Commit 13ee88b0 authored by Natanael Copa's avatar Natanael Copa

main/curl: security upgrade to 7.55.0

CVE-2017-1000099
CVE-2017-1000100
CVE-2017-1000101

fixes #7653
parent c4181213
......@@ -3,7 +3,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.54.1
pkgver=7.55.0
pkgrel=0
pkgdesc="An URL retrival utility and library"
url="http://curl.haxx.se"
......@@ -12,10 +12,15 @@ license="MIT"
depends="ca-certificates"
makedepends="zlib-dev libressl-dev libssh2-dev groff perl"
source="http://curl.haxx.se/download/$pkgname-$pkgver.tar.bz2
curl-do-bounds-check-using-a-double-comparison.patch
"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev libcurl"
# secfixes:
# 7.55.0-r0:
# - CVE-2017-1000099
# - CVE-2017-1000100
# - CVE-2017-1000101
# 7.54.0-r0:
# - CVE-2017-7468
# 7.53.1-r2:
......@@ -52,6 +57,10 @@ builddir="$srcdir/$pkgname-$pkgver"
build() {
cd "$builddir"
# see https://curl.haxx.se/mail/lib-2017-08/0050.html
rm docs/libcurl/opts/CURLOPT_STRIP_PATH_SLASH.3
./configure \
--build=$CBUILD \
--host=$CHOST \
......@@ -82,4 +91,5 @@ libcurl() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr
}
sha512sums="eb9639677f0ca1521ca631c520ab83ad071c52b31690e5e7f31546f6a44b2f11d1bb62282056cffb570eb290bf1e7830e87cb536295ac6a54a904663e795f2da curl-7.54.1.tar.bz2"
sha512sums="4975864621219e937585aaf5a9a54bba112b58bbf5a8acd92e1e972ea747a15a5564143548c5d8930b8c0d0e9d27d28225d0c81e52a1ba71e4c6f9e3859c978b curl-7.55.0.tar.bz2
d0f102fdbc2174169b2fea9248c3187d8c546d3a788447769dceec5fb7e063adbebbc967b88d208af1355cfda600f837abdae6d2e057a096eededc1857d2b8d3 curl-do-bounds-check-using-a-double-comparison.patch"
From 6019f1795b4e3b72507b84b0e02dc8c32024f562 Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Sat, 11 Mar 2017 10:59:34 +0100
Subject: [PATCH] CVE-2017-7407: fixed
Bug: https://curl.haxx.se/docs/adv_20170403.html
Reported-by: Brian Carpenter
---
src/tool_writeout.c | 6 +++---
tests/data/Makefile.inc | 2 +-
tests/data/test1440 | 31 +++++++++++++++++++++++++++++++
tests/data/test1441 | 31 +++++++++++++++++++++++++++++++
tests/data/test1442 | 35 +++++++++++++++++++++++++++++++++++
5 files changed, 101 insertions(+), 4 deletions(-)
create mode 100644 tests/data/test1440
create mode 100644 tests/data/test1441
create mode 100644 tests/data/test1442
diff --git a/src/tool_writeout.c b/src/tool_writeout.c
index 2fb77742a..5d92bd278 100644
--- a/src/tool_writeout.c
+++ b/src/tool_writeout.c
@@ -3,11 +3,11 @@
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.haxx.se/docs/copyright.html.
*
@@ -111,11 +111,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
char *stringp = NULL;
long longinfo;
double doubleinfo;
while(ptr && *ptr) {
- if('%' == *ptr) {
+ if('%' == *ptr && ptr[1]) {
if('%' == ptr[1]) {
/* an escaped %-letter */
fputc('%', stream);
ptr += 2;
}
@@ -339,11 +339,11 @@ void ourWriteOut(CURL *curl, struct OutStruct *outs, const char *writeinfo)
fputc(ptr[1], stream);
ptr += 2;
}
}
}
- else if('\\' == *ptr) {
+ else if('\\' == *ptr && ptr[1]) {
switch(ptr[1]) {
case 'r':
fputc('\r', stream);
break;
case 'n':
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 8251ab9a4..267ff6aef 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -149,11 +149,11 @@ test1396 test1397 test1398 \
test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \
test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
test1424 \
test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
-test1436 test1437 test1438 test1439 \
+test1436 test1437 test1438 test1439 test1440 test1441 test1442 \
\
test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
test1516 test1517 \
\
diff --git a/tests/data/test1440 b/tests/data/test1440
new file mode 100644
index 000000000..7ed0c4d5f
--- /dev/null
+++ b/tests/data/test1440
@@ -0,0 +1,31 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing %{
+</name>
+<command>
+file://localhost/%PWD/log/ --write-out '%{'
+</command>
+</client>
+
+# Verify data
+<verify>
+<stdout nonewline="yes">
+%{
+</stdout>
+</verify>
+</testcase>
diff --git a/tests/data/test1441 b/tests/data/test1441
new file mode 100644
index 000000000..6e253a690
--- /dev/null
+++ b/tests/data/test1441
@@ -0,0 +1,31 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing %
+</name>
+<command>
+file://localhost/%PWD/log/ --write-out '%'
+</command>
+</client>
+
+# Verify data
+<verify>
+<stdout nonewline="yes">
+%
+</stdout>
+</verify>
+</testcase>
diff --git a/tests/data/test1442 b/tests/data/test1442
new file mode 100644
index 000000000..255a4c9ff
--- /dev/null
+++ b/tests/data/test1442
@@ -0,0 +1,35 @@
+<testcase>
+<info>
+<keywords>
+--write-out
+FILE
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+file
+</server>
+
+<name>
+Check --write-out with trailing \
+</name>
+<command>
+file://localhost/%PWD/log/non-existent-file.txt --write-out '\'
+</command>
+</client>
+
+# Verify data
+<verify>
+<errorcode>
+37
+</errorcode>
+<stdout nonewline="yes">
+\
+</stdout>
+</verify>
+</testcase>
--
2.11.0
From 45a560390c4356bcb81d933bbbb229c8ea2acb63 Mon Sep 17 00:00:00 2001
From: Adam Sampson <ats@offog.org>
Date: Wed, 9 Aug 2017 14:11:17 +0100
Subject: [PATCH] curl: do bounds check using a double comparison
The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
complete: if the parsed number in num is larger than will fit in a long,
the conversion is undefined behaviour (causing test1427 to fail for me
on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting
rid of the cast means the comparison will be done using doubles.
It might make more sense for the max argument to also be a double...
Fixes #1750
Closes #1749
---
src/tool_paramhlp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
index b9dedc989e..85c5e79a7e 100644
--- a/src/tool_paramhlp.c
+++ b/src/tool_paramhlp.c
@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max)
num = strtod(str, &endptr);
if(errno == ERANGE)
return PARAM_NUMBER_TOO_LARGE;
- if((long)num > max) {
+ if(num > max) {
/* too large */
return PARAM_NUMBER_TOO_LARGE;
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment