--- a/components/curl/Makefile Wed Jan 27 17:18:04 2016 -0800
+++ b/components/curl/Makefile Wed Jan 27 20:55:37 2016 -0800
@@ -84,6 +84,9 @@
'-e "s|^.*$(CC).*$$|XXX_CC_XXX|g" ' \
'-e "s|^.*source=.*libtool=no.*$$|XXX_CC_XXX|g" ' \
'-e "s|^.*DEPDIR=.deps.*$$|XXX_CC_XXX|g" ' \
+ '-e "s|^make.*: Leaving directory.*$$|XXX_CC_XXX|g" ' \
+ '-e "s|^make.*: Entering directory.*$$|XXX_CC_XXX|g" ' \
+ '-e "s|^make.*: Nothing to be done for.*$$|XXX_CC_XXX|g" ' \
'-e "/^XXX_CC_XXX$$/d" ' \
'-e "s|\(^/bin/bash ../../libtool\).*|\1|" ' \
'-e "s|\(^libtool: link:\).*|\1|" ' \
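Review bot: The three added expressions only match lines that begin with the literal word `make`, so they stop filtering without any error if the recursive make runs under another name (GNU make prints its own program name, e.g. `gmake[2]:`) or if the messages are localized. The removed master lines all show `make[N]:`, so this works in the current environment. If that can vary, a looser anchor such as `'-e "s|^[a-z]*make.*: Leaving directory.*$$|XXX_CC_XXX|g" '` (likewise for the other two) would be sturdier. A short comment above the group, e.g. `# drop make's directory-tracking chatter; it varies with recursion depth and make version`, would explain why these lines are discarded. The transform list begins and ends outside this hunk.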
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/001-CVE-2016-0755.patch Wed Jan 27 20:55:37 2016 -0800
@@ -0,0 +1,136 @@
+CVE-2016-0755: libcurl will reuse NTLM-authenticated proxy connections without
+properly making sure that the connection was authenticated with the same
+credentials as set for this transfer.
+
+CVE webpage for this problem:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0755
+
+Relevant upstream patch:
+http://curl.haxx.se/CVE-2016-0755.patch
+
+--- lib/url.c.orig
++++ lib/url.c
+@@ -3126,15 +3126,20 @@ ConnectionExists(struct SessionHandle *data,
+ {
+ struct connectdata *check;
+ struct connectdata *chosen = 0;
+ bool canPipeline = IsPipeliningPossible(data, needle);
++ struct connectbundle *bundle;
++
+ #ifdef USE_NTLM
+- bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
+- (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
+- (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
++ bool wantNTLMhttp = ((data->state.authhost.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP));
++ bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd &&
++ ((data->state.authproxy.want &
++ (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) &&
++ (needle->handler->protocol & PROTO_FAMILY_HTTP)));
+ #endif
+- struct connectbundle *bundle;
+
+ *force_reuse = FALSE;
+ *waitpipe = FALSE;
+
+ /* We can't pipe if the site is blacklisted */
+@@ -3186,13 +3191,10 @@ ConnectionExists(struct SessionHandle *data,
+ }
+
+ curr = bundle->conn_list->head;
+ while(curr) {
+ bool match = FALSE;
+-#if defined(USE_NTLM)
+- bool credentialsMatch = FALSE;
+-#endif
+ size_t pipeLen;
+
+ /*
+ * Note that if we use a HTTP proxy, we check connections to that
+ * proxy and not to the actual remote server.
+@@ -3298,25 +3300,18 @@ ConnectionExists(struct SessionHandle *data,
+ !needle->localdev ||
+ strcmp(check->localdev, needle->localdev))
+ continue;
+ }
+
+- if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))
+-#ifdef USE_NTLM
+- || (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)
+-#endif
+- ) {
+- /* This protocol requires credentials per connection or is HTTP+NTLM,
++ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
++ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(!strequal(needle->user, check->user) ||
+ !strequal(needle->passwd, check->passwd)) {
+ /* one of them was different */
+ continue;
+ }
+-#if defined(USE_NTLM)
+- credentialsMatch = TRUE;
+-#endif
+ }
+
+ if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
+ (needle->bits.httpproxy && check->bits.httpproxy &&
+ needle->bits.tunnel_proxy && check->bits.tunnel_proxy &&
+@@ -3372,24 +3367,47 @@ ConnectionExists(struct SessionHandle *data,
+ already authenticating with the right credentials. If not, keep
+ looking so that we can reuse NTLM connections if
+ possible. (Especially we must not reuse the same connection if
+ partway through a handshake!) */
+ if(wantNTLMhttp) {
+- if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) {
+- chosen = check;
++ if(!strequal(needle->user, check->user) ||
++ !strequal(needle->passwd, check->passwd))
++ continue;
++ }
++ else if(check->ntlm.state != NTLMSTATE_NONE) {
++ /* Connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
++
++ /* Same for Proxy NTLM authentication */
++ if(wantProxyNTLMhttp) {
++ if(!strequal(needle->proxyuser, check->proxyuser) ||
++ !strequal(needle->proxypasswd, check->proxypasswd))
++ continue;
++ }
++ else if(check->proxyntlm.state != NTLMSTATE_NONE) {
++ /* Proxy connection is using NTLM auth but we don't want NTLM */
++ continue;
++ }
++
++ if(wantNTLMhttp || wantProxyNTLMhttp) {
++ /* Credentials are already checked, we can use this connection */
++ chosen = check;
+
++ if((wantNTLMhttp &&
++ (check->ntlm.state != NTLMSTATE_NONE)) ||
++ (wantProxyNTLMhttp &&
++ (check->proxyntlm.state != NTLMSTATE_NONE))) {
+ /* We must use this connection, no other */
+ *force_reuse = TRUE;
+ break;
+ }
+- else if(credentialsMatch)
+- /* this is a backup choice */
+- chosen = check;
++
++ /* Continue look up for a better connection */
+ continue;
+ }
+ #endif
+-
+ if(canPipeline) {
+ /* We can pipeline if we want to. Let's continue looking for
+ the optimal connection to use, i.e the shortest pipe that is not
+ blacklisted. */
+
+--
+2.7.0.rc3
+
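Review bot: The new proxy check `strequal(needle->proxyuser, check->proxyuser)` / `strequal(needle->proxypasswd, check->proxypasswd)`, like the host-credential check just above it, uses `strequal`, which as far as I know is libcurl's case-insensitive comparison. A connection authenticated with a password differing only in letter case would then still count as a match for reuse. A byte-exact comparison such as `strcmp(needle->proxypasswd, check->proxypasswd)` would close that gap, but because this file mirrors the upstream patch it is better carried as a separate follow-up patch than by editing this one. The patch header should also record the upstream commit and the release that contains the fix (`<upstream-commit>`, `<fixed-in-version>`) so the patch is dropped at the next version update; no test in this commit appears to exercise proxy-NTLM reuse with differing credentials. ConnectionExists begins and ends outside the embedded hunks.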
--- a/components/curl/test/results-32.master Wed Jan 27 17:18:04 2016 -0800
+++ b/components/curl/test/results-32.master Wed Jan 27 20:55:37 2016 -0800
@@ -1,59 +1,20 @@
-make[1]: Entering directory `$(@D)'
Making check in lib
-make[2]: Entering directory `$(@D)/lib'
-make[2]: Leaving directory `$(@D)/lib'
Making check in src
-make[2]: Entering directory `$(@D)/src'
/usr/gnu/bin/make check-am
-make[3]: Entering directory `$(@D)/src'
-make[3]: Nothing to be done for `check-am'.
-make[3]: Leaving directory `$(@D)/src'
-make[2]: Leaving directory `$(@D)/src'
Making check in include
-make[2]: Entering directory `$(@D)/include'
Making check in curl
-make[3]: Entering directory `$(@D)/include/curl'
-make[4]: Entering directory `$(@D)/include/curl'
touch stamp-h2
-make[4]: Leaving directory `$(@D)/include/curl'
-make[3]: Leaving directory `$(@D)/include/curl'
-make[3]: Entering directory `$(@D)/include'
-make[3]: Nothing to be done for `check-am'.
-make[3]: Leaving directory `$(@D)/include'
-make[2]: Leaving directory `$(@D)/include'
-make[2]: Entering directory `$(@D)'
-make[2]: Nothing to be done for `check-am'.
-make[2]: Leaving directory `$(@D)'
-make[2]: Entering directory `$(@D)/tests'
Making all in certs
-make[3]: Entering directory `$(@D)/tests/certs'
Making all in scripts
-make[4]: Entering directory `$(@D)/tests/certs/scripts'
-make[4]: Nothing to be done for `all'.
-make[4]: Leaving directory `$(@D)/tests/certs/scripts'
-make[4]: Entering directory `$(@D)/tests/certs'
-make[4]: Nothing to be done for `all-am'.
-make[4]: Leaving directory `$(@D)/tests/certs'
-make[3]: Leaving directory `$(@D)/tests/certs'
Making all in data
-make[3]: Entering directory `$(@D)/tests/data'
-make[3]: Nothing to be done for `all'.
-make[3]: Leaving directory `$(@D)/tests/data'
Making all in server
-make[3]: Entering directory `$(@D)/tests/server'
-make[3]: Leaving directory `$(@D)/tests/server'
Making all in libtest
-make[3]: Entering directory `$(@D)/tests/libtest'
source='sethostname.c' object='libhostname_la-sethostname.lo' libtool=yes \
libtool: link:
-make[3]: Leaving directory `$(@D)/tests/libtest'
-make[3]: Entering directory `$(@D)/tests'
-make[3]: Nothing to be done for `all-am'.
-make[3]: Leaving directory `$(@D)/tests'
srcdir=$(SOURCE_DIR)/tests /usr/bin/perl -I$(SOURCE_DIR)/tests $(SOURCE_DIR)/tests/runtests.pl -a -s
********* System characteristics ********
* curl 7.45.0
-* libcurl/7.45.0 OpenSSL/1.0.2d zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2
+* libcurl/7.45.0 OpenSSL/1.0.2e zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2
* Features: IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
* Host:
* System: SunOS
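Review bot: The expected output still pins the exact linked-library versions on the `* libcurl/7.45.0 OpenSSL/1.0.2e ...` line, so this master file has to be regenerated whenever OpenSSL, zlib, libidn or libssh2 is updated; results-64.master gets the same edit. A stale master then fails the comparison for reasons unrelated to curl, which makes a genuine regression in a security patch harder to spot. Normalizing that line in the Makefile's transform list, for example `'-e "s|^\* libcurl/.*$$|* libcurl/XXX|" '` with the master updated to match, would keep the comparison stable. If the pinned version is meant as a check that the build linked the intended OpenSSL, say so in a comment next to the transforms instead.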
@@ -441,10 +402,6 @@
=== Start of file log/sftp_server.log
No credentials cache file found
-mech_dh: No secret key
-
-mech_dh: No secret key
-
Connection reset by 127.0.0.1
Connection closed
=== End of file log/sftp_server.log
@@ -1029,26 +986,14 @@
test 2045...OK (984 out of 984, remaining: xx:xx)
TESTDONE: 802 tests out of 802 reported OK: 100%
TESTDONE: 994 tests were considered during
-make[2]: Leaving directory `$(@D)/tests'
-make[2]: Entering directory `$(@D)/docs/examples'
/usr/gnu/bin/make 10-at-a-time anyauthput cookie_interface debug fileupload fopen ftpget ftpgetresp ftpupload getinfo getinmemory http-post httpput https multi-app multi-debugcallback multi-double multi-post multi-single persistant post-callback postit2 sepheaders simple simplepost simplessl sendrecv httpcustomheader certinfo chkspeed ftpgetinfo ftp-wildcard smtp-mail smtp-multi smtp-ssl smtp-tls smtp-vrfy smtp-expn rtsp externalsocket resolve progressfunc pop3-retr pop3-list pop3-uidl pop3-dele pop3-top pop3-stat pop3-noop pop3-ssl pop3-tls pop3-multi imap-list imap-lsub imap-fetch imap-store imap-append imap-examine imap-search imap-create imap-delete imap-copy imap-noop imap-ssl imap-tls imap-multi url2file sftpget ftpsget postinmemory http2-download http2-upload http2-serverpush
-make[3]: Entering directory `$(@D)/docs/examples'
"$(SOURCE_DIR)/docs/examples/pop3-multi.c", line 96: warning: implicit function declaration: memset
"$(SOURCE_DIR)/docs/examples/imap-multi.c", line 96: warning: implicit function declaration: memset
"$(SOURCE_DIR)/docs/examples/http2-download.c", line 226: warning: implicit function declaration: memset
"$(SOURCE_DIR)/docs/examples/http2-upload.c", line 290: warning: implicit function declaration: memset
"$(SOURCE_DIR)/docs/examples/http2-serverpush.c", line 236: warning: implicit function declaration: memset
-make[3]: Leaving directory `$(@D)/docs/examples'
-make[2]: Leaving directory `$(@D)/docs/examples'
-make[2]: Entering directory `$(@D)/docs/libcurl'
Making check in opts
-make[3]: Entering directory `$(@D)/docs/libcurl/opts'
-make[3]: Nothing to be done for `check'.
-make[3]: Leaving directory `$(@D)/docs/libcurl/opts'
-make[3]: Entering directory `$(@D)/docs/libcurl'
/usr/gnu/bin/make check-TESTS
-make[4]: Entering directory `$(@D)/docs/libcurl'
-make[5]: Entering directory `$(@D)/docs/libcurl'
OPTS="$(ls $(SOURCE_DIR)/docs/libcurl/opts/CURLOPT*.3 | /usr/bin/sed -e 's,^.*/,,' -e 's,\.3$,,')" && \
for opt in $OPTS; do grep "^\.IP $opt$" $(SOURCE_DIR)/docs/libcurl/curl_easy_setopt.3 >/dev/null || echo Missing $opt; done > check-easy
PASS: check-easy
@@ -1066,8 +1011,3 @@
# XPASS: 0
# ERROR: 0
============================================================================
-make[5]: Leaving directory `$(@D)/docs/libcurl'
-make[4]: Leaving directory `$(@D)/docs/libcurl'
-make[3]: Leaving directory `$(@D)/docs/libcurl'
-make[2]: Leaving directory `$(@D)/docs/libcurl'
-make[1]: Leaving directory `$(@D)'
--- a/components/curl/test/results-64.master Wed Jan 27 17:18:04 2016 -0800
+++ b/components/curl/test/results-64.master Wed Jan 27 20:55:37 2016 -0800
@@ -1,59 +1,20 @@
-make[1]: Entering directory `$(@D)'
Making check in lib
-make[2]: Entering directory `$(@D)/lib'
-make[2]: Leaving directory `$(@D)/lib'
Making check in src
-make[2]: Entering directory `$(@D)/src'
/usr/gnu/bin/make check-am
-make[3]: Entering directory `$(@D)/src'
-make[3]: Nothing to be done for `check-am'.
-make[3]: Leaving directory `$(@D)/src'
-make[2]: Leaving directory `$(@D)/src'
Making check in include
-make[2]: Entering directory `$(@D)/include'
Making check in curl
-make[3]: Entering directory `$(@D)/include/curl'
-make[4]: Entering directory `$(@D)/include/curl'
touch stamp-h2
-make[4]: Leaving directory `$(@D)/include/curl'
-make[3]: Leaving directory `$(@D)/include/curl'
-make[3]: Entering directory `$(@D)/include'
-make[3]: Nothing to be done for `check-am'.
-make[3]: Leaving directory `$(@D)/include'
-make[2]: Leaving directory `$(@D)/include'
-make[2]: Entering directory `$(@D)'
-make[2]: Nothing to be done for `check-am'.
-make[2]: Leaving directory `$(@D)'
-make[2]: Entering directory `$(@D)/tests'
Making all in certs
-make[3]: Entering directory `$(@D)/tests/certs'
Making all in scripts
-make[4]: Entering directory `$(@D)/tests/certs/scripts'
-make[4]: Nothing to be done for `all'.
-make[4]: Leaving directory `$(@D)/tests/certs/scripts'
-make[4]: Entering directory `$(@D)/tests/certs'
-make[4]: Nothing to be done for `all-am'.
-make[4]: Leaving directory `$(@D)/tests/certs'
-make[3]: Leaving directory `$(@D)/tests/certs'
Making all in data
-make[3]: Entering directory `$(@D)/tests/data'
-make[3]: Nothing to be done for `all'.
-make[3]: Leaving directory `$(@D)/tests/data'
Making all in server
-make[3]: Entering directory `$(@D)/tests/server'
-make[3]: Leaving directory `$(@D)/tests/server'
Making all in libtest
-make[3]: Entering directory `$(@D)/tests/libtest'
source='sethostname.c' object='libhostname_la-sethostname.lo' libtool=yes \
libtool: link:
-make[3]: Leaving directory `$(@D)/tests/libtest'
-make[3]: Entering directory `$(@D)/tests'
-make[3]: Nothing to be done for `all-am'.
-make[3]: Leaving directory `$(@D)/tests'
srcdir=$(SOURCE_DIR)/tests /usr/bin/perl -I$(SOURCE_DIR)/tests $(SOURCE_DIR)/tests/runtests.pl -a -s
********* System characteristics ********
* curl 7.45.0
-* libcurl/7.45.0 OpenSSL/1.0.2d zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2
+* libcurl/7.45.0 OpenSSL/1.0.2e zlib/1.2.8-T4mods libidn/1.19 libssh2/1.4.2
* Features: IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
* Host:
* System: SunOS
@@ -882,26 +843,14 @@
test 2045...OK (984 out of 984, remaining: xx:xx)
TESTDONE: 803 tests out of 803 reported OK: 100%
TESTDONE: 994 tests were considered during
-make[2]: Leaving directory `$(@D)/tests'
-make[2]: Entering directory `$(@D)/docs/examples'
/usr/gnu/bin/make 10-at-a-time anyauthput cookie_interface debug fileupload fopen ftpget ftpgetresp ftpupload getinfo getinmemory http-post httpput https multi-app multi-debugcallback multi-double multi-post multi-single persistant post-callback postit2 sepheaders simple simplepost simplessl sendrecv httpcustomheader certinfo chkspeed ftpgetinfo ftp-wildcard smtp-mail smtp-multi smtp-ssl smtp-tls smtp-vrfy smtp-expn rtsp externalsocket resolve progressfunc pop3-retr pop3-list pop3-uidl pop3-dele pop3-top pop3-stat pop3-noop pop3-ssl pop3-tls pop3-multi imap-list imap-lsub imap-fetch imap-store imap-append imap-examine imap-search imap-create imap-delete imap-copy imap-noop imap-ssl imap-tls imap-multi url2file sftpget ftpsget postinmemory http2-download http2-upload http2-serverpush
-make[3]: Entering directory `$(@D)/docs/examples'
"$(SOURCE_DIR)/docs/examples/pop3-multi.c", line 96: warning: implicit function declaration: memset
"$(SOURCE_DIR)/docs/examples/imap-multi.c", line 96: warning: implicit function declaration: memset
"$(SOURCE_DIR)/docs/examples/http2-download.c", line 226: warning: implicit function declaration: memset
"$(SOURCE_DIR)/docs/examples/http2-upload.c", line 290: warning: implicit function declaration: memset
"$(SOURCE_DIR)/docs/examples/http2-serverpush.c", line 236: warning: implicit function declaration: memset
-make[3]: Leaving directory `$(@D)/docs/examples'
-make[2]: Leaving directory `$(@D)/docs/examples'
-make[2]: Entering directory `$(@D)/docs/libcurl'
Making check in opts
-make[3]: Entering directory `$(@D)/docs/libcurl/opts'
-make[3]: Nothing to be done for `check'.
-make[3]: Leaving directory `$(@D)/docs/libcurl/opts'
-make[3]: Entering directory `$(@D)/docs/libcurl'
/usr/gnu/bin/make check-TESTS
-make[4]: Entering directory `$(@D)/docs/libcurl'
-make[5]: Entering directory `$(@D)/docs/libcurl'
OPTS="$(ls $(SOURCE_DIR)/docs/libcurl/opts/CURLOPT*.3 | /usr/bin/sed -e 's,^.*/,,' -e 's,\.3$,,')" && \
for opt in $OPTS; do grep "^\.IP $opt$" $(SOURCE_DIR)/docs/libcurl/curl_easy_setopt.3 >/dev/null || echo Missing $opt; done > check-easy
PASS: check-easy
@@ -919,8 +868,3 @@
# XPASS: 0
# ERROR: 0
============================================================================
-make[5]: Leaving directory `$(@D)/docs/libcurl'
-make[4]: Leaving directory `$(@D)/docs/libcurl'
-make[3]: Leaving directory `$(@D)/docs/libcurl'
-make[2]: Leaving directory `$(@D)/docs/libcurl'
-make[1]: Leaving directory `$(@D)'