debian/0000755000000000000000000000000013426035674007200 5ustar debian/curl.install0000644000000000000000000000001512272152435011522 0ustar usr/bin/curl debian/libcurl3-nss.lintian-overrides0000644000000000000000000000007512272152435015073 0ustar libcurl3-nss: package-name-doesnt-match-sonames libcurl-nss4 debian/rules0000755000000000000000000000542112272152435010253 0ustar #! /usr/bin/make -f # this will avoid unneded dependencies export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed # this will catch miss-linking. (e.g. undefined symbols) #export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs CONFIGURE_ARGS = -- --disable-dependency-tracking \ --disable-symbol-hiding --enable-versioned-symbols \ --enable-threaded-resolver --with-lber-lib=lber --with-gssapi=/usr %: dh $@ override_dh_auto_configure: mkdir -p debian/build debian/build-gnutls debian/build-nss # pop the last patch (nss) quilt pop # pop the second last patch (gnutls) quilt pop # get the source without nss and gnutls patches tar -cf - --exclude=debian/build* --exclude=.pc . \ | tar -xf - -C debian/build # push the second last patch which must be gnutls quilt push # get the source with gnutls patch applied tar -cf - --exclude=debian/build* --exclude=.pc . \ | tar -xf - -C debian/build-gnutls # push the last patch which must be nss quilt push # get the source with nss patch applied tar -cf - --exclude=debian/build* --exclude=.pc . \ | tar -xf - -C debian/build-nss # run buildconf and make sure to copy the patched ltmain.sh for flavour in build build-gnutls build-nss; do \ (cd debian/$$flavour && ./buildconf && cp ../../ltmain.sh .) \ done cd debian/build && dh_auto_configure ${CONFIGURE_ARGS} \ --with-ca-path=/etc/ssl/certs cd debian/build-gnutls && dh_auto_configure ${CONFIGURE_ARGS} \ --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \ --without-ssl --with-gnutls cd debian/build-nss && dh_auto_configure ${CONFIGURE_ARGS} \ --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \ --without-ssl --with-nss override_dh_auto_build: cd debian/build && dh_auto_build cd debian/build-gnutls && dh_auto_build cd debian/build-nss && dh_auto_build override_dh_auto_test: -cd debian/build && dh_auto_test -cd debian/build-gnutls && dh_auto_test -cd debian/build-nss && dh_auto_test override_dh_install: ${MAKE} -C debian/build \ DESTDIR=$(shell pwd)/debian/tmp install ${MAKE} -C debian/build-gnutls \ DESTDIR=$(shell pwd)/debian/tmp-gnutls install ${MAKE} -C debian/build-nss \ DESTDIR=$(shell pwd)/debian/tmp-nss install dh_install -plibcurl3-gnutls -plibcurl4-gnutls-dev \ --sourcedir=debian/tmp-gnutls dh_install -plibcurl3-nss -plibcurl4-nss-dev \ --sourcedir=debian/tmp-nss dh_install -pcurl -plibcurl3 -plibcurl4-openssl-dev -plibcurl4-doc \ --sourcedir=debian/tmp sed -i "/dependency_libs/ s/'.*'/''/" `find . -name '*.la'` override_dh_installchangelogs: dh_installchangelogs CHANGES override_dh_compress: dh_compress -X.pdf override_dh_strip: dh_strip -plibcurl3 -plibcurl3-gnutls -plibcurl3-nss \ --dbg-package=libcurl3-dbg dh_strip --remaining-packages override_dh_auto_clean: $(RM) -r debian/build* debian/tmp* dh_auto_clean debian/libcurl3-gnutls.install0000644000000000000000000000003712272152435013612 0ustar usr/lib/*/libcurl-gnutls.so.4* debian/libcurl3-nss.install0000644000000000000000000000003412272152435013076 0ustar usr/lib/*/libcurl-nss.so.4* debian/libcurl4-nss-dev.manpages0000644000000000000000000000002312272152435013776 0ustar docs/curl-config.1 debian/control0000644000000000000000000002641612272724100010577 0ustar Source: curl Section: web Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Alessandro Ghedini Uploaders: Ian Jackson Build-Depends: debhelper (>= 9), autoconf, automake, ca-certificates, groff-base, libgcrypt11-dev, libgnutls-dev, libidn11-dev, libkrb5-dev, libldap2-dev, libnss3-dev, librtmp-dev, libssl-dev, libtool, openssh-server, python, quilt, zlib1g-dev Build-Conflicts: autoconf2.13, automake1.4 Standards-Version: 3.9.5 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/curl.git Vcs-Git: git://anonscm.debian.org/collab-maint/curl.git Homepage: http://curl.haxx.se Package: curl Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, libcurl3 (= ${binary:Version}) Multi-Arch: foreign Description: command line tool for transferring data with URL syntax curl is a command line tool for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP. . curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and a busload of other useful tricks. Package: curl-udeb XC-Package-Type: udeb Section: debian-installer Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, libcurl3-udeb, libcrypto1.0.0-udeb Description: Get a file from an HTTP, HTTPS or FTP server curl is a client to get files from servers using any of the supported protocols. The command is designed to work without user interaction or any kind of interactivity. . curl offers a busload of useful tricks like proxy support, user authentication, FTP upload, HTTP post, file transfer resume and more. . This package contains the curl binary for the Debian Installer (udeb) Package: libcurl3 Architecture: any Section: libs Depends: ${shlibs:Depends}, ${misc:Depends} Recommends: ca-certificates Pre-Depends: ${misc:Pre-Depends} Multi-Arch: same Description: easy-to-use client-side URL transfer library (OpenSSL flavour) libcurl is an easy-to-use client-side URL transfer library, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP. . libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more! . libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported, fast, thoroughly documented and is already used by many known, big and successful companies and numerous applications. . SSL support is provided by OpenSSL. Package: libcurl3-udeb Section: debian-installer XC-Package-Type: udeb Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Description: Multi-protocol file transfer library (OpenSSL) libcurl is designed to be a solid, usable, reliable and portable multi-protocol file transfer library. . SSL support is provided by OpenSSL. . This package contains the minimal runtime libraries for the Debian Installer (udeb). Package: libcurl3-gnutls Architecture: any Section: libs Depends: ${shlibs:Depends}, ${misc:Depends} Recommends: ca-certificates Pre-Depends: ${misc:Pre-Depends} Multi-Arch: same Description: easy-to-use client-side URL transfer library (GnuTLS flavour) libcurl is an easy-to-use client-side URL transfer library, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP. . libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more! . libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported, fast, thoroughly documented and is already used by many known, big and successful companies and numerous applications. . SSL support is provided by GnuTLS. Package: libcurl3-nss Architecture: any Section: libs Depends: ${shlibs:Depends}, ${misc:Depends} Recommends: ca-certificates Pre-Depends: ${misc:Pre-Depends} Multi-Arch: same Description: easy-to-use client-side URL transfer library (NSS flavour) libcurl is an easy-to-use client-side URL transfer library, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP. . libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more! . libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported, fast, thoroughly documented and is already used by many known, big and successful companies and numerous applications. . SSL support is provided by NSS. Package: libcurl4-openssl-dev Architecture: any Section: libdevel Suggests: libcurl4-doc, libcurl3-dbg Provides: libcurl-dev, libcurl-ssl-dev, libcurl3-openssl-dev, libcurl4-dev, libcurl3-dev Conflicts: libcurl4-gnutls-dev, libcurl4-nss-dev Depends: ${misc:Depends}, libcurl3 (= ${binary:Version}), libc6-dev | libc-dev, libidn11-dev, libkrb5-dev, libldap2-dev, librtmp-dev, libssl-dev, zlib1g-dev Multi-Arch: same Description: development files and documentation for libcurl (OpenSSL flavour) libcurl is an easy-to-use client-side URL transfer library, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP. . libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more! . libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported, fast, thoroughly documented and is already used by many known, big and successful companies and numerous applications. . This package provides the development files (ie. includes, static library, manual pages) that allow to build software which uses libcurl. . SSL support is provided by OpenSSL. Package: libcurl4-gnutls-dev Architecture: any Section: libdevel Suggests: libcurl4-doc, libcurl3-dbg Provides: libcurl-dev, libcurl-ssl-dev, libcurl3-gnutls-dev, libcurl4-dev Conflicts: libcurl4-openssl-dev, libcurl4-nss-dev Depends: ${misc:Depends}, libcurl3-gnutls (= ${binary:Version}), libc6-dev | libc-dev, libgnutls-dev, libidn11-dev, libkrb5-dev, libldap2-dev, librtmp-dev, zlib1g-dev Multi-Arch: same Description: development files and documentation for libcurl (GnuTLS flavour) libcurl is an easy-to-use client-side URL transfer library, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP. . libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more! . libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported, fast, thoroughly documented and is already used by many known, big and successful companies and numerous applications. . This package provides the development files (ie. includes, static library, manual pages) that allow to build software which uses libcurl. . SSL support is provided by GnuTLS. Package: libcurl4-nss-dev Architecture: any Section: libdevel Suggests: libcurl4-doc, libcurl3-dbg Provides: libcurl-dev, libcurl-ssl-dev, libcurl3-nss-dev, libcurl4-dev Conflicts: libcurl4-openssl-dev, libcurl4-gnutls-dev Depends: ${misc:Depends}, libcurl3-nss (= ${binary:Version}), libc6-dev | libc-dev, libidn11-dev, libkrb5-dev, libldap2-dev, libnss3-dev, librtmp-dev, zlib1g-dev Multi-Arch: same Description: development files and documentation for libcurl (NSS flavour) libcurl is an easy-to-use client-side URL transfer library, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP. . libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more! . libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported, fast, thoroughly documented and is already used by many known, big and successful companies and numerous applications. . This package provides the development files (ie. includes, static library, manual pages) that allow to build software which uses libcurl. . SSL support is provided by NSS. Package: libcurl3-dbg Architecture: any Section: debug Priority: extra Suggests: libc-dbg Provides: libcurl4-dbg Depends: ${misc:Depends}, libcurl3 (= ${binary:Version}) | libcurl3-gnutls (= ${binary:Version}) | libcurl3-nss (= ${binary:Version}) Multi-Arch: same Description: debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours) libcurl is an easy-to-use client-side URL transfer library, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP. . libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more! . libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported, fast, thoroughly documented and is already used by many known, big and successful companies and numerous applications. . This package provides the debugging symbols of the OpenSSL, GnuTLS and NSS versions of libcurl3. It might be useful in debug sessions of software which uses libcurl. Package: libcurl4-doc Section: doc Architecture: all Depends: ${misc:Depends} Replaces: libcurl4-openssl-dev (<< 7.30.0-2), libcurl4-gnutls-dev (<< 7.30.0-2), libcurl4-nss-dev (<< 7.30.0-2) Breaks: libcurl4-openssl-dev (<< 7.30.0-2), libcurl4-gnutls-dev (<< 7.30.0-2), libcurl4-nss-dev (<< 7.30.0-2) Description: documentation for libcurl libcurl is an easy-to-use client-side URL transfer library, supporting DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP. . libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling and more! . libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported, fast, thoroughly documented and is already used by many known, big and successful companies and numerous applications. . This package provides the documentation files for libcurl. debian/watch0000644000000000000000000000007512272152435010224 0ustar version=3 http://curl.haxx.se/download/curl-([\d\.]*).tar.gz debian/libcurl4-gnutls-dev.links0000755000000000000000000000043512272152435014046 0ustar #!/bin/sh echo /usr/lib/$DEB_HOST_MULTIARCH/libcurl-gnutls.a /usr/lib/$DEB_HOST_MULTIARCH/libcurl.a echo /usr/lib/$DEB_HOST_MULTIARCH/libcurl-gnutls.la /usr/lib/$DEB_HOST_MULTIARCH/libcurl.la echo /usr/lib/$DEB_HOST_MULTIARCH/libcurl-gnutls.so /usr/lib/$DEB_HOST_MULTIARCH/libcurl.so debian/libcurl4-doc.doc-base0000644000000000000000000000042412272152435013053 0ustar Document: libcurl4-doc Title: libcurl documentation Author: Daniel Stenberg Abstract: HTML version of all the manpages about libcurl Section: Network/File Transfer Format: HTML Index: /usr/share/doc/libcurl4-doc/html/index.html Files: /usr/share/doc/libcurl4-doc/html/*.html debian/patches/0000755000000000000000000000000013424056440010617 5ustar debian/patches/CVE-2017-1000100.patch0000644000000000000000000000224713165155777013467 0ustar Backport of: From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 1 Aug 2017 17:16:46 +0200 Subject: [PATCH] tftp: reject file name lengths that don't fit ... and thereby avoid telling send() to send off more bytes than the size of the buffer! CVE-2017-1000100 Bug: https://curl.haxx.se/docs/adv_20170809B.html Reported-by: Even Rouault Credit to OSS-Fuzz for the discovery --- lib/tftp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) Index: curl-7.35.0/lib/tftp.c =================================================================== --- curl-7.35.0.orig/lib/tftp.c 2017-10-04 09:02:53.462048905 -0400 +++ curl-7.35.0/lib/tftp.c 2017-10-04 09:02:53.458048855 -0400 @@ -492,6 +492,11 @@ static CURLcode tftp_send_first(tftp_sta if(!filename) return CURLE_OUT_OF_MEMORY; + if(strlen(filename) > (state->blksize - strlen(mode) - 4)) { + failf(data, "TFTP file name too long\n"); + return CURLE_TFTP_ILLEGAL; /* too long file name field */ + } + snprintf((char *)state->spacket.data+2, state->blksize, "%s%c%s%c", filename, '\0', mode, '\0'); debian/patches/CVE-2016-5421.patch0000644000000000000000000000202312751127501013230 0ustar Backport of: From ccb7d79b62c8b15a6be446f9c9fd3767c01eb5b6 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sun, 31 Jul 2016 01:09:04 +0200 Subject: [PATCH] curl_multi_cleanup: clear connection pointer for easy handles MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2016-5421 Bug: https://curl.haxx.se/docs/adv_20160803C.html Reported-by: Marcelo Echeverria and Fernando Muñoz --- lib/multi.c | 2 ++ 1 file changed, 2 insertions(+) Index: curl-7.35.0/lib/multi.c =================================================================== --- curl-7.35.0.orig/lib/multi.c 2016-08-05 11:21:29.356394772 -0400 +++ curl-7.35.0/lib/multi.c 2016-08-05 11:22:22.945055280 -0400 @@ -1798,6 +1798,8 @@ while(conn) { conn->data = multi->closure_handle; + conn->data->easy_conn = NULL; /* clear the easy handle's connection + pointer */ /* This will remove the connection from the cache */ (void)Curl_disconnect(conn, FALSE); debian/patches/CVE-2017-1000101.patch0000644000000000000000000000522413165176071013454 0ustar Backport of: From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 1 Aug 2017 17:16:07 +0200 Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow range Added test 1289 to verify. CVE-2017-1000101 Bug: https://curl.haxx.se/docs/adv_20170809A.html Reported-by: Brian Carpenter --- src/tool_urlglob.c | 5 ++++- tests/data/Makefile.inc | 2 +- tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++ 3 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 tests/data/test1289 Index: curl-7.35.0/src/tool_urlglob.c =================================================================== --- curl-7.35.0.orig/src/tool_urlglob.c 2017-10-04 11:20:03.839169051 -0400 +++ curl-7.35.0/src/tool_urlglob.c 2017-10-04 11:20:03.835168997 -0400 @@ -271,7 +271,10 @@ static GlobCode glob_range(URLGlob *glob } errno = 0; max_n = strtoul(pattern, &endp, 10); - if(errno || (*endp == ':')) { + if(errno) + /* overflow */ + endp = NULL; + else if(*endp == ':') { pattern = endp+1; errno = 0; step_n = strtoul(pattern, &endp, 10); Index: curl-7.35.0/tests/data/test1289 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test1289 2017-10-04 11:20:03.835168997 -0400 @@ -0,0 +1,35 @@ + + + +HTTP +HTTP GET +globbing + + + +# +# Server-side + + + +# Client-side + + +http + + +globbing with overflow and bad syntxx + + +http://ur%20[0-60000000000000000000 + + + +# Verify data after the test has been "shot" + +# curl: (3) [globbing] bad range in column + +3 + + + Index: curl-7.35.0/tests/data/Makefile.am =================================================================== --- curl-7.35.0.orig/tests/data/Makefile.am 2017-10-04 11:20:03.271161396 -0400 +++ curl-7.35.0/tests/data/Makefile.am 2017-10-04 11:20:20.767397216 -0400 @@ -102,7 +102,7 @@ test1208 test1209 test1210 test1211 test test1216 test1217 test1218 test1219 \ test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \ test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \ -test1236 test1237 test1238 test1239 test1240 \ +test1236 test1237 test1238 test1239 test1240 test1289 \ \ test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \ test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \ debian/patches/series0000644000000000000000000000260313424056440012035 0ustar 01_runtests_gdb.patch 02_art_http_scripting.patch 03_keep_symbols_compat.patch 04_workaround_as_needed_bug.patch 06_always-disable-valgrind.patch 07_do-not-disable-debug-symbols.patch CVE-2014-0138.patch CVE-2014-0139.patch fix_test172.patch CVE-2014-3613.patch CVE-2014-3620.patch CVE-2014-3707.patch CVE-2014-8150.patch CVE-2015-3143.patch CVE-2015-3145.patch CVE-2015-3148.patch CVE-2016-0755.patch libcurl_broken_pkcs12.patch CVE-2016-5419.patch CVE-2016-5420.patch CVE-2016-5421.patch curl-chunk-fix.patch CVE-2016-7141.patch CVE-2016-7167.patch CVE-2016-8615.patch CVE-2016-8616.patch CVE-2016-8617.patch CVE-2016-8618.patch CVE-2016-8619.patch CVE-2016-8620.patch CVE-2016-8621.patch CVE-2016-8622.patch CVE-2016-8623.patch CVE-2016-8624.patch CVE-2016-9586.patch CVE-2017-1000100.patch CVE-2017-1000101.patch CVE-2017-1000254.patch CVE-2017-7407-1.patch CVE-2017-7407-2.patch CVE-2017-1000257.patch CVE-2017-8817.patch CVE-2018-1000007.patch CVE-2018-1000120-pre1.patch CVE-2018-1000120-pre2.patch CVE-2018-1000120-pre3.patch CVE-2018-1000120-pre4.patch CVE-2018-1000120.patch CVE-2018-1000121.patch CVE-2018-1000122.patch CVE-2018-1000301.patch CVE-2018-14618.patch CVE-2018-16839-pre1.patch CVE-2018-16839-pre2.patch CVE-2018-16839.patch oob-read.patch CVE-2019-3823.patch # the following two patches are reverted during build # any new patches must be added before them 90_gnutls.patch 99_nss.patch debian/patches/CVE-2015-3145.patch0000644000000000000000000000350412515711740013237 0ustar From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 16 Apr 2015 16:37:40 +0200 Subject: [PATCH] cookie: cookie parser out of boundary memory access MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The internal libcurl function called sanitize_cookie_path() that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus destroying heap memory it wasn't supposed to. CVE-2015-3145 Bug: http://curl.haxx.se/docs/adv_20150422C.html Reported-by: Hanno Böck --- lib/cookie.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) Index: curl-7.38.0/lib/cookie.c =================================================================== --- curl-7.38.0.orig/lib/cookie.c 2015-04-22 07:54:11.375422455 -0400 +++ curl-7.38.0/lib/cookie.c 2015-04-22 07:54:11.371422423 -0400 @@ -233,11 +233,14 @@ return NULL; /* some stupid site sends path attribute with '"'. */ + len = strlen(new_path); if(new_path[0] == '\"') { - memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path)); + memmove((void *)new_path, (const void *)(new_path + 1), len); + len--; } - if(new_path[strlen(new_path) - 1] == '\"') { - new_path[strlen(new_path) - 1] = 0x0; + if(len && (new_path[len - 1] == '\"')) { + new_path[len - 1] = 0x0; + len--; } /* RFC6265 5.2.4 The Path Attribute */ @@ -249,8 +252,7 @@ } /* convert /hoge/ to /hoge */ - len = strlen(new_path); - if(1 < len && new_path[len - 1] == '/') { + if(len && new_path[len - 1] == '/') { new_path[len - 1] = 0x0; } debian/patches/CVE-2017-8817.patch0000644000000000000000000000661413207263053013257 0ustar Backport of: From baf34f6f6916cacfdf9ac01bac27e483f68ca4f6 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 10 Nov 2017 08:52:45 +0100 Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset The code would previous read beyond the end of the pattern string if the match pattern ends with an open bracket when the default pattern matching function is used. Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161 --- lib/curl_fnmatch.c | 9 +++------ tests/data/Makefile.inc | 2 +- tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 7 deletions(-) create mode 100644 tests/data/test1163 Index: curl-7.35.0/lib/curl_fnmatch.c =================================================================== --- curl-7.35.0.orig/lib/curl_fnmatch.c 2017-11-28 08:25:02.600468487 -0500 +++ curl-7.35.0/lib/curl_fnmatch.c 2017-11-28 08:25:02.596468434 -0500 @@ -134,6 +134,9 @@ static int setcharset(unsigned char **p, unsigned char c; for(;;) { c = **p; + if(!c) + return SETCHARSET_FAIL; + switch(state) { case CURLFNM_SCHS_DEFAULT: if(ISALNUM(c)) { /* ASCII value */ @@ -198,9 +201,6 @@ static int setcharset(unsigned char **p, else return SETCHARSET_FAIL; } - else if(c == '\0') { - return SETCHARSET_FAIL; - } else { charset[c] = 1; (*p)++; @@ -279,9 +279,6 @@ static int setcharset(unsigned char **p, else if(c == ']') { return SETCHARSET_OK; } - else if(c == '\0') { - return SETCHARSET_FAIL; - } else if(ISPRINT(c)) { charset[c] = 1; (*p)++; Index: curl-7.35.0/tests/data/test1163 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test1163 2017-11-28 08:25:02.596468434 -0500 @@ -0,0 +1,52 @@ + + + +FTP +RETR +LIST +wildcardmatch +ftplistparser +flaky + + + +# +# Server-side + + + + + +# Client-side + + +ftp + + +lib576 + + +FTP wildcard with pattern ending with an open-bracket + + +"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[][" + + + + +USER anonymous +PASS ftp@example.com +PWD +CWD fully_simulated +CWD DOS +EPSV +TYPE A +LIST +QUIT + +# 78 == CURLE_REMOTE_FILE_NOT_FOUND + +78 + + + Index: curl-7.35.0/tests/data/Makefile.am =================================================================== --- curl-7.35.0.orig/tests/data/Makefile.am 2017-11-28 08:24:57.268399953 -0500 +++ curl-7.35.0/tests/data/Makefile.am 2017-11-28 08:35:31.824895121 -0500 @@ -95,7 +95,7 @@ test1096 test1097 test1098 test1099 test test1104 test1105 test1106 test1107 test1108 test1109 test1110 test1111 \ test1112 test1113 test1114 test1115 test1116 test1117 test1118 test1119 \ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \ -test1128 test1129 test1130 test1131 test1132 test1133 test1152 \ +test1128 test1129 test1130 test1131 test1132 test1133 test1152 test1163 \ \ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ debian/patches/CVE-2016-8623.patch0000644000000000000000000001232413006435646013252 0ustar Backport of: From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 4 Oct 2016 23:26:13 +0200 Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies Previously it only held references to them, which was reckless as the thread lock was released so the cookies could get modified by other handles that share the same cookie jar over the share interface. CVE-2016-8623 Bug: https://curl.haxx.se/docs/adv_20161102I.html Reported-by: Cure53 --- lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++--------------------- lib/cookie.h | 4 ++-- lib/http.c | 2 +- 3 files changed, 43 insertions(+), 24 deletions(-) Index: curl-7.35.0/lib/cookie.c =================================================================== --- curl-7.35.0.orig/lib/cookie.c 2016-11-02 15:13:36.689219869 -0400 +++ curl-7.35.0/lib/cookie.c 2016-11-02 15:15:42.013933823 -0400 @@ -1010,6 +1010,40 @@ return 0; } +#define CLONE(field) \ + do { \ + if(src->field) { \ + dup->field = strdup(src->field); \ + if(!dup->field) \ + goto fail; \ + } \ + } while(0) + +static struct Cookie *dup_cookie(struct Cookie *src) +{ + struct Cookie *dup = calloc(sizeof(struct Cookie), 1); + if(dup) { + CLONE(expirestr); + CLONE(domain); + CLONE(path); + CLONE(spath); + CLONE(name); + CLONE(value); + CLONE(maxage); + CLONE(version); + dup->expires = src->expires; + dup->tailmatch = src->tailmatch; + dup->secure = src->secure; + dup->livecookie = src->livecookie; + dup->httponly = src->httponly; + } + return dup; + + fail: + freecookie(dup); + return NULL; +} + /***************************************************************************** * * Curl_cookie_getlist() @@ -1065,11 +1099,8 @@ /* and now, we know this is a match and we should create an entry for the return-linked-list */ - newco = malloc(sizeof(struct Cookie)); + newco = dup_cookie(co); if(newco) { - /* first, copy the whole source cookie: */ - memcpy(newco, co, sizeof(struct Cookie)); - /* then modify our next */ newco->next = mainco; @@ -1081,12 +1112,7 @@ else { fail: /* failure, clear up the allocated chain and return NULL */ - while(mainco) { - co = mainco->next; - free(mainco); - mainco = co; - } - + Curl_cookie_freelist(mainco); return NULL; } } @@ -1138,7 +1164,7 @@ void Curl_cookie_clearall(struct CookieInfo *cookies) { if(cookies) { - Curl_cookie_freelist(cookies->cookies, TRUE); + Curl_cookie_freelist(cookies->cookies); cookies->cookies = NULL; cookies->numcookies = 0; } @@ -1150,22 +1176,15 @@ * * Free a list of cookies previously returned by Curl_cookie_getlist(); * - * The 'cookiestoo' argument tells this function whether to just free the - * list or actually also free all cookies within the list as well. - * ****************************************************************************/ -void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo) +void Curl_cookie_freelist(struct Cookie *co) { struct Cookie *next; if(co) { while(co) { next = co->next; - if(cookiestoo) - freecookie(co); - else - free(co); /* we only free the struct since the "members" are all just - pointed out in the main cookie list! */ + freecookie(co); co = next; } } Index: curl-7.35.0/lib/cookie.h =================================================================== --- curl-7.35.0.orig/lib/cookie.h 2016-11-02 15:13:36.689219869 -0400 +++ curl-7.35.0/lib/cookie.h 2016-11-02 15:13:36.685219847 -0400 @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -82,7 +82,7 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *, const char *, bool); -void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo); +void Curl_cookie_freelist(struct Cookie *cookies); void Curl_cookie_clearall(struct CookieInfo *cookies); void Curl_cookie_clearsess(struct CookieInfo *cookies); Index: curl-7.35.0/lib/http.c =================================================================== --- curl-7.35.0.orig/lib/http.c 2016-11-02 15:13:36.689219869 -0400 +++ curl-7.35.0/lib/http.c 2016-11-02 15:13:36.685219847 -0400 @@ -2227,7 +2227,7 @@ } co = co->next; /* next cookie please */ } - Curl_cookie_freelist(store, FALSE); /* free the cookie list */ + Curl_cookie_freelist(store); } if(addcookies && (CURLE_OK == result)) { if(!count) debian/patches/CVE-2016-0755.patch0000644000000000000000000001065112651724171013250 0ustar Backport of: From 54b2c806edc3bbd2dada86055f2be41c4cbed762 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 13 Jan 2016 11:05:51 +0200 Subject: [PATCH] NTLM: Fix ConnectionExists to compare Proxy credentials Proxy NTLM authentication should compare credentials when re-using a connection similar to host authentication, as it authenticate the connection. Example: curl -v -x http://proxy:port http://host/ -U good_user:good_pwd --proxy-ntlm --next -x http://proxy:port http://host/ [-U fake_user:fake_pwd --proxy-ntlm] --- lib/url.c | 62 ++++++++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 40 insertions(+), 22 deletions(-) Index: curl-7.35.0/lib/url.c =================================================================== --- curl-7.35.0.orig/lib/url.c 2016-01-26 12:05:02.669895552 -0500 +++ curl-7.35.0/lib/url.c 2016-01-26 12:10:04.133350876 -0500 @@ -2897,12 +2897,17 @@ { struct connectdata *check; struct connectdata *chosen = 0; - bool canPipeline = IsPipeliningPossible(data, needle); - bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) || - (data->state.authhost.want & CURLAUTH_NTLM_WB)) && - (needle->handler->protocol & CURLPROTO_HTTP) ? TRUE : FALSE; struct connectbundle *bundle; + bool canPipeline = IsPipeliningPossible(data, needle); + bool wantNTLMhttp = ((data->state.authhost.want & + (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) && + (needle->handler->protocol & CURLPROTO_HTTP)); + bool wantProxyNTLMhttp = (needle->bits.proxy_user_passwd && + ((data->state.authproxy.want & + (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) && + (needle->handler->protocol & CURLPROTO_HTTP))); + *force_reuse = FALSE; /* We can't pipe if the site is blacklisted */ @@ -2931,7 +2936,6 @@ curr = bundle->conn_list->head; while(curr) { bool match = FALSE; - bool credentialsMatch = FALSE; size_t pipeLen; /* @@ -3055,16 +3059,14 @@ continue; } - if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) || - (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) { - /* This protocol requires credentials per connection or is HTTP+NTLM, + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { + /* This protocol requires credentials per connection, so verify that we're using the same name and password as well */ if(!strequal(needle->user, check->user) || !strequal(needle->passwd, check->passwd)) { /* one of them was different */ continue; } - credentialsMatch = TRUE; } if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL || @@ -3122,16 +3124,40 @@ possible. (Especially we must not reuse the same connection if partway through a handshake!) */ if(wantNTLMhttp) { - if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) { - chosen = check; + if(!strequal(needle->user, check->user) || + !strequal(needle->passwd, check->passwd)) + continue; + } + else if(check->ntlm.state != NTLMSTATE_NONE) { + /* Connection is using NTLM auth but we don't want NTLM */ + continue; + } + /* Same for Proxy NTLM authentication */ + if(wantProxyNTLMhttp) { + if(!strequal(needle->proxyuser, check->proxyuser) || + !strequal(needle->proxypasswd, check->proxypasswd)) + continue; + } + else if(check->proxyntlm.state != NTLMSTATE_NONE) { + /* Proxy connection is using NTLM auth but we don't want NTLM */ + continue; + } + + if(wantNTLMhttp || wantProxyNTLMhttp) { + /* Credentials are already checked, we can use this connection */ + chosen = check; + + if((wantNTLMhttp && + (check->ntlm.state != NTLMSTATE_NONE)) || + (wantProxyNTLMhttp && + (check->proxyntlm.state != NTLMSTATE_NONE))) { /* We must use this connection, no other */ *force_reuse = TRUE; break; } - else if(credentialsMatch) - /* this is a backup choice */ - chosen = check; + + /* Continue look up for a better connection */ continue; } debian/patches/06_always-disable-valgrind.patch0000644000000000000000000000101512272152435016650 0ustar Description: Always disable valgrind tests Origin: vendor Bug-Debian: http://bugs.debian.org/690968 Forwarded: not-needed Last-Update: 2012-10-22 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -57,7 +57,7 @@ if CROSSCOMPILING TEST = @echo "NOTICE: we can't run the tests when cross-compiling!" else # if not cross-compiling: -TEST = srcdir=$(srcdir) $(PERL) $(PERLFLAGS) $(srcdir)/runtests.pl +TEST = srcdir=$(srcdir) $(PERL) $(PERLFLAGS) $(srcdir)/runtests.pl -n TEST_Q = -a -s TEST_AM = -a -am TEST_F = -a -p -r debian/patches/CVE-2015-3148.patch0000644000000000000000000000400412515714007013235 0ustar Description: fix negotiate not treated as connection-oriented Origin: backport, https://github.com/bagder/curl/commit/f78ae415d24b9bd89d6c121c556e411fdb21c6aa Origin: backport, https://github.com/bagder/curl/commit/79b9d5f1a42578f807a6c94914bc65cbaa304b6d Index: curl-7.35.0/lib/http.c =================================================================== --- curl-7.35.0.orig/lib/http.c 2015-04-22 08:45:34.520218581 -0400 +++ curl-7.35.0/lib/http.c 2015-04-22 08:45:55.408396962 -0400 @@ -1413,6 +1413,18 @@ Curl_unencode_cleanup(conn); +#ifdef USE_HTTP_NEGOTIATE + if(data->state.proxyneg.state == GSS_AUTHSENT || + data->state.negotiate.state == GSS_AUTHSENT) { + /* add forbid re-use if http-code != 401/407 as a WA only needed for + * 401/407 that signal auth failure (empty) otherwise state will be RECV + * with current code */ + if((data->req.httpcode != 401) && (data->req.httpcode != 407)) + conn->bits.close = TRUE; + Curl_cleanup_negotiate(data); + } +#endif + /* set the proper values (possibly modified on POST) */ conn->fread_func = data->set.fread_func; /* restore */ conn->fread_in = data->set.in; /* restore */ Index: curl-7.35.0/lib/http_negotiate.c =================================================================== --- curl-7.35.0.orig/lib/http_negotiate.c 2015-04-22 08:45:34.520218581 -0400 +++ curl-7.35.0/lib/http_negotiate.c 2015-04-22 08:45:34.520218581 -0400 @@ -355,7 +355,6 @@ } Curl_safefree(encoded); - Curl_cleanup_negotiate(conn->data); return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; } Index: curl-7.35.0/lib/http_negotiate_sspi.c =================================================================== --- curl-7.35.0.orig/lib/http_negotiate_sspi.c 2015-04-22 08:45:34.520218581 -0400 +++ curl-7.35.0/lib/http_negotiate_sspi.c 2015-04-22 08:45:34.520218581 -0400 @@ -268,7 +268,6 @@ else conn->allocptr.userpwd = userp; free(encoded); - Curl_cleanup_negotiate (conn->data); return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; } debian/patches/CVE-2018-1000122.patch0000644000000000000000000000246213252220466013454 0ustar From d52dc4760f6d9ca1937eefa2093058a952465128 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 8 Mar 2018 10:33:16 +0100 Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end CVE-2018-1000122 Bug: https://curl.haxx.se/docs/adv_2018-b047.html Detected by OSS-fuzz --- lib/transfer.