[oe-commits] [openembedded-core] 19/24: curl: 7.54.1 -> 7.57.0
Martin Jansa
martin.jansa at gmail.com
Sat Jan 27 17:41:50 UTC 2018
It got removed from curl by this commit:
https://github.com/curl/curl/commit/d1da545a6881dbeafff86077f696f0dc22d3fc81
as mentioned in curl-7.57.0/CHANGES:
Daniel Stenberg (6 Sep 2017)
- configure: remove --enable-soname-bump and SONAME_BUMP
Back in 2008, (and commit 3f3d6ebe665f3) we changed the logic in how we
determine the native type for `curl_off_t`. To really make sure we
didn't break ABI without bumping SONAME, we introduced logic that
attempted to detect that it would use a different size and thus not be
compatible. We also provided a manual switch that allowed users to tell
configure to bump SONAME by force.
Today, we know of no one who ever got a SONAME bump auto-detected and we
don't know of anyone who's using the manual bump feature. The auto-
detection is also no longer working since we introduced defining
curl_off_t in system.h (7.55.0).
Finally, this bumping logic is not present in the cmake build.
Closes #1861
On Fri, Jan 26, 2018 at 10:11 PM, Martin Jansa <martin.jansa at gmail.com>
wrote:
> Be aware that this upgrade might change your libcurl5 to libcurl4
>
> With Yocto 1.7 Dizzy we used to have libcurl5, because of
> different SIZEOF_OFF_T value.
>
> Then in Yocto 1.8 Fido SIZEOF_OFF_T was changed in oe-core and curl
> started to use libcurl4 again automatically.
>
> Back then I've added simple workaround in our bbappend to keep libcurl5
> (until we can rebuild all prebuilt binaries from 3rd party vendors):
>
> # Force to use libcurl5 instead of libcurl4 (like we had with Yocto 1.7
> Dizzy)
> # The SONAME isn't bumped automatically since oe-core commit
> 49c848018484827c433e1bcf9c63416640456f3e
> # which changed SIZEOF_OFF_T to 8
> EXTRA_OECONF += "--enable-soname-bump"
>
> and it was working fine until this upgrade to 7.57.0. I haven't checked
> yet why enable-soname-bump stopped working (it's still recognized by
> configure script).
>
>
> On Fri, Jan 26, 2018 at 2:10 PM, <git at git.openembedded.org> wrote:
>
>> This is an automated email from the git hooks/post-receive script.
>>
>> rpurdie pushed a commit to branch master
>> in repository openembedded-core.
>>
>> commit 215d5677004537fc190b5381157ac8b94db6d7e8
>> Author: Huang Qiyu <huangqy.fnst at cn.fujitsu.com>
>> AuthorDate: Wed Jan 24 11:01:36 2018 +0800
>>
>> curl: 7.54.1 -> 7.57.0
>>
>> 1.Upgrade curl from 7.54.1 to 7.57.0.
>> 2.Delete CVE-2017-1000099.patch, CVE-2017-1000100.patch,
>> CVE-2017-1000101.patch, CVE-2017-1000254.patch, reproducible-mkhelp.patch,
>> since it is integrated upstream.
>> 3.Remove "do_install_append()" from curl_7.57.0.bb, since
>> curl/curlbuild.h has been removed.
>>
>> Signed-off-by: Huang Qiyu <huangqy.fnst at cn.fujitsu.com>
>> Signed-off-by: Ross Burton <ross.burton at intel.com>
>> ---
>> .../curl/curl/CVE-2017-1000099.patch | 41 ------
>> .../curl/curl/CVE-2017-1000100.patch | 51 --------
>> .../curl/curl/CVE-2017-1000101.patch | 99 ---------------
>> .../curl/curl/CVE-2017-1000254.patch | 138
>> ---------------------
>> .../curl/curl/reproducible-mkhelp.patch | 32 -----
>> .../curl/{curl_7.54.1.bb => curl_7.57.0.bb} | 14 +--
>> 6 files changed, 2 insertions(+), 373 deletions(-)
>>
>> diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000099.patch
>> b/meta/recipes-support/curl/curl/CVE-2017-1000099.patch
>> deleted file mode 100644
>> index 96ff1b0..0000000
>> --- a/meta/recipes-support/curl/curl/CVE-2017-1000099.patch
>> +++ /dev/null
>> @@ -1,41 +0,0 @@
>> -From c9332fa5e84f24da300b42b1a931ade929d3e27d Mon Sep 17 00:00:00 2001
>> -From: Even Rouault <even.rouault at spatialys.com>
>> -Date: Tue, 1 Aug 2017 17:17:06 +0200
>> -Subject: [PATCH] file: output the correct buffer to the user
>> -
>> -Regression brought by 7c312f84ea930d8 (April 2017)
>> -
>> -CVE: CVE-2017-1000099
>> -
>> -Bug: https://curl.haxx.se/docs/adv_20170809C.html
>> -
>> -Credit to OSS-Fuzz for the discovery
>> -
>> -Upstream-Status: Backport
>> -https://github.com/curl/curl/commit/c9332fa5e84f24da300b42b
>> 1a931ade929d3e27d
>> -
>> -Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
>> ----
>> - lib/file.c | 2 +-
>> - 1 file changed, 1 insertion(+), 1 deletion(-)
>> -
>> -diff --git a/lib/file.c b/lib/file.c
>> -index bd426eac2..666cbe75b 100644
>> ---- a/lib/file.c
>> -+++ b/lib/file.c
>> -@@ -499,11 +499,11 @@ static CURLcode file_do(struct connectdata *conn,
>> bool *done)
>> - Curl_month[tm->tm_mon],
>> - tm->tm_year + 1900,
>> - tm->tm_hour,
>> - tm->tm_min,
>> - tm->tm_sec);
>> -- result = Curl_client_write(conn, CLIENTWRITE_BOTH, buf, 0);
>> -+ result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0);
>> - if(!result)
>> - /* set the file size to make it available post transfer */
>> - Curl_pgrsSetDownloadSize(data, expected_size);
>> - return result;
>> - }
>> ---
>> -2.13.3
>> -
>> diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000100.patch
>> b/meta/recipes-support/curl/curl/CVE-2017-1000100.patch
>> deleted file mode 100644
>> index f74f1dd..0000000
>> --- a/meta/recipes-support/curl/curl/CVE-2017-1000100.patch
>> +++ /dev/null
>> @@ -1,51 +0,0 @@
>> -From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001
>> -From: Daniel Stenberg <daniel at haxx.se>
>> -Date: Tue, 1 Aug 2017 17:16:46 +0200
>> -Subject: [PATCH] tftp: reject file name lengths that don't fit
>> -
>> -... and thereby avoid telling send() to send off more bytes than the
>> -size of the buffer!
>> -
>> -CVE: CVE-2017-1000100
>> -
>> -Bug: https://curl.haxx.se/docs/adv_20170809B.html
>> -Reported-by: Even Rouault
>> -
>> -Credit to OSS-Fuzz for the discovery
>> -
>> -Upstream-Status: Backport
>> -https://github.com/curl/curl/commit/358b2b131ad6c095696f20d
>> cfa62b8305263f898
>> -
>> -Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
>> ----
>> - lib/tftp.c | 7 ++++++-
>> - 1 file changed, 6 insertions(+), 1 deletion(-)
>> -
>> -diff --git a/lib/tftp.c b/lib/tftp.c
>> -index 02bd842..f6f4bce 100644
>> ---- a/lib/tftp.c
>> -+++ b/lib/tftp.c
>> -@@ -5,7 +5,7 @@
>> - * | (__| |_| | _ <| |___
>> - * \___|\___/|_| \_\_____|
>> - *
>> -- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel at haxx.se>, et al.
>> -+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel at haxx.se>, et al.
>> - *
>> - * This software is licensed as described in the file COPYING, which
>> - * you should have received as part of this distribution. The terms
>> -@@ -491,6 +491,11 @@ static CURLcode tftp_send_first(tftp_state_data_t
>> *state, tftp_event_t event)
>> - if(result)
>> - return result;
>> -
>> -+ if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
>> -+ failf(data, "TFTP file name too long\n");
>> -+ return CURLE_TFTP_ILLEGAL; /* too long file name field */
>> -+ }
>> -+
>> - snprintf((char *)state->spacket.data+2,
>> - state->blksize,
>> - "%s%c%s%c", filename, '\0', mode, '\0');
>> ---
>> -1.7.9.5
>> -
>> diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000101.patch
>> b/meta/recipes-support/curl/curl/CVE-2017-1000101.patch
>> deleted file mode 100644
>> index c300fff..0000000
>> --- a/meta/recipes-support/curl/curl/CVE-2017-1000101.patch
>> +++ /dev/null
>> @@ -1,99 +0,0 @@
>> -From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001
>> -From: Daniel Stenberg <daniel at haxx.se>
>> -Date: Tue, 1 Aug 2017 17:16:07 +0200
>> -Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow
>> - range
>> -
>> -Added test 1289 to verify.
