Commit Graph

137 Commits

Author SHA1 Message Date
Bernd Kuhls
87f8356a2b package/libcurl: bump version to 7.75.0
Updated license hash due to copyright year bump:
275c28e650

Changelog: https://curl.se/changes.html

Release notes:
https://daniel.haxx.se/blog/2021/02/03/curl-7-75-0-is-smaller/
"No new security advisories this time!"

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-05 08:05:06 +01:00
Fabrice Fontaine
4b6202f721 Replace LIBFOO_CPE_ID_NAME by LIBFOO_CPE_ID_PRODUCT
Replace LIBFOO_CPE_ID_NAME by LIBFOO_CPE_ID_PRODUCT to better "comply"
with the official "Well-Formed CPE Name Data Model" parameters:
 - https://csrc.nist.gov/publications/detail/nistir/7695/final
 - https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-21 22:43:24 +01:00
Matt Weber
63332c33aa package: provide CPE ID details for numerous packages
This patch adds CPE ID information for a significant number of
packages.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-04 21:43:54 +01:00
Baruch Siach
365ab82008 libcurl: security bump to version 7.74.0
Fixes security issues:

CVE-2020-8286: Inferior OCSP verification

CVE-2020-8285: FTP wildcard stack overflow

CVE-2020-8284: trusting FTP PASV responses

Drop upstream patch.

Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-25 22:16:01 +01:00
Baruch Siach
0fa9af8be0 package/libcurl: fix build with libssh2 and disabled proxy
Add patch fixing build of libssh2 support when
BR2_PACKAGE_LIBCURL_PROXY_SUPPORT is disabled.

Fixes:
http://autobuild.buildroot.net/results/113407c1721b601cf2b721d0b78392622000cc3f/
http://autobuild.buildroot.net/results/a5abdcc6a12d2326da0fe3daf9ecbb96e5c6cac3/
http://autobuild.buildroot.net/results/ab1f7b9837ac74fad359e6c239f45ed25ad31df3/

Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-10-26 08:12:26 +01:00
Baruch Siach
2d0be6577e package/libcurl: bump to version 7.73.0
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-10-24 22:51:01 +02:00
Titouan Christophe
4a55c2743b package/libcurl: security bump to 7.72.0
This new version fixes, amongst many other things, CVE-2020-8231
(https://curl.haxx.se/docs/CVE-2020-8231.html). See the full changelog
on https://curl.haxx.se/changes.html#7_72_0 .

Also drop the 4 patches, that have all been released upstream.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-23 22:36:10 +02:00
Baruch Siach
30a73893f5 package/libcurl: fix build against gnutls with proxy disabled
Add upstream patch (#4) fixing build with gnutls when
BR2_PACKAGE_LIBCURL_PROXY_SUPPORT is disabled.

Patch #4 depends on #3 to apply so add this one as well.

Fixes:
http://autobuild.buildroot.net/results/31d7204869ff71319ea055688c919a646bfb200b/
http://autobuild.buildroot.net/results/f8d2fb919475cdff4a36ad93071048ee09193b98/
http://autobuild.buildroot.net/results/2f07a0ac1240a6040a3509d2ebf06906a31fd172/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-07-28 22:57:47 +02:00
Baruch Siach
645ecd0dcc package/libcurl: fix no-proxy build with bearssl and nss
Add two patches fixing build against BearSSL and NSS TLS implementations
when BR2_PACKAGE_LIBCURL_PROXY_SUPPORT is disabled.

Fixes:
http://autobuild.buildroot.net/results/4d37d9163bfece536974f15f16b2ebfc5fabc539/
http://autobuild.buildroot.net/results/387e8baa13d0f07ed4dfd5b6ee3b933d4843c0e8/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-07-09 22:17:58 +02:00
Baruch Siach
8360886fb2 package/libcurl: bump to version 7.71.1
This release fixes build with BR2_PACKAGE_LIBCURL_PROXY_SUPPORT disabled
and mbedtls enabled.

Add reference to upstream tarball signature.

Fixes:
http://autobuild.buildroot.net/results/f32b6ab927560839cacaa1b9e6b64ced92b9ffe3/
http://autobuild.buildroot.net/results/566f0db496f6d1feefd9d3e6b6955a2539670735/
http://autobuild.buildroot.net/results/19de1111318aea863118c9b0b44dc282f011918f/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-07-03 21:28:35 +02:00
Baruch Siach
8370769d4a package/libcurl: security bump to version 7.71.0
CVE-2020-8177: curl overwrite local file with -J.

