From 656415c9ea59def40c02f7dff6e0650186b509f3 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Wed, 11 Oct 2023 12:12:04 +0100 Subject: gentoo auto-resync : 11:10:2023 - 12:12:04 --- net-misc/Manifest.gz | Bin 54487 -> 54479 bytes net-misc/curl/Manifest | 14 +- net-misc/curl/curl-8.0.1.ebuild | 316 ------------------ net-misc/curl/curl-8.1.2.ebuild | 330 ------------------- net-misc/curl/curl-8.3.0-r2.ebuild | 363 +++++++++++++++++++++ net-misc/curl/curl-8.4.0.ebuild | 363 +++++++++++++++++++++ net-misc/curl/curl-9999.ebuild | 23 +- .../curl/files/curl-8.3.0-CVE-2023-38545.patch | 136 ++++++++ .../curl/files/curl-8.3.0-CVE-2023-38546.patch | 131 ++++++++ 9 files changed, 1013 insertions(+), 663 deletions(-) delete mode 100644 net-misc/curl/curl-8.0.1.ebuild delete mode 100644 net-misc/curl/curl-8.1.2.ebuild create mode 100644 net-misc/curl/curl-8.3.0-r2.ebuild create mode 100644 net-misc/curl/curl-8.4.0.ebuild create mode 100644 net-misc/curl/files/curl-8.3.0-CVE-2023-38545.patch create mode 100644 net-misc/curl/files/curl-8.3.0-CVE-2023-38546.patch (limited to 'net-misc') diff --git a/net-misc/Manifest.gz b/net-misc/Manifest.gz index 577ddb79930a..eb2b82b14ee2 100644 Binary files a/net-misc/Manifest.gz and b/net-misc/Manifest.gz differ diff --git a/net-misc/curl/Manifest b/net-misc/curl/Manifest index dacb2e2caeaa..0298d91a54b9 100644 --- a/net-misc/curl/Manifest +++ b/net-misc/curl/Manifest @@ -1,19 +1,19 @@ AUX curl-8.0.1-onion-resolution.patch 4036 BLAKE2B 7f9a693f5090585c46d596133e915b67cf6a0b0a78ee164f987de166f24fb3d64a968f6263110c119710735363429447d52e5cc52df90d0f3830cf0e10c3673b SHA512 72efe3cd6d594cd2b73a19596e587c88a7ca89ed6f9a7325df98df2e18a1e85f26232ea48e80097d2d1e2f8db2c1cd945896311cd70ee830c8838afbcb7628d9 +AUX curl-8.3.0-CVE-2023-38545.patch 4345 BLAKE2B b3519d1fdccecf40e9a49cd96bf61e53c2a8ab44b2ca05543ea431da6a00125ccc9b6f7cdde0371db30e741b19a8c86cc90038987750744d2f02a0b1c1f0bec0 SHA512 1b0d3f4d4475bf4d579d4a99504a1e488b4a64e956497dc9558206234f67c60a6006ec9c93df89dc5b18c8d60312877838564adbcb834af5d6389f2f7be856d8 +AUX curl-8.3.0-CVE-2023-38546.patch 4852 BLAKE2B 316a6ca5a05c55ffa029aa97ad9c23844bf9dce2a0220cdce324c678baa8f1bfef6dcb21a6460c80345d2fe81e7738055d207a76e3d0c920c6bbb827869b02c5 SHA512 1a0d047c9c661d39caf4f4f47177aa804b8b8689f68f1f14e83163ce311b5783b58ae3d216e84dbec6bf93b6b0ba7a838831121282702e613ab4c00c1874730d AUX curl-8.3.0-tests-arm-musl.patch 3472 BLAKE2B 6722ff38b03191a9c26b90b9a2d4dc9d439cfb0d7227e10f1f100bec4a4d8709878bfab89ef9cfa854955dd44462eef66b8eb3a31db75b4555d9eccaa4457729 SHA512 3beaf54c017c9c13e023bdcaa7e187b1689f988ff2837c2e9a998ed9e7beb850e8baf9dafb0a506b60018b853c8039763d59f2849f1772a8bc8b63843111d769 AUX curl-prefix.patch 880 BLAKE2B 5b7552a8339014221864a585d174b02a96ec7dd7fe8762d331d1981834044f8ec4db64d527a4ded3f5f4cccc86f281576668de092439eb19f5477d5fcf8369cf SHA512 c7cd13b9ccbd12ed01ea121ffece9c23b898a5b34698bae59ae1dd23b1cf2445180b84d80c4a640981f16dba5018df944f405dd5c660addab54ca21e0e673b7f AUX curl-respect-cflags-3.patch 406 BLAKE2B 1b533144858aff5566150c4a2648ad2e48e8ff29849ae285592edfee4b3332d06e750395dea7190ee6a01d2b5ee2c2c42c10400c2e5defa09963a90a1a10417d SHA512 3219e4e67d534e35012909243fc8d69d58989462db44dd507c502e7aaa299f1d9a01392e2c83797cc2bdb53d503470c5d6e7bf94572a6ccc6e5eafcc0466bc54 -DIST curl-8.0.1.tar.xz 2575544 BLAKE2B 67d82e9d71f0a351b5c2ed3ad5eab02e367ded872658a295179b935729d5105015f8c29569c396e11cd14036656af894ded85c8838cba260d9f6f1a8dcb5e22b SHA512 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d -DIST curl-8.0.1.tar.xz.asc 488 BLAKE2B 452e1bebe1028e7621bbf8829e50cf56e254cd63a8cf2a4c0332176b9f18fb2821304ae556a203996d273c986bddbd04db2218c18fd34dee66e9155861ba50ce SHA512 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf -DIST curl-8.1.2.tar.xz 2612652 BLAKE2B 66d0828912bb9971dac99025aa8b5c1c2fac1f8b568f2a8a97bd9f66986bdb164b603b539ec3e123cd6a26ea65829e58c90fc9852be88b42074cf40c89c566d1 SHA512 532ab96eba6dea66d272f3be56f5af5c5da922480f9a10e203de98037c311f12f8145ba6bf813831e42815e068874ccfd108f84f7650743f5dbb3ebc3bc9c4f4 -DIST curl-8.1.2.tar.xz.asc 488 BLAKE2B 304dbdb51aa113c0b70b2662e29b1be3294b04f5f00264ce60703756363999cd567dcd0301e27b294d1d53f16ecc016ba429fcbea240949b372750f7e6e7375a SHA512 d120299a2d59259aeb19ae0fa3a3e181e25b6927677187037c61a0901879956177ce8dda10764073a47848f81dcbbcb94e0b6008742994042b6b8fd194e169c3 DIST curl-8.2.1.tar.xz 2631932 BLAKE2B 77c0b067935397afb3961378f2fe349fa988c6379c1ab7437c5d5f967710b2e9ba7aec91df8fe58a8b26c00c0164d4db9bd095ca27d1bf52b768c8d83cc0ecaf SHA512 3f78c9330c52d32b166f17829fc2be13418ef925e88f75aacad7f369e7afe00dc4a56566418730dbb845b2b284d721b08f639df322e2e1ef2dfab165c4189094 DIST curl-8.2.1.tar.xz.asc 488 BLAKE2B 569a7c8d338f7175b5035fa281861b57cce7f5327ec6437d79e215e5a806619c9432d7960687e5463787f681cc408371c1eb1f0db7fb8678b8ef34ec50ef69d0 SHA512 31ee66a09e7bd14de949ae991c23a0b905d38407b73ae39bae6d01854d8708355c14bc4d0eab3ff931b85986d0236dd34e934eef6061f4b70739137fd0525084 DIST curl-8.3.0.tar.xz 2641764 BLAKE2B 6875b20e27ed86f9b6ab256210d85e9fb3b39645e8be710b2e6fe29fba40220f870e06bc21e8a92244670fed0a08c7716e4806a267ede49c4ed6d66e03f5fcd4 SHA512 6404b4c74fe1185cb482631ca3a143996cb7298d0d8a76bfafd7696e7729c00559999a069bdba782dee3f3eb273fb678a4438cb27d3deca54022878cdff83a51 DIST curl-8.3.0.tar.xz.asc 488 BLAKE2B ef5a749e579710d45db9f73da0cbcb58d77a9dfe73be622536496997fa792fe5cbd0331a31f01e21cbdb36c6384dca44baa647c9f3d20effabb5bfc275b1b491 SHA512 b7d45722640ac50181b20a6d663168ec6eec6691c5604ddfe9c7177f07da598cb2de688c631043dc428c311774d781ccd16bd1e2fb4f038be651e3bee383aec4 -EBUILD curl-8.0.1.ebuild 8726 BLAKE2B 0d9ac7063eb37637fc6d99f092dce9a58c37eb2135319147e24e4aeb1eaca62f352272d963c2122586207d9ce3b7d650e0b317d10cff0811283cedd3993530de SHA512 82c0db5ad5cea9781459da9e3faa296d3a870965b89b4c26881ef950671fe8071b55599910a009e07391e9c42d0794f24369a162d54fe52860fb8a8793027e29 -EBUILD curl-8.1.2.ebuild 9542 BLAKE2B 4afcd794d213bbc26610681b0e668e3c9d93d33765b28550e42f30db1d5d555a6447ae79911e909d737e7e74b7fe933a0fc75c950a4518f8f0dedaf76079367e SHA512 dfa218e14946e4d0c468aab1ff8018917d9191c50c5ac2ff146b13efa0c2c1118c21110be2f902d7ad78006d2cd06e86506728d1dc28115e7a312ce39d4da39f +DIST curl-8.4.0.tar.xz 2658376 BLAKE2B ea5ebecc3c1aeac3ae8fd0cf7d8ff3298149b9c4c556fb85ed8d9310e3613228eb6fca133b0dfb9268988f93d694779fab8d53510cfa5710c1320bb6638f05eb SHA512 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b +DIST curl-8.4.0.tar.xz.asc 488 BLAKE2B 0fd4ea46a0942b9bc440e91e8f9323bba6d0eb02fbc87c227004c90e5be14cc644446bc235ab67f857b617975cdeada6ce38a647da9e0bd783e57d58f354cdb4 SHA512 b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e EBUILD curl-8.2.1.ebuild 10403 BLAKE2B 7eda879bb571b9ea002069e6ab93da988ea69fd7ed900bd6318bc6cee954fb05b9b29d43b01e2b2ae5d46673129cbd07245f4ee6f70748bb6e28be66f2a53ba2 SHA512 f03b6d6d7131f0fa41a0bdc19bfca06e90aa4272604f02d2e0433f68ab77b890c2e838e302a186e710156cd85f2a903dcc44d822fd3f4fabe7f4cf366603e5c4 EBUILD curl-8.3.0-r1.ebuild 10529 BLAKE2B 113f2dde79d5463ce1fc0d2bf36c85830cd63a06a171bdeb86c631425cffee1840136224105254836dda8f3ea7a5607cd7bb25e3b4583bd17ff14fb50b0b0663 SHA512 fd175e2c58652341a2ed416246d4b88d7a7adacb4949284e4a670ddf3f7e88c7b854bf2168f8283d2a9003a3f4e888bc195a6108454e66bb1ee220552ac80bf3 +EBUILD