From 62592bb66036d520f13c8eefc25dca056a186959 Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias
Date: Wed, 29 Apr 2015 15:47:56 -0300
Subject: [PATCH] libcurl: security bump to version 7.42.1
Fixes: CVE-2013-3153 - sensitive HTTP server headers also sent to proxies.
And drop upstream patches.
Signed-off-by: Gustavo Zacarias
Signed-off-by: Peter Korsgaard
---
 ...nectionexists-fix-build-without-NTLM.patch | 54 -------------------
 ...ctionexists-follow-up-to-fd9d3a1ef1f.patch | 48 -----------------
 package/libcurl/libcurl.hash | 2 +-
 package/libcurl/libcurl.mk | 2 +-
 4 files changed, 2 insertions(+), 104 deletions(-)
 delete mode 100644 package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch
 delete mode 100644 package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch
diff --git a/package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch b/package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch
deleted file mode 100644
index 4f91372192..0000000000
--- a/package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From fd9d3a1ef1f7b1cb5812d04bad07818efc6f3b3a Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Wed, 22 Apr 2015 13:31:35 +0200
-Subject: [PATCH 1/2] connectionexists: fix build without NTLM
-
-Do not access NTLM-specific struct fields when built without NTLM
-enabled!
-
-bug: http://curl.haxx.se/?i=231
-Reported-by: Patrick Rapin
-Signed-off-by: Gustavo Zacarias
---
- lib/url.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index f033dbc..93f15f1 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -3069,9 +3069,11 @@ ConnectionExists(struct SessionHandle *data,
- struct connectdata *check;
- struct connectdata *chosen = 0;
- bool canPipeline = IsPipeliningPossible(data, needle);
-+#ifdef USE_NTLM
- bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
- (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
- (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
-+#endif
- struct connectbundle *bundle;
-
- *force_reuse = FALSE;
-@@ -3208,6 +3210,7 @@ ConnectionExists(struct SessionHandle *data,
- continue;
- }
-
-+#if defined(USE_NTLM)
- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
- (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
- /* This protocol requires credentials per connection or is HTTP+NTLM,
-@@ -3217,10 +3220,9 @@ ConnectionExists(struct SessionHandle *data,
- /* one of them was different */
- continue;
- }
--#if defined(USE_NTLM)
- credentialsMatch = TRUE;
--#endif
- }
-+#endif
-
- if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
- (needle->bits.httpproxy && check->bits.httpproxy &&
---
-2.0.5
-
diff --git a/package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch b/package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch
deleted file mode 100644
index 28eaeb9c35..0000000000
--- a/package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 85c45d153b901d3f69dd5713924039c011477612 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Wed, 22 Apr 2015 13:58:10 +0200
-Subject: [PATCH 2/2] connectionexists: follow-up to fd9d3a1ef1f
-
-PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
-enabled.
-
-Mistake-caught-by: Kamil Dudka
-Signed-off-by: Gustavo Zacarias
---
- lib/url.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index 93f15f1..7dc5c45 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -3210,9 +3210,11 @@ ConnectionExists(struct SessionHandle *data,
- continue;
- }
-
--#if defined(USE_NTLM)
-- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
-- (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
-+ if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))
-+#ifdef USE_NTLM
-+ || (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)
-+#endif
-+ ) {
- /* This protocol requires credentials per connection or is HTTP+NTLM,
- so verify that we're using the same name and password as well */
- if(!strequal(needle->user, check->user) ||
-@@ -3220,9 +3222,10 @@ ConnectionExists(struct SessionHandle *data,
- /* one of them was different */
- continue;
- }
-+#if defined(USE_NTLM)
- credentialsMatch = TRUE;
-- }
- #endif
-+ }
-
- if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
- (needle->bits.httpproxy && check->bits.httpproxy &&
---
-2.0.5
-
diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index e2bd83d47f..59a458e476 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,2 +1,2 @@
 # Locally calculated after checking pgp signature
-sha256 32557d68542f5c6cc8437b5b8a945857b4c5c6b6276da909e35b783d1d66d08f curl-7.42.0.tar.bz2
+sha256 e2905973391ec2dfd7743a8034ad10eeb58dab8b3a297e7892a41a7999cac887 curl-7.42.1.tar.bz2
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 33903997cb..f0d7bacaaa 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
-LIBCURL_VERSION = 7.42.0
+LIBCURL_VERSION = 7.42.1
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2
 LIBCURL_SITE = http://curl.haxx.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \