kumquat-buildroot/package/libcurl/0001-connectionexists-fix-build-without-NTLM.patch
Gustavo Zacarias 4c8e679681 libcurl: security bump to version 7.42.0
Fixes:
CVE-2015-3144 - host name out of boundary memory access
CVE-2015-3145 - cookie parser out of boundary memory access
CVE-2015-3148 - Negotiate not treated as connection-oriented
CVE-2015-3143 - Re-using authenticated connection when unauthenticated

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-23 09:45:03 +02:00

55 lines
1.7 KiB
Diff

From fd9d3a1ef1f7b1cb5812d04bad07818efc6f3b3a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 22 Apr 2015 13:31:35 +0200
Subject: [PATCH 1/2] connectionexists: fix build without NTLM
Do not access NTLM-specific struct fields when built without NTLM
enabled!
bug: http://curl.haxx.se/?i=231
Reported-by: Patrick Rapin
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
lib/url.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index f033dbc..93f15f1 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3069,9 +3069,11 @@ ConnectionExists(struct SessionHandle *data,
struct connectdata *check;
struct connectdata *chosen = 0;
bool canPipeline = IsPipeliningPossible(data, needle);
+#ifdef USE_NTLM
bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
(data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
(needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
+#endif
struct connectbundle *bundle;
*force_reuse = FALSE;
@@ -3208,6 +3210,7 @@ ConnectionExists(struct SessionHandle *data,
continue;
}
+#if defined(USE_NTLM)
if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
(wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
/* This protocol requires credentials per connection or is HTTP+NTLM,
@@ -3217,10 +3220,9 @@ ConnectionExists(struct SessionHandle *data,
/* one of them was different */
continue;
}
-#if defined(USE_NTLM)
credentialsMatch = TRUE;
-#endif
}
+#endif
if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
(needle->bits.httpproxy && check->bits.httpproxy &&
--
2.0.5