curl-8.3.0-r2.ebuild 10612 BLAKE2B 7440f5638251a86a60aa5285d80cb8a16cdaa2036cee80bebc5141fbbc42304baff6291746f485f8a57f94b33564c4536e5c9a66d47f6e95bdd80dcfd07a3cc8 SHA512 d5d38bead2bbbf8507b60350e363d6d5c5ebc08808c649084c14b70dc67e5d7663d325eb97b700ad7f641338989bee5497e4bf2ee0401c4e97b94b2d929ccd15 EBUILD curl-8.3.0.ebuild 10496 BLAKE2B 66826576bb5eeb4b2117ab45546716c3bae90fa90e6725d81e570e24e42da6a7762d1709ac0891caacab40ffdd6b3dd6dcc561f56105ea1bf704c23aae8afa32 SHA512 2233d6514572c4f5c71d1e1016fb972b51ca7f06ec5523e233aecb053163ad11a25334ce69d617e2a98d3da8d323fd2df68520cc39033d29de5c28b3e43bcacf -EBUILD curl-9999.ebuild 10496 BLAKE2B 66826576bb5eeb4b2117ab45546716c3bae90fa90e6725d81e570e24e42da6a7762d1709ac0891caacab40ffdd6b3dd6dcc561f56105ea1bf704c23aae8afa32 SHA512 2233d6514572c4f5c71d1e1016fb972b51ca7f06ec5523e233aecb053163ad11a25334ce69d617e2a98d3da8d323fd2df68520cc39033d29de5c28b3e43bcacf +EBUILD curl-8.4.0.ebuild 10709 BLAKE2B 1505d7a18b01b85e5e18a047bb8886456acb7ef824887065ab3d927497db7098a024122be62c77d1ef3c7670ab885331d112679098c8a8536057fee5f7bdf3eb SHA512 ad34f0c768f512ca32b5898f9507052f38a11aa77007ed17da8f745270293c54bbe76e8f886d046ca95b71ff5aec3ee20851d67167fe8fcb439613f6ea135758 +EBUILD curl-9999.ebuild 10713 BLAKE2B 44d2b7f5a059708ad8f6f63508baac8a3b62cd2820001cbc319b12cd6f054bcd6e308f89b1458ec14770f478432cd15a06d6258272773ef1b98014266f405557 SHA512 c40206f8fd31bc5e9b622ad3ec2bf37537e3a53dd3b84d0eefca934624223a0a1dc28c7b832c887ae9e71a745b8b5ad96358537a67f77d80cee0f00e9987c8a2 MISC metadata.xml 2203 BLAKE2B 939a2ec06ec2155b88d510abdfaa00eafcd5a7e5f6f7983e456ccfc7cf4179d58adbcc7f282a11bb74d217640c93896fb5038206f7c76ea2c2e2543fe0db378e SHA512 c81d7159c0851dab0ae099c7129d965d3d3bd5cc7f7f3240052a4afab0eaa1e15efbf79265bbad5f2d257cc14b5d30daacd3aa5c3099c2ac264560e23ec797f1 diff --git a/net-misc/curl/curl-8.0.1.ebuild b/net-misc/curl/curl-8.0.1.ebuild deleted file mode 100644 index d55ecb0e531c..000000000000 --- a/net-misc/curl/curl-8.0.1.ebuild +++ /dev/null @@ -1,316 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc -inherit autotools multilib-minimal prefix verify-sig - -DESCRIPTION="A Client that groks URLs" -HOMEPAGE="https://curl.se/" -SRC_URI=" - https://curl.se/download/${P}.tar.xz - verify-sig? ( https://curl.se/download/${P}.tar.xz.asc ) -" - -LICENSE="BSD curl ISC test? ( BSD-4 )" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" -IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd" -IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_rustls" -IUSE+=" nghttp3" -RESTRICT="!test? ( test )" - -# Only one default ssl provider can be enabled -REQUIRED_USE=" - ssl? ( - ^^ ( - curl_ssl_gnutls - curl_ssl_mbedtls - curl_ssl_nss - curl_ssl_openssl - curl_ssl_rustls - ) - ) -" - -RDEPEND=" - sys-libs/zlib[${MULTILIB_USEDEP}] - adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] ) - brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) - http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] ) - idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] ) - kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) - ldap? ( net-nds/openldap:=[${MULTILIB_USEDEP}] ) - nghttp3? ( - net-libs/nghttp3[${MULTILIB_USEDEP}] - net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}] - ) - rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) - ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] ) - ssl? ( - gnutls? ( - app-misc/ca-certificates - net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}] - dev-libs/nettle:=[${MULTILIB_USEDEP}] - ) - mbedtls? ( - app-misc/ca-certificates - net-libs/mbedtls:=[${MULTILIB_USEDEP}] - ) - nss? ( - app-misc/ca-certificates - dev-libs/nss[${MULTILIB_USEDEP}] - dev-libs/nss-pem - ) - openssl? ( - dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] - ) - rustls? ( - net-libs/rustls-ffi:=[${MULTILIB_USEDEP}] - ) - ) - zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) -" -DEPEND="${RDEPEND}" -BDEPEND=" - dev-lang/perl - virtual/pkgconfig - test? ( - sys-apps/diffutils - http2? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) - nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) - ) - verify-sig? ( sec-keys/openpgp-keys-danielstenberg ) -" - -DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/curl/curlbuild.h -) - -MULTILIB_CHOST_TOOLS=( - /usr/bin/curl-config -) - -QA_CONFIG_IMPL_DECL_SKIP=( - __builtin_available - closesocket - CloseSocket - getpass_r - ioctlsocket - IoctlSocket - mach_absolute_time - setmode -) - -PATCHES=( - "${FILESDIR}"/${PN}-prefix.patch - "${FILESDIR}"/${PN}-respect-cflags-3.patch - - # Backports - "${FILESDIR}"/${PN}-8.0.1-onion-resolution.patch -) - -src_prepare() { - default - - eprefixify curl-config.in - eautoreconf -} - -multilib_src_configure() { - # We make use of the fact that later flags override earlier ones - # So start with all ssl providers off until proven otherwise - # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) - local myconf=() - - myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) - #myconf+=( --without-default-ssl-backend ) - if use ssl ; then - myconf+=( --without-gnutls --without-mbedtls --without-nss --without-rustls ) - - if use gnutls || use curl_ssl_gnutls; then - einfo "SSL provided by gnutls" - myconf+=( --with-gnutls ) - fi - if use mbedtls || use curl_ssl_mbedtls; then - einfo "SSL provided by mbedtls" - myconf+=( --with-mbedtls ) - fi - if use nss || use curl_ssl_nss; then - einfo "SSL provided by nss" - myconf+=( --with-nss --with-nss-deprecated ) - fi - if use openssl || use curl_ssl_openssl; then - einfo "SSL provided by openssl" - myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) - fi - if use rustls || use curl_ssl_rustls; then - einfo "SSL provided by rustls" - myconf+=( --with-rustls ) - fi - if use curl_ssl_gnutls; then - einfo "Default SSL provided by gnutls" - myconf+=( --with-default-ssl-backend=gnutls ) - elif use curl_ssl_mbedtls; then - einfo "Default SSL provided by mbedtls" - myconf+=( --with-default-ssl-backend=mbedtls ) - elif use curl_ssl_nss; then - einfo "Default SSL provided by nss" - myconf+=( --with-default-ssl-backend=nss ) - elif use curl_ssl_openssl; then - einfo "Default SSL provided by openssl" - myconf+=( --with-default-ssl-backend=openssl ) - elif use curl_ssl_rustls; then - einfo "Default SSL provided by rustls" - myconf+=( --with-default-ssl-backend=rustls ) - else - eerror "We can't be here because of REQUIRED_USE." - fi - - else - myconf+=( --without-ssl ) - einfo "SSL disabled" - fi - - # These configuration options are organized alphabetically - # within each category. This should make it easier if we - # ever decide to make any of them contingent on USE flags: - # 1) protocols first. To see them all do - # 'grep SUPPORT_PROTOCOLS configure.ac' - # 2) --enable/disable options second. - # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort - # 3) --with/without options third. - # grep -- --with configure | grep Check | awk '{ print $4 }' | sort - - myconf+=( - $(use_enable alt-svc) - --enable-crypto-auth - --enable-dict - --disable-ech - --enable-file - $(use_enable ftp) - $(use_enable gopher) - $(use_enable hsts) - --enable-http - $(use_enable imap) - $(use_enable ldap) - $(use_enable ldap ldaps) - --enable-ntlm - --disable-ntlm-wb - $(use_enable pop3) - --enable-rt - --enable-rtsp - $(use_enable samba smb) - $(use_with ssh libssh2) - $(use_enable smtp) - $(use_enable telnet) - $(use_enable tftp) - --enable-tls-srp - $(use_enable adns ares) - --enable-cookies - --enable-dateparse - --enable-dnsshuffle - --enable-doh - --enable-symbol-hiding - --enable-http-auth - --enable-ipv6 - --enable-largefile - --enable-manual - --enable-mime - --enable-netrc - $(use_enable progress-meter) - --enable-proxy - --enable-socketpair - --disable-sspi - $(use_enable static-libs static) - --enable-pthreads - --enable-threaded-resolver - --disable-versioned-symbols - --without-amissl - --without-bearssl - $(use_with brotli) - --without-fish-functions-dir - $(use_with http2 nghttp2) - --without-hyper - $(use_with idn libidn2) - $(use_with kerberos gssapi "${EPREFIX}"/usr) - --without-libgsasl - --without-libpsl - --without-msh3 - $(use_with nghttp3) - $(use_with nghttp3 ngtcp2) - --without-quiche - $(use_with rtmp librtmp) - --without-schannel - --without-secure-transport - --without-test-caddy - --without-test-httpd - --without-test-nghttpx - $(use_enable websockets) - --without-winidn - --without-wolfssl - --with-zlib - $(use_with zstd) - ) - - if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then - myconf+=( - --with-test-nghttpx="${BROOT}/usr/bin/nghttpx" - ) - fi - - ECONF_SOURCE="${S}" econf "${myconf[@]}" - - if ! multilib_is_native_abi; then - # Avoid building the client (we just want libcurl for multilib) - sed -i -e '/SUBDIRS/s:src::' Makefile || die - sed -i -e '/SUBDIRS/s:scripts::' Makefile || die - fi - - # Fix up the pkg-config file to be more robust. - # https://github.com/curl/curl/issues/864 - local priv=() libs=() - # We always enable zlib. - libs+=( "-lz" ) - priv+=( "zlib" ) - if use http2; then - libs+=( "-lnghttp2" ) - priv+=( "libnghttp2" ) - fi - if use nghttp3; then - libs+=( "-lnghttp3" "-lngtcp2" ) - priv+=( "libnghttp3" "libngtcp2" ) - fi - if use ssl && use curl_ssl_openssl; then - libs+=( "-lssl" "-lcrypto" ) - priv+=( "openssl" ) - fi - grep -q Requires.private libcurl.pc && die "need to update ebuild" - libs=$(printf '|%s' "${libs[@]}") - sed -i -r \ - -e "/^Libs.private/s:(${libs#|})( |$)::g" \ - libcurl.pc || die - echo "Requires.private: ${priv[*]}" >> libcurl.pc || die -} - -multilib_src_test() { - # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721 - # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches) - # -v: verbose - # -a: keep going on failure (so we see everything which breaks, not just 1st test) - # -k: keep test files after completion - # -am: automake style TAP output - # -p: print logs if test fails - # Note: if needed, we can skip specific tests. See e.g. Fedora's packaging - # or just read https://github.com/curl/curl/tree/master/tests#run. - multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p" -} - -multilib_src_install_all() { - einstalldocs - find "${ED}" -type f -name '*.la' -delete || die - rm -rf "${ED}"/etc/ || die -} diff --git a/net-misc/curl/curl-8.1.2.ebuild b/net-misc/curl/curl-8.1.2.ebuild deleted file mode 100644 index 0cba350a0eaa..000000000000 --- a/net-misc/curl/curl-8.1.2.ebuild +++ /dev/null @@ -1,330 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc -inherit autotools multilib-minimal prefix verify-sig - -DESCRIPTION="A Client that groks URLs" -HOMEPAGE="https://curl.se/" - -if [[ ${PV} == 9999 ]]; then - inherit git-r3 - EGIT_REPO_URI="https://github.com/curl/curl.git" -else - SRC_URI=" - https://curl.se/download/${P}.tar.xz - verify-sig? ( https://curl.se/download/${P}.tar.xz.asc ) - " - KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" -fi - -LICENSE="BSD curl ISC test? ( BSD-4 )" -SLOT="0" -IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd" -# These select the default SSL implementation -IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_rustls" -IUSE+=" nghttp3" -RESTRICT="!test? ( test )" - -# Only one default ssl provider can be enabled -# The default ssl provider needs its USE satisfied -REQUIRED_USE=" - ssl? ( - ^^ ( - curl_ssl_gnutls - curl_ssl_mbedtls - curl_ssl_nss - curl_ssl_openssl - curl_ssl_rustls - ) - ) - curl_ssl_gnutls? ( gnutls ) - curl_ssl_mbedtls? ( mbedtls ) - curl_ssl_nss? ( nss ) - curl_ssl_openssl? ( openssl ) - curl_ssl_rustls? ( rustls ) -" - -RDEPEND=" - sys-libs/zlib[${MULTILIB_USEDEP}] - adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] ) - brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) - http2? ( >=net-libs/nghttp2-1.12.0:=[${MULTILIB_USEDEP}] ) - idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] ) - kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) - ldap? ( net-nds/openldap:=[static-libs?,${MULTILIB_USEDEP}] ) - nghttp3? ( - >=net-libs/nghttp3-0.11.0[${MULTILIB_USEDEP}] - >=net-libs/ngtcp2-0.15.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] - ) - rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) - ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] ) - ssl? ( - gnutls? ( - app-misc/ca-certificates - net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}] - dev-libs/nettle:=[${MULTILIB_USEDEP}] - ) - mbedtls? ( - app-misc/ca-certificates - net-libs/mbedtls:=[${MULTILIB_USEDEP}] - ) - nss? ( - app-misc/ca-certificates - dev-libs/nss[${MULTILIB_USEDEP}] - dev-libs/nss-pem - ) - openssl? ( - dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] - ) - rustls? ( - net-libs/rustls-ffi:=[${MULTILIB_USEDEP}] - ) - ) - zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) -" -DEPEND="${RDEPEND}" -BDEPEND=" - dev-lang/perl - virtual/pkgconfig - test? ( - sys-apps/diffutils - http2? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) - nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) - ) - verify-sig? ( sec-keys/openpgp-keys-danielstenberg ) -" - -DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/curl/curlbuild.h -) - -MULTILIB_CHOST_TOOLS=( - /usr/bin/curl-config -) - -QA_CONFIG_IMPL_DECL_SKIP=( - __builtin_available - closesocket - CloseSocket - getpass_r - ioctlsocket - IoctlSocket - mach_absolute_time - setmode -) - -PATCHES=( - "${FILESDIR}"/${PN}-prefix.patch - "${FILESDIR}"/${PN}-respect-cflags-3.patch -) - -src_prepare() { - default - - eprefixify curl-config.in - eautoreconf -} - -multilib_src_configure() { - # We make use of the fact that later flags override earlier ones - # So start with all ssl providers off until proven otherwise - # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) - local myconf=() - - myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) - if use ssl ; then - myconf+=( --without-gnutls --without-mbedtls --without-nss --without-rustls ) - - if use gnutls; then - multilib_is_native_abi && einfo "SSL provided by gnutls" - myconf+=( --with-gnutls ) - fi - if use mbedtls; then - multilib_is_native_abi && einfo "SSL provided by mbedtls" - myconf+=( --with-mbedtls ) - fi - if use nss; then - multilib_is_native_abi && einfo "SSL provided by nss" - myconf+=( --with-nss --with-nss-deprecated ) - fi - if use openssl; then - multilib_is_native_abi && einfo "SSL provided by openssl" - myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) - fi - if use rustls; then - multilib_is_native_abi && einfo "SSL provided by rustls" - myconf+=( --with-rustls ) - fi - if use curl_ssl_gnutls; then - multilib_is_native_abi && einfo "Default SSL provided by gnutls" - myconf+=( --with-default-ssl-backend=gnutls ) - elif use curl_ssl_mbedtls; then - multilib_is_native_abi && einfo "Default SSL provided by mbedtls" - myconf+=( --with-default-ssl-backend=mbedtls ) - elif use curl_ssl_nss; then - multilib_is_native_abi && einfo "Default SSL provided by nss" - myconf+=( --with-default-ssl-backend=nss ) - elif use curl_ssl_openssl; then - multilib_is_native_abi && einfo "Default SSL provided by openssl" - myconf+=( --with-default-ssl-backend=openssl ) - elif use curl_ssl_rustls; then - multilib_is_native_abi && einfo "Default SSL provided by rustls" - myconf+=( --with-default-ssl-backend=rustls ) - else - eerror "We can't be here because of REQUIRED_USE." - fi - - else - myconf+=( --without-ssl ) - einfo "SSL disabled" - fi - - # These configuration options are organized alphabetically - # within each category. This should make it easier if we - # ever decide to make any of them contingent on USE flags: - # 1) protocols first. To see them all do - # 'grep SUPPORT_PROTOCOLS configure.ac' - # 2) --enable/disable options second. - # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort - # 3) --with/without options third. - # grep -- --with configure | grep Check | awk '{ print $4 }' | sort - - myconf+=( - $(use_enable alt-svc) - --enable-crypto-auth - --enable-dict - --disable-ech - --enable-file - $(use_enable ftp) - $(use_enable gopher) - $(use_enable hsts) - --enable-http - $(use_enable imap) - $(use_enable ldap) - $(use_enable ldap ldaps) - --enable-ntlm - --disable-ntlm-wb - $(use_enable pop3) - --enable-rt - --enable-rtsp - $(use_enable samba smb) - $(use_with ssh libssh2) - $(use_enable smtp) - $(use_enable telnet) - $(use_enable tftp) - --enable-tls-srp - $(use_enable adns ares) - --enable-cookies - --enable-dateparse - --enable-dnsshuffle - --enable-doh - --enable-symbol-hiding - --enable-http-auth - --enable-ipv6 - --enable-largefile - --enable-manual - --enable-mime - --enable-netrc - $(use_enable progress-meter) - --enable-proxy - --enable-socketpair - --disable-sspi - $(use_enable static-libs static) - --enable-pthreads - --enable-threaded-resolver - --disable-versioned-symbols - --without-amissl - --without-bearssl - $(use_with brotli) - --without-fish-functions-dir - $(use_with http2 nghttp2) - --without-hyper - $(use_with idn libidn2) - $(use_with kerberos gssapi "${EPREFIX}"/usr) - --without-libgsasl - --without-libpsl - --without-msh3 - $(use_with nghttp3) - $(use_with nghttp3 ngtcp2) - --without-quiche - $(use_with rtmp librtmp) - --without-schannel - --without-secure-transport - --without-test-caddy - --without-test-httpd - --without-test-nghttpx - $(use_enable websockets) - --without-winidn - --without-wolfssl - --with-zlib - $(use_with zstd) - ) - - if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then - myconf+=( - --with-test-nghttpx="${BROOT}/usr/bin/nghttpx" - ) - fi - - ECONF_SOURCE="${S}" econf "${myconf[@]}" - - if ! multilib_is_native_abi; then - # Avoid building the client (we just want libcurl for multilib) - sed -i -e '/SUBDIRS/s:src::' Makefile || die - sed -i -e '/SUBDIRS/s:scripts::' Makefile || die - fi - - # Fix up the pkg-config file to be more robust. - # https://github.com/curl/curl/issues/864 - local priv=() libs=() - # We always enable zlib. - libs+=( "-lz" ) - priv+=( "zlib" ) - if use http2; then - libs+=( "-lnghttp2" ) - priv+=( "libnghttp2" ) - fi - if use nghttp3; then - libs+=( "-lnghttp3" "-lngtcp2" ) - priv+=( "libnghttp3" "libngtcp2" ) - fi - if use ssl && use curl_ssl_openssl; then - libs+=( "-lssl" "-lcrypto" ) - priv+=( "openssl" ) - fi - grep -q Requires.private libcurl.pc && die "need to update ebuild" - libs=$(printf '|%s' "${libs[@]}") - sed -i -r \ - -e "/^Libs.private/s:(${libs#|})( |$)::g" \ - libcurl.pc || die - echo "Requires.private: ${priv[*]}" >> libcurl.pc || die -} - -# There is also a pytest harness that tests for bugs in some very specific -# situations; we can rely on upstream for this rather than adding additional test deps. -multilib_src_test() { - # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721 - # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches) - # -v: verbose - # -a: keep going on failure (so we see everything which breaks, not just 1st test) - # -k: keep test files after completion - # -am: automake style TAP output - # -p: print logs if test fails - # Note: if needed, we can skip specific tests. See e.g. Fedora's packaging - # or just read https://github.com/curl/curl/tree/master/tests#run. - # Note: we don't run the testsuite for cross-compilation. - # The network sandbox causes tests 241 and 1083 to fail; these are typically skipped - # as most gentoo users don't have an 'ip6-localhost' - multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p !241 !1083" -} - -multilib_src_install_all() { - einstalldocs - find "${ED}" -type f -name '*.la' -delete || die - rm -rf "${ED}"/etc/ || die -} diff --git a/net-misc/curl/curl-8.3.0-r2.ebuild b/net-misc/curl/curl-8.3.0-r2.ebuild new file mode 100644 index 000000000000..dfbc4a1a6e17 --- /dev/null +++ b/net-misc/curl/curl-8.3.0-r2.ebuild @@ -0,0 +1,363 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc +inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig + +DESCRIPTION="A Client that groks URLs" +HOMEPAGE="https://curl.se/" + +if [[ ${PV} == 9999 ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/curl/curl.git" +else + SRC_URI=" + https://curl.se/download/${P}.tar.xz + verify-sig? ( https://curl.se/download/${P}.tar.xz.asc ) + " + KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +fi + +LICENSE="BSD curl ISC test? ( BSD-4 )" +SLOT="0" +IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd" +# These select the default SSL implementation +IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls" +IUSE+=" nghttp3" +RESTRICT="!test? ( test )" + +# Only one default ssl provider can be enabled +# The default ssl provider needs its USE satisfied +# nghttp3 = https://bugs.gentoo.org/912029 +REQUIRED_USE=" + ssl? ( + ^^ ( + curl_ssl_gnutls + curl_ssl_mbedtls + curl_ssl_openssl + curl_ssl_rustls + ) + ) + curl_ssl_gnutls? ( gnutls ) + curl_ssl_mbedtls? ( mbedtls ) + curl_ssl_openssl? ( openssl ) + curl_ssl_rustls? ( rustls ) + nghttp3? ( !openssl ) +" + +# cURL's docs and CI/CD are great resources for confirming supported versions +# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.: +# - https://github.com/curl/curl/blob/master/docs/HTTP3.md +# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml +# However 'supported' vs 'works' are two entirely different things; be sane but +# don't be afraid to require a later version. + +RDEPEND=" + sys-libs/zlib[${MULTILIB_USEDEP}] + adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] ) + brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) + http2? ( >=net-libs/nghttp2-1.12.0:=[${MULTILIB_USEDEP}] ) + idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] ) + kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) + ldap? ( net-nds/openldap:=[static-libs?,${MULTILIB_USEDEP}] ) + nghttp3? ( + >=net-libs/nghttp3-0.15.0[${MULTILIB_USEDEP}] + >=net-libs/ngtcp2-0.19.1[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] + ) + rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) + ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] ) + ssl? ( + gnutls? ( + app-misc/ca-certificates + net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}] + dev-libs/nettle:=[${MULTILIB_USEDEP}] + ) + mbedtls? ( + app-misc/ca-certificates + net-libs/mbedtls:=[${MULTILIB_USEDEP}] + ) + openssl? ( + dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] + ) + rustls? ( + net-libs/rustls-ffi:=[${MULTILIB_USEDEP}] + ) + ) + zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) +" + +DEPEND="${RDEPEND}" + +BDEPEND=" + dev-lang/perl + virtual/pkgconfig + test? ( + sys-apps/diffutils + http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] ) + nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) + ) + verify-sig? ( sec-keys/openpgp-keys-danielstenberg ) +" + +DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/curl/curlbuild.h +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/curl-config +) + +QA_CONFIG_IMPL_DECL_SKIP=( + __builtin_available + closesocket + CloseSocket + getpass_r + ioctlsocket + IoctlSocket + mach_absolute_time + setmode +) + +PATCHES=( + "${FILESDIR}"/${PN}-prefix.patch + "${FILESDIR}"/${PN}-respect-cflags-3.patch + "${FILESDIR}"/${P}-tests-arm-musl.patch + "${FILESDIR}"/${P}-CVE-2023-38545.patch + "${FILESDIR}"/${P}-CVE-2023-38546.patch +) + +src_prepare() { + default + + eprefixify curl-config.in + eautoreconf +} + +multilib_src_configure() { + # We make use of the fact that later flags override earlier ones + # So start with all ssl providers off until proven otherwise + # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) + local myconf=() + + myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) + if use ssl; then + myconf+=( --without-gnutls --without-mbedtls --without-rustls ) + + if use gnutls; then + multilib_is_native_abi && einfo "SSL provided by gnutls" + myconf+=( --with-gnutls ) + fi + if use mbedtls; then + multilib_is_native_abi && einfo "SSL provided by mbedtls" + myconf+=( --with-mbedtls ) + fi + if use openssl; then + multilib_is_native_abi && einfo "SSL provided by openssl" + myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) + fi + if use rustls; then + multilib_is_native_abi && einfo "SSL provided by rustls" + myconf+=( --with-rustls ) + fi + if use curl_ssl_gnutls; then + multilib_is_native_abi && einfo "Default SSL provided by gnutls" + myconf+=( --with-default-ssl-backend=gnutls ) + elif use curl_ssl_mbedtls; then + multilib_is_native_abi && einfo "Default SSL provided by mbedtls" + myconf+=( --with-default-ssl-backend=mbedtls ) + elif use curl_ssl_openssl; then + multilib_is_native_abi && einfo "Default SSL provided by openssl" + myconf+=( --with-default-ssl-backend=openssl ) + elif use curl_ssl_rustls; then + multilib_is_native_abi && einfo "Default SSL provided by rustls" + myconf+=( --with-default-ssl-backend=rustls ) + else + eerror "We can't be here because of REQUIRED_USE." + die "Please file a bug, hit impossible condition w/ USE=ssl handling." + fi + + else + myconf+=( --without-ssl ) + einfo "SSL disabled" + fi + + # These configuration options are organized alphabetically + # within each category. This should make it easier if we + # ever decide to make any of them contingent on USE flags: + # 1) protocols first. To see them all do + # 'grep SUPPORT_PROTOCOLS configure.ac' + # 2) --enable/disable options second. + # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort + # 3) --with/without options third. + # grep -- --with configure | grep Check | awk '{ print $4 }' | sort + + myconf+=( + $(use_enable alt-svc) + --enable-basic-auth + --enable-bearer-auth + --enable-digest-auth + --enable-kerberos-auth + --enable-negotiate-auth + --enable-aws + --enable-dict + --disable-ech + --enable-file + $(use_enable ftp) + $(use_enable gopher) + $(use_enable hsts) + --enable-http + $(use_enable imap) + $(use_enable ldap) + $(use_enable ldap ldaps) + --enable-ntlm + --disable-ntlm-wb + $(use_enable pop3) + --enable-rt + --enable-rtsp + $(use_enable samba smb) + $(use_with ssh libssh2) + $(use_enable smtp) + $(use_enable telnet) + $(use_enable tftp) + --enable-tls-srp + $(use_enable adns ares) + --enable-cookies + --enable-dateparse + --enable-dnsshuffle + --enable-doh + --enable-symbol-hiding + --enable-http-auth + --enable-ipv6 + --enable-largefile + --enable-manual + --enable-mime + --enable-netrc + $(use_enable progress-meter) + --enable-proxy + --enable-socketpair + --disable-sspi + $(use_enable static-libs static) + --enable-pthreads + --enable-threaded-resolver + --disable-versioned-symbols + --without-amissl + --without-bearssl + $(use_with brotli) + --with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d + $(use_with http2 nghttp2) + --without-hyper + $(use_with idn libidn2) + $(use_with kerberos gssapi "${EPREFIX}"/usr) + --without-libgsasl + --without-libpsl + --without-msh3 + $(use_with nghttp3) + $(use_with nghttp3 ngtcp2) + --without-quiche + $(use_with rtmp librtmp) + --without-schannel + --without-secure-transport + --without-test-caddy + --without-test-httpd + --without-test-nghttpx + $(use_enable websockets) + --without-winidn + --without-wolfssl + --with-zlib + $(use_with zstd) + --with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions + ) + + if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then + myconf+=( + --with-test-nghttpx="${BROOT}/usr/bin/nghttpx" + ) + fi + + if [[ ${CHOST} == *mingw* ]] ; then + myconf+=( + --disable-pthreads + ) + fi + + ECONF_SOURCE="${S}" econf "${myconf[@]}" + + if ! multilib_is_native_abi; then + # Avoid building the client (we just want libcurl for multilib) + sed -i -e '/SUBDIRS/s:src::' Makefile || die + sed -i -e '/SUBDIRS/s:scripts::' Makefile || die + fi + + # Fix up the pkg-config file to be more robust. + # https://github.com/curl/curl/issues/864 + local priv=() libs=() + # We always enable zlib. + libs+=( "-lz" ) + priv+=( "zlib" ) + if use http2; then + libs+=( "-lnghttp2" ) + priv+=( "libnghttp2" ) + fi + if use nghttp3; then + libs+=( "-lnghttp3" "-lngtcp2" ) + priv+=( "libnghttp3" "libngtcp2" ) + fi + if use ssl && use curl_ssl_openssl; then + libs+=( "-lssl" "-lcrypto" ) + priv+=( "openssl" ) + fi + grep -q Requires.private libcurl.pc && die "need to update ebuild" + libs=$(printf '|%s' "${libs[@]}") + sed -i -r \ + -e "/^Libs.private/s:(${libs#|})( |$)::g" \ + libcurl.pc || die + echo "Requires.private: ${priv[*]}" >> libcurl.pc || die +} + +multilib_src_compile() { + default + + if multilib_is_native_abi; then + # Shell completions + ! tc-is-cross-compiler && emake -C scripts + fi +} + +# There is also a pytest harness that tests for bugs in some very specific +# situations; we can rely on upstream for this rather than adding additional test deps. +multilib_src_test() { + # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721 + # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches) + # -v: verbose + # -a: keep going on failure (so we see everything which breaks, not just 1st test) + # -k: keep test files after completion + # -am: automake style TAP output + # -p: print logs if test fails + # Note: if needed, we can skip specific tests. See e.g. Fedora's packaging + # or just read https://github.com/curl/curl/tree/master/tests#run. + # Note: we don't run the testsuite for cross-compilation. + # Upstream recommend 7*nproc as a starting point for parallel tests, but + # this ends up breaking when nproc is huge (like -j80). + # The network sandbox causes tests 241 and 1083 to fail; these are typically skipped + # as most gentoo users don't have an 'ip6-localhost' + multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083" +} + +multilib_src_install() { + emake DESTDIR="${D}" install + + if multilib_is_native_abi; then + # Shell completions + ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install + fi +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + rm -rf "${ED}"/etc/ || die +} diff --git a/net-misc/curl/curl-8.4.0.ebuild b/net-misc/curl/curl-8.4.0.ebuild new file mode 100644 index 000000000000..a4d26adfd053 --- /dev/null +++ b/net-misc/curl/curl-8.4.0.ebuild @@ -0,0 +1,363 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc +inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig + +DESCRIPTION="A Client that groks URLs" +HOMEPAGE="https://curl.se/" + +if [[ ${PV} == 9999 ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/curl/curl.git" +else + SRC_URI=" + https://curl.se/download/${P}.tar.xz + verify-sig? ( https://curl.se/download/${P}.tar.xz.asc ) + " + KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +fi + +LICENSE="BSD curl ISC test? ( BSD-4 )" +SLOT="0" +IUSE="+adns +alt-svc brotli +ftp gnutls gopher +hsts +http2 idn +imap kerberos ldap mbedtls nghttp3 +openssl +pop3" +IUSE+=" +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd" +# These select the default SSL implementation +IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls" +RESTRICT="!test? ( test )" + +# Only one default ssl provider can be enabled +# The default ssl provider needs its USE satisfied +# nghttp3 = https://bugs.gentoo.org/912029 +REQUIRED_USE=" + ssl? ( + ^^ ( + curl_ssl_gnutls + curl_ssl_mbedtls + curl_ssl_openssl + curl_ssl_rustls + ) + ) + curl_ssl_gnutls? ( gnutls ) + curl_ssl_mbedtls? ( mbedtls ) + curl_ssl_openssl? ( openssl ) + curl_ssl_rustls? ( rustls ) + nghttp3? ( + !openssl + alt-svc ) +" + +# cURL's docs and CI/CD are great resources for confirming supported versions +# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.: +# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions) +# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly) +# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml (CI/CD for TCP/2) +# However 'supported' vs 'works' are two entirely different things; be sane but +# don't be afraid to require a later version. + +RDEPEND=" + >=sys-libs/zlib-1.1.4[${MULTILIB_USEDEP}] + adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] ) + brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) + http2? ( >=net-libs/nghttp2-1.12.0:=[${MULTILIB_USEDEP}] ) + idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] ) + kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) + ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) + nghttp3? ( + >=net-libs/nghttp3-0.15.0[${MULTILIB_USEDEP}] + >=net-libs/ngtcp2-0.19.1[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] + ) + rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) + ssh? ( >=net-libs/libssh2-1.0.0[${MULTILIB_USEDEP}] ) + ssl? ( + gnutls? ( + app-misc/ca-certificates + >=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}] + dev-libs/nettle:=[${MULTILIB_USEDEP}] + ) + mbedtls? ( + app-misc/ca-certificates + net-libs/mbedtls:=[${MULTILIB_USEDEP}] + ) + openssl? ( + >=dev-libs/openssl-0.9.7:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] + ) + rustls? ( + net-libs/rustls-ffi:=[${MULTILIB_USEDEP}] + ) + ) + zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] ) +" + +DEPEND="${RDEPEND}" + +BDEPEND=" + dev-lang/perl + virtual/pkgconfig + test? ( + sys-apps/diffutils + http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] ) + nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] ) + ) + verify-sig? ( sec-keys/openpgp-keys-danielstenberg ) +" + +DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/curl/curlbuild.h +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/curl-config +) + +QA_CONFIG_IMPL_DECL_SKIP=( + __builtin_available + closesocket + CloseSocket + getpass_r + ioctlsocket + IoctlSocket + mach_absolute_time + setmode +) + +PATCHES=( + "${FILESDIR}"/${PN}-prefix.patch + "${FILESDIR}"/${PN}-respect-cflags-3.patch +) + +src_prepare() { + default + + eprefixify curl-config.in + eautoreconf +} + +multilib_src_configure() { + # We make use of the fact that later flags override earlier ones + # So start with all ssl providers off until proven otherwise + # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) + local myconf=() + + myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) + if use ssl; then + myconf+=( --without-gnutls --without-mbedtls --without-rustls ) + + if use gnutls; then + multilib_is_native_abi && einfo "SSL provided by gnutls" + myconf+=( --with-gnutls ) + fi + if use mbedtls; then + multilib_is_native_abi && einfo "SSL provided by mbedtls" + myconf+=( --with-mbedtls ) + fi + if use openssl; then + multilib_is_native_abi && einfo "SSL provided by openssl" + myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) + fi + if use rustls; then + multilib_is_native_abi && einfo "SSL provided by rustls" + myconf+=( --with-rustls ) + fi + if use curl_ssl_gnutls; then + multilib_is_native_abi && einfo "Default SSL provided by gnutls" + myconf+=( --with-default-ssl-backend=gnutls ) + elif use curl_ssl_mbedtls; then + multilib_is_native_abi && einfo "Default SSL provided by mbedtls" + myconf+=( --with-default-ssl-backend=mbedtls ) + elif use curl_ssl_openssl; then + multilib_is_native_abi && einfo "Default SSL provided by openssl" + myconf+=( --with-default-ssl-backend=openssl ) + elif use curl_ssl_rustls; then + multilib_is_native_abi && einfo "Default SSL provided by rustls" + myconf+=( --with-default-ssl-backend=rustls ) + else + eerror "We can't be here because of REQUIRED_USE." + die "Please file a bug, hit impossible condition w/ USE=ssl handling." + fi + + else + myconf+=( --without-ssl ) + einfo "SSL disabled" + fi + + # These configuration options are organized alphabetically + # within each category. This should make it easier if we + # ever decide to make any of them contingent on USE flags: + # 1) protocols first. To see them all do + # 'grep SUPPORT_PROTOCOLS configure.ac' + # 2) --enable/disable options second. + # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort + # 3) --with/without options third. + # grep -- --with configure | grep Check | awk '{ print $4 }' | sort + + myconf+=( + $(use_enable alt-svc) + --enable-basic-auth + --enable-bearer-auth + --enable-digest-auth + --enable-kerberos-auth + --enable-negotiate-auth + --enable-aws + --enable-dict + --disable-ech + --enable-file + $(use_enable ftp) + $(use_enable gopher) + $(use_enable hsts) + --enable-http + $(use_enable imap) + $(use_enable ldap) + $(use_enable ldap ldaps) + --enable-ntlm + --disable-ntlm-wb + $(use_enable pop3) + --enable-rt + --enable-rtsp + $(use_enable samba smb) + $(use_with ssh libssh2) + $(use_enable smtp) + $(use_enable telnet) + $(use_enable tftp) + --enable-tls-srp + $(use_enable adns ares) + --enable-cookies + --enable-dateparse + --enable-dnsshuffle + --enable-doh + --enable-symbol-hiding + --enable-http-auth + --enable-ipv6 + --enable-largefile + --enable-manual + --enable-mime + --enable-netrc + $(use_enable progress-meter) + --enable-proxy + --enable-socketpair + --disable-sspi + $(use_enable static-libs static) + --enable-pthreads + --enable-threaded-resolver + --disable-versioned-symbols + --without-amissl + --without-bearssl + $(use_with brotli) + --with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d + $(use_with http2 nghttp2) + --without-hyper + $(use_with idn libidn2) + $(use_with kerberos gssapi "${EPREFIX}"/usr) + --without-libgsasl + --without-libpsl + --without-msh3 + $(use_with nghttp3) + $(use_with nghttp3 ngtcp2) + --without-quiche + $(use_with rtmp librtmp) + --without-schannel + --without-secure-transport + --without-test-caddy + --without-test-httpd + --without-test-nghttpx + $(use_enable websockets) + --without-winidn + --without-wolfssl + --with-zlib + $(use_with zstd) + --with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions + ) + + if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then + myconf+=( + --with-test-nghttpx="${BROOT}/usr/bin/nghttpx" + ) + fi + + if [[ ${CHOST} == *mingw* ]] ; then + myconf+=( + --disable-pthreads + ) + fi + + ECONF_SOURCE="${S}" econf "${myconf[@]}" + + if ! multilib_is_native_abi; then + # Avoid building the client (we just want libcurl for multilib) + sed -i -e '/SUBDIRS/s:src::' Makefile || die + sed -i -e '/SUBDIRS/s:scripts::' Makefile || die + fi + + # Fix up the pkg-config file to be more robust. + # https://github.com/curl/curl/issues/864 + local priv=() libs=() + # We always enable zlib. + libs+=( "-lz" ) + priv+=( "zlib" ) + if use http2; then + libs+=( "-lnghttp2" ) + priv+=( "libnghttp2" ) + fi + if use nghttp3; then + libs+=( "-lnghttp3" "-lngtcp2" ) + priv+=( "libnghttp3" "libngtcp2" ) + fi + if use ssl && use curl_ssl_openssl; then + libs+=( "-lssl" "-lcrypto" ) + priv+=( "openssl" ) + fi + grep -q Requires.private libcurl.pc && die "need to update ebuild" + libs=$(printf '|%s' "${libs[@]}") + sed -i -r \ + -e "/^Libs.private/s:(${libs#|})( |$)::g" \ + libcurl.pc || die + echo "Requires.private: ${priv[*]}" >> libcurl.pc || die +} + +multilib_src_compile() { + default + + if multilib_is_native_abi; then + # Shell completions + ! tc-is-cross-compiler && emake -C scripts + fi +} + +# There is also a pytest harness that tests for bugs in some very specific +# situations; we can rely on upstream for this rather than adding additional test deps. +multilib_src_test() { + # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721 + # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches) + # -v: verbose + # -a: keep going on failure (so we see everything which breaks, not just 1st test) + # -k: keep test files after completion + # -am: automake style TAP output + # -p: print logs if test fails + # Note: if needed, we can skip specific tests. See e.g. Fedora's packaging + # or just read https://github.com/curl/curl/tree/master/tests#run. + # Note: we don't run the testsuite for cross-compilation. + # Upstream recommend 7*nproc as a starting point for parallel tests, but + # this ends up breaking when nproc is huge (like -j80). + # The network sandbox causes tests 241 and 1083 to fail; these are typically skipped + # as most gentoo users don't have an 'ip6-localhost' + multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083" +} + +multilib_src_install() { + emake DESTDIR="${D}" install + + if multilib_is_native_abi; then + # Shell completions + ! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install + fi +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + rm -rf "${ED}"/etc/ || die +} diff --git a/net-misc/curl/curl-9999.ebuild b/net-misc/curl/curl-9999.ebuild index 6f07f5578572..392161f14af2 100644 --- a/net-misc/curl/curl-9999.ebuild +++ b/net-misc/curl/curl-9999.ebuild @@ -22,10 +22,10 @@ fi LICENSE="BSD curl ISC test? ( BSD-4 )" SLOT="0" -IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd" +IUSE="+adns +alt-svc brotli +ftp gnutls gopher +hsts +http2 idn +imap kerberos ldap mbedtls nghttp3 +openssl +pop3" +IUSE+=" +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd" # These select the default SSL implementation IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls" -IUSE+=" nghttp3" RESTRICT="!test? ( test )" # Only one default ssl provider can be enabled @@ -44,34 +44,37 @@ REQUIRED_USE=" curl_ssl_mbedtls? ( mbedtls ) curl_ssl_openssl? ( openssl ) curl_ssl_rustls? ( rustls ) - nghttp3? ( !openssl ) + nghttp3? ( + !openssl + alt-svc ) " # cURL's docs and CI/CD are great resources for confirming supported versions # particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.: -# - https://github.com/curl/curl/blob/master/docs/HTTP3.md -# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml +# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions) +# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly) +# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml (CI/CD for TCP/2) # However 'supported' vs 'works' are two entirely different things; be sane but # don't be afraid to require a later version. RDEPEND=" - sys-libs/zlib[${MULTILIB_USEDEP}] + >=sys-libs/zlib-1.1.4[${MULTILIB_USEDEP}] adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] ) brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) http2? ( >=net-libs/nghttp2-1.12.0:=[${MULTILIB_USEDEP}] ) idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] ) kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) - ldap? ( net-nds/openldap:=[static-libs?,${MULTILIB_USEDEP}] ) + ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] ) nghttp3? ( >=net-libs/nghttp3-0.15.0[${MULTILIB_USEDEP}] >=net-libs/ngtcp2-0.19.1[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] ) rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) - ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] ) + ssh? ( >=net-libs/libssh2-1.0.0[${MULTILIB_USEDEP}] ) ssl? ( gnutls? ( app-misc/ca-certificates - net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}] + >=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}] dev-libs/nettle:=[${MULTILIB_USEDEP}] ) mbedtls? ( @@ -79,7 +82,7 @@ RDEPEND=" net-libs/mbedtls:=[${MULTILIB_USEDEP}] ) openssl? ( - dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] + >=dev-libs/openssl-0.9.7:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] ) rustls? ( net-libs/rustls-ffi:=[${MULTILIB_USEDEP}] diff --git a/net-misc/curl/files/curl-8.3.0-CVE-2023-38545.patch b/net-misc/curl/files/curl-8.3.0-CVE-2023-38545.patch new file mode 100644 index 000000000000..04603a8c01dc --- /dev/null +++ b/net-misc/curl/files/curl-8.3.0-CVE-2023-38545.patch @@ -0,0 +1,136 @@ +https://bugs.gentoo.org/915195 + +From 1e1f915b73ab0895a68348ad1f96a5283a44ffd7 Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Mon, 9 Oct 2023 17:45:07 -0400 +Subject: [PATCH] socks: return error if hostname too long for remote resolve + +Prior to this change the state machine attempted to change the remote +resolve to a local resolve if the hostname was longer than 255 +characters. Unfortunately that did not work as intended and caused a +security issue. + +This patch applies to curl versions 8.2.0 - 8.3.0. Other versions +that are affected take a different patch. Refer