gnurl: fix vulnerabilities, refresh patches

being based on curl 0.70.0 gnurl is affected by CVE-2015-3144 CVE-2015-3145 CVE-2015-3153 CVE-2015-3236 Import patches from curl package to fix that. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
10 years ago · 31474cc739
--- a/net/gnurl/Makefile
+++ b/net/gnurl/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=gnurl
 PKG_VERSION:=7.40.0
 PKG_RELEASE:=5
 PKG_RELEASE:=6

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://gnunet.org/sites/default/files
--- a/net/gnurl/patches/010-backport-gtls-add-support-for-CURLOPT_CAPATH.patch
+++ b/net/gnurl/patches/010-backport-gtls-add-support-for-CURLOPT_CAPATH.patch
@ -10,11 +10,9 @@ Subject: [PATCH] gtls: add support for CURLOPT_CAPATH
 lib/vtls/gtls.h                    |  3 +++
 4 files changed, 29 insertions(+), 5 deletions(-)

 diff --git a/acinclude.m4 b/acinclude.m4
 index 6ed7ffb..ca01869 100644
 --- a/acinclude.m4
 +++ b/acinclude.m4
@@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
@@ -2614,8 +2614,8 @@ AC_HELP_STRING([--without-ca-path], [Don
     capath="no"
   elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
     dnl --with-ca-path given
@ -25,11 +23,9 @@ index 6ed7ffb..ca01869 100644
     fi
     capath="$want_capath"
     ca="no"
 diff --git a/docs/libcurl/opts/CURLOPT_CAPATH.3 b/docs/libcurl/opts/CURLOPT_CAPATH.3
 index 642953d..6695f9f 100644
 --- a/docs/libcurl/opts/CURLOPT_CAPATH.3
 +++ b/docs/libcurl/opts/CURLOPT_CAPATH.3
@@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
@@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IM
 .SH EXAMPLE
 TODO
 .SH AVAILABILITY
@ -41,13 +37,11 @@ index 642953d..6695f9f 100644
 .SH RETURN VALUE
 Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or
 CURLE_OUT_OF_MEMORY if there was insufficient heap space.
 diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
 index 05aef19..c792540 100644
 --- a/lib/vtls/gtls.c
 +++ b/lib/vtls/gtls.c
@@ -97,6 +97,10 @@ static bool gtls_inited = FALSE;
 #  if (GNUTLS_VERSION_NUMBER >= 0x03020d)
 #    define HAS_OCSP
@@ -98,6 +98,10 @@ static bool gtls_inited = FALSE;
 #      define HAS_ALPN
 #    endif
 #  endif
 +
 +#  if (GNUTLS_VERSION_NUMBER >= 0x030306)
@ -55,8 +49,8 @@ index 05aef19..c792540 100644
 +#  endif
 #endif
 
 #ifdef HAS_OCSP
@@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn,
 /*
@@ -463,6 +467,24 @@ gtls_connect_step1(struct connectdata *c
             rc, data->set.ssl.CAfile);
   }
 
@ -81,13 +75,11 @@ index 05aef19..c792540 100644
   if(data->set.ssl.CRLfile) {
     /* set the CRL list file */
     rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
 diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h
 index c3867e5..af1cb5b 100644
 --- a/lib/vtls/gtls.h
 +++ b/lib/vtls/gtls.h
@@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void);
 /* Set the API backend definition to GnuTLS */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS
@@ -53,6 +53,9 @@ void Curl_gtls_md5sum(unsigned char *tmp
                       unsigned char *md5sum, /* output */
                       size_t md5len);
 
 +/* this backend supports the CAPATH option */
 +#define have_curlssl_ca_path 1
@ -95,6 +87,3 @@ index c3867e5..af1cb5b 100644
 /* API setup for GnuTLS */
 #define curlssl_init Curl_gtls_init
 #define curlssl_cleanup Curl_gtls_cleanup
 -- 
 2.4.4

--- a/net/gnurl/patches/011-CVE-2015-3144.patch
+++ b/net/gnurl/patches/011-CVE-2015-3144.patch
@ -0,0 +1,32 @@
 From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 16 Apr 2015 23:52:04 +0200
 Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 If a URL is given with a zero-length host name, like in "http://:80" or
 just ":80", `fix_hostname()` will index the host name pointer with a -1
 offset (as it blindly assumes a non-zero length) and both read and
 assign that address.

