Accepting request 163742 from home:vitezslav_cizek:branches:devel:libraries:c_c++

- update to 7.30.0 includes security fixes for CVE-2013-0249 and CVE-2013-1944 (bugs bnc#814655 and bnc#802411 respectively) (dropped curl-CVE-2013-0249.patch) - Changes: imap: Changed response tag generation to be completely unique imap: Added support for SASL-IR extension imap: Added support for the list command imap: Added support for the append command imap: Added custom request parsing imap: Added support to the fetch command for UID and SECTION properties imap: Added parsing and verification of the UIDVALIDITY mailbox attribute imap/pop3/smtp: Added support for the STARTTLS capability checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS for new multi interface connection handling Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE, CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control test: offer "automake" output and check for perl better always-multi: always use non-blocking internals imap: Added support for sasl digest-md5 authentication imap: Added support for sasl cram-md5 authentication imap: Added support for sasl ntlm authentication imap: Added support for sasl login authentication imap: Added support for sasl plain text authentication imap: Added support for login disabled server capability mk-ca-bundle: add -f, support passing to stdout and more writeout: -w now supports remote_ip/port and local_ip/port OBS-URL: https://build.opensuse.org/request/show/163742 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=92
2013-04-13 15:46:54 +00:00 · 2013-04-13 15:46:54 +00:00 · 56d1c05470
commit 56d1c05470
parent 8581e3aee5
9 changed files with 101 additions and 134 deletions
--- a/curl-7.28.1.tar.lzma
+++ b/curl-7.28.1.tar.lzma
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:dda2516ffdf991ec0a7bfae319527d40aaefb8ec78c60c85f6c0381f8876708d
-size 2059467
--- a/curl-7.28.1.tar.lzma.asc
+++ b/curl-7.28.1.tar.lzma.asc
@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.12 (GNU/Linux)
-
-iEYEABECAAYFAlCrLdwACgkQeOEcayedXJEWfACgwzpFlCeVscTbj9lVpcDstIeH
-Jy4AnjMtLsxo3wBfcLQg2vS/RqGVvLyq
-=NHEU
-----END PGP SIGNATURE-----
--- a/curl-7.30.0.tar.lzma
+++ b/curl-7.30.0.tar.lzma
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2cc427333447208c34d5afab29e4b1617a4f219e5787b74ec7ef6e89f6edac2a
+size 2145655
--- a/curl-7.30.0.tar.lzma.asc
+++ b/curl-7.30.0.tar.lzma.asc
@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+iEYEABECAAYFAlFntDMACgkQeOEcayedXJE9vwCg2icVm/xDjGiK9lDvBN2Yck5h
+jwIAn2UNo1J6RyA3TRqpnXWMXr1Jjq4g
+=7Wds
+-----END PGP SIGNATURE-----
--- a/curl-CVE-2013-0249.patch
+++ b/curl-CVE-2013-0249.patch
@ -1,62 +0,0 @@
-From ee45a34907ffeb5fd95b0513040d8491d565b663 Mon Sep 17 00:00:00 2001
-From: Eldar Zaitov <kyprizel@volema.com>
-Date: Wed, 30 Jan 2013 23:22:27 +0100
-Subject: [PATCH] Curl_sasl_create_digest_md5_message: fix buffer overflow
-
-When negotiating SASL DIGEST-MD5 authentication, the function
-Curl_sasl_create_digest_md5_message() uses the data provided from the
-server without doing the proper length checks and that data is then
-appended to a local fixed-size buffer on the stack.
-
-This vulnerability can be exploited by someone who is in control of a
-server that a libcurl based program is accessing with POP3, SMTP or
-IMAP. For applications that accept user provided URLs, it is also
-thinkable that a malicious user would feed an application with a URL to
-a server hosting code targetting this flaw.
-
-Bug: http://curl.haxx.se/docs/adv_20130206.html
---
- lib/curl_sasl.c |   23 ++++++-----------------
- 1 file changed, 6 insertions(+), 17 deletions(-)
-
-Index: curl-7.28.1/lib/curl_sasl.c
-===================================================================
--- curl-7.28.1.orig/lib/curl_sasl.c	2012-08-08 22:45:18.000000000 +0200
-+++ curl-7.28.1/lib/curl_sasl.c	2013-02-07 11:55:15.183277599 +0100
-@@ -345,9 +345,7 @@ CURLcode Curl_sasl_create_digest_md5_mes
-     snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);
- 
-   /* Prepare the URL string */
-  strcpy(uri, service);
-  strcat(uri, "/");
-  strcat(uri, realm);
-+  snprintf(uri, sizeof(uri), "%s/%s", service, realm);
- 
-   /* Calculate H(A2) */
-   ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
-@@ -391,20 +389,11 @@ CURLcode Curl_sasl_create_digest_md5_mes
-   for(i = 0; i < MD5_DIGEST_LEN; i++)
-     snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);
- 
-  strcpy(response, "username=\"");
-  strcat(response, userp);
-  strcat(response, "\",realm=\"");
-  strcat(response, realm);
-  strcat(response, "\",nonce=\"");
-  strcat(response, nonce);
-  strcat(response, "\",cnonce=\"");
-  strcat(response, cnonce);
-  strcat(response, "\",nc=");
-  strcat(response, nonceCount);
-  strcat(response, ",digest-uri=\"");
-  strcat(response, uri);
-  strcat(response, "\",response=");
-  strcat(response, resp_hash_hex);
-+  snprintf(response, sizeof(response),
-+           "username=\"%s\",realm=\"%s\",nonce=\"%s\","
-+           "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s",
-+           userp, realm, nonce,
-+           cnonce, nonceCount, uri, resp_hash_hex);
- 
-   /* Base64 encode the reply */
-   return Curl_base64_encode(data, response, 0, outptr, outlen);
--- a/curl-secure-getenv.patch
+++ b/curl-secure-getenv.patch
@ -1,6 +1,8 @@
--- lib/getenv.c.orig
-+++ lib/getenv.c
-@@ -31,6 +31,14 @@
+Index: lib/getenv.c
+===================================================================
+--- lib/getenv.c.orig	2013-04-12 13:31:59.056761437 +0200
+++ lib/getenv.c	2013-04-12 13:36:25.654762399 +0200
+@@ -27,6 +27,14 @@
 
