curl: upgrade to 7.88.1 (#5053)

Co-authored-by: Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com>
2023-03-10 09:21:47 -08:00 · 2023-03-10 09:21:47 -08:00 · fc9a7a6e92
parent d79838a794
commit fc9a7a6e92
9 changed files with 23 additions and 150 deletions
--- a/SPECS/curl/CVE-2022-43551.patch
+++ b/SPECS/curl/CVE-2022-43551.patch
@ -1,34 +0,0 @@
-From 760fa138c776df94cd5d0f836cb07a284fd9ac25 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 21 Nov 2022 11:19:54 +0100
-Subject: [PATCH] http: use the IDN decoded name in HSTS checks
-
-Otherwise it stores the info HSTS into the persistent cache for the IDN
-name which will not match when the HSTS status is later checked for
-using the decoded name.
-
-Reported-by: Hiroki Kurosawa
---
- lib/http.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index 85528a221..a784745a8 100644
--- a/lib/http.c
-+++ b/lib/http.c
-@@ -3644,11 +3644,11 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
- #else
-            0
- #endif
-             )) {
-     CURLcode check =
-      Curl_hsts_parse(data->hsts, data->state.up.hostname,
-+      Curl_hsts_parse(data->hsts, conn->host.name,
-                       headp + strlen("Strict-Transport-Security:"));
-     if(check)
-       infof(data, "Illegal STS header skipped");
- #ifdef DEBUGBUILD
-     else
-- 
-2.38.1
-
--- a/SPECS/curl/CVE-2022-43552.patch
+++ b/SPECS/curl/CVE-2022-43552.patch
@ -1,94 +0,0 @@
-From f3b4c5edf97c157a8ad3727827d1ac94062cfff8 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 7 Nov 2022 17:09:48 +0100
-Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
-
-It is managed by the generic layer.
---
- lib/smb.c    | 14 ++------------
- lib/telnet.c |  3 ---
- 2 files changed, 2 insertions(+), 15 deletions(-)
-
-diff --git a/lib/smb.c b/lib/smb.c
-index 2cfe041df..48d5a2fe0 100644
--- a/lib/smb.c
-+++ b/lib/smb.c
-@@ -56,12 +56,10 @@ static CURLcode smb_setup_connection(struct Curl_easy *data,
-                                      struct connectdata *conn);
- static CURLcode smb_connect(struct Curl_easy *data, bool *done);
- static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
- static CURLcode smb_do(struct Curl_easy *data, bool *done);
- static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
-                         bool premature);
- static CURLcode smb_disconnect(struct Curl_easy *data,
-                                struct connectdata *conn, bool dead);
- static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
-                        curl_socket_t *socks);
- static CURLcode smb_parse_url_path(struct Curl_easy *data,
-@@ -72,11 +70,11 @@ static CURLcode smb_parse_url_path(struct Curl_easy *data,
-  */
- const struct Curl_handler Curl_handler_smb = {
-   "SMB",                                /* scheme */
-   smb_setup_connection,                 /* setup_connection */
-   smb_do,                               /* do_it */
-  smb_done,                             /* done */
-+  ZERO_NULL,                            /* done */
-   ZERO_NULL,                            /* do_more */
-   smb_connect,                          /* connect_it */
-   smb_connection_state,                 /* connecting */
-   smb_request_state,                    /* doing */
-   smb_getsock,                          /* proto_getsock */
-@@ -99,11 +97,11 @@ const struct Curl_handler Curl_handler_smb = {
-  */
- const struct Curl_handler Curl_handler_smbs = {
-   "SMBS",                               /* scheme */
-   smb_setup_connection,                 /* setup_connection */
-   smb_do,                               /* do_it */
-  smb_done,                             /* done */
-+  ZERO_NULL,                            /* done */
-   ZERO_NULL,                            /* do_more */
-   smb_connect,                          /* connect_it */
-   smb_connection_state,                 /* connecting */
-   smb_request_state,                    /* doing */
-   smb_getsock,                          /* proto_getsock */
-@@ -934,18 +932,10 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
-   request_state(data, next_state);
- 
-   return CURLE_OK;
- }
- 
-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
-                         bool premature)
-{
-  (void) premature;
-  Curl_safefree(data->req.p.smb);
-  return status;
-}
-
- static CURLcode smb_disconnect(struct Curl_easy *data,
-                                struct connectdata *conn, bool dead)
- {
-   struct smb_conn *smbc = &conn->proto.smbc;
-   (void) dead;
-diff --git a/lib/telnet.c b/lib/telnet.c
-index 24d3f1efb..22bc81e75 100644
--- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -1246,13 +1246,10 @@ static CURLcode telnet_done(struct Curl_easy *data,
-   if(!tn)
-     return CURLE_OK;
- 
-   curl_slist_free_all(tn->telnet_vars);
-   tn->telnet_vars = NULL;
-
-  Curl_safefree(data->req.p.telnet);
-
-   return CURLE_OK;
- }
- 
- static CURLcode telnet_do(struct Curl_easy *data, bool *done)
- {
-- 
-2.38.1
-
--- a/SPECS/curl/curl.signatures.json
+++ b/SPECS/curl/curl.signatures.json
@ -1,5 +1,5 @@
 {
  "Signatures": {
-    "curl-7.86.0.tar.gz": "3dfdd39ba95e18847965cd3051ea6d22586609d9011d91df7bc5521288987a82"
+    "curl-7.88.1.tar.gz": "cdb38b72e36bc5d33d5b8810f8018ece1baa29a8f215b4495e495ded82bbf3c7"
  }
 }
--- a/SPECS/curl/curl.spec
+++ b/SPECS/curl/curl.spec
@ -1,16 +1,13 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
-Version:        7.86.0
-Release:        3%{?dist}
+Version:        7.88.1
+Release:        1%{?dist}
 License:        curl
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/NetworkingLibraries
 URL:            https://curl.haxx.se
 Source0:        https://curl.haxx.se/download/%{name}-%{version}.tar.gz
-# CVE-2022-43551 and CVE-2022-43552 will be resolved by version 7.87.0
-Patch0:         CVE-2022-43551.patch
-Patch1:         CVE-2022-43552.patch
 BuildRequires:  krb5-devel
 BuildRequires:  libssh2-devel
 BuildRequires:  nghttp2-devel
@ -88,6 +85,10 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.*

 %changelog
+* Thu Mar 09 2023 Nan Liu <liunan@microsoft.com> - 7.88.1-1
+- Upgrade to version 7.88.1 to fix CVE-2023-23914, CVE-2023-23915, CVE-2023-23916
+- Removing old patches that are fixed in version 7.87.0
+
 * Tue Jan 10 2023 Olivia Crain <oliviacrain@microsoft.com> - 7.86.0-3
 - Build with HTTP/2 support
 - Remove comment about metalink- no longer supported
--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -2357,8 +2357,8 @@
        "type": "other",
        "other": {
          "name": "curl",
-          "version": "7.86.0",
-          "downloadUrl": "https://curl.haxx.se/download/curl-7.86.0.tar.gz"
+          "version": "7.88.1",
+          "downloadUrl": "https://curl.haxx.se/download/curl-7.88.1.tar.gz"
        }
      }
    },
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -190,9 +190,9 @@ libssh2-1.9.0-2.cm2.aarch64.rpm
 libssh2-devel-1.9.0-2.cm2.aarch64.rpm
 krb5-1.19.4-1.cm2.aarch64.rpm
 nghttp2-1.46.0-2.cm2.aarch64.rpm
-curl-7.86.0-3.cm2.aarch64.rpm
-curl-devel-7.86.0-3.cm2.aarch64.rpm
-curl-libs-7.86.0-3.cm2.aarch64.rpm
+curl-7.88.1-1.cm2.aarch64.rpm
+curl-devel-7.88.1-1.cm2.aarch64.rpm
+curl-libs-7.88.1-1.cm2.aarch64.rpm
 tdnf-3.2.2-4.cm2.aarch64.rpm
 tdnf-cli-libs-3.2.2-4.cm2.aarch64.rpm
 tdnf-devel-3.2.2-4.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -190,9 +190,9 @@ libssh2-1.9.0-2.cm2.x86_64.rpm
 libssh2-devel-1.9.0-2.cm2.x86_64.rpm
 krb5-1.19.4-1.cm2.x86_64.rpm
 nghttp2-1.46.0-2.cm2.x86_64.rpm
-curl-7.86.0-3.cm2.x86_64.rpm
-curl-devel-7.86.0-3.cm2.x86_64.rpm
-curl-libs-7.86.0-3.cm2.x86_64.rpm
+curl-7.88.1-1.cm2.x86_64.rpm
+curl-devel-7.88.1-1.cm2.x86_64.rpm
+curl-libs-7.88.1-1.cm2.x86_64.rpm
 tdnf-3.2.2-4.cm2.x86_64.rpm
 tdnf-cli-libs-3.2.2-4.cm2.x86_64.rpm
 tdnf-devel-3.2.2-4.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -46,10 +46,10 @@ cracklib-lang-2.9.7-5.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-debuginfo-0.17.5-1.cm2.aarch64.rpm
 createrepo_c-devel-0.17.5-1.cm2.aarch64.rpm
-curl-7.86.0-3.cm2.aarch64.rpm
-curl-debuginfo-7.86.0-3.cm2.aarch64.rpm
-curl-devel-7.86.0-3.cm2.aarch64.rpm
-curl-libs-7.86.0-3.cm2.aarch64.rpm
+curl-7.88.1-1.cm2.aarch64.rpm
+curl-debuginfo-7.88.1-1.cm2.aarch64.rpm
+curl-devel-7.88.1-1.cm2.aarch64.rpm
+curl-libs-7.88.1-1.cm2.aarch64.rpm
 Cython-debuginfo-0.29.33-1.cm2.aarch64.rpm
 debugedit-5.0-1.cm2.aarch64.rpm
 debugedit-debuginfo-5.0-1.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -46,10 +46,10 @@ cracklib-lang-2.9.7-5.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
 createrepo_c-debuginfo-0.17.5-1.cm2.x86_64.rpm
 createrepo_c-devel-0.17.5-1.cm2.x86_64.rpm
-curl-7.86.0-3.cm2.x86_64.rpm
-curl-debuginfo-7.86.0-3.cm2.x86_64.rpm
-curl-devel-7.86.0-3.cm2.x86_64.rpm
-curl-libs-7.86.0-3.cm2.x86_64.rpm
+curl-7.88.1-1.cm2.x86_64.rpm
+curl-debuginfo-7.88.1-1.cm2.x86_64.rpm
+curl-devel-7.88.1-1.cm2.x86_64.rpm
+curl-libs-7.88.1-1.cm2.x86_64.rpm
 Cython-debuginfo-0.29.33-1.cm2.x86_64.rpm
 debugedit-5.0-1.cm2.x86_64.rpm
 debugedit-debuginfo-5.0-1.cm2.x86_64.rpm