configure.ac | 11 +++++------ download.lst | 4 ++-- external/curl/ExternalProject_curl.mk | 22 +++++++++------------- external/curl/README | 2 +- external/curl/UnpackedTarball_curl.mk | 12 ------------ external/curl/asan-poison-nsspem.patch.0 | 11 ----------- external/curl/curl-nss.patch.1 | 17 ----------------- ucb/qa/cppunit/webdav/webdav_local_neon.cxx | 8 ++++---- 8 files changed, 21 insertions(+), 66 deletions(-)
New commits: commit 7349c6f03cb2bb38dd65666e02ca3fbfa4fcf83c Author: Taichi Haradaguchi <20001...@ymail.ne.jp> AuthorDate: Sat Jun 10 15:57:28 2023 +0900 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Mon Jun 24 23:45:56 2024 +0200 upgrade to curl 8.6.0 via... curl: upgrade to release 8.1.2 Fixes CVE-2023-28321, CVE-2023-28322, and 2 more CVEs that probably don't affect LibreOffice. Change-Id: If8720ba3647216063bffc8678aa64dad9a317128 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152809 Tested-by: Jenkins Reviewed-by: Taichi Haradaguchi <20001...@ymail.ne.jp> Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit dc19ef0d42e89edffcc21795194eb1eeb5957d0f) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152888 Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org> (cherry picked from commit cbdb9359bc77ebe7f79340cf0322fb2e4d78b125) Update to curl-8.2.1.tar.xz ...obtained from <https://curl.se/download/curl-8.2.1.tar.xz> Change-Id: I7260f79e2f72501869ff58c77f0d9dfa3ebdece1 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/155116 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sberg...@redhat.com> (cherry picked from commit 85c07891ad9424661d8e1adb8e93364e3964ce34) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/155133 Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org> (cherry picked from commit 52d9d30371247f7d613dd9d1fd5f0c4fdf94682a) remove configure arguments to curl that no longer exist Change-Id: Ic6995dfcc11c872092c5e1a53c84dfed5d254eea Reviewed-on: https://gerrit.libreoffice.org/c/core/+/141955 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit 6f00aef4fe3242a1ff3a7f9fa31e8a6663162ca3) ofz: build-failure use with-tls result for curl otherwise with (default due to --disable-dynamic-loading) --disable-nss we get: configure: error: select TLS backend(s) or disable TLS with --without-ssl. 
Select from these: --with-amissl --with-bearssl --with-gnutls --with-mbedtls --with-nss --with-openssl (also works for BoringSSL and libressl) --with-rustls --with-schannel --with-secure-transport --with-wolfssl alternative we could --without-ssl entirely without nss Change-Id: Iea25b918c135664dffacfb74089d7c7c0818695e Reviewed-on: https://gerrit.libreoffice.org/c/core/+/141956 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit 2c0997900d35e54466d479c9c5437d447ba9b165) curl: upgrade to release 8.3.0 Fixes CVE-2023-38039 * NSS support was removed in this release, so NSS related patches are not necessary now. * add configure options for curl. Change-Id: I71e09bac3c69ce4b13deee770a32225f39f79c46 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/156917 Tested-by: Jenkins Reviewed-by: Taichi Haradaguchi <20001...@ymail.ne.jp> (cherry picked from commit c2930ebff82c4f7ffe8377ab82627131f8544226) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/157311 Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 609d4a6b8d66d02a36c57de99efd36a4b1c2b789) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/157313 Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com> (cherry picked from commit 5d9a942721ea683b3684e71c470d338599a80eb1) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/157828 Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com> Reviewed-by: Andras Timar <andras.ti...@collabora.com> (cherry picked from commit 5a113f2376344062ff1a71debecf7a7b112c8e25) curl: upgrade to release 8.4.0 Fixes CVE-2023-38546 and CVE-2023-38545 Minor amount of bugfixes, nothing that immediately affects us. New feature: IPFS protocols via HTTP gateway now supported, with the right URL. 
Change-Id: I24af4d17b570685081aa031c50a87bb8dcf1833d Reviewed-on: https://gerrit.libreoffice.org/c/core/+/157829 Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com> Reviewed-by: Andras Timar <andras.ti...@collabora.com> (cherry picked from commit d97184677471565f3987a5d0fe1ef96503c0b099) curl: upgrade to release 8.5.0 Fixes CVE-2023-46218 (cookies apparently used by libcmis) Change-Id: I6f903ab63589d3318c0cc7d47f5183f7ae55f52b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/160592 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 0a2df11fb563177951db1e8890d67cee8d44246a) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/160577 Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org> (cherry picked from commit 04eddbaa4530d75c4984125dab7bb3f58113a3ff) curl: upgrade to release 8.6.0 Fixes CVE-2024-0853 Change-Id: Iabba0748f7c48ee03a8223aef9ca81bf379738e9 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/162793 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 9667ea7e274c4e29cf7c35d9e124a8fbcb2af3da) (cherry picked from commit a990e726efb2bcb4cb8de9aaade0f35e429ea330) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169120 Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com> Reviewed-by: Andras Timar <andras.ti...@collabora.com> diff --git a/configure.ac b/configure.ac index d7fc37217fb7..4fc222611915 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2094,12 +2094,11 @@ AC_ARG_WITH(package-format, AC_ARG_WITH(tls, AS_HELP_STRING([--with-tls], [Decides which TLS/SSL and cryptographic implementations to use for - LibreOffice's code. Notice that this doesn't apply for depending - libraries like "neon", for example. Default is to use NSS - although OpenSSL is also possible. Notice that selecting NSS restricts - the usage of OpenSSL in LO's code but selecting OpenSSL doesn't - restrict by now the usage of NSS in LO's code. Possible values: - openssl, nss. Example: --with-tls="nss"]), + LibreOffice's code. Default is to use NSS although OpenSSL is also + possible. Notice that selecting NSS restricts the usage of OpenSSL + in LO's code but selecting OpenSSL doesn't restrict by now the + usage of NSS in LO's code. Possible values: openssl, nss. + Example: --with-tls="nss"]), ,) AC_ARG_WITH(system-libs, diff --git a/download.lst b/download.lst index 3c27bcbe0942..bf5ce1596416 100644 --- a/download.lst +++ b/download.lst @@ -37,8 +37,8 @@ export CPPUNIT_SHA256SUM := 89c5c6665337f56fd2db36bc3805a5619709d51fb136e5193707 export CPPUNIT_TARBALL := cppunit-1.15.1.tar.gz export CT2N_SHA256SUM := 71b238efd2734be9800af07566daea8d6685aeed28db5eb5fa0e6453f4d85de3 export CT2N_TARBALL := 1f467e5bb703f12cbbb09d5cf67ecf4a-converttexttonumber-1-5-0.oxt -export CURL_SHA256SUM := 0a381cd82f4d00a9a334438b8ca239afea5bfefcfa9a1025f2bf118e79e0b5f0 -export CURL_TARBALL := curl-8.0.1.tar.xz +export CURL_SHA256SUM := 3ccd55d91af9516539df80625f818c734dc6f2ecf9bada33c76765e99121db15 +export CURL_TARBALL := curl-8.6.0.tar.xz export EBOOK_SHA256SUM := 7e8d8ff34f27831aca3bc6f9cc532c2f90d2057c778963b884ff3d1e34dfe1f9 export EBOOK_TARBALL := libe-book-0.1.3.tar.xz export EPOXY_SHA256SUM := a7ced37f4102b745ac86d6a70a9da399cc139ff168ba6b8002b4d8d43c900c15 diff --git a/external/curl/ExternalProject_curl.mk b/external/curl/ExternalProject_curl.mk index 5a516651c608..fa13b93bb3cf 100644 --- a/external/curl/ExternalProject_curl.mk 
+++ b/external/curl/ExternalProject_curl.mk @@ -10,7 +10,7 @@ $(eval $(call gb_ExternalProject_ExternalProject,curl)) $(eval $(call gb_ExternalProject_use_externals,curl,\ - $(if $(ENABLE_NSS),nss3) \ + $(if $(ENABLE_OPENSSL),openssl) \ zlib \ )) 
@@ -30,32 +30,28 @@ curl_LDFLAGS += -L$(SYSBASE)/usr/lib endif endif -# there are 2 include paths, the other one is passed to --with-nss below -ifeq ($(SYSTEM_NSS),) -curl_CPPFLAGS += -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss -endif - # use --with-secure-transport on macOS >10.5 and iOS to get a native UI for SSL certs for CMIS usage -# use --with-nss only on platforms other than macOS and iOS +# use --with-openssl only on platforms other than macOS and iOS $(call gb_ExternalProject_get_state_target,curl,build): $(call gb_Trace_StartRange,curl,EXTERNAL) $(call gb_ExternalProject_run,build,\ $(gb_RUN_CONFIGURE) ./configure \ - $(if $(filter iOS MACOSX,$(OS)),\ - --with-secure-transport,\ - $(if $(ENABLE_NSS),--with-nss$(if $(SYSTEM_NSS),,="$(call gb_UnpackedTarball_get_dir,nss)/dist/out") --with-nss-deprecated,--without-nss)) \ - --without-openssl --without-gnutls --without-polarssl --without-cyassl --without-axtls --without-mbedtls \ + --without-amissl --without-bearssl --without-gnutls \ + --without-mbedtls --without-rustls --without-wolfssl \ --enable-ftp --enable-http --enable-ipv6 \ --without-libidn2 --without-libpsl --without-librtmp \ - --without-libssh2 --without-metalink --without-nghttp2 \ + --without-libssh2 --without-nghttp2 \ --without-libssh --without-brotli \ --without-ngtcp2 --without-quiche \ - --without-zstd --without-hyper --without-gsasl --without-gssapi \ + --without-zstd --without-hyper --without-libgsasl --without-gssapi \ --disable-mqtt --disable-ares \ --disable-dict --disable-file --disable-gopher --disable-imap \ --disable-ldap --disable-ldaps --disable-manual --disable-pop3 \ --disable-rtsp --disable-smb --disable-smtp --disable-telnet \ --disable-tftp \ + $(if $(filter iOS MACOSX,$(OS)),\ + --with-secure-transport,\ + $(if $(ENABLE_OPENSSL),--with-openssl$(if $(SYSTEM_OPENSSL),,="$(call gb_UnpackedTarball_get_dir,openssl)"))) \ $(if $(filter LINUX,$(OS)),--without-ca-bundle --without-ca-path) \ $(if 
$(CROSS_COMPILING),--build=$(BUILD_PLATFORM) --host=$(HOST_PLATFORM)) \ $(if $(filter TRUE,$(DISABLE_DYNLOADING)),--disable-shared,--disable-static) \ diff --git a/external/curl/README b/external/curl/README index 292e4edf57b6..4a7044623608 100644 --- a/external/curl/README +++ b/external/curl/README @@ -1 +1 @@ -A URL manipulation engine from [http://curl.haxx.se/]. +A URL manipulation engine from [https://curl.se/]. diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk index e78adabb8d07..4412857d36a0 100644 --- a/external/curl/UnpackedTarball_curl.mk +++ b/external/curl/UnpackedTarball_curl.mk @@ -27,22 +27,10 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\ external/curl/configurable-z-option.patch.0 \ )) -ifeq ($(SYSTEM_NSS),) -$(eval $(call gb_UnpackedTarball_add_patches,curl,\ - external/curl/curl-nss.patch.1 \ -)) -endif - ifeq ($(OS)-$(COM_IS_CLANG),WNT-TRUE) $(eval $(call gb_UnpackedTarball_add_patches,curl, \ external/curl/clang-cl.patch.0 \ )) endif -ifneq ($(filter -fsanitize=%,$(CC)),) -$(eval $(call gb_UnpackedTarball_add_patches,curl, \ - external/curl/asan-poison-nsspem.patch.0 \ -)) -endif - # vim: set noet sw=4 ts=4: diff --git a/external/curl/asan-poison-nsspem.patch.0 b/external/curl/asan-poison-nsspem.patch.0 deleted file mode 100644 index b348d44ee573..000000000000 --- a/external/curl/asan-poison-nsspem.patch.0 +++ /dev/null @@ -1,11 +0,0 @@ ---- lib/vtls/nss.c -+++ lib/vtls/nss.c -@@ -1926,7 +1926,7 @@ - - PK11_SetPasswordFunc(nss_get_password); - -- result = nss_load_module(&pem_module, pem_library, "PEM"); -+ result = CURLE_FAILED_INIT; - PR_Unlock(nss_initlock); - if(result == CURLE_FAILED_INIT) - infof(data, "WARNING: failed to load NSS PEM library %s. Using " diff --git a/external/curl/curl-nss.patch.1 b/external/curl/curl-nss.patch.1 deleted file mode 100644 index 2e8766b3d45f..000000000000 --- a/external/curl/curl-nss.patch.1 +++ /dev/null 
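Review bot: The TLS backend selection moved to the end of the configure call has no else branch: on platforms other than macOS/iOS with `ENABLE_OPENSSL` empty, `$(if $(ENABLE_OPENSSL),--with-openssl…)` expands to nothing, and the commit message itself quotes curl's configure rejecting that case ("select TLS backend(s) or disable TLS with --without-ssl"). With the old `--without-nss` fallback gone, make the outcome explicit, preferably by failing early rather than quietly building a curl without TLS, e.g. `$(if $(ENABLE_OPENSSL),--with-openssl…,$(error curl needs a TLS backend: enable OpenSSL))`, or by rejecting the combination in configure.ac. Separately, the unchanged `--without-ca-bundle --without-ca-path` on Linux now applies to an OpenSSL-backed curl, which as far as I can tell leaves libcurl without a default trust store unless each caller sets a CA file or path. Please confirm the WebDAV and CMIS callers do that, so certificate verification neither fails nor gets switched off as a workaround, and record it with a comment such as `# no built-in CA store on Linux: callers must pass the CA location explicitly`. The recipe continues past the end of this hunk.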
@@ -1,17 +0,0 @@ -diff -ur curl.org/configure curl/configure ---- curl.orig/configure 2023-02-20 16:11:55.000000000 +0900 -+++ curl/configure 2023-02-23 15:40:58.617432471 +0900 -@@ -28675,7 +28675,12 @@ - { printf "%s " "$as_me:${as_lineno-$LINENO}: WARNING: Using hard-wired libraries and compilation flags for NSS." >&5 - printf "%s " "$as_me: WARNING: Using hard-wired libraries and compilation flags for NSS." >&2;} - addld="-L$OPT_NSS/lib" -- addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4" -+ addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lnssutil3" -+ case $host_os in -+ *android*) -+ addlib="${addlib} -llog" -+ ;; -+ esac - addcflags="-I$OPT_NSS/include" - version="unknown" - nssprefix=$OPT_NSS commit 2b3b868f66bea547863a4528a68e56527d1391a0 Author: Stephan Bergmann <sberg...@redhat.com> AuthorDate: Mon Jul 31 17:09:32 2023 +0200 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Mon Jun 24 23:45:48 2024 +0200 Adapt test code to cURL 8.2.0 ...for which CppunitTest_ucb_webdav_core would fail with > ucb/qa/cppunit/webdav/webdav_local_neon.cxx:60:(anonymous namespace)::webdav_local_test::WebdavUriTest > equality assertion failed > - Expected: ?query#fragment > - Actual : /?query#fragment and > ucb/qa/cppunit/webdav/webdav_local_neon.cxx:89:(anonymous namespace)::webdav_local_test::WebdavUriTest2 > equality assertion failed > - Expected: ?query > - Actual : /?query because of <https://github.com/bch/curl/commit/5752e71080cb3aafa8b24c3261419345b832bc92> "urlapi: have *set(PATH) prepend a slash if one is missing". All that test code had been added with b03e070420606d407df2ec5e9dfa7043ecc46177 "ucb: webdav-curl: fix CurlUri::CloneWithRelativeRefPathAbsolute()", and it looks harmless for our use cases that cURL started to behave differently there now. 
So instead of accepting either of the outcomes depending on what cURL version is being used, just change the test code to not leave out the path-absolute in the calls to CloneWithRelativeRefPathAbsolute (which is documented in ucb/source/ucp/webdav-curl/CurlUri.hxx to take > /// @param matches: relative-ref = path-absolute [ "?" query ] [ "#" fragment ] and path-absolute cannot be empty as per RFC 3986 "Uniform Resource Identifier (URI): Generic Syntax"). Change-Id: If07a28598dfa047ebe89d8bcda19e8fcaa36aed0 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/155099 Reviewed-by: Michael Stahl <michael.st...@allotropia.de> Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sberg...@redhat.com> Signed-off-by: Xisco Fauli <xiscofa...@libreoffice.org> Reviewed-on: https://gerrit.libreoffice.org/c/core/+/155134 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/169470 Reviewed-by: Andras Timar <andras.ti...@collabora.com> Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com> diff --git a/ucb/qa/cppunit/webdav/webdav_local_neon.cxx b/ucb/qa/cppunit/webdav/webdav_local_neon.cxx index bde7652b9ffa..a457bc6d2b28 100644 --- a/ucb/qa/cppunit/webdav/webdav_local_neon.cxx +++ b/ucb/qa/cppunit/webdav/webdav_local_neon.cxx 
@@ -52,12 +52,12 @@ namespace CPPUNIT_ASSERT_EQUAL( OUString("/foo/bar"), uri2.GetRelativeReference() ); CPPUNIT_ASSERT_EQUAL( OUString("http://user%40anothern...@server.biz:8040/foo/bar"), uri2.GetURI() ); - CurlUri uri3(aURI.CloneWithRelativeRefPathAbsolute(u"?query#fragment")); + CurlUri uri3(aURI.CloneWithRelativeRefPathAbsolute(u"/?query#fragment")); CPPUNIT_ASSERT_EQUAL( OUString("http"), uri3.GetScheme() ); CPPUNIT_ASSERT_EQUAL( OUString("server.biz"), uri3.GetHost() ); CPPUNIT_ASSERT_EQUAL( OUString("user%40anothername"), uri3.GetUser() ); CPPUNIT_ASSERT_EQUAL( sal_uInt16(8040), uri3.GetPort() ); - CPPUNIT_ASSERT_EQUAL( OUString("?query#fragment"), uri3.GetRelativeReference() ); + CPPUNIT_ASSERT_EQUAL( OUString("/?query#fragment"), uri3.GetRelativeReference() ); CPPUNIT_ASSERT_EQUAL( OUString("http://user%40anothern...@server.biz:8040/?query#fragment"), uri3.GetURI() ); } @@ -80,13 +80,13 @@ namespace CPPUNIT_ASSERT_EQUAL( OUString("/foo/bar"), uri2.GetRelativeReference() ); CPPUNIT_ASSERT_EQUAL( OUString("https://foo:b...@server.biz:8040/foo/bar"), uri2.GetURI() ); - CurlUri uri3(aURI.CloneWithRelativeRefPathAbsolute(u"?query")); + CurlUri uri3(aURI.CloneWithRelativeRefPathAbsolute(u"/?query")); CPPUNIT_ASSERT_EQUAL( OUString("https"), uri3.GetScheme() ); CPPUNIT_ASSERT_EQUAL( OUString("server.biz"), uri3.GetHost() ); CPPUNIT_ASSERT_EQUAL( OUString("foo"), uri3.GetUser() ); CPPUNIT_ASSERT_EQUAL( OUString("bar"), uri3.GetPassword() ); CPPUNIT_ASSERT_EQUAL( sal_uInt16(8040), uri3.GetPort() ); - CPPUNIT_ASSERT_EQUAL( OUString("?query"), uri3.GetRelativeReference() ); + CPPUNIT_ASSERT_EQUAL( OUString("/?query"), uri3.GetRelativeReference() ); CPPUNIT_ASSERT_EQUAL( OUString("https://foo:b...@server.biz:8040/?query"), uri3.GetURI() ); }
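Review bot: Both changed calls (`u"/?query#fragment"` in this hunk and `u"/?query"` in the @@ -80 hunk) now pass a non-empty path-absolute, so the tests no longer record what happens when a caller omits the leading slash, and the commit message says that result differs by cURL version. A short comment above each call would keep the reason visible in the file, for example `// path-absolute must not be empty (RFC 3986); cURL >= 8.2.0 would prepend the '/' itself`. If CloneWithRelativeRefPathAbsolute can ever receive a server-supplied reference, an assertion on the leading '/' inside it would catch callers that break the documented contract. That function is not visible in this diff, so this is something to check rather than a finding. Both test bodies begin and end outside the hunks.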