author | Natanael Copa <ncopa@alpinelinux.org> | 2014-02-04 15:34:13 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-02-04 15:35:39 +0000 |
commit | 545244e5705b148757f8a437d4e5a08fb280af83 (patch) | |
tree | 299799373369ee1a249d228dda6c4f4c36d42789 /main/curl | |
parent | 605940ad82635dced8c63ab3069aca84a858795c (diff) | |
download | aports-545244e5705b148757f8a437d4e5a08fb280af83.tar.bz2 aports-545244e5705b148757f8a437d4e5a08fb280af83.tar.xz |
main/curl: fix CVE-2014-0015
fixes #2674
Diffstat (limited to 'main/curl')
-rw-r--r-- | main/curl/APKBUILD | 15 | ||||
-rw-r--r-- | main/curl/CVE-2014-0015.patch | 47 |
2 files changed, 57 insertions, 5 deletions
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index f06b61aaa4..35cfac6483 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=curl
 pkgver=7.33.0
-pkgrel=0
+pkgrel=1
 pkgdesc="An URL retrival utility and library"
 url="http://curl.haxx.se"
 arch="all"
@@ -9,7 +9,9 @@ license="MIT"
 depends=
 depends_dev="zlib-dev openssl-dev libssh2-dev"
 makedepends="$depends_dev"
-source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2"
+source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2
+ CVE-2014-0015.patch
+ "
 subpackages="$pkgname-doc $pkgname-dev"
 
 _builddir="$srcdir/$pkgname-$pkgver"
@@ -39,6 +41,9 @@ package() {
 rm "$pkgdir"/usr/lib/*.la || return 1
 }
 
-md5sums="57409d6bf0bd97053b8378dbe0cadcef curl-7.33.0.tar.bz2"
-sha256sums="0afde4cd949e2658eddc3cda675b19b165eea1af48ac5f3e1ec160792255d1b3 curl-7.33.0.tar.bz2"
-sha512sums="13f61e8255859f3d1138bf7cc935bda90af5f51103f1660b9e9cc6dd63d37b7672752900f3a76f8c80d47a7c02061077c6417d53617576f4030e180552b75076 curl-7.33.0.tar.bz2"
+md5sums="57409d6bf0bd97053b8378dbe0cadcef curl-7.33.0.tar.bz2
+bab6cc59679fbb496c2c3034418b70d8 CVE-2014-0015.patch"
+sha256sums="0afde4cd949e2658eddc3cda675b19b165eea1af48ac5f3e1ec160792255d1b3 curl-7.33.0.tar.bz2
+4d7e468cbd699fe0fc15635ab496d97761976b38f480b38075c7b9646e8e73a0 CVE-2014-0015.patch"
+sha512sums="13f61e8255859f3d1138bf7cc935bda90af5f51103f1660b9e9cc6dd63d37b7672752900f3a76f8c80d47a7c02061077c6417d53617576f4030e180552b75076 curl-7.33.0.tar.bz2
+607591592932c317a40bb8fe7c2cab58b97eb08de14bd890c8b56fb49e49274a76fad52af3e29dc529d8537cc782b08d3471f30f7e90e0ff25500019fa961524 CVE-2014-0015.patch"
diff --git a/main/curl/CVE-2014-0015.patch b/main/curl/CVE-2014-0015.patch
new file mode 100644
index 0000000000..745db00e7b
--- /dev/null
+++ b/main/curl/CVE-2014-0015.patch
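Review bot: The patch is appended to `source=` and to all three checksum lists, but no hunk touches `build()` or a `prepare()` step, so this diff alone does not show that CVE-2014-0015.patch is ever applied to the unpacked tree; confirm that the build function (outside these hunks) iterates over `$source` and applies `*.patch` entries, otherwise the pkgrel bump ships an unpatched curl 7.33.0. Both the tarball and the patch are listed under plain `http://` URLs, which is tolerable here only because the md5sums/sha256sums/sha512sums entries now pin the exact bytes of each file; any later revision of the patch must update all three lists together or abuild will reject the source. Consider adding a one-line comment above `source=` naming the upstream commit the patch backports (`# CVE-2014-0015: upstream 8ae35102c43d8d06572c3a1292eb6e27e663c78d`) so the next maintainer can tell when the patch becomes obsolete on a version bump.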
@@ -0,0 +1,47 @@
+From 8ae35102c43d8d06572c3a1292eb6e27e663c78d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 7 Jan 2014 09:33:54 +0100
+Subject: [PATCH] ConnectionExists: fix NTLM check for new connection
+
+When the requested authentication bitmask includes NTLM, we cannot
+re-use a connection for another username/password as we then risk
+re-using NTLM (connection-based auth).
+
+This has the unfortunate downside that if you include NTLM as a possible
+auth, you cannot re-use connections for other usernames/passwords even
+if NTLM doesn't end up the auth type used.
+
+Reported-by: Paras S
+Patched-by: Paras S
+Bug: http://curl.haxx.se/mail/lib-2014-01/0046.html
+---
+ lib/url.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 74d0893..3f85502 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -2886,8 +2886,8 @@ static void signalPipeClose(struct curl_llist *pipeline, bool pipe_broke)
+ struct connectdata *check;
+ struct connectdata *chosen = 0;
+ bool canPipeline = IsPipeliningPossible(data, needle);
+- bool wantNTLM = (data->state.authhost.want==CURLAUTH_NTLM) ||
+- (data->state.authhost.want==CURLAUTH_NTLM_WB) ? TRUE : FALSE;
++ bool wantNTLM = (data->state.authhost.want & CURLAUTH_NTLM) ||
++ (data->state.authhost.want & CURLAUTH_NTLM_WB) ? TRUE : FALSE;
+ struct connectbundle *bundle;
+
+ *force_reuse = FALSE;
+--
+1.8.5.1
+