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) Index: curl-7.35.0/lib/transfer.c =================================================================== --- curl-7.35.0.orig/lib/transfer.c 2018-03-14 09:18:43.922058859 -0400 +++ curl-7.35.0/lib/transfer.c 2018-03-14 09:18:43.918058852 -0400 @@ -753,10 +753,15 @@ static CURLcode readwrite_data(struct Se } /* if(! header and data to read ) */ - if(conn->handler->readwrite && - (excess > 0 && !conn->bits.stream_was_rewound)) { + if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) { /* Parse the excess data */ k->str += nread; + + if(&k->str[excess] > &k->buf[data->set.buffer_size]) { + /* the excess amount was too excessive(!), make sure + it doesn't read out of buffer */ + excess = &k->buf[data->set.buffer_size] - k->str; + } nread = (ssize_t)excess; result = conn->handler->readwrite(data, conn, &nread, &readmore); debian/patches/oob-read.patch0000644000000000000000000000160013365574664013346 0ustar Backport of: From 8490ab449e98b9861a8afdc04f06956e94692ebf Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sun, 28 Oct 2018 01:33:23 +0200 Subject: [PATCH] voutf: fix bad arethmetic when outputting warnings to stderr Reported-by: Brian Carpenter --- src/tool_msgs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: curl-7.35.0/src/tool_msgs.c =================================================================== --- curl-7.35.0.orig/src/tool_msgs.c 2018-10-29 08:14:42.004847724 -0400 +++ curl-7.35.0/src/tool_msgs.c 2018-10-29 08:14:42.000847700 -0400 @@ -68,7 +68,7 @@ void warnf(struct Configurable *config, (void)fwrite(ptr, cut + 1, 1, config->errors); fputs("\n", config->errors); ptr += cut+1; /* skip the space too */ - len -= cut; + len -= cut + 1; } else { fputs(ptr, config->errors); debian/patches/CVE-2018-1000120-pre4.patch0000644000000000000000000000250013252220332014303 0ustar From f81a8364618caf99b4691ffd494a9b2d4c9fb1f6 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 2 Nov 2016 07:22:27 +0100 Subject: [PATCH] ftp_done: don't clobber the passed in error code Coverity CID 1374359 pointed out the unused result value. --- lib/ftp.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) Index: curl-7.35.0/lib/ftp.c =================================================================== --- curl-7.35.0.orig/lib/ftp.c 2018-03-14 09:17:12.017881888 -0400 +++ curl-7.35.0/lib/ftp.c 2018-03-14 09:17:12.013881879 -0400 @@ -3247,11 +3247,12 @@ static CURLcode ftp_done(struct connectd ftpc->known_filesize = -1; } - /* get the "raw" path */ - result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); + if(!result) + /* get the "raw" path */ + result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); if(result) { - /* out of memory, but we can limp along anyway (and should try to - * since we may already be in the out of memory cleanup path) */ + /* We can limp along anyway (and should try to since we may already be in + * the error path) */ ftpc->ctl_valid = FALSE; /* mark control connection as bad */ conn->bits.close = TRUE; /* mark for connection closure */ ftpc->prevpath = NULL; /* no path remembering */ debian/patches/04_workaround_as_needed_bug.patch0000644000000000000000000000176712272152435017176 0ustar Description: Work around libtool --as-needed reordering bug Origin: vendor Bug-Debian: http://bugs.debian.org/347650 Forwarded: not-needed Author: Alessandro Ghedini Reviewed-by: Alessandro Ghedini Last-Update: 2013-03-22 --- a/ltmain.sh +++ b/ltmain.sh @@ -5800,6 +5800,11 @@ arg=$func_stripname_result ;; + -Wl,--as-needed|-Wl,--no-as-needed) + deplibs="$deplibs $arg" + continue + ;; + -Wl,*) func_stripname '-Wl,' '' "$arg" args=$func_stripname_result @@ -6163,6 +6168,15 @@ lib= found=no case $deplib in + -Wl,--as-needed|-Wl,--no-as-needed) + if test "$linkmode,$pass" = "prog,link"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + deplibs="$deplib $deplibs" + fi + continue + ;; -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) if test "$linkmode,$pass" = "prog,link"; then debian/patches/90_gnutls.patch0000644000000000000000000001137612272152435013475 0ustar Description: Build with GnuTLS. Origin: vendor Forwarded: not-needed Author: Ramakrishnan Muthukrishnan Reviewed-by: Alessandro Ghedini Last-Update: 2013-04-17 --- a/docs/examples/Makefile.am +++ b/docs/examples/Makefile.am @@ -52,9 +52,9 @@ # Dependencies if USE_EXPLICIT_LIB_DEPS -LDADD = $(LIBDIR)/libcurl.la @LIBCURL_LIBS@ +LDADD = $(LIBDIR)/libcurl-gnutls.la @LIBCURL_LIBS@ else -LDADD = $(LIBDIR)/libcurl.la +LDADD = $(LIBDIR)/libcurl-gnutls.la endif # Makefile.inc provides the check_PROGRAMS and COMPLICATED_EXAMPLES defines --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -36,7 +36,7 @@ firefox-db2pem.sh config-vxworks.h Makefile.vxworks checksrc.pl \ objnames-test08.sh objnames-test10.sh objnames.inc -lib_LTLIBRARIES = libcurl.la +lib_LTLIBRARIES = libcurl-gnutls.la if BUILD_UNITTESTS noinst_LTLIBRARIES = libcurlu.la @@ -106,38 +106,38 @@ AM_LDFLAGS = AM_CFLAGS = -libcurl_la_CPPFLAGS_EXTRA = -libcurl_la_LDFLAGS_EXTRA = -libcurl_la_CFLAGS_EXTRA = +libcurl_gnutls_la_CPPFLAGS_EXTRA = +libcurl_gnutls_la_LDFLAGS_EXTRA = +libcurl_gnutls_la_CFLAGS_EXTRA = if CURL_LT_SHLIB_USE_VERSION_INFO -libcurl_la_LDFLAGS_EXTRA += $(VERSIONINFO) +libcurl_gnutls_la_LDFLAGS_EXTRA += $(VERSIONINFO) endif if CURL_LT_SHLIB_USE_NO_UNDEFINED -libcurl_la_LDFLAGS_EXTRA += -no-undefined +libcurl_gnutls_la_LDFLAGS_EXTRA += -no-undefined endif if CURL_LT_SHLIB_USE_MIMPURE_TEXT -libcurl_la_LDFLAGS_EXTRA += -mimpure-text +libcurl_gnutls_la_LDFLAGS_EXTRA += -mimpure-text endif if CURL_LT_SHLIB_USE_VERSIONED_SYMBOLS -libcurl_la_LDFLAGS_EXTRA += -Wl,--version-script=libcurl.vers +libcurl_gnutls_la_LDFLAGS_EXTRA += -Wl,--version-script=libcurl.vers endif if USE_CPPFLAG_CURL_STATICLIB -libcurl_la_CPPFLAGS_EXTRA += -DCURL_STATICLIB +libcurl_gnutls_la_CPPFLAGS_EXTRA += -DCURL_STATICLIB endif if DOING_CURL_SYMBOL_HIDING -libcurl_la_CPPFLAGS_EXTRA += -DCURL_HIDDEN_SYMBOLS -libcurl_la_CFLAGS_EXTRA += $(CFLAG_CURL_SYMBOL_HIDING) +libcurl_gnutls_la_CPPFLAGS_EXTRA += -DCURL_HIDDEN_SYMBOLS +libcurl_gnutls_la_CFLAGS_EXTRA += $(CFLAG_CURL_SYMBOL_HIDING) endif -libcurl_la_CPPFLAGS = $(AM_CPPFLAGS) $(libcurl_la_CPPFLAGS_EXTRA) -libcurl_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_la_LDFLAGS_EXTRA) $(LDFLAGS) $(LIBCURL_LIBS) -libcurl_la_CFLAGS = $(AM_CFLAGS) $(libcurl_la_CFLAGS_EXTRA) +libcurl_gnutls_la_CPPFLAGS = $(AM_CPPFLAGS) $(libcurl_gnutls_la_CPPFLAGS_EXTRA) +libcurl_gnutls_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_gnutls_la_LDFLAGS_EXTRA) $(LDFLAGS) $(LIBCURL_LIBS) +libcurl_gnutls_la_CFLAGS = $(AM_CFLAGS) $(libcurl_gnutls_la_CFLAGS_EXTRA) libcurlu_la_CPPFLAGS = $(AM_CPPFLAGS) -DCURL_STATICLIB -DUNITTESTS libcurlu_la_LDFLAGS = $(AM_LDFLAGS) -static $(LIBCURL_LIBS) @@ -146,7 +146,7 @@ # Makefile.inc provides the CSOURCES and HHEADERS defines include Makefile.inc -libcurl_la_SOURCES = $(CSOURCES) $(HHEADERS) +libcurl_gnutls_la_SOURCES = $(CSOURCES) $(HHEADERS) libcurlu_la_SOURCES = $(CSOURCES) $(HHEADERS) checksrc: --- a/src/Makefile.am +++ b/src/Makefile.am @@ -57,14 +57,14 @@ LIBS = $(BLANK_AT_MAKETIME) if USE_EXPLICIT_LIB_DEPS -curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@ @LIBCURL_LIBS@ +curl_LDADD = $(top_builddir)/lib/libcurl-gnutls.la @LIBMETALINK_LIBS@ @LIBCURL_LIBS@ else -curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBMETALINK_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ +curl_LDADD = $(top_builddir)/lib/libcurl-gnutls.la @LIBMETALINK_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ endif curl_LDFLAGS = @LIBMETALINK_LDFLAGS@ curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBMETALINK_CPPFLAGS) -curl_DEPENDENCIES = $(top_builddir)/lib/libcurl.la +curl_DEPENDENCIES = $(top_builddir)/lib/libcurl-gnutls.la # if unit tests are enabled, build a static library to link them with if BUILD_UNITTESTS --- a/tests/libtest/Makefile.am +++ b/tests/libtest/Makefile.am @@ -59,16 +59,16 @@ LIBS = $(BLANK_AT_MAKETIME) if USE_EXPLICIT_LIB_DEPS -SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ -TESTUTIL_LIBS = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ +SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @LIBCURL_LIBS@ +TESTUTIL_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @LIBCURL_LIBS@ else -SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl.la @CURL_NETWORK_LIBS@ -TESTUTIL_LIBS = $(top_builddir)/lib/libcurl.la @CURL_NETWORK_AND_TIME_LIBS@ +SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @CURL_NETWORK_LIBS@ +TESTUTIL_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @CURL_NETWORK_AND_TIME_LIBS@ endif # Dependencies (may need to be overriden) LDADD = $(SUPPORTFILES_LIBS) -DEPENDENCIES = $(top_builddir)/lib/libcurl.la +DEPENDENCIES = $(top_builddir)/lib/libcurl-gnutls.la # Makefile.inc provides the source defines (TESTUTIL, SUPPORTFILES, # noinst_PROGRAMS, lib*_SOURCES, and lib*_CFLAGS) debian/patches/curl-chunk-fix.patch0000644000000000000000000000213612760777301014511 0ustar From 0ab97ba0090f2609760c33000181f08757336a48 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 12 Feb 2014 14:33:17 +0100 Subject: [PATCH] chunked decoder: track overflows correctly The code didn't properly check the return codes to detect overflows so it could trigger incorrectly. Like on mingw32. Regression introduced in 345891edba (curl 7.35.0) Bug: http://curl.haxx.se/mail/lib-2014-02/0097.html Reported-by: LM Bug-LP: #1613698 --- lib/http_chunks.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/http_chunks.c b/lib/http_chunks.c index 47de958..83e3f0e 100644 --- a/lib/http_chunks.c +++ b/lib/http_chunks.c @@ -162,8 +162,8 @@ CHUNKcode Curl_httpchunk_read(struct connectdata *conn, } ch->datasize=curlx_strtoofft(ch->hexbuffer, &endptr, 16); - if(errno == ERANGE) - /* over or underflow is an error */ + if((ch->datasize == CURL_OFF_T_MAX) && (errno == ERANGE)) + /* overflow is an error */ return CHUNKE_ILLEGAL_HEX; ch->state = CHUNK_LF; /* now wait for the CRLF */ } debian/patches/CVE-2014-3613.patch0000644000000000000000000002024012404311653013226 0ustar Description: fix incorrect cookie handling via partial literal IP addresses Origin: upstream, http://curl.haxx.se/CVE-2014-3613.patch Warning: this patch contain weird line endings, be careful when editing Index: curl-7.37.1/lib/cookie.c =================================================================== --- curl-7.37.1.orig/lib/cookie.c 2014-06-11 13:52:29.000000000 -0400 +++ curl-7.37.1/lib/cookie.c 2014-09-11 08:10:28.583232398 -0400 @@ -95,6 +95,7 @@ #include "strtoofft.h" #include "rawstr.h" #include "curl_memrchr.h" +#include "inet_pton.h" /* The last #include file should be: */ #include "memdebug.h" @@ -319,6 +320,28 @@ } } +/* + * Return true if the given string is an IP(v4|v6) address. + */ +static bool isip(const char *domain) +{ + struct in_addr addr; +#ifdef ENABLE_IPV6 + struct in6_addr addr6; +#endif + + if(Curl_inet_pton(AF_INET, domain, &addr) +#ifdef ENABLE_IPV6 + || Curl_inet_pton(AF_INET6, domain, &addr6) +#endif + ) { + /* domain name given as IP address */ + return TRUE; + } + + return FALSE; +} + /**************************************************************************** * * Curl_cookie_add() @@ -439,24 +462,27 @@ } } else if(Curl_raw_equal("domain", name)) { + bool is_ip; + /* Now, we make sure that our host is within the given domain, or the given domain is not valid and thus cannot be set. */ if('.' == whatptr[0]) whatptr++; /* ignore preceding dot */ - if(!domain || tailmatch(whatptr, domain)) { - const char *tailptr=whatptr; - if(tailptr[0] == '.') - tailptr++; - strstore(&co->domain, tailptr); /* don't prefix w/dots - internally */ + is_ip = isip(domain ? domain : whatptr); + + if(!domain + || (is_ip && !strcmp(whatptr, domain)) + || (!is_ip && tailmatch(whatptr, domain))) { + strstore(&co->domain, whatptr); if(!co->domain) { badcookie = TRUE; break; } - co->tailmatch=TRUE; /* we always do that if the domain name was - given */ + if(!is_ip) + co->tailmatch=TRUE; /* we always do that if the domain name was + given */ } else { /* we did not get a tailmatch and then the attempted set domain @@ -968,6 +994,7 @@ time_t now = time(NULL); struct Cookie *mainco=NULL; size_t matches = 0; + bool is_ip; if(!c || !c->cookies) return NULL; /* no cookie struct or no cookies in the struct */ @@ -975,6 +1002,9 @@ /* at first, remove expired cookies */ remove_expired(c); + /* check if host is an IP(v4|v6) address */ + is_ip = isip(host); + co = c->cookies; while(co) { @@ -986,8 +1016,8 @@ /* now check if the domain is correct */ if(!co->domain || - (co->tailmatch && tailmatch(co->domain, host)) || - (!co->tailmatch && Curl_raw_equal(host, co->domain)) ) { + (co->tailmatch && !is_ip && tailmatch(co->domain, host)) || + ((!co->tailmatch || is_ip) && Curl_raw_equal(host, co->domain)) ) { /* the right part of the host matches the domain stuff in the cookie data */ Index: curl-7.37.1/tests/data/test1105 =================================================================== --- curl-7.37.1.orig/tests/data/test1105 2014-06-11 13:52:29.000000000 -0400 +++ curl-7.37.1/tests/data/test1105 2014-09-11 08:10:28.583232398 -0400 @@ -59,8 +59,7 @@ # This file was generated by libcurl! Edit at your own risk. 127.0.0.1 FALSE /we/want/ FALSE 0 foobar name -.127.0.0.1 TRUE "/silly/" FALSE 0 mismatch this -.0.0.1 TRUE / FALSE 0 partmatch present +127.0.0.1 FALSE "/silly/" FALSE 0 mismatch this Index: curl-7.37.1/tests/data/test31 =================================================================== --- curl-7.37.1.orig/tests/data/test31 2014-06-11 13:52:30.000000000 -0400 +++ curl-7.37.1/tests/data/test31 2014-09-11 08:13:35.311233452 -0400 @@ -51,7 +51,8 @@ Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030 Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030 Set-Cookie: magic=yessir; path=/silly/; HttpOnly -Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad; +Set-Cookie: blexp=yesyes; domain=127.0.0.1; domain=127.0.0.1; expiry=totally bad; +Set-Cookie: partialip=nono; domain=.0.0.1; boo @@ -95,34 +96,34 @@ # http://curl.haxx.se/docs/http-cookies.html # This file was generated by libcurl! Edit at your own risk. -.127.0.0.1 TRUE /silly/ FALSE 0 ismatch this -.127.0.0.1 TRUE /overwrite FALSE 0 overwrite this2 -.127.0.0.1 TRUE /secure1/ TRUE 0 sec1value secure1 -.127.0.0.1 TRUE /secure2/ TRUE 0 sec2value secure2 -.127.0.0.1 TRUE /secure3/ TRUE 0 sec3value secure3 -.127.0.0.1 TRUE /secure4/ TRUE 0 sec4value secure4 -.127.0.0.1 TRUE /secure5/ TRUE 0 sec5value secure5 -.127.0.0.1 TRUE /secure6/ TRUE 0 sec6value secure6 -.127.0.0.1 TRUE /secure7/ TRUE 0 sec7value secure7 -.127.0.0.1 TRUE /secure8/ TRUE 0 sec8value secure8 -.127.0.0.1 TRUE /secure9/ TRUE 0 secure very1 -#HttpOnly_.127.0.0.1 TRUE /p1/ FALSE 0 httpo1 value1 -#HttpOnly_.127.0.0.1 TRUE /p2/ FALSE 0 httpo2 value2 -#HttpOnly_.127.0.0.1 TRUE /p3/ FALSE 0 httpo3 value3 -#HttpOnly_.127.0.0.1 TRUE /p4/ FALSE 0 httpo4 value4 -#HttpOnly_.127.0.0.1 TRUE /p4/ FALSE 0 httponly myvalue1 -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec myvalue2 -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec2 myvalue3 -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec3 myvalue4 -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec4 myvalue5 -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec5 myvalue6 -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec6 myvalue7 -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec7 myvalue8 -#HttpOnly_.127.0.0.1 TRUE /p4/ TRUE 0 httpandsec8 myvalue9 -.127.0.0.1 TRUE / FALSE 0 partmatch present +127.0.0.1 FALSE /silly/ FALSE 0 ismatch this +127.0.0.1 FALSE /overwrite FALSE 0 overwrite this2 +127.0.0.1 FALSE /secure1/ TRUE 0 sec1value secure1 +127.0.0.1 FALSE /secure2/ TRUE 0 sec2value secure2 +127.0.0.1 FALSE /secure3/ TRUE 0 sec3value secure3 +127.0.0.1 FALSE /secure4/ TRUE 0 sec4value secure4 +127.0.0.1 FALSE /secure5/ TRUE 0 sec5value secure5 +127.0.0.1 FALSE /secure6/ TRUE 0 sec6value secure6 +127.0.0.1 FALSE /secure7/ TRUE 0 sec7value secure7 +127.0.0.1 FALSE /secure8/ TRUE 0 sec8value secure8 +127.0.0.1 FALSE /secure9/ TRUE 0 secure very1 +#HttpOnly_127.0.0.1 FALSE /p1/ FALSE 0 httpo1 value1 +#HttpOnly_127.0.0.1 FALSE /p2/ FALSE 0 httpo2 value2 +#HttpOnly_127.0.0.1 FALSE /p3/ FALSE 0 httpo3 value3 +#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httpo4 value4 +#HttpOnly_127.0.0.1 FALSE /p4/ FALSE 0 httponly myvalue1 +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec myvalue2 +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec2 myvalue3 +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec3 myvalue4 +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec4 myvalue5 +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec5 myvalue6 +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec6 myvalue7 +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec7 myvalue8 +#HttpOnly_127.0.0.1 FALSE /p4/ TRUE 0 httpandsec8 myvalue9 +127.0.0.1 FALSE / FALSE 0 partmatch present 127.0.0.1 FALSE /we/want/ FALSE 2054030187 nodomain value #HttpOnly_127.0.0.1 FALSE /silly/ FALSE 0 magic yessir -.0.0.1 TRUE /we/want/ FALSE 0 blexp yesyes +127.0.0.1 FALSE /we/want/ FALSE 0 blexp yesyes Index: curl-7.37.1/tests/data/test8 =================================================================== --- curl-7.37.1.orig/tests/data/test8 2014-06-11 13:52:30.000000000 -0400 +++ curl-7.37.1/tests/data/test8 2014-09-11 08:10:28.583232398 -0400 @@ -42,7 +42,8 @@ Set-Cookie: cookie=yes; path=/we; Set-Cookie: cookie=perhaps; path=/we/want; Set-Cookie: nocookie=yes; path=/WE; -Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad; +Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad; +Set-Cookie: partialip=nono; domain=.0.0.1; debian/patches/03_keep_symbols_compat.patch0000644000000000000000000000056512272152435016210 0ustar Description: Keep versioned symbols backwards compatibility. Origin: vendor Forwarded: not-needed Author: Alessandro Ghedini Last-Update: 2013-04-16 --- a/lib/libcurl.vers.in +++ b/lib/libcurl.vers.in @@ -6,7 +6,7 @@ _save*; }; -CURL_@CURL_LT_SHLIB_VERSIONED_FLAVOUR@4 +CURL_@CURL_LT_SHLIB_VERSIONED_FLAVOUR@3 { global: curl_*; local: *; debian/patches/CVE-2016-8622.patch0000644000000000000000000000532213006435321013237 0ustar Backport of: From 71da91453899ba20b28ee9712620e323145a0ee5 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 4 Oct 2016 18:56:45 +0200 Subject: [PATCH] unescape: avoid integer overflow CVE-2016-8622 Bug: https://curl.haxx.se/docs/adv_20161102H.html Reported-by: Cure53 --- docs/libcurl/curl_easy_unescape.3 | 7 +++++-- lib/dict.c | 10 +++++----- lib/escape.c | 10 ++++++++-- 3 files changed, 18 insertions(+), 9 deletions(-) Index: curl-7.35.0/docs/libcurl/curl_easy_unescape.3 =================================================================== --- curl-7.35.0.orig/docs/libcurl/curl_easy_unescape.3 2016-11-02 15:12:17.088766399 -0400 +++ curl-7.35.0/docs/libcurl/curl_easy_unescape.3 2016-11-02 15:12:17.088766399 -0400 @@ -40,7 +40,10 @@ If \fBoutlength\fP is non-NULL, the function will write the length of the returned string in the integer it points to. This allows an escaped string -containing %00 to still get used properly after unescaping. +containing %00 to still get used properly after unescaping. Since this is a +pointer to an \fIint\fP type, it can only return a value up to INT_MAX so no +longer string can be unescaped if the string length is returned in this +parameter. You must \fIcurl_free(3)\fP the returned string when you're done with it. .SH AVAILABILITY Index: curl-7.35.0/lib/dict.c =================================================================== --- curl-7.35.0.orig/lib/dict.c 2016-11-02 15:12:17.088766399 -0400 +++ curl-7.35.0/lib/dict.c 2016-11-02 15:13:06.025045181 -0400 @@ -52,7 +52,7 @@ #include #include "transfer.h" #include "sendf.h" - +#include "escape.h" #include "progress.h" #include "strequal.h" #include "dict.h" @@ -100,12 +100,12 @@ char *newp; char *dictp; char *ptr; - int len; + size_t len; char byte; int olen=0; - newp = curl_easy_unescape(data, inputbuff, 0, &len); - if(!newp) + CURLcode result = Curl_urldecode(data, inputbuff, 0, &newp, &len, FALSE); + if(!newp || result) return NULL; dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */ Index: curl-7.35.0/lib/escape.c =================================================================== --- curl-7.35.0.orig/lib/escape.c 2016-11-02 15:12:17.088766399 -0400 +++ curl-7.35.0/lib/escape.c 2016-11-02 15:12:17.088766399 -0400 @@ -226,8 +226,14 @@ FALSE); if(res) return NULL; - if(olen) - *olen = curlx_uztosi(outputlen); + + if(olen) { + if(outputlen <= (size_t) INT_MAX) + *olen = curlx_uztosi(outputlen); + else + /* too large to return in an int, fail! */ + Curl_safefree(str); + } } return str; } debian/patches/CVE-2018-1000120.patch0000644000000000000000000000767513252220447013464 0ustar WARNING: this patch contains both CRLF and LF line terminators, editing may break it. Backport of: From 535432c0adb62fe167ec09621500470b6fa4eb0f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 31 Jan 2018 08:40:11 +0100 Subject: [PATCH] FTP: reject path components with control codes Refuse to operate when given path components featuring byte values lower than 32. Previously, inserting a %00 sequence early in the directory part when using the 'singlecwd' ftp method could make curl write a zero byte outside of the allocated buffer. Test case 340 verifies. CVE-2018-1000120 Reported-by: Duy Phan Thanh Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html --- lib/ftp.c | 8 ++++---- tests/data/Makefile.inc | 3 +++ tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+), 4 deletions(-) create mode 100644 tests/data/test340 Index: curl-7.35.0/lib/ftp.c =================================================================== --- curl-7.35.0.orig/lib/ftp.c 2018-03-14 09:17:25.421908516 -0400 +++ curl-7.35.0/lib/ftp.c 2018-03-14 09:17:25.417908509 -0400 @@ -1484,7 +1484,7 @@ static CURLcode ftp_state_list(struct co slashPos = strrchr(inpath, '/'); n = slashPos - inpath; } - result = Curl_urldecode(data, inpath, n, &lstArg, NULL, FALSE); + result = Curl_urldecode(data, inpath, n, &lstArg, NULL, TRUE); if(result) return result; } @@ -3249,7 +3249,7 @@ static CURLcode ftp_done(struct connectd if(!result) /* get the "raw" path */ - result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); + result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE); if(result) { /* We can limp along anyway (and should try to since we may already be in * the error path) */ @@ -4251,7 +4251,7 @@ CURLcode ftp_parse_url_path(struct conne result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", slash_pos ? dirlen : 1, &ftpc->dirs[0], NULL, - FALSE); + TRUE); if(result) { freedirs(ftpc); return result; @@ -4359,7 +4359,7 @@ CURLcode ftp_parse_url_path(struct conne size_t dlen; char *path; CURLcode result = - Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); + Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE); if(result) { freedirs(ftpc); return result; Index: curl-7.35.0/tests/data/test340 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test340 2018-03-14 09:17:25.417908509 -0400 @@ -0,0 +1,40 @@ + + + +FTP +PASV +CWD +--ftp-method +singlecwd + + +# +# Server-side + + + +# Client-side + + +ftp + + +FTP using %00 in path with singlecwd + + +--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340 + + + +# Verify data after the test has been "shot" + + +USER anonymous +PASS ftp@example.com +PWD + + +3 + + + Index: curl-7.35.0/tests/data/Makefile.am =================================================================== --- curl-7.35.0.orig/tests/data/Makefile.am 2018-03-14 09:16:48.177833783 -0400 +++ curl-7.35.0/tests/data/Makefile.am 2018-03-14 09:18:26.762026775 -0400 @@ -38,6 +38,7 @@ test289 test290 test291 test292 test293 test298 test299 test300 test301 test302 test303 test304 test305 test306 \ test307 test308 test309 test310 test311 test312 test313 \ test317 test318 test320 test321 test322 test323 test324 \ +test340 \ test350 test351 test352 test353 test354 \ \ test400 test401 test402 test403 test404 test405 test406 test407 test408 \ debian/patches/CVE-2016-7141.patch0000644000000000000000000000276413006433527013247 0ustar Backport of: From 7700fcba64bf5806de28f6c1c7da3b4f0b38567d Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 22 Aug 2016 10:24:35 +0200 Subject: [PATCH] nss: refuse previously loaded certificate from file ... when we are not asked to use a certificate from file --- lib/vtls/nss.