diff --git a/0001-curl-7.65.0-speed-limit-timeout.patch b/0001-curl-7.65.0-speed-limit-timeout.patch
new file mode 100644
index 0000000..f9e155b
--- /dev/null
+++ b/0001-curl-7.65.0-speed-limit-timeout.patch
@@ -0,0 +1,203 @@ +From f2cc9d8d194c4eef706cb5470bdf6f7483b4e3cf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 22 May 2019 23:15:34 +0200 +Subject: [PATCH] Revert "progress: CURL_DISABLE_PROGRESS_METER" + +This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. + +Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + +CURLOPT_LOW_SPEED_TIME + +Reported-by: Dave Reisner + +Fixes #3927 +Closes #3928 + +Upstream-commit: c6b58137237a89081b4efc33ae0ecf7282e40132 +Signed-off-by: Kamil Dudka +--- + lib/progress.c | 110 ++++++++++++++++++++++--------------------------- + 1 file changed, 49 insertions(+), 61 deletions(-) + +diff --git a/lib/progress.c b/lib/progress.c +index f586d59b4..fe9929bb9 100644 +--- a/lib/progress.c ++++ b/lib/progress.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -31,7 +31,6 @@ + /* check rate limits within this many recent milliseconds, at minimum. */ + #define MIN_RATE_LIMIT_PERIOD 3000 + +-#ifndef CURL_DISABLE_PROGRESS_METER + /* Provide a string that is 2 + 1 + 2 + 1 + 2 = 8 letters long (plus the zero + byte) */ + static void time2str(char *r, curl_off_t seconds) +@@ -120,7 +119,6 @@ static char *max5data(curl_off_t bytes, char *max5) + + return max5; + } +-#endif + + /* + +@@ -364,13 +362,17 @@ void Curl_pgrsSetUploadSize(struct Curl_easy *data, curl_off_t size) + } + } + +-#ifndef CURL_DISABLE_PROGRESS_METER +-static void progress_meter(struct connectdata *conn) ++/* ++ * Curl_pgrsUpdate() returns 0 for success or the value returned by the ++ * progress callback! 
++ */ ++int Curl_pgrsUpdate(struct connectdata *conn) + { + struct curltime now; + curl_off_t timespent; + curl_off_t timespent_ms; /* milliseconds */ + struct Curl_easy *data = conn->data; ++ int nowindex = data->progress.speeder_c% CURR_TIME; + bool shownow = FALSE; + curl_off_t dl = data->progress.downloaded; + curl_off_t ul = data->progress.uploaded; +@@ -397,9 +399,7 @@ static void progress_meter(struct connectdata *conn) + /* Calculations done at most once a second, unless end is reached */ + if(data->progress.lastshow != now.tv_sec) { + int countindex; /* amount of seconds stored in the speeder array */ +- int nowindex = data->progress.speeder_c% CURR_TIME; +- if(!(data->progress.flags & PGRS_HIDE)) +- shownow = TRUE; ++ shownow = TRUE; + + data->progress.lastshow = now.tv_sec; + +@@ -461,12 +461,8 @@ static void progress_meter(struct connectdata *conn) + data->progress.ulspeed + data->progress.dlspeed; + + } /* Calculations end */ +- if(!shownow) +- /* only show the internal progress meter once per second */ +- return; +- else { +- /* If there's no external callback set, use internal code to show +- progress */ ++ ++ if(!(data->progress.flags & PGRS_HIDE)) { + /* progress meter has not been shut off */ + char max5[6][10]; + curl_off_t dlpercen = 0; +@@ -481,6 +477,42 @@ static void progress_meter(struct connectdata *conn) + curl_off_t dlestimate = 0; + curl_off_t total_estimate; + ++ if(data->set.fxferinfo) { ++ int result; ++ /* There's a callback set, call that */ ++ Curl_set_in_callback(data, true); ++ result = data->set.fxferinfo(data->set.progress_client, ++ data->progress.size_dl, ++ data->progress.downloaded, ++ data->progress.size_ul, ++ data->progress.uploaded); ++ Curl_set_in_callback(data, false); ++ if(result) ++ failf(data, "Callback aborted"); ++ return result; ++ } ++ if(data->set.fprogress) { ++ int result; ++ /* The older deprecated callback is set, call that */ ++ Curl_set_in_callback(data, true); ++ result = 
data->set.fprogress(data->set.progress_client, ++ (double)data->progress.size_dl, ++ (double)data->progress.downloaded, ++ (double)data->progress.size_ul, ++ (double)data->progress.uploaded); ++ Curl_set_in_callback(data, false); ++ if(result) ++ failf(data, "Callback aborted"); ++ return result; ++ } ++ ++ if(!shownow) ++ /* only show the internal progress meter once per second */ ++ return 0; ++ ++ /* If there's no external callback set, use internal code to show ++ progress */ ++ + if(!(data->progress.flags & PGRS_HEADERS_OUT)) { + if(data->state.resume_from) { + fprintf(data->set.err, +@@ -563,57 +595,13 @@ static void progress_meter(struct connectdata *conn) + time_total, /* 8 letters */ /* total time */ + time_spent, /* 8 letters */ /* time spent */ + time_left, /* 8 letters */ /* time left */ +- max5data(data->progress.current_speed, max5[5]) +- ); ++ max5data(data->progress.current_speed, max5[5]) /* current speed */ ++ ); + + /* we flush the output stream to make it appear as soon as possible */ + fflush(data->set.err); +- } /* don't show now */ +-} +-#else +- /* progress bar disabled */ +-#define progress_meter(x) +-#endif +- + +-/* +- * Curl_pgrsUpdate() returns 0 for success or the value returned by the +- * progress callback! 
+- */ +-int Curl_pgrsUpdate(struct connectdata *conn) +-{ +- struct Curl_easy *data = conn->data; +- if(!(data->progress.flags & PGRS_HIDE)) { +- if(data->set.fxferinfo) { +- int result; +- /* There's a callback set, call that */ +- Curl_set_in_callback(data, true); +- result = data->set.fxferinfo(data->set.progress_client, +- data->progress.size_dl, +- data->progress.downloaded, +- data->progress.size_ul, +- data->progress.uploaded); +- Curl_set_in_callback(data, false); +- if(result) +- failf(data, "Callback aborted"); +- return result; +- } +- if(data->set.fprogress) { +- int result; +- /* The older deprecated callback is set, call that */ +- Curl_set_in_callback(data, true); +- result = data->set.fprogress(data->set.progress_client, +- (double)data->progress.size_dl, +- (double)data->progress.downloaded, +- (double)data->progress.size_ul, +- (double)data->progress.uploaded); +- Curl_set_in_callback(data, false); +- if(result) +- failf(data, "Callback aborted"); +- return result; +- } +- } +- progress_meter(conn); ++ } /* !(data->progress.flags & PGRS_HIDE) */ + + return 0; + } +-- +2.20.1 + diff --git a/curl.spec b/curl.spec index cb35ee2..79eb8a9 100644 --- a/curl.spec +++ b/curl.spec @@ -1,10 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.65.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz +# fix spurious timeout events with speed-limit (#1714893) +Patch1: 0001-curl-7.65.0-speed-limit-timeout.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -171,6 +174,7 @@ be installed. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 
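Review bot: The comment restored above `Curl_pgrsUpdate()` in the embedded lib/progress.c patch documents only the return value, not the ordering this revert restores: the once-per-second speed calculations now run before the `fxferinfo`/`fprogress` branches can return early, whereas the reverted layout returned from the callback branch without ever reaching `progress_meter()`. The commit message says that layout broke CURLOPT_LOW_SPEED_LIMIT and CURLOPT_LOW_SPEED_TIME, which applications rely on to bound stalled or deliberately slow transfers, so I would add a guard comment before the `if(data->set.fxferinfo)` branch, for example `/* keep the speed calculations above the callbacks: they return early, and the low-speed checks need current_speed kept up to date */`. Only parts of the function are visible in these hunks, so the assumption that the low-speed check reads `data->progress.current_speed` is inferred and should be confirmed against its caller. The backport also adds no regression test for a transfer that sets a progress callback together with a speed limit; if the package's test run includes the upstream suite, it is worth confirming that one case exercises this path.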
@@ -346,6 +350,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Thu May 30 2019 Kamil Dudka - 7.65.0-2 +- fix spurious timeout events with speed-limit (#1714893) + * Wed May 22 2019 Kamil Dudka - 7.65.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2019-5436 - TFTP receive buffer overflow