aboutsummaryrefslogtreecommitdiffstats
path: root/main/curl
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2014-02-04 15:34:13 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-02-04 15:34:48 +0000
commit87695382a0912cb2c7bc8593f3b6fce6c4335334 (patch)
tree97482272f49605825419b24b28abf286cfac6461 /main/curl
parentb5fc277743e9099821e70da285fdb56d5c9d5e79 (diff)
downloadaports-87695382a0912cb2c7bc8593f3b6fce6c4335334.tar.bz2
aports-87695382a0912cb2c7bc8593f3b6fce6c4335334.tar.xz
main/curl: fix CVE-2014-0015
fixes #2675
Diffstat (limited to 'main/curl')
-rw-r--r--main/curl/APKBUILD15
-rw-r--r--main/curl/CVE-2014-0015.patch47
2 files changed, 57 insertions, 5 deletions
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index ea453f6245..ec69ddd7d8 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.33.0
-pkgrel=1
+pkgrel=2
pkgdesc="An URL retrival utility and library"
url="http://curl.haxx.se"
arch="all"
@@ -9,7 +9,9 @@ license="MIT"
depends="ca-certificates"
depends_dev="zlib-dev openssl-dev libssh2-dev"
makedepends="$depends_dev"
-source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2"
+source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2
+ CVE-2014-0015.patch
+ "
subpackages="$pkgname-doc $pkgname-dev"
_builddir="$srcdir/$pkgname-$pkgver"
@@ -43,6 +45,9 @@ package() {
rm "$pkgdir"/usr/lib/*.la || return 1
}
-md5sums="57409d6bf0bd97053b8378dbe0cadcef curl-7.33.0.tar.bz2"
-sha256sums="0afde4cd949e2658eddc3cda675b19b165eea1af48ac5f3e1ec160792255d1b3 curl-7.33.0.tar.bz2"
-sha512sums="13f61e8255859f3d1138bf7cc935bda90af5f51103f1660b9e9cc6dd63d37b7672752900f3a76f8c80d47a7c02061077c6417d53617576f4030e180552b75076 curl-7.33.0.tar.bz2"
+md5sums="57409d6bf0bd97053b8378dbe0cadcef curl-7.33.0.tar.bz2
+bab6cc59679fbb496c2c3034418b70d8 CVE-2014-0015.patch"
+sha256sums="0afde4cd949e2658eddc3cda675b19b165eea1af48ac5f3e1ec160792255d1b3 curl-7.33.0.tar.bz2
+4d7e468cbd699fe0fc15635ab496d97761976b38f480b38075c7b9646e8e73a0 CVE-2014-0015.patch"
+sha512sums="13f61e8255859f3d1138bf7cc935bda90af5f51103f1660b9e9cc6dd63d37b7672752900f3a76f8c80d47a7c02061077c6417d53617576f4030e180552b75076 curl-7.33.0.tar.bz2
+607591592932c317a40bb8fe7c2cab58b97eb08de14bd890c8b56fb49e49274a76fad52af3e29dc529d8537cc782b08d3471f30f7e90e0ff25500019fa961524 CVE-2014-0015.patch"
diff --git a/main/curl/CVE-2014-0015.patch b/main/curl/CVE-2014-0015.patch
new file mode 100644
index 0000000000..745db00e7b
--- /dev/null
+++ b/main/curl/CVE-2014-0015.patch
@@ -0,0 +1,47 @@
+From 8ae35102c43d8d06572c3a1292eb6e27e663c78d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 7 Jan 2014 09:33:54 +0100
+Subject: [PATCH] ConnectionExists: fix NTLM check for new connection
+
+When the requested authentication bitmask includes NTLM, we cannot
+re-use a connection for another username/password as we then risk
+re-using NTLM (connection-based auth).
+
+This has the unfortunate downside that if you include NTLM as a possible
+auth, you cannot re-use connections for other usernames/passwords even
+if NTLM doesn't end up the auth type used.
+
+Reported-by: Paras S
+Patched-by: Paras S
+Bug: http://curl.haxx.se/mail/lib-2014-01/0046.html
+---
+ lib/url.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 74d0893..3f85502 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -2886,8 +2886,8 @@ static void signalPipeClose(struct curl_llist *pipeline, bool pipe_broke)
+ struct connectdata *check;
+ struct connectdata *chosen = 0;
+ bool canPipeline = IsPipeliningPossible(data, needle);
+- bool wantNTLM = (data->state.authhost.want==CURLAUTH_NTLM) ||
+- (data->state.authhost.want==CURLAUTH_NTLM_WB) ? TRUE : FALSE;
++ bool wantNTLM = (data->state.authhost.want & CURLAUTH_NTLM) ||
++ (data->state.authhost.want & CURLAUTH_NTLM_WB) ? TRUE : FALSE;
+ struct connectbundle *bundle;
+
+ *force_reuse = FALSE;
+--
+1.8.5.1
+