[Buildroot] [PATCH] libcurl: security bump to version 7.42.1

Gustavo Zacarias gustavo at zacarias.com.ar
Wed Apr 29 18:47:56 UTC 2015


Fixes:
CVE-2013-3153 - sensitive HTTP server headers also sent to proxies.

And drop upstream patches.

Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
---
 ...1-connectionexists-fix-build-without-NTLM.patch | 54 ----------------------
 ...connectionexists-follow-up-to-fd9d3a1ef1f.patch | 48 -------------------
 package/libcurl/libcurl.hash                       |  2 +-
 package/libcurl/libcurl.mk                         |  2 +-
 4 files changed, 2 insertions(+), 104 deletions(-)
 delete mode 100644 package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch
 delete mode 100644 package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch

diff --git a/package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch b/package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch
deleted file mode 100644
index 4f91372..0000000
--- a/package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From fd9d3a1ef1f7b1cb5812d04bad07818efc6f3b3a Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel at haxx.se>
-Date: Wed, 22 Apr 2015 13:31:35 +0200
-Subject: [PATCH 1/2] connectionexists: fix build without NTLM
-
-Do not access NTLM-specific struct fields when built without NTLM
-enabled!
-
-bug: http://curl.haxx.se/?i=231
-Reported-by: Patrick Rapin
-Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
----
- lib/url.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index f033dbc..93f15f1 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -3069,9 +3069,11 @@ ConnectionExists(struct SessionHandle *data,
-   struct connectdata *check;
-   struct connectdata *chosen = 0;
-   bool canPipeline = IsPipeliningPossible(data, needle);
-+#ifdef USE_NTLM
-   bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
-                        (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
-     (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
-+#endif
-   struct connectbundle *bundle;
- 
-   *force_reuse = FALSE;
-@@ -3208,6 +3210,7 @@ ConnectionExists(struct SessionHandle *data,
-           continue;
-       }
- 
-+#if defined(USE_NTLM)
-       if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
-          (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
-         /* This protocol requires credentials per connection or is HTTP+NTLM,
-@@ -3217,10 +3220,9 @@ ConnectionExists(struct SessionHandle *data,
-           /* one of them was different */
-           continue;
-         }
--#if defined(USE_NTLM)
-         credentialsMatch = TRUE;
--#endif
-       }
-+#endif
- 
-       if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
-          (needle->bits.httpproxy && check->bits.httpproxy &&
--- 
-2.0.5
-
diff --git a/package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch b/package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch
deleted file mode 100644
index 28eaeb9..0000000
--- a/package/libcurl/0002-connectionexists-follow-up-to-fd9d3a1ef1f.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 85c45d153b901d3f69dd5713924039c011477612 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel at haxx.se>
-Date: Wed, 22 Apr 2015 13:58:10 +0200
-Subject: [PATCH 2/2] connectionexists: follow-up to fd9d3a1ef1f
-
-PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
-enabled.
-
-Mistake-caught-by: Kamil Dudka
-Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
----
- lib/url.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index 93f15f1..7dc5c45 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -3210,9 +3210,11 @@ ConnectionExists(struct SessionHandle *data,
-           continue;
-       }
- 
--#if defined(USE_NTLM)
--      if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
--         (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
-+      if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))
-+#ifdef USE_NTLM
-+         || (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)
-+#endif
-+        ) {
-         /* This protocol requires credentials per connection or is HTTP+NTLM,
-            so verify that we're using the same name and password as well */
-         if(!strequal(needle->user, check->user) ||
-@@ -3220,9 +3222,10 @@ ConnectionExists(struct SessionHandle *data,
-           /* one of them was different */
-           continue;
-         }
-+#if defined(USE_NTLM)
-         credentialsMatch = TRUE;
--      }
- #endif
-+      }
- 
-       if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
-          (needle->bits.httpproxy && check->bits.httpproxy &&
--- 
-2.0.5
-
diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index e2bd83d..59a458e 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,2 +1,2 @@
 # Locally calculated after checking pgp signature
-sha256	32557d68542f5c6cc8437b5b8a945857b4c5c6b6276da909e35b783d1d66d08f	curl-7.42.0.tar.bz2
+sha256	e2905973391ec2dfd7743a8034ad10eeb58dab8b3a297e7892a41a7999cac887	curl-7.42.1.tar.bz2
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 3390399..f0d7bac 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBCURL_VERSION = 7.42.0
+LIBCURL_VERSION = 7.42.1
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2
 LIBCURL_SITE = http://curl.haxx.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \
-- 
2.0.5



More information about the buildroot mailing list