new upstream release - 7.72.0

Resolves: CVE-2020-8231 - libcurl: wrong connect-only connection
2020-08-19 12:06:12 +02:00 · 2020-08-19 12:06:12 +02:00 · e7a12a6b7b
commit e7a12a6b7b
parent 840be82e6f
8 changed files with 20 additions and 237 deletions
--- a/0001-curl-7.71.1-tool-krb-opt.patch
+++ b/0001-curl-7.71.1-tool-krb-opt.patch
@ -1,65 +0,0 @@
-From a58654cbc5bea608b9c8729703a6d866ffaae8d8 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Thu, 2 Jul 2020 17:41:37 +0200
-Subject: [PATCH 1/2] tool_getparam: make --krb option work again
-
-It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301.
-
-Bug: https://bugzilla.redhat.com/1833193
-Closes #5640
-
-Upstream-commit: d2fd845c35922ca73b89c617597dd5c59772e16a
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
- src/tool_getparam.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tool_getparam.c b/src/tool_getparam.c
-index 3409621..9c6bc8a 100644
--- a/src/tool_getparam.c
-+++ b/src/tool_getparam.c
-@@ -813,7 +813,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
-         break;
-       case 'x': /* --krb */
-         /* kerberos level string */
-        if(curlinfo->features & CURL_VERSION_KERBEROS4)
-+        if(curlinfo->features & CURL_VERSION_SPNEGO)
-           GetStr(&config->krblevel, nextarg);
-         else
-           return PARAM_LIBCURL_DOESNT_SUPPORT;
-- 
-2.21.3
-
-
-From 0be44560dfe3597a12b21b95798f69714ff0459a Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Thu, 2 Jul 2020 23:46:40 +0200
-Subject: [PATCH 2/2] curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
-
-This came up in #5640. It make sense to clarify this in the docs!
-
-Reminded-by: Kamil Dudka
-Closes #5642
-
-Upstream-commit: 54f21be2e3a64b9e57130cf6d1eb4f17c44d7967
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
- docs/libcurl/curl_version_info.3 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs/libcurl/curl_version_info.3 b/docs/libcurl/curl_version_info.3
-index 2d21dfb..0d26e87 100644
--- a/docs/libcurl/curl_version_info.3
-+++ b/docs/libcurl/curl_version_info.3
-@@ -151,7 +151,7 @@ letters. (Added in 7.12.0)
- .IP CURL_VERSION_IPV6
- supports IPv6
- .IP CURL_VERSION_KERBEROS4
-supports Kerberos V4 (when using FTP)
-+supports Kerberos V4 (when using FTP). Legacy bit. Deprecated since 7.33.0.
- .IP CURL_VERSION_KERBEROS5
- supports Kerberos V5 authentication for FTP, IMAP, POP3, SMTP and SOCKSv5 proxy
- (Added in 7.40.0)
-- 
-2.21.3
-
--- a/0002-curl-7.71.1-unset-nobody.patch
+++ b/0002-curl-7.71.1-unset-nobody.patch
@ -1,148 +0,0 @@
-From 750188fc8eb239f51255d6f3510f544377e78ecd Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 27 Jul 2020 11:44:01 +0200
-Subject: [PATCH 1/3] setopt: unset NOBODY switches to GET if still HEAD
-
-Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
-action but before 7.71.0 that used to switch back to GET and with this
-change (assuming the method is still set to HEAD) this behavior is
-brought back.
-
-Reported-by: causal-agent on github
-Fixes #5725
-Closes #5728
-
-Upstream-commit: 91cb16b21faa556d4467399781379ad3abafd3fe
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
- lib/setopt.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/lib/setopt.c b/lib/setopt.c
-index 90edf6a..d621335 100644
--- a/lib/setopt.c
-+++ b/lib/setopt.c
-@@ -274,6 +274,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-     if(data->set.opt_no_body)
-       /* in HTTP lingo, no body means using the HEAD request... */
-       data->set.method = HTTPREQ_HEAD;
-+    else if(data->set.method == HTTPREQ_HEAD)
-+      data->set.method = HTTPREQ_GET;
-     break;
-   case CURLOPT_FAILONERROR:
-     /*
-- 
-2.25.4
-
-
-From 44add6f66c7ddec9f002fb52ce8e893a8ca9165d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 27 Jul 2020 11:54:29 +0200
-Subject: [PATCH 2/3] CURLOPT_NOBODY.3: clarify what setting to 0 means
-
-... and mention that HTTP with other methods than HEAD might get a body and
-there's no option available to stop that.
-
-Closes #5729
-
-Upstream-commit: e1bac81cc815f3fe968e009eb69b8e0236dcd82c
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
- docs/libcurl/opts/CURLOPT_NOBODY.3 | 22 ++++++++++++++++------
- 1 file changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
-index f720f49..3674dde 100644
--- a/docs/libcurl/opts/CURLOPT_NOBODY.3
