File curl.spec of Package curl.26475

#
# spec file for package curl
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


# Build-time feature switches. A "bcond_without X" switch is ON unless the
# build passes --without X; a "bcond_with X" switch is OFF unless the build
# passes --with X. Defaults here: TLS through OpenSSL, no NSS, test suite run.
# The configure call only looks at the NSS switch when OpenSSL is switched off.
%bcond_without openssl
%bcond_with mozilla_nss
%bcond_without testsuite

Name:           curl
# Upstream base release. NOTE(review): this tag stays at the base version
# while fixes arrive as backport patches, so a check that looks at the version
# string alone can misjudge the package; the patch list below is the record
# of what has been fixed.
Version:        7.37.0
Release:        0
Summary:        A Tool for Transferring Data from URLs
License:        BSD-3-Clause AND MIT
Group:          Productivity/Networking/Web/Utilities
URL:            http://curl.haxx.se/
# NOTE(review): the tarball and signature URLs are plain http, so the transfer
# itself gives no integrity guarantee. Integrity rests on checking the
# detached signature (Source2), presumably against the packaged keyring
# (Source4), and the prep section only does that when VERIFY_SIG is defined.
Source:         http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
Source2:        http://curl.haxx.se/download/%{name}-%{version}.tar.lzma.asc
Source3:        baselibs.conf
Source4:        %{name}.keyring
# Patch stack on top of the upstream base tarball. Most entries are CVE
# backports named after the CVE they address; the prep section applies them
# in ascending number. Numbers 2, 4, 5, 30, 31 and 34-39 are not used.
Patch:          libcurl-ocloexec.patch
Patch1:         dont-mess-with-rpmoptflags.diff
Patch3:         curl-secure-getenv.patch
# NOTE(review): going by their names, Patch6, Patch47 and Patch59 change the
# default TLS cipher selection - confirm the resulting defaults in the patches.
Patch6:         curl-DEFAULT_CIPHER_SELECTION.patch
Patch7:         curl-CVE-2014-3613.patch
Patch8:         curl-CVE-2014-3620.patch
Patch9:         curl-CVE-2014-8150.patch
Patch10:        curl-CVE-2014-3707.patch
# NOTE(review): by its name this relaxes a FIPS-mode restriction on MD4/MD5;
# confirm in the patch which code paths it applies to.
Patch11:        curl-allow_md4_and_md5_in_fips_mode.patch
Patch12:        curl-CVE-2015-3143.patch
Patch13:        curl-CVE-2015-3144.patch
Patch14:        curl-CVE-2015-3145.patch
Patch15:        curl-CVE-2015-3148.patch
Patch16:        curl-CVE-2015-3153.patch
Patch17:        0001-test46-update-cookie-expire-time.patch
Patch18:        curl-CVE-2016-0755.patch
# NOTE(review): presumably switches off tests in the regression suite; every
# test disabled here is one less check on the backports - confirm which ones.
Patch19:        curl-disable_failing_tests.patch
# PATCH-FIX-UPSTREAM fix-return-status-in-Curl_is_connected.patch -- Fixes error handling in Curl_is_connected by backporting some code from upstream
Patch20:        fix-return-status-in-Curl_is_connected.patch
# PATCH-FIX-UPSTREAM 0001-Fix-invalid-Network-is-unreachable-errors.patch -- Fixes "network is unreachable" errors in valid situations when ipv6 is not working but ipv4 is
Patch21:        0001-Fix-invalid-Network-is-unreachable-errors.patch
Patch22:        curl-CVE-2016-5419.patch
Patch23:        curl-CVE-2016-5420.patch
Patch24:        curl-CVE-2016-5421.patch
Patch25:        curl-bsc991746.patch
# Project cURL Security Advisory, November 2, 2016
Patch26:        curl-CVE-2016-8615.patch
Patch27:        curl-CVE-2016-8617.patch
