Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

gnurl: update source to 7.43.0

Browse source 
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This commit is contained in:
Daniel Golle 2015-08-13 10:24:14 +02:00
parent 8511e62ff0
commit 3741ec4945
7 changed files with 4 additions and 315 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
net/gnurl/Makefile
View file

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=gnurl
PKG_VERSION:=7.40.0
PKG_RELEASE:=6
PKG_VERSION:=7.43.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://gnunet.org/sites/default/files
PKG_MD5SUM:=f816deb0c1401c841780ec6b91985a14
PKG_MD5SUM:=67c6667d8843cc514b230f2ce8d80f0e
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=COPYING

89
net/gnurl/patches/010-backport-gtls-add-support-for-CURLOPT_CAPATH.patch
View file

@ -1,89 +0,0 @@
From 5a1614cecdd57cab8b4ae3e9bc19dfff5ba77e80 Mon Sep 17 00:00:00 2001
From: Alessandro Ghedini <alessandro@ghedini.me>
Date: Sun, 8 Mar 2015 20:11:06 +0100
Subject: [PATCH] gtls: add support for CURLOPT_CAPATH
---
acinclude.m4 | 4 ++--
docs/libcurl/opts/CURLOPT_CAPATH.3 | 5 ++---
lib/vtls/gtls.c | 22 ++++++++++++++++++++++
lib/vtls/gtls.h | 3 +++
4 files changed, 29 insertions(+), 5 deletions(-)
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -2614,8 +2614,8 @@ AC_HELP_STRING([--without-ca-path], [Don
capath="no"
elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
dnl --with-ca-path given
- if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
- AC_MSG_ERROR([--with-ca-path only works with openSSL or PolarSSL])
+ if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
+ AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL])
fi
capath="$want_capath"
ca="no"
--- a/docs/libcurl/opts/CURLOPT_CAPATH.3
+++ b/docs/libcurl/opts/CURLOPT_CAPATH.3
@@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IM
.SH EXAMPLE
TODO
.SH AVAILABILITY
-This option is OpenSSL-specific and does nothing if libcurl is built to use
-GnuTLS. NSS-powered libcurl provides the option only for backward
-compatibility.
+This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS
+backend provides the option only for backward compatibility.
.SH RETURN VALUE
Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -98,6 +98,10 @@ static bool gtls_inited = FALSE;
# define HAS_ALPN
# endif
# endif
+
+# if (GNUTLS_VERSION_NUMBER >= 0x030306)
+# define HAS_CAPATH
+# endif
#endif
/*
@@ -463,6 +467,24 @@ gtls_connect_step1(struct connectdata *c
rc, data->set.ssl.CAfile);
}
+#ifdef HAS_CAPATH
+ if(data->set.ssl.CApath) {
+ /* set the trusted CA cert directory */
+ rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred,
+ data->set.ssl.CApath,
+ GNUTLS_X509_FMT_PEM);
+ if(rc < 0) {
+ infof(data, "error reading ca cert file %s (%s)\n",
+ data->set.ssl.CAfile, gnutls_strerror(rc));
+ if(data->set.ssl.verifypeer)
+ return CURLE_SSL_CACERT_BADFILE;
+ }
+ else
+ infof(data, "found %d certificates in %s\n",
+ rc, data->set.ssl.CApath);
+ }
+#endif
+
if(data->set.ssl.CRLfile) {
/* set the CRL list file */
rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
--- a/lib/vtls/gtls.h
+++ b/lib/vtls/gtls.h
@@ -53,6 +53,9 @@ void Curl_gtls_md5sum(unsigned char *tmp
unsigned char *md5sum, /* output */
size_t md5len);
+/* this backend supports the CAPATH option */
+#define have_curlssl_ca_path 1
+
/* API setup for GnuTLS */
#define curlssl_init Curl_gtls_init
#define curlssl_cleanup Curl_gtls_cleanup

32
net/gnurl/patches/011-CVE-2015-3144.patch
View file

@ -1,32 +0,0 @@
From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 16 Apr 2015 23:52:04 +0200
Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a URL is given with a zero-length host name, like in "http://:80" or
just ":80", `fix_hostname()` will index the host name pointer with a -1
offset (as it blindly assumes a non-zero length) and both read and
assign that address.
CVE-2015-3144
Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck
---
lib/url.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/url.c
+++ b/lib/url.c
@@ -3602,7 +3602,7 @@ static void fix_hostname(struct SessionH
host->dispname = host->name;
len = strlen(host->name);
- if(host->name[len-1] == '.')
+ if(len && (host->name[len-1] == '.'))
/* strip off a single trailing dot if present, primarily for SNI but
there's no use for it */
host->name[len-1]=0;

53
net/gnurl/patches/012-CVE-2015-3145.patch
View file

@ -1,53 +0,0 @@
From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 16 Apr 2015 16:37:40 +0200
Subject: [PATCH] cookie: cookie parser out of boundary memory access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.
CVE-2015-3145
Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck
---
lib/cookie.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -236,11 +236,14 @@ static char *sanitize_cookie_path(const
return NULL;
/* some stupid site sends path attribute with '"'. */
+ len = strlen(new_path);
if(new_path[0] == '\"') {
- memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
+ memmove((void *)new_path, (const void *)(new_path + 1), len);
+ len--;
}
- if(new_path[strlen(new_path) - 1] == '\"') {
- new_path[strlen(new_path) - 1] = 0x0;
+ if(len && (new_path[len - 1] == '\"')) {
+ new_path[len - 1] = 0x0;
+ len--;
}
/* RFC6265 5.2.4 The Path Attribute */
@@ -252,8 +255,7 @@ static char *sanitize_cookie_path(const
}
/* convert /hoge/ to /hoge */
- len = strlen(new_path);
- if(1 < len && new_path[len - 1] == '/') {
+ if(len && new_path[len - 1] == '/') {
new_path[len - 1] = 0x0;
}

