18183059 problem in LIBRARY/CURL s11-update
author Rich Burridge <rich.burridge@oracle.com>
Fri, 07 Feb 2014 05:41:08 -0800
branch s11-update
changeset 2939 e9aeb41ecd7a
parent 2938 9f9845a938fd
child 2941 b04a7202dbf6
18183059 problem in LIBRARY/CURL
components/curl/patches/013-CVE-2014-0015.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/013-CVE-2014-0015.patch	Fri Feb 07 05:41:08 2014 -0800
@@ -0,0 +1,20 @@
+CVE-2014-0015: libcurl can in some circumstances re-use the wrong
+connection when asked to do an NTLM-authenticated HTTP or HTTPS request.
+
+More information at:
+http://curl.haxx.se/docs/adv_20140129.html
+
+Closest relevant upstream patch at:
+http://curl.haxx.se/CVE-2014-0015-7-27.patch
+
+--- lib/url.c.orig	2014-02-04 12:41:29.827372361 -0800
++++ lib/url.c	2014-02-04 12:56:44.394433387 -0800
[email protected]@ -2998,7 +2998,7 @@
+         }
+         if((needle->protocol & PROT_FTP) ||
+            ((needle->protocol & PROT_HTTP) &&
+-            (data->state.authhost.want==CURLAUTH_NTLM))) {
++            (data->state.authhost.want & CURLAUTH_NTLM))) {
+           /* This is FTP or HTTP+NTLM, verify that we're using the same name
+              and password as well */
+           if(!strequal(needle->user, check->user) ||
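Review bot: The header of the new patch file names the upstream change only as the "closest relevant" patch and does not say how this backport differs from it or why; please add a line stating which parts of the upstream patch were taken and which were left out, so a later curl rebase can tell whether 013-CVE-2014-0015.patch is still needed. The header would also benefit from one sentence on the actual cause: `data->state.authhost.want` is a bitmask, so the old `==CURLAUTH_NTLM` comparison skipped the user/password check whenever NTLM was requested together with other methods, and the `& CURLAUTH_NTLM` test closes that gap. In the `lib/url.c` condition itself, only `authhost.want` is consulted; please confirm in the description whether NTLM requested for a proxy reaches the same connection-reuse path in this curl version and, if so, whether it needs the same credential comparison.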