[1/2] curl: upgrade 8.10.1 -> 8.11.0

Message ID 20241211180953.3369248-2-peter.marko@siemens.com
State Accepted, archived
Commit 86dd3aca63248e1982c2d8c9dc68ae34a358cf8b
Series curl: upgrade 8.10.1 -> 8.11.1

Commit Message

Peter Marko Dec. 11, 2024, 6:09 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Solves CVE-2024-9681

* refresh patch
* add patch for buildpaths issue
* add new options for ipfs and websockets, keep them configured as they
  were previously configured
* drop notexists.pl from ptest install as it was removed and code was
  integrated into the test framework in [1]
* add ptest dependency on perl-module-i18n-langinfo due to [2]

[1] https://github.com/curl/curl/commit/56183c1d6f7f4d0c18d9065cf870c4cd3fc329eb
[2] https://github.com/curl/curl/commit/0b70b23ef4d007031bc2ae4fc63d5ed9136bc2b5

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 ...pc.in-drop-LDFLAGS-from-Libs.private.patch | 39 +++++++++++++++++++
 .../curl/curl/no-test-timeout.patch           |  2 +-
 .../curl/{curl_8.10.1.bb => curl_8.11.0.bb}   |  9 +++--
 3 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-support/curl/curl/0001-libcurl.pc.in-drop-LDFLAGS-from-Libs.private.patch
 rename meta/recipes-support/curl/{curl_8.10.1.bb => curl_8.11.0.bb} (93%)

Comments

patchtest@automation.yoctoproject.org Dec. 11, 2024, 6:18 p.m. UTC | #1
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/1-2-curl-upgrade-8.10.1---8.11.0.patch

FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" (test_patch.TestPatch.test_cve_tag_format)

PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
Peter Marko Dec. 11, 2024, 6:25 p.m. UTC | #2
This seems to be a false positive.
When upgrading a recipe, CVE patches are not added but solved CVEs are being mentioned.

Peter


Patch

diff --git a/meta/recipes-support/curl/curl/0001-libcurl.pc.in-drop-LDFLAGS-from-Libs.private.patch b/meta/recipes-support/curl/curl/0001-libcurl.pc.in-drop-LDFLAGS-from-Libs.private.patch
new file mode 100644
index 00000000000..79fc0b316e7
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-libcurl.pc.in-drop-LDFLAGS-from-Libs.private.patch
@@ -0,0 +1,39 @@ 
+From cfd5d794fdfcc12e386fdbb14161babf54d2a5ee Mon Sep 17 00:00:00 2001
+From: Peter Marko <peter.marko@siemens.com>
+Date: Sat, 9 Nov 2024 22:26:58 +0100
+Subject: [PATCH] libcurl.pc.in: drop LDFLAGS from Libs.private
+
+Stop passing linker flags to pkg-config.
+
+This was added in v8.11.0 with commit [1].
+There are several problems with this, especially:
+* user may want to link curl and application with different flags
+* user usually adds the same or similar flags in all components, so this
+  will double the flags when linking application
+* when building components in temporary directories, these directories
+  are preserved in pkg-config linker flags and are invalid when building
+  application
+
+[1] https://github.com/curl/curl/commit/9f56bb608ecfbb8978c6cb72a04d9e8b23162d82
+
+Upstream-Status: Submitted [https://github.com/curl/curl/pull/15533]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libcurl.pc.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcurl.pc.in b/libcurl.pc.in
+index 4c60a7ec7..7898dae35 100644
+--- a/libcurl.pc.in
++++ b/libcurl.pc.in
+@@ -36,6 +36,6 @@ Version: @CURLVERSION@
+ Requires: @LIBCURL_PC_REQUIRES@
+ Requires.private: @LIBCURL_PC_REQUIRES_PRIVATE@
+ Libs: -L${libdir} -lcurl @LIBCURL_PC_LIBS@
+-Libs.private: @LDFLAGS@ @LIBCURL_PC_LIBS_PRIVATE@
++Libs.private: @LIBCURL_PC_LIBS_PRIVATE@
+ Cflags: -I${includedir} @LIBCURL_PC_CFLAGS@
+ Cflags.private: @LIBCURL_PC_CFLAGS_PRIVATE@
+-- 
+2.30.2
+
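Review bot: The description of the embedded libcurl.pc.in patch does not say whether static consumers still link once `@LDFLAGS@` is gone from `Libs.private`: any `-L` search path that reached the .pc file only through LDFLAGS is dropped together with the build-directory paths the description wants removed. Please state in the patch header that `@LIBCURL_PC_LIBS_PRIVATE@` alone is sufficient for `pkg-config --static --libs libcurl`, or how that was checked. Because the patch is carried as `Upstream-Status: Submitted`, it also needs to be re-checked against the referenced upstream pull request at the next version bump.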
diff --git a/meta/recipes-support/curl/curl/no-test-timeout.patch b/meta/recipes-support/curl/curl/no-test-timeout.patch
index 7122b6f0435..fe8efbe6125 100644
--- a/meta/recipes-support/curl/curl/no-test-timeout.patch
+++ b/meta/recipes-support/curl/curl/no-test-timeout.patch
@@ -14,7 +14,7 @@  diff --git a/tests/servers.pm b/tests/servers.pm
 index d4472d5..9999938 100644
 --- a/tests/servers.pm
 +++ b/tests/servers.pm
-@@ -120,7 +120,7 @@ my $sshdverstr;  # for socks server, ssh daemon version string
+@@ -122,7 +122,7 @@ my $sshdverstr;  # for socks server, ssh daemon version string
  my $sshderror;   # for socks server, ssh daemon version error
  my %doesntrun;    # servers that don't work, identified by pidfile
  my %PORT = (nolisten => 47); # port we use for a local non-listening service
diff --git a/meta/recipes-support/curl/curl_8.10.1.bb b/meta/recipes-support/curl/curl_8.11.0.bb
similarity index 93%
rename from meta/recipes-support/curl/curl_8.10.1.bb
rename to meta/recipes-support/curl/curl_8.11.0.bb
index 0252d4475ec..a512aa443c8 100644
--- a/meta/recipes-support/curl/curl_8.10.1.bb
+++ b/meta/recipes-support/curl/curl_8.11.0.bb
@@ -14,8 +14,9 @@  SRC_URI = " \
     file://run-ptest \
     file://disable-tests \
     file://no-test-timeout.patch \
+    file://0001-libcurl.pc.in-drop-LDFLAGS-from-Libs.private.patch \
 "
-SRC_URI[sha256sum] = "73a4b0e99596a09fa5924a4fb7e4b995a85fda0d18a2c02ab9cf134bebce04ee"
+SRC_URI[sha256sum] = "db59cf0d671ca6e7f5c2c5ec177084a33a79e04c97e71cf183a5cdea235054eb"
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
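Review bot: The new `SRC_URI[sha256sum]` value comes with no statement of how it was obtained; the commit message lists the recipe changes only. A line saying the 8.11.0 tarball was checked against the upstream release signature or published checksum before the hash was recorded would let reviewers rely on the value instead of recomputing it. The added `file://0001-libcurl.pc.in-drop-LDFLAGS-from-Libs.private.patch` entry matches the new file created earlier in this patch.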
@@ -23,7 +24,7 @@  CVE_STATUS[CVE-2024-32928] = "ignored: CURLOPT_SSL_VERIFYPEER was disabled on go
 
 inherit autotools pkgconfig binconfig multilib_header ptest
 
-COMMON_PACKAGECONFIG = "basic-auth bearer-auth digest-auth negotiate-auth openssl proxy threaded-resolver verbose zlib"
+COMMON_PACKAGECONFIG = "basic-auth bearer-auth digest-auth ipfs negotiate-auth openssl proxy threaded-resolver verbose zlib"
 PACKAGECONFIG ??= "${COMMON_PACKAGECONFIG} ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} aws libidn"
 PACKAGECONFIG:class-native = "${COMMON_PACKAGECONFIG} ipv6"
 PACKAGECONFIG:class-nativesdk = "${COMMON_PACKAGECONFIG} ipv6"
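Review bot: `ipfs` is added to `COMMON_PACKAGECONFIG` here, so it is enabled for target, native and nativesdk, while `websockets`, which gets its own `PACKAGECONFIG[websockets]` entry further down in this recipe, is not added to any default set and will therefore be built with `--disable-websockets`. The commit message says both are kept as previously configured, but the asymmetry is not explained. Please say in the commit message or in a recipe comment that 8.10.1 built with IPFS support on and WebSockets off, so the protocol surface of the default build is visibly unchanged by the upgrade.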
@@ -43,6 +44,7 @@  PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls"
 PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher,"
 PACKAGECONFIG[imap] = "--enable-imap,--disable-imap,"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+PACKAGECONFIG[ipfs] = "--enable-ipfs,--disable-ipfs,"
 PACKAGECONFIG[kerberos-auth] = "--enable-kerberos-auth,--disable-kerberos-auth"
 PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5"
 PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap"
@@ -65,6 +67,7 @@  PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet,"
 PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp,"
 PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver,,,,ares"
 PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose"
+PACKAGECONFIG[websockets] = "--enable-websockets,--disable-websockets"
 PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib"
 PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
 
@@ -106,7 +109,6 @@  do_install_ptest() {
 	for name in $(makefile-getvar ${B}/tests/libtest/Makefile noinst_PROGRAMS noinst_LTLIBRARIES); do
 		${B}/libtool --mode=install install ${B}/tests/libtest/$name ${D}${PTEST_PATH}/tests/libtest
 	done
-	cp ${S}/tests/libtest/notexists.pl ${D}${PTEST_PATH}/tests/libtest
 	rm -f ${D}${PTEST_PATH}/tests/libtest/libhostname.la
 
 	install -d ${D}${PTEST_PATH}/tests/server
@@ -131,6 +133,7 @@  RDEPENDS:${PN}-ptest += " \
 	perl-module-file-basename \
 	perl-module-file-spec \
 	perl-module-file-temp \
+	perl-module-i18n-langinfo \
 	perl-module-io-socket \
 	perl-module-ipc-open2 \
 	perl-module-list-util \