gentoo auto-resync : 11:10:2023 - 12:12:04

author: V3n3RiX <venerix@koprulu.sector> 2023-10-11 12:12:04 +0100
committer: V3n3RiX <venerix@koprulu.sector> 2023-10-11 12:12:04 +0100
commit: 656415c9ea59def40c02f7dff6e0650186b509f3 (patch)
tree: 0fabd97ffdc789e947a3bf164c55c1bf183457de /net-misc/curl
parent: 8d839e24e6b6e9a28d945d1dc094e65e2b0ccc2d (diff)
6 files changed, 445 insertions, 95 deletions
diff --git a/net-misc/curl/Manifest b/net-misc/curl/Manifest
index dacb2e2caeaa..0298d91a54b9 100644
--- a/net-misc/curl/Manifest
+++ b/net-misc/curl/Manifest
@@ -1,19 +1,19 @@
 AUX curl-8.0.1-onion-resolution.patch 4036 BLAKE2B 7f9a693f5090585c46d596133e915b67cf6a0b0a78ee164f987de166f24fb3d64a968f6263110c119710735363429447d52e5cc52df90d0f3830cf0e10c3673b SHA512 72efe3cd6d594cd2b73a19596e587c88a7ca89ed6f9a7325df98df2e18a1e85f26232ea48e80097d2d1e2f8db2c1cd945896311cd70ee830c8838afbcb7628d9
+AUX curl-8.3.0-CVE-2023-38545.patch 4345 BLAKE2B b3519d1fdccecf40e9a49cd96bf61e53c2a8ab44b2ca05543ea431da6a00125ccc9b6f7cdde0371db30e741b19a8c86cc90038987750744d2f02a0b1c1f0bec0 SHA512 1b0d3f4d4475bf4d579d4a99504a1e488b4a64e956497dc9558206234f67c60a6006ec9c93df89dc5b18c8d60312877838564adbcb834af5d6389f2f7be856d8
+AUX curl-8.3.0-CVE-2023-38546.patch 4852 BLAKE2B 316a6ca5a05c55ffa029aa97ad9c23844bf9dce2a0220cdce324c678baa8f1bfef6dcb21a6460c80345d2fe81e7738055d207a76e3d0c920c6bbb827869b02c5 SHA512 1a0d047c9c661d39caf4f4f47177aa804b8b8689f68f1f14e83163ce311b5783b58ae3d216e84dbec6bf93b6b0ba7a838831121282702e613ab4c00c1874730d
 AUX curl-8.3.0-tests-arm-musl.patch 3472 BLAKE2B 6722ff38b03191a9c26b90b9a2d4dc9d439cfb0d7227e10f1f100bec4a4d8709878bfab89ef9cfa854955dd44462eef66b8eb3a31db75b4555d9eccaa4457729 SHA512 3beaf54c017c9c13e023bdcaa7e187b1689f988ff2837c2e9a998ed9e7beb850e8baf9dafb0a506b60018b853c8039763d59f2849f1772a8bc8b63843111d769
 AUX curl-prefix.patch 880 BLAKE2B 5b7552a8339014221864a585d174b02a96ec7dd7fe8762d331d1981834044f8ec4db64d527a4ded3f5f4cccc86f281576668de092439eb19f5477d5fcf8369cf SHA512 c7cd13b9ccbd12ed01ea121ffece9c23b898a5b34698bae59ae1dd23b1cf2445180b84d80c4a640981f16dba5018df944f405dd5c660addab54ca21e0e673b7f
 AUX curl-respect-cflags-3.patch 406 BLAKE2B 1b533144858aff5566150c4a2648ad2e48e8ff29849ae285592edfee4b3332d06e750395dea7190ee6a01d2b5ee2c2c42c10400c2e5defa09963a90a1a10417d SHA512 3219e4e67d534e35012909243fc8d69d58989462db44dd507c502e7aaa299f1d9a01392e2c83797cc2bdb53d503470c5d6e7bf94572a6ccc6e5eafcc0466bc54
-DIST curl-8.0.1.tar.xz 2575544 BLAKE2B 67d82e9d71f0a351b5c2ed3ad5eab02e367ded872658a295179b935729d5105015f8c29569c396e11cd14036656af894ded85c8838cba260d9f6f1a8dcb5e22b SHA512 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d
-DIST curl-8.0.1.tar.xz.asc 488 BLAKE2B 452e1bebe1028e7621bbf8829e50cf56e254cd63a8cf2a4c0332176b9f18fb2821304ae556a203996d273c986bddbd04db2218c18fd34dee66e9155861ba50ce SHA512 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf
-DIST curl-8.1.2.tar.xz 2612652 BLAKE2B 66d0828912bb9971dac99025aa8b5c1c2fac1f8b568f2a8a97bd9f66986bdb164b603b539ec3e123cd6a26ea65829e58c90fc9852be88b42074cf40c89c566d1 SHA512 532ab96eba6dea66d272f3be56f5af5c5da922480f9a10e203de98037c311f12f8145ba6bf813831e42815e068874ccfd108f84f7650743f5dbb3ebc3bc9c4f4
-DIST curl-8.1.2.tar.xz.asc 488 BLAKE2B 304dbdb51aa113c0b70b2662e29b1be3294b04f5f00264ce60703756363999cd567dcd0301e27b294d1d53f16ecc016ba429fcbea240949b372750f7e6e7375a SHA512 d120299a2d59259aeb19ae0fa3a3e181e25b6927677187037c61a0901879956177ce8dda10764073a47848f81dcbbcb94e0b6008742994042b6b8fd194e169c3
 DIST curl-8.2.1.tar.xz 2631932 BLAKE2B 77c0b067935397afb3961378f2fe349fa988c6379c1ab7437c5d5f967710b2e9ba7aec91df8fe58a8b26c00c0164d4db9bd095ca27d1bf52b768c8d83cc0ecaf SHA512 3f78c9330c52d32b166f17829fc2be13418ef925e88f75aacad7f369e7afe00dc4a56566418730dbb845b2b284d721b08f639df322e2e1ef2dfab165c4189094
 DIST curl-8.2.1.tar.xz.asc 488 BLAKE2B 569a7c8d338f7175b5035fa281861b57cce7f5327ec6437d79e215e5a806619c9432d7960687e5463787f681cc408371c1eb1f0db7fb8678b8ef34ec50ef69d0 SHA512 31ee66a09e7bd14de949ae991c23a0b905d38407b73ae39bae6d01854d8708355c14bc4d0eab3ff931b85986d0236dd34e934eef6061f4b70739137fd0525084
 DIST curl-8.3.0.tar.xz 2641764 BLAKE2B 6875b20e27ed86f9b6ab256210d85e9fb3b39645e8be710b2e6fe29fba40220f870e06bc21e8a92244670fed0a08c7716e4806a267ede49c4ed6d66e03f5fcd4 SHA512 6404b4c74fe1185cb482631ca3a143996cb7298d0d8a76bfafd7696e7729c00559999a069bdba782dee3f3eb273fb678a4438cb27d3deca54022878cdff83a51
 DIST curl-8.3.0.tar.xz.asc 488 BLAKE2B ef5a749e579710d45db9f73da0cbcb58d77a9dfe73be622536496997fa792fe5cbd0331a31f01e21cbdb36c6384dca44baa647c9f3d20effabb5bfc275b1b491 SHA512 b7d45722640ac50181b20a6d663168ec6eec6691c5604ddfe9c7177f07da598cb2de688c631043dc428c311774d781ccd16bd1e2fb4f038be651e3bee383aec4
-EBUILD curl-8.0.1.ebuild 8726 BLAKE2B 0d9ac7063eb37637fc6d99f092dce9a58c37eb2135319147e24e4aeb1eaca62f352272d963c2122586207d9ce3b7d650e0b317d10cff0811283cedd3993530de SHA512 82c0db5ad5cea9781459da9e3faa296d3a870965b89b4c26881ef950671fe8071b55599910a009e07391e9c42d0794f24369a162d54fe52860fb8a8793027e29
-EBUILD curl-8.1.2.ebuild 9542 BLAKE2B 4afcd794d213bbc26610681b0e668e3c9d93d33765b28550e42f30db1d5d555a6447ae79911e909d737e7e74b7fe933a0fc75c950a4518f8f0dedaf76079367e SHA512 dfa218e14946e4d0c468aab1ff8018917d9191c50c5ac2ff146b13efa0c2c1118c21110be2f902d7ad78006d2cd06e86506728d1dc28115e7a312ce39d4da39f
+DIST curl-8.4.0.tar.xz 2658376 BLAKE2B ea5ebecc3c1aeac3ae8fd0cf7d8ff3298149b9c4c556fb85ed8d9310e3613228eb6fca133b0dfb9268988f93d694779fab8d53510cfa5710c1320bb6638f05eb SHA512 7027dbf3b759b39d6ec9c4da58fadd254e84bb93bff599541b3bc3135bad4c2955c6237d7ddd60973f9f1a6948bc32d7e312985fb50658bc958b9f22fee74f2b
+DIST curl-8.4.0.tar.xz.asc 488 BLAKE2B 0fd4ea46a0942b9bc440e91e8f9323bba6d0eb02fbc87c227004c90e5be14cc644446bc235ab67f857b617975cdeada6ce38a647da9e0bd783e57d58f354cdb4 SHA512 b8b7a5b76be816e7b1552354f267f335fdc608cdadbd2c40ab44faf6450c6bbd2853b6de5c2746a1292aad33a8ee1c367380d32bb1a8282540b38c3b985a320e
 EBUILD curl-8.2.1.ebuild 10403 BLAKE2B 7eda879bb571b9ea002069e6ab93da988ea69fd7ed900bd6318bc6cee954fb05b9b29d43b01e2b2ae5d46673129cbd07245f4ee6f70748bb6e28be66f2a53ba2 SHA512 f03b6d6d7131f0fa41a0bdc19bfca06e90aa4272604f02d2e0433f68ab77b890c2e838e302a186e710156cd85f2a903dcc44d822fd3f4fabe7f4cf366603e5c4
 EBUILD curl-8.3.0-r1.ebuild 10529 BLAKE2B 113f2dde79d5463ce1fc0d2bf36c85830cd63a06a171bdeb86c631425cffee1840136224105254836dda8f3ea7a5607cd7bb25e3b4583bd17ff14fb50b0b0663 SHA512 fd175e2c58652341a2ed416246d4b88d7a7adacb4949284e4a670ddf3f7e88c7b854bf2168f8283d2a9003a3f4e888bc195a6108454e66bb1ee220552ac80bf3
+EBUILD curl-8.3.0-r2.ebuild 10612 BLAKE2B 7440f5638251a86a60aa5285d80cb8a16cdaa2036cee80bebc5141fbbc42304baff6291746f485f8a57f94b33564c4536e5c9a66d47f6e95bdd80dcfd07a3cc8 SHA512 d5d38bead2bbbf8507b60350e363d6d5c5ebc08808c649084c14b70dc67e5d7663d325eb97b700ad7f641338989bee5497e4bf2ee0401c4e97b94b2d929ccd15
 EBUILD curl-8.3.0.ebuild 10496 BLAKE2B 66826576bb5eeb4b2117ab45546716c3bae90fa90e6725d81e570e24e42da6a7762d1709ac0891caacab40ffdd6b3dd6dcc561f56105ea1bf704c23aae8afa32 SHA512 2233d6514572c4f5c71d1e1016fb972b51ca7f06ec5523e233aecb053163ad11a25334ce69d617e2a98d3da8d323fd2df68520cc39033d29de5c28b3e43bcacf
-EBUILD curl-9999.ebuild 10496 BLAKE2B 66826576bb5eeb4b2117ab45546716c3bae90fa90e6725d81e570e24e42da6a7762d1709ac0891caacab40ffdd6b3dd6dcc561f56105ea1bf704c23aae8afa32 SHA512 2233d6514572c4f5c71d1e1016fb972b51ca7f06ec5523e233aecb053163ad11a25334ce69d617e2a98d3da8d323fd2df68520cc39033d29de5c28b3e43bcacf
+EBUILD curl-8.4.0.ebuild 10709 BLAKE2B 1505d7a18b01b85e5e18a047bb8886456acb7ef824887065ab3d927497db7098a024122be62c77d1ef3c7670ab885331d112679098c8a8536057fee5f7bdf3eb SHA512 ad34f0c768f512ca32b5898f9507052f38a11aa77007ed17da8f745270293c54bbe76e8f886d046ca95b71ff5aec3ee20851d67167fe8fcb439613f6ea135758
+EBUILD curl-9999.ebuild 10713 BLAKE2B 44d2b7f5a059708ad8f6f63508baac8a3b62cd2820001cbc319b12cd6f054bcd6e308f89b1458ec14770f478432cd15a06d6258272773ef1b98014266f405557 SHA512 c40206f8fd31bc5e9b622ad3ec2bf37537e3a53dd3b84d0eefca934624223a0a1dc28c7b832c887ae9e71a745b8b5ad96358537a67f77d80cee0f00e9987c8a2
 MISC metadata.xml 2203 BLAKE2B 939a2ec06ec2155b88d510abdfaa00eafcd5a7e5f6f7983e456ccfc7cf4179d58adbcc7f282a11bb74d217640c93896fb5038206f7c76ea2c2e2543fe0db378e SHA512 c81d7159c0851dab0ae099c7129d965d3d3bd5cc7f7f3240052a4afab0eaa1e15efbf79265bbad5f2d257cc14b5d30daacd3aa5c3099c2ac264560e23ec797f1
diff --git a/net-misc/curl/curl-8.1.2.ebuild b/net-misc/curl/curl-8.3.0-r2.ebuild
index 0cba350a0eaa..dfbc4a1a6e17 100644
--- a/net-misc/curl/curl-8.1.2.ebuild
+++ b/net-misc/curl/curl-8.3.0-r2.ebuild
@@ -4,7 +4,7 @@
 EAPI=8
 
 VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc
-inherit autotools multilib-minimal prefix verify-sig
+inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
 
 DESCRIPTION="A Client that groks URLs"
 HOMEPAGE="https://curl.se/"
@@ -17,36 +17,43 @@ else
 		https://curl.se/download/${P}.tar.xz
 		verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )
 	"
-	KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 fi
 
 LICENSE="BSD curl ISC test? ( BSD-4 )"
 SLOT="0"
-IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
 # These select the default SSL implementation
-IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_rustls"
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
 IUSE+=" nghttp3"
 RESTRICT="!test? ( test )"
 
 # Only one default ssl provider can be enabled
 # The default ssl provider needs its USE satisfied
+# nghttp3 = https://bugs.gentoo.org/912029
 REQUIRED_USE="
 	ssl? (
 		^^ (
 			curl_ssl_gnutls
 			curl_ssl_mbedtls
-			curl_ssl_nss
 			curl_ssl_openssl
 			curl_ssl_rustls
 		)
 	)
 	curl_ssl_gnutls? ( gnutls )
 	curl_ssl_mbedtls? ( mbedtls )
-	curl_ssl_nss? ( nss )
 	curl_ssl_openssl? ( openssl )
 	curl_ssl_rustls? ( rustls )
+	nghttp3? ( !openssl )
 "
 
