From 13ee88b017ecd8c894a60178235598a526d5e4a6 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Fri, 11 Aug 2017 08:59:36 +0000 Subject: main/curl: security upgrade to 7.55.0 CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101 fixes #7653 --- main/curl/APKBUILD | 14 +- main/curl/CVE-2017-7407.patch | 197 --------------------- ...do-bounds-check-using-a-double-comparison.patch | 32 ++++ 3 files changed, 44 insertions(+), 199 deletions(-) delete mode 100644 main/curl/CVE-2017-7407.patch create mode 100644 main/curl/curl-do-bounds-check-using-a-double-comparison.patch (limited to 'main') diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD index 5b86edcf73..e348036839 100644 --- a/main/curl/APKBUILD +++ b/main/curl/APKBUILD @@ -3,7 +3,7 @@ # Contributor: Ɓukasz Jendrysik # Maintainer: Natanael Copa pkgname=curl -pkgver=7.54.1 +pkgver=7.55.0 pkgrel=0 pkgdesc="An URL retrival utility and library" url="http://curl.haxx.se" @@ -12,10 +12,15 @@ license="MIT" depends="ca-certificates" makedepends="zlib-dev libressl-dev libssh2-dev groff perl" source="http://curl.haxx.se/download/$pkgname-$pkgver.tar.bz2 + curl-do-bounds-check-using-a-double-comparison.patch " subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl" # secfixes: +# 7.55.0-r0: +# - CVE-2017-1000099 +# - CVE-2017-1000100 +# - CVE-2017-1000101 # 7.54.0-r0: # - CVE-2017-7468 # 7.53.1-r2: @@ -52,6 +57,10 @@ builddir="$srcdir/$pkgname-$pkgver" build() { cd "$builddir" + + # see https://curl.haxx.se/mail/lib-2017-08/0050.html + rm docs/libcurl/opts/CURLOPT_STRIP_PATH_SLASH.3 + ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -82,4 +91,5 @@ libcurl() { mv "$pkgdir"/usr/lib "$subpkgdir"/usr } -sha512sums="eb9639677f0ca1521ca631c520ab83ad071c52b31690e5e7f31546f6a44b2f11d1bb62282056cffb570eb290bf1e7830e87cb536295ac6a54a904663e795f2da curl-7.54.1.tar.bz2" +sha512sums="4975864621219e937585aaf5a9a54bba112b58bbf5a8acd92e1e972ea747a15a5564143548c5d8930b8c0d0e9d27d28225d0c81e52a1ba71e4c6f9e3859c978b curl-7.55.0.tar.bz2 +d0f102fdbc2174169b2fea9248c3187d8c546d3a788447769dceec5fb7e063adbebbc967b88d208af1355cfda600f837abdae6d2e057a096eededc1857d2b8d3 curl-do-bounds-check-using-a-double-comparison.patch" diff --git a/main/curl/CVE-2017-7407.patch b/main/curl/CVE-2017-7407.patch deleted file mode 100644 index d3cdf0aa5a..0000000000 --- a/main/curl/CVE-2017-7407.patch +++ /dev/null @@ -1,197 +0,0 @@ -From 6019f1795b4e3b72507b84b0e02dc8c32024f562 Mon Sep 17 00:00:00 2001 -From: Dan Fandrich -Date: Sat, 11 Mar 2017 10:59:34 +0100 -Subject: [PATCH] CVE-2017-7407: fixed - -Bug: https://curl.haxx.se/docs/adv_20170403.html - -Reported-by: Brian Carpenter ---- - src/tool_writeout.c | 6 +++--- - tests/data/Makefile.inc | 2 +- - tests/data/test1440 | 31 +++++++++++++++++++++++++++++++ - tests/data/test1441 | 31 +++++++++++++++++++++++++++++++ - tests/data/test1442 | 35 +++++++++++++++++++++++++++++++++++ - 5 files changed, 101 insertions(+), 4 deletions(-) - create mode 100644 tests/data/test1440 - create mode 100644 tests/data/test1441 - create mode 100644 tests/data/test1442 - -diff --git a/src/tool_writeout.c b/src/tool_writeout.c -index 2fb77742a..5d92bd278 100644 ---- a/src/tool_writeout.c -+++ b/src/tool_writeout.c -@@ -3,11 +3,11 @@ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.haxx.se/docs/copyright.html. - * -@@ -111,11 +111,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo) - char *stringp = NULL; - long longinfo; - double doubleinfo; - - while(ptr && *ptr) { -- if('%' == *ptr) { -+ if('%' == *ptr && ptr[1]) { - if('%' == ptr[1]) { - /* an escaped %-letter */ - fputc('%', stream); - ptr += 2; - } -@@ -339,11 +339,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo) - fputc(ptr[1], stream); - ptr += 2; - } - } - } -- else if('\\' == *ptr) { -+ else if('\\' == *ptr && ptr[1]) { - switch(ptr[1]) { - case 'r': - fputc('\r', stream); - break; - case 'n': -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 8251ab9a4..267ff6aef 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -149,11 +149,11 @@ test1396 test1397 test1398 \ - test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \ - test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \ - test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \ - test1424 \ - test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \ --test1436 test1437 test1438 test1439 \ -+test1436 test1437 test1438 test1439 test1440 test1441 test1442 \ - \ - test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ - test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \ - test1516 test1517 \ - \ -diff --git a/tests/data/test1440 b/tests/data/test1440 -new file mode 100644 -index 000000000..7ed0c4d5f ---- /dev/null -+++ b/tests/data/test1440 -@@ -0,0 +1,31 @@ -+ -+ -+ -+--write-out -+ -+ -+# Server-side -+ -+ -+ -+# Client-side -+ -+ -+file -+ -+ -+ -+Check --write-out with trailing %{ -+ -+ -+file://localhost/%PWD/log/ --write-out '%{' -+ -+ -+ -+# Verify data -+ -+ -+%{ -+ -+ -+ -diff --git a/tests/data/test1441 b/tests/data/test1441 -new file mode 100644 -index 000000000..6e253a690 ---- /dev/null -+++ b/tests/data/test1441 -@@ -0,0 +1,31 @@ -+ -+ -+ -+--write-out -+ -+ -+# Server-side -+ -+ -+ -+# Client-side -+ -+ -+file -+ -+ -+ -+Check --write-out with trailing % -+ -+ -+file://localhost/%PWD/log/ --write-out '%' -+ -+ -+ -+# Verify data -+ -+ -+% -+ -+ -+ -diff --git a/tests/data/test1442 b/tests/data/test1442 -new file mode 100644 -index 000000000..255a4c9ff ---- /dev/null -+++ b/tests/data/test1442 -@@ -0,0 +1,35 @@ -+ -+ -+ -+--write-out -+FILE -+ -+ -+# Server-side -+ -+ -+ -+# Client-side -+ -+ -+file -+ -+ -+ -+Check --write-out with trailing \ -+ -+ -+file://localhost/%PWD/log/non-existent-file.txt --write-out '\' -+ -+ -+ -+# Verify data -+ -+ -+37 -+ -+ -+\ -+ -+ -+ --- -2.11.0 - diff --git a/main/curl/curl-do-bounds-check-using-a-double-comparison.patch b/main/curl/curl-do-bounds-check-using-a-double-comparison.patch new file mode 100644 index 0000000000..34e2b6c717 --- /dev/null +++ b/main/curl/curl-do-bounds-check-using-a-double-comparison.patch @@ -0,0 +1,32 @@ +From 45a560390c4356bcb81d933bbbb229c8ea2acb63 Mon Sep 17 00:00:00 2001 +From: Adam Sampson +Date: Wed, 9 Aug 2017 14:11:17 +0100 +Subject: [PATCH] curl: do bounds check using a double comparison + +The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't +complete: if the parsed number in num is larger than will fit in a long, +the conversion is undefined behaviour (causing test1427 to fail for me +on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting +rid of the cast means the comparison will be done using doubles. + +It might make more sense for the max argument to also be a double... + +Fixes #1750 +Closes #1749 +--- + src/tool_paramhlp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c +index b9dedc989e..85c5e79a7e 100644 +--- a/src/tool_paramhlp.c ++++ b/src/tool_paramhlp.c +@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max) + num = strtod(str, &endptr); + if(errno == ERANGE) + return PARAM_NUMBER_TOO_LARGE; +- if((long)num > max) { ++ if(num > max) { + /* too large */ + return PARAM_NUMBER_TOO_LARGE; + } -- cgit v1.2.3