Merge branch 'master' into private-kdudka-libcurl-minimal

2017-03-14 13:54:42 +01:00 · 2017-03-14 13:54:42 +01:00 · 8bab5c452b
parent 927009397f 4832a02ce4
commit 8bab5c452b
8 changed files with 131 additions and 125 deletions
--- a/0001-curl-7.47.1-psl-localhost.patch
+++ b/0001-curl-7.47.1-psl-localhost.patch
@ -1,47 +0,0 @@
-From 090ee789dda468fe0d9b715ec4e5dc47a948a239 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
-Date: Wed, 2 Mar 2016 11:07:16 +0100
-Subject: [PATCH] cookie: do not refuse cookies for localhost
-
-Closes #658
---
- lib/cookie.c        | 10 ++++++----
- tests/data/test1136 |  1 +
- 2 files changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/lib/cookie.c b/lib/cookie.c
-index d62f446..e5c7b7e 100644
--- a/lib/cookie.c
-+++ b/lib/cookie.c
-@@ -788,10 +788,12 @@ Curl_cookie_add(struct SessionHandle *data,
- #ifdef USE_LIBPSL
-   /* Check if the domain is a Public Suffix and if yes, ignore the cookie.
-      This needs a libpsl compiled with builtin data. */
-  if(co->domain && !isip(co->domain) && (psl = psl_builtin()) != NULL) {
-    if(psl_is_public_suffix(psl, co->domain)) {
-      infof(data, "cookie '%s' dropped, domain '%s' is a public suffix\n",
-            co->name, co->domain);
-+  if(domain && co->domain && !isip(co->domain)) {
-+    if (((psl = psl_builtin()) != NULL)
-+        && !psl_is_cookie_domain_acceptable(psl, domain, co->domain)) {
-+      infof(data,
-+            "cookie '%s' dropped, domain '%s' must not set cookies for '%s'\n",
-+            co->name, domain, co->domain);
-       freecookie(co);
-       return NULL;
-     }
-diff --git a/tests/data/test1136 b/tests/data/test1136
-index e42ca06..d3327e8 100644
--- a/tests/data/test1136
-+++ b/tests/data/test1136
-@@ -58,6 +58,7 @@ http://www.example.ck/1136 http://www.ck/1136 http://z-1.compute-1.amazonaws.com
- 
- .www.example.ck	TRUE	/	FALSE	0	test2	allowed2
- .www.ck	TRUE	/	FALSE	0	test4	allowed4
-+.z-1.compute-1.amazonaws.com	TRUE	/	FALSE	0	test5	forbidden5
- </file>
- </verify>
- </testcase>
-- 
-2.5.0
-
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16017,18 +16017,11 @@ $as_echo "yes" >&6; }
+@@ -16623,18 +16623,11 @@ $as_echo "yes" >&6; }
     gccvhi=`echo $gccver | cut -d . -f1`
     gccvlo=`echo $gccver | cut -d . -f2`
     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
@ -33,7 +33,7 @@ index 8f079a3..53b4774 100755
 +    flags_opt_yes=""
     flags_opt_off="-O0"
 
