Accepting request 298500 from home:vitezslav_cizek:branches:devel:libraries:c_c++

- update to 7.42.0
  * refresh libcurl-ocloexec.patch
- fixes security vulnerabilities:
  * CVE-2015-3143 (bnc#927556)
    - Re-using authenticated connection when unauthenticated
  * CVE-2015-3144 (bnc#927608)
    - host name out of boundary memory access
  * CVE-2015-3145 (bnc#927607)
    - cookie parser out of boundary memory access
  * CVE-2015-3148 (bnc#927746)
    - Negotiate not treated as connection-oriented

OBS-URL: https://build.opensuse.org/request/show/298500
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=130

curl-7.41.0.tar.lzma

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c2c40bcc1eb3e598387a1d1243b01117cd0f253e79247bd4f0f17fd760dec722
-size 2722527

curl-7.41.0.tar.lzma.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlTte8QACgkQeOEcayedXJFByQCdEIZG6sOcXOhbe9JGSTZowdMR
-72cAoLu08rLq83AkywThzrxFG6qb7K0z
-=U309
------END PGP SIGNATURE-----

curl-7.42.0.tar.lzma

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dd2251de6f2682dfc29ed18e86ff2f34c14e65fc03fddb62b0157e76932be649
+size 2731954

curl-7.42.0.tar.lzma.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAlU3ONsACgkQeOEcayedXJE4lQCeMzC0F+JUqFKRGut7+qXAbVlN
+wJkAoLFPfw7cZS/mWrJipz23Gql4WYa9
+=r9g2
+-----END PGP SIGNATURE-----

curl.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Wed Apr 22 08:03:02 UTC 2015 - vcizek@suse.com
+
+- update to 7.42.0
+  * refresh libcurl-ocloexec.patch
+- fixes security vulnerabilities:
+  * CVE-2015-3143 (bnc#927556)
+    - Re-using authenticated connection when unauthenticated
+  * CVE-2015-3144 (bnc#927608)
+    - host name out of boundary memory access
+  * CVE-2015-3145 (bnc#927607)
+    - cookie parser out of boundary memory access
+  * CVE-2015-3148 (bnc#927746)
+    - Negotiate not treated as connection-oriented
+
 -------------------------------------------------------------------
 Tue Mar 24 12:49:35 UTC 2015 - lnussel@suse.de
 

curl.spec

@@ -20,7 +20,7 @@
 %bcond_with mozilla_nss
 %bcond_without testsuite
 Name:           curl
-Version:        7.41.0
+Version:        7.42.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        BSD-3-Clause and MIT

libcurl-ocloexec.patch

@@ -9,9 +9,9 @@ compile time is not enough.
 
 Index: lib/cookie.c
 ===================================================================
---- lib/cookie.c.orig	2014-12-10 00:01:02.000000000 +0100
-+++ lib/cookie.c	2015-01-08 11:33:25.855588512 +0100
-@@ -932,7 +932,7 @@ struct CookieInfo *Curl_cookie_init(stru
+--- lib/cookie.c.orig	2015-04-22 10:05:04.652863265 +0200
++++ lib/cookie.c	2015-04-22 10:05:08.225915413 +0200
+@@ -914,7 +914,7 @@ struct CookieInfo *Curl_cookie_init(stru
      fp = NULL;
    }
    else
@@ -20,7 +20,7 @@ Index: lib/cookie.c
  
    c->newsession = newsession; /* new session? */
  
-@@ -1281,7 +1281,7 @@ static int cookie_output(struct CookieIn
+@@ -1262,7 +1262,7 @@ static int cookie_output(struct CookieIn
      use_stdout=TRUE;
    }
    else {
@@ -31,9 +31,9 @@ Index: lib/cookie.c
    }
 Index: lib/file.c
 ===================================================================
---- lib/file.c.orig	2014-11-20 18:42:17.000000000 +0100
-+++ lib/file.c	2015-01-08 11:33:25.855588512 +0100
-@@ -240,7 +240,7 @@ static CURLcode file_connect(struct conn
+--- lib/file.c.orig	2015-04-22 10:05:04.652863265 +0200
++++ lib/file.c	2015-04-22 10:05:08.226915427 +0200
+@@ -238,7 +238,7 @@ static CURLcode file_connect(struct conn
      /* binary zeroes indicate foul play */
      return CURLE_URL_MALFORMAT;
  
@@ -42,7 +42,7 @@ Index: lib/file.c
    file->path = real_path;
  #endif
    file->freepath = real_path; /* free this when done */
-@@ -338,7 +338,7 @@ static CURLcode file_upload(struct conne
+@@ -336,7 +336,7 @@ static CURLcode file_upload(struct conne
    else
      mode = MODE_DEFAULT|O_TRUNC;
  
