0043-curl-backport-CC-version.patch 29 KB

  1. From: Matthias Schiffer <mschiffer@universe-factory.net>
  2. Date: Sun, 16 Aug 2015 10:50:20 +0200
  3. Subject: curl: backport CC version
  4. diff --git a/package/network/utils/curl/Config.in b/package/network/utils/curl/Config.in
  5. index 086f5c2..11cfa39 100644
  6. --- a/package/network/utils/curl/Config.in
  7. +++ b/package/network/utils/curl/Config.in
  8. @@ -1,112 +1,154 @@
  9. -menu "Configuration"
  10. - depends on PACKAGE_libcurl
  11. +if PACKAGE_libcurl
  12. +
  13. +comment "SSL support"
  14. choice
  15. - prompt "SSL library"
  16. + prompt "Selected SSL library"
  17. default LIBCURL_POLARSSL
  18. -config LIBCURL_POLARSSL
  19. - bool "PolarSSL"
  20. + config LIBCURL_POLARSSL
  21. + bool "PolarSSL"
  22. -config LIBCURL_CYASSL
  23. - bool "CyaSSL"
  24. + config LIBCURL_CYASSL
  25. + bool "CyaSSL"
  26. -config LIBCURL_AXTLS
  27. - bool "axTLS"
  28. + config LIBCURL_AXTLS
  29. + bool "axTLS"
  30. -config LIBCURL_OPENSSL
  31. - bool "OpenSSL"
  32. + config LIBCURL_OPENSSL
  33. + bool "OpenSSL"
  34. -config LIBCURL_GNUTLS
  35. - bool "GNUTLS"
  36. + config LIBCURL_GNUTLS
  37. + bool "GNUTLS"
  38. -config LIBCURL_NOSSL
  39. - bool "No SSL support"
  40. + config LIBCURL_NOSSL
  41. + bool "No SSL support"
  42. endchoice
  43. -config LIBCURL_COOKIES
  44. - bool "Enable cookies support"
  45. - default y
  46. -
  47. -config LIBCURL_CRYPTO_AUTH
  48. - bool "Enable cryptographic authentication"
  49. - default n
  50. +comment "Supported protocols"
  51. config LIBCURL_DICT
  52. - bool "Enable DICT support"
  53. + bool "DICT protocol"
  54. default n
  55. config LIBCURL_FILE
  56. - bool "Enable FILE support"
  57. + bool "FILE protocol"
  58. default y
  59. config LIBCURL_FTP
  60. - bool "Enable FTP support"
  61. + bool "FTP / FTPS protocol"
  62. default y
  63. config LIBCURL_GOPHER
  64. - bool "Enable Gopher support"
  65. + bool "Gopher protocol"
  66. default n
  67. config LIBCURL_HTTP
  68. - bool "Enable HTTP support"
  69. + bool "HTTP / HTTPS protocol"
  70. + default y
  71. +
  72. +config LIBCURL_COOKIES
  73. + bool "Enable Cookies support"
  74. + depends on LIBCURL_HTTP
  75. default y
  76. config LIBCURL_IMAP
  77. - bool "Enable IMAP support"
  78. + bool "IMAP / IMAPS protocol"
  79. default n
  80. config LIBCURL_LDAP
  81. - bool "Enable LDAP support"
  82. + bool "LDAP protocol"
  83. default n
  84. config LIBCURL_LDAPS
  85. bool "Enable LDAPS support"
  86. - default n
  87. -
  88. -config LIBCURL_LIBCURL_OPTION
  89. - bool "Enable --libcurl C code generation support"
  90. - default n
  91. + depends on LIBCURL_LDAP && !LIBCURL_NOSSL
  92. + default y
  93. config LIBCURL_POP3
  94. - bool "Enable POP3 support"
  95. + bool "POP3 / POP3S protocol"
  96. default n
  97. -config LIBCURL_PROXY
  98. - bool "Enable proxy support"
  99. +config LIBCURL_RTSP
  100. + bool "RTSP protocol"
  101. + depends on LIBCURL_HTTP
  102. default n
  103. +config LIBCURL_NO_RTSP
  104. + string "RTSP require HTTP protocol"
  105. + depends on !LIBCURL_HTTP
  106. + default "!"
  107. -config LIBCURL_RTSP
  108. - bool "Enable RTSP support"
  109. +config LIBCURL_SSH2
  110. + bool "SCP / SFTP protocol"
  111. default n
  112. -config LIBCURL_SMTP
  113. - bool "Enable SMTP support"
  114. +config LIBCURL_SMB
  115. + bool "SMB protocol (CIFS)"
  116. + depends on LIBCURL_CRYPTO_AUTH && (LIBCURL_GNUTLS || LIBCURL_OPENSSL)
  117. default n
  118. +config LIBCURL_NO_SMB
  119. + string "SMB require 'cryptographic authentication' and either 'GnuTLS' or 'OpenSSL'"
  120. + depends on !LIBCURL_CRYPTO_AUTH || (!LIBCURL_GNUTLS && !LIBCURL_OPENSSL)
  121. + default "!"
  122. -config LIBCURL_SSPI
  123. - bool "Enable SSPI"
  124. +config LIBCURL_SMTP
  125. + bool "SMTP / SMTPS protocol"
  126. default n
  127. config LIBCURL_TELNET
  128. - bool "Enable TELNET support"
  129. + bool "TELNET protocol"
  130. default n
  131. config LIBCURL_TFTP
  132. - bool "Enable TFTP support"
  133. + bool "TFTP protocol"
  134. default n
  135. -config LIBCURL_THREADED_RESOLVER
  136. - bool "Enable threaded resolver"
  137. +comment "Miscellaneous"
  138. +
  139. +config LIBCURL_PROXY
  140. + bool "Enable proxy support"
  141. + default y
  142. +
  143. +config LIBCURL_CRYPTO_AUTH
  144. + bool "Enable cryptographic authentication"
  145. default n
  146. -config LIBCURL_TLS-SRP
  147. +config LIBCURL_TLS_SRP
  148. bool "Enable TLS-SRP authentication"
  149. default n
  150. +config LIBCURL_LIBIDN
  151. + bool "Enable IDN support"
  152. + default n
  153. +
  154. +config LIBCURL_THREADED_RESOLVER
  155. + bool "Enable threaded DNS resolver"
  156. + default n
  157. + help
  158. + Enable POSIX threaded asynchronous DNS resolution
  159. +
  160. config LIBCURL_ZLIB
  161. - bool "Use zlib"
  162. + bool "Enable zlib support"
  163. + default n
  164. +
  165. +config LIBCURL_UNIX_SOCKETS
  166. + bool "Enable unix domain socket support"
  167. + default n
  168. + help
  169. + Enable HTTP over unix domain sockets.
  170. + To use this with the curl command line, you specify the socket path to the new --unix-domain option.
  171. + This feature is actually not limited to HTTP, you can do all the TCP-based protocols
  172. + except FTP over the unix domain socket, but it is only HTTP that is regularly used this way.
  173. + The reason FTP isn't supported is of course its use of two connections
  174. + which would be even weirder to do like this.
  175. +
  176. +config LIBCURL_LIBCURL_OPTION
  177. + bool "Enable generation of C code"
  178. + default n
  179. +
  180. +config LIBCURL_VERBOSE
  181. + bool "Enable verbose error strings"
  182. default n
  183. -endmenu
  184. +endif
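Review bot: `LIBCURL_NOSSL` has no help text, although the reworded prompts now advertise the TLS variants (`HTTP / HTTPS protocol`, `FTP / FTPS protocol`, `IMAP / IMAPS protocol`, `POP3 / POP3S protocol`, `SMTP / SMTPS protocol`) and only `LIBCURL_LDAPS` is tied to `!LIBCURL_NOSSL`. Someone who picks "No SSL support" can still tick a protocol whose label promises the secure variant and end up with a plaintext-only library. A help block under `config LIBCURL_NOSSL` would make this explicit, for example `help` followed by `Builds libcurl without any TLS backend; HTTPS, FTPS, IMAPS, POP3S, SMTPS and LDAPS are then unavailable.`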
  185. diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile
  186. index 0bb8323..7f6d355 100644
  187. --- a/package/network/utils/curl/Makefile
  188. +++ b/package/network/utils/curl/Makefile
  189. @@ -1,5 +1,5 @@
  190. #
  191. -# Copyright (C) 2007-2014 OpenWrt.org
  192. +# Copyright (C) 2007-2015 OpenWrt.org
  193. #
  194. # This is free software, licensed under the GNU General Public License v2.
  195. # See /LICENSE for more information.
  196. @@ -8,8 +8,8 @@
  197. include $(TOPDIR)/rules.mk
  198. PKG_NAME:=curl
  199. -PKG_VERSION:=7.38.0
  200. -PKG_RELEASE:=1
  201. +PKG_VERSION:=7.40.0
  202. +PKG_RELEASE:=3
  203. PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
  204. PKG_SOURCE_URL:=http://curl.haxx.se/download/ \
  205. @@ -18,7 +18,7 @@ PKG_SOURCE_URL:=http://curl.haxx.se/download/ \
  206. ftp://ftp.planetmirror.com/pub/curl/ \
  207. http://www.mirrormonster.com/curl/download/ \
  208. http://curl.mirrors.cyberservers.net/download/
  209. -PKG_MD5SUM:=af6b3c299bd891f43cb5f76c4091b7b4
  210. +PKG_MD5SUM:=8d30594212e65657a5c32030f0998fa9
  211. PKG_LICENSE:=MIT
  212. PKG_LICENSE_FILES:=COPYING
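Review bot: The new tarball is pinned only by an MD5 digest in `PKG_MD5SUM`, while the mirrors in the surrounding context lines are plain `http://` and `ftp://` URLs, so that digest is the sole integrity check on the downloaded source. MD5 is no longer collision resistant. If the build system in this tree accepts a longer digest in that field, a SHA-256 value would be a stronger pin. Either way, the value should be cross-checked against the upstream release signature before it is committed.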
  213. @@ -26,34 +26,45 @@ PKG_LICENSE_FILES:=COPYING
  214. PKG_FIXUP:=autoreconf
  215. PKG_BUILD_PARALLEL:=1
  216. -PKG_CONFIG_DEPENDS := \
  217. - LIBCURL_AXTLS \
  218. - LIBCURL_COOKIES \
  219. - LIBCURL_CRYPTO_AUTH \
  220. - LIBCURL_CYASSL \
  221. - LIBCURL_DICT \
  222. - LIBCURL_FILE \
  223. - LIBCURL_FTP \
  224. - LIBCURL_GNUTLS \
  225. - LIBCURL_GOPHER \
  226. - LIBCURL_HTTP \
  227. - LIBCURL_IMAP \
  228. - LIBCURL_LDAP \
  229. - LIBCURL_LDAPS \
  230. - LIBCURL_LIBCURL_OPTION \
  231. - LIBCURL_NOSSL \
  232. - LIBCURL_OPENSSL \
  233. - LIBCURL_POLARSSL \
  234. - LIBCURL_POP3 \
  235. - LIBCURL_PROXY \
  236. - LIBCURL_RTSP \
  237. - LIBCURL_SMTP \
  238. - LIBCURL_SSPI \
  239. - LIBCURL_TELNET \
  240. - LIBCURL_TFTP \
  241. - LIBCURL_THREADED_RESOLVER \
  242. - LIBCURL_TLS-SRP \
  243. - LIBCURL_ZLIB
  244. +PKG_CONFIG_DEPENDS:= \
  245. + CONFIG_IPV6 \
  246. + \
  247. + CONFIG_LIBCURL_AXTLS \
  248. + CONFIG_LIBCURL_CYASSL \
  249. + CONFIG_LIBCURL_GNUTLS \
  250. + CONFIG_LIBCURL_OPENSSL \
  251. + CONFIG_LIBCURL_POLARSSL \
  252. + CONFIG_LIBCURL_NOSSL \
  253. + \
  254. + CONFIG_LIBCURL_LIBIDN \
  255. + CONFIG_LIBCURL_SSH2 \
  256. + CONFIG_LIBCURL_ZLIB \
  257. + \
  258. + CONFIG_LIBCURL_DICT \
  259. + CONFIG_LIBCURL_FILE \
  260. + CONFIG_LIBCURL_FTP \
  261. + CONFIG_LIBCURL_GOPHER \
  262. + CONFIG_LIBCURL_HTTP \
  263. + CONFIG_LIBCURL_IMAP \
  264. + CONFIG_LIBCURL_LDAP \
  265. + CONFIG_LIBCURL_LDAPS \
  266. + CONFIG_LIBCURL_POP3 \
  267. + CONFIG_LIBCURL_RTSP \
  268. + CONFIG_LIBCURL_NO_RTSP \
  269. + CONFIG_LIBCURL_SMB \
  270. + CONFIG_LIBCURL_NO_SMB \
  271. + CONFIG_LIBCURL_SMTP \
  272. + CONFIG_LIBCURL_TELNET \
  273. + CONFIG_LIBCURL_TFTP \
  274. + \
  275. + CONFIG_LIBCURL_COOKIES \
  276. + CONFIG_LIBCURL_CRYPTO_AUTH \
  277. + CONFIG_LIBCURL_LIBCURL_OPTION \
  278. + CONFIG_LIBCURL_PROXY \
  279. + CONFIG_LIBCURL_THREADED_RESOLVER \
  280. + CONFIG_LIBCURL_TLS_SRP \
  281. + CONFIG_LIBCURL_UNIX_SOCKETS \
  282. + CONFIG_LIBCURL_VERBOSE
  283. include $(INCLUDE_DIR)/package.mk
  284. @@ -75,8 +86,9 @@ define Package/libcurl
  285. $(call Package/curl/Default)
  286. SECTION:=libs
  287. CATEGORY:=Libraries
  288. - DEPENDS:=+LIBCURL_POLARSSL:libpolarssl +LIBCURL_CYASSL:libcyassl +LIBCURL_AXTLS:libaxtls +LIBCURL_OPENSSL:libopenssl +LIBCURL_GNUTLS:libgnutls +LIBCURL_ZLIB:zlib +LIBCURL_THREADED_RESOLVER:libpthread
  289. - TITLE:=A client-side URL transfer library using $(if $(CONFIG_LIBCURL_POLARSSL),PolarSSL)$(if $(CONFIG_LIBCURL_OPENSSL),OpenSSL)$(if $(CONFIG_LIBCURL_GNUTLS),GNUTLS)$(if $(CONFIG_LIBCURL_NOSSL),no SSL)
  290. + DEPENDS:=+LIBCURL_POLARSSL:libpolarssl +LIBCURL_CYASSL:libcyassl +LIBCURL_AXTLS:libaxtls +LIBCURL_OPENSSL:libopenssl +LIBCURL_GNUTLS:libgnutls
  291. + DEPENDS += +LIBCURL_ZLIB:zlib +LIBCURL_THREADED_RESOLVER:libpthread +LIBCURL_LDAP:libopenldap +LIBCURL_LIBIDN:libidn +LIBCURL_SSH2:libssh2
  292. + TITLE:=A client-side URL transfer library
  293. MENU:=1
  294. endef
  295. @@ -88,46 +100,51 @@ endef
  296. TARGET_CFLAGS += $(FPIC)
  297. CONFIGURE_ARGS += \
  298. + --disable-debug \
  299. + --disable-ares \
  300. --enable-shared \
  301. --enable-static \
  302. - --disable-thread \
  303. - --enable-nonblocking \
  304. - --disable-ares \
  305. - --disable-debug \
  306. --disable-manual \
  307. - --disable-verbose \
  308. --without-ca-bundle \
  309. - --without-krb4 \
  310. - --without-libidn \
  311. --without-nss \
  312. - --without-libssh2 \
  313. + --without-libmetalink \
  314. + --without-librtmp \
  315. + \
  316. $(call autoconf_bool,CONFIG_IPV6,ipv6) \
  317. - $(if $(CONFIG_LIBCURL_AXTLS),--with-axtls="$(STAGING_DIR)/usr",--without-axtls) \
  318. - $(if $(CONFIG_LIBCURL_COOKIES),--enable,--disable)-cookies \
  319. - $(if $(CONFIG_LIBCURL_CRYPTO-AUTH),--enable,--disable)-crypto-auth \
  320. - $(if $(CONFIG_LIBCURL_CYASSL),--with-cyassl="$(STAGING_DIR)/usr",--without-cyassl) \
  321. - $(if $(CONFIG_LIBCURL_DICT),--enable,--disable)-dict \
  322. - $(if $(CONFIG_LIBCURL_FILE),--enable,--disable)-file \
  323. - $(if $(CONFIG_LIBCURL_FTP),--enable,--disable)-ftp \
  324. - $(if $(CONFIG_LIBCURL_GOPHER),--enable,--disable)-gopher \
  325. - $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr",--without-gnutls) \
  326. - $(if $(CONFIG_LIBCURL_HTTP),--enable,--disable)-http \
  327. - $(if $(CONFIG_LIBCURL_IMAP),--enable,--disable)-imap \
  328. - $(if $(CONFIG_LIBCURL_LDAP),--enable,--disable)-ldap \
  329. - $(if $(CONFIG_LIBCURL_LDAPS),--enable,--disable)-ldaps \
  330. - $(if $(CONFIG_LIBCURL_LIBCURL-OPTION),--enable,--disable)-libcurl-option \
  331. - $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr",--without-ssl) \
  332. - $(if $(CONFIG_LIBCURL_POLARSSL),--with-polarssl="$(STAGING_DIR)/usr",--without-polarssl) \
  333. - $(if $(CONFIG_LIBCURL_POP3),--enable,--disable)-pop3 \
  334. - $(if $(CONFIG_LIBCURL_PROXY),--enable,--disable)-proxy \
  335. - $(if $(CONFIG_LIBCURL_RTSP),--enable,--disable)-rtsp \
  336. - $(if $(CONFIG_LIBCURL_TELNET),--enable,--disable)-telnet \
  337. - $(if $(CONFIG_LIBCURL_TFTP),--enable,--disable)-tftp \
  338. - $(if $(CONFIG_LIBCURL_SMTP),--enable,--disable)-smtp \
  339. - $(if $(CONFIG_LIBCURL_SSPI),--enable,--disable)-sspi \
  340. - $(if $(CONFIG_LIBCURL_THREADED_RESOLVER),--enable,--disable)-threaded-resolver \
  341. - $(if $(CONFIG_LIBCURL_TLS-SRP),--enable,--disable)-tls-srp \
  342. + \
  343. + $(if $(CONFIG_LIBCURL_AXTLS),--with-axtls="$(STAGING_DIR)/usr" --without-ca-path,--without-axtls) \
  344. + $(if $(CONFIG_LIBCURL_CYASSL),--with-cyassl="$(STAGING_DIR)/usr" --without-ca-path,--without-cyassl) \
  345. + $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr" --without-ca-path,--without-gnutls) \
  346. + $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr" --with-ca-path=/etc/ssl/certs,--without-ssl) \
  347. + $(if $(CONFIG_LIBCURL_POLARSSL),--with-polarssl="$(STAGING_DIR)/usr" --with-ca-path=/etc/ssl/certs,--without-polarssl) \
  348. + \
  349. + $(if $(CONFIG_LIBCURL_LIBIDN),--with-libidn="$(STAGING_DIR)/usr",--without-libidn) \
  350. + $(if $(CONFIG_LIBCURL_SSH2),--with-libssh2="$(STAGING_DIR)/usr",--without-libssh2) \
  351. $(if $(CONFIG_LIBCURL_ZLIB),--with-zlib="$(STAGING_DIR)/usr",--without-zlib) \
  352. + \
  353. + $(call autoconf_bool,CONFIG_LIBCURL_DICT,dict) \
  354. + $(call autoconf_bool,CONFIG_LIBCURL_FILE,file) \
  355. + $(call autoconf_bool,CONFIG_LIBCURL_FTP,ftp) \
  356. + $(call autoconf_bool,CONFIG_LIBCURL_GOPHER,gopher) \
  357. + $(call autoconf_bool,CONFIG_LIBCURL_HTTP,http) \
  358. + $(call autoconf_bool,CONFIG_LIBCURL_IMAP,imap) \
  359. + $(call autoconf_bool,CONFIG_LIBCURL_LDAP,ldap) \
  360. + $(call autoconf_bool,CONFIG_LIBCURL_LDAPS,ldaps) \
  361. + $(call autoconf_bool,CONFIG_LIBCURL_POP3,pop3) \
  362. + $(call autoconf_bool,CONFIG_LIBCURL_RTSP,rtsp) \
  363. + $(call autoconf_bool,CONFIG_LIBCURL_SMB,smb) \
  364. + $(call autoconf_bool,CONFIG_LIBCURL_SMTP,smtp) \
  365. + $(call autoconf_bool,CONFIG_LIBCURL_TELNET,telnet) \
  366. + $(call autoconf_bool,CONFIG_LIBCURL_TFTP,tftp) \
  367. + \
  368. + $(call autoconf_bool,CONFIG_LIBCURL_COOKIES,cookies) \
  369. + $(call autoconf_bool,CONFIG_LIBCURL_CRYPTO_AUTH,crypto-auth) \
  370. + $(call autoconf_bool,CONFIG_LIBCURL_LIBCURL_OPTION,libcurl-option) \
  371. + $(call autoconf_bool,CONFIG_LIBCURL_PROXY,proxy) \
  372. + $(call autoconf_bool,CONFIG_LIBCURL_THREADED_RESOLVER,threaded-resolver) \
  373. + $(call autoconf_bool,CONFIG_LIBCURL_TLS_SRP,tls-srp) \
  374. + $(call autoconf_bool,CONFIG_LIBCURL_UNIX_SOCKETS,unix-sockets) \
  375. + $(call autoconf_bool,CONFIG_LIBCURL_VERBOSE,verbose) \
  376. define Build/Compile
  377. +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
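Review bot: The axTLS, CyaSSL and GnuTLS branches now pass `--without-ca-path` on top of the global `--without-ca-bundle`, so those builds appear to ship with no default trust anchors, while OpenSSL and PolarSSL get `--with-ca-path=/etc/ssl/certs`. With peer verification enabled, HTTPS transfers on those three backends would presumably fail unless the caller supplies a CA file, which in practice pushes users toward turning verification off. A comment above the `CONFIGURE_ARGS +=` assignment (not inside the continued list, where `#` would swallow the remaining lines) should record this, e.g. `# no default CA path for axTLS/CyaSSL/GnuTLS: callers must pass a CA file (CURLOPT_CAINFO / --cacert)`. The `define Build/Compile` block at the end of the hunk continues outside it.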
  378. @@ -144,7 +161,7 @@ define Build/InstallDev
  379. $(CP) $(PKG_BUILD_DIR)/libcurl.pc $(1)/usr/lib/pkgconfig/
  380. $(SED) 's,-L$$$${exec_prefix}/lib,,g' $(1)/usr/bin/curl-config
  381. [ -n "$(TARGET_LDFLAGS)" ] && $(SED) 's#$(TARGET_LDFLAGS)##g' $(1)/usr/lib/pkgconfig/libcurl.pc || true
  382. - ln -sf $(STAGING_DIR)/usr/bin/curl-config $(2)/bin/
  383. + $(LN) $(STAGING_DIR)/usr/bin/curl-config $(2)/bin/
  384. endef
  385. define Package/curl/install
  386. diff --git a/package/network/utils/curl/patches/010-CVE-2015-3143.patch b/package/network/utils/curl/patches/010-CVE-2015-3143.patch
  387. new file mode 100644
  388. index 0000000..697c9c9
  389. --- /dev/null
  390. +++ b/package/network/utils/curl/patches/010-CVE-2015-3143.patch
  391. @@ -0,0 +1,28 @@
  392. +From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001
  393. +From: Daniel Stenberg <daniel@haxx.se>
  394. +Date: Thu, 16 Apr 2015 13:26:46 +0200
  395. +Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to
  396. + match
  397. +
  398. +CVE-2015-3143
  399. +
  400. +Bug: http://curl.haxx.se/docs/adv_20150422A.html
  401. +Reported-by: Paras Sethia
  402. +---
  403. + lib/url.c | 2 +-
  404. + 1 file changed, 1 insertion(+), 1 deletion(-)
  405. +
  406. +--- a/lib/url.c
  407. ++++ b/lib/url.c
  408. +@@ -3184,7 +3184,11 @@ ConnectionExists(struct SessionHandle *d
  409. + }
  410. +
  411. + if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
  412. ++#if defined(USE_NTLM)
  413. ++ (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
  414. ++#else
  415. + wantNTLMhttp) {
  416. ++#endif
  417. + /* This protocol requires credentials per connection or is HTTP+NTLM,
  418. + so verify that we're using the same name and password as well */
  419. + if(!strequal(needle->user, check->user) ||
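Review bot: The embedded patch header still carries a diffstat of `1 insertion(+), 1 deletion(-)`, but the hunk below it adds four lines and removes none, so this is an adapted backport rather than the commit named in its `From` line. A sentence in the patch description saying the fix was reworked for 7.40.0, and why the `#if defined(USE_NTLM)` guard is needed (presumably `check->ntlm` only exists in NTLM builds — confirm), would let an auditor compare it with the upstream advisory. The guard also splits one `if(` across two preprocessor branches that each close the condition and open the brace; computing the extra term into a local flag before the `if` would keep a single condition. `ConnectionExists` starts and ends outside the hunk.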
  420. diff --git a/package/network/utils/curl/patches/011-CVE-2015-3144.patch b/package/network/utils/curl/patches/011-CVE-2015-3144.patch
  421. new file mode 100644
  422. index 0000000..7da9489
  423. --- /dev/null
  424. +++ b/package/network/utils/curl/patches/011-CVE-2015-3144.patch
  425. @@ -0,0 +1,32 @@
  426. +From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
  427. +From: Daniel Stenberg <daniel@haxx.se>
  428. +Date: Thu, 16 Apr 2015 23:52:04 +0200
  429. +Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
  430. +MIME-Version: 1.0
  431. +Content-Type: text/plain; charset=UTF-8
  432. +Content-Transfer-Encoding: 8bit
  433. +
  434. +If a URL is given with a zero-length host name, like in "http://:80" or
  435. +just ":80", `fix_hostname()` will index the host name pointer with a -1
  436. +offset (as it blindly assumes a non-zero length) and both read and
  437. +assign that address.
  438. +
  439. +CVE-2015-3144
  440. +
  441. +Bug: http://curl.haxx.se/docs/adv_20150422D.html
  442. +Reported-by: Hanno Böck
  443. +---
  444. + lib/url.c | 2 +-
  445. + 1 file changed, 1 insertion(+), 1 deletion(-)
  446. +
  447. +--- a/lib/url.c
  448. ++++ b/lib/url.c
  449. +@@ -3606,7 +3606,7 @@ static void fix_hostname(struct SessionH
  450. + host->dispname = host->name;
  451. +
  452. + len = strlen(host->name);
  453. +- if(host->name[len-1] == '.')
  454. ++ if(len && (host->name[len-1] == '.'))
  455. + /* strip off a single trailing dot if present, primarily for SNI but
  456. + there's no use for it */
  457. + host->name[len-1]=0;
  458. diff --git a/package/network/utils/curl/patches/012-CVE-2015-3145.patch b/package/network/utils/curl/patches/012-CVE-2015-3145.patch
  459. new file mode 100644
  460. index 0000000..c7ecbe9
  461. --- /dev/null
  462. +++ b/package/network/utils/curl/patches/012-CVE-2015-3145.patch
  463. @@ -0,0 +1,53 @@
  464. +From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
  465. +From: Daniel Stenberg <daniel@haxx.se>
  466. +Date: Thu, 16 Apr 2015 16:37:40 +0200
  467. +Subject: [PATCH] cookie: cookie parser out of boundary memory access
  468. +MIME-Version: 1.0
  469. +Content-Type: text/plain; charset=UTF-8
  470. +Content-Transfer-Encoding: 8bit
  471. +
  472. +The internal libcurl function called sanitize_cookie_path() that cleans
  473. +up the path element as given to it from a remote site or when read from
  474. +a file, did not properly validate the input. If given a path that
  475. +consisted of a single double-quote, libcurl would index a newly
  476. +allocated memory area with index -1 and assign a zero to it, thus
  477. +destroying heap memory it wasn't supposed to.
  478. +
  479. +CVE-2015-3145
  480. +
  481. +Bug: http://curl.haxx.se/docs/adv_20150422C.html
  482. +Reported-by: Hanno Böck
  483. +---
  484. + lib/cookie.c | 12 +++++++-----
  485. + 1 file changed, 7 insertions(+), 5 deletions(-)
  486. +
  487. +--- a/lib/cookie.c
  488. ++++ b/lib/cookie.c
  489. +@@ -236,11 +236,14 @@ static char *sanitize_cookie_path(const
  490. + return NULL;
  491. +
  492. + /* some stupid site sends path attribute with '"'. */
  493. ++ len = strlen(new_path);
  494. + if(new_path[0] == '\"') {
  495. +- memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
  496. ++ memmove((void *)new_path, (const void *)(new_path + 1), len);
  497. ++ len--;
  498. + }
  499. +- if(new_path[strlen(new_path) - 1] == '\"') {
  500. +- new_path[strlen(new_path) - 1] = 0x0;
  501. ++ if(len && (new_path[len - 1] == '\"')) {
  502. ++ new_path[len - 1] = 0x0;
  503. ++ len--;
  504. + }
  505. +
  506. + /* RFC6265 5.2.4 The Path Attribute */
  507. +@@ -252,8 +255,7 @@ static char *sanitize_cookie_path(const
  508. + }
  509. +
  510. + /* convert /hoge/ to /hoge */
  511. +- len = strlen(new_path);
  512. +- if(1 < len && new_path[len - 1] == '/') {
  513. ++ if(len && new_path[len - 1] == '/') {
  514. + new_path[len - 1] = 0x0;
  515. + }
  516. +
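Review bot: The last changed line relaxes the trailing-slash guard from `1 < len` to `len`, so a cookie path that is exactly `/` now has its only character overwritten and becomes an empty string. The out-of-bounds fix only needs `len` to be non-zero before `new_path[len - 1]` is read, which `1 < len` already guarantees, so keeping `if(1 < len && new_path[len - 1] == '/') {` preserves the root path. How the path-matching code treats an empty path is outside this hunk and worth confirming, as is the code between the two inner hunks. `sanitize_cookie_path` starts and ends outside the hunk.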
  517. diff --git a/package/network/utils/curl/patches/013-CVE-2015-3148.patch b/package/network/utils/curl/patches/013-CVE-2015-3148.patch
  518. new file mode 100644
  519. index 0000000..ed52160
  520. --- /dev/null
  521. +++ b/package/network/utils/curl/patches/013-CVE-2015-3148.patch
  522. @@ -0,0 +1,37 @@
  523. +From 6abfb512ed22c2de891a4398616d81a2a0690b5a Mon Sep 17 00:00:00 2001
  524. +From: Daniel Stenberg <daniel@haxx.se>
  525. +Date: Sat, 18 Apr 2015 23:50:16 +0200
  526. +Subject: [PATCH] http_done: close Negotiate connections when done
  527. +
  528. +When doing HTTP requests Negotiate authenticated, the entire connnection
  529. +may become authenticated and not just the specific HTTP request which is
  530. +otherwise how HTTP works, as Negotiate can basically use NTLM under the
  531. +hood. curl was not adhering to this fact but would assume that such
  532. +requests would also be authenticated per request.
  533. +
  534. +CVE-2015-3148
  535. +
  536. +Bug: http://curl.haxx.se/docs/adv_20150422B.html
  537. +Reported-by: Isaac Boukris
  538. +---
  539. + lib/http.c | 8 +++++++-
  540. + 1 file changed, 7 insertions(+), 1 deletion(-)
  541. +
  542. +--- a/lib/http.c
  543. ++++ b/lib/http.c
  544. +@@ -1493,8 +1493,14 @@ CURLcode Curl_http_done(struct connectda
  545. +
  546. + #ifdef USE_SPNEGO
  547. + if(data->state.proxyneg.state == GSS_AUTHSENT ||
  548. +- data->state.negotiate.state == GSS_AUTHSENT)
  549. ++ data->state.negotiate.state == GSS_AUTHSENT) {
  550. ++ /* add forbid re-use if http-code != 401 as a WA
  551. ++ * only needed for 401 that failed handling
  552. ++ * otherwie state will be RECV with current code */
  553. ++ if((data->req.httpcode != 401) && (data->req.httpcode != 407))
  554. ++ connclose(conn, "Negotiate transfer completed");
  555. + Curl_cleanup_negotiate(data);
  556. ++ }
  557. + #endif
  558. +
  559. + /* set the proper values (possibly modified on POST) */
  560. diff --git a/package/network/utils/curl/patches/014-CVE-2015-3153.patch b/package/network/utils/curl/patches/014-CVE-2015-3153.patch
  561. new file mode 100644
  562. index 0000000..f6d37d4
  563. --- /dev/null
  564. +++ b/package/network/utils/curl/patches/014-CVE-2015-3153.patch
  565. @@ -0,0 +1,95 @@
  566. +From 69a2e8d7ec581695a62527cb2252e7350f314ffa Mon Sep 17 00:00:00 2001
  567. +From: Daniel Stenberg <daniel@haxx.se>
  568. +Date: Thu, 23 Apr 2015 15:58:21 +0200
  569. +Subject: [PATCH] CURLOPT_HEADEROPT: default to separate
  570. +
  571. +Make the HTTP headers separated by default for improved security and
  572. +reduced risk for information leakage.
  573. +
  574. +Bug: http://curl.haxx.se/docs/adv_20150429.html
  575. +Reported-by: Yehezkel Horowitz, Oren Souroujon
  576. +---
  577. + docs/libcurl/opts/CURLOPT_HEADEROPT.3 | 12 ++++++------
  578. + lib/url.c | 1 +
  579. + tests/data/test1527 | 2 +-
  580. + tests/data/test287 | 2 +-
  581. + tests/libtest/lib1527.c | 1 +
  582. + 5 files changed, 10 insertions(+), 8 deletions(-)
  583. +
  584. +--- a/docs/libcurl/opts/CURLOPT_HEADEROPT.3
  585. ++++ b/docs/libcurl/opts/CURLOPT_HEADEROPT.3
  586. +@@ -5,7 +5,7 @@
  587. + .\" * | (__| |_| | _ <| |___
  588. + .\" * \___|\___/|_| \_\_____|
  589. + .\" *
  590. +-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  591. ++.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
  592. + .\" *
  593. + .\" * This software is licensed as described in the file COPYING, which
  594. + .\" * you should have received as part of this distribution. The terms
  595. +@@ -31,10 +31,10 @@ CURLcode curl_easy_setopt(CURL *handle,
  596. + Pass a long that is a bitmask of options of how to deal with headers. The two
  597. + mutually exclusive options are:
  598. +
  599. +-\fBCURLHEADER_UNIFIED\fP - keep working as before. This means
  600. +-\fICURLOPT_HTTPHEADER(3)\fP headers will be used in requests both to servers
  601. +-and proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not
  602. +-have any effect.
  603. ++\fBCURLHEADER_UNIFIED\fP - the headers specified in
  604. ++\fICURLOPT_HTTPHEADER(3)\fP will be used in requests both to servers and
  605. ++proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not have
  606. ++any effect.
  607. +
  608. + \fBCURLHEADER_SEPARATE\fP - makes \fICURLOPT_HTTPHEADER(3)\fP headers only get
  609. + sent to a server and not to a proxy. Proxy headers must be set with
  610. +@@ -44,7 +44,7 @@ headers. When doing CONNECT, libcurl wil
  611. + headers only to the proxy and then \fICURLOPT_HTTPHEADER(3)\fP headers only to
  612. + the server.
  613. + .SH DEFAULT
  614. +-CURLHEADER_UNIFIED
  615. ++CURLHEADER_SEPARATE (changed in 7.42.1, ased CURLHEADER_UNIFIED before then)
  616. + .SH PROTOCOLS
  617. + HTTP
  618. + .SH EXAMPLE
  619. +--- a/lib/url.c
  620. ++++ b/lib/url.c
  621. +@@ -605,6 +605,7 @@ CURLcode Curl_init_userdefined(struct Us
  622. + set->ssl_enable_alpn = TRUE;
  623. +
  624. + set->expect_100_timeout = 1000L; /* Wait for a second by default. */
  625. ++ set->sep_headers = TRUE; /* separated header lists by default */
  626. + return result;
  627. + }
  628. +
  629. +--- a/tests/data/test1527
  630. ++++ b/tests/data/test1527
  631. +@@ -45,7 +45,7 @@ http-proxy
  632. + lib1527
  633. + </tool>
  634. + <name>
  635. +-Check same headers are generated without CURLOPT_PROXYHEADER
  636. ++Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED
  637. + </name>
  638. + <command>
  639. + http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT
  640. +--- a/tests/data/test287
  641. ++++ b/tests/data/test287
  642. +@@ -28,7 +28,7 @@ http
  643. + HTTP proxy CONNECT with custom User-Agent header
  644. + </name>
  645. + <command>
  646. +-http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel
  647. ++http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007"
  648. + </command>
  649. + </client>
  650. +
  651. +--- a/tests/libtest/lib1527.c
  652. ++++ b/tests/libtest/lib1527.c
  653. +@@ -83,6 +83,7 @@ int test(char *URL)
  654. + test_setopt(curl, CURLOPT_READFUNCTION, read_callback);
  655. + test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
  656. + test_setopt(curl, CURLOPT_INFILESIZE, strlen(data));
  657. ++ test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED);
  658. +
  659. + res = curl_easy_perform(curl);
  660. +
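Review bot: The man-page text added here says the default became `CURLHEADER_SEPARATE` "in 7.42.1", but this package is built as 7.40.0 (`PKG_VERSION` in the Makefile section), so a program that checks the libcurl version cannot tell that the default has already changed in this build. The patch description should record that the behaviour change is backported. It should also say that applications which relied on `CURLOPT_HTTPHEADER` headers reaching the proxy now need `CURLOPT_PROXYHEADER` or an explicit `CURLHEADER_UNIFIED`. Unlike the sibling patches, the description has no `CVE-2015-3153` line, so only the file name carries the identifier.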
  661. diff --git a/package/network/utils/curl/patches/015-CVE-2015-3236.patch b/package/network/utils/curl/patches/015-CVE-2015-3236.patch
  662. new file mode 100644
  663. index 0000000..720fb94
  664. --- /dev/null
  665. +++ b/package/network/utils/curl/patches/015-CVE-2015-3236.patch
  666. @@ -0,0 +1,42 @@
  667. +From e6d7c30734487246e83b95520e81bc1ccf0a2376 Mon Sep 17 00:00:00 2001
  668. +From: Kamil Dudka <kdudka@redhat.com>
  669. +Date: Thu, 28 May 2015 20:04:35 +0200
  670. +Subject: [PATCH] http: do not leak basic auth credentials on re-used
  671. + connections
  672. +
  673. +CVE-2015-3236
  674. +
  675. +This partially reverts commit curl-7_39_0-237-g87c4abb
  676. +
  677. +Bug: http://curl.haxx.se/docs/adv_20150617A.html
  678. +---
  679. + lib/http.c | 16 ++++------------
  680. + 1 file changed, 4 insertions(+), 12 deletions(-)
  681. +
  682. +--- a/lib/http.c
  683. ++++ b/lib/http.c
  684. +@@ -2333,20 +2333,12 @@ CURLcode Curl_http(struct connectdata *c
  685. + te
  686. + );
  687. +
  688. +- /*
  689. +- * Free userpwd for Negotiate/NTLM. Cannot reuse as it is associated with
  690. +- * the connection and shouldn't be repeated over it either.
  691. +- */
  692. +- switch (data->state.authhost.picked) {
  693. +- case CURLAUTH_NEGOTIATE:
  694. +- case CURLAUTH_NTLM:
  695. +- case CURLAUTH_NTLM_WB:
  696. +- Curl_safefree(conn->allocptr.userpwd);
  697. +- break;
  698. +- }
  699. ++ /* clear userpwd to avoid re-using credentials from re-used connections */
  700. ++ Curl_safefree(conn->allocptr.userpwd);
  701. +
  702. + /*
  703. +- * Same for proxyuserpwd
  704. ++ * Free proxyuserpwd for Negotiate/NTLM. Cannot reuse as it is associated
  705. ++ * with the connection and shouldn't be repeated over it either.
  706. + */
  707. + switch (data->state.authproxy.picked) {
  708. + case CURLAUTH_NEGOTIATE:
  709. diff --git a/package/network/utils/curl/patches/016-CVE-2015-3237.patch b/package/network/utils/curl/patches/016-CVE-2015-3237.patch
  710. new file mode 100644
  711. index 0000000..6942a04
  712. --- /dev/null
  713. +++ b/package/network/utils/curl/patches/016-CVE-2015-3237.patch
  714. @@ -0,0 +1,35 @@
  715. +From d2f1a8bdce9d77a277d05adae025d369c1bdd9e6 Mon Sep 17 00:00:00 2001
  716. +From: Daniel Stenberg <daniel@haxx.se>
  717. +Date: Fri, 22 May 2015 10:28:21 +0200
  718. +Subject: [PATCH] SMB: rangecheck values read off incoming packet
  719. +
  720. +CVE-2015-3237
  721. +
  722. +Detected by Coverity. CID 1299430.
  723. +
  724. +Bug: http://curl.haxx.se/docs/adv_20150617B.html
  725. +---
  726. + lib/smb.c | 12 +++++++++---
  727. + 1 file changed, 9 insertions(+), 3 deletions(-)
  728. +
  729. +--- a/lib/smb.c
  730. ++++ b/lib/smb.c
  731. +@@ -783,9 +783,15 @@ static CURLcode smb_request_state(struct
  732. + off = Curl_read16_le(((unsigned char *) msg) +
  733. + sizeof(struct smb_header) + 13);
  734. + if(len > 0) {
  735. +- result = Curl_client_write(conn, CLIENTWRITE_BODY,
  736. +- (char *)msg + off + sizeof(unsigned int),
  737. +- len);
  738. ++ struct smb_conn *smbc = &conn->proto.smbc;
  739. ++ if(off + sizeof(unsigned int) + len > smbc->got) {
  740. ++ failf(conn->data, "Invalid input packet");
  741. ++ result = CURLE_RECV_ERROR;
  742. ++ }
  743. ++ else
  744. ++ result = Curl_client_write(conn, CLIENTWRITE_BODY,
  745. ++ (char *)msg + off + sizeof(unsigned int),
  746. ++ len);
  747. + if(result) {
  748. + req->result = result;
  749. + next_state = SMB_CLOSE;
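Review bot: The added range check `off + sizeof(unsigned int) + len > smbc->got` is only sound if neither `off` nor `len` can be negative or wide enough to wrap the sum, and their declarations are outside this hunk. `off` is filled from `Curl_read16_le()`; if `len` is read the same way, both are 16-bit wire values and the addition is done in `size_t`, which a short comment such as `/* off and len are 16-bit values from the packet; the sum cannot wrap */` would make reviewable. `sizeof(unsigned int)` appears to stand in for a fixed 4-byte prefix in front of the message (inferred from the pointer arithmetic), so a named constant would be safer than a host type size. smb_request_state starts and ends outside the hunk.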
  750. diff --git a/package/network/utils/curl/patches/100-check_long_long.patch b/package/network/utils/curl/patches/100-check_long_long.patch
  751. index 05fb1bf..2dd8cc7 100644
  752. --- a/package/network/utils/curl/patches/100-check_long_long.patch
  753. +++ b/package/network/utils/curl/patches/100-check_long_long.patch
  754. @@ -1,6 +1,6 @@
  755. --- a/configure.ac
  756. +++ b/configure.ac
  757. -@@ -2877,6 +2877,7 @@ CURL_VERIFY_RUNTIMELIBS
  758. +@@ -2885,6 +2885,7 @@ CURL_VERIFY_RUNTIMELIBS
  759. AC_CHECK_SIZEOF(size_t)
  760. AC_CHECK_SIZEOF(long)
  761. diff --git a/package/network/utils/curl/patches/200-no_docs_tests.patch b/package/network/utils/curl/patches/200-no_docs_tests.patch
  762. index 42619a3..2845577 100644
  763. --- a/package/network/utils/curl/patches/200-no_docs_tests.patch
  764. +++ b/package/network/utils/curl/patches/200-no_docs_tests.patch
  765. @@ -1,6 +1,6 @@
  766. --- a/Makefile.am
  767. +++ b/Makefile.am
  768. -@@ -128,7 +128,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP)
  769. +@@ -129,7 +129,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP)
  770. bin_SCRIPTS = curl-config
  771. SUBDIRS = lib src include
  772. @@ -11,7 +11,7 @@
  773. pkgconfig_DATA = libcurl.pc
  774. --- a/Makefile.in
  775. +++ b/Makefile.in
  776. -@@ -574,7 +574,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP)
  777. +@@ -577,7 +577,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP)
  778. bin_SCRIPTS = curl-config
  779. SUBDIRS = lib src include
  780. @@ -19,4 +19,4 @@
  781. +DIST_SUBDIRS = $(SUBDIRS) packages
  782. pkgconfigdir = $(libdir)/pkgconfig
  783. pkgconfig_DATA = libcurl.pc
  784. - LIB_VTLS_CFILES = vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c \
  785. + LIB_VTLS_CFILES = vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c \
  786. diff --git a/package/network/utils/curl/patches/300-fix-disable-crypto-auth.patch b/package/network/utils/curl/patches/300-fix-disable-crypto-auth.patch
  787. new file mode 100644
  788. index 0000000..3f88861
  789. --- /dev/null
  790. +++ b/package/network/utils/curl/patches/300-fix-disable-crypto-auth.patch
  791. @@ -0,0 +1,25 @@
  792. +--- a/lib/curl_ntlm_msgs.c
  793. ++++ b/lib/curl_ntlm_msgs.c
  794. +@@ -571,7 +571,7 @@ CURLcode Curl_sasl_create_ntlm_type3_mes
  795. + else
  796. + #endif
  797. +
  798. +-#if USE_NTRESPONSES && USE_NTLM2SESSION
  799. ++#if USE_NTRESPONSES && USE_NTLM2SESSION && !defined(CURL_DISABLE_CRYPTO_AUTH)
  800. + /* We don't support NTLM2 if we don't have USE_NTRESPONSES */
  801. + if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) {
  802. + unsigned char ntbuffer[0x18];
  803. +--- a/lib/vtls/vtls.c
  804. ++++ b/lib/vtls/vtls.c
  805. +@@ -835,9 +835,9 @@ void Curl_ssl_md5sum(unsigned char *tmp,
  806. + unsigned char *md5sum, /* output */
  807. + size_t md5len)
  808. + {
  809. +-#ifdef curlssl_md5sum
  810. ++#if defined(curlssl_md5sum)
  811. + curlssl_md5sum(tmp, tmplen, md5sum, md5len);
  812. +-#else
  813. ++#elif !defined(CURL_DISABLE_CRYPTO_AUTH)
  814. + MD5_context *MD5pw;
  815. +
  816. + (void) md5len;
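Review bot: With `#elif !defined(CURL_DISABLE_CRYPTO_AUTH)` in `Curl_ssl_md5sum`, a build that has neither `curlssl_md5sum` nor crypto auth appears to compile the function to an empty body. It would then return without writing `md5sum`, and any caller would read an uninitialised digest. The closing `#endif` and the callers are outside the hunk, so this is inferred. Either confirm that no caller is reachable in that configuration and say so in a comment, or add a final branch that at least marks the parameters unused, e.g. `#else` followed by `(void)tmp; (void)tmplen; (void)md5sum; (void)md5len;`. The patch file also carries no header explaining which build failure it fixes, which the other new patches in this commit do have.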
  817. diff --git a/package/network/utils/curl/patches/310-polarssl-disable-runtime-version-check.patch b/package/network/utils/curl/patches/310-polarssl-disable-runtime-version-check.patch
  818. new file mode 100644
  819. index 0000000..d008227
  820. --- /dev/null
  821. +++ b/package/network/utils/curl/patches/310-polarssl-disable-runtime-version-check.patch
  822. @@ -0,0 +1,11 @@
  823. +--- a/lib/vtls/polarssl.c
  824. ++++ b/lib/vtls/polarssl.c
  825. +@@ -591,7 +591,7 @@ void Curl_polarssl_session_free(void *pt
  826. +
  827. + size_t Curl_polarssl_version(char *buffer, size_t size)
  828. + {
  829. +- unsigned int version = version_get_number();
  830. ++ unsigned int version = POLARSSL_VERSION_NUMBER;
  831. + return snprintf(buffer, size, "PolarSSL/%d.%d.%d", version>>24,
  832. + (version>>16)&0xff, (version>>8)&0xff);
  833. + }
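Review bot: `Curl_polarssl_version` now reports the `POLARSSL_VERSION_NUMBER` that curl was compiled against instead of the library loaded at run time. If PolarSSL is a shared library, the version string stays unchanged after a library-only security update, which can mislead anyone using it for vulnerability inventory. The patch has no description, so the reason for dropping `version_get_number()` is not recorded. Please add a header to the patch and a comment at the assignment, e.g. `/* compile-time version: version_get_number() is unavailable in this PolarSSL build; value may lag the installed library */`, with the wording adjusted to the actual reason. Separately, the unchanged `snprintf` passes `unsigned int` values to `%d`, which `%u` would match.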