Update to 7.24.0:

Fixed in 7.24.0 - January 24 2012

 Release contains security-related bug fix

 Changes:
   * CURLOPT_QUOTE: SFTP supports the '*'-prefix now
   * CURLOPT_DNS_SERVERS: set name servers if possible
   * Add support for using nettle instead of gcrypt as gnutls backend
   * CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes
   * Added CURLOPT_ACCEPTTIMEOUT_MS
   * configure: add symbols versioning option --enable-versioned-symbols

 Bugfixes:
   * curl was vulnerable to a data injection attack for certain protocols CVE-2012-0036
   * curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
   * SSL session share: move the age counter to the share object
   * -J -O: use -O name if no Content-Disposition header comes!
   * protocol_connect: show verbose connect and set connect time
   * query-part: ignore the URI part for given protocols
   * gnutls: only translate winsock errors for old versions
   * POP3: fix end of body detection
   * POP3: detect when LIST returns no mails
   * TELNET: improved treatment of options
   * configure: add support for pkg-config detection of libidn
   * CyaSSL 2.0+ library initialization adjustment
   * multi interface: only use non-NULL socket function pointer
   * call opensocket callback properly for active FTP
   * don't call close socket callback for sockets created with accept()
   * differentiate better between host/proxy errors
   * SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5
   * multi: handle timeouts on DNS servers by checking for new sockets
   * CURLOPT_DNS_SERVERS: fix return code
   * POP3: fixed escaped dot not being stripped out
   * OpenSSL: check for the SSLv2 function in configure
   * MakefileBuild: fix the static build
   * create_conn: don't switch to HTTP protocol if tunneling is enabled
   * multi interface: fix block when CONNECT_ONLY option is used
   * Fix connection reuse for TLS upgraded connections
   * multiple file upload with -F and custom type
   * multi interface: active FTP connections are no longer blocking
   * Android build fix
   * timer: restore PRETRANSFER timing
   * libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM
   * appconnect time fixed for non-blocking connect ssl backends
   * do not include SSL handshake into time spent waiting for 100-continue
   * handle dns cache case insensitive
   * use new host name casing for subsequent HTTP requests
   * CURLOPT_RESOLVE: avoid adding already present host names
   * SFTP mkdir: use correct permission
   * resolve: don't leak pre-populated dns entries
   * --retry: Retry transfers on timeout and DNS errors
   * negotiate with SSPI backend: use the correct buffer for input
   * SFTP dir: increase buffer size counter to avoid cut off file names
   * TFTP: fix resending (again)
   * c-ares: don't include getaddrinfo-using code
   * FTP: CURLE_PARTIAL_FILE will not close the control channel
   * win32-threaded-resolver: stop using a dummy socket
   * OpenSSL: remove reference to openssl internal struct
   * OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled
   * OpenSSL: fix PKCS#12 certificate parsing related memory leak
   * OpenLDAP: fix LDAP connection phase memory leak
   * Telnet: Use correct file descriptor for telnet upload
   * Telnet: Remove bogus optimisation of telnet upload
   * URL parse: user name with ipv6 numerical address
   * polarssl: show cipher suite name correctly with 1.1.0
   * polarssl: havege_rand is not present in version 1.1.0 WARNING, we still use the old API which is said to be insecure
   * gnutls: enforced use of SSLv3
wiz 2012-01-28 14:41:14 +00:00
parent 75e153b90b
commit dfc93a6bc9
10 changed files with 37 additions and 289 deletions

View file

@ -1,7 +1,6 @@
# $NetBSD: Makefile,v 1.110 2012/01/26 11:25:55 drochner Exp $
# $NetBSD: Makefile,v 1.111 2012/01/28 14:41:14 wiz Exp $
DISTNAME= curl-7.23.1
PKGREVISION= 1
DISTNAME= curl-7.24.0
CATEGORIES= www
MASTER_SITES= http://curl.haxx.se/download/ \
ftp://ftp.sunet.se/pub/www/utilities/curl/
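
Review bot: dropping PKGREVISION together with the DISTNAME bump to curl-7.24.0 is correct, since the pkgsrc revision counter restarts at a new upstream version. MASTER_SITES still lists only plain http:// and ftp:// mirrors, so the integrity of the fetched tarball rests entirely on the distinfo checksums recorded in this commit; the new SHA1/RMD160/Size values should be taken from a trusted copy of the 7.24.0 release, not from whichever mirror answered first.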

View file

@ -1,4 +1,4 @@
@comment $NetBSD: PLIST,v 1.34 2011/11/30 20:56:08 wiz Exp $
@comment $NetBSD: PLIST,v 1.35 2012/01/28 14:41:15 wiz Exp $
bin/curl
bin/curl-config
include/curl/curl.h
@ -101,6 +101,7 @@ share/examples/curl/http-post.c
share/examples/curl/httpcustomheader.c
share/examples/curl/httpput.c
share/examples/curl/https.c
share/examples/curl/imap.c
share/examples/curl/multi-app.c
share/examples/curl/multi-debugcallback.c
share/examples/curl/multi-double.c
@ -109,6 +110,8 @@ share/examples/curl/multi-single.c
share/examples/curl/multithread.c
share/examples/curl/opensslthreadlock.c
share/examples/curl/persistant.c
share/examples/curl/pop3s.c
share/examples/curl/pop3slist.c
share/examples/curl/post-callback.c
share/examples/curl/postit2.c
share/examples/curl/progressfunc.c
@ -126,3 +129,4 @@ share/examples/curl/smtp-multi.c
share/examples/curl/smtp-tls.c
share/examples/curl/synctime.c
share/examples/curl/threaded-ssl.c
share/examples/curl/url2file.c
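
Review bot: the four added entries (imap.c, pop3s.c, pop3slist.c, url2file.c) are new example sources shipped with 7.24.0, but a hand-edited PLIST is easy to get wrong on a version bump; regenerate it with `make print-PLIST` after a test install and diff against this file to confirm nothing else was added or removed between 7.23.1 and 7.24.0.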

View file

@ -1,12 +1,6 @@
$NetBSD: distinfo,v 1.73 2012/01/26 11:25:55 drochner Exp $
$NetBSD: distinfo,v 1.74 2012/01/28 14:41:15 wiz Exp $
SHA1 (curl-7.23.1.tar.bz2) = 9bac69696446ead85e59d8488098ee84cf897b7e
RMD160 (curl-7.23.1.tar.bz2) = 96c45f38361d04a939e135c9e5fcf27ca1180abe
Size (curl-7.23.1.tar.bz2) = 2376653 bytes
SHA1 (patch-aa) = 14a1854429e12d0f7d0da040a09ef6d173a6dff2
SHA1 (patch-ba) = b247fed2f7224a2d584f5370a18d8a609706859a
SHA1 (patch-bb) = 86fd7e1d100b1991be43d3aa415be5a37a81db5f
SHA1 (patch-bc) = 7ac1cf45003c541078b5deb96b8a373ce0631fcc
SHA1 (patch-bd) = ab1b25ce6c5a057d6429d4ba4d79b1db27c2a3ae
SHA1 (patch-be) = a5cf52d7ccc768c8be41e4f2ae53e90f998708a2
SHA1 (patch-bf) = 7ae4442ea7e81293d91b7415b767708f1e2e8321
SHA1 (curl-7.24.0.tar.bz2) = 2f2775a67de9fc91b47f5bb70fb7d359f7db55e7
RMD160 (curl-7.24.0.tar.bz2) = b2b3116318813478b4683ae479cb889c4fc05cea
Size (curl-7.24.0.tar.bz2) = 2406936 bytes
SHA1 (patch-aa) = 29e7a24fe828c88dd2f5435edcfe6dace44f18b3
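
Review bot: the removed checksum lines for patch-ba through patch-bf match the six patch files deleted in this commit, and the patch-aa checksum is updated because that patch was regenerated, so distinfo stays consistent with the patches directory. Note that the dropped patches were the PKGREVISION=1 security backports for 7.23.1; the only evidence on this page that 7.24.0 carries the same fixes is the commit message's two Bugfixes lines naming CVE-2012-0036 and the SSL CBC IV issue, so that claim should be checked against the upstream release notes rather than assumed from the checksum change.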

View file

@ -1,8 +1,8 @@
$NetBSD: patch-aa,v 1.17 2010/10/16 23:58:04 wiz Exp $
$NetBSD: patch-aa,v 1.18 2012/01/28 14:41:15 wiz Exp $
--- configure.orig 2010-10-01 20:49:17.000000000 +0000
--- configure.orig 2012-01-23 15:32:37.000000000 +0000
+++ configure
@@ -14766,7 +14766,7 @@ squeeze() {
@@ -15614,7 +15614,7 @@ squeeze() {
#
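
Review bot: the only changes in the first two hunks of patch-aa are the regenerated `@@` header offsets (14766 to 15614 and 19176 to 20090) and the new `--- configure.orig` timestamp; the patched content itself is unchanged, so this is a plain refresh against the 2012-01-23 configure and needs no further scrutiny beyond confirming the distinfo SHA1 for patch-aa was updated in the same commit.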
@ -11,7 +11,7 @@ $NetBSD: patch-aa,v 1.17 2010/10/16 23:58:04 wiz Exp $
#
if test "$compiler_id" = "GNU_C" ||
test "$compiler_id" = "CLANG"; then
@@ -19176,15 +19176,15 @@ $as_echo "#define HAVE_GSSAPI 1" >>confd
@@ -20090,15 +20090,15 @@ $as_echo "#define HAVE_GSSAPI 1" >>confd
LIBS="$LIBS $gss_libs"
elif test "$GSSAPI_ROOT" != "yes"; then
LDFLAGS="$LDFLAGS -L$GSSAPI_ROOT/lib$libsuff"
@ -30,3 +30,24 @@ $NetBSD: patch-aa,v 1.17 2010/10/16 23:58:04 wiz Exp $
fi
else
CPPFLAGS="$save_CPPFLAGS"
@@ -23346,15 +23346,15 @@ if test "${enable_versioned_symbols+set}
$as_echo "yes" >&6; }
if test "x$OPENSSL_ENABLED" = "x1"; then
versioned_symbols_flavour="OPENSSL_"
- elif test "x$GNUTLS_ENABLED" == "x1"; then
+ elif test "x$GNUTLS_ENABLED" = "x1"; then
versioned_symbols_flavour="GNUTLS_"
- elif test "x$NSS_ENABLED" == "x1"; then
+ elif test "x$NSS_ENABLED" = "x1"; then
versioned_symbols_flavour="NSS_"
- elif test "x$POLARSSL_ENABLED" == "x1"; then
+ elif test "x$POLARSSL_ENABLED" = "x1"; then
versioned_symbols_flavour="POLARSSL_"
- elif test "x$CYASSL_ENABLED" == "x1"; then
+ elif test "x$CYASSL_ENABLED" = "x1"; then
versioned_symbols_flavour="CYASSL_"
- elif test "x$AXTLS_ENABLED" == "x1"; then
+ elif test "x$AXTLS_ENABLED" = "x1"; then
versioned_symbols_flavour="AXTLS_"
else
versioned_symbols_flavour=""
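
Review bot: the six `==` to `=` substitutions in the `enable_versioned_symbols` block are a portability fix, since `test "x$GNUTLS_ENABLED" == "x1"` is a bash extension that strict POSIX `test` implementations reject, and a failing `test` here would silently leave `versioned_symbols_flavour` empty. Because this block is new upstream code in 7.24.0 (the commit message lists the `--enable-versioned-symbols` configure option under Changes), the fix belongs in curl's configure sources as well; suggest reporting it upstream so the pkgsrc patch can be dropped at the next update.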

View file

@ -1,120 +0,0 @@
$NetBSD: patch-ba,v 1.1 2012/01/26 11:25:55 drochner Exp $
CVE-2012-0036
--- lib/escape.c.orig 2011-11-04 22:32:56.000000000 +0000
+++ lib/escape.c
@@ -31,6 +31,7 @@
#include "urldata.h"
#include "warnless.h"
#include "non-ascii.h"
+#include "escape.h"
#define _MPRINTF_REPLACE /* use our functions only */
#include <curl/mprintf.h>
@@ -84,7 +85,7 @@ char *curl_easy_escape(CURL *handle, con
char *testing_ptr = NULL;
unsigned char in; /* we need to treat the characters unsigned */
size_t newlen = alloc;
- int strindex=0;
+ size_t strindex=0;
size_t length;
CURLcode res;
@@ -132,23 +133,29 @@ char *curl_easy_escape(CURL *handle, con
}
/*
- * Unescapes the given URL escaped string of given length. Returns a
- * pointer to a malloced string with length given in *olen.
- * If length == 0, the length is assumed to be strlen(string).
- * If olen == NULL, no output length is stored.
+ * Curl_urldecode() URL decodes the given string.
+ *
+ * Optionally detects control characters (byte codes lower than 32) in the
+ * data and rejects such data.
+ *
+ * Returns a pointer to a malloced string in *ostring with length given in
+ * *olen. If length == 0, the length is assumed to be strlen(string).
+ *
*/
-char *curl_easy_unescape(CURL *handle, const char *string, int length,
- int *olen)
+CURLcode Curl_urldecode(struct SessionHandle *data,
+ const char *string, size_t length,
+ char **ostring, size_t *olen,
+ bool reject_ctrl)
{
- int alloc = (length?length:(int)strlen(string))+1;
+ size_t alloc = (length?length:strlen(string))+1;
char *ns = malloc(alloc);
unsigned char in;
- int strindex=0;
+ size_t strindex=0;
unsigned long hex;
CURLcode res;
if(!ns)
- return NULL;
+ return CURLE_OUT_OF_MEMORY;
while(--alloc > 0) {
in = *string;
@@ -164,16 +171,20 @@ char *curl_easy_unescape(CURL *handle, c
in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */
- res = Curl_convert_from_network(handle, &in, 1);
+ res = Curl_convert_from_network(data, &in, 1);
if(res) {
/* Curl_convert_from_network calls failf if unsuccessful */
free(ns);
- return NULL;
+ return res;
}
string+=2;
alloc-=2;
}
+ if(reject_ctrl && (in < 0x20)) {
+ free(ns);
+ return CURLE_URL_MALFORMAT;
+ }
ns[strindex++] = in;
string++;
@@ -183,7 +194,33 @@ char *curl_easy_unescape(CURL *handle, c
if(olen)
/* store output size */
*olen = strindex;
- return ns;
+
+ if(ostring)
+ /* store output string */
+ *ostring = ns;
+
+ return CURLE_OK;
+}
+
+/*
+ * Unescapes the given URL escaped string of given length. Returns a
+ * pointer to a malloced string with length given in *olen.
+ * If length == 0, the length is assumed to be strlen(string).
+ * If olen == NULL, no output length is stored.
+ */
+char *curl_easy_unescape(CURL *handle, const char *string, int length,
+ int *olen)
+{
+ char *str = NULL;
+ size_t inputlen = length;
+ size_t outputlen;
+ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
+ FALSE);
+ if(res)
+ return NULL;
+ if(olen)
+ *olen = curlx_uztosi(outputlen);
+ return str;
}
/* For operating systems/environments that use different malloc/free
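
Review bot: removing this backport is consistent with the Bugfixes line `curl was vulnerable to a data injection attack for certain protocols CVE-2012-0036`, but two properties of the dropped patch are worth confirming in the 7.24.0 lib/escape.c before trusting the upstream fix. First, the new check `if(reject_ctrl && (in < 0x20))` sits after the closing brace of the `%xx` decoding block, so it applies to every output byte, literal or decoded, which is the behaviour that actually blocks injected CR/LF; a fix that tested only decoded bytes would be incomplete. Second, the `curl_easy_unescape()` wrapper converts the public `int length` straight into `size_t inputlen` without rejecting negative values, so a caller passing a negative length gets a huge allocation request rather than an error.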

View file

@ -1,33 +0,0 @@
$NetBSD: patch-bb,v 1.1 2012/01/26 11:25:55 drochner Exp $
CVE-2012-0036
--- lib/escape.h.orig 2011-03-19 15:16:07.000000000 +0000
+++ lib/escape.h
@@ -1,5 +1,5 @@
-#ifndef __ESCAPE_H
-#define __ESCAPE_H
+#ifndef HEADER_CURL_ESCAPE_H
+#define HEADER_CURL_ESCAPE_H
/***************************************************************************
* _ _ ____ _
@@ -8,7 +8,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -25,5 +25,9 @@
/* Escape and unescape URL encoding in strings. The functions return a new
* allocated string or NULL if an error occurred. */
+CURLcode Curl_urldecode(struct SessionHandle *data,
+ const char *string, size_t length,
+ char **ostring, size_t *olen,
+ bool reject_crlf);
#endif
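
Review bot: the prototype here names the final parameter `reject_crlf` while the definition in patch-ba names it `reject_ctrl`, and the implementation rejects every byte below 0x20, not only CR and LF, so the header name under-describes what the flag does. C does not object to mismatched parameter names, and the point is moot once the patch is deleted, but it is worth checking that the upstream escape.h in 7.24.0 uses one consistent name and that the comment above the prototype (which still says the functions return NULL on error) was updated for a CURLcode-returning function.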

View file

@ -1,25 +0,0 @@
$NetBSD: patch-bc,v 1.1 2012/01/26 11:25:55 drochner Exp $
CVE-2012-0036
--- lib/imap.c.orig 2011-11-04 22:32:56.000000000 +0000
+++ lib/imap.c
@@ -947,17 +947,12 @@ static CURLcode imap_parse_url_path(stru
struct imap_conn *imapc = &conn->proto.imapc;
struct SessionHandle *data = conn->data;
const char *path = data->state.path;
- int len;
if(!*path)
path = "INBOX";
/* url decode the path and use this mailbox */
- imapc->mailbox = curl_easy_unescape(data, path, 0, &len);
- if(!imapc->mailbox)
- return CURLE_OUT_OF_MEMORY;
-
- return CURLE_OK;
+ return Curl_urldecode(data, path, 0, &imapc->mailbox, NULL, TRUE);
}
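
Review bot: with `TRUE` passed as the last argument, `imap_parse_url_path()` now fails with CURLE_URL_MALFORMAT on any control character in the mailbox path instead of only reporting CURLE_OUT_OF_MEMORY when the old `curl_easy_unescape()` returned NULL, and the direct `return Curl_urldecode(...)` also propagates the conversion error that was previously folded into out-of-memory. Deleting the backport relies on 7.24.0 applying the same rejection on the IMAP path, not only in the generic decoder; confirm that before dropping the patch.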
/* call this when the DO phase has completed */

View file

@ -1,19 +0,0 @@
$NetBSD: patch-bd,v 1.1 2012/01/26 11:25:55 drochner Exp $
CVE-2012-0036
--- lib/pop3.c.orig 2011-11-04 22:32:56.000000000 +0000
+++ lib/pop3.c
@@ -899,11 +899,7 @@ static CURLcode pop3_parse_url_path(stru
const char *path = data->state.path;
/* url decode the path and use this mailbox */
- pop3c->mailbox = curl_easy_unescape(data, path, 0, NULL);
- if(!pop3c->mailbox)
- return CURLE_OUT_OF_MEMORY;
-
- return CURLE_OK;
+ return Curl_urldecode(data, path, 0, &pop3c->mailbox, NULL, TRUE);
}
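
Review bot: this mirrors the IMAP change, routing `pop3c->mailbox` through `Curl_urldecode(..., TRUE)` so control characters in the mailbox part of the URL are rejected with CURLE_URL_MALFORMAT rather than decoded into the mailbox name. The old call already passed `NULL` for the output length, so no `int len` removal is needed here; the same check applies as for IMAP, namely that the upstream pop3.c in 7.24.0 passes the reject flag rather than the old NULL-or-pointer interface.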
/* call this when the DO phase has completed */

View file

@ -1,27 +0,0 @@
$NetBSD: patch-be,v 1.1 2012/01/26 11:25:55 drochner Exp $
CVE-2012-0036
--- lib/smtp.c.orig 2011-11-04 22:32:57.000000000 +0000
+++ lib/smtp.c
@@ -1243,7 +1243,6 @@ static CURLcode smtp_connect(struct conn
struct SessionHandle *data = conn->data;
struct pingpong *pp = &smtpc->pp;
const char *path = conn->data->state.path;
- int len;
char localhost[HOSTNAME_MAX + 1];
*done = FALSE; /* default to not done yet */
@@ -1315,9 +1314,9 @@ static CURLcode smtp_connect(struct conn
}
/* url decode the path and use it as domain with EHLO */
- smtpc->domain = curl_easy_unescape(conn->data, path, 0, &len);
- if(!smtpc->domain)
- return CURLE_OUT_OF_MEMORY;
+ result = Curl_urldecode(conn->data, path, 0, &smtpc->domain, NULL, TRUE);
+ if(result)
+ return result;
/* When we connect, we start in the state where we await the server greeting
*/
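
Review bot: in the second hunk `result = Curl_urldecode(...)` assigns to a variable whose declaration is not in the visible context of either hunk; the first hunk only removes `int len`. The patch applied cleanly to 7.23.1, so `result` presumably already exists in `smtp_connect()`, but reusing an outer-scope status variable for the decode call means any later code in the function that reads `result` before reassigning it now sees the decode status; a reviewer of the upstream version should check that the variable is local to this step or is reset afterwards.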

View file

@ -1,46 +0,0 @@
$NetBSD: patch-bf,v 1.1 2012/01/26 11:25:55 drochner Exp $
CVE-2011-3389
--- lib/ssluse.c.orig 2011-11-06 15:58:24.000000000 +0000
+++ lib/ssluse.c
@@ -1420,6 +1420,7 @@ ossl_connect_step1(struct connectdata *c
X509_LOOKUP *lookup=NULL;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ long ctx_options;
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
bool sni;
#ifdef ENABLE_IPV6
@@ -1525,16 +1526,27 @@ ossl_connect_step1(struct connectdata *c
If someone writes an application with libcurl and openssl who wants to
enable the feature, one can do this in the SSL callback.
+ OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
+ (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
+ SSL_OP_ALL that _disables_ that work-around despite the fact that
+ SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
+ keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
+ must not be set.
+
*/
+
+ ctx_options = SSL_OP_ALL;
+
#ifdef SSL_OP_NO_TICKET
/* expect older openssl releases to not have this define so only use it if
present */
-#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET
-#else
-#define CURL_CTX_OPTIONS SSL_OP_ALL
+ ctx_options |= SSL_OP_NO_TICKET;
+#endif
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
- SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS);
+ SSL_CTX_set_options(connssl->ctx, ctx_options);
/* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
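
Review bot: the replacement of the CURL_CTX_OPTIONS macro with a computed `ctx_options` clears SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS only after ORing in SSL_OP_ALL, which is the order that matters because SSL_OP_ALL is what sets that bit; applying the mask first would silently re-enable the disabled work-around. Dropping the backport is consistent with the Bugfixes line `curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL`, but the rendered page cuts this 46-line hunk off after the `CURL_SSLVERSION_DEFAULT` check, so the remaining lines of the deleted patch-bf were not reviewed here.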