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) Index: curl-7.35.0/lib/vtls/nss.c =================================================================== --- curl-7.35.0.orig/lib/vtls/nss.c 2016-11-02 14:58:29.464051557 -0400 +++ curl-7.35.0/lib/vtls/nss.c 2016-11-02 14:58:29.460051534 -0400 @@ -784,10 +784,10 @@ struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg; struct SessionHandle *data = connssl->data; const char *nickname = connssl->client_nickname; + static const char pem_slotname[] = "PEM Token #1"; if(connssl->obj_clicert) { /* use the cert/key provided by PEM reader */ - static const char pem_slotname[] = "PEM Token #1"; SECItem cert_der = { 0, NULL, 0 }; void *proto_win = SSL_RevealPinArg(sock); struct CERTCertificateStr *cert; @@ -849,6 +849,12 @@ if(NULL == nickname) nickname = "[unknown]"; + if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) { + failf(data, "NSS: refusing previously loaded certificate from file: %s", + nickname); + return SECFailure; + } + if(NULL == *pRetKey) { failf(data, "NSS: private key not found for certificate: %s", nickname); return SECFailure; debian/patches/CVE-2017-1000257.patch0000644000000000000000000000166513171441715013472 0ustar From 2d119e90f8669e3c358468298941f48c15253f97 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 7 Oct 2017 00:11:31 +0200 Subject: [PATCH] imap: if a FETCH response has no size, don't call write callback --- lib/imap.c | 5 +++++ 1 file changed, 5 insertions(+) Index: curl-7.35.0/lib/imap.c =================================================================== --- curl-7.35.0.orig/lib/imap.c 2017-10-17 13:54:19.496658243 -0400 +++ curl-7.35.0/lib/imap.c 2017-10-17 13:54:19.480658065 -0400 @@ -1508,6 +1508,11 @@ static CURLcode imap_state_fetch_resp(st /* The conversion from curl_off_t to size_t is always fine here */ chunk = (size_t)size; + if(!chunk) { + /* no size, we're done with the data */ + state(conn, IMAP_STOP); + return CURLE_OK; + } result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk); if(result) return result; debian/patches/CVE-2018-16839-pre1.patch0000644000000000000000000000364313364076624014221 0ustar Backport of: From 945f60e8a7f08aedb0eede5e3574f1972fc86ec8 Mon Sep 17 00:00:00 2001 From: Patrick Monnerat Date: Thu, 24 Nov 2016 14:28:39 +0100 Subject: [PATCH] Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows. See CRL-01-006. --- lib/vauth/cleartext.c | 24 +++++++++++++++++------- lib/vtls/cyassl.c | 3 ++- lib/vtls/gskit.c | 3 +-- lib/x509asn1.c | 33 +++++++++++++++++++++------------ lib/x509asn1.h | 9 ++++++--- 5 files changed, 47 insertions(+), 25 deletions(-) Index: curl-7.35.0/lib/curl_sasl.c =================================================================== --- curl-7.35.0.orig/lib/curl_sasl.c 2018-10-24 10:09:36.090591179 -0400 +++ curl-7.35.0/lib/curl_sasl.c 2018-10-24 10:10:03.498667488 -0400 @@ -104,16 +104,27 @@ CURLcode Curl_sasl_create_plain_message( char *plainauth; size_t ulen; size_t plen; + size_t plainlen; + *outlen = 0; + *outptr = NULL; ulen = strlen(userp); plen = strlen(passwdp); - plainauth = malloc(2 * ulen + plen + 2); - if(!plainauth) { - *outlen = 0; - *outptr = NULL; + /* Compute binary message length, checking for overflows. */ + plainlen = 2 * ulen; + if(plainlen < ulen) + return CURLE_OUT_OF_MEMORY; + plainlen += plen; + if(plainlen < plen) + return CURLE_OUT_OF_MEMORY; + plainlen += 2; + if(plainlen < 2) + return CURLE_OUT_OF_MEMORY; + + plainauth = malloc(plainlen); + if(!plainauth) return CURLE_OUT_OF_MEMORY; - } /* Calculate the reply */ memcpy(plainauth, userp, ulen); @@ -123,7 +134,7 @@ CURLcode Curl_sasl_create_plain_message( memcpy(plainauth + 2 * ulen + 2, passwdp, plen); /* Base64 encode the reply */ - result = Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr, + result = Curl_base64_encode(data, plainauth, plainlen, outptr, outlen); Curl_safefree(plainauth); return result; debian/patches/CVE-2019-3823.patch0000644000000000000000000000260113424056424013244 0ustar Backport of: From 89dd3f49e1248d7f39401ecc9eecb4e82885e629 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Sat, 19 Jan 2019 00:42:47 +0100 Subject: [PATCH 3/3] smtp: avoid risk of buffer overflow in strtol If the incoming len 5, but the buffer does not have a termination after 5 bytes, the strtol() call may keep reading through the line buffer until is exceeds its boundary. Fix by ensuring that we are using a bounded read with a temporary buffer on the stack. Reported-by: Brian Carpenter (Geeknik Labs) --- lib/smtp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) Index: curl-7.35.0/lib/smtp.c =================================================================== --- curl-7.35.0.orig/lib/smtp.c 2019-01-29 09:02:58.061513434 -0500 +++ curl-7.35.0/lib/smtp.c 2019-01-29 09:02:58.057513406 -0500 @@ -245,8 +245,12 @@ static bool smtp_endofresp(struct connec Section 4. Examples of RFC-4954 but some e-mail servers ignore this and only send the response code instead as per Section 4.2. */ if(line[3] == ' ' || len == 5) { + char tmpline[6]; + result = TRUE; - *resp = curlx_sltosi(strtol(line, NULL, 10)); + memset(tmpline, '\0', sizeof(tmpline)); + memcpy(tmpline, line, (len == 5 ? 5 : 3)); + *resp = curlx_sltosi(strtol(tmpline, NULL, 10)); /* Make sure real server never sends internal value */ if(*resp == 1) debian/patches/CVE-2016-8615.patch0000644000000000000000000000342113006434050013235 0ustar Backport of: From 1620f552a277ed5b23a48b9c27dbf07663cac068 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 27 Sep 2016 17:36:19 +0200 Subject: [PATCH] cookie: replace use of fgets() with custom version ... that will ignore lines that are too long to fit in the buffer. CVE-2016-8615 Bug: https://curl.haxx.se/docs/adv_20161102A.html Reported-by: Cure53 --- lib/cookie.c | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) Index: curl-7.35.0/lib/cookie.c =================================================================== --- curl-7.35.0.orig/lib/cookie.c 2016-11-02 15:00:12.820640362 -0400 +++ curl-7.35.0/lib/cookie.c 2016-11-02 15:01:16.233001612 -0400 @@ -875,6 +875,35 @@ return co; } +/* + * get_line() makes sure to only return complete whole lines that fit in 'len' + * bytes and end with a newline. + */ +static char *get_line(char *buf, int len, FILE *input) +{ + bool partial = FALSE; + while(1) { + char *b = fgets(buf, len, input); + if(b) { + size_t rlen = strlen(b); + if(rlen && (b[rlen-1] == '\n')) { + if(partial) { + partial = FALSE; + continue; + } + return b; + } + else + /* read a partial, discard the next piece that ends with newline */ + partial = TRUE; + } + else + break; + } + return NULL; +} + + /***************************************************************************** * * Curl_cookie_init() @@ -926,7 +955,7 @@ char *line = malloc(MAX_COOKIE_LINE); if(line) { - while(fgets(line, MAX_COOKIE_LINE, fp)) { + while(get_line(line, MAX_COOKIE_LINE, fp)) { if(checkprefix("Set-Cookie:", line)) { /* This is a cookie line, get it! */ lineptr=&line[11]; debian/patches/01_runtests_gdb.patch0000644000000000000000000000237012272152435014646 0ustar Description: runtests_gdb. Origin: vendor Forwarded: no Author: Ramakrishnan Muthukrishnan Reviewed-by: Alessandro Ghedini Last-Update: 2011-11-01 --- a/tests/runtests.pl +++ b/tests/runtests.pl @@ -3412,11 +3412,11 @@ # run the command line we built if ($torture) { $cmdres = torture($CMDLINE, - "$gdb --directory libtest $DBGCURL -x $LOGDIR/gdbcmd"); + "libtool --mode=execute gdb --directory libtest $DBGCURL -x $LOGDIR/gdbcmd"); } elsif($gdbthis) { my $GDBW = ($gdbxwin) ? "-w" : ""; - runclient("$gdb --directory libtest $DBGCURL $GDBW -x $LOGDIR/gdbcmd"); + runclient("libtool --mode=execute gdb --directory libtest $DBGCURL -x $LOGDIR/gdbcmd"); $cmdres=0; # makes it always continue after a debugged run } else { @@ -3450,7 +3450,7 @@ open(GDBCMD, ">$LOGDIR/gdbcmd2"); print GDBCMD "bt\n"; close(GDBCMD); - runclient("$gdb --directory libtest -x $LOGDIR/gdbcmd2 -batch $DBGCURL core "); + runclient("libtool --mode=execute gdb --directory libtest -x $LOGDIR/gdbcmd2 -batch $DBGCURL core "); # unlink("$LOGDIR/gdbcmd2"); } } debian/patches/CVE-2018-1000121.patch0000644000000000000000000000276313252220457013457 0ustar From 9889db043393092e9d4b5a42720bba0b3d58deba Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 6 Mar 2018 23:02:16 +0100 Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL before using CVE-2018-1000121 Reported-by: Dario Weisser Bug: https://curl.haxx.se/docs/adv_2018-97a2.html --- lib/openldap.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) Index: curl-7.35.0/lib/openldap.c =================================================================== --- curl-7.35.0.orig/lib/openldap.c 2018-03-14 09:18:37.758047383 -0400 +++ curl-7.35.0/lib/openldap.c 2018-03-14 09:18:37.754047375 -0400 @@ -435,7 +435,7 @@ static ssize_t ldap_recv(struct connectd for(ent = ldap_first_message(li->ld, result); ent; ent = ldap_next_message(li->ld, ent)) { - struct berval bv, *bvals, **bvp = &bvals; + struct berval bv, *bvals; int binary = 0, msgtype; msgtype = ldap_msgtype(ent); @@ -481,9 +481,9 @@ static ssize_t ldap_recv(struct connectd Curl_client_write(conn, CLIENTWRITE_BODY, (char *)"\n", 1); data->req.bytecount += bv.bv_len + 5; - for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp); - rc == LDAP_SUCCESS; - rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) { + for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals); + (rc == LDAP_SUCCESS) && bvals; + rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) { int i; if(bv.bv_val == NULL) break; debian/patches/99_nss.patch0000644000000000000000000001155312272152435012772 0ustar Description: Build with NSS. Origin: vendor Forwarded: not-needed Author: Ramakrishnan Muthukrishnan Reviewed-by: Alessandro Ghedini Last-Update: 2013-04-17 --- a/docs/examples/Makefile.am +++ b/docs/examples/Makefile.am @@ -52,9 +52,9 @@ # Dependencies if USE_EXPLICIT_LIB_DEPS -LDADD = $(LIBDIR)/libcurl-gnutls.la @LIBCURL_LIBS@ +LDADD = $(LIBDIR)/libcurl-nss.la @LIBCURL_LIBS@ else -LDADD = $(LIBDIR)/libcurl-gnutls.la +LDADD = $(LIBDIR)/libcurl-nss.la endif # Makefile.inc provides the check_PROGRAMS and COMPLICATED_EXAMPLES defines --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -36,7 +36,7 @@ firefox-db2pem.sh config-vxworks.h Makefile.vxworks checksrc.pl \ objnames-test08.sh objnames-test10.sh objnames.inc -lib_LTLIBRARIES = libcurl-gnutls.la +lib_LTLIBRARIES = libcurl-nss.la if BUILD_UNITTESTS noinst_LTLIBRARIES = libcurlu.la @@ -106,38 +106,38 @@ AM_LDFLAGS = AM_CFLAGS = -libcurl_gnutls_la_CPPFLAGS_EXTRA = -libcurl_gnutls_la_LDFLAGS_EXTRA = -libcurl_gnutls_la_CFLAGS_EXTRA = +libcurl_nss_la_CPPFLAGS_EXTRA = +libcurl_nss_la_LDFLAGS_EXTRA = +libcurl_nss_la_CFLAGS_EXTRA = if CURL_LT_SHLIB_USE_VERSION_INFO -libcurl_gnutls_la_LDFLAGS_EXTRA += $(VERSIONINFO) +libcurl_nss_la_LDFLAGS_EXTRA += $(VERSIONINFO) endif if CURL_LT_SHLIB_USE_NO_UNDEFINED -libcurl_gnutls_la_LDFLAGS_EXTRA += -no-undefined +libcurl_nss_la_LDFLAGS_EXTRA += -no-undefined endif if CURL_LT_SHLIB_USE_MIMPURE_TEXT -libcurl_gnutls_la_LDFLAGS_EXTRA += -mimpure-text +libcurl_nss_la_LDFLAGS_EXTRA += -mimpure-text endif if CURL_LT_SHLIB_USE_VERSIONED_SYMBOLS -libcurl_gnutls_la_LDFLAGS_EXTRA += -Wl,--version-script=libcurl.vers +libcurl_nss_la_LDFLAGS_EXTRA += -Wl,--version-script=libcurl.vers endif if USE_CPPFLAG_CURL_STATICLIB -libcurl_gnutls_la_CPPFLAGS_EXTRA += -DCURL_STATICLIB +libcurl_nss_la_CPPFLAGS_EXTRA += -DCURL_STATICLIB endif if DOING_CURL_SYMBOL_HIDING -libcurl_gnutls_la_CPPFLAGS_EXTRA += -DCURL_HIDDEN_SYMBOLS -libcurl_gnutls_la_CFLAGS_EXTRA += $(CFLAG_CURL_SYMBOL_HIDING) +libcurl_nss_la_CPPFLAGS_EXTRA += -DCURL_HIDDEN_SYMBOLS +libcurl_nss_la_CFLAGS_EXTRA += $(CFLAG_CURL_SYMBOL_HIDING) endif -libcurl_gnutls_la_CPPFLAGS = $(AM_CPPFLAGS) $(libcurl_gnutls_la_CPPFLAGS_EXTRA) -libcurl_gnutls_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_gnutls_la_LDFLAGS_EXTRA) $(LDFLAGS) $(LIBCURL_LIBS) -libcurl_gnutls_la_CFLAGS = $(AM_CFLAGS) $(libcurl_gnutls_la_CFLAGS_EXTRA) +libcurl_nss_la_CPPFLAGS = $(AM_CPPFLAGS) $(libcurl_nss_la_CPPFLAGS_EXTRA) +libcurl_nss_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_nss_la_LDFLAGS_EXTRA) $(LDFLAGS) $(LIBCURL_LIBS) +libcurl_nss_la_CFLAGS = $(AM_CFLAGS) $(libcurl_nss_la_CFLAGS_EXTRA) libcurlu_la_CPPFLAGS = $(AM_CPPFLAGS) -DCURL_STATICLIB -DUNITTESTS libcurlu_la_LDFLAGS = $(AM_LDFLAGS) -static $(LIBCURL_LIBS) @@ -146,7 +146,7 @@ # Makefile.inc provides the CSOURCES and HHEADERS defines include Makefile.inc -libcurl_gnutls_la_SOURCES = $(CSOURCES) $(HHEADERS) +libcurl_nss_la_SOURCES = $(CSOURCES) $(HHEADERS) libcurlu_la_SOURCES = $(CSOURCES) $(HHEADERS) checksrc: --- a/src/Makefile.am +++ b/src/Makefile.am @@ -57,14 +57,14 @@ LIBS = $(BLANK_AT_MAKETIME) if USE_EXPLICIT_LIB_DEPS -curl_LDADD = $(top_builddir)/lib/libcurl-gnutls.la @LIBMETALINK_LIBS@ @LIBCURL_LIBS@ +curl_LDADD = $(top_builddir)/lib/libcurl-nss.la @LIBMETALINK_LIBS@ @LIBCURL_LIBS@ else -curl_LDADD = $(top_builddir)/lib/libcurl-gnutls.la @LIBMETALINK_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ +curl_LDADD = $(top_builddir)/lib/libcurl-nss.la @LIBMETALINK_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ endif curl_LDFLAGS = @LIBMETALINK_LDFLAGS@ curl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBMETALINK_CPPFLAGS) -curl_DEPENDENCIES = $(top_builddir)/lib/libcurl-gnutls.la +curl_DEPENDENCIES = $(top_builddir)/lib/libcurl-nss.la # if unit tests are enabled, build a static library to link them with if BUILD_UNITTESTS --- a/tests/libtest/Makefile.am +++ b/tests/libtest/Makefile.am @@ -59,16 +59,16 @@ LIBS = $(BLANK_AT_MAKETIME) if USE_EXPLICIT_LIB_DEPS -SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @LIBCURL_LIBS@ -TESTUTIL_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @LIBCURL_LIBS@ +SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl-nss.la @LIBCURL_LIBS@ +TESTUTIL_LIBS = $(top_builddir)/lib/libcurl-nss.la @LIBCURL_LIBS@ else -SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @CURL_NETWORK_LIBS@ -TESTUTIL_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @CURL_NETWORK_AND_TIME_LIBS@ +SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl-nss.la @CURL_NETWORK_LIBS@ +TESTUTIL_LIBS = $(top_builddir)/lib/libcurl-nss.la @CURL_NETWORK_AND_TIME_LIBS@ endif # Dependencies (may need to be overriden) LDADD = $(SUPPORTFILES_LIBS) -DEPENDENCIES = $(top_builddir)/lib/libcurl-gnutls.la +DEPENDENCIES = $(top_builddir)/lib/libcurl-nss.la # Makefile.inc provides the source defines (TESTUTIL, SUPPORTFILES, # noinst_PROGRAMS, lib*_SOURCES, and lib*_CFLAGS) debian/patches/CVE-2016-8618.patch0000644000000000000000000000241513006434077013253 0ustar From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 28 Sep 2016 10:15:34 +0200 Subject: [PATCH] aprintf: detect wrap-around when growing allocation On 32bit systems we could otherwise wrap around after 2GB and allocate 0 bytes and crash. CVE-2016-8618 Bug: https://curl.haxx.se/docs/adv_20161102D.html Reported-by: Cure53 --- lib/mprintf.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) Index: curl-7.47.0/lib/mprintf.c =================================================================== --- curl-7.47.0.orig/lib/mprintf.c 2016-11-02 14:20:01.578903915 -0400 +++ curl-7.47.0/lib/mprintf.c 2016-11-02 14:20:01.574903893 -0400 @@ -1011,16 +1011,19 @@ infop->len =0; } else if(infop->len+1 >= infop->alloc) { - char *newptr; + char *newptr = NULL; + size_t newsize = infop->alloc*2; - newptr = realloc(infop->buffer, infop->alloc*2); + /* detect wrap-around or other overflow problems */ + if(newsize > infop->alloc) + newptr = realloc(infop->buffer, newsize); if(!newptr) { infop->fail = 1; return -1; /* fail */ } infop->buffer = newptr; - infop->alloc *= 2; + infop->alloc = newsize; } infop->buffer[ infop->len ] = outc; debian/patches/CVE-2016-8624.patch0000644000000000000000000000412013006435666013250 0ustar Backport of: From 6604d4df30aec66db6f5bd51ee3c341dd7329fcf Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 11 Oct 2016 00:48:35 +0200 Subject: [PATCH] urlparse: accept '#' as end of host name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 'http://example.com#@127.0.0.1/x.txt' equals a request to example.com for the '/' document with the rest of the URL being a fragment. CVE-2016-8624 Bug: https://curl.haxx.se/docs/adv_20161102J.html Reported-by: Fernando Muñoz --- lib/url.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) Index: curl-7.35.0/lib/url.c =================================================================== --- curl-7.35.0.orig/lib/url.c 2016-11-02 15:17:08.130424415 -0400 +++ curl-7.35.0/lib/url.c 2016-11-02 15:17:08.126424393 -0400 @@ -3806,7 +3806,7 @@ path[0]=0; if(2 > sscanf(data->change.url, - "%15[^\n:]://%[^\n/?]%[^\n]", + "%15[^\n:]://%[^\n/?#]%[^\n]", protobuf, conn->host.name, path)) { @@ -3814,7 +3814,7 @@ * The URL was badly formatted, let's try the browser-style _without_ * protocol specified like 'http://'. */ - rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path); + rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path); if(1 > rc) { /* * We couldn't even get this format. @@ -3901,10 +3901,10 @@ } /* If the URL is malformatted (missing a '/' after hostname before path) we - * insert a slash here. The only letter except '/' we accept to start a path - * is '?'. + * insert a slash here. The only letters except '/' that can start a path is + * '?' and '#' - as controlled by the two sscanf() patterns above. */ - if(path[0] == '?') { + if(path[0] != '/') { /* We need this function to deal with overlapping memory areas. We know that the memory area 'path' points to is 'urllen' bytes big and that is bigger than the path. Use +1 to move the zero byte too. */ debian/patches/CVE-2018-1000007.patch0000644000000000000000000002040213233704641013451 0ustar Backport of: From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 19 Jan 2018 13:19:25 +0100 Subject: [PATCH] http: prevent custom Authorization headers in redirects ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how curl already handles Authorization headers created internally. Note: this changes behavior slightly, for the sake of reducing mistakes. Added test 317 and 318 to verify. Reported-by: Craig de Stigter Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html --- lib/http.c | 11 +++++- lib/url.c | 2 +- lib/urldata.h | 2 +- tests/data/Makefile.am | 2 +- tests/data/test317 | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++ tests/data/test318 | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 203 insertions(+), 4 deletions(-) create mode 100644 tests/data/test317 create mode 100644 tests/data/test318 diff --git a/lib/http.c b/lib/http.c index ed8817b..ae7581d 100644 --- a/lib/http.c +++ b/lib/http.c @@ -683,7 +683,7 @@ Curl_http_output_auth(struct connectdata *conn, if(!data->state.this_is_a_follow || conn->bits.netrc || !data->state.first_host || - data->set.http_disable_hostname_check_before_authentication || + data->set.allow_auth_to_other_hosts || Curl_raw_equal(data->state.first_host, conn->host.name)) { result = output_auth_headers(conn, authhost, request, path, FALSE); } @@ -1528,6 +1528,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, { char *ptr; struct curl_slist *headers=conn->data->set.headers; + struct SessionHandle *data = conn->data; while(headers) { ptr = strchr(headers->data, ':'); @@ -1560,6 +1561,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, Connection: */ checkprefix("Connection", headers->data)) ; + else if(checkprefix("Authorization:", headers->data) && + /* be careful of sending this potentially sensitive header to + other hosts */ + (data->state.this_is_a_follow && + data->state.first_host && + !data->set.allow_auth_to_other_hosts && + !Curl_raw_equal(data->state.first_host, conn->host.name))) + ; else { CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", headers->data); diff --git a/lib/url.c b/lib/url.c index ee07060..b92d570 100644 --- a/lib/url.c +++ b/lib/url.c @@ -908,7 +908,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, * Send authentication (user+password) when following locations, even when * hostname changed. */ - data->set.http_disable_hostname_check_before_authentication = + data->set.allow_auth_to_other_hosts = (0 != va_arg(param, long))?TRUE:FALSE; break; diff --git a/lib/urldata.h b/lib/urldata.h index 3465644..46a1606 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1518,7 +1518,7 @@ struct UserDefined { bool http_fail_on_error; /* fail on HTTP error codes >= 300 */ bool http_follow_location; /* follow HTTP redirects */ bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ - bool http_disable_hostname_check_before_authentication; + bool allow_auth_to_other_hosts; bool include_header; /* include received protocol headers in data output */ bool http_set_referer; /* is a custom referer used */ bool http_auto_referer; /* set "correct" referer when following location: */ diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 27dc019..0d3749d 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -37,7 +37,7 @@ test280 test281 test282 test283 test284 test285 test286 test287 test288 \ test289 test290 test291 test292 test293 test294 test295 test296 test297 \ test298 test299 test300 test301 test302 test303 test304 test305 test306 \ test307 test308 test309 test310 test311 test312 test313 \ - test320 test321 test322 test323 test324 \ + test317 test318 test320 test321 test322 test323 test324 \ test350 test351 test352 test353 test354 \ \ test400 test401 test402 test403 test404 test405 test406 test407 test408 \ diff --git a/tests/data/test317 b/tests/data/test317 new file mode 100644 index 0000000..4d4c9cf --- /dev/null +++ b/tests/data/test317 @@ -0,0 +1,95 @@ + + + +HTTP +HTTP proxy +HTTP Basic auth +HTTP proxy Basic auth +followlocation + + +# +# Server-side + + +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3170002 +Content-Length: 8 +Connection: close + +contents + + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents + + + +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3170002 +Content-Length: 8 +Connection: close + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents + + + +# +# Client-side + + +http + + +HTTP with custom Authorization: and redirect to new host + + +http://first.host.it.is/we/want/that/page/317 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location + + + +# +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +GET http://first.host.it.is/we/want/that/page/317 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: first.host.it.is +Accept: */* +Proxy-Connection: Keep-Alive +Authorization: s3cr3t + +GET http://goto.second.host.now/3170002 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: goto.second.host.now +Accept: */* +Proxy-Connection: Keep-Alive + + + + + diff --git a/tests/data/test318 b/tests/data/test318 new file mode 100644 index 0000000..20406b1 --- /dev/null +++ b/tests/data/test318 @@ -0,0 +1,95 @@ + + + +HTTP +HTTP proxy +HTTP Basic auth +HTTP proxy Basic auth +followlocation + + +# +# Server-side + + +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3180002 +Content-Length: 8 +Connection: close + +contents + + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents + + + +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3180002 +Content-Length: 8 +Connection: close + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents + + + +# +# Client-side + + +http + + +HTTP with custom Authorization: and redirect to new host + + +http://first.host.it.is/we/want/that/page/318 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location-trusted + + + +# +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +GET http://first.host.it.is/we/want/that/page/318 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: first.host.it.is +Accept: */* +Proxy-Connection: Keep-Alive +Authorization: s3cr3t + +GET http://goto.second.host.now/3180002 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: goto.second.host.now +Accept: */* +Proxy-Connection: Keep-Alive +Authorization: s3cr3t + + + + -- 2.7.4 debian/patches/CVE-2018-1000301.patch0000644000000000000000000000240213274363355013456 0ustar From 8268099b7146450fe508231842bb1549f0e3ccf1 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 24 Mar 2018 23:47:41 +0100 Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed ... leaving the k->str could lead to buffer over-reads later on. Assisted-by: Max Dymond Detected by OSS-Fuzz. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 --- lib/http.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) Index: curl-7.35.0/lib/http.c =================================================================== --- curl-7.35.0.orig/lib/http.c 2018-05-08 14:05:26.637462653 -0400 +++ curl-7.35.0/lib/http.c 2018-05-08 14:05:26.633462654 -0400 @@ -2790,6 +2790,8 @@ CURLcode Curl_http_readwrite_headers(str { CURLcode result; struct SingleRequest *k = &data->req; + ssize_t onread = *nread; + char *ostr = k->str; /* header line within buffer loop */ do { @@ -2854,7 +2856,9 @@ CURLcode Curl_http_readwrite_headers(str else { /* this was all we read so it's all a bad header */ k->badheader = HEADER_ALLBAD; - *nread = (ssize_t)rest_length; + *nread = onread; + k->str = ostr; + return CURLE_OK; } break; } debian/patches/CVE-2016-8621.patch0000644000000000000000000000615513006435203013242 0ustar Backport of: From 8a6d9ded5f02f0294ae63a007e26087316c1998e Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 4 Oct 2016 16:59:38 +0200 Subject: [PATCH] parsedate: handle cut off numbers better MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ... and don't read outside of the given buffer! CVE-2016-8621 bug: https://curl.haxx.se/docs/adv_20161102G.html Reported-by: Luật Nguyễn --- lib/parsedate.c | 12 +++++++----- tests/data/test517 | 6 ++++++ tests/libtest/lib517.c | 8 +++++++- 3 files changed, 20 insertions(+), 6 deletions(-) Index: curl-7.35.0/lib/parsedate.c =================================================================== --- curl-7.35.0.orig/lib/parsedate.c 2016-11-02 15:11:49.548609507 -0400 +++ curl-7.35.0/lib/parsedate.c 2016-11-02 15:11:49.548609507 -0400 @@ -384,15 +384,17 @@ /* a digit */ int val; char *end; + int len=0; if((secnum == -1) && - (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) { + (3 == sscanf(date, "%02d:%02d:%02d%n", + &hournum, &minnum, &secnum, &len))) { /* time stamp! */ - date += 8; + date += len; } else if((secnum == -1) && - (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) { + (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) { /* time stamp without seconds */ - date += 5; + date += len; secnum = 0; } else { Index: curl-7.35.0/tests/data/test517 =================================================================== --- curl-7.35.0.orig/tests/data/test517 2016-11-02 15:11:49.548609507 -0400 +++ curl-7.35.0/tests/data/test517 2016-11-02 15:11:49.548609507 -0400 @@ -110,6 +110,12 @@ 81: 20111323 12:34:56 => -1 82: 20110623 12:34:79 => -1 83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000 +84: 20110623 12:3 => 1308830580 +85: 20110623 1:3 => 1308790980 +86: 20110623 1:30 => 1308792600 +87: 20110623 12:12:3 => 1308831123 +88: 20110623 01:12:3 => 1308791523 +89: 20110623 01:99:30 => -1 # This test case previously tested an overflow case ("2094 Nov 6 => Index: curl-7.35.0/tests/libtest/lib517.c =================================================================== --- curl-7.35.0.orig/tests/libtest/lib517.c 2016-11-02 15:11:49.548609507 -0400 +++ curl-7.35.0/tests/libtest/lib517.c 2016-11-02 15:11:49.548609507 -0400 @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -116,6 +116,12 @@ "20111323 12:34:56", "20110623 12:34:79", "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */ + "20110623 12:3", + "20110623 1:3", + "20110623 1:30", + "20110623 12:12:3", + "20110623 01:12:3", + "20110623 01:99:30", NULL }; debian/patches/CVE-2018-1000120-pre2.patch0000644000000000000000000001035213252220304014304 0ustar WARNING: this patch contains both CRLF and LF line terminators, editing may break it. Backport of: From ecf21c551fa3426579463abe34b623111b8d487c Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 10 Oct 2017 12:02:11 +0200 Subject: [PATCH] FTP: URL decode path for dir listing in nocwd mode Reported-by: Zenju on github Test 244 added to verify Fixes #1974 Closes #1976 --- lib/ftp.c | 21 +++++++++---------- tests/data/Makefile.inc | 2 +- tests/data/test244 | 54 +++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 64 insertions(+), 13 deletions(-) create mode 100644 tests/data/test244 Index: curl-7.35.0/lib/ftp.c =================================================================== --- curl-7.35.0.orig/lib/ftp.c 2018-03-14 09:13:35.713404747 -0400 +++ curl-7.35.0/lib/ftp.c 2018-03-14 09:14:52.861586227 -0400 @@ -1471,25 +1471,22 @@ static CURLcode ftp_state_list(struct co then just do LIST (in that case: nothing to do here) */ char *cmd,*lstArg,*slashPos; + const char *inpath = data->state.path; lstArg = NULL; if((data->set.ftp_filemethod == FTPFILE_NOCWD) && - data->state.path && - data->state.path[0] && - strchr(data->state.path,'/')) { - - lstArg = strdup(data->state.path); - if(!lstArg) - return CURLE_OUT_OF_MEMORY; + inpath && inpath[0] && strchr(inpath, '/')) { + size_t n = strlen(inpath); /* Check if path does not end with /, as then we cut off the file part */ - if(lstArg[strlen(lstArg) - 1] != '/') { - + if(inpath[n - 1] != '/') { /* chop off the file part if format is dir/dir/file */ - slashPos = strrchr(lstArg,'/'); - if(slashPos) - *(slashPos+1) = '\0'; + slashPos = strrchr(inpath, '/'); + n = slashPos - inpath; } + result = Curl_urldecode(data, inpath, n, &lstArg, NULL, FALSE); + if(result) + return result; } cmd = aprintf( "%s%s%s", Index: curl-7.35.0/tests/data/test244 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test244 2018-03-14 09:13:35.713404747 -0400 @@ -0,0 +1,54 @@ + + + +FTP +PASV +CWD +--ftp-method +nocwd + + +# +# Server-side + + +total 20 +drwxr-xr-x 8 98 98 512 Oct 22 13:06 . +drwxr-xr-x 8 98 98 512 Oct 22 13:06 .. +drwxr-xr-x 2 98 98 512 May 2 1996 .NeXT +-r--r--r-- 1 0 1 35 Jul 16 1996 README +lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin +dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev +drwxrwxrwx 2 98 98 512 May 29 16:04 download.html +dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc +drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub +dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr + + + +# Client-side + + +ftp + + +FTP dir listing with nocwd and URL encoded path + + +--ftp-method nocwd ftp://%HOSTIP:%FTPPORT/fir%23t/th%69rd/244/ + + + +# Verify data after the test has been "shot" + + +USER anonymous +PASS ftp@example.com +PWD +EPSV +TYPE A +LIST fir#t/third/244/ +QUIT + + + Index: curl-7.35.0/tests/data/Makefile.am =================================================================== --- curl-7.35.0.orig/tests/data/Makefile.am 2018-03-14 07:49:58.000000000 -0400 +++ curl-7.35.0/tests/data/Makefile.am 2018-03-14 09:16:48.177833783 -0400 @@ -29,7 +29,7 @@ test208 test209 test210 test211 test212 test217 test218 test220 test221 test222 test223 test224 test225 \ test226 test227 test228 test229 test231 test233 test234 \ test235 test236 test237 test238 test239 test240 test241 test242 test243 \ - test245 test246 test247 test248 test249 test250 test251 test252 \ +test244 test245 test246 test247 test248 test249 test250 test251 test252 \ test253 test254 test255 test256 test257 test258 test259 test260 test261 \ test262 test263 test264 test265 test266 test267 test268 test269 test270 \ test271 test272 test273 test274 test275 test276 test277 test278 test279 \ debian/patches/CVE-2016-7167.patch0000644000000000000000000000343113006433614013244 0ustar Backport of: From bf0bb3849422c043f21f56fae57c1cf85e41a272 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 8 Sep 2016 22:59:54 +0200 Subject: [PATCH] CVE-2016-7167: deny negative string length inputs Bug: https://curl.haxx.se/docs/adv_20160914.html --- lib/escape.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) Index: curl-7.35.0/lib/escape.c =================================================================== --- curl-7.35.0.orig/lib/escape.c 2016-11-02 14:58:42.552126118 -0400 +++ curl-7.35.0/lib/escape.c 2016-11-02 14:59:16.268318193 -0400 @@ -80,15 +80,21 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) { - size_t alloc = (inlength?