author | Mike Sullivan <Mike.Sullivan@Oracle.COM> |
Mon, 01 Sep 2014 09:20:27 -0700 | |
changeset 2062 | cc09b5cf2427 |
parent 1688 | 3f0c67b12bf7 |
permissions | -rw-r--r-- |
1688
3f0c67b12bf7
18183059 problem in LIBRARY/CURL
Rich Burridge <rich.burridge@oracle.com>
CVE-2014-0015: libcurl can in some circumstances re-use the wrong |
connection when asked to do an NTLM-authenticated HTTP or HTTPS request. |
More information at: |
http://curl.haxx.se/docs/adv_20140129.html |
Relevant upstream patch at: |
http://curl.haxx.se/CVE-2014-0015-7-27.patch |
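--- a/lib/url.c
+++ b/lib/url.c
@@ -3103,8 +3103,8 @@
 }
 if((needle->handler->protocol & CURLPROTO_FTP) ||
 ((needle->handler->protocol & CURLPROTO_HTTP) &&
- ((data->state.authhost.want==CURLAUTH_NTLM) ||
- (data->state.authhost.want==CURLAUTH_NTLM_WB)))) {
+ ((data->state.authhost.want & CURLAUTH_NTLM) ||
+ (data->state.authhost.want & CURLAUTH_NTLM_WB)))) {
 /* This is FTP or HTTP+NTLM, verify that we're using the same name
 and password as well */
 if(!strequal(needle->user, check->user) ||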
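Review bot: The credential comparison is still gated on what the new request wants (`data->state.authhost.want`), not on how the candidate connection `check` was authenticated, so a request that asks for no NTLM at all skips the user/password check and may be handed a connection that NTLM already bound to another user's credentials. Because NTLM authenticates the connection rather than each request, the guard should also fire when `check` itself carries NTLM state; the field that records this is not visible in the hunk, so confirm it against the connection struct. The condition also consults only `authhost`, so it is worth checking that NTLM towards a proxy is covered elsewhere. A short comment on the changed lines would help the next reader, for example `/* want is a bitmask (CURLAUTH_ANY sets several bits), so test the NTLM bits instead of comparing for equality */`. The enclosing function starts before the hunk and the `if(!strequal(...` condition continues past its last line.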