From 1db8ad8d42ad034ecf8b5c2c8d2193c1dafae4d2 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 7 Sep 2016 10:18:49 +0200
Subject: [PATCH] new upstream release - 7.50.2

---
 0001-curl-7.51.0-cert-reuse.patch      | 45 ------------
 0002-curl-7.51.0-find-slot-race.patch  | 97 --------------------------
 0102-curl-7.36.0-debug.patch           |  2 +-
 0107-curl-7.21.4-libidn-valgrind.patch |  4 +-
 curl-7.50.1.tar.lzma.asc               | 11 ---
 curl-7.50.2.tar.lzma.asc               | 10 +++
 curl.spec                              | 20 ++----
 sources                                |  2 +-
 8 files changed, 21 insertions(+), 170 deletions(-)
 delete mode 100644 0001-curl-7.51.0-cert-reuse.patch
 delete mode 100644 0002-curl-7.51.0-find-slot-race.patch
 delete mode 100644 curl-7.50.1.tar.lzma.asc
 create mode 100644 curl-7.50.2.tar.lzma.asc

diff --git a/0001-curl-7.51.0-cert-reuse.patch b/0001-curl-7.51.0-cert-reuse.patch
deleted file mode 100644
index fff6c7b..0000000
--- a/0001-curl-7.51.0-cert-reuse.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From ec122e23098aad8b6e3d97070cca5858b72558e2 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Mon, 22 Aug 2016 10:24:35 +0200
-Subject: [PATCH] nss: refuse previously loaded certificate from file
-
-... when we are not asked to use a certificate from file
-
-Upstream-commit: 7700fcba64bf5806de28f6c1c7da3b4f0b38567d
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/vtls/nss.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index ad33f25..e467360 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -1004,10 +1004,10 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
-   struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg;
-   struct Curl_easy *data = connssl->data;
-   const char *nickname = connssl->client_nickname;
-+  static const char pem_slotname[] = "PEM Token #1";
- 
-   if(connssl->obj_clicert) {
-     /* use the cert/key provided by PEM reader */
--    static const char pem_slotname[] = "PEM Token #1";
-     SECItem cert_der = { 0, NULL, 0 };
-     void *proto_win = SSL_RevealPinArg(sock);
-     struct CERTCertificateStr *cert;
-@@ -1069,6 +1069,12 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
-   if(NULL == nickname)
-     nickname = "[unknown]";
- 
-+  if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) {
-+    failf(data, "NSS: refusing previously loaded certificate from file: %s",
-+          nickname);
-+    return SECFailure;
-+  }
-+
-   if(NULL == *pRetKey) {
-     failf(data, "NSS: private key not found for certificate: %s", nickname);
-     return SECFailure;
--- 
-2.7.4
-
diff --git a/0002-curl-7.51.0-find-slot-race.patch b/0002-curl-7.51.0-find-slot-race.patch
deleted file mode 100644
index fcdbe95..0000000
--- a/0002-curl-7.51.0-find-slot-race.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 5812a71c283936b85a77bd2745d4c6bb673cb55f Mon Sep 17 00:00:00 2001
-From: Peter Wang <novalazy@gmail.com>
-Date: Fri, 26 Aug 2016 16:28:39 +1000
-Subject: [PATCH] nss: work around race condition in PK11_FindSlotByName()
-
-Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
-a multi-threaded environment. The underlying cause is a race condition
-in nssSlot_IsTokenPresent().
-
-Bug: https://bugzilla.mozilla.org/1297397
-
-Closes #985
-
-Upstream-commit: 3a5d5de9ef52ebe8ca2bda2165edc1b34c242e54
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/vtls/nss.c | 22 +++++++++++++++++++---
