external/curl/0001-curl_sasl-if-redirected-require-permission-to-use-be.patch | 39 --- external/curl/0001-ldap-call-ldap_init-before-setting-the-options.patch | 115 ---------- external/curl/0001-libssh-require-private-key-or-user-agent-for-public-.patch | 30 -- external/curl/0001-libssh-set-both-knownhosts-options-to-the-same-file.patch | 31 -- external/curl/0001-openssl-toggling-CURLSSLOPT_NO_PARTIALCHAIN-makes-a-.patch | 73 ------ external/curl/0001-vquic-tls-gnutls-call-Curl_gtls_verifyserver-uncondi.patch | 36 --- external/curl/UnpackedTarball_curl.mk | 6 7 files changed, 330 deletions(-)
New commits: commit 093bf0786c45e7514320ccb1c8b1232691028717 Author: Xisco Fauli <[email protected]> AuthorDate: Thu Jan 15 09:04:25 2026 +0100 Commit: Xisco Fauli <[email protected]> CommitDate: Thu Jan 15 12:47:05 2026 +0100 Revert "curl: patch CVE fixes from curl 8.18.0" This reverts commit 7ae82489e853d495ea3abc1473785533fd777604. Reason for revert: None of the patched CVEs affects LibreOffice. See comments from Michael Stahl in https://gerrit.libreoffice.org/c/core/+/196909 Change-Id: I5bcb106e21c7ee7c7c3d38c2f3153151d786e381 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/197317 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> diff --git a/external/curl/0001-curl_sasl-if-redirected-require-permission-to-use-be.patch b/external/curl/0001-curl_sasl-if-redirected-require-permission-to-use-be.patch deleted file mode 100644 index 5ca576782127..000000000000 --- a/external/curl/0001-curl_sasl-if-redirected-require-permission-to-use-be.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 1a822275d333dc6da6043497160fd04c8fa48640 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <[email protected]> -Date: Wed, 10 Dec 2025 11:40:47 +0100 -Subject: [PATCH] curl_sasl: if redirected, require permission to use bearer - -Closes #19933 ---- - lib/curl_sasl.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c -index 3e4bafc19a..b93bafbefa 100644 ---- a/lib/curl_sasl.c -+++ b/lib/curl_sasl.c -@@ -356,7 +356,9 @@ - data->set.str[STRING_SERVICE_NAME] : - sasl->params->service; - #endif -- const char *oauth_bearer = data->set.str[STRING_BEARER]; -+ const char *oauth_bearer = -+ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? -+ data->set.str[STRING_BEARER] : NULL; - struct bufref nullmsg; - - Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port); -@@ -543,7 +545,9 @@ - data->set.str[STRING_SERVICE_NAME] : - sasl->params->service; - #endif -- const char *oauth_bearer = data->set.str[STRING_BEARER]; -+ const char *oauth_bearer = -+ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ? -+ data->set.str[STRING_BEARER] : NULL; - struct bufref serverdata; - - Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port); --- -2.39.5 - diff --git a/external/curl/0001-ldap-call-ldap_init-before-setting-the-options.patch b/external/curl/0001-ldap-call-ldap_init-before-setting-the-options.patch deleted file mode 100644 index 186e3f9a5ae5..000000000000 --- a/external/curl/0001-ldap-call-ldap_init-before-setting-the-options.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 39d1976b7f709a516e3243338ebc0443bdd8d56d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <[email protected]> -Date: Thu, 4 Dec 2025 00:14:20 +0100 -Subject: [PATCH] ldap: call ldap_init() before setting the options - -Closes #19830 ---- - lib/ldap.c | 50 +++++++++++++++++++------------------------------- - 1 file changed, 19 insertions(+), 31 deletions(-) - -diff --git a/lib/ldap.c b/lib/ldap.c -index 63b2cbc414..0911a9239a 100644 ---- a/lib/ldap.c -+++ b/lib/ldap.c -@@ -374,17 +374,30 @@ - user = conn->user; - passwd = conn->passwd; - } -+ -+#ifdef USE_WIN32_LDAP -+ if(ldap_ssl) -+ server = ldap_sslinit(host, (curl_ldap_num_t)conn->primary.remote_port, 1); -+ else -+#else -+ server = ldap_init(host, (curl_ldap_num_t)conn->primary.remote_port); -+#endif -+ if(!server) { -+ failf(data, "LDAP: cannot setup connect to %s:%u", -+ conn->host.dispname, conn->primary.remote_port); -+ result = CURLE_COULDNT_CONNECT; -+ goto quit; -+ } - - #ifdef LDAP_OPT_NETWORK_TIMEOUT -- ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); -+ ldap_set_option(server, LDAP_OPT_NETWORK_TIMEOUT, &ldap_timeout); - #endif -- ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); -+ ldap_set_option(server, LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); - - if(ldap_ssl) { - #ifdef HAVE_LDAP_SSL - #ifdef USE_WIN32_LDAP - /* Win32 LDAP SDK does not support insecure mode without CA! 
*/ -- server = ldap_sslinit(host, (curl_ldap_num_t)conn->primary.remote_port, 1); - ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON); - #else - int ldap_option; -@@ -404,7 +417,7 @@ - goto quit; - } - infof(data, "LDAP local: using PEM CA cert: %s", ldap_ca); -- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); -+ rc = ldap_set_option(server, LDAP_OPT_X_TLS_CACERTFILE, ldap_ca); - if(rc != LDAP_SUCCESS) { - failf(data, "LDAP local: ERROR setting PEM CA cert: %s", - ldap_err2string(rc)); -@@ -416,20 +429,13 @@ - else - ldap_option = LDAP_OPT_X_TLS_NEVER; - -- rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); -+ rc = ldap_set_option(server, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_option); - if(rc != LDAP_SUCCESS) { - failf(data, "LDAP local: ERROR setting cert verify mode: %s", - ldap_err2string(rc)); - result = CURLE_SSL_CERTPROBLEM; - goto quit; - } -- server = ldap_init(host, conn->primary.remote_port); -- if(!server) { -- failf(data, "LDAP local: Cannot connect to %s:%u", -- conn->host.dispname, conn->primary.remote_port); -- result = CURLE_COULDNT_CONNECT; -- goto quit; -- } - ldap_option = LDAP_OPT_X_TLS_HARD; - rc = ldap_set_option(server, LDAP_OPT_X_TLS, &ldap_option); - if(rc != LDAP_SUCCESS) { -@@ -438,15 +444,6 @@ - result = CURLE_SSL_CERTPROBLEM; - goto quit; - } --/* -- rc = ldap_start_tls_s(server, NULL, NULL); -- if(rc != LDAP_SUCCESS) { -- failf(data, "LDAP local: ERROR starting SSL/TLS mode: %s", -- ldap_err2string(rc)); -- result = CURLE_SSL_CERTPROBLEM; -- goto quit; -- } --*/ - #else - (void)ldap_option; - (void)ldap_ca; -@@ -465,15 +462,7 @@ - result = CURLE_NOT_BUILT_IN; - goto quit; - } -- else { -- server = ldap_init(host, (curl_ldap_num_t)conn->primary.remote_port); -- if(!server) { -- failf(data, "LDAP local: Cannot connect to %s:%u", -- conn->host.dispname, conn->primary.remote_port); -- result = CURLE_COULDNT_CONNECT; -- goto quit; -- } -- } -+ - #ifdef USE_WIN32_LDAP - ldap_set_option(server, 
LDAP_OPT_PROTOCOL_VERSION, &ldap_proto); - rc = ldap_win_bind(data, server, user, passwd); --- -2.39.5 - diff --git a/external/curl/0001-libssh-require-private-key-or-user-agent-for-public-.patch b/external/curl/0001-libssh-require-private-key-or-user-agent-for-public-.patch deleted file mode 100644 index 2a974112c62f..000000000000 --- a/external/curl/0001-libssh-require-private-key-or-user-agent-for-public-.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 16d5f2a5660c61cc27bd5f1c7f512391d1c927aa Mon Sep 17 00:00:00 2001 -From: Harry Sintonen <[email protected]> -Date: Mon, 29 Dec 2025 16:56:39 +0100 -Subject: [PATCH] libssh: require private key or user-agent for public key auth - -Closes #20110 ---- - lib/vssh/libssh.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c -index 5d5125b526..bde6355f73 100644 ---- a/lib/vssh/libssh.c -+++ b/lib/vssh/libssh.c -@@ -698,7 +698,11 @@ - "keyboard-interactive, " : "", - sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ? - "password": ""); -- if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) { -+ /* For public key auth we need either the private key or -+ CURLSSH_AUTH_AGENT. */ -+ if((sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) && -+ (data->set.str[STRING_SSH_PRIVATE_KEY] || -+ (data->set.ssh_auth_types & CURLSSH_AUTH_AGENT))) { - myssh_state(data, sshc, SSH_AUTH_PKEY_INIT); - infof(data, "Authentication using SSH public key file"); - } --- -2.39.5 - diff --git a/external/curl/0001-libssh-set-both-knownhosts-options-to-the-same-file.patch b/external/curl/0001-libssh-set-both-knownhosts-options-to-the-same-file.patch deleted file mode 100644 index 2b3c7683b786..000000000000 --- a/external/curl/0001-libssh-set-both-knownhosts-options-to-the-same-file.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From adca486c125d9a6d9565b9607a19dce803a8b479 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <[email protected]> -Date: Wed, 24 Dec 2025 17:47:03 +0100 -Subject: [PATCH] libssh: set both knownhosts options to the same file - -Reported-by: Harry Sintonen - -Closes #20092 ---- - lib/vssh/libssh.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c -index 7d5905c83d..98c109ab59 100644 ---- a/lib/vssh/libssh.c -+++ b/lib/vssh/libssh.c -@@ -2629,6 +2629,11 @@ static CURLcode myssh_connect(struct Curl_easy *data, bool *done) - infof(data, "Known hosts: %s", data->set.str[STRING_SSH_KNOWNHOSTS]); - rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_KNOWNHOSTS, - data->set.str[STRING_SSH_KNOWNHOSTS]); -+ if(rc == SSH_OK) -+ /* libssh has two separate options for this. Set both to the same file -+ to avoid surprises */ -+ rc = ssh_options_set(sshc->ssh_session, SSH_OPTIONS_GLOBAL_KNOWNHOSTS, -+ data->set.str[STRING_SSH_KNOWNHOSTS]); - if(rc != SSH_OK) { - failf(data, "Could not set known hosts file path"); - return CURLE_FAILED_INIT; --- -2.39.5 - diff --git a/external/curl/0001-openssl-toggling-CURLSSLOPT_NO_PARTIALCHAIN-makes-a-.patch b/external/curl/0001-openssl-toggling-CURLSSLOPT_NO_PARTIALCHAIN-makes-a-.patch deleted file mode 100644 index 6613d80c9ae3..000000000000 --- a/external/curl/0001-openssl-toggling-CURLSSLOPT_NO_PARTIALCHAIN-makes-a-.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From cd046f6c93b39d673a58c18648d8906e954c4f5d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <[email protected]> -Date: Wed, 17 Dec 2025 10:54:16 +0100 -Subject: [PATCH] openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a - different CA cache - -Reported-by: Stanislav Fort - -Closes #20009 ---- - lib/vtls/openssl.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index a7f169d641..7563d9a090 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -3457,6 +3457,7 @@ - char *CAfile; /* CAfile path used to generate X509 store */ - X509_STORE *store; /* cached X509 store or NULL if none */ - struct curltime time; /* when the cached store was created */ -+ BIT(no_partialchain); /* keep partial chain state */ - }; - - static void oss_x509_share_free(void *key, size_t key_len, void *p) -@@ -3491,12 +3492,16 @@ - - static bool - ossl_cached_x509_store_different(struct Curl_cfilter *cf, -+ const struct Curl_easy *data, - const struct ossl_x509_share *mb) - { - struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); -+ struct ssl_config_data *ssl_config = -+ Curl_ssl_cf_get_config(cf, CURL_UNCONST(data)); -+ if(mb->no_partialchain != ssl_config->no_partialchain) -+ return TRUE; - if(!mb->CAfile || !conn_config->CAfile) - return mb->CAfile != conn_config->CAfile; -- - return strcmp(mb->CAfile, conn_config->CAfile); - } - -@@ -3513,7 +3518,7 @@ - sizeof(MPROTO_OSSL_X509_KEY)-1) : NULL; - if(share && share->store && - !ossl_cached_x509_store_expired(data, share) && -- !ossl_cached_x509_store_different(cf, share)) { -+ !ossl_cached_x509_store_different(cf, data, share)) { - store = share->store; - } - -@@ -3550,6 +3555,8 @@ - - if(X509_STORE_up_ref(store)) { - char *CAfile = NULL; -+ struct ssl_config_data *ssl_config = -+ Curl_ssl_cf_get_config(cf, CURL_UNCONST(data)); - - if(conn_config->CAfile) { - CAfile = strdup(conn_config->CAfile); -@@ -3567,6 
+3574,7 @@ - share->time = curlx_now(); - share->store = store; - share->CAfile = CAfile; -+ share->no_partialchain = ssl_config->no_partialchain; - } - } - - --- -2.39.5 - diff --git a/external/curl/0001-vquic-tls-gnutls-call-Curl_gtls_verifyserver-uncondi.patch b/external/curl/0001-vquic-tls-gnutls-call-Curl_gtls_verifyserver-uncondi.patch deleted file mode 100644 index b73f23c1a3ae..000000000000 --- a/external/curl/0001-vquic-tls-gnutls-call-Curl_gtls_verifyserver-uncondi.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 3d91ca8cdb3b434226e743946d428b4dd3acf2c9 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <[email protected]> -Date: Fri, 14 Nov 2025 16:42:23 +0100 -Subject: [PATCH] vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally - -Closes #19531 ---- - lib/vquic/vquic-tls.c | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - -diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c -index f4ef06c33b..46bb4c7d4c 100644 ---- a/lib/vquic/vquic-tls.c -+++ b/lib/vquic/vquic-tls.c -@@ -169,13 +169,11 @@ - (void)conn_config; - result = Curl_oss_check_peer_cert(cf, data, &ctx->ossl, peer); - #elif defined(USE_GNUTLS) -- if(conn_config->verifyhost) { -- result = Curl_gtls_verifyserver(data, ctx->gtls.session, -- conn_config, &data->set.ssl, peer, -- data->set.str[STRING_SSL_PINNEDPUBLICKEY]); -- if(result) -- return result; -- } -+ result = Curl_gtls_verifyserver(cf, data, ctx->gtls.session, -+ conn_config, &data->set.ssl, peer, -+ data->set.str[STRING_SSL_PINNEDPUBLICKEY]); -+ if(result) -+ return result; - #elif defined(USE_WOLFSSL) - (void)data; - if(conn_config->verifyhost) { --- -2.39.5 - diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk index 27b8d2b84783..51bec9c4f659 100644 --- a/external/curl/UnpackedTarball_curl.mk +++ b/external/curl/UnpackedTarball_curl.mk 
@@ -30,12 +30,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\ external/curl/0001-const-up-readonly-H2_NON_FIELD.patch.1 \ external/curl/0001-cookie-don-t-treat-the-leading-slash-as-trailing.patch \ external/curl/0001-ws-get-a-new-mask-for-each-new-outgoing-frame.patch \ - external/curl/0001-libssh-require-private-key-or-user-agent-for-public-.patch \ - external/curl/0001-libssh-set-both-knownhosts-options-to-the-same-file.patch \ - external/curl/0001-openssl-toggling-CURLSSLOPT_NO_PARTIALCHAIN-makes-a-.patch \ - external/curl/0001-curl_sasl-if-redirected-require-permission-to-use-be.patch \ - external/curl/0001-ldap-call-ldap_init-before-setting-the-options.patch \ - external/curl/0001-vquic-tls-gnutls-call-Curl_gtls_verifyserver-uncondi.patch \ )) ifeq ($(OS)-$(COM_IS_CLANG),WNT-TRUE)
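Review bot: Dropping these six entries from the add_patches list ships the bundled curl without the corresponding 8.18.0 security fixes, and nothing in this file records why that is acceptable; the rationale lives only in the commit message and a gerrit thread. The deleted patches touch LDAP option setup, libssh public-key authentication and known_hosts handling, the OpenSSL CA-store cache distinguished by CURLSSLOPT_NO_PARTIALCHAIN, SASL bearer-token reuse after a redirect, and GnuTLS server verification in the QUIC path; whether each of those is unreachable depends on how LibreOffice configures curl (disabled protocols, TLS backend, HTTP/3), which is not visible in this hunk. I would keep a one-line marker next to the remaining patch list so the next curl bump or vulnerability scan does not have to re-derive the decision: `# curl 8.18.0 CVE fixes deliberately not backported (LDAP, libssh, SASL bearer, OpenSSL CA cache, QUIC/GnuTLS paths unused here); see gerrit 196909`. Naming the CVE identifiers in that comment would also let scanners that match on the curl version be reconciled against it.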
