From 8c661bb9d7bae4bd4a9036e3a9b88648a2ba44d0 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 24 Jun 2020 09:27:34 +0200
Subject: [PATCH] new upstream release - 7.71.0

Resolves: CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect
Resolves: CVE-2020-8177 - curl: overwrite local file with -J
---
0001-curl-7.70.0-tests-build-dir.patch | 63 -------------------------
0101-curl-7.32.0-multilib.patch | 14 +++---
0105-curl-7.63.0-lib1560-valgrind.patch | 2 +-
curl-7.70.0.tar.xz.asc | 11 -----
curl-7.71.0.tar.xz.asc | 11 +++++
curl.spec | 13 ++---
sources | 2 +-
7 files changed, 28 insertions(+), 88 deletions(-)
delete mode 100644 0001-curl-7.70.0-tests-build-dir.patch
delete mode 100644 curl-7.70.0.tar.xz.asc
create mode 100644 curl-7.71.0.tar.xz.asc

diff --git a/0001-curl-7.70.0-tests-build-dir.patch b/0001-curl-7.70.0-tests-build-dir.patch
deleted file mode 100644
index b4c2d16..0000000
--- a/0001-curl-7.70.0-tests-build-dir.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From a6d36d6795d18895a63ced7b01a2b1ba2e9e04e5 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 29 Apr 2020 13:26:14 +0200 -Subject: [PATCH 1/2] tests: look for preprocessed tests in build directory - -... which is not always the same directory as source directory - -Closes #5310 - -Upstream-commit: 1066f5f0d4b304f7ba46f912cf13e12f45e39553 -Signed-off-by: Kamil Dudka ---- - tests/server/util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/server/util.c b/tests/server/util.c -index f576b9c..09bb515 100644 ---- a/tests/server/util.c -+++ b/tests/server/util.c -@@ -199,7 +199,7 @@ FILE *test2fopen(long testno) - FILE *stream; - char filename[256]; - /* first try the alternative, preprocessed, file */ -- msnprintf(filename, sizeof(filename), ALTTEST_DATA_PATH, path, testno); -+ msnprintf(filename, sizeof(filename), ALTTEST_DATA_PATH, ".", testno); - stream = fopen(filename, "rb"); - if(stream) - return stream; --- -2.21.1 - - -From 540709d145c875c4cf67ce0c7acd6416c05f773c Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 29 Apr 2020 13:27:20 +0200 -Subject: [PATCH 2/2] test1177: look for curl.h in source directory - -If we use a separate build directory, there is no copy of the header. - -Closes #5310 - -Upstream-commit: 68774da9ca5f39dbb403d63a7d9326b28263bdcb -Signed-off-by: Kamil Dudka ---- - tests/data/test1177 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/data/test1177 b/tests/data/test1177 -index 75a1ab3..85b520c 100644 ---- a/tests/data/test1177 -+++ b/tests/data/test1177 -@@ -18,7 +18,7 @@ Verify that CURL_VERSION_* in headers and docs are in sync - - - --%SRCDIR/version-scan.pl %SRCDIR/../docs/libcurl/curl_version_info.3 ../include/curl/curl.h -+%SRCDIR/version-scan.pl %SRCDIR/../docs/libcurl/curl_version_info.3 %SRCDIR/../include/curl/curl.h - - - --- -2.21.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 613106d..b4de30d 100644 
--- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -4,10 +4,10 @@ Date: Fri, 12 Apr 2013 12:04:05 +0200 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- - curl-config.in | 21 +++------------------ - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + - 3 files changed, 7 insertions(+), 19 deletions(-) + curl-config.in | 23 +++++------------------ + docs/curl-config.1 | 4 +++- + libcurl.pc.in | 1 + + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in index 150004d..95d0759 100644 @@ -22,7 +22,7 @@ index 150004d..95d0759 100644 ;; --prefix) -@@ -155,32 +155,17 @@ while test $# -gt 0; do +@@ -155,32 +155,19 @@ while test $# -gt 0; do ;; --libs) @@ -31,7 +31,7 @@ index 150004d..95d0759 100644 - else - CURLLIBDIR="" - fi -- if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then +- if test "X@ENABLE_SHARED@" = "Xno" -o "X@REQUIRE_LIB_DEPS@" = "Xyes"; then - echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ - else - echo ${CURLLIBDIR}-lcurl @@ -49,6 +49,8 @@ index 150004d..95d0759 100644 - echo "curl was built with static libraries disabled" >&2 - exit 1 - fi ++ echo "curl was built with static libraries disabled" >&2 ++ exit 1 ;; --configure) diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch index 933b289..c0d390b 100644 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ b/0105-curl-7.63.0-lib1560-valgrind.patch @@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 080421b..ea3b806 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc -@@ -583,6 +583,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +@@ -586,6 +586,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1559_LDADD = $(TESTUTIL_LIBS) lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) 
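Review bot: The rebased hunk at `@@ -49,6 +49,8 @@` now makes `curl-config --static-libs` fail unconditionally — the two new inner lines `echo "curl was built with static libraries disabled" >&2` and `exit 1` replace the tail of an `if`/`else` block (`exit 1` / `fi` are among the removed lines) that upstream enters only under a condition this hunk does not show — yet neither the patch header ("prevent multilib conflicts on the curl-config script") nor the hunk says why that is acceptable here. A one-line comment above the added lines, `# Fedora: no static libcurl is shipped, so --static-libs always errors out`, would keep the next rebase from quietly restoring the conditional; whether the build really never produces a static libcurl is not visible in this diff and should be confirmed against the configure flags in curl.spec. The retouched removed line `if test "X@ENABLE_SHARED@" = "Xno" -o "X@REQUIRE_LIB_DEPS@" = "Xyes"` only tracks what 7.71.0 ships in the `--libs` branch; what the Fedora patch substitutes for it, and the enclosing `case` in curl-config.in, lie outside this hunk.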
diff --git a/curl-7.70.0.tar.xz.asc b/curl-7.70.0.tar.xz.asc deleted file mode 100644 index 06df293..0000000 --- a/curl-7.70.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl6pGOwACgkQXMkI/bce -EsJJvggAoWbMdK1FfuTzNORxiW/UoJmT2HCjuN5nLzlObJbhYQWnKWRfE09c2j3C -g1GQJ6vUq452DFAYiWFnml4u1E9UVjmLVrsOzsBZD1EvbVaFQF9cP1UoURU7h9n/ -uTcNZ4oxuvnxYX0oDStEx9mVw63Gw+CtyUJoDNmzmVAk0sBfcCa3mRBZwhNnYPXU -dUxb6bpelcdTDJZGCJIzcmoidbS214GAGomLYrLhKlcYwU4aSKpERAnXK4TbiZjR -l30qG0HkrP1vQ1UKkUKLbuC4Fy27WgSqYBq/dY9ljmwAXb1txrsbHqA1RE3L4NyA -7uE/as3hskrUuVFidsTPwoAOPljJpw== -=g8R9 ------END PGP SIGNATURE----- diff --git a/curl-7.71.0.tar.xz.asc b/curl-7.71.0.tar.xz.asc new file mode 100644 index 0000000..53797d9 --- /dev/null +++ b/curl-7.71.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl7y9KMACgkQXMkI/bce +EsJDYAgAmtxtJ5xPWUQ3zYFzPGVGvAOIzRT0UrdWHR5JH9ED23zXsm8Nw8hgrwX4 +VS6d0olNYNzEVDf+on/p3SbLBnvG4rc+i3hLMYmwfJMZW/+1Z0iwmT+nKFzBqt3n +KCmvokRzRyztasCiagBagv3qbV8v2o72hfMmEH7AWqafrRvsaAjiJDedUHi5W9rH +aBFrvuyllA/PfUsM3de4/g2Gs0i882gRmR/BMJNTCYlVRXGDXzO1Vj/jpXWOvV7W +llT0W3Y8FbPch0/R05q5Dc4k7+slPYP4eQ95qVU7pyMozHFsCiP0P3guk4LDbgW4 +ljK090GRc3xBVPHI5+UYYAnt/BEnwg== +=ccth +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index f75467c..861561b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,13 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.70.0 +Version: 7.71.0 Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# make test-suite work with separate build dir -Patch1: 0001-curl-7.70.0-tests-build-dir.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -175,7 +172,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 # Fedora patches %patch101 -p1 
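Review bot: The `Source:` line is bumped to 7.71.0 and a fresh `curl-7.71.0.tar.xz.asc` lands in the same commit, but nothing in either visible spec hunk references the detached signature (no `Source2:` or `%{gpgverify}` line in view), so whether the tarball's signature is actually checked in `%prep` cannot be confirmed from here; if it is not, the SHA512 pinned in `sources` is the only integrity check and the `.asc` is unused. Both `.asc` blobs open with the identical packet prefix `iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsI`, which in a v4 OpenPGP signature carries the issuer fingerprint, so the 7.71.0 signature appears to come from the same key as 7.70.0 — that key continuity is what a verification step should pin, rather than any key that happens to be in the build keyring. Separately, dropping `%patch1 -p1` leaves the `# upstream patches` comment heading an empty section in `%prep`; either drop the comment too or keep it as a deliberate placeholder, e.g. `# upstream patches (none at the moment)`.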
@@ -335,7 +331,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %files -n libcurl-devel %doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md -%doc docs/CONTRIBUTE.md docs/libcurl/ABI +%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md %{_bindir}/curl-config* %{_includedir}/curl %{_libdir}/*.so @@ -354,6 +350,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jun 24 2020 Kamil Dudka - 7.71.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect + CVE-2020-8177 - curl: overwrite local file with -J + * Wed Apr 29 2020 Kamil Dudka - 7.70.0-1 - new upstream release diff --git a/sources b/sources index 8f47dc0..1cee95b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (curl-7.70.0.tar.xz) = ab8796af1bd6f35ae704fd5e3639a8153482615a05c24e2e6d0b9cef8ed9a1e0d497ead2dbf5972cc53f632c2d87f0bf79e9e7cac625452dd24e6c7d8045cfc6 +SHA512 (curl-7.71.0.tar.xz) = f1ea045f23b6a7e2c84ea83954d3299c612f57c3b1e5fee0b39493dc92fc4e95e7af2a5424c2e5bc480659e80cf1adce1fc528fc816f8ff2d0e7bfcfe4c5830a