author | Patrick J Volkerding <volkerdi@slackware.com> | 2022-04-27 21:43:51 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2022-04-28 13:29:49 +0200 |
commit | cf5d75750640be00bf9d826189628a96ed17248c (patch) | |
tree | 96506a3841148bd122e784b6b524df0096236cbf /patches | |
parent | dfafa379401441229ad529bfa45564a368ef575a (diff) | |
download | current-cf5d75750640be00bf9d826189628a96ed17248c.tar.gz |
Wed Apr 27 21:43:51 UTC 202220220427214351_15.0
patches/packages/curl-7.83.0-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
OAUTH2 bearer bypass in connection re-use.
Credential leak on redirect.
Bad local IPv6 connection reuse.
Auth/cookie leak on redirect.
For more information, see:
https://curl.se/docs/CVE-2022-22576.html
https://curl.se/docs/CVE-2022-27774.html
https://curl.se/docs/CVE-2022-27775.html
https://curl.se/docs/CVE-2022-27776.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776
(* Security fix *)
Diffstat (limited to 'patches')
-rw-r--r-- | patches/packages/curl-7.83.0-x86_64-1_slack15.0.txt | 11 | ||||
-rwxr-xr-x | patches/source/curl/curl.SlackBuild | 158 | ||||
-rw-r--r-- | patches/source/curl/curl.url | 1 | ||||
-rw-r--r-- | patches/source/curl/slack-desc | 19 |
4 files changed, 189 insertions, 0 deletions
diff --git a/patches/packages/curl-7.83.0-x86_64-1_slack15.0.txt b/patches/packages/curl-7.83.0-x86_64-1_slack15.0.txt
new file mode 100644
index 00000000..54c4e875
--- /dev/null
+++ b/patches/packages/curl-7.83.0-x86_64-1_slack15.0.txt
@@ -0,0 +1,11 @@
+curl: curl (command line URL data transfer tool)
+curl:
+curl: Curl is a command line tool for transferring data specified with URL
+curl: syntax. The command is designed to work without user interaction or
+curl: any kind of interactivity. Curl offers a busload of useful tricks
+curl: like proxy support, user authentication, ftp upload, HTTP post, SSL
+curl: (https:) connections, cookies, file transfer resume and more.
+curl:
+curl: libcurl is a library that Curl uses to do its job. It is readily
+curl: available to be used by your software, too.
+curl:
diff --git a/patches/source/curl/curl.SlackBuild b/patches/source/curl/curl.SlackBuild
new file mode 100755
index 00000000..0e4f4063
--- /dev/null
+++ b/patches/source/curl/curl.SlackBuild
@@ -0,0 +1,158 @@
+#!/bin/bash
+
+# Copyright 2008, 2009, 2010, 2011, 2013, 2014, 2016, 2017, 2018, 2020, 2021 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+PKGNAM=curl
+VERSION=${VERSION:-$(echo curl-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-1_slack15.0}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i586 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+ exit 0
+fi
+
+NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
+
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-curl
+
+# Set this variable to "--without-ssl" to build a no-SSL version:
+SSLOPT=${SSLOPT:-"--with-openssl"}
+
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+rm -rf $PKG
+mkdir -p $PKG
+cd $TMP
+rm -rf curl-$VERSION
+tar xvf $CWD/curl-$VERSION.tar.xz || exit 1
+cd curl-$VERSION || exit 1
+
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \+ -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \+
+
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --mandir=/usr/man \
+ --with-libssh2 \
+ --with-gssapi \
+ --enable-ares \
+ --enable-static=no \
+ --without-ca-bundle \
+ --with-ca-path=/etc/ssl/certs \
+ $SSLOPT || exit 1
+
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+
+# Don't ship .la files:
+rm -f $PKG/{,usr/}lib${LIBDIRSUFFIX}/*.la
+
+# We have always installed the man3 documentation, so we'll keep doing it
+# even though these are no longer installed by default. No || exit 1, if
+# it works, it works, and if it doesn't, we tried.
+( cd docs/libcurl
+ make install-man3 DESTDIR=$PKG
+ cd opts
+ make install-man3 DESTDIR=$PKG
+)
+
+# We don't ship the related perl script (yet):
+rm -f $PKG/usr/man/man1/mk-ca-bundle.1
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+strip -g $PKG/usr/lib${LIBDIRSUFFIX}/libcurl.a
+
+mkdir -p $PKG/usr/doc/curl-$VERSION
+cp -a \
+ COPYING* README* UPGRADE \
+ $PKG/usr/doc/curl-$VERSION
+( cd docs
+ cp -a \
+ BUGS CONTRIBUTE FAQ FEATURES INSTALL INTERNALS MANUAL README* RESOURCES THANKS TODO examples \
+ $PKG/usr/doc/curl-$VERSION )
+# Get rid of .deps cruft:
+rm -rf $PKG/usr/doc/curl-$VERSION/examples/.deps
+
+# If there's a CHANGES file, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r CHANGES ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION)
+ cat CHANGES | head -n 1000 > $DOCSDIR/ChangeLog
+ touch -r CHANGES $DOCSDIR/ChangeLog
+fi
+
+# Compress and if needed symlink the man pages:
+if [ -d $PKG/usr/man ]; then
+ ( cd $PKG/usr/man
+ for manpagedir in $(find . -type d -name "man*") ; do
+ ( cd $manpagedir
+ for eachpage in $( find . -type l -maxdepth 1) ; do
+ ln -s $( readlink $eachpage ).gz $eachpage.gz
+ rm $eachpage
+ done
+ gzip -9 *.?
+ )
+ done
+ )
+fi
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/curl-$VERSION-$ARCH-$BUILD.txz
+
diff --git a/patches/source/curl/curl.url b/patches/source/curl/curl.url
new file mode 100644
index 00000000..bea0d39b
--- /dev/null
+++ b/patches/source/curl/curl.url
@@ -0,0 +1 @@
+https://curl.haxx.se/download
diff --git a/patches/source/curl/slack-desc b/patches/source/curl/slack-desc
new file mode 100644
index 00000000..27c6abb7
--- /dev/null
+++ b/patches/source/curl/slack-desc
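Review bot: The staging steps `rm -rf $PKG`, `mkdir -p $PKG`, `cd $TMP` and `rm -rf curl-$VERSION` in curl.SlackBuild are unquoted and unchecked, while the later `chown -R root:root .` suggests the script runs as root with `$TMP` defaulting to the world-writable `/tmp`. If `cd $TMP` fails, the `rm -rf` and the tar extraction run in the previous directory, and because `mkdir -p` succeeds on a directory that already exists, a `package-curl` directory recreated by another local user after the `rm` would be accepted as the package root. I would write `rm -rf "$PKG"`, `mkdir -p "$TMP" && mkdir "$PKG" || exit 1` and `cd "$TMP" || exit 1`, so the build stops rather than packaging from a directory it did not create. The unchecked `cd $PKG` before `/sbin/makepkg` at the end of the script deserves the same `|| exit 1`.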
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+curl: curl (command line URL data transfer tool)
+curl:
+curl: Curl is a command line tool for transferring data specified with URL
+curl: syntax. The command is designed to work without user interaction or
+curl: any kind of interactivity. Curl offers a busload of useful tricks
+curl: like proxy support, user authentication, ftp upload, HTTP post, SSL
+curl: (https:) connections, cookies, file transfer resume and more.
+curl:
+curl: libcurl is a library that Curl uses to do its job. It is readily
+curl: available to be used by your software, too.
+curl: |