# HG changeset patch
# User yiteng.zhang@oracle.com
# Date 1453956937 28800
# Node ID 94c0413a88fc21e1d0b66c541501ca44fbb105d5
# Parent 5ccf97c2878d0cf1c6929b9a6cf6ece44eb5b56c
22599190 problem in LIBRARY/CURL

diff -r 5ccf97c2878d -r 94c0413a88fc components/curl/Makefile
--- a/components/curl/Makefile Wed Jan 27 17:18:04 2016 -0800
+++ b/components/curl/Makefile Wed Jan 27 20:55:37 2016 -0800
@@ -84,6 +84,9 @@
  '-e "s|^.*$(CC).*$$|XXX_CC_XXX|g" ' \
  '-e "s|^.*source=.*libtool=no.*$$|XXX_CC_XXX|g" ' \
  '-e "s|^.*DEPDIR=.deps.*$$|XXX_CC_XXX|g" ' \
+ '-e "s|^make.*: Leaving directory.*$$|XXX_CC_XXX|g" ' \
+ '-e "s|^make.*: Entering directory.*$$|XXX_CC_XXX|g" ' \
+ '-e "s|^make.*: Nothing to be done for.*$$|XXX_CC_XXX|g" ' \
  '-e "/^XXX_CC_XXX$$/d" ' \
  '-e "s|\(^/bin/bash ../../libtool\).*|\1|" ' \
  '-e "s|\(^libtool: link:\).*|\1|" ' \
diff -r 5ccf97c2878d -r 94c0413a88fc components/curl/patches/001-CVE-2016-0755.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/001-CVE-2016-0755.patch Wed Jan 27 20:55:37 2016 -0800
@@ -0,0 +1,136 @@
+CVE-2016-0755: libcurl will reuse NTLM-authenticated proxy connections without
+properly making sure that the connection was authenticated with the same
+credentials as set for this transfer.
+
+CVE webpage for this problem:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0755
+
+Relevant upstream patch:
+http://curl.haxx.se/CVE-2016-0755.patch
+
+--- lib/url.c.orig
++++ lib/url.c
+@@ -3126,15 +3126,20 @@ ConnectionExists(struct SessionHandle *data,
+ {
+ struct connectdata *check;
+ struct connectdata *chosen = 0;
+ bool canPipeline = IsPipeliningPossible(data, needle);
++ struct connectbundle *bundle;
++
+ #ifdef USE_NTLM
+- bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
+- (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
+- (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
++ bool wantNTLMhttp = ((data->state.authhost.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP));
++ bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
++ ((data->state.authproxy.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP)));
+ #endif
+- struct connectbundle *bundle;
+
+ *force_reuse = FALSE;
+ *waitpipe = FALSE;
+
+ /* We can't pipe if the site is blacklisted */
+@@ -3186,13 +3191,10 @@ ConnectionExists(struct SessionHandle *data,
+ }
+
+ curr = bundle->conn_list->head;
+ while(curr) {
+ bool match = FALSE;
+-#if defined(USE_NTLM)
+- bool credentialsMatch = FALSE;
+-#endif
+ size_t pipeLen;
+
+ /*
+ * Note that if we use a HTTP proxy, we check connections to that
+ * proxy and not to the actual remote server.
+@@ -3298,25 +3300,18 @@ ConnectionExists(struct SessionHandle *data,
+ !needle->localdev ||
+ strcmp(check->localdev, needle->localdev))
+ continue;
+ }
+
+- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))
+-#ifdef USE_NTLM
+- || (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)
+-#endif
+- ) {
+- /* This protocol requires credentials per connection or is HTTP+NTLM,
++ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
++ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(!strequal(needle->user, check->user) ||
+ !strequal(needle->passwd, check->passwd)) {
+ /* one of them was different */
+ continue;
+ }
+-#if defined(USE_NTLM)
+- credentialsMatch = TRUE;
+-#endif
+ }
+
+ if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
+ (needle->bits.httpproxy && check->bits.httpproxy &&
+ needle->bits.tunnel_proxy && check->bits.tunnel_proxy &&
+@@ -3372,24 +3367,47 @@ ConnectionExists(struct SessionHandle *data,
+ already authenticating with the right credentials. If not, keep
+ looking so that we can reuse NTLM connections if
+ possible. (Especially we must not reuse the same connection if
+ partway through a handshake!)
*/
+ if(wantNTLMhttp) {
+- if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) {
+- chosen = check;
++ if(!strequal(needle->user, check->user) ||
++ !strequal(needle->passwd, check->passwd))
++ continue;
++ }
++ else if(check->ntlm.state != NTLMSTATE_NONE) {
++ /* Connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
++
++ /* Same for Proxy NTLM authentication */
++ if(wantProxyNTLMhttp) {
++ if(!strequal(needle->proxyuser, check->proxyuser) ||
++ !strequal(needle->proxypasswd, check->proxypasswd))
++ continue;
++ }
++ else if(check->proxyntlm.state != NTLMSTATE_NONE) {
++ /* Proxy connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
++
++ if(wantNTLMhttp || wantProxyNTLMhttp) {
++ /* Credentials are already checked, we can use this connection */
++ chosen = check;
+
++ if((wantNTLMhttp &&
++ (check->ntlm.state != NTLMSTATE_NONE)) ||
++ (wantProxyNTLMhttp &&
++ (check->proxyntlm.state != NTLMSTATE_NONE))) {
+ /* We must use this connection, no other */
+ *force_reuse = TRUE;
+ break;
+ }
+- else if(credentialsMatch)
+- /* this is a backup choice */
+- chosen = check;
++
++ /* Continue look up for a better connection */
+ continue;
+ }
+ #endif
+-
+ if(canPipeline) {
+ /* We can pipeline if we want to. Let's continue looking for
+ the optimal connection to use, i.e the shortest pipe that is not
+ blacklisted. */
+
+--
+2.7.0.rc3
+
diff -r 5ccf97c2878d -r 94c0413a88fc components/curl/test/results-32.master
--- a/components/curl/test/results-32.master Wed Jan 27 17:18:04 2016 -0800
+++ b/components/curl/test/results-32.master Wed Jan 27 20:55:37 2016 -0800
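Review bot: The new NTLM and proxy-NTLM credential checks in the last inner hunk (`!strequal(needle->user, check->user)`, `!strequal(needle->proxyuser, check->proxyuser)` and their password counterparts) rely on `strequal`, which, if it is still the `Curl_raw_equal` alias in this tree, compares case-insensitively, so a connection authenticated with a password that differs only in case would still be reused; a byte-exact `strcmp(needle->passwd, check->passwd) != 0` is the safer test for passwords, though changing it here diverges from the upstream patch and belongs in its own backport. `wantProxyNTLMhttp` is gated on `needle->bits.proxy_user_passwd`, which covers the needle side, but nothing in the hunk shows that `check->proxyuser`/`check->proxypasswd` are non-NULL for pooled connections created without proxy credentials, so it is worth confirming they are always allocated before `strequal` dereferences them. The patch header describes only proxy connections although the first inner hunk also tightens the host-NTLM reuse path; a sentence such as `Also stops reusing a host-NTLM connection for a transfer with different credentials` in the header would help the next reader. `ConnectionExists` starts and ends outside the quoted hunks, and the ` */` line opening the last inner hunk has lost its leading `+` marker in this listing.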
@@ -1,59 +1,20 @@ -make[1]: Entering directory `$(@D)' Making check in lib -make[2]: Entering directory `$(@D)/lib' -make[2]: Leaving directory `$(@D)/lib' Making check in src -make[2]: Entering directory `$(@D)/src' /usr/gnu/bin/make check-am -make[3]: Entering directory `$(@D)/src' -make[3]: Nothing to be done for `check-am'. -make[3]: Leaving directory `$(@D)/src' -make[2]: Leaving directory `$(@D)/src' Making check in include -make[2]: Entering directory `$(@D)/include' Making check in curl -make[3]: Entering directory `$(@D)/include/curl' -make[4]: Entering directory `$(@D)/include/curl' touch stamp-h2 -make[4]: Leaving directory `$(@D)/include/curl' -make[3]: Leaving directory `$(@D)/include/curl' -make[3]: Entering directory `$(@D)/include' -make[3]: Nothing to be done for `check-am'. -make[3]: Leaving directory `$(@D)/include' -make[2]: Leaving directory `$(@D)/include' -make[2]: Entering directory `$(@D)' -make[2]: Nothing to be done for `check-am'. -make[2]: Leaving directory `$(@D)' -make[2]: Entering directory `$(@D)/tests' Making all in certs -make[3]: Entering directory `$(@D)/tests/certs' Making all in scripts -make[4]: Entering directory `$(@D)/tests/certs/scripts' -make[4]: Nothing to be done for `all'. -make[4]: Leaving directory `$(@D)/tests/certs/scripts' -make[4]: Entering directory `$(@D)/tests/certs' -make[4]: Nothing to be done for `all-am'. -make[4]: Leaving directory `$(@D)/tests/certs' -make[3]: Leaving directory `$(@D)/tests/certs' Making all in data -make[3]: Entering directory `$(@D)/tests/data' -make[3]: Nothing to be done for `all'. 
-make[3]: Leaving directory `$(@D)/tests/data' Making all in server -make[3]: Entering directory `$(@D)/tests/server' -make[3]: Leaving directory `$(@D)/tests/server' Making all in libtest -make[3]: Entering directory `$(@D)/tests/libtest' source='sethostname.c' object='libhostname_la-sethostname.lo' libtool=yes \ libtool: link: -make[3]: Leaving directory `$(@D)/tests/libtest' -make[3]: Entering directory `$(@D)/tests' -make[3]: Nothing to be done for `all-am'. -make[3]: Leaving directory `$(@D)/tests' srcdir=$(SOURCE_DIR)/tests /usr/bin/perl -I$(SOURCE_DIR)/tests $(SOURCE_DIR)/tests/runtests.pl -a -s ********* System characteristics ******** * curl 7.45.0 -* libcurl/7.45.0 OpenSSL/1.0.2d zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2 +* libcurl/7.45.0 OpenSSL/1.0.2e zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2 * Features: IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets * Host: * System: SunOS @@ -441,10 +402,6 @@ === Start of file log/sftp_server.log No credentials cache file found -mech_dh: No secret key - -mech_dh: No secret key - Connection reset by 127.0.0.1 Connection closed === End of file log/sftp_server.log 
@@ -1029,26 +986,14 @@ test 2045...OK (984 out of 984, remaining: xx:xx) TESTDONE: 802 tests out of 802 reported OK: 100% TESTDONE: 994 tests were considered during -make[2]: Leaving directory `$(@D)/tests' -make[2]: Entering directory `$(@D)/docs/examples' /usr/gnu/bin/make 10-at-a-time anyauthput cookie_interface debug fileupload fopen ftpget ftpgetresp ftpupload getinfo getinmemory http-post httpput https multi-app multi-debugcallback multi-double multi-post multi-single persistant post-callback postit2 sepheaders simple simplepost simplessl sendrecv httpcustomheader certinfo chkspeed ftpgetinfo ftp-wildcard smtp-mail smtp-multi smtp-ssl smtp-tls smtp-vrfy smtp-expn rtsp externalsocket resolve progressfunc pop3-retr pop3-list pop3-uidl pop3-dele pop3-top pop3-stat pop3-noop pop3-ssl pop3-tls pop3-multi imap-list imap-lsub imap-fetch imap-store imap-append imap-examine imap-search imap-create imap-delete imap-copy imap-noop imap-ssl imap-tls imap-multi url2file sftpget ftpsget postinmemory http2-download http2-upload http2-serverpush -make[3]: Entering directory `$(@D)/docs/examples' "$(SOURCE_DIR)/docs/examples/pop3-multi.c", line 96: warning: implicit function declaration: memset "$(SOURCE_DIR)/docs/examples/imap-multi.c", line 96: warning: implicit function declaration: memset "$(SOURCE_DIR)/docs/examples/http2-download.c", line 226: warning: implicit function declaration: memset "$(SOURCE_DIR)/docs/examples/http2-upload.c", line 290: warning: implicit function declaration: memset "$(SOURCE_DIR)/docs/examples/http2-serverpush.c", line 236: warning: implicit function declaration: memset -make[3]: Leaving directory `$(@D)/docs/examples' -make[2]: Leaving directory `$(@D)/docs/examples' -make[2]: Entering directory `$(@D)/docs/libcurl' Making check in opts -make[3]: Entering directory `$(@D)/docs/libcurl/opts' -make[3]: Nothing to be done for `check'. 
-make[3]: Leaving directory `$(@D)/docs/libcurl/opts' -make[3]: Entering directory `$(@D)/docs/libcurl' /usr/gnu/bin/make check-TESTS -make[4]: Entering directory `$(@D)/docs/libcurl' -make[5]: Entering directory `$(@D)/docs/libcurl' OPTS="$(ls $(SOURCE_DIR)/docs/libcurl/opts/CURLOPT*.3 | /usr/bin/sed -e 's,^.*/,,' -e 's,\.3$,,')" && \ for opt in $OPTS; do grep "^\.IP $opt$" $(SOURCE_DIR)/docs/libcurl/curl_easy_setopt.3 >/dev/null || echo Missing $opt; done > check-easy PASS: check-easy @@ -1066,8 +1011,3 @@ # XPASS: 0 # ERROR: 0 ============================================================================ -make[5]: Leaving directory `$(@D)/docs/libcurl' -make[4]: Leaving directory `$(@D)/docs/libcurl' -make[3]: Leaving directory `$(@D)/docs/libcurl' -make[2]: Leaving directory `$(@D)/docs/libcurl' -make[1]: Leaving directory `$(@D)' diff -r 5ccf97c2878d -r 94c0413a88fc components/curl/test/results-64.master --- a/components/curl/test/results-64.master Wed Jan 27 17:18:04 2016 -0800 +++ b/components/curl/test/results-64.master Wed Jan 27 20:55:37 2016 -0800 
@@ -1,59 +1,20 @@ -make[1]: Entering directory `$(@D)' Making check in lib -make[2]: Entering directory `$(@D)/lib' -make[2]: Leaving directory `$(@D)/lib' Making check in src -make[2]: Entering directory `$(@D)/src' /usr/gnu/bin/make check-am -make[3]: Entering directory `$(@D)/src' -make[3]: Nothing to be done for `check-am'. -make[3]: Leaving directory `$(@D)/src' -make[2]: Leaving directory `$(@D)/src' Making check in include -make[2]: Entering directory `$(@D)/include' Making check in curl -make[3]: Entering directory `$(@D)/include/curl' -make[4]: Entering directory `$(@D)/include/curl' touch stamp-h2 -make[4]: Leaving directory `$(@D)/include/curl' -make[3]: Leaving directory `$(@D)/include/curl' -make[3]: Entering directory `$(@D)/include' -make[3]: Nothing to be done for `check-am'. -make[3]: Leaving directory `$(@D)/include' -make[2]: Leaving directory `$(@D)/include' -make[2]: Entering directory `$(@D)' -make[2]: Nothing to be done for `check-am'. -make[2]: Leaving directory `$(@D)' -make[2]: Entering directory `$(@D)/tests' Making all in certs -make[3]: Entering directory `$(@D)/tests/certs' Making all in scripts -make[4]: Entering directory `$(@D)/tests/certs/scripts' -make[4]: Nothing to be done for `all'. -make[4]: Leaving directory `$(@D)/tests/certs/scripts' -make[4]: Entering directory `$(@D)/tests/certs' -make[4]: Nothing to be done for `all-am'. -make[4]: Leaving directory `$(@D)/tests/certs' -make[3]: Leaving directory `$(@D)/tests/certs' Making all in data -make[3]: Entering directory `$(@D)/tests/data' -make[3]: Nothing to be done for `all'. 
-make[3]: Leaving directory `$(@D)/tests/data' Making all in server -make[3]: Entering directory `$(@D)/tests/server' -make[3]: Leaving directory `$(@D)/tests/server' Making all in libtest -make[3]: Entering directory `$(@D)/tests/libtest' source='sethostname.c' object='libhostname_la-sethostname.lo' libtool=yes \ libtool: link: -make[3]: Leaving directory `$(@D)/tests/libtest' -make[3]: Entering directory `$(@D)/tests' -make[3]: Nothing to be done for `all-am'. -make[3]: Leaving directory `$(@D)/tests' srcdir=$(SOURCE_DIR)/tests /usr/bin/perl -I$(SOURCE_DIR)/tests $(SOURCE_DIR)/tests/runtests.pl -a -s ********* System characteristics ******** * curl 7.45.0 -* libcurl/7.45.0 OpenSSL/1.0.2d zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2 +* libcurl/7.45.0 OpenSSL/1.0.2e zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2 * Features: IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets * Host: * System: SunOS 
@@ -882,26 +843,14 @@ test 2045...OK (984 out of 984, remaining: xx:xx) TESTDONE: 803 tests out of 803 reported OK: 100% TESTDONE: 994 tests were considered during -make[2]: Leaving directory `$(@D)/tests' -make[2]: Entering directory `$(@D)/docs/examples' /usr/gnu/bin/make 10-at-a-time anyauthput cookie_interface debug fileupload fopen ftpget ftpgetresp ftpupload getinfo getinmemory http-post httpput https multi-app multi-debugcallback multi-double multi-post multi-single persistant post-callback postit2 sepheaders simple simplepost simplessl sendrecv httpcustomheader certinfo chkspeed ftpgetinfo ftp-wildcard smtp-mail smtp-multi smtp-ssl smtp-tls smtp-vrfy smtp-expn rtsp externalsocket resolve progressfunc pop3-retr pop3-list pop3-uidl pop3-dele pop3-top pop3-stat pop3-noop pop3-ssl pop3-tls pop3-multi imap-list imap-lsub imap-fetch imap-store imap-append imap-examine imap-search imap-create imap-delete imap-copy imap-noop imap-ssl imap-tls imap-multi url2file sftpget ftpsget postinmemory http2-download http2-upload http2-serverpush -make[3]: Entering directory `$(@D)/docs/examples' "$(SOURCE_DIR)/docs/examples/pop3-multi.c", line 96: warning: implicit function declaration: memset "$(SOURCE_DIR)/docs/examples/imap-multi.c", line 96: warning: implicit function declaration: memset "$(SOURCE_DIR)/docs/examples/http2-download.c", line 226: warning: implicit function declaration: memset "$(SOURCE_DIR)/docs/examples/http2-upload.c", line 290: warning: implicit function declaration: memset "$(SOURCE_DIR)/docs/examples/http2-serverpush.c", line 236: warning: implicit function declaration: memset -make[3]: Leaving directory `$(@D)/docs/examples' -make[2]: Leaving directory `$(@D)/docs/examples' -make[2]: Entering directory `$(@D)/docs/libcurl' Making check in opts -make[3]: Entering directory `$(@D)/docs/libcurl/opts' -make[3]: Nothing to be done for `check'. 
-make[3]: Leaving directory `$(@D)/docs/libcurl/opts' -make[3]: Entering directory `$(@D)/docs/libcurl' /usr/gnu/bin/make check-TESTS -make[4]: Entering directory `$(@D)/docs/libcurl' -make[5]: Entering directory `$(@D)/docs/libcurl' OPTS="$(ls $(SOURCE_DIR)/docs/libcurl/opts/CURLOPT*.3 | /usr/bin/sed -e 's,^.*/,,' -e 's,\.3$,,')" && \ for opt in $OPTS; do grep "^\.IP $opt$" $(SOURCE_DIR)/docs/libcurl/curl_easy_setopt.3 >/dev/null || echo Missing $opt; done > check-easy PASS: check-easy @@ -919,8 +868,3 @@ # XPASS: 0 # ERROR: 0 ============================================================================ -make[5]: Leaving directory `$(@D)/docs/libcurl' -make[4]: Leaving directory `$(@D)/docs/libcurl' -make[3]: Leaving directory `$(@D)/docs/libcurl' -make[2]: Leaving directory `$(@D)/docs/libcurl' -make[1]: Leaving directory `$(@D)'