#Global macro or variable
%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)
%global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)
%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|')
%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0)
%global _configure ../configure
Name: curl
Version: 8.4.0
Release: 15
Summary: Curl is used in command lines or scripts to transfer data
License: curl
URL: https://curl.se/
Source: https://curl.se/download/curl-%{version}.tar.xz
Patch1: backport-0101-curl-7.32.0-multilib.patch
Patch2: backport-curl-7.84.0-test3026.patch
Patch4: backport-curl-7.88.0-tests-warnings.patch
Patch11: backport-CVE-2023-46218.patch
Patch12: backport-0001-CVE-2023-46219.patch
Patch13: backport-0002-CVE-2023-46219.patch
Patch15: backport-openssl-avoid-BN_num_bits-NULL-pointer-derefs.patch
Patch16: backport-pre-CVE-2024-2004.patch
Patch17: backport-CVE-2024-2004.patch
Patch18: backport-CVE-2024-2398.patch
Patch19: backport-tool_cb_rea-limit-rate-unpause-for-T-uploads.patch
#https://github.com/curl/curl/pull/13506
Patch20: backport-paramhlp-fix-CRLF-stripping-files-with-d-file.patch
Patch21: backport-libssh2-set-length-to-0-if-strdup-failed.patch
Patch22: backport-openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch
Patch23: backport-multi-avoid-memory-leak-risk.patch
Patch24: backport-tool_cfgable-free-proxy_-cipher13_list-on-exit.patch
Patch25: backport-CVE-2024-7264-x509asn1-clean-up-GTime2str.patch
Patch26: backport-CVE-2024-7264-x509asn1-unittests-and-fixes-fo.patch
Patch27: backport-CVE-2024-8096-gtls-fix-OCSP-stapling-management.patch
Patch28: backport-url-allow-DoH-transfers-to-override-max-connection-limit.patch
Patch29: backport-pre-CVE-2024-9681.patch
Patch30: backport-CVE-2024-9681.patch
Patch31: backport-multi-check-that-the-multi-handle-is-valid-in-curl_m.patch
Patch32: backport-cookie-treat-cookie-name-case-sensitively.patch
Patch33: backport-CVE-2024-11053-pre1.patch
Patch34: backport-CVE-2024-11053-pre2.patch
Patch35: backport-CVE-2024-11053-pre3.patch
Patch36: backport-CVE-2024-11053-pre4.patch
Patch37: backport-CVE-2024-11053-pre5.patch
Patch38: backport-CVE-2024-11053.patch
Patch39: backport-CVE-2024-11053-post1.patch
Patch40: backport-CVE-2024-11053-post2.patch
Patch41: backport-CVE-2025-0167.patch
Patch42: backport-CVE-2025-0725.patch
BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
BuildRequires: libssh-devel make openldap-devel openssh-clients openssh-server
BuildRequires: openssl-devel perl-interpreter pkgconfig python3-devel sed
BuildRequires: zlib-devel gnutls-utils nghttp2 perl(IO::Compress::Gzip)
BuildRequires: perl(Getopt::Long) perl(Pod::Usage) perl(strict) perl(warnings)
BuildRequires: perl(Cwd) perl(Digest::MD5) perl(Exporter) perl(File::Basename)
BuildRequires: perl(File::Copy) perl(File::Spec) perl(IPC::Open2) perl(MIME::Base64)
BuildRequires: perl(Time::Local) perl(Time::HiRes) perl(vars) perl(Digest::SHA)
%ifnarch aarch64
BuildRequires: stunnel
%endif
Requires: libcurl = %{version}-%{release}
Provides: curl-full = %{version}-%{release} webclient
%description
cURL is a computer software project providing a library (libcurl) and
command-line tool (curl) for transferring data using various protocols.
