Commit Graph

70 Commits

Author SHA1 Message Date
Vicente Olivert Riera
5c913c17b2 libcurl: security bump version to 7.49.1
Fixes CVE-2016-4802, https://curl.haxx.se/docs/adv_20160530.html

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-05-31 12:59:10 +02:00
Vicente Olivert Riera
4e58fe16b2 libcurl: bump version to 7.49.0
Fixes CVE-2016-3739, https://curl.haxx.se/docs/adv_20160518.html.

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
[Thomas: add reference to the CVE being fixed, pointed by Gustavo.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-05-23 17:05:24 +02:00
Gustavo Zacarias
98e28b564e libcurl: bump to version 7.48.0
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-03-25 20:54:27 +01:00
Gustavo Zacarias
0af16e3a92 libcurl: enable mbedtls support
Now that we've got an mbedtls package in the tree we can enable the
optional support for it in libcurl.

We also remove the comment about polarssl support needing version
1.3.x. Indeed, polarssl was renamed to mbedtls when bought by ARM,
which was circa the 1.3.x polarssl release. Due to this referring to
polarssl 1.3.x doesn't make a lot of sense, and we'll probably never
package polarssl 1.3.x in Buildroot now that mbedtls replaces it.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Luca Ceresoli <luca@lucaceresoli.net>
[Thomas: slightly improve commit log as suggested by Luca, using
explanations from Gustavo.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-03-08 21:24:53 +01:00
Gustavo Zacarias
ee467ccd63 libcurl: bump to version 7.47.1
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-02-08 21:26:09 +01:00
Bernd Kuhls
4adae5d2ea package/libcurl: security bump version to 7.47.0
Fixes
CVE-2016-0754: remote file name path traversal in curl tool for Windows
CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-01-28 22:29:08 +01:00
Vicente Olivert Riera
b97525bd61 libcurl: bump version to 7.46.0
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-12-02 21:27:30 +01:00
Yann E. MORIN
71b1d39726 package/libcurl: carefully override LD_LIBRARY_PATH
To build libcurl, we need to override LD_LIBRARY and force it to a sane
value, otherwise libcurl is confused when target == host (see a51ce319,
libcurl: fix configure with openssl when target == host).

That is currently OK, since we always set LD_LIBRARY_PATH to a non-empty
value.

However, we're soon to stop setting it at all.

So, if the user has an empty (or no) LD_LIBRARY_PATH in his envirnment,
we'd end up adding the current working directory to LD_LIBRARY_PATH (as
an empty entry in a colon-separated list is most probably interpreted as
meaning the current working directory, which we do know can cause issue,
and which we expressely check against in support/dependencies/dependencies.sh

Fix that by only using an existing LD_LIBRARY_PATH if it is not empty.
Also use a Makefile construct as it is easier to read than a shell one
(we can do that, as all variables from the environment are available as
make variables).

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <jacmet@uclibc.org>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-11-17 10:00:26 +01:00
Ryan Barnett
83cd80d580 libcurl: fix license typo
The license for libcurl is actually 'ISC' not 'ICS'.

Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-10-27 22:50:56 +01:00
Vicente Olivert Riera
7f4b13cc52 libcurl: bump to version 7.45.0
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-10-08 17:06:51 +02:00
Gustavo Zacarias
cf0fb42a42 libcurl: bump to version 7.44.0
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-09-04 11:57:05 +02:00
Vicente Olivert Riera
fc91ffa2f9 libcurl: bump to version 7.43.0
- Bump to version 7.43.0
- Update hash file

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-06-18 22:41:32 +02:00
John Keeping
ff05e241f8 libcurl: use c-ares if available
By default libcurl uses the C library's DNS resolver which is
synchronous, even if an application is using libcurl's non-blocking mode
of operation.

Configure libcurl to use c-ares if it is selected so that it can resolve
addresses asynchronously if required.

[Peter: explicitly disable c-ares support if not enabled]
Signed-off-by: John Keeping <john@keeping.me.uk>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-05-03 19:25:24 +02:00
Gustavo Zacarias
62592bb660 libcurl: security bump to version 7.42.1
Fixes:
CVE-2013-3153 - sensitive HTTP server headers also sent to proxies.

And drop upstream patches.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-04-29 23:27:02 +02:00
Gustavo Zacarias
63b1fa81ec libcurl: disable curldebug
curldebug is a more advanced form of debugging for curl which audits
source code with the checksource.pl tool, and treats warnings as errors.
Normally users won't want/need this so disable it since it leads to
failed builds when debug info is enabled (which is what people normally
want).
When buildroot does --enable-debug curl inherently enables curldebug too.

Solves bug .

