From 1a66a3e0e86dca4f727f9b545bfd2831c52cc7df Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Mon, 16 Oct 2023 19:06:29 +0530 Subject: [PATCH] backport curl CVE to flatcar-3033 (LTS-2022) CVEs for which patches are added CVE-2023-38545 CVE-2023-38546 
Signed-off-by: Sayan Chowdhury --- .../coreos-overlay/net-misc/curl/Manifest | 3 + .../net-misc/curl/curl-7.78.0-r1.ebuild | 290 +++++++++++++++++ .../net-misc/curl/curl-7.78.0-r3.ebuild | 290 +++++++++++++++++ .../net-misc/curl/curl-7.79.0.ebuild | 293 ++++++++++++++++++ .../net-misc/curl/curl-7.79.1.ebuild | 293 ++++++++++++++++++ .../curl/files/curl-7.30.0-prefix.patch | 21 ++ ...url-7.79.0-http-3digit-response-code.patch | 47 +++ .../curl-7.79.0-http2-connection-data.patch | 43 +++ .../files/curl-7.79.1-CVE-2023-38545.patch | 136 ++++++++ .../files/curl-7.79.1-CVE-2023-38546.patch | 134 ++++++++ .../curl/files/curl-respect-cflags-3.patch | 14 + .../coreos-overlay/net-misc/curl/metadata.xml | 40 +++ 12 files changed, 1604 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/curl/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.78.0-r1.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.78.0-r3.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.79.0.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.79.1.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.30.0-prefix.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.0-http-3digit-response-code.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.0-http2-connection-data.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.1-CVE-2023-38545.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.1-CVE-2023-38546.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-respect-cflags-3.patch create mode 100644 
sdk_container/src/third_party/coreos-overlay/net-misc/curl/metadata.xml
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/Manifest
new file mode 100644
index 00000000000..6ee95e4498c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/Manifest
@@ -0,0 +1,3 @@
+DIST curl-7.78.0.tar.xz 2440640 BLAKE2B 0422071ce22d38b89652c702989674a2257dd18b05004245c4f2d7494ccdd24b5b52f330629ce6a411a059d5990e8c879cbbdf23d873b881141f9d2b9ad07f7f SHA512 f72e822a0b5e28320ef547c7a441c07f3b4870579a70ab4c428751baba435a1385cb89a22b9ed4b84a7fafecf620f155911e4131e3463ec1bdad80ecde47bb7a
+DIST curl-7.79.0.tar.xz 2463072 BLAKE2B c3a8a60d3c04965272b1a439a4719cfaca903daaecd6265869b9188d1b6b13be63817b9daa77260673d67330baa3d9c2d917274f939cdadc467ac64d8fcf3203 SHA512 68bccba61f18de9f94c311b0d92cfa6572bb7e55e8773917c13b25203164a5a9f4ef6b8ad84a14d3d5dcb286271bf18c3dd84c4ca353866763c726f9defce808
+DIST curl-7.79.1.tar.xz 2465212 BLAKE2B 2b694f96661c0aa0a136fdae4159e0ca8e811557c5a1f0b47cccaaad122f3ddbdaa6450c3835290955baf9357e872ee105a8cb0912064af3d3e38d16beb124ad SHA512 1edb71647a7f4dbb070baf1a019b4751aefeda793ff523c504410bb5cc74e5bffc52f20dd889697d1585f9ca3c4e81b1a9caadd182c30c8358ffd25f33e4db4d
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.78.0-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.78.0-r1.ebuild
new file mode 100644
index 00000000000..8711f462b1d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.78.0-r1.ebuild
@@ -0,0 +1,290 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +inherit autotools prefix multilib-minimal + +DESCRIPTION="A Client that groks URLs" +HOMEPAGE="https://curl.haxx.se/" +SRC_URI="https://curl.haxx.se/download/${P}.tar.xz" + +LICENSE="curl" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap ipv6 kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp samba +smtp ssh ssl sslv3 static-libs test telnet +tftp threads winssl zstd" +IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_winssl" +IUSE+=" nghttp3 quiche" +IUSE+=" elibc_Winnt" + +# c-ares must be disabled for threads +# only one default ssl provider can be enabled +REQUIRED_USE=" + winssl? ( elibc_Winnt ) + threads? ( !adns ) + ssl? ( + ^^ ( + curl_ssl_gnutls + curl_ssl_mbedtls + curl_ssl_nss + curl_ssl_openssl + curl_ssl_winssl + ) + )" + +# lead to lots of false negatives, bug #285669 +RESTRICT="!test? ( test )" + +RDEPEND="ldap? ( net-nds/openldap[${MULTILIB_USEDEP}] ) + brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) + ssl? ( + gnutls? ( + net-libs/gnutls:0=[static-libs?,${MULTILIB_USEDEP}] + dev-libs/nettle:0=[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + mbedtls? ( + net-libs/mbedtls:0=[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + openssl? ( + dev-libs/openssl:0=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] + ) + nss? ( + dev-libs/nss:0[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + ) + http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] ) + nghttp3? ( + net-libs/nghttp3[${MULTILIB_USEDEP}] + net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}] + ) + quiche? ( >=net-libs/quiche-0.3.0[${MULTILIB_USEDEP}] ) + idn? 
( net-dns/libidn2:0=[static-libs?,${MULTILIB_USEDEP}] ) + adns? ( net-dns/c-ares:0=[${MULTILIB_USEDEP}] ) + kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) + rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) + ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] ) + sys-libs/zlib[${MULTILIB_USEDEP}] + zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )" + +# Do we need to enforce the same ssl backend for curl and rtmpdump? Bug #423303 +# rtmp? ( +# media-video/rtmpdump +# curl_ssl_gnutls? ( media-video/rtmpdump[gnutls] ) +# curl_ssl_openssl? ( media-video/rtmpdump[-gnutls,ssl] ) +# ) + +# ssl providers to be added: +# fbopenssl $(use_with spnego) + +DEPEND="${RDEPEND}" +BDEPEND="virtual/pkgconfig + test? ( + sys-apps/diffutils + dev-lang/perl + )" + +DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/curl/curlbuild.h +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/curl-config +) + +PATCHES=( + "${FILESDIR}"/${PN}-7.30.0-prefix.patch + "${FILESDIR}"/${PN}-respect-cflags-3.patch +) + +src_prepare() { + default + + eprefixify curl-config.in + eautoreconf +} + +multilib_src_configure() { + # We make use of the fact that later flags override earlier ones + # So start with all ssl providers off until proven otherwise + # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) + local myconf=() + + myconf+=( --without-gnutls --without-mbedtls --without-nss --without-polarssl --without-ssl --without-winssl ) + myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) + #myconf+=( --without-default-ssl-backend ) + if use ssl ; then + if use gnutls || use curl_ssl_gnutls; then + einfo "SSL provided by gnutls" + myconf+=( --with-gnutls --with-nettle ) + fi + if use mbedtls || use curl_ssl_mbedtls; then + einfo "SSL provided by mbedtls" + myconf+=( --with-mbedtls ) + fi + if use nss || use curl_ssl_nss; then + einfo "SSL provided by nss" + myconf+=( --with-nss 
) + fi + if use openssl || use curl_ssl_openssl; then + einfo "SSL provided by openssl" + myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) + fi + if use winssl || use curl_ssl_winssl; then + einfo "SSL provided by Windows" + myconf+=( --with-winssl ) + fi + + if use curl_ssl_gnutls; then + einfo "Default SSL provided by gnutls" + myconf+=( --with-default-ssl-backend=gnutls ) + elif use curl_ssl_mbedtls; then + einfo "Default SSL provided by mbedtls" + myconf+=( --with-default-ssl-backend=mbedtls ) + elif use curl_ssl_nss; then + einfo "Default SSL provided by nss" + myconf+=( --with-default-ssl-backend=nss ) + elif use curl_ssl_openssl; then + einfo "Default SSL provided by openssl" + myconf+=( --with-default-ssl-backend=openssl ) + elif use curl_ssl_winssl; then + einfo "Default SSL provided by Windows" + myconf+=( --with-default-ssl-backend=winssl ) + else + eerror "We can't be here because of REQUIRED_USE." + fi + + else + einfo "SSL disabled" + fi + + # These configuration options are organized alphabetically + # within each category. This should make it easier if we + # ever decide to make any of them contingent on USE flags: + # 1) protocols first. To see them all do + # 'grep SUPPORT_PROTOCOLS configure.ac' + # 2) --enable/disable options second. + # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort + # 3) --with/without options third. 
+ # grep -- --with configure | grep Check | awk '{ print $4 }' | sort + + myconf+=( + $(use_enable alt-svc) + --enable-crypto-auth + --enable-dict + --disable-ech + --enable-file + $(use_enable ftp) + $(use_enable gopher) + $(use_enable hsts) + --enable-http + $(use_enable imap) + $(use_enable ldap) + $(use_enable ldap ldaps) + --disable-ntlm + --disable-ntlm-wb + $(use_enable pop3) + --enable-rt + --enable-rtsp + $(use_enable samba smb) + $(use_with ssh libssh2) + $(use_enable smtp) + $(use_enable telnet) + $(use_enable tftp) + --enable-tls-srp + $(use_enable adns ares) + --enable-cookies + --enable-dateparse + --enable-dnsshuffle + --enable-doh + --enable-hidden-symbols + --enable-http-auth + $(use_enable ipv6) + --enable-largefile + --enable-manual + --enable-mime + --enable-netrc + $(use_enable progress-meter) + --enable-proxy + --disable-sspi + $(use_enable static-libs static) + $(use_enable threads threaded-resolver) + $(use_enable threads pthreads) + --disable-versioned-symbols + --without-amissl + --without-bearssl + $(use_with brotli) + --without-cyassl + --without-fish-functions-dir + $(use_with http2 nghttp2) + --without-hyper + $(use_with idn libidn2) + $(use_with kerberos gssapi "${EPREFIX}"/usr) + --without-libgsasl + --without-libpsl + $(use_with nghttp3) + $(use_with nghttp3 ngtcp2) + $(use_with quiche) + $(use_with rtmp librtmp) + --without-rustls + --without-schannel + --without-secure-transport + --without-spnego + --without-winidn + --without-wolfssl + --with-zlib + $(use_with zstd) + ) + + ECONF_SOURCE="${S}" \ + econf "${myconf[@]}" + + if ! multilib_is_native_abi; then + # avoid building the client + sed -i -e '/SUBDIRS/s:src::' Makefile || die + sed -i -e '/SUBDIRS/s:scripts::' Makefile || die + fi + + # Fix up the pkg-config file to be more robust. + # https://github.com/curl/curl/issues/864 + local priv=() libs=() + # We always enable zlib. 
+ libs+=( "-lz" ) + priv+=( "zlib" ) + if use http2; then + libs+=( "-lnghttp2" ) + priv+=( "libnghttp2" ) + fi + if use quiche; then + libs+=( "-lquiche" ) + priv+=( "quiche" ) + fi + if use nghttp3; then + libs+=( "-lnghttp3" "-lngtcp2" ) + priv+=( "libnghttp3" "-libtcp2" ) + fi + if use ssl && use curl_ssl_openssl; then + libs+=( "-lssl" "-lcrypto" ) + priv+=( "openssl" ) + fi + grep -q Requires.private libcurl.pc && die "need to update ebuild" + libs=$(printf '|%s' "${libs[@]}") + sed -i -r \ + -e "/^Libs.private/s:(${libs#|})( |$)::g" \ + libcurl.pc || die + echo "Requires.private: ${priv[*]}" >> libcurl.pc +} + +multilib_src_test() { + multilib_is_native_abi && default_src_test +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + rm -rf "${ED}"/etc/ || die +} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.78.0-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.78.0-r3.ebuild new file mode 100644 index 00000000000..2859ae2efd9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.78.0-r3.ebuild 
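Review bot: The CVE-2023-38545 and CVE-2023-38546 patches this commit backports are wired only into the curl-7.79.1 ebuild's PATCHES array; this curl-7.78.0-r1 ebuild, like curl-7.78.0-r3.ebuild and curl-7.79.0.ebuild added in the same commit, lists only `"${FILESDIR}"/${PN}-7.30.0-prefix.patch` and `"${FILESDIR}"/${PN}-respect-cflags-3.patch`, so whatever it builds is not covered by the fix. It is also the only one of the four ebuilds whose KEYWORDS has an unmasked `arm64` (7.79.1 carries `~arm64`), so on an arm64 profile that does not accept testing keywords for net-misc/curl portage would presumably resolve to this unpatched revision rather than the patched one — worth confirming against the SDK's accept_keywords settings. Either drop the three older ebuilds from the overlay, mask them, or carry CVE patches that apply to their versions, so the only selectable version is the patched one.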
@@ -0,0 +1,290 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +inherit autotools prefix multilib-minimal + +DESCRIPTION="A Client that groks URLs" +HOMEPAGE="https://curl.haxx.se/" +SRC_URI="https://curl.haxx.se/download/${P}.tar.xz" + +LICENSE="curl" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap ipv6 kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp samba +smtp ssh ssl sslv3 static-libs test telnet +tftp threads winssl zstd" +IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_winssl" +IUSE+=" nghttp3 quiche" +IUSE+=" elibc_Winnt" + +# c-ares must be disabled for threads +# only one default ssl provider can be enabled +REQUIRED_USE=" + winssl? ( elibc_Winnt ) + threads? ( !adns ) + ssl? ( + ^^ ( + curl_ssl_gnutls + curl_ssl_mbedtls + curl_ssl_nss + curl_ssl_openssl + curl_ssl_winssl + ) + )" + +# lead to lots of false negatives, bug #285669 +RESTRICT="!test? ( test )" + +RDEPEND="ldap? ( net-nds/openldap[${MULTILIB_USEDEP}] ) + brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) + ssl? ( + gnutls? ( + net-libs/gnutls:0=[static-libs?,${MULTILIB_USEDEP}] + dev-libs/nettle:0=[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + mbedtls? ( + net-libs/mbedtls:0=[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + openssl? ( + dev-libs/openssl:0=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] + ) + nss? ( + dev-libs/nss:0[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + ) + http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] ) + nghttp3? ( + net-libs/nghttp3[${MULTILIB_USEDEP}] + net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}] + ) + quiche? ( >=net-libs/quiche-0.3.0[${MULTILIB_USEDEP}] ) + idn? 
( net-dns/libidn2:0=[static-libs?,${MULTILIB_USEDEP}] ) + adns? ( net-dns/c-ares:0=[${MULTILIB_USEDEP}] ) + kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) + rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) + ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] ) + sys-libs/zlib[${MULTILIB_USEDEP}] + zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )" + +# Do we need to enforce the same ssl backend for curl and rtmpdump? Bug #423303 +# rtmp? ( +# media-video/rtmpdump +# curl_ssl_gnutls? ( media-video/rtmpdump[gnutls] ) +# curl_ssl_openssl? ( media-video/rtmpdump[-gnutls,ssl] ) +# ) + +# ssl providers to be added: +# fbopenssl $(use_with spnego) + +DEPEND="${RDEPEND}" +BDEPEND="virtual/pkgconfig + test? ( + sys-apps/diffutils + dev-lang/perl + )" + +DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/curl/curlbuild.h +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/curl-config +) + +PATCHES=( + "${FILESDIR}"/${PN}-7.30.0-prefix.patch + "${FILESDIR}"/${PN}-respect-cflags-3.patch +) + +src_prepare() { + default + + eprefixify curl-config.in + eautoreconf +} + +multilib_src_configure() { + # We make use of the fact that later flags override earlier ones + # So start with all ssl providers off until proven otherwise + # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) + local myconf=() + + myconf+=( --without-gnutls --without-mbedtls --without-nss --without-polarssl --without-ssl --without-winssl ) + myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) + #myconf+=( --without-default-ssl-backend ) + if use ssl ; then + if use gnutls || use curl_ssl_gnutls; then + einfo "SSL provided by gnutls" + myconf+=( --with-gnutls --with-nettle ) + fi + if use mbedtls || use curl_ssl_mbedtls; then + einfo "SSL provided by mbedtls" + myconf+=( --with-mbedtls ) + fi + if use nss || use curl_ssl_nss; then + einfo "SSL provided by nss" + myconf+=( --with-nss 
) + fi + if use openssl || use curl_ssl_openssl; then + einfo "SSL provided by openssl" + myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) + fi + if use winssl || use curl_ssl_winssl; then + einfo "SSL provided by Windows" + myconf+=( --with-winssl ) + fi + + if use curl_ssl_gnutls; then + einfo "Default SSL provided by gnutls" + myconf+=( --with-default-ssl-backend=gnutls ) + elif use curl_ssl_mbedtls; then + einfo "Default SSL provided by mbedtls" + myconf+=( --with-default-ssl-backend=mbedtls ) + elif use curl_ssl_nss; then + einfo "Default SSL provided by nss" + myconf+=( --with-default-ssl-backend=nss ) + elif use curl_ssl_openssl; then + einfo "Default SSL provided by openssl" + myconf+=( --with-default-ssl-backend=openssl ) + elif use curl_ssl_winssl; then + einfo "Default SSL provided by Windows" + myconf+=( --with-default-ssl-backend=winssl ) + else + eerror "We can't be here because of REQUIRED_USE." + fi + + else + einfo "SSL disabled" + fi + + # These configuration options are organized alphabetically + # within each category. This should make it easier if we + # ever decide to make any of them contingent on USE flags: + # 1) protocols first. To see them all do + # 'grep SUPPORT_PROTOCOLS configure.ac' + # 2) --enable/disable options second. + # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort + # 3) --with/without options third. 
+ # grep -- --with configure | grep Check | awk '{ print $4 }' | sort + + myconf+=( + $(use_enable alt-svc) + --enable-crypto-auth + --enable-dict + --disable-ech + --enable-file + $(use_enable ftp) + $(use_enable gopher) + $(use_enable hsts) + --enable-http + $(use_enable imap) + $(use_enable ldap) + $(use_enable ldap ldaps) + --enable-ntlm + --disable-ntlm-wb + $(use_enable pop3) + --enable-rt + --enable-rtsp + $(use_enable samba smb) + $(use_with ssh libssh2) + $(use_enable smtp) + $(use_enable telnet) + $(use_enable tftp) + --enable-tls-srp + $(use_enable adns ares) + --enable-cookies + --enable-dateparse + --enable-dnsshuffle + --enable-doh + --enable-hidden-symbols + --enable-http-auth + $(use_enable ipv6) + --enable-largefile + --enable-manual + --enable-mime + --enable-netrc + $(use_enable progress-meter) + --enable-proxy + --disable-sspi + $(use_enable static-libs static) + $(use_enable threads threaded-resolver) + $(use_enable threads pthreads) + --disable-versioned-symbols + --without-amissl + --without-bearssl + $(use_with brotli) + --without-cyassl + --without-fish-functions-dir + $(use_with http2 nghttp2) + --without-hyper + $(use_with idn libidn2) + $(use_with kerberos gssapi "${EPREFIX}"/usr) + --without-libgsasl + --without-libpsl + $(use_with nghttp3) + $(use_with nghttp3 ngtcp2) + $(use_with quiche) + $(use_with rtmp librtmp) + --without-rustls + --without-schannel + --without-secure-transport + --without-spnego + --without-winidn + --without-wolfssl + --with-zlib + $(use_with zstd) + ) + + ECONF_SOURCE="${S}" \ + econf "${myconf[@]}" + + if ! multilib_is_native_abi; then + # avoid building the client + sed -i -e '/SUBDIRS/s:src::' Makefile || die + sed -i -e '/SUBDIRS/s:scripts::' Makefile || die + fi + + # Fix up the pkg-config file to be more robust. + # https://github.com/curl/curl/issues/864 + local priv=() libs=() + # We always enable zlib. 
+ libs+=( "-lz" ) + priv+=( "zlib" ) + if use http2; then + libs+=( "-lnghttp2" ) + priv+=( "libnghttp2" ) + fi + if use quiche; then + libs+=( "-lquiche" ) + priv+=( "quiche" ) + fi + if use nghttp3; then + libs+=( "-lnghttp3" "-lngtcp2" ) + priv+=( "libnghttp3" "-libtcp2" ) + fi + if use ssl && use curl_ssl_openssl; then + libs+=( "-lssl" "-lcrypto" ) + priv+=( "openssl" ) + fi + grep -q Requires.private libcurl.pc && die "need to update ebuild" + libs=$(printf '|%s' "${libs[@]}") + sed -i -r \ + -e "/^Libs.private/s:(${libs#|})( |$)::g" \ + libcurl.pc || die + echo "Requires.private: ${priv[*]}" >> libcurl.pc +} + +multilib_src_test() { + multilib_is_native_abi && default_src_test +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + rm -rf "${ED}"/etc/ || die +} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.79.0.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.79.0.ebuild new file mode 100644 index 00000000000..380b1da5a4e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.79.0.ebuild 
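Review bot: In the pkg-config fix-up at the end of multilib_src_configure, `priv+=( "libnghttp3" "-libtcp2" )` puts a linker-flag-looking token into Requires.private, while the matching `libs+=( "-lnghttp3" "-lngtcp2" )` names ngtcp2; Requires.private takes pkg-config module names, so this looks like a typo for the ngtcp2 module (presumably `libngtcp2` — confirm against the .pc file net-libs/ngtcp2 installs). With USE=nghttp3 the generated libcurl.pc would then reference a module pkg-config cannot resolve, which breaks consumers that link libcurl statically. The same line appears in curl-7.78.0-r1.ebuild, curl-7.79.0.ebuild and curl-7.79.1.ebuild in this commit; it is harmless while nghttp3 stays off, which is the default here.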
@@ -0,0 +1,293 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +inherit autotools prefix multilib-minimal + +DESCRIPTION="A Client that groks URLs" +HOMEPAGE="https://curl.haxx.se/" +SRC_URI="https://curl.haxx.se/download/${P}.tar.xz" + +LICENSE="curl" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap ipv6 kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp samba +smtp ssh ssl sslv3 static-libs test telnet +tftp threads winssl zstd" +IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_winssl" +IUSE+=" nghttp3 quiche" +IUSE+=" elibc_Winnt" + +# c-ares must be disabled for threads +# only one default ssl provider can be enabled +REQUIRED_USE=" + winssl? ( elibc_Winnt ) + threads? ( !adns ) + ssl? ( + ^^ ( + curl_ssl_gnutls + curl_ssl_mbedtls + curl_ssl_nss + curl_ssl_openssl + curl_ssl_winssl + ) + )" + +# lead to lots of false negatives, bug #285669 +RESTRICT="!test? ( test )" + +RDEPEND="ldap? ( net-nds/openldap[${MULTILIB_USEDEP}] ) + brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) + ssl? ( + gnutls? ( + net-libs/gnutls:0=[static-libs?,${MULTILIB_USEDEP}] + dev-libs/nettle:0=[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + mbedtls? ( + net-libs/mbedtls:0=[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + openssl? ( + dev-libs/openssl:0=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] + ) + nss? ( + dev-libs/nss:0[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + ) + http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] ) + nghttp3? ( + net-libs/nghttp3[${MULTILIB_USEDEP}] + net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}] + ) + quiche? ( >=net-libs/quiche-0.3.0[${MULTILIB_USEDEP}] ) + idn? 
( net-dns/libidn2:0=[static-libs?,${MULTILIB_USEDEP}] ) + adns? ( net-dns/c-ares:0=[${MULTILIB_USEDEP}] ) + kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) + rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) + ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] ) + sys-libs/zlib[${MULTILIB_USEDEP}] + zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )" + +# Do we need to enforce the same ssl backend for curl and rtmpdump? Bug #423303 +# rtmp? ( +# media-video/rtmpdump +# curl_ssl_gnutls? ( media-video/rtmpdump[gnutls] ) +# curl_ssl_openssl? ( media-video/rtmpdump[-gnutls,ssl] ) +# ) + +# ssl providers to be added: +# fbopenssl $(use_with spnego) + +DEPEND="${RDEPEND}" +BDEPEND="virtual/pkgconfig + test? ( + sys-apps/diffutils + dev-lang/perl + )" + +DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/curl/curlbuild.h +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/curl-config +) + +PATCHES=( + "${FILESDIR}"/${PN}-7.30.0-prefix.patch + "${FILESDIR}"/${PN}-respect-cflags-3.patch + # Backported patches to 7.79.0 + "${FILESDIR}"/${P}-http2-connection-data.patch + "${FILESDIR}"/${P}-http-3digit-response-code.patch +) + +src_prepare() { + default + + eprefixify curl-config.in + eautoreconf +} + +multilib_src_configure() { + # We make use of the fact that later flags override earlier ones + # So start with all ssl providers off until proven otherwise + # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) + local myconf=() + + myconf+=( --without-gnutls --without-mbedtls --without-nss --without-polarssl --without-ssl --without-winssl ) + myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) + #myconf+=( --without-default-ssl-backend ) + if use ssl ; then + if use gnutls || use curl_ssl_gnutls; then + einfo "SSL provided by gnutls" + myconf+=( --with-gnutls --with-nettle ) + fi + if use mbedtls || use curl_ssl_mbedtls; then + einfo "SSL provided by 
mbedtls" + myconf+=( --with-mbedtls ) + fi + if use nss || use curl_ssl_nss; then + einfo "SSL provided by nss" + myconf+=( --with-nss ) + fi + if use openssl || use curl_ssl_openssl; then + einfo "SSL provided by openssl" + myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) + fi + if use winssl || use curl_ssl_winssl; then + einfo "SSL provided by Windows" + myconf+=( --with-winssl ) + fi + + if use curl_ssl_gnutls; then + einfo "Default SSL provided by gnutls" + myconf+=( --with-default-ssl-backend=gnutls ) + elif use curl_ssl_mbedtls; then + einfo "Default SSL provided by mbedtls" + myconf+=( --with-default-ssl-backend=mbedtls ) + elif use curl_ssl_nss; then + einfo "Default SSL provided by nss" + myconf+=( --with-default-ssl-backend=nss ) + elif use curl_ssl_openssl; then + einfo "Default SSL provided by openssl" + myconf+=( --with-default-ssl-backend=openssl ) + elif use curl_ssl_winssl; then + einfo "Default SSL provided by Windows" + myconf+=( --with-default-ssl-backend=winssl ) + else + eerror "We can't be here because of REQUIRED_USE." + fi + + else + einfo "SSL disabled" + fi + + # These configuration options are organized alphabetically + # within each category. This should make it easier if we + # ever decide to make any of them contingent on USE flags: + # 1) protocols first. To see them all do + # 'grep SUPPORT_PROTOCOLS configure.ac' + # 2) --enable/disable options second. + # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort + # 3) --with/without options third. 
+ # grep -- --with configure | grep Check | awk '{ print $4 }' | sort + + myconf+=( + $(use_enable alt-svc) + --enable-crypto-auth + --enable-dict + --disable-ech + --enable-file + $(use_enable ftp) + $(use_enable gopher) + $(use_enable hsts) + --enable-http + $(use_enable imap) + $(use_enable ldap) + $(use_enable ldap ldaps) + --enable-ntlm + --disable-ntlm-wb + $(use_enable pop3) + --enable-rt + --enable-rtsp + $(use_enable samba smb) + $(use_with ssh libssh2) + $(use_enable smtp) + $(use_enable telnet) + $(use_enable tftp) + --enable-tls-srp + $(use_enable adns ares) + --enable-cookies + --enable-dateparse + --enable-dnsshuffle + --enable-doh + --enable-hidden-symbols + --enable-http-auth + $(use_enable ipv6) + --enable-largefile + --enable-manual + --enable-mime + --enable-netrc + $(use_enable progress-meter) + --enable-proxy + --disable-sspi + $(use_enable static-libs static) + $(use_enable threads threaded-resolver) + $(use_enable threads pthreads) + --disable-versioned-symbols + --without-amissl + --without-bearssl + $(use_with brotli) + --without-cyassl + --without-fish-functions-dir + $(use_with http2 nghttp2) + --without-hyper + $(use_with idn libidn2) + $(use_with kerberos gssapi "${EPREFIX}"/usr) + --without-libgsasl + --without-libpsl + $(use_with nghttp3) + $(use_with nghttp3 ngtcp2) + $(use_with quiche) + $(use_with rtmp librtmp) + --without-rustls + --without-schannel + --without-secure-transport + --without-spnego + --without-winidn + --without-wolfssl + --with-zlib + $(use_with zstd) + ) + + ECONF_SOURCE="${S}" \ + econf "${myconf[@]}" + + if ! multilib_is_native_abi; then + # avoid building the client + sed -i -e '/SUBDIRS/s:src::' Makefile || die + sed -i -e '/SUBDIRS/s:scripts::' Makefile || die + fi + + # Fix up the pkg-config file to be more robust. + # https://github.com/curl/curl/issues/864 + local priv=() libs=() + # We always enable zlib. 
+ libs+=( "-lz" ) + priv+=( "zlib" ) + if use http2; then + libs+=( "-lnghttp2" ) + priv+=( "libnghttp2" ) + fi + if use quiche; then + libs+=( "-lquiche" ) + priv+=( "quiche" ) + fi + if use nghttp3; then + libs+=( "-lnghttp3" "-lngtcp2" ) + priv+=( "libnghttp3" "-libtcp2" ) + fi + if use ssl && use curl_ssl_openssl; then + libs+=( "-lssl" "-lcrypto" ) + priv+=( "openssl" ) + fi + grep -q Requires.private libcurl.pc && die "need to update ebuild" + libs=$(printf '|%s' "${libs[@]}") + sed -i -r \ + -e "/^Libs.private/s:(${libs#|})( |$)::g" \ + libcurl.pc || die + echo "Requires.private: ${priv[*]}" >> libcurl.pc +} + +multilib_src_test() { + multilib_is_native_abi && default_src_test +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + rm -rf "${ED}"/etc/ || die +} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.79.1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.79.1.ebuild new file mode 100644 index 00000000000..c87322710ea --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/curl-7.79.1.ebuild 
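Review bot: The default-backend chain in multilib_src_configure ends in `eerror "We can't be here because of REQUIRED_USE."`, which only prints a message; if that branch were ever reached (for example a profile mask or USE expansion the REQUIRED_USE block did not anticipate), configure would continue without any `--with-default-ssl-backend` and the build would silently pick whatever backend configure defaults to. A `die` is the conventional ebuild idiom for a state that must be impossible: `die "no default SSL backend selected despite REQUIRED_USE"`. The same pattern is in the other three curl ebuilds in this commit.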
@@ -0,0 +1,293 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +inherit autotools prefix multilib-minimal + +DESCRIPTION="A Client that groks URLs" +HOMEPAGE="https://curl.haxx.se/" +SRC_URI="https://curl.haxx.se/download/${P}.tar.xz" + +LICENSE="curl" +SLOT="0" +KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap ipv6 kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp samba +smtp ssh ssl sslv3 static-libs test telnet +tftp threads winssl zstd" +IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_winssl" +IUSE+=" nghttp3 quiche" +IUSE+=" elibc_Winnt" + +# c-ares must be disabled for threads +# only one default ssl provider can be enabled +REQUIRED_USE=" + winssl? ( elibc_Winnt ) + threads? ( !adns ) + ssl? ( + ^^ ( + curl_ssl_gnutls + curl_ssl_mbedtls + curl_ssl_nss + curl_ssl_openssl + curl_ssl_winssl + ) + )" + +# lead to lots of false negatives, bug #285669 +RESTRICT="!test? ( test )" + +RDEPEND="ldap? ( net-nds/openldap[${MULTILIB_USEDEP}] ) + brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] ) + ssl? ( + gnutls? ( + net-libs/gnutls:0=[static-libs?,${MULTILIB_USEDEP}] + dev-libs/nettle:0=[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + mbedtls? ( + net-libs/mbedtls:0=[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + openssl? ( + dev-libs/openssl:0=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}] + ) + nss? ( + dev-libs/nss:0[${MULTILIB_USEDEP}] + app-misc/ca-certificates + ) + ) + http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] ) + nghttp3? ( + net-libs/nghttp3[${MULTILIB_USEDEP}] + net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}] + ) + quiche? ( >=net-libs/quiche-0.3.0[${MULTILIB_USEDEP}] ) + idn? 
( net-dns/libidn2:0=[static-libs?,${MULTILIB_USEDEP}] ) + adns? ( net-dns/c-ares:0=[${MULTILIB_USEDEP}] ) + kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] ) + rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] ) + ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] ) + sys-libs/zlib[${MULTILIB_USEDEP}] + zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )" + +# Do we need to enforce the same ssl backend for curl and rtmpdump? Bug #423303 +# rtmp? ( +# media-video/rtmpdump +# curl_ssl_gnutls? ( media-video/rtmpdump[gnutls] ) +# curl_ssl_openssl? ( media-video/rtmpdump[-gnutls,ssl] ) +# ) + +# ssl providers to be added: +# fbopenssl $(use_with spnego) + +DEPEND="${RDEPEND}" +BDEPEND="virtual/pkgconfig + test? ( + sys-apps/diffutils + dev-lang/perl + )" + +DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} ) + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/curl/curlbuild.h +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/curl-config +) + +PATCHES=( + "${FILESDIR}"/${PN}-7.30.0-prefix.patch + "${FILESDIR}"/${PN}-respect-cflags-3.patch + + "${FILESDIR}"/${P}-CVE-2023-38545.patch + "${FILESDIR}"/${P}-CVE-2023-38546.patch +) + +src_prepare() { + default + + eprefixify curl-config.in + eautoreconf +} + +multilib_src_configure() { + # We make use of the fact that later flags override earlier ones + # So start with all ssl providers off until proven otherwise + # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/) + local myconf=() + + myconf+=( --without-gnutls --without-mbedtls --without-nss --without-polarssl --without-ssl --without-winssl ) + myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt ) + #myconf+=( --without-default-ssl-backend ) + if use ssl ; then + if use gnutls || use curl_ssl_gnutls; then + einfo "SSL provided by gnutls" + myconf+=( --with-gnutls --with-nettle ) + fi + if use mbedtls || use curl_ssl_mbedtls; then + einfo "SSL provided by mbedtls" + myconf+=( --with-mbedtls ) + fi + if 
use nss || use curl_ssl_nss; then + einfo "SSL provided by nss" + myconf+=( --with-nss ) + fi + if use openssl || use curl_ssl_openssl; then + einfo "SSL provided by openssl" + myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs ) + fi + if use winssl || use curl_ssl_winssl; then + einfo "SSL provided by Windows" + myconf+=( --with-winssl ) + fi + + if use curl_ssl_gnutls; then + einfo "Default SSL provided by gnutls" + myconf+=( --with-default-ssl-backend=gnutls ) + elif use curl_ssl_mbedtls; then + einfo "Default SSL provided by mbedtls" + myconf+=( --with-default-ssl-backend=mbedtls ) + elif use curl_ssl_nss; then + einfo "Default SSL provided by nss" + myconf+=( --with-default-ssl-backend=nss ) + elif use curl_ssl_openssl; then + einfo "Default SSL provided by openssl" + myconf+=( --with-default-ssl-backend=openssl ) + elif use curl_ssl_winssl; then + einfo "Default SSL provided by Windows" + myconf+=( --with-default-ssl-backend=winssl ) + else + eerror "We can't be here because of REQUIRED_USE." + fi + + else + einfo "SSL disabled" + fi + + # These configuration options are organized alphabetically + # within each category. This should make it easier if we + # ever decide to make any of them contingent on USE flags: + # 1) protocols first. To see them all do + # 'grep SUPPORT_PROTOCOLS configure.ac' + # 2) --enable/disable options second. + # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort + # 3) --with/without options third. 
+ # grep -- --with configure | grep Check | awk '{ print $4 }' | sort + + myconf+=( + $(use_enable alt-svc) + --enable-crypto-auth + --enable-dict + --disable-ech + --enable-file + $(use_enable ftp) + $(use_enable gopher) + $(use_enable hsts) + --enable-http + $(use_enable imap) + $(use_enable ldap) + $(use_enable ldap ldaps) + --enable-ntlm + --disable-ntlm-wb + $(use_enable pop3) + --enable-rt + --enable-rtsp + $(use_enable samba smb) + $(use_with ssh libssh2) + $(use_enable smtp) + $(use_enable telnet) + $(use_enable tftp) + --enable-tls-srp + $(use_enable adns ares) + --enable-cookies + --enable-dateparse + --enable-dnsshuffle + --enable-doh + --enable-hidden-symbols + --enable-http-auth + $(use_enable ipv6) + --enable-largefile + --enable-manual + --enable-mime + --enable-netrc + $(use_enable progress-meter) + --enable-proxy + --disable-sspi + $(use_enable static-libs static) + $(use_enable threads threaded-resolver) + $(use_enable threads pthreads) + --disable-versioned-symbols + --without-amissl + --without-bearssl + $(use_with brotli) + --without-cyassl + --without-fish-functions-dir + $(use_with http2 nghttp2) + --without-hyper + $(use_with idn libidn2) + $(use_with kerberos gssapi "${EPREFIX}"/usr) + --without-libgsasl + --without-libpsl + $(use_with nghttp3) + $(use_with nghttp3 ngtcp2) + $(use_with quiche) + $(use_with rtmp librtmp) + --without-rustls + --without-schannel + --without-secure-transport + --without-spnego + --without-winidn + --without-wolfssl + --with-zlib + $(use_with zstd) + ) + + ECONF_SOURCE="${S}" \ + econf "${myconf[@]}" + + if ! multilib_is_native_abi; then + # avoid building the client + sed -i -e '/SUBDIRS/s:src::' Makefile || die + sed -i -e '/SUBDIRS/s:scripts::' Makefile || die + fi + + # Fix up the pkg-config file to be more robust. + # https://github.com/curl/curl/issues/864 + local priv=() libs=() + # We always enable zlib. 
+ libs+=( "-lz" ) + priv+=( "zlib" ) + if use http2; then + libs+=( "-lnghttp2" ) + priv+=( "libnghttp2" ) + fi + if use quiche; then + libs+=( "-lquiche" ) + priv+=( "quiche" ) + fi + if use nghttp3; then + libs+=( "-lnghttp3" "-lngtcp2" ) + priv+=( "libnghttp3" "-libtcp2" ) + fi + if use ssl && use curl_ssl_openssl; then + libs+=( "-lssl" "-lcrypto" ) + priv+=( "openssl" ) + fi + grep -q Requires.private libcurl.pc && die "need to update ebuild" + libs=$(printf '|%s' "${libs[@]}") + sed -i -r \ + -e "/^Libs.private/s:(${libs#|})( |$)::g" \ + libcurl.pc || die + echo "Requires.private: ${priv[*]}" >> libcurl.pc +} + +multilib_src_test() { + multilib_is_native_abi && default_src_test +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + rm -rf "${ED}"/etc/ || die +} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.30.0-prefix.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.30.0-prefix.patch new file mode 100644 index 00000000000..fd495c49b13 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.30.0-prefix.patch @@ -0,0 +1,21 @@ +diff -Naur curl-7.30.0.orig/curl-config.in curl-7.30.0/curl-config.in +--- curl-7.30.0.orig/curl-config.in 2013-02-06 09:44:37.000000000 -0500 ++++ curl-7.30.0/curl-config.in 2013-04-17 18:43:56.000000000 -0400 +@@ -134,7 +134,7 @@ + else + CPPFLAG_CURL_STATICLIB="" + fi +- if test "X@includedir@" = "X/usr/include"; then ++ if test "X@includedir@" = "X@GENTOO_PORTAGE_EPREFIX@/usr/include"; then + echo "$CPPFLAG_CURL_STATICLIB" + else + echo "${CPPFLAG_CURL_STATICLIB}-I@includedir@" +@@ -142,7 +142,7 @@ + ;; + + --libs) +- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then ++ if test "X@libdir@" != "X@GENTOO_PORTAGE_EPREFIX@/usr/lib" -a "X@libdir@" != "X@GENTOO_PORTAGE_EPREFIX@/usr/lib64"; then + CURLLIBDIR="-L@libdir@ " + else + CURLLIBDIR="" 
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.0-http-3digit-response-code.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.0-http-3digit-response-code.patch
new file mode 100644
index 00000000000..4fa70113265
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.0-http-3digit-response-code.patch
@@ -0,0 +1,47 @@
+https://github.com/curl/curl/commit/beb8990d934a01acf103871e463d4e61afc9ded2
+
+From: Daniel Stenberg
+Date: Fri, 17 Sep 2021 16:31:25 +0200
+Subject: [PATCH] http: fix the broken >3 digit response code detection
+
+When the "reason phrase" in the HTTP status line starts with a digit,
+that was treated as the forth response code digit and curl would claim
+the response to be non-compliant.
+
+Added test 1466 to verify this case.
+
+Regression brought by 5dc594e44f73b17
+Reported-by: Glenn de boer
+Fixes #7738
+Closes #7739
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -4232,9 +4232,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ char separator;
+ char twoorthree[2];
+ int httpversion = 0;
+- int digit4 = -1; /* should remain untouched to be good */
++ char digit4 = 0;
+ nc = sscanf(HEADER1,
+- " HTTP/%1d.%1d%c%3d%1d",
++ " HTTP/%1d.%1d%c%3d%c",
+ &httpversion_major,
+ &httpversion,
+ &separator,
+@@ -4250,13 +4250,13 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ 
+ /* There can only be a 4th response code digit stored in 'digit4' if
+ all the other fields were parsed and stored first, so nc is 5 when
+- digit4 is not -1 */
+- else if(digit4 != -1) {
++ digit4 a digit */
++ else if(ISDIGIT(digit4)) {
+ failf(data, "Unsupported response code in HTTP response");
+ return CURLE_UNSUPPORTED_PROTOCOL;
+ }
+ 
+- if((nc == 4) && (' ' == separator)) {
++ if((nc >= 4) && (' ' == separator)) {
+ httpversion += 10 * httpversion_major;
+ switch(httpversion) {
+ case 10:
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.0-http2-connection-data.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.0-http2-connection-data.patch
new file mode 100644
index 00000000000..bdb1484d1b1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.0-http2-connection-data.patch
@@ -0,0 +1,43 @@
+https://github.com/curl/curl/commit/901804ef95777b8e735a55b77f8dd630a58c575b
+
+From: Daniel Stenberg
+Date: Thu, 16 Sep 2021 08:50:54 +0200
+Subject: [PATCH] Curl_http2_setup: don't change connection data on repeat
+ invokes
+
+Regression from 3cb8a748670ab88c (releasde in 7.79.0). That change moved
+transfer oriented inits to before the check but also erroneously moved a
+few connection oriented ones, which causes problems.
+
+Reported-by: Evangelos Foutras
+Fixes #7730
+Closes #7731
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -2221,12 +2221,6 @@ CURLcode Curl_http2_setup(struct Curl_easy *data,
+ stream->mem = data->state.buffer;
+ stream->len = data->set.buffer_size;
+ 
+- httpc->inbuflen = 0;
+- httpc->nread_inbuf = 0;
+-
+- httpc->pause_stream_id = 0;
+- httpc->drain_total = 0;
+-
+ multi_connchanged(data->multi);
+ /* below this point only connection related inits are done, which only needs
+ to be done once per connection */
+@@ -2252,6 +2246,12 @@ CURLcode Curl_http2_setup(struct Curl_easy *data,
+ conn->httpversion = 20;
+ conn->bundle->multiuse = BUNDLE_MULTIPLEX;
+ 
++ httpc->inbuflen = 0;
++ httpc->nread_inbuf = 0;
++
++ httpc->pause_stream_id = 0;
++ httpc->drain_total = 0;
++
+ infof(data, "Connection state changed (HTTP/2 confirmed)");
+ 
+ return CURLE_OK;
+ 
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.1-CVE-2023-38545.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.1-CVE-2023-38545.patch
new file mode 100644
index 00000000000..c14314049db
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.1-CVE-2023-38545.patch 
@@ -0,0 +1,136 @@
+From e478fb5f5f2e26e2b060a51939dd2746041459ab Mon Sep 17 00:00:00 2001
+From: Jay Satiro
+Date: Mon, 9 Oct 2023 16:34:27 -0400
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+This patch applies to curl versions 7.78.0 - 7.80.0. Other versions
+that are affected take a different patch. Refer to the CVE advisory
+for more information.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+---
+ lib/socks.c | 8 +++---
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test728 | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 72 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test728
+
+diff --git a/lib/socks.c b/lib/socks.c
+index 91c4223..222660c 100644
+--- a/lib/socks.c
++++ b/lib/socks.c
+@@ -535,9 +535,9 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
+ 
+ /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+ if(!socks5_resolve_local && hostname_len > 255) {
+- infof(data, "SOCKS5: server resolving disabled for hostnames of "
+- "length > 255 [actual len=%zu]", hostname_len);
+- socks5_resolve_local = TRUE;
++ failf(data, "SOCKS5: the destination hostname is too long to be "
++ "resolved remotely by the proxy.");
++ return CURLPX_LONG_HOSTNAME;
+ }
+ 
+ if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -857,7 +857,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
+ 
+ if(!socks5_resolve_local) {
+ socksreq[len++] = 3; /* ATYP: domain name = 3 */
+- socksreq[len++] = (char) hostname_len; /* one byte address length */
++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+ memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
+ len += hostname_len;
+ infof(data, "SOCKS5 connect to %s:%d (remotely
resolved)", +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 1636969..1067005 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -94,7 +94,7 @@ test670 test671 test672 test673 test674 test675 test676 test677 test678 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 test716 test717 \ +-test718 \ ++test718 test728 \ + \ + test800 test801 test802 test803 test804 test805 test806 test807 test808 \ + test809 test810 test811 test812 test813 test814 test815 test816 test817 \ +diff --git a/tests/data/test728 b/tests/data/test728 +new file mode 100644 +index 0000000..8673613 +--- /dev/null ++++ b/tests/data/test728 +@@ -0,0 +1,67 @@ ++ ++ ++ ++HTTP ++HTTP GET ++SOCKS5 ++SOCKS5h ++followlocation ++ ++ ++ ++# ++# Server-side ++ ++# The hostname in this redirect is 256 characters and too long (> 255) for ++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case. 
++ ++HTTP/1.1 301 Moved Permanently ++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ ++Content-Length: 0 ++Connection: close ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++proxy ++ ++ ++http ++socks5 ++ ++ ++SOCKS5h with HTTP redirect to hostname too long ++ ++ ++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++s/\r\n$/\n/ ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++97 ++ ++# the error message is verified because error code CURLE_PROXY (97) may be ++# returned for any number of reasons and we need to make sure it is ++# specifically for the reason below so that we know the check is working. ++ ++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy. ++ ++ ++ +-- +2.7.4 diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.1-CVE-2023-38546.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.1-CVE-2023-38546.patch new file mode 100644 index 00000000000..6ad883b1b06 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-7.79.1-CVE-2023-38546.patch 
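Review bot: The vendored fix turns a silent fallback into a hard failure, and that behaviour change deserves a line in the ebuild's changelog or the commit message: before this patch a `socks5h://` proxy with a destination hostname longer than 255 bytes was switched to local resolution, while the new `Curl_SOCKS5` returns `CURLPX_LONG_HOSTNAME` (surfaced to callers as `CURLE_PROXY`, which is what test728 asserts). The patch header says it applies to 7.78.0 – 7.80.0, so it matches the 7.79.1 ebuild that references it via `${P}`; whether the 7.78.0 and 7.79.0 ebuilds outside this chunk ship a copy under their own `${P}` name cannot be confirmed here. In this rendering the test728 body appears without its XML section tags, presumably lost in extraction; confirm the committed file still carries them, since the test harness would otherwise not run the test that proves the new error path. `CURLPX_LONG_HOSTNAME` is an existing proxy error code in this release's public header, so no header change is needed for the backport.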
@@ -0,0 +1,134 @@
+From be1d056dba65e1ffd14242cd8caa688ce880ab49 Mon Sep 17 00:00:00 2001
+From: Sayan Chowdhury
+Date: Fri, 13 Oct 2023 20:54:44 +0530
+Subject: [PATCH] cookie: remove unnecessary struct fields
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+
+Signed-off-by: Sayan Chowdhury
+---
+ lib/cookie.c | 13 +------------
+ lib/cookie.h | 14 ++++----------
+ lib/easy.c | 4 +---
+ 3 files changed, 6 insertions(+), 25 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index b7531f742..b45e6f57e 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -115,7 +115,6 @@ static void freecookie(struct Cookie *co)
+ free(co->name);
+ free(co->value);
+ free(co->maxage);
+- free(co->version);
+ free(co);
+ }
+ 
+@@ -666,11 +665,7 @@ Curl_cookie_add(struct Curl_easy *data,
+ }
+ }
+ else if(strcasecompare("version", name)) {
+- strstore(&co->version, whatptr);
+- if(!co->version) {
+- badcookie = TRUE;
+- break;
+- }
++ /* just ignore */
+ }
+ else if(strcasecompare("max-age", name)) {
+ /*
+@@ -1091,7 +1086,6 @@ Curl_cookie_add(struct Curl_easy *data,
+ free(clist->path);
+ free(clist->spath);
+ free(clist->expirestr);
+- free(clist->version);
+ free(clist->maxage);
+ 
+ *clist = *co; /* then store all the new data */
+@@ -1169,9 +1163,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+ c = calloc(1, sizeof(struct CookieInfo));
+ if(!c)
+ return NULL; /* failed to get memory */
+- c->filename = strdup(file?file:"none"); /* copy the name just in case */
+- if(!c->filename)
+- goto fail; /* failed to get memory */
+ /*
+ * Initialize the next_expiration time to signal that we don't have enough
+ * information yet.
+@@ -1322,7 +1313,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+ CLONE(name);
+ CLONE(value);
+ CLONE(maxage);
+- CLONE(version);
+ d->expires = src->expires;
+ d->tailmatch = src->tailmatch;
+ d->secure = src->secure;
+@@ -1532,7 +1522,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+ if(c) {
+ unsigned int i;
+- free(c->filename);
+ for(i = 0; i < COOKIE_HASH_SIZE; i++)
+ Curl_cookie_freelist(c->cookies[i]);
+ free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index 0ffe08e63..0b0c0cfe8 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -34,11 +34,7 @@ struct Cookie {
+ char *domain; /* domain = */
+ curl_off_t expires; /* expires = */
+ char *expirestr; /* the plain text version */
+-
+- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+- char *version; /* Version = */
+ char *maxage; /* Max-Age = */
+-
+ bool tailmatch; /* whether we do tail-matching of the domain name */
+ bool secure; /* whether the 'secure' keyword was used */
+ bool livecookie; /* updated from a server, not a stored file */
+@@ -54,18 +50,16 @@ struct Cookie {
+ #define COOKIE_PREFIX__SECURE (1<<0)
+ #define COOKIE_PREFIX__HOST (1<<1)
+ 
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+ 
+ struct CookieInfo {
+ /* linked list of cookies we know of */
+ struct Cookie *cookies[COOKIE_HASH_SIZE];
+-
+- char *filename; /* file we read from/write to */
+- long numcookies; /* number of cookies in the "jar" */
++ curl_off_t next_expiration; /* the next time at which expiration happens */
++ int numcookies; /* number of cookies in the "jar" */
++ int lastct; /* last creation-time used in the jar */
+ bool running; /* state info, for cookie adding information */
+ bool newsession; /* new session, discard session cookies on load */
+- int lastct; /* last creation-time used in the jar */
+- curl_off_t next_expiration; /* the next time at which expiration happens */
+ };
+ 
+ /* This is the maximum line length we
accept for a cookie line. RFC 2109
+diff --git a/lib/easy.c b/lib/easy.c
+index 2aca93845..812a0dc36 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -848,9 +848,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+ if(data->cookies) {
+ /* If cookies are enabled in the parent handle, we enable them
+ in the clone as well! */
+- outcurl->cookies = Curl_cookie_init(data,
+- data->cookies->filename,
+- outcurl->cookies,
++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
+ data->set.cookiesession);
+ if(!outcurl->cookies)
+ goto fail;
+--
+2.40.0
+
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-respect-cflags-3.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-respect-cflags-3.patch
new file mode 100644
index 00000000000..4a4a614ee49
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/files/curl-respect-cflags-3.patch
@@ -0,0 +1,14 @@
+diff --git a/configure.ac b/configure.ac
+index e9b49c7..e374ab6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -280,9 +280,6 @@ dnl **********************************************************************
+ 
+ CURL_CHECK_COMPILER
+ CURL_SET_COMPILER_BASIC_OPTS
+-CURL_SET_COMPILER_DEBUG_OPTS
+-CURL_SET_COMPILER_OPTIMIZE_OPTS
+-CURL_SET_COMPILER_WARNING_OPTS
+ 
+ if test "$compiler_id" = "INTEL_UNIX_C"; then
+ #
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/curl/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/metadata.xml
new file mode 100644
index 00000000000..48461136292
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/curl/metadata.xml
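Review bot: The backport carries no provenance for an LTS security fix: unlike the CVE-2023-38545 patch it has no `Bug: https://curl.se/docs/CVE-2023-38546.html` line, the `From:` and `Signed-off-by:` lines name the backporter rather than the upstream author, and the subject `cookie: remove unnecessary struct fields` does not say this is a CVE fix, so only the file name connects the two. Add the advisory URL and a `(cherry picked from commit <upstream-commit-id>)` trailer under the original `Closes #11862` so an auditor can diff the backport against upstream. The part that closes the issue is dropping `CookieInfo.filename` and passing `NULL` to `Curl_cookie_init` in `curl_easy_duphandle`, so a cloned easy handle no longer inherits a cookie file name; the `COOKIE_HASH_SIZE` 256→63 and `numcookies` long→int edits are, by the commit message's own account, unrelated tidy-up that an LTS branch could leave out to keep the diff minimal. Because the `strdup` of `file` and its `goto fail` are removed from `Curl_cookie_init`, confirm that 7.79.1's cookie.c has no other reader of `c->filename` and that the `fail:` label still has a user, or the build will warn (or fail under `-Werror`).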
@@ -0,0 +1,40 @@ + + + + + blueness@gentoo.org + Anthony G. Basile + + + Enable alt-svc support + Enable brotli compression support + Enable FTP support + Enable gnutls ssl backend + Enable Gopher protocol support + Enable HTTP Strict Transport Security + Enable HTTP/2.0 support + Enable Internet Message Access Protocol support + Enable mbedtls ssl backend + Enable HTTP/3.0 support using net-libs/nghttp3 and net-libs/ngtcp2 + Enable HTTP/3.0 support using net-libs/quiche + Enable nss ssl backend + Enable openssl ssl backend + Enable Post Office Protocol 3 support + Enable the progress meter + Enable RTMP Streaming Media support + Enable Simple Mail Transfer Protocol support + Enable SSH urls in curl using libssh2 + Enable crypto engine support (via openssl if USE='-gnutls -nss') + Support for the old/insecure SSLv3 protocol + Enable Telnet protocol support + Enable TFTP support + Enable winssl ssl backend + Enable zstd compression + + + cpe:/a:curl:curl + cpe:/a:curl:libcurl + cpe:/a:haxx:curl + cpe:/a:haxx:libcurl + +