From ca9a926d612d769063476630f594c017dc2e72f0 Mon Sep 17 00:00:00 2001
From: tron
Date: Sun, 15 Mar 2009 15:07:22 +0000
Subject: Pullup ticket 2722 - requested by bouyer
curl: build fix
Revisions pulled up:
- www/curl/Makefile patch
- www/curl/distinfo patch
- www/curl/patches/patch-ab patch
- www/curl/patches/patch-ac patch
- www/curl/patches/patch-ad patch
- www/curl/patches/patch-ae patch
- www/curl/patches/patch-af patch
---
The security patch for CVE-2009-0037 has changed on the master site which changed the checksum and size of "curl-7.18.1-CVE-2009-0037.patch". Update to the latest version and integrate it directly to avoid further build breaks.
---
 www/curl/Makefile | 7 ++----
 www/curl/distinfo | 10 +++++---
 www/curl/patches/patch-ab | 44 ++++++++++++++++++++++++++++++++
 www/curl/patches/patch-ac | 47 ++++++++++++++++++++++++++++++++++
 www/curl/patches/patch-ad | 64 +++++++++++++++++++++++++++++++++++++++++++++++
 www/curl/patches/patch-ae | 55 ++++++++++++++++++++++++++++++++++++++++
 www/curl/patches/patch-af | 20 +++++++++++++++
 7 files changed, 238 insertions(+), 9 deletions(-)
 create mode 100644 www/curl/patches/patch-ab
 create mode 100644 www/curl/patches/patch-ac
 create mode 100644 www/curl/patches/patch-ad
 create mode 100644 www/curl/patches/patch-ae
 create mode 100644 www/curl/patches/patch-af
(limited to 'www')
diff --git a/www/curl/Makefile b/www/curl/Makefile
index 8c7432beba0..d3c31f4ae56 100644
--- a/www/curl/Makefile
+++ b/www/curl/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.85.4.1 2009/03/13 04:51:54 rtr Exp $
+# $NetBSD: Makefile,v 1.85.4.2 2009/03/15 15:07:22 tron Exp $
 DISTNAME= curl-7.18.0
-PKGREVISION= 4
+PKGREVISION= 5
 CATEGORIES= www
 MASTER_SITES= http://curl.haxx.se/download/ \
 ftp://ftp.sunet.se/pub/www/utilities/curl/
@@ -11,9 +11,6 @@ MAINTAINER= recht@NetBSD.org
 HOMEPAGE= http://curl.haxx.se/
 COMMENT= Client that groks URLs
-PATCH_SITES= http://curl.haxx.se/CVE-2009-0037/
-PATCHFILES= curl-7.18.1-CVE-2009-0037.patch
-
 PKG_INSTALLATION_TYPES= overwrite pkgviews
 PKG_DESTDIR_SUPPORT= user-destdir
diff --git a/www/curl/distinfo b/www/curl/distinfo
index 5461e82008b..ff476d41918 100644
--- a/www/curl/distinfo
+++ b/www/curl/distinfo
@@ -1,9 +1,11 @@
-$NetBSD: distinfo,v 1.55.10.1 2009/03/13 04:51:54 rtr Exp $
+$NetBSD: distinfo,v 1.55.10.2 2009/03/15 15:07:22 tron Exp $
 SHA1 (curl-7.18.0.tar.bz2) = f561a6a1f285c22d1f6a54b4dfa19b6cb9362c2a
 RMD160 (curl-7.18.0.tar.bz2) = f25ec844e7ef6221719439b3214fd3c3a42f5604
 Size (curl-7.18.0.tar.bz2) = 1779421 bytes
-SHA1 (curl-7.18.1-CVE-2009-0037.patch) = d29ad61313f884a6e973612868b40cadc918a455
-RMD160 (curl-7.18.1-CVE-2009-0037.patch) = 05b91a9f07b8ac35fe6db4ad83c6660e0e0f91f4
-Size (curl-7.18.1-CVE-2009-0037.patch) = 9332 bytes
 SHA1 (patch-aa) = e9bf335832b55aa3a0ff12fa6a958594c961b3ad
+SHA1 (patch-ab) = f7bd7038ff19ba06a6ef3d5449d438c6b7771a3b
+SHA1 (patch-ac) = 6091842001ef3f9dafd4ad73302f05db9f560e56
+SHA1 (patch-ad) = ebd5a7e6b237f1e42c4fd351eb04778adaf96fda
+SHA1 (patch-ae) = f0afde3a632d0a11cb67a2e6eab4d490a9b8cda2
+SHA1 (patch-af) = a54ee40178e093dddd7e5a765b82513e46d82a05
diff --git a/www/curl/patches/patch-ab b/www/curl/patches/patch-ab
new file mode 100644
index 00000000000..c233ada8130
--- /dev/null
+++ b/www/curl/patches/patch-ab
@@ -0,0 +1,44 @@
+$NetBSD: patch-ab,v 1.11.28.1 2009/03/15 15:07:23 tron Exp $
+
+Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch
+
+--- docs/libcurl/curl_easy_setopt.3.orig
++++ docs/libcurl/curl_easy_setopt.3
+@@ -432,6 +432,26 @@ The string given to CURLOPT_URL must be
+ 
+ \fICURLOPT_URL\fP is the only option that \fBmust\fP be set before
+ \fIcurl_easy_perform(3)\fP is called.
++
++\fICURLOPT_PROTOCOLS\fP can be used to limit what protocols libcurl will use
++for this transfer, independent of what libcurl has been compiled to
++support. That may be useful if you accept the URL from an external source and
++want to limit the accessibility.
++.IP CURLOPT_PROTOCOLS
++Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask
++limits what protocols libcurl may use in the transfer. This allows you to have
++a libcurl built to support a wide range of protocols but still limit specific
++transfers to only be allowed to use a subset of them. By default libcurl will
++accept all protocols it supports. See also
++\fICURLOPT_REDIR_PROTOCOLS\fP. (Added in 7.19.4)
++.IP CURLOPT_REDIR_PROTOCOLS
++Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask
++limits what protocols libcurl may use in a transfer that it follows to in a
++redirect when \fICURLOPT_FOLLOWLOCATION\fP is enabled. This allows you to
++limit specific transfers to only be allowed to use a subset of protocols in
++redirections. By default libcurl will allow all protocols except for FILE and
++SCP. This is a difference compared to pre-7.19.4 versions which
++unconditionally would follow to all protocols supported. (Added in 7.19.4)
+ .IP CURLOPT_PROXY
+ Set HTTP proxy to use. The parameter should be a char * to a zero terminated
+ string holding the host name or dotted IP address.
To specify port number in
+@@ -671,6 +691,10 @@ This means that the library will re-send
+ and follow new Location: headers all the way until no more such headers are
+ returned. \fICURLOPT_MAXREDIRS\fP can be used to limit the number of redirects
+ libcurl will follow.
++
++NOTE: since 7.19.4, libcurl can limit to what protocols it will automatically
++follow. The accepted protocols are set with \fICURLOPT_REDIR_PROTOCOLS\fP and
++it excludes the FILE protocol by default.
+ .IP CURLOPT_UNRESTRICTED_AUTH
+ A non-zero parameter tells the library it can continue to send authentication
+ (user+password) when following locations, even when hostname changed. This
diff --git a/www/curl/patches/patch-ac b/www/curl/patches/patch-ac
new file mode 100644
index 00000000000..713c16dba79
--- /dev/null
+++ b/www/curl/patches/patch-ac
@@ -0,0 +1,47 @@
+$NetBSD: patch-ac,v 1.4.26.1 2009/03/15 15:07:23 tron Exp $
+
+Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch
+
+--- include/curl/curl.h.orig
++++ include/curl/curl.h
+@@ -580,6 +580,21 @@ typedef enum {
+ CURLFTPMETHOD_LAST /* not an option, never use */
+ } curl_ftpmethod;
+ 
++/* CURLPROTO_ defines are for the CURLOPT_*PROTOCOLS options */
++#define CURLPROTO_HTTP (1<<0)
++#define CURLPROTO_HTTPS (1<<1)
++#define CURLPROTO_FTP (1<<2)
++#define CURLPROTO_FTPS (1<<3)
++#define CURLPROTO_SCP (1<<4)
++#define CURLPROTO_SFTP (1<<5)
++#define CURLPROTO_TELNET (1<<6)
++#define CURLPROTO_LDAP (1<<7)
++#define CURLPROTO_LDAPS (1<<8)
++#define CURLPROTO_DICT (1<<9)
++#define CURLPROTO_FILE (1<<10)
++#define CURLPROTO_TFTP (1<<11)
++#define CURLPROTO_ALL (~0) /* enable everything */
++
+ /* long may be 32 or 64 bits, but we should never depend on anything else
+ but 32 */
+ #define CURLOPTTYPE_LONG 0
+@@ -1188,6 +1203,18 @@ typedef enum {
+ CINIT(SEEKFUNCTION, FUNCTIONPOINT, 167),
+ CINIT(SEEKDATA, OBJECTPOINT, 168),
+ 
++ /* set the bitmask for the protocols that are allowed to be used for the
++ transfer, which thus helps the app which takes URLs from users or other
++ external inputs and want to restrict what protocol(s) to deal
++ with. Defaults to CURLPROTO_ALL. */
++ CINIT(PROTOCOLS, LONG, 181),
++
++ /* set the bitmask for the protocols that libcurl is allowed to follow to,
++ as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
++ to be set in both bitmasks to be allowed to get redirected to. Defaults
++ to CURLPROTO_ALL & ~CURLPROTO_FILE. */
++ CINIT(REDIR_PROTOCOLS, LONG, 182),
++
+ CURLOPT_LASTENTRY /* the last unused */
+ } CURLoption;
+ 
diff --git a/www/curl/patches/patch-ad b/www/curl/patches/patch-ad
new file mode 100644
index 00000000000..408c930e5e9
--- /dev/null
+++ b/www/curl/patches/patch-ad
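Review bot: The comment above `CINIT(REDIR_PROTOCOLS, LONG, 182)` states the default is `CURLPROTO_ALL & ~CURLPROTO_FILE`, but the defaults actually installed by this pullup (Curl_open in patch-ad and curl_easy_reset in patch-af) are `PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP)`, so SCP is excluded from redirects as well. This header is the public contract an application reads when deciding whether it must set the option itself, so the comment should read `Defaults to CURLPROTO_ALL & ~(CURLPROTO_FILE|CURLPROTO_SCP). */`. The same wording is repeated verbatim in the CURLOPT_REDIR_PROTOCOLS case of Curl_setopt in patch-ad, and the man page in patch-ab is internally inconsistent: its CURLOPT_REDIR_PROTOCOLS entry says FILE and SCP, while the NOTE under CURLOPT_FOLLOWLOCATION says only FILE. All of this is copied from the upstream patch named in the file header, so the correction may belong upstream as much as in the pkgsrc copy.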
@@ -0,0 +1,64 @@
+$NetBSD: patch-ad,v 1.1.2.1 2009/03/15 15:07:23 tron Exp $
+
+Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch
+
+--- lib/url.c.orig
++++ lib/url.c
+@@ -734,6 +734,13 @@ CURLcode Curl_open(struct SessionHandle
+ data->set.new_file_perms = 0644; /* Default permissions */
+ data->set.new_directory_perms = 0755; /* Default permissions */
+ 
++ /* for the *protocols fields we don't use the CURLPROTO_ALL convenience
++ define since we internally only use the lower 16 bits for the passed
++ in bitmask to not conflict with the private bits */
++ data->set.allowed_protocols = PROT_EXTMASK;
++ data->set.redir_protocols =
++ PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP); /* not FILE or SCP */
++
+ /* most recent connection is not yet defined */
+ data->state.lastconnect = -1;
+ 
+@@ -2075,6 +2082,22 @@ CURLcode Curl_setopt(struct SessionHandl
+ }
+ break;
+ 
++ case CURLOPT_PROTOCOLS:
++ /* set the bitmask for the protocols that are allowed to be used for the
++ transfer, which thus helps the app which takes URLs from users or other
++ external inputs and want to restrict what protocol(s) to deal
++ with. Defaults to CURLPROTO_ALL. */
++ data->set.allowed_protocols = va_arg(param, long) & PROT_EXTMASK;
++ break;
++
++ case CURLOPT_REDIR_PROTOCOLS:
++ /* set the bitmask for the protocols that libcurl is allowed to follow to,
++ as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
++ to be set in both bitmasks to be allowed to get redirected to. Defaults
++ to CURLPROTO_ALL & ~CURLPROTO_FILE. */
++ data->set.redir_protocols = va_arg(param, long) & PROT_EXTMASK;
++ break;
++
+ default:
+ /* unknown tag and its companion, just ignore: */
+ result = CURLE_FAILED_INIT; /* correct this */
+@@ -3128,7 +3151,19 @@ static CURLcode setup_connection_interna
+ 
+ for (pp = protocols; (p = *pp) != NULL; pp++)
+ if(strequal(p->scheme, conn->protostr)) {
+- /* Protocol found in table. Perform setup complement if some.
*/
++ /* Protocol found in table. Check if allowed */
++ if(!(data->set.allowed_protocols & p->protocol))
++ /* nope, get out */
++ break;
++
++ /* it is allowed for "normal" request, now do an extra check if this is
++ the result of a redirect */
++ if(data->state.this_is_a_follow &&
++ !(data->set.redir_protocols & p->protocol))
++ /* nope, get out */
++ break;
++
++ /* Perform setup complement if some. */
+ conn->handler = p;
+ 
+ if(p->setup_connection) {
diff --git a/www/curl/patches/patch-ae b/www/curl/patches/patch-ae
new file mode 100644
index 00000000000..bf5001b9d3b
--- /dev/null
+++ b/www/curl/patches/patch-ae
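Review bot: The two new `break` statements in setup_connection_internals reject a disallowed protocol by leaving the loop with `conn->handler` unassigned, and rely entirely on the code after the loop — outside this hunk — to turn that into an error return; the hunk itself adds no failure path. That is only safe if, in the 7.18.0 tree this is applied to, the matched-handler branch ends with a `return` so that a `break` can never fall into a success path; worth confirming, since the file header says the patch was written against 7.18.1. A one-line comment at the first `break` would make the dependency visible to the next reader, e.g. `/* leaves conn->handler unset; the code after the loop reports the protocol as unsupported */`. The enclosing function continues beyond the hunk.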
@@ -0,0 +1,55 @@
+$NetBSD: patch-ae,v 1.1.2.1 2009/03/15 15:07:23 tron Exp $
+
+Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch
+
+--- lib/urldata.h.orig
++++ lib/urldata.h
+@@ -863,19 +863,26 @@ struct connectdata {
+ long connectindex; /* what index in the connection cache connects index this
+ particular struct has */
+ long protocol; /* PROT_* flags concerning the protocol set */
+-#define PROT_MISSING (1<<0)
+-#define PROT_HTTP (1<<2)
+-#define PROT_HTTPS (1<<3)
+-#define PROT_FTP (1<<4)
+-#define PROT_TELNET (1<<5)
+-#define PROT_DICT (1<<6)
+-#define PROT_LDAP (1<<7)
+-#define PROT_FILE (1<<8)
+-#define PROT_FTPS (1<<9)
+-#define PROT_SSL (1<<10) /* protocol requires SSL */
+-#define PROT_TFTP (1<<11)
+-#define PROT_SCP (1<<12)
+-#define PROT_SFTP (1<<13)
++#define PROT_HTTP CURLPROTO_HTTP
++#define PROT_HTTPS CURLPROTO_HTTPS
++#define PROT_FTP CURLPROTO_FTP
++#define PROT_TELNET CURLPROTO_TELNET
++#define PROT_DICT CURLPROTO_DICT
++#define PROT_LDAP CURLPROTO_LDAP
++#define PROT_FILE CURLPROTO_FILE
++#define PROT_FTPS CURLPROTO_FTPS
++#define PROT_TFTP CURLPROTO_TFTP
++#define PROT_SCP CURLPROTO_SCP
++#define PROT_SFTP CURLPROTO_SFTP
++
++/* CURLPROTO_TFTP (1<<11) is currently the highest used bit in the public
++ bitmask. We make sure we use "private bits" above the first 16 to make
++ things easier. */
++
++#define PROT_EXTMASK 0xffff
++
++#define PROT_SSL (1<<22) /* protocol requires SSL */
++#define PROT_MISSING (1<<23)
+ 
+ #define PROT_CLOSEACTION PROT_FTP /* these ones need action before socket
+ close */
+@@ -1467,6 +1474,8 @@ struct UserDefined {
+ bool proxy_transfer_mode; /* set transfer mode (;type=) when doing FTP
+ via an HTTP proxy */
+ char *str[STRING_LAST]; /* array of strings, pointing to allocated memory */
++ long allowed_protocols;
++ long redir_protocols;
+ };
+ 
+ struct Names {
diff --git a/www/curl/patches/patch-af b/www/curl/patches/patch-af
new file mode 100644
index 00000000000..0486921ad29
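Review bot: `long allowed_protocols;` and `long redir_protocols;` are added to struct UserDefined without the trailing comment that every neighbouring field carries, and nothing at the declaration says they hold only the low 16 bits (PROT_EXTMASK) of a CURLPROTO_* bitmask, which is what the Curl_setopt cases in patch-ad enforce. Suggest `long allowed_protocols; /* CURLPROTO_* bitmask, PROT_EXTMASK bits only */` and `long redir_protocols; /* subset of allowed_protocols honoured on a redirect */`. The relocation of PROT_SSL to `(1<<22)` and PROT_MISSING to `(1<<23)` puts both private bits above the 0xffff public mask, so a caller-supplied bitmask can no longer set them; the three-line comment above PROT_EXTMASK explains the intent, and it would help to say there that the two private bits below are the ones being protected.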
--- /dev/null
+++ b/www/curl/patches/patch-af
@@ -0,0 +1,20 @@
+$NetBSD: patch-af,v 1.1.2.1 2009/03/15 15:07:23 tron Exp $
+
+Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch
+
+--- lib/easy.c.orig
++++ lib/easy.c
+@@ -756,6 +756,13 @@ void curl_easy_reset(CURL *curl)
+ type */
+ data->set.new_file_perms = 0644; /* Default permissions */
+ data->set.new_directory_perms = 0755; /* Default permissions */
++
++ /* for the *protocols fields we don't use the CURLPROTO_ALL convenience
++ define since we internally only use the lower 16 bits for the passed
++ in bitmask to not conflict with the private bits */
++ data->set.allowed_protocols = PROT_EXTMASK;
++ data->set.redir_protocols =
++ PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP); /* not FILE or SCP */
+ }
+ 
+ /*
-- cgit v1.2.3
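Review bot: The default-protocol block added to curl_easy_reset is a byte-for-byte copy of the one added to Curl_open in patch-ad, three-line comment included, and the two must stay in agreement because curl_easy_reset presumably restores the state Curl_open establishes. A cross-reference in place of the duplicated explanation would keep future edits in sync, e.g. `/* keep in sync with the *protocols defaults set in Curl_open() in url.c */`. The enclosing function begins before the hunk.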