PaulHowarth/Blog/2023-12

Paul's Blog Entries for December 2023

Friday 1st December 2023

Fedora Project

  • Updated perl-Test-Simple to 1.302198 in Rawhide:

    • Remove use of defined-or operator

Local Packages

  • Updated perl-Test-Simple to 1.302198 as per the Fedora version

Monday 4th December 2023

Local Packages

  • Updated c-ares to 1.23.0:

  • This is a feature and bugfix release
  • Features:

    • Introduce optional (but on by default) thread-safety for the c-ares library; this has no API nor ABI implications

    • resolv.conf in modern systems uses attempts and timeouts options instead of the old retrans and retry options

    • Query caching support based on TTL of responses: can be enabled via ares_init_options() with ARES_OPT_QUERY_CACHE

  • Bug Fixes:

    • ares_init_options() for ARES_OPT_UDP_PORT and ARES_OPT_TCP_PORT accept the port in host byte order, but it was reading it as network byte order (regression introduced in 1.20.0)

    • ares_init_options() for ARES_FLAG_NOSEARCH was not being honoured for ares_getaddrinfo() or ares_gethostbyname() (regression introduced in 1.16.0)

    • Autotools MacOS and iOS version check was failing

    • Environment variables passed to c-ares are meant to be an override for system configuration (regression introduced in 1.22.0)

    • Spelling fixes as detected by codespell

    • The timeout returned by ares_timeout() was truncated to milliseconds but validated to microseconds, which could cause a user to attempt to process timeouts prior to the timeout actually expiring

    • CMake was not honouring CXXFLAGS passed in via the environment, which could cause compile and link errors with distribution hardening flags during packaging

    • Fix Windows UWP and Cygwin compilation

    • ares_set_servers_*() for legacy reasons needs to accept an empty server list and zero out all servers, which results in an inoperable channel and thus is only used in simulation testing, but we don't want to break users (regression introduced in 1.21.0)

Wednesday 6th December 2023

Local Packages

  • Updated curl to 8.5.0:

    • gnutls: Support CURLSSLOPT_NATIVE_CA

    • HTTP3: ngtcp2 builds are no longer experimental

    • appveyor: Make VS2008-built curl tool runnable

    • asyn-thread: Use pipe instead of socketpair for IPC when available

    • autotools: Accept linker flags via 'CURL_LDFLAGS_{LIB,BIN}'

    • autotools: Avoid passing 'LDFLAGS' twice to libcurl

    • autotools: Delete LCC compiler support bits

    • autotools: Fix/improve gcc and Apple clang version detection

    • autotools: Stop setting '-std=gnu89' with '--enable-warnings'

    • autotools: Update references to deleted 'crypt-auth' option

    • BINDINGS: Add V binding

    • build: Add 'src/.checksrc' to source tarball

    • build: Add more picky warnings and fix them

    • build: Always revert '#pragma GCC diagnostic' after use

    • build: Delete 'HAVE_STDINT_H' and 'HAVE_INTTYPES_H'

    • build: Delete support bits for obsolete Windows compilers

    • build: Fix 'threadsafe' feature detection for older gcc

    • build: Fix builds that disable protocols but not digest auth
    • build: Fix compiler warning with auths disabled

    • build: Fix libssh2 + 'CURL_DISABLE_DIGEST_AUTH' + 'CURL_DISABLE_AWS'

    • build: Picky warning updates
    • build: Require Windows XP or newer

    • cfilter: Provide call to tell connection to forget a socket

    • checksrc.pl: Support #line instructions

    • CI: Add autotools, out-of-tree, debug build to distro check job

    • CI: Ignore test 286 on Appveyor gcc 9 build

    • cmake: Add 'CURL_DISABLE_BINDLOCAL' option

    • cmake: Add test for 'DISABLE' options, add 'CURL_DISABLE_HEADERS_API'

    • cmake: Dedupe Windows system libs

    • cmake: Fix 'HAVE_H_ERRNO_ASSIGNABLE' detection

    • cmake: Fix CURL_DISABLE_GETOPTIONS

    • cmake: Fix multiple include of CURL package
    • cmake: Fix OpenSSL quic detection in quiche builds

    • cmake: Option to disable install and drop 'curlu' target when unused

    • cmake: Pre-fill rest of detection values for Windows

    • cmake: Replace 'check_library_exists_concat()'

    • cmake: Speed up threads setup for Windows

    • cmake: Speed up zstd detection

    • config-win32: Set 'HAVE_SNPRINTF' for mingw-w64

    • configure: Better --disable-http

    • configure: Check for the fseeko declaration too

    • conncache: Use the closure handle when disconnecting surplus connections

    • content_encoding: Make Curl_all_content_encodings allocless

    • cookie: Lowercase the domain names before PSL checks (CVE-2023-46218)

    • curl.h: Delete Symbian OS references

    • curl.h: On FreeBSD include sys/param.h instead of osreldate.h

    • curl.rc: Switch out the copyright symbol for plain ASCII

    • curl: Improved IPFS and IPNS URL support

    • curl_easy_duphandle.3: Clarify how HSTS and alt-svc are duped

    • Curl_http_body: Clean up properly when Curl_getformdata errors

    • curl_setup: Disallow Windows IPv6 builds missing getaddrinfo

    • curl_sspi: Support more revocation error names in error messages

    • CURLINFO_PRETRANSFER_TIME_T.3: Fix time explanation

    • CURLMOPT_MAX_CONCURRENT_STREAMS: Make sure the set value is within range

    • CURLOPT_CAINFO_BLOB.3: Explain what CURL_BLOB_COPY does

    • CURLOPT_WRITEFUNCTION.3: Clarify libcurl returns for CURL_WRITEFUNC_ERROR

    • CURPOST_POSTFIELDS.3: Add CURLOPT_COPYPOSTFIELDS in SEE ALSO

    • docs/example/keepalive.c: Show TCP keep-alive options

    • docs/example/localport.c: Show off CURLOPT_LOCALPORT

    • docs/examples/interface.c: Show CURLOPT_INTERFACE use

    • docs/libcurl: Fix three minor man page format mistakes

    • docs/libcurl: SYNOPSIS clean up

    • docs: Add supported version for the json write-out

    • docs: Clarify that curl passes on input unfiltered

    • docs: Fix function typo in curl_easy_option_next.3

    • docs: KNOWN_BUGS clean up

    • docs: Make all examples in all libcurl man pages compile

    • docs: Preserve the modification date when copying the prebuilt man page

    • docs: Remove bold from some man page SYNOPSIS sections

    • docs: Use SOURCE_DATE_EPOCH for generated manpages

    • doh: Provide better return code for responses w/o addresses

    • doh: Use PIPEWAIT when HTTP/2 is attempted

    • duphandle: Also free 'outcurl->cookies' in error path

    • duphandle: Make dupset() not return with pointers to old alloced data

    • duphandle: Use strdup to clone *COPYPOSTFIELDS if size is not set

    • easy: In duphandle, init the cookies for the new handle

    • easy: Remove duplicate wolfSSH init call

    • easy_lock: Add a pthread_mutex_t fallback

    • examples/rtsp-options.c: Add

    • fopen: Create new file using old file's mode

    • fopen: Create short(er) temporary file name (CVE-2023-46219)

    • getenv: PlayStation doesn't have getenv()

    • GHA: Move mod_h2 version in CI to v2.0.25

    • hostip: Show the list of IPs when resolving is done

    • hostip: Silence compiler warning '-Wparentheses-equality'

    • hsts: Skip single-dot hostname
    • HTTP/2, HTTP/3: Handle detach of ongoing transfers
    • http2: Header conversion tightening