 CVE-2015-3144

 Bug: http://curl.haxx.se/docs/adv_20150422D.html
 Reported-by: Hanno Böck
 ---
 lib/url.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 --- a/lib/url.c
 +++ b/lib/url.c
@@ -3602,7 +3602,7 @@ static void fix_hostname(struct SessionH
   host->dispname = host->name;
 
   len = strlen(host->name);
 -  if(host->name[len-1] == '.')
 +  if(len && (host->name[len-1] == '.'))
     /* strip off a single trailing dot if present, primarily for SNI but
        there's no use for it */
     host->name[len-1]=0;
--- a/net/gnurl/patches/012-CVE-2015-3145.patch
+++ b/net/gnurl/patches/012-CVE-2015-3145.patch
@ -0,0 +1,53 @@
 From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 16 Apr 2015 16:37:40 +0200
 Subject: [PATCH] cookie: cookie parser out of boundary memory access
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 The internal libcurl function called sanitize_cookie_path() that cleans
 up the path element as given to it from a remote site or when read from
 a file, did not properly validate the input. If given a path that
 consisted of a single double-quote, libcurl would index a newly
 allocated memory area with index -1 and assign a zero to it, thus
 destroying heap memory it wasn't supposed to.

 CVE-2015-3145

 Bug: http://curl.haxx.se/docs/adv_20150422C.html
 Reported-by: Hanno Böck
 ---
 lib/cookie.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

 --- a/lib/cookie.c
 +++ b/lib/cookie.c
@@ -236,11 +236,14 @@ static char *sanitize_cookie_path(const
     return NULL;
 
   /* some stupid site sends path attribute with '"'. */
 +  len = strlen(new_path);
   if(new_path[0] == '\"') {
 -    memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
 +    memmove((void *)new_path, (const void *)(new_path + 1), len);
 +    len--;
   }
 -  if(new_path[strlen(new_path) - 1] == '\"') {
 -    new_path[strlen(new_path) - 1] = 0x0;
 +  if(len && (new_path[len - 1] == '\"')) {
 +    new_path[len - 1] = 0x0;
 +    len--;
   }
 
   /* RFC6265 5.2.4 The Path Attribute */
@@ -252,8 +255,7 @@ static char *sanitize_cookie_path(const
   }
 
   /* convert /hoge/ to /hoge */
 -  len = strlen(new_path);
 -  if(1 < len && new_path[len - 1] == '/') {
 +  if(len && new_path[len - 1] == '/') {
     new_path[len - 1] = 0x0;
   }
 
--- a/net/gnurl/patches/014-CVE-2015-3153.patch
+++ b/net/gnurl/patches/014-CVE-2015-3153.patch
@ -0,0 +1,95 @@
 From 69a2e8d7ec581695a62527cb2252e7350f314ffa Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 23 Apr 2015 15:58:21 +0200
 Subject: [PATCH] CURLOPT_HEADEROPT: default to separate

 Make the HTTP headers separated by default for improved security and
 reduced risk for information leakage.

 Bug: http://curl.haxx.se/docs/adv_20150429.html
 Reported-by: Yehezkel Horowitz, Oren Souroujon
 ---
 docs/libcurl/opts/CURLOPT_HEADEROPT.3 | 12 ++++++------
 lib/url.c                             |  1 +
 tests/data/test1527                   |  2 +-
 tests/data/test287                    |  2 +-
 tests/libtest/lib1527.c               |  1 +
 5 files changed, 10 insertions(+), 8 deletions(-)

 --- a/docs/libcurl/opts/CURLOPT_HEADEROPT.3
 +++ b/docs/libcurl/opts/CURLOPT_HEADEROPT.3
@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
 -.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 +.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -31,10 +31,10 @@ CURLcode curl_easy_setopt(CURL *handle,
 Pass a long that is a bitmask of options of how to deal with headers. The two
 mutually exclusive options are:
 
 -\fBCURLHEADER_UNIFIED\fP - keep working as before. This means
 -\fICURLOPT_HTTPHEADER(3)\fP headers will be used in requests both to servers
 -and proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not
 -have any effect.
 +\fBCURLHEADER_UNIFIED\fP - the headers specified in
 +\fICURLOPT_HTTPHEADER(3)\fP will be used in requests both to servers and
 +proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not have
 +any effect.
 
 \fBCURLHEADER_SEPARATE\fP - makes \fICURLOPT_HTTPHEADER(3)\fP headers only get
 sent to a server and not to a proxy. Proxy headers must be set with
@@ -44,7 +44,7 @@ headers. When doing CONNECT, libcurl wil
 headers only to the proxy and then \fICURLOPT_HTTPHEADER(3)\fP headers only to
 the server.
 .SH DEFAULT
 -CURLHEADER_UNIFIED
 +CURLHEADER_SEPARATE (changed in 7.42.1, ased CURLHEADER_UNIFIED before then)
 .SH PROTOCOLS
 HTTP
 .SH EXAMPLE
 --- a/lib/url.c
 +++ b/lib/url.c
@@ -605,6 +605,7 @@ CURLcode Curl_init_userdefined(struct Us
   set->ssl_enable_alpn = TRUE;
 
   set->expect_100_timeout = 1000L; /* Wait for a second by default. */
 +  set->sep_headers = TRUE; /* separated header lists by default */
   return result;
 }
 
