6e40e50f26a69ad1365cbd
+SHA512 (curl-7.85.0.tar.xz.asc) = 7022daf84b330b24112d595edee715cdeb881a4ba8a4fa7eec23aed28292e5d943af778f03aadd036d44d875f9e226096ea142d18afe516b6bdbd475fcd3aca6