+# cURL's docs and CI/CD are great resources for confirming supported versions
+# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md
+# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml
+# However 'supported' vs 'works' are two entirely different things; be sane but
+# don't be afraid to require a later version.
+
 RDEPEND="
 	sys-libs/zlib[${MULTILIB_USEDEP}]
 	adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
@@ -56,8 +63,8 @@ RDEPEND="
 	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
 	ldap? ( net-nds/openldap:=[static-libs?,${MULTILIB_USEDEP}] )
 	nghttp3? (
-		>=net-libs/nghttp3-0.11.0[${MULTILIB_USEDEP}]
-		>=net-libs/ngtcp2-0.15.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}]
+		>=net-libs/nghttp3-0.15.0[${MULTILIB_USEDEP}]
+		>=net-libs/ngtcp2-0.19.1[gnutls,ssl,-openssl,${MULTILIB_USEDEP}]
 	)
 	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
 	ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
@@ -71,11 +78,6 @@ RDEPEND="
 			app-misc/ca-certificates
 			net-libs/mbedtls:=[${MULTILIB_USEDEP}]
 		)
-		nss? (
-			app-misc/ca-certificates
-			dev-libs/nss[${MULTILIB_USEDEP}]
-			dev-libs/nss-pem
-		)
 		openssl? (
 			dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
 		)
@@ -85,13 +87,15 @@ RDEPEND="
 	)
 	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
 "
+
 DEPEND="${RDEPEND}"
+
 BDEPEND="
 	dev-lang/perl
 	virtual/pkgconfig
 	test? (
 		sys-apps/diffutils
-		http2? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+		http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
 		nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
 	)
 	verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
@@ -121,6 +125,9 @@ QA_CONFIG_IMPL_DECL_SKIP=(
 PATCHES=(
 	"${FILESDIR}"/${PN}-prefix.patch
 	"${FILESDIR}"/${PN}-respect-cflags-3.patch
+	"${FILESDIR}"/${P}-tests-arm-musl.patch
+	"${FILESDIR}"/${P}-CVE-2023-38545.patch
+	"${FILESDIR}"/${P}-CVE-2023-38546.patch
 )
 
 src_prepare() {
@@ -137,8 +144,8 @@ multilib_src_configure() {
 	local myconf=()
 
 	myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
-	if use ssl ; then
-		myconf+=( --without-gnutls --without-mbedtls --without-nss --without-rustls )
+	if use ssl; then
+		myconf+=( --without-gnutls --without-mbedtls --without-rustls )
 
 		if use gnutls; then
 			multilib_is_native_abi && einfo "SSL provided by gnutls"
@@ -148,10 +155,6 @@ multilib_src_configure() {
 			multilib_is_native_abi && einfo "SSL provided by mbedtls"
 			myconf+=( --with-mbedtls )
 		fi
-		if use nss; then
-			multilib_is_native_abi && einfo "SSL provided by nss"
-			myconf+=( --with-nss --with-nss-deprecated )
-		fi
 		if use openssl; then
 			multilib_is_native_abi && einfo "SSL provided by openssl"
 			myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
@@ -166,9 +169,6 @@ multilib_src_configure() {
 		elif use curl_ssl_mbedtls; then
 			multilib_is_native_abi && einfo "Default SSL provided by mbedtls"
 			myconf+=( --with-default-ssl-backend=mbedtls )
-		elif use curl_ssl_nss; then
-			multilib_is_native_abi && einfo "Default SSL provided by nss"
-			myconf+=( --with-default-ssl-backend=nss )
 		elif use curl_ssl_openssl; then
 			multilib_is_native_abi && einfo "Default SSL provided by openssl"
 			myconf+=( --with-default-ssl-backend=openssl )
@@ -177,6 +177,7 @@ multilib_src_configure() {
 			myconf+=( --with-default-ssl-backend=rustls )
 		else
 			eerror "We can't be here because of REQUIRED_USE."
+			die "Please file a bug, hit impossible condition w/ USE=ssl handling."
 		fi
 
 	else
@@ -196,7 +197,12 @@ multilib_src_configure() {
 
 	myconf+=(
 		$(use_enable alt-svc)
-		--enable-crypto-auth
+		--enable-basic-auth
+		--enable-bearer-auth
+		--enable-digest-auth
+		--enable-kerberos-auth
+		--enable-negotiate-auth
+		--enable-aws
 		--enable-dict
 		--disable-ech
 		--enable-file
@@ -241,7 +247,7 @@ multilib_src_configure() {
 		--without-amissl
 		--without-bearssl
 		$(use_with brotli)
-		--without-fish-functions-dir
+		--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
 		$(use_with http2 nghttp2)
 		--without-hyper
 		$(use_with idn libidn2)
@@ -263,6 +269,7 @@ multilib_src_configure() {
 		--without-wolfssl
 		--with-zlib
 		$(use_with zstd)
+		--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
 	)
 
 	if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then
@@ -271,6 +278,12 @@ multilib_src_configure() {
 		)
 	fi
 
+	if [[ ${CHOST} == *mingw* ]] ; then
+		myconf+=(
+			--disable-pthreads
+		)
+	fi
+
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 
 	if ! multilib_is_native_abi; then
@@ -305,6 +318,15 @@ multilib_src_configure() {
 	echo "Requires.private: ${priv[*]}" >> libcurl.pc || die
 }
 