%package -n libcurl
Summary: A library for getting files from web servers
Requires: libssh >= %{libssh_version} libpsl >= %{libpsl_version}
Requires: openssl-libs >= 1:%{openssl_version}
Requires: libnghttp2 >= %{libnghttp2_version}
Provides: libcurl-full = %{version}-%{release}
Conflicts: curl < 7.66.0-3
%description -n libcurl
A library for getting files from web servers.
%package -n libcurl-devel
Summary: Header files for libcurl
Requires: libcurl = %{version}-%{release}
Provides: curl-devel = %{version}-%{release}
Obsoletes: curl-devel < %{version}-%{release}
%description -n libcurl-devel
Header files for libcurl.
%package_help
%prep
%autosetup -n %{name}-%{version} -p1
echo "1801" >> tests/data/DISABLED
# adapt test 323 for updated OpenSSL
sed -e 's/^35$/35,52/' -i tests/data/test323
# use localhost6 instead of ip6-localhost in the curl test-suite
(
# avoid glob expansion in the trace output of `bash -x`
{ set +x; } 2>/dev/null
cmd="sed -e 's|ip6-localhost|localhost6|' -i tests/data/test[0-9]*"
printf "+ %s\n" "$cmd" >&2
eval "$cmd"
)
%build
# regenerate Makefile.in files
aclocal -I m4
automake
install -d build-full
export common_configure_opts="--cache-file=../config.cache \
--enable-hsts --enable-ipv6 --enable-symbol-hiding --enable-threaded-resolver \
--without-zstd --with-gssapi --with-libidn2 --with-nghttp2 --with-ssl \
--with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
%global _configure ../configure
# configure full build
(
cd build-full
%configure $common_configure_opts \
--enable-dict \
--enable-gopher \
--enable-imap \
--enable-ldap \
--enable-ldaps \
--enable-manual \
--enable-mqtt \
--enable-ntlm \
--enable-ntlm-wb \
--enable-pop3 \
--enable-rtsp \
--enable-smb \
--enable-smtp \
--enable-telnet \
--enable-tftp \
--enable-tls-srp \
--with-brotli \
--with-libpsl \
--with-libssh
)
sed -e 's/^runpath_var=.*/runpath_var=/' \
-e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
-i build-full/libtool
%make_build V=1 -C build-full
%check
# compile upstream test-cases
%make_build V=1 -C build-full/tests
# relax crypto policy for the test-suite to make it pass again (#1610888)
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
export OPENSSL_CONF=
# make runtests.pl work for out-of-tree builds
export srcdir=../../tests
# prevent valgrind from being extremely slow (#1662656)
unset DEBUGINFOD_URLS
# run the upstream test-suite for curl-full
for size in full; do (
cd build-${size}
# we have to override LD_LIBRARY_PATH because we eliminated rpath
export LD_LIBRARY_PATH="${PWD}/lib/.libs"
cd tests
perl -I../../tests ../../tests/runtests.pl -a -n -p -v '!flaky'
)
done
%install
rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}
# install libcurl.m4 for devel
install -D -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal/libcurl.m4
# curl file install
cd build-full
%make_install
# install zsh completion for curl
LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" %make_install -C scripts
# do not install /usr/share/fish/completions/curl.fish which is also installed
# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.a
rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%ldconfig_scriptlets
%ldconfig_scriptlets -n libcurl
%files
%defattr(-,root,root)
%license COPYING
%{_bindir}/curl
%{_datadir}/zsh
%files -n libcurl
%defattr(-,root,root)
%{_libdir}/libcurl.so.4
%{_libdir}/libcurl.so.4.[0-9].[0-9]
%files -n libcurl-devel
%defattr(-,root,root)
%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md
%{_bindir}/curl-config*
%{_includedir}/curl
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%{_datadir}/aclocal/libcurl.m4
%files help
%defattr(-,root,root)
%doc CHANGES README*
%doc docs/BUGS.md docs/FAQ docs/FEATURES.md
%doc docs/TheArtOfHttpScripting.md docs/TODO
%{_mandir}/man1/curl.1*
%{_mandir}/man1/curl-config.1*
%{_mandir}/man3/*
%changelog
* Sat Feb 08 2025 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-15
- Type:CVE
- CVE:CVE-2025-0167 CVE-2025-0725
- SUG:NA
- DESC:fix CVE-2025-0167 CVE-2025-0725
* Tue Jan 07 2025 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-14
- Type:CVE
- CVE:CVE-2024-11053
- SUG:NA
- DESC:fix CVE-2024-11053
* Mon Dec 09 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-13
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:cookie: treat cookie name case sensitively
* Sat Nov 30 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-12
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:multi: check that the multi handle is valid in curl_multi_assign
* Mon Nov 11 2024 yanglu <yanglu72@h-partners.com> - 8.4.0-11
- Type:CVE
- CVE:CVE-2024-9681
- SUG:NA
- DESC:fix CVE-2024-9681
* Fri Sep 20 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-10
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:url: allow DoH transfers to override max connection limit
* Thu Sep 12 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-9
- Type:CVE
- CVE:CVE-2024-8096
- SUG:NA
- DESC:fix CVE-2024-8096
* Thu Sep 05 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-8
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:revert modify licence from curl to MIT
* Thu Aug 15 2024 zhangxianjun <zhangxianjun@kylinos.cn> - 8.4.0-7
- modify licence from curl to MIT
* Wed Jul 31 2024 yinyongkang <yinyongkang@kylinos.cn> - 8.4.0-6
- Type:CVE
- CVE:CVE-2024-7264
- SUG:NA
- DESC:fix CVE-2024-7264
* Mon Jun 24 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-5
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:paramhlp: fix CRLF-stripping files with "-d @file"
libssh2: set length to 0 if strdup failed
openldap: create ldap URLs correctly for IPv6 addresses
multi: avoid memory-leak risk
tool_cfgable: free {proxy_}cipher13_list on exit
* Wed Jun 12 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-4
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:add version require of nghttp2 for libcurl
* Thu May 09 2024 baiguo <baiguo@kylinos.cn> - 8.4.0-3
- DESC: tool_cb_rea: limit rate unpause for -T . uploads
* Mon Apr 01 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-2
- Type:CVE
- CVE:CVE-2024-2004 CVE-2024-2398
- SUG:NA
- DESC:fix CVE-2024-2004 CVE-2024-2398
* Tue Jan 09 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-1
- Type:requirement
- CVE:NA
- SUG:NA
- DESC:update curl to 8.4.0
* Thu Dec 28 2023 zhouyihang <zhouyihang3@h-partners.com> - 8.1.2-7
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:transfer: also stop the sending on closed connection
