From 56d1c05470d088c0b4b3ff824c2dc3ab23143f62ca1304e8c870bab1ef07dadf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Sat, 13 Apr 2013 15:46:54 +0000 Subject: [PATCH] Accepting request 163742 from home:vitezslav_cizek:branches:devel:libraries:c_c++ - update to 7.30.0 includes security fixes for CVE-2013-0249 and CVE-2013-1944 (bugs bnc#814655 and bnc#802411 respectively) (dropped curl-CVE-2013-0249.patch) - Changes: imap: Changed response tag generation to be completely unique imap: Added support for SASL-IR extension imap: Added support for the list command imap: Added support for the append command imap: Added custom request parsing imap: Added support to the fetch command for UID and SECTION properties imap: Added parsing and verification of the UIDVALIDITY mailbox attribute imap/pop3/smtp: Added support for the STARTTLS capability checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS for new multi interface connection handling Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE, CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control test: offer "automake" output and check for perl better always-multi: always use non-blocking internals imap: Added support for sasl digest-md5 authentication imap: Added support for sasl cram-md5 authentication imap: Added support for sasl ntlm authentication imap: Added support for sasl login authentication imap: Added support for sasl plain text authentication imap: Added support for login disabled server capability mk-ca-bundle: add -f, support passing to stdout and more writeout: -w now supports remote_ip/port and local_ip/port OBS-URL: https://build.opensuse.org/request/show/163742 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=92 --- curl-7.28.1.tar.lzma | 3 -- curl-7.28.1.tar.lzma.asc | 7 ---- curl-7.30.0.tar.lzma | 3 ++ curl-7.30.0.tar.lzma.asc | 7 ++++ curl-CVE-2013-0249.patch | 62 ----------------------------- curl-secure-getenv.patch | 24 +++++++----- curl.changes | 35 +++++++++++++++++ curl.spec | 9 +++-- libcurl-ocloexec.patch | 85 +++++++++++++++++----------------------- 9 files changed, 101 insertions(+), 134 deletions(-) delete mode 100644 curl-7.28.1.tar.lzma delete mode 100644 curl-7.28.1.tar.lzma.asc create mode 100644 curl-7.30.0.tar.lzma create mode 100644 curl-7.30.0.tar.lzma.asc delete mode 100644 curl-CVE-2013-0249.patch diff --git a/curl-7.28.1.tar.lzma b/curl-7.28.1.tar.lzma deleted file mode 100644 index 9681441..0000000 --- a/curl-7.28.1.tar.lzma +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:dda2516ffdf991ec0a7bfae319527d40aaefb8ec78c60c85f6c0381f8876708d -size 2059467 diff --git a/curl-7.28.1.tar.lzma.asc b/curl-7.28.1.tar.lzma.asc deleted file mode 100644 index 4480f66..0000000 --- a/curl-7.28.1.tar.lzma.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.12 (GNU/Linux) - -iEYEABECAAYFAlCrLdwACgkQeOEcayedXJEWfACgwzpFlCeVscTbj9lVpcDstIeH -Jy4AnjMtLsxo3wBfcLQg2vS/RqGVvLyq -=NHEU ------END PGP SIGNATURE----- diff --git a/curl-7.30.0.tar.lzma b/curl-7.30.0.tar.lzma new file mode 100644 index 0000000..0786b0e --- /dev/null +++ b/curl-7.30.0.tar.lzma @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2cc427333447208c34d5afab29e4b1617a4f219e5787b74ec7ef6e89f6edac2a +size 2145655 diff --git a/curl-7.30.0.tar.lzma.asc b/curl-7.30.0.tar.lzma.asc new file mode 100644 index 0000000..3d23d8f --- /dev/null +++ b/curl-7.30.0.tar.lzma.