RepositoryExternal.mk | 2 download.lst | 12 external/curl/CVE-2017-1000254.patch | 50 external/curl/CVE-2017-8816.patch | 67 - external/curl/CVE-2018-1000005.patch | 36 external/curl/CVE-2018-1000007.patch | 110 - external/curl/CVE-2018-1000120.patch | 67 - external/curl/CVE-2018-14618.patch | 66 - external/curl/CVE-2018-16890.patch | 39 external/curl/CVE-2019-3822.patch | 35 external/curl/ExternalPackage_curl.mk | 4 external/curl/ExternalProject_curl.mk | 38 external/curl/UnpackedTarball_curl.mk | 21 external/curl/clang-cl.patch.0 | 11 external/curl/curl-7.26.0_win-proxy.patch | 49 external/curl/curl-msvc-disable-protocols.patch.1 | 18 external/curl/curl-msvc-schannel.patch.1 | 22 external/curl/curl-msvc.patch.1 | 48 external/curl/curl-osx.patch.1 | 285 ---- external/curl/curl-xp.patch.1 | 12 external/curl/zlib.patch.0 | 90 + external/expat/expat-winapi.patch | 14 external/libxml2/libxml2-config.patch.1 | 4 external/libxml2/libxml2-global-symbols.patch | 4 external/openssl/UnpackedTarball_openssl.mk | 2 external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 | 56 external/openssl/openssl-1.0.2k-cve-2020-1971.patch.1 | 578 ++++++++++ 27 files changed, 855 insertions(+), 885 deletions(-)
New commits: commit 6be764e8c35008c7efeac96bfcc4a060e7a8c766 Author: Andras Timar <andras.ti...@collabora.com> AuthorDate: Thu Sep 9 13:23:43 2021 +0200 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Thu Sep 9 13:23:43 2021 +0200 curl: upgrade to release 7.78.0 Change-Id: Ie736220197663b22a39840459c21230192925e3e diff --git a/download.lst b/download.lst index 34ee34fc40cb..f882b6d05f13 100644 --- a/download.lst +++ b/download.lst @@ -30,8 +30,8 @@ export CPPUNIT_SHA256SUM := 3d569869d27b48860210c758c4f313082103a5e58219a7669b52 export CPPUNIT_TARBALL := cppunit-1.14.0.tar.gz export CT2N_SHA256SUM := 71b238efd2734be9800af07566daea8d6685aeed28db5eb5fa0e6453f4d85de3 export CT2N_TARBALL := 1f467e5bb703f12cbbb09d5cf67ecf4a-converttexttonumber-1-5-0.oxt -export CURL_SHA256SUM := a8984e8b20880b621f61a62d95ff3c0763a3152093a9f9ce4287cfd614add6ae -export CURL_TARBALL := curl-7.52.1.tar.gz +export CURL_SHA256SUM := be42766d5664a739c3974ee3dfbbcbe978a4ccb1fe628bb1d9b59ac79e445fb5 +export CURL_TARBALL := curl-7.78.0.tar.xz export EBOOK_SHA256SUM := b710a57c633205b933015474d0ac0862253d1c52114d535dd09b20939a0d1850 export EBOOK_TARBALL := libe-book-0.1.2.tar.bz2 export EPOXY_SHA256SUM := 1d8668b0a259c709899e1c4bab62d756d9002d546ce4f59c9665e2fc5f001a64 diff --git a/external/curl/CVE-2017-1000254.patch b/external/curl/CVE-2017-1000254.patch deleted file mode 100644 index 2e2af20f7258..000000000000 --- a/external/curl/CVE-2017-1000254.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <dan...@haxx.se> -Date: Mon, 25 Sep 2017 00:35:22 +0200 -Subject: [PATCH] FTP: zero terminate the entry path even on bad input - -... a single double quote could leave the entry path buffer without a zero -terminating byte. CVE-2017-1000254 - -Test 1152 added to verify. - -Reported-by: Max Dymond -Bug: https://curl.haxx.se/docs/adv_20171004.html ---- - lib/ftp.c | 7 ++++-- - tests/data/Makefile.inc | 1 + - tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 67 insertions(+), 2 deletions(-) - create mode 100644 tests/data/test1152 - -diff -urN curl.org/lib/ftp.c curl/lib/ftp.c ---- curl.org/lib/ftp.c 2016-12-19 09:15:11.000000000 +0100 -+++ curl/lib/ftp.c 2018-09-10 05:52:32.148633155 +0200 -@@ -2825,6 +2825,7 @@ - char *ptr=&data->state.buffer[4]; /* start on the first letter */ - char *dir; - char *store; -+ bool entry_extracted = FALSE; - - dir = malloc(nread + 1); - if(!dir) -@@ -2856,7 +2857,7 @@ - } - else { - /* end of path */ -- *store = '\0'; /* zero terminate */ -+ entry_extracted = TRUE; - break; /* get out of this loop */ - } - } -@@ -2865,7 +2866,9 @@ - store++; - ptr++; - } -- -+ *store = '\0'; /* zero terminate */ -+ } -+ if(entry_extracted) { - /* If the path name does not look like an absolute path (i.e.: it - does not start with a '/'), we probably need some server-dependent - adjustments. For example, this is the case when connecting to diff --git a/external/curl/CVE-2017-8816.patch b/external/curl/CVE-2017-8816.patch deleted file mode 100644 index dd4fa677e03f..000000000000 --- a/external/curl/CVE-2017-8816.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <dan...@haxx.se> -Date: Mon, 6 Nov 2017 23:51:52 +0100 -Subject: [PATCH] ntlm: avoid integer overflow for malloc size - -Reported-by: Alex Nichols -Assisted-by: Kamil Dudka and Max Dymond - -CVE-2017-8816 - -Bug: https://curl.haxx.se/docs/adv_2017-11e7.html ---- - lib/curl_ntlm_core.c | 23 +++++++++++++++++++++-- - 1 file changed, 21 insertions(+), 2 deletions(-) - -diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c -index 1309bf0d9..e8962769c 100644 ---- a/lib/curl_ntlm_core.c -+++ b/lib/curl_ntlm_core.c -@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, - Curl_HMAC_final(ctxt, output); - - return CURLE_OK; - } - -+#ifndef SIZE_T_MAX -+/* some limits.h headers have this defined, some don't */ -+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) -+#define SIZE_T_MAX 18446744073709551615U -+#else -+#define SIZE_T_MAX 4294967295U -+#endif -+#endif -+ - /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode - * (uppercase UserName + Domain) as the data - */ - CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen, - const char *domain, size_t domlen, - unsigned char *ntlmhash, - unsigned char *ntlmv2hash) - { - /* Unicode representation */ -- size_t identity_len = (userlen + domlen) * 2; -- unsigned char *identity = malloc(identity_len); -+ size_t identity_len; -+ unsigned char *identity; - CURLcode result = CURLE_OK; - -+ /* we do the length checks below separately to avoid integer overflow risk -+ on extreme data lengths */ -+ if((userlen > SIZE_T_MAX/2) || -+ (domlen > SIZE_T_MAX/2) || -+ ((userlen + domlen) > SIZE_T_MAX/2)) -+ return CURLE_OUT_OF_MEMORY; -+ -+ identity_len = (userlen + domlen) * 2; -+ identity = malloc(identity_len); -+ - if(!identity) - return CURLE_OUT_OF_MEMORY; - - ascii_uppercase_to_unicode_le(identity, user, userlen); - ascii_to_unicode_le(identity + 
(userlen << 1), domain, domlen); --- -2.15.0 - diff --git a/external/curl/CVE-2018-1000005.patch b/external/curl/CVE-2018-1000005.patch deleted file mode 100644 index 7b5578b1aacc..000000000000 --- a/external/curl/CVE-2018-1000005.patch +++ /dev/null @@ -1,36 +0,0 @@ -From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001 -From: Zhouyihai Ding <ddyi...@ddyihai.svl.corp.google.com> -Date: Wed, 10 Jan 2018 10:12:18 -0800 -Subject: [PATCH] http2: fix incorrect trailer buffer size - -Prior to this change the stored byte count of each trailer was -miscalculated and 1 less than required. It appears any trailer -after the first that was passed to Curl_client_write would be truncated -or corrupted as well as the size. Potentially the size of some -subsequent trailer could be erroneously extracted from the contents of -that trailer, and since that size is used by client write an -out-of-bounds read could occur and cause a crash or be otherwise -processed by client write. - -The bug appears to have been born in 0761a51 (precedes 7.49.0). - -Closes https://github.com/curl/curl/pull/2231 ---- - lib/http2.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/http2.c b/lib/http2.c -index 8e2fc71996..699287940e 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, - - if(stream->bodystarted) { - /* This is trailer fields. */ -- /* 3 is for ":" and "\r\n". */ -- uint32_t n = (uint32_t)(namelen + valuelen + 3); -+ /* 4 is for ": " and "\r\n". */ -+ uint32_t n = (uint32_t)(namelen + valuelen + 4); - - DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen, - value)); diff --git a/external/curl/CVE-2018-1000007.patch b/external/curl/CVE-2018-1000007.patch deleted file mode 100644 index c474370c78ad..000000000000 --- a/external/curl/CVE-2018-1000007.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <dan...@haxx.se> -Date: Fri, 19 Jan 2018 13:19:25 +0100 -Subject: [PATCH] http: prevent custom Authorization headers in redirects - -... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how -curl already handles Authorization headers created internally. - -Note: this changes behavior slightly, for the sake of reducing mistakes. - -Added test 317 and 318 to verify. - -Reported-by: Craig de Stigter -Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html ---- - docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 ++++- - lib/http.c | 10 +++- - lib/setopt.c | 2 +- - lib/urldata.h | 2 +- - tests/data/Makefile.inc | 2 +- - tests/data/test317 | 94 +++++++++++++++++++++++++++++++++ - tests/data/test318 | 95 ++++++++++++++++++++++++++++++++++ - 7 files changed, 212 insertions(+), 5 deletions(-) - create mode 100644 tests/data/test317 - create mode 100644 tests/data/test318 - -diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 -index c5ccb1a53d..c9f29e393e 100644 ---- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 -+++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 -@@ -5,7 +5,7 @@ - .\" * | (__| |_| | _ <| |___ - .\" * \___|\___/|_| \_\_____| - .\" * --.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <dan...@haxx.se>, et al. -+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <dan...@haxx.se>, et al. - .\" * - .\" * This software is licensed as described in the file COPYING, which - .\" * you should have received as part of this distribution. The terms -@@ -77,6 +77,16 @@ the headers. They may be private or otherwise sensitive to leak. - - Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you - intend them to get sent. 
-+ -+Custom headers are sent in all requests done by the easy handles, which -+implies that if you tell libcurl to follow redirects -+(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent -+in the subsequent request. Redirects can of course go to other hosts and thus -+those servers will get all the contents of your custom headers too. -+ -+Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers -+from being sent to other hosts than the first used one, unless specifically -+permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option. - .SH DEFAULT - NULL - .SH PROTOCOLS -diff --git a/lib/http.c b/lib/http.c -index c1cdf2da02..a5007670d7 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -714,7 +714,7 @@ Curl_http_output_auth(struct connectdata *conn, - if(!data->state.this_is_a_follow || - conn->bits.netrc || - !data->state.first_host || -- data->set.http_disable_hostname_check_before_authentication || -+ data->set.allow_auth_to_other_hosts || - strcasecompare(data->state.first_host, conn->host.name)) { - result = output_auth_headers(conn, authhost, request, path, FALSE); - } -@@ -1636,6 +1636,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, - checkprefix("Transfer-Encoding:", headers->data)) - /* HTTP/2 doesn't support chunked requests */ - ; -+ else if(checkprefix("Authorization:", headers->data) && -+ /* be careful of sending this potentially sensitive header to -+ other hosts */ -+ (data->state.this_is_a_follow && -+ data->state.first_host && -+ !data->set.allow_auth_to_other_hosts && -+ !strcasecompare(data->state.first_host, conn->host.name))) -+ ; - else { - CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", - headers->data); -diff --git a/lib/setopt.c b/lib/setopt.c -index 66f30ea653..a5ef75c722 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -976,7 +976,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, - * Send authentication (user+password) when following locations, even 
when - * hostname changed. - */ -- data->set.http_disable_hostname_check_before_authentication = -+ data->set.allow_auth_to_other_hosts = - (0 != va_arg(param, long)) ? TRUE : FALSE; - break; - -diff --git a/lib/urldata.h b/lib/urldata.h -index 4dcd1a322c..5c04ad1720 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1599,7 +1599,7 @@ struct UserDefined { - bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */ - bool http_follow_location; /* follow HTTP redirects */ - bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ -- bool http_disable_hostname_check_before_authentication; -+ bool allow_auth_to_other_hosts; - bool include_header; /* include received protocol headers in data output */ - bool http_set_referer; /* is a custom referer used */ - bool http_auto_referer; /* set "correct" referer when following location: */ diff --git a/external/curl/CVE-2018-1000120.patch b/external/curl/CVE-2018-1000120.patch deleted file mode 100644 index 6da1b1b3dcce..000000000000 --- a/external/curl/CVE-2018-1000120.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <dan...@haxx.se> -Date: Wed, 31 Jan 2018 08:40:11 +0100 -Subject: [PATCH] FTP: reject path components with control codes - -Refuse to operate when given path components featuring byte values lower -than 32. - -Previously, inserting a %00 sequence early in the directory part when -using the 'singlecwd' ftp method could make curl write a zero byte -outside of the allocated buffer. - -Test case 340 verifies. - -CVE-2018-1000120 -Reported-by: Duy Phan Thanh -Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html ---- - lib/ftp.c | 8 ++++---- - tests/data/Makefile.inc | 3 +++ - tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 47 insertions(+), 4 deletions(-) - create mode 100644 tests/data/test340 - -diff --git a/lib/ftp.c b/lib/ftp.c -index fec591918..e2cc38b62 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -3192,11 +3192,11 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, - ftpc->known_filesize = -1; - } - - if(!result) - /* get the "raw" path */ -- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); -+ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE); - if(result) { - /* We can limp along anyway (and should try to since we may already be in - * the error path) */ - ftpc->ctl_valid = FALSE; /* mark control connection as bad */ - connclose(conn, "FTP: out of memory!"); /* mark for connection closure */ -@@ -4153,11 +4153,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) - dirlen++; - - result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", - slash_pos ? 
dirlen : 1, - &ftpc->dirs[0], NULL, -- FALSE); -+ TRUE); - if(result) { - freedirs(ftpc); - return result; - } - ftpc->dirdepth = 1; /* we consider it to be a single dir */ -@@ -4260,11 +4260,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) - /* prevpath is "raw" so we convert the input path before we compare the - strings */ - size_t dlen; - char *path; - CURLcode result = -- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); -+ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE); - if(result) { - freedirs(ftpc); - return result; - } - diff --git a/external/curl/CVE-2018-14618.patch b/external/curl/CVE-2018-14618.patch deleted file mode 100644 index 40f08e7305c1..000000000000 --- a/external/curl/CVE-2018-14618.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <dan...@haxx.se> -Date: Mon, 13 Aug 2018 10:35:52 +0200 -Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password - -... since it would cause an integer overflow if longer than (max size_t -/ 2). - -This is CVE-2018-14618 - -Bug: https://curl.haxx.se/docs/CVE-2018-14618.html -Closes #2756 -Reported-by: Zhaoyang Wu ---- - lib/curl_ntlm_core.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c -index e27cab353c..922e85a926 100644 ---- a/lib/curl_ntlm_core.c -+++ b/lib/curl_ntlm_core.c -@@ -526,6 +526,15 @@ - - #endif /* USE_NTLM_V2 && !USE_WINDOWS_SSPI */ - -+#ifndef SIZE_T_MAX -+/* some limits.h headers have this defined, some don't */ -+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) -+#define SIZE_T_MAX 18446744073709551615U -+#else -+#define SIZE_T_MAX 4294967295U -+#endif -+#endif -+ - /* - * Set up nt hashed passwords - * @unittest: 1600 -@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, - unsigned char *ntbuffer /* 21 bytes */) - { - size_t len = strlen(password); -- unsigned char *pw = malloc(len * 2); -+ unsigned char *pw; - CURLcode result; -+ if(len > SIZE_T_MAX/2) /* avoid integer overflow */ -+ return CURLE_OUT_OF_MEMORY; -+ pw = len ? malloc(len * 2) : strdup(""); - if(!pw) - return CURLE_OUT_OF_MEMORY; - -@@ -621,15 +630,6 @@ - return CURLE_OK; - } - --#ifndef SIZE_T_MAX --/* some limits.h headers have this defined, some don't */ --#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) --#define SIZE_T_MAX 18446744073709551615U --#else --#define SIZE_T_MAX 4294967295U --#endif --#endif -- - /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode - * (uppercase UserName + Domain) as the data - */ 
diff --git a/external/curl/CVE-2018-16890.patch b/external/curl/CVE-2018-16890.patch deleted file mode 100644 index dabb229c2e6f..000000000000 --- a/external/curl/CVE-2018-16890.patch +++ /dev/null @@ -1,39 +0,0 @@ -From b780b30d1377adb10bbe774835f49e9b237fb9bb Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <dan...@haxx.se> -Date: Wed, 2 Jan 2019 20:33:08 +0100 -Subject: [PATCH] NTLM: fix size check condition for type2 received data - -Bug: https://curl.haxx.se/docs/CVE-2018-16890.html -Reported-by: Wenxiang Qian -CVE-2018-16890 ---- - lib/vauth/ntlm.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c -index c3d55ed251..0ad4d972e3 100644 ---- a/lib/vauth/ntlm.c -+++ b/lib/vauth/ntlm.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2016, Daniel Stenberg, <dan...@haxx.se>, et al. -+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <dan...@haxx.se>, et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data, - target_info_len = Curl_read16_le(&buffer[40]); - target_info_offset = Curl_read32_le(&buffer[44]); - if(target_info_len > 0) { -- if(((target_info_offset + target_info_len) > size) || -+ if((target_info_offset >= size) || -+ ((target_info_offset + target_info_len) > size) || - (target_info_offset < 48)) { - infof(data, "NTLM handshake failure (bad type-2 message). " -- "Target Info Offset Len is set incorrect by the peer\n"); -+ "Target Info Offset Len is set incorrect by the peer\n"); - return CURLE_BAD_CONTENT_ENCODING; - } - diff --git a/external/curl/CVE-2019-3822.patch b/external/curl/CVE-2019-3822.patch deleted file mode 100644 index deb3edb3bccf..000000000000 --- a/external/curl/CVE-2019-3822.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 50c9484278c63b958655a717844f0721263939cc Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <dan...@haxx.se> -Date: Thu, 3 Jan 2019 12:59:28 +0100 -Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow - -Bug: https://curl.haxx.se/docs/CVE-2019-3822.html -Reported-by: Wenxiang Qian -CVE-2019-3822 ---- - lib/vauth/ntlm.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c -index 0ad4d972e3..6a8fc5ab3d 100644 ---- a/lib/vauth/ntlm.c -+++ b/lib/vauth/ntlm.c -@@ -779,11 +779,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, - }); - - #if USE_NTRESPONSES -- if(size < (NTLM_BUFSIZE - ntresplen)) { -- DEBUGASSERT(size == (size_t)ntrespoff); -- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); -- size += ntresplen; -+ /* ntresplen + size should not be risking an integer overflow here */ -+ if(ntresplen + size > sizeof(ntlmbuf)) { -+ failf(data, "incoming NTLM message too big"); -+ return CURLE_OUT_OF_MEMORY; - } -+ DEBUGASSERT(size == (size_t)ntrespoff); -+ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); -+ size += ntresplen; - - DEBUG_OUT({ - fprintf(stderr, "\n ntresp="); diff --git a/external/curl/ExternalPackage_curl.mk b/external/curl/ExternalPackage_curl.mk index 18907f4e5a54..1fb360c85ca9 100644 --- a/external/curl/ExternalPackage_curl.mk +++ b/external/curl/ExternalPackage_curl.mk 
@@ -14,13 +14,13 @@ $(eval $(call gb_ExternalPackage_use_external_project,curl,curl)) ifneq ($(DISABLE_DYNLOADING),TRUE) ifeq ($(COM),MSC) -$(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl$(if $(MSVC_USE_DEBUG_RUNTIME),d).dll,lib/$(if $(MSVC_USE_DEBUG_RUNTIME),debug-dll,release-dll)/libcurl$(if $(MSVC_USE_DEBUG_RUNTIME),d).dll)) +$(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl$(if $(MSVC_USE_DEBUG_RUNTIME),_debug).dll,builds/libcurl-vc12-$(if $(filter X86_64,$(CPUNAME)),x64,x86)-$(if $(MSVC_USE_DEBUG_RUNTIME),debug,release)-dll-ipv6-sspi-schannel/bin/libcurl$(if $(MSVC_USE_DEBUG_RUNTIME),_debug).dll)) else ifeq ($(OS),MACOSX) $(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.4.dylib,lib/.libs/libcurl.4.dylib)) else ifeq ($(OS),AIX) $(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.so,lib/.libs/libcurl.so.4)) else -$(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.so.4,lib/.libs/libcurl.so.4.4.0)) +$(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.so.4,lib/.libs/libcurl.so.4.7.0)) endif endif # $(DISABLE_DYNLOADING) diff --git a/external/curl/ExternalProject_curl.mk b/external/curl/ExternalProject_curl.mk index 155ad3c31834..81886b36fbc5 100644 --- a/external/curl/ExternalProject_curl.mk +++ b/external/curl/ExternalProject_curl.mk @@ -21,7 +21,7 @@ $(eval $(call gb_ExternalProject_register_targets,curl,\ ifneq ($(OS),WNT) curl_CPPFLAGS := -curl_LDFLAGS := $(if $(filter LINUX FREEBSD,$(OS)),"-Wl$(COMMA)-z$(COMMA)origin -Wl$(COMMA)-rpath$(COMMA)\\"\$$\$$ORIGIN) +curl_LDFLAGS := $(if $(filter LINUX FREEBSD,$(OS)),-Wl$(COMMA)-z$(COMMA)origin -Wl$(COMMA)-rpath$(COMMA)\$$$$ORIGIN) ifneq ($(OS),ANDROID) ifneq ($(SYSBASE),) 
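Review bot: The new MSC entry in ExternalPackage_curl.mk spells out the winbuild output directory by hand (`builds/libcurl-vc12-…-dll-ipv6-sspi-schannel/bin/`), and that name only matches while the nmake call in ExternalProject_curl.mk keeps `VC=12`, `ENABLE_IPV6=yes`, `ENABLE_SSPI=yes` and `ENABLE_WINSSL=yes`. If one of those options changes later, packaging will look in a directory that is no longer produced, and the failure shows up far from its cause. A comment above the line would help, for example `# directory name is generated by winbuild from VC/MACHINE/DEBUG/ENABLE_* in ExternalProject_curl.mk - keep in sync`. The hard-coded `libcurl.so.4.7.0` in the last branch has the same problem and needs a bump whenever a curl release changes the library version.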
@@ -35,22 +35,22 @@ ifeq ($(SYSTEM_NSS),) curl_CPPFLAGS += -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss endif -# use --with-darwinssl on Mac OS X >10.5 and iOS to get a native UI for SSL certs for CMIS usage +# use --with-secure-transport on Mac OS X >10.5 and iOS to get a native UI for SSL certs for CMIS usage # use --with-nss only on platforms other than Mac OS X and iOS $(call gb_ExternalProject_get_state_target,curl,build): $(call gb_ExternalProject_run,build,\ - CPPFLAGS="$(curl_CPPFLAGS)" \ - LDFLAGS=$(curl_LDFLAGS) \ ./configure \ $(if $(filter IOS MACOSX,$(OS)),\ - --with-darwinssl,\ + --with-secure-transport,\ $(if $(ENABLE_NSS),--with-nss$(if $(SYSTEM_NSS),,="$(call gb_UnpackedTarball_get_dir,nss)/dist/out"),--without-nss)) \ - --without-ssl --without-gnutls --without-polarssl --without-cyassl --without-axtls \ + --without-ssl --without-gnutls --without-polarssl --without-cyassl --without-axtls --without-mbedtls \ --enable-ftp --enable-http --enable-ipv6 \ - --without-libidn \ --without-libidn2 --without-libpsl --without-librtmp \ --without-libssh2 --without-metalink --without-nghttp2 \ - --disable-ares \ + --without-libssh --without-brotli \ + --without-ngtcp2 --without-quiche \ + --without-zstd --without-hyper --without-gsasl --without-gssapi \ + --disable-mqtt --disable-ares \ --disable-dict --disable-file --disable-gopher --disable-imap \ --disable-ldap --disable-ldaps --disable-manual --disable-pop3 \ --disable-rtsp --disable-smb --disable-smtp --disable-telnet \ 
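Review bot: With ENABLE_NSS unset on a non-Apple platform, this configure line passes `--without-nss` together with `--without-ssl`, `--without-gnutls` and `--without-mbedtls`, so libcurl is built with no TLS backend and https is unavailable at run time. Nothing in the recipe reports that. A comment next to the `$(if $(ENABLE_NSS),…)` line, such as `# ENABLE_NSS unset => libcurl is built without any TLS backend (no https)`, would make it explicit, or the recipe could refuse that combination. `--without-polarssl --without-cyassl --without-axtls` look like leftovers for backends that upstream has since removed or renamed, and can probably be dropped after checking `./configure --help` of 7.78.0. The recipe starts before this hunk and continues after it.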
@@ -59,19 +59,33 @@ $(call gb_ExternalProject_get_state_target,curl,build): $(if $(CROSS_COMPILING),--build=$(BUILD_PLATFORM) --host=$(HOST_PLATFORM)) \ $(if $(filter TRUE,$(DISABLE_DYNLOADING)),--disable-shared,--disable-static) \ $(if $(ENABLE_DEBUG),--enable-debug) \ + $(if $(verbose),--disable-silent-rules,--enable-silent-rules) \ $(if $(filter MACOSX,$(OS)),--prefix=/@.__________________________________________________OOO) \ + $(if $(filter MACOSX,$(OS)),CFLAGS='$(CFLAGS) \ + -mmacosx-version-min=$(MAC_OS_X_VERSION_MIN_REQUIRED_DOTS)') \ + CPPFLAGS='$(curl_CPPFLAGS)' \ + LDFLAGS='$(curl_LDFLAGS)' \ + ZLIB_CFLAGS='$(ZLIB_CFLAGS)' ZLIB_LIBS='$(ZLIB_LIBS)' \ && cd lib \ && $(MAKE) \ ) else ifeq ($(COM),MSC) +$(eval $(call gb_ExternalProject_use_nmake,curl,build)) + $(call gb_ExternalProject_get_state_target,curl,build): $(call gb_ExternalProject_run,build,\ - MAKEFLAGS= LIB="$(ILIB)" nmake -f Makefile.vc12 \ - cfg=$(if $(MSVC_USE_DEBUG_RUNTIME),debug-dll,release-dll) \ - EXCFLAGS="/EHs /D_CRT_SECURE_NO_DEPRECATE /DUSE_WINDOWS_SSPI /D_USING_V110_SDK71_ $(SOLARINC)" $(if $(filter X86_64,$(CPUNAME)),MACHINE=X64) \ - ,lib) + nmake -f Makefile.vc \ + mode=dll \ + VC=12 \ + $(if $(filter X86_64,$(CPUNAME)),MACHINE=x64,MACHINE=x86) \ + GEN_PDB=$(if $(gb_SYMBOL),yes,no) \ + DEBUG=$(if $(MSVC_USE_DEBUG_RUNTIME),yes,no) \ + ENABLE_IPV6=yes \ + ENABLE_SSPI=yes \ + ENABLE_WINSSL=yes \ + ,winbuild) endif diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk index 9e6dbac0fa28..1cdb64c0bca2 100644 --- a/external/curl/UnpackedTarball_curl.mk +++ b/external/curl/UnpackedTarball_curl.mk 
@@ -14,23 +14,14 @@ $(eval $(call gb_UnpackedTarball_set_tarball,curl,$(CURL_TARBALL),,curl)) $(eval $(call gb_UnpackedTarball_set_patchlevel,curl,1)) $(eval $(call gb_UnpackedTarball_fix_end_of_line,curl,\ - lib/Makefile.vc12 \ + winbuild/MakefileBuild.vc \ )) $(eval $(call gb_UnpackedTarball_add_patches,curl,\ external/curl/curl-msvc.patch.1 \ external/curl/curl-msvc-disable-protocols.patch.1 \ - external/curl/curl-msvc-schannel.patch.1 \ external/curl/curl-7.26.0_win-proxy.patch \ - external/curl/curl-xp.patch.1 \ - external/curl/CVE-2017-8816.patch \ - external/curl/CVE-2018-1000005.patch \ - external/curl/CVE-2018-1000007.patch \ - external/curl/CVE-2018-14618.patch \ - external/curl/CVE-2017-1000254.patch \ - external/curl/CVE-2018-1000120.patch \ - external/curl/CVE-2018-16890.patch \ - external/curl/CVE-2019-3822.patch \ + external/curl/zlib.patch.0 \ )) ifeq ($(SYSTEM_NSS),) @@ -39,12 +30,10 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\ )) endif -ifeq ($(OS),MACOSX) -ifneq ($(filter 1090 101000,$(MAC_OS_X_VERSION_MIN_REQUIRED)),) -$(eval $(call gb_UnpackedTarball_add_patches,curl,\ - external/curl/curl-osx.patch.1 \ +ifeq ($(OS)-$(COM_IS_CLANG),WNT-TRUE) +$(eval $(call gb_UnpackedTarball_add_patches,curl, \ + external/curl/clang-cl.patch.0 \ )) endif -endif # vim: set noet sw=4 ts=4: diff --git a/external/curl/clang-cl.patch.0 b/external/curl/clang-cl.patch.0 new file mode 100644 index 000000000000..2fbb10c2a9aa --- /dev/null +++ b/external/curl/clang-cl.patch.0 @@ -0,0 +1,11 @@ +--- winbuild/MakefileBuild.vc ++++ winbuild/MakefileBuild.vc +@@ -60,7 +60,7 @@ + !ELSE + CC_NODEBUG = $(CC) /O2 /DNDEBUG + CC_DEBUG = $(CC) /Od /D_DEBUG /RTC1 /Z7 /LDd +-CFLAGS = /I. /I ../lib /I../include /nologo /W4 /EHsc /DWIN32 /FD /c /DBUILDING_LIBCURL $(SOLARINC) ++CFLAGS = /I. /I ../lib /I../include /nologo /W4 /EHsc /DWIN32 /c /DBUILDING_LIBCURL $(SOLARINC) + !ENDIF + + LFLAGS = /nologo /machine:$(MACHINE) 
diff --git a/external/curl/curl-7.26.0_win-proxy.patch b/external/curl/curl-7.26.0_win-proxy.patch index 1c478868d7d2..5bb98fa04741 100644 --- a/external/curl/curl-7.26.0_win-proxy.patch +++ b/external/curl/curl-7.26.0_win-proxy.patch @@ -1,14 +1,14 @@ ---- curl-7.26.0/lib/Makefile.vc12 -+++ misc/build/curl-7.26.0/lib/Makefile.vc12 -@@ -118,7 +118,7 @@ - WINSSLLIBS = crypt32.lib - ZLIBLIBSDLL = zdll.lib - ZLIBLIBS = zlib.lib --WINLIBS = ws2_32.lib wldap32.lib advapi32.lib -+WINLIBS = ws2_32.lib wldap32.lib advapi32.lib winhttp.lib crypt32.lib - CFLAGS = $(CFLAGS) $(EXCFLAGS) +--- curl/winbuild/MakefileBuild.vc.orig 2017-10-23 17:15:22.969492548 +0200 ++++ curl/winbuild/MakefileBuild.vc 2017-10-23 17:16:38.491490679 +0200 +@@ -72,7 +72,7 @@ - CFGSET = FALSE + CFLAGS_LIBCURL_STATIC = /DCURL_STATICLIB + +-WIN_LIBS = ws2_32.lib wldap32.lib advapi32.lib crypt32.lib ++WIN_LIBS = ws2_32.lib wldap32.lib advapi32.lib crypt32.lib winhttp.lib + + BASE_NAME = libcurl + BASE_NAME_DEBUG = $(BASE_NAME)_debug --- curl-7.26.0/lib/url.c +++ misc/build/curl-7.26.0/lib/url.c @@ -78,6 +78,10 @@ @@ -23,9 +23,9 @@ #include "netrc.h" @@ -4586,6 +4590,21 @@ - return FALSE; } + #ifndef CURL_DISABLE_HTTP +#ifdef _WIN32 +static char *wstrToCstr(LPWSTR wStr) +{ 
@@ -44,20 +44,12 @@ /**************************************************************** * Detect what (if any) proxy to use. Remember that this selects a host * name and is not limited to HTTP proxies only. -@@ -4594,6 +4613,7 @@ - static char *detect_proxy(struct connectdata *conn) - { - char *proxy = NULL; -+ char *no_proxy=NULL; - - #ifndef CURL_DISABLE_HTTP - /* If proxy was not specified, we check for default proxy environment -@@ -4613,7 +4633,64 @@ +@@ -4613,6 +4633,66 @@ * For compatibility, the all-uppercase versions of these variables are * checked if the lowercase versions don't exist. */ -- char *no_proxy=NULL; +#ifdef _WIN32 ++ char *no_proxy = NULL; + WINHTTP_CURRENT_USER_IE_PROXY_CONFIG *ieProxyConfig; + ieProxyConfig = (WINHTTP_CURRENT_USER_IE_PROXY_CONFIG *) + malloc(sizeof(WINHTTP_CURRENT_USER_IE_PROXY_CONFIG)); @@ -114,15 +106,16 @@ + GlobalFree(ieProxyConfig->lpszProxy); + GlobalFree(ieProxyConfig->lpszProxyBypass); + } ++ free(no_proxy); +#else /* !WIN32 */ char proxy_env[128]; - - no_proxy=curl_getenv("no_proxy"); + const char *protop = conn->handler->scheme; + char *envp = proxy_env; @@ -4663,6 +4739,7 @@ - } - } /* if(!check_noproxy(conn->host.name, no_proxy)) - it wasn't specified - non-proxy */ + } + if(proxy) + infof(data, "Uses proxy env variable %s == '%s'", envp, proxy); +#endif /* WIN32 */ - free(no_proxy); - #else /* !CURL_DISABLE_HTTP */ + return proxy; + } diff --git a/external/curl/curl-msvc-disable-protocols.patch.1 b/external/curl/curl-msvc-disable-protocols.patch.1 index 38ff5ccb5ac0..a6d06c69b004 100644 --- a/external/curl/curl-msvc-disable-protocols.patch.1 +++ b/external/curl/curl-msvc-disable-protocols.patch.1 
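Review bot: The url.c part of curl-7.26.0_win-proxy.patch still carries its curl 7.26.0 file header and hunk positions (`@@ -4586,6 +4590,21 @@`, `@@ -4613,6 +4633,66 @@`), so against 7.78.0 it can only be placed by context search. Regenerating the patch from a patched 7.78.0 tree would make a misplaced hunk in the proxy-detection path fail loudly instead of applying with a large offset. In the `_WIN32` branch the visible lines `malloc` the `WINHTTP_CURRENT_USER_IE_PROXY_CONFIG` and later `GlobalFree` two of its members. The NULL check on that allocation and the matching `free(ieProxyConfig)` are not in the shown hunks, so both should be confirmed in the full patch. `detect_proxy` and the patch's own hunks extend beyond what this diff shows.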
@@ -2,18 +2,19 @@ disable protocols nobody needs in MSVC build --- curl/lib/config-win32.h.orig 2017-08-09 16:43:29.464000000 +0200 +++ curl/lib/config-win32.h 2017-08-09 16:47:38.549200000 +0200 -@@ -733,4 +733,19 @@ +@@ -733,4 +733,20 @@ # define ENABLE_IPV6 1 #endif +#define CURL_DISABLE_DICT 1 +#define CURL_DISABLE_FILE 1 -+//#undef CURL_DISABLE_FTP ++#undef CURL_DISABLE_FTP +#define CURL_DISABLE_GOPHER 1 -+//#undef CURL_DISABLE_HTTP ++#undef CURL_DISABLE_HTTP +#define CURL_DISABLE_IMAP 1 +#define CURL_DISABLE_LDAP 1 +#define CURL_DISABLE_LDAPS 1 ++#define CURL_DISABLE_MQTT 1 +#define CURL_DISABLE_POP3 1 +#define CURL_DISABLE_RTSP 1 +#define CURL_DISABLE_SMB 1 @@ -22,3 +23,14 @@ disable protocols nobody needs in MSVC build +#define CURL_DISABLE_TFTP 1 + #endif /* HEADER_CURL_CONFIG_WIN32_H */ +--- curl/winbuild/MakefileBuild.vc.orig 2017-10-23 23:41:21.393200000 +0200 ++++ curl/winbuild/MakefileBuild.vc 2017-10-23 23:34:16.028000000 +0200 +@@ -431,7 +431,7 @@ + + EXE_OBJS = $(CURL_OBJS) $(CURL_DIROBJ)\curl.res + +-all : $(TARGET) $(PROGRAM_NAME) ++all : $(TARGET) + + package: $(TARGET) + @cd $(DIRDIST) diff --git a/external/curl/curl-msvc-schannel.patch.1 b/external/curl/curl-msvc-schannel.patch.1 deleted file mode 100644 index 96768aa3f92c..000000000000 --- a/external/curl/curl-msvc-schannel.patch.1 +++ /dev/null 
@@ -1,22 +0,0 @@ -MSVC: use WNT native Schannel SSL/TLS implementation - ---- curl/lib/Makefile.vc12.old 2013-11-19 00:00:29.044499752 +0100 -+++ curl/lib/Makefile.vc12 2013-11-19 00:01:29.135499684 +0100 -@@ -260,7 +260,7 @@ - TARGET = $(LIBCURL_DYN_LIB_REL) - DIROBJ = $(CFG) - LNK = $(LNKDLL) $(WINLIBS) /out:$(DIROBJ)\$(TARGET) /IMPLIB:$(DIROBJ)\$(LIBCURL_IMP_LIB_REL) --CC = $(CCNODBG) $(RTLIB) -+CC = $(CCNODBG) $(RTLIB) $(CFLAGSWINSSL) - CFGSET = TRUE - RESOURCE = $(DIROBJ)\libcurl.res - !ENDIF -@@ -427,7 +427,7 @@ - TARGET = $(LIBCURL_DYN_LIB_DBG) - DIROBJ = $(CFG) - LNK = $(LNKDLL) $(WINLIBS) /DEBUG /out:$(DIROBJ)\$(TARGET) /IMPLIB:$(DIROBJ)\$(LIBCURL_IMP_LIB_DBG) /PDB:$(DIROBJ)\$(LIBCURL_DYN_LIB_PDB) --CC = $(CCDEBUG) $(RTLIBD) -+CC = $(CCDEBUG) $(RTLIBD) $(CFLAGSWINSSL) - CFGSET = TRUE - RESOURCE = $(DIROBJ)\libcurl.res - !ENDIF diff --git a/external/curl/curl-msvc.patch.1 b/external/curl/curl-msvc.patch.1 index 57a292bb69a3..a5b79a8e9c49 100644 --- a/external/curl/curl-msvc.patch.1 +++ b/external/curl/curl-msvc.patch.1 
@@ -1,27 +1,27 @@ -MSVC: using SOLARINC and EXCFLAGS +MSVC: using SOLARINC ---- curl/lib/Makefile.vc12 2012-05-24 12:07:02.000000000 -0400 -+++ curl/lib/Makefile.vc12 2012-10-29 11:53:44.658809300 -0400 -@@ -117,7 +117,7 @@ - ZLIBLIBSDLL = zdll.lib - ZLIBLIBS = zlib.lib - WINLIBS = ws2_32.lib wldap32.lib advapi32.lib --CFLAGS = $(CFLAGS) -+CFLAGS = $(CFLAGS) $(EXCFLAGS) +--- curl/winbuild/MakefileBuild.vc.orig 2017-10-23 16:36:07.713550851 +0200 ++++ curl/winbuild/MakefileBuild.vc 2017-10-23 16:38:19.301547594 +0200 +@@ -60,7 +60,7 @@ + !ELSE + CC_NODEBUG = $(CC) /O2 /DNDEBUG + CC_DEBUG = $(CC) /Od /D_DEBUG /RTC1 /Z7 /LDd +-CFLAGS = /I. /I ../lib /I../include /nologo /W4 /EHsc /DWIN32 /FD /c /DBUILDING_LIBCURL ++CFLAGS = /I. /I ../lib /I../include /nologo /W4 /EHsc /DWIN32 /FD /c /DBUILDING_LIBCURL $(SOLARINC) + !ENDIF - CFGSET = FALSE + LFLAGS = /nologo /machine:$(MACHINE) +@@ -300,11 +300,11 @@ + # CURL_XX macros are for the curl.exe command -@@ -620,11 +620,11 @@ - debug-dll-ssl-dll\libcurl.res \ - debug-dll-zlib-dll\libcurl.res \ - debug-dll-ssl-dll-zlib-dll\libcurl.res: libcurl.rc -- rc /dDEBUGBUILD=1 /Fo $@ libcurl.rc -+ rc $(SOLARINC) /dDEBUGBUILD=1 /Fo $@ libcurl.rc - - release-dll\libcurl.res \ - release-dll-ssl-dll\libcurl.res \ - release-dll-zlib-dll\libcurl.res \ - release-dll-ssl-dll-zlib-dll\libcurl.res: libcurl.rc -- rc /dDEBUGBUILD=0 /Fo $@ libcurl.rc -+ rc $(SOLARINC) /dDEBUGBUILD=0 /Fo $@ libcurl.rc - !ENDIF # End of case where a config was provided. 
+ !IF "$(DEBUG)"=="yes" +-RC_FLAGS = /dDEBUGBUILD=1 /Fo $@ $(LIBCURL_SRC_DIR)\libcurl.rc ++RC_FLAGS = $(SOLARINC) /dDEBUGBUILD=1 /Fo $@ $(LIBCURL_SRC_DIR)\libcurl.rc + CURL_CC = $(CC_DEBUG) $(RTLIB_DEBUG) + CURL_RC_FLAGS = $(CURL_RC_FLAGS) /i../include /dDEBUGBUILD=1 /Fo $@ $(CURL_SRC_DIR)\curl.rc + !ELSE +-RC_FLAGS = /dDEBUGBUILD=0 /Fo $@ $(LIBCURL_SRC_DIR)\libcurl.rc ++RC_FLAGS = $(SOLARINC) /dDEBUGBUILD=0 /Fo $@ $(LIBCURL_SRC_DIR)\libcurl.rc + CURL_CC = $(CC_NODEBUG) $(RTLIB) + CURL_RC_FLAGS = $(CURL_RC_FLAGS) /i../include /dDEBUGBUILD=0 /Fo $@ $(CURL_SRC_DIR)\curl.rc + !ENDIF diff --git a/external/curl/curl-osx.patch.1 b/external/curl/curl-osx.patch.1 deleted file mode 100644 index 7694a1dcda2c..000000000000 --- a/external/curl/curl-osx.patch.1 +++ /dev/null 
@@ -1,285 +0,0 @@ -From efebf4d4f882a57a98a0653d21d543cd4132d23d Mon Sep 17 00:00:00 2001 -From: Palo Markovic <pavol.marko...@kompiler.info> -Date: Sat, 18 Mar 2017 16:37:02 +1300 -Subject: [PATCH] macOS: Fixed crash on 10.8 caused by missing connectx() - function -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The connectx() function call appeared in Darwin 15.0.0 -That covers OS X 10.11, iOS 9 and tvOS 9. - -Because connectx is not declared with weak_import attribute it’s not possible -to build libcurl on OS X 10.11 and later and target systems which don’t have -_connectx symbol declared in libsystem_kernel.dylib (i.e. OS 10.8 and earlier). - -Solution is to use connectx only on platforms that officially support it -i.e. by defining CFLAGS="-mmacosx-version-min=10.11" in configure step. - -Note: It is possible to conditionally use connectx() in libcurl targeting -range of systems based on availability determined during runtime using dlsym(). - -[Bug: https://github.com/curl/curl/issues/1330] ---- - lib/connect.c | 2 +- - lib/curl_setup.h | 16 ++++++++++++++++ - lib/url.c | 2 +- - 3 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/lib/connect.c b/lib/connect.c -index 197eff242f..33251914b8 100644 ---- a/lib/connect.c -+++ b/lib/connect.c -@@ -1075,7 +1075,7 @@ static CURLcode singleipconnect(struct connectdata *conn, - /* Connect TCP sockets, bind UDP */ - if(!isconnected && (conn->socktype == SOCK_STREAM)) { - if(conn->bits.tcp_fastopen) { --#if defined(CONNECT_DATA_IDEMPOTENT) /* OS X */ -+#if defined(HAVE_DARWIN_CONNECTX) /* Darwin */ - sa_endpoints_t endpoints; - endpoints.sae_srcif = 0; - endpoints.sae_srcaddr = NULL; -diff --git a/lib/curl_setup.h b/lib/curl_setup.h -index 0fe3633ec7..8643e1fd28 100644 ---- a/lib/curl_setup.h -+++ b/lib/curl_setup.h -@@ -762,4 +762,20 @@ endings either CRLF or LF so 't' is appropriate. - # endif - # endif - -+/* Detect Darwin connectx() function availability. 
-+ * The connectx() function call appeared in Darwin 15.0.0 -+ * but it's not declared using availability attribute. -+ */ -+#if defined(__MAC_OS_X_VERSION_MIN_REQUIRED) -+# if (__MAC_OS_X_VERSION_MIN_REQUIRED >= 101100) -+# define HAVE_DARWIN_CONNECTX 1 -+# endif -+#elif defined(__IPHONE_OS_VERSION_MIN_REQUIRED) -+# if (__IPHONE_OS_VERSION_MIN_REQUIRED >= 90000) -+# define HAVE_DARWIN_CONNECTX 1 -+# endif -+#elif defined(CONNECT_DATA_IDEMPOTENT) /* Fallback for other Darwin OS */ -+# define HAVE_DARWIN_CONNECTX 1 -+#endif -+ - #endif /* HEADER_CURL_SETUP_H */ -diff --git a/lib/url.c b/lib/url.c -index 03feaa20f7..08fbe5132b 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -2834,7 +2834,7 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, - data->set.tcp_keepintvl = va_arg(param, long); - break; - case CURLOPT_TCP_FASTOPEN: --#if defined(CONNECT_DATA_IDEMPOTENT) || defined(MSG_FASTOPEN) -+#if defined(HAVE_DARWIN_CONNECTX) || defined(MSG_FASTOPEN) - data->set.tcp_fastopen = (0 != va_arg(param, long))?TRUE:FALSE; - #else - result = CURLE_NOT_BUILT_IN; -From 45756a8a23967570da1390f9b1475c1db38a52d1 Mon Sep 17 00:00:00 2001 -From: Palo Markovic <pavol.marko...@kompiler.info> -Date: Sat, 25 Mar 2017 13:20:51 +1300 -Subject: [PATCH] macOS: moved connectx check to configuration phase - ---- - acinclude.m4 | 40 ++++++++++++++++++++++++++++++++++++++++ - configure.ac | 1 + - lib/connect.c | 2 +- - lib/curl_setup.h | 16 ---------------- - lib/url.c | 2 +- - 5 files changed, 43 insertions(+), 18 deletions(-) - -diff --git a/acinclude.m4 b/acinclude.m4 -index 2abae8d8ad..769e67c510 100644 ---- a/acinclude.m4 -+++ b/acinclude.m4 -@@ -3243,3 +3243,43 @@ AC_DEFUN([CURL_MAC_CFLAGS], [ - fi - - ]) -+ -+ -+dnl CURL_CHECK_FUNC_CONNECTX -+dnl -+dnl Check if connectx() function is present. -+dnl The connectx() function call appeared in Darwin 15.0.0 -+dnl but it's not declared using availability attribute. 
-+dnl Additionally _connectx symbol is part of OS X 10.9/10.10 -+dnl system lib but does not have specified functionality. -+dnl -+ -+AC_DEFUN([CURL_CHECK_FUNC_CONNECTX], [ -+ AC_REQUIRE([CURL_MAC_CFLAGS])dnl -+ AC_CHECK_FUNCS([connectx]) -+ AC_MSG_CHECKING([if connectx is available in deployment target]) -+ AC_COMPILE_IFELSE( -+ [AC_LANG_PROGRAM([[ -+#if defined(HAVE_CONNECTX) -+# include <Availability.h> -+# if defined(__MAC_OS_X_VERSION_MIN_REQUIRED) -+# if (__MAC_OS_X_VERSION_MIN_REQUIRED < 101100) -+# error Function requires deployment target OS X 10.11 or later -+# endif -+# elif defined(__IPHONE_OS_VERSION_MIN_REQUIRED) -+# if (__IPHONE_OS_VERSION_MIN_REQUIRED < 90000) -+# error Function requires deployment target iOS 9.0 or later -+# endif -+# endif -+#else -+# error Function not present in the headers -+#endif -+ ]])], -+ [ -+ AC_DEFINE(HAVE_VALID_CONNECTX, 1, -+ [Set to 1 if connectx() function have specified functionality.]) -+ AC_MSG_RESULT([yes]) -+ ], -+ [AC_MSG_RESULT([no])] -+ ) -+]) -diff --git a/configure.ac b/configure.ac -index abd0def369..a3930447c3 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -3226,6 +3226,7 @@ CURL_CHECK_FUNC_BASENAME - CURL_CHECK_FUNC_CLOSESOCKET - CURL_CHECK_FUNC_CLOSESOCKET_CAMEL - CURL_CHECK_FUNC_CONNECT -+CURL_CHECK_FUNC_CONNECTX - CURL_CHECK_FUNC_FCNTL - CURL_CHECK_FUNC_FDOPEN - CURL_CHECK_FUNC_FREEADDRINFO -diff --git a/lib/connect.c b/lib/connect.c -index 33251914b8..8c5e45aea5 100644 ---- a/lib/connect.c -+++ b/lib/connect.c -@@ -1075,7 +1075,7 @@ static CURLcode singleipconnect(struct connectdata *conn, - /* Connect TCP sockets, bind UDP */ - if(!isconnected && (conn->socktype == SOCK_STREAM)) { - if(conn->bits.tcp_fastopen) { --#if defined(HAVE_DARWIN_CONNECTX) /* Darwin */ -+#if defined(HAVE_VALID_CONNECTX) /* Darwin */ - sa_endpoints_t endpoints; - endpoints.sae_srcif = 0; - endpoints.sae_srcaddr = NULL; -diff --git a/lib/curl_setup.h b/lib/curl_setup.h -index 8643e1fd28..0fe3633ec7 100644 ---- 
a/lib/curl_setup.h -+++ b/lib/curl_setup.h -@@ -762,20 +762,4 @@ endings either CRLF or LF so 't' is appropriate. - # endif - # endif - --/* Detect Darwin connectx() function availability. -- * The connectx() function call appeared in Darwin 15.0.0 -- * but it's not declared using availability attribute. -- */ --#if defined(__MAC_OS_X_VERSION_MIN_REQUIRED) --# if (__MAC_OS_X_VERSION_MIN_REQUIRED >= 101100) --# define HAVE_DARWIN_CONNECTX 1 --# endif --#elif defined(__IPHONE_OS_VERSION_MIN_REQUIRED) --# if (__IPHONE_OS_VERSION_MIN_REQUIRED >= 90000) --# define HAVE_DARWIN_CONNECTX 1 --# endif --#elif defined(CONNECT_DATA_IDEMPOTENT) /* Fallback for other Darwin OS */ --# define HAVE_DARWIN_CONNECTX 1 --#endif -- - #endif /* HEADER_CURL_SETUP_H */ -diff --git a/lib/url.c b/lib/url.c -index 08fbe5132b..7160ae041d 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -2834,7 +2834,7 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, - data->set.tcp_keepintvl = va_arg(param, long); - break; - case CURLOPT_TCP_FASTOPEN: --#if defined(HAVE_DARWIN_CONNECTX) || defined(MSG_FASTOPEN) -+#if defined(HAVE_VALID_CONNECTX) || defined(MSG_FASTOPEN) - data->set.tcp_fastopen = (0 != va_arg(param, long))?TRUE:FALSE; - #else - result = CURLE_NOT_BUILT_IN; -From 113088ac81edbb9d51582a114d006bf60e3e6a87 Mon Sep 17 00:00:00 2001 -From: Palo Markovic <pavol.marko...@kompiler.info> -Date: Wed, 5 Apr 2017 06:04:42 +1200 -Subject: [PATCH] macOS: added connectx check for cmake - ---- - CMake/CurlTests.c | 18 ++++++++++++++++++ - CMakeLists.txt | 9 +++++++++ - lib/curl_config.h.cmake | 6 ++++++ - 3 files changed, 33 insertions(+) - -diff --git a/CMake/CurlTests.c b/CMake/CurlTests.c -index bc36c8ef7d..7077059f9c 100644 ---- a/CMake/CurlTests.c -+++ b/CMake/CurlTests.c -@@ -533,3 +533,21 @@ main() { - return 0; - } - #endif -+#ifdef HAVE_VALID_CONNECTX -+# include <Availability.h> -+# include <sys/socket.h> -+# if defined(__MAC_OS_X_VERSION_MIN_REQUIRED) -+# if 
(__MAC_OS_X_VERSION_MIN_REQUIRED < 101100) -+# error Function requires deployment target OS X 10.11 or later -+# endif -+# elif defined(__IPHONE_OS_VERSION_MIN_REQUIRED) -+# if (__IPHONE_OS_VERSION_MIN_REQUIRED < 90000) -+# error Function requires deployment target iOS 9.0 or later -+# endif -+# endif -+ -+main() { -+ connectx(0, 0, 0, 0, 0, 0, 0, 0); -+ return 0; -+} -+#endif -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 8390c38c99..ab8be51ebc 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -849,6 +849,15 @@ check_symbol_exists(fcntl "${CURL_INCLUDES}" HAVE_FCNTL) - check_symbol_exists(ioctl "${CURL_INCLUDES}" HAVE_IOCTL) - check_symbol_exists(setsockopt "${CURL_INCLUDES}" HAVE_SETSOCKOPT) - -+# The connectx() function call appeared in Darwin 15.0.0 -+# but it's not declared using availability attribute. -+# Additionally _connectx symbol is part of OS X 10.9/10.10 -+# system lib but does not have specified functionality. -+check_symbol_exists(connectx "${CURL_INCLUDES}" HAVE_CONNECTX) -+if(HAVE_CONNECTX) -+ curl_internal_test_run(HAVE_VALID_CONNECTX) -+endif(HAVE_CONNECTX) -+ - # symbol exists in win32, but function does not. - check_function_exists(inet_pton HAVE_INET_PTON) - -diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake -index 9fcdd97f98..6fc4415a8d 100644 ---- a/lib/curl_config.h.cmake -+++ b/lib/curl_config.h.cmake -@@ -130,6 +130,9 @@ - /* Define to 1 if bool is an available type. */ - #cmakedefine HAVE_BOOL_T 1 - -+/* Define to 1 if you have the connectx function. */ -+#cmakedefine HAVE_CONNECTX 1 -+ - /* Define to 1 if you have the clock_gettime function and monotonic timer. */ - #cmakedefine HAVE_CLOCK_GETTIME_MONOTONIC 1 - -@@ -719,6 +722,9 @@ - /* Define to 1 if you have the <utime.h> header file. */ - #cmakedefine HAVE_UTIME_H 1 - -+/* Define to 1 if you have valid connectx function. */ -+#cmakedefine HAVE_VALID_CONNECTX 1 -+ - /* Define to 1 if compiler supports C99 variadic macro style. 
*/ - #cmakedefine HAVE_VARIADIC_MACROS_C99 1 - diff --git a/external/curl/curl-xp.patch.1 b/external/curl/curl-xp.patch.1 deleted file mode 100644 index 9e4163e3eab1..000000000000 --- a/external/curl/curl-xp.patch.1 +++ /dev/null @@ -1,12 +0,0 @@ -diff -ur curl.org/src/Makefile.vc10 curl/src/Makefile.vc10 ---- curl.org/src/Makefile.vc10 2016-07-04 03:45:24.102995951 +0200 -+++ curl/src/Makefile.vc10 2016-07-04 03:48:00.547835559 +0200 -@@ -127,7 +127,7 @@ - LINKD = link.exe /incremental:yes /debug /libpath:"../lib" - RCD = rc.exe /dDEBUGBUILD=1 - --CFLAGS = /I../lib /I../include /nologo /W3 /EHsc /DWIN32 /FD /c /D_BIND_TO_CURRENT_VCLIBS_VERSION=1 -+CFLAGS = /I../lib /I../include /nologo /W3 /EHsc /DWIN32 /FD /c /D_BIND_TO_CURRENT_VCLIBS_VERSION=1 /D_WIN32_WINNT=0x0502 - LFLAGS = /nologo /out:$(PROGRAM_NAME) /subsystem:console /machine:$(MACHINE) - RESFLAGS = /i../include - diff --git a/external/curl/zlib.patch.0 b/external/curl/zlib.patch.0 new file mode 100644 index 000000000000..f4a0ad4b152f --- /dev/null +++ b/external/curl/zlib.patch.0 
@@ -0,0 +1,90 @@ +--- configure ++++ configure +@@ -20709,7 +20709,6 @@ + clean_CPPFLAGS=$CPPFLAGS + clean_LDFLAGS=$LDFLAGS + clean_LIBS=$LIBS +-ZLIB_LIBS="" + + # Check whether --with-zlib was given. + if test "${with_zlib+set}" = set; then : +@@ -20718,6 +20719,7 @@ + + + if test "$OPT_ZLIB" = "no" ; then ++ ZLIB_LIBS="" + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: zlib disabled" >&5 + $as_echo "$as_me: WARNING: zlib disabled" >&2;} + else +@@ -20725,6 +20725,21 @@ + OPT_ZLIB="" + fi + ++ if test -n "$ZLIB_CFLAGS$ZLIB_LIBS"; then ++ CPPFLAGS="$CPPFLAGS $ZLIB_CFLAGS" ++ LIBS="$ZLIB_LIBS $LIBS" ++ HAVE_LIBZ="1" ++ ++ ++$as_echo "#define HAVE_ZLIB_H 1" >>confdefs.h ++ ++ ++$as_echo "#define HAVE_LIBZ 1" >>confdefs.h ++ ++ AMFIXLIB="1" ++ else ++ ZLIB_LIBS="" ++ + if test -z "$OPT_ZLIB" ; then + + if test -n "$PKG_CONFIG"; then +@@ -21005,6 +21020,7 @@ + $as_echo "$as_me: found both libz and libz.h header" >&6;} + curl_zlib_msg="enabled" + fi ++ fi + fi + + if test x"$AMFIXLIB" = x1; then +--- configure.ac ++++ configure.ac +@@ -880,19 +880,30 @@ + clean_CPPFLAGS=$CPPFLAGS + clean_LDFLAGS=$LDFLAGS + clean_LIBS=$LIBS +-ZLIB_LIBS="" + AC_ARG_WITH(zlib, + AS_HELP_STRING([--with-zlib=PATH],[search for zlib in PATH]) + AS_HELP_STRING([--without-zlib],[disable use of zlib]), + [OPT_ZLIB="$withval"]) + + if test "$OPT_ZLIB" = "no" ; then ++ ZLIB_LIBS="" + AC_MSG_WARN([zlib disabled]) + else + if test "$OPT_ZLIB" = "yes" ; then + OPT_ZLIB="" + fi + ++ if test -n "$ZLIB_CFLAGS$ZLIB_LIBS"; then ++ CPPFLAGS="$CPPFLAGS $ZLIB_CFLAGS" ++ LIBS="$ZLIB_LIBS $LIBS" ++ HAVE_LIBZ="1" ++ AC_SUBST(HAVE_LIBZ) ++ AC_DEFINE(HAVE_ZLIB_H, 1, [if you have the zlib.h header file]) ++ AC_DEFINE(HAVE_LIBZ, 1, [if zlib is available]) ++ AMFIXLIB="1" ++ else ++ ZLIB_LIBS="" ++ + if test -z "$OPT_ZLIB" ; then + CURL_CHECK_PKGCONFIG(zlib) + +@@ -975,6 +986,7 @@ + AC_MSG_NOTICE([found both libz and libz.h header]) + curl_zlib_msg="enabled" + fi ++ fi + fi + + dnl set variable for use in 
automakefile(s) commit 83f4ac88a85fc725aa31f71ed0b0056d9d4fe26d Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Wed Aug 25 11:32:11 2021 +0200 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Thu Sep 9 13:11:16 2021 +0200 openssl: add patch for CVE-2021-3712 Change-Id: I4061cbac18ddf9c7f932a27bf2b54a2b1c2f9d99 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121029 Tested-by: Michael Stahl <michael.st...@allotropia.de> Reviewed-by: Michael Stahl <michael.st...@allotropia.de> diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk index ba11384bb124..fee20e521e95 100644 --- a/external/openssl/UnpackedTarball_openssl.mk +++ b/external/openssl/UnpackedTarball_openssl.mk @@ -21,6 +21,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,openssl,\ external/openssl/openssl-3650-masm.patch.1 \ external/openssl/openssl-fixbuild.patch.1 \ external/openssl/openssl-1.0.2k-cve-2020-1971.patch.1 \ + external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 \ )) # vim: set noet sw=4 ts=4: diff --git a/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 b/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 new file mode 100644 index 000000000000..cf809750ecfb --- /dev/null +++ b/external/openssl/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch.1 
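Review bot: In `zlib.patch.0`, the new `if test -n "$ZLIB_CFLAGS$ZLIB_LIBS"` branch defines `HAVE_ZLIB_H` and `HAVE_LIBZ` without any header or library check and without setting `curl_zlib_msg`. The existing detection path, now in the `else` branch, still sets it to `"enabled"`. A stale or wrong `ZLIB_CFLAGS`/`ZLIB_LIBS` inherited from the environment would therefore only surface at compile or link time, and the configure summary presumably still reports zlib as not enabled. I would add `curl_zlib_msg="enabled"` next to `AMFIXLIB="1"` in both the `configure` and `configure.ac` parts. A one-line comment should also say that the two variables are trusted as given, assuming the surrounding build is what supplies them.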
@@ -0,0 +1,56 @@ +From ccb0a11145ee72b042d10593a64eaf9e8a55ec12 Mon Sep 17 00:00:00 2001 +From: Matt Caswell <m...@openssl.org> +Date: Tue, 17 Aug 2021 14:41:48 +0100 +Subject: [PATCH] Fix a read buffer overrun in X509_CERT_AUX_print() + +This is a backport of commit c5dc9ab965f to 1.0.2. That commit fixed +the same bug but in master/1.1.1 it is in the function X509_aux_print(). +The original commit had the following description: + +Fix a read buffer overrun in X509_aux_print(). + +The ASN1_STRING_get0_data(3) manual explitely cautions the reader +that the data is not necessarily NUL-terminated, and the function +X509_alias_set1(3) does not sanitize the data passed into it in any +way either, so we must assume the return value from X509_alias_get0(3) +is merely a byte array and not necessarily a string in the sense +of the C language. + +I found this bug while writing manual pages for X509_print_ex(3) +and related functions. Theo Buehler <t...@openbsd.org> checked my +patch to fix the same bug in LibreSSL, see + +http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9 + +As an aside, note that the function still produces incomplete and +misleading results when the data contains a NUL byte in the middle +and that error handling is consistently absent throughout, even +though the function provides an "int" return value obviously intended +to be 1 for success and 0 for failure, and even though this function +is called by another function that also wants to return 1 for success +and 0 for failure and even does so in many of its code paths, though +not in others. But let's stay focussed. Many things would be nice +to have in the wide wild world, but a buffer overflow must not be +allowed to remain in our backyard. 
+ +CVE-2021-3712 + +Reviewed-by: Paul Dale <pa...@openssl.org> +--- + crypto/asn1/t_x509a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c +index d1b897a469fd..b1bc9d0cd28b 100644 +--- a/crypto/asn1/t_x509a.c ++++ b/crypto/asn1/t_x509a.c +@@ -104,7 +104,8 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) + } else + BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); + if (aux->alias) +- BIO_printf(out, "%*sAlias: %s\n", indent, "", aux->alias->data); ++ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", aux->alias->length, ++ aux->alias->data); + if (aux->keyid) { + BIO_printf(out, "%*sKey Id: ", indent, ""); + for (i = 0; i < aux->keyid->length; i++) commit 5d70b9ea74fcb2956a6b6953aafc6c5b7eecff37 Author: Stephan Bergmann <sberg...@redhat.com> AuthorDate: Thu Jan 7 10:15:51 2021 +0100 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Thu Sep 9 13:09:20 2021 +0200 openssl_headers depends on generated opensslconf.h ...at workdir/UnpackedTarball/openssl/include/openssl/opensslconf.h, as can be seen with failed builds like <https://ci.libreoffice.org//job/lo_tb_master_mac/35209>: [...] > [build PAT] openssl > [build C ] UnpackedTarball/mariadb-connector-c/plugins/auth/caching_sha2_pw.c > [build C ] UnpackedTarball/mariadb-connector-c/libmariadb/secure/openssl_crypt.c > [build DEP] LNK:Library/libclucene.dylib > [build LNK] Library/libclucene.dylib > In file included from /Users/tdf/lode/jenkins/workspace/lo_tb_master_mac/workdir/UnpackedTarball/mariadb-connector-c/libmariadb/secure/openssl_crypt.c:21: > /Users/tdf/lode/jenkins/workspace/lo_tb_master_mac/workdir/UnpackedTarball/openssl/include/openssl/evp.h:13:11: fatal error: 'openssl/opensslconf.h' file not found > # include <openssl/opensslconf.h> > ^~~~~~~~~~~~~~~~~~~~~~~ > 1 error generated. 
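Review bot: The added patch bounds only the `Alias:` line in `X509_CERT_AUX_print()`, by switching to `%.*s` with `aux->alias->length`. As far as I know, CVE-2021-3712 covers several read overruns in ASN.1 string handling, so the commit title may promise more than this one-hunk backport delivers. A comment above the `gb_UnpackedTarball_add_patches` call in `UnpackedTarball_openssl.mk` should state the scope, for example `# ccb0a111...patch.1: CVE-2021-3712, X509_CERT_AUX_print alias output only`. Naming the file after the CVE, as `openssl-1.0.2k-cve-2020-1971.patch.1` does, would also make it easier to find than a bare commit hash. The body of `X509_CERT_AUX_print()` continues outside the hunk, so other `%s` uses on ASN.1 data in that function cannot be ruled out from here.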
Change-Id: Ied1dcdd0afb6099e9218671c6a06c0edaafc931e Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108928 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sberg...@redhat.com> (cherry picked from commit 0f7008e91f45cf8e3cee6f372ce012b38a795e26) diff --git a/RepositoryExternal.mk b/RepositoryExternal.mk index a02b399679ff..c28714da5e99 100644 --- a/RepositoryExternal.mk +++ b/RepositoryExternal.mk @@ -1516,7 +1516,7 @@ $(call gb_ExternalProject_use_package,$(1),openssl) endef define gb_LinkTarget__use_openssl_headers -$(call gb_LinkTarget_use_external_project,$(1),openssl) +$(call gb_LinkTarget_use_external_project,$(1),openssl,full) $(call gb_LinkTarget_set_include,$(1),\ -I$(call gb_UnpackedTarball_get_dir,openssl)/include \ $$(INCLUDE) \ commit b6c6fa12d75f51fa05f7ecfcdad1fa0a3ae4ff84 Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Wed Jan 6 17:39:19 2021 +0100 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Thu Sep 9 13:07:54 2021 +0200 openssl: add patch to fix CVE-2020-1971 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108884 Tested-by: Jenkins Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de> (cherry picked from commit b4c5bd9b330068e8c550e398cf761457ec9b6aa4) Change-Id: Ia756f1fa642eeb6dcadc867cc9730732a73c11b4 diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk index 5845e31a436a..ba11384bb124 100644 --- a/external/openssl/UnpackedTarball_openssl.mk +++ b/external/openssl/UnpackedTarball_openssl.mk @@ -20,6 +20,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,openssl,\ external/openssl/opensslosxppc.patch \ external/openssl/openssl-3650-masm.patch.1 \ external/openssl/openssl-fixbuild.patch.1 \ + external/openssl/openssl-1.0.2k-cve-2020-1971.patch.1 \ )) # vim: set noet sw=4 ts=4: 
diff --git a/external/openssl/openssl-1.0.2k-cve-2020-1971.patch.1 b/external/openssl/openssl-1.0.2k-cve-2020-1971.patch.1 new file mode 100644 index 000000000000..313f9cd870d7 --- /dev/null +++ b/external/openssl/openssl-1.0.2k-cve-2020-1971.patch.1 
@@ -0,0 +1,578 @@ +diff -up openssl-1.0.2k/crypto/asn1/asn1_err.c.null-dereference openssl-1.0.2k/crypto/asn1/asn1_err.c +--- openssl-1.0.2k/crypto/asn1/asn1_err.c.null-dereference 2020-12-04 10:08:08.506247597 +0100 ++++ openssl-1.0.2k/crypto/asn1/asn1_err.c 2020-12-04 10:12:31.901956486 +0100 +@@ -1,6 +1,6 @@ + /* crypto/asn1/asn1_err.c */ + /* ==================================================================== +- * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 1999-2020 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -103,6 +103,7 @@ static ERR_STRING_DATA ASN1_str_functs[] + {ERR_FUNC(ASN1_F_ASN1_ITEM_DUP), "ASN1_item_dup"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW), "ASN1_ITEM_EX_COMBINE_NEW"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I), "ASN1_ITEM_EX_D2I"}, ++ {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EX_I2D, 0), "ASN1_item_ex_i2d"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_BIO), "ASN1_item_i2d_bio"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP), "ASN1_item_i2d_fp"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_PACK), "ASN1_item_pack"}, +@@ -202,6 +203,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ + {ERR_REASON(ASN1_R_AUX_ERROR), "aux error"}, + {ERR_REASON(ASN1_R_BAD_CLASS), "bad class"}, + {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER), "bad object header"}, ++ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_TEMPLATE), "bad template"}, + {ERR_REASON(ASN1_R_BAD_PASSWORD_READ), "bad password read"}, + {ERR_REASON(ASN1_R_BAD_TAG), "bad tag"}, + {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH), +diff -up openssl-1.0.2k/crypto/asn1/asn1.h.null-dereference openssl-1.0.2k/crypto/asn1/asn1.h +--- openssl-1.0.2k/crypto/asn1/asn1.h.null-dereference 2020-12-04 11:00:06.896637900 +0100 ++++ openssl-1.0.2k/crypto/asn1/asn1.h 2020-12-04 11:04:47.079562987 +0100 +@@ -1202,6 +1202,7 @@ void ERR_load_ASN1_strings(void); + # define 
ASN1_F_ASN1_ITEM_DUP 191 + # define ASN1_F_ASN1_ITEM_EX_COMBINE_NEW 121 + # define ASN1_F_ASN1_ITEM_EX_D2I 120 ++# define ASN1_F_ASN1_ITEM_EX_I2D 231 + # define ASN1_F_ASN1_ITEM_I2D_BIO 192 + # define ASN1_F_ASN1_ITEM_I2D_FP 193 + # define ASN1_F_ASN1_ITEM_PACK 198 +@@ -1298,6 +1299,7 @@ void ERR_load_ASN1_strings(void); + # define ASN1_R_AUX_ERROR 100 + # define ASN1_R_BAD_CLASS 101 + # define ASN1_R_BAD_OBJECT_HEADER 102 ++# define ASN1_R_BAD_TEMPLATE 230 + # define ASN1_R_BAD_PASSWORD_READ 103 + # define ASN1_R_BAD_TAG 104 + # define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214 +diff -up openssl-1.0.2k/crypto/asn1/tasn_dec.c.null-dereference openssl-1.0.2k/crypto/asn1/tasn_dec.c +--- openssl-1.0.2k/crypto/asn1/tasn_dec.c.null-dereference 2020-12-04 10:12:42.036057323 +0100 ++++ openssl-1.0.2k/crypto/asn1/tasn_dec.c 2020-12-04 10:17:45.685035333 +0100 +@@ -223,6 +223,15 @@ static int asn1_item_ex_d2i(ASN1_VALUE * + break; + + case ASN1_ITYPE_MSTRING: ++ /* ++ * It never makes sense for multi-strings to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE); ++ goto err; ++ } ++ + p = *in; + /* Just read in tag and class */ + ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, +@@ -240,6 +249,7 @@ static int asn1_item_ex_d2i(ASN1_VALUE * + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL); + goto err; + } ++ + /* Check tag matches bit map */ + if (!(ASN1_tag2bit(otag) & it->utype)) { + /* If OPTIONAL, assume this is OK */ +@@ -316,6 +326,15 @@ static int asn1_item_ex_d2i(ASN1_VALUE * + goto err; + + case ASN1_ITYPE_CHOICE: ++ /* ++ * It never makes sense for CHOICE types to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. 
++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE); ++ goto err; ++ } ++ + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; + if (*pval) { +diff -up openssl-1.0.2k/crypto/asn1/tasn_enc.c.null-dereference openssl-1.0.2k/crypto/asn1/tasn_enc.c +--- openssl-1.0.2k/crypto/asn1/tasn_enc.c.null-dereference 2020-12-04 10:18:30.261472002 +0100 ++++ openssl-1.0.2k/crypto/asn1/tasn_enc.c 2020-12-04 10:21:14.310078987 +0100 +@@ -151,9 +151,25 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, + break; + + case ASN1_ITYPE_MSTRING: ++ /* ++ * It never makes sense for multi-strings to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. ++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); ++ return -1; ++ } + return asn1_i2d_ex_primitive(pval, out, it, -1, aclass); + + case ASN1_ITYPE_CHOICE: ++ /* ++ * It never makes sense for CHOICE types to have implicit tagging, so ++ * if tag != -1, then this looks like an error in the template. 
++ */ ++ if (tag != -1) { ++ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); ++ return -1; ++ } + if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) + return 0; + i = asn1_get_choice_selector(pval, it); +diff -up openssl-1.0.2k/crypto/x509v3/v3_genn.c.null-dereference openssl-1.0.2k/crypto/x509v3/v3_genn.c +--- openssl-1.0.2k/crypto/x509v3/v3_genn.c.null-dereference 2020-12-04 10:28:02.374237945 +0100 ++++ openssl-1.0.2k/crypto/x509v3/v3_genn.c 2020-12-04 10:36:51.156138263 +0100 +@@ -72,8 +72,9 @@ ASN1_SEQUENCE(OTHERNAME) = { + IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME) + + ASN1_SEQUENCE(EDIPARTYNAME) = { +- ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), +- ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) ++ /* DirectoryString is a CHOICE type so use explicit tagging */ ++ ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), ++ ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) + } ASN1_SEQUENCE_END(EDIPARTYNAME) + + IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME) +@@ -107,6 +108,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_N + (char *)a); + } + ++static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) ++{ ++ int res; ++ ++ if (a == NULL || b == NULL) { ++ /* ++ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it ++ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here ++ */ ++ return -1; ++ } ++ if (a->nameAssigner == NULL && b->nameAssigner != NULL) ++ return -1; ++ if (a->nameAssigner != NULL && b->nameAssigner == NULL) ++ return 1; ++ /* If we get here then both have nameAssigner set, or both unset */ ++ if (a->nameAssigner != NULL) { ++ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); ++ if (res != 0) ++ return res; ++ } ++ /* ++ * partyName is required, so these should never be NULL. 
We treat it in ++ * the same way as the a == NULL || b == NULL case above ++ */ ++ if (a->partyName == NULL || b->partyName == NULL) ++ return -1; ++ ++ return ASN1_STRING_cmp(a->partyName, b->partyName); ++} ++ + /* Returns 0 if they are equal, != 0 otherwise. */ + int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + { +@@ -116,8 +148,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GE + return -1; + switch (a->type) { + case GEN_X400: ++ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); ++ break; ++ + case GEN_EDIPARTY: +- result = ASN1_TYPE_cmp(a->d.other, b->d.other); ++ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName); + break; + + case GEN_OTHERNAME: +@@ -164,8 +199,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAM + { + switch (type) { + case GEN_X400: ++ a->d.x400Address = value; ++ break; ++ + case GEN_EDIPARTY: +- a->d.other = value; ++ a->d.ediPartyName = value; + break; + + case GEN_OTHERNAME: +@@ -199,8 +237,10 @@ void *GENERAL_NAME_get0_value(GENERAL_NA + *ptype = a->type; + switch (a->type) { + case GEN_X400: ++ return a->d.x400Address; ++ + case GEN_EDIPARTY: +- return a->d.other; ++ return a->d.ediPartyName; + + case GEN_OTHERNAME: + return a->d.otherName; +diff -up openssl-1.0.2k/crypto/x509v3/v3nametest.c.null-dereference openssl-1.0.2k/crypto/x509v3/v3nametest.c +--- openssl-1.0.2k/crypto/x509v3/v3nametest.c.null-dereference 2020-12-04 10:28:02.374237945 +0100 ++++ openssl-1.0.2k/crypto/x509v3/v3nametest.c 2020-12-04 10:36:51.156138263 +0100 +@@ -321,6 +321,356 @@ static void run_cert(X509 *crt, const ch + } + } + ++struct gennamedata { ++ const unsigned char der[22]; ++ size_t derlen; ++} gennames[] = { ++ { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * SEQUENCE {} ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x30, 0x00 ++ }, ++ 21 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 
1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * [APPLICATION 0] {} ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x60, 0x00 ++ }, ++ 21 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.2 } ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x02, 0xa0, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * UTF8String { "b" } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * BOOLEAN { TRUE } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0xff ++ }, ++ 22 ++ }, { ++ /* ++ * [0] { ++ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 } ++ * [0] { ++ * BOOLEAN { FALSE } ++ * } ++ * } ++ */ ++ { ++ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, ++ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0x00 ++ }, ++ 22 ++ }, { ++ /* [1 PRIMITIVE] { "a" } */ ++ { ++ 0x81, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [1 PRIMITIVE] { "b" } */ ++ { ++ 0x81, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* [2 PRIMITIVE] { "a" } */ ++ { ++ 0x82, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [2 PRIMITIVE] { "b" } */ ++ { ++ 0x82, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* ++ * 
[4] { ++ * SEQUENCE { ++ * SET { ++ * SEQUENCE { ++ * # commonName ++ * OBJECT_IDENTIFIER { 2.5.4.3 } ++ * UTF8String { "a" } ++ * } ++ * } ++ * } ++ * } ++ */ ++ { ++ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55, ++ 0x04, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 16 ++ }, { ++ /* ++ * [4] { ++ * SEQUENCE { ++ * SET { ++ * SEQUENCE { ++ * # commonName ++ * OBJECT_IDENTIFIER { 2.5.4.3 } ++ * UTF8String { "b" } ++ * } ++ * } ++ * } ++ * } ++ */ ++ { ++ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55, ++ 0x04, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 16 ++ }, { ++ /* ++ * [5] { ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 7 ++ }, { ++ /* ++ * [5] { ++ * [1] { ++ * UTF8String { "b" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x62 ++ }, ++ 7 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String {} ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x09, 0xa0, 0x02, 0x0c, 0x00, 0xa1, 0x03, 0x0c, 0x01, 0x61 ++ }, ++ 11 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String { "a" } ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x61, 0xa1, 0x03, 0x0c, 0x01, ++ 0x61 ++ }, ++ 12 ++ }, { ++ /* ++ * [5] { ++ * [0] { ++ * UTF8String { "b" } ++ * } ++ * [1] { ++ * UTF8String { "a" } ++ * } ++ * } ++ */ ++ { ++ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x62, 0xa1, 0x03, 0x0c, 0x01, ++ 0x61 ++ }, ++ 12 ++ }, { ++ /* [6 PRIMITIVE] { "a" } */ ++ { ++ 0x86, 0x01, 0x61 ++ }, ++ 3 ++ }, { ++ /* [6 PRIMITIVE] { "b" } */ ++ { ++ 0x86, 0x01, 0x62 ++ }, ++ 3 ++ }, { ++ /* [7 PRIMITIVE] { `11111111` } */ ++ { ++ 0x87, 0x04, 0x11, 0x11, 0x11, 0x11 ++ }, ++ 6 ++ }, { ++ /* [7 PRIMITIVE] { `22222222`} */ ++ { ++ 0x87, 0x04, 0x22, 0x22, 0x22, 0x22 ++ }, ++ 6 ++ }, { ++ /* [7 PRIMITIVE] { `11111111111111111111111111111111` } */ ++ { ++ 0x87, 0x10, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, ++ 0x11, 0x11, 
0x11, 0x11, 0x11, 0x11, 0x11 ++ }, ++ 18 ++ }, { ++ /* [7 PRIMITIVE] { `22222222222222222222222222222222` } */ ++ { ++ 0x87, 0x10, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, ++ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 ++ }, ++ 18 ++ }, { ++ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.1 } */ ++ { ++ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, ++ 0xb7, 0x09, 0x02, 0x01 ++ }, ++ 15 ++ }, { ++ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.2 } */ ++ { ++ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, ++ 0xb7, 0x09, 0x02, 0x02 ++ }, ++ 15 ++ } ++}; ++ ++#define OSSL_NELEM(x) (sizeof(x)/sizeof((x)[0])) ++ ++static int test_GENERAL_NAME_cmp(void) ++{ ++ size_t i, j; ++ GENERAL_NAME **namesa = OPENSSL_malloc(sizeof(*namesa) ++ * OSSL_NELEM(gennames)); ++ GENERAL_NAME **namesb = OPENSSL_malloc(sizeof(*namesb) ++ * OSSL_NELEM(gennames)); ++ int testresult = 0; ++ ++ if (namesa == NULL || namesb == NULL) ++ goto end; ++ ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ const unsigned char *derp = gennames[i].der; ++ ++ /* ++ * We create two versions of each GENERAL_NAME so that we ensure when ++ * we compare them they are always different pointers. ++ */ ++ namesa[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen); ++ derp = gennames[i].der; ++ namesb[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen); ++ if (namesa[i] == NULL || namesb[i] == NULL) ++ goto end; ++ } ++ ++ /* Every name should be equal to itself and not equal to any others. 
*/ ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ for (j = 0; j < OSSL_NELEM(gennames); j++) { ++ if (i == j) { ++ if (GENERAL_NAME_cmp(namesa[i], namesb[j]) != 0) ++ goto end; ++ } else { ++ if (GENERAL_NAME_cmp(namesa[i], namesb[j]) == 0) ++ goto end; ++ } ++ } ++ } ++ testresult = 1; ++ ++ end: ++ for (i = 0; i < OSSL_NELEM(gennames); i++) { ++ if (namesa != NULL) ++ GENERAL_NAME_free(namesa[i]); ++ if (namesb != NULL) ++ GENERAL_NAME_free(namesb[i]); ++ } ++ OPENSSL_free(namesa); ++ OPENSSL_free(namesb); ++ ++ if (!testresult) ++ fprintf(stderr, "test of GENERAL_NAME_cmp failed\n"); ++ ++ return testresult; ++} ++ ++ ++ + int main(void) + { + const struct set_name_fn *pfn = name_fns; +@@ -342,5 +692,8 @@ int main(void) + } + ++pfn; + } ++ ++ errors += !test_GENERAL_NAME_cmp(); ++ + return errors > 0 ? 1 : 0; + } commit bd98f525b5284a3b1f93488e0ccf9035cfe4b8ea Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Tue May 25 10:44:13 2021 +0100 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Thu Sep 9 12:51:36 2021 +0200 upgrade to Expat 2.4.1 drop ubsan patch in favour of fix applied as https://github.com/libexpat/libexpat/pull/398 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/116102 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 740d12d8a8294d4bfd28e6c3e4cf1e0ed560b198) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/119426 Tested-by: Thorsten Behrens <thorsten.behr...@allotropia.de> Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de> Change-Id: I59eb9e24206b9a4cf323b7f7d48d8df0792a1c46 diff --git a/download.lst b/download.lst index 8845610781a3..34ee34fc40cb 100644 --- a/download.lst +++ b/download.lst 
@@ -41,8 +41,8 @@ export EPM_TARBALL := 3ade8cfe7e59ca8e65052644fed9fca4-epm-3.7.tar.gz
 export ETONYEK_SHA256SUM := 032f53e8d7691e48a73ddbe74fa84c906ff6ff32a33e6ee2a935b6fdb6aecb78
 export ETONYEK_VERSION_MICRO := 6
 export ETONYEK_TARBALL := libetonyek-0.1.$(ETONYEK_VERSION_MICRO).tar.bz2
-export EXPAT_SHA256SUM := 9a130948b05a82da34e4171d5f5ae5d321d9630277af02c8fa51e431f6475102
-export EXPAT_TARBALL := expat-2.2.8.tar.bz2
+export EXPAT_SHA256SUM := 2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40
+export EXPAT_TARBALL := expat-2.4.1.tar.bz2
 export FIREBIRD_SHA256SUM := 6994be3555e23226630c587444be19d309b25b0fcf1f87df3b4e3f88943e5860
 export FIREBIRD_TARBALL := Firebird-3.0.0.32483-0.tar.bz2
 export FONTCONFIG_SHA256SUM := b449a3e10c47e1d1c7a6ec6e2016cca73d3bd68fbbd4f0ae5cc6b573f7d6c7f3
diff --git a/external/expat/expat-winapi.patch b/external/expat/expat-winapi.patch
index b33c12b83b4c..bd4da1472fc8 100644
--- a/external/expat/expat-winapi.patch
+++ b/external/expat/expat-winapi.patch
@@ -11,3 +11,17 @@ # endif #endif /* not defined XML_STATIC */ +--- misc/expat-2.1.0/lib/xmlparse.c 2021-05-23 16:56:25.000000000 +0100 ++++ misc/build/expat-2.1.0/lib/xmlparse.c 2021-05-25 12:42:11.997173600 +0100 +@@ -92,6 +92,11 @@ + + #include <expat_config.h> + ++#ifdef _WIN32 ++# undef HAVE_GETRANDOM ++# undef HAVE_SYSCALL_GETRANDOM ++#endif ++ + #include "ascii.h" + #include "expat.h" + #include "siphash.h" commit 4abddfd6499404f06b719741ec3579de4150758e Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Fri May 21 13:33:26 2021 +0200 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Thu Sep 9 12:48:45 2021 +0200 libxml2: upgrade to release 2.9.12 Fixes: CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3537 CVE-2021-3541 * external/libxml2/ubsan.patch.0: remove, fixed upstream Reviewed-on: https://gerrit.libreoffice.org/c/core/+/115913 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit bf0c6a98ae38cd2188d7f7e94f1563e5ce6a8ce4) Change-Id: I347dc854b862e78bde87d3e57cf5fdb584ca5673 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/115935 Tested-by: Michael Stahl <michael.st...@allotropia.de> Reviewed-by: Michael Stahl <michael.st...@allotropia.de> diff --git a/download.lst b/download.lst index 376f8b7f3fd2..8845610781a3 100644 --- a/download.lst +++ b/download.lst 
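Review bot: The `#ifdef _WIN32` block that this patch inserts into lib/xmlparse.c undefines `HAVE_GETRANDOM` and `HAVE_SYSCALL_GETRANDOM` with no comment saying why, or which entropy source is then left to seed the parser's hash salt on Windows. Those macros select how expat gathers random bytes for its SipHash-keyed hashing (siphash.h is included a few lines below), so a reader has to take on trust that the Windows build still reaches a strong source — presumably the `rand_s` path expat keeps under `_WIN32`, which is not visible in this hunk — rather than a time-based fallback. I would add a line inside the block such as `/* configure may report getrandom on Windows; force expat's _WIN32 entropy path instead */` and confirm that the Windows build does not define `XML_POOR_ENTROPY`. The embedded file header also still names `misc/expat-2.1.0/` although the tarball is now 2.4.1; that looks cosmetic, but refreshing it would make the patch easier to audit against the upstream source.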
@@ -139,8 +139,8 @@ export LIBTOMMATH_SHA256SUM := 083daa92d8ee6f4af96a6143b12d7fc8fe1a547e14f862304 export LIBTOMMATH_TARBALL := ltm-1.0.zip export LIBXMLSEC_SHA256SUM := 99a8643f118bb1261a72162f83e2deba0f4f690893b4b90e1be4f708e8d481cc export LIBXMLSEC_TARBALL := xmlsec1-1.2.24.tar.gz -export LIBXML_SHA256SUM := aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f -export LIBXML_VERSION_MICRO := 10 +export LIBXML_SHA256SUM := c8d6681e38c56f172892c85ddc0852e1fd4b53b4209e7f4ebf17f7e2eae71d92 +export LIBXML_VERSION_MICRO := 12 export LIBXML_TARBALL := libxml2-2.9.$(LIBXML_VERSION_MICRO).tar.gz export LIBXSLT_SHA256SUM := 98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f export LIBXSLT_VERSION_MICRO := 34 diff --git a/external/libxml2/libxml2-config.patch.1 b/external/libxml2/libxml2-config.patch.1 index 7ad61923ebee..28ac8f2809a7 100644 --- a/external/libxml2/libxml2-config.patch.1 +++ b/external/libxml2/libxml2-config.patch.1 @@ -18,9 +18,9 @@ Hack the xml2-config to return paths into WORKDIR. +exec_prefix=${WORKDIR}/UnpackedTarball/xml2 +includedir=${WORKDIR}/UnpackedTarball/xml2/include +libdir=${WORKDIR}/UnpackedTarball/xml2/.libs + cflags= + libs= - usage() - { @@ -67,7 +72,8 @@ ;; diff --git a/external/libxml2/libxml2-global-symbols.patch b/external/libxml2/libxml2-global-symbols.patch index 49ee73731562..cfec9c530281 100644 --- a/external/libxml2/libxml2-global-symbols.patch +++ b/external/libxml2/libxml2-global-symbols.patch @@ -14,8 +14,8 @@ LIBXML2_2.6.32 { @@ -2231,3 +2231,43 @@ - xmlHashDefaultDeallocator; - } LIBXML2_2.9.1; + xmlPopOutputCallbacks; + } LIBXML2_2.9.8; +# HACK: export global variable accessor functions (globals.h) +LIBXML2_GLOBAL_VARIABLES {