Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/curl/patches/012-CVE-2014-0015.patch
author Rich Burridge <rich.burridge@oracle.com>
Wed, 05 Feb 2014 07:08:28 -0800
changeset 1688 3f0c67b12bf7
permissions -rw-r--r--
18183059 problem in LIBRARY/CURL

CVE-2014-0015: libcurl can in some circumstances re-use the wrong
connection when asked to do an NTLM-authenticated HTTP or HTTPS request.

More information at:
http://curl.haxx.se/docs/adv_20140129.html

Relevant upstream patch at:
http://curl.haxx.se/CVE-2014-0015-7-27.patch

--- lib/url.c.orig	2014-02-04 12:20:53.704898398 -0800
+++ lib/url.c	2014-02-04 12:28:14.698044886 -0800
@@ -3103,8 +3103,8 @@
         }
         if((needle->handler->protocol & CURLPROTO_FTP) ||
            ((needle->handler->protocol & CURLPROTO_HTTP) &&
-            ((data->state.authhost.want==CURLAUTH_NTLM) ||
-             (data->state.authhost.want==CURLAUTH_NTLM_WB)))) {
+            ((data->state.authhost.want & CURLAUTH_NTLM) ||
+             (data->state.authhost.want & CURLAUTH_NTLM_WB)))) {
           /* This is FTP or HTTP+NTLM, verify that we're using the same name
              and password as well */
           if(!strequal(needle->user, check->user) ||
upstream/oracle/userland-gate