OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Dec-2005 20:54:13 Branch: OPENPKG_2_5_SOLID Handle: 2005121019541200 Added files: (Branch: OPENPKG_2_5_SOLID) openpkg-src/openpkg curl.patch Modified files: (Branch: OPENPKG_2_5_SOLID) openpkg-src/openpkg openpkg.spec Log: Security Fix (CVE-2005-4077, OpenPKG-SA-2005.028-curl) Summary: Revision Changes Path 1.6.4.1 +27 -0 openpkg-src/openpkg/curl.patch 1.454.2.4 +5 -1 openpkg-src/openpkg/openpkg.spec ____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/openpkg/curl.patch
============================================================================
$ cvs diff -u -r0 -r1.6.4.1 curl.patch
--- /dev/null 2005-12-10 20:54:11 +0100
+++ curl.patch 2005-12-10 20:54:13 +0100
@@ -0,0 +1,27 @@
+Security Fix (CVE-2005-4077, OpenPKG-SA-2005.028-curl)
+http://curl.haxx.se/docs/adv_20051207.html
+
+Index: lib/url.c
+--- lib/url.c.orig 2005-09-30 22:04:10 +0200
++++ lib/url.c 2005-12-10 20:24:40 +0100
+@@ -2372,12 +2372,18 @@
+ if(urllen < LEAST_PATH_ALLOC)
+ urllen=LEAST_PATH_ALLOC;
+
+- conn->pathbuffer=(char *)malloc(urllen);
++ /*
++ * We malloc() the buffers below urllen+2 to make room for to possibilities:
++ * 1 - an extra terminating zero
++ * 2 - an extra slash (in case a syntax like "www.host.com?moo" is used)
++ */
++
++ conn->pathbuffer=(char *)malloc(urllen+2);
+ if(NULL == conn->pathbuffer)
+ return CURLE_OUT_OF_MEMORY; /* really bad error */
+ conn->path = conn->pathbuffer;
+
+- conn->host.rawalloc=(char *)malloc(urllen);
++ conn->host.rawalloc=(char *)malloc(urllen+2);
+ if(NULL == conn->host.rawalloc)
+ return CURLE_OUT_OF_MEMORY;
+ conn->host.name = conn->host.rawalloc;
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/openpkg/openpkg.spec
============================================================================
$ cvs diff -u -r1.454.2.3 -r1.454.2.4 openpkg.spec
--- openpkg-src/openpkg/openpkg.spec 16 Oct 2005 09:15:24 -0000 1.454.2.3
+++ openpkg-src/openpkg/openpkg.spec 10 Dec 2005 19:54:12 -0000 1.454.2.4
@@ -38,7 +38,7 @@
 # o any cc(1) # the package version/release
-%define V_openpkg 2.5.0
+%define V_openpkg 2.5.1
 # the used software versions %define V_rpm 4.2.1
@@ -131,6 +131,7 @@
 Source60: uuid.8 Source61: uuid.pod Source62: uuid.sh
+Source63: curl.patch
 # build information Prefix: %{l_prefix}
@@ -586,6 +587,9 @@
 -e '/LINENO: error: C[+]* preprocessor/{N;N;N;N;s/.*/:/;}' \ configure ) || exit $?
+ ( cd curl-%{V_curl}
+ ${l_patch} -p0 <`SOURCE curl.patch`
+ ) || exit $?
 # display verbosity header set +x; VERBOSE "PREPARATION: Build GNU make (Build Tool)"; set -x
@@ .
______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
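Review bot: The `+2` slack is repeated as a bare literal at both `malloc()` calls, and the writes that consume it (the extra terminating zero and the slash inserted for the "www.host.com?moo" form) are not in this hunk, so a later edit to either side can silently reopen the overflow fixed for CVE-2005-4077. The added comment is the only record of that invariant and should be tightened: fix "for to possibilities" to "for two possibilities" and state that the parsing code further down must write at most `urllen+2` bytes into each buffer. The enclosing function starts and ends outside the hunk, so whether `urllen` is reused for a bounded copy later cannot be checked from here.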
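Review bot: In the added subshell of the `@@ -586,6 +587,9 @@` hunk the result of `cd curl-%{V_curl}` is not checked, so if that directory is missing `${l_patch} -p0` still runs from the parent build directory and only its exit status decides whether the build stops. Making the first line `cd curl-%{V_curl} || exit $?` aborts directly on a failed `cd`; this assumes the script is not already running under `set -e`, which the hunk does not show. Since this step is what delivers the CVE-2005-4077 fix, it is also worth confirming in the build log that the patch applied without offset or fuzz.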