15941200 curl "gmake test" failures
16658714 problem in LIBRARY/CURL
17799440 problem in LIBRARY/CURL
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/010-CVE-2013-4545.patch Tue Nov 19 07:55:28 2013 -0800
@@ -0,0 +1,21 @@
+CVE-2013-4545: Setting only CURLOPT_SSL_VERIFYHOST without
+CURLOPT_SSL_VERIFYPEER set should still verify that the host
+name fields in the server certificate is fine or return failure.
+
+Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html
+Reported-by: Ishan SinghLevett
+
+Relevant upstream patch at:
+https://github.com/bagder/curl/commit/3c3622b6
+
+--- lib/ssluse.c.orig 2013-11-18 06:59:53.408117483 -0800
++++ lib/ssluse.c 2013-11-18 07:00:26.212993187 -0800
+@@ -2357,7 +2357,7 @@
+ * operations.
+ */
+
+- if(!data->set.ssl.verifypeer)
++ if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)
+ (void)servercert(conn, connssl, FALSE);
+ else
+ retcode = servercert(conn, connssl, TRUE);
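Review bot: The new condition `if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)` depends on `servercert(conn, connssl, TRUE)` honouring each option separately, and nothing at the call site says so. With only verifyhost set, the strict call has to fail on a host name mismatch without also enforcing chain validation, and that logic sits in `servercert`, outside this hunk, so it should be confirmed there. A short comment above the condition would record the intent, for example `/* ignore certificate errors only when neither peer nor host verification is requested (CVE-2013-4545) */`. The change would also benefit from a regression test that sets verifyhost alone against a mismatching certificate. The enclosing function starts and ends outside the hunk.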
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/011-runtests.pl.patch Tue Nov 19 07:55:28 2013 -0800
@@ -0,0 +1,37 @@
+The various curl NTLM tests try to LD_PRELOAD a test library
+called .../tests/libtest/.libs/libhostname.so that's been
+created as a pre-requisite to running the numerous Perl tests.
+
+This patch adjusts LD_PRELOAD to be LD_PRELOAD_32 or LD_PRELOAD_64
+depending upon whether we are running the 32 or 64 bit tests.
+
+As this is Solaris specific, this patch will not be pushed upstream.
+
+--- tests/runtests.pl.orig 2013-11-18 07:12:48.748872794 -0800
++++ tests/runtests.pl 2013-11-18 07:15:32.604982653 -0800
+@@ -2405,10 +2405,21 @@
+ delete $ENV{$var} if($ENV{$var});
+ }
+ else {
+- if(($var =~ /^LD_PRELOAD/) &&
+- ($debug_build || ($has_shared ne "yes"))) {
+- # print "Skipping LD_PRELOAD due to no release shared build\n";
+- next;
++ if($var =~ /^LD_PRELOAD/) {
++ if(exe_ext() && (exe_ext() eq '.exe')) {
++ # print "Skipping LD_PRELOAD due to lack of OS support\n";
++ next;
++ }
++ if($debug_build || ($has_shared ne "yes")) {
++ # print "Skipping LD_PRELOAD due to no release shared build\n";
++ next;
++ }
++ # make this LD_PRELOAD_{bits}
++ open(FP, "/bin/file $content |");
++ my $bits = <FP>;
++ if ($bits =~ /^.+ELF\s(\d\d)-bit.+$/) {
++ $var .= '_'.$1;
++ }
+ }
+ $ENV{$var} = "$content";
+ }
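Review bot: The added `open(FP, "/bin/file $content |");` interpolates `$content` into a shell command line, never checks whether the open succeeded, and never closes `FP`. A preload path containing spaces or shell metacharacters would be re-parsed by the shell. If `/bin/file` cannot be run, `$bits` is undefined and the code silently falls back to plain `LD_PRELOAD`. A list-form pipe open on a lexical handle passes the path as a single argument with no shell involved, and closing the handle reaps the child process. The enclosing loop starts and ends outside the hunk.

```perl
# make this LD_PRELOAD_{bits}
# list-form open: $content is handed to /bin/file as one argument, no shell
if(open(my $fp, '-|', '/bin/file', $content)) {
  my $bits = <$fp>;
  close($fp);
  if(defined($bits) && ($bits =~ /^.+ELF\s(\d\d)-bit.+$/)) {
    $var .= '_'.$1;
  }
}
# … unchanged: $ENV{$var} = "$content"; …
```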
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/012-CVE-2013-1944.patch Tue Nov 19 07:55:28 2013 -0800
@@ -0,0 +1,49 @@
+From 3604fde3d3c9b0d0e389e079aecf470d123ba180 Mon Sep 17 00:00:00 2001
+From: YAMADA Yasuharu <[email protected]>
+Date: Thu, 11 Apr 2013 00:17:15 +0200
+Subject: [PATCH] cookie: fix tailmatching to prevent cross-domain leakage
+
+Cookies set for 'example.com' could accidentaly also be sent by libcurl
+to the 'bexample.com' (ie with a prefix to the first domain name).
+
+This is a security vulnerabilty, CVE-2013-1944.
+
+Bug: http://curl.haxx.se/docs/adv_20130412.html
+
+--- lib/cookie.c.orig 2013-11-18 14:05:59.517749330 -0800
++++ lib/cookie.c 2013-11-18 14:08:09.852442022 -0800
+@@ -122,15 +122,29 @@
+ free(co);
+ }
+
+-static bool tailmatch(const char *little, const char *bigone)
++static bool tailmatch(const char *cooke_domain, const char *hostname)
+ {
+- size_t littlelen = strlen(little);
+- size_t biglen = strlen(bigone);
++ size_t cookie_domain_len = strlen(cooke_domain);
++ size_t hostname_len = strlen(hostname);
+
+- if(littlelen > biglen)
++ if(hostname_len < cookie_domain_len)
+ return FALSE;
+
+- return (bool)Curl_raw_equal(little, bigone+biglen-littlelen);
++ if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
++ return FALSE;
++
++ /* A lead char of cookie_domain is not '.'.
++ RFC6265 4.1.2.3. The Domain Attribute says:
++ For example, if the value of the Domain attribute is
++ "example.com", the user agent will include the cookie in the Cookie
++ header when making HTTP requests to example.com, www.example.com, and
++ www.corp.example.com.
++ */
++ if(hostname_len == cookie_domain_len)
++ return TRUE;
++ if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
++ return TRUE;
++ return FALSE;
+ }
+
+ /*
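Review bot: `tailmatch` has no guard for an empty `cooke_domain`: with `cookie_domain_len == 0` the `Curl_raw_equal` call compares two empty strings, so any hostname ending in '.' reaches the final `'.' ==` test and matches. Whether a caller can pass an empty domain is not visible in this hunk, so an early `if(!cookie_domain_len) return FALSE;` would be a cheap safeguard. The comment's statement that cookie_domain does not begin with '.' is also an unchecked precondition on the caller and should be worded as one, for example `/* caller must pass cookie_domain without a leading '.' */`. The parameter is misspelled `cooke_domain` in the signature and in both uses; `cookie_domain` would match the `cookie_domain_len` local.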