Package: curl / 7.52.1-5+deb9u9

Metadata

Package: curl
Version: 7.52.1-5+deb9u9
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01_runtests_gdb.patch

tests/runtests.pl | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 runtests_gdb.
03_keep_symbols_compat.patch

lib/libcurl.vers.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 keep versioned symbols backwards compatibility.
04_workaround_as_needed_bug.patch

ltmain.sh | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 work around libtool --as-needed reordering bug
06_always-disable-valgrind.patch

tests/Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 always disable valgrind tests
07_do-not-disable-debug-symbols.patch

m4/curl-compilers.m4 | 11 0 + 11 - 0 !
1 file changed, 11 deletions(-)

 do not disable debug symbols without --enable-debug
08_enable-zsh.patch

Makefile.am | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 enable zsh completion generation
09_fix-typo.patch

docs/libcurl/libcurl-tutorial.3 | 2 1 + 1 - 0 !
docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 fix typos in man pages
11_omit-directories-from-config.patch

curl-config.in | 15 3 + 12 - 0 !
1 file changed, 3 insertions(+), 12 deletions(-)

 In order to (partially) multi-arch-ify curl-config, remove all
 mention of @includedir@ and @libdir@ from the script.  On Debian, the actual
 header and library directories are architecture-dependent, but will always be
 in the C compiler's default search path, so -I and -L options are not
 necessary (and may be harmful in multi-arch environments).
12_fix-openssl-connection-timeout.patch

lib/vtls/vtls.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] vtls: s/ssleay/openssl

Fixed an old leftover use of the USE_SSLEAY define which would make a
socket get removed from the applications sockets to monitor when the
multi_socket API was used, leading to timeouts.

Bug: #1174

13_CVE-2017-2629.patch

lib/url.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch] tls: make ssl_verifystatus work again

The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
and thus even if the status couldn't be verified, the connection would
be allowed and the user would not be told about the failed verification.

Regression since cb4e2be7c6d42ca

CVE-2017-2629
Bug: https://curl.haxx.se/docs/adv_20170222.html

Reported-by: Marcus Hoffmann

14_fix-connect-regression.patch

lib/http_proxy.c | 41 21 + 20 - 0 !
tests/data/Makefile.inc | 2 1 + 1 - 0 !
tests/data/test1287 | 90 90 + 0 - 0 !
3 files changed, 112 insertions(+), 21 deletions(-)

 [patch] http_proxy: ignore te and cl in connect 2xx responses

A client MUST ignore any Content-Length or Transfer-Encoding header
fields received in a successful response to CONNECT.
"Successful" described as: 2xx (Successful). RFC 7231 4.3.6

Prior to this change such a case would cause an error.

In some ways this bug appears to be a regression since c50b878. Prior to
that libcurl may have appeared to function correctly in such cases by
acting on those headers instead of causing an error. But that behavior
was also incorrect.

Bug: https://github.com/curl/curl/issues/1317
Reported-by: mkzero@users.noreply.github.com

15_CVE-2017-7407.patch

src/tool_writeout.c | 2 1 + 1 - 0 !
tests/data/Makefile.inc | 2 1 + 1 - 0 !
tests/data/test1440 | 31 31 + 0 - 0 !
tests/data/test1441 | 31 31 + 0 - 0 !
4 files changed, 64 insertions(+), 2 deletions(-)

 [patch] tool_writeout: fixed a buffer read overrun on --write-out

If a % ended the statement, the string's trailing NUL would be skipped
and memory past the end of the buffer would be accessed and potentially
displayed as part of the --write-out output. Added tests 1440 and 1441
to check for this kind of condition.

Reported-by: Brian Carpenter
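
Added example, not curl's code: a minimal C model of the --write-out scanner defect this patch fixes. The old loop consumed the byte after every '%' unconditionally, so a format ending in '%' stepped over its own NUL terminator and kept reading. Function names (scan_writeout_vuln, scan_writeout_fixed, demo_*) are hypothetical, and the input is constructed here: "abc%" followed by 'X' filler standing in for whatever happened to sit after the string in memory, with a hard stop in the last byte so the demonstration stays within defined behaviour.

```c
/* Added example, not curl's code: a model of the --write-out scanner
 * bug fixed for CVE-2017-7407.  Names are hypothetical; the input is
 * constructed here, with 'X' bytes standing in for whatever happened
 * to follow the format string in memory. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct scan_result {
    size_t bytes_read;    /* index one past the last byte examined */
    bool   read_past_nul; /* true if the scan walked beyond the NUL */
};

/* Length of the C string inside a backing buffer of `cap` bytes. */
static size_t bounded_len(const char *buf, size_t cap)
{
    size_t n = 0;
    while (n < cap && buf[n] != '\0')
        n++;
    return n;
}

/* Old logic: on '%' the following byte is consumed unconditionally (it
 * is a second '%', a '{' opening a variable, or echoed as an illegal
 * escape).  When '%' is the last character that byte is the NUL, so
 * the loop steps over it and continues into adjacent memory.  The
 * `i < cap` guard exists only to keep this demo well defined. */
static struct scan_result scan_writeout_vuln(const char *buf, size_t cap)
{
    struct scan_result r = { 0, false };
    size_t len = bounded_len(buf, cap);
    size_t i = 0;
    while (i < cap && buf[i] != '\0') {
        if (buf[i] == '%')
            i += 2;   /* bug: buf[i + 1] may be the terminating NUL */
        else
            i++;
    }
    r.bytes_read = i;
    r.read_past_nul = i > len;
    return r;
}

/* Fixed logic: a '%' followed by NUL ends the scan on the NUL. */
static struct scan_result scan_writeout_fixed(const char *buf, size_t cap)
{
    struct scan_result r = { 0, false };
    size_t len = bounded_len(buf, cap);
    size_t i = 0;
    while (i < cap && buf[i] != '\0') {
        if (buf[i] == '%') {
            if (i + 1 >= cap || buf[i + 1] == '\0') {
                i++;      /* lone trailing '%': stop on the NUL */
                break;
            }
            i += 2;
        } else {
            i++;
        }
    }
    r.bytes_read = i;
    r.read_past_nul = i > len;
    return r;
}

/* Constructed input: "abc%" plus its NUL, then 'X' filler, then a hard
 * stop in the last byte so the vulnerable scan cannot leave the array. */
#define DEMO_CAP 16
static void demo_input(char *buf)
{
    memset(buf, 'X', DEMO_CAP);
    memcpy(buf, "abc%", 5);     /* 5 bytes copies the NUL too */
    buf[DEMO_CAP - 1] = '\0';
}

static struct scan_result demo_vuln(void)
{
    char buf[DEMO_CAP];
    demo_input(buf);
    return scan_writeout_vuln(buf, DEMO_CAP);
}

static struct scan_result demo_fixed(void)
{
    char buf[DEMO_CAP];
    demo_input(buf);
    return scan_writeout_fixed(buf, DEMO_CAP);
}

int main(void)
{
    struct scan_result v = demo_vuln(), f = demo_fixed();
    printf("vulnerable: read %zu bytes, past NUL: %s\n",
           v.bytes_read, v.read_past_nul ? "yes" : "no");
    printf("fixed:      read %zu bytes, past NUL: %s\n",
           f.bytes_read, f.read_past_nul ? "yes" : "no");
    return 0;
}
```

The vulnerable scan reports 15 bytes examined for a 4-byte format, which is exactly the memory that the real tool then printed as part of the --write-out output; the fixed scan stops at 4.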

16_CVE-2017-7468.patch

lib/url.c | 5 3 + 2 - 0 !
lib/urldata.h | 2 1 + 1 - 0 !
lib/vtls/axtls.c | 4 2 + 2 - 0 !
lib/vtls/cyassl.c | 4 2 + 2 - 0 !
lib/vtls/darwinssl.c | 2 1 + 1 - 0 !
lib/vtls/gtls.c | 4 2 + 2 - 0 !
lib/vtls/mbedtls.c | 4 2 + 2 - 0 !
lib/vtls/nss.c | 2 1 + 1 - 0 !
lib/vtls/openssl.c | 4 2 + 2 - 0 !
lib/vtls/polarssl.c | 4 2 + 2 - 0 !
lib/vtls/schannel.c | 4 2 + 2 - 0 !
lib/vtls/vtls.c | 9 6 + 3 - 0 !
12 files changed, 26 insertions(+), 22 deletions(-)

 [patch] tls: fix switching off ssl session id when client cert is used

- Move the sessionid flag to ssl_primary_config so that ssl and
  proxy_ssl will each have their own sessionid flag.

Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
this issue had been fixed in 247d890, CVE-2016-5419.

Bug: https://github.com/curl/curl/issues/1341
Reported-by: lijian996@users.noreply.github.com

17_CVE-2017-1000100.patch

lib/tftp.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 [patch] tftp: reject file name lengths that don't fit

... and thereby avoid telling send() to send off more bytes than the
size of the buffer!

Bug:
Reported-by: Even Rouault

18_CVE-2017-1000101.patch

src/tool_urlglob.c | 5 4 + 1 - 0 !
tests/data/test1289 | 35 35 + 0 - 0 !
2 files changed, 39 insertions(+), 1 deletion(-)

 [patch] glob: do not continue parsing after a strtoul() overflow range

Added test 1289 to verify.

CVE-2017-1000101

Bug: https://curl.haxx.se/docs/adv_20170809A.html
Reported-by: Brian Carpenter
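
Added example, not curl's code: a "[lo-hi]" numeric glob range parser written two ways, to show what the strtoul() overflow check in this patch changes. strtoul() clamps to ULONG_MAX on overflow and only reports it through errno, so a caller that never checks errno accepts "[1-99999999999999999999]" as a valid range with garbage bounds. The checked version also rejects a leading sign, which strtoul() otherwise accepts and wraps; that caveat goes beyond the patch text and is my addition. Names (parse_range_vuln, parse_range_fixed, read_ulong) are hypothetical.

```c
/* Added example, not curl's code: parsing a "[lo-hi]" numeric glob
 * range with and without the strtoul() overflow check that the
 * CVE-2017-1000101 fix adds.  Names are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum range_status { RANGE_OK, RANGE_SYNTAX, RANGE_OVERFLOW };

struct num_range {
    enum range_status status;
    unsigned long lo, hi;
};

/* Old behaviour: strtoul() saturates at ULONG_MAX on overflow and the
 * caller never looks at errno, so "[1-99999999999999999999]" parses as
 * [1-ULONG_MAX] and whatever expands the range later runs on bounds
 * that never appeared in the input. */
static struct num_range parse_range_vuln(const char *s)
{
    struct num_range r = { RANGE_SYNTAX, 0, 0 };
    char *end;
    if (*s != '[')
        return r;
    r.lo = strtoul(s + 1, &end, 10);
    if (end == s + 1 || *end != '-')
        return r;
    r.hi = strtoul(end + 1, &end, 10);
    if (*end != ']' || r.lo > r.hi)
        return r;
    r.status = RANGE_OK;
    return r;
}

/* Reads one unsigned decimal number at *p, advancing *p on success.
 * Fails on overflow (errno == ERANGE), on no digits, and on a leading
 * sign: strtoul() accepts "-5" and returns ULONG_MAX - 4 without ERANGE. */
static enum range_status read_ulong(const char **p, unsigned long *out)
{
    char *end;
    if (!isdigit((unsigned char)**p))
        return RANGE_SYNTAX;
    errno = 0;
    *out = strtoul(*p, &end, 10);
    if (errno == ERANGE)
        return RANGE_OVERFLOW;
    *p = end;
    return RANGE_OK;
}

/* Fixed behaviour: stop parsing as soon as a number does not fit. */
static struct num_range parse_range_fixed(const char *s)
{
    struct num_range r = { RANGE_SYNTAX, 0, 0 };
    const char *p = s;
    if (*p++ != '[')
        return r;
    r.status = read_ulong(&p, &r.lo);
    if (r.status != RANGE_OK)
        return r;
    if (*p++ != '-') {
        r.status = RANGE_SYNTAX;
        return r;
    }
    r.status = read_ulong(&p, &r.hi);
    if (r.status != RANGE_OK)
        return r;
    if (*p != ']' || r.lo > r.hi)
        r.status = RANGE_SYNTAX;
    return r;
}

int main(void)
{
    const char *big = "[1-99999999999999999999]";   /* constructed input */
    struct num_range v = parse_range_vuln(big), f = parse_range_fixed(big);
    printf("vulnerable: status %d, hi = %lu (ULONG_MAX is %lu)\n",
           (int)v.status, v.hi, ULONG_MAX);
    printf("fixed:      status %d\n", (int)f.status);
    return 0;
}
```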

19_CVE-2017-1000254.patch

lib/ftp.c | 7 5 + 2 - 0 !
tests/data/test1152 | 61 61 + 0 - 0 !
2 files changed, 66 insertions(+), 2 deletions(-)

 [patch v2] ftp: zero terminate the entry path even on bad input

... a single double quote could leave the entry path buffer without a zero
terminating byte.

Test 1152 added to verify.
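
Added example, not curl's code: extracting the quoted directory from an FTP "257" PWD reply. RFC 959 puts the path in double quotes and sends a quote inside the path as two quotes, so the parser has to handle the escape and also a reply whose closing quote never arrives. The property this patch restores is that the output buffer is NUL-terminated and the caller is told of failure on every exit path. Names (ftp_pwd_extract, demo_pwd) are hypothetical and the replies are constructed here.

```c
/* Added example, not curl's code: extracting the quoted directory from
 * an FTP "257" PWD reply (RFC 959: the path is in double quotes, and a
 * quote inside the path is sent doubled).  The point of the
 * CVE-2017-1000254 fix is that the output must be NUL-terminated and
 * the caller told of failure on every path, including a reply whose
 * closing quote never arrives.  Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copies the quoted path from `line` (the text after the 3-digit code
 * and space) into `dir`, which holds `cap` bytes.  Returns true only if
 * a properly closed path was found; `dir` is a valid (possibly empty)
 * C string on every return. */
static bool ftp_pwd_extract(const char *line, char *dir, size_t cap)
{
    size_t n = 0;
    bool closed = false;
    if (cap == 0)
        return false;
    dir[0] = '\0';                    /* terminate before anything else */
    while (*line == ' ')
        line++;
    if (*line != '"')
        return false;
    line++;
    while (*line != '\0' && n + 1 < cap) {
        if (*line == '"') {
            if (line[1] == '"') {     /* "" is an escaped quote */
                dir[n++] = '"';
                line += 2;
                continue;
            }
            closed = true;            /* single quote: end of path */
            break;
        }
        dir[n++] = *line++;
    }
    dir[n] = '\0';                    /* terminate on every exit path */
    return closed;
}

/* Runs the extractor on a full constructed reply line and returns the
 * path, or NULL when the reply was malformed or never closed. */
static const char *demo_pwd(const char *reply)
{
    static char dir[64];
    const char *body = reply;
    if (strncmp(body, "257 ", 4) == 0)
        body += 4;
    return ftp_pwd_extract(body, dir, sizeof dir) ? dir : NULL;
}

int main(void)
{
    const char *replies[] = {
        "257 \"/home/user\" is current directory",
        "257 \"/we\"\"ird\" ok",
        "257 \"",                     /* the single-quote case from the fix */
        "257 \"/never/closed",
    };
    size_t i;
    for (i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        const char *p = demo_pwd(replies[i]);
        printf("%-40s -> %s\n", replies[i], p ? p : "(rejected)");
    }
    return 0;
}
```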

Reported-by: Max Dymond

20_CVE-2017-1000257.patch

lib/imap.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 [patch] imap: if a fetch response has no size, don't call write callback


21_CVE-2017-8816.patch

lib/curl_ntlm_core.c | 20 18 + 2 - 0 !
1 file changed, 18 insertions(+), 2 deletions(-)

 [patch] ntlm: avoid integer overflow for malloc size

Reported-by: Alex Nichols
Assisted-by: Kamil Dudka and Max Dymond

22_CVE-2017-8817.patch

lib/curl_fnmatch.c | 9 3 + 6 - 0 !
tests/data/Makefile.inc | 1 1 + 0 - 0 !
tests/data/test1163 | 52 52 + 0 - 0 !
3 files changed, 56 insertions(+), 6 deletions(-)

 [patch] wildcardmatch: fix heap buffer overflow in setcharset

The code would previously read beyond the end of the pattern string if the
match pattern ends with an open bracket when the default pattern
matching function is used.

Detected by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161

23_CVE-2018-1000005.patch

lib/http2.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] http2: fix incorrect trailer buffer size

Prior to this change the stored byte count of each trailer was
miscalculated and 1 less than required. It appears any trailer
after the first that was passed to Curl_client_write would be truncated
or corrupted as well as the size. Potentially the size of some
subsequent trailer could be erroneously extracted from the contents of
that trailer, and since that size is used by client write an
out-of-bounds read could occur and cause a crash or be otherwise
processed by client write.

The bug appears to have been born in 0761a51 (precedes 7.49.0).

Closes https://github.com/curl/curl/pull/2231

24_CVE-2018-1000007.patch

docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 11 + 1 - 0 !
lib/http.c | 10 9 + 1 - 0 !
lib/url.c | 2 1 + 1 - 0 !
lib/urldata.h | 2 1 + 1 - 0 !
tests/data/Makefile.inc | 2 1 + 1 - 0 !
tests/data/test317 | 94 94 + 0 - 0 !
tests/data/test318 | 95 95 + 0 - 0 !
7 files changed, 212 insertions(+), 5 deletions(-)

 [patch] http: prevent custom authorization headers in redirects

... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
curl already handles Authorization headers created internally.

Added test 317 and 318 to verify behavior.

Reported-by: Craig de Stigter

25_CVE-2018-1000120.patch

lib/ftp.c | 6 3 + 3 - 0 !
tests/data/Makefile.inc | 3 3 + 0 - 0 !
tests/data/test340 | 40 40 + 0 - 0 !
3 files changed, 46 insertions(+), 3 deletions(-)

 [patch] ftp: reject path components with control codes

Refuse to operate when given path components featuring byte values lower
than 32.

Previously, inserting a %00 sequence early in the directory part when
using the 'singlecwd' ftp method could make curl write a zero byte
outside of the allocated buffer.

Test case 340 verifies.

26_CVE-2018-1000121.patch

lib/openldap.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 [patch] openldap: check ldap_get_attribute_ber() results for null before using

Reported-by: Dario Weisser

27_CVE-2018-1000122.patch

lib/transfer.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 [patch] readwrite: make sure excess reads don't go beyond buffer end

Triggered by RTSP fuzzing.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6483

Detected by OSS-fuzz

28_CVE-2018-1000301.patch

lib/pingpong.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] pingpong: fix response cache memcpy overflow

Response data for a handle with a large buffer might be cached and then
used with the "closure" handle when it has a smaller buffer and then the
larger cache will be copied and overflow the new smaller heap based
buffer.

Reported-by: Dario Weisser

29_CVE-2018-14618.patch

lib/curl_ntlm_core.c | 11 4 + 7 - 0 !
lib/curl_setup.h | 6 6 + 0 - 0 !
2 files changed, 10 insertions(+), 7 deletions(-)

 [patch] curl_ntlm_core_mk_nt_hash: return error on too long password

... since it would cause an integer overflow if longer than (max size_t
/ 2).

This is CVE-2018-14618

Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
Closes #2756
Reported-by: Zhaoyang Wu
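
Added example, not curl's code, serving both NTLM size fixes in this series: 21_CVE-2017-8816 (a message length summed from fixed fields plus a peer-controlled target_info length) and this one (a password length doubled for the UTF-16LE form that is hashed into the NT hash). Both are the same shape of bug: an allocation size computed in unsigned arithmetic that wraps, after which the full-size data is written into the too-small block. The example shows checked add and multiply helpers, the wrapped value the unchecked code would have handed to malloc(), and the password widening done on a checked size. Names and the NTLMV2_BLOB_LEN constant are hypothetical.

```c
/* Added example, not curl's code: the size arithmetic behind the two
 * NTLM fixes (CVE-2017-8816: an added-up message length that wrapped;
 * CVE-2018-14618: a password length doubled for the UTF-16LE form that
 * is hashed for the NT hash).  Names and constants are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct sized { bool ok; size_t n; };

/* Checked size arithmetic: report instead of silently wrapping.
 * Unsigned wrap-around is defined in C, so computing the product or
 * sum here is harmless; the `ok` flag is what callers must honour. */
static struct sized checked_add(size_t a, size_t b)
{
    struct sized r = { a <= SIZE_MAX - b, a + b };
    return r;
}

static struct sized checked_mul(size_t a, size_t b)
{
    struct sized r = { b == 0 || a <= SIZE_MAX / b, a * b };
    return r;
}

/* What the unchecked code computed: len * 2, which for len > SIZE_MAX/2
 * wraps to a small number (exactly 0 for len == SIZE_MAX/2 + 1). */
static size_t nt_unicode_size_unchecked(size_t pw_len)
{
    return pw_len * 2;
}

/* Fixed: refuse passwords whose UTF-16LE form cannot be sized. */
static struct sized nt_unicode_size(size_t pw_len)
{
    return checked_mul(pw_len, 2);
}

/* Widen an ASCII password to UTF-16LE (each byte followed by 0x00),
 * the byte string that is MD4-hashed to produce the NT hash.  Returns
 * NULL on size overflow or allocation failure; the caller frees. */
static unsigned char *ascii_to_utf16le(const char *pw, size_t pw_len,
                                       size_t *out_len)
{
    struct sized sz = nt_unicode_size(pw_len);
    unsigned char *buf;
    size_t i;
    if (!sz.ok)
        return NULL;                  /* reject before any allocation */
    buf = malloc(sz.n ? sz.n : 1);
    if (!buf)
        return NULL;
    for (i = 0; i < pw_len; i++) {
        buf[2 * i] = (unsigned char)pw[i];
        buf[2 * i + 1] = 0;
    }
    *out_len = sz.n;
    return buf;
}

/* Message sizing in the CVE-2017-8816 shape: fixed-size fields plus a
 * target_info length taken from the server's type-2 message. */
#define HMAC_MD5_LEN    16
#define NTLMV2_BLOB_LEN 44   /* hypothetical fixed overhead */
static struct sized ntlmv2_resp_size(size_t target_info_len)
{
    struct sized s = checked_add(HMAC_MD5_LEN, NTLMV2_BLOB_LEN);
    if (!s.ok)
        return s;
    return checked_add(s.n, target_info_len);
}

/* Constructed check: "Pa" widens to 'P',0,'a',0 and an impossible
 * length is refused without touching the password bytes. */
static bool demo_widen_check(void)
{
    size_t n = 0;
    unsigned char *w = ascii_to_utf16le("Pa", 2, &n);
    bool ok = w && n == 4 && w[0] == 'P' && w[1] == 0 &&
              w[2] == 'a' && w[3] == 0;
    free(w);
    return ok && ascii_to_utf16le("", SIZE_MAX / 2 + 1, &n) == NULL;
}

int main(void)
{
    size_t huge = SIZE_MAX / 2 + 1;
    printf("unchecked len*2 for huge len: %zu bytes (would be malloc'd)\n",
           nt_unicode_size_unchecked(huge));
    printf("checked: %s\n", nt_unicode_size(huge).ok ? "accepted" : "rejected");
    printf("widening check: %s\n", demo_widen_check() ? "ok" : "FAILED");
    return 0;
}
```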

30_CVE-2018-16839.patch

lib/vauth/cleartext.c | 12 3 + 9 - 0 !
1 file changed, 3 insertions(+), 9 deletions(-)

 [patch] curl_auth_create_plain_message: fix too-large-input-check

Reported-by: Harry Sintonen

31_CVE-2018-16842.patch

src/tool_msgs.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] voutf: fix bad arithmetic when outputting warnings to stderr

Reported-by: Brian Carpenter

32_CVE-2018-16890.patch

lib/vauth/ntlm.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 [patch 1/3] ntlm: fix size check condition for type2 received data

Reported-by: Wenxiang Qian

33_CVE-2019-3822.patch

lib/vauth/ntlm.c | 13 8 + 5 - 0 !
1 file changed, 8 insertions(+), 5 deletions(-)

 [patch 2/3] ntlm: fix *_type3_message size check to avoid buffer overflow


34_CVE-2019-3823.patch

lib/smtp.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch 3/3] smtp: avoid risk of buffer overflow in strtol

If the incoming len is 5, but the buffer does not have a termination
after 5 bytes, the strtol() call may keep reading through the line
buffer until it exceeds its boundary. Fix by ensuring that we are
using a bounded read with a temporary buffer on the stack.

Reported-by: Brian Carpenter (Geeknik Labs)
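
Added example, not curl's code: reading the three-digit SMTP reply code out of a receive buffer that is a byte window of `len` bytes rather than a C string, which is the situation this patch addresses. strtol() has no length argument, so handed the raw pointer it keeps consuming digits past the window. The fix the commit message describes, copying a bounded number of bytes into a NUL-terminated stack buffer before converting, is shown in generalised form that also insists on exactly three digits. Names (smtp_code_vuln, smtp_code_fixed, demo_*) are hypothetical and the receive buffer is constructed here, NUL-terminated as an array so the vulnerable call stays within defined behaviour.

```c
/* Added example, not curl's code: reading the 3-digit SMTP reply code
 * from a receive buffer that is a byte window, not a C string.  The
 * bytes after the window may be other data rather than a NUL, which is
 * what the CVE-2019-3823 fix guards against.  Names are hypothetical;
 * the buffer is constructed here. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Old behaviour: strtol() on the raw pointer ignores `len` and keeps
 * consuming digits until it meets a non-digit, wherever that may be. */
static long smtp_code_vuln(const char *line, size_t len)
{
    (void)len;   /* never consulted: the read is unbounded */
    return strtol(line, NULL, 10);
}

/* Fixed behaviour: copy at most 3 bytes into a NUL-terminated stack
 * buffer and only then convert, so the read cannot leave the window.
 * Returns -1 unless the window starts with exactly three digits. */
static long smtp_code_fixed(const char *line, size_t len)
{
    char tmp[4];
    size_t i;
    if (len < 3)
        return -1;
    for (i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)line[i]))
            return -1;
        tmp[i] = line[i];
    }
    tmp[3] = '\0';
    return strtol(tmp, NULL, 10);
}

/* Constructed receive buffer: a 3-byte window "250" directly followed
 * by unrelated bytes "12345".  The array itself is NUL-terminated so
 * the vulnerable call stays within defined behaviour for the demo. */
static const char demo_window[] = "25012345";
#define DEMO_LEN 3

static long demo_vuln(void)  { return smtp_code_vuln(demo_window, DEMO_LEN); }
static long demo_fixed(void) { return smtp_code_fixed(demo_window, DEMO_LEN); }

int main(void)
{
    printf("window of %d bytes in \"%s\"\n", DEMO_LEN, demo_window);
    printf("vulnerable parse: %ld\n", demo_vuln());
    printf("fixed parse:      %ld\n", demo_fixed());
    return 0;
}
```

The unbounded version returns 25012345 for a window that contains only "250"; in the real code the bytes after the window were whatever else sat in the line buffer, and the read could run off its end entirely.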

90_gnutls.patch

docs/examples/Makefile.am | 4 2 + 2 - 0 !
lib/Makefile.am | 30 15 + 15 - 0 !
src/Makefile.am | 6 3 + 3 - 0 !
tests/libtest/Makefile.am | 10 5 + 5 - 0 !
4 files changed, 25 insertions(+), 25 deletions(-)

 build with gnutls.
99_nss.patch

docs/examples/Makefile.am | 4 2 + 2 - 0 !
lib/Makefile.am | 30 15 + 15 - 0 !
src/Makefile.am | 6 3 + 3 - 0 !
tests/libtest/Makefile.am | 10 5 + 5 - 0 !
4 files changed, 25 insertions(+), 25 deletions(-)

 build with nss.