+multilib_src_compile() {
+	default
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts
+	fi
+}
+
 # There is also a pytest harness that tests for bugs in some very specific
 # situations; we can rely on upstream for this rather than adding additional test deps.
 multilib_src_test() {
@@ -318,9 +340,20 @@ multilib_src_test() {
 	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
 	# or just read https://github.com/curl/curl/tree/master/tests#run.
 	# Note: we don't run the testsuite for cross-compilation.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
 	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
 	# as most gentoo users don't have an 'ip6-localhost'
-	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p !241 !1083"
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
+	fi
 }
 
 multilib_src_install_all() {
diff --git a/net-misc/curl/curl-8.0.1.ebuild b/net-misc/curl/curl-8.4.0.ebuild
index d55ecb0e531c..a4d26adfd053 100644
--- a/net-misc/curl/curl-8.0.1.ebuild
+++ b/net-misc/curl/curl-8.4.0.ebuild
@@ -4,67 +4,85 @@
 EAPI=8
 
 VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc
-inherit autotools multilib-minimal prefix verify-sig
+inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
 
 DESCRIPTION="A Client that groks URLs"
 HOMEPAGE="https://curl.se/"
-SRC_URI="
-	https://curl.se/download/${P}.tar.xz
-	verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )
-"
+
+if [[ ${PV} == 9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/curl/curl.git"
+else
+	SRC_URI="
+		https://curl.se/download/${P}.tar.xz
+		verify-sig? ( https://curl.se/download/${P}.tar.xz.asc )
+	"
+	KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
 
 LICENSE="BSD curl ISC test? ( BSD-4 )"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
-IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl curl_ssl_rustls"
-IUSE+=" nghttp3"
+IUSE="+adns +alt-svc brotli +ftp gnutls gopher +hsts +http2 idn +imap kerberos ldap mbedtls nghttp3 +openssl +pop3"
+IUSE+=" +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+# These select the default SSL implementation
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
 RESTRICT="!test? ( test )"
 
 # Only one default ssl provider can be enabled
+# The default ssl provider needs its USE satisfied
+# nghttp3 = https://bugs.gentoo.org/912029
 REQUIRED_USE="
 	ssl? (
 		^^ (
 			curl_ssl_gnutls
 			curl_ssl_mbedtls
-			curl_ssl_nss
 			curl_ssl_openssl
 			curl_ssl_rustls
 		)
 	)
+	curl_ssl_gnutls? ( gnutls )
+	curl_ssl_mbedtls? ( mbedtls )
+	curl_ssl_openssl? ( openssl )
+	curl_ssl_rustls? ( rustls )
+	nghttp3? (
+		!openssl
+		alt-svc )
 "
 
+# cURL's docs and CI/CD are great resources for confirming supported versions
+# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
+# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
+# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml (CI/CD for TCP/2)
+# However 'supported' vs 'works' are two entirely different things; be sane but
+# don't be afraid to require a later version.
+
 RDEPEND="
-	sys-libs/zlib[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.1.4[${MULTILIB_USEDEP}]
 	adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
 	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
-	http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] )
+	http2? ( >=net-libs/nghttp2-1.12.0:=[${MULTILIB_USEDEP}] )
 	idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] )
 	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
-	ldap? ( net-nds/openldap:=[${MULTILIB_USEDEP}] )
+	ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
 	nghttp3? (
-		net-libs/nghttp3[${MULTILIB_USEDEP}]
-		net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}]
+		>=net-libs/nghttp3-0.15.0[${MULTILIB_USEDEP}]
+		>=net-libs/ngtcp2-0.19.1[gnutls,ssl,-openssl,${MULTILIB_USEDEP}]
 	)
 	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
-	ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
+	ssh? ( >=net-libs/libssh2-1.0.0[${MULTILIB_USEDEP}] )
 	ssl? (
 		gnutls? (
 			app-misc/ca-certificates
-			net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}]
+			>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
 			dev-libs/nettle:=[${MULTILIB_USEDEP}]
 		)
 		mbedtls? (
 			app-misc/ca-certificates
 			net-libs/mbedtls:=[${MULTILIB_USEDEP}]
 		)
-		nss? (
-			app-misc/ca-certificates
-			dev-libs/nss[${MULTILIB_USEDEP}]
-			dev-libs/nss-pem
-		)
 		openssl? (
-			dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+			>=dev-libs/openssl-0.9.7:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
 		)
 		rustls? (
 			net-libs/rustls-ffi:=[${MULTILIB_USEDEP}]
@@ -72,13 +90,15 @@ RDEPEND="
 	)
 	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
 "
+
 DEPEND="${RDEPEND}"
+
 BDEPEND="
 	dev-lang/perl
 	virtual/pkgconfig
 	test? (
 		sys-apps/diffutils
-		http2? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+		http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
 		nghttp3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
 	)
 	verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
@@ -108,9 +128,6 @@ QA_CONFIG_IMPL_DECL_SKIP=(
 PATCHES=(
 	"${FILESDIR}"/${PN}-prefix.patch
 	"${FILESDIR}"/${PN}-respect-cflags-3.patch
-
-	# Backports
-	"${FILESDIR}"/${PN}-8.0.1-onion-resolution.patch
 )
 
 src_prepare() {
@@ -127,47 +144,40 @@ multilib_src_configure() {
 	local myconf=()
 
 	myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
-	#myconf+=( --without-default-ssl-backend )
-	if use ssl ; then
-		myconf+=( --without-gnutls --without-mbedtls --without-nss --without-rustls )
+	if use ssl; then
+		myconf+=( --without-gnutls --without-mbedtls --without-rustls )
 