Patch28:        curl-CVE-2016-8618.patch
Patch29:        curl-CVE-2016-8619.patch
Patch32:        curl-CVE-2016-8616.patch
Patch33:        curl-CVE-2016-7167.patch
Patch40:        curl-CVE-2016-8620.patch
Patch41:        curl-CVE-2016-8621.patch
Patch42:        curl-CVE-2016-8622.patch
Patch43:        curl-CVE-2016-8623.patch
Patch44:        curl-CVE-2016-8624.patch
# PATCH-FIX-UPSTREAM Bug 1015332
Patch45:        curl-7.37-CVE-2016-9586.patch
# PATCH-FIX-UPSTREAM Bug 1032309
Patch46:        curl-7.37-CVE-2017-7407.patch
# PATCH-FIX-SUSE Bug 1027712
Patch47:        curl-DEFAULT_SUSE_SELECTION.patch
# PATCH-FIX-UPSTREAM bsc#1051644 VUL-0: CVE-2017-1000100 - TFTP sends more than buffer size
Patch48:        curl-7.37.0-CVE-2017-1000100.patch
# PATCH-FIX-UPSTREAM bsc#1051643 VUL-0: CVE-2017-1000101 - URL globbing out of bounds read
Patch49:        curl-CVE-2017-1000101.patch
# PATCH-FIX-UPSTREAM bsc#1061876 VUL-0: CVE-2017-1000254 - FTP PWD response parser out of bounds read
Patch50:        curl-7.37-CVE-2017-1000254.patch
# PATCH-FIX-UPSTREAM bsc#1060653 "error:1408F10B:SSL routines" when connecting to ftps via proxy
Patch51:        curl-7.37.0-connect-ftps-via-proxy.patch
# PATCH-FIX-UPSTREAM bsc#1063824 VUL-0: CVE-2017-1000257 - IMAP FETCH response out of bounds read
Patch52:        curl-CVE-2017-1000257.patch
# PATCH-FIX-UPSTREAM bsc#1069226 VUL-0: CVE-2017-8816 NTLM buffer overflow via integer overflow
Patch53:        curl-7.37.0-CVE-2017-8816.patch
# PATCH-FIX-UPSTREAM bsc#1069222 VUL-0: CVE-2017-8817 FTP wildcard out of bounds read
Patch54:        curl-7.37.0-CVE-2017-8817.patch
# PATCH-FIX-UPSTREAM bsc#1077001 VUL-0: CVE-2018-1000007 HTTP authentication leak in redirects
Patch55:        curl-7.37.0-CVE-2018-1000007.patch
# PATCH-FIX-UPSTREAM bsc#1084521 CVE-2018-1000120 VUL-1: FTP path trickery leads to NIL byte out of bounds write
Patch56:        curl-7.37.0-CVE-2018-1000120.patch
# PATCH-FIX-UPSTREAM bsc#1084524 CVE-2018-1000121 VUL-1: LDAP NULL pointer dereference
Patch57:        curl-7.37.0-CVE-2018-1000121.patch
# PATCH-FIX-UPSTREAM bsc#1084532 CVE-2018-1000122 VUL-0: RTSP RTP buffer over-read
Patch58:        curl-7.37.0-CVE-2018-1000122.patch
# PATCH-FIX-SUSE bsc#1086825 curl-HIGH-cipher-fallback.patch
Patch59:        curl-HIGH-cipher-fallback.patch
# PATCH-FIX-UPSTREAM bsc#1092098 CVE-2018-1000301 curl-CVE-2018-1000301.patch
Patch60:        curl-CVE-2018-1000301.patch
# PATCH-FIX-UPSTREAM bsc#1089533 curl-openssl-skip-trace-outputs.patch
Patch61:        curl-openssl-skip-trace-outputs.patch
# PATCH-FIX-UPSTREAM bsc#1106019 CVE-2018-14618 - NTLM password overflow via integer overflow
Patch62:        curl-7.37.0-CVE-2018-14618.patch
# PATCH-FIX-UPSTREAM bsc#1112758 CVE-2018-16840 use-after-free in handle close
Patch63:        curl-CVE-2018-16840.patch
# PATCH-FIX-UPSTREAM bsc#1113660 CVE-2018-16842 Out-of-bounds Read
Patch64:        curl-7.37.0-CVE-2018-16842.patch
# PATCH-FIX-UPSTREAM bsc#1123371 CVE-2018-16890 NTLM type-2 out-of-bounds buffer read
Patch65:        curl-CVE-2018-16890.patch
# PATCH-FIX-UPSTREAM bsc#1123377 CVE-2019-3822 NTLMv2 type-3 header stack buffer overflow
Patch66:        curl-CVE-2019-3822.patch
# PATCH-FIX-UPSTREAM bsc#1123378 CVE-2019-3823 SMTP end-of-response out-of-bounds read
Patch67:        curl-CVE-2019-3823.patch
# PATCH-FIX-UPSTREAM bsc#1112758 CVE-2018-16839 SASL password overflow via integer overflow
Patch68:        curl-CVE-2018-16839.patch
# PATCH-FIX-UPSTREAM bsc#1135170 CVE-2019-5436 heap buffer overflow in tftp_receive_packet
Patch69:        curl-CVE-2019-5436.patch
# PATCH-FIX-UPSTREAM bsc#1149496 CVE-2019-5482 TFTP small blocksize heap buffer overflow
Patch70:        curl-CVE-2019-5482.patch
