OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 10-Dec-2005 21:54:29
Branch: OPENPKG_2_3_SOLID Handle: 2005121020542800
Added files: (Branch: OPENPKG_2_3_SOLID)
openpkg-src/openpkg curl.patch
Modified files: (Branch: OPENPKG_2_3_SOLID)
openpkg-src/openpkg openpkg.spec
Log:
Security Fix (CVE-2005-4077, OpenPKG-SA-2005.028-curl)
Summary:
Revision Changes Path
1.4.2.3 +27 -0 openpkg-src/openpkg/curl.patch
1.397.2.10 +5 -1 openpkg-src/openpkg/openpkg.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/openpkg/curl.patch
============================================================================
$ cvs diff -u -r0 -r1.4.2.3 curl.patch
--- /dev/null 2005-12-10 21:54:25 +0100
+++ curl.patch 2005-12-10 21:54:28 +0100
@@ -0,0 +1,27 @@
+Security Fix (CVE-2005-4077, OpenPKG-SA-2005.028-curl)
+http://curl.haxx.se/docs/adv_20051207.html
+
+Index: lib/url.c
+--- lib/url.c.orig 2005-09-30 22:04:10 +0200
++++ lib/url.c 2005-12-10 20:24:40 +0100
+@@ -2372,12 +2372,18 @@
+ if(urllen < LEAST_PATH_ALLOC)
+ urllen=LEAST_PATH_ALLOC;
+
+- conn->pathbuffer=(char *)malloc(urllen);
++ /*
++ * We malloc() the buffers below urllen+2 to make room for to
possibilities:
++ * 1 - an extra terminating zero
++ * 2 - an extra slash (in case a syntax like "www.host.com?moo" is used)
++ */
++
++ conn->pathbuffer=(char *)malloc(urllen+2);
+ if(NULL == conn->pathbuffer)
+ return CURLE_OUT_OF_MEMORY; /* really bad error */
+ conn->path = conn->pathbuffer;
+
+- conn->host.rawalloc=(char *)malloc(urllen);
++ conn->host.rawalloc=(char *)malloc(urllen+2);
+ if(NULL == conn->host.rawalloc)
+ return CURLE_OUT_OF_MEMORY;
+ conn->host.name = conn->host.rawalloc;
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/openpkg/openpkg.spec
============================================================================
$ cvs diff -u -r1.397.2.9 -r1.397.2.10 openpkg.spec
--- openpkg-src/openpkg/openpkg.spec 28 Jul 2005 06:31:33 -0000
1.397.2.9
+++ openpkg-src/openpkg/openpkg.spec 10 Dec 2005 20:54:28 -0000
1.397.2.10
@@ -39,7 +39,7 @@
# o any cc(1)
# the package version/release
-%define V_openpkg 2.3.5
+%define V_openpkg 2.3.6
# the used software versions
%define V_rpm 4.2.1
@@ -134,6 +134,7 @@
Source62: uuid.sh
Source63: gzip.c
Source64: zlib.patch
+Source65: curl.patch
# build information
Prefix: %{l_prefix}
@@ -558,6 +559,9 @@
( cd bzip2-%{V_bzip2}
${l_patch} -p0 <`SOURCE bzip2.patch`
) || exit $?
+ ( cd curl-%{V_curl}
+ ${l_patch} -p0 <`SOURCE curl.patch`
+ ) || exit $?
# display verbosity header
set +x; VERBOSE "PREPARATION: Build GNU make (Build Tool)"; set -x
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List openpkg-cvs@openpkg.org