to the CVE advisory +for more information. + +Bug: https://curl.se/docs/CVE-2023-38545.html +--- + lib/socks.c | 8 +++---- + tests/data/Makefile.inc | 2 +- + tests/data/test728 | 64 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 69 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test728 + +diff --git a/lib/socks.c b/lib/socks.c +index 25a3578..3d41c93 100644 +--- a/lib/socks.c ++++ b/lib/socks.c +@@ -588,9 +588,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, + + /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ + if(!socks5_resolve_local && hostname_len > 255) { +- infof(data, "SOCKS5: server resolving disabled for hostnames of " +- "length > 255 [actual len=%zu]", hostname_len); +- socks5_resolve_local = TRUE; ++ failf(data, "SOCKS5: the destination hostname is too long to be " ++ "resolved remotely by the proxy."); ++ return CURLPX_LONG_HOSTNAME; + } + + if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) +@@ -904,7 +904,7 @@ CONNECT_RESOLVE_REMOTE: + } + else { + socksreq[len++] = 3; +- socksreq[len++] = (char) hostname_len; /* one byte address length */ ++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ + memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */ + len += hostname_len; + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 8ee1394..3e2094e 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -100,7 +100,7 @@ test679 test680 test681 test682 test683 test684 test685 test686 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 test716 test717 \ +-test718 test719 test720 test721 \ ++test718 test719 test720 test721 test728 \ + \ + test799 test800 test801 test802 test803 test804 test805 test806 test807 \ + test808 test809 test810 test811 test812 test813 test814 test815 test816 \ +diff --git a/tests/data/test728 b/tests/data/test728 +new file mode 100644 +index 0000000..05bcf28 +--- /dev/null ++++ b/tests/data/test728 +@@ -0,0 +1,64 @@ ++ ++ ++ ++HTTP ++HTTP GET ++SOCKS5 ++SOCKS5h ++followlocation ++ ++ ++ ++# ++# Server-side ++ ++# The hostname in this redirect is 256 characters and too long (> 255) for ++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case. ++ ++HTTP/1.1 301 Moved Permanently ++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ ++Content-Length: 0 ++Connection: close ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++proxy ++ ++ ++http ++socks5 ++ ++ ++SOCKS5h with HTTP redirect to hostname too long ++ ++ ++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++97 ++ ++# the error message is verified because error code CURLE_PROXY (97) may be ++# returned for any number of reasons and we need to make sure it is ++# specifically for the reason below so that we know the check is working. ++ ++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy. ++ ++ ++ +-- +2.7.4 + diff --git a/net-misc/curl/files/curl-8.3.0-CVE-2023-38546.patch b/net-misc/curl/files/curl-8.3.0-CVE-2023-38546.patch new file mode 100644 index 000000000000..615ab26cb2a8 --- /dev/null +++ b/net-misc/curl/files/curl-8.3.0-CVE-2023-38546.patch @@ -0,0 +1,131 @@ +https://bugs.gentoo.org/915195 +https://github.com/curl/curl/commit/61275672b46d9abb3285740467b882e22ed75da8 + +From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 14 Sep 2023 23:28:32 +0200 +Subject: [PATCH] cookie: remove unnecessary struct fields + +Plus: reduce the hash table size from 256 to 63. It seems unlikely to +make much of a speed difference for most use cases but saves 1.5KB of +data per instance. + +Closes #11862 +--- + lib/cookie.c | 13 +------------ + lib/cookie.h | 13 ++++--------- + lib/easy.c | 4 +--- + 3 files changed, 6 insertions(+), 24 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 4345a84c6fd9d..e39c89a94a960 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co) + free(co->name); + free(co->value); + free(co->maxage); +- free(co->version); + free(co); + } + +@@ -718,11 +717,7 @@ Curl_cookie_add(struct Curl_easy *data, + } + } + else if((nlen == 7) && strncasecompare("version", namep, 7)) { +- strstore(&co->version, valuep, vlen); +- if(!co->version) { +- badcookie = TRUE; +- break; +- } ++ /* just ignore */ + } + else if((nlen == 7) && strncasecompare("max-age", namep, 7)) { + /* +@@ -1160,7 +1155,6 @@ Curl_cookie_add(struct Curl_easy *data, + free(clist->path); + free(clist->spath); + free(clist->expirestr); +- free(clist->version); + free(clist->maxage); + + *clist = *co; /* then store all the new data */ +@@ -1224,9 +1218,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, + c = calloc(1, sizeof(struct CookieInfo)); + if(!c) + return NULL; /* failed to get memory */ +- c->filename = strdup(file?file:"none"); /* copy the name just in case */ +- if(!c->filename) +- goto fail; /* failed to get memory */ + /* + * Initialize the next_expiration time to signal that we don't have enough + * information yet. +@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) + CLONE(name); + CLONE(value); + CLONE(maxage); +- CLONE(version); + d->expires = src->expires; + d->tailmatch = src->tailmatch; + d->secure = src->secure; +@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) + { + if(c) { + unsigned int i; +- free(c->filename); + for(i = 0; i < COOKIE_HASH_SIZE; i++) + Curl_cookie_freelist(c->cookies[i]); + free(c); /* free the base struct as well */ +diff --git a/lib/cookie.h b/lib/cookie.h +index b3c0063b2cfb2..41e9e7a6914e0 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -36,11 +36,7 @@ struct Cookie { + char *domain; /* domain = */ + curl_off_t expires; /* expires = */ + char *expirestr; /* the plain text version */ +- +- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ +- char *version; /* Version = */ + char *maxage; /* Max-Age = */ +- + bool tailmatch; /* whether we do tail-matching of the domain name */ + bool secure; /* whether the 'secure' keyword was used */ + bool livecookie; /* updated from a server, not a stored file */ +@@ -56,17 +52,16 @@ struct Cookie { + #define COOKIE_PREFIX__SECURE (1<<0) + #define COOKIE_PREFIX__HOST (1<<1) + +-#define COOKIE_HASH_SIZE 256 ++#define COOKIE_HASH_SIZE 63 + + struct CookieInfo { + /* linked list of cookies we know of */ + struct Cookie *cookies[COOKIE_HASH_SIZE]; +- char *filename; /* file we read from/write to */ +- long numcookies; /* number of cookies in the "jar" */ ++ curl_off_t next_expiration; /* the next time at which expiration happens */ ++ int numcookies; /* number of cookies in the "jar" */ ++ int lastct; /* last creation-time used in the jar */ + bool running; /* state info, for cookie adding information */ + bool newsession; /* new session, discard session cookies on load */ +- int lastct; /* last creation-time used in the jar */ +- curl_off_t next_expiration; /* the next time at which expiration happens */ + }; + + /* The maximum sizes we accept for cookies. RFC 6265 section 6.1 says +diff --git a/lib/easy.c b/lib/easy.c +index 16bbd35251d40..03195481f9780 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + if(data->cookies) { + /* If cookies are enabled in the parent handle, we enable them + in the clone as well! */ +- outcurl->cookies = Curl_cookie_init(data, +- data->cookies->filename, +- outcurl->cookies, ++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, + data->set.cookiesession); + if(!outcurl->cookies) + goto fail; -- cgit v1.2.3