[v2] curl: Update to 8.9.1

Message ID 20240808040726.1461912-1-robert.joslyn@redrectangle.org
State Accepted, archived
Commit ff607f50f1e15ca713048bba83ca15d1e4e08b6a

Commit Message

Robert Joslyn Aug. 8, 2024, 4:07 a.m. UTC
From: Robert Joslyn <robert.joslyn@redrectangle.org>

This update contains minor features, bugfixes, and addresses several CVEs:
* https://curl.se/docs/CVE-2024-6197.html
* https://curl.se/docs/CVE-2024-6874.html
* https://curl.se/docs/CVE-2024-7264.html

Full release notes available at https://curl.se/ch/8.9.1.html

Backport a patch to fix a SIGPIPE issue found shortly after release:
https://curl.se/mail/distros-2024-08/0002.html

Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
---
 ...e-struct-so-that-first-apply-ignores.patch | 38 +++++++++++++++++++
 .../curl/{curl_8.8.0.bb => curl_8.9.1.bb}     |  3 +-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/curl/curl/0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch
 rename meta/recipes-support/curl/{curl_8.8.0.bb => curl_8.9.1.bb} (97%)

Comments

patchtest@automation.yoctoproject.org Aug. 8, 2024, 4:18 a.m. UTC | #1
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/v2-curl-Update-to-8.9.1.patch

FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" (test_patch.TestPatch.test_cve_tag_format)

PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)
SKIP: test target mailing list: Series merged, no reason to check other mailing lists (test_mbox.TestMbox.test_target_mailing_list)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

Patch

diff --git a/meta/recipes-support/curl/curl/0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch b/meta/recipes-support/curl/curl/0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch
new file mode 100644
index 0000000000..15c69e1430
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch
@@ -0,0 +1,38 @@ 
+From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 5 Aug 2024 00:17:17 +0200
+Subject: [PATCH] sigpipe: init the struct so that first apply ignores
+
+Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after
+init ignores the signal (unless CURLOPT_NOSIGNAL) is set.
+
+I have read the existing code multiple times now and I think it gets the
+initial state reversed this missing to ignore.
+
+Regression from 17e6f06ea37136c36d27
+
+Reported-by: Rasmus Thomsen
+Fixes #14344
+Closes #14390
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/3eec5afbd0b6377eca893c392569b2faf094d970]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/sigpipe.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/sigpipe.h b/lib/sigpipe.h
+index b91a2f513..d78afd905 100644
+--- a/lib/sigpipe.h
++++ b/lib/sigpipe.h
+@@ -39,6 +39,7 @@ struct sigpipe_ignore {
+ static void sigpipe_init(struct sigpipe_ignore *ig)
+ {
+   memset(ig, 0, sizeof(*ig));
++  ig->no_signal = TRUE;
+ }
+ 
+ /*
+-- 
+2.44.2
+
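Review bot: the header of the added patch file has "Upstream-Status: Backport [...]" and a Signed-off-by but no "CVE:" line, which is the condition the patchtest FAIL on "test CVE tag format" in comment #1 describes. The commit message lists the three CVEs as addressed by the 8.9.1 update and describes this file separately as a SIGPIPE fix found after release, so adding a CVE tag here would be misleading; a reply to patchtest saying so, or a sentence in the commit message stating that the CVE fixes come from the version bump and not from this backport, would make the accepted failure understandable to later readers. Since the patch is a backport of an upstream commit, it is also worth noting in the commit message that the file and its SRC_URI entry are to be dropped at the next upgrade that includes 3eec5afbd0b6377eca893c392569b2faf094d970.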
diff --git a/meta/recipes-support/curl/curl_8.8.0.bb b/meta/recipes-support/curl/curl_8.9.1.bb
similarity index 97%
rename from meta/recipes-support/curl/curl_8.8.0.bb
rename to meta/recipes-support/curl/curl_8.9.1.bb
index 2b058e4e82..72ef4fab62 100644
--- a/meta/recipes-support/curl/curl_8.8.0.bb
+++ b/meta/recipes-support/curl/curl_8.9.1.bb
@@ -14,8 +14,9 @@  SRC_URI = " \
     file://run-ptest \
     file://disable-tests \
     file://no-test-timeout.patch \
+    file://0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch \
 "
-SRC_URI[sha256sum] = "0f58bb95fc330c8a46eeb3df5701b0d90c9d9bfcc42bd1cd08791d12551d4400"
+SRC_URI[sha256sum] = "f292f6cc051d5bbabf725ef85d432dfeacc8711dd717ea97612ae590643801e5"
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
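Review bot: the replaced SRC_URI[sha256sum] line is the only integrity anchor the recipe has for the 8.9.1 tarball, and nothing in the patch or the commit message says how the new value was obtained. Please confirm it was computed from a tarball whose upstream release signature was checked, and state that in the commit message so the hash can be traced. On the added "file://0001-sigpipe-init-the-struct-so-that-first-apply-ignores.patch \" entry, a short comment above it saying it is a temporary backport would help whoever does the next version bump remove it.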