From 93c55561d397a9c4ba24e71ee0b9327f38459150 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 24 Jan 2018 11:36:50 +0100
Subject: [PATCH] new upstream release - 7.58.0
Resolves: CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read
Resolves: CVE-2018-1000007 - curl: HTTP authentication leak in redirects
---
0101-curl-7.32.0-multilib.patch | 11 +++++++----
0102-curl-7.36.0-debug.patch | 2 +-
curl-7.57.0.tar.xz.asc | 11 -----------
curl-7.58.0.tar.xz.asc | 11 +++++++++++
curl.spec | 7 ++++++-
sources | 2 +-
6 files changed, 26 insertions(+), 18 deletions(-)
delete mode 100644 curl-7.57.0.tar.xz.asc
create mode 100644 curl-7.58.0.tar.xz.asc
diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch
index dc23308..532980e 100644
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@@ -13,7 +13,7 @@ diff --git a/curl-config.in b/curl-config.in
index 150004d..95d0759 100644
--- a/curl-config.in
+++ b/curl-config.in
-@@ -75,7 +75,7 @@ while test $# -gt 0; do
+@@ -76,7 +76,7 @@ while test $# -gt 0; do
;;
--cc)
@@ -22,7 +22,7 @@ index 150004d..95d0759 100644
;;
--prefix)
-@@ -142,29 +142,14 @@ while test $# -gt 0; do
+@@ -143,32 +143,17 @@ while test $# -gt 0; do
;;
--libs)
@@ -38,6 +38,9 @@ index 150004d..95d0759 100644
- fi
+ echo -lcurl
;;
+ --ssl-backends)
+ echo "@SSL_BACKENDS@"
+ ;;
--static-libs)
- if test "X@ENABLE_STATIC@" != "Xno" ; then
@@ -58,8 +61,8 @@ diff --git a/docs/curl-config.1 b/docs/curl-config.1
index 14a9d2b..ffcc004 100644
--- a/docs/curl-config.1
+++ b/docs/curl-config.1
-@@ -66,7 +66,9 @@ be listed using uppercase and are separated by newlines. There may be none,
- one, or several protocols in the list. (Added in 7.13.0)
+@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
+ comma-separated. (Added in 7.58.0)
.IP "--static-libs"
Shows the complete set of libs and other linker options you will need in order
-to link your application with libcurl statically. (Added in 7.17.1)
diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch
index c8dbaa2..e392a31 100644
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@@ -12,7 +12,7 @@ diff --git a/configure b/configure
index 8f079a3..53b4774 100755
--- a/configure
+++ b/configure
-@@ -16508,18 +16508,11 @@ $as_echo "yes" >&6; }
+@@ -16523,18 +16523,11 @@ $as_echo "yes" >&6; }
gccvhi=`echo $gccver | cut -d . -f1`
gccvlo=`echo $gccver | cut -d . -f2`
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
diff --git a/curl-7.57.0.tar.xz.asc b/curl-7.57.0.tar.xz.asc
deleted file mode 100644
index 5362dcc..0000000
--- a/curl-7.57.0.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAloefhsACgkQXMkI/bce
-EsJ5Wwf/W2iMekYTk+zF2iCvCSlTT93gRl1RXIi5v3lMO3H13Xv66304ny5/XEI8
-Mf0dfif/+ADV4Cm9Gsfs5Gx3d6IDtzRW66gpoNnEt/u6xLKlJWPAKHBEAOW7bDZU
-78qgEAmH1CVbzD+yc1vkSTZWc3ilfezjMfwUa5E5RkTtcoD6mTWzeMLm5doFxc3s
-NvPu40IlJ2Ss3jqRoKgvkGeUuOiQYUb7DDDCaSF6jZjB88J1HFYWU+i7zjVoAdD3
-jRVan6R5RJbJqvo9yKT0YWxbR2RKoQIydg8Xa7ocKTM6205vc94AXSHLSkjHMr+H
-5UgyAJvkk2FaoJIwLJUSTYE3RDlqog==
-=Kzqh
------END PGP SIGNATURE-----
diff --git a/curl-7.58.0.tar.xz.asc b/curl-7.58.0.tar.xz.asc
new file mode 100644
index 0000000..715eacb
--- /dev/null
+++ b/curl-7.58.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlpoMGsACgkQXMkI/bce
+EsIxtwgAnazhBf4KjF3bw1XNxgjkWVUwqLlLwEElg4tD6g/uYw9VeZQyy2wQGmgc
+yKx2WrfqLDmE1gAqKgvGLdS6qvMtv0x/3gNjOy4/LVYBlVqP+k5p0XZhV3jcg929
+Hkv/Fgp1yvtks98CGEIp6xJSjlnL3x5VEsMslXO7dpfq+6gvnbBVBP7QUOb/CYDg
+LHHAIZFSQuTeLKAvvl1koZAZnZ5zD3dtwL8rK4CVD0ugwJplJvGbvoIMNu9uagUZ
+CpBV0Pyv0AUsMTohszyOovi/RizHWl8xTynreJh+sx++NZEX2KjsnISpZAxmD6r5
+dtt21mdhrRSsAXmHD8q5LnbrKosbvQ==
+=ZqfQ
+-----END PGP SIGNATURE-----
diff --git a/curl.spec b/curl.spec
index a00237e..88dd5db 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,6 +1,6 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
-Version: 7.57.0
+Version: 7.58.0
Release: 1%{?dist}
License: MIT
Group: Applications/Internet
@@ -298,6 +298,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal
%changelog
+* Wed Jan 24 2018 Kamil Dudka - 7.58.0-1
+- new upstream release, which fixes the following vulnerabilities
CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read
CVE-2018-1000007 - curl: HTTP authentication leak in redirects
+
* Wed Nov 29 2017 Kamil Dudka - 7.57.0-1
- new upstream release, which fixes the following vulnerabilities
CVE-2017-8816 - curl: NTLM buffer overflow via integer overflow
diff --git a/sources b/sources
index cd5eae2..d1edf19 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (curl-7.57.0.tar.xz) = 200076753e3d7b9f3edd381937cb72710f4051b2f041102b49626e4e82c3f50d2bf4917b9ddb957fde37753e9457c81087c792528077916ae5c04875944a6b8d
+SHA512 (curl-7.58.0.tar.xz) = 965affc74ab8f8c94d1b79ebb8012ca4c1a482c7a3282f2661f6382163e47e3ea657398c1a4202008d0c683a3d2266a05a64a26bd514a64a08e4fe83929dcae5
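Review bot: The new detached signature only protects the build if something verifies it, and neither curl.spec hunk in this commit shows a `%{gpgverify} --keyring=<pinned key> --signature=<tarball .asc> --data=<tarball>` step in %prep (the `Source` and `%prep` lines are outside this diff, so it may exist there); if it does not, the only integrity check on the 7.58.0 tarball is the SHA512 line in `sources`, which was computed from the same download it is meant to protect. The visible base64 prefix `iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsI` is identical in the deleted 7.57.0 signature and in this one; it decodes to the issuer-fingerprint subpacket (27ED EAF2 2F3A BCEB 50DB 9A12 5CC9 08FD B71E 12C2), so the signing key appears unchanged between releases and should be checked against the key you pin rather than trusted because the `.asc` sits next to the tarball. If verification already lives elsewhere in curl.spec, a one-line comment next to the `.asc` `Source` entry naming the `%prep` check would make that obvious to the next reviewer of a release bump.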