CVE-2020-8169: Partial password leak over DNS on HTTP redirect.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-06-24 21:22:34 +02:00
Matt Weber
88aebf5fcb package/libcurl: bump to 7.70.0
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-09 21:58:11 +02:00
Bernd Kuhls
de3de7e158 package/libcurl: bump version to 7.69.1
Changelog: https://curl.haxx.se/changes.html

Removed polarssl configure options, upstream removed polarssl support:
https://curl.haxx.se/bug/?i=4825

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-20 19:44:33 +01:00
Fabrice Fontaine
984b91447a package/libcurl: add bearssl support
bearssl support is available since version 7.68.0 and
9b879160df

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-15 15:57:23 +01:00
Baruch Siach
2a057339cc package/libcurl: rename curl binary config symbol
Package optional or choice config symbols are usually prefixed with the
package config symbol name. Rename BR2_PACKAGE_CURL to
BR2_PACKAGE_LIBCURL_CURL to conform.

Update references to the old name.

Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 11:20:23 +01:00
Peter Korsgaard
2e88c9c085 package/libcurl: bump version to 7.68.0
Notice that 7.68.0 includes a Windows-only security fix:

- CVE-2019-15601: SMB access smuggling via FILE URL on Windows
  https://curl.haxx.se/docs/CVE-2019-15601.html

So not applicable to Buildroot.

Update the license hash for a copyright year update:

-Copyright (c) 1996 - 2019, Daniel Stenberg, <daniel@haxx.se>, and many
+Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-01-08 09:31:04 +01:00
Yann E. MORIN
4fea071c61 package/libcurl: add option for no SSL/TLS support
Since we already have a choice to select the backend to do crypto, push
the limits even further and add an option to do no crypto.

Usually, we would have added that option first in the choice, but if we
were to do that now, existing defconfigs that previously used openssl
(the first item in the choice) would now default to non crypto, which is
not so nice. So we add the new option last in the choice.

Each crypto backend option is used in a conditional block, each of which
default to disabling said backend. So, selecting none will indeed
disable all.

We can now drop the blind intermediate option that would hide the choice
when no backend library was available; there will now always be at least
the none option in the choice, so we need not hide it.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Baruch Siach <baruch@tkos.co.il>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Julien Grossholtz <julien.grossholtz@openest.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-12-31 18:11:45 +01:00
Julien Grossholtz
d08c76e45d libcurl: add wolfssl as an option for TLS
Libcurl recipe allows selecting between various TLS backends. Users can
already select between several options but WolfSSL was missing. WolfSSL
is an efficient TLS library, it supports TLS 1.3 and is used in many
embedded systems.

Add WolfSSL to libcurl "SSL/TLS library to use" choice list when WolfSSL
package is enabled. When selected in the list, use libcurl
--with-wolfssl configure option. Explicitly set --without-wolfssl
when it is not selected.

Signed-off-by: Julien Grossholtz <julien.grossholtz@openest.io>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2019-12-31 17:24:34 +01:00
Matt Weber
e51830407f package/libcurl: bump to 7.67.0
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-11-16 23:44:39 +01:00
Peter Korsgaard
2683200065 package/libcurl: security bump to version 7.66.0
Fixes the following security vulnerabilities:

CVE-2019-5481: FTP-KRB double-free
https://curl.haxx.se/docs/CVE-2019-5481.html

CVE-2019-5482: TFTP small blocksize heap buffer overflow
https://curl.haxx.se/docs/CVE-2019-5482.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-15 09:10:45 +02:00
Thomas De Schampheleire
02e6805010 package/libcurl: introduce options to extend/reduce feature set
Libcurl is more than 250 KiB (libcurl) / 100 KiB (curl binary) in size.
About 50 KiB / 15 KiB of this can be saved by disabling features/protocols
that are not commonly needed:

- proxy support: 15 KiB
- cookies support: 10 KiB
- various less common protocols: 25 KiB (libcurl) + 15 KiB (curl binary)

Note that the exact amount of space saved depends on the architecture,
toolchain, and other factors.

Other packages that are selecting libcurl might require protocols from the
'extra' set. But, there is no clear way to find out which packages are in
this situation, in particular because issues may only be visible at runtime.