-		if use gnutls || use curl_ssl_gnutls; then
-			einfo "SSL provided by gnutls"
+		if use gnutls; then
+			multilib_is_native_abi && einfo "SSL provided by gnutls"
 			myconf+=( --with-gnutls )
 		fi
-		if use mbedtls || use curl_ssl_mbedtls; then
-			einfo "SSL provided by mbedtls"
+		if use mbedtls; then
+			multilib_is_native_abi && einfo "SSL provided by mbedtls"
 			myconf+=( --with-mbedtls )
 		fi
-		if use nss || use curl_ssl_nss; then
-			einfo "SSL provided by nss"
-			myconf+=( --with-nss --with-nss-deprecated )
-		fi
-		if use openssl || use curl_ssl_openssl; then
-			einfo "SSL provided by openssl"
+		if use openssl; then
+			multilib_is_native_abi && einfo "SSL provided by openssl"
 			myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
 		fi
-		if use rustls || use curl_ssl_rustls; then
-			einfo "SSL provided by rustls"
+		if use rustls; then
+			multilib_is_native_abi && einfo "SSL provided by rustls"
 			myconf+=( --with-rustls )
 		fi
 		if use curl_ssl_gnutls; then
-			einfo "Default SSL provided by gnutls"
+			multilib_is_native_abi && einfo "Default SSL provided by gnutls"
 			myconf+=( --with-default-ssl-backend=gnutls )
 		elif use curl_ssl_mbedtls; then
-			einfo "Default SSL provided by mbedtls"
+			multilib_is_native_abi && einfo "Default SSL provided by mbedtls"
 			myconf+=( --with-default-ssl-backend=mbedtls )
-		elif use curl_ssl_nss; then
-			einfo "Default SSL provided by nss"
-			myconf+=( --with-default-ssl-backend=nss )
 		elif use curl_ssl_openssl; then
-			einfo "Default SSL provided by openssl"
+			multilib_is_native_abi && einfo "Default SSL provided by openssl"
 			myconf+=( --with-default-ssl-backend=openssl )
 		elif use curl_ssl_rustls; then
-			einfo "Default SSL provided by rustls"
+			multilib_is_native_abi && einfo "Default SSL provided by rustls"
 			myconf+=( --with-default-ssl-backend=rustls )
 		else
 			eerror "We can't be here because of REQUIRED_USE."
+			die "Please file a bug, hit impossible condition w/ USE=ssl handling."
 		fi
 
 	else
@@ -187,7 +197,12 @@ multilib_src_configure() {
 
 	myconf+=(
 		$(use_enable alt-svc)
-		--enable-crypto-auth
+		--enable-basic-auth
+		--enable-bearer-auth
+		--enable-digest-auth
+		--enable-kerberos-auth
+		--enable-negotiate-auth
+		--enable-aws
 		--enable-dict
 		--disable-ech
 		--enable-file
@@ -232,7 +247,7 @@ multilib_src_configure() {
 		--without-amissl
 		--without-bearssl
 		$(use_with brotli)
-		--without-fish-functions-dir
+		--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
 		$(use_with http2 nghttp2)
 		--without-hyper
 		$(use_with idn libidn2)
@@ -254,6 +269,7 @@ multilib_src_configure() {
 		--without-wolfssl
 		--with-zlib
 		$(use_with zstd)
+		--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
 	)
 
 	if use test && multilib_is_native_abi && ( use http2 || use nghttp3 ); then
@@ -262,6 +278,12 @@ multilib_src_configure() {
 		)
 	fi
 
+	if [[ ${CHOST} == *mingw* ]] ; then
+		myconf+=(
+			--disable-pthreads
+		)
+	fi
+
 	ECONF_SOURCE="${S}" econf "${myconf[@]}"
 
 	if ! multilib_is_native_abi; then
@@ -296,6 +318,17 @@ multilib_src_configure() {
 	echo "Requires.private: ${priv[*]}" >> libcurl.pc || die
 }
 
+multilib_src_compile() {
+	default
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts
+	fi
+}
+
+# There is also a pytest harness that tests for bugs in some very specific
+# situations; we can rely on upstream for this rather than adding additional test deps.
 multilib_src_test() {
 	# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
 	# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
@@ -306,7 +339,21 @@ multilib_src_test() {
 	# -p: print logs if test fails
 	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
 	# or just read https://github.com/curl/curl/tree/master/tests#run.
-	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p"
+	# Note: we don't run the testsuite for cross-compilation.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
+	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
+	# as most gentoo users don't have an 'ip6-localhost'
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
+	fi
 }
 
 multilib_src_install_all() {
diff --git a/net-misc/curl/curl-9999.ebuild b/net-misc/curl/curl-9999.ebuild
index 6f07f5578572..392161f14af2 100644
--- a/net-misc/curl/curl-9999.ebuild
+++ b/net-misc/curl/curl-9999.ebuild
@@ -22,10 +22,10 @@ fi
 
 LICENSE="BSD curl ISC test? ( BSD-4 )"
 SLOT="0"
-IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap kerberos ldap mbedtls +openssl +pop3 +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+IUSE="+adns +alt-svc brotli +ftp gnutls gopher +hsts +http2 idn +imap kerberos ldap mbedtls nghttp3 +openssl +pop3"
+IUSE+=" +progress-meter rtmp rustls samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
 # These select the default SSL implementation
 IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
-IUSE+=" nghttp3"
 RESTRICT="!test? ( test )"
 
 # Only one default ssl provider can be enabled
@@ -44,34 +44,37 @@ REQUIRED_USE="
 	curl_ssl_mbedtls? ( mbedtls )
 	curl_ssl_openssl? ( openssl )
 	curl_ssl_rustls? ( rustls )
-	nghttp3? ( !openssl )
+	nghttp3? (
+		!openssl
+		alt-svc )
 "
 
 # cURL's docs and CI/CD are great resources for confirming supported versions
 # particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
-# - https://github.com/curl/curl/blob/master/docs/HTTP3.md
-# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml
+# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
+# - https://github.com/curl/curl/blob/master/.github/workflows/quiche-linux.yml (CI/CD for TCP/2)
 # However 'supported' vs 'works' are two entirely different things; be sane but
 # don't be afraid to require a later version.
 
