aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2020-09-15 11:10:22 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-09-15 11:37:29 -0300
commit3e7a2f098769d9aa2865cffcf969b13c9ef56c38 (patch)
treefcb229a31bfb8f9a82248a4118ab98bdd56a8ca1
parent877a2f9d6c5208ca001dbb2bdcf7dcb31450abea (diff)
main/curl: fix CVE-2020-8169 and CVE-2020-8177
See: #11682
-rw-r--r--main/curl/APKBUILD14
-rw-r--r--main/curl/CVE-2020-8169.patch21
-rw-r--r--main/curl/CVE-2020-8177.patch50
3 files changed, 82 insertions, 3 deletions
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index a674002942f..adc14c8de54 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.66.0
-pkgrel=0
+pkgrel=1
pkgdesc="URL retrival utility and library"
url="https://curl.haxx.se/"
arch="all"
@@ -14,9 +14,15 @@ depends_dev="openssl-dev nghttp2-dev zlib-dev"
checkdepends="python3"
makedepends="$depends_dev autoconf automake groff libtool perl"
subpackages="$pkgname-dbg $pkgname-static $pkgname-doc $pkgname-dev libcurl"
-source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz"
+source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
+ CVE-2020-8169.patch
+ CVE-2020-8177.patch
+ "
# secfixes:
+# 7.66.0-r1:
+# - CVE-2020-8169
+# - CVE-2020-8177
# 7.66.0-r0:
# - CVE-2019-5481
# - CVE-2019-5482
@@ -123,4 +129,6 @@ libcurl() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr
}
-sha512sums="81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 curl-7.66.0.tar.xz"
+sha512sums="81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 curl-7.66.0.tar.xz
+4950975d59bdf8398dd5f4b8338e5f76ae3752247be9054a28753351bcddb46f71a8bd601dba31da1b6b3fbbfbe6192f33a6500144d89f2cfdfb47161e3addba CVE-2020-8169.patch
+964b6bece2d748ac5dca6afe4689341e677b3c0961237485167157567526a898b8371104a7e075cd3c255ead50ea8658d8760d4a2eab4e5de11558372c4d189c CVE-2020-8177.patch"
diff --git a/main/curl/CVE-2020-8169.patch b/main/curl/CVE-2020-8169.patch
new file mode 100644
index 00000000000..d89e21f4d79
--- /dev/null
+++ b/main/curl/CVE-2020-8169.patch
@@ -0,0 +1,21 @@
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66a..a826f8a 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Curl_easy *data,
+
+ /* for updated strings, we update them in the URL */
+ if(user_changed) {
+- uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
++ uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
++ CURLU_URLENCODE);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
+ }
+ if(passwd_changed) {
+- uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
++ uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
++ CURLU_URLENCODE);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
+ }
diff --git a/main/curl/CVE-2020-8177.patch b/main/curl/CVE-2020-8177.patch
new file mode 100644
index 00000000000..6966d837939
--- /dev/null
+++ b/main/curl/CVE-2020-8177.patch
@@ -0,0 +1,50 @@
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index b0880f1..e992bcc 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -134,25 +134,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+ filename = parse_filename(p, len);
+ if(filename) {
+ if(outs->stream) {
+- int rc;
+- /* already opened and possibly written to */
+- if(outs->fopened)
+- fclose(outs->stream);
+- outs->stream = NULL;
+-
+- /* rename the initial file name to the new file name */
+- rc = rename(outs->filename, filename);
+- if(rc != 0) {
+- warnf(outs->config->global, "Failed to rename %s -> %s: %s\n",
+- outs->filename, filename, strerror(errno));
+- }
+- if(outs->alloc_filename)
+- Curl_safefree(outs->filename);
+- if(rc != 0) {
+- free(filename);
+- return failure;
+- }
++ /* indication of problem, get out! */
++ free(filename);
++ return failure;
+ }
++
+ outs->is_cd_filename = TRUE;
+ outs->s_isreg = TRUE;
+ outs->fopened = FALSE;
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 2c18683..986172c 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -1784,6 +1784,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ }
+ break;
+ case 'i':
++ if(config->content_disposition) {
++ warnf(global,
++ "--include and --remote-header-name cannot be combined.\n");
++ return PARAM_BAD_USE;
++ }
+ config->show_headers = toggle; /* show the headers as well in the
+ general output stream */
+ break;