From 946f457c885bd10ff1a7281c351f3981f035f5a7 Mon Sep 17 00:00:00 2001
From: Michael Stahl <michael.stahl@allotropia.de>
Date: Wed, 21 Jul 2021 11:57:51 +0200
Subject: curl: upgrade to release 7.78.0

* Fixes CVE-2020-8284 CVE-2021-22924
* Also fixes these which don't look relevant to LO:
  CVE-2020-8231
  CVE-2020-8285 CVE-2020-8286
  CVE-2021-22876 CVE-2021-22890
  CVE-2021-22897 CVE-2021-22898 CVE-2021-22901
  CVE-2021-22922 CVE-2021-22923 CVE-2021-22925 CVE-2021-22926
* disable some new protocols and dependencies
* remove curl-ios.patch.1 as the code no longer exists upstream

Change-Id: I12d5f87f4d503a5f9859226a05cfe2a07e46d993
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/119313
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
---
 external/curl/ExternalPackage_curl.mk             |  4 ++--
 external/curl/ExternalProject_curl.mk             |  7 ++++---
 external/curl/UnpackedTarball_curl.mk             |  1 -
 external/curl/curl-7.26.0_win-proxy.patch         |  2 +-
 external/curl/curl-ios.patch.1                    | 17 -----------------
 external/curl/curl-msvc-disable-protocols.patch.1 |  7 ++++---
 external/curl/zlib.patch.0                        |  4 ++--
 7 files changed, 13 insertions(+), 29 deletions(-)
 delete mode 100644 external/curl/curl-ios.patch.1

(limited to 'external')

diff --git a/external/curl/ExternalPackage_curl.mk b/external/curl/ExternalPackage_curl.mk
index 79a89a24a52c..924fc53ebd62 100644
--- a/external/curl/ExternalPackage_curl.mk
+++ b/external/curl/ExternalPackage_curl.mk
@@ -14,13 +14,13 @@ $(eval $(call gb_ExternalPackage_use_external_project,curl,curl))
 ifneq ($(DISABLE_DYNLOADING),TRUE)
 
 ifeq ($(COM),MSC)
-$(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl$(if $(MSVC_USE_DEBUG_RUNTIME),_debug).dll,builds/libcurl-vc12-$(gb_MSBUILD_PLATFORM)-$(gb_MSBUILD_CONFIG)-dll-ipv6-sspi-winssl/bin/libcurl$(if $(MSVC_USE_DEBUG_RUNTIME),_debug).dll))
+$(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl$(if $(MSVC_USE_DEBUG_RUNTIME),_debug).dll,builds/libcurl-vc12-$(gb_MSBUILD_PLATFORM)-$(gb_MSBUILD_CONFIG)-dll-ipv6-sspi-schannel/bin/libcurl$(if $(MSVC_USE_DEBUG_RUNTIME),_debug).dll))
 else ifeq ($(OS),MACOSX)
 $(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.4.dylib,lib/.libs/libcurl.4.dylib))
 else ifeq ($(OS),AIX)
 $(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.so,lib/.libs/libcurl.so.4))
 else
-$(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.so.4,lib/.libs/libcurl.so.4.6.0))
+$(eval $(call gb_ExternalPackage_add_file,curl,$(LIBO_LIB_FOLDER)/libcurl.so.4,lib/.libs/libcurl.so.4.7.0))
 endif
 
 endif # $(DISABLE_DYNLOADING)
diff --git a/external/curl/ExternalProject_curl.mk b/external/curl/ExternalProject_curl.mk
index 11d1fcc57d4a..11beda8c7c5c 100644
--- a/external/curl/ExternalProject_curl.mk
+++ b/external/curl/ExternalProject_curl.mk
@@ -35,14 +35,14 @@ ifeq ($(SYSTEM_NSS),)
 curl_CPPFLAGS += -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss
 endif
 
-# use --with-darwinssl on macOS >10.5 and iOS to get a native UI for SSL certs for CMIS usage
+# use --with-secure-transport on macOS >10.5 and iOS to get a native UI for SSL certs for CMIS usage
 # use --with-nss only on platforms other than macOS and iOS
 $(call gb_ExternalProject_get_state_target,curl,build):
 	$(call gb_Trace_StartRange,curl,EXTERNAL)
 	$(call gb_ExternalProject_run,build,\
 		$(gb_RUN_CONFIGURE) ./configure \
 			$(if $(filter iOS MACOSX,$(OS)),\
-				--with-darwinssl,\
+				--with-secure-transport,\
 				$(if $(ENABLE_NSS),--with-nss$(if $(SYSTEM_NSS),,="$(call gb_UnpackedTarball_get_dir,nss)/dist/out"),--without-nss)) \
 			--without-ssl --without-gnutls --without-polarssl --without-cyassl --without-axtls --without-mbedtls \
 			--enable-ftp --enable-http --enable-ipv6 \
@@ -50,7 +50,8 @@ $(call gb_ExternalProject_get_state_target,curl,build):
 			--without-libssh2 --without-metalink --without-nghttp2 \
 			--without-libssh --without-brotli \
 			--without-ngtcp2 --without-quiche \
-			--disable-ares \
+			--without-zstd --without-hyper --without-gsasl --without-gssapi \
+			--disable-mqtt --disable-ares \
 			--disable-dict --disable-file --disable-gopher --disable-imap \
 			--disable-ldap --disable-ldaps --disable-manual --disable-pop3 \
 			--disable-rtsp --disable-smb --disable-smtp --disable-telnet  \
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index 6171f17cba48..2cdfbfc08632 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -24,7 +24,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
 	external/curl/curl-msvc-disable-protocols.patch.1 \
 	external/curl/curl-7.26.0_win-proxy.patch \
 	external/curl/zlib.patch.0 \
-    external/curl/curl-ios.patch.1 \
 ))
 
 ifeq ($(SYSTEM_NSS),)
diff --git a/external/curl/curl-7.26.0_win-proxy.patch b/external/curl/curl-7.26.0_win-proxy.patch
index 852881570e36..46cdcc739d80 100644
--- a/external/curl/curl-7.26.0_win-proxy.patch
+++ b/external/curl/curl-7.26.0_win-proxy.patch
@@ -114,7 +114,7 @@
 @@ -4663,6 +4739,7 @@
    }
    if(proxy)
-     infof(conn->data, "Uses proxy env variable %s == '%s'\n", envp, proxy);
+     infof(data, "Uses proxy env variable %s == '%s'", envp, proxy);
 +#endif /* _WIN32 */
  
    return proxy;
diff --git a/external/curl/curl-ios.patch.1 b/external/curl/curl-ios.patch.1
deleted file mode 100644
index 1c8fd8f70566..000000000000
--- a/external/curl/curl-ios.patch.1
+++ /dev/null
@@ -1,17 +0,0 @@
-# -*- Mode: Diff -*-
-#
-# We don't want curl's configure script to add a -mmacosx-version-min
-# option when it is for iOS we are building. In that case already $CC
-# contains a -miphoneos-version-min option.
-
---- curl/configure
-+++ curl/configure
-@@ -18976,7 +18976,7 @@
-     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for *version-min in CFLAGS" >&5
- $as_echo_n "checking for *version-min in CFLAGS... " >&6; }
-     min=""
--    if test -z "$(echo $CFLAGS | grep m.*os.*-version-min)"; then
-+    if test -z "$(echo $CC $CFLAGS | grep m.*os.*-version-min)"; then
-       min="-mmacosx-version-min=10.8"
-       CFLAGS="$CFLAGS $min"
-     fi
diff --git a/external/curl/curl-msvc-disable-protocols.patch.1 b/external/curl/curl-msvc-disable-protocols.patch.1
index c8747a5fcc1d..a6d06c69b004 100644
--- a/external/curl/curl-msvc-disable-protocols.patch.1
+++ b/external/curl/curl-msvc-disable-protocols.patch.1
@@ -2,18 +2,19 @@ disable protocols nobody needs in MSVC build
 
 --- curl/lib/config-win32.h.orig	2017-08-09 16:43:29.464000000 +0200
 +++ curl/lib/config-win32.h	2017-08-09 16:47:38.549200000 +0200
-@@ -733,4 +733,19 @@
+@@ -733,4 +733,20 @@
  #  define ENABLE_IPV6 1
  #endif
  
 +#define CURL_DISABLE_DICT 1
 +#define CURL_DISABLE_FILE 1
-+//#undef CURL_DISABLE_FTP
++#undef CURL_DISABLE_FTP
 +#define CURL_DISABLE_GOPHER 1
-+//#undef CURL_DISABLE_HTTP
++#undef CURL_DISABLE_HTTP
 +#define CURL_DISABLE_IMAP 1
 +#define CURL_DISABLE_LDAP 1
 +#define CURL_DISABLE_LDAPS 1
++#define CURL_DISABLE_MQTT 1
 +#define CURL_DISABLE_POP3 1
 +#define CURL_DISABLE_RTSP 1
 +#define CURL_DISABLE_SMB 1
diff --git a/external/curl/zlib.patch.0 b/external/curl/zlib.patch.0
index 189e820d1afa..f4a0ad4b152f 100644
--- a/external/curl/zlib.patch.0
+++ b/external/curl/zlib.patch.0
@@ -54,8 +54,8 @@
  clean_LIBS=$LIBS
 -ZLIB_LIBS=""
  AC_ARG_WITH(zlib,
- AC_HELP_STRING([--with-zlib=PATH],[search for zlib in PATH])
- AC_HELP_STRING([--without-zlib],[disable use of zlib]),
+ AS_HELP_STRING([--with-zlib=PATH],[search for zlib in PATH])
+ AS_HELP_STRING([--without-zlib],[disable use of zlib]),
                 [OPT_ZLIB="$withval"])
  
  if test "$OPT_ZLIB" = "no" ; then
-- 
cgit