openssl: avoid BN_num_bits() NULL pointer derefs
* Fri Dec 08 2023 zhouyihang <zhouyihang3@h-partners.com> - 8.1.2-6
- Type:CVE
- CVE:CVE-2023-46218 CVE-2023-46219
- SUG:NA
- DESC:fix CVE-2023-46218 CVE-2023-46219
* Thu Oct 12 2023 zhouyihang <zhouyihang3@h-partners.com> - 8.1.2-5
- Type:CVE
- CVE:CVE-2023-38545 CVE-2023-38546
- SUG:NA
- DESC:fix CVE-2023-38545 CVE-2023-38546
* Thu Sep 14 2023 gaihuiying <eaglegai@163.com> - 8.1.2-4
- Type:CVE
- CVE:CVE-2023-38039
- SUG:NA
- DESC:fix CVE-2023-38039
* Wed Sep 06 2023 yanglu <yanglu72@h-partners.com> - 8.1.2-3
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:vtls:avoid memory leak if sha256 call fails
urlapi:make sure zoneid is also duplicated in curl_url_dup
* Thu Jul 20 2023 zhouyihang <zhouyihang3@h-partners.com> - 8.1.2-2
- Type:CVE
- CVE:CVE-2023-32001
- SUG:NA
- DESC:fix CVE-2023-32001
* Sat Jul 15 2023 gaihuiying <eaglegai@163.com> - 8.1.2-1
- Type:requirement
- CVE:NA
- SUG:NA
- DESC:update to curl 8.1.2
* Sat Jun 10 2023 zhouyihang <zhouyihang3@h-partners.com> - 7.88.1-4
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:disable valgrind in tests
* Thu Jun 08 2023 xingwei <xingwei14@h-partners.com> - 7.88.1-3
- Type:CVE
- CVE:CVE-2023-28320,CVE-2023-28321,CVE-2023-28322
- SUG:NA
- DESC:fix CVE-2023-28320,CVE-2023-28321,CVE-2023-28322
* Wed Mar 22 2023 zengwefeng <zwfeng@huawei.com> - 7.88.1-2
- Type:cves
- ID:CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27537 CVE-2023-27538
- SUG:NA
- DESC:fix CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27537 CVE-2023-27538
* Thu Mar 02 2023 xinghe <xinghe2@h-partners.com> - 7.88.1-1
- Type:requirements
- ID:NA
- SUG:NA
- DESC:upgrade to 7.88.1
* Sat Feb 18 2023 xinghe <xinghe2@h-partners.com> - 7.86.0-3
- Type:cves
- ID:CVE-2023-23914 CVE-2023-23915 CVE-2023-23916
- SUG:NA
- DESC:fix CVE-2023-23914 CVE-2023-23915 CVE-2023-23916
* Thu Dec 22 2022 zhouyihang <zhouyihang3@h-partners.com> - 7.86.0-2
- Type:cves
- ID:CVE-2022-43551 CVE-2022-43552
- SUG:NA
- DESC:fix CVE-2022-43551 CVE-2022-43552
* Wed Nov 16 2022 xinghe <xinghe2@h-partners.com> - 7.86.0-1
- Type:requirements
- ID:NA
- SUG:NA
- DESC:upgrade to 7.86.0
* Thu Oct 27 2022 yanglu <yanglu72@h-partners.com> - 7.79.1-12
- Type:cves
- CVE:CVE-2022-32221 CVE-2022-42915 CVE-2022-42916
- SUG:NA
- DESC:fix CVE-2022-32221 CVE-2022-42915 CVE-2022-42916
* Tue Oct 11 2022 huangduirong <huangduirong@huawei.com> - 7.79.1-11
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:Move autoreconf to build
* Thu Sep 01 2022 zhouyihang <zhouyihang@h-partners.com> - 7.79.1-10
- Type:cves
- CVE:CVE-2022-35252
- SUG:NA
- DESC:fix CVE-2022-35252
* Thu Jul 28 2022 gaihuiying <eaglegai@163.com> - 7.79.1-9
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:just rebuild release to 7.79.1-9
* Mon Jul 25 2022 gaihuiying <eaglegai@163.com> - 7.79.1-8
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix build error when add --disable-http-auth configure option
* Tue Jul 05 2022 gaihuiying <eaglegai@163.com> - 7.79.1-7
- Type:cves
- CVE:CVE-2022-32207
- SUG:NA
- DESC:fix CVE-2022-32207 better
* Wed Jun 29 2022 gaihuiying <eaglegai@163.com> - 7.79.1-6
- Type:cves
- CVE:CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208
- SUG:NA
- DESC:fix CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208
* Tue May 17 2022 gaihuiying <eaglegai@163.com> - 7.79.1-5
- Type:cves
- CVE:CVE-2022-27781 CVE-2022-27782
- SUG:NA
- DESC:fix CVE-2022-27781 CVE-2022-27782
* Sat May 14 2022 gaoxingwang <gaoxingwang1@huawei.com> - 7.79.1-4
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix dict and neg telnet server start fail in upstream testcase
* Fri May 06 2022 gaihuiying <eaglegai@163.com> - 7.79.1-3
- Type:cves
- CVE:CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776
- SUG:NA
- DESC:fix CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776
* Mon Apr 25 2022 gaoxingwang <gaoxingwang1@huawei.com> - 7.79.1-2
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:enable check in spec
* Thu Jan 20 2022 gaoxingwang <gaoxingwang@huawei.com> - 7.79.1-1
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:update curl to 7.79.1
* Wed Sep 29 2021 yanglu <yanglu72@huawei.com> - 7.77.0-3
- Type:CVE
- CVE:CVE-2021-22945 CVE-2021-22946 CVE-2021-22947
- SUG:NA
- DESC:fix CVE-2021-22945 CVE-2021-22946CVE-2021-22947
* Fri Aug 13 2021 gaihuiying <gaihuiying1@huawei.com> - 7.77.0-2
- Type:CVE
- CVE:CVE-2021-22925 CVE-2021-22926
- SUG:NA
- DESC:fix CVE-2021-22925 CVE-2021-22926
* Thu Jul 8 2021 gaihuiying <gaihuiying1@huawei.com> - 7.77.0-1
- Type:requirement
- CVE:NA
- SUG:NA
- DESC:update curl to 7.77.0
* Tue Jun 8 2021 gaihuiying <gaihuiying1@huawei.com> - 7.71.1-9
- Type:CVE
- CVE:CVE-2021-22897 CVE-2021-22898
- SUG:NA
- DESC:fix CVE-2021-22897 CVE-2021-22898
* Tue Apr 20 2021 gaihuiying <gaihuiying1@huawei.com> - 7.71.1-8
- Type:CVE
- CVE:CVE-2021-22890
- SUG:NA
- DESC:fix CVE-2021-22890
* Thu Apr 8 2021 xieliuhua <xieliuhua@huawei.com> - 7.71.1-7
- Type:CVE
- CVE:CVE-2021-22876
- SUG:NA
- DESC:fix CVE-2021-22876
* Tue Jan 26 2021 wangxiaopeng <wangxiaopeng7@huawei.com> - 7.71.1-6
- Type:CVE
- CVE:CVE-2020-8285
- SUG:NA
- DESC:fix CVE-2020-8285
* Tue Jan 19 2021 xielh2000 <xielh2000@163.com> - 7.71.1-5
- Type:CVE
- CVE:CVE-2020-8286
- SUG:NA
- DESC:fix CVE-2020-8286
* Mon Jan 18 2021 xihaochen <xihaochen@huawei.com> - 7.71.1-4
- Type:CVE
- CVE:CVE-2020-8284
- SUG:NA
- DESC:fix CVE-2020-8284
* Tue Jan 5 2021 gaihuiying <gaihuiying1@huawei.com> - 7.71.1-3
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix downgrade error
* Mon Dec 28 2020 liuxin <liuxin264@huawei.com> - 7.71.1-2
- Type:cves
- ID:CVE-2020-8231
- SUG:NA
- DESC:fix CVE-2020-8231
* Fri Jul 24 2020 zhujunhao <zhujunhao8@huawei.com> - 7.71.1-1
- Update to 7.71.1
* Thu Apr 9 2020 songnannan <songnannan2@huawei.com> - 7.66.0-3
- split out the libcurl and libcurl-devel package
* Tue Mar 17 2020 chenzhen <chenzhen44@huawei.com> - 7.66.0-2
- Type:cves
- ID:CVE-2019-15601
- SUG:NA
- DESC:fix CVE-2019-15601
* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 7.66.0-1
- update to 7.66.0
* Sat Dec 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 7.61.1-4
- Type:cves
- ID:CVE-2019-5481 CVE-2019-5482
- SUG:NA
- DESC:fix CVE-2019-5481 CVE-2019-5482
* Wed Sep 18 2019 guanyanjie <guanyanjie@huawei.com> - 7.61.1-3
- Init for openEuler