authorNatanael Copa <ncopa@alpinelinux.org>2014-02-04 15:34:13 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-02-04 15:47:07 +0000
commit1e27a0849ea60751372631fcc67912ba730269de (patch)
tree6e1fcfb99a03d467a2c0d86620dfde5add74be00
parentabd942163463a6ba3dc12fc83b16b85181537a2b (diff)
downloadaports-1e27a0849ea60751372631fcc67912ba730269de.tar.bz2
aports-1e27a0849ea60751372631fcc67912ba730269de.tar.xz
main/curl: fix CVE-2014-0015
fixes #2672
-rw-r--r--main/curl/APKBUILD9
-rw-r--r--main/curl/CVE-2014-0015-7-27.patch13
2 files changed, 19 insertions, 3 deletions
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 13d073efa8..a95a38eb50 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.25.0
-pkgrel=2
+pkgrel=3
pkgdesc="An URL retrival utility and library"
url="http://curl.haxx.se"
arch="all"
@@ -11,7 +11,9 @@ depends_dev="zlib-dev openssl-dev libssh2-dev"
makedepends="$depends_dev"
source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2
CVE-2013-1944.patch
- CVE-2013-4545.patch"
+ CVE-2013-4545.patch
+ CVE-2014-0015-7-27.patch
+ "
subpackages="$pkgname-doc $pkgname-dev"
_builddir="$srcdir/$pkgname-$pkgver"
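Review bot: The added `CVE-2014-0015-7-27.patch` entry appears from its name to target curl 7.27, while `pkgver` here is 7.25.0. It is worth confirming that the patch lands on the intended condition in `ConnectionExists` in 7.25.0's `lib/url.c` rather than applying with an offset or fuzz. Whether `prepare()` applies every `*.patch` listed in `source` or names patches explicitly is outside this hunk; if it names them, the new file must be added there too, or the package is rebuilt as `pkgrel=3` without the fix. A comment above the `source=` assignment recording where the patch came from would help the next backport.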
@@ -43,4 +45,5 @@ package() {
md5sums="f0303d47d9d3e6e4f08c2863c6504823 curl-7.25.0.tar.bz2
89747e560198704ab25c21eade95cbd2 CVE-2013-1944.patch
-8bc90390d1cd0d1b7b2cad513ed7e953 CVE-2013-4545.patch"
+8bc90390d1cd0d1b7b2cad513ed7e953 CVE-2013-4545.patch
+236ff7d867165b536049dc13f81c5315 CVE-2014-0015-7-27.patch"
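Review bot: The new patch is pinned only by an MD5 digest in `md5sums`, and the tarball on the `source=` line is fetched over plain `http://`, so MD5 is the only visible check tying the build to the intended upstream bytes. MD5 is no longer collision-resistant; if the abuild version on this branch accepts a stronger array such as `sha256sums=` or `sha512sums=`, add one alongside `md5sums` covering all four sources. The hunk appears to end the file, so no stronger checksum array seems to follow, but the rest of the APKBUILD is outside this view.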
diff --git a/main/curl/CVE-2014-0015-7-27.patch b/main/curl/CVE-2014-0015-7-27.patch
new file mode 100644
index 0000000000..d6e0708050
--- /dev/null
+++ b/main/curl/CVE-2014-0015-7-27.patch
@@ -0,0 +1,13 @@
+--- ./lib/url.c.orig 2014-01-14 16:21:29.832088000 +0200
++++ ./lib/url.c 2014-01-14 16:32:43.074018000 +0200
+@@ -3103,8 +3103,8 @@ ConnectionExists(struct SessionHandle *d
+ }
+ if((needle->handler->protocol & CURLPROTO_FTP) ||
+ ((needle->handler->protocol & CURLPROTO_HTTP) &&
+- ((data->state.authhost.want==CURLAUTH_NTLM) ||
+- (data->state.authhost.want==CURLAUTH_NTLM_WB)))) {
++ ((data->state.authhost.want & CURLAUTH_NTLM) ||
++ (data->state.authhost.want & CURLAUTH_NTLM_WB)))) {
+ /* This is FTP or HTTP+NTLM, verify that we're using the same name
+ and password as well */
+ if(!strequal(needle->user, check->user) ||
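Review bot: The user/password comparison guarded by this condition still runs only for FTP, and for HTTP when an NTLM bit is set in `authhost.want`, so other protocols that authenticate per connection are not covered by the check shown here. This package builds against `libssh2-dev`, which presumably enables SCP/SFTP, where re-using a connection opened with different credentials would be the same class of problem. Proxy NTLM (`authproxy`) is likewise not consulted in the visible condition. `ConnectionExists` starts and ends outside the hunk, so these cases may be handled elsewhere in the function; confirm against upstream and track a follow-up backport if they are not. A comment above the condition such as `/* want is a bitmask of CURLAUTH_* values, so test bits rather than compare with == */` would explain why the old test missed combined auth masks.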