 #include "memdebug.h"
 
@ -15,18 +17,20 @@
 static
 char *GetEnv(const char *variable)
 {
-@@ -45,7 +53,7 @@ char *GetEnv(const char *variable)
+@@ -41,7 +49,7 @@ char *GetEnv(const char *variable)
     ExpandEnvironmentStringsA(temp, env, sizeof(env));
   return (env[0] != '\0')?strdup(env):NULL;
 #else
 -  char *env = getenv(variable);
 +  char *env = secure_getenv(variable);
- #ifdef __VMS
-   if(env && strcmp("HOME",variable) == 0)
-     env = decc_translate_vms(env);
--- configure.ac.orig
-+++ configure.ac
-@@ -3480,6 +3480,8 @@ if test "x$want_curldebug_assumed" = "xy
+   return (env && env[0])?strdup(env):NULL;
+ #endif
+ #endif
+Index: configure.ac
+===================================================================
+--- configure.ac.orig	2013-04-12 13:31:59.057761467 +0200
+++ configure.ac	2013-04-12 13:32:00.823814454 +0200
+@@ -3475,6 +3475,8 @@ if test "x$want_curldebug_assumed" = "xy
   ac_configure_args="$ac_configure_args --enable-curldebug"
 fi
 
--- a/curl.changes
+++ b/curl.changes
@ -1,3 +1,38 @@
+-------------------------------------------------------------------
+Fri Apr 12 11:36:47 UTC 2013 - vcizek@suse.com
+
+- update to 7.30.0
+  includes security fixes for CVE-2013-0249 and CVE-2013-1944
+  (bugs bnc#814655 and bnc#802411 respectively)
+  (dropped curl-CVE-2013-0249.patch)
+- Changes:
+  imap: Changed response tag generation to be completely unique
+  imap: Added support for SASL-IR extension
+  imap: Added support for the list command
+  imap: Added support for the append command
+  imap: Added custom request parsing
+  imap: Added support to the fetch command for UID and SECTION properties
+  imap: Added parsing and verification of the UIDVALIDITY mailbox attribute
+  imap/pop3/smtp: Added support for the STARTTLS capability
+  checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets
+  curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
+  Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS
+    for new multi interface connection handling
+  Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE,
+    CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL
+    and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control
+  test: offer "automake" output and check for perl better
+  always-multi: always use non-blocking internals
+  imap: Added support for sasl digest-md5 authentication
+  imap: Added support for sasl cram-md5 authentication
+  imap: Added support for sasl ntlm authentication
+  imap: Added support for sasl login authentication
+  imap: Added support for sasl plain text authentication
+  imap: Added support for login disabled server capability
+  mk-ca-bundle: add -f, support passing to stdout and more
+  writeout: -w now supports remote_ip/port and local_ip/port
+- refreshed patches
+
 -------------------------------------------------------------------
