OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 10-Dec-2005 21:54:29 Branch: OPENPKG_2_3_SOLID Handle: 2005121020542800 Added files: (Branch: OPENPKG_2_3_SOLID) openpkg-src/openpkg curl.patch Modified files: (Branch: OPENPKG_2_3_SOLID) openpkg-src/openpkg openpkg.spec Log: Security Fix (CVE-2005-4077, OpenPKG-SA-2005.028-curl) Summary: Revision Changes Path 1.4.2.3 +27 -0 openpkg-src/openpkg/curl.patch 1.397.2.10 +5 -1 openpkg-src/openpkg/openpkg.spec ____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/openpkg/curl.patch
============================================================================
$ cvs diff -u -r0 -r1.4.2.3 curl.patch
--- /dev/null 2005-12-10 21:54:25 +0100
+++ curl.patch 2005-12-10 21:54:28 +0100
@@ -0,0 +1,27 @@
+Security Fix (CVE-2005-4077, OpenPKG-SA-2005.028-curl)
+http://curl.haxx.se/docs/adv_20051207.html
+
+Index: lib/url.c
+--- lib/url.c.orig 2005-09-30 22:04:10 +0200
++++ lib/url.c 2005-12-10 20:24:40 +0100
+@@ -2372,12 +2372,18 @@
+ if(urllen < LEAST_PATH_ALLOC)
+ urllen=LEAST_PATH_ALLOC;
+
+- conn->pathbuffer=(char *)malloc(urllen);
++ /*
++ * We malloc() the buffers below urllen+2 to make room for to possibilities:
++ * 1 - an extra terminating zero
++ * 2 - an extra slash (in case a syntax like "www.host.com?moo" is used)
++ */
++
++ conn->pathbuffer=(char *)malloc(urllen+2);
+ if(NULL == conn->pathbuffer)
+ return CURLE_OUT_OF_MEMORY; /* really bad error */
+ conn->path = conn->pathbuffer;
+
+- conn->host.rawalloc=(char *)malloc(urllen);
++ conn->host.rawalloc=(char *)malloc(urllen+2);
+ if(NULL == conn->host.rawalloc)
+ return CURLE_OUT_OF_MEMORY;
+ conn->host.name = conn->host.rawalloc;
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/openpkg/openpkg.spec
============================================================================
$ cvs diff -u -r1.397.2.9 -r1.397.2.10 openpkg.spec
--- openpkg-src/openpkg/openpkg.spec 28 Jul 2005 06:31:33 -0000 1.397.2.9
+++ openpkg-src/openpkg/openpkg.spec 10 Dec 2005 20:54:28 -0000 1.397.2.10
@@ -39,7 +39,7 @@ # o any cc(1) # the package version/release -%define V_openpkg 2.3.5 +%define V_openpkg 2.3.6 # the used software versions %define V_rpm 4.2.1
@@ -134,6 +134,7 @@ Source62: uuid.sh Source63: gzip.c Source64: zlib.patch +Source65: curl.patch # build information Prefix: %{l_prefix}
@@ -558,6 +559,9 @@ ( cd bzip2-%{V_bzip2} ${l_patch} -p0 <`SOURCE bzip2.patch` ) || exit $? + ( cd curl-%{V_curl} + ${l_patch} -p0 <`SOURCE curl.patch` + ) || exit $? # display verbosity header set +x; VERBOSE "PREPARATION: Build GNU make (Build Tool)"; set -x
@@ .
______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
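Review bot: Both `malloc(urllen+2)` calls in the lib/url.c hunk depend on a bare `+2` that is explained only by the comment above the first call, and the writes that use those two bytes (the inserted slash and the terminating zero) are outside the hunk, so nothing visible ties the allocation size to the copies that follow. I would hold `urllen+2` in one local used by both allocations, with a short comment such as `/* +2: terminating zero, plus a slash inserted before '?' */`, and state or check at the slash-insertion site that the result still fits. The new comment also has a typo: `to possibilities` should read `two possibilities`. Since curl.patch carries the upstream advisory fix named in its header, such changes are presumably best kept in step with upstream rather than made only in this local copy.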
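Review bot: In the openpkg.spec hunk at -558, the new subshell does not check the result of `cd curl-%{V_curl}`, so if that directory is missing `${l_patch}` runs from the enclosing directory and the security patch step fails less clearly, or against the wrong tree. Joining the two commands with `&&` would make the step stop at the failed cd. The bzip2 block in the context lines has the same shape, so the same applies there; whether this script runs under errexit is not visible in the hunk.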