From 780bad3147e7ca91eed65d37f937bfc7d5582157 Mon Sep 17 00:00:00 2001 From: wiz Date: Sat, 28 Jan 2012 14:41:14 +0000 Subject: Update to 7.24.0: Fixed in 7.24.0 - January 24 2012 Release contains security-related bug fix Changes: * CURLOPT_QUOTE: SFTP supports the '*'-prefix now * CURLOPT_DNS_SERVERS: set name servers if possible * Add support for using nettle instead of gcrypt as gnutls backend * CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes * Added CURLOPT_ACCEPTTIMEOUT_MS * configure: add symbols versioning option --enable-versioned-symbols Bugfixes: * curl was vulnerable to a data injection attack for certain protocols CVE-2012-0036 * curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL * SSL session share: move the age counter to the share object * -J -O: use -O name if no Content-Disposition header comes! * protocol_connect: show verbose connect and set connect time * query-part: ignore the URI part for given protocols * gnutls: only translate winsock errors for old versions * POP3: fix end of body detection * POP3: detect when LIST returns no mails * TELNET: improved treatment of options * configure: add support for pkg-config detection of libidn * CyaSSL 2.0+ library initialization adjustment * multi interface: only use non-NULL socker function pointer * call opensocket callback properly for active FTP * don't call close socket callback for sockets created with accept() * differentiate better between host/proxy errors * SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5 * multi: handle timeouts on DNS servers by checking for new sockets * CURLOPT_DNS_SERVERS: fix return code * POP3: fixed escaped dot not being stripped out * OpenSSL: check for the SSLv2 function in configure * MakefileBuild: fix the static build * create_conn: don't switch to HTTP protocol if tunneling is enabled * multi interface: fix block when CONNECT_ONLY option is used * Fix connection reuse for TLS upgraded connections * multiple file upload with -F and custom type * multi interface: active FTP connections are no longer blocking * Android build fix * timer: restore PRETRANSFER timing * libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM * appconnect time fixed for non-blocking connect ssl backends * do not include SSL handshake into time spent waiting for 100-continue * handle dns cache case insensitive * use new host name casing for subsequent HTTP requests * CURLOPT_RESOLVE: avoid adding already present host names * SFTP mkdir: use correct permission * resolve: don't leak pre-populated dns entries * --retry: Retry transfers on timeout and DNS errors * negotiate with SSPI backend: use the correct buffer for input * SFTP dir: increase buffer size counter to avoid cut off file names * TFTP: fix resending (again) * c-ares: don't include getaddrinfo-using code * FTP: CURLE_PARTIAL_FILE will not close the control channel * win32-threaded-resolver: stop using a dummy socket * OpenSSL: remove reference to openssl internal struct * OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled * OpenSSL: fix PKCS#12 certificate parsing related memory leak * OpenLDAP: fix LDAP connection phase memory leak * Telnet: Use correct file descriptor for telnet upload * Telnet: Remove bogus optimisation of telnet upload * URL parse: user name with ipv6 numerical address * polarssl: show cipher suite name correctly with 1.1.0 * polarssl: havege_rand is not present in version 1.1.0 WARNING, we still use the old API which is said to be insecure * gnutls: enforced use of SSLv3 --- www/curl/Makefile | 5 +- www/curl/PLIST | 6 ++- www/curl/distinfo | 16 ++----- www/curl/patches/patch-aa | 29 +++++++++-- www/curl/patches/patch-ba | 120 ---------------------------------------------- www/curl/patches/patch-bb | 33 ------------- www/curl/patches/patch-bc | 25 ---------- www/curl/patches/patch-bd | 19 -------- www/curl/patches/patch-be | 27 ----------- www/curl/patches/patch-bf | 46 ------------------ 10 files changed, 37 insertions(+), 289 deletions(-) delete mode 100644 www/curl/patches/patch-ba delete mode 100644 www/curl/patches/patch-bb delete mode 100644 www/curl/patches/patch-bc delete mode 100644 www/curl/patches/patch-bd delete mode 100644 www/curl/patches/patch-be delete mode 100644 www/curl/patches/patch-bf (limited to 'www/curl') diff --git a/www/curl/Makefile b/www/curl/Makefile index d28bced1cd6..4db52dd9563 100644 --- a/www/curl/Makefile +++ b/www/curl/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.110 2012/01/26 11:25:55 drochner Exp $ +# $NetBSD: Makefile,v 1.111 2012/01/28 14:41:14 wiz Exp $ -DISTNAME= curl-7.23.1 -PKGREVISION= 1 +DISTNAME= curl-7.24.0 CATEGORIES= www MASTER_SITES= http://curl.haxx.se/download/ \ ftp://ftp.sunet.se/pub/www/utilities/curl/ diff --git a/www/curl/PLIST b/www/curl/PLIST index 317331bf9d6..057320a19c5 100644 --- a/www/curl/PLIST +++ b/www/curl/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.34 2011/11/30 20:56:08 wiz Exp $ +@comment $NetBSD: PLIST,v 1.35 2012/01/28 14:41:15 wiz Exp $ bin/curl bin/curl-config include/curl/curl.h @@ -101,6 +101,7 @@ share/examples/curl/http-post.c share/examples/curl/httpcustomheader.c share/examples/curl/httpput.c share/examples/curl/https.c +share/examples/curl/imap.c share/examples/curl/multi-app.c share/examples/curl/multi-debugcallback.c share/examples/curl/multi-double.c @@ -109,6 +110,8 @@ share/examples/curl/multi-single.c share/examples/curl/multithread.c share/examples/curl/opensslthreadlock.c share/examples/curl/persistant.c +share/examples/curl/pop3s.c +share/examples/curl/pop3slist.c share/examples/curl/post-callback.c share/examples/curl/postit2.c share/examples/curl/progressfunc.c @@ -126,3 +129,4 @@ share/examples/curl/smtp-multi.c share/examples/curl/smtp-tls.c share/examples/curl/synctime.c share/examples/curl/threaded-ssl.c +share/examples/curl/url2file.c diff --git a/www/curl/distinfo b/www/curl/distinfo index efe48fb4128..0deac249c3e 100644 --- a/www/curl/distinfo +++ b/www/curl/distinfo @@ -1,12 +1,6 @@ -$NetBSD: distinfo,v 1.73 2012/01/26 11:25:55 drochner Exp $ +$NetBSD: distinfo,v 1.74 2012/01/28 14:41:15 wiz Exp $ -SHA1 (curl-7.23.1.tar.bz2) = 9bac69696446ead85e59d8488098ee84cf897b7e -RMD160 (curl-7.23.1.tar.bz2) = 96c45f38361d04a939e135c9e5fcf27ca1180abe -Size (curl-7.23.1.tar.bz2) = 2376653 bytes -SHA1 (patch-aa) = 14a1854429e12d0f7d0da040a09ef6d173a6dff2 -SHA1 (patch-ba) = b247fed2f7224a2d584f5370a18d8a609706859a -SHA1 (patch-bb) = 86fd7e1d100b1991be43d3aa415be5a37a81db5f -SHA1 (patch-bc) = 7ac1cf45003c541078b5deb96b8a373ce0631fcc -SHA1 (patch-bd) = ab1b25ce6c5a057d6429d4ba4d79b1db27c2a3ae -SHA1 (patch-be) = a5cf52d7ccc768c8be41e4f2ae53e90f998708a2 -SHA1 (patch-bf) = 7ae4442ea7e81293d91b7415b767708f1e2e8321 +SHA1 (curl-7.24.0.tar.bz2) = 2f2775a67de9fc91b47f5bb70fb7d359f7db55e7 +RMD160 (curl-7.24.0.tar.bz2) = b2b3116318813478b4683ae479cb889c4fc05cea +Size (curl-7.24.0.tar.bz2) = 2406936 bytes +SHA1 (patch-aa) = 29e7a24fe828c88dd2f5435edcfe6dace44f18b3 diff --git a/www/curl/patches/patch-aa b/www/curl/patches/patch-aa index 9d69a0396de..d576d41c61a 100644 --- a/www/curl/patches/patch-aa +++ b/www/curl/patches/patch-aa @@ -1,8 +1,8 @@ -$NetBSD: patch-aa,v 1.17 2010/10/16 23:58:04 wiz Exp $ +$NetBSD: patch-aa,v 1.18 2012/01/28 14:41:15 wiz Exp $ ---- configure.orig 2010-10-01 20:49:17.000000000 +0000 +--- configure.orig 2012-01-23 15:32:37.000000000 +0000 +++ configure -@@ -14766,7 +14766,7 @@ squeeze() { +@@ -15614,7 +15614,7 @@ squeeze() { # @@ -11,7 +11,7 @@ $NetBSD: patch-aa,v 1.17 2010/10/16 23:58:04 wiz Exp $ # if test "$compiler_id" = "GNU_C" || test "$compiler_id" = "CLANG"; then -@@ -19176,15 +19176,15 @@ $as_echo "#define HAVE_GSSAPI 1" >>confd +@@ -20090,15 +20090,15 @@ $as_echo "#define HAVE_GSSAPI 1" >>confd LIBS="$LIBS $gss_libs" elif test "$GSSAPI_ROOT" != "yes"; then LDFLAGS="$LDFLAGS -L$GSSAPI_ROOT/lib$libsuff" @@ -30,3 +30,24 @@ $NetBSD: patch-aa,v 1.17 2010/10/16 23:58:04 wiz Exp $ fi else CPPFLAGS="$save_CPPFLAGS" +@@ -23346,15 +23346,15 @@ if test "${enable_versioned_symbols+set} + $as_echo "yes" >&6; } + if test "x$OPENSSL_ENABLED" = "x1"; then + versioned_symbols_flavour="OPENSSL_" +- elif test "x$GNUTLS_ENABLED" == "x1"; then ++ elif test "x$GNUTLS_ENABLED" = "x1"; then + versioned_symbols_flavour="GNUTLS_" +- elif test "x$NSS_ENABLED" == "x1"; then ++ elif test "x$NSS_ENABLED" = "x1"; then + versioned_symbols_flavour="NSS_" +- elif test "x$POLARSSL_ENABLED" == "x1"; then ++ elif test "x$POLARSSL_ENABLED" = "x1"; then + versioned_symbols_flavour="POLARSSL_" +- elif test "x$CYASSL_ENABLED" == "x1"; then ++ elif test "x$CYASSL_ENABLED" = "x1"; then + versioned_symbols_flavour="CYASSL_" +- elif test "x$AXTLS_ENABLED" == "x1"; then ++ elif test "x$AXTLS_ENABLED" = "x1"; then + versioned_symbols_flavour="AXTLS_" + else + versioned_symbols_flavour="" diff --git a/www/curl/patches/patch-ba b/www/curl/patches/patch-ba deleted file mode 100644 index 2c6ffa1d97a..00000000000 --- a/www/curl/patches/patch-ba +++ /dev/null @@ -1,120 +0,0 @@ -$NetBSD: patch-ba,v 1.1 2012/01/26 11:25:55 drochner Exp $ - -CVE-2012-0036 - ---- lib/escape.c.orig 2011-11-04 22:32:56.000000000 +0000 -+++ lib/escape.c -@@ -31,6 +31,7 @@ - #include "urldata.h" - #include "warnless.h" - #include "non-ascii.h" -+#include "escape.h" - - #define _MPRINTF_REPLACE /* use our functions only */ - #include -@@ -84,7 +85,7 @@ char *curl_easy_escape(CURL *handle, con - char *testing_ptr = NULL; - unsigned char in; /* we need to treat the characters unsigned */ - size_t newlen = alloc; -- int strindex=0; -+ size_t strindex=0; - size_t length; - CURLcode res; - -@@ -132,23 +133,29 @@ char *curl_easy_escape(CURL *handle, con - } - - /* -- * Unescapes the given URL escaped string of given length. Returns a -- * pointer to a malloced string with length given in *olen. -- * If length == 0, the length is assumed to be strlen(string). -- * If olen == NULL, no output length is stored. -+ * Curl_urldecode() URL decodes the given string. -+ * -+ * Optionally detects control characters (byte codes lower than 32) in the -+ * data and rejects such data. -+ * -+ * Returns a pointer to a malloced string in *ostring with length given in -+ * *olen. If length == 0, the length is assumed to be strlen(string). -+ * - */ --char *curl_easy_unescape(CURL *handle, const char *string, int length, -- int *olen) -+CURLcode Curl_urldecode(struct SessionHandle *data, -+ const char *string, size_t length, -+ char **ostring, size_t *olen, -+ bool reject_ctrl) - { -- int alloc = (length?length:(int)strlen(string))+1; -+ size_t alloc = (length?length:strlen(string))+1; - char *ns = malloc(alloc); - unsigned char in; -- int strindex=0; -+ size_t strindex=0; - unsigned long hex; - CURLcode res; - - if(!ns) -- return NULL; -+ return CURLE_OUT_OF_MEMORY; - - while(--alloc > 0) { - in = *string; -@@ -164,16 +171,20 @@ char *curl_easy_unescape(CURL *handle, c - - in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */ - -- res = Curl_convert_from_network(handle, &in, 1); -+ res = Curl_convert_from_network(data, &in, 1); - if(res) { - /* Curl_convert_from_network calls failf if unsuccessful */ - free(ns); -- return NULL; -+ return res; - } - - string+=2; - alloc-=2; - } -+ if(reject_ctrl && (in < 0x20)) { -+ free(ns); -+ return CURLE_URL_MALFORMAT; -+ } - - ns[strindex++] = in; - string++; -@@ -183,7 +194,33 @@ char *curl_easy_unescape(CURL *handle, c - if(olen) - /* store output size */ - *olen = strindex; -- return ns; -+ -+ if(ostring) -+ /* store output string */ -+ *ostring = ns; -+ -+ return CURLE_OK; -+} -+ -+/* -+ * Unescapes the given URL escaped string of given length. Returns a -+ * pointer to a malloced string with length given in *olen. -+ * If length == 0, the length is assumed to be strlen(string). -+ * If olen == NULL, no output length is stored. -+ */ -+char *curl_easy_unescape(CURL *handle, const char *string, int length, -+ int *olen) -+{ -+ char *str = NULL; -+ size_t inputlen = length; -+ size_t outputlen; -+ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen, -+ FALSE); -+ if(res) -+ return NULL; -+ if(olen) -+ *olen = curlx_uztosi(outputlen); -+ return str; - } - - /* For operating systems/environments that use different malloc/free diff --git a/www/curl/patches/patch-bb b/www/curl/patches/patch-bb deleted file mode 100644 index fbe0a501371..00000000000 --- a/www/curl/patches/patch-bb +++ /dev/null @@ -1,33 +0,0 @@ -$NetBSD: patch-bb,v 1.1 2012/01/26 11:25:55 drochner Exp $ - -CVE-2012-0036 - ---- lib/escape.h.orig 2011-03-19 15:16:07.000000000 +0000 -+++ lib/escape.h -@@ -1,5 +1,5 @@ --#ifndef __ESCAPE_H --#define __ESCAPE_H -+#ifndef HEADER_CURL_ESCAPE_H -+#define HEADER_CURL_ESCAPE_H - - /*************************************************************************** - * _ _ ____ _ -@@ -8,7 +8,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2006, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -25,5 +25,9 @@ - /* Escape and unescape URL encoding in strings. The functions return a new - * allocated string or NULL if an error occurred. */ - -+CURLcode Curl_urldecode(struct SessionHandle *data, -+ const char *string, size_t length, -+ char **ostring, size_t *olen, -+ bool reject_crlf); - - #endif diff --git a/www/curl/patches/patch-bc b/www/curl/patches/patch-bc deleted file mode 100644 index e06d98857a2..00000000000 --- a/www/curl/patches/patch-bc +++ /dev/null @@ -1,25 +0,0 @@ -$NetBSD: patch-bc,v 1.1 2012/01/26 11:25:55 drochner Exp $ - -CVE-2012-0036 - ---- lib/imap.c.orig 2011-11-04 22:32:56.000000000 +0000 -+++ lib/imap.c -@@ -947,17 +947,12 @@ static CURLcode imap_parse_url_path(stru - struct imap_conn *imapc = &conn->proto.imapc; - struct SessionHandle *data = conn->data; - const char *path = data->state.path; -- int len; - - if(!