-       if test -z "$SED"; then
+     OLDCPPFLAGS=$CPPFLAGS
 diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
 index 0cbba7a..9175b5b 100644
 --- a/m4/curl-compilers.m4
--- a/0107-curl-7.21.4-libidn-valgrind.patch
+++ b/0107-curl-7.21.4-libidn-valgrind.patch
@ -1,26 +0,0 @@
-From d6c42a5bf66d4d458b20836573d6989e53f7d423 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Fri, 18 Feb 2011 17:49:59 +0100
-Subject: [PATCH] curl: work around valgrind bug (RHBZ#678518)
-
-https://bugs.kde.org/show_bug.cgi?id=264936
---
- tests/data/test165 |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/tests/data/test165 b/tests/data/test165
-index ddfe1e9..b2cbc4f 100644
--- a/tests/data/test165
-+++ b/tests/data/test165
-@@ -54,5 +54,8 @@ Accept: */*
- Proxy-Connection: Keep-Alive
- 
- </protocol>
-+<valgrind>
-+disable
-+</valgrind>
- </verify>
- </testcase>
-- 
-1.7.4
-
--- a/curl-7.47.1.tar.lzma.asc
+++ b/curl-7.47.1.tar.lzma.asc
@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAla4X80ACgkQeOEcayedXJFLWACglcsd1JCV1a5mQlzMVI166llH
-66oAn3wjtUvix9Gn59EGwBz1k5Kby2gH
-=Zg6S
-----END PGP SIGNATURE-----
--- a/curl-7.53.1.tar.lzma.asc
+++ b/curl-7.53.1.tar.lzma.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAliv5c0ACgkQXMkI/bce
+EsIhQAf+MnT0c/mIi2ADpOgYq4+3Hf8hypkuWkICSWwyH8j2mRJCRDPO3yAOU8U9
+RlVEzPm+Tb13zCLWPLgRu1T75YMHPwJ6+q9wnNNGzBFJ5ShWs/JxL1rhj21ZFQoA
+3l/as6qm8iXkbZOfePWNbgr7W+NyasxHjf9L6O31oWauY3X9FYLcYr9nzUTFHFSh
+gzOAxb7/oYkZTtYccvRSI75Eohqi2kSx6gAkMhcWwbqU1QCU80c+vX2PlptaPNP/
+GGpe3IH66q8v/ExfIL/Tu6LfhdV+ulP2c3m++dYiOvT3wUMSuqHt0WzosOHEUjh5
+SFi75fQRJLkA0fn/3luoj9B+PO7G8g==
+=xg39
+-----END PGP SIGNATURE-----
--- a/curl.spec
+++ b/curl.spec
@ -1,14 +1,10 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.47.1
-Release: 4.2%{?dist}
+Version: 7.53.1
+Release: 3.3%{?dist}
 License: MIT
 Group: Applications/Internet
-Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
-Source2: curlbuild.h
-
-# do not refuse cookies for localhost (#1308791)
-Patch1: 0001-curl-7.47.1-psl-localhost.patch
+Source: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma

 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -19,19 +15,17 @@ Patch102: 0102-curl-7.36.0-debug.patch
 # use localhost6 instead of ip6-localhost in the curl test-suite
 Patch104: 0104-curl-7.19.7-localhost6.patch

-# work around valgrind bug (#678518)
-Patch107: 0107-curl-7.21.4-libidn-valgrind.patch
-
 Provides: webclient
-URL: http://curl.haxx.se/
+URL: https://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
 BuildRequires: groff
 BuildRequires: krb5-devel
-BuildRequires: libidn-devel
+BuildRequires: libidn2-devel
 BuildRequires: libmetalink-devel
 BuildRequires: libnghttp2-devel
 BuildRequires: libpsl-devel
 BuildRequires: libssh2-devel
+BuildRequires: multilib-rpm-config
 BuildRequires: nss-devel
 BuildRequires: openldap-devel
 BuildRequires: openssh-clients
@ -41,6 +35,9 @@ BuildRequires: python
 BuildRequires: stunnel
 BuildRequires: zlib-devel

+# nghttpx (an HTTP/2 proxy) is used by the upstream test-suite
+BuildRequires: nghttp2
+
 # perl modules used in the test suite
 BuildRequires: perl(Cwd)
 BuildRequires: perl(Digest::MD5)
@ -62,7 +59,7 @@ BuildRequires: perl(vars)
 # to be less reliable, in order to avoid unnecessary build failures (see RHBZ
 # #810992, #816175, and #886891).  Nevertheless developers are free to install
 # valgrind manually to improve test coverage on any architecture.
-%ifarch %{ix86} x86_64
+%ifarch x86_64 %{ix86}
 BuildRequires: valgrind
 %endif

@ -85,6 +82,10 @@ Summary: A library for getting files from web servers
 Group: Development/Libraries
 Requires: libssh2%{?_isa} >= %{libssh2_version}

+# libnsspem.so is no longer included in the nss package (#1347336)
+BuildRequires: nss-pem
+Requires: nss-pem%{?_isa}
+
 %description -n libcurl
 libcurl is a free and easy-to-use client-side URL transfer library, supporting
 FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
@ -145,17 +146,11 @@ be installed.
 %setup -q

