17891653 problem in LIBRARY/CURL
authorRich Burridge <rich.burridge@oracle.com>
Wed, 04 Dec 2013 06:55:26 -0800
changeset 1579 59f52cde58cc
parent 1578 86b02d5137e8
child 1580 dece556dd5e7
17891653 problem in LIBRARY/CURL
components/curl/patches/011-gtls.c.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/011-gtls.c.patch	Wed Dec 04 06:55:26 2013 -0800
@@ -0,0 +1,50 @@
+From 71c9842a710787145ff31603f100e4269dd676c1 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <[email protected]>
+Date: Fri, 29 Nov 2013 22:46:05 +0100
+Subject: [PATCH] gtls: respect *VERIFYHOST independently of *VERIFYPEER
+
+This is basically the same fix that 3c3622b6 brought to the OpenSSL
+backend and that resulted in CVE-2013-4545.
+
+This version of the problem was independently introduced to the GnuTLS
+backend with commit 59cf93cc, present in the code since the libcurl
+7.21.4 release.
+
+Bug: http://curl.haxx.se/mail/lib-2013-11/0214.html
+Reported-by: Marc Deslauriers
+---
+ lib/gtls.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- lib/gtls.c.orig	2013-12-03 16:28:01.281292080 -0800
++++ lib/gtls.c	2013-12-03 16:28:09.281423499 -0800
[email protected]@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2012, Daniel Stenberg, <[email protected]>, et al.
++ * Copyright (C) 1998 - 2013, Daniel Stenberg, <[email protected]>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
[email protected]@ -609,10 +609,8 @@
+     else
+       infof(data, "\t server certificate verification OK\n");
+   }
+-  else {
++  else
+     infof(data, "\t server certificate verification SKIPPED\n");
+-    goto after_server_cert_verification;
+-  }
+ 
+   /* initialize an X.509 certificate structure. */
+   gnutls_x509_crt_init(&x509_cert);
[email protected]@ -742,8 +740,6 @@
+ 
+   gnutls_x509_crt_deinit(x509_cert);
+ 
+-after_server_cert_verification:
+-
+   /* compression algorithm (if any) */
+   ptr = gnutls_compression_get_name(gnutls_compression_get(session));
+   /* the *_get_name() says "NULL" if GNUTLS_COMP_NULL is returned */