>> -
>> -CVE: CVE-2017-1000101
>> -
>> -Bug: https://curl.haxx.se/docs/adv_20170809A.html
>> -Reported-by: Brian Carpenter
>> -
>> -Upstream-Status: Backport
>> -https://github.com/curl/curl/commit/453e7a7a03a2cec749abd38
>> 78a48e728c515cca7
>> -
>> -Rebase the tests/data/Makefile.inc changes for curl 7.54.1.
>> -
>> -Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
>> ----
>> - src/tool_urlglob.c | 5 ++++-
>> - tests/data/Makefile.inc | 2 +-
>> - tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++
>> - 3 files changed, 40 insertions(+), 2 deletions(-)
>> - create mode 100644 tests/data/test1289
>> -
>> -diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
>> -index 6b1ece0..d56dcd9 100644
>> ---- a/src/tool_urlglob.c
>> -+++ b/src/tool_urlglob.c
>> -@@ -273,7 +273,10 @@ static CURLcode glob_range(URLGlob *glob, char
>> **patternp,
>> - }
>> - errno = 0;
>> - max_n = strtoul(pattern, &endp, 10);
>> -- if(errno || (*endp == ':')) {
>> -+ if(errno)
>> -+ /* overflow */
>> -+ endp = NULL;
>> -+ else if(*endp == ':') {
>> - pattern = endp+1;
>> - errno = 0;
>> - step_n = strtoul(pattern, &endp, 10);
>> -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
>> -index 155320a..7adbee6 100644
>> ---- a/tests/data/Makefile.inc
>> -+++ b/tests/data/Makefile.inc
>> -@@ -132,7 +132,7 @@ test1252 test1253 test1254 test1255 test1256
>> test1257 test1258 test1259 \
>> - test1260 test1261 test1262 \
>> - \
>> - test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287
>> \
>> --test1288 \
>> -+test1288 test1289 \
>> - \
>> - test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307
>> \
>> - test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315
>> \
>> -diff --git a/tests/data/test1289 b/tests/data/test1289
>> -new file mode 100644
>> -index 0000000..d679cc0
>> ---- /dev/null
>> -+++ b/tests/data/test1289
>> -@@ -0,0 +1,35 @@
>> -+<testcase>
>> -+<info>
>> -+<keywords>
>> -+HTTP
>> -+HTTP GET
>> -+globbing
>> -+</keywords>
>> -+</info>
>> -+
>> -+#
>> -+# Server-side
>> -+<reply>
>> -+</reply>
>> -+
>> -+# Client-side
>> -+<client>
>> -+<server>
>> -+http
>> -+</server>
>> -+<name>
>> -+globbing with overflow and bad syntxx
>> -+</name>
>> -+<command>
>> -+http://ur%20[0-60000000000000000000
>> -+</command>
>> -+</client>
>> -+
>> -+# Verify data after the test has been "shot"
>> -+<verify>
>> -+# curl: (3) [globbing] bad range in column
>> -+<errorcode>
>> -+3
>> -+</errorcode>
>> -+</verify>
>> -+</testcase>
>> ---
>> -2.11.0
>> -
>> diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
>> b/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
>> deleted file mode 100644
>> index 2b0798b..0000000
>> --- a/meta/recipes-support/curl/curl/CVE-2017-1000254.patch
>> +++ /dev/null
>> @@ -1,138 +0,0 @@
>> -From 1b2eba6f9745c064f7283e0ada8f46df9d9d6e42 Mon Sep 17 00:00:00 2001
>> -From: Li Zhou <li.zhou at windriver.com>
>> -Date: Mon, 23 Oct 2017 00:26:50 -0700
>> -Subject: [PATCH] FTP: zero terminate the entry path even on bad input
>> -
>> -... a single double quote could leave the entry path buffer without a
>> zero
>> -terminating byte. CVE-2017-1000254
>> -
>> -Test 1152 added to verify.