 # upstream patches
-%patch1 -p1

 # Fedora patches
 %patch101 -p1
 %patch102 -p1
 %patch104 -p1
-%patch107 -p1
-
-# use RSA instead of DSA for host authentication in SCP and SFTP test-cases
-# because DSA is no longer supported by OpenSSH
-sed -e 's/ds[as]/rsa/g' -i tests/ssh{help.pm,server.pl}

 # disable test 1112 (#565305) and test 1801
 # <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
@ -166,6 +161,9 @@ printf "1112\n1801\n" >> tests/data/DISABLED
 echo "1319" >> tests/data/DISABLED
 %endif

+# temporarily disable failing libidn2 test-cases
+printf "1034\n1035\n2046\n2047\n" >> tests/data/DISABLED
+
 %build
 [ -x /usr/kerberos/bin/krb5-config ] && KRB5_PREFIX="=/usr/kerberos"
 mkdir build-{full,minimal}
@ -179,15 +177,16 @@ export common_configure_opts=" \
    --with-gssapi${KRB5_PREFIX} \
    --without-ssl --with-nss"

+%global _configure ../configure
+
 # configure minimal build
 (
    cd build-minimal
-    ln -s ../configure
    %configure $common_configure_opts \
        --disable-ldap \
        --disable-ldaps \
        --disable-manual \
-        --without-libidn \
+        --without-libidn2 \
        --without-libmetalink \
        --without-libpsl \
        --without-libssh2 \
@ -197,7 +196,6 @@ export common_configure_opts=" \
 # configure full build
 (
    cd build-full
-    ln -s ../configure
    %configure $common_configure_opts \
        --enable-ldap \
        --enable-ldaps \
@ -244,21 +242,19 @@ mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}

 make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-full

+# install zsh completion for curl
+# (we have to override LD_LIBRARY_PATH because we eliminated rpath)
+LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
+    make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" \
+    install -C build-full/scripts
+
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la

 install -d $RPM_BUILD_ROOT%{_datadir}/aclocal
 install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal

 # Make libcurl-devel multilib-ready (bug #488922)
-%if 0%{?__isa_bits} == 64
-%global _curlbuild_h curlbuild-64.h
-%else
-%global _curlbuild_h curlbuild-32.h
-%endif
-mv $RPM_BUILD_ROOT%{_includedir}/curl/curlbuild.h \
-   $RPM_BUILD_ROOT%{_includedir}/curl/%{_curlbuild_h}
-
-install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_includedir}/curl/curlbuild.h
+%multilib_fix_c_header --file %{_includedir}/curl/curlbuild.h

 %clean
 rm -rf $RPM_BUILD_ROOT
@ -283,8 +279,8 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libcurl.so.[0-9].[0-9].[0-9]

 %files -n libcurl-devel
-%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS
-%doc docs/CONTRIBUTE docs/libcurl/ABI
+%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
+%doc docs/CONTRIBUTE.md docs/libcurl/ABI
 %{_bindir}/curl-config*
 %{_includedir}/curl
 %{_libdir}/*.so
@ -304,6 +300,94 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal

 %changelog
+* Tue Mar 14 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-3.3
+- rebase on top of current master
+
+* Mon Mar 06 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-3
+- make the dependency on nss-pem arch-specific (#1428550)
+
+* Thu Mar 02 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-2
+- re-enable valgrind on ix86 because sqlite is fixed (#1428286)
+
+* Fri Feb 24 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-1
+- new upstream release
+
+* Wed Feb 22 2017 Kamil Dudka <kdudka@redhat.com> 7.53.0-1
+- do not use valgrind on ix86 until sqlite is rebuilt by patched GCC (#1423434)
+- new upstream release (fixes CVE-2017-2629)
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.52.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Dec 23 2016 Kamil Dudka <kdudka@redhat.com> 7.52.1-1
+- new upstream release (fixes CVE-2016-9586)
+
+* Mon Nov 21 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-3
+- map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
+
+* Tue Nov 15 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-2
+- stricter host name checking for file:// URLs
+- ssh: check md5 fingerprints case insensitively
+
+* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-1
+- temporarily disable failing libidn2 test-cases
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2016-8615 - Cookie injection for other servers
+    CVE-2016-8616 - Case insensitive password comparison
+    CVE-2016-8617 - Out-of-bounds write via unchecked multiplication
+    CVE-2016-8618 - Double-free in curl_maprintf
+    CVE-2016-8619 - Double-free in krb5 code
+    CVE-2016-8620 - Glob parser write/read out of bounds
+    CVE-2016-8621 - curl_getdate out-of-bounds read
+    CVE-2016-8622 - URL unescape heap overflow via integer truncation
+    CVE-2016-8623 - Use-after-free via shared cookies
+    CVE-2016-8624 - Invalid URL parsing with '#'
+    CVE-2016-8625 - IDNA 2003 makes curl use wrong host
+
+* Thu Oct 20 2016 Kamil Dudka <kdudka@redhat.com> 7.50.3-3
+- drop 0103-curl-7.50.0-stunnel.patch no longer needed
+
+* Fri Oct 07 2016 Kamil Dudka <kdudka@redhat.com> 7.50.3-2
+- use the just built version of libcurl while generating zsh completion
+
+* Wed Sep 14 2016 Kamil Dudka <kdudka@redhat.com> 7.50.3-1
+- new upstream release (fixes CVE-2016-7167)
+
+* Wed Sep 07 2016 Kamil Dudka <kdudka@redhat.com> 7.50.2-1
+- new upstream release
+
+* Fri Aug 26 2016 Kamil Dudka <kdudka@redhat.com> 7.50.1-2
+- work around race condition in PK11_FindSlotByName()
+- fix incorrect use of a previously loaded certificate from file
+  (related to CVE-2016-5420)
+
+* Wed Aug 03 2016 Kamil Dudka <kdudka@redhat.com> 7.50.1-1
+- new upstream release (fixes CVE-2016-5419, CVE-2016-5420, and CVE-2016-5421)
+
+* Tue Jul 26 2016 Kamil Dudka <kdudka@redhat.com> 7.50.0-2
+- run HTTP/2 tests on all architectures (#1360319 now worked around in nghttp2)
+
+* Thu Jul 21 2016 Kamil Dudka <kdudka@redhat.com> 7.50.0-1
+- run HTTP/2 tests only on Intel for now to work around #1358845
+- require nss-pem because it is no longer included in the nss package (#1347336)
+- fix HTTPS and FTPS tests (work around stunnel bug #1358810)
+- new upstream release
+
+* Fri Jun 17 2016 Kamil Dudka <kdudka@redhat.com> 7.49.1-3
+- use multilib-rpm-config to install arch-dependent header files
+
+* Fri Jun 03 2016 Kamil Dudka <kdudka@redhat.com> 7.49.1-2
+- fix SIGSEGV of the curl tool while parsing URL with too many globs (#1340757)
+
+* Mon May 30 2016 Kamil Dudka <kdudka@redhat.com> 7.49.1-1
+- new upstream release
+
+* Wed May 18 2016 Kamil Dudka <kdudka@redhat.com> 7.49.0-1
+- new upstream release
+
+* Wed Mar 23 2016 Kamil Dudka <kdudka@redhat.com> 7.48.0-1
+- new upstream release
+
 * Thu Mar 17 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-4.2
 - keep the GSS-API support in libcurl-minimal, too

--- a/curlbuild.h
+++ b/curlbuild.h
@ -1,9 +0,0 @@
-#include <bits/wordsize.h>
-
-#if __WORDSIZE == 32
-#include "curlbuild-32.h"
-#elif __WORDSIZE == 64
-#include "curlbuild-64.h"
-#else
-#error "Unknown word size"
-#endif
--- a/2
+++ b/2
@ -1 +1 @@
-8242c073d8e5fc1c2a1aa946f1e903a4  curl-7.47.1.tar.lzma
+SHA512 (curl-7.53.1.tar.lzma) = 1a04904a32b3c8767bcdc629c08446495ed40b7ed20e96d74101a0539bc88eba9a2350712afda94d886520f480172f532f020f0c730deb2bbec0bdc2eb5371ea