    • http2: Provide an error callback and failf the message

    • http2: Safer invocation of populate_binsettings

    • http: Allow longer HTTP/2 request method names

    • http: Avoid Expect: 100-continue if Upgrade: is used

    • http: Consider resume with CURLOPT_FAILONERRROR and 416 to be fine

    • http: Fix '-Wunused-parameter' with no auth and no proxy

    • http: Fix '-Wunused-variable' compiler warning

    • http: Fix empty-body warning

    • http_aws_sigv4: Canonicalise valueless query params

    • hyper: Temporarily remove HTTP/2 support

    • INSTALL: Update list of ports and CPU archs

    • IPFS: Fix IPFS_PATH and file parsing

    • keylog: Disable if unused

    • lib: Add and use Curl_strndup()

    • lib: Apache style infof and trace macros/functions

    • lib: Fix gcc warning in printf call

    • libcurl-errors.3: Sync with current public headers

    • libcurl-thread.3: Simplify the TLS section

    • Makefile.am: Drop vc10, vc11 and vc12 projects from dist

    • Makefile.mk: Fix '-rtmp' option for non-Windows

    • mime: Store "form escape" as a single bit

    • misc: Fix -Walloc-size warnings

    • msh3: Error when built with CURL_DISABLE_SOCKETPAIR set

    • multi: During ratelimit multi_getsock should return no sockets

    • multi: Use pipe instead of socketpair to *wakeup()

    • ngtcp2: Fix races in stream handling
    • ngtcp2: Ignore errors on unknown streams

    • ntlm_wb: Use pipe instead of socketpair when possible

    • openldap: Move the alloc of ldapconninfo to *connect()

    • openldap: Set the callback argument in oldap_do

    • openssl: Avoid BN_num_bits() NULL pointer derefs

    • openssl: Fix building with v3 'no-deprecated' + add CI test

    • openssl: Fix infof() to avoid compiler warning for %s with null

    • openssl: Identify the "quictls" backend correctly

    • openssl: Include SIG and KEM algorithms in verbose

    • openssl: Make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs

    • openssl: Two multi pointer checks should probably rather be asserts

    • openssl: When a session-ID is reused, skip OCSP stapling
    • page-footer: Clarify exit code 25
    • projects: Add VC14.20 project files
    • pytest: Use lower count in repeat tests
    • quic: Make eyeballers connect retries stop at weird replies
    • quic: Manage connection idle timeouts

    • quiche: Use quiche_conn_peer_transport_params()

    • rand: Fix build error with autotools + LibreSSL

    • resolve.d: Drop a multi use-sentence

    • RTSP: Improved RTP parser

    • rustls: Implement connect_blocking

    • sasl: Fix '-Wunused-function' compiler warning

    • schannel: Add CA cache support for files and memory blobs

    • setopt: Check CURLOPT_TFTP_BLKSIZE range on set

    • setopt: Remove outdated cookie comment
    • setopt: Remove superfluous use of ternary expressions
    • socks: Better buffer size checks for socks4a user and hostname

    • socks: Make SOCKS5 use the CURLOPT_IPRESOLVE choice

    • symbols-in-versions: The CLOSEPOLICY options are deprecated

    • test1683: Remove commented-out check alternatives

    • test3103: Add missing quotes around a test tag attribute

    • test613: Stop showing an error on missing output file

    • tests/README: SOCKS tests are not using OpenSSH; it has its own server

    • tests/server: Add more SOCKS5 handshake error checking

    • tests: Fix Windows test helper tool search and use it for handle64

    • tidy-up: Casing typos, delete unused Windows version aliases

    • tool: Fix --capath when proxy support is disabled

    • tool: Support bold headers in Windows

    • tool_cb_hdr: Add an additional parsing check

    • tool_cb_prg: Make the carriage return fit for wide progress bars

    • tool_cb_wrt: Fix write output for very old Windows versions

    • tool_getparam: Limit --rate to be smaller than number of ms

    • tool_operate: Do not mix memory models

    • tool_operate: Fix links in IPFS errors

    • tool_parsecfg: Make warning output propose double-quoting

    • tool_urlglob: Fix build for old gcc versions

    • tool_urlglob: Make multiply() bail out on negative values

    • tool_writeout_json: Fix JSON encoding of non-ascii bytes

    • transfer: Abort pause send when connection is marked for closing
    • transfer: Avoid calling the read callback again after EOF