(size_t)inlength:strlen(string))+1; + size_t alloc; char *ns; char *testing_ptr = NULL; unsigned char in; /* we need to treat the characters unsigned */ - size_t newlen = alloc; + size_t newlen; size_t strindex=0; size_t length; CURLcode res; + if(inlength < 0) + return NULL; + + alloc = (inlength?(size_t)inlength:strlen(string))+1; + newlen = alloc; + ns = malloc(alloc); if(!ns) return NULL; @@ -213,14 +219,16 @@ int *olen) { char *str = NULL; - size_t inputlen = length; - size_t outputlen; - CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen, - FALSE); - if(res) - return NULL; - if(olen) - *olen = curlx_uztosi(outputlen); + if(length >= 0) { + size_t inputlen = length; + size_t outputlen; + CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen, + FALSE); + if(res) + return NULL; + if(olen) + *olen = curlx_uztosi(outputlen); + } return str; } debian/patches/CVE-2018-16839-pre2.patch0000644000000000000000000000506213364076711014214 0ustar Backport of: From c1366571b609407cf0d4d9f4a2769d29e1313151 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 20 Mar 2018 15:15:14 +0100 Subject: [PATCH] vauth/cleartext: fix integer overflow check Make the integer overflow check not rely on the undefined behavior that a size_t wraps around on overflow. Detected by lgtm.com Closes #2408 --- lib/curl_ntlm_core.c | 11 +---------- lib/curl_setup.h | 9 +++++++++ lib/vauth/cleartext.c | 14 ++++---------- 3 files changed, 14 insertions(+), 20 deletions(-) Index: curl-7.35.0/lib/curl_ntlm_core.c =================================================================== --- curl-7.35.0.orig/lib/curl_ntlm_core.c 2018-10-24 10:11:50.470965408 -0400 +++ curl-7.35.0/lib/curl_ntlm_core.c 2018-10-24 10:12:17.051039454 -0400 @@ -377,15 +377,6 @@ static void ascii_to_unicode_le(unsigned } } -#ifndef SIZE_T_MAX -/* some limits.h headers have this defined, some don't */ -#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) -#define SIZE_T_MAX 18446744073709551615U -#else -#define SIZE_T_MAX 4294967295U -#endif -#endif - /* * Set up nt hashed passwords */ Index: curl-7.35.0/lib/curl_setup.h =================================================================== --- curl-7.35.0.orig/lib/curl_setup.h 2018-10-24 10:11:53.062972628 -0400 +++ curl-7.35.0/lib/curl_setup.h 2018-10-24 10:11:53.062972628 -0400 @@ -409,6 +409,15 @@ # endif #endif +#ifndef SIZE_T_MAX +/* some limits.h headers have this defined, some don't */ +#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) +#define SIZE_T_MAX 18446744073709551615U +#else +#define SIZE_T_MAX 4294967295U +#endif +#endif + /* * Arg 2 type for gethostname in case it hasn't been defined in config file. */ Index: curl-7.35.0/lib/curl_sasl.c =================================================================== --- curl-7.35.0.orig/lib/curl_sasl.c 2018-10-24 10:11:53.062972628 -0400 +++ curl-7.35.0/lib/curl_sasl.c 2018-10-24 10:11:53.062972628 -0400 @@ -111,16 +111,10 @@ CURLcode Curl_sasl_create_plain_message( ulen = strlen(userp); plen = strlen(passwdp); - /* Compute binary message length, checking for overflows. */ - plainlen = 2 * ulen; - if(plainlen < ulen) - return CURLE_OUT_OF_MEMORY; - plainlen += plen; - if(plainlen < plen) - return CURLE_OUT_OF_MEMORY; - plainlen += 2; - if(plainlen < 2) + /* Compute binary message length. Check for overflows. */ + if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) return CURLE_OUT_OF_MEMORY; + plainlen = 2 * ulen + plen + 2; plainauth = malloc(plainlen); if(!plainauth) debian/patches/CVE-2016-8617.patch0000644000000000000000000000156013006434074013247 0ustar Backport of: From 3599341dd611303ee9544839d30f603f606d1082 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 28 Sep 2016 00:05:12 +0200 Subject: [PATCH] base64: check for integer overflow on large input CVE-2016-8617 Bug: https://curl.haxx.se/docs/adv_20161102C.html Reported-by: Cure53 --- lib/base64.c | 5 +++++ 1 file changed, 5 insertions(+) Index: curl-7.35.0/lib/base64.c =================================================================== --- curl-7.35.0.orig/lib/base64.c 2016-11-02 15:02:18.889358555 -0400 +++ curl-7.35.0/lib/base64.c 2016-11-02 15:02:18.885358532 -0400 @@ -205,6 +205,11 @@ if(0 == insize) insize = strlen(indata); +#if SIZEOF_SIZE_T == 4 + if(insize > UINT_MAX/4) + return CURLE_OUT_OF_MEMORY; +#endif + base64data = output = malloc(insize*4/3+4); if(NULL == output) return CURLE_OUT_OF_MEMORY; debian/patches/07_do-not-disable-debug-symbols.patch0000644000000000000000000000541512272152435017527 0ustar Description: Do not disable debug symbols without --enable-debug Origin: vendor Bug-Debian: http://bugs.debian.org/693110 Forwarded: not-needed Author: Alessandro Ghedini Reviewed-by: Alessandro Ghedini Last-Update: 2012-11-16 --- a/m4/curl-compilers.m4 +++ b/m4/curl-compilers.m4 @@ -97,7 +97,6 @@ flags_dbg_all="$flags_dbg_all -gdwarf-2" flags_dbg_all="$flags_dbg_all -gvms" flags_dbg_yes="-g" - flags_dbg_off="" flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4" flags_opt_yes="-Os" flags_opt_off="-O0" @@ -121,7 +120,6 @@ compiler_id="DEC_C" flags_dbg_all="-g -g0 -g1 -g2 -g3" flags_dbg_yes="-g2" - flags_dbg_off="" flags_opt_all="-O -O0 -O1 -O2 -O3 -O4" flags_opt_yes="-O1" flags_opt_off="-O0" @@ -157,7 +155,6 @@ flags_dbg_all="$flags_dbg_all -gdwarf-2" flags_dbg_all="$flags_dbg_all -gvms" flags_dbg_yes="-g" - flags_dbg_off="" flags_opt_all="-O -O0 -O1 -O2 -O3 -Os" flags_opt_yes="-O2" flags_opt_off="-O0" @@ -202,7 +199,6 @@ compiler_id="IBM_C" flags_dbg_all="-g -g0 -g1 -g2 -g3" flags_dbg_yes="-g" - flags_dbg_off="" flags_opt_all="-O -O0 -O1 -O2 -O3 -O4 -O5" flags_opt_all="$flags_opt_all -qnooptimize" flags_opt_all="$flags_opt_all -qoptimize=0" @@ -236,7 +232,6 @@ compiler_id="INTEL_UNIX_C" flags_dbg_all="-g -g0" flags_dbg_yes="-g" - flags_dbg_off="" flags_opt_all="-O -O0 -O1 -O2 -O3 -Os" flags_opt_yes="-O2" flags_opt_off="-O0" @@ -274,7 +269,6 @@ compiler_id="LCC" flags_dbg_all="-g" flags_dbg_yes="-g" - flags_dbg_off="" flags_opt_all="" flags_opt_yes="" flags_opt_off="" @@ -300,7 +294,6 @@ compiler_id="SGI_MIPS_C" flags_dbg_all="-g -g0 -g1 -g2 -g3" flags_dbg_yes="-g" - flags_dbg_off="" flags_opt_all="-O -O0 -O1 -O2 -O3 -Ofast" flags_opt_yes="-O2" flags_opt_off="-O0" @@ -327,7 +320,6 @@ compiler_id="SGI_MIPSPRO_C" flags_dbg_all="-g -g0 -g1 -g2 -g3" flags_dbg_yes="-g" - flags_dbg_off="" flags_opt_all="-O -O0 -O1 -O2 -O3 -Ofast" flags_opt_yes="-O2" flags_opt_off="-O0" @@ -371,7 +363,6 @@ compiler_id="TINY_C" flags_dbg_all="-g -b" flags_dbg_yes="-g" - flags_dbg_off="" flags_opt_all="" flags_opt_yes="" flags_opt_off="" @@ -395,7 +386,6 @@ compiler_id="WATCOM_UNIX_C" flags_dbg_all="-g1 -g1+ -g2 -g3" flags_dbg_yes="-g2" - flags_dbg_off="" flags_opt_all="-O0 -O1 -O2 -O3" flags_opt_yes="-O2" flags_opt_off="-O0" @@ -403,7 +393,6 @@ compiler_id="WATCOM_WINDOWS_C" flags_dbg_all="" flags_dbg_yes="" - flags_dbg_off="" flags_opt_all="" flags_opt_yes="" flags_opt_off="" debian/patches/CVE-2014-0139.patch0000644000000000000000000001753212315315472013244 0ustar Description: fix incorrect wildcard SSL certificate validation with literal IP addresses Origin: backport, https://github.com/bagder/curl/commit/5019c780958c3a8dbe64123aa90e6eaff1b84cfa Origin: backport, https://github.com/bagder/curl/commit/965690f67e190b5069cb0b16eef6917cb0d8ae18 Origin: backport, https://github.com/bagder/curl/commit/4d06b27921bde6d0caba0c84c1e50f8495ed48ee Origin: backport, https://github.com/bagder/curl/commit/7cb763cf576e9d6ab93fcc1fbfb02c95766a1334 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742728 Index: curl-7.35.0/lib/hostcheck.c =================================================================== --- curl-7.35.0.orig/lib/hostcheck.c 2014-01-05 17:07:54.000000000 -0500 +++ curl-7.35.0/lib/hostcheck.c 2014-03-28 11:42:42.415557290 -0400 @@ -28,6 +28,11 @@ #include "hostcheck.h" #include "rawstr.h" +#include "inet_pton.h" + +#include "curl_memory.h" +/* The last #include file should be: */ +#include "memdebug.h" /* * Match a hostname against a wildcard pattern. @@ -36,18 +41,50 @@ * * We use the matching rule described in RFC6125, section 6.4.3. * http://tools.ietf.org/html/rfc6125#section-6.4.3 + * + * In addition: ignore trailing dots in the host names and wildcards, so that + * the names are used normalized. This is what the browsers do. + * + * Do not allow wildcard matching on IP numbers. There are apparently + * certificates being used with an IP address in the CN field, thus making no + * apparent distinction between a name and an IP. We need to detect the use of + * an IP address and not wildcard match on such names. + * + * NOTE: hostmatch() gets called with copied buffers so that it can modify the + * contents at will. */ -static int hostmatch(const char *hostname, const char *pattern) +static int hostmatch(char *hostname, char *pattern) { const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; int wildcard_enabled; size_t prefixlen, suffixlen; + struct in_addr ignored; +#ifdef ENABLE_IPV6 + struct sockaddr_in6 si6; +#endif + + /* normalize pattern and hostname by stripping off trailing dots */ + size_t len = strlen(hostname); + if(hostname[len-1]=='.') + hostname[len-1]=0; + len = strlen(pattern); + if(pattern[len-1]=='.') + pattern[len-1]=0; + pattern_wildcard = strchr(pattern, '*'); if(pattern_wildcard == NULL) return Curl_raw_equal(pattern, hostname) ? CURL_HOST_MATCH : CURL_HOST_NOMATCH; + /* detect IP address as hostname and fail the match if so */ + if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0) + return CURL_HOST_NOMATCH; +#ifdef ENABLE_IPV6 + else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0) + return CURL_HOST_NOMATCH; +#endif + /* We require at least 2 dots in pattern to avoid too wide wildcard match. */ wildcard_enabled = 1; @@ -82,16 +119,26 @@ int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) { + char *matchp; + char *hostp; + int res = 0; if(!match_pattern || !*match_pattern || !hostname || !*hostname) /* sanity check */ - return 0; - - if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */ - return 1; + ; + else { + matchp = strdup(match_pattern); + if(matchp) { + hostp = strdup(hostname); + if(hostp) { + if(hostmatch(hostp, matchp) == CURL_HOST_MATCH) + res= 1; + free(hostp); + } + free(matchp); + } + } - if(hostmatch(hostname,match_pattern) == CURL_HOST_MATCH) - return 1; - return 0; + return res; } #endif /* SSLEAY or AXTLS or QSOSSL or GSKIT or NSS */ Index: curl-7.35.0/tests/data/Makefile.am =================================================================== --- curl-7.35.0.orig/tests/data/Makefile.am 2014-03-28 11:42:24.919557007 -0400 +++ curl-7.35.0/tests/data/Makefile.am 2014-03-28 11:42:44.779557328 -0400 @@ -116,7 +116,7 @@ test1372 test1373 test1374 test1375 test1376 test1377 test1378 test1379 \ test1380 test1381 test1382 test1383 test1384 test1385 test1386 test1387 \ test1388 test1389 test1390 test1391 test1392 test1393 test1394 test1395 \ -test1396 \ +test1396 test1397 \ \ test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \ test1408 test1409 test1410 test1412 test1413 test1414 test1415 \ Index: curl-7.35.0/tests/data/test1397 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test1397 2014-03-28 11:42:44.783557329 -0400 @@ -0,0 +1,27 @@ + + + +unittest +ssl +wildcard + + + +# +# Client-side + + +none + + +unittest + + +Check wildcard certificate matching function Curl_cert_hostcheck + + +unit1397 + + + + Index: curl-7.35.0/tests/unit/Makefile.inc =================================================================== --- curl-7.35.0.orig/tests/unit/Makefile.inc 2014-01-05 17:07:54.000000000 -0500 +++ curl-7.35.0/tests/unit/Makefile.inc 2014-03-28 11:42:44.783557329 -0400 @@ -6,7 +6,7 @@ # These are all unit test programs UNITPROGS = unit1300 unit1301 unit1302 unit1303 unit1304 unit1305 unit1307 \ - unit1308 unit1309 unit1330 unit1394 unit1395 unit1396 + unit1308 unit1309 unit1330 unit1394 unit1395 unit1396 unit1397 unit1300_SOURCES = unit1300.c $(UNITFILES) unit1300_CPPFLAGS = $(AM_CPPFLAGS) @@ -49,3 +49,6 @@ unit1396_SOURCES = unit1396.c $(UNITFILES) unit1396_CPPFLAGS = $(AM_CPPFLAGS) + +unit1397_SOURCES = unit1397.c $(UNITFILES) +unit1397_CPPFLAGS = $(AM_CPPFLAGS) Index: curl-7.35.0/tests/unit/unit1397.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/unit/unit1397.c 2014-03-28 11:42:47.147557367 -0400 @@ -0,0 +1,52 @@ +#include "curlcheck.h" + +#include "hostcheck.h" /* from the lib dir */ + +static CURLcode unit_setup(void) +{ + return CURLE_OK; +} + +static void unit_stop( void ) +{ + /* done before shutting down and exiting */ +} + +UNITTEST_START + +/* only these backends define the tested functions */ +#if defined(USE_SSLEAY) || defined(USE_AXTLS) || defined(USE_QSOSSL) || \ + defined(USE_GSKIT) + + /* here you start doing things and checking that the results are good */ + +fail_unless( Curl_cert_hostcheck("www.example.com", "www.example.com"), "good 1" ); +fail_unless( Curl_cert_hostcheck("*.example.com", "www.example.com"), "good 2" ); +fail_unless( Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"), "good 3" ); +fail_unless( Curl_cert_hostcheck("f*.example.com", "foo.example.com"), "good 4" ); +fail_unless( Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"), "good 5" ); + +fail_if( Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1" ); +fail_if( Curl_cert_hostcheck("*", "www.example.com"), "bad 2" ); +fail_if( Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3" ); +fail_if( Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4" ); +fail_if( Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5" ); +fail_if( Curl_cert_hostcheck("*.com", "example.com"), "bad 6" ); +fail_if( Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7" ); +fail_if( Curl_cert_hostcheck("*.example.", "www.example."), "bad 8" ); +fail_if( Curl_cert_hostcheck("*.example.", "www.example"), "bad 9" ); +fail_if( Curl_cert_hostcheck("", "www"), "bad 10" ); +fail_if( Curl_cert_hostcheck("*", "www"), "bad 11" ); +fail_if( Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12" ); +fail_if( Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13" ); + +#ifdef ENABLE_IPV6 +fail_if( Curl_cert_hostcheck("*::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619"), "bad 14" ); +fail_unless( Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619"), "good 6" ); +#endif + +#endif + + /* you end the test code like this: */ + +UNITTEST_STOP debian/patches/CVE-2016-8619.patch0000644000000000000000000000236313006434227013253 0ustar Backport of: From 91239f7040b1f026d4d15765e7e3f58e92e93761 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 28 Sep 2016 12:56:02 +0200 Subject: [PATCH] krb5: avoid realloc(0) If the requested size is zero, bail out with error instead of doing a realloc() that would cause a double-free: realloc(0) acts as a free() and then there's a second free in the cleanup path. CVE-2016-8619 Bug: https://curl.haxx.se/docs/adv_20161102E.html Reported-by: Cure53 --- lib/security.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) Index: curl-7.35.0/lib/security.c =================================================================== --- curl-7.35.0.orig/lib/security.c 2016-11-02 15:02:31.077427989 -0400 +++ curl-7.35.0/lib/security.c 2016-11-02 15:03:06.721631047 -0400 @@ -199,15 +199,18 @@ struct krb5buffer *buf) { int len; - void* tmp; + void *tmp = NULL; CURLcode ret; ret = socket_read(fd, &len, sizeof(len)); if(ret != CURLE_OK) return ret; - len = ntohl(len); - tmp = realloc(buf->data, len); + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); + tmp = realloc(buf->data, len); + } if(tmp == NULL) return CURLE_OUT_OF_MEMORY; debian/patches/CVE-2018-16839.patch0000644000000000000000000000164513364076722013353 0ustar Backport of: From 92acf6a2df83285a397919506a0a45a638564b9c Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 28 Sep 2018 16:08:16 +0200 Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check Reported-by: Harry Sintonen --- lib/vauth/cleartext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: curl-7.35.0/lib/curl_sasl.c =================================================================== --- curl-7.35.0.orig/lib/curl_sasl.c 2018-10-24 10:12:32.715083094 -0400 +++ curl-7.35.0/lib/curl_sasl.c 2018-10-24 10:12:32.715083094 -0400 @@ -112,7 +112,7 @@ CURLcode Curl_sasl_create_plain_message( plen = strlen(passwdp); /* Compute binary message length. Check for overflows. */ - if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) + if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) return CURLE_OUT_OF_MEMORY; plainlen = 2 * ulen + plen + 2; debian/patches/CVE-2014-0138.patch0000644000000000000000000002142012315605072013230 0ustar Description: fix wrong re-use of connections Origin: backport, https://github.com/bagder/curl/commit/378af08c99299683eb728fd8f9d3d3ab05f73ec0 Origin: backport, https://github.com/bagder/curl/commit/d765099813f58153cb859279c743e6494d179341 Origin: backport, https://github.com/bagder/curl/commit/517b06d657aceb11a234b05cc891170c367ab80d Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742728 WARNING: this patch contains weird line endings, editing it may break tests. Index: curl-7.35.0/lib/http.c =================================================================== --- curl-7.35.0.orig/lib/http.c 2014-03-29 13:59:11.203519268 -0400 +++ curl-7.35.0/lib/http.c 2014-03-29 13:59:11.195519268 -0400 @@ -145,7 +145,7 @@ ZERO_NULL, /* readwrite */ PORT_HTTPS, /* defport */ CURLPROTO_HTTP | CURLPROTO_HTTPS, /* protocol */ - PROTOPT_SSL /* flags */ + PROTOPT_SSL | PROTOPT_CREDSPERREQUEST /* flags */ }; #endif Index: curl-7.35.0/lib/url.c =================================================================== --- curl-7.35.0.orig/lib/url.c 2014-03-29 13:59:11.203519268 -0400 +++ curl-7.35.0/lib/url.c 2014-03-29 13:59:11.199519268 -0400 @@ -2885,8 +2885,9 @@ struct connectdata *check; struct connectdata *chosen = 0; bool canPipeline = IsPipeliningPossible(data, needle); - bool wantNTLM = (data->state.authhost.want & CURLAUTH_NTLM) || - (data->state.authhost.want & CURLAUTH_NTLM_WB) ? TRUE : FALSE; + bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) || + (data->state.authhost.want & CURLAUTH_NTLM_WB)) && + (needle->handler->protocol & CURLPROTO_HTTP) ? TRUE : FALSE; struct connectbundle *bundle; *force_reuse = FALSE; @@ -3041,16 +3042,16 @@ continue; } - if((needle->handler->protocol & CURLPROTO_FTP) || - ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) { - /* This is FTP or HTTP+NTLM, verify that we're using the same name - and password as well */ - if(!strequal(needle->user, check->user) || - !strequal(needle->passwd, check->passwd)) { - /* one of them was different */ - continue; - } - credentialsMatch = TRUE; + if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) || + wantNTLMhttp) { + /* This protocol requires credentials per connection or is HTTP+NTLM, + so verify that we're using the same name and password as well */ + if(!strequal(needle->user, check->user) || + !strequal(needle->passwd, check->passwd)) { + /* one of them was different */ + continue; + } + credentialsMatch = TRUE; } if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL || @@ -3102,12 +3103,12 @@ } if(match) { - /* If we are looking for an NTLM connection, check if this is already - authenticating with the right credentials. If not, keep looking so - that we can reuse NTLM connections if possible. (Especially we - must not reuse the same connection if partway through - a handshake!) */ - if(wantNTLM) { + /* If we are looking for an HTTP+NTLM connection, check if this is + already authenticating with the right credentials. If not, keep + looking so that we can reuse NTLM connections if + possible. (Especially we must not reuse the same connection if + partway through a handshake!) */ + if(wantNTLMhttp) { if(credentialsMatch && check->ntlm.state != NTLMSTATE_NONE) { chosen = check; @@ -3115,8 +3116,10 @@ *force_reuse = TRUE; break; } - else - continue; + else if(credentialsMatch) + /* this is a backup choice */ + chosen = check; + continue; } if(canPipeline) { Index: curl-7.35.0/lib/urldata.h =================================================================== --- curl-7.35.0.orig/lib/urldata.h 2014-03-29 13:59:11.203519268 -0400 +++ curl-7.35.0/lib/urldata.h 2014-03-29 13:59:11.199519268 -0400 @@ -785,6 +785,8 @@ gets a default */ #define PROTOPT_NOURLQUERY (1<<6) /* protocol can't handle url query strings (?foo=bar) ! */ +#define PROTOPT_CREDSPERREQUEST (1<<7) /* requires login creditials per request + as opposed to per connection */ /* return the count of bytes sent, or -1 on error */ Index: curl-7.35.0/tests/data/Makefile.am =================================================================== --- curl-7.35.0.orig/tests/data/Makefile.am 2014-03-29 13:59:11.203519268 -0400 +++ curl-7.35.0/tests/data/Makefile.am 2014-03-29 13:59:11.199519268 -0400 @@ -120,7 +120,7 @@ \ test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \ test1408 test1409 test1410 test1412 test1413 test1414 test1415 \ -test1416 test1417 \ +test1416 test1417 test1418 test1419 \ \ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ test1508 test1509 test1510 test1511 test1512 test1513 test1514 \ Index: curl-7.35.0/tests/data/test1418 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test1418 2014-03-29 13:59:23.695519603 -0400 @@ -0,0 +1,107 @@ + + + +HTTP +HTTP GET +HTTP NTLM auth +connection re-use + + +# Server-side + + +connection-monitor + + + +HTTP/1.1 401 Authentication please! +Content-Length: 20 +WWW-Authenticate: Digest realm="loonie", nonce="314156592" +WWW-Authenticate: Basic + +Please auth with me + + +# This is supposed to be returned when the server gets the second +# Authorization: NTLM line passed-in from the client + +HTTP/1.1 200 Things are fine in server land +Server: Microsoft-IIS/5.0 +Content-Length: 4 + +moo + + + +HTTP/1.1 200 OK +Server: Another one/1.0 +Content-Length: 4 + +boo + + +# This is the first reply after the redirection + +HTTP/1.1 200 OK +Server: Microsoft-IIS/5.0 +Content-Type: text/html; charset=iso-8859-1 +Content-Length: 34 + +This is not the real page either! + + + +HTTP/1.1 401 Authentication please! +Content-Length: 20 +WWW-Authenticate: Digest realm="loonie", nonce="314156592" +WWW-Authenticate: Basic + +HTTP/1.1 200 Things are fine in server land +Server: Microsoft-IIS/5.0 +Content-Length: 4 + +moo + + + + +# Client-side + + +http + + +crypto + + +HTTP with --anyauth and connection re-use + + +http://%HOSTIP:%HTTPPORT/1418 -u testuser:testpass --anyauth http://%HOSTIP:%HTTPPORT/14180003 + + + +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +GET /1418 HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +Accept: */* + +GET /1418 HTTP/1.1 +Authorization: Digest username="testuser", realm="loonie", nonce="314156592", uri="/1418", response="986238b7e0077754944c966f56d9bc77" +Host: %HOSTIP:%HTTPPORT +Accept: */* + +GET /14180003 HTTP/1.1 +Authorization: Digest username="testuser", realm="loonie", nonce="314156592", uri="/14180003", response="1c6390a67bac3283a9b023402f3b3540" +Host: %HOSTIP:%HTTPPORT +Accept: */* + +[DISCONNECT] + + + Index: curl-7.35.0/tests/data/test1419 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test1419 2014-03-29 13:59:27.219519697 -0400 @@ -0,0 +1,69 @@ + + + +HTTP +HTTP GET +HTTP NTLM auth +connection re-use + + +# Server-side + + +connection-monitor + + + +HTTP/1.1 200 fine! +Content-Length: 20 + +Feel free to get it + + + +HTTP/1.1 200 OK +Server: Another one/1.0 +Content-Length: 4 + +boo + + + +HTTP/1.1 200 fine! +Content-Length: 20 + +Feel free to get it + + + +# Client-side + + +http + + +HTTP with --anyauth (but no auth!) and connection re-use + + +http://%HOSTIP:%HTTPPORT/1419 --anyauth http://%HOSTIP:%HTTPPORT/14190003 + + + +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +GET /1419 HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +Accept: */* + +GET /14190003 HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +Accept: */* + +[DISCONNECT] + + + debian/patches/CVE-2016-9586.patch0000644000000000000000000002122613165422505013260 0ustar Backport of: From 3ab3c16db6a5674f53cf23d56512a405fde0b2c9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 8 Nov 2016 15:32:37 +0100 Subject: [PATCH] printf: fix floating point buffer overflow issues ... and add a bunch of floating point printf tests --- lib/mprintf.c | 20 +++++++- tests/data/test557 | 1 + tests/libtest/lib557.c | 136 +++++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 152 insertions(+), 5 deletions(-) Index: curl-7.35.0/lib/mprintf.c =================================================================== --- curl-7.35.0.orig/lib/mprintf.c 2017-10-04 09:02:46.893967145 -0400 +++ curl-7.35.0/lib/mprintf.c 2017-10-04 09:02:46.889967095 -0400 @@ -97,7 +97,8 @@ # define mp_uintmax_t unsigned long #endif -#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */ +#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should + fit negative DBL_MAX (317 letters) */ #define MAX_PARAMETERS 128 /* lame static limit */ #ifdef __AMIGA__ @@ -306,7 +307,6 @@ static long dprintf_Pass1(const char *fo flags |= FLAGS_ALT; break; case '.': - flags |= FLAGS_PREC; if('*' == *fmt) { /* The precision is picked from a specified parameter */ @@ -892,12 +892,25 @@ static int dprintf_formatf( *fptr = 0; if(width >= 0) { + if(width >= (long)sizeof(work)) + width = sizeof(work)-1; /* RECURSIVE USAGE */ len = curl_msnprintf(fptr, left, "%ld", width); fptr += len; left -= len; } if(prec >= 0) { + /* for each digit in the integer part, we can have one less + precision */ + size_t maxprec = sizeof(work) - 2; + double val = p->data.dnum; + while(val >= 10.0) { + val /= 10; + maxprec--; + } + + if(prec > (long)maxprec) + prec = maxprec-1; /* RECURSIVE USAGE */ len = curl_msnprintf(fptr, left, ".%ld", prec); fptr += len; @@ -917,7 +930,9 @@ static int dprintf_formatf( /* NOTE NOTE NOTE!! Not all sprintf implementations return number of output characters */ (sprintf)(work, formatbuf, p->data.dnum); - +#ifdef CURLDEBUG + assert(strlen(work) <= sizeof(work)); +#endif for(fptr=work; *fptr; fptr++) OUTCHAR(*fptr); } Index: curl-7.35.0/tests/data/test557 =================================================================== --- curl-7.35.0.orig/tests/data/test557 2017-10-04 09:02:46.893967145 -0400 +++ curl-7.35.0/tests/data/test557 2017-10-04 09:02:46.889967095 -0400 @@ -33,6 +33,7 @@ All curl_mprintf() signed int tests OK! All curl_mprintf() unsigned long tests OK! All curl_mprintf() signed long tests OK! All curl_mprintf() curl_off_t tests OK! +All float strings tests OK! Index: curl-7.35.0/tests/libtest/lib557.c =================================================================== --- curl-7.35.0.orig/tests/libtest/lib557.c 2017-10-04 09:02:46.893967145 -0400 +++ curl-7.35.0/tests/libtest/lib557.c 2017-10-04 09:02:46.889967095 -0400 @@ -1374,6 +1374,145 @@ static int test_curl_off_t_formatting(vo return failed; } +static int _string_check(int linenumber, char *buf, const char *buf2) +{ + if(strcmp(buf, buf2)) { + /* they shouldn't differ */ + printf("sprintf line %d failed:\nwe '%s'\nsystem: '%s'\n", + linenumber, buf, buf2); + return 1; + } + return 0; +} +#define string_check(x,y) _string_check(__LINE__, x, y) + +static int _strlen_check(int linenumber, char *buf, size_t len) +{ + size_t buflen = strlen(buf); + if(len != buflen) { + /* they shouldn't differ */ + printf("sprintf strlen:%d failed:\nwe '%d'\nsystem: '%d'\n", + linenumber, buflen, len); + return 1; + } + return 0; +} + +#define strlen_check(x,y) _strlen_check(__LINE__, x, y) + +/* DBL_MAX value from Linux */ +#define MAXIMIZE -1.7976931348623157081452E+308 + +static int test_float_formatting(void) +{ + int errors = 0; + char buf[512]; /* larger than max float size */ + curl_msnprintf(buf, sizeof(buf), "%f", 9.0); + errors += string_check(buf, "9.000000"); + + curl_msnprintf(buf, sizeof(buf), "%.1f", 9.1); + errors += string_check(buf, "9.1"); + + curl_msnprintf(buf, sizeof(buf), "%.2f", 9.1); + errors += string_check(buf, "9.10"); + + curl_msnprintf(buf, sizeof(buf), "%.0f", 9.1); + errors += string_check(buf, "9"); + + curl_msnprintf(buf, sizeof(buf), "%0f", 9.1); + errors += string_check(buf, "9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%10f", 9.1); + errors += string_check(buf, " 9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%10.3f", 9.1); + errors += string_check(buf, " 9.100"); + + curl_msnprintf(buf, sizeof(buf), "%-10.3f", 9.1); + errors += string_check(buf, "9.100 "); + + curl_msnprintf(buf, sizeof(buf), "%-10.3f", 9.123456); + errors += string_check(buf, "9.123 "); + + curl_msnprintf(buf, sizeof(buf), "%.-2f", 9.1); + errors += string_check(buf, "9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%*f", 10, 9.1); + errors += string_check(buf, " 9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%*f", 3, 9.1); + errors += string_check(buf, "9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.2987654); + errors += string_check(buf, "9.298765"); + + curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.298765); + errors += string_check(buf, "9.298765"); + + curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.29876); + errors += string_check(buf, "9.298760"); + + curl_msnprintf(buf, sizeof(buf), "%.*f", 6, 9.2987654); + errors += string_check(buf, "9.298765"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 5, 9.2987654); + errors += string_check(buf, "9.29877"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 4, 9.2987654); + errors += string_check(buf, "9.2988"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 3, 9.2987654); + errors += string_check(buf, "9.299"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 2, 9.2987654); + errors += string_check(buf, "9.30"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 1, 9.2987654); + errors += string_check(buf, "9.3"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 0, 9.2987654); + errors += string_check(buf, "9"); + + /* very large precisions easily turn into system specific outputs so we only + check the output buffer length here as we know the internal limit */ + + curl_msnprintf(buf, sizeof(buf), "%.