From: Armin Kuster <akuster808@gmail.com>
To: akuster808@gmail.com, openembedded-core@lists.openembedded.org
Subject: [PATCH 05/13] curl: update to 7.61.1
Date: Mon, 22 Oct 2018 15:05:04 +0100 [thread overview]
Message-ID: <1540217112-24479-6-git-send-email-akuster808@gmail.com> (raw)
In-Reply-To: <1540217112-24479-1-git-send-email-akuster808@gmail.com>
drop patch for CVE-2018-14618 now included
Notable: INTERNALS: require GnuTLS >= 2.11.3
See: https://curl.haxx.se/changes.html#7_61_0
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../recipes-support/curl/curl/CVE-2018-14618.patch | 37 ----------------------
.../curl/{curl_7.61.0.bb => curl_7.61.1.bb} | 5 ++-
2 files changed, 2 insertions(+), 40 deletions(-)
delete mode 100644 meta/recipes-support/curl/curl/CVE-2018-14618.patch
rename meta/recipes-support/curl/{curl_7.61.0.bb => curl_7.61.1.bb} (94%)
diff --git a/meta/recipes-support/curl/curl/CVE-2018-14618.patch b/meta/recipes-support/curl/curl/CVE-2018-14618.patch
deleted file mode 100644
index db07b43..0000000
--- a/meta/recipes-support/curl/curl/CVE-2018-14618.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 13 Aug 2018 10:35:52 +0200
-Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
-
-... since it would cause an integer overflow if longer than (max size_t
-/ 2).
-
-This is CVE-2018-14618
-
-Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
-Closes #2756
-Reported-by: Zhaoyang Wu
-
-CVE: CVE-2018-14618
-Upstream-Status: Backport
-Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
----
- lib/curl_ntlm_core.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
-index e27cab353c..922e85a926 100644
---- a/lib/curl_ntlm_core.c
-+++ b/lib/curl_ntlm_core.c
-@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
- unsigned char *ntbuffer /* 21 bytes */)
- {
- size_t len = strlen(password);
-- unsigned char *pw = len ? malloc(len * 2) : strdup("");
-+ unsigned char *pw;
- CURLcode result;
-+ if(len > SIZE_T_MAX/2) /* avoid integer overflow */
-+ return CURLE_OUT_OF_MEMORY;
-+ pw = len ? malloc(len * 2) : strdup("");
- if(!pw)
- return CURLE_OUT_OF_MEMORY;
diff --git a/meta/recipes-support/curl/curl_7.61.0.bb b/meta/recipes-support/curl/curl_7.61.1.bb
similarity index 94%
rename from meta/recipes-support/curl/curl_7.61.0.bb
rename to meta/recipes-support/curl/curl_7.61.1.bb
index 9b6406b..7a51bfa 100644
--- a/meta/recipes-support/curl/curl_7.61.0.bb
+++ b/meta/recipes-support/curl/curl_7.61.1.bb
@@ -7,11 +7,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ef889a37a5a874490ac7ce116396f29a"
SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://0001-replace-krb5-config-with-pkg-config.patch \
- file://CVE-2018-14618.patch \
"
-SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a"
-SRC_URI[sha256sum] = "5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
+SRC_URI[md5sum] = "593432e5ff863474d8d880f74b705d6d"
+SRC_URI[sha256sum] = "a308377dbc9a16b2e994abd55455e5f9edca4e31666f8f8fcfe7a1a4aea419b9"
CVE_PRODUCT = "libcurl"
inherit autotools pkgconfig binconfig multilib_header
--
2.7.4
next prev parent reply other threads:[~2018-10-22 14:05 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-22 14:04 [PATCH 00/13] Master package updates Armin Kuster
2018-10-22 14:05 ` [PATCH 01/13] nss: update to 3.39 includes CVE-2018-12384 Armin Kuster
2018-10-22 14:05 ` [PATCH 02/13] nspr: Update to 4.20 Armin Kuster
2018-10-23 13:41 ` Khem Raj
2018-10-22 14:05 ` [PATCH 03/13] gnutls: update to 2.6.4 Armin Kuster
2018-10-22 20:06 ` Andre McCurdy
2018-10-23 7:42 ` akuster808
2018-11-01 10:02 ` Andre McCurdy
2018-10-22 14:05 ` [PATCH 04/13] libpcre2: update to 10.32 Armin Kuster
2018-10-22 14:05 ` Armin Kuster [this message]
2018-10-22 14:05 ` [PATCH 06/13] openssh: Update to 7.9 primarily bug fixes Armin Kuster
2018-10-22 14:05 ` [PATCH 07/13] libsm: update to 1.2.3 Armin Kuster
2018-10-22 14:05 ` [PATCH 08/13] libx11: update to 1.6.7 and sytle cleanup Armin Kuster
2018-10-22 14:05 ` [PATCH 09/13] libxcb: update to 1.13.1 Armin Kuster
2018-10-22 14:05 ` [PATCH 10/13] xkeyboard-config: update to 2.25 Armin Kuster
2018-10-22 14:05 ` [PATCH 11/13] xf86-input-libinput: update to 0.28.1 Armin Kuster
2018-10-22 14:05 ` [PATCH 12/13] tzcode: update to 2018f Armin Kuster
2018-10-22 14:05 ` [PATCH 13/13] tzdata: " Armin Kuster
2018-10-22 14:33 ` ✗ patchtest: failure for Master package updates (rev3) Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1540217112-24479-6-git-send-email-akuster808@gmail.com \
--to=akuster808@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox