commit e70580baf2dac894568cbdf488b930072ef27f0f
author Oleksandr Tymoshenko <ovt@google.com> Fri Feb 16 03:52:16 2024 +0000
committer Oleksandr Tymoshenko <ovt@google.com> Sat Feb 17 01:13:40 2024 +0000
tree fe4a8bf1bc8b3008c9458e8a7e589c63cd4d91a4
parent b3a67f36cf036ef568df69a398b143844bb8f4f3

curl: upgraded package to upstream

Upgraded net-misc/curl to version 8.6.0.

BUG=b/324989804
TEST=presubmit
RELEASE_NOTE=Upgraded net-misc/curl to version 8.6.0. This fixes CVE-2024-0853.

cos-patch: security-moderate
Change-Id: Ia0351425c0b0b8d11d77e13607bbaf762ee41928
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/65156
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Arnav Kansal <rnv@google.com>

net-misc/curl/Manifest

diff --git a/net-misc/curl/Manifest b/net-misc/curl/Manifest
index cf734b4..6df789c 100644
--- a/net-misc/curl/Manifest
+++ b/net-misc/curl/Manifest
@@ -1,6 +1,2 @@
-DIST curl-8.3.0.tar.xz 2641764 BLAKE2B 6875b20e27ed86f9b6ab256210d85e9fb3b39645e8be710b2e6fe29fba40220f870e06bc21e8a92244670fed0a08c7716e4806a267ede49c4ed6d66e03f5fcd4 SHA512 6404b4c74fe1185cb482631ca3a143996cb7298d0d8a76bfafd7696e7729c00559999a069bdba782dee3f3eb273fb678a4438cb27d3deca54022878cdff83a51
-DIST curl-8.3.0.tar.xz.asc 488 BLAKE2B ef5a749e579710d45db9f73da0cbcb58d77a9dfe73be622536496997fa792fe5cbd0331a31f01e21cbdb36c6384dca44baa647c9f3d20effabb5bfc275b1b491 SHA512 b7d45722640ac50181b20a6d663168ec6eec6691c5604ddfe9c7177f07da598cb2de688c631043dc428c311774d781ccd16bd1e2fb4f038be651e3bee383aec4
-DIST curl-8.4.0.tar.xz 2658376 BLAKE2B ea5ebecc3c1aeac3ae8fd0cf7d8ff3298149b9c4c556fb85ed8d9310e3613228eb6fca133b0dfb9268988f93d694779fab8d53510cfa5710c1320bb6638f05eb SHA512 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b
-DIST curl-8.4.0.tar.xz.asc 488 BLAKE2B 0fd4ea46a0942b9bc440e91e8f9323bba6d0eb02fbc87c227004c90e5be14cc644446bc235ab67f857b617975cdeada6ce38a647da9e0bd783e57d58f354cdb4 SHA512 b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e
-DIST curl-8.5.0.tar.xz 2658520 BLAKE2B cfd591f9703b9c63712dbe74494b05a80ce5a4fc4f8fc0fbf57058578eed5f33d71277f688d5d9f409bcd82e3a4cacaa5615a44f2a7c554559c6be7dd5188893 SHA512 acffa2cf61d9b8e4188575a1b40227da8d722df2e5fe8bb82a222b4eb2fd64bf8aebd90852ce050c79fb5e517d5cee2546bf7de92ede1dd394263e231cb741a3
-DIST curl-8.5.0.tar.xz.asc 488 BLAKE2B d706c401aecf345398411b94c87b8f1ecc752d73d24e1a578c8c0e62732e8e476333a2a4772428c6425eb0d124b1ceee8e377cf41d60a54b6f2df5cccc0b9f23 SHA512 9c6a2e61860878cd731d951fac1bb52cd314db20439a5173a95b48da1742737e02bfb9978d65e25de6535f839e281235203599a29f252e78e0d7a83769727329
+DIST curl-8.6.0.tar.xz 2630108 BLAKE2B 1b01de396008d57e154e2b5fc1acf1dd000703fa5d70b913dafea5487f0166bd8fdb63eee5c9b5af08a1ca40dd026144a791016f67c2395fcfc9c6b555929034 SHA512 359c08d88a5dec441255b36afe1a821730eca0ca8800ba52f57132b9e7d21f32457623907b4ae4876904b5e505eb1a59652372bb7de8dbd8db429dae9785e036
+DIST curl-8.6.0.tar.xz.asc 488 BLAKE2B 18d7583a9aa6a278bea5a8a74461ff06f45ec418cd4542b015c74091c353b340afcc5dfe7e5e99f0b9fac7de9251164044a85e4f6665bf042636868a2c613d0a SHA512 2b835bb4b307e5e1c929b7136c5acfb9f6f06efa471ac27060336cabcfac40e02143f40434986c5e6817d4a9562b09efa8ff3168beed310a45453148cc1b5c8f