 Sun Feb 17 17:04:34 UTC 2013 - crrodriguez@opensuse.org

--- a/curl.spec
+++ b/curl.spec
@ -21,7 +21,7 @@
 %bcond_without testsuite

 Name:           curl
-Version:        7.28.1
+Version:        7.30.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        BSD-3-Clause and MIT
@ -33,7 +33,6 @@ Source3:        baselibs.conf
 Source4:        %{name}.keyring
 Patch:          libcurl-ocloexec.patch
 Patch1:         dont-mess-with-rpmoptflags.diff
-Patch2:         curl-CVE-2013-0249.patch
 Patch3:         curl-secure-getenv.patch
 # Use rpmbuild -D 'VERIFY_SIG 1' to verify signature during build or run one-shot check by "gpg-offline --verify --package=curl curl-*.asc".
 %if 0%{?VERIFY_SIG}
@ -100,9 +99,13 @@ user interaction or any kind of interactivity.
 %setup -q
 %patch
 %patch1
-%patch2 -p1
 %patch3
 %build
+# curl complains if macro definition is contained in CFLAGS
+# see m4/xc-val-flgs.m4
+CPPFLAGS="-D_FORTIFY_SOURCE=2"
+CFLAGS=$(echo $RPM_OPT_FLAGS | sed 's/-D_FORTIFY_SOURCE=2//')
+export CPPFLAGS CFLAGS
 autoreconf -fi
 # local hack to make curl-config --libs stop printing libraries it depends on
 # (currently, libtool sets link_all_deplibs=(yes|unknown) everywhere,
--- a/libcurl-ocloexec.patch
+++ b/libcurl-ocloexec.patch
@ -9,9 +9,9 @@ compile time is not enough.

 Index: lib/cookie.c
 ===================================================================
--- lib/cookie.c.orig	2012-08-08 23:38:25.000000000 +0200
-+++ lib/cookie.c	2013-02-07 11:55:15.146276477 +0100
-@@ -736,7 +736,7 @@ struct CookieInfo *Curl_cookie_init(stru
+--- lib/cookie.c.orig	2013-04-12 13:25:07.866367012 +0200
+++ lib/cookie.c	2013-04-12 13:25:29.391017340 +0200
+@@ -750,7 +750,7 @@ struct CookieInfo *Curl_cookie_init(stru
     fp = NULL;
   }
   else
@ -20,7 +20,7 @@ Index: lib/cookie.c
 
   c->newsession = newsession; /* new session? */
 
-@@ -1060,7 +1060,7 @@ static int cookie_output(struct CookieIn
+@@ -1091,7 +1091,7 @@ static int cookie_output(struct CookieIn
     use_stdout=TRUE;
   }
   else {
@ -31,9 +31,9 @@ Index: lib/cookie.c
   }
 Index: lib/file.c
 ===================================================================
--- lib/file.c.orig	2012-11-13 22:04:27.000000000 +0100
-+++ lib/file.c	2013-02-07 11:55:15.147276507 +0100
-@@ -249,7 +249,7 @@ static CURLcode file_connect(struct conn
+--- lib/file.c.orig	2013-04-12 13:25:07.867367042 +0200
+++ lib/file.c	2013-04-12 13:25:29.391017340 +0200
+@@ -243,7 +243,7 @@ static CURLcode file_connect(struct conn
   fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
   file->path = actual_path;
 #else
@ -42,7 +42,7 @@ Index: lib/file.c
   file->path = real_path;
 #endif
   file->freepath = real_path; /* free this when done */
-@@ -347,7 +347,7 @@ static CURLcode file_upload(struct conne
+@@ -341,7 +341,7 @@ static CURLcode file_upload(struct conne
   else
     mode = MODE_DEFAULT|O_TRUNC;
 