 --- a/tests/data/test1527
 +++ b/tests/data/test1527
@@ -45,7 +45,7 @@ http-proxy
 lib1527
 </tool>
  <name>
 -Check same headers are generated without CURLOPT_PROXYHEADER
 +Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED
  </name>
  <command>
  http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT
 --- a/tests/data/test287
 +++ b/tests/data/test287
@@ -28,7 +28,7 @@ http
 HTTP proxy CONNECT with custom User-Agent header
  </name>
  <command>
 -http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel
 +http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007"
 </command>
 </client>
 
 --- a/tests/libtest/lib1527.c
 +++ b/tests/libtest/lib1527.c
@@ -83,6 +83,7 @@ int test(char *URL)
   test_setopt(curl, CURLOPT_READFUNCTION, read_callback);
   test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
   test_setopt(curl, CURLOPT_INFILESIZE, strlen(data));
 +  test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED);
 
   res = curl_easy_perform(curl);
 
--- a/net/gnurl/patches/015-CVE-2015-3236.patch
+++ b/net/gnurl/patches/015-CVE-2015-3236.patch
@ -0,0 +1,42 @@
 From e6d7c30734487246e83b95520e81bc1ccf0a2376 Mon Sep 17 00:00:00 2001
 From: Kamil Dudka <kdudka@redhat.com>
 Date: Thu, 28 May 2015 20:04:35 +0200
 Subject: [PATCH] http: do not leak basic auth credentials on re-used
 connections

 CVE-2015-3236

 This partially reverts commit curl-7_39_0-237-g87c4abb

 Bug: http://curl.haxx.se/docs/adv_20150617A.html
 ---
 lib/http.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

 --- a/lib/http.c
 +++ b/lib/http.c
@@ -2327,20 +2327,12 @@ CURLcode Curl_http(struct connectdata *c
                      te
       );
 
 -  /*
 -   * Free userpwd for Negotiate/NTLM. Cannot reuse as it is associated with
 -   * the connection and shouldn't be repeated over it either.
 -   */
 -  switch (data->state.authhost.picked) {
 -  case CURLAUTH_NEGOTIATE:
 -  case CURLAUTH_NTLM:
 -  case CURLAUTH_NTLM_WB:
 -    Curl_safefree(conn->allocptr.userpwd);
 -    break;
 -  }
 +  /* clear userpwd to avoid re-using credentials from re-used connections */
 +  Curl_safefree(conn->allocptr.userpwd);
 
   /*
 -   * Same for proxyuserpwd
 +   * Free proxyuserpwd for Negotiate/NTLM. Cannot reuse as it is associated
 +   * with the connection and shouldn't be repeated over it either.
    */
   switch (data->state.authproxy.picked) {
   case CURLAUTH_NEGOTIATE:
--- a/net/gnurl/patches/100-check_long_long.patch
+++ b/net/gnurl/patches/100-check_long_long.patch
@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
@@ -2885,6 +2885,7 @@ CURL_VERIFY_RUNTIMELIBS
@@ -2879,6 +2879,7 @@ CURL_VERIFY_RUNTIMELIBS
 
 AC_CHECK_SIZEOF(size_t)
 AC_CHECK_SIZEOF(long)
--- a/net/gnurl/patches/200-no_docs_tests.patch
+++ b/net/gnurl/patches/200-no_docs_tests.patch
@ -1,22 +1,22 @@
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -129,7 +129,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) $(VC7_LIBVCPROJ) $(VC7_SRCVCPROJ)	\
 bin_SCRIPTS = curl-config
@@ -129,7 +129,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP)
 bin_SCRIPTS = gnurl-config
 
 SUBDIRS = lib src include
 -DIST_SUBDIRS = $(SUBDIRS) tests packages docs
 +DIST_SUBDIRS = $(SUBDIRS) packages
 
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcurl.pc
 pkgconfig_DATA = libgnurl.pc
 --- a/Makefile.in
 +++ b/Makefile.in
@@ -577,7 +577,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP) $(VC7_LIBVCPROJ) $(VC7_SRCVCPROJ)	\
@@ -577,7 +577,7 @@ CLEANFILES = $(VC6_LIBDSP) $(VC6_SRCDSP)
 
 bin_SCRIPTS = curl-config
 bin_SCRIPTS = gnurl-config
 SUBDIRS = lib src include
 -DIST_SUBDIRS = $(SUBDIRS) tests packages docs
 +DIST_SUBDIRS = $(SUBDIRS) packages
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libcurl.pc
 pkgconfig_DATA = libgnurl.pc
 LIB_VTLS_CFILES = vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c     \