@@ -53,9 +53,9 @@ Index: lib/file.c
      return CURLE_WRITE_ERROR;
 Index: lib/formdata.c
 ===================================================================
---- lib/formdata.c.orig	2014-11-20 18:42:17.000000000 +0100
-+++ lib/formdata.c	2015-01-08 11:33:25.856588523 +0100
-@@ -1261,7 +1261,7 @@ CURLcode Curl_getformdata(struct Session
+--- lib/formdata.c.orig	2015-04-22 10:05:04.652863265 +0200
++++ lib/formdata.c	2015-04-22 10:05:08.226915427 +0200
+@@ -1256,7 +1256,7 @@ CURLcode Curl_getformdata(struct Session
          FILE *fileread;
  
          fileread = strequal("-", file->contents)?
@@ -64,7 +64,7 @@ Index: lib/formdata.c
  
          /*
           * VMS: This only allows for stream files on VMS.  Stream files are
-@@ -1420,7 +1420,7 @@ static size_t readfromfile(struct Form *
+@@ -1415,7 +1415,7 @@ static size_t readfromfile(struct Form *
    else {
      if(!form->fp) {
        /* this file hasn't yet been opened */
@@ -75,8 +75,8 @@ Index: lib/formdata.c
      }
 Index: lib/hostip6.c
 ===================================================================
---- lib/hostip6.c.orig	2014-12-28 14:36:05.000000000 +0100
-+++ lib/hostip6.c	2015-01-08 11:33:25.856588523 +0100
+--- lib/hostip6.c.orig	2015-04-22 10:05:04.652863265 +0200
++++ lib/hostip6.c	2015-04-22 10:05:08.226915427 +0200
 @@ -39,7 +39,7 @@
  #ifdef HAVE_PROCESS_H
  #include <process.h>
@@ -86,7 +86,7 @@ Index: lib/hostip6.c
  #include "urldata.h"
  #include "sendf.h"
  #include "hostip.h"
-@@ -107,7 +107,7 @@ bool Curl_ipv6works(void)
+@@ -104,7 +104,7 @@ bool Curl_ipv6works(void)
    static int ipv6_works = -1;
    if(-1 == ipv6_works) {
      /* probe to see if we have a working IPv6 stack */
@@ -97,9 +97,9 @@ Index: lib/hostip6.c
        ipv6_works = 0;
 Index: lib/if2ip.c
 ===================================================================
---- lib/if2ip.c.orig	2014-12-28 14:36:05.000000000 +0100
-+++ lib/if2ip.c	2015-01-08 11:33:25.856588523 +0100
-@@ -224,7 +224,7 @@ if2ip_result_t Curl_if2ip(int af, unsign
+--- lib/if2ip.c.orig	2015-04-22 10:05:04.652863265 +0200
++++ lib/if2ip.c	2015-04-22 10:05:08.227915442 +0200
+@@ -222,7 +222,7 @@ if2ip_result_t Curl_if2ip(int af, unsign
    if(len >= sizeof(req.ifr_name))
      return IF2IP_NOT_FOUND;
  
@@ -110,22 +110,22 @@ Index: lib/if2ip.c
  
 Index: lib/netrc.c
 ===================================================================
---- lib/netrc.c.orig	2014-11-04 13:51:16.000000000 +0100
-+++ lib/netrc.c	2015-01-08 11:33:25.856588523 +0100
-@@ -111,7 +111,7 @@ int Curl_parsenetrc(const char *host,
+--- lib/netrc.c.orig	2015-04-22 10:05:04.652863265 +0200
++++ lib/netrc.c	2015-04-22 10:05:08.227915442 +0200
+@@ -109,7 +109,7 @@ int Curl_parsenetrc(const char *host,
      netrc_alloc = TRUE;
    }
  
 -  file = fopen(netrcfile, "r");
 +  file = fopen(netrcfile, "re");
    if(netrc_alloc)
-     Curl_safefree(netrcfile);
+     free(netrcfile);
    if(file) {
 Index: lib/connect.c
 ===================================================================
---- lib/connect.c.orig	2014-12-28 14:36:05.000000000 +0100
-+++ lib/connect.c	2015-01-08 11:33:25.856588523 +0100
-@@ -1314,7 +1314,7 @@ CURLcode Curl_socket(struct connectdata
+--- lib/connect.c.orig	2015-04-22 10:05:04.652863265 +0200
++++ lib/connect.c	2015-04-22 10:05:08.227915442 +0200
+@@ -1334,7 +1334,7 @@ CURLcode Curl_socket(struct connectdata
                                      (struct curl_sockaddr *)addr);
    else
      /* opensocket callback not set, so simply create the socket now */
@@ -136,8 +136,8 @@ Index: lib/connect.c
      /* no socket, no connection */
 Index: configure.ac
 ===================================================================
---- configure.ac.orig	2014-12-28 14:36:05.000000000 +0100
-+++ configure.ac	2015-01-08 11:33:55.103922543 +0100
+--- configure.ac.orig	2015-04-22 10:05:04.652863265 +0200
++++ configure.ac	2015-04-22 10:05:08.228915457 +0200
 @@ -182,6 +182,7 @@ AC_CANONICAL_HOST
  dnl Get system canonical name
  AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS])