diff options
| author | Sergey Lukin <sergej.lukin@gmail.com> | 2016-12-09 08:23:32 +0000 |
|---|---|---|
| committer | Timo Teräs <timo.teras@iki.fi> | 2016-12-26 09:46:12 +0000 |
| commit | ba3dc3d210189d8b88c35c3b6850f54f8041f3fa (patch) | |
| tree | b1ecf74c7594105573debcf6ccfd2f67522c03c6 /main/curl/CVE-2016-8616.patch | |
| parent | f7fb6eb9c7b2bdc8ac41b605df86bb2fa114e89a (diff) | |
| download | aports-3.1-stable.tar.bz2 aports-3.1-stable.tar.xz | |
main/curl: security upgrade - fixes #64373.1-stable
CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619,
CVE-2016-8620, CVE-2016-8621 CVE-2016-8622, CVE-2016-8623, CVE-2016-8624
Diffstat (limited to 'main/curl/CVE-2016-8616.patch')
| -rw-r--r-- | main/curl/CVE-2016-8616.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/main/curl/CVE-2016-8616.patch b/main/curl/CVE-2016-8616.patch new file mode 100644 index 0000000000..67309bf97f --- /dev/null +++ b/main/curl/CVE-2016-8616.patch @@ -0,0 +1,66 @@ +From cef510beb222ab5750afcac2c74fcbcdc31ada64 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 27 Sep 2016 18:01:53 +0200 +Subject: [PATCH] connectionexists: use case sensitive user/password + comparisons + +CVE-2016-8616 + +Bug: https://curl.haxx.se/docs/adv_20161102B.html +Reported-by: Cure53 +--- + lib/url.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 91b2bf8..cd3335c 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -3401,12 +3401,12 @@ ConnectionExists(struct Curl_easy *data, + } + + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ +- if(!strequal(needle->user, check->user) || +- !strequal(needle->passwd, check->passwd)) { ++ if(strcmp(needle->user, check->user) || ++ strcmp(needle->passwd, check->passwd)) { + /* one of them was different */ + continue; + } + } + +@@ -3462,12 +3462,12 @@ ConnectionExists(struct Curl_easy *data, + already authenticating with the right credentials. If not, keep + looking so that we can reuse NTLM connections if + possible. (Especially we must not reuse the same connection if + partway through a handshake!) */ + if(wantNTLMhttp) { +- if(!strequal(needle->user, check->user) || +- !strequal(needle->passwd, check->passwd)) ++ if(strcmp(needle->user, check->user) || ++ strcmp(needle->passwd, check->passwd)) + continue; + } + else if(check->ntlm.state != NTLMSTATE_NONE) { + /* Connection is using NTLM auth but we don't want NTLM */ + continue; +@@ -3477,12 +3477,12 @@ ConnectionExists(struct Curl_easy *data, + if(wantProxyNTLMhttp) { + /* Both check->proxyuser and check->proxypasswd can be NULL */ + if(!check->proxyuser || !check->proxypasswd) + continue; + +- if(!strequal(needle->proxyuser, check->proxyuser) || +- !strequal(needle->proxypasswd, check->proxypasswd)) ++ if(strcmp(needle->proxyuser, check->proxyuser) || ++ strcmp(needle->proxypasswd, check->proxypasswd)) + continue; + } + else if(check->proxyntlm.state != NTLMSTATE_NONE) { + /* Proxy connection is using NTLM auth but we don't want NTLM */ + continue; +-- +2.9.3 + |