Hello community, here is the log from the commit of package curl.2733 for openSUSE:12.3:Update checked in at 2014-05-02 14:19:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/curl.2733 (Old) and /work/SRC/openSUSE:12.3:Update/.curl.2733.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "curl.2733" Changes: -------- New Changes file: --- /dev/null 2014-04-28 00:21:37.460033756 +0200 +++ /work/SRC/openSUSE:12.3:Update/.curl.2733.new/curl.changes 2014-05-02 14:19:42.000000000 +0200 
@@ -0,0 +1,1105 @@ +------------------------------------------------------------------- +Wed Apr 2 10:43:38 UTC 2014 - vcizek@suse.com + +- fixes for two security vulnerabilities: + * CVE-2014-0138 (bnc#868627) + - curl: wrong re-use of connections + - added: curl-CVE-2014-0138.patch + - removed: curl-CVE-2014-138-bad-reuse.patch + * CVE-2014-0139 (bnc#868629) + - curl: IP address wildcard certificate validation + - added: curl-CVE-2014-0139.patch + - removed: curl-CVE-2014-139-reject-cert-ip-wildcards.patch + +------------------------------------------------------------------- +Mon Mar 17 11:16:10 UTC 2014 - vcizek@suse.com + +- fixes for two security vulnerabilities: + * CVE-2014-138 (bnc#868627) + - curl: wrong re-use of connections + - added curl-CVE-2014-138-bad-reuse.patch + * CVE-2014-139 (bnc#868629) + - curl: IP address wildcard certificate validation + - curl-CVE-2014-139-reject-cert-ip-wildcards.patch + +------------------------------------------------------------------- +Tue Jan 14 12:33:28 UTC 2014 - vcizek@suse.com + +- fix for CVE-2014-0015 (bnc#858673) + * re-use of wrong HTTP NTLM connection in libcurl + * added curl-CVE-2014-0015-NTLM_connection_reuse.patch +- fix test failure because of an expired cookie (bnc#862144) + * added curl-test172_cookie_expiration.patch + +------------------------------------------------------------------- +Mon Dec 2 11:26:06 UTC 2013 - vcizek@suse.com + +- fix CVE-2013-4545 (bnc#849596) + = acknowledge VERIFYHOST without VERIFYPEER + +------------------------------------------------------------------- +Thu Jun 13 10:06:23 UTC 2013 - vcizek@suse.com + +- fix for CVE-2013-2174 (bnc#824517) + added curl-CVE-2013-2174.patch + +------------------------------------------------------------------- +Fri Apr 12 11:01:51 UTC 2013 - vcizek@suse.com + +- fixed CVE-2013-1944 (bnc#814655) + added curl-CVE-2013-1944.patch + +------------------------------------------------------------------- +Thu Feb 7 10:54:15 UTC 2013 - 
vcizek@suse.com + +- fixed CVE-2013-0249 (bnc#802411) +- refreshed patches + +------------------------------------------------------------------- +Fri Jan 11 21:34:38 CET 2013 - sbrabec@suse.cz + +- Break build loop and make GPG signature verification optional. + +------------------------------------------------------------------- +Tue Nov 27 20:05:00 CET 2012 - sbrabec@suse.cz + +- Verify GPG signature. + +------------------------------------------------------------------- +Tue Nov 20 23:43:24 UTC 2012 - crrodriguez@opensuse.org + +- Curl 7.28.1 +* FTP: prevent the multi interface from blocking Obsoletes + curl-ftp-prevent-the-multi-interface-from-blocking.patch +* don't send '#' fragments when using proxy +* OpenSSL: Disable SSL/TLS compression - avoid the "CRIME" attack +* TFTP: handle resend +* memory leak: CURLOPT_RESOLVE with multi interface +* SSL: Several SSL-backend related fixes + +------------------------------------------------------------------- +Sun Nov 4 19:57:33 UTC 2012 - gber@opensuse.org + +- added curl-ftp-prevent-the-multi-interface-from-blocking.patch in + order to prevent the multi interface from blocking when using ftp + and the remote end responds very slowly (sf#3579064) + +------------------------------------------------------------------- +Sun Jul 29 22:14:25 UTC 2012 - crrodriguez@opensuse.org + +- Curl 7.27.0 +* support metalinks +* Add sasl authentication support +* various bugfixes +- Fix previous change, _GNU_SOURCE --> AC_USE_SYSTEM_EXTENSIONS + +------------------------------------------------------------------- +Mon Jul 9 13:12:24 UTC 2012 - dnh@opensuse.org + +- define _GNU_SOURCE for oS/SLES <= 11.4, as O_CLOEXEC is + defined inside a ifdef __USE_GNU + +------------------------------------------------------------------- +Sat May 12 23:24:56 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 7.25.0 +* Added CURLOPT_TCP_KEEPALIVE, CURLOPT_TCP_KEEPIDLE, + CURLOPT_TCP_KEEPINTVL +* use new library-side TCP_KEEPALIVE 
options +* Added a new CURLOPT_MAIL_AUTH option +* Added support for --mail-auth +* (for more see the shipped CHANGES file) + +------------------------------------------------------------------- +Wed Feb 8 00:45:18 UTC 2012 - crrodriguez@opensuse.org + +- Problem with the c-ares backend, workaround for [bnc#745534] + +------------------------------------------------------------------- +Thu Feb 2 18:47:10 UTC 2012 - crrodriguez@opensuse.org + +- Update to version curl 7.24.0 +- refresh patches to fix broken build + +------------------------------------------------------------------- +Wed Jan 18 13:49:56 CET 2012 - dmueller@suse.de + +- use the rpmoptflags unconditionally, don't do own compiler flag + magic. Fixes debuginfo package built + +------------------------------------------------------------------- +Wed Dec 28 10:30:28 UTC 2011 - mmarek@suse.cz + +- Package /usr/share/aclocal to avoid build dependency on automake. + +------------------------------------------------------------------- +Wed Nov 30 22:39:35 UTC 2011 - crrodriguez@opensuse.org + +- Use O_CLOEXEC in library code. + +------------------------------------------------------------------- +Tue Nov 29 11:51:38 UTC 2011 - jengelh@medozas.de + +- Remove redundant/unwanted tags/section (cf. 
specfile guidelines) + +------------------------------------------------------------------- +Tue Nov 29 08:20:23 UTC 2011 - idoenmez@suse.de + +- Use original source tarball + +------------------------------------------------------------------- +Mon Nov 28 12:00:00 UTC 2011 - opensuse@dstoecker.de + +- Update to version 7.23.1: + + Empty headers can be sent in HTTP requests by terminating with a semicolon + + SSL session sharing support added to curl_share_setopt() + + Added support to MAIL FROM for the optional SIZE parameter + + smtp: Added support for NTLM authentication + + curl tool: code split into tool_*.[ch] files + + lots of bugfixes +------------------------------------------------------------------- +Mon Oct 3 15:44:17 UTC 2011 - dimstar@opensuse.org + +- Update to version 7.22.0: + + Added CURLOPT_GSSAPI_DELEGATION + + Added support for NTLM delegation to Samba's winbind daemon + helper ntlm_auth + + Display notes from setup file in testcurl.pl + + BSD-style lwIP TCP/IP stack experimental support on Windows + + OpenSSL: Use SSL_MODE_RELEASE_BUFFERS if available + + --delegation was added to set CURLOPT_GSSAPI_DELEGATION + + nss: start with no database if the selected database is broken + + telnet: allow programatic use on Windows + + for a list of bugfixes, see + http://curl.haxx.se/changes.html#7_22_0 +- Drop curl-openssl-release-buffers.patch: fixed upstream. +- Add curl-fix-m4.patch: Use 'x' in configure scripts. Fixes issues + when configure is run with -Werror -Wall. 
+ +------------------------------------------------------------------- +Sun Sep 18 00:10:42 UTC 2011 - jengelh@medozas.de + +- Remove redundant tags/sections from specfile +- Use %_smp_mflags for parallel build + +------------------------------------------------------------------- +Fri Sep 16 17:22:44 UTC 2011 - jengelh@medozas.de + +- Add curl-devel to baselibs + +------------------------------------------------------------------- +Mon Aug 15 05:05:01 UTC 2011 - crrodriguez@opensuse.org + +- Use SSL_MODE_RELEASE_BUFFERS if available, accepted + in upstream as commit 3d919440c80333c496fb + +------------------------------------------------------------------- +Tue Jul 12 06:46:02 UTC 2011 - coolo@novell.com ++++ 908 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.curl.2733.new/curl.changes New: ---- baselibs.conf curl-7.28.1.tar.lzma curl-7.28.1.tar.lzma.asc curl-CVE-2013-0249.patch curl-CVE-2013-1944.patch curl-CVE-2013-2174.patch curl-CVE-2013-4545.patch curl-CVE-2014-0015-NTLM_connection_reuse.patch curl-CVE-2014-0138.patch curl-CVE-2014-0139.patch curl-test172_cookie_expiration.patch curl.changes curl.keyring curl.spec dont-mess-with-rpmoptflags.diff libcurl-ocloexec.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl.spec ++++++ # # spec file for package curl # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). 
An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

%bcond_without openssl
%bcond_with mozilla_nss
%bcond_without testsuite

Name: curl
Version: 7.28.1
Release: 0
Summary: A Tool for Transferring Data from URLs
License: BSD-3-Clause and MIT
Group: Productivity/Networking/Web/Utilities
Url: http://curl.haxx.se/
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
Source2: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma.asc
Source3: baselibs.conf
Source4: %{name}.keyring
Patch: libcurl-ocloexec.patch
Patch1: dont-mess-with-rpmoptflags.diff
Patch2: curl-CVE-2013-0249.patch
Patch3: curl-CVE-2013-1944.patch
Patch4: curl-CVE-2013-4545.patch
Patch5: curl-CVE-2013-2174.patch
Patch6: curl-CVE-2014-0015-NTLM_connection_reuse.patch
Patch7: curl-test172_cookie_expiration.patch
Patch8: curl-CVE-2014-0138.patch
Patch9: curl-CVE-2014-0139.patch
# Use rpmbuild -D 'VERIFY_SIG 1' to verify signature during build or run one-shot check by "gpg-offline --verify --package=curl curl-*.asc".
%if 0%{?VERIFY_SIG}
BuildRequires: gpg-offline
%endif
BuildRequires: libidn-devel
BuildRequires: libtool
BuildRequires: lzma
BuildRequires: openldap2-devel
BuildRequires: pkg-config
BuildRequires: zlib-devel
%if %{with openssl}
BuildRequires: openssl-devel
%endif
%if %{with mozilla_nss}
BuildRequires: mozilla-nss-devel
%endif
BuildRequires: krb5-devel
BuildRequires: libssh2-devel
BuildRequires: openssh
%if 0%{?_with_stunnel:1}
# used by the testsuite
BuildRequires: stunnel
%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# bug437293
%ifarch ppc64
Obsoletes: curl-64bit
%endif

%description
Curl is a client to get documents and files from or send documents to a
server using any of the supported protocols (HTTP, HTTPS, FTP, FTPS,
TFTP, DICT, TELNET, LDAP, or FILE). The command is designed to work
without user interaction or any kind of interactivity.

%package -n libcurl4
Summary: Version 4 of cURL shared library
Group: Productivity/Networking/Web/Utilities

%description -n libcurl4
The cURL shared library version 4 for accessing data using different
network protocols.

%package -n libcurl-devel
Summary: A Tool for Transferring Data from URLs
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: libcurl4 = %{version}
# curl-devel (v 7.15.5) was last used in 10.2
Provides: curl-devel <= 7.15.5
Obsoletes: curl-devel < 7.16.2

%description -n libcurl-devel
Curl is a client to get documents and files from or send documents to a
server using any of the supported protocols (HTTP, HTTPS, FTP, GOPHER,
DICT, TELNET, LDAP, or FILE). The command is designed to work without
user interaction or any kind of interactivity.

%prep
%if 0%{?VERIFY_SIG}
%gpg_verify %{S:2}
%endif
%setup -q
%patch
%patch1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1

%build
autoreconf -fi
# local hack to make curl-config --libs stop printing libraries it depends on
# (currently, libtool sets link_all_deplibs=(yes|unknown) everywhere,
# will hopefully change in the future)
sed -i 's/link_all_deplibs=unknown/link_all_deplibs=no/' configure
%configure \
	--enable-ipv6 \
%if %{with openssl}
	--with-ssl \
	--with-ca-path=/etc/ssl/certs/ \
%else
	--without-ssl \
%if %{with mozilla_nss}
	--with-nss \
%endif
%endif
	--with-gssapi=/usr/lib/mit \
	--with-libssh2\
	--enable-hidden-symbols \
	--disable-static \
	--enable-threaded-resolver
: if this fails, the above sed hack did not work
./libtool --config | grep -q link_all_deplibs=no
# enable-hidden-symbols needs gcc4 and causes that curl exports only its API
make %{?_smp_mflags}

%if %{with testsuite}
%check
cd tests
make
# make sure the testsuite runs don't race on MP machines in autobuild
if test -z "$BUILD_INCARNATION" -a -r /.buildenv; then
	. /.buildenv
fi
if test -z "$BUILD_INCARNATION"; then
	BUILD_INCARNATION=0
fi
base=$((8990 + $BUILD_INCARNATION * 20))
perl ./runtests.pl -a -b$base || {
%if 0%{?curl_testsuite_fatal:1}
	exit
%else
	echo "WARNING: runtests.pl failed with code $?, continuing nevertheless"
%endif
}
%endif

%install
%{makeinstall}
rm $RPM_BUILD_ROOT%_libdir/libcurl.la
install -d $RPM_BUILD_ROOT/usr/share/aclocal
install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT/usr/share/aclocal/

%post -n libcurl4 -p /sbin/ldconfig

%postun -n libcurl4 -p /sbin/ldconfig

%files
%defattr(-,root,root)
%doc README RELEASE-NOTES
%doc docs/{BUGS,FAQ,FEATURES,MANUAL,RESOURCES,TODO,TheArtOfHttpScripting}
%doc lib/README.curl_off_t
%{_prefix}/bin/curl
%doc %{_mandir}/man1/curl.1%{ext_man}

%files -n libcurl4
%defattr(-,root,root)
%{_libdir}/libcurl.so.4*

%files -n libcurl-devel
%defattr(-,root,root)
%{_prefix}/bin/curl-config
%{_prefix}/include/curl
%dir %{_prefix}/share/aclocal
%{_prefix}/share/aclocal/libcurl.m4
%{_libdir}/libcurl.so
%{_libdir}/pkgconfig/libcurl.pc
%{_mandir}/man1/curl-config.1%{ext_man}
%{_mandir}/man1/mk-ca-bundle.1%{ext_man}
%{_mandir}/man3/*
%doc docs/libcurl/symbols-in-versions

%changelog

++++++ baselibs.conf ++++++
libcurl4
  obsoletes "curl-<targettype> <= <version>"
  provides "curl-<targettype> = <version>"
curl-devel
  requires -curl-<targettype>
  requires "libcurl4-<targettype> = <version>"

++++++ curl-CVE-2013-0249.patch ++++++
From ee45a34907ffeb5fd95b0513040d8491d565b663 Mon Sep 17 00:00:00 2001
From: Eldar Zaitov
Date: Wed, 30 Jan 2013 23:22:27 +0100
Subject: [PATCH] Curl_sasl_create_digest_md5_message: fix buffer overflow

When negotiating SASL DIGEST-MD5 authentication, the function
Curl_sasl_create_digest_md5_message() uses the data provided from the
server without doing the proper length checks and that data is then
appended to a local fixed-size buffer on the stack.
This vulnerability can be exploited by someone who is in control of a
server that a libcurl based program is accessing with POP3, SMTP or
IMAP. For applications that accept user provided URLs, it is also
thinkable that a malicious user would feed an application with a URL to
a server hosting code targeting this flaw.
Bug: http://curl.haxx.se/docs/adv_20130206.html
---
lib/curl_sasl.c | 23 ++++++-----------------
1 file changed, 6 insertions(+), 17 deletions(-)
Index: curl-7.28.1/lib/curl_sasl.c
===================================================================
--- curl-7.28.1.orig/lib/curl_sasl.c 2012-08-08 22:45:18.000000000 +0200
+++ curl-7.28.1/lib/curl_sasl.c 2013-02-07 11:55:15.183277599 +0100
@@ -345,9 +345,7 @@ CURLcode Curl_sasl_create_digest_md5_mes
snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);
/* Prepare the URL string */
- strcpy(uri, service);
- strcat(uri, "/");
- strcat(uri, realm);
+ snprintf(uri, sizeof(uri), "%s/%s", service, realm);
/* Calculate H(A2) */
ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
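Review bot: the new snprintf() into uri ignores its return value, so a service/realm pair that does not fit in sizeof(uri) is silently truncated and H(A2) just below is calculated over the shortened string. The copy is now bounded, but the function carries on as if nothing happened. Compare the return value against sizeof(uri) and return an error code when the string did not fit.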
@@ -391,20 +389,11 @@ CURLcode Curl_sasl_create_digest_md5_mes
for(i = 0; i < MD5_DIGEST_LEN; i++)
snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);
- strcpy(response, "username=\"");
- strcat(response, userp);
- strcat(response, "\",realm=\"");
- strcat(response, realm);
- strcat(response, "\",nonce=\"");
- strcat(response, nonce);
- strcat(response, "\",cnonce=\"");
- strcat(response, cnonce);
- strcat(response, "\",nc=");
- strcat(response, nonceCount);
- strcat(response, ",digest-uri=\"");
- strcat(response, uri);
- strcat(response, "\",response=");
- strcat(response, resp_hash_hex);
+ snprintf(response, sizeof(response),
+ "username=\"%s\",realm=\"%s\",nonce=\"%s\","
+ "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s",
+ userp, realm, nonce,
+ cnonce, nonceCount, uri, resp_hash_hex);
/* Base64 encode the reply */
return Curl_base64_encode(data, response, 0, outptr, outlen);
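Review bot: the added format string writes nc=\"%s\" with quotes, while the removed strcat() sequence emitted nc= followed by nonceCount unquoted, so this hunk changes the generated message in addition to bounding the copy. If the quoting is not intended, use nc=%s to keep the previous output. The snprintf() result is also unchecked here, so an over-long realm or nonce ends up as a truncated response that is still base64-encoded and returned; checking the return value against sizeof(response) and failing would be cleaner.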
++++++ curl-CVE-2013-1944.patch ++++++
diff --git a/lib/cookie.c b/lib/cookie.c
index 35a3731..1aaf669 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co)
free(co);
}
-static bool tailmatch(const char *little, const char *bigone)
+static bool tailmatch(const char *cooke_domain, const char *hostname)
{
- size_t littlelen = strlen(little);
- size_t biglen = strlen(bigone);
+ size_t cookie_domain_len = strlen(cooke_domain);
+ size_t hostname_len = strlen(hostname);
- if(littlelen > biglen)
+ if(hostname_len < cookie_domain_len)
return FALSE;
- return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE;
+ if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
+ return FALSE;
+
+ /* A lead char of cookie_domain is not '.'.
+ RFC6265 4.1.2.3. The Domain Attribute says:
+ For example, if the value of the Domain attribute is
+ "example.com", the user agent will include the cookie in the Cookie
+ header when making HTTP requests to example.com, www.example.com, and
+ www.corp.example.com.
+ */
+ if(hostname_len == cookie_domain_len)
+ return TRUE;
+ if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
+ return TRUE;
+ return FALSE;
}
/*
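Review bot: the added comment states that cookie_domain never starts with '.', but nothing in tailmatch() enforces it. With a leading dot the final test looks at the character before that dot, so a host such as www.example.com would stop matching a domain of .example.com. Either strip a leading dot at the top of the function or assert the precondition, and name in the comment the caller that guarantees it. The parameter is also spelled cooke_domain while the length variable is cookie_domain_len.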
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index 0528a25..b51f524 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -78,6 +78,7 @@ test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \
test1126 test1127 test1128 test1129 test1130 test1131 test1132 \
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
test1208 test1209 test1210 test1211 \
+test1218 \
test1220 \
test1300 test1301 test1302 test1303 test1304 test1305 \
test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
diff --git a/tests/data/test1218 b/tests/data/test1218
new file mode 100644
index 0000000..7d86547
--- /dev/null
+++ b/tests/data/test1218
@@ -0,0 +1,61 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+HTTP proxy
+cookies
+</keywords>
+</info>
+
+# This test is very similar to 1216, only that it sets the cookies from the
+# first site instead of reading from a file
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Tue, 25 Sep 2001 19:37:44 GMT
+Set-Cookie: domain=.example.fake; bug=fixed;
+Content-Length: 21
+
+This server says moo
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP cookies and domains with same prefix
+ </name>
+ <command>
+http://example.fake/c/1218 http://example.fake/c/1218 http://bexample.fake/c/1218 -b nonexisting -x %HOSTIP:%HTTPPORT
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET http://example.fake/c/1218 HTTP/1.1
+Host: example.fake
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://example.fake/c/1218 HTTP/1.1
+Host: example.fake
+Accept: */*
+Proxy-Connection: Keep-Alive
+Cookie: bug=fixed
+
+GET http://bexample.fake/c/1218 HTTP/1.1
+Host: bexample.fake
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+</verify>
+</testcase>
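Review bot: the command line requests example.fake twice and the same-prefix host bexample.fake, but no legitimate subdomain. tailmatch() now has a separate branch for a host whose tail is preceded by '.', and this test never reaches it. Add a request to a subdomain (something like www.example.fake) and expect Cookie: bug=fixed for it in the <protocol> section, so the positive path is pinned as well as the negative one.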
++++++ curl-CVE-2013-2174.patch ++++++
commit 45030219bf8b44270d40fc62e8a02411612d00cc
Author: Daniel Stenberg
From 9db36827fb5eade403143b36566914ee9dc37d7b Mon Sep 17 00:00:00 2001
From: Steve Holme
Date: Thu, 20 Feb 2014 23:51:36 +0000
Subject: [PATCH] url: Fixed connection re-use when using different log-in credentials

In addition to FTP, other connection based protocols such as IMAP, POP3, SMTP, SCP, SFTP and LDAP require a new connection when different log-in credentials are specified. Fixed the detection logic to include these other protocols. Bug: http://curl.haxx.se/docs/adv_20140326A.html --- lib/http.c | 2 +- lib/url.c | 7 ++++--- lib/urldata.h | 2 ++ 3 files changed, 7 insertions(+), 4 deletions(-) Index: curl-7.28.1/lib/http.c =================================================================== --- curl-7.28.1.orig/lib/http.c 2014-04-10 13:48:24.391462756 +0200 +++ curl-7.28.1/lib/http.c 2014-04-10 13:48:26.799485773 +0200 @@ -148,7 +148,7 @@ const struct Curl_handler Curl_handler_h ZERO_NULL, /* readwrite */ PORT_HTTPS, /* defport */ CURLPROTO_HTTP | CURLPROTO_HTTPS, /* protocol */ - PROTOPT_SSL /* flags */ + PROTOPT_SSL | PROTOPT_CREDSPERREQUEST /* flags */ }; #endif Index: curl-7.28.1/lib/url.c =================================================================== --- curl-7.28.1.orig/lib/url.c 2014-04-10 13:48:26.800485782 +0200 +++ curl-7.28.1/lib/url.c 2014-04-10 13:50:40.772766689 +0200 
@@ -3117,10 +3117,10 @@ ConnectionExists(struct SessionHandle *d continue; } } - if((needle->handler->protocol & CURLPROTO_FTP) || - ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) { - /* This is FTP or HTTP+NTLM, verify that we're using the same name - and password as well */ + if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) || + ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) { + /* This protocol requires credentials per connection or is HTTP+NTLM, + so verify that we're using the same name and password as well */ if(!strequal(needle->user, check->user) || !strequal(needle->passwd, check->passwd)) { /* one of them was different */ Index: curl-7.28.1/lib/urldata.h =================================================================== --- curl-7.28.1.orig/lib/urldata.h 2014-04-10 13:48:24.392462766 +0200 +++ curl-7.28.1/lib/urldata.h 2014-04-10 13:48:26.801485792 +0200 @@ -755,6 +755,8 @@ struct Curl_handler { gets a default */ #define PROTOPT_NOURLQUERY (1<<6) /* protocol can't handle url query strings (?foo=bar) ! */ +#define PROTOPT_CREDSPERREQUEST (1<<7) /* requires login creditials per request + as opposed to per connection */ /* return the count of bytes sent, or -1 on error */ ++++++ curl-CVE-2014-0139.patch ++++++
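Review bot: in the connection re-use patch above, the diffstat lists lib/http.c as one changed line (2 +-) and the visible hunk is the handler with PORT_HTTPS, so only that handler gains PROTOPT_CREDSPERREQUEST. The rewritten condition in ConnectionExists() compares user and password for every handler that lacks the flag, where the old condition did so only for FTP and HTTP+NTLM. Please confirm the plain HTTP handler carries the flag too; otherwise HTTP connections stop being re-used across different credentials, which is a behaviour change the commit message does not mention. In the lib/urldata.h hunk the new comment spells "creditials"; "credentials" is meant.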
From f44e3a4d0df9397278735d1520f7681715b83b59 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 3 Mar 2014 11:46:36 +0100
Subject: [PATCH] Curl_cert_hostcheck: reject IP address wildcard matches

There are server certificates used with IP address in the CN field, but
we MUST not allow wildcard certs for hostnames given as IP addresses
only. Therefore we must make Curl_cert_hostcheck() fail such attempts.
Bug: http://curl.haxx.se/docs/adv_20140326B.html
Reported-by: Richard Moore
---
lib/hostcheck.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/lib/hostcheck.c b/lib/hostcheck.c
index 24ddd89..d144f31 100644
--- a/lib/hostcheck.c
+++ b/lib/hostcheck.c
@@ -28,6 +28,7 @@
#include "hostcheck.h"
#include "rawstr.h"
+#include "inet_pton.h"
/*
* Match a hostname against a wildcard pattern.
@@ -43,11 +44,23 @@ static int hostmatch(const char *hostname, const char *pattern)
const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
int wildcard_enabled;
size_t prefixlen, suffixlen;
+ struct in_addr ignored;
+#ifdef ENABLE_IPV6
+ struct sockaddr_in6 si6;
+#endif
pattern_wildcard = strchr(pattern, '*');
if(pattern_wildcard == NULL)
return Curl_raw_equal(pattern, hostname) ?
CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+ /* detect IP address as hostname and fail the match if so */
+ if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
+ return CURL_HOST_NOMATCH;
+#ifdef ENABLE_IPV6
+ else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
+ return CURL_HOST_NOMATCH;
+#endif
+
/* We require at least 2 dots in pattern to avoid too wide wildcard
match. */
wildcard_enabled = 1;
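Review bot: the new comment above the Curl_inet_pton() calls should say that IP literals are rejected only for wildcard patterns. A pattern without '*' has already returned through Curl_raw_equal() a few lines earlier, so an exact IP address in the CN still matches, and the comment as written suggests otherwise. The IPv6 branch also declares a full struct sockaddr_in6 si6 only to pass &si6.sin6_addr; a struct in6_addr would do. The diffstat shows lib/hostcheck.c alone, so a test with an IP literal host against a wildcard CN would be worth adding with this change.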
--
1.9.0
++++++ curl-test172_cookie_expiration.patch ++++++
Index: curl-7.19.7/tests/data/test172
===================================================================
--- curl-7.19.7.orig/tests/data/test172 2008-11-19 22:12:35.000000000 +0100
+++ curl-7.19.7/tests/data/test172 2014-02-04 15:05:46.817554144 +0100
@@ -36,7 +36,7 @@ http://%HOSTIP:%HTTPPORT/we/want/172 -b
.%HOSTIP TRUE /silly/ FALSE 0 ismatch this
.%HOSTIP TRUE / FALSE 0 partmatch present
-%HOSTIP FALSE /we/want/ FALSE 1391252187 nodomain value
+%HOSTIP FALSE /we/want/ FALSE 2139150993 nodomain value
</file>
</client>
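Review bot: the replacement expiry 2139150993 is another fixed timestamp, a date in late 2037 just below the signed 32-bit time_t limit of 2147483647, so test172 will start failing again once that date passes. Add a comment in the test data saying why this value was chosen. The Index: and ---/+++ paths also name curl-7.19.7 while the package being patched is 7.28.1; refresh the patch so its header matches the tree it is applied to.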
++++++ curl.keyring ++++++
pub 1024D/279D5C91 2003-04-28
uid Daniel Stenberg (Haxx)