From 93c55561d397a9c4ba24e71ee0b9327f38459150 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 24 Jan 2018 11:36:50 +0100
Subject: [PATCH] new upstream release - 7.58.0

Resolves: CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read
Resolves: CVE-2018-1000007 - curl: HTTP authentication leak in redirects
---
 0101-curl-7.32.0-multilib.patch | 11 +++++++----
 0102-curl-7.36.0-debug.patch    |  2 +-
 curl-7.57.0.tar.xz.asc          | 11 -----------
 curl-7.58.0.tar.xz.asc          | 11 +++++++++++
 curl.spec                       |  7 ++++++-
 sources                         |  2 +-
 6 files changed, 26 insertions(+), 18 deletions(-)
 delete mode 100644 curl-7.57.0.tar.xz.asc
 create mode 100644 curl-7.58.0.tar.xz.asc

diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch
index dc23308..532980e 100644
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@@ -13,7 +13,7 @@ diff --git a/curl-config.in b/curl-config.in
 index 150004d..95d0759 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -75,7 +75,7 @@ while test $# -gt 0; do
+@@ -76,7 +76,7 @@ while test $# -gt 0; do
          ;;
  
      --cc)
@@ -22,7 +22,7 @@ index 150004d..95d0759 100644
          ;;
  
      --prefix)
-@@ -142,29 +142,14 @@ while test $# -gt 0; do
+@@ -143,32 +143,17 @@ while test $# -gt 0; do
          ;;
  
      --libs)
@@ -38,6 +38,9 @@ index 150004d..95d0759 100644
 -        fi
 +        echo -lcurl
          ;;
+     --ssl-backends)
+         echo "@SSL_BACKENDS@"
+         ;;
  
      --static-libs)
 -        if test "X@ENABLE_STATIC@" != "Xno" ; then
@@ -58,8 +61,8 @@ diff --git a/docs/curl-config.1 b/docs/curl-config.1
 index 14a9d2b..ffcc004 100644
 --- a/docs/curl-config.1
 +++ b/docs/curl-config.1
-@@ -66,7 +66,9 @@ be listed using uppercase and are separated by newlines. There may be none,
- one, or several protocols in the list. (Added in 7.13.0)
+@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
+ comma-separated. (Added in 7.58.0)
  .IP "--static-libs"
  Shows the complete set of libs and other linker options you will need in order
 -to link your application with libcurl statically. (Added in 7.17.1)
diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch
index c8dbaa2..e392a31 100644
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16508,18 +16508,11 @@ $as_echo "yes" >&6; }
+@@ -16523,18 +16523,11 @@ $as_echo "yes" >&6; }
      gccvhi=`echo $gccver | cut -d . -f1`
      gccvlo=`echo $gccver | cut -d . -f2`
      compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
diff --git a/curl-7.57.0.tar.xz.asc b/curl-7.57.0.tar.xz.asc
deleted file mode 100644
index 5362dcc..0000000
--- a/curl-7.57.0.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAloefhsACgkQXMkI/bce
-EsJ5Wwf/W2iMekYTk+zF2iCvCSlTT93gRl1RXIi5v3lMO3H13Xv66304ny5/XEI8
-Mf0dfif/+ADV4Cm9Gsfs5Gx3d6IDtzRW66gpoNnEt/u6xLKlJWPAKHBEAOW7bDZU
-78qgEAmH1CVbzD+yc1vkSTZWc3ilfezjMfwUa5E5RkTtcoD6mTWzeMLm5doFxc3s
-NvPu40IlJ2Ss3jqRoKgvkGeUuOiQYUb7DDDCaSF6jZjB88J1HFYWU+i7zjVoAdD3
-jRVan6R5RJbJqvo9yKT0YWxbR2RKoQIydg8Xa7ocKTM6205vc94AXSHLSkjHMr+H
-5UgyAJvkk2FaoJIwLJUSTYE3RDlqog==
-=Kzqh
------END PGP SIGNATURE-----
diff --git a/curl-7.58.0.tar.xz.asc b/curl-7.58.0.tar.xz.asc
new file mode 100644
index 0000000..715eacb
--- /dev/null
+++ b/curl-7.58.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlpoMGsACgkQXMkI/bce
+EsIxtwgAnazhBf4KjF3bw1XNxgjkWVUwqLlLwEElg4tD6g/uYw9VeZQyy2wQGmgc
+yKx2WrfqLDmE1gAqKgvGLdS6qvMtv0x/3gNjOy4/LVYBlVqP+k5p0XZhV3jcg929
+Hkv/Fgp1yvtks98CGEIp6xJSjlnL3x5VEsMslXO7dpfq+6gvnbBVBP7QUOb/CYDg
+LHHAIZFSQuTeLKAvvl1koZAZnZ5zD3dtwL8rK4CVD0ugwJplJvGbvoIMNu9uagUZ
+CpBV0Pyv0AUsMTohszyOovi/RizHWl8xTynreJh+sx++NZEX2KjsnISpZAxmD6r5
+dtt21mdhrRSsAXmHD8q5LnbrKosbvQ==
+=ZqfQ
+-----END PGP SIGNATURE-----
diff --git a/curl.spec b/curl.spec
index a00237e..88dd5db 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,6 +1,6 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.57.0
+Version: 7.58.0
 Release: 1%{?dist}
 License: MIT
 Group: Applications/Internet
@@ -298,6 +298,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal
 
 %changelog
+* Wed Jan 24 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read
+    CVE-2018-1000007 - curl: HTTP authentication leak in redirects
+
 * Wed Nov 29 2017 Kamil Dudka <kdudka@redhat.com> - 7.57.0-1
 - new upstream release, which fixes the following vulnerabilities
     CVE-2017-8816 - curl: NTLM buffer overflow via integer overflow
diff --git a/sources b/sources
index cd5eae2..d1edf19 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (curl-7.57.0.tar.xz) = 200076753e3d7b9f3edd381937cb72710f4051b2f041102b49626e4e82c3f50d2bf4917b9ddb957fde37753e9457c81087c792528077916ae5c04875944a6b8d
+SHA512 (curl-7.58.0.tar.xz) = 965affc74ab8f8c94d1b79ebb8012ca4c1a482c7a3282f2661f6382163e47e3ea657398c1a4202008d0c683a3d2266a05a64a26bd514a64a08e4fe83929dcae5