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (GNU/Linux) + +iEYEABECAAYFAlFntDMACgkQeOEcayedXJE9vwCg2icVm/xDjGiK9lDvBN2Yck5h +jwIAn2UNo1J6RyA3TRqpnXWMXr1Jjq4g +=7Wds +-----END PGP SIGNATURE----- diff --git a/curl-CVE-2013-0249.patch b/curl-CVE-2013-0249.patch deleted file mode 100644 index 90d450d..0000000 --- a/curl-CVE-2013-0249.patch +++ /dev/null @@ -1,62 +0,0 @@ -From ee45a34907ffeb5fd95b0513040d8491d565b663 Mon Sep 17 00:00:00 2001 -From: Eldar Zaitov -Date: Wed, 30 Jan 2013 23:22:27 +0100 -Subject: [PATCH] Curl_sasl_create_digest_md5_message: fix buffer overflow - -When negotiating SASL DIGEST-MD5 authentication, the function -Curl_sasl_create_digest_md5_message() uses the data provided from the -server without doing the proper length checks and that data is then -appended to a local fixed-size buffer on the stack. - -This vulnerability can be exploited by someone who is in control of a -server that a libcurl based program is accessing with POP3, SMTP or -IMAP. For applications that accept user provided URLs, it is also -thinkable that a malicious user would feed an application with a URL to -a server hosting code targetting this flaw. - -Bug: http://curl.haxx.se/docs/adv_20130206.html ---- - lib/curl_sasl.c | 23 ++++++----------------- - 1 file changed, 6 insertions(+), 17 deletions(-) - -Index: curl-7.28.1/lib/curl_sasl.c -=================================================================== ---- curl-7.28.1.orig/lib/curl_sasl.c 2012-08-08 22:45:18.000000000 +0200 -+++ curl-7.28.1/lib/curl_sasl.c 2013-02-07 11:55:15.183277599 +0100 -@@ -345,9 +345,7 @@ CURLcode Curl_sasl_create_digest_md5_mes - snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]); - - /* Prepare the URL string */ -- strcpy(uri, service); -- strcat(uri, "/"); -- strcat(uri, realm); -+ snprintf(uri, sizeof(uri), "%s/%s", service, realm); - - /* Calculate H(A2) */ - ctxt = Curl_MD5_init(Curl_DIGEST_MD5); -@@ -391,20 +389,11 @@ CURLcode Curl_sasl_create_digest_md5_mes - for(i = 0; i < MD5_DIGEST_LEN; i++) - snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]); - -- strcpy(response, "username=\""); -- strcat(response, userp); -- strcat(response, "\",realm=\""); -- strcat(response, realm); -- strcat(response, "\",nonce=\""); -- strcat(response, nonce); -- strcat(response, "\",cnonce=\""); -- strcat(response, cnonce); -- strcat(response, "\",nc="); -- strcat(response, nonceCount); -- strcat(response, ",digest-uri=\""); -- strcat(response, uri); -- strcat(response, "\",response="); -- strcat(response, resp_hash_hex); -+ snprintf(response, sizeof(response), -+ "username=\"%s\",realm=\"%s\",nonce=\"%s\"," -+ "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s", -+ userp, realm, nonce, -+ cnonce, nonceCount, uri, resp_hash_hex); - - /* Base64 encode the reply */ - return Curl_base64_encode(data, response, 0, outptr, outlen); diff --git a/curl-secure-getenv.patch b/curl-secure-getenv.patch index 04e3d73..65bd3e0 100644 --- a/curl-secure-getenv.patch +++ b/curl-secure-getenv.patch @@ -1,6 +1,8 @@ ---- lib/getenv.c.orig -+++ lib/getenv.c -@@ -31,6 +31,14 @@ +Index: lib/getenv.c +=================================================================== +--- lib/getenv.c.orig 2013-04-12 13:31:59.056761437 +0200 ++++ lib/getenv.c 2013-04-12 13:36:25.654762399 +0200 +@@ -27,6 +27,14 @@ #include "memdebug.h" @@ -15,18 +17,20 @@ static char *GetEnv(const char *variable) { -@@ -45,7 +53,7 @@ char *GetEnv(const char *variable) +@@ -41,7 +49,7 @@ char *GetEnv(const char *variable) ExpandEnvironmentStringsA(temp, env, sizeof(env)); return (env[0] != '\0')?strdup(env):NULL; #else - char *env = getenv(variable); + char *env = secure_getenv(variable); - #ifdef __VMS - if(env && strcmp("HOME",variable) == 0) - env = decc_translate_vms(env); ---- configure.ac.orig -+++ configure.ac -@@ -3480,6 +3480,8 @@ if test "x$want_curldebug_assumed" = "xy + return (env && env[0])?strdup(env):NULL; + #endif + #endif +Index: configure.ac +=================================================================== +--- configure.ac.orig 2013-04-12 13:31:59.057761467 +0200 ++++ configure.ac 2013-04-12 13:32:00.823814454 +0200 +@@ -3475,6 +3475,8 @@ if test "x$want_curldebug_assumed" = "xy ac_configure_args="$ac_configure_args --enable-curldebug" fi diff --git a/curl.changes b/curl.changes index c79b2e0..2c55a21 100644 --- a/curl.changes +++ b/curl.changes @@ -1,3 +1,38 @@ +------------------------------------------------------------------- +Fri Apr 12 11:36:47 UTC 2013 - vcizek@suse.com + +- update to 7.30.0 + includes security fixes for CVE-2013-0249 and CVE-2013-1944 + (bugs bnc#814655 and bnc#802411 respectively) + (dropped curl-CVE-2013-0249.patch) +- Changes: + imap: Changed response tag generation to be completely unique + imap: Added support for SASL-IR extension + imap: Added support for the list command + imap: Added support for the append command + imap: Added custom request parsing + imap: Added support to the fetch command for UID and SECTION properties + imap: Added parsing and verification of the UIDVALIDITY mailbox attribute + imap/pop3/smtp: Added support for the STARTTLS capability + checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets + curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag + Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS + for new multi interface connection handling + Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE, + CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL + and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control + test: offer "automake" output and check for perl better + always-multi: always use non-blocking internals + imap: Added support for sasl digest-md5 authentication + imap: Added support for sasl cram-md5 authentication + imap: Added support for sasl ntlm authentication + imap: Added support for sasl login authentication + imap: Added support for sasl plain text authentication + imap: Added support for login disabled server capability + mk-ca-bundle: add -f, support passing to stdout and more + writeout: -w now supports remote_ip/port and local_ip/port +- refreshed patches + ------------------------------------------------------------------- Sun Feb 17 17:04:34 UTC 2013 - crrodriguez@opensuse.org diff --git a/curl.spec b/curl.spec index 509abc7..e1be40e 100644 --- a/curl.spec +++ b/curl.spec @@ -21,7 +21,7 @@ %bcond_without testsuite Name: curl -Version: 7.28.1 +Version: 7.30.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: BSD-3-Clause and MIT @@ -33,7 +33,6 @@ Source3: baselibs.conf Source4: %{name}.keyring Patch: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.diff -Patch2: curl-CVE-2013-0249.patch Patch3: curl-secure-getenv.patch # Use rpmbuild -D 'VERIFY_SIG 1' to verify signature during build or run one-shot check by "gpg-offline --verify --package=curl curl-*.asc". %if 0%{?VERIFY_SIG} @@ -100,9 +99,13 @@ user interaction or any kind of interactivity. %setup -q %patch %patch1 -%patch2 -p1 %patch3 %build +# curl complains if macro definition is contained in CFLAGS +# see m4/xc-val-flgs.m4 +CPPFLAGS="-D_FORTIFY_SOURCE=2" +CFLAGS=$(echo $RPM_OPT_FLAGS | sed 's/-D_FORTIFY_SOURCE=2//') +export CPPFLAGS CFLAGS autoreconf -fi # local hack to make curl-config --libs stop printing libraries it depends on # (currently, libtool sets link_all_deplibs=(yes|unknown) everywhere, diff --git a/libcurl-ocloexec.patch b/libcurl-ocloexec.patch index d7a1d2f..26cdfb2 100644 --- a/libcurl-ocloexec.patch +++ b/libcurl-ocloexec.patch @@ -9,9 +9,9 @@ compile time is not