authordrochner <drochner@pkgsrc.org>2013-06-29 12:08:50 +0000
committerdrochner <drochner@pkgsrc.org>2013-06-29 12:08:50 +0000
commit4816486391ba67a2eac62badefdb785857cb9573 (patch)
treefc245acbd3a1332e864c7fb1cd535bc77860f51f /www/curl
parentd2c2eaa54b6c4062b7d5ff539c4935a80961256a (diff)
downloadpkgsrc-4816486391ba67a2eac62badefdb785857cb9573.tar.gz
add patch from upstream to fix possible buffer overflow in URL parser
(CVE-2013-2174), bump PKGREV
Diffstat (limited to 'www/curl')
-rw-r--r--www/curl/Makefile4
-rw-r--r--www/curl/distinfo3
-rw-r--r--www/curl/patches/patch-CVE-2013-217416
3 files changed, 20 insertions, 3 deletions
diff --git a/www/curl/Makefile b/www/curl/Makefile
index 276d882264b..53b76606748 100644
--- a/www/curl/Makefile
+++ b/www/curl/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.128 2013/05/31 12:42:31 wiz Exp $
+# $NetBSD: Makefile,v 1.129 2013/06/29 12:08:50 drochner Exp $
DISTNAME= curl-7.30.0
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= www
MASTER_SITES= http://curl.haxx.se/download/ \
ftp://ftp.sunet.se/pub/www/utilities/curl/
diff --git a/www/curl/distinfo b/www/curl/distinfo
index d16c90e3887..c7e6b3a98a9 100644
--- a/www/curl/distinfo
+++ b/www/curl/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.85 2013/04/14 16:39:48 wiz Exp $
+$NetBSD: distinfo,v 1.86 2013/06/29 12:08:50 drochner Exp $
SHA1 (curl-7.30.0.tar.bz2) = 23fdc215558023b943cea9dfab04b86020037b0d
RMD160 (curl-7.30.0.tar.bz2) = 858e772c17fc05d7114856f09fc34e696f1ef595
Size (curl-7.30.0.tar.bz2) = 2625976 bytes
+SHA1 (patch-CVE-2013-2174) = 30b9f66fbc1112ba1dc361002768a0597ac1456b
SHA1 (patch-aa) = 07e12cd0576b87cfed74a6a2bf8dd42cb2f5a570
SHA1 (patch-curl-config.in) = c685dd4fd85fc9d97c6e6ff8dbf871c35dd57046
diff --git a/www/curl/patches/patch-CVE-2013-2174 b/www/curl/patches/patch-CVE-2013-2174
new file mode 100644
index 00000000000..8a5ea0f664b
--- /dev/null
+++ b/www/curl/patches/patch-CVE-2013-2174
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2013-2174,v 1.1 2013/06/29 12:08:50 drochner Exp $
+
+see http://curl.haxx.se/docs/adv_20130622.html
+
+--- lib/escape.c.orig 2013-01-16 22:05:56.000000000 +0000
++++ lib/escape.c
+@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHa
+
+ while(--alloc > 0) {
+ in = *string;
+- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
++ if(('%' == in) && (alloc > 2) &&
++ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
+ /* this is two hexadecimal digits following a '%' */
+ char hexstr[3];
+ char *ptr;
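Review bot: The patch file's header gives only the advisory URL, so nothing in the tree explains why `(alloc > 2)` is the right bound in the `if` inside `Curl_urldecode`. From the `while(--alloc > 0)` loop it appears that alloc counts the input bytes still to be consumed, including the current '%', so the guard ensures string[1] and string[2] lie inside the caller-supplied length before ISXDIGIT looks at them; the old condition inspected both regardless of how many bytes remained. I would say so in the header, for example `Only decode %XX when both hex digits lie within the given input length; patch from upstream, remove once the package moves to a curl release that includes it.` The function continues outside the hunk, so it is worth confirming that the branch also lowers alloc by two when it consumes the digits, otherwise the guard would drift on later iterations.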