@ -53,9 +53,9 @@ Index: lib/file.c
     return CURLE_WRITE_ERROR;
 Index: lib/formdata.c
 ===================================================================
--- lib/formdata.c.orig	2012-08-08 22:45:18.000000000 +0200
-+++ lib/formdata.c	2013-02-07 11:55:15.147276507 +0100
-@@ -1207,7 +1207,7 @@ CURLcode Curl_getformdata(struct Session
+--- lib/formdata.c.orig	2013-04-12 13:25:07.868367072 +0200
+++ lib/formdata.c	2013-04-12 13:25:29.392017370 +0200
+@@ -1234,7 +1234,7 @@ CURLcode Curl_getformdata(struct Session
         FILE *fileread;
 
         fileread = strequal("-", file->contents)?
@ -64,7 +64,7 @@ Index: lib/formdata.c
 
         /*
          * VMS: This only allows for stream files on VMS.  Stream files are
-@@ -1338,7 +1338,7 @@ static size_t readfromfile(struct Form *
+@@ -1365,7 +1365,7 @@ static size_t readfromfile(struct Form *
   else {
     if(!form->fp) {
       /* this file hasn't yet been opened */
@ -75,9 +75,9 @@ Index: lib/formdata.c
     }
 Index: lib/hostip6.c
 ===================================================================
--- lib/hostip6.c.orig	2012-03-08 20:35:24.000000000 +0100
-+++ lib/hostip6.c	2013-02-07 11:55:15.147276507 +0100
-@@ -45,7 +45,7 @@
+--- lib/hostip6.c.orig	2013-04-12 13:25:07.868367072 +0200
+++ lib/hostip6.c	2013-04-12 13:25:29.392017370 +0200
+@@ -39,7 +39,7 @@
 #ifdef HAVE_PROCESS_H
 #include <process.h>
 #endif
@ -86,7 +86,7 @@ Index: lib/hostip6.c
 #include "urldata.h"
 #include "sendf.h"
 #include "hostip.h"
-@@ -113,7 +113,7 @@ bool Curl_ipv6works(void)
+@@ -107,7 +107,7 @@ bool Curl_ipv6works(void)
   static int ipv6_works = -1;
   if(-1 == ipv6_works) {
     /* probe to see if we have a working IPv6 stack */
@ -97,22 +97,22 @@ Index: lib/hostip6.c
       ipv6_works = 0;
 Index: lib/if2ip.c
 ===================================================================
--- lib/if2ip.c.orig	2012-03-08 20:35:24.000000000 +0100
-+++ lib/if2ip.c	2013-02-07 11:55:15.148276537 +0100
-@@ -153,7 +153,7 @@ char *Curl_if2ip(int af, const char *int
+--- lib/if2ip.c.orig	2013-04-12 13:25:07.869367102 +0200
+++ lib/if2ip.c	2013-04-12 13:25:29.393017400 +0200
+@@ -171,7 +171,7 @@ if2ip_result_t Curl_if2ip(int af, unsign
   if(len >= sizeof(req.ifr_name))
-     return NULL;
+     return IF2IP_NOT_FOUND;
 
 -  dummy = socket(AF_INET, SOCK_STREAM, 0);
 +  dummy = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
   if(CURL_SOCKET_BAD == dummy)
-     return NULL;
+     return IF2IP_NOT_FOUND;
 
 Index: lib/netrc.c
 ===================================================================
--- lib/netrc.c.orig	2012-08-08 22:45:18.000000000 +0200
-+++ lib/netrc.c	2013-02-07 11:55:15.148276537 +0100
-@@ -107,7 +107,7 @@ int Curl_parsenetrc(const char *host,
+--- lib/netrc.c.orig	2013-04-12 13:25:07.869367102 +0200
+++ lib/netrc.c	2013-04-12 13:25:29.393017400 +0200
+@@ -97,7 +97,7 @@ int Curl_parsenetrc(const char *host,
     netrc_alloc = TRUE;
   }
 
@ -123,9 +123,9 @@ Index: lib/netrc.c
     char *tok_buf;
 Index: lib/ssluse.c
 ===================================================================
--- lib/ssluse.c.orig	2012-11-13 23:01:17.000000000 +0100
-+++ lib/ssluse.c	2013-02-07 11:55:15.149276568 +0100
-@@ -437,7 +437,7 @@ int cert_stuff(struct connectdata *conn,
+--- lib/ssluse.c.orig	2013-04-12 13:25:07.870367132 +0200
+++ lib/ssluse.c	2013-04-12 13:25:29.394017430 +0200
+@@ -419,7 +419,7 @@ int cert_stuff(struct connectdata *conn,
       STACK_OF(X509) *ca = NULL;
       int i;
 
@ -134,7 +134,7 @@ Index: lib/ssluse.c
       if(!f) {
         failf(data, "could not open PKCS12 file '%s'", cert_file);
         return 0;
-@@ -2274,7 +2274,7 @@ static CURLcode servercert(struct connec
+@@ -2246,7 +2246,7 @@ static CURLcode servercert(struct connec
 
     /* e.g. match issuer name with provided issuer certificate */
     if(data->set.str[STRING_SSL_ISSUERCERT]) {
@ -145,9 +145,9 @@ Index: lib/ssluse.c
           failf(data, "SSL: Unable to open issuer cert (%s)",
 Index: lib/connect.c
 ===================================================================
--- lib/connect.c.orig	2012-11-13 22:02:15.000000000 +0100
-+++ lib/connect.c	2013-02-07 11:55:15.149276568 +0100
-@@ -1238,7 +1238,7 @@ CURLcode Curl_socket(struct connectdata
+--- lib/connect.c.orig	2013-04-12 13:25:07.871367163 +0200
+++ lib/connect.c	2013-04-12 13:25:29.394017430 +0200
+@@ -1308,7 +1308,7 @@ CURLcode Curl_socket(struct connectdata
                                     (struct curl_sockaddr *)addr);
   else
     /* opensocket callback not set, so simply create the socket now */
@ -158,17 +158,17 @@ Index: lib/connect.c
     /* no socket, no connection */
 Index: configure.ac
 ===================================================================
--- configure.ac.orig	2012-09-08 22:39:18.000000000 +0200
-+++ configure.ac	2013-02-07 11:58:27.875122101 +0100
-@@ -180,6 +180,7 @@ AC_CANONICAL_HOST
+--- configure.ac.orig	2013-04-12 13:25:07.873367223 +0200
+++ configure.ac	2013-04-12 13:25:29.396017491 +0200
+@@ -183,6 +183,7 @@ AC_CANONICAL_HOST
 dnl Get system canonical name
 AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS])
 
 +AC_USE_SYSTEM_EXTENSIONS
 dnl Checks for programs.
- CURL_CHECK_PROG_CC
 
-@@ -193,6 +194,7 @@ dnl Our configure and build reentrant se
+ dnl Our curl_off_t internal and external configure settings
+@@ -195,6 +196,7 @@ dnl Our configure and build reentrant se
 CURL_CONFIGURE_THREAD_SAFE
 CURL_CONFIGURE_REENTRANT
 
@ -176,16 +176,3 @@ Index: configure.ac
 dnl check for how to do large files
 AC_SYS_LARGEFILE
 
-Index: m4/curl-compilers.m4
-===================================================================
--- m4/curl-compilers.m4.orig	2012-11-16 13:02:23.000000000 +0100
-+++ m4/curl-compilers.m4	2013-02-07 11:55:15.151276630 +0100
-@@ -1272,7 +1272,7 @@ dnl CPPFLAGS from being unexpectedly cha
- AC_DEFUN([CURL_CHECK_PROG_CC], [
-   ac_save_CFLAGS="$CFLAGS"
-   ac_save_CPPFLAGS="$CPPFLAGS"
-  AC_PROG_CC
-+  AC_PROG_CC_STDC
-   CFLAGS="$ac_save_CFLAGS"
-   CPPFLAGS="$ac_save_CPPFLAGS"
- ])