Note: remove the text 'enable' on the option for 'verbose strings' as that
is more common in Buildroot.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[Peter: unconditionally remove the libcurl-option to generate C code]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 12:11:19 +02:00
Pierre-Jean Texier
3fac250944 package/libcurl: bump to version 7.65.3
A very small fix for the progress meter regression in 7.65.2.

See https://curl.haxx.se/mail/lib-2019-07/0052.html

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-28 22:40:02 +02:00
Pierre-Jean Texier
28e91cf3a0 package/libcurl: bump to version 7.65.2
Contains a number of fixes for issues discovered post-7.65.1.
For details, see full changelog:

https://curl.haxx.se/changes.html#7_65_2

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-07-18 22:42:36 +02:00
Peter Korsgaard
1272878fd0 package/libcurl: bump version to 7.65.1
Fixes a number of bugs discovered after the 7.65.0 release.

https://daniel.haxx.se/blog/2019/06/05/7-65-1-patched-up-and-ready-to-go/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 14:17:34 +02:00
Peter Korsgaard
7f60180f5c package/libcurl: security bump to version 7.65.0
Fixes the following security vulnerabilities:

- CVE-2019-5435: Integer overflows in curl_url_set()
  https://curl.haxx.se/docs/CVE-2019-5435.html

- CVE-2019-5436: TFTP receive buffer overflow
  https://curl.haxx.se/docs/CVE-2019-5436.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-05-23 10:03:41 +02:00
Peter Korsgaard
48da1bc9fd package/libcurl: bump to version 7.64.1
Contains a number of fixes for issues discovered post-7.64.0.  For details,
see the list of changes:

https://curl.haxx.se/changes.html#7_64_1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-27 20:13:44 +01:00
Trent Piepho
1f2d3000c4 libcurl: fix typo in configure option w/o OpenSSL
When not using OpenSSL, the correct option to configure is --without-ssl
with two dashes.

Fixes: b8b78e7e6a ("libcurl: Allow selection of TLS package libcurl will use")

Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-02-20 22:32:21 +01:00
Peter Korsgaard
e8a361b8d7 package/libcurl: security bump to version 7.64.0
Fixes the following security issues:

CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
https://curl.haxx.se/docs/CVE-2018-16890.html

CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
https://curl.haxx.se/docs/CVE-2019-3822.html

CVE-2019-3823: SMTP end-of-response out-of-bounds read
https://curl.haxx.se/docs/CVE-2019-3823.html

The copyright year changed in the COPYING file, so update the hash.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-02-06 20:32:55 +01:00
Trent Piepho
43b4d3ae45 package/libcurl: use GnuTLS's default cert path
libcurl doesn't find any trust path for CA certs when it cross-compiles.
When using OpenSSL, it is explicitly configured to use the SSL cert
directory with OpenSSL style hash files in it.  But with GnuTLS, it gets
nothing.

Rather than configure libcurl to use the OpenSSL directory or a bundle
file, configure it to use the GnuTLS default.  This way the CA certs
path can be configured in one place (gnutls) and then libcurl and anyone
else who uses gnutls can default to that.

Also, when libcurl with gnutls is configured to use a directory, it ends
up loading each cert three times.

Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-12-03 21:26:22 +01:00
Trent Piepho
97060f445e libcurl: Don't need --without-(ssl/gnutls/nss/mbedtls) twice
Remove the --without-* options from the yes side of the TLS libraries
selection checks.

Since the --without-* option is now specified when the corresponding TLS
library is not being used, it's no longer necessary when enabling a TLS
library to explicity list all the other TLS libs that curl should not
use.

Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-11-13 08:25:36 +01:00
Trent Piepho
b8b78e7e6a libcurl: Allow selection of TLS package libcurl will use
Instead of defaulting to OpenSSL, allow selection of package to use
through a choice in libcurl's config.  The default will be to select the
first enabled TLS provider in the same preference order as is used now,
i.e. no change from current behavior.

Some of the alternative libraries have advantages over OpenSSL in
certain areas.

For example, gnutls has vastly superior PKCS11 support.  One can use
client TLS private keys by supplying a PKCS11 URI instead of a private
key file name.  The TLS server cert trust store can be a PKCS11 URI,
e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust".
Now server certs can be stored in a software and/or hardware HSM(s).
This doesn't work with OpenSSL.

However, some software only supports OpenSSL for TLS or other crypto
functions.  So it might be necessary to enable OpenSSL for that reason.