>> -
>> -Reported-by: Max Dymond
>> -Bug: https://curl.haxx.se/docs/adv_20171004.html
>> -
>> -Upstream-Status: Backport
>> -CVE: CVE-2017-1000254
>> -Signed-off-by: Li Zhou <li.zhou at windriver.com>
>> ----
>> - lib/ftp.c | 7 ++++--
>> - tests/data/Makefile.inc | 2 ++
>> - tests/data/test1152 | 61 ++++++++++++++++++++++++++++++
>> +++++++++++++++++++
>> - 3 files changed, 68 insertions(+), 2 deletions(-)
>> - create mode 100644 tests/data/test1152
>> -
>> -diff --git a/lib/ftp.c b/lib/ftp.c
>> -index 5edec37..493dbf9 100644
>> ---- a/lib/ftp.c
>> -+++ b/lib/ftp.c
>> -@@ -2826,6 +2826,7 @@ static CURLcode ftp_statemach_act(struct
>> connectdata *conn)
>> - const size_t buf_size = data->set.buffer_size;
>> - char *dir;
>> - char *store;
>> -+ bool entry_extracted = FALSE;
>> -
>> - dir = malloc(nread + 1);
>> - if(!dir)
>> -@@ -2857,7 +2858,7 @@ static CURLcode ftp_statemach_act(struct
>> connectdata *conn)
>> - }
>> - else {
>> - /* end of path */
>> -- *store = '\0'; /* zero terminate */
>> -+ entry_extracted = TRUE;
>> - break; /* get out of this loop */
>> - }
>> - }
>> -@@ -2866,7 +2867,9 @@ static CURLcode ftp_statemach_act(struct
>> connectdata *conn)
>> - store++;
>> - ptr++;
>> - }
>> --
>> -+ *store = '\0'; /* zero terminate */
>> -+ }
>> -+ if(entry_extracted) {
>> - /* If the path name does not look like an absolute path
>> (i.e.: it
>> - does not start with a '/'), we probably need some
>> server-dependent
>> - adjustments. For example, this is the case when connecting
>> to
>> -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
>> -index 7adbee6..5284654 100644
>> ---- a/tests/data/Makefile.inc
>> -+++ b/tests/data/Makefile.inc
>> -@@ -121,6 +121,8 @@ test1120 test1121 test1122 test1123 test1124
>> test1125 test1126 test1127 \
>> - test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135
>> \
>> - test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143
>> \
>> - test1144 test1145 test1146 \
>> -+test1152 \
>> -+\
>> - test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207
>> \
>> - test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215
>> \
>> - test1216 test1217 test1218 test1219 \
>> -diff --git a/tests/data/test1152 b/tests/data/test1152
>> -new file mode 100644
>> -index 0000000..aa8c0a7
>> ---- /dev/null
>> -+++ b/tests/data/test1152
>> -@@ -0,0 +1,61 @@
>> -+<testcase>
>> -+<info>
>> -+<keywords>
>> -+FTP
>> -+PASV
>> -+LIST
>> -+</keywords>
>> -+</info>
>> -+#
>> -+# Server-side
>> -+<reply>
>> -+<servercmd>
>> -+REPLY PWD 257 "just one
>> -+</servercmd>
>> -+
>> -+# When doing LIST, we get the default list output hard-coded in the test
>> -+# FTP server
>> -+<data mode="text">
>> -+total 20
>> -+drwxr-xr-x 8 98 98 512 Oct 22 13:06 .
>> -+drwxr-xr-x 8 98 98 512 Oct 22 13:06 ..
>> -+drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases
>> -+-r--r--r-- 1 0 1 35 Jul 16 1996 README
>> -+lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin
>> -+dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev
>> -+drwxrwxrwx 2 98 98 512 May 29 16:04 download.html
>> -+dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc
>> -+drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub
>> -+dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr
>> -+</data>
>> -+</reply>
>> -+
>> -+#
>> -+# Client-side
>> -+<client>
>> -+<server>
>> -+ftp
>> -+</server>
>> -+ <name>
>> -+FTP with uneven quote in PWD response
>> -+ </name>
>> -+ <command>
>> -+ftp://%HOSTIP:%FTPPORT/test-1152/
>> -+</command>
>> -+</client>
>> -+
>> -+#
>> -+# Verify data after the test has been "shot"
>> -+<verify>
>> -+<protocol>
>> -+USER anonymous
>> -+PASS ftp at example.com
>> -+PWD
>> -+CWD test-1152
>> -+EPSV
>> -+TYPE A
>> -+LIST
>> -+QUIT
>> -+</protocol>
>> -+</verify>
>> -+</testcase>
>> ---
>> -2.11.0
>> -
>> diff --git a/meta/recipes-support/curl/curl/reproducible-mkhelp.patch
>> b/meta/recipes-support/curl/curl/reproducible-mkhelp.patch
>> deleted file mode 100644
>> index 268bbeb..0000000
>> --- a/meta/recipes-support/curl/curl/reproducible-mkhelp.patch
>> +++ /dev/null
>> @@ -1,32 +0,0 @@
>> -From 1fe92fd3dd64c7228f6ff41e3fc16c4f2392471a Mon Sep 17 00:00:00 2001
>> -From: Juro Bystricky <juro.bystricky at intel.com>
>> -Date: Fri, 27 Oct 2017 08:28:25 -0700
>> -Subject: mkhelp.pl: support reproducible build
>> -
>> -Do not generate line with the current date, such as:
>> -
>> -* Generation time: Tue Oct-24 18:01:41 2017
>> -
>> -This will improve reproducibility. The generated string is only
>> -part of a comment, so there should be no adverse consequences.
>> -
>> -Upstream-Status: Submitted [ https://github.com/curl/curl/pull/2026 ]
>> -
>> -Signed-off-by: Juro Bystricky <juro.bystricky at intel.com>
>> -
>> -diff --git a/src/mkhelp.pl b/src/mkhelp.pl
>> -index 270daa2..757f024 100755
>> ---- a/src/mkhelp.pl
>> -+++ b/src/mkhelp.pl
>> -@@ -102,11 +102,9 @@ while(<READ>) {
>> - }
>> - close(READ);
>> -
>> --$now = localtime;
>> - print <<HEAD
>> - /*
>> - * NEVER EVER edit this manually, fix the mkhelp.pl script instead!
>> -- * Generation time: $now
>> - */
>> - #ifdef USE_MANUAL
>> - #include "tool_hugehelp.h"
>> diff --git a/meta/recipes-support/curl/curl_7.54.1.bb
>> b/meta/recipes-support/curl/curl_7.57.0.bb
>> similarity index 86%
>> rename from meta/recipes-support/curl/curl_7.54.1.bb
>> rename to meta/recipes-support/curl/curl_7.57.0.bb
>> index 58f0531..47e3d45 100644
>> --- a/meta/recipes-support/curl/curl_7.54.1.bb
>> +++ b/meta/recipes-support/curl/curl_7.57.0.bb
>> @@ -7,23 +7,16 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=8;md
>> 5=3a34942f4ae3fbf1a303160714e66
>>
>> SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
>> file://0001-replace-krb5-config-with-pkg-config.patch \
>> - file://CVE-2017-1000099.patch \
>> - file://CVE-2017-1000100.patch \
>> - file://CVE-2017-1000101.patch \
>> - file://CVE-2017-1000254.patch \
>> "
>>
>> -SRC_URI_append_class-target = " \
>> - file://reproducible-mkhelp.patch \
>> -"
>>
>> # curl likes to set -g0 in CFLAGS, so we stop it
>> # from mucking around with debug options
>> #
>> SRC_URI += " file://configure_ac.patch"
>>
>> -SRC_URI[md5sum] = "6b6eb722f512e7a24855ff084f54fe55"
>> -SRC_URI[sha256sum] = "fdfc4df2d001ee0c44ec071186e77
>> 0046249263c491fcae48df0e1a3ca8f25a0"
>> +SRC_URI[md5sum] = "dd3e22e923be17663e67f721c2aec054"
>> +SRC_URI[sha256sum] = "c92fe31a348eae079121b73884065
>> e600c533493eb50f1f6cee9c48a3f454826"
>>
>> CVE_PRODUCT = "libcurl"
>> inherit autotools pkgconfig binconfig multilib_header
>> @@ -64,9 +57,6 @@ EXTRA_OECONF = " \
>> --without-libpsl \
>> "
>>
>> -do_install_append() {
>> - oe_multilib_header curl/curlbuild.h
>> -}
>>
>> do_install_append_class-target() {
>> # cleanup buildpaths from curl-config
>>
>> --
>> To stop receiving notification emails like this one, please contact
>> the administrator of this repository.
>> --
>> _______________________________________________
>> Openembedded-commits mailing list
>> Openembedded-commits at lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-commits
>>
>
>
More information about the Openembedded-commits
mailing list