*f", (1<<30), 9.2987654); + errors += strlen_check(buf, 325); + + curl_msnprintf(buf, sizeof(buf), "%10000.10000f", 9.2987654); + errors += strlen_check(buf, 325); + + curl_msnprintf(buf, sizeof(buf), "%240.10000f", + 123456789123456789123456789.2987654); + errors += strlen_check(buf, 325); + + /* 1<<31 turns negative (-2147483648) when used signed */ + curl_msnprintf(buf, sizeof(buf), "%*f", (1<<31), 9.1); + errors += string_check(buf, "9.100000"); + + /* curl_msnprintf() limits a single float output to 325 bytes maximum + width */ + curl_msnprintf(buf, sizeof(buf), "%*f", (1<<30), 9.1); + errors += string_check(buf, " 9.100000"); + curl_msnprintf(buf, sizeof(buf), "%100000f", 9.1); + errors += string_check(buf, " 9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%f", MAXIMIZE); + errors += strlen_check(buf, 317); + + curl_msnprintf(buf, 2, "%f", MAXIMIZE); + errors += strlen_check(buf, 1); + curl_msnprintf(buf, 3, "%f", MAXIMIZE); + errors += strlen_check(buf, 2); + curl_msnprintf(buf, 4, "%f", MAXIMIZE); + errors += strlen_check(buf, 3); + curl_msnprintf(buf, 5, "%f", MAXIMIZE); + errors += strlen_check(buf, 4); + curl_msnprintf(buf, 6, "%f", MAXIMIZE); + errors += strlen_check(buf, 5); + + if(!errors) + printf("All float strings tests OK!\n"); + else + printf("test_float_formatting Failed!\n"); + + return errors; +} + int test(char *URL) { @@ -1394,6 +1533,8 @@ int test(char *URL) errors += test_curl_off_t_formatting(); + errors += test_float_formatting(); + if(errors) return TEST_ERR_MAJOR_BAD; else debian/patches/CVE-2018-1000120-pre1.patch0000644000000000000000000001173213252217757014330 0ustar Partial backport of: From 46133aa536f7f5bf552b83369e3851b6f811299e Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 8 Oct 2016 11:21:38 +0200 Subject: [PATCH] escape: avoid using curl_easy_unescape() internally Since the internal Curl_urldecode() function has a better API. --- lib/file.c | 9 +++++---- lib/ftp.c | 60 +++++++++++++++++++++++++++++------------------------------- lib/gopher.c | 5 +++-- lib/ldap.c | 26 +++++++++++++++----------- lib/ssh.c | 12 ++++++------ lib/tftp.c | 9 +++++---- lib/url.c | 55 +++++++++++++++++++++++++++---------------------------- 7 files changed, 90 insertions(+), 86 deletions(-) Index: curl-7.35.0/lib/ftp.c =================================================================== --- curl-7.35.0.orig/lib/ftp.c 2018-03-14 09:13:16.997358526 -0400 +++ curl-7.35.0/lib/ftp.c 2018-03-14 09:13:16.997358526 -0400 @@ -3251,8 +3251,8 @@ static CURLcode ftp_done(struct connectd } /* get the "raw" path */ - path = curl_easy_unescape(data, path_to_use, 0, NULL); - if(!path) { + result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); + if(result) { /* out of memory, but we can limp along anyway (and should try to * since we may already be in the out of memory cleanup path) */ if(!result) @@ -4243,6 +4243,7 @@ CURLcode ftp_parse_url_path(struct conne slash_pos=strrchr(cur_pos, '/'); if(slash_pos || !*cur_pos) { size_t dirlen = slash_pos-cur_pos; + CURLcode result; ftpc->dirs = calloc(1, sizeof(ftpc->dirs[0])); if(!ftpc->dirs) @@ -4251,12 +4252,13 @@ CURLcode ftp_parse_url_path(struct conne if(!dirlen) dirlen++; - ftpc->dirs[0] = curl_easy_unescape(conn->data, slash_pos ? cur_pos : "/", - slash_pos ? curlx_uztosi(dirlen) : 1, - NULL); - if(!ftpc->dirs[0]) { + result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", + slash_pos ? dirlen : 1, + &ftpc->dirs[0], NULL, + FALSE); + if(result) { freedirs(ftpc); - return CURLE_OUT_OF_MEMORY; + return result; } ftpc->dirdepth = 1; /* we consider it to be a single dir */ filename = slash_pos ? slash_pos+1 : cur_pos; /* rest is file name */ @@ -4291,18 +4293,15 @@ CURLcode ftp_parse_url_path(struct conne /* we skip empty path components, like "x//y" since the FTP command CWD requires a parameter and a non-existent parameter a) doesn't work on many servers and b) has no effect on the others. */ - int len = curlx_sztosi(slash_pos - cur_pos + absolute_dir); - ftpc->dirs[ftpc->dirdepth] = - curl_easy_unescape(conn->data, cur_pos - absolute_dir, len, NULL); - if(!ftpc->dirs[ftpc->dirdepth]) { /* run out of memory ... */ - failf(data, "no memory"); - freedirs(ftpc); - return CURLE_OUT_OF_MEMORY; - } - if(isBadFtpString(ftpc->dirs[ftpc->dirdepth])) { + size_t len = slash_pos - cur_pos + absolute_dir; + CURLcode result = + Curl_urldecode(conn->data, cur_pos - absolute_dir, len, + &ftpc->dirs[ftpc->dirdepth], NULL, + TRUE); + if(result) { free(ftpc->dirs[ftpc->dirdepth]); freedirs(ftpc); - return CURLE_URL_MALFORMAT; + return result; } } else { @@ -4338,15 +4337,12 @@ CURLcode ftp_parse_url_path(struct conne } /* switch */ if(filename && *filename) { - ftpc->file = curl_easy_unescape(conn->data, filename, 0, NULL); - if(NULL == ftpc->file) { - freedirs(ftpc); - failf(data, "no memory"); - return CURLE_OUT_OF_MEMORY; - } - if(isBadFtpString(ftpc->file)) { + CURLcode result = + Curl_urldecode(conn->data, filename, 0, &ftpc->file, NULL, TRUE); + + if(result) { freedirs(ftpc); - return CURLE_URL_MALFORMAT; + return result; } } else @@ -4364,15 +4360,17 @@ CURLcode ftp_parse_url_path(struct conne if(ftpc->prevpath) { /* prevpath is "raw" so we convert the input path before we compare the strings */ - int dlen; - char *path = curl_easy_unescape(conn->data, data->state.path, 0, &dlen); - if(!path) { + size_t dlen; + char *path; + CURLcode result = + Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); + if(result) { freedirs(ftpc); - return CURLE_OUT_OF_MEMORY; + return result; } - dlen -= ftpc->file?curlx_uztosi(strlen(ftpc->file)):0; - if((dlen == curlx_uztosi(strlen(ftpc->prevpath))) && + dlen -= ftpc->file?strlen(ftpc->file):0; + if((dlen == strlen(ftpc->prevpath)) && strnequal(path, ftpc->prevpath, dlen)) { infof(data, "Request has same path as previous transfer\n"); ftpc->cwddone = TRUE; debian/patches/fix_test172.patch0000644000000000000000000000201012316537101013705 0ustar From ffb8a21d85bde8b626e5dc52ce25f0447ee49f89 Mon Sep 17 00:00:00 2001 From: Steve Holme Date: Sun, 2 Feb 2014 11:01:10 +0000 Subject: [PATCH] tests: Fixed test172 cookie expiry The test contains a cookie jar file where one of the cookies has an expiry date of 1391252187 -- Sat, 1 Feb 2014 10:56:27 GMT which has now expired. Updated to Wed, 14 Oct 2037 16:36:33 GMT as per test 179. Reported-by: Adam Sampson Bug: http://curl.haxx.se/bug/view.cgi?id=1330 --- tests/data/test172 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data/test172 b/tests/data/test172 index b3efae9..3d53418 100644 --- a/tests/data/test172 +++ b/tests/data/test172 @@ -36,7 +36,7 @@ http://%HOSTIP:%HTTPPORT/we/want/172 -b log/jar172.txt -b "tool=curl; name=fool" .%HOSTIP TRUE /silly/ FALSE 0 ismatch this .%HOSTIP TRUE / FALSE 0 partmatch present -%HOSTIP FALSE /we/want/ FALSE 1391252187 nodomain value +%HOSTIP FALSE /we/want/ FALSE 2139150993 nodomain value -- 1.9.1 debian/patches/CVE-2016-5419.patch0000644000000000000000000000474212751127355013260 0ustar From 416ad90afc50d9cbcb50ba4ab28f88d260774f6d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 1 Jul 2016 13:32:31 +0200 Subject: [PATCH] TLS: switch off SSL session id when client cert is used CVE-2016-5419 Bug: https://curl.haxx.se/docs/adv_20160803A.html Reported-by: Bru Rom Contributions-by: Eric Rescorla and Ray Satiro --- lib/url.c | 1 + lib/urldata.h | 1 + lib/vtls/vtls.c | 10 ++++++++++ 3 files changed, 12 insertions(+) Index: curl-7.35.0/lib/url.c =================================================================== --- curl-7.35.0.orig/lib/url.c 2016-08-05 11:21:14.124206286 -0400 +++ curl-7.35.0/lib/url.c 2016-08-05 11:21:14.120206237 -0400 @@ -5404,6 +5404,7 @@ data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST]; + data->set.ssl.clientcert = data->set.str[STRING_CERT]; #ifdef USE_TLS_SRP data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; Index: curl-7.35.0/lib/urldata.h =================================================================== --- curl-7.35.0.orig/lib/urldata.h 2016-08-05 11:21:14.124206286 -0400 +++ curl-7.35.0/lib/urldata.h 2016-08-05 11:21:14.120206237 -0400 @@ -366,6 +366,7 @@ char *CAfile; /* certificate to verify peer against */ const char *CRLfile; /* CRL to check certificate revocation */ const char *issuercert;/* optional issuer certificate filename */ + char *clientcert; char *random_file; /* path to file containing "random" data */ char *egdsocket; /* path to file containing the EGD daemon socket */ char *cipher_list; /* list of ciphers to use */ Index: curl-7.35.0/lib/vtls/vtls.c =================================================================== --- curl-7.35.0.orig/lib/vtls/vtls.c 2016-08-05 11:21:14.124206286 -0400 +++ curl-7.35.0/lib/vtls/vtls.c 2016-08-05 11:21:14.120206237 -0400 @@ -166,6 +166,15 @@ else dest->random_file = NULL; + if(source->clientcert) { + dest->clientcert = strdup(source->clientcert); + if(!dest->clientcert) + return FALSE; + dest->sessionid = FALSE; + } + else + dest->clientcert = NULL; + return TRUE; } @@ -176,6 +185,7 @@ Curl_safefree(sslc->cipher_list); Curl_safefree(sslc->egdsocket); Curl_safefree(sslc->random_file); + Curl_safefree(sslc->clientcert); } debian/patches/CVE-2018-1000120-pre3.patch0000644000000000000000000000170013252220320014300 0ustar From 3c6c2bcd5af8a111738f9190093dbf8a440d167b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 2 Nov 2016 07:18:24 +0100 Subject: [PATCH] ftp: remove dead code in ftp_done Coverity CID 1374358 --- lib/ftp.c | 2 -- 1 file changed, 2 deletions(-) Index: curl-7.35.0/lib/ftp.c =================================================================== --- curl-7.35.0.orig/lib/ftp.c 2018-03-14 09:17:02.625863052 -0400 +++ curl-7.35.0/lib/ftp.c 2018-03-14 09:17:02.621863044 -0400 @@ -3252,8 +3252,6 @@ static CURLcode ftp_done(struct connectd if(result) { /* out of memory, but we can limp along anyway (and should try to * since we may already be in the out of memory cleanup path) */ - if(!result) - result = CURLE_OUT_OF_MEMORY; ftpc->ctl_valid = FALSE; /* mark control connection as bad */ conn->bits.close = TRUE; /* mark for connection closure */ ftpc->prevpath = NULL; /* no path remembering */ debian/patches/CVE-2016-5420.patch0000644000000000000000000000176012751127362013243 0ustar From f6474ff3bfb38c28b70b5ba01048edc41f654376 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sun, 31 Jul 2016 00:51:48 +0200 Subject: [PATCH] TLS: only reuse connections with the same client cert CVE-2016-5420 Bug: https://curl.haxx.se/docs/adv_20160803B.html --- lib/vtls/vtls.c | 1 + 1 file changed, 1 insertion(+) Index: curl-7.35.0/lib/vtls/vtls.c =================================================================== --- curl-7.35.0.orig/lib/vtls/vtls.c 2016-08-05 11:21:21.068292257 -0400 +++ curl-7.35.0/lib/vtls/vtls.c 2016-08-05 11:21:21.068292257 -0400 @@ -109,6 +109,7 @@ (data->verifyhost == needle->verifyhost) && safe_strequal(data->CApath, needle->CApath) && safe_strequal(data->CAfile, needle->CAfile) && + safe_strequal(data->clientcert, needle->clientcert) && safe_strequal(data->random_file, needle->random_file) && safe_strequal(data->egdsocket, needle->egdsocket) && safe_strequal(data->cipher_list, needle->cipher_list)) debian/patches/CVE-2017-1000254.patch0000644000000000000000000001033213165156144013460 0ustar Backport of: From 5ff2c5ff25750aba1a8f64fbcad8e5b891512584 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 25 Sep 2017 00:35:22 +0200 Subject: [PATCH] FTP: zero terminate the entry path even on bad input ... a single double quote could leave the entry path buffer without a zero terminating byte. CVE-2017-1000254 Test 1152 added to verify. Reported-by: Max Dymond Bug: https://curl.haxx.se/docs/adv_20171004.html --- lib/ftp.c | 7 ++++-- tests/data/Makefile.inc | 1 + tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 tests/data/test1152 Index: curl-7.35.0/lib/ftp.c =================================================================== --- curl-7.35.0.orig/lib/ftp.c 2017-10-04 09:03:06.842215438 -0400 +++ curl-7.35.0/lib/ftp.c 2017-10-04 09:03:06.842215438 -0400 @@ -2834,6 +2834,7 @@ static CURLcode ftp_statemach_act(struct char *ptr=&data->state.buffer[4]; /* start on the first letter */ char *dir; char *store; + bool entry_extracted = FALSE; dir = malloc(nread + 1); if(!dir) @@ -2865,7 +2866,7 @@ static CURLcode ftp_statemach_act(struct } else { /* end of path */ - *store = '\0'; /* zero terminate */ + entry_extracted = TRUE; break; /* get out of this loop */ } } @@ -2874,7 +2875,9 @@ static CURLcode ftp_statemach_act(struct store++; ptr++; } - + *store = '\0'; /* zero terminate */ + } + if(entry_extracted) { /* If the path name does not look like an absolute path (i.e.: it does not start with a '/'), we probably need some server-dependent adjustments. For example, this is the case when connecting to Index: curl-7.35.0/tests/data/test1152 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test1152 2017-10-04 09:03:06.842215438 -0400 @@ -0,0 +1,61 @@ + + + +FTP +PASV +LIST + + +# +# Server-side + + +REPLY PWD 257 "just one + + +# When doing LIST, we get the default list output hard-coded in the test +# FTP server + +total 20 +drwxr-xr-x 8 98 98 512 Oct 22 13:06 . +drwxr-xr-x 8 98 98 512 Oct 22 13:06 .. +drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases +-r--r--r-- 1 0 1 35 Jul 16 1996 README +lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin +dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev +drwxrwxrwx 2 98 98 512 May 29 16:04 download.html +dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc +drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub +dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr + + + +# +# Client-side + + +ftp + + +FTP with uneven quote in PWD response + + +ftp://%HOSTIP:%FTPPORT/test-1152/ + + + +# +# Verify data after the test has been "shot" + + +USER anonymous +PASS ftp@example.com +PWD +CWD test-1152 +EPSV +TYPE A +LIST +QUIT + + + Index: curl-7.35.0/tests/data/Makefile.am =================================================================== --- curl-7.35.0.orig/tests/data/Makefile.am 2017-10-04 09:02:46.461961766 -0400 +++ curl-7.35.0/tests/data/Makefile.am 2017-10-04 09:04:31.883273114 -0400 @@ -95,7 +95,7 @@ test1096 test1097 test1098 test1099 test test1104 test1105 test1106 test1107 test1108 test1109 test1110 test1111 \ test1112 test1113 test1114 test1115 test1116 test1117 test1118 test1119 \ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \ -test1128 test1129 test1130 test1131 test1132 test1133 \ +test1128 test1129 test1130 test1131 test1132 test1133 test1152 \ \ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ debian/patches/CVE-2016-8620.patch0000644000000000000000000001066613006434410013242 0ustar Backport of: From 52f3e1d1092c81a4f574c9fc6cb3818b88434c8d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 3 Oct 2016 17:27:16 +0200 Subject: [PATCH 1/3] range: prevent negative end number in a glob range MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2016-8620 Bug: https://curl.haxx.se/docs/adv_20161102F.html Reported-by: Luật Nguyễn From e97ebe97c2b53d3617c1f4082a2aaa4f1b593ef9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 3 Oct 2016 18:23:22 +0200 Subject: [PATCH 2/3] glob_next_url: make sure to stay within the given output buffer From 9ce377051290c83176f235b526b87904cad6b388 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 4 Oct 2016 17:25:09 +0200 Subject: [PATCH 3/3] range: reject char globs with missing end like '[L-]' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ... which previously would lead to out of boundary reads. Reported-by: Luật Nguyễn Index: curl-7.35.0/src/tool_urlglob.c =================================================================== --- curl-7.35.0.orig/src/tool_urlglob.c 2016-11-02 15:04:04.217958594 -0400 +++ curl-7.35.0/src/tool_urlglob.c 2016-11-02 15:05:34.050470356 -0400 @@ -191,32 +191,36 @@ /* character range detected */ char min_c; char max_c; + char end_c; int step=1; pat->type = UPTCharRange; - rc = sscanf(pattern, "%c-%c", &min_c, &max_c); + rc = sscanf(pattern, "%c-%c%c", &min_c, &max_c, &end_c); - if((rc == 2) && (pattern[3] == ':')) { - char *endp; - unsigned long lstep; - errno = 0; - lstep = strtoul(&pattern[3], &endp, 10); - if(errno || (*endp != ']')) - step = -1; - else { - pattern = endp+1; - step = (int)lstep; - if(step > (max_c - min_c)) + if(rc == 3) { + if(end_c == ':') { + char *endp; + unsigned long lstep; + errno = 0; + lstep = strtoul(&pattern[4], &endp, 10); + if(errno || (*endp != ']')) step = -1; + else { + pattern = endp+1; + step = (int)lstep; + if(step > (max_c - min_c)) + step = -1; + } } + else if(end_c != ']') + /* then this is wrong */ + rc = 0; } - else - pattern += 4; *posp += (pattern - *patternp); - if((rc != 2) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) || + if((rc != 3) || (min_c >= max_c) || ((max_c - min_c) > ('z' - 'a')) || (step < 0) ) /* the pattern is not well-formed */ return GLOBERROR("bad range", *posp, GLOB_ERROR); @@ -259,6 +263,12 @@ endp = NULL; else { pattern = endp+1; + while(*pattern && ISBLANK(*pattern)) + pattern++; + if(!ISDIGIT(*pattern)) { + endp = NULL; + goto fail; + } errno = 0; max_n = strtoul(pattern, &endp, 10); if(errno || (*endp == ':')) { @@ -279,6 +289,7 @@ } } + fail: *posp += (pattern - *patternp); if(!endp || (min_n > max_n) || (step_n > (max_n - min_n))) @@ -381,6 +392,7 @@ glob_buffer = malloc(strlen(url) + 1); if(!glob_buffer) return CURLE_OUT_OF_MEMORY; + glob_buffer[0]=0; glob_expand = calloc(1, sizeof(URLGlob)); if(!glob_expand) { @@ -498,20 +510,25 @@ switch(pat->type) { case UPTSet: if(pat->content.Set.elements) { - len = strlen(pat->content.Set.elements[pat->content.Set.ptr_s]); snprintf(buf, buflen, "%s", pat->content.Set.elements[pat->content.Set.ptr_s]); + len = strlen(buf); buf += len; buflen -= len; } break; case UPTCharRange: - *buf++ = pat->content.CharRange.ptr_c; + if(buflen) { + *buf++ = pat->content.CharRange.ptr_c; + *buf = '\0'; + buflen--; + } break; case UPTNumRange: - len = snprintf(buf, buflen, "%0*ld", - pat->content.NumRange.padlength, - pat->content.NumRange.ptr_n); + snprintf(buf, buflen, "%0*ld", + pat->content.NumRange.padlength, + pat->content.NumRange.ptr_n); + len = strlen(buf); buf += len; buflen -= len; break; @@ -520,7 +537,6 @@ return CURLE_FAILED_INIT; } } - *buf = '\0'; *globbed = strdup(glob->glob_buffer); if(!*globbed) debian/patches/CVE-2017-7407-1.patch0000644000000000000000000000637013165156250013411 0ustar Backport of: From 1890d59905414ab84a35892b2e45833654aa5c13 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Sat, 11 Mar 2017 10:59:34 +0100 Subject: [PATCH] tool_writeout: fixed a buffer read overrun on --write-out If a % ended the statement, the string's trailing NUL would be skipped and memory past the end of the buffer would be accessed and potentially displayed as part of the --write-out output. Added tests 1440 and 1441 to check for this kind of condition. Reported-by: Brian Carpenter --- src/tool_writeout.c | 2 +- tests/data/Makefile.inc | 2 +- tests/data/test1440 | 31 +++++++++++++++++++++++++++++++ tests/data/test1441 | 31 +++++++++++++++++++++++++++++++ 4 files changed, 64 insertions(+), 2 deletions(-) create mode 100644 tests/data/test1440 create mode 100644 tests/data/test1441 Index: curl-7.35.0/src/tool_writeout.c =================================================================== --- curl-7.35.0.orig/src/tool_writeout.c 2017-10-04 09:05:19.087859644 -0400 +++ curl-7.35.0/src/tool_writeout.c 2017-10-04 09:05:19.083859595 -0400 @@ -108,7 +108,7 @@ void ourWriteOut(CURL *curl, struct OutS double doubleinfo; while(ptr && *ptr) { - if('%' == *ptr) { + if('%' == *ptr && ptr[1]) { if('%' == ptr[1]) { /* an escaped %-letter */ fputc('%', stream); Index: curl-7.35.0/tests/data/test1440 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test1440 2017-10-04 09:05:19.083859595 -0400 @@ -0,0 +1,31 @@ + + + +--write-out + + +# Server-side + + + +# Client-side + + +file + + + +Check --write-out with trailing %{ + + +file://localhost/%PWD/log/ --write-out '%{' + + + +# Verify data + + +%{ + + + Index: curl-7.35.0/tests/data/test1441 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test1441 2017-10-04 09:05:19.083859595 -0400 @@ -0,0 +1,31 @@ + + + +--write-out + + +# Server-side + + + +# Client-side + + +file + + + +Check --write-out with trailing % + + +file://localhost/%PWD/log/ --write-out '%' + + + +# Verify data + + +% + + + Index: curl-7.35.0/tests/data/Makefile.am =================================================================== --- curl-7.35.0.orig/tests/data/Makefile.am 2017-10-04 09:05:01.887645973 -0400 +++ curl-7.35.0/tests/data/Makefile.am 2017-10-04 09:05:40.840129788 -0400 @@ -120,7 +120,7 @@ test1396 test1397 \ \ test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \ test1408 test1409 test1410 test1412 test1413 test1414 test1415 \ -test1416 test1417 test1418 test1419 \ +test1416 test1417 test1418 test1419 test1440 test1441 \ \ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1529 \ debian/patches/CVE-2014-3620.patch0000644000000000000000000000304312404311672013227 0ustar Description: fix incorrect cookie handling for TLDs Origin: upstream, http://curl.haxx.se/CVE-2014-3620.patch Warning: this patch contain weird line endings, be careful when editing Index: curl-7.37.1/lib/cookie.c =================================================================== --- curl-7.37.1.orig/lib/cookie.c 2014-09-11 08:14:04.287233616 -0400 +++ curl-7.37.1/lib/cookie.c 2014-09-11 08:14:26.591233742 -0400 @@ -463,6 +463,7 @@ } else if(Curl_raw_equal("domain", name)) { bool is_ip; + const char *dotp; /* Now, we make sure that our host is within the given domain, or the given domain is not valid and thus cannot be set. */ @@ -472,6 +473,11 @@ is_ip = isip(domain ? domain : whatptr); + /* check for more dots */ + dotp = strchr(whatptr, '.'); + if(!dotp) + domain=":"; + if(!domain || (is_ip && !strcmp(whatptr, domain)) || (!is_ip && tailmatch(whatptr, domain))) { Index: curl-7.37.1/tests/data/test61 =================================================================== --- curl-7.37.1.orig/tests/data/test61 2014-06-11 13:52:30.000000000 -0400 +++ curl-7.37.1/tests/data/test61 2014-09-11 08:15:23.283234062 -0400 @@ -23,6 +23,7 @@ Set-Cookie: test4=no; domain=nope.foo.com; path=/moo; secure Set-Cookie: test5=name; domain=anything.com; path=/ ; secure Set-Cookie: fake=fooledyou; domain=..com; path=/; +Set-Cookie: supercookie=fooledyou; domain=.com; path=/; Content-Length: 4 boo debian/patches/CVE-2015-3143.patch0000644000000000000000000000177212515711554013245 0ustar From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 16 Apr 2015 13:26:46 +0200 Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to match CVE-2015-3143 Bug: http://curl.haxx.se/docs/adv_20150422A.html Reported-by: Paras Sethia --- lib/url.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: curl-7.35.0/lib/url.c =================================================================== --- curl-7.35.0.orig/lib/url.c 2015-04-22 08:26:17.858887595 -0400 +++ curl-7.35.0/lib/url.c 2015-04-22 08:26:17.854887563 -0400 @@ -3056,7 +3056,7 @@ } if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) || - wantNTLMhttp) { + (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) { /* This protocol requires credentials per connection or is HTTP+NTLM, so verify that we're using the same name and password as well */ if(!strequal(needle->user, check->user) || debian/patches/CVE-2017-7407-2.patch0000644000000000000000000000457113165156311013411 0ustar Backport of: From 8e65877870c1fac920b65219adec720df810aab9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 24 Mar 2017 10:14:21 +0100 Subject: [PATCH] curl: check for end of input in writeout backslash handling Reported-by: Brian Carpenter Added test 1442 to verify --- src/tool_writeout.c | 4 ++-- tests/data/Makefile.inc | 2 +- tests/data/test1442 | 35 +++++++++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+), 3 deletions(-) create mode 100644 tests/data/test1442 Index: curl-7.35.0/src/tool_writeout.c =================================================================== --- curl-7.35.0.orig/src/tool_writeout.c 2017-10-04 09:05:52.560275308 -0400 +++ curl-7.35.0/src/tool_writeout.c 2017-10-04 09:05:52.560275308 -0400 @@ -299,7 +299,7 @@ void ourWriteOut(CURL *curl, struct OutS } } } - else if('\\' == *ptr) { + else if('\\' == *ptr && ptr[1]) { switch(ptr[1]) { case 'r': fputc('\r', stream); Index: curl-7.35.0/tests/data/test1442 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test1442 2017-10-04 09:05:52.560275308 -0400 @@ -0,0 +1,35 @@ + + + +--write-out +FILE + + +# Server-side + + + +# Client-side + + +file + + + +Check --write-out with trailing \ + + +file://localhost/%PWD/log/non-existent-file.txt --write-out '\' + + + +# Verify data + + +37 + + +\ + + + Index: curl-7.35.0/tests/data/Makefile.am =================================================================== --- curl-7.35.0.orig/tests/data/Makefile.am 2017-10-04 09:05:40.840129788 -0400 +++ curl-7.35.0/tests/data/Makefile.am 2017-10-04 09:06:13.396533953 -0400 @@ -120,7 +120,7 @@ test1396 test1397 \ \ test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \ test1408 test1409 test1410 test1412 test1413 test1414 test1415 \ -test1416 test1417 test1418 test1419 test1440 test1441 \ +test1416 test1417 test1418 test1419 test1440 test1441 test1442 \ \ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1529 \ debian/patches/02_art_http_scripting.patch0000644000000000000000000000115212272152435016050 0ustar Description: Fix path to "TheArtOfHttpScripting" in docs. Origin: vendor Forwarded: not-needed Author: Ramakrishnan Muthukrishnan Reviewed-by: Alessandro Ghedini Last-Update: 2011-11-01 --- a/docs/index.html +++ b/docs/index.html @@ -12,7 +12,7 @@
curl

Tutorial

-The Art Of Scripting HTTP Requests Using Curl (plain text) +The Art Of Scripting HTTP Requests Using Curl (plain text)

libcurl

See the libcurl section debian/patches/CVE-2014-3707.patch0000644000000000000000000002762412426714617013262 0ustar Description: fix sensitive data disclosure via duphandle read out of bounds Origin: backport, https://github.com/bagder/curl/commit/b3875606925536f82fc61f3114ac42f29eaf6945 Origin: backport, https://github.com/bagder/curl/commit/e8cea8d70fed7ad5e14d8b3e871ebf0ea0bf53b0 Origin: backport, https://github.com/bagder/curl/commit/92e7e346f35b89d89c079403e5aeb16bee0e8836 Origin: backport, https://github.com/bagder/curl/commit/8a2dda312cc916e3ec3d0bc99850d9abe5ae6b92 Index: curl-7.35.0/lib/formdata.c =================================================================== --- curl-7.35.0.orig/lib/formdata.c 2014-11-06 10:53:04.237756718 -0500 +++ curl-7.35.0/lib/formdata.c 2014-11-06 10:53:04.229756651 -0500 @@ -36,6 +36,7 @@ #include "strequal.h" #include "curl_memory.h" #include "sendf.h" +#include "strdup.h" #define _MPRINTF_REPLACE /* use our functions only */ #include @@ -214,46 +215,6 @@ /*************************************************************************** * - * memdup() - * - * Copies the 'source' data to a newly allocated buffer buffer (that is - * returned). Uses buffer_length if not null, else uses strlen to determine - * the length of the buffer to be copied - * - * Returns the new pointer or NULL on failure. - * - ***************************************************************************/ -static char *memdup(const char *src, size_t buffer_length) -{ - size_t length; - bool add = FALSE; - char *buffer; - - if(buffer_length) - length = buffer_length; - else if(src) { - length = strlen(src); - add = TRUE; - } - else - /* no length and a NULL src pointer! */ - return strdup(""); - - buffer = malloc(length+add); - if(!buffer) - return NULL; /* fail */ - - memcpy(buffer, src, length); - - /* if length unknown do null termination */ - if(add) - buffer[length] = '\0'; - - return buffer; -} - -/*************************************************************************** - * * FormAdd() * * Stores a formpost parameter and builds the appropriate linked list. @@ -682,9 +643,12 @@ (form == first_form) ) { /* Note that there's small risk that form->name is NULL here if the app passed in a bad combo, so we better check for that first. */ - if(form->name) + if(form->name) { /* copy name (without strdup; possibly contains null characters) */ - form->name = memdup(form->name, form->namelength); + form->name = Curl_memdup(form->name, form->namelength? + form->namelength: + strlen(form->name)+1); + } if(!form->name) { return_value = CURL_FORMADD_MEMORY; break; @@ -695,7 +659,9 @@ HTTPPOST_PTRCONTENTS | HTTPPOST_PTRBUFFER | HTTPPOST_CALLBACK)) ) { /* copy value (without strdup; possibly contains null characters) */ - form->value = memdup(form->value, form->contentslength); + form->value = Curl_memdup(form->value, form->contentslength? + form->contentslength: + strlen(form->value)+1); if(!form->value) { return_value = CURL_FORMADD_MEMORY; break; Index: curl-7.35.0/lib/strdup.c =================================================================== --- curl-7.35.0.orig/lib/strdup.c 2014-11-06 10:53:04.237756718 -0500 +++ curl-7.35.0/lib/strdup.c 2014-11-06 10:53:04.229756651 -0500 @@ -19,12 +19,12 @@ * KIND, either express or implied. * ***************************************************************************/ -/* - * This file is 'mem-include-scan' clean. See test 1132. - */ #include "curl_setup.h" - #include "strdup.h" +#include "curl_memory.h" + +/* The last #include file should be: */ +#include "memdebug.h" #ifndef HAVE_STRDUP char *curlx_strdup(const char *str) @@ -50,3 +50,24 @@ } #endif + +/*************************************************************************** + * + * Curl_memdup(source, length) + * + * Copies the 'source' data to a newly allocated buffer (that is + * returned). Copies 'length' bytes. + * + * Returns the new pointer or NULL on failure. + * + ***************************************************************************/ +char *Curl_memdup(const char *src, size_t length) +{ + char *buffer = malloc(length); + if(!buffer) + return NULL; /* fail */ + + memcpy(buffer, src, length); + + return buffer; +} Index: curl-7.35.0/lib/strdup.h =================================================================== --- curl-7.35.0.orig/lib/strdup.h 2014-11-06 10:53:04.237756718 -0500 +++ curl-7.35.0/lib/strdup.h 2014-11-06 10:53:04.229756651 -0500 @@ -26,5 +26,6 @@ #ifndef HAVE_STRDUP extern char *curlx_strdup(const char *str); #endif +char *Curl_memdup(const char *src, size_t buffer_length); #endif /* HEADER_CURL_STRDUP_H */ Index: curl-7.35.0/lib/url.c =================================================================== --- curl-7.35.0.orig/lib/url.c 2014-11-06 10:53:04.237756718 -0500 +++ curl-7.35.0/lib/url.c 2014-11-06 10:53:04.233756684 -0500 @@ -125,6 +125,7 @@ #include "multihandle.h" #include "pipeline.h" #include "dotdot.h" +#include "strdup.h" #define _MPRINTF_REPLACE /* use our functions only */ #include @@ -270,8 +271,9 @@ { /* Free all dynamic strings stored in the data->set substructure. */ enum dupstring i; - for(i=(enum dupstring)0; i < STRING_LAST; i++) + for(i=(enum dupstring)0; i < STRING_LAST; i++) { Curl_safefree(data->set.str[i]); + } if(data->change.referer_alloc) { Curl_safefree(data->change.referer); @@ -351,14 +353,25 @@ memset(dst->set.str, 0, STRING_LAST * sizeof(char *)); /* duplicate all strings */ - for(i=(enum dupstring)0; i< STRING_LAST; i++) { + for(i=(enum dupstring)0; i< STRING_LASTZEROTERMINATED; i++) { r = setstropt(&dst->set.str[i], src->set.str[i]); if(r != CURLE_OK) - break; + return r; } - /* If a failure occurred, freeing has to be performed externally. */ - return r; + /* duplicate memory areas pointed to */ + i = STRING_COPYPOSTFIELDS; + if(src->set.postfieldsize && src->set.str[i]) { + /* postfieldsize is curl_off_t, Curl_memdup() takes a size_t ... */ + dst->set.str[i] = Curl_memdup(src->set.str[i], + curlx_sotouz(src->set.postfieldsize)); + if(!dst->set.str[i]) + return CURLE_OUT_OF_MEMORY; + /* point to the new copy */ + dst->set.postfields = dst->set.str[i]; + } + + return CURLE_OK; } /* Index: curl-7.35.0/lib/urldata.h =================================================================== --- curl-7.35.0.orig/lib/urldata.h 2014-11-06 10:53:04.237756718 -0500 +++ curl-7.35.0/lib/urldata.h 2014-11-06 10:53:04.233756684 -0500 @@ -1334,7 +1334,6 @@ STRING_KRB_LEVEL, /* krb security level */ STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find $HOME/.netrc */ - STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */ STRING_PROXY, /* proxy to use */ STRING_SET_RANGE, /* range, if used */ STRING_SET_REFERER, /* custom string for the HTTP referer field */ @@ -1376,7 +1375,15 @@ STRING_BEARER, /* , if used */ - /* -- end of strings -- */ + /* -- end of zero-terminated strings -- */ + + STRING_LASTZEROTERMINATED, + + /* -- below this are pointers to binary data that cannot be strdup'ed. + Each such pointer must be added manually to Curl_dupset() --- */ + + STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */ + STRING_LAST /* not used, just an end-of-list marker */ }; Index: curl-7.35.0/src/Makefile.inc =================================================================== --- curl-7.35.0.orig/src/Makefile.inc 2014-11-06 10:53:04.237756718 -0500 +++ curl-7.35.0/src/Makefile.inc 2014-11-06 10:53:04.233756684 -0500 @@ -11,7 +11,6 @@ # the official API, but we re-use the code here to avoid duplication. CURLX_ONES = \ ../lib/strtoofft.c \ - ../lib/strdup.c \ ../lib/rawstr.c \ ../lib/nonblock.c @@ -46,6 +45,7 @@ tool_panykey.c \ tool_paramhlp.c \ tool_parsecfg.c \ + tool_strdup.c \ tool_setopt.c \ tool_sleep.c \ tool_urlglob.c \ @@ -90,6 +90,7 @@ tool_setopt.h \ tool_setup.h \ tool_sleep.h \ + tool_strdup.h \ tool_urlglob.h \ tool_util.h \ tool_version.h \ Index: curl-7.35.0/src/tool_setup.h =================================================================== --- curl-7.35.0.orig/src/tool_setup.h 2014-11-06 10:53:04.237756718 -0500 +++ curl-7.35.0/src/tool_setup.h 2014-11-06 10:53:04.233756684 -0500 @@ -67,8 +67,7 @@ #endif #ifndef HAVE_STRDUP -# include "strdup.h" -# define strdup(ptr) curlx_strdup(ptr) +# include "tool_strdup.h" #endif #endif /* HEADER_CURL_TOOL_SETUP_H */ Index: curl-7.35.0/src/tool_strdup.