 RDEPEND="
-	sys-libs/zlib[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.1.4[${MULTILIB_USEDEP}]
 	adns? ( net-dns/c-ares:=[${MULTILIB_USEDEP}] )
 	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
 	http2? ( >=net-libs/nghttp2-1.12.0:=[${MULTILIB_USEDEP}] )
 	idn? ( net-dns/libidn2:=[static-libs?,${MULTILIB_USEDEP}] )
 	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
-	ldap? ( net-nds/openldap:=[static-libs?,${MULTILIB_USEDEP}] )
+	ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
 	nghttp3? (
 		>=net-libs/nghttp3-0.15.0[${MULTILIB_USEDEP}]
 		>=net-libs/ngtcp2-0.19.1[gnutls,ssl,-openssl,${MULTILIB_USEDEP}]
 	)
 	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
-	ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
+	ssh? ( >=net-libs/libssh2-1.0.0[${MULTILIB_USEDEP}] )
 	ssl? (
 		gnutls? (
 			app-misc/ca-certificates
-			net-libs/gnutls:=[static-libs?,${MULTILIB_USEDEP}]
+			>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
 			dev-libs/nettle:=[${MULTILIB_USEDEP}]
 		)
 		mbedtls? (
@@ -79,7 +82,7 @@ RDEPEND="
 			net-libs/mbedtls:=[${MULTILIB_USEDEP}]
 		)
 		openssl? (
-			dev-libs/openssl:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+			>=dev-libs/openssl-0.9.7:=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
 		)
 		rustls? (
 			net-libs/rustls-ffi:=[${MULTILIB_USEDEP}]
diff --git a/net-misc/curl/files/curl-8.3.0-CVE-2023-38545.patch b/net-misc/curl/files/curl-8.3.0-CVE-2023-38545.patch
new file mode 100644
index 000000000000..04603a8c01dc
--- /dev/null
+++ b/net-misc/curl/files/curl-8.3.0-CVE-2023-38545.patch
@@ -0,0 +1,136 @@
+https://bugs.gentoo.org/915195
+
+From 1e1f915b73ab0895a68348ad1f96a5283a44ffd7 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Mon, 9 Oct 2023 17:45:07 -0400
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+This patch applies to curl versions 8.2.0 - 8.3.0. Other versions
+that are affected take a different patch. Refer to the CVE advisory
+for more information.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+---
+ lib/socks.c             |  8 +++----
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test728      | 64 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test728
+
+diff --git a/lib/socks.c b/lib/socks.c
+index 25a3578..3d41c93 100644
+--- a/lib/socks.c
++++ b/lib/socks.c
+@@ -588,9 +588,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+ 
+     /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+     if(!socks5_resolve_local && hostname_len > 255) {
+-      infof(data, "SOCKS5: server resolving disabled for hostnames of "
+-            "length > 255 [actual len=%zu]", hostname_len);
+-      socks5_resolve_local = TRUE;
++      failf(data, "SOCKS5: the destination hostname is too long to be "
++            "resolved remotely by the proxy.");
++      return CURLPX_LONG_HOSTNAME;
+     }
+ 
+     if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -904,7 +904,7 @@ CONNECT_RESOLVE_REMOTE:
+       }
+       else {
+         socksreq[len++] = 3;
+-        socksreq[len++] = (char) hostname_len; /* one byte address length */
++        socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+         memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
+         len += hostname_len;
+       }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 8ee1394..3e2094e 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -100,7 +100,7 @@ test679 test680 test681 test682 test683 test684 test685 test686 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+-test718 test719 test720 test721 \
++test718 test719 test720 test721 test728 \
+ \
+ test799 test800 test801 test802 test803 test804 test805 test806 test807 \
+ test808 test809 test810 test811 test812 test813 test814 test815 test816 \
+diff --git a/tests/data/test728 b/tests/data/test728
+new file mode 100644
+index 0000000..05bcf28
+--- /dev/null
++++ b/tests/data/test728
+@@ -0,0 +1,64 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++SOCKS5
++SOCKS5h
++followlocation
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++# The hostname in this redirect is 256 characters and too long (> 255) for
++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
++<data>
++HTTP/1.1 301 Moved Permanently
++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
++Content-Length: 0
++Connection: close
++
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++socks5
++</server>
++ <name>
++SOCKS5h with HTTP redirect to hostname too long
++ </name>
++ <command>
++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++<errorcode>
++97
++</errorcode>
++# the error message is verified because error code CURLE_PROXY (97) may be
++# returned for any number of reasons and we need to make sure it is
++# specifically for the reason below so that we know the check is working.
++<stderr mode="text">
++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
++</stderr>
++</verify>
++</testcase>
+-- 
+2.7.4
+
diff --git a/net-misc/curl/files/curl-8.3.0-CVE-2023-38546.patch b/net-misc/curl/files/curl-8.3.0-CVE-2023-38546.patch
