From ff607f50f1e15ca713048bba83ca15d1e4e08b6a Mon Sep 17 00:00:00 2001 From: Robert Joslyn Date: Wed, 7 Aug 2024 21:07:26 -0700 Subject: [PATCH] curl: Update to 8.9.1 This update contains minor features, bugfixes, and addresses several CVEs: * https://curl.se/docs/CVE-2024-6197.html * https://curl.se/docs/CVE-2024-6874.html * https://curl.se/docs/CVE-2024-7264.html Full relese notes available at https://curl.se/ch/8.9.1.html Backport a patch to fix a SIGPIPE issue found shortly after release: https://curl.se/mail/distros-2024-08/0002.html Signed-off-by: Robert Joslyn Signed-off-by: Richard Purdie
---
 ...e-struct-so-that-first-apply-ignores.patch | 38 +++++++++++++++++++
 .../curl/{curl_8.8.0.bb => curl_8.9.1.bb} | 3 +-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/curl/curl/0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch
 rename meta/recipes-support/curl/{curl_8.8.0.bb => curl_8.9.1.bb} (97%)
diff --git a/meta/recipes-support/curl/curl/0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch b/meta/recipes-support/curl/curl/0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch
new file mode 100644
index 00000000000..15c69e1430a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch
@@ -0,0 +1,38 @@
+From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 5 Aug 2024 00:17:17 +0200
+Subject: [PATCH] sigpipe: init the struct so that first apply ignores
+
+Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after
+init ignores the signal (unless CURLOPT_NOSIGNAL) is set.
+
+I have read the existing code multiple times now and I think it gets the
+initial state reversed this missing to ignore.
+
+Regression from 17e6f06ea37136c36d27
+
+Reported-by: Rasmus Thomsen
+Fixes #14344
+Closes #14390
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970]
+Signed-off-by: Robert Joslyn
+---
+ lib/sigpipe.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/sigpipe.h b/lib/sigpipe.h
+index b91a2f513..d78afd905 100644
+--- a/lib/sigpipe.h
++++ b/lib/sigpipe.h
+@@ -39,6 +39,7 @@ struct sigpipe_ignore {
+ static void sigpipe_init(struct sigpipe_ignore *ig)
+ {
+ memset(ig, 0, sizeof(*ig));
++ ig->no_signal = TRUE;
+ }
+
+ /*
+--
+2.44.2
+
diff --git a/meta/recipes-support/curl/curl_8.8.0.bb b/meta/recipes-support/curl/curl_8.9.1.bb
similarity index 97%
rename from meta/recipes-support/curl/curl_8.8.0.bb
rename to meta/recipes-support/curl/curl_8.9.1.bb
index 533c2ac199b..4d96a4e0344 100644
--- a/meta/recipes-support/curl/curl_8.8.0.bb
+++ b/meta/recipes-support/curl/curl_8.9.1.bb
@@ -14,8 +14,9 @@ SRC_URI = " \
 file://run-ptest \
 file://disable-tests \
 file://no-test-timeout.patch \
+ file://0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch \
 "
-SRC_URI[sha256sum] = "0f58bb95fc330c8a46eeb3df5701b0d90c9d9bfcc42bd1cd08791d12551d4400"
+SRC_URI[sha256sum] = "f292f6cc051d5bbabf725ef85d432dfeacc8711dd717ea97612ae590643801e5"
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
--
2.47.3
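Review bot: The added `ig->no_signal = TRUE;` in sigpipe_init() of the carried lib/sigpipe.h patch has no comment, although the patch description itself says the initial state had been read the wrong way round, and the line looks redundant next to the memset that precedes it. A comment such as `/* start as TRUE so the first sigpipe_apply() installs the SIGPIPE ignore unless CURLOPT_NOSIGNAL is set */` would record the intent given in the description; how sigpipe_apply() actually uses the field is outside the hunk, so the wording should be checked against it. Because the file is marked `Upstream-Status: Backport`, the comment is better raised upstream than edited into this copy.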