Package: curl / 7.64.0-4

Metadata

Package Version Patches format
curl 7.64.0-4 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
04_workaround_as_needed_bug.patch | (download)

ltmain.sh | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 work around libtool --as-needed reordering bug
06_always disable valgrind.patch | (download)

tests/Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 always disable valgrind tests
07_do not disable debug symbols.patch | (download)

m4/curl-compilers.m4 | 11 0 + 11 - 0 !
1 file changed, 11 deletions(-)

 do not disable debug symbols without --enable-debug
08_enable zsh.patch | (download)

Makefile.am | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 enable zsh completion generation
11_omit directories from config.patch | (download)

curl-config.in | 15 3 + 12 - 0 !
1 file changed, 3 insertions(+), 12 deletions(-)

 in order to (partially) multi-arch-ify curl-config, remove all
 mention of @includedir@ and @libdir@ from the script.  On Debian, the actual
 header and library directories are architecture-dependent, but will always be
 in the C compiler's default search path, so -I and -L options are not
 necessary (and may be harmful in multi-arch environments.)
12_zsh.patch | (download)

scripts/zsh.pl | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 fixes for zsh completion generator
13_singlesocket fix the sincebefore placement.patch | (download)

lib/multi.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] singlesocket: fix the 'sincebefore' placement

The variable wasn't properly reset within the loop and thus could remain
set for sockets that hadn't been set before and miss notifying the app.

This is a follow-up to 4c35574 (shipped in curl 7.64.0)

Reported-by: buzo-ffm on github
Detected-by: Jan Alexander Steffens
Fixes #3585
Closes #3589

14_connection_check set data to the transfer doing the .patch | (download)

lib/url.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] connection_check: set ->data to the transfer doing the check

The http2 code for connection checking needs a transfer to use. Make
sure a working one is set before handler->connection_check() is called.

Reported-by: jnbr on github
Fixes #3541
Closes #3547

15_connection_check restore original conn data after th.patch | (download)

lib/url.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] connection_check: restore original conn->data after the check

- Save the original conn->data before it's changed to the specified
  data transfer for the connection check and then restore it afterwards.

This is a follow-up to 38d8e1b 2019-02-11.

History:

It was discovered a month ago that before checking whether to extract a
dead connection that that connection should be associated with a "live"
transfer for the check (ie original conn->data ignored and set to the
passed in data). A fix was landed in 54b201b which did that and also
cleared conn->data after the check. The original conn->data was not
restored, so presumably it was thought that a valid conn->data was no
longer needed.

Several days later it was discovered that a valid conn->data was needed
after the check and follow-up fix was landed in bbae24c which partially
reverted the original fix and attempted to limit the scope of when
conn->data was changed to only when pruning dead connections. In that
case conn->data was not cleared and the original conn->data not
restored.

A month later it was discovered that the original fix was somewhat
correct; a "live" transfer is needed for the check in all cases
because original conn->data could be null which could cause a bad deref
at arbitrary points in the check. A fix was landed in 38d8e1b which
expanded the scope to all cases. conn->data was not cleared and the
original conn->data not restored.

A day later it was discovered that not restoring the original conn->data
may lead to busy loops in applications that use the event interface, and
given this observation it's a pretty safe assumption that there is some
code path that still needs the original conn->data. This commit is the
follow-up fix for that, it restores the original conn->data after the
connection check.

Assisted-by: tholin@users.noreply.github.com
Reported-by: tholin@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/3542
Closes #3559

16_tftp use the current blksize for recvfrom.patch | (download)

lib/tftp.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] tftp: use the current blksize for recvfrom()

bug: https://curl.haxx.se/docs/CVE-2019-5436.html
Reported-by: l00p3r on hackerone
CVE-2019-5436

17_CURL_MAX_INPUT_LENGTH largest acceptable string inpu.patch | (download)

lib/setopt.c | 7 7 + 0 - 0 !
lib/urlapi.c | 8 8 + 0 - 0 !
lib/urldata.h | 4 4 + 0 - 0 !
tests/data/Makefile.inc | 2 1 + 1 - 0 !
tests/data/test1559 | 44 44 + 0 - 0 !
tests/libtest/Makefile.inc | 6 4 + 2 - 0 !
tests/libtest/lib1559.c | 78 78 + 0 - 0 !
7 files changed, 146 insertions(+), 3 deletions(-)

 [patch] curl_max_input_length: largest acceptable string input size

This limits all accepted input strings passed to libcurl to be less than
CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
curl_easy_setopt() and curl_url_set().

The 8000000 number is arbitrary picked and is meant to detect mistakes
or abuse, not to limit actual practical use cases. By limiting the
acceptable string lengths we also reduce the risk of integer overflows
all over.

NOTE: This does not apply to `CURLOPT_POSTFIELDS`.

Test 1559 verifies.

Closes #3805

90_gnutls.patch | (download)

docs/examples/Makefile.am | 4 2 + 2 - 0 !
lib/Makefile.am | 32 16 + 16 - 0 !
lib/libcurl.vers.in | 2 1 + 1 - 0 !
src/Makefile.am | 4 2 + 2 - 0 !
tests/libtest/Makefile.am | 8 4 + 4 - 0 !
5 files changed, 25 insertions(+), 25 deletions(-)

 build with gnutls.
99_nss.patch | (download)

docs/examples/Makefile.am | 4 2 + 2 - 0 !
lib/Makefile.am | 32 16 + 16 - 0 !
src/Makefile.am | 4 2 + 2 - 0 !
tests/libtest/Makefile.am | 8 4 + 4 - 0 !
4 files changed, 24 insertions(+), 24 deletions(-)

 build with nss.