Signed-off-by: Trent Piepho <tpiepho@impinj.com>
[Peter: add BR2_PACKAGE_LIBCURL_TLS_SUPPORT and use it to hide choice &
	comment, explitly pass --without-foo if option is not enabled,
	only do .pc fixup if BR2_PACKAGE_LIBCURL_OPENSSL is enabled]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-11-12 22:24:18 +01:00
Peter Korsgaard
c1a01ac2f1 libcurl: security bump to version 7.62.0
Fixes the following security issues:

CVE-2018-16839: SASL password overflow via integer overflow
https://curl.haxx.se/docs/CVE-2018-16839.html

CVE-2018-16840: use-after-free in handle close
https://curl.haxx.se/docs/CVE-2018-16840.html

CVE-2018-16842: warning message out-of-buffer read
https://curl.haxx.se/docs/CVE-2018-16842.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-10-31 09:48:06 +01:00
Peter Korsgaard
87d58cccf1 libcurl: security bump to version 7.61.1
Fixes CVE-2018-14618: NTLM password overflow via integer overflow

For more details, see the advisory:
https://curl.haxx.se/docs/CVE-2018-14618.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-09-06 09:35:21 +02:00
Michaël Burtin
9b733d45f4 libcurl: add nghttp2 optional dependency
The nghttp2 package has recently been added to buildroot. When
enabled, this adds support for HTTP2 to libcurl.

By default, libcurl configure script will enable HTTP2 if the library
is found using pkg-config. Adding this option makes the build
consistent.

Signed-off-by: Michaël Burtin <michael.burtin@netgem.com>
Signed-off-by: Anisse Astier <anisse.astier.ext@netgem.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-07-19 16:59:55 +02:00
Baruch Siach
bf79731153 libcurl: security bump to version 7.61.0
Fixes CVE-2018-0500: curl might overflow a heap based memory buffer when
sending data over SMTP and using a reduced read buffer.

Drop upstream patch.

Add reference to tarball signature key.

Drop CRYPTO_lock seed. Removed from configure script since 7.45.

Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-07-12 22:18:54 +02:00
Peter Korsgaard
8b0fd3cb49 Merge branch 'next'
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-06-02 11:21:20 +02:00
Fabrice Fontaine
624603328a libcurl: fix build with ssh2 and static mbedtls
The ssh2 pkg-config file could contain the following lines when build
with a static version of mbedtls:
   Libs: -L${libdir} -lssh2 /xxx/libmbedcrypto.a
   Libs.private: /xxx/libmbedcrypto.a

This static mbedtls library must be used to correctly detect ssh2
support and this library must be copied in libcurl.pc otherwise
compilation of any application (such as upmpdcli) with libcurl will fail
when trying to find mbedtls functions included in libssh2.

So, replace pkg-config --libs-only-l by pkg-config --libs.

Fixes:
 - http://autobuild.buildroot.net/results/43e24b22a77f616d6198c10435dcc23cc3b9088a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-05-27 23:42:10 +02:00
Fabrice Fontaine
8451acf298 libcurl: replace libidn by libidn2
libidn has been replaced by libidn2 since 7.51.0 (October 2016):
9c91ec7781

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-05-20 16:10:43 +02:00
Baruch Siach
051e2f2d0b libcurl: security bump to version 7.60.0
Drop upstream patch.

This release fixes the security issues listed below.

CVE-2018-1000300: curl might overflow a heap based memory buffer when
closing down an FTP connection with very long server command replies.

  https://curl.haxx.se/docs/adv_2018-82c2.html

CVE-2018-1000301: curl can be tricked into reading data beyond the end
of a heap based buffer used to store downloaded content.

  https://curl.haxx.se/docs/adv_2018-b138.html

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-05-19 13:47:21 +02:00
Adam Duskett
c4b8832cfc libcurl: fix building against libressl
LibreSSL 2.7.x breaks libcurl 7.59.0 with the error:
error: static declaration of ‘OpenSSL_version_num’ follows non-static
declaration

This failure has since been fixed upstream with commit:
7c90c93c0b

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-05-01 15:17:39 +02:00
Baruch Siach
e7d658e029 libcurl: add brotli optional dependency
The brotli package has recently been added to Buildroot. Add brotli an
an optional dependency to libcurl to make the build consistent.

It turns out that libcurl configure script uses pkg-config to figure
out link libraries only when --with-brotli is explicitly set. So this
also fixes static build failure.