net-misc/curl/curl-8.6.0.ebuild

diff --git a/net-misc/curl/curl-8.5.0.ebuild b/net-misc/curl/curl-8.6.0.ebuild
similarity index 98%
rename from net-misc/curl/curl-8.5.0.ebuild
rename to net-misc/curl/curl-8.6.0.ebuild
index 23bb490..ba1667c 100644
--- a/net-misc/curl/curl-8.5.0.ebuild
+++ b/net-misc/curl/curl-8.6.0.ebuild
@@ -344,8 +344,7 @@
 	# this ends up breaking when nproc is huge (like -j80).
 	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
 	# as most gentoo users don't have an 'ip6-localhost'
-	# Required deps for 1477 are not included in the release tarball for 8.5.0
-	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083 !1477"
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
 }
 
 multilib_src_install() {

net-misc/curl/files/curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch

diff --git a/net-misc/curl/files/curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch b/net-misc/curl/files/curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch
new file mode 100644
index 0000000..66e8399
--- /dev/null
+++ b/net-misc/curl/files/curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch
@@ -0,0 +1,68 @@
+https://bugs.gentoo.org/924017
+https://github.com/curl/curl/pull/12848
+
+From ed09a99af57200643d5ae001e815eeab9ffe3f84 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Thu, 1 Feb 2024 18:15:50 +0100
+Subject: [PATCH] vtls: revert "receive max buffer" + add test case
+
+- add test_05_04 for requests using http/1.0, http/1.1 and h2 against an
+  Apache resource that does an unclean TLS shutdown.
+- revert special workarund in openssl.c for suppressing shutdown errors
+  on multiplexed connections
+- vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53
+
+Fixes #12885
+Fixes #12844
+
+Closes #12848
+---
+ lib/vtls/vtls.c | 27 ++++++---------------------
+ 1 file changed, 6 insertions(+), 21 deletions(-)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index e928ba5d0..f654a9749 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -1715,32 +1715,17 @@ static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
+ {
+   struct cf_call_data save;
+   ssize_t nread;
+-  size_t ntotal = 0;
+ 
+   CF_DATA_SAVE(save, cf, data);
+   *err = CURLE_OK;
+-  /* Do receive until we fill the buffer somehwhat or EGAIN, error or EOF */
+-  while(!ntotal || (len - ntotal) > (4*1024)) {
++  nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
++  if(nread > 0) {
++    DEBUGASSERT((size_t)nread <= len);
++  }
++  else if(nread == 0) {
++    /* eof */
+     *err = CURLE_OK;
+-    nread = Curl_ssl->recv_plain(cf, data, buf + ntotal, len - ntotal, err);
+-    if(nread < 0) {
+-      if(*err == CURLE_AGAIN && ntotal > 0) {
+-        /* we EAGAINed after having reed data, return the success amount */
+-        *err = CURLE_OK;
+-        break;
+-      }
+-      /* we have a an error to report */
+-      goto out;
+-    }
+-    else if(nread == 0) {
+-      /* eof */
+-      break;
+-    }
+-    ntotal += (size_t)nread;
+-    DEBUGASSERT((size_t)ntotal <= len);
+   }
+-  nread = (ssize_t)ntotal;
+-out:
+   CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len,
+               nread, *err);
+   CF_DATA_RESTORE(cf, save);
+-- 
+2.43.0
+

net-misc/curl/metadata.xml

diff --git a/net-misc/curl/metadata.xml b/net-misc/curl/metadata.xml
index 7f3ef92..b98e894 100644
--- a/net-misc/curl/metadata.xml
+++ b/net-misc/curl/metadata.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
-	<maintainer type="person" proxied="yes">
-		<email>Matt.Jolly@footclan.ninja</email>
+	<maintainer type="person">
+		<email>kangie@gentoo.org</email>
 		<name>Matt Jolly</name>
 	</maintainer>
 	<maintainer type="project">
@@ -15,7 +15,6 @@
 		<flag name="gnutls">Enable gnutls ssl backend</flag>
 		<flag name="gopher">Enable Gopher protocol support</flag>
 		<flag name="hsts">Enable HTTP Strict Transport Security</flag>
-		<flag name="http2">Enable HTTP/2.0 support</flag>
 		<flag name="imap">Enable Internet Message Access Protocol support</flag>
 		<flag name="mbedtls">Enable mbedtls ssl backend</flag>
 		<flag name="nghttp3">Enable HTTP/3.0 support using <pkg>net-libs/nghttp3</pkg> and <pkg>net-libs/ngtcp2</pkg></flag>