-+++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
-@@ -5,7 +5,7 @@
- .\" *                            | (__| |_| |  _ <| |___
- .\" *                             \___|\___/|_| \_\_____|
- .\" *
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
-+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
- .\" *
- .\" * This software is licensed as described in the file COPYING, which
- .\" * you should have received as part of this distribution. The terms
-@@ -34,7 +34,17 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
- libcurl do a HEAD request. For most other protocols it means just not asking
- to transfer the body data.
- 
-Enabling this option means asking for a download but without a body.
-+For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
-+option (with 0) will make it a GET again - only if the method is still set to
-+be HEAD. The proper way to get back to a GET request is to set
-+\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
-+options.
-+
-+Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
-+
-+If you do a transfer with HTTP that involves a method other than HEAD, you
-+will get a body (unless the resource and server sends a zero byte body for the
-+specific URL you request).
- .SH DEFAULT
- 0, the body is transferred
- .SH PROTOCOLS
-@@ -43,9 +53,9 @@ Most
- .nf
- curl = curl_easy_init();
- if(curl) {
-  curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
-+  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
- 
-  /* get us the resource without a body! */
-+  /* get us the resource without a body - use HEAD! */
-   curl_easy_setopt(curl, CURLOPT_NOBODY, 1L);
- 
-   /* Perform the request */
-@@ -57,5 +67,5 @@ Always
- .SH RETURN VALUE
- Returns CURLE_OK
- .SH "SEE ALSO"
-.BR CURLOPT_HTTPGET "(3), " CURLOPT_POST "(3), "
-.BR CURLOPT_REQUEST_TARGET "(3), "
-+.BR CURLOPT_HTTPGET "(3), " CURLOPT_POSTFIELDS "(3), " CURLOPT_UPLOAD "(3), "
-+.BR CURLOPT_REQUEST_TARGET "(3), " CURLOPT_MIMEPOST "(3), "
-- 
-2.25.4
-
-
-From cc8e488c83254013a0ad1149a77565723aee870b Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 27 Jul 2020 23:59:00 +0200
-Subject: [PATCH 3/3] CURLOPT_NOBODY.3: fix the syntax for referring to options
-
-As test 1140 fails otherwise!
-
-Follow-up to e1bac81cc815
-
-Upstream-commit: 34e5ad21d2cb98475acdbf7a3a6ea973d8c12249
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
- docs/libcurl/opts/CURLOPT_NOBODY.3 | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
-index 3674dde..112fb1a 100644
--- a/docs/libcurl/opts/CURLOPT_NOBODY.3
-+++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
-@@ -34,13 +34,13 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
- libcurl do a HEAD request. For most other protocols it means just not asking
- to transfer the body data.
- 
-For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
-+For HTTP operations when \fICURLOPT_NOBODY(3)\fP has been set, unsetting the
- option (with 0) will make it a GET again - only if the method is still set to
- be HEAD. The proper way to get back to a GET request is to set
-\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
-+\fICURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
- options.
- 
-Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
-+Enabling \fICURLOPT_NOBODY(3)\fP means asking for a download without a body.
- 
- If you do a transfer with HTTP that involves a method other than HEAD, you
- will get a body (unless the resource and server sends a zero byte body for the
-- 
-2.25.4
-
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@ -31,7 +31,7 @@ index 150004d..95d0759 100644
 -        else
 -           CURLLIBDIR=""
 -        fi
-        if test "X@ENABLE_SHARED@" = "Xno" -o "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
+-        if test "X@ENABLE_SHARED@" = "Xno"; then
 -          echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
 -        else
 -          echo ${CURLLIBDIR}-lcurl
--- a/0105-curl-7.63.0-lib1560-valgrind.patch
+++ b/0105-curl-7.63.0-lib1560-valgrind.patch
@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
 index 080421b..ea3b806 100644
 --- a/tests/libtest/Makefile.inc
 +++ b/tests/libtest/Makefile.inc
-@@ -590,6 +590,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+@@ -594,6 +594,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 lib1559_LDADD = $(TESTUTIL_LIBS)
 
 lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
--- a/curl-7.71.1.tar.xz.asc
+++ b/curl-7.71.1.tar.xz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl78MUgACgkQXMkI/bce
-EsJkEgf/ZDR7QKw9aPQoT2dOyqoCTKip1fLCtJBEOmctjS86zF+1caPABYLV1kq6
-9baz7L2qWOmDdHkxF4poTpPH9CkcG3Krq6lHFjbFQ0GxMC+MEnnFYKfDVrRopaKq
-ioBUnZrRSIytgwbiwxB+uxxa4ItzV6tZNVKIiIZOuuVSAZ9azA/swpezet8x2kxg
-yp1Y3oe0R1VCYiCJ2EOB/rMs0ndPHSRuWiCCIBK7uPXA0jJsL4rjhmY5l2qAadfy
-6iDpk85CJvQcGcC8nZMmpbivniOjIjEefjeXviLvg5dZi7f3M028QyGpkkUVzf27
-FiWCDZuZkp9ed2eLIBGWo/wy70f2pw==
-=0YwO
-----END PGP SIGNATURE-----
--- a/curl-7.72.0.tar.xz.asc
+++ b/curl-7.72.0.tar.xz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl881xgACgkQXMkI/bce
+EsIjuwgAj6aeQgnWkubxxXAQ2kbckLh6QUKZWJQxPjb91kz98cGRcrdGRP292JFN
+qQprls4rFTWWOIVVMP/kdheeNI9LqDvQAfZMCaLFAWUdw1L2pbId7VbV+NuTAce8
+V/ENqh+Xj2q2LsMnj02k0Uc1e6Nh1K4al2hwFiozarI/ltb3q7jZN2P2fAmDX89y
+f3VsVfNZgv7VIwlX2d3b1RvMdppMFrDC3ZsAXlg2GQZ5sE7yfa2Qq+J5RzaNvEDh
+p3pMbPiNgk1ZuGQrzoiYq9tqK/o7pD2t4h2GsftppALxC3SsoneNrdnly910IfKh
+8qczoMpszBs8F7jts6KnfXszyhyyhQ==
+=sC+U
+-----END PGP SIGNATURE-----
--- a/curl.spec
+++ b/curl.spec
@ -1,16 +1,10 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.71.1
-Release: 5%{?dist}
+Version: 7.72.0
+Release: 1%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

-# curl: make the --krb option work again (#1833193)
-Patch1:   0001-curl-7.71.1-tool-krb-opt.patch
-
-# setopt: unset NOBODY switches to GET if still HEAD
-Patch2:   0002-curl-7.71.1-unset-nobody.patch
-
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -178,8 +172,6 @@ be installed.
 %setup -q

 # upstream patches
-%patch1 -p1
-%patch2 -p1

 # Fedora patches
 %patch101 -p1
@ -358,6 +350,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Wed Aug 19 2020 Kamil Dudka <kdudka@redhat.com> - 7.72.0-1
+- new upstream release, which fixes the following vulnerability
+    CVE-2020-8231 - libcurl: wrong connect-only connection
+
 * Thu Aug 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-5
 - setopt: unset NOBODY switches to GET if still HEAD

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (curl-7.71.1.tar.xz) = 631e0ee8562e5029fe022bfab4222836a3e6d666e82e2bfbd78311fe5985105218a36d1ea68c93472fc57a12b713957a3bcca6e385eda4e58a47ca8d5d50265b
+SHA512 (curl-7.72.0.tar.xz) = e5025a32eac6108ccb13d1fcce9c2de28b3a6d6e9a258a647c4be45d71718f75653e1ccd477ef5f29242a15588255c4ef43fe47bf9908b938b6769fccfaac107