Fixes:
http://autobuild.buildroot.net/results/64b/64bc0dfe284206390ae0680b94c0876863a3c0f3/
http://autobuild.buildroot.net/results/233/23376d8653dea6361e42b0f17b6aaab3c14d99cf/
http://autobuild.buildroot.net/results/b19/b198db4b69e18e6d01ec95aae9c6096c1912dd9c/

Cc: Adrian Perez de Castro <aperez@igalia.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-04-03 00:28:45 +02:00
Baruch Siach
bf3476e5b1 libcurl: security bump to version 7.59.0
CVE-2018-1000120: curl could be fooled into writing a zero byte out of
bounds when curl is told to work on an FTP URL with the setting to only
issue a single CWD command, if the directory part of the URL contains a
"%00" sequence.

https://curl.haxx.se/docs/adv_2018-9cd6.html

CVE-2018-1000121: curl might dereference a near-NULL address when
getting an LDAP URL.

https://curl.haxx.se/docs/adv_2018-97a2.html

CVE-2018-1000122: When asked to transfer an RTSP URL, curl could
calculate a wrong data length to copy from the read buffer.

https://curl.haxx.se/docs/adv_2018-b047.html

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-03-16 10:34:28 +01:00
Eric Le Bihan
736e0fc5d6 libcurl: add host variant
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-02-05 14:57:48 +01:00
Baruch Siach
e02dd5a492 libcurl: security bump to version 7.58.0
Fixes CVE-2018-1000007: libcurl might leak authentication data to third
parties.

https://curl.haxx.se/docs/adv_2018-b3bf.html

Fixes CVE-2018-1000005: libcurl contains an out bounds read in code handling
HTTP/2 trailers.

https://curl.haxx.se/docs/adv_2018-824a.html

Update license hash due to copyright year change.

[Peter: also add CVE-2018-1000005 reference]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-26 09:11:23 +01:00
Peter Korsgaard
fb2ed96198 libcurl: security bump to version 7.57.0
Fixes the following security issues:

- CVE-2017-8816: NTLM buffer overflow via integer overflow
- CVE-2017-8817: FTP wildcard out of bounds read
- CVE-2017-8818: SSL out of buffer access

For more details, see the changelog:
https://curl.haxx.se/changes.html#7_57_0

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-11-30 10:29:57 +01:00
Peter Korsgaard
62d4dd2999 libcurl: security bump to version 7.56.1
Fixes CVE-2017-1000257 - IMAP FETCH response out of bounds read

https://curl.haxx.se/docs/adv_20171023.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-10-25 09:44:09 +02:00
Peter Korsgaard
9d95b93e5d libcurl: security bump to version 7.56.0
Drop upstreamed patch.

Fixes CVE-2017-1000254 - FTP PWD response parser out of bounds read:

https://curl.haxx.se/docs/adv_20171004.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-10-05 22:40:14 +02:00
Baruch Siach
10e998e7cc libcurl: fix build without threads
When c-ares is not enabled libcurl enables the threaded DNS resolver by
default. Make sure the threaded resolvers is disabled when the toolchain
does not support threads.

Add upstream patch that fixes the configure option for disabling the
threaded resolver.

Fixes:
http://autobuild.buildroot.net/results/39f/39fa63fb2ecb75e4b2521d1ee3dfa357c4e5c594/
http://autobuild.buildroot.net/results/dfd/dfd296086d0d6bed73b92fe2fa4ba5434dddf796/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-09-13 08:22:11 +02:00
Baruch Siach
3f6c10df67 libcurl: bump to version 7.55.1
Drop upstream patch.

Add license hash.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-09-09 22:18:10 +02:00
Thomas Petazzoni
6361a50e3f libcurl: fix build on uncommon architectures
Since the bump to 7.55.0, libcurl fails to build on a number of
uncommon architectures (ARC, OpenRISC, etc.). This is due to upstream
commit 73a2fcea0b4adea6ba342cd7ed1149782c214ae3 ("includes: remove
curl/curlbuild.h and curl/curlrules.h"), which makes libcurl rely on
more architecture-specific related defines in include/curl/system.h.

This commit therefore adds a patch that fixes the 32-bit vs. 64-bit
detection for all architecture, using gcc's __SIZEOF_LONG__
definition. It has been tested successfully with test-pkg on all 47
toolchain configurations.

Fixes:

  http://autobuild.buildroot.net/results/bf26c08cf3267214278674472f931603f69951ae/
  (and many similar issues)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-08-11 22:06:36 +02:00