main/curl: security fixes (CVE-2016-5419, CVE-2016-5420, CVE-2016-5421)

Fixes #6005

main/curl/APKBUILD

@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=curl
 pkgver=7.49.1
-pkgrel=0
+pkgrel=1
 pkgdesc="An URL retrival utility and library"
 url="http://curl.haxx.se"
 arch="all"
@@ -10,11 +10,21 @@ license="MIT"
 depends="ca-certificates"
 depends_dev="zlib-dev openssl-dev libssh2-dev"
 makedepends="groff $depends_dev perl"
-source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2"
 subpackages="$pkgname-doc $pkgname-dev"
+source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2
+	CVE-2016-5419.patch
+	CVE-2016-5420.patch
+	CVE-2016-5421.patch
+	"
 
 _builddir="$srcdir/$pkgname-$pkgver"
 
+# security fixes:
+#   7.49.1-r1:
+#   - CVE-2016-5419
+#   - CVE-2016-5420
+#   - CVE-2016-5421
+
 prepare() {
 	local i
 	cd "$_builddir"
@@ -44,6 +54,15 @@ package() {
 	make DESTDIR="$pkgdir" install || return 1
 }
 
-md5sums="6bb1f7af5b58b30e4e6414b8c1abccab  curl-7.49.1.tar.bz2"
-sha256sums="eb63cec4bef692eab9db459033f409533e6d10e20942f4b060b32819e81885f1  curl-7.49.1.tar.bz2"
-sha512sums="665ef178c282c14f429498547b3711ef79faf85f6db7f4ec24259e2c6247f6ee234dda158ebc207d03f08b5198c5844480e054f24f054b2de6c6a15d4f1ce6e6  curl-7.49.1.tar.bz2"
+md5sums="6bb1f7af5b58b30e4e6414b8c1abccab  curl-7.49.1.tar.bz2
+290f6b37d95c9731849fc805a2ece53b  CVE-2016-5419.patch
+150e3c110d6eb85187e109d04317b9e3  CVE-2016-5420.patch
+0524664bc926374f6a7b057046924bd2  CVE-2016-5421.patch"
+sha256sums="eb63cec4bef692eab9db459033f409533e6d10e20942f4b060b32819e81885f1  curl-7.49.1.tar.bz2
+d3499aaf331fca2303749bdffbedf5677a555a37ada187c1a734926c7cb718e5  CVE-2016-5419.patch
+23e1fbd27860c6f46bec094c06b5618da2ab71b091945f587c0d7e8d143472f7  CVE-2016-5420.patch
+bca78667ac9110920c5ce31c8d82a784fe327eb184460c1b87fab4de004e6692  CVE-2016-5421.patch"
+sha512sums="665ef178c282c14f429498547b3711ef79faf85f6db7f4ec24259e2c6247f6ee234dda158ebc207d03f08b5198c5844480e054f24f054b2de6c6a15d4f1ce6e6  curl-7.49.1.tar.bz2
+a596e489b0b566d9dcc8292ccec4d90dfbeae7cb11e250871217ff90d1c9525d602f40e112eb0d47a0a597e5768c105423d1cb0cb2825c39a319ea9d582269d0  CVE-2016-5419.patch
+9578f13c5d8e5a5d184b5b08dd7d59de596644084f2de04c025ad8cd78e11dadcff45bf4fab02b8942d7ed19977dec4d220893f675d64ed13b27284d63dfa5f1  CVE-2016-5420.patch
+2b5e77dda11dbb77cbfe760da5377c94a1664b04f254c9fa642f49da119d93123ef6ee27e4c08d0ba9094240791ac09273c8be23fa8ca5982f8ed14d6b29ad7e  CVE-2016-5421.patch"

main/curl/CVE-2016-5419.patch

+From 416ad90afc50d9cbcb50ba4ab28f88d260774f6d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 1 Jul 2016 13:32:31 +0200
+Subject: [PATCH] TLS: switch off SSL session id when client cert is used
+
+CVE-2016-5419
+Bug: https://curl.haxx.se/docs/adv_20160803A.html
+Reported-by: Bru Rom
+Contributions-by: Eric Rescorla and Ray Satiro
+---
+ lib/url.c       |  1 +
+ lib/urldata.h   |  1 +
+ lib/vtls/vtls.c | 10 ++++++++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index 258a286..e547e5c 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -6121,10 +6121,11 @@ static CURLcode create_conn(struct Curl_easy *data,
+   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
+   data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+   data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+   data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
+   data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
++  data->set.ssl.clientcert = data->set.str[STRING_CERT];
+ #ifdef USE_TLS_SRP
+   data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
+   data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
+ #endif
+ 
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 611c5a7..3cf7ed9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -349,10 +349,11 @@ struct ssl_config_data {
+   bool verifystatus;     /* set TRUE if certificate status must be checked */
+   char *CApath;          /* certificate dir (doesn't work on windows) */
+   char *CAfile;          /* certificate to verify peer against */
+   const char *CRLfile;   /* CRL to check certificate revocation */
+   const char *issuercert;/* optional issuer certificate filename */
++  char *clientcert;
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+   char *cipher_list;     /* list of ciphers to use */
+   size_t max_ssl_sessions; /* SSL session id cache size */
+   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index d3e41cd..33e209d 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -154,20 +154,30 @@ Curl_clone_ssl_config(struct ssl_config_data *source,
+       return FALSE;
+   }
+   else
+     dest->random_file = NULL;
+ 
++  if(source->clientcert) {
++    dest->clientcert = strdup(source->clientcert);
++    if(!dest->clientcert)
++      return FALSE;
++    dest->sessionid = FALSE;
++  }
++  else
++    dest->clientcert = NULL;
++
+   return TRUE;
+ }
+ 
+ void Curl_free_ssl_config(struct ssl_config_data* sslc)
+ {
+   Curl_safefree(sslc->CAfile);
+   Curl_safefree(sslc->CApath);
+   Curl_safefree(sslc->cipher_list);
+   Curl_safefree(sslc->egdsocket);
+   Curl_safefree(sslc->random_file);
++  Curl_safefree(sslc->clientcert);
+ }
+ 
+ 
+ /*
+  * Curl_rand() returns a random unsigned integer, 32bit.
+-- 
+2.8.1
+

main/curl/CVE-2016-5420.patch

+From f6474ff3bfb38c28b70b5ba01048edc41f654376 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 Jul 2016 00:51:48 +0200
+Subject: [PATCH] TLS: only reuse connections with the same client cert
+
+CVE-2016-5420
+Bug: https://curl.haxx.se/docs/adv_20160803B.html
+---
+ lib/vtls/vtls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 33e209d..3863777 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -97,10 +97,11 @@ Curl_ssl_config_matches(struct ssl_config_data* data,
+   if((data->version == needle->version) &&
+      (data->verifypeer == needle->verifypeer) &&
+      (data->verifyhost == needle->verifyhost) &&
+      safe_strequal(data->CApath, needle->CApath) &&
+      safe_strequal(data->CAfile, needle->CAfile) &&
++     safe_strequal(data->clientcert, needle->clientcert) &&
+      safe_strequal(data->random_file, needle->random_file) &&
+      safe_strequal(data->egdsocket, needle->egdsocket) &&
+      safe_strequal(data->cipher_list, needle->cipher_list))
+     return TRUE;
+ 
+-- 
+2.8.1
+

main/curl/CVE-2016-5421.patch

+From ccb7d79b62c8b15a6be446f9c9fd3767c01eb5b6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 Jul 2016 01:09:04 +0200
+Subject: [PATCH] curl_multi_cleanup: clear connection pointer for easy handles
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2016-5421
+Bug: https://curl.haxx.se/docs/adv_20160803C.html
+Reported-by: Marcelo Echeverria and Fernando Muñoz
+---
+ lib/multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 9ee3523..8bb9366 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -2155,10 +2155,12 @@ static void close_all_connections(struct Curl_multi *multi)
+   while(conn) {
+     SIGPIPE_VARIABLE(pipe_st);
+     conn->data = multi->closure_handle;
+ 
+     sigpipe_ignore(conn->data, &pipe_st);
++    conn->data->easy_conn = NULL; /* clear the easy handle's connection
++                                     pointer */
+     /* This will remove the connection from the cache */
+     (void)Curl_disconnect(conn, FALSE);
+     sigpipe_restore(&pipe_st);
+ 
+     conn = Curl_conncache_find_first_connection(&multi->conn_cache);
+-- 
+2.8.1
+