authorKaren Arutyunov <karen@codesynthesis.com>2023-02-13 15:19:29 +0300
committerKaren Arutyunov <karen@codesynthesis.com>2023-02-13 15:58:39 +0300
commit95c1e6db8f94b4ace8296812e08e99eb7733ad2f (patch)
tree622cdee9954077b57f54fbe87c46be7c8c406f3b /curl
parent4a2a63f21ed1cdcb516625cdc8203f0ad20f4042 (diff)
Upgrade to 7.87.0
In particular, this fixes CVE-2022-32221 and CVE-2022-43552.
Diffstat (limited to 'curl')
-rw-r--r--curl/README-DEV6
l---------curl/curl/curl_ctype.c1
-rw-r--r--curl/curl/tool_hugehelp.c28
-rw-r--r--curl/curl/tool_main.c46
-rw-r--r--curl/manifest2
5 files changed, 26 insertions, 57 deletions
diff --git a/curl/README-DEV b/curl/README-DEV
index df275f1..760e273 100644
--- a/curl/README-DEV
+++ b/curl/README-DEV
@@ -5,13 +5,9 @@ understanding will be useful when upgrading to a new upstream version. See
Symlink the required upstream directories into curl/:
$ ln -s ../../upstream/{src,lib} curl
-$ ln -s lib/{strtoofft,nonblock,warnless,curl_ctype,dynbuf,version_win32,curl_multibyte}.c curl
+$ ln -s lib/{strtoofft,nonblock,warnless,dynbuf,version_win32,curl_multibyte}.c curl
$ ln -s ../../libcurl/libcurl/curl_config.h curl
-$ cp curl/src/tool_hugehelp.c.cvs curl/tool_hugehelp.c
-
-Edit tool_hugehelp.c to make hugehelp() be empty.
-
Patch curl to use CA certificate bundle provided by the
libca-certificates-curl package by default:
diff --git a/curl/curl/curl_ctype.c b/curl/curl/curl_ctype.c
deleted file mode 120000
index 23515cd..0000000
--- a/curl/curl/curl_ctype.c
+++ /dev/null
@@ -1 +0,0 @@
-lib/curl_ctype.c \ No newline at end of file
diff --git a/curl/curl/tool_hugehelp.c b/curl/curl/tool_hugehelp.c
deleted file mode 100644
index 8d741f6..0000000
--- a/curl/curl/tool_hugehelp.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/***************************************************************************
- * _ _ ____ _
- * Project ___| | | | _ \| |
- * / __| | | | |_) | |
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
- * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
- * are also available at https://curl.se/docs/copyright.html.
- *
- * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- * copies of the Software, and permit persons to whom the Software is
- * furnished to do so, under the terms of the COPYING file.
- *
- * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- * KIND, either express or implied.
- *
- * SPDX-License-Identifier: curl
- *
- ***************************************************************************/
-
-#include "tool_setup.h"
-#include "tool_hugehelp.h"
-
-void hugehelp(void) {}
diff --git a/curl/curl/tool_main.c b/curl/curl/tool_main.c
index 15caf3c..9b8d498 100644
--- a/curl/curl/tool_main.c
+++ b/curl/curl/tool_main.c
@@ -33,6 +33,10 @@
#include <signal.h>
#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+
#ifdef USE_NSS
#include <nspr.h>
#include <plarenas.h>
@@ -50,7 +54,6 @@
#include "tool_doswin.h"
#include "tool_msgs.h"
#include "tool_operate.h"
-#include "tool_panykey.h"
#include "tool_vms.h"
#include "tool_main.h"
#include "tool_libinfo.h"
@@ -84,29 +87,30 @@ int _CRT_glob = 0;
/* if we build a static library for unit tests, there is no main() function */
#ifndef UNITTESTS
+#if defined(HAVE_PIPE) && defined(HAVE_FCNTL)
/*
* Ensure that file descriptors 0, 1 and 2 (stdin, stdout, stderr) are
* open before starting to run. Otherwise, the first three network
* sockets opened by curl could be used for input sources, downloaded data
* or error logs as they will effectively be stdin, stdout and/or stderr.
+ *
+ * fcntl's F_GETFD instruction returns -1 if the file descriptor is closed,
+ * otherwise it returns "the file descriptor flags (which typically can only
+ * be FD_CLOEXEC, which is not set here).
*/
-static void main_checkfds(void)
+static int main_checkfds(void)
{
-#ifdef HAVE_PIPE
- int fd[2] = { STDIN_FILENO, STDIN_FILENO };
- while(fd[0] == STDIN_FILENO ||
- fd[0] == STDOUT_FILENO ||
- fd[0] == STDERR_FILENO ||
- fd[1] == STDIN_FILENO ||
- fd[1] == STDOUT_FILENO ||
- fd[1] == STDERR_FILENO)
- if(pipe(fd) < 0)
- return; /* Out of handles. This isn't really a big problem now, but
- will be when we try to create a socket later. */
- close(fd[0]);
- close(fd[1]);
-#endif
+ int fd[2];
+ while((fcntl(STDIN_FILENO, F_GETFD) == -1) ||
+ (fcntl(STDOUT_FILENO, F_GETFD) == -1) ||
+ (fcntl(STDERR_FILENO, F_GETFD) == -1))
+ if(pipe(fd))
+ return 1;
+ return 0;
}
+#else
+#define main_checkfds() 0
+#endif
#ifdef CURLDEBUG
static void memory_tracking_init(void)
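Review bot: The `#else` branch at the end of this hunk turns `main_checkfds()` into a constant 0, so on any configuration where `HAVE_PIPE` or `HAVE_FCNTL` is not defined the stdin/stdout/stderr check silently disappears, whereas the removed code depended on `HAVE_PIPE` only. README-DEV says this package builds against a symlinked `curl_config.h`, so it is worth confirming that file defines `HAVE_FCNTL` as well as `HAVE_FCNTL_H`, which guards the `<fcntl.h>` include in the first hunk of this file; the two macros are independent, and `F_GETFD` may be undeclared if only the former is set. I would add a comment on the fallback such as `/* no pipe()/fcntl(): fds 0-2 are not verified on this platform */`. Separately, the loop treats every -1 from `fcntl()` as a closed descriptor; comparing `errno` with `EBADF` would make that assumption explicit, and the quoted phrase in the new comment is missing its closing quote.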
@@ -298,7 +302,10 @@ int main(int argc, char *argv[])
}
#endif
- main_checkfds();
+ if(main_checkfds()) {
+ fprintf(stderr, "curl: out of file descriptors\n");
+ return CURLE_FAILED_INIT;
+ }
#if defined(HAVE_SIGNAL) && defined(SIGPIPE)
(void)signal(SIGPIPE, SIG_IGN);
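Review bot: The message printed when `main_checkfds()` fails goes to `stderr`, which may be the very descriptor that was found closed, so the text can be lost and the `CURLE_FAILED_INIT` exit status is the only reliable signal. A short comment above the `fprintf` would record that, for example `/* stderr may be closed here; the exit status is what callers can rely on */`. The body of `main` starts and ends outside this hunk.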
@@ -323,11 +330,6 @@ int main(int argc, char *argv[])
fflush(NULL);
#endif
-#ifdef __NOVELL_LIBC__
- if(!getenv("_IN_NETWARE_BASH_"))
- tool_pressanykey();
-#endif
-
#ifdef __VMS
vms_special_exit(result, vms_show);
#else
diff --git a/curl/manifest b/curl/manifest
index 6eb235f..a6bce52 100644
--- a/curl/manifest
+++ b/curl/manifest
@@ -1,6 +1,6 @@
: 1
name: curl
-version: 7.84.0
+version: 7.87.0-a.0.z
priority: security
summary: Command line tool for transferring data with URLs
license: curl ; MIT/X derivate license.