enough. Index: lib/cookie.c =================================================================== ---- lib/cookie.c.orig 2012-08-08 23:38:25.000000000 +0200 -+++ lib/cookie.c 2013-02-07 11:55:15.146276477 +0100 -@@ -736,7 +736,7 @@ struct CookieInfo *Curl_cookie_init(stru +--- lib/cookie.c.orig 2013-04-12 13:25:07.866367012 +0200 ++++ lib/cookie.c 2013-04-12 13:25:29.391017340 +0200 +@@ -750,7 +750,7 @@ struct CookieInfo *Curl_cookie_init(stru fp = NULL; } else @@ -20,7 +20,7 @@ Index: lib/cookie.c c->newsession = newsession; /* new session? */ -@@ -1060,7 +1060,7 @@ static int cookie_output(struct CookieIn +@@ -1091,7 +1091,7 @@ static int cookie_output(struct CookieIn use_stdout=TRUE; } else { @@ -31,9 +31,9 @@ Index: lib/cookie.c } Index: lib/file.c =================================================================== ---- lib/file.c.orig 2012-11-13 22:04:27.000000000 +0100 -+++ lib/file.c 2013-02-07 11:55:15.147276507 +0100 -@@ -249,7 +249,7 @@ static CURLcode file_connect(struct conn +--- lib/file.c.orig 2013-04-12 13:25:07.867367042 +0200 ++++ lib/file.c 2013-04-12 13:25:29.391017340 +0200 +@@ -243,7 +243,7 @@ static CURLcode file_connect(struct conn fd = open_readonly(actual_path, O_RDONLY|O_BINARY); file->path = actual_path; #else @@ -42,7 +42,7 @@ Index: lib/file.c file->path = real_path; #endif file->freepath = real_path; /* free this when done */ -@@ -347,7 +347,7 @@ static CURLcode file_upload(struct conne +@@ -341,7 +341,7 @@ static CURLcode file_upload(struct conne else mode = MODE_DEFAULT|O_TRUNC; @@ -53,9 +53,9 @@ Index: lib/file.c return CURLE_WRITE_ERROR; Index: lib/formdata.c =================================================================== ---- lib/formdata.c.orig 2012-08-08 22:45:18.000000000 +0200 -+++ lib/formdata.c 2013-02-07 11:55:15.147276507 +0100 -@@ -1207,7 +1207,7 @@ CURLcode Curl_getformdata(struct Session +--- lib/formdata.c.orig 2013-04-12 13:25:07.868367072 +0200 ++++ lib/formdata.c 2013-04-12 13:25:29.392017370 +0200 +@@ -1234,7 +1234,7 @@ CURLcode Curl_getformdata(struct Session FILE *fileread; fileread = strequal("-", file->contents)? @@ -64,7 +64,7 @@ Index: lib/formdata.c /* * VMS: This only allows for stream files on VMS. Stream files are -@@ -1338,7 +1338,7 @@ static size_t readfromfile(struct Form * +@@ -1365,7 +1365,7 @@ static size_t readfromfile(struct Form * else { if(!form->fp) { /* this file hasn't yet been opened */ @@ -75,9 +75,9 @@ Index: lib/formdata.c } Index: lib/hostip6.c =================================================================== ---- lib/hostip6.c.orig 2012-03-08 20:35:24.000000000 +0100 -+++ lib/hostip6.c 2013-02-07 11:55:15.147276507 +0100 -@@ -45,7 +45,7 @@ +--- lib/hostip6.c.orig 2013-04-12 13:25:07.868367072 +0200 ++++ lib/hostip6.c 2013-04-12 13:25:29.392017370 +0200 +@@ -39,7 +39,7 @@ #ifdef HAVE_PROCESS_H #include #endif @@ -86,7 +86,7 @@ Index: lib/hostip6.c #include "urldata.h" #include "sendf.h" #include "hostip.h" -@@ -113,7 +113,7 @@ bool Curl_ipv6works(void) +@@ -107,7 +107,7 @@ bool Curl_ipv6works(void) static int ipv6_works = -1; if(-1 == ipv6_works) { /* probe to see if we have a working IPv6 stack */ @@ -97,22 +97,22 @@ Index: lib/hostip6.c ipv6_works = 0; Index: lib/if2ip.c =================================================================== ---- lib/if2ip.c.orig 2012-03-08 20:35:24.000000000 +0100 -+++ lib/if2ip.c 2013-02-07 11:55:15.148276537 +0100 -@@ -153,7 +153,7 @@ char *Curl_if2ip(int af, const char *int +--- lib/if2ip.c.orig 2013-04-12 13:25:07.869367102 +0200 ++++ lib/if2ip.c 2013-04-12 13:25:29.393017400 +0200 +@@ -171,7 +171,7 @@ if2ip_result_t Curl_if2ip(int af, unsign if(len >= sizeof(req.ifr_name)) - return NULL; + return IF2IP_NOT_FOUND; - dummy = socket(AF_INET, SOCK_STREAM, 0); + dummy = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); if(CURL_SOCKET_BAD == dummy) - return NULL; + return IF2IP_NOT_FOUND; Index: lib/netrc.c =================================================================== ---- lib/netrc.c.orig 2012-08-08 22:45:18.000000000 +0200 -+++ lib/netrc.c 2013-02-07 11:55:15.148276537 +0100 -@@ -107,7 +107,7 @@ int Curl_parsenetrc(const char *host, +--- lib/netrc.c.orig 2013-04-12 13:25:07.869367102 +0200 ++++ lib/netrc.c 2013-04-12 13:25:29.393017400 +0200 +@@ -97,7 +97,7 @@ int Curl_parsenetrc(const char *host, netrc_alloc = TRUE; } @@ -123,9 +123,9 @@ Index: lib/netrc.c char *tok_buf; Index: lib/ssluse.c =================================================================== ---- lib/ssluse.c.orig 2012-11-13 23:01:17.000000000 +0100 -+++ lib/ssluse.c 2013-02-07 11:55:15.149276568 +0100 -@@ -437,7 +437,7 @@ int cert_stuff(struct connectdata *conn, +--- lib/ssluse.c.orig 2013-04-12 13:25:07.870367132 +0200 ++++ lib/ssluse.c 2013-04-12 13:25:29.394017430 +0200 +@@ -419,7 +419,7 @@ int cert_stuff(struct connectdata *conn, STACK_OF(X509) *ca = NULL; int i; @@ -134,7 +134,7 @@ Index: lib/ssluse.c if(!f) { failf(data, "could not open PKCS12 file '%s'", cert_file); return 0; -@@ -2274,7 +2274,7 @@ static CURLcode servercert(struct connec +@@ -2246,7 +2246,7 @@ static CURLcode servercert(struct connec /* e.g. match issuer name with provided issuer certificate */ if(data->set.str[STRING_SSL_ISSUERCERT]) { @@ -145,9 +145,9 @@ Index: lib/ssluse.c failf(data, "SSL: Unable to open issuer cert (%s)", Index: lib/connect.c =================================================================== ---- lib/connect.c.orig 2012-11-13 22:02:15.000000000 +0100 -+++ lib/connect.c 2013-02-07 11:55:15.149276568 +0100 -@@ -1238,7 +1238,7 @@ CURLcode Curl_socket(struct connectdata +--- lib/connect.c.orig 2013-04-12 13:25:07.871367163 +0200 ++++ lib/connect.c 2013-04-12 13:25:29.394017430 +0200 +@@ -1308,7 +1308,7 @@ CURLcode Curl_socket(struct connectdata (struct curl_sockaddr *)addr); else /* opensocket callback not set, so simply create the socket now */ @@ -158,17 +158,17 @@ Index: lib/connect.c /* no socket, no connection */ Index: configure.ac =================================================================== ---- configure.ac.orig 2012-09-08 22:39:18.000000000 +0200 -+++ configure.ac 2013-02-07 11:58:27.875122101 +0100 -@@ -180,6 +180,7 @@ AC_CANONICAL_HOST +--- configure.ac.orig 2013-04-12 13:25:07.873367223 +0200 ++++ configure.ac 2013-04-12 13:25:29.396017491 +0200 +@@ -183,6 +183,7 @@ AC_CANONICAL_HOST dnl Get system canonical name AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS]) +AC_USE_SYSTEM_EXTENSIONS dnl Checks for programs. - CURL_CHECK_PROG_CC -@@ -193,6 +194,7 @@ dnl Our configure and build reentrant se + dnl Our curl_off_t internal and external configure settings +@@ -195,6 +196,7 @@ dnl Our configure and build reentrant se CURL_CONFIGURE_THREAD_SAFE CURL_CONFIGURE_REENTRANT @@ -176,16 +176,3 @@ Index: configure.ac dnl check for how to do large files AC_SYS_LARGEFILE -Index: m4/curl-compilers.m4 -=================================================================== ---- m4/curl-compilers.m4.orig 2012-11-16 13:02:23.000000000 +0100 -+++ m4/curl-compilers.m4 2013-02-07 11:55:15.151276630 +0100 -@@ -1272,7 +1272,7 @@ dnl CPPFLAGS from being unexpectedly cha - AC_DEFUN([CURL_CHECK_PROG_CC], [ - ac_save_CFLAGS="$CFLAGS" - ac_save_CPPFLAGS="$CPPFLAGS" -- AC_PROG_CC -+ AC_PROG_CC_STDC - CFLAGS="$ac_save_CFLAGS" - CPPFLAGS="$ac_save_CPPFLAGS" - ])