* [Buildroot] [PATCH] libcurl: security bump to version 7.42.0
@ 2015-04-23  5:46 Gustavo Zacarias
  2015-04-23  7:47 ` Thomas Petazzoni
  0 siblings, 1 reply; 2+ messages in thread
From: Gustavo Zacarias @ 2015-04-23  5:46 UTC (permalink / raw)
  To: buildroot

Fixes:
CVE-2015-3144 - host name out of boundary memory access
CVE-2015-3145 - cookie parser out of boundary memory access
CVE-2015-3148 - Negotiate not treated as connection-oriented
CVE-2015-3143 - Re-using authenticated connection when unauthenticated

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 ...1-connectionexists-fix-build-without-NTLM.patch | 54 ++++++++++++++++++++++
 ...connectionexists-follow-up-to-fd9d3a1ef1f.patch | 48 +++++++++++++++++++
 package/libcurl/libcurl.hash                       |  2 +-
 package/libcurl/libcurl.mk                         |  2 +-
 4 files changed, 104 insertions(+), 2 deletions(-)
 create mode 100644 package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch
 create mode 100644 package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch

diff --git a/package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch b/package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch
new file mode 100644
index 0000000..4f91372
--- /dev/null
+++ b/package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch
@@ -0,0 +1,54 @@
+From fd9d3a1ef1f7b1cb5812d04bad07818efc6f3b3a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 22 Apr 2015 13:31:35 +0200
+Subject: [PATCH 1/2] connectionexists: fix build without NTLM
+
+Do not access NTLM-specific struct fields when built without NTLM
+enabled!
+
+bug: http://curl.haxx.se/?i=231
+Reported-by: Patrick Rapin
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ lib/url.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index f033dbc..93f15f1 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3069,9 +3069,11 @@ ConnectionExists(struct SessionHandle *data,
+   struct connectdata *check;
+   struct connectdata *chosen = 0;
+   bool canPipeline = IsPipeliningPossible(data, needle);
++#ifdef USE_NTLM
+   bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
+                        (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
+     (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
++#endif
+   struct connectbundle *bundle;
+ 
+   *force_reuse = FALSE;
+@@ -3208,6 +3210,7 @@ ConnectionExists(struct SessionHandle *data,
+           continue;
+       }
+ 
++#if defined(USE_NTLM)
+       if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+          (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
+         /* This protocol requires credentials per connection or is HTTP+NTLM,
+@@ -3217,10 +3220,9 @@ ConnectionExists(struct SessionHandle *data,
+           /* one of them was different */
+           continue;
+         }
+-#if defined(USE_NTLM)
+         credentialsMatch = TRUE;
+-#endif
+       }
++#endif
+ 
+       if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
+          (needle->bits.httpproxy && check->bits.httpproxy &&
+-- 
+2.0.5
+
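Review bot: In the second lib/url.c hunk of this embedded patch (@@ -3208), the new `#if defined(USE_NTLM)` encloses the whole `if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) || ...` block and its `#endif` sits after the closing brace, so a build without USE_NTLM compiles out the credentials check and its `/* one of them was different */ continue;` branch. That makes 0001 unsafe to apply on its own: say in the patch header that it depends on 0002, or fold the two into a single package patch so the intermediate state never exists in the tree.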
diff --git a/package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch b/package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch
new file mode 100644
index 0000000..28eaeb9
--- /dev/null
+++ b/package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch
@@ -0,0 +1,48 @@
+From 85c45d153b901d3f69dd5713924039c011477612 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 22 Apr 2015 13:58:10 +0200
+Subject: [PATCH 2/2] connectionexists: follow-up to fd9d3a1ef1f
+
+PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
+enabled.
+
+Mistake-caught-by: Kamil Dudka
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
+---
+ lib/url.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 93f15f1..7dc5c45 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3210,9 +3210,11 @@ ConnectionExists(struct SessionHandle *data,
+           continue;
+       }
+ 
+-#if defined(USE_NTLM)
+-      if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+-         (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
++      if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))
++#ifdef USE_NTLM
++         || (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)
++#endif
++        ) {
+         /* This protocol requires credentials per connection or is HTTP+NTLM,
+            so verify that we're using the same name and password as well */
+         if(!strequal(needle->user, check->user) ||
+@@ -3220,9 +3222,10 @@ ConnectionExists(struct SessionHandle *data,
+           /* one of them was different */
+           continue;
+         }
++#if defined(USE_NTLM)
+         credentialsMatch = TRUE;
+-      }
+ #endif
++      }
+ 
+       if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
+          (needle->bits.httpproxy && check->bits.httpproxy &&
+-- 
+2.0.5
+
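Review bot: The header of this carried patch (the From/Subject lines at its top) identifies the upstream commit only by hash and does not say when the patch can be dropped; add a line stating that it is an upstream backport to remove at the next libcurl bump. In the @@ -3210 hunk the condition is now split across a preprocessor guard with `) {` left on its own line, and the two guards in this patch are spelled differently (`#ifdef USE_NTLM` and `#if defined(USE_NTLM)`), which is worth a comment for whoever has to rebase it.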
diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 3b00f0d..e2bd83d 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,2 +1,2 @@
 # Locally calculated after checking pgp signature
-sha256	9f8b546bdc5c57d959151acae7ce6610fe929d82b8d0fc5b25a3a2296e5f8bea	curl-7.41.0.tar.bz2
+sha256	32557d68542f5c6cc8437b5b8a945857b4c5c6b6276da909e35b783d1d66d08f	curl-7.42.0.tar.bz2
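Review bot: The context comment `# Locally calculated after checking pgp signature` is the only provenance given for the new sha256 line, and it names neither the signature file nor the key that was checked, so a reviewer cannot repeat the verification for curl-7.42.0.tar.bz2. Extend the comment with the location of the signature and the fingerprint of the signing key that was used.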
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 69cd8df..acb2b42 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBCURL_VERSION = 7.41.0
+LIBCURL_VERSION = 7.42.0
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2
 LIBCURL_SITE = http://curl.haxx.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \
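Review bot: The unchanged `LIBCURL_SITE = http://curl.haxx.se/download` line means this security release is still fetched over plain HTTP, which leaves the sha256 entry in libcurl.hash as the only integrity check on the tarball. If the site serves the same path over HTTPS, switch the URL as part of this bump.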
-- 
2.0.5


* [Buildroot] [PATCH] libcurl: security bump to version 7.42.0
  2015-04-23  5:46 [Buildroot] [PATCH] libcurl: security bump to version 7.42.0 Gustavo Zacarias
@ 2015-04-23  7:47 ` Thomas Petazzoni
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Petazzoni @ 2015-04-23  7:47 UTC (permalink / raw)
  To: buildroot

Dear Gustavo Zacarias,

On Thu, 23 Apr 2015 02:46:07 -0300, Gustavo Zacarias wrote:
> Fixes:
> CVE-2015-3144 - host name out of boundary memory access
> CVE-2015-3145 - cookie parser out of boundary memory access
> CVE-2015-3148 - Negotiate not treated as connection-oriented
> CVE-2015-3143 - Re-using authenticated connection when unauthenticated
> 
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> ---
>  ...1-connectionexists-fix-build-without-NTLM.patch | 54 ++++++++++++++++++++++
>  ...connectionexists-follow-up-to-fd9d3a1ef1f.patch | 48 +++++++++++++++++++
>  package/libcurl/libcurl.hash                       |  2 +-
>  package/libcurl/libcurl.mk                         |  2 +-
>  4 files changed, 104 insertions(+), 2 deletions(-)
>  create mode 100644 package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch
>  create mode 100644 package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch

Applied, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
