commit aab35ef35648250da1f37e8b60574b9359dff976
Author: Marc Olzheim <marc@iphion.nl>
Date:   Wed Aug 12 11:42:50 2009 +0200

    Add curl 7.19.6 and fix CVE-2009-2417 for the rest
    http://curl.haxx.se/docs/adv_20090812.html

diff --git a/conf/checksums.ini b/conf/checksums.ini
index 60d9729..f277e29 100644
--- a/conf/checksums.ini
+++ b/conf/checksums.ini
@@ -4390,6 +4390,10 @@ sha256=fb3436280dedbc8f8141d3841a5964c4491dd6457bc5b7123854aed0b794be86
 md5=426d161661dce70c8ea9ad8f553363a3
 sha256=05ad84a9c8d340917370f357ad9fdce5ea595deb11f4cb70f946fa48c7b02cd0
 
+[http://curl.haxx.se/download/curl-7.19.6.tar.bz2]
+md5=8402c1f654c51ad7287aad57c3aa79be
+sha256=ea88f48c8415f7d3af482e4d241277b2bdbfaffaf285e8001c88c1376cbc1021
+
 [http://downloads.sourceforge.net/curlftpfs/curlftpfs-0.9.2.tar.gz]
 md5=b452123f755114cd4461d56c648d9f12
 sha256=4eb44739c7078ba0edde177bdd266c4cfb7c621075f47f64c85a06b12b3c6958
diff --git a/recipes/curl/curl-native_7.18.2.bb b/recipes/curl/curl-native_7.18.2.bb
index c95591b..00c6215 100644
--- a/recipes/curl/curl-native_7.18.2.bb
+++ b/recipes/curl/curl-native_7.18.2.bb
@@ -1,7 +1,9 @@
 require curl-common.inc
 inherit native
 DEPENDS = "zlib-native"
-PR = "r1"
+PR = "r2"
+
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
 
 do_stage () {
 	autotools_stage_all
diff --git a/recipes/curl/curl-sdk_7.18.2.bb b/recipes/curl/curl-sdk_7.18.2.bb
index 35b0d88..8c667fa 100644
--- a/recipes/curl/curl-sdk_7.18.2.bb
+++ b/recipes/curl/curl-sdk_7.18.2.bb
@@ -1,7 +1,9 @@
 require curl-common.inc
 inherit sdk
 DEPENDS = "zlib-sdk"
-PR = "r1"
+PR = "r2"
+
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
 
 do_stage () {
         install -d ${STAGING_INCDIR}/curl
diff --git a/recipes/curl/curl_7.18.2.bb b/recipes/curl/curl_7.18.2.bb
index 3de6da4..2d32f6b 100644
--- a/recipes/curl/curl_7.18.2.bb
+++ b/recipes/curl/curl_7.18.2.bb
@@ -1,4 +1,6 @@
 require curl-common.inc
 require curl-target.inc
 
-PR = "r1"
+SRC_URI += "file://curl-7.18.1-CVE-2009-2417.patch;patch=1;pnum=0"
+
+PR = "r2"
diff --git a/recipes/curl/curl_7.19.5.bb b/recipes/curl/curl_7.19.5.bb
index b5b6182..61914e1 100644
--- a/recipes/curl/curl_7.19.5.bb
+++ b/recipes/curl/curl_7.19.5.bb
@@ -2,5 +2,6 @@ require curl-common.inc
 require curl-target.inc
 
 SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0 \
-            file://curl-add_all_algorithms.patch;patch=1"
-PR = "r1"
+            file://curl-add_all_algorithms.patch;patch=1 \
+            file://curl-7.19.5-CVE-2009-2417.patch;patch=1;pnum=0"
+PR = "r2"
diff --git a/recipes/curl/curl_7.19.6.bb b/recipes/curl/curl_7.19.6.bb
new file mode 100644
index 0000000..df83fe8
--- /dev/null
+++ b/recipes/curl/curl_7.19.6.bb
@@ -0,0 +1,5 @@
+require curl-common.inc
+require curl-target.inc
+
+SRC_URI += "file://off_t_abi_fix.patch;patch=1;pnum=0"
+PR = "r0"
diff --git a/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
new file mode 100644
index 0000000..e7c24c0
--- /dev/null
+++ b/recipes/curl/files/curl-7.18.1-CVE-2009-2417.patch
@@ -0,0 +1,83 @@
+---
+ lib/ssluse.c |   40 +++++++++++++++++++++++++++-------------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+--- lib/ssluse.c.orig
++++ lib/ssluse.c
+@@ -1061,7 +1061,7 @@ static CURLcode verifyhost(struct connec
+       if(check->type == target) {
+         /* get data and length */
+         const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
+-        int altlen;
++        size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
+ 
+         switch(target) {
+         case GEN_DNS: /* name/pattern comparison */
+@@ -1075,14 +1075,16 @@ static CURLcode verifyhost(struct connec
+              "I checked the 0.9.6 and 0.9.8 sources before my patch and
+              it always 0-terminates an IA5String."
+           */
+-          if(cert_hostcheck(altptr, conn->host.name))
++          if((altlen == strlen(altptr)) &&
++             /* if this isn't true, there was an embedded zero in the name
++                string and we cannot match it. */
++             cert_hostcheck(altptr, conn->host.name))
+             matched = TRUE;
+           break;
+ 
+         case GEN_IPADD: /* IP address comparison */
+           /* compare alternative IP address if the data chunk is the same size
+              our server IP address is */
+-          altlen = ASN1_STRING_length(check->d.ia5);
+           if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
+             matched = TRUE;
+           break;
+@@ -1122,18 +1124,27 @@ static CURLcode verifyhost(struct connec
+          string manually to avoid the problem. This code can be made
+          conditional in the future when OpenSSL has been fixed. Work-around
+          brought by Alexis S. L. Carvalho. */
+-      if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+-        j = ASN1_STRING_length(tmp);
+-        if(j >= 0) {
+-          peer_CN = OPENSSL_malloc(j+1);
+-          if(peer_CN) {
+-            memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+-            peer_CN[j] = '\0';
++      if(tmp) {
++        if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
++          j = ASN1_STRING_length(tmp);
++          if(j >= 0) {
++            peer_CN = OPENSSL_malloc(j+1);
++            if(peer_CN) {
++              memcpy(peer_CN, ASN1_STRING_data(tmp), j);
++              peer_CN[j] = '\0';
++            }
+           }
+         }
++        else /* not a UTF8 name */
++          j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
++
++        if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
++          /* there was a terminating zero before the end of string, this
++             cannot match and we return failure! */
++          failf(data, "SSL: illegal cert name field");
++          res = CURLE_PEER_FAILED_VERIFICATION;
++        }
+       }
+-      else /* not a UTF8 name */
+-        j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
+     }
+ 
+     if(peer_CN == nulstr)
+@@ -1151,7 +1162,10 @@ static CURLcode verifyhost(struct connec
+     }
+ #endif /* CURL_DOES_CONVERSIONS */
+ 
+-    if(!peer_CN) {
++    if(res)
++      /* error already detected, pass through */
++      ;
++    else if(!peer_CN) {
+       failf(data,
+             "SSL: unable to obtain common name from peer certificate");
+       return CURLE_PEER_FAILED_VERIFICATION;
diff --git a/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
new file mode 100644
index 0000000..f64232c
--- /dev/null
+++ b/recipes/curl/files/curl-7.19.5-CVE-2009-2417.patch
@@ -0,0 +1,80 @@
+--- lib/ssluse.c-7.19.5	2009-08-03 16:01:58.000000000 +0200
++++ lib/ssluse.c	2009-08-03 16:07:17.000000000 +0200
+@@ -1092,7 +1092,8 @@
+       if(check->type == target) {
+         /* get data and length */
+         const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
+-        size_t altlen;
++        size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
++
+ 
+         switch(target) {
+         case GEN_DNS: /* name/pattern comparison */
+@@ -1106,14 +1107,16 @@
+              "I checked the 0.9.6 and 0.9.8 sources before my patch and
+              it always 0-terminates an IA5String."
+           */
+-          if(cert_hostcheck(altptr, conn->host.name))
++          if((altlen == strlen(altptr)) &&
++             /* if this isn't true, there was an embedded zero in the name
++                string and we cannot match it. */
++             cert_hostcheck(altptr, conn->host.name))
+             matched = TRUE;
+           break;
+ 
+         case GEN_IPADD: /* IP address comparison */
+           /* compare alternative IP address if the data chunk is the same size
+              our server IP address is */
+-          altlen = (size_t) ASN1_STRING_length(check->d.ia5);
+           if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
+             matched = TRUE;
+           break;
+@@ -1153,18 +1156,27 @@
+          string manually to avoid the problem. This code can be made
+          conditional in the future when OpenSSL has been fixed. Work-around
+          brought by Alexis S. L. Carvalho. */
+-      if(tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+-        j = ASN1_STRING_length(tmp);
+-        if(j >= 0) {
+-          peer_CN = OPENSSL_malloc(j+1);
+-          if(peer_CN) {
+-            memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+-            peer_CN[j] = '\0';
++      if(tmp) {
++        if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
++          j = ASN1_STRING_length(tmp);
++          if(j >= 0) {
++            peer_CN = OPENSSL_malloc(j+1);
++            if(peer_CN) {
++              memcpy(peer_CN, ASN1_STRING_data(tmp), j);
++              peer_CN[j] = '\0';
++            }
+           }
+         }
++        else /* not a UTF8 name */
++          j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
++
++        if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
++          /* there was a terminating zero before the end of string, this
++             cannot match and we return failure! */
++          failf(data, "SSL: illegal cert name field");
++          res = CURLE_PEER_FAILED_VERIFICATION;
++        }
+       }
+-      else /* not a UTF8 name */
+-        j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
+     }
+ 
+     if(peer_CN == nulstr)
+@@ -1182,7 +1194,10 @@
+     }
+ #endif /* CURL_DOES_CONVERSIONS */
+ 
+-    if(!peer_CN) {
++    if(res)
++      /* error already detected, pass through */
++      ;
++    else if(!peer_CN) {
+       failf(data,
+             "SSL: unable to obtain common name from peer certificate");
+       return CURLE_PEER_FAILED_VERIFICATION;