new file mode 100644
index 000000000000..615ab26cb2a8
--- /dev/null
+++ b/net-misc/curl/files/curl-8.3.0-CVE-2023-38546.patch
@@ -0,0 +1,131 @@
+https://bugs.gentoo.org/915195
+https://github.com/curl/curl/commit/61275672b46d9abb3285740467b882e22ed75da8
+
+From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH] cookie: remove unnecessary struct fields
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+---
+ lib/cookie.c | 13 +------------
+ lib/cookie.h | 13 ++++---------
+ lib/easy.c   |  4 +---
+ 3 files changed, 6 insertions(+), 24 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 4345a84c6fd9d..e39c89a94a960 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
+   free(co->name);
+   free(co->value);
+   free(co->maxage);
+-  free(co->version);
+   free(co);
+ }
+ 
+@@ -718,11 +717,7 @@ Curl_cookie_add(struct Curl_easy *data,
+           }
+         }
+         else if((nlen == 7) && strncasecompare("version", namep, 7)) {
+-          strstore(&co->version, valuep, vlen);
+-          if(!co->version) {
+-            badcookie = TRUE;
+-            break;
+-          }
++          /* just ignore */
+         }
+         else if((nlen == 7) && strncasecompare("max-age", namep, 7)) {
+           /*
+@@ -1160,7 +1155,6 @@ Curl_cookie_add(struct Curl_easy *data,
+     free(clist->path);
+     free(clist->spath);
+     free(clist->expirestr);
+-    free(clist->version);
+     free(clist->maxage);
+ 
+     *clist = *co;  /* then store all the new data */
+@@ -1224,9 +1218,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+     c = calloc(1, sizeof(struct CookieInfo));
+     if(!c)
+       return NULL; /* failed to get memory */
+-    c->filename = strdup(file?file:"none"); /* copy the name just in case */
+-    if(!c->filename)
+-      goto fail; /* failed to get memory */
+     /*
+      * Initialize the next_expiration time to signal that we don't have enough
+      * information yet.
+@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+     CLONE(name);
+     CLONE(value);
+     CLONE(maxage);
+-    CLONE(version);
+     d->expires = src->expires;
+     d->tailmatch = src->tailmatch;
+     d->secure = src->secure;
+@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+   if(c) {
+     unsigned int i;
+-    free(c->filename);
+     for(i = 0; i < COOKIE_HASH_SIZE; i++)
+       Curl_cookie_freelist(c->cookies[i]);
+     free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index b3c0063b2cfb2..41e9e7a6914e0 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -36,11 +36,7 @@ struct Cookie {
+   char *domain;      /* domain = <this> */
+   curl_off_t expires;  /* expires = <this> */
+   char *expirestr;   /* the plain text version */
+-
+-  /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+-  char *version;     /* Version = <value> */
+   char *maxage;      /* Max-Age = <value> */
+-
+   bool tailmatch;    /* whether we do tail-matching of the domain name */
+   bool secure;       /* whether the 'secure' keyword was used */
+   bool livecookie;   /* updated from a server, not a stored file */
+@@ -56,17 +52,16 @@ struct Cookie {
+ #define COOKIE_PREFIX__SECURE (1<<0)
+ #define COOKIE_PREFIX__HOST (1<<1)
+ 
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+ 
+ struct CookieInfo {
+   /* linked list of cookies we know of */
+   struct Cookie *cookies[COOKIE_HASH_SIZE];
+-  char *filename;  /* file we read from/write to */
+-  long numcookies; /* number of cookies in the "jar" */
++  curl_off_t next_expiration; /* the next time at which expiration happens */
++  int numcookies;  /* number of cookies in the "jar" */
++  int lastct;      /* last creation-time used in the jar */
+   bool running;    /* state info, for cookie adding information */
+   bool newsession; /* new session, discard session cookies on load */
+-  int lastct;      /* last creation-time used in the jar */
+-  curl_off_t next_expiration; /* the next time at which expiration happens */
+ };
+ 
+ /* The maximum sizes we accept for cookies. RFC 6265 section 6.1 says
+diff --git a/lib/easy.c b/lib/easy.c
+index 16bbd35251d40..03195481f9780 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+   if(data->cookies) {
+     /* If cookies are enabled in the parent handle, we enable them
+        in the clone as well! */
+-    outcurl->cookies = Curl_cookie_init(data,
+-                                        data->cookies->filename,
+-                                        outcurl->cookies,
++    outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
+                                         data->set.cookiesession);
+     if(!outcurl->cookies)
+       goto fail;
author	V3n3RiX <venerix@koprulu.sector>	2023-10-11 12:12:04 +0100
committer	V3n3RiX <venerix@koprulu.sector>	2023-10-11 12:12:04 +0100
commit	656415c9ea59def40c02f7dff6e0650186b509f3 (patch)
tree	0fabd97ffdc789e947a3bf164c55c1bf183457de /net-misc/curl
parent	8d839e24e6b6e9a28d945d1dc094e65e2b0ccc2d (diff)