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-23 22:59:05 +02:00
Gustavo Zacarias
4c8e679681 libcurl: security bump to version 7.42.0
Fixes:
CVE-2015-3144 - host name out of boundary memory access
CVE-2015-3145 - cookie parser out of boundary memory access
CVE-2015-3148 - Negotiate not treated as connection-oriented
CVE-2015-3143 - Re-using authenticated connection when unauthenticated

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-23 09:45:03 +02:00
Gustavo Zacarias
1f556833c3 libcurl: bump to version 7.41.0
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-02-25 17:25:54 +01:00
Gustavo Zacarias
4073d1515f libcurl: drop curl* aliases
They're unused hence not useful.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-01-12 12:31:55 +01:00
Gustavo Zacarias
d71a51d0e5 libcurl: security bump to version 7.40.0
Fixes:
CVE-2014-8150 - When libcurl sends a request to a server via a HTTP
proxy, it copies the entire URL into the request and sends if off.
If the given URL contains line feeds and carriage returns those will be
sent along to the proxy too, which allows the program to for example
send a separate HTTP request injected embedded in the URL.

CVE-2014-8151 - libcurl stores TLS Session IDs in its associated Session
ID cache when it connects to TLS servers. In subsequent connects it
re-uses the entry in the cache to resume the TLS connection faster than
when doing a full TLS handshake. The actual implementation for the
Session ID caching varies depending on the underlying TLS backend.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-01-08 19:19:15 +01:00
Gustavo Zacarias
c30e017a1a libcurl: security bump to version 7.39.0
Fixes:
CVE-2014-3707 - libcurl's function curl_easy_duphandle() has a bug that
can lead to libcurl eventually sending off sensitive data that was not
intended for sending.

Removed patch that was upstream and now in the release.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-06 09:09:20 +01:00
Gustavo Zacarias
dbf74f631d libcurl: add hash file
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-10-19 17:35:17 +02:00
Thomas De Schampheleire
aaffd209fa packages: rename FOO_CONF_OPT into FOO_CONF_OPTS
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.

Sed command used:
   find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'

Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-10-04 18:54:16 +02:00
Bernd Kuhls
e15cb988e7 package/libcurl: Backport patch to fix xbmc-related timeout bug
For details see
82d923895a (commitcomment-7952726)

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-09-28 21:54:48 +02:00
Bernd Kuhls
48849055b9 package/libcurl: Remove autoreconf
When libcurl-0001-build-link-curl-to-NSS-libraries-when-NSS-support.patch
was removed the corresponding autoreconf was left behind:
http://git.buildroot.net/buildroot/commit/?id=9185b64ed5599622cb89ca4ee6ee29440b02ec8a

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-09-28 21:53:39 +02:00
Gustavo Zacarias
9185b64ed5 libcurl: security bump to version 7.38.0
Fixes:
CVE-2014-3613 cookie leak with IP address as domain
CVE-2014-3620 cookie leak for TLDs

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-09-11 22:45:20 +02:00
Gustavo Zacarias
c8da1bce78 libcurl: fix nss related build failure
Patch is a reduced set from upstream (removed RELEASE-NOTES chunk or it
doesn't apply, cosmetic only). Fixes:
http://autobuild.buildroot.net/results/d0b/d0bf614006e7c7de749dcea7abd584f0aa142418/

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-07-21 21:51:53 +02:00
Gustavo Zacarias
57c303f624 libcurl: bump to version 7.37.1
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-07-18 19:51:27 +02:00
Gustavo Zacarias
3ea2555944 libcurl: bump to version 7.37.0
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-05-23 22:07:13 +02:00
Gustavo Zacarias
f475b9fc8e libcurl: drop polarssl support
As of curl 7.36.0 it doesn't support polarssl < 1.3 any longer. Fixes:
http://autobuild.buildroot.net/results/d82/d82c3618e9dde3da7e36ba2b58545a9a8de5e442/

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-04-15 21:54:47 +02:00
Gustavo Zacarias
71878d2972 libcurl: security bump to version 7.36.0
Fixes CVE-2014-0005, CVE-2014-0319, CVE-2014-1263 and CVE-2014-2522.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-04-01 14:45:20 +02:00
Gustavo Zacarias
8abdd5fa3e libcurl: security bump to version 7.35.0
Fixes CVE-2014-0015.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-01-29 21:44:00 +01:00
Maxime Hadjinlian
f873de877d libcurl: Add rtmp support
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Cc: Bernd Kuhls <berndkuhls@hotmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-01-26 21:24:19 +01:00
Thomas De Schampheleire
35eaed8d07 Config.in files: use if/endif instead of 'depends on' for main symbol
In the Config.in file of package foo, it often happens that there are other
symbols besides BR2_PACKAGE_FOO. Typically, these symbols only make sense
when foo itself is enabled. There are two ways to express this: with
    depends on BR2_PACKAGE_FOO
in each extra symbol, or with
    if BR2_PACKAGE_FOO
        ...
    endif
around the entire set of extra symbols.

The if/endif approach avoids the repetition of 'depends on' statements on
multiple symbols, so this is clearly preferred. But even when there is only
one extra symbol, if/endif is a more logical choice:
- it is future-proof for when extra symbols are added
- it allows to have just one strategy instead of two (less confusion)

This patch modifies the Config.in files accordingly.

Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2013-12-25 12:21:39 +01:00
Gustavo Zacarias
cbb6cdc69c libcurl: security bump to version 7.34.0
Fixes CVE-2013-4545.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-12-19 23:17:25 +01:00
Gustavo Zacarias
fba3da5638 libcurl: bump to version 7.33.0
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-12-02 08:42:38 +01:00
Gustavo Zacarias
6b8aa11205 libcurl: add security patch for CVE-2013-4545
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-11-18 13:42:42 +01:00
Gustavo Zacarias
62ebea18be curl: fix homepage
cURL's homepage is curl.haxx.se and not curl.haxx.nu

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-11-06 11:59:46 +01:00
Ryan Barnett
d45db95633 libcurl: add support for compiling with libssh2
Adding configuration options that if libssh2 is selected, compile libcurl
with --with-ssh config flag.

Signed-off-by: Ryan Barnett <rjbarnet@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-09-08 21:53:11 +02:00
Gustavo Zacarias
9834bf533e libcurl: extend package support
Add support for gnutls, nss and polarssl backends.
Add support for libidn and zlib.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-09-04 23:50:08 +02:00
Ryan Barnett
9093cc451c libcurl: up revision to 7.32.0
Updating revision of libcurl to version 7.32.0

Signed-off-by: Ryan Barnett <rjbarnet@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-09-02 21:42:41 +02:00
Gustavo Zacarias
6772d5f2f5 curl: add security patch for CVE-2013-2174
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-06-25 09:47:28 +02:00
Alexandre Belloni
8dfd59d114 Normalize separator size to 80
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-06-06 22:30:24 +02:00
Gustavo Zacarias
0a442d05cf libcurl: add security patch for CVE-2013-1944
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-05-11 21:26:42 +02:00
Shawn J. Goff
4f3c8cf94b libcurl: specify capath
Since openssl's path is '/etc/ssl/' (specified in our openssl package),
we should also make sure that's what curl is using.

Previously, it's hasn't been specified, which means it changes depending
on the host system where it's compiled.

Signed-off-by: Shawn J. Goff <shawn7400@gmail.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-04-21 23:15:08 +02:00
Gustavo Zacarias
f167245f60 libcurl: add SASL security patch
Fixes CVE-2013-0249, see http://curl.haxx.se/docs/adv_20130206.html

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-02-18 13:47:52 +01:00
Thomas Petazzoni
e32c29a098 libcurl: re-enable on non-MMU platforms
In 9229b82d63 ('libcurl: needs MMU'),
the libcurl package was disabled on non-MMU systems, due to the usage
of the fork() function in the library.

However, a deeper inspection reveals that fork() is only used in the
implementation of NTLM, an obscure, undocumented, Microsoft specific
authentication method that apparently isn't common anymore. See
http://curl.haxx.se/docs/manpage.html#--ntlm.

Therefore, this commit re-enables libcurl on non-MMU systems by
explicitly disabling the NTLM support. If someone ever needs NTLM
support in Buildroot's libcurl package, it will always be time to add
a libcurl sub-option to enable it.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-02-17 23:02:01 +01:00
Thomas Petazzoni
a5ce857674 package: use <pkg>_CONFIG_SCRIPTS wherever possible
Use the <pkg>_CONFIG_SCRIPTS mechanism in all packages for which it
does all what the package was doing. A few packages, like libxslt, are
for now left out, since they need some additional fixup (for example a
fixup of includedir).

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-02-08 22:34:26 +01:00
Maxime Ripard
9229b82d63 libcurl: needs MMU
Fixes
http://autobuild.buildroot.org/results/5a502f16ad94a410ca21c9a7f223d6c12086bbb5/build-end.log

Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2012-12-19 09:52:06 +01:00
Gustavo Zacarias
c0170428f9 libcurl: bump to version 7.28.1
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2012-12-05 00:40:33 -08:00
Yann E. MORIN
61d322c3d2 package/cURL: fix static link whith openSSL
When openSSL is selected, cURL is configured to use it.

But in this case, the libcurl.pc file /forgets/ to require link
against -ldl.

This can happen, for example, when BR2_PREFER_STATIC_LIB is not set,
but an executable wants to be linked statically (for various reasons
which are irrelevant here).

Fix that by appending a 'Requires: openssl' line to libcurl.pc.in,
but only if openSSL is enabled.

As suggested by Arnout, do it in a post-patch hook, rather as a
post-install hook.

Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2012-12-02 23:21:00 -08:00