    • transfer: Only reset the FTP wildcard engine in CLEAR state

    • url: Don't touch the multi handle when closing internal handles
    • url: Find scheme with a "perfect hash"

    • url: Fix '-Wzero-length-array' with no protocols

    • url: Fix builds with 'CURL_DISABLE_HTTP'

    • url: Protocol handler lookup tidy-up
    • url: Proxy ssl connection reuse fix
    • urlapi: Avoid null deref if setting blank host to url encode
    • urlapi: Skip appending NULL pointer query
    • urlapi: When URL encoding the fragment, pass in the right length

    • urldata: Make maxconnects a 32-bit value

    • urldata: Move async resolver state from easy handle to connectdata

    • urldata: Move cookielist from UserDefined to UrlState

    • urldata: Move hstslist from 'set' to 'state'

    • urldata: Move the 'internal' boolean to the state struct

    • vssh: Remove the #ifdef for Curl_ssh_init, use empty macro

    • vtls: Clean up SSL config management

    • vtls: Consistently use typedef names for OpenSSL structs

    • vtls: Late clone of connection ssl config
    • vtls: Use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0

    • VULN-DISCLOSURE-POLICY: Escape sequences are not a security flaw

    • windows: Use built-in '_WIN32' macro to detect Windows

    • wolfssh: Remove redundant static prototypes

    • wolfssl: Add default case for wolfssl_connect_step1 switch

    • wolfssl: Require WOLFSSL_SYS_CA_CERTS for loading system CA

  • I had to locally include errorcodes.pl, missing from tarball (GH#12462), to get the test suite to pass

  • Updated curl (8.2.1) to fix cookie mixed case PSL bypass (CVE-2023-46218) and HSTS long file name clears contents (CVE-2023-46219)

  • Updated libxml2 to 2.12.2:

  • Regressions:

    • parser: Fix invalid free in xmlParseBalancedChunkMemoryRecover

    • globals: Disable TLS in static Windows builds
    • html: Re-enable buggy detection of XML declarations
    • tree: Fix regression when copying DTDs
    • parser: Make CRLF increment line number
  • Build fixes:
    • build: Disable compiler TLS by default

    • cmake: Update config.h.cmake.in

    • tests: Fix tests --with-valid --without-xinclude

  • I also enabled the W3C XML Conformance and Schema test suites, which required separate sources

Thursday 11th December 2023

Fedora Project

  • Updated libssh2 from 1.10.0 to 1.11.0 in EPEL-9 (lots of updates for more modern cryptography features - Bug #2253412)

Monday 11th December 2023

Fedora Project

  • Updated perl-Mail-Message to 3.015 in Rawhide:

    • Accept empty fields without complaint

    • Fix counting epilogue trailing blank (GH#18, CPAN RT#150141

Tuesday 12th December 2023

Fedora Project

  • Updated gtk+ (1.2.10) to fix incompatible pointer type in call to XmbTextListToTextProperty

Local Packages

  • Updated gtk+ (1.2.10) as per the Fedora version

Wednesday 13th December 2023

Fedora Project

  • Updated bluefish (2.2.14) in Rawhide:

  • Updated perl-IO-AIO (4.8) in Rawhide to fix use of incompatible pointer type in configure test for fexecve(): 

  • Fix this error:

conftest.c: In function 'main':
conftest.c:61:27: error: passing argument 2 of 'fexecve' from incompatible pointer type
   61 |    int res = fexecve (-1, "argv", 0);
      |                           ^~~~~~
      |                           |
      |                           char *
In file included from conftest.c:58:
/usr/include/unistd.h:578:43: note: expected 'char * const*' but argument is of type 'char *'
  578 | extern int fexecve (int __fd, char *const __argv[], char *const __envp[])
      |

The incompatible pointer type issue is traditionally a warning but is likely to be an
error in GCC 14. See: https://fedoraproject.org/wiki/Changes/PortingToModernC

The presence of the issue in the configure test would be likely to result in
failure to detect fexecve() on some systems where it is actually available.

diff -up ./configure.ac.orig ./configure.ac
--- ./configure.ac.orig 2022-09-28 09:21:39.000000000 +0100
+++ ./configure.ac      2023-12-13 09:22:12.070446241 +0000
@@ -80,7 +80,8 @@ AC_CACHE_CHECK(for fexecve, ac_cv_fexecv
 #include <unistd.h>
 int main (void)
 {
-   int res = fexecve (-1, "argv", 0);
+   char *const argv[] = { "foo", "bar", 0 };
+   int res = fexecve (-1, argv, 0);
    return 0;
 }
 ]])],ac_cv_fexecve=yes,ac_cv_fexecve=no)])
diff -up ./configure.orig ./configure
--- ./configure.orig    2022-09-28 09:23:23.000000000 +0100
+++ ./configure 2023-12-13 09:22:43.887161250 +0000
@@ -4762,7 +4762,8 @@ else $as_nop
 #include <unistd.h>
 int main (void)
 {
-   int res = fexecve (-1, "argv", 0);
+   char *const argv[] = { "foo", "bar", 0 };
+   int res = fexecve (-1, argv, 0);
    return 0;
 }

Local Packages

  • Updated bluefish (2.2.14) as per the Fedora version

  • Updated libxml2 to 2.12.3:

  • Regressions:
    • parser: Fix namespaces redefined from default attributes
  • Build fixes:

    • include: Rename XML_EMPTY helper macro

    • include: Move declaration of xmlInitGlobals

    • include: Add missing includes

    • include: Move globals from xmlsave.h to parser.h

    • include: Re-add circular dependency between tree.h and parser.h

  • I also disabled Xpointer locations support as per the Fedora package; upstream says of this code:
    • This was based on a W3C specification which never got beyond Working Draft status. To my knowledge, there's no software supporting this spec that is still maintained. Be warned that this part of the code base is buggy and had many security issues in the past.

  • Updated perl-IO-AIO (4.8) as per the Fedora version

  • Rebuilt pptp (1.10.0) to sync with Rawhide

  • Updated proftpd (1.3.8a) with an additional C compatibility fix (GH#1754)

Friday 15th December 2023

Fedora Project

  • Updated perl-Business-ISBN-Data to 20231215.001 in Rawhide:

    • Data update for 20231215

Local Packages

  • Updated unrar to 7.00 beta 3

Sunday 17th December 2023

Fedora Project

  • Updated perl-Getopt-Long-Descriptive to 0.113 in Rawhide:

    • Improve line wrapping so spacers (non-option text lines) can use more horizontal characters
    • Replace tabs (generally 8 space) indents in output with four spaces

  • Updated perl-MouseX-Getopt (0.38) in Rawhide to fix compatibility with Getopt::Long::Descriptive 0.113 (GH#15)

Tuesday 19th December 2023

Fedora Project

  • Updated perl-MooseX-Getopt to 0.76 in Rawhide:

    • Adjust tests to deal with formatting changes in Getopt::Long::Descriptive 0.113

Wednesday 20th December 2023

Fedora Project

  • Became main admin of perl-Crypt-DES and perl-String-Util

Thursday 21st December 2023

Fedora Project

  • Updated perl-Business-ISBN-Data to 20231220.001 in Rawhide:

    • Data update for 20231220

  • Updated proftpd to 1.3.8b in Rawhide, F-39, F-38 and EPEL-9:

    • Compiling ProFTPD 1.3.8a mod_sftp, mod_tls using libressl 3.7.3 failed (GH#1735)

    • Build system failed for specific module names (GH#1756)

    • "Terrapin" Prefix Truncation Attacks in SSH Specification affected mod_sftp (CVE-2023-48795, GH#1760)

Local Packages

  • Updated proftpd to 1.3.8b as per the Fedora version

  • Updated proftpd (1.3.9) to 1.3.9rc2:

    • 1.3.9rc1 mod_sftp failed to compile if EVP_chacha20 was unavailable, as when using older OpenSSL versions (GH#1730)

    • Error resolving DNS name for implicit "server config" vhost lead to DelayTable not being found (GH#1746)

    • Log message for exceeding quota did not include the user/group/class quota type (GH#1749)

    • Build system failed for specific module names (GH#1756)

    • "Terrapin" Prefix Truncation Attacks in SSH Specification affected mod_sftp (CVE-2023-48795, GH#1760)

Sunday 24th December 2023

Local Packages

  • Updated c-ares to 1.24.0 (Fedora 30 onwards):

  • This is a feature and bugfix release
  • Features:

    • Add support for IPv6 link-local DNS servers; nameserver formats can now accept the %iface suffix, and a new ares_get_servers_csv() function was added to return servers that can contain the link-local interface name

  • Changes:

    • Unbundle GoogleTest for test cases; package maintainers will now need to require GoogleTest (GMock) as a build dependency if building tests (new GoogleTest versions require C++14 or later)

    • Replace nameserver parsing code to use new memory-safe functions

    • Replace the sortlist parser with new memory-safe functions

    • Various warning fixes and dead code removal
  • Bug Fixes:

    • Old Linux versions require POSIX_C_SOURCE or _GNU_SOURCE to compile with thread safety support

    • A non-responsive DNS server that caused timeouts wouldn't increment the failure count, which would lead to other servers not being tried (regression introduced in 1.22.0)

    • Some projects that depend on c-ares expect invalid parameter option values passed into ares_init_options() to simply be ignored; this behaviour has been restored

    • On linux, getrandom() can fail if the kernel doesn't support the syscall: fall back to another random source

    • ares_cancel() when performing ares_gethostbyname() or ares_getaddrinfo() with AF_UNSPEC, if called after one address class was returned but before the other address class, would return ARES_SUCCESS rather than ARES_ECANCELLED

  • Note: building without cmake is broken in this release (GH#670), which is why builds for releases older than Fedora 30 are unavailable

Thursday 28th December 2023

Fedora Project

  • Updated perl-YAML to 1.31 in Rawhide:

    • Update docs to recommend YAML::PP

  • Updated proftpd (1.3.6e) in EPEL-8 to fix one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics (GH#1683, CVE-2023-51713)

Local Packages

  • Updated perl-Net-DNS to 1.42:

  • Updated perl-YAML to 1.31 as per the Fedora version

Friday 29th December 2023

Fedora Project

  • Updated perl-IO-Tty to 1.20 in Rawhide:

    • Remove --no-undefined from compiler test, which is not compatible with all platforms (GH#37)

    • Skip t/pty_get_winsize.t tests on AIX (GH#32)

    • Fix patchlevel check for util.h (GH#27)

Local Packages

  • Updated perl-autodie to 2.37:

    • Deprecate smartmatch handling (GH#117)

    • Remove mention of cpanratings.perl.org (GH#118)

    • Fix typo in changelog (GH#119)

  • Updated perl-IO-Tty to 1.20 as per the Fedora version

Saturday 30th December 2023

Fedora Project

  • Updated perl-Spreadsheet-ParseExcel to 0.66 in F-38, F-39 and Rawhide:

    • Fix for CVE-2023-7101 (unvalidated input can lead to arbitrary code execution vulnerability) (GH#33)

Sunday 31st December 2023

Fedora Project

Local Packages

  • Updated perl-DateTime-TimeZone to 2.61:

    • This release is based on version 2023d of the Olson database
    • Contemporary changes for Antarctica, Greenland, and Palestine

  • Updated perl-Module-CoreList to 5.20231230:

    • Updated for v5.39.6

Previous Month: November 2023
Next Month: January 2024

Recent