new upstream release - 7.78.0

Resolves: CVE-2021-22925 - TELNET stack contents disclosure again Resolves: CVE-2021-22924 - bad connection reuse due to flawed path name checks Resolves: CVE-2021-22923 - metalink download sends credentials Resolves: CVE-2021-22922 - wrong content via metalink not discarded
2021-07-21 10:15:27 +02:00 · 2021-07-21 10:15:27 +02:00 · 64bcb4bcc1
parent ece67bdd2f
commit 64bcb4bcc1
6 changed files with 22 additions and 81 deletions
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@ -1,61 +0,0 @@
-From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Wed, 31 Oct 2012 11:38:30 +0100
-Subject: [PATCH] prevent configure script from discarding -g in CFLAGS
- (#496778)
-
---
- m4/curl-compilers.m4 | 26 ++++++--------------------
- 1 file changed, 6 insertions(+), 20 deletions(-)
-
-diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
-index c64db4bc6..d115a4aed 100644
--- a/m4/curl-compilers.m4
-+++ b/m4/curl-compilers.m4
-@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [
-     clangvhi=`echo $clangver | cut -d . -f1`
-     clangvlo=`echo $clangver | cut -d . -f2`
-     compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null`
-    flags_dbg_all="-g -g0 -g1 -g2 -g3"
-    flags_dbg_all="$flags_dbg_all -ggdb"
-    flags_dbg_all="$flags_dbg_all -gstabs"
-    flags_dbg_all="$flags_dbg_all -gstabs+"
-    flags_dbg_all="$flags_dbg_all -gcoff"
-    flags_dbg_all="$flags_dbg_all -gxcoff"
-    flags_dbg_all="$flags_dbg_all -gdwarf-2"
-    flags_dbg_all="$flags_dbg_all -gvms"
-+    flags_dbg_all=""
-     flags_dbg_yes="-g"
-     flags_dbg_off=""
-    flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4"
-    flags_opt_yes="-Os"
-+    flags_opt_all=""
-+    flags_opt_yes=""
-     flags_opt_off="-O0"
-   else
-     AC_MSG_RESULT([no])
-@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
-     gccvhi=`echo $gccver | cut -d . -f1`
-     gccvlo=`echo $gccver | cut -d . -f2`
-     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
-    flags_dbg_all="-g -g0 -g1 -g2 -g3"
-    flags_dbg_all="$flags_dbg_all -ggdb"
-    flags_dbg_all="$flags_dbg_all -gstabs"
-    flags_dbg_all="$flags_dbg_all -gstabs+"
-    flags_dbg_all="$flags_dbg_all -gcoff"
-    flags_dbg_all="$flags_dbg_all -gxcoff"
-    flags_dbg_all="$flags_dbg_all -gdwarf-2"
-    flags_dbg_all="$flags_dbg_all -gvms"
-+    flags_dbg_all=""
-     flags_dbg_yes="-g"
-     flags_dbg_off=""
-    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
-    flags_opt_yes="-O2"
-+    flags_opt_all=""
-+    flags_opt_yes=""
-     flags_opt_off="-O0"
-     CURL_CHECK_DEF([_WIN32], [], [silent])
-   else
-- 
-1.7.1
-
--- a/0105-curl-7.63.0-lib1560-valgrind.patch
+++ b/0105-curl-7.63.0-lib1560-valgrind.patch
@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
 index 080421b..ea3b806 100644
 --- a/tests/libtest/Makefile.inc
 +++ b/tests/libtest/Makefile.inc
-@@ -600,6 +600,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+@@ -601,6 +601,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 lib1559_LDADD = $(TESTUTIL_LIBS)
 
 lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
--- a/curl-7.77.0.tar.xz.asc
+++ b/curl-7.77.0.tar.xz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmCt6IwACgkQXMkI/bce
-EsJd+Af/YCvzoV76IFh2aJpoi74XOglG327GQWnJRAt6VooIXvBPddundYOSepAw
-OQbReLSQgzmWIICjp4GnV/+gkNodpqJPB1uFHo8AHEBsiVJBTNO7c/mGirQlp5TM
-f5xGP8cf1OxwDJ6PBAHAYl4s71t6CWm0C2nf8x24ROlDsO85lz+yFCg1665IbZvp
-PFSfeIGHwyUoZesBmBFznm5KI5yc+Yn9gxsq3ujPYMvjMH7KFdw7zQu3SzYjT1+w
-bHqVul6+SC8laHuIqZfKnvrjLJMcIhe0vADoyV0/P64ZJ/4X2tGBrpxtXUJJ9S9C
-Cif/PNjYIGKg9Mk8odMjXzo8EcVFGA==
-=+IKy
-----END PGP SIGNATURE-----
--- a/curl-7.78.0.tar.xz.asc
+++ b/curl-7.78.0.tar.xz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmD3wwYACgkQXMkI/bce
+EsIFMggAt5xxRun4gxld2xZB0shI8fDhjGwMK+uQNpDnnt509j/UZ9+yfDra3Stl
+BHeQXSnTE6y4dKfXIkq4q3sSX2XZUuFRLHMhzH99FsY6bxgOSnZi/iIZv/RLLXTX
+NGlDR93OfsYg9UNkZVeZlFo9262f6rz7P5EsHa4HlCS0xpvLCU7q2dtkDu8SQSW1
+sQiEZOhsyXoiqqrLAgTIP9psHt6dE7qoYh1hS6b+7S9d87MSkL5MEnHukFkemlzC
+7d9cYD9Bah1LfAaYunvzPuC9FoF6gonGPrw3tLECdl2P9PpnrGeV1Z/Nhmu0d5mN
+E2A1BXBqLs8UVo4vUbiNLk0gB3TmHg==
+=yVDK
+-----END PGP SIGNATURE-----
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.77.0
-Release: 2%{?dist}
+Version: 7.78.0
+Release: 1%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@ -13,9 +13,6 @@ Source2: mykey.asc
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

-# prevent configure script from discarding -g in CFLAGS (#496778)
-Patch102: 0102-curl-7.36.0-debug.patch
-
 # prevent valgrind from reporting false positives on x86_64
 Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch

@ -191,7 +188,6 @@ be installed.

 # Fedora patches
 %patch101 -p1
-%patch102 -p1
 %patch105 -p1

 # disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
@ -237,7 +233,6 @@ export common_configure_opts=" \
    --enable-symbol-hiding \
    --enable-ipv6 \
    --enable-threaded-resolver \
-    --without-libmetalink \
    --with-gssapi \
    --with-nghttp2 \
    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
@ -367,6 +362,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Wed Jul 21 2021 Kamil Dudka <kdudka@redhat.com> - 7.78.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2021-22925 - TELNET stack contents disclosure again
+    CVE-2021-22924 - bad connection reuse due to flawed path name checks
+    CVE-2021-22923 - metalink download sends credentials
+    CVE-2021-22922 - wrong content via metalink not discarded
+
 * Wed Jun 02 2021 Kamil Dudka <kdudka@redhat.com> - 7.77.0-2
 - build the curl tool without metalink support (#1967213)

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (curl-7.77.0.tar.xz) = aef92a0e3f8ce8491b258a9a1c4dcea3c07c29b139a1f68f08619caa0295cfde76335d2dfb9cdf434525daea7dd05d8acd22f203f5ccc7735bd317964ec1da76
+SHA512 (curl-7.78.0.tar.xz) = f72e822a0b5e28320ef547c7a441c07f3b4870579a70ab4c428751baba435a1385cb89a22b9ed4b84a7fafecf620f155911e4131e3463ec1bdad80ecde47bb7a