authorSören Tempel <soeren+git@soeren-tempel.net>2017-02-22 14:48:38 +0100
committerSören Tempel <soeren+git@soeren-tempel.net>2017-02-22 14:48:38 +0100
commit3a9b05fb1b75a7bdcd82bc4d8020fe0b138ba0ef (patch)
tree47b6ab5e8580426d1bf36b143ce0d629cfc35751
parent9eedb1462483dddad2de55715f16558844a078c5 (diff)
downloadaports-3a9b05fb1b75a7bdcd82bc4d8020fe0b138ba0ef.tar.bz2
aports-3a9b05fb1b75a7bdcd82bc4d8020fe0b138ba0ef.tar.xz
main/curl: patch for CVE-2017-2629
-rw-r--r--main/curl/APKBUILD14
-rw-r--r--main/curl/CVE-2017-2629.patch42
2 files changed, 49 insertions, 7 deletions
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 5325e4137e..83cba1da6c 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.52.1
-pkgrel=1
+pkgrel=2
pkgdesc="An URL retrival utility and library"
url="http://curl.haxx.se"
arch="all"
@@ -12,10 +12,13 @@ depends="ca-certificates"
depends_dev="zlib-dev libressl-dev libssh2-dev"
makedepends="$depends_dev groff perl"
source="http://curl.haxx.se/download/$pkgname-$pkgver.tar.bz2
- 0001-vtls-s-SSLEAY-OPENSSL.patch"
+ 0001-vtls-s-SSLEAY-OPENSSL.patch
+ CVE-2017-2629.patch"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl"
# secfixes:
+# 7.52.1-r2:
+# - CVE-2017-2629
# 7.52.1:
# - CVE-2016-9594
# 7.51.0:
@@ -72,9 +75,6 @@ libcurl() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr
}
-md5sums="dd014df06ff1d12e173de86873f9f77a curl-7.52.1.tar.bz2
-3c3fdedadb124e347b17b94a7001f6a6 0001-vtls-s-SSLEAY-OPENSSL.patch"
-sha256sums="d16185a767cb2c1ba3d5b9096ec54e5ec198b213f45864a38b3bda4bbf87389b curl-7.52.1.tar.bz2
-0c493c6602ca8562167a96e6596ba58c83c489d69a15d79c1bccbf0c9541eded 0001-vtls-s-SSLEAY-OPENSSL.patch"
sha512sums="cf36563c77d096f2c6084354ed6d45ccca7c557828ceab21204e4e8be0d4f0d287839c8cfac906174b86d51a1ee816c2769fc78ef88f039c9645bd2c27982a75 curl-7.52.1.tar.bz2
-ee4bf94e4cf1e1cd3c887ab001e1fad94728ba6d86afeed760e4e91c0f096ebc42c9b6972c8ac6ff254d34571ca335eca6c0ab49b68ac4cdb899ebfdf3e94c3e 0001-vtls-s-SSLEAY-OPENSSL.patch"
+ee4bf94e4cf1e1cd3c887ab001e1fad94728ba6d86afeed760e4e91c0f096ebc42c9b6972c8ac6ff254d34571ca335eca6c0ab49b68ac4cdb899ebfdf3e94c3e 0001-vtls-s-SSLEAY-OPENSSL.patch
+94b3419b4366f1c404d2f2634485e05d45c9e2ad3bed4a7eba53c17253373ce9b848fc6123b55561f8dac471ab0b2a77f12e22dba8bee9a11d5c531f22fb4b18 CVE-2017-2629.patch"
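Review bot: The four `-` lines dropping the `md5sums=` and `sha256sums=` blocks are an unrelated checksum cleanup folded into a commit whose title names only the CVE-2017-2629 backport, which makes the security change harder to audit and to cherry-pick to a stable branch on its own. Keeping only sha512sums is sound by itself, and the new `CVE-2017-2629.patch` entry is present there, so source integrity of the added patch is still verified at build time. I would split the digest removal into its own commit, or at least mention it in the title, e.g. `main/curl: patch for CVE-2017-2629, drop md5/sha256 sums`.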
diff --git a/main/curl/CVE-2017-2629.patch b/main/curl/CVE-2017-2629.patch
new file mode 100644
index 0000000000..1682d167ed
--- /dev/null
+++ b/main/curl/CVE-2017-2629.patch
@@ -0,0 +1,42 @@
+From a00a42b4abe8363a46071bb3b43b1b7138f5259b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 22 Jan 2017 18:11:55 +0100
+Subject: [PATCH] TLS: make SSL_VERIFYSTATUS work again
+
+The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
+and thus even if the status couldn't be verified, the connection would
+be allowed and the user would not be told about the failed verification.
+
+Regression since cb4e2be7c6d42ca
+
+CVE-2017-2629
+Bug: https://curl.haxx.se/docs/adv_20170222.html
+
+Reported-by: Marcus Hoffmann
+---
+ lib/url.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 8d1c0cc7f..7a2274d50 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -4169,12 +4169,15 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+
+ conn->bits.user_passwd = (data->set.str[STRING_USERNAME]) ? TRUE : FALSE;
+ conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
+ conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
+
++ conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
+ conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
+ conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
++ conn->proxy_ssl_config.verifystatus =
++ data->set.proxy_ssl.primary.verifystatus;
+ conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
+ conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
+
+ conn->ip_version = data->set.ipver;
+
+--
+2.11.0
+