author salo <salo> 2006-03-24 15:52:28 +0000
committer salo <salo> 2006-03-24 15:52:28 +0000
commit d15a02681a019383bec6ce11a4db2a7b76dc0311
tree 23bc94942569789abd6ba2ba0c785a0db62d02dd
parent 069861873a4a6a5b9502be445ba50d4032805b70
download pkgsrc-d15a02681a019383bec6ce11a4db2a7b76dc0311.tar.gz
Pullup ticket 1250 - requested by Marc Recht
security update for curl

Revisions pulled up:
- pkgsrc/www/curl/Makefile 1.62, 1.63
- pkgsrc/www/curl/PLIST 1.19
- pkgsrc/www/curl/distinfo 1.43, 1.44
- pkgsrc/www/curl/patches/patch-aa removed
- pkgsrc/www/curl/patches/patch-ac removed

Module Name: pkgsrc
Committed By: wiz
Date: Fri Mar 3 22:26:08 UTC 2006

Modified Files:
pkgsrc/www/curl: Makefile PLIST distinfo
Removed Files:
pkgsrc/www/curl/patches: patch-aa

Log Message:
Update to 7.15.2:

Version 7.15.2 (27 February 2005)

Daniel (22 February 2006)
- Lots of work and analysis by "xbx___" in bug #1431750 (http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two different but related bugs:

  1) Removing an easy handle from a multi handle before the transfer is done could leave a connection in the connection cache for that handle that is in a state that isn't suitable for re-use. A subsequent re-use could then read from a NULL pointer and segfault.

  2) When an easy handle was removed from the multi handle, there could be an outstanding c-ares DNS name resolve request. When the response arrived, it caused havoc since the connection struct it "belonged" to could've been freed already.

  Now Curl_done() is called when an easy handle is removed from a multi handle pre-maturely (that is, before the transfer was completed). Curl_done() also makes sure to cancel all (if any) outstanding c-ares requests.

Daniel (21 February 2006)
- Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy type to the already provided type CURLPROXY_SOCKS4. I added a --socks4 option that works like the current --socks5 option but instead use the socks4 protocol.

Daniel (20 February 2006)
- Shmulik Regev fixed an issue with multi-pass authentication and compressed content when libcurl didn't honor the internal ignorebody flag.

Daniel (18 February 2006)
- Ulf Härnhammar fixed a format string (printf style) problem in the Negotiate code. It should however not be the cause of any troubles. He also fixed a few similar problems in the HTTP test server code.

Daniel (17 February 2006)
- Shmulik Regev provided a fix for the DNS cache when using short life times, as previously it could be holding on to old cached entries longer than requested.

Daniel (11 February 2006)
- Karl Moerder added the CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET options that an app can use to let libcurl only connect to a remote host and then extract the socket from libcurl. libcurl will then not attempt to do any transfer at all after the connect is done.
- Kent Boortz improved the configure check for GnuTLS to properly set LIBS instead of LDFLAGS.

Daniel (8 February 2006)
- Philippe Vaucher provided a brilliant piece of test code that show a problem with re-used FTP connections. If the second request on the same connection was set not to fetch a "body", libcurl could get confused and consider it an attempt to use a dead connection and would go acting mighty strange.

Daniel (2 February 2006)
- Make --limit-rate [num] mean bytes. It used to be that but it broke in my change done in November 2005.

Daniel (30 January 2006)
- Added CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE to libcurl. Set with the curl tool with --local-port. Plain and simply set the range of ports to bind the local end of connections to. Implemented on to popular demand.
- Based on an error report by Philippe Vaucher, we no longer count a retried connection setup as a follow-redirect. It turns out 1) this fails when a FTP connection is re-setup and 2) it does make the max-redirs counter behave wrong.

Daniel (24 January 2006)
- Michal Marek provided a patch for FTP that makes libcurl continue to try PASV even after EPSV returned a positive response code, if libcurl failed to connect to the port number the EPSV response said. Obviously some people are going through protocol-sensitive firewalls (or similar) that don't understand EPSV and then they don't allow the second connection unless PASV was used. This also called for a minor fix of test case 238.

Daniel (20 January 2006)
- Duane Cathey was one of our friends who reported that curl -P [IP] (CURLOPT_FTPPORT) didn't work for ipv6-enabled curls if the IP wasn't a "native" IP while it works fine for ipv6-disabled builds! In the process of fixing this, I removed the support for LPRT since I can't think of many reasons to keep doing it and asking on the mailing list didn't reveal anyone else that could either. The code that sends EPRT and PORT is now also a lot simpler than before (IMHO).

Daniel (19 January 2006)
- Jon Turner pointed out that doing -P [hostname] (CURLOPT_FTPPORT) with curl (built ipv4-only) didn't work.

Daniel (18 January 2006)
- As reported in bug #1408742 (http://curl.haxx.se/bug/view.cgi?id=1408742), the configure script complained about a missing "missing" script if you ran configure within a path whose name included one or more spaces. This is due to a flaw in automake (1.9.6 and earlier). I've now worked around it by including an "overloaded" version of the AM_MISSING_HAS_RUN script that'll be used instead of the one automake ships with. This kludge needs to be removed once we get an automake version with this problem corrected. Possibly we'll then need to convert this into a kludge depending on what automake version that is used and that is gonna be painful and I don't even want to think about that now...!

Daniel (17 January 2006)
- David Shaw: Here is the latest libcurl.m4 autoconf tests. It is updated with the latest features and protocols that libcurl supports and has a minor fix to better deal with the obscure case where someone has more than one libcurl installed at the same time.

Daniel (16 January 2006)
- David Shaw finally removed all traces of Gopher and we are now officially not supporting it. It hasn't been functioning for years anyway, so this is just finally stating what already was true. And a cleanup at the same time.
- Bryan Henderson turned the 'initialized' variable for curl_global_init() into a counter, and thus you can now do multiple curl_global_init() and you are then supposed to dot of calls to curl_global_cleanup(). Bryan has also updated the docs accordingly.

Daniel (13 January 2006)
- Andrew Benham fixed a race condition in the test suite that could cause the ript to kill all processes in the current process group!

Daniel (12 January 2006)
- Michael Jahn: Fixed FTP_SKIP_PASV_IP and FTP_USE_EPSV to "do right" when used on FTP thru HTTP proxh a proxy. It would previously overwrite internal memory and cause unpredicted behaviour!

Daniel (11 January 2006)
- I decided to document the "secret option" here now, as I've receivedts from November 2005:

  I'm looking for feedback and comments. I added some experimental code the other day, that allows a libcurl user to select what method libcurl should use to reality is available in CVS code and in recent daily snapshots.

  Let me explain...

  The current name for the option is CURLOPT_FTP_FILEMETHOD (--ftp-method for the command line tool) andt do this:

  1 multicwd - like today, curl will do a single CWD operation for each path part in the given URL. For deep hierarchies this means very many commands. This is how RFC1738 says it should be done. This is the - no CWD at all is done, curl will do SIZE, RETR, STOR etc and give a full path to the server.

  3 singlecwd - make one CWD with the full target directory and then operate on the file "normally".

  (With the command line tool you do --ftp-method [METHOD], where [METHOD] is one of "multicwd", "nocwd" or "singlecwd".)

  What feedback I'm interested in:vers where one of these don't work?

  2 - What would proper names for the option and its arguments be, if we consider this feature good enough to get included and documented in ses?

  3 - Should we make libcurl able to "walk through" these options in case of (path related) failures, or should it fail and let the user redo any possible retries?

  (Thi any man page just yet since I'm not sure these names will be used or if the functionality will end up exactly like this. And for the same reasons we have no test cases for these yet.)

Daniel (10 January 2006)
- When using a bad path over FTP, asinto all given subdirs, libcurl would still "remember" the full path as if it is the current directory libcurl is in so that the next curl_easy_perform() would get really confused if
---
Module Name: pkgsrc
Committed By: recht
Date: Tue Mar 21 21:49:47 UTC 2006

Modified Files:
pkgsrc/www/curl: Makefile distinfo
Removed Files:
pkgsrc/www/curl/patches: patch-ac

Log Message:
update to curl 7.15.3

Fixes a TFTP packet buffer overflow vulnerability.
See http://curl.haxx.se/docs/adv_20060320.html for details.

Changes:
- added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD

Bugfixes:
- TFTP Packet Buffer Overflow Vulnerability
- properly detecting problems with sending the FTP command USER
- wrong error message shown when certificate verification failed
- multi-part formpost with multi interface crash
- the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL is acknowledged
- "SSL: couldn't set callback" is now treated as a less serious problem
- Interix build fix
- fixed curl "hang" when out of file handles at start
- prevent FTP uploads to URLs with trailing slash
-rw-r--r-- www/curl/Makefile 4
-rw-r--r-- www/curl/PLIST 3
-rw-r--r-- www/curl/distinfo 10
-rw-r--r-- www/curl/patches/patch-aa 18
-rw-r--r-- www/curl/patches/patch-ac 13
5 files changed, 8 insertions, 40 deletions
diff --git a/www/curl/Makefile b/www/curl/Makefile
index 5a9cf2cf32a..1d9b4a61c84 100644
--- a/www/curl/Makefile
+++ b/www/curl/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.60 2005/12/10 17:57:29 salo Exp $
+# $NetBSD: Makefile,v 1.60.2.1 2006/03/24 15:52:28 salo Exp $
-DISTNAME= curl-7.15.1
+DISTNAME= curl-7.15.3
CATEGORIES= www
MASTER_SITES= http://curl.haxx.se/download/ \
ftp://ftp.sunet.se/pub/www/utilities/curl/ \
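Review bot: The `+DISTNAME= curl-7.15.3` line skips 7.15.2, so this security pullup brings every 7.15.2 change listed in the log onto the branch along with the TFTP overflow fix, including removals (LPRT support, Gopher) and new options. The pullup request should say that explicitly and note that packages on the branch linking against libcurl were rebuilt and checked, since the hunk shows only the version bump and no other adjustment.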
diff --git a/www/curl/PLIST b/www/curl/PLIST
index 192f62bc7fe..6cf97160ce4 100644
--- a/www/curl/PLIST
+++ b/www/curl/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.18 2005/12/10 17:57:29 salo Exp $
+@comment $NetBSD: PLIST,v 1.18.2.1 2006/03/24 15:52:28 salo Exp $
bin/curl
bin/curl-config
include/curl/curl.h
@@ -93,6 +93,7 @@ share/examples/curl/sepheaders.c
share/examples/curl/simple.c
share/examples/curl/simplepost.c
share/examples/curl/simplessl.c
+share/examples/curl/synctime.c
@dirrm share/examples/curl
@dirrm share/doc/curl
@dirrm share/curl
diff --git a/www/curl/distinfo b/www/curl/distinfo
index 76ac8c37210..4839429b9c5 100644
--- a/www/curl/distinfo
+++ b/www/curl/distinfo
@@ -1,7 +1,5 @@
-$NetBSD: distinfo,v 1.42 2005/12/10 17:57:29 salo Exp $
+$NetBSD: distinfo,v 1.42.2.1 2006/03/24 15:52:28 salo Exp $
-SHA1 (curl-7.15.1.tar.bz2) = 2b94192557954bba396bfbb980feed17aadc6295
-RMD160 (curl-7.15.1.tar.bz2) = c733937754b579d45de8c26cf4dfa6c5cec82fae
-Size (curl-7.15.1.tar.bz2) = 1437950 bytes
-SHA1 (patch-aa) = 83b1b2ec0d9531ef85c42d5ba1b5319415168d3e
-SHA1 (patch-ac) = 94d0f45a269b1de9cfe3353044ee9cd95bb2ada7
+SHA1 (curl-7.15.3.tar.bz2) = 7e764126ce564429fe2f142428a27cbfc8fb69ee
+RMD160 (curl-7.15.3.tar.bz2) = 35172fe66d5e6cc1df05e6160ffdf086448730f3
+Size (curl-7.15.3.tar.bz2) = 1467043 bytes
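Review bot: The new `SHA1` and `RMD160` lines for curl-7.15.3.tar.bz2 are the only integrity check on the distfile, and the MASTER_SITES shown in the Makefile hunk are plain http and ftp, so the values should be confirmed against a copy of the tarball obtained and verified independently of those mirrors before the pullup is accepted. The removal of the `SHA1 (patch-aa)` and `SHA1 (patch-ac)` lines matches the two deleted patch files, so no stale entries remain.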
diff --git a/www/curl/patches/patch-aa b/www/curl/patches/patch-aa
deleted file mode 100644
index 5a6e1f33e51..00000000000
--- a/www/curl/patches/patch-aa
+++ /dev/null
@@ -1,18 +0,0 @@
-$NetBSD: patch-aa,v 1.10 2005/06/12 13:43:36 jmmv Exp $
-
---- include/curl/multi.h.orig 2005-04-18 13:45:13.000000000 +0200
-+++ include/curl/multi.h
-@@ -52,12 +52,7 @@
- #endif
- #else
-
--/* HP-UX systems version 9, 10 and 11 lack sys/select.h and so does oldish
-- libc5-based Linux systems. Only include it on system that are known to
-- require it! */
--#if defined(_AIX) || defined(NETWARE)
--#include <sys/select.h>
--#endif
-+__INCLUDE_SYS_SELECT_H__
-
- #ifndef _WIN32_WCE
- #include <sys/socket.h>
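Review bot: The deleted patch replaced the `sys/select.h` conditional in include/curl/multi.h with the placeholder `__INCLUDE_SYS_SELECT_H__`, which only makes sense if something else in the package rewrote that placeholder at build time, yet the Makefile hunk in this commit changes only the RCS id and DISTNAME. Check that no substitution step referring to multi.h or this placeholder is left behind in the Makefile on the branch, and state in the log why the patch is no longer needed, since the 7.15.2 log only lists it as removed.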
diff --git a/www/curl/patches/patch-ac b/www/curl/patches/patch-ac
deleted file mode 100644
index 8ab133ed1b9..00000000000
--- a/www/curl/patches/patch-ac
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-ac,v 1.3 2005/11/04 19:48:45 tv Exp $
-
---- lib/if2ip.h.orig 2005-03-31 02:02:03.000000000 -0500
-+++ lib/if2ip.h
-@@ -27,6 +27,8 @@
- extern char *Curl_if2ip(const char *interf, char *buf, int buf_size);
-
- #ifdef __INTERIX
-+#include <sys/socket.h>
-+
- /* Nedelcho Stanev's work-around for SFU 3.0 */
- struct ifreq {
- #define IFNAMSIZ 16
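Review bot: Dropping the `#include <sys/socket.h>` addition under `#ifdef __INTERIX` in lib/if2ip.h relies on upstream 7.15.3 carrying an equivalent change; the log lists an "Interix build fix" but does not tie it to this file. Say so explicitly in the log, or confirm with a build on Interix, so the branch does not lose the work-around silently.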