libcurl: security bump to version 7.42.0

Fixes:
CVE-2015-3144 - host name out of boundary memory access
CVE-2015-3145 - cookie parser out of boundary memory access
CVE-2015-3148 - Negotiate not treated as connection-oriented
CVE-2015-3143 - Re-using authenticated connection when unauthenticated

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit is contained in:
Gustavo Zacarias 2015-04-23 02:46:07 -03:00 committed by Thomas Petazzoni
parent 096772d430
commit 4c8e679681
4 changed files with 104 additions and 2 deletions

View File

@ -0,0 +1,54 @@
From fd9d3a1ef1f7b1cb5812d04bad07818efc6f3b3a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 22 Apr 2015 13:31:35 +0200
Subject: [PATCH 1/2] connectionexists: fix build without NTLM
Do not access NTLM-specific struct fields when built without NTLM
enabled!
bug: http://curl.haxx.se/?i=231
Reported-by: Patrick Rapin
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
lib/url.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index f033dbc..93f15f1 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3069,9 +3069,11 @@ ConnectionExists(struct SessionHandle *data,
struct connectdata *check;
struct connectdata *chosen = 0;
bool canPipeline = IsPipeliningPossible(data, needle);
+#ifdef USE_NTLM
bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
(data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
(needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
+#endif
struct connectbundle *bundle;
*force_reuse = FALSE;
@@ -3208,6 +3210,7 @@ ConnectionExists(struct SessionHandle *data,
continue;
}
+#if defined(USE_NTLM)
if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
(wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
/* This protocol requires credentials per connection or is HTTP+NTLM,
@@ -3217,10 +3220,9 @@ ConnectionExists(struct SessionHandle *data,
/* one of them was different */
continue;
}
-#if defined(USE_NTLM)
credentialsMatch = TRUE;
-#endif
}
+#endif
if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
(needle->bits.httpproxy && check->bits.httpproxy &&
--
2.0.5

View File

@ -0,0 +1,48 @@
From 85c45d153b901d3f69dd5713924039c011477612 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 22 Apr 2015 13:58:10 +0200
Subject: [PATCH 2/2] connectionexists: follow-up to fd9d3a1ef1f
PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
enabled.
Mistake-caught-by: Kamil Dudka
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
lib/url.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index 93f15f1..7dc5c45 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3210,9 +3210,11 @@ ConnectionExists(struct SessionHandle *data,
continue;
}
-#if defined(USE_NTLM)
- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
- (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
+ if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))
+#ifdef USE_NTLM
+ || (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)
+#endif
+ ) {
/* This protocol requires credentials per connection or is HTTP+NTLM,
so verify that we're using the same name and password as well */
if(!strequal(needle->user, check->user) ||
@@ -3220,9 +3222,10 @@ ConnectionExists(struct SessionHandle *data,
/* one of them was different */
continue;
}
+#if defined(USE_NTLM)
credentialsMatch = TRUE;
- }
#endif
+ }
if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
(needle->bits.httpproxy && check->bits.httpproxy &&
--
2.0.5

View File

@ -1,2 +1,2 @@
# Locally calculated after checking pgp signature
sha256 9f8b546bdc5c57d959151acae7ce6610fe929d82b8d0fc5b25a3a2296e5f8bea curl-7.41.0.tar.bz2
sha256 32557d68542f5c6cc8437b5b8a945857b4c5c6b6276da909e35b783d1d66d08f curl-7.42.0.tar.bz2

View File

@ -4,7 +4,7 @@
#
################################################################################
LIBCURL_VERSION = 7.41.0
LIBCURL_VERSION = 7.42.0
LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2
LIBCURL_SITE = http://curl.haxx.se/download
LIBCURL_DEPENDENCIES = host-pkgconf \