# PATCH-FIX-UPSTREAM bsc#1173027 CVE-2020-8177 Curl overwrites local files when using -J with -i
Patch71:        curl-CVE-2020-8177.patch
# PATCH-FIX-UPSTREAM bsc#1175109 CVE-2020-8231 Wrong connect-only connection
Patch72:        curl-CVE-2020-8231.patch
# PATCH-FIX-UPSTREAM bsc#1179398 CVE-2020-8284 Trusting FTP PASV responses
Patch73:        curl-CVE-2020-8284.patch
# PATCH-FIX-UPSTREAM bsc#1179399 CVE-2020-8285 FTP wildcard stack overflow
Patch74:        curl-CVE-2020-8285.patch
# PATCH-FIX-UPSTREAM bsc#1183933 CVE-2021-22876 Automatic referer leaks credentials
# (going by the file names, Patch75 and Patch76 both belong to this fix)
Patch75:        curl-CVE-2021-22876-URL-API.patch
Patch76:        curl-CVE-2021-22876.patch
# PATCH-FIX-UPSTREAM bsc#1186114 CVE-2021-22898 TELNET stack contents disclosure
Patch77:        curl-CVE-2021-22898.patch
# PATCH-FIX-UPSTREAM bsc#1188219 CVE-2021-22924 Bad connection reuse due to flawed path name checks
Patch78:        curl-CVE-2021-22924.patch
# PATCH-FIX-UPSTREAM bsc#1188220 CVE-2021-22925 TELNET stack contents disclosure again
Patch79:        curl-CVE-2021-22925.patch
# PATCH-FIX-UPSTREAM bsc#1190373 CVE-2021-22946 Protocol downgrade required TLS bypassed
Patch80:        curl-CVE-2021-22946.patch
# PATCH-FIX-UPSTREAM bsc#1190374 CVE-2021-22947 STARTTLS protocol injection via MITM
Patch81:        curl-CVE-2021-22947.patch
# PATCH-FIX-UPSTREAM [bsc#1198614, CVE-2022-22576] - OAUTH2 bearer bypass in connection re-use
Patch82:        curl-CVE-2022-22576.patch
# PATCH-FIX-UPSTREAM [bsc#1198766, CVE-2022-27776] - Auth/cookie leak on redirect
# (going by the file names, Patch83 and Patch84 both belong to this fix)
Patch83:        curl-CVE-2022-27776-strcasecompare.patch
Patch84:        curl-CVE-2022-27776.patch
# [bsc#1199223, CVE-2022-27781] - CERTINFO never-ending busy-loop
Patch85:        curl-CVE-2022-27781.patch
# [bsc#1199224, CVE-2022-27782] - TLS and SSH connection too eager reuse
Patch86:        curl-CVE-2022-27782.patch
# [bsc#1200737, CVE-2022-32208] - FTP-KRB bad message verification
Patch87:        curl-CVE-2022-32208.patch
# PATCH-FIX-UPSTREAM bsc#1202593 CVE-2022-35252 Reject cookies with control bytes
Patch88:        curl-CVE-2022-35252.patch
# PATCH-FIX-UPSTREAM bsc#1204383 CVE-2022-32221 POST following PUT confusion
Patch89:        curl-CVE-2022-32221.patch
# Signature verification of the source tarball is opt-in.
# Use rpmbuild -D 'VERIFY_SIG 1' to verify signature during build or run one-shot check by "gpg-offline --verify --package=curl curl-*.asc".
# Without that define, gpg-offline is not pulled in and the prep section
# skips the signature check.
%if 0%{?VERIFY_SIG}
BuildRequires:  gpg-offline
%endif
# Build-time dependencies. lzma is presumably needed to unpack the .tar.lzma
# source; the TLS library follows the openssl / mozilla_nss switches above.
BuildRequires:  libidn-devel
BuildRequires:  libtool
BuildRequires:  lzma
BuildRequires:  openldap2-devel
BuildRequires:  pkg-config
BuildRequires:  zlib-devel
%if %{with openssl}
BuildRequires:  openssl-devel
%endif
%if %{with mozilla_nss}
BuildRequires:  mozilla-nss-devel
%endif
BuildRequires:  krb5-mini-devel
BuildRequires:  libssh2-devel
#BuildRequires:  openssh
# stunnel is only pulled in when the build defines _with_stunnel.
# NOTE(review): without it the test suite presumably cannot run its
# TLS-wrapped test servers, so those tests would not be exercised - confirm.
%if 0%{?_with_stunnel:1}
# used by the testsuite
BuildRequires:  stunnel
%endif
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
# bug437293
%ifarch ppc64
Obsoletes:      curl-64bit
%endif

%description
Curl is a client to get documents and files from or send documents to a
server using any of the supported protocols (HTTP, HTTPS, FTP, FTPS,
TFTP, DICT, TELNET, LDAP, or FILE). The command is designed to work
without user interaction or any kind of interactivity.

%package -n libcurl4
# Subpackage that carries only the versioned shared library (see its files
# list); the command-line tool stays in the main package.
Summary:        Version 4 of cURL shared library
Group:          Productivity/Networking/Web/Utilities

%description -n libcurl4
The cURL shared library version 4 for accessing data using different
network protocols.

%package -n libcurl-devel
# Development subpackage: headers, curl-config, pkg-config data, the autoconf
# macro and the unversioned .so link (see its files list).
Summary:        A Tool for Transferring Data from URLs
Group:          Development/Libraries/C and C++
Requires:       glibc-devel
# NOTE(review): this pins only the version, not the release. Security fixes
# ship as new releases of the same 7.37.0 version, so the dependency is also
# satisfied by an older, less-patched libcurl4 build; consider whether it
# should be "= %%{version}-%%{release}".
Requires:       libcurl4 = %{version}
# curl-devel (v 7.15.5) was last used in 10.2
Provides:       curl-devel <= 7.15.5
Obsoletes:      curl-devel < 7.16.2

%description -n libcurl-devel
Curl is a client to get documents and files from or send documents to a
server using any of the supported protocols (HTTP, HTTPS, FTP, GOPHER,
DICT, TELNET, LDAP, or FILE). The command is designed to work without
user interaction or any kind of interactivity.

%prep
# Optional authenticity check of the source tarball: it only runs when the
# build defines VERIFY_SIG (e.g. rpmbuild -D 'VERIFY_SIG 1'); otherwise the
# tarball is unpacked without any signature check in this section.
%if 0%{?VERIFY_SIG}
%gpg_verify %{S:2}
%endif
%setup -q
# Apply the patch stack in ascending order. Every Patch tag declared in the
# preamble has a matching line here; keep it that way, because a patch that
# is declared but not applied leaves its fix out of the build without any
# error. The first three patches and patch 61 are given no -p option, so
# they use rpm's default strip level; all others strip one leading path
# component (-p1).
%patch
%patch1
%patch3
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch32 -p1
%patch33 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch44 -p1
%patch45 -p1
%patch46 -p1
%patch47 -p1
%patch48 -p1
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
%patch71 -p1
%patch72 -p1
%patch73 -p1
%patch74 -p1
%patch75 -p1
%patch76 -p1
%patch77 -p1
%patch78 -p1
%patch79 -p1
%patch80 -p1
%patch81 -p1
%patch82 -p1
%patch83 -p1
%patch84 -p1
%patch85 -p1
%patch86 -p1
%patch87 -p1
%patch88 -p1
%patch89 -p1

%build
# curl complains if macro definition is contained in CFLAGS
# see m4/xc-val-flgs.m4
# So the fortify define is set through CPPFLAGS instead, and the literal
# string "-D_FORTIFY_SOURCE=2" is cut out of the distribution's flags.
# NOTE(review): the sed matches that exact spelling only; a different fortify
# level in RPM_OPT_FLAGS would stay in CFLAGS while CPPFLAGS still says 2 -
# confirm against the distribution's current flags.
CPPFLAGS="-D_FORTIFY_SOURCE=2"
CFLAGS=$(echo $RPM_OPT_FLAGS | sed 's/-D_FORTIFY_SOURCE=2//')
export CPPFLAGS CFLAGS
# Regenerate the build system from the patched sources.
autoreconf -fi
# local hack to make curl-config --libs stop printing libraries it depends on
# (currently, libtool sets link_all_deplibs=(yes|unknown) everywhere,
# will hopefully change in the future)
sed -i 's/link_all_deplibs=unknown/link_all_deplibs=no/' configure
# Disable metalink [bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
# (done by --without-libmetalink in the configure call below).
# With the openssl switch on, TLS is built against OpenSSL and
# /etc/ssl/certs/ becomes the CA directory given to configure; with it off,
# TLS is built against NSS only if the mozilla_nss switch is on, otherwise
# the build has no TLS backend selected here.
%configure \
	--enable-ipv6 \
%if %{with openssl}
	--with-ssl \
	--with-ca-path=/etc/ssl/certs/ \
%else
	--without-ssl \
%if %{with mozilla_nss}
	--with-nss \
%endif
%endif
	--with-gssapi=/usr/lib/mit \
	--with-libssh2\
	--without-libmetalink \
	--enable-hidden-symbols \
	--disable-static \
	--enable-threaded-resolver

# The ':' line is a no-op command used as an in-script remark; the grep after
# it is the actual check, and a non-zero exit there is meant to stop the build.
: if this fails, the above sed hack did not work
./libtool --config | grep -q link_all_deplibs=no
# enable-hidden-symbols needs gcc4 and makes libcurl export only its API symbols
make %{?_smp_mflags}

%if %{with testsuite}

%check
# Runs upstream's regression suite against the patched build. With this many
# backports on an old base, the suite is the automated check that the patch
# stack still behaves; building with the testsuite switch off, or with tests
# taken out (see Patch19 and the flaky filter below), narrows that check.
cd tests
make
# make sure the testsuite runs don't race on MP machines in autobuild
# BUILD_INCARNATION is taken from the environment, else from /.buildenv if
# that file is readable, else defaults to 0.
if test -z "$BUILD_INCARNATION" -a -r /.buildenv; then
	. /.buildenv
fi
if test -z "$BUILD_INCARNATION"; then
	BUILD_INCARNATION=0
fi

# Base port for the test servers: 8990 plus 20 per build incarnation, so
# concurrent builds get base ports that are 20 apart.
base=$((8990 + $BUILD_INCARNATION * 20))
# bug940009 do not run flaky tests for any architecture
# at least test 1510 does fail for i586 and ppc64le
# -a keeps going after a failed test, -b sets the base port, '!flaky' leaves
# out tests carrying the flaky keyword; "|| exit" ends the script with the
# failure status of runtests.pl.
perl ./runtests.pl -a -b$base '!flaky' || exit
%endif

%install
%{makeinstall}
# Drop the libtool archive so it is not packaged. Plain rm (no -f): it returns
# an error if the file is not at the expected path.
rm $RPM_BUILD_ROOT%_libdir/libcurl.la
# Ship the libcurl autoconf macro in the shared aclocal directory.
install -d $RPM_BUILD_ROOT/usr/share/aclocal
install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT/usr/share/aclocal/

# Refresh the dynamic linker cache when libcurl4 is installed or removed.
# Keep remarks above these two lines: each scriptlet names /sbin/ldconfig as
# its interpreter via -p and is meant to have an empty body.
%post -n libcurl4 -p /sbin/ldconfig

%postun -n libcurl4 -p /sbin/ldconfig

%files
# Main package: the curl command-line tool, its man page and documentation.
# All entries are owned by root:root with the modes set at install time.
%defattr(-,root,root)
%doc README RELEASE-NOTES
%doc docs/{BUGS,FAQ,FEATURES,MANUAL,RESOURCES,TODO,TheArtOfHttpScripting}
%doc lib/README.curl_off_t
%{_prefix}/bin/curl
%doc %{_mandir}/man1/curl.1%{ext_man}

%files -n libcurl4
# Runtime library only: the versioned shared object(s) matched by the glob.
%defattr(-,root,root)
%{_libdir}/libcurl.so.4*

%files -n libcurl-devel
# Development files. No static archive or libtool .la file is shipped: the
# build uses --disable-static and the install step deletes libcurl.la.
%defattr(-,root,root)
%{_prefix}/bin/curl-config
%{_prefix}/include/curl
%dir %{_prefix}/share/aclocal
%{_prefix}/share/aclocal/libcurl.m4
%{_libdir}/libcurl.so
%{_libdir}/pkgconfig/libcurl.pc
%{_mandir}/man1/curl-config.1%{ext_man}
%{_mandir}/man3/*
%doc docs/libcurl/symbols-in-versions

%changelog