author | Sören Tempel <soeren+git@soeren-tempel.net> | 2017-02-22 14:48:38 +0100 |
committer | Sören Tempel <soeren+git@soeren-tempel.net> | 2017-02-22 14:48:38 +0100 |
commit | 3a9b05fb1b75a7bdcd82bc4d8020fe0b138ba0ef (patch) | |
tree | 47b6ab5e8580426d1bf36b143ce0d629cfc35751 | |
parent | 9eedb1462483dddad2de55715f16558844a078c5 (diff) | |
main/curl: patch for CVE-2017-2629
-rw-r--r-- | main/curl/APKBUILD | 14 | ||||
-rw-r--r-- | main/curl/CVE-2017-2629.patch | 42 |
2 files changed, 49 insertions, 7 deletions
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 5325e4137e..83cba1da6c 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=curl
 pkgver=7.52.1
-pkgrel=1
+pkgrel=2
 pkgdesc="An URL retrival utility and library"
 url="http://curl.haxx.se"
 arch="all"
@@ -12,10 +12,13 @@ depends="ca-certificates"
 depends_dev="zlib-dev libressl-dev libssh2-dev"
 makedepends="$depends_dev groff perl"
 source="http://curl.haxx.se/download/$pkgname-$pkgver.tar.bz2
- 0001-vtls-s-SSLEAY-OPENSSL.patch"
+ 0001-vtls-s-SSLEAY-OPENSSL.patch
+ CVE-2017-2629.patch"
 subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl"
 
 # secfixes:
+# 7.52.1-r2:
+# - CVE-2017-2629
 # 7.52.1:
 # - CVE-2016-9594
 # 7.51.0:
@@ -72,9 +75,6 @@ libcurl() {
 mv "$pkgdir"/usr/lib "$subpkgdir"/usr
 }
 
-md5sums="dd014df06ff1d12e173de86873f9f77a curl-7.52.1.tar.bz2
-3c3fdedadb124e347b17b94a7001f6a6 0001-vtls-s-SSLEAY-OPENSSL.patch"
-sha256sums="d16185a767cb2c1ba3d5b9096ec54e5ec198b213f45864a38b3bda4bbf87389b curl-7.52.1.tar.bz2
-0c493c6602ca8562167a96e6596ba58c83c489d69a15d79c1bccbf0c9541eded 0001-vtls-s-SSLEAY-OPENSSL.patch"
 sha512sums="cf36563c77d096f2c6084354ed6d45ccca7c557828ceab21204e4e8be0d4f0d287839c8cfac906174b86d51a1ee816c2769fc78ef88f039c9645bd2c27982a75 curl-7.52.1.tar.bz2
-ee4bf94e4cf1e1cd3c887ab001e1fad94728ba6d86afeed760e4e91c0f096ebc42c9b6972c8ac6ff254d34571ca335eca6c0ab49b68ac4cdb899ebfdf3e94c3e 0001-vtls-s-SSLEAY-OPENSSL.patch"
+ee4bf94e4cf1e1cd3c887ab001e1fad94728ba6d86afeed760e4e91c0f096ebc42c9b6972c8ac6ff254d34571ca335eca6c0ab49b68ac4cdb899ebfdf3e94c3e 0001-vtls-s-SSLEAY-OPENSSL.patch
+94b3419b4366f1c404d2f2634485e05d45c9e2ad3bed4a7eba53c17253373ce9b848fc6123b55561f8dac471ab0b2a77f12e22dba8bee9a11d5c531f22fb4b18 CVE-2017-2629.patch"
diff --git a/main/curl/CVE-2017-2629.patch b/main/curl/CVE-2017-2629.patch
new file mode 100644
index 0000000000..1682d167ed
--- /dev/null
+++ b/main/curl/CVE-2017-2629.patch
@@ -0,0 +1,42 @@
+From a00a42b4abe8363a46071bb3b43b1b7138f5259b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 22 Jan 2017 18:11:55 +0100
+Subject: [PATCH] TLS: make SSL_VERIFYSTATUS work again
+
+The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
+and thus even if the status couldn't be verified, the connection would
+be allowed and the user would not be told about the failed verification.
+
+Regression since cb4e2be7c6d42ca
+
+CVE-2017-2629
+Bug: https://curl.haxx.se/docs/adv_20170222.html
+
+Reported-by: Marcus Hoffmann
+---
+ lib/url.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 8d1c0cc7f..7a2274d50 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -4169,12 +4169,15 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+ 
+ conn->bits.user_passwd = (data->set.str[STRING_USERNAME]) ? TRUE : FALSE;
+ conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
+ conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
+ 
++ conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
+ conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
+ conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
++ conn->proxy_ssl_config.verifystatus =
++ data->set.proxy_ssl.primary.verifystatus;
+ conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
+ conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
+ 
+ conn->ip_version = data->set.ipver;
+ 
+-- 
+2.11.0
+