17335413 problem in LIBRARY/CURL s11u1-sru 0.175.1.18.0.3.0 S11.1SRU18.3
authorRich Burridge <rich.burridge@oracle.com>
Mon, 17 Mar 2014 13:28:32 -0700
branchs11u1-sru
changeset 2988 83fae5048c6c
parent 2984 d5dcbb6d3c06
child 2990 946e9428cb03
17335413 problem in LIBRARY/CURL 15941200 curl "gmake test" failures 16658714 problem in LIBRARY/CURL 17799440 problem in LIBRARY/CURL 18183059 problem in LIBRARY/CURL
components/curl/patches/009-CVE-2013-2174.patch
components/curl/patches/010-CVE-2013-4545.patch
components/curl/patches/011-runtests.pl.patch
components/curl/patches/012-CVE-2013-1944.patch
components/curl/patches/013-CVE-2014-0015.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/009-CVE-2013-2174.patch	Mon Mar 17 13:28:32 2014 -0700
@@ -0,0 +1,33 @@
+CVE-2013-2174: Heap-based buffer overflow in the curl_easy_unescape function
+in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote
+attackers to cause a denial of service (application crash) or possibly
+execute arbitrary code via a crafted string ending in a "%" (percent)
+character.
+
+CVE webpage for this problem:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174
+
+Relevant upstream patch at:
+https://github.com/bagder/curl/commit/192c4f788d48f82c03e9cef40013f34370e90737
+
+--- lib/escape.c.orig	2013-08-27 05:41:07.197713748 -0700
++++ lib/escape.c	2013-08-27 05:42:54.003927843 -0700
[email protected]@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2010, Daniel Stenberg, <[email protected]>, et al.
++ * Copyright (C) 1998 - 2013, Daniel Stenberg, <[email protected]>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
[email protected]@ -165,7 +165,8 @@
+ 
+   while(--alloc > 0) {
+     in = *string;
+-    if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
++    if(('%' == in) && (alloc > 2) &&
++       ISXDIGIT(string[1]) && ISXDIGIT(string[2])) {
+       /* this is two hexadecimal digits following a '%' */
+       char hexstr[3];
+       char *ptr;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/010-CVE-2013-4545.patch	Mon Mar 17 13:28:32 2014 -0700
@@ -0,0 +1,21 @@
+CVE-2013-4545: Setting only CURLOPT_SSL_VERIFYHOST without 
+CURLOPT_SSL_VERIFYPEER set should still verify that the host 
+name fields in the server certificate is fine or return failure.
+
+Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html
+Reported-by: Ishan SinghLevett
+
+Relevant upstream patch at:
+https://github.com/bagder/curl/commit/3c3622b6
+
+--- lib/ssluse.c.orig	2013-11-18 06:59:53.408117483 -0800
++++ lib/ssluse.c	2013-11-18 07:00:26.212993187 -0800
[email protected]@ -2357,7 +2357,7 @@
+    * operations.
+    */
+ 
+-  if(!data->set.ssl.verifypeer)
++  if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)
+     (void)servercert(conn, connssl, FALSE);
+   else
+     retcode = servercert(conn, connssl, TRUE);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/011-runtests.pl.patch	Mon Mar 17 13:28:32 2014 -0700
@@ -0,0 +1,37 @@
+The various curl NTLM tests try to LD_PRELOAD a test library
+called .../tests/libtest/.libs/libhostname.so that's been
+created as a pre-requisite to running the numerous Perl tests.
+
+This patch adjusts LD_PRELOAD to be LD_PRELOAD_32 or LD_PRELOAD_64
+depending upon whether we are running the 32 or 64 bit tests.
+
+As this is Solaris specific, this patch will not be pushed upstream.
+
+--- tests/runtests.pl.orig	2013-11-18 07:12:48.748872794 -0800
++++ tests/runtests.pl	2013-11-18 07:15:32.604982653 -0800
[email protected]@ -2405,10 +2405,21 @@
+                     delete $ENV{$var} if($ENV{$var});
+                 }
+                 else {
+-                    if(($var =~ /^LD_PRELOAD/) &&
+-                       ($debug_build || ($has_shared ne "yes"))) {
+-                        # print "Skipping LD_PRELOAD due to no release shared build\n";
+-                        next;
++                    if($var =~ /^LD_PRELOAD/) {
++                        if(exe_ext() && (exe_ext() eq '.exe')) {
++                            # print "Skipping LD_PRELOAD due to lack of OS support\n";
++                            next;
++                        }
++                        if($debug_build || ($has_shared ne "yes")) {
++                            # print "Skipping LD_PRELOAD due to no release shared build\n";
++                            next;
++                        }
++                        # make this LD_PRELOAD_{bits}
++                        open(FP, "/bin/file $content |");
++                        my $bits = <FP>;
++                        if ($bits =~ /^.+ELF\s(\d\d)-bit.+$/) {
++                            $var .= '_'.$1;
++                        }
+                     }
+                     $ENV{$var} = "$content";
+                 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/012-CVE-2013-1944.patch	Mon Mar 17 13:28:32 2014 -0700
@@ -0,0 +1,49 @@
+From 3604fde3d3c9b0d0e389e079aecf470d123ba180 Mon Sep 17 00:00:00 2001
+From: YAMADA Yasuharu <[email protected]>
+Date: Thu, 11 Apr 2013 00:17:15 +0200
+Subject: [PATCH] cookie: fix tailmatching to prevent cross-domain leakage
+
+Cookies set for 'example.com' could accidentaly also be sent by libcurl
+to the 'bexample.com' (ie with a prefix to the first domain name).
+
+This is a security vulnerabilty, CVE-2013-1944.
+
+Bug: http://curl.haxx.se/docs/adv_20130412.html
+
+--- lib/cookie.c.orig	2013-11-18 14:05:59.517749330 -0800
++++ lib/cookie.c	2013-11-18 14:08:09.852442022 -0800
[email protected]@ -122,15 +122,29 @@
+   free(co);
+ }
+ 
+-static bool tailmatch(const char *little, const char *bigone)
++static bool tailmatch(const char *cooke_domain, const char *hostname)
+ {
+-  size_t littlelen = strlen(little);
+-  size_t biglen = strlen(bigone);
++  size_t cookie_domain_len = strlen(cooke_domain);
++  size_t hostname_len = strlen(hostname);
+ 
+-  if(littlelen > biglen)
++  if(hostname_len < cookie_domain_len)
+     return FALSE;
+ 
+-  return (bool)Curl_raw_equal(little, bigone+biglen-littlelen);
++  if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
++    return FALSE;
++
++  /* A lead char of cookie_domain is not '.'.
++     RFC6265 4.1.2.3. The Domain Attribute says:
++       For example, if the value of the Domain attribute is
++       "example.com", the user agent will include the cookie in the Cookie
++       header when making HTTP requests to example.com, www.example.com, and
++       www.corp.example.com.
++   */
++  if(hostname_len == cookie_domain_len)
++    return TRUE;
++  if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
++    return TRUE;
++  return FALSE;
+ }
+ 
+ /*
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/013-CVE-2014-0015.patch	Mon Mar 17 13:28:32 2014 -0700
@@ -0,0 +1,20 @@
+CVE-2014-0015: libcurl can in some circumstances re-use the wrong
+connection when asked to do an NTLM-authenticated HTTP or HTTPS request.
+
+More information at:
+http://curl.haxx.se/docs/adv_20140129.html
+
+Closest relevant upstream patch at:
+http://curl.haxx.se/CVE-2014-0015-7-27.patch
+
+--- lib/url.c.orig	2014-02-04 12:41:29.827372361 -0800
++++ lib/url.c	2014-02-04 12:56:44.394433387 -0800
[email protected]@ -2998,7 +2998,7 @@
+         }
+         if((needle->protocol & PROT_FTP) ||
+            ((needle->protocol & PROT_HTTP) &&
+-            (data->state.authhost.want==CURLAUTH_NTLM))) {
++            (data->state.authhost.want & CURLAUTH_NTLM))) {
+           /* This is FTP or HTTP+NTLM, verify that we're using the same name
+              and password as well */
+           if(!strequal(needle->user, check->user) ||