author | Rich Burridge <rich.burridge@oracle.com> |
Mon, 17 Mar 2014 13:28:32 -0700 | |
branch | s11u1-sru |
changeset 2988 | 83fae5048c6c |
permissions | -rw-r--r-- |
17335413 problem in LIBRARY/CURL
CVE-2014-0015: libcurl can in some circumstances re-use the wrong |
connection when asked to do an NTLM-authenticated HTTP or HTTPS request. |
|
More information at: |
http://curl.haxx.se/docs/adv_20140129.html |
|
Closest relevant upstream patch at: |
http://curl.haxx.se/CVE-2014-0015-7-27.patch |
|
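--- a/lib/url.c
+++ b/lib/url.c
@@ -2998,7 +2998,7 @@
 }
 if((needle->protocol & PROT_FTP) ||
 ((needle->protocol & PROT_HTTP) &&
-(data->state.authhost.want==CURLAUTH_NTLM))) {
+(data->state.authhost.want & CURLAUTH_NTLM))) {
 /* This is FTP or HTTP+NTLM, verify that we're using the same name
 and password as well */
 if(!strequal(needle->user, check->user) ||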
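Review bot: The credential comparison is still gated only on what the new request asks for (`data->state.authhost.want & CURLAUTH_NTLM`), not on how the candidate connection `check` was authenticated. A request that does not want NTLM therefore appears to skip the `strequal` user/password check even when `check` already carries an NTLM-authenticated session. Unless that case is rejected elsewhere in the enclosing function (it starts and ends outside this hunk), the condition should also cover the candidate's own state, for example `(data->state.authhost.want & CURLAUTH_NTLM) || (check->ntlm.state != NTLMSTATE_NONE)`, assuming this libcurl version keeps the NTLM state on the connection in that form. The gate also looks only at host authentication, so NTLM negotiated with a proxy (`data->state.authproxy.want`) deserves the same comparison.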