From 95c1e6db8f94b4ace8296812e08e99eb7733ad2f Mon Sep 17 00:00:00 2001
From: Karen Arutyunov
Date: Mon, 13 Feb 2023 15:19:29 +0300
Subject: Upgrade to 7.87.0

That in particular fixes CVE-2022-32221 CVE-2022-43552.
---
 README-DEV | 8 +++----
 curl/README-DEV | 6 +-----
 curl/curl/curl_ctype.c | 1 -
 curl/curl/tool_hugehelp.c | 28 ------------------------
 curl/curl/tool_main.c | 46 ++++++++++++++++++++-------------------
 curl/manifest | 2 +-
 libcurl/build/bootstrap.build | 8 +++----
 libcurl/libcurl/curl_config.h | 50 +++++++------------------------------------
 libcurl/manifest | 2 +-
 upstream | 2 +-
 10 files changed, 44 insertions(+), 109 deletions(-)
 delete mode 120000 curl/curl/curl_ctype.c
 delete mode 100644 curl/curl/tool_hugehelp.c

diff --git a/README-DEV b/README-DEV
index 7e21294..a92bafc 100644
--- a/README-DEV
+++ b/README-DEV
@@ -28,11 +28,11 @@ Debian and Fedora distributions. The configuration options defining these sets are specified in the Debian's rules and Fedora's RPM .spec files. These files can be obtained as follows:
-$ wget http://deb.debian.org/debian/pool/main/c/curl/curl_7.84.0-2.debian.tar.xz
-$ tar xf curl_7.84.0-2.debian.tar.xz debian/rules
+$wget http://deb.debian.org/debian/pool/main/c/curl/curl_7.87.0-2.debian.tar.xz
+$ tar xf curl_7.87.0-2.debian.tar.xz debian/rules
-$ wget https://kojipkgs.fedoraproject.org/packages/curl/7.84.0/2.fc37/src/curl-7.84.0-2.fc37.src.rpm
-$ rpm2cpio curl-7.84.0-2.fc37.src.rpm | cpio -civ '*.spec'
+$ wget https://kojipkgs.fedoraproject.org/packages/curl/7.87.0/1.fc38/src/curl-7.87.0-1.fc38.src.rpm
+$ rpm2cpio curl-7.87.0-1.fc38.src.rpm | cpio -civ '*.spec'
 As a side note, on Debian and Fedora the source, library, headers, and tools are packaged as follows:
diff --git a/curl/README-DEV b/curl/README-DEV
index df275f1..760e273 100644
--- a/curl/README-DEV
+++ b/curl/README-DEV
@@ -5,13 +5,9 @@ understanding will be useful when upgrading to a new upstream version. See
 Symlink the required upstream directories into curl/:
 $ ln -s ../../upstream/{src,lib} curl
-$ ln -s lib/{strtoofft,nonblock,warnless,curl_ctype,dynbuf,version_win32,curl_multibyte}.c curl
+$ ln -s lib/{strtoofft,nonblock,warnless,dynbuf,version_win32,curl_multibyte}.c curl
 $ ln -s ../../libcurl/libcurl/curl_config.h curl
-$ cp curl/src/tool_hugehelp.c.cvs curl/tool_hugehelp.c
-
-Edit tool_hugehelp.c to make hugehelp() be empty.
-
 Patch curl to use CA certificate bundle provided by the libca-certificates-curl package by default:
diff --git a/curl/curl/curl_ctype.c b/curl/curl/curl_ctype.c
deleted file mode 120000
index 23515cd..0000000
--- a/curl/curl/curl_ctype.c
+++ /dev/null
@@ -1 +0,0 @@
-lib/curl_ctype.c
\ No newline at end of file
diff --git a/curl/curl/tool_hugehelp.c b/curl/curl/tool_hugehelp.c
deleted file mode 100644
index 8d741f6..0000000
--- a/curl/curl/tool_hugehelp.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/***************************************************************************
- * _ _ ____ _
- * Project ___| | | | _ \| |
- * / __| | | | |_) | |
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
- * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
- * are also available at https://curl.se/docs/copyright.html.
- *
- * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- * copies of the Software, and permit persons to whom the Software is
- * furnished to do so, under the terms of the COPYING file.
- *
- * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- * KIND, either express or implied.
- *
- * SPDX-License-Identifier: curl
- *
- ***************************************************************************/
-
-#include "tool_setup.h"
-#include "tool_hugehelp.h"
-
-void hugehelp(void) {}
diff --git a/curl/curl/tool_main.c b/curl/curl/tool_main.c
index 15caf3c..9b8d498 100644
--- a/curl/curl/tool_main.c
+++ b/curl/curl/tool_main.c
@@ -33,6 +33,10 @@
 #include
 #endif
+#ifdef HAVE_FCNTL_H
+#include
+#endif
+
 #ifdef USE_NSS
 #include
 #include
@@ -50,7 +54,6 @@
 #include "tool_doswin.h"
 #include "tool_msgs.h"
 #include "tool_operate.h"
-#include "tool_panykey.h"
 #include "tool_vms.h"
 #include "tool_main.h"
 #include "tool_libinfo.h"
@@ -84,29 +87,30 @@ int _CRT_glob = 0;
 /* if we build a static library for unit tests, there is no main() function */
 #ifndef UNITTESTS
+#if defined(HAVE_PIPE) && defined(HAVE_FCNTL)
 /*
 * Ensure that file descriptors 0, 1 and 2 (stdin, stdout, stderr) are
 * open before starting to run. Otherwise, the first three network
 * sockets opened by curl could be used for input sources, downloaded data
 * or error logs as they will effectively be stdin, stdout and/or stderr.
+ *
+ * fcntl's F_GETFD instruction returns -1 if the file descriptor is closed,
+ * otherwise it returns "the file descriptor flags (which typically can only
+ * be FD_CLOEXEC, which is not set here).
 */
-static void main_checkfds(void)
+static int main_checkfds(void)
 {
-#ifdef HAVE_PIPE
- int fd[2] = { STDIN_FILENO, STDIN_FILENO };
- while(fd[0] == STDIN_FILENO ||
- fd[0] == STDOUT_FILENO ||
- fd[0] == STDERR_FILENO ||
- fd[1] == STDIN_FILENO ||
- fd[1] == STDOUT_FILENO ||
- fd[1] == STDERR_FILENO)
- if(pipe(fd) < 0)
- return; /* Out of handles. This isn't really a big problem now, but
- will be when we try to create a socket later. */
- close(fd[0]);
- close(fd[1]);
-#endif
+ int fd[2];
+ while((fcntl(STDIN_FILENO, F_GETFD) == -1) ||
+ (fcntl(STDOUT_FILENO, F_GETFD) == -1) ||
+ (fcntl(STDERR_FILENO, F_GETFD) == -1))
+ if(pipe(fd))
+ return 1;
+ return 0;
 }
+#else
+#define main_checkfds() 0
+#endif
 #ifdef CURLDEBUG
 static void memory_tracking_init(void)
@@ -298,7 +302,10 @@ int main(int argc, char *argv[])
 }
 #endif
- main_checkfds();
+ if(main_checkfds()) {
+ fprintf(stderr, "curl: out of file descriptors\n");
+ return CURLE_FAILED_INIT;
+ }
 #if defined(HAVE_SIGNAL) && defined(SIGPIPE)
 (void)signal(SIGPIPE, SIG_IGN);
@@ -323,11 +330,6 @@ int main(int argc, char *argv[])
 fflush(NULL);
 #endif
-#ifdef __NOVELL_LIBC__
- if(!getenv("_IN_NETWARE_BASH_"))
- tool_pressanykey();
-#endif
-
 #ifdef __VMS
 vms_special_exit(result, vms_show);
 #else
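Review bot: The rewritten `main_checkfds()` never closes the pipe end that does not land on fd 0, 1 or 2: when exactly one of stdin/stdout/stderr is closed, or when all three are, `pipe(fd)` hands back one descriptor that fills the gap and one above STDERR_FILENO that then stays open for the rest of the run, without FD_CLOEXEC as the new comment itself notes, whereas the old body closed both ends after probing. Bracing the loop body and adding `if(fd[0] > STDERR_FILENO) close(fd[0]);` and `if(fd[1] > STDERR_FILENO) close(fd[1]);` after the `pipe(fd)` check keeps the guard's intent without leaking a descriptor. The added comment also opens a quotation at `"the file descriptor flags` that is never closed; either close it or drop the quote. The `#ifndef UNITTESTS` region and `main()` continue outside the hunk.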
diff --git a/curl/manifest b/curl/manifest
index 6eb235f..a6bce52 100644
--- a/curl/manifest
+++ b/curl/manifest
@@ -1,6 +1,6 @@
 : 1
 name: curl
-version: 7.84.0
+version: 7.87.0-a.0.z
 priority: security
 summary: Command line tool for transferring data with URLs
 license: curl ; MIT/X derivate license.
diff --git a/libcurl/build/bootstrap.build b/libcurl/build/bootstrap.build
index 0675c6c..1d200dd 100644
--- a/libcurl/build/bootstrap.build
+++ b/libcurl/build/bootstrap.build
@@ -1,4 +1,4 @@
-# file : build/root.build
+# file : build/bootstrap.build
 # license : curl License; see accompanying COPYING file
 project = libcurl
@@ -17,14 +17,14 @@ using dist
 # https://curl.se/docs/versions.html
 #
 # The ABI version doesn't correlate with the release version and is assigned
-# via the libtool's -version-info :: option
-# (VERSIONINFO in lib/Makefile.am). As it follows from the comment in the
+# via the libtool's -version-info :: option (VERSION*
+# variables in lib/Makefile.soname). As it follows from the comment in the
 # makefile, the major version (current - age) is incremented for backwards-
 # incompatible ABI changes. See also:
 #
 # https://curl.se/libcurl/abi.html
 #
-if ($version.major == 7 && $version.minor == 84 && $version.patch == 0)
+if ($version.major == 7 && $version.minor == 87 && $version.patch == 0)
 {
 abi_version_major = 4
 abi_version = "$abi_version_major.8.0" # ..
diff --git a/libcurl/libcurl/curl_config.h b/libcurl/libcurl/curl_config.h
index 868a327..4d46e69 100644
--- a/libcurl/libcurl/curl_config.h
+++ b/libcurl/libcurl/curl_config.h
@@ -53,7 +53,6 @@
 /* Enabled features. */
 #define ENABLE_IPV6 1
-#define HAVE_ZLIB_H 1
 #define HAVE_LIBZ 1
 #undef CURL_DISABLE_COOKIES
@@ -99,8 +98,6 @@
 #undef HAVE_LDAP_URL_PARSE
 #undef USE_LIBSSH
 #undef USE_LIBSSH2
-#undef HAVE_LIBSSH2_H
-#undef HAVE_LIBSSH_LIBSSH_H
 #undef USE_AMISSL
 #undef USE_GNUTLS
 #undef USE_ARES
@@ -120,6 +117,7 @@
 #undef USE_RUSTLS
 #undef USE_WOLFSSH
 #undef USE_MSH3
+#undef USE_WEBSOCKETS
 /* Specific for (non-) Linux. */
@@ -177,6 +175,7 @@
 # define HAVE_POLL_H 1
 # define HAVE_PWD_H 1
 # define HAVE_ALARM 1
+# define HAVE_FCNTL 1
 # define HAVE_FCNTL_O_NONBLOCK 1
 # define HAVE_FNMATCH 1
 # define HAVE_GETEUID 1
@@ -225,9 +224,6 @@
 # define USE_WIN32_LARGE_FILES 1
 # define USE_WINDOWS_SSPI 1
-# define WANT_IDN_PROTOTYPES 1
-
-# define HAVE_PROCESS_H 1
 # define HAVE_CLOSESOCKET 1
 # define HAVE_IOCTLSOCKET_FIONBIO 1
 # define HAVE_IO_H 1
@@ -294,8 +290,6 @@
 # define HAVE_OPENSSL_SRP 1
 # define HAVE_FTRUNCATE 1
 # define HAVE_SCHED_YIELD 1
-
-# define TIME_WITH_SYS_TIME 1
 #else
 # define USE_THREADS_WIN32 1
 # undef USE_THREADS_POSIX
@@ -305,10 +299,8 @@
 /* Common for all supported OSes/compilers. */
-#define HAVE_ASSERT_H 1
 #define HAVE_STDBOOL_H 1
 #define HAVE_BOOL_T 1
-#define HAVE_ERRNO_H 1
 #define HAVE_FCNTL_H 1
 #define HAVE_WS2TCPIP_H 1
 #define HAVE_SIGNAL_H 1
@@ -317,7 +309,6 @@
 #define HAVE_GETADDRINFO 1
 #define HAVE_FREEADDRINFO 1
 #define HAVE_GETADDRINFO_THREADSAFE 1
-#define HAVE_GETHOSTBYNAME 1
 #define HAVE_GETHOSTNAME 1
 #define HAVE_GETPEERNAME 1
 #define HAVE_GETSOCKNAME 1
@@ -331,26 +322,12 @@
 #define HAVE_STRUCT_TIMEVAL 1
 #define HAVE_SYS_STAT_H 1
 #define HAVE_SYS_TYPES_H 1
-#define HAVE_TIME_H 1
 #define HAVE_UTIME 1
 #define HAVE_VARIADIC_MACROS_C99 1
 #define HAVE_STRICMP 1
-
-/* , _Atomic, atomic_*, etc
- *
- * @@ TMP Note that upstream's package version 7.84.0 fails to compile with
- * older versions of Clang with the 'unknown builtin' error (trying to
- * use __builtin_ia32_pause()). At the time of this writing this issue
- * is fixed but the fixed version is not released yet. When it is
- * released, drop the check and define HAVE_ATOMIC
- * unconditionally. Until then the curl_global_*() functions will be
- * thread-unsafe for Clang versions prior to 6.0 (as they are for
- * libcurl versions prior to 7.84.0).
- */
-#if !defined(__STDC_NO_ATOMICS__) && \
- (!defined(__clang__) || __clang_major__ >= 6)
-# define HAVE_ATOMIC 1
-#endif
+#define HAVE_SNPRINTF 1
+#define HAVE_STDATOMIC_H 1
+#define HAVE_ATOMIC 1
 #define STDC_HEADERS 1
@@ -365,7 +342,6 @@
 #undef HAVE_IDN2_H
 #undef HAVE_LIBIDN2
 #undef HAVE_BROTLI
-#undef HAVE_STRUCT_POLLFD
 #undef HAVE_DECL_GETPWUID_R_MISSING
 #undef HAVE_GETPASS_R
 #undef HAVE_GSSAPI
@@ -375,7 +351,6 @@
 #undef HAVE_PK11_CREATEMANAGEDGENERICOBJECT
 #undef HAVE_PROTO_BSDSOCKET_H
 #undef HAVE_RAND_EGD
-#undef HAVE_SETSOCKOPT_SO_NONBLOCK
 #undef HAVE_STRCMPI
 #undef HAVE_STROPTS_H
 #undef HAVE_TERMIO_H
@@ -393,18 +368,9 @@
 #undef HAVE_EXTRA_STRDUP_H
 #undef HAVE_EXTRA_STRICMP_H
 #undef HAVE_SSL_GET_SHUTDOWN
-#undef RECVFROM_TYPE_ARG6_IS_VOID
-
-#undef HAVE_RECVFROM
-#undef RECVFROM_TYPE_ARG1
-#undef RECVFROM_TYPE_ARG2
-#undef RECVFROM_TYPE_ARG3
-#undef RECVFROM_TYPE_ARG4
-#undef RECVFROM_TYPE_ARG5
-#undef RECVFROM_TYPE_ARG6
-#undef RECVFROM_TYPE_RETV
-
-#undef NEED_MEMORY_H
+#undef HAVE_IOCTLSOCKET_CAMEL
+#undef HAVE_WOLFSSL_FULL_BIO
+
 #undef NEED_REENTRANT
 #undef NEED_THREAD_SAFE
diff --git a/libcurl/manifest b/libcurl/manifest
index 3a34f66..2a90a25 100644
--- a/libcurl/manifest
+++ b/libcurl/manifest
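Review bot: `HAVE_STDATOMIC_H 1` and `HAVE_ATOMIC 1` are now defined unconditionally in the part of the header labelled common for all supported OSes/compilers, which includes the USE_THREADS_WIN32 side, while the removed block's `!defined(__STDC_NO_ATOMICS__)` test is dropped together with the Clang-specific workaround it documented. A compiler that predefines __STDC_NO_ATOMICS__ is then told a header it does not provide exists, which the previous guard avoided. Keeping only the standard part of the old condition, `#if !defined(__STDC_NO_ATOMICS__)` around the two atomic defines with a matching `#endif`, retains the intended removal of the Clang check while staying correct elsewhere. A one-line comment saying the pre-Clang-6.0 check was dropped on purpose with 7.87.0 would also save the next upgrader from re-deriving it.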
@@ -1,6 +1,6 @@
 : 1
 name: libcurl
-version: 7.84.0
+version: 7.87.0-a.0.z
 project: curl
 priority: security
 summary: C library for transferring data with URLs
diff --git a/upstream b/upstream
index 45ac4d0..c12fb3d 160000
--- a/upstream
+++ b/upstream
@@ -1 +1 @@
-Subproject commit 45ac4d019475df03562fe0ac54eb67e1d1de0ca7
+Subproject commit c12fb3ddaf48e709a7a4deaa55ec485e4df163ee
-- 
cgit v1.1