95
net/gnurl/patches/014-CVE-2015-3153.patch
View file

@ -1,95 +0,0 @@
From 69a2e8d7ec581695a62527cb2252e7350f314ffa Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 23 Apr 2015 15:58:21 +0200
Subject: [PATCH] CURLOPT_HEADEROPT: default to separate
Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.
Bug: http://curl.haxx.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon
---
docs/libcurl/opts/CURLOPT_HEADEROPT.3 | 12 ++++++------
lib/url.c | 1 +
tests/data/test1527 | 2 +-
tests/data/test287 | 2 +-
tests/libtest/lib1527.c | 1 +
5 files changed, 10 insertions(+), 8 deletions(-)
--- a/docs/libcurl/opts/CURLOPT_HEADEROPT.3
+++ b/docs/libcurl/opts/CURLOPT_HEADEROPT.3
@@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
@@ -31,10 +31,10 @@ CURLcode curl_easy_setopt(CURL *handle,
Pass a long that is a bitmask of options of how to deal with headers. The two
mutually exclusive options are:
-\fBCURLHEADER_UNIFIED\fP - keep working as before. This means
-\fICURLOPT_HTTPHEADER(3)\fP headers will be used in requests both to servers
-and proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not
-have any effect.
+\fBCURLHEADER_UNIFIED\fP - the headers specified in
+\fICURLOPT_HTTPHEADER(3)\fP will be used in requests both to servers and
+proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not have
+any effect.
\fBCURLHEADER_SEPARATE\fP - makes \fICURLOPT_HTTPHEADER(3)\fP headers only get
sent to a server and not to a proxy. Proxy headers must be set with
@@ -44,7 +44,7 @@ headers. When doing CONNECT, libcurl wil
headers only to the proxy and then \fICURLOPT_HTTPHEADER(3)\fP headers only to
the server.
.SH DEFAULT
-CURLHEADER_UNIFIED
+CURLHEADER_SEPARATE (changed in 7.42.1, ased CURLHEADER_UNIFIED before then)
.SH PROTOCOLS
HTTP
.SH EXAMPLE
--- a/lib/url.c
+++ b/lib/url.c
@@ -605,6 +605,7 @@ CURLcode Curl_init_userdefined(struct Us
set->ssl_enable_alpn = TRUE;
set->expect_100_timeout = 1000L; /* Wait for a second by default. */
+ set->sep_headers = TRUE; /* separated header lists by default */
return result;
}
--- a/tests/data/test1527
+++ b/tests/data/test1527
@@ -45,7 +45,7 @@ http-proxy
lib1527
</tool>
<name>
-Check same headers are generated without CURLOPT_PROXYHEADER
+Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED
</name>
<command>
http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT
--- a/tests/data/test287
+++ b/tests/data/test287
@@ -28,7 +28,7 @@ http
HTTP proxy CONNECT with custom User-Agent header
</name>
<command>
-http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel
+http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007"
</command>
</client>
--- a/tests/libtest/lib1527.c
+++ b/tests/libtest/lib1527.c
@@ -83,6 +83,7 @@ int test(char *URL)
test_setopt(curl, CURLOPT_READFUNCTION, read_callback);
test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
test_setopt(curl, CURLOPT_INFILESIZE, strlen(data));
+ test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED);
res = curl_easy_perform(curl);

42
net/gnurl/patches/015-CVE-2015-3236.patch
View file

@ -1,42 +0,0 @@
From e6d7c30734487246e83b95520e81bc1ccf0a2376 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 28 May 2015 20:04:35 +0200
Subject: [PATCH] http: do not leak basic auth credentials on re-used
connections
CVE-2015-3236
This partially reverts commit curl-7_39_0-237-g87c4abb
Bug: http://curl.haxx.se/docs/adv_20150617A.html
---
lib/http.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
--- a/lib/http.c
+++ b/lib/http.c
@@ -2327,20 +2327,12 @@ CURLcode Curl_http(struct connectdata *c
te
);
- /*
- * Free userpwd for Negotiate/NTLM. Cannot reuse as it is associated with
- * the connection and shouldn't be repeated over it either.
- */
- switch (data->state.authhost.picked) {
- case CURLAUTH_NEGOTIATE:
- case CURLAUTH_NTLM:
- case CURLAUTH_NTLM_WB:
- Curl_safefree(conn->allocptr.userpwd);
- break;
- }
+ /* clear userpwd to avoid re-using credentials from re-used connections */
+ Curl_safefree(conn->allocptr.userpwd);
/*
- * Same for proxyuserpwd
+ * Free proxyuserpwd for Negotiate/NTLM. Cannot reuse as it is associated
+ * with the connection and shouldn't be repeated over it either.
*/
switch (data->state.authproxy.picked) {
case CURLAUTH_NEGOTIATE:

2
net/gnurl/patches/100-check_long_long.patch
View file

@ -1,6 +1,6 @@
--- a/configure.ac
+++ b/configure.ac
@@ -2879,6 +2879,7 @@ CURL_VERIFY_RUNTIMELIBS
@@ -2954,6 +2954,7 @@ CURL_VERIFY_RUNTIMELIBS
AC_CHECK_SIZEOF(size_t)
AC_CHECK_SIZEOF(long)