*path) - path = "INBOX"; - - /* url decode the path and use this mailbox */ -- imapc->mailbox = curl_easy_unescape(data, path, 0, &len); -- if(!imapc->mailbox) -- return CURLE_OUT_OF_MEMORY; -- -- return CURLE_OK; -+ return Curl_urldecode(data, path, 0, &imapc->mailbox, NULL, TRUE); - } - - /* call this when the DO phase has completed */ diff --git a/www/curl/patches/patch-bd b/www/curl/patches/patch-bd deleted file mode 100644 index cd51f6b2c66..00000000000 --- a/www/curl/patches/patch-bd +++ /dev/null @@ -1,19 +0,0 @@ -$NetBSD: patch-bd,v 1.1 2012/01/26 11:25:55 drochner Exp $ - -CVE-2012-0036 - ---- lib/pop3.c.orig 2011-11-04 22:32:56.000000000 +0000 -+++ lib/pop3.c -@@ -899,11 +899,7 @@ static CURLcode pop3_parse_url_path(stru - const char *path = data->state.path; - - /* url decode the path and use this mailbox */ -- pop3c->mailbox = curl_easy_unescape(data, path, 0, NULL); -- if(!pop3c->mailbox) -- return CURLE_OUT_OF_MEMORY; -- -- return CURLE_OK; -+ return Curl_urldecode(data, path, 0, &pop3c->mailbox, NULL, TRUE); - } - - /* call this when the DO phase has completed */ diff --git a/www/curl/patches/patch-be b/www/curl/patches/patch-be deleted file mode 100644 index d7a7210e7a9..00000000000 --- a/www/curl/patches/patch-be +++ /dev/null @@ -1,27 +0,0 @@ -$NetBSD: patch-be,v 1.1 2012/01/26 11:25:55 drochner Exp $ - -CVE-2012-0036 - ---- lib/smtp.c.orig 2011-11-04 22:32:57.000000000 +0000 -+++ lib/smtp.c -@@ -1243,7 +1243,6 @@ static CURLcode smtp_connect(struct conn - struct SessionHandle *data = conn->data; - struct pingpong *pp = &smtpc->pp; - const char *path = conn->data->state.path; -- int len; - char localhost[HOSTNAME_MAX + 1]; - - *done = FALSE; /* default to not done yet */ -@@ -1315,9 +1314,9 @@ static CURLcode smtp_connect(struct conn - } - - /* url decode the path and use it as domain with EHLO */ -- smtpc->domain = curl_easy_unescape(conn->data, path, 0, &len); -- if(!smtpc->domain) -- return CURLE_OUT_OF_MEMORY; -+ result = Curl_urldecode(conn->data, path, 0, &smtpc->domain, NULL, TRUE); -+ if(result) -+ return result; - - /* When we connect, we start in the state where we await the server greeting - */ diff --git a/www/curl/patches/patch-bf b/www/curl/patches/patch-bf deleted file mode 100644 index faac69c000d..00000000000 --- a/www/curl/patches/patch-bf +++ /dev/null @@ -1,46 +0,0 @@ -$NetBSD: patch-bf,v 1.1 2012/01/26 11:25:55 drochner Exp $ - -CVE-2011-3389 - ---- lib/ssluse.c.orig 2011-11-06 15:58:24.000000000 +0000 -+++ lib/ssluse.c -@@ -1420,6 +1420,7 @@ ossl_connect_step1(struct connectdata *c - X509_LOOKUP *lookup=NULL; - curl_socket_t sockfd = conn->sock[sockindex]; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; -+ long ctx_options; - #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - bool sni; - #ifdef ENABLE_IPV6 -@@ -1525,16 +1526,27 @@ ossl_connect_step1(struct connectdata *c - If someone writes an application with libcurl and openssl who wants to - enable the feature, one can do this in the SSL callback. - -+ OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability -+ (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to -+ SSL_OP_ALL that _disables_ that work-around despite the fact that -+ SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to -+ keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit -+ must not be set. -+ - */ -+ -+ ctx_options = SSL_OP_ALL; -+ - #ifdef SSL_OP_NO_TICKET - /* expect older openssl releases to not have this define so only use it if - present */ --#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET --#else --#define CURL_CTX_OPTIONS SSL_OP_ALL -+ ctx_options |= SSL_OP_NO_TICKET; -+#endif -+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS -+ ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; - #endif - -- SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS); -+ SSL_CTX_set_options(connssl->ctx, ctx_options); - - /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ - if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) -- cgit v1.2.3