- 1 file changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index e467360..1465c03 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -81,6 +81,7 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
- 
- PRLock * nss_initlock = NULL;
- PRLock * nss_crllock = NULL;
-+PRLock *nss_findslot_lock = NULL;
- struct curl_llist *nss_crl_list = NULL;
- NSSInitContext * nss_context = NULL;
- 
-@@ -340,6 +341,19 @@ static char* dup_nickname(struct Curl_easy *data, enum dupstring cert_kind)
-   return NULL;
- }
- 
-+/* Lock/unlock wrapper for PK11_FindSlotByName() to work around race condition
-+ * in nssSlot_IsTokenPresent() causing spurious SEC_ERROR_NO_TOKEN.  For more
-+ * details, go to <https://bugzilla.mozilla.org/1297397>.
-+ */
-+static PK11SlotInfo* nss_find_slot_by_name(const char *slot_name)
-+{
-+  PK11SlotInfo *slot;
-+  PR_Lock(nss_initlock);
-+  slot = PK11_FindSlotByName(slot_name);
-+  PR_Unlock(nss_initlock);
-+  return slot;
-+}
-+
- /* Call PK11_CreateGenericObject() with the given obj_class and filename.  If
-  * the call succeeds, append the object handle to the list of objects so that
-  * the object can be destroyed in Curl_nss_close(). */
-@@ -362,7 +376,7 @@ static CURLcode nss_create_object(struct ssl_connect_data *ssl,
-   if(!slot_name)
-     return CURLE_OUT_OF_MEMORY;
- 
--  slot = PK11_FindSlotByName(slot_name);
-+  slot = nss_find_slot_by_name(slot_name);
-   free(slot_name);
-   if(!slot)
-     return result;
-@@ -563,7 +577,7 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
-     return result;
-   }
- 
--  slot = PK11_FindSlotByName("PEM Token #1");
-+  slot = nss_find_slot_by_name("PEM Token #1");
-   if(!slot)
-     return CURLE_SSL_CERTPROBLEM;
- 
-@@ -1013,7 +1027,7 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
-     struct CERTCertificateStr *cert;
-     struct SECKEYPrivateKeyStr *key;
- 
--    PK11SlotInfo *slot = PK11_FindSlotByName(pem_slotname);
-+    PK11SlotInfo *slot = nss_find_slot_by_name(pem_slotname);
-     if(NULL == slot) {
-       failf(data, "NSS: PK11 slot not found: %s", pem_slotname);
-       return SECFailure;
-@@ -1249,6 +1263,7 @@ int Curl_nss_init(void)
-     PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
-     nss_initlock = PR_NewLock();
-     nss_crllock = PR_NewLock();
-+    nss_findslot_lock = PR_NewLock();
-   }
- 
-   /* We will actually initialize NSS later */
-@@ -1303,6 +1318,7 @@ void Curl_nss_cleanup(void)
- 
-   PR_DestroyLock(nss_initlock);
-   PR_DestroyLock(nss_crllock);
-+  PR_DestroyLock(nss_findslot_lock);
-   nss_initlock = NULL;
- 
-   initialized = 0;
--- 
-2.7.4
-
diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch
index 5a54f13..b74da0b 100644
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16617,18 +16617,11 @@ $as_echo "yes" >&6; }
+@@ -16620,18 +16620,11 @@ $as_echo "yes" >&6; }
      gccvhi=`echo $gccver | cut -d . -f1`
      gccvlo=`echo $gccver | cut -d . -f2`
      compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
diff --git a/0107-curl-7.21.4-libidn-valgrind.patch b/0107-curl-7.21.4-libidn-valgrind.patch
index e00e409..719b3a6 100644
--- a/0107-curl-7.21.4-libidn-valgrind.patch
+++ b/0107-curl-7.21.4-libidn-valgrind.patch
@@ -12,8 +12,8 @@ diff --git a/tests/data/test165 b/tests/data/test165
 index ddfe1e9..b2cbc4f 100644
 --- a/tests/data/test165
 +++ b/tests/data/test165
-@@ -53,5 +53,8 @@ Host: www.xn--4cab6c.se
- Accept: */*
+@@ -54,5 +54,8 @@ Accept: */*
+ Proxy-Connection: Keep-Alive
  
  </protocol>
 +<valgrind>
diff --git a/curl-7.50.1.tar.lzma.asc b/curl-7.50.1.tar.lzma.asc
deleted file mode 100644
index 670265f..0000000
--- a/curl-7.50.1.tar.lzma.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iQEcBAABCgAGBQJXoZGzAAoJEFzJCP23HhLCmj4IAIThxlJHbnqX+vPMHdAj4o/6
-Rr946YLOyQl41eJCwjsCYLbFGj0c2uy0ipKuSTB1aodyOwwuybHGJbsJxE9TKJTd
-eWgZ1sG9clE5S5YBHYqJK32PmYLEo7pSoNgamzoXOFKdxdK4OSNnPJBrJy2wDQRY
-+FfRR+xOvUDvj3K84eEEeKKbGgXqKSgQ7594s7BFSGxDQEzUIkmpEiMQv9S4ZCOL
-03FR8f0PXs4N8/tKSRBmhPc7BwCfTgK1XVpd+puYOTMi7niW3rentnqCONOSQbqo
-xvN/XDvvEVN+P17DWAkYPwHkjFCC9L+3uR1OCzFgFgGcoN1Yv9nK/bqRGGGRGr8=
-=uBU6
------END PGP SIGNATURE-----
diff --git a/curl-7.50.2.tar.lzma.asc b/curl-7.50.2.tar.lzma.asc
new file mode 100644
index 0000000..f31caa1
--- /dev/null
+++ b/curl-7.50.2.tar.lzma.asc
@@ -0,0 +1,10 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEcBAABCgAGBQJXz6qdAAoJEFzJCP23HhLC6twH/3QeGbEA0pOOaA77CBI83SgY
+76BieyDb2WPz1krUv09zMijIhKyy9+F+aCygBotzcUMDsrT0cLf/6xZKI3chAcGo
+H6S/ewRJvcx0IxAuaVlj+r3K5ZB7PY4GoDqGIngRgHSDyMkHEioOnUeG57FuTNJ3
+1gmeFnfkwtDGUcctGNndG7XbfUcFCyN60q6BAFUn5eXaHEm19xNiveeo9+mt2jse
+phsvmKrzTqCMFNZgeU0OoFQnVPL41J9nBcHlGDzpv5yAW8gM46dS9pV8t2lSUW02
+jGtGpLQLLDOgmJrpkQEDUp/xWKFifPmNog8NsUQ4lxe8fGf1DkHrmIRVPKsge/k=
+=L2bZ
+-----END PGP SIGNATURE-----
diff --git a/curl.spec b/curl.spec
index 5a2e0c3..0623c29 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,18 +1,11 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.50.1
-Release: 2%{?dist}
+Version: 7.50.2
+Release: 1%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 
-# fix incorrect use of a previously loaded certificate from file
-# (related to CVE-2016-5420)
-Patch1:   0001-curl-7.51.0-cert-reuse.patch
-
-# work around race condition in PK11_FindSlotByName()
-Patch2:   0002-curl-7.51.0-find-slot-race.patch
-
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -135,8 +128,6 @@ documentation of the library, too.
 %setup -q
 
 # upstream patches
-%patch1 -p1
-%patch2 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -230,8 +221,8 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libcurl.so.*
 
 %files -n libcurl-devel
-%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS
-%doc docs/CONTRIBUTE docs/libcurl/ABI
+%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
+%doc docs/CONTRIBUTE.md docs/libcurl/ABI
 %{_bindir}/curl-config*
 %{_includedir}/curl
 %{_libdir}/*.so
@@ -241,6 +232,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Wed Sep 07 2016 Kamil Dudka <kdudka@redhat.com> 7.50.2-1
+- new upstream release
+
 * Fri Aug 26 2016 Kamil Dudka <kdudka@redhat.com> 7.50.1-2
 - work around race condition in PK11_FindSlotByName()
 - fix incorrect use of a previously loaded certificate from file
diff --git a/sources b/sources
index bb7cfd9..f7e4858 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-01ac668b9f78266d72bdb86aa9db0849  curl-7.50.1.tar.lzma
+440fb3aa31a9e97f95394fd2022552c3  curl-7.50.2.tar.lzma