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/src/tool_strdup.c 2014-11-06 10:53:04.233756684 -0500 @@ -0,0 +1,47 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at http://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ***************************************************************************/ +#include "tool_strdup.h" + +#ifndef HAVE_STRDUP +char *strdup(const char *str) +{ + size_t len; + char *newstr; + + if(!str) + return (char *)NULL; + + len = strlen(str); + + if(len >= ((size_t)-1) / sizeof(char)) + return (char *)NULL; + + newstr = malloc((len+1)*sizeof(char)); + if(!newstr) + return (char *)NULL; + + memcpy(newstr,str,(len+1)*sizeof(char)); + + return newstr; + +} +#endif Index: curl-7.35.0/src/tool_strdup.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/src/tool_strdup.h 2014-11-06 10:53:04.233756684 -0500 @@ -0,0 +1,30 @@ +#ifndef HEADER_TOOL_STRDUP_H +#define HEADER_TOOL_STRDUP_H +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at http://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ***************************************************************************/ +#include "tool_setup.h" + +#ifndef HAVE_STRDUP +extern char *strdup(const char *str); +#endif + +#endif /* HEADER_TOOL_STRDUP_H */ debian/patches/CVE-2018-14618.patch0000644000000000000000000000257313346254275013346 0ustar Backported of: From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 13 Aug 2018 10:35:52 +0200 Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password ... since it would cause an integer overflow if longer than (max size_t / 2). This is CVE-2018-14618 Bug: https://curl.haxx.se/docs/CVE-2018-14618.html Closes #2756 Reported-by: Zhaoyang Wu diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c index 79aeb08..9638949 100644 --- a/lib/curl_ntlm_core.c +++ b/lib/curl_ntlm_core.c @@ -377,6 +377,15 @@ static void ascii_to_unicode_le(unsigned char *dest, const char *src, } } +#ifndef SIZE_T_MAX +/* some limits.h headers have this defined, some don't */ +#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) +#define SIZE_T_MAX 18446744073709551615U +#else +#define SIZE_T_MAX 4294967295U +#endif +#endif + /* * Set up nt hashed passwords */ @@ -385,8 +394,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct SessionHandle *data, unsigned char *ntbuffer /* 21 bytes */) { size_t len = strlen(password); - unsigned char *pw = malloc(len * 2); + unsigned char *pw; CURLcode result; + if(len > SIZE_T_MAX/2) /* avoid integer overflow */ + return CURLE_OUT_OF_MEMORY; + pw = len ? malloc(len * 2) : strdup(""); if(!pw) return CURLE_OUT_OF_MEMORY; debian/patches/CVE-2014-8150.patch0000644000000000000000000001263312455471714013251 0ustar Description: fix URL request injection Origin: backport, https://github.com/bagder/curl/commit/178bd7db34f77e020fb8562890c5625ccbd67093 Origin: backport, https://github.com/bagder/curl/commit/3df8e78860d3a3d3cf95252bd2b4ad5fd53360cd Index: curl-7.35.0/lib/url.c =================================================================== --- curl-7.35.0.orig/lib/url.c 2015-01-14 08:48:08.506540363 -0500 +++ curl-7.35.0/lib/url.c 2015-01-14 08:48:08.502540334 -0500 @@ -3710,6 +3710,13 @@ *prot_missing = FALSE; + /* We might pass the entire URL into the request so we need to make sure + * there are no bad characters in there.*/ + if(strpbrk(data->change.url, "\r\n")) { + failf(data, "Illegal characters found in URL"); + return CURLE_URL_MALFORMAT; + } + /************************************************************* * Parse the URL. * Index: curl-7.35.0/tests/data/Makefile.am =================================================================== --- curl-7.35.0.orig/tests/data/Makefile.am 2015-01-14 08:48:08.506540363 -0500 +++ curl-7.35.0/tests/data/Makefile.am 2015-01-14 08:48:35.486745922 -0500 @@ -123,7 +123,7 @@ test1416 test1417 test1418 test1419 \ \ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ -test1508 test1509 test1510 test1511 test1512 test1513 test1514 \ +test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1529 \ \ test1900 test1901 test1902 test1903 \ \ Index: curl-7.35.0/tests/data/test1529 =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/data/test1529 2015-01-14 08:48:08.502540334 -0500 @@ -0,0 +1,43 @@ + + + +HTTP +HTTP GET +HTTP proxy + + + +# Server-side + + +HTTP/1.1 200 OK +We-are: good + + + + +# Client-side + + +http +http-proxy + + +lib1529 + + +HTTP request-injection in URL sent over proxy + + + "http://the.old.moo:%HTTPPORT/1529" %HOSTIP:%PROXYPORT + + + +# it should be detected and an error should be reported + +# 3 == CURLE_URL_MALFORMAT + +3 + + + Index: curl-7.35.0/tests/libtest/Makefile.inc =================================================================== --- curl-7.35.0.orig/tests/libtest/Makefile.inc 2015-01-14 08:48:08.506540363 -0500 +++ curl-7.35.0/tests/libtest/Makefile.inc 2015-01-14 08:48:45.318820813 -0500 @@ -21,7 +21,7 @@ lib571 lib572 lib573 lib574 lib575 lib576 lib578 lib579 lib582 \ lib583 lib585 lib586 lib587 lib590 lib591 lib597 lib598 lib599 \ lib1500 lib1501 lib1502 lib1503 lib1504 lib1505 lib1506 lib1507 lib1508 \ - lib1509 lib1510 lib1511 lib1512 lib1513 lib1514 \ + lib1509 lib1510 lib1511 lib1512 lib1513 lib1514 lib1529 \ lib1900 \ lib2033 @@ -351,6 +351,10 @@ lib1514_LDADD = $(TESTUTIL_LIBS) lib1514_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1514 +lib1529_SOURCES = lib1529.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +lib1529_LDADD = $(TESTUTIL_LIBS) +lib1529_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1529 + lib1900_SOURCES = lib1900.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1900_LDADD = $(TESTUTIL_LIBS) lib1900_CPPFLAGS = $(AM_CPPFLAGS) Index: curl-7.35.0/tests/libtest/lib1529.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ curl-7.35.0/tests/libtest/lib1529.c 2015-01-14 08:48:08.502540334 -0500 @@ -0,0 +1,59 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at http://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ***************************************************************************/ + +#include "test.h" + +#include "memdebug.h" + +int test(char *URL) +{ + CURL *curl = NULL; + CURLcode res = CURLE_FAILED_INIT; + char bURL[512]; + snprintf(bURL, sizeof(bURL), "%s HTTP/1.1\r\nGET http://1529.com/1529", URL); + + if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { + fprintf(stderr, "curl_global_init() failed\n"); + return TEST_ERR_MAJOR_BAD; + } + + if((curl = curl_easy_init()) == NULL) { + fprintf(stderr, "curl_easy_init() failed\n"); + curl_global_cleanup(); + return TEST_ERR_MAJOR_BAD; + } + + test_setopt(curl, CURLOPT_URL, bURL); + test_setopt(curl, CURLOPT_PROXY, libtest_arg2); + test_setopt(curl, CURLOPT_VERBOSE, 1L); + test_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP); + test_setopt(curl, CURLOPT_HEADER, 1L); + + res = curl_easy_perform(curl); + +test_cleanup: + + curl_easy_cleanup(curl); + curl_global_cleanup(); + + return (int)res; +} debian/patches/CVE-2016-8616.patch0000644000000000000000000000404013006434066013243 0ustar Backport of: From cef510beb222ab5750afcac2c74fcbcdc31ada64 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 27 Sep 2016 18:01:53 +0200 Subject: [PATCH] connectionexists: use case sensitive user/password comparisons CVE-2016-8616 Bug: https://curl.haxx.se/docs/adv_20161102B.html Reported-by: Cure53 --- lib/url.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) Index: curl-7.35.0/lib/url.c =================================================================== --- curl-7.35.0.orig/lib/url.c 2016-11-02 15:02:12.133320067 -0400 +++ curl-7.35.0/lib/url.c 2016-11-02 15:02:12.133320067 -0400 @@ -3062,8 +3062,8 @@ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { /* This protocol requires credentials per connection, so verify that we're using the same name and password as well */ - if(!strequal(needle->user, check->user) || - !strequal(needle->passwd, check->passwd)) { + if(strcmp(needle->user, check->user) || + strcmp(needle->passwd, check->passwd)) { /* one of them was different */ continue; } @@ -3124,8 +3124,8 @@ possible. (Especially we must not reuse the same connection if partway through a handshake!) */ if(wantNTLMhttp) { - if(!strequal(needle->user, check->user) || - !strequal(needle->passwd, check->passwd)) + if(strcmp(needle->user, check->user) || + strcmp(needle->passwd, check->passwd)) continue; } else if(check->ntlm.state != NTLMSTATE_NONE) { @@ -3135,8 +3135,8 @@ /* Same for Proxy NTLM authentication */ if(wantProxyNTLMhttp) { - if(!strequal(needle->proxyuser, check->proxyuser) || - !strequal(needle->proxypasswd, check->proxypasswd)) + if(strcmp(needle->proxyuser, check->proxyuser) || + strcmp(needle->proxypasswd, check->proxypasswd)) continue; } else if(check->proxyntlm.state != NTLMSTATE_NONE) { debian/patches/libcurl_broken_pkcs12.patch0000644000000000000000000000122112703163614016014 0ustar commit 52d16c84d21ceb670914b56275b579535b271550 Author: Daniel Stenberg Date: Mon May 12 13:04:27 2014 +0200 openssl: unbreak PKCS12 support Regression introduced in ce362e8eb9c (7.31.0) Bug: http://curl.haxx.se/bug/view.cgi?id=1371 Reported-by: Dmitry diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 5a66566..d13436d 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -538,6 +538,7 @@ int cert_stuff(struct connectdata *conn, if(!cert_done) return 0; /* failure! */ + break; #else failf(data, "file type P12 for certificate not supported"); return 0; debian/libcurl3.links0000755000000000000000000000014212272152435011752 0ustar #!/bin/sh echo usr/lib/$DEB_HOST_MULTIARCH/libcurl.so.4 usr/lib/$DEB_HOST_MULTIARCH/libcurl.so.3 debian/libcurl4-nss-dev.links0000755000000000000000000000042412272152435013333 0ustar #!/bin/sh echo /usr/lib/$DEB_HOST_MULTIARCH/libcurl-nss.a /usr/lib/$DEB_HOST_MULTIARCH/libcurl.a echo /usr/lib/$DEB_HOST_MULTIARCH/libcurl-nss.la /usr/lib/$DEB_HOST_MULTIARCH/libcurl.la echo /usr/lib/$DEB_HOST_MULTIARCH/libcurl-nss.so /usr/lib/$DEB_HOST_MULTIARCH/libcurl.so debian/libcurl4-doc.docs0000644000000000000000000000030012272152435012317 0ustar README docs/BINDINGS docs/BUGS docs/CONTRIBUTE docs/FAQ docs/FEATURES docs/HISTORY docs/INTERNALS docs/KNOWN_BUGS docs/RESOURCES docs/THANKS docs/TODO docs/VERSIONS docs/TheArtOfHttpScripting debian/libcurl3-gnutls.links0000755000000000000000000000016012272152435013264 0ustar #!/bin/sh echo usr/lib/$DEB_HOST_MULTIARCH/libcurl-gnutls.so.4 usr/lib/$DEB_HOST_MULTIARCH/libcurl-gnutls.so.3 debian/libcurl3-nss.symbols0000644000000000000000000000427412272152435013132 0ustar libcurl-nss.so.4 libcurl3-nss #MINVER# CURL_NSS_3@CURL_NSS_3 7.23.1 HIDDEN@HIDDEN 7.23.1 curl_easy_cleanup@CURL_NSS_3 7.23.1 curl_easy_duphandle@CURL_NSS_3 7.23.1 curl_easy_escape@CURL_NSS_3 7.23.1 curl_easy_getinfo@CURL_NSS_3 7.23.1 curl_easy_init@CURL_NSS_3 7.23.1 curl_easy_pause@CURL_NSS_3 7.23.1 curl_easy_perform@CURL_NSS_3 7.23.1 curl_easy_recv@CURL_NSS_3 7.23.1 curl_easy_reset@CURL_NSS_3 7.23.1 curl_easy_send@CURL_NSS_3 7.23.1 curl_easy_setopt@CURL_NSS_3 7.23.1 curl_easy_strerror@CURL_NSS_3 7.23.1 curl_easy_unescape@CURL_NSS_3 7.23.1 curl_escape@CURL_NSS_3 7.23.1 curl_formadd@CURL_NSS_3 7.23.1 curl_formfree@CURL_NSS_3 7.23.1 curl_formget@CURL_NSS_3 7.23.1 curl_free@CURL_NSS_3 7.23.1 curl_getdate@CURL_NSS_3 7.23.1 curl_getenv@CURL_NSS_3 7.23.1 curl_global_cleanup@CURL_NSS_3 7.23.1 curl_global_init@CURL_NSS_3 7.23.1 curl_global_init_mem@CURL_NSS_3 7.23.1 curl_jmpenv@CURL_NSS_3 7.23.1 curl_maprintf@CURL_NSS_3 7.23.1 curl_mfprintf@CURL_NSS_3 7.23.1 curl_mprintf@CURL_NSS_3 7.23.1 curl_msnprintf@CURL_NSS_3 7.23.1 curl_msprintf@CURL_NSS_3 7.23.1 curl_multi_add_handle@CURL_NSS_3 7.23.1 curl_multi_assign@CURL_NSS_3 7.23.1 curl_multi_cleanup@CURL_NSS_3 7.23.1 curl_multi_fdset@CURL_NSS_3 7.23.1 curl_multi_info_read@CURL_NSS_3 7.23.1 curl_multi_init@CURL_NSS_3 7.23.1 curl_multi_perform@CURL_NSS_3 7.23.1 curl_multi_remove_handle@CURL_NSS_3 7.23.1 curl_multi_setopt@CURL_NSS_3 7.23.1 curl_multi_socket@CURL_NSS_3 7.23.1 curl_multi_socket_action@CURL_NSS_3 7.23.1 curl_multi_socket_all@CURL_NSS_3 7.23.1 curl_multi_strerror@CURL_NSS_3 7.23.1 curl_multi_timeout@CURL_NSS_3 7.23.1 curl_multi_wait@CURL_NSS_3 7.28.0 curl_mvaprintf@CURL_NSS_3 7.23.1 curl_mvfprintf@CURL_NSS_3 7.23.1 curl_mvprintf@CURL_NSS_3 7.23.1 curl_mvsnprintf@CURL_NSS_3 7.23.1 curl_mvsprintf@CURL_NSS_3 7.23.1 curl_share_cleanup@CURL_NSS_3 7.23.1 curl_share_init@CURL_NSS_3 7.23.1 curl_share_setopt@CURL_NSS_3 7.23.1 curl_share_strerror@CURL_NSS_3 7.23.1 curl_slist_append@CURL_NSS_3 7.23.1 curl_slist_free_all@CURL_NSS_3 7.23.1 curl_strequal@CURL_NSS_3 7.23.1 curl_strnequal@CURL_NSS_3 7.23.1 curl_unescape@CURL_NSS_3 7.23.1 curl_version@CURL_NSS_3 7.23.1 curl_version_info@CURL_NSS_3 7.23.1 debian/curl.manpages0000644000000000000000000000001412272152435011646 0ustar docs/curl.1 debian/libcurl4-doc.install0000644000000000000000000000034612272152435013047 0ustar ../../docs/*.html usr/share/doc/libcurl4-doc/html ../../docs/*.pdf usr/share/doc/libcurl4-doc/pdf ../../docs/libcurl/*.html usr/share/doc/libcurl4-doc/libcurl/html ../../docs/libcurl/*.pdf usr/share/doc/libcurl4-doc/libcurl/pdf debian/libcurl4-nss-dev.install0000644000000000000000000000027112272152435013656 0ustar usr/bin/curl-config usr/lib/*/libcurl-nss.a usr/lib/*/libcurl-nss.la usr/lib/*/libcurl-nss.so usr/lib/*/pkgconfig/libcurl.pc usr/include ../../docs/libcurl/libcurl.m4 usr/share/aclocal debian/compat0000644000000000000000000000000212272152435010367 0ustar 9 debian/copyright0000644000000000000000000002661312272152435011134 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: curl Source: http://curl.haxx.se Files: * Copyright: 1996-2013, Daniel Stenberg License: curl Files: lib/axtls.* Copyright: 2010, DirecTV License: curl Files: lib/curl_darwinssl.* Copyright: 2012, Nick Zitzmann 2012, Daniel Stenberg License: curl Files: lib/curl_rtmp.* Copyright: 2010, Howard Chu License: curl Files: lib/curl_schannel.* Copyright: 2012, Marc Hoersken 2012, Mark Salisbury 2012, Daniel Stenberg License: curl Files: lib/inet_pton.c lib/inet_ntop.c Copyright: 1996-2001 Internet Software Consortium License: ISC Files: lib/krb5.c lib/krb4.c lib/security.c Copyright: 2004-2011 Daniel Stenberg 1995-1999 Kungliga Tekniska Högskolan License: BSD-3-Clause Files: lib/md4.c Copyright: 1990-1992, RSA Data Security, Inc License: License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD4 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. . License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD4 Message-Digest Algorithm" in all material mentioning or referencing the derived work. . RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. . These notices must be retained in any copies of any part of this documentation and/or software. Files: lib/openldap.* Copyright: 2011-2012, Daniel Stenberg 2010, Howard Chu License: curl Files: lib/polarssl.* Copyright: 2010-2011, Hoi-Ho Chan 2012, Daniel Stenberg License: curl Files: lib/socks_gssapi.c lib/socks_sspi.* Copyright: 2009, 2011, Markus Moeller, 2012, Daniel Stenberg, License: curl Files: tests/certs/scripts/genroot.sh tests/certs/scripts/genserv.sh Copyright: 2000-2009, EdelWeb for EdelKey and OpenEvidence License: curl Files: tests/server/tftpd.c Copyright: 1983 Regents of the University of California License: BSD-4-Clause Files: tests/server/fake_ntlm.c Copyright: 1998-2010, Mandy Wu 2011-2012, Daniel Stenberg License: curl Files: docs/examples/fopen.c Copyright: 2003, Simtec Electronics License: BSD-3-Clause Files: docs/examples/rtsp.c Copyright: 2011, Jim Hollinger License: BSD-3-Clause Files: docs/examples/curlgtk.c Copyright: 2003, The OpenEvidence Project License: curl Files: docs/examples/curlx.c Copyright: 2003, The OpenEvidence Project License: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . 1. Redistributions of source code must retain the above copyright notice, this list of conditions, the following disclaimer, and the original OpenSSL and SSLeay Licences below. . 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, the following disclaimer and the original OpenSSL and SSLeay Licences below in the documentation and/or other materials provided with the distribution. . 3. All advertising materials mentioning features or use of this software must display the following acknowledgments: "This product includes software developed by the Openevidence Project for use in the OpenEvidence Toolkit. (http://www.openevidence.org/)" This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)" This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com)." . 4. The names "OpenEvidence Toolkit" and "OpenEvidence Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openevidence-core@openevidence.org. . 5. Products derived from this software may not be called "OpenEvidence" nor may "OpenEvidence" appear in their names without prior written permission of the OpenEvidence Project. . 6. Redistributions of any form whatsoever must retain the following acknowledgments: "This product includes software developed by the OpenEvidence Project for use in the OpenEvidence Toolkit (http://www.openevidence.org/) This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)" This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com)." . THIS SOFTWARE IS PROVIDED BY THE OpenEvidence PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenEvidence PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Files: src/macos/src/macos_main.cpp Copyright: 2001, Eric Lavigne License: Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the following restrictions: - The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from defects in it. - The origin of this software must not be misrepresented, either by explicit claim or by omission. - You are allowed to distributed modified copies of the software, in source and binary form, provided they are marked plainly as altered versions, and are not misrepresented as being the original software. Files: debian/* Copyright: 2000-2010, Domenico Andreoli 2010-2011, Ramakrishnan Muthukrishnan 2011, Alessandro Ghedini License: curl License: curl All rights reserved. . Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. . THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. . Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. License: BSD-3-Clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. . 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. . 3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. License: BSD-4-Clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. . 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. . 3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. . 4. Neither the name of the nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. License: ISC Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. . THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. debian/libcurl4-doc.links0000644000000000000000000000131612272152435012517 0ustar /usr/share/man/man3/curl_strequal.3 /usr/share/man/man3/curl_strnequal.3 /usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_maprintf.3 /usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mfprintf.3 /usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_msnprintf.3 /usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_msprintf.3 /usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mvaprintf.3 /usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mvfprintf.3 /usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mvprintf.3 /usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mvsnprintf.3 /usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mvsprintf.3 debian/libcurl4-doc.manpages0000644000000000000000000000002112272152435013162 0ustar docs/libcurl/*.3 debian/libcurl4-doc.examples0000644000000000000000000000002012272152435013204 0ustar docs/examples/* debian/libcurl4-openssl-dev.install0000644000000000000000000000025512272152435014540 0ustar usr/bin/curl-config usr/lib/*/libcurl.a usr/lib/*/libcurl.la usr/lib/*/libcurl.so usr/lib/*/pkgconfig/libcurl.pc usr/include ../../docs/libcurl/libcurl.m4 usr/share/aclocal debian/source/0000755000000000000000000000000012272152435010471 5ustar debian/source/format0000644000000000000000000000001412272152435011677 0ustar 3.0 (quilt) debian/NEWS0000644000000000000000000000171312272152435007672 0ustar curl (7.32.0-1) unstable; urgency=low From this version the threaded DNS resolver will be used. This allows for asynchronous DNS queries and also fixes possible issues related to handling time outs of DNS lookups. The threaded resolver was chosen instead of the event-based one (which uses the c-ares library) because c-ares currently lacks somewhat important features, such as support for the Name Service Switch system. -- Alessandro Ghedini Mon, 12 Aug 2013 11:08:09 +0200 curl (7.28.1-1) experimental; urgency=low From this version the CURLOPT_SSL_VERIFYHOST option will stop accepting "1" as a valid value. From the documentation: > When the value is 1, libcurl will return a failure. It was previously (in > 7.28.0 and earlier) a debug option of some sorts, but it is no longer > supported due to frequently leading to programmer mistakes. -- Alessandro Ghedini Mon, 26 Nov 2012 17:46:27 +0100 debian/libcurl3-nss.links0000755000000000000000000000015212272152435012554 0ustar #!/bin/sh echo usr/lib/$DEB_HOST_MULTIARCH/libcurl-nss.so.4 usr/lib/$DEB_HOST_MULTIARCH/libcurl-nss.so.3 debian/libcurl3-gnutls.symbols0000644000000000000000000000457412272152435013646 0ustar libcurl-gnutls.so.4 libcurl3-gnutls #MINVER# CURL_GNUTLS_3@CURL_GNUTLS_3 7.16.2 HIDDEN@HIDDEN 7.16.2 curl_easy_cleanup@CURL_GNUTLS_3 7.16.2 curl_easy_duphandle@CURL_GNUTLS_3 7.16.2 curl_easy_escape@CURL_GNUTLS_3 7.16.2 curl_easy_getinfo@CURL_GNUTLS_3 7.16.2 curl_easy_init@CURL_GNUTLS_3 7.16.2 curl_easy_pause@CURL_GNUTLS_3 7.18.0 curl_easy_perform@CURL_GNUTLS_3 7.16.2 curl_easy_recv@CURL_GNUTLS_3 7.18.2 curl_easy_reset@CURL_GNUTLS_3 7.16.2 curl_easy_send@CURL_GNUTLS_3 7.18.2 curl_easy_setopt@CURL_GNUTLS_3 7.16.2 curl_easy_strerror@CURL_GNUTLS_3 7.16.2 curl_easy_unescape@CURL_GNUTLS_3 7.16.2 curl_escape@CURL_GNUTLS_3 7.16.2 curl_formadd@CURL_GNUTLS_3 7.16.2 curl_formfree@CURL_GNUTLS_3 7.16.2 curl_formget@CURL_GNUTLS_3 7.16.2 curl_free@CURL_GNUTLS_3 7.16.2 curl_getdate@CURL_GNUTLS_3 7.16.2 curl_getenv@CURL_GNUTLS_3 7.16.2 curl_global_cleanup@CURL_GNUTLS_3 7.16.2 curl_global_init@CURL_GNUTLS_3 7.16.2 curl_global_init_mem@CURL_GNUTLS_3 7.16.2 curl_jmpenv@CURL_GNUTLS_3 7.16.2 curl_maprintf@CURL_GNUTLS_3 7.16.2 curl_mfprintf@CURL_GNUTLS_3 7.16.2 curl_mprintf@CURL_GNUTLS_3 7.16.2 curl_msnprintf@CURL_GNUTLS_3 7.16.2 curl_msprintf@CURL_GNUTLS_3 7.16.2 curl_multi_add_handle@CURL_GNUTLS_3 7.16.2 curl_multi_assign@CURL_GNUTLS_3 7.16.2 curl_multi_cleanup@CURL_GNUTLS_3 7.16.2 curl_multi_fdset@CURL_GNUTLS_3 7.16.2 curl_multi_info_read@CURL_GNUTLS_3 7.16.2 curl_multi_init@CURL_GNUTLS_3 7.16.2 curl_multi_perform@CURL_GNUTLS_3 7.16.2 curl_multi_remove_handle@CURL_GNUTLS_3 7.16.2 curl_multi_setopt@CURL_GNUTLS_3 7.16.2 curl_multi_socket@CURL_GNUTLS_3 7.16.2 curl_multi_socket_action@CURL_GNUTLS_3 7.16.3 curl_multi_socket_all@CURL_GNUTLS_3 7.16.2 curl_multi_strerror@CURL_GNUTLS_3 7.16.2 curl_multi_timeout@CURL_GNUTLS_3 7.16.2 curl_multi_wait@CURL_GNUTLS_3 7.28.0 curl_mvaprintf@CURL_GNUTLS_3 7.16.2 curl_mvfprintf@CURL_GNUTLS_3 7.16.2 curl_mvprintf@CURL_GNUTLS_3 7.16.2 curl_mvsnprintf@CURL_GNUTLS_3 7.16.2 curl_mvsprintf@CURL_GNUTLS_3 7.16.2 curl_share_cleanup@CURL_GNUTLS_3 7.16.2 curl_share_init@CURL_GNUTLS_3 7.16.2 curl_share_setopt@CURL_GNUTLS_3 7.16.2 curl_share_strerror@CURL_GNUTLS_3 7.16.2 curl_slist_append@CURL_GNUTLS_3 7.16.2 curl_slist_free_all@CURL_GNUTLS_3 7.16.2 curl_strequal@CURL_GNUTLS_3 7.16.2 curl_strnequal@CURL_GNUTLS_3 7.16.2 curl_unescape@CURL_GNUTLS_3 7.16.2 curl_version@CURL_GNUTLS_3 7.16.2 curl_version_info@CURL_GNUTLS_3 7.16.2 debian/libcurl3.install0000644000000000000000000000003012272152435012271 0ustar usr/lib/*/libcurl.so.4* debian/libcurl3.lintian-overrides0000644000000000000000000000006512272152435014271 0ustar libcurl3: package-name-doesnt-match-sonames libcurl4 debian/libcurl4-gnutls-dev.install0000644000000000000000000000030212272152435014362 0ustar usr/bin/curl-config usr/lib/*/libcurl-gnutls.a usr/lib/*/libcurl-gnutls.la usr/lib/*/libcurl-gnutls.so usr/lib/*/pkgconfig/libcurl.pc usr/include ../../docs/libcurl/libcurl.m4 usr/share/aclocal debian/libcurl3.symbols0000644000000000000000000000465412272152435012333 0ustar libcurl.so.4 libcurl3 #MINVER# CURL_OPENSSL_3@CURL_OPENSSL_3 7.16.2 HIDDEN@HIDDEN 7.16.2 curl_easy_cleanup@CURL_OPENSSL_3 7.16.2 curl_easy_duphandle@CURL_OPENSSL_3 7.16.2 curl_easy_escape@CURL_OPENSSL_3 7.16.2 curl_easy_getinfo@CURL_OPENSSL_3 7.16.2 curl_easy_init@CURL_OPENSSL_3 7.16.2 curl_easy_pause@CURL_OPENSSL_3 7.18.0 curl_easy_perform@CURL_OPENSSL_3 7.16.2 curl_easy_recv@CURL_OPENSSL_3 7.18.2 curl_easy_reset@CURL_OPENSSL_3 7.16.2 curl_easy_send@CURL_OPENSSL_3 7.18.2 curl_easy_setopt@CURL_OPENSSL_3 7.16.2 curl_easy_strerror@CURL_OPENSSL_3 7.16.2 curl_easy_unescape@CURL_OPENSSL_3 7.16.2 curl_escape@CURL_OPENSSL_3 7.16.2 curl_formadd@CURL_OPENSSL_3 7.16.2 curl_formfree@CURL_OPENSSL_3 7.16.2 curl_formget@CURL_OPENSSL_3 7.16.2 curl_free@CURL_OPENSSL_3 7.16.2 curl_getdate@CURL_OPENSSL_3 7.16.2 curl_getenv@CURL_OPENSSL_3 7.16.2 curl_global_cleanup@CURL_OPENSSL_3 7.16.2 curl_global_init@CURL_OPENSSL_3 7.16.2 curl_global_init_mem@CURL_OPENSSL_3 7.16.2 curl_jmpenv@CURL_OPENSSL_3 7.16.2 curl_maprintf@CURL_OPENSSL_3 7.16.2 curl_mfprintf@CURL_OPENSSL_3 7.16.2 curl_mprintf@CURL_OPENSSL_3 7.16.2 curl_msnprintf@CURL_OPENSSL_3 7.16.2 curl_msprintf@CURL_OPENSSL_3 7.16.2 curl_multi_add_handle@CURL_OPENSSL_3 7.16.2 curl_multi_assign@CURL_OPENSSL_3 7.16.2 curl_multi_cleanup@CURL_OPENSSL_3 7.16.2 curl_multi_fdset@CURL_OPENSSL_3 7.16.2 curl_multi_info_read@CURL_OPENSSL_3 7.16.2 curl_multi_init@CURL_OPENSSL_3 7.16.2 curl_multi_perform@CURL_OPENSSL_3 7.16.2 curl_multi_remove_handle@CURL_OPENSSL_3 7.16.2 curl_multi_setopt@CURL_OPENSSL_3 7.16.2 curl_multi_socket@CURL_OPENSSL_3 7.16.2 curl_multi_socket_action@CURL_OPENSSL_3 7.16.3 curl_multi_socket_all@CURL_OPENSSL_3 7.16.2 curl_multi_strerror@CURL_OPENSSL_3 7.16.2 curl_multi_timeout@CURL_OPENSSL_3 7.16.2 curl_multi_wait@CURL_OPENSSL_3 7.28.0 curl_mvaprintf@CURL_OPENSSL_3 7.16.2 curl_mvfprintf@CURL_OPENSSL_3 7.16.2 curl_mvprintf@CURL_OPENSSL_3 7.16.2 curl_mvsnprintf@CURL_OPENSSL_3 7.16.2 curl_mvsprintf@CURL_OPENSSL_3 7.16.2 curl_share_cleanup@CURL_OPENSSL_3 7.16.2 curl_share_init@CURL_OPENSSL_3 7.16.2 curl_share_setopt@CURL_OPENSSL_3 7.16.2 curl_share_strerror@CURL_OPENSSL_3 7.16.2 curl_slist_append@CURL_OPENSSL_3 7.16.2 curl_slist_free_all@CURL_OPENSSL_3 7.16.2 curl_strequal@CURL_OPENSSL_3 7.16.2 curl_strnequal@CURL_OPENSSL_3 7.16.2 curl_unescape@CURL_OPENSSL_3 7.16.2 curl_version@CURL_OPENSSL_3 7.16.2 curl_version_info@CURL_OPENSSL_3 7.16.2 debian/libcurl4-gnutls-dev.manpages0000644000000000000000000000002312272152435014507 0ustar docs/curl-config.1 debian/libcurl3-gnutls.lintian-overrides0000644000000000000000000000010312272152435015574 0ustar libcurl3-gnutls: package-name-doesnt-match-sonames libcurl-gnutls4 debian/changelog0000644000000000000000000023651213424056456011062 0ustar curl (7.35.0-1ubuntu2.20) trusty-security; urgency=medium * SECURITY UPDATE: SMTP end-of-response out-of-bounds read - debian/patches/CVE-2019-3823.patch: avoid risk of buffer overflow in strtol in lib/smtp.c. - CVE-2019-3823 -- Marc Deslauriers Tue, 29 Jan 2019 09:03:19 -0500 curl (7.35.0-1ubuntu2.19) trusty-security; urgency=medium * SECURITY UPDATE: SASL password overflow via integer overflow - debian/patches/CVE-2018-16839-pre1.patch: prevent size overflows in lib/curl_sasl.c. - debian/patches/CVE-2018-16839-pre2.patch: fix integer overflow check in lib/curl_ntlm_core.c, lib/curl_setup.h, lib/curl_sasl.c. - debian/patches/CVE-2018-16839.patch: fix check in lib/curl_sasl.c. - CVE-2018-16839 * SECURITY UPDATE: warning message out-of-buffer read - debian/patches/oob-read.patch: fix bad arithmetic in src/tool_msgs.c. - CVE number pending -- Marc Deslauriers Mon, 29 Oct 2018 08:15:06 -0400 curl (7.35.0-1ubuntu2.17) trusty-security; urgency=medium * SECURITY UPDATE: Buffer overrun - debian/patches/CVE-2018-14618.patch: fix in lib/curl_ntlm_core.c. - CVE-2018-14618 -- Leonidas S. Barbosa Wed, 12 Sep 2018 15:20:26 -0300 curl (7.35.0-1ubuntu2.16) trusty-security; urgency=medium * SECURITY UPDATE: RTSP bad headers buffer over-read - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when bad response-line is parsed in lib/http.c. - CVE-2018-1000301 -- Marc Deslauriers Tue, 08 May 2018 14:05:52 -0400 curl (7.35.0-1ubuntu2.15) trusty-security; urgency=medium * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write - debian/patches/CVE-2018-1000120-pre1.patch: avoid using curl_easy_unescape() internally in lib/ftp.c. - debian/patches/CVE-2018-1000120-pre2.patch: URL decode path for dir listing in nocwd mode in lib/ftp.c, add test to tests/*. - debian/patches/CVE-2018-1000120-pre3.patch: remove dead code in ftp_done in lib/ftp.c. - debian/patches/CVE-2018-1000120-pre4.patch: don't clobber the passed in error code in lib/ftp.c. - debian/patches/CVE-2018-1000120.patch: reject path components with control codes in lib/ftp.c, add test to tests/*. - CVE-2018-1000120 * SECURITY UPDATE: LDAP NULL pointer dereference - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber() results for NULL before using in lib/openldap.c. - CVE-2018-1000121 * SECURITY UPDATE: RTSP RTP buffer over-read - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't go beyond buffer end in lib/transfer.c. - CVE-2018-1000122 -- Marc Deslauriers Wed, 14 Mar 2018 09:18:48 -0400 curl (7.35.0-1ubuntu2.14) trusty-security; urgency=medium * SECURITY UPDATE: leak authentication data - debian/patches/CVE-2018-1000007.patch: prevent custom authorization headers in redirects in lib/http.c, lib/url.c, lib/urldata.h, tests/data/Makefile.in, tests/data/test317, tests/data/test318. - CVE-2018-1000007 -- Leonidas S. Barbosa Mon, 29 Jan 2018 17:53:40 -0300 curl (7.35.0-1ubuntu2.13) trusty-security; urgency=medium * SECURITY UPDATE: FTP wildcard out of bounds read - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in setcharset in lib/curl_fnmatch.c, added tests to tests/data/Makefile.am, tests/data/test1163. - CVE-2017-8817 -- Marc Deslauriers Tue, 28 Nov 2017 08:05:35 -0500 curl (7.35.0-1ubuntu2.12) trusty-security; urgency=medium * SECURITY UPDATE: IMAP FETCH response out of bounds read - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c. - CVE-2017-1000257 -- Marc Deslauriers Tue, 17 Oct 2017 13:54:46 -0400 curl (7.35.0-1ubuntu2.11) trusty-security; urgency=medium * SECURITY UPDATE: printf floating point buffer overflow - debian/patches/CVE-2016-9586.patch: fix floating point buffer overflow issues in lib/mprintf.c, added test to tests/data/test557, tests/libtest/lib557.c. - CVE-2016-9586 * SECURITY UPDATE: TFTP sends more than buffer size - debian/patches/CVE-2017-1000100.patch: reject file name lengths that don't fit in lib/tftp.c. - CVE-2017-1000100 * SECURITY UPDATE: URL globbing out of bounds read - debian/patches/CVE-2017-1000101.patch: do not continue parsing after a strtoul() overflow range in src/tool_urlglob.c, added test to tests/data/Makefile.am, tests/data/test1289. - CVE-2017-1000101 * SECURITY UPDATE: FTP PWD response parser out of bounds read - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path even on bad input in lib/ftp.c, added test to tests/data/Makefile.am, tests/data/test1152. - CVE-2017-1000254 * SECURITY UPDATE: --write-out out of buffer read - debian/patches/CVE-2017-7407-1.patch: fix a buffer read overrun in src/tool_writeout.c added test to tests/data/Makefile.am, tests/data/test1440, tests/data/test1441. - debian/patches/CVE-2017-7407-2.patch: check for end of input in src/tool_writeout.c added test to tests/data/Makefile.am, tests/data/test1442. - CVE-2017-7407 -- Marc Deslauriers Wed, 04 Oct 2017 09:02:01 -0400 curl (7.35.0-1ubuntu2.10) trusty-security; urgency=medium * SECURITY UPDATE: Incorrect reuse of client certificates with NSS - debian/patches/CVE-2016-7141.patch: refuse previously loaded certificate from file in lib/vtls/nss.c. - CVE-2016-7141 * SECURITY UPDATE: curl escape and unescape integer overflows - debian/patches/CVE-2016-7167.patch: deny negative string length inputs in lib/escape.c. - CVE-2016-7167 * SECURITY UPDATE: cookie injection for other servers - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in lib/cookie.c. - CVE-2016-8615 * SECURITY UPDATE: case insensitive password comparison - debian/patches/CVE-2016-8616.patch: use case sensitive user/password comparisons in lib/url.c. - CVE-2016-8616 * SECURITY UPDATE: OOB write via unchecked multiplication - debian/patches/CVE-2016-8617.patch: check for integer overflow on large input in lib/base64.c. - CVE-2016-8617 * SECURITY UPDATE: double-free in curl_maprintf - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing allocation in lib/mprintf.c. - CVE-2016-8618 * SECURITY UPDATE: double-free in krb5 code - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c. - CVE-2016-8619 * SECURITY UPDATE: glob parser write/read out of bounds - debian/patches/CVE-2016-8620.patch: stay within bounds in src/tool_urlglob.c. - CVE-2016-8620 * SECURITY UPDATE: curl_getdate read out of bounds - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in lib/parsedate.c, added tests to tests/data/test517, tests/libtest/lib517.c. - CVE-2016-8621 * SECURITY UPDATE: URL unescape heap overflow via integer truncation - debian/patches/CVE-2016-8622.patch: avoid integer overflow in lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3. - CVE-2016-8622 * SECURITY UPDATE: Use-after-free via shared cookies - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies in lib/cookie.c, lib/cookie.h, lib/http.c. - CVE-2016-8623 * SECURITY UPDATE: invalid URL parsing with # - debian/patches/CVE-2016-8624.patch: accept # as end of host name in lib/url.c. - CVE-2016-8624 -- Marc Deslauriers Wed, 02 Nov 2016 15:17:12 -0400 curl (7.35.0-1ubuntu2.9) trusty; urgency=medium [ Joe Afflerbach ] * debian/patches/curl-chunk-fix.patch: - fix problem with chunked encoded data (LP: #1613698) -- Gianfranco Costamagna Sun, 28 Aug 2016 21:27:34 +0200 curl (7.35.0-1ubuntu2.8) trusty-security; urgency=medium * SECURITY UPDATE: TLS session resumption client cert bypass - debian/patches/CVE-2016-5419.patch: switch off SSL session id when client cert is used in lib/url.c, lib/urldata.h, lib/vtls/vtls.c. - CVE-2016-5419 * SECURITY UPDATE: re-using connections with wrong client cert - debian/patches/CVE-2016-5420.patch: only reuse connections with the same client cert in lib/vtls/vtls.c. - CVE-2016-5420 * SECURITY UPDATE: use of connection struct after free - debian/patches/CVE-2016-5421.patch: clear connection pointer for easy handles in lib/multi.c. - CVE-2016-5421 -- Marc Deslauriers Fri, 05 Aug 2016 11:23:04 -0400 curl (7.35.0-1ubuntu2.7) trusty; urgency=medium [ Matthew Hall ] * debian/patches/libcurl_broken_pkcs12.patch: - fix p12 client certificates (LP: #1556330) -- Gianfranco Costamagna Sat, 12 Mar 2016 17:22:33 +0100 curl (7.35.0-1ubuntu2.6) trusty-security; urgency=medium * SECURITY UPDATE: NTLM credentials not-checked for proxy connection re-use - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare Proxy credentials in lib/url.c. - CVE-2016-0755 -- Marc Deslauriers Tue, 26 Jan 2016 12:10:58 -0500 curl (7.35.0-1ubuntu2.5) trusty-security; urgency=medium * SECURITY UPDATE: NTLM connection reuse when unauthenticated - debian/patches/CVE-2015-3143.patch: require credentials to match in lib/url.c. - CVE-2015-3143 * SECURITY UPDATE: cookie parser out of boundary memory access - debian/patches/CVE-2015-3145.patch: properly handle a single double quote in lib/cookie.c. - CVE-2015-3145 * SECURITY UPDATE: negotiate not treated as connection-oriented - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between each exchange and close Negotiate connections when done in lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c. - CVE-2015-3148 -- Marc Deslauriers Wed, 29 Apr 2015 14:03:00 -0400 curl (7.35.0-1ubuntu2.3) trusty-security; urgency=medium * SECURITY UPDATE: URL request injection - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529, tests/libtest/Makefile.inc, tests/libtest/lib1529.c. - CVE-2014-8150 -- Marc Deslauriers Wed, 14 Jan 2015 08:49:32 -0500 curl (7.35.0-1ubuntu2.2) trusty-security; urgency=medium * SECURITY UPDATE: sensitive data disclosure via duphandle read out of bounds - debian/patches/CVE-2014-3707.patch: properly copy memory aread in lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h, src/Makefile.inc, src/tool_setup.h, src/tool_strdup.{c,h}. - CVE-2014-3707 -- Marc Deslauriers Thu, 06 Nov 2014 10:53:58 -0500 curl (7.35.0-1ubuntu2.1) trusty-security; urgency=medium * SECURITY UPDATE: incorrect cookie handling via partial literal IP addresses - debian/patches/CVE-2014-3613.patch: only use full host matches for hosts used as IP address in lib/cookie.c, added tests to tests/data/test1105, tests/data/test31, tests/data/test8. - CVE-2014-3613 * SECURITY UPDATE: incorrect cookie handling for TLDs - debian/patches/CVE-2014-3620.patch: reject incoming cookies set for TLDs in lib/cookie.c, added test to tests/data/test61. - CVE-2014-3620 -- Marc Deslauriers Thu, 11 Sep 2014 08:21:24 -0400 curl (7.35.0-1ubuntu2) trusty; urgency=medium * SECURITY UPDATE: wrong re-use of connections - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM HTTP logic, and extend new connection logic to other protocols in lib/http.c, lib/url.c, lib/urldata.h, add new tests to tests/data/Makefile.am, tests/data/test1418, tests/data/test1419. - CVE-2014-0138 * SECURITY UPDATE: incorrect wildcard SSL certificate validation with literal IP addresses - debian/patches/CVE-2014-0139.patch: fix wildcard logic in lib/hostcheck.c, added tests to tests/data/Makefile.am, tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c. - CVE-2014-0139 * debian/patches/fix_test172.path: fix expired cookie causing test to fail. -- Marc Deslauriers Tue, 01 Apr 2014 09:25:23 -0400 curl (7.35.0-1ubuntu1) trusty; urgency=medium * Resynchronize on Debian, remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. -- Marc Deslauriers Fri, 31 Jan 2014 08:42:28 -0500 curl (7.35.0-1) unstable; urgency=high * New upstream release - Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015 http://curl.haxx.se/docs/adv_20140129.html - Set urgency=high accordingly * Refresh patches -- Alessandro Ghedini Wed, 29 Jan 2014 11:16:57 +0100 curl (7.34.0-1ubuntu1) trusty; urgency=low * Resynchronize on Debian, remaining changes - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. * Dropped undocumented Build-Depends change to automake1.9. -- Marc Deslauriers Fri, 20 Dec 2013 09:13:22 -0500 curl (7.34.0-1) unstable; urgency=high * New upstream release - Fix GnuTLS checking of a certificate CN or SAN name field when the digital signature verification is turned off as per CVE-2013-6422 http://curl.haxx.se/docs/adv_20131217.html - Set urgency=high accordingly * Drop patches merged upstream: - 08_fix-typo.patch - 09_fix-urlglob.patch -- Alessandro Ghedini Tue, 17 Dec 2013 13:16:19 +0100 curl (7.33.0-2) unstable; urgency=low * Make -dev packages Multi-Arch: same too (Closes: #731309) * Bump Standards-Version to 3.9.5 (no changes needed) * Add 09_fix-urlglob.patch to fix URL globbing (Closes: #731855) -- Alessandro Ghedini Wed, 11 Dec 2013 18:44:37 +0100 curl (7.33.0-1ubuntu1) trusty; urgency=low * Resynchronize on Debian, remaining changes - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. -- Sebastien Bacher Wed, 06 Nov 2013 10:45:28 +0100 curl (7.33.0-1) unstable; urgency=low * New upstream release - Handle arbitrary-length username and password (Closes: #719856) * Remove Luk from Uploaders as per his request (Closes: #723603) * Do not Build-Depends on specific automake version (Closes: #724361) * Fix lintian vcs-field-not-canonical * Add 08_fix-typo.patch * Refresh patches -- Alessandro Ghedini Mon, 14 Oct 2013 22:11:14 +0200 curl (7.32.0-1ubuntu1) saucy; urgency=low * Merge from Debian unstable. Remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. * Fixes freeipa-client join. (LP: #1220928) -- Ubuntu Merge-o-Matic Mon, 12 Aug 2013 15:39:32 +0000 curl (7.32.0-1) unstable; urgency=low * New upstream release * Fix typo in changelog entry for 7.31.0-1 (Closes: #714502) * Drop 08_typo.patch (merged upstream) * Drop 09_openssl-recv.patch (merged upstream) * Refresh 90_gnutls.patch and 99_nss.patch * Refresh 06_always-disable-valgrind.patch * Enable threaded DNS resolver (Closes: #570436) See NEWS.Debian for more info -- Alessandro Ghedini Mon, 12 Aug 2013 12:19:05 +0200 curl (7.31.0-2ubuntu1) saucy; urgency=low * Merge from Debian, Remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. -- Oussama Bounaim Tue, 23 Jul 2013 18:42:00 +0100 curl (7.31.0-2) unstable; urgency=high * Add 09_openssl-recv.patch to fix incorrect OpenSSL usage (Closes: #714050) * Set urgency=high because of the security fix in the previous upload -- Alessandro Ghedini Wed, 26 Jun 2013 11:47:00 +0200 curl (7.31.0-1ubuntu1) saucy; urgency=low * Resynchronize on Debian. Remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. -- Sebastien Bacher Mon, 24 Jun 2013 13:36:52 +0200 curl (7.31.0-1) unstable; urgency=low * New upstream release - Fix URL decode buffer boundary flaw as per CVE-2013-2174 http://curl.haxx.se/docs/adv_20130622.html * Make curl Multi-Arch: foreign (Closes: #712585) * Drop 08_reset-timecond.patch (merged upstream) * Refresh patches * Add 08_typo.patch to fix a couple of typos in one of the manpages -- Alessandro Ghedini Sat, 22 Jun 2013 15:46:53 +0200 curl (7.30.0-2) unstable; urgency=low * Move textual docs to the -doc package too * Move manpages from -dev packages to -doc as well - Add Breaks+Replaces accordingly * Remove outdated Replaces/Conflicts * Update watch file version to 3 * Add 08_reset-timecond.patch (Closes: #705783) -- Alessandro Ghedini Fri, 10 May 2013 17:46:46 +0200 curl (7.30.0-1ubuntu1) saucy; urgency=low * Resynchronize on Debian. Remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. * Add warning to debian/patches/series. -- Sebastien Bacher Tue, 07 May 2013 12:16:37 +0200 curl (7.30.0-1) unstable; urgency=low * New upstream release * Update upstream copyright years * Drop patches merged upstream: - 08_NULL-pointer-dereference-on-close.patch - 09_CVE-213-1944.patch - 10_test1218-another-cookie-tailmatch-test.patch * Update patches: - 03_keep_symbols_compat.patch - 90_gnutls.patch - 99_nss.patch * Add libcurl4-doc package: - Move *.pdf and *.html files to the libcurl4-doc package - Add Suggests for -doc package to -dev packages - Move examples to the -doc package * Add Build-Depends on python which is used by some tests -- Alessandro Ghedini Thu, 18 Apr 2013 12:55:09 +0200 curl (7.29.0-2.1) unstable; urgency=high * Non-maintainer upload. [ Alessandro Ghedini ] * Do not compress *.pdf files (Closes: #704093) [ Salvatore Bonaccorso ] * Add 09_CVE-213-1944.patch. Fix CVE-2013-1944: fix tailmatching to prevent cross-domain leakage. Cookies set for 'example.com' could accidentaly also be sent by libcurl to the 'bexample.com' (ie with a prefix to the first domain name). (Closes: #705274) * Add testcase for CVE-2013-1944. -- Salvatore Bonaccorso Fri, 12 Apr 2013 13:55:34 +0200 curl (7.29.0-2) unstable; urgency=low * Fix a segfault when closing an unused multi handle (Closes: #701713) * Mention LDAPS in packages' long descriptions * Clean-up d/rules - Switch to short-form dh - Enable test suite on hurd and kfreebsd too - Enable GSSAPI support on hurd too -- Alessandro Ghedini Mon, 11 Mar 2013 19:02:56 +0100 curl (7.29.0-1ubuntu3) raring; urgency=low * SECURITY UPDATE: Incorrect cookie domain handling in tailmatch() - debian/patches/09_curl-tailmatch.patch: enforce strict subdomain match when sending cookies. Patch from YAMADA Yasuharu. - http://curl.haxx.se/curl-tailmatch.patch - CVE-2013-1944 -- Seth Arnold Wed, 10 Apr 2013 15:16:17 -0700 curl (7.29.0-1ubuntu2) raring; urgency=low * debian/patches/08_lp1124508.patch: Backport fix for upstream bug 1194, segfault in curl_multi_cleanup() when multi->closure_handle is NULL. (LP: #1124508) -- Barry Warsaw Wed, 03 Apr 2013 17:26:06 -0400 curl (7.29.0-1ubuntu1) raring; urgency=low * Resynchronise with Debian. Remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. * Add warning to debian/patches/series. -- Marc Deslauriers Tue, 12 Feb 2013 08:54:32 -0500 curl (7.29.0-1) unstable; urgency=high * New upstream release - Fix buffer overflow when negotiating SASL DIGEST-MD5 authentication as per CVE-2013-0249 (Closes: #700002) http://curl.haxx.se/docs/adv_20130206.html - Set urgency=high accordingly * Install all the examples * Update 90_gnutls.patch and 99_nss.patch * Refresh patches * Correctly pass CPPFLAGS to ./configure * Upload to unstable -- Alessandro Ghedini Mon, 11 Feb 2013 14:48:03 +0100 curl (7.28.1-1) experimental; urgency=low * New upstream release * Drop 05_fix-git-over-https.patch and 08_fix-git-auth.patch (merged upstream) * Update 07_do-not-disable-debug-symbols.patch * Refresh patches * Add NEWS entry about change in CURLOPT_SSL_VERIFYHOST semantics -- Alessandro Ghedini Mon, 26 Nov 2012 17:51:27 +0100 curl (7.28.0-3ubuntu1) raring; urgency=low * Resynchronise with Debian. Remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. -- Colin Watson Wed, 28 Nov 2012 17:56:05 +0000 curl (7.28.0-3) unstable; urgency=low * Add 07_do-not-disable-debug-symbols.patch, do not pass --enable-debug anymore (Closes: #693110) * Update 05_fix-git-over-https.patch to reflect new upstream patch * Add 08_fix-git-auth.patch to fix HTTPS authentication (Closes: #690764) -- Alessandro Ghedini Sat, 17 Nov 2012 14:07:21 +0100 curl (7.28.0-2ubuntu2) raring; urgency=low * Turn debian/libcurl3-udeb.install and debian/libcurl3-udeb.links back into symlinks. -- Colin Watson Wed, 31 Oct 2012 10:55:24 +0000 curl (7.28.0-2ubuntu1) raring; urgency=low * Resynchronise with Debian. Remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. -- Colin Watson Wed, 31 Oct 2012 06:51:15 +0000 curl (7.28.0-2) unstable; urgency=low * Add 05_fix-git-over-https.patch (Closes: #690551) * Add 06_always-disable-valgrind.patch (Closes: #690968) -- Alessandro Ghedini Mon, 22 Oct 2012 14:35:02 +0200 curl (7.28.0-1) unstable; urgency=low * New upstream release - gnutls: do not fail on non-fatal handshake errors (Closes: #685402) * Remove versioned build depends on libssh2 (already in stable) * Bump Standards-Version to 3.9.4 (no changes needed) * Refresh 01_runtests_gdb.patch * Update *.symbols files * Build depend on ca-certifcates to avoid test failure -- Alessandro Ghedini Thu, 11 Oct 2012 19:11:09 +0200 curl (7.27.0-1ubuntu1) quantal; urgency=low * Resynchronise with Debian. Remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. -- Colin Watson Mon, 20 Aug 2012 13:54:01 +0100 curl (7.27.0-1) unstable; urgency=low * New upstream release * Update upstream copyright * Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch -- Alessandro Ghedini Wed, 08 Aug 2012 17:22:00 +0200 curl (7.26.0-1ubuntu1) quantal; urgency=low * Resynchronise with Debian. Remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from binary package Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. * Adjust udeb configure flags handling to something easier to merge in future. -- Colin Watson Mon, 28 May 2012 12:21:13 +0100 curl (7.26.0-1) unstable; urgency=low * New upstream release - Reject numerical IPv6 addresses outside brackets (Closes: #670126) * Email change: Alessandro Ghedini -> ghedo@debian.org * Stricter Depends on libcurl3 (Closes: #666089) * Remove Ramakrishnan (as per his request), move myself to Maintainer Thank you for all your work so far * Disable memory tracking, but keep debug enabled - Remove memdebug symbols (used by curl only) * Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch * Disable not-quite-working symbols hiding -- Alessandro Ghedini Fri, 25 May 2012 15:19:51 +0200 curl (7.25.0-1ubuntu2) quantal; urgency=low * Drop libssh2-1-dev Depends (not in main) from libcurl4-gnutls-dev and libcurl4-nss-dev too. -- Colin Watson Tue, 22 May 2012 22:58:51 +0100 curl (7.25.0-1ubuntu1) quantal; urgency=low * Merge from Debian testing (LP: #1003049). Remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. - Add new libcurl3-udeb package. - Add new curl-udeb package. - Also closes (LP: #855291) * debian/patches/CVE-2012-0036.patch: Dropped. CVE resolved upstream. -- Andres Rodriguez Tue, 22 May 2012 14:53:29 -0400 curl (7.25.0-1) unstable; urgency=low * New upstream release - Add --ssl-allow-beast and CURLOPT_SSL_OPTIONS (Closes: #658276) - Allow negative numbers as option value (Closes: #659591) * Add libssh2-1-dev to libcurl4-gnutls-dev and libcurl4-nss-dev Depends * Bump debhelper compat level to 9 - Make *.links files executable to simplify rules file * Pass --as-needed ld flag to avoid unneeded dependencies - Add workaround_as_needed_bug to workaround a libtool bug - Drop dont_link_to_krb5 (not needed because of --as-needed) * Do some clean-up in debian/rules * Update debian/copyright format as in Debian Policy 3.9.3 * Bump Standards-Version to 3.9.3 * Explicit Conflicts in -dev packages (fixes binaries-have-file-conflict) * Add openssh-server to build depends to enable some more tests * Update upstream copyright years * Refresh patches -- Alessandro Ghedini Fri, 23 Mar 2012 16:24:51 +0100 curl (7.24.0-1) unstable; urgency=high * New upstream release - Improve documentation for the --capath option (Closes: #628697) - Fix URL sanitization vulnerability as per CVE-2012-0036 http://curl.haxx.se/docs/adv_20120124.html - Fix SSL CBC IV vulnerability as per CVE-2011-3389 http://curl.haxx.se/docs/adv_20120124B.html - Set urgency=high accordingly * Remove curl_links_with_rt patch (curl links to librt anyway) * Improve descriptions of -dev and -dbg packages * Drop fix_manpage_spelling and versioned patches (merged upstream) * Refresh patches * Add keep_symbols_compat patch to not break backwards ABI compatibility * Enable libssh2 support for GnuTLS and NSS flavours too (libssh2 now uses libgcrypt instead of libssl) -- Alessandro Ghedini Tue, 24 Jan 2012 12:04:04 +0100 curl (7.23.1-3) unstable; urgency=low * Enable security hardening flags * Remove libdb-dev from B-D (not used) * Improve short and long descriptions * Provide proper *.symbols files (Closes: #651619) * Do not version Curl_* symbols (for internal use only) * Do not override dh_makeshlibs version anymore -- Alessandro Ghedini Tue, 13 Dec 2011 19:55:31 +0100 curl (7.23.1-2) unstable; urgency=low * Bump shlibs version for libcurl3-nss (Closes: #650498) -- Alessandro Ghedini Thu, 01 Dec 2011 22:32:19 +0100 curl (7.23.1-1) unstable; urgency=low * New upstream release - Do not use gnutls_priority_set_direct and gnutls_certificate_type_set_priority anymore (Closes: #624024) * Refresh patches * Add --enable-debug flag to configure (Closes: #648902) * One Provides/Replaces per line * libcurl4-openssl-dev Provides libcurl4-dev too (Closes: #644126) * Specify only 3 components for Standards-Version (the fourth is not really needed) * Move ca-certificates to Recommends in lib* packages (Closes: #546607) * Add NSS flavour to versioned symbols -- Alessandro Ghedini Sun, 27 Nov 2011 18:45:01 +0100 curl (7.22.0-3ubuntu4) precise; urgency=low * debian/control: Add missing Depends on libcrypto1.0.0-udeb. -- Andres Rodriguez Thu, 22 Mar 2012 18:40:30 -0400 curl (7.22.0-3ubuntu3) precise; urgency=low [ Andres Rodriguez ] * Add curl-udeb package (LP: #940425) [ Dave Walker (Daviey) ] * debian/rules: Remove --add-udeb= for libcurl3, and appended to debian/shlibs.local at build time, which this package seems to be using for undocumented reasoning. -- Dave Walker (Daviey) Fri, 09 Mar 2012 23:45:09 +0000 curl (7.22.0-3ubuntu2) precise; urgency=low * SECURITY UPDATE: URL sanitization vulnerability - debian/patches/CVE-2012-0036.patch: reject URLs with embedded control codes in lib/{escape.h,escape.c,imap.c,pop3.c,smtp.c}. - CVE-2012-0036 -- Marc Deslauriers Tue, 24 Jan 2012 08:26:50 -0500 curl (7.22.0-3ubuntu1) precise; urgency=low * Merge from Debian unstable, remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel4 and libssh2-1-dev. + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. - Add new libcurl3-udeb package. -- Timo Aaltonen Fri, 25 Nov 2011 17:30:45 +0200 curl (7.22.0-3) unstable; urgency=low [ Ramakrishnan Muthukrishnan ] * Add new Uploaders, Ian and Alessandro. (Closes: #647255) [ Luk Claes ] * Install lintian overrides with dh_lintian. * Install all files with dh_install and get rid of dh_installdirs. [ Alessandro Ghedini ] * New upstream release. * Bump debhelper compat level to 8. * debian/control: - One (Build-)Depends per line. - Sort (Build-)Depends. - Remove Build-Depends on binutils (v2.18 is already in oldstable and it is Build-Essential: yes). - Build depends on stunnel4 instead of stunnel (stunnel is just a dummy package). - Remove duplicate Section field in package curl. - Add Luk to Uploaders too, sort names. * debian/patches: - Update runtests_gdb patch, add DEP3 headers. - Update gnutls and nss patches, add DEP3 headers. - Refresh other patches. - Add DEP3 headers to all the patches. - Remove libtool patch (not applied anyway) - Set Forwarded: not-needed for Debian specific patches * Replace dh_clean -k call with dh_prep (dh_clean -k is deprecated since debhelper 7). * Add fix_manpage_spelling patch * debian/copyright: - Switch to DEP5 format - Update copyright information * Add librtmp-dev to libcurl4-nss-dev too -- Alessandro Ghedini Sun, 13 Nov 2011 21:07:32 +0100 curl (7.21.7-3ubuntu1) precise; urgency=low * Merge from Debian testing, remaining changes: - Drop dependencies not in main: + Build-Depends: Drop stunnel and libssh2-1-dev. + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. - Add new libcurl3-udeb package, stripped down for use during installation (LP: #831496). * Dropped changes: - debian/patches/timeout_bug_736216: applied upstream. -- James Page Thu, 20 Oct 2011 09:28:24 +0100 curl (7.21.7-3) unstable; urgency=low * debian/rules: Build only curl and libcurl3 with rtmp support. Rest of the packages do not need to be built with rtmp support. (closes: #641173) -- Ramakrishnan Muthukrishnan Sun, 11 Sep 2011 22:08:08 +0200 curl (7.21.7-2) unstable; urgency=low * debian/control: libcurl*-dev packages should depend on librtmp-dev. (closes: #640260) * debian/rules: add build-arch and build-indep targets. -- Ramakrishnan Muthukrishnan Mon, 05 Sep 2011 16:12:42 +0200 curl (7.21.7-1) unstable; urgency=low * New Upstream release which fixes the following bugs. - libcurl3-gnutls: HTTPS over HTTP still broken in Git (closes: #627335) - git-core: gnutls_handshake() fail when using https:// over a proxy (closes: #559371) * debian/control: capitalize 'ftp'. (closes: #587338) * debian/rules: add build-arch and build-indep targets. -- Ramakrishnan Muthukrishnan Sat, 30 Jul 2011 17:57:08 +0530 curl (7.21.6-3ubuntu3) oneiric; urgency=low [ James Page, Colin Watson ] * Add new libcurl3-udeb package, stripped down for use during installation (LP: #831496). -- James Page Wed, 14 Sep 2011 17:31:37 +0100 curl (7.21.6-3ubuntu2) oneiric; urgency=low * debian/patches/timeout_bug_736216: cherry pick upstream git revision d4e000906ac4ef243258a5c9a819a7cde247d16a to fix handshake timeout bug (LP: #736216). Thanks to Sidnei da Silva and Michael Vogt -- Jamie Strandboge Wed, 13 Jul 2011 12:08:54 -0500 curl (7.21.6-3ubuntu1) oneiric; urgency=low * Restore Ubuntu changes accidentally dropped in previous sync: - Drop dependencies not in main: + Build-Depends: Replace libssh2-1-dev with openssh-server. Drop stunnel since it's in universe, as well. + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. -- Steve Langasek Thu, 30 Jun 2011 23:40:23 +0000 curl (7.21.6-3) unstable; urgency=low * Apply the Multiarch patch from Steve Langasek. (closes: #631946) -- Ramakrishnan Muthukrishnan Wed, 29 Jun 2011 08:26:56 +0530 curl (7.21.6-2) unstable; urgency=high * Fix for the inappropriate GSSAPI delegation vulnerability (CVE-2011-2192). (closes: #631615) -- Ramakrishnan Muthukrishnan Sat, 25 Jun 2011 23:37:04 +0530 curl (7.21.6-1) unstable; urgency=low * New upstream release to fix a HTTPS over a HTTP proxy bug on 7.21.5. -- Ramakrishnan Muthukrishnan Sat, 23 Apr 2011 07:12:57 +0530 curl (7.21.5-1) unstable; urgency=low * New Upstream version. (closes: #623459) * debian/patches/{sslv2_disable, error_code}: removed as these patches were backported earlier from new upstream and this release incorporates them. -- Ramakrishnan Muthukrishnan Fri, 22 Apr 2011 13:14:41 +0530 curl (7.21.4-2) unstable; urgency=low * debian/patches/{sslv2-disable, series}: Apply the upstream commit c66b0b32fba175d5f096c944d8ec8f9f06299f4a. (closes: #622016) * debian/{rules, control}: enable rtmp. (closes: #622328) * debian/control: removing hurd from dependencies. Hurd is an 'essential' package. -- Ramakrishnan Muthukrishnan Wed, 13 Apr 2011 16:15:27 -0700 curl (7.21.4-1) unstable; urgency=low * New upstream release. * debian/control: downgraded the version number of libdb-dev required to 4.6 from 4.7, based on the inputs from Erik Schanze . -- Ramakrishnan Muthukrishnan Mon, 28 Feb 2011 19:35:36 +0530 curl (7.21.3-1) unstable; urgency=low * New upstream release. * debian/*.manpages: adding all manpages for the curl library. (closes: #605651) * gnutls->handshake: improved timeout handling. See #594150 for details. -- Ramakrishnan Muthukrishnan Wed, 15 Dec 2010 23:39:26 +0530 curl (7.21.2-4) unstable; urgency=low * support for curl library built against nss. (closes: #606244) * honour DEB_BUILD_OPTIONS=nocheck option. (closes: #606059) -- Ramakrishnan Muthukrishnan Thu, 09 Dec 2010 20:11:37 +0530 curl (7.21.2-3) unstable; urgency=low * debian/rules: reverting changes related to c-ares inclusion. * debian/control: removing libc-ares-dev for now. (closes: #605558) -- Ramakrishnan Muthukrishnan Thu, 02 Dec 2010 10:56:36 +0530 curl (7.21.2-2) unstable; urgency=low * debian/control: add libc-ares-dev as build dependency. * debian/rules: invoke configure with --enable-ares. (closes: #570436) * debian/copyright: add copyright notice of `lib/security.c' to the copyright file. (closes: #603712) -- Ramakrishnan Muthukrishnan Tue, 30 Nov 2010 17:35:29 +0530 curl (7.21.2-1) unstable; urgency=low * New upstream release. -- Ramakrishnan Muthukrishnan Mon, 18 Oct 2010 11:13:17 +0530 curl (7.21.1-1) unstable; urgency=low * New upstream release. -- Ramakrishnan Muthukrishnan Thu, 12 Aug 2010 08:20:48 +0530 curl (7.21.0-1) unstable; urgency=low * New upstream. -- Ramakrishnan Muthukrishnan Wed, 16 Jun 2010 19:25:37 +0530 curl (7.20.1-2) unstable; urgency=low * debian/rules: Removed the custom LDFLAGS variable. This is not required as we are no longer using the libtool patch. (closes: #578774) -- Ramakrishnan Muthukrishnan Wed, 28 Apr 2010 18:40:27 +0530 curl (7.20.1-1) unstable; urgency=low * New upstream release. * debian/patches/missing-double-quote: No longer needed as it has been fixed by the upstream. * debian/patches/no_com_err: Reworked the patches for the new release. * debian/patches/versioned: fix for build failure of 'make test'. (closes: #576237) * debian/rules: removed --enable-ldaps option from the configure as LDAP SSL (Novell extensions to openldap) is not available as Debian packages. * lib/http.c: chunked-encoding with Content-Length header problem has been fixed in the upstream. (closes: #572276) -- Ramakrishnan Muthukrishnan Mon, 19 Apr 2010 09:21:35 +0530 curl (7.20.0-3) unstable; urgency=low * debian/control: Vcs* tags added. * docs/libcurl/libcurl.m4: added the missing double quote (closes: #576518). -- Ramakrishnan Muthukrishnan Mon, 05 Apr 2010 18:56:40 +0530 curl (7.20.0-2) unstable; urgency=low * New Maintainer (closes: #574137). * Bug #533669 (curl segmentation fault in addbyter()) is fixed from release 7.19.7 onwards (closes: #533669). * Bug #510559 (curl sends whitespace unencoded in the url) can't be reproduced in the 7.20.0 release (closes: #510559). -- Ramakrishnan Muthukrishnan Thu, 18 Mar 2010 08:55:19 +0530 curl (7.20.0-1) unstable; urgency=low * Package is orphaned. * New upstream release. * Switch to dpkg-source 3.0 (quilt) format (closes: #538547). * Fixed build error with binutils-gold (closes: #554296). -- Domenico Andreoli Tue, 09 Feb 2010 13:06:39 +0100 curl (7.19.7-1) unstable; urgency=low * New upstream release: - curl_getdate(3) now correctly manages single letter military timezones as specified in RFC 822 (closes: #551461). * build depends on generic libdb-dev (closes: #548476). * build depends on libssh2-1-dev (>= 1.2) to enable new curl options. -- Domenico Andreoli Thu, 05 Nov 2009 10:11:57 +0100 curl (7.19.5-1) unstable; urgency=low * New upstream release * Fix "libcurl3-gnutls has memory corruption" by upgrading to new upstream release, which fixes this bug (Closes: #530131) * update standards version to 3.8.1 * adjust overrides from libdevel to debug for -dbg package * adjust doc-base section -- Andreas Schuldei Sun, 24 May 2009 21:12:19 +0200 curl (7.19.4-1) unstable; urgency=low * New upstream release * Fix "newer bdb version" (Closes: #517277) * resolve libtool version confusion, thanks to Stefanos Harhalakis * add new dependency on libgcrypt11-dev due to newly arising binary symbols -- Andreas Schuldei Thu, 02 Apr 2009 23:35:45 +0200 curl (7.18.2-8lenny1) stable-security; urgency=high * Applied upstream patch to fix arbitrary file access (CVE-2009-0037). -- Domenico Andreoli Tue, 03 Mar 2009 10:29:03 +0100 curl (7.18.2-8) unstable; urgency=low * Fix "Please add support for ldap/ldaps protocols" by changing the linker option for liblber (Closes: #506096) -- Andreas Schuldei Fri, 26 Dec 2008 23:48:19 +0100 curl (7.18.2-7) unstable; urgency=low * disable c-ares support again, no fix yet, just get stuff working again. -- Andreas Schuldei Tue, 15 Jul 2008 01:17:29 +0200 curl (7.18.2-6) unstable; urgency=low * enable c-ares support, with ipv6 support -- Andreas Schuldei Fri, 11 Jul 2008 02:05:16 +0200 curl (7.18.2-5) unstable; urgency=low * /usr/lib/pkgconfig/libcurl.pc: "pkg-config --libs libcurl" returns "-Wl, -z, defs" (Closes: #488701), closing same bug again for curl-config --libs command -- Andreas Schuldei Wed, 02 Jul 2008 11:24:40 +0200 curl (7.18.2-4) unstable; urgency=medium * /usr/lib/pkgconfig/libcurl.pc: "pkg-config --libs libcurl" returns "-Wl, -z, defs" (Closes: #488701) -- Andreas Schuldei Mon, 30 Jun 2008 23:59:55 +0200 curl (7.18.2-3) unstable; urgency=low * removing c-ares from the dependencies -- Andreas Schuldei Sat, 28 Jun 2008 03:34:50 +0200 curl (7.18.2-2) unstable; urgency=medium * blanking the "dependency_libs" line in lib*.la file to keep all the listed libs from being linked to other libs linking to curl. * fixing miss-linking problem by specifying liblber as a configure argument * disabling c-ares again for stability reasons * correcting libgssapi linking in configure.ac (patch no_com_err) -- Andreas Schuldei Fri, 27 Jun 2008 03:40:18 +0200 curl (7.18.2-1e1) experimental; urgency=low * testing c-ares-ipv6 integration patch -- Andreas Schuldei Mon, 23 Jun 2008 08:48:31 +0200 curl (7.18.2-1) unstable; urgency=low * New upstream release: - removed patches/ftp-response, it is already in the upstream release - fixed issues with kerberos ftp (closes: #478864). * Disable c-ares support, it is still not ready for Debian's wide user base (closes: #478864, #481189). * Standards-Version bumped to 3.8.0: - added support for parallel builds to debian/rules * Removal of $QUILT_PC's override makes this package ready for new source format 3.0 (quilt) (closes: #485023). * Configure build with --with-ca-path but only for OpenSSL flavour, GnuTLS supports only --with-ca-bundle (closes: #482814, #483999). Both libcurl3 and libcurl3-gnutls now depend on ca-certificates. -- Domenico Andreoli Mon, 09 Jun 2008 14:09:42 +0200 curl (7.18.1-1) unstable; urgency=low * New upstream release. * Fixed crossbuilding bug (closes: #465089). * Improved error reporting in case of failing FTP (closes: #474224). * Enable c-ares support (closes: #352694). * libcurl3-dbg now depends on either libcurl3 or libcurl3-gnutls (closes: #463173). -- Domenico Andreoli Thu, 17 Apr 2008 10:22:28 +0200 curl (7.18.0-1) unstable; urgency=low * New upstream release. * Use Homepage field in debian/control. -- Domenico Andreoli Tue, 29 Jan 2008 02:16:25 +0100 curl (7.17.1-1) unstable; urgency=low * New upstream release: - fixed bad use of "its" in curl.1 (closes: #443734) - fixed curl_easy_escape() with input bytes that are >= 0x80 (closes: #445214) -- Domenico Andreoli Wed, 31 Oct 2007 01:12:54 +0100 curl (7.17.0-1) unstable; urgency=low * New upstream release. * Updated to use libssh2-1-dev (closes: #441979, #442198). * Do not run the test suite on hurd (closes: #433834). * Enabled support for LDAPS protocol. -- Domenico Andreoli Fri, 14 Sep 2007 00:24:21 +0200 curl (7.16.4-5) unstable; urgency=low * libcurl4-openssl-dev now depends on libssh2-0-dev. closes: #439317, #439326. -- Domenico Andreoli Fri, 24 Aug 2007 18:13:17 +0200 curl (7.16.4-4) unstable; urgency=low * Build libcurl/GnuTLS without libssh2 because of the usual OpenSSL vs. GPL software lincense conflict (closes: #439176). -- Domenico Andreoli Thu, 23 Aug 2007 23:47:35 +0200 curl (7.16.4-3) unstable; urgency=low * Added support for scp and SFTP protocols. -- Domenico Andreoli Wed, 22 Aug 2007 00:48:32 +0200 curl (7.16.4-2) unstable; urgency=low * Fixed regression with FTP sites not requesting PASS (closes: #435771). -- Domenico Andreoli Sat, 04 Aug 2007 02:04:40 +0200 curl (7.16.4-1) unstable; urgency=low * New upstream release (closes: #432514). * Welcome Andreas to the curl packagers! * Build-Depends is now more backporting friendly. -- Domenico Andreoli Wed, 18 Jul 2007 16:44:30 +0200 curl (7.16.2-6) unstable; urgency=low * Added missing libcurl3 symlinks (closes: #429945) Patch courtesy of Bryan Donlan. -- Domenico Andreoli Sat, 23 Jun 2007 00:39:20 +0200 curl (7.16.2-5) unstable; urgency=low [ Steve Langasek ] * Re-introduce curl3 symbol versions and rename the packages back to libcurl3*, restoring ABI compatibility with the etch version of the package. [ Domenico Andreoli ] * Package libcurl4-gnutls-dev now suggests libcurl3-dbg. * libcurl3-dbg replaces/conflict/provide libcurl4-dbg. * Properly use ${binary:Version} in control file. -- Domenico Andreoli Wed, 20 Jun 2007 17:52:38 +0200 curl (7.16.2-4) unstable; urgency=low * Fixed configure.ac in case of build with GNUTLS (closes: #425013). * Fixed double-free bug (closes: #424894). Patch courtesy of Daniel Stenberg. -- Domenico Andreoli Sun, 20 May 2007 01:15:01 +0200 curl (7.16.2-3) unstable; urgency=low * Updated to db4.5 (closes: #421933). * Got rid of unused libcomerr2 dependency (closes: #392294). -- Domenico Andreoli Tue, 08 May 2007 08:46:21 +0200 curl (7.16.2-2) experimental; urgency=low * Improved package descriptions (closes: #410472). * Updated package Provides to ease the soname transition. -- Domenico Andreoli Fri, 27 Apr 2007 15:37:44 +0200 curl (7.16.2-1) experimental; urgency=low * New upstream release. * libcurl4-openssl-dev now depends on libcurl4-openssl (closes: #419774). * Bumped shlibs version to 7.16.2-1. * Patches are now managed with quilt. -- Domenico Andreoli Wed, 18 Apr 2007 09:29:48 +0200 curl (7.16.1-1) experimental; urgency=low * New upstream release. * Bumped shlibs version to 7.16.1-1. * Added HIDDEN section to version script to handle any __*, _rest or _save* local symbol. * Gopher protocol is not supported since 7.15.2. Removed any reference in package description (closes: #408704). * Moved libcurl/openssl to the new package libcurl4-openssl, now libcurl4 contains a version with no SSL or GSSAPI support (any future cryptographic stuff will be kept out of there). * Package libcurl4-dev now contains the matching headers for libcurl4 (so crypto stuff). -- Domenico Andreoli Thu, 1 Feb 2007 12:49:32 +0100 curl (7.16.0-1) experimental; urgency=low * New upstream release. * Bumped shlibs version to 7.16.0-1. * libcurl4 and libcurl4-gnutls now only recommend ca-certificates (closes: #404103). * pkg-config .pc file now uses Libs.private (closes: #405226). -- Domenico Andreoli Fri, 26 Jan 2007 14:26:55 +0100 curl (7.15.5-1) unstable; urgency=low * New upstream release: - fixed nodes removal from the splay tree (closes: #375076). * Make package build also if $TAPE is set (closes: #377470). * Bumped shlibs version to 7.15.5-1. -- Domenico Andreoli Mon, 7 Aug 2006 10:26:13 +0200 curl (7.15.4-1ubuntu1) edgy; urgency=low * Synchronize to Debian. Only change left: Removal of stunnel and libdb4.2-dev build dependencies. -- Martin Pitt Thu, 29 Jun 2006 15:04:24 +0200 curl (7.15.4-1) unstable; urgency=low * New upstream release. * Bumped shlibs version to 7.15.4-1. -- Domenico Andreoli Wed, 14 Jun 2006 14:41:16 +0200 curl (7.15.3-2) unstable; urgency=low * Fixed bug in configure.ac that makes FTBFS (closes: #367954). -- Domenico Andreoli Wed, 31 May 2006 15:18:26 +0200 curl (7.15.3-1) unstable; urgency=high * New upstream release: - fixed TFTP packet buffer overflow vulnerability [lib/tftp.c, CVE-2006-1061]. - improved curl_getenv.3 manpage grammar (closes: #357388). -- Domenico Andreoli Mon, 20 Mar 2006 11:46:25 +0100 curl (7.15.2-3) unstable; urgency=low * Applied upstream patch to fix multi interface and multi-part formposts (closes: #355715). * Build back with -O2, gcc 4.0.2-10 fixed the previously trigged bug. -- Domenico Andreoli Wed, 8 Mar 2006 15:29:15 +0100 curl (7.15.2-2) unstable; urgency=low * Added missing autotools invocation. Re-added versioned symbols (closes: #355241). * Bumped shlibs version to 7.15.2-2. * Build with -O3 to work around sospicious segfaults on tests 253 and 255. -- Domenico Andreoli Sat, 4 Mar 2006 22:47:23 +0100 curl (7.15.2-1) unstable; urgency=low * New upstream release. * Bumped shlibs version to 7.15.2-1. * Adopted debhelper's compatibility level 5. -- Domenico Andreoli Wed, 1 Mar 2006 16:12:51 +0100 curl (7.15.1-1ubuntu2) dapper; urgency=low * SECURITY UPDATE: Arbitrary remote code execution with long tftp:// URLs. * lib/tftp.c: Fix unbounded sprintf() to avoid buffer overflow. Thanks to Ulf Harnhammar for discovering this. * CVE-2006-1061 -- Martin Pitt Thu, 16 Mar 2006 11:30:25 +0100 curl (7.15.1-1ubuntu1) dapper; urgency=low * Resynchronise with Debian to get URL parser overflow fix from 7.15.1 (CVE-2005-4077). -- Martin Pitt Mon, 12 Dec 2005 15:04:52 +0100 curl (7.15.1-1) unstable; urgency=low * New upstream release: - fixed buffer overflow in URL parser function (closes: #342339). -- Domenico Andreoli Wed, 7 Dec 2005 11:11:38 +0100 curl (7.15.0-5.1) unstable; urgency=high * Non-maintainer upload. * Urgency high for RC bug fix. * Let libcurl3-*-dev depend on libkrb5-dev (closes: #340784, #340916). -- Luk Claes Sun, 4 Dec 2005 11:59:20 +0100 curl (7.15.0-5) unstable; urgency=low * libcurl3-gnutls-dev and libcurl3-openssl-dev now only recommend libkrb5-dev (closes: #334888). * Applied upstream patch to fix error message in case FTP-path does not exist (closes: #338680). * Applied upstream patch to fix parsing of --limit-rate command line option (closes: #338681). -- Domenico Andreoli Fri, 25 Nov 2005 10:30:25 +0100 curl (7.15.0-4ubuntu1) dapper; urgency=low * Resynchronise with Debian (only change left: Removal of stunnel build dependency). * Remove libdb4.2-dev build dependency. -- Martin Pitt Thu, 10 Nov 2005 17:44:35 -0500 curl (7.15.0-4) unstable; urgency=low * Fixed output of curl-config --vernum (closes: #335296). * libcurl3-openssl-dev now replaces libcurl3-dev older than 7.14.1-1 (closes: #335277). -- Domenico Andreoli Tue, 25 Oct 2005 11:48:53 +0200 curl (7.15.0-3) unstable; urgency=low * libcurl3 and libcurl3-gnutls now suggest libldap2 (closes: #294407). * Re-introduced libcurl3-dev package for transition reasons. -- Domenico Andreoli Wed, 19 Oct 2005 12:45:43 +0200 curl (7.15.0-2) unstable; urgency=low * Fixed depends of libcurl3-*-dev packages (closes: #334021, #333609, #334048). * Bumped shlibs version to 7.15.0-1 (closes: #334053). -- Domenico Andreoli Sun, 16 Oct 2005 15:34:40 +0200 curl (7.15.0-1) unstable; urgency=low * New upstream release: - fixed user+domain name buffer overflow in the NTLM code (CAN-2005-3185, closes: #333734). - libcurl3-*-dev packages now depend on libkrb5-dev (closes: #333609). - improved docs about curl_easy_setopt() and ERRORBUFFER (closes: #329313). -- Domenico Andreoli Fri, 14 Oct 2005 13:32:06 +0200 curl (7.14.1-5) unstable; urgency=low * Added build dependency on libtool (closes: #332729, #333174). -- Domenico Andreoli Tue, 11 Oct 2005 10:05:36 +0200 curl (7.14.1-4) unstable; urgency=low * Fixed SEE ALSO section in curl_excape.3 (closes: #331505). * Fixed configure.ac when --host=i586-mingw32msvc is given (closes: #329444). * Added missing example files (closes: #331722). * Updated build dependency for OpenSSL 0.9.8 transition. -- Domenico Andreoli Mon, 10 Oct 2005 12:43:25 +0200 curl (7.14.1-3) experimental; urgency=low * Fixed soname of libcurl-gnutls.so* variant. * Fixed broken sentence (closes: #329305). * Fixed reference to TheArtOfHttpScripting.gz (closes: #329299). * Added clarification about WRITEFUNCTION and WRITEDATA (closes: #329311). -- Domenico Andreoli Wed, 28 Sep 2005 17:13:51 +0200 curl (7.14.1-2) experimental; urgency=low * Started using the system-wide CA certificate file (closes: #308514). * Fixed apostrophe typos in the curl man page (closes: #326511). * Only curl_* symbols are now globally visible outside of libcurl. -- Domenico Andreoli Sat, 17 Sep 2005 23:52:28 +0200 curl (7.14.1-1) experimental; urgency=low * New upstream release. * libcurl3-gnutls has a modified soname and may be installed together with libcurl3 (closes: #318590). * Both libcurl3 and libcurl3-gnutls are built with versioned symbols and with support of GSSAPI authentication. * Renamed libcurl3-dev to libcurl3-openssl-dev. * Dropped package libcurl3-gssapi. -- Domenico Andreoli Thu, 15 Sep 2005 23:59:32 +0200 curl (7.14.0-5) unstable; urgency=low * Added libcurl3-gnutls and libcurl3-gnutls-dev packages (closes: #318590). * libcurl3-gssapi now has its own shlibs file. Packages built with this package installed will depend on it. -- Domenico Andreoli Thu, 18 Aug 2005 02:26:38 +0200 curl (7.14.0-4) unstable; urgency=low * OpenSSL is back (closes: #321294, #321391). -- Domenico Andreoli Fri, 5 Aug 2005 23:34:45 +0200 curl (7.14.0-3) unstable; urgency=low * Updated the use of dpkg-architecture (closes: #320046). * Added missing aclocal file libcurl.m4 to libcurl3-dev (closes: #315848). * Added (many) missing man pages (closes: #315850). * OpenSSL is replaced by GnuTLS in providing SSL support (closes: #318590). * Heimdal is replaced by MIT Kerberos in providing GSSAPI support. -- Domenico Andreoli Tue, 2 Aug 2005 22:34:01 +0200 curl (7.14.0-2ubuntu1) breezy; urgency=low * Synchronize with Debian. -- Matthias Klose Tue, 26 Jul 2005 19:03:01 +0200 curl (7.14.0-2) unstable; urgency=low * Rebuilt and uploaded to unstable. -- Domenico Andreoli Wed, 15 Jun 2005 11:41:32 +0200 curl (7.14.0-1) experimental; urgency=low * New upstream release. -- Domenico Andreoli Tue, 17 May 2005 10:42:35 +0200 curl (7.13.2-3) unstable; urgency=high * HTTP response headers with null bytes are now correctly managed (closes: #310948). -- Domenico Andreoli Fri, 3 Jun 2005 23:59:30 +0200 curl (7.13.2-2) unstable; urgency=low * Fixed conditional build of package libcurl3-gssapi (closes: #303939, #303953). -- Domenico Andreoli Mon, 11 Apr 2005 19:00:27 +0200 curl (7.13.2-1) unstable; urgency=low * New upstream release: - fixed curl man page typos (closes: #302820). -- Domenico Andreoli Tue, 5 Apr 2005 14:41:13 +0200 curl (7.13.1-3) unstable; urgency=low * Fixed hanging of some SSL connections (closes: #302366). -- Domenico Andreoli Thu, 31 Mar 2005 16:27:41 +0200 curl (7.13.1-2) unstable; urgency=low * Rebuilt to get the correct libidn11 dependency (closes: #299348). * Added some missing documentation files (closes: #298855). -- Domenico Andreoli Wed, 16 Mar 2005 14:30:03 +0100 curl (7.13.1-1) unstable; urgency=low * New upstream release. * Bumped up shlibs version for libcurl3 because of new curl options. -- Domenico Andreoli Fri, 4 Mar 2005 16:03:17 +0100 curl (7.13.0-2) unstable; urgency=high * Fixed NTLM Authentication buffer overflow (closes: #296678). Patch courtesy of Daniel Stenberg. This handles CAN-2005-0490. * Removed libcurl2* packages and all the scary stuff used to build them (closes: #274631). -- Domenico Andreoli Thu, 24 Feb 2005 10:07:22 +0100 curl (7.13.0-1) unstable; urgency=low * New upstream release. * libcurl3 now suggests package libldap2-dev to enable support for LDAP protocol. * Bumped up shlibs version for libcurl3 because of new curl options. -- Domenico Andreoli Sat, 5 Feb 2005 10:39:52 +0100 curl (7.12.3-2ubuntu3) hoary; urgency=low * Fix the version numbers internal to debian/rules. Closes; #8088 -- LaMont Jones Wed, 23 Mar 2005 18:41:29 -0700 curl (7.12.3-2) unstable; urgency=low * Disabled test suite on m68k, it stalls. -- Domenico Andreoli Thu, 30 Dec 2004 11:11:48 +0100 curl (7.12.3-1) unstable; urgency=low * New upstream release: - fixed debug tracing to network socket is stderr is closed (closes: #278691). * Applied patch to fix getpass license problems (closes: #286794). Patch courtesy of Daniel Stenberg. * Bumped up shlibs version for libcurl3 because of new curl options. -- Domenico Andreoli Mon, 27 Dec 2004 12:50:30 +0100 curl (7.12.2-2) unstable; urgency=low * libcurl3-dbg package is now built by dh_strip --dbg-package (closes: #274710). * Added build dependency on libdb4.2-dev. -- Domenico Andreoli Thu, 4 Nov 2004 11:36:17 +0100 curl (7.12.2-1) unstable; urgency=low * New upstream release. * Update diff to 7.11.2. * Add debian/watch file. * Add myself as a uploader. -- Matthias Klose Wed, 3 Nov 2004 00:55:52 +0100 curl (7.12.1-1) unstable; urgency=low * New upstream release: - workaround for ASN1_STRING_to_UTF8 failing if input is already UTF-8 encoded (closes: #264711). * Bumped up shlibs version for libcurl3 because of the introduction of FTP 3rd party transfer support options. -- Domenico Andreoli Tue, 10 Aug 2004 11:40:29 +0200 curl (7.12.0.rel-6) unstable; urgency=low * In rebuilding the 7.11.2 tree starting from the 7.12.0 one, lib/getdate.y is patched before lib/getdate.c (closes: #262597). -- Domenico Andreoli Sun, 1 Aug 2004 17:59:57 +0200 curl (7.12.0.rel-5) unstable; urgency=low * Tests are performed only if build target and building host are the same and are not kfreebsd-gnu or knetbsd-gnu (closes: #261591). * On hurd-i386 libcurl3-gssapi is not built. -- Domenico Andreoli Thu, 29 Jul 2004 15:17:51 +0200 curl (7.12.0.rel-4) unstable; urgency=low * Added build dependency on groff-base to really build the built-in manual. * libcurl3 now replaces old libcurl2 versions (closes: #255262). -- Domenico Andreoli Tue, 20 Jul 2004 11:40:09 +0200 curl (7.12.0.rel-3) unstable; urgency=low * Enabled curl's built-in manual. * configure script for 7.11.2 is now managed correctly. -- Domenico Andreoli Sun, 18 Jul 2004 22:25:00 +0200 curl (7.12.0.rel-2) unstable; urgency=low * libcurl2 uses curl-ca-bundle-7.11.2.crt (closes: #255262). Yes, it is a hack to not add libcurl-common package right now. -- Domenico Andreoli Sun, 18 Jul 2004 16:40:45 +0200 curl (7.12.0.rel-1) experimental; urgency=low * Version 7.12.0 is back with proper libcurl3* packages. * libcurl2* 7.11.2 packages are still provided (closes: #252879). * Enabled again the support for libidn. -- Domenico Andreoli Sun, 6 Jun 2004 23:09:33 +0200 curl (7.12.0.is.7.11.2-1) unstable; urgency=low * Reverted to version 7.11.2 (closes: #252348). * Disabled support for libidn (closes: #252367). This is to leave curl in unstable as much similar as possible to the one in testing. -- Domenico Andreoli Fri, 4 Jun 2004 19:09:25 +0200 curl (7.12.0-1) unstable; urgency=low * New upstream release: - fixed minor man page problem (closes: #232928) - improved --create-dirs description in curl man page (closes: #251351) * Enabled support for libidn. -- Domenico Andreoli Wed, 2 Jun 2004 18:06:05 +0200 curl (7.11.2-2) unstable; urgency=low * Fixed curl.1 man page (closes: #232928). Patch courtesy of Daniel Stenberg, the upstream developer. -- Domenico Andreoli Tue, 27 Apr 2004 19:47:09 +0200 curl (7.11.2-1) unstable; urgency=low * New upstream release. * Bumped up shlibs version because of the introduction of CURLOPT_TCP_NODELAY option. -- Domenico Andreoli Mon, 26 Apr 2004 14:14:20 +0200 curl (7.11.1-2) unstable; urgency=low * Added GSSAPI support to package libcurl2-gssapi (closes: #241553). -- Domenico Andreoli Fri, 2 Apr 2004 18:03:15 +0200 curl (7.11.1-1) unstable; urgency=low * New upstream release. * Bumped up shlibs version because of the introduction of CURLOPT_POSTFIELDSIZE_LARGE option. -- Domenico Andreoli Fri, 19 Mar 2004 11:39:07 +0100 curl (7.11.0-4) unstable; urgency=low * Applied fix from upstream's CVS which adds another CRLF in chunked-transfers. -- Domenico Andreoli Sun, 1 Feb 2004 13:19:02 +0100 curl (7.11.0-3) unstable; urgency=low * "Fixed" build process, now the right file is searched for CA certificates (closes: #228182). -- Domenico Andreoli Sat, 31 Jan 2004 20:06:10 +0100 curl (7.11.0-2) unstable; urgency=low * Test suite is still performed but is not critical for the build being successful any more. -- Domenico Andreoli Fri, 30 Jan 2004 13:03:03 +0100 curl (7.11.0-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Sun, 25 Jan 2004 17:50:43 +0100 curl (7.10.8+7.11.0-pre1-1) unstable; urgency=low * New upstream pre-release: - proxy+ssl now passes post variables (closes: #222901) - various test case problems exposed in #222140 should now be fixed. * Bumped up shlibs version because of the introduction of CURLOPT_NETRC_FILE and CURLOPT_FTP_SSL options in libcurl. -- Domenico Andreoli Wed, 14 Jan 2004 17:35:46 +0100 curl (7.10.8-1) unstable; urgency=low * New upstream release: - fixed LDAP support (closes: #149609) - cleaner environment for testsuite execution (closes: #210253) - fixed lib/Makefile.am's use of LDFLAGS (closes: #212086) - fixed name clash in curl.h with respect to unistd.h (closes: #213180) - fixed typo in curl manpage (closes: #218046). * Bumped up shlibs version because of new libcurl options. * Added stunnel to the Build-Depends in order to enable SSL test cases. -- Domenico Andreoli Mon, 3 Nov 2003 10:26:12 +0100 curl (7.10.7-2) unstable; urgency=low * Fixed bug in cache_resolv_response on alpha and ia64 (closes: #207174). Patch courtesy of Jurij Smakov. -- Domenico Andreoli Mon, 8 Sep 2003 21:55:46 +0200 curl (7.10.7-1) unstable; urgency=low * New upstream release. * Bumped up shlibs version because of the introduction of CURLOPT_PROXYAUTH and CURLOPT_FTP_CREATE_MISSING_DIRS options in libcurl. -- Domenico Andreoli Mon, 18 Aug 2003 00:19:43 +0200 curl (7.10.6-3) unstable; urgency=low * Applied patch to fix test 60 on ia64. -- Domenico Andreoli Sat, 9 Aug 2003 04:26:15 +0200 curl (7.10.6-2) unstable; urgency=low * Applied patch from upstream to fix url globbing (closes: #203827). * make test is still performed on building debug stuff but errors are ignored. -- Domenico Andreoli Thu, 7 Aug 2003 02:20:46 +0200 curl (7.10.6-1) unstable; urgency=low * New upstream release: - added spport for http_proxy env var with name:passwd (closes: #193630). * make test is invoked after build -- Domenico Andreoli Tue, 29 Jul 2003 01:26:50 +0200 curl (7.10.5-1) unstable; urgency=low * New upstream release: - fixed typo in curl's man page (closes: #189272). * New libcurl option CURLOPT_FTP_USE_EPRT has been added, bumped up shlibs. -- Domenico Andreoli Mon, 19 May 2003 23:57:12 +0200 curl (7.10.4-1) unstable; urgency=low * New upstream release: - now uses new settings properly when re-using an existing connection (closes: #185254) - curl man page now refers to MANUAL (closes: #178509). * Changed section of libcurl2-dev and libcurl2-dbg to libdevel. -- Domenico Andreoli Wed, 2 Apr 2003 21:25:24 +0200 curl (7.10.3-3) unstable; urgency=low * Rebuilt to link against libssl0.9.7. * Improved package descriptions thanks to suggestions provided by Filip Van Raemdonck (closes: #177995). -- Domenico Andreoli Fri, 14 Mar 2003 16:08:38 +0100 curl (7.10.3-2) unstable; urgency=low * Development package is now named libcurl2-dev, it provides libcurl-dev. People can now safely make their build dependencies and be sure to use the right stuff. * New package libcurl2-dbg is provided to help in debugging sessions. -- Domenico Andreoli Mon, 20 Jan 2003 22:04:32 +0100 curl (7.10.3-1) unstable; urgency=low * New upstream release. * It now suggests ca-certificates package. -- Domenico Andreoli Thu, 16 Jan 2003 00:27:48 +0100 curl (7.10.2-2) unstable; urgency=low * Added AM_MAINTAINER_MODE to configure.in (closes: #170050). -- Domenico Andreoli Fri, 22 Nov 2002 14:28:22 +0100 curl (7.10.2-1) unstable; urgency=low * New upstream release: - fixed segfault on retrieving relative redirects (closes: #165382) - fixed a leak of debug output (closes: #167678). * Updated config.guess and config.sub (closes: #166153). * Added zlib1g-dev to build and libcurl-dev dependencies (closes: #169654). * Added HTML and PDF versions of all manpages in libcurl-dev package. -- Domenico Andreoli Wed, 20 Nov 2002 23:38:24 +0100 curl (7.10.1-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Fri, 11 Oct 2002 23:26:50 +0200 curl (7.10-1) unstable; urgency=low * New upstream release: - new way to use option -x to prevent curl from using any proxy server (closes: #161153). -- Domenico Andreoli Wed, 2 Oct 2002 01:04:20 +0200 curl (7.9.8-2) unstable; urgency=low * Added again libcurl2-ssl to the libcurl2 conflicts. -- Domenico Andreoli Thu, 4 Jul 2002 02:35:24 +0200 curl (7.9.8-1) unstable; urgency=low * New upstream release. * Double flavor of curl to support both non-SSL and SSL is gone. Now curl comes only with SSL. Who needs SSL can require curl version >= 7.9.8 . -- Domenico Andreoli Mon, 24 Jun 2002 23:04:37 +0200 curl (7.9.7-2) unstable; urgency=low * Fixed the bashism in debian/rules (closes: #147352). * SSL and non-SSL series of curl packages are now built from the same source. thanks crypto-in-main! :) -- Domenico Andreoli Mon, 20 May 2002 23:28:05 +0200 curl (7.9.7-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Wed, 15 May 2002 21:09:19 +0200 curl (7.9.6-1) unstable; urgency=low * New upstream release. * libcurl.3 manpage is now installed by libcurl-dev instead of libcurl2. Indeed it provides an overview on how to use libcurl in C programs. -- Domenico Andreoli Sat, 20 Apr 2002 17:06:51 +0200 curl (7.9.5-2) unstable; urgency=low * curl-ssl stuff moved from non-US to main. -- Domenico Andreoli Mon, 25 Mar 2002 23:40:02 +0100 curl (7.9.5-1) unstable; urgency=low * New upstream release (closes: #134608). * Added autotools-dev to the build dependencies. config.{guess,sub} can now be updated automatically in the build process. -- Domenico Andreoli Tue, 12 Mar 2002 19:06:21 +0100 curl (7.9.3-2) unstable; urgency=low * Upstream source code has been correctly imported in my CVS repository (closes: #130906). -- Domenico Andreoli Sun, 27 Jan 2002 22:23:54 +0100 curl (7.9.3-1) unstable; urgency=low * New upstream release: - fixed wrong assumption on char signedness (closes: #127011) - missing header added accordingly (closes: #130401) * Fixed a typo in curl description (closes: #124526). -- Domenico Andreoli Thu, 24 Jan 2002 20:04:04 +0100 curl (7.9.2-1) unstable; urgency=low * New upstream release: - two bad timeout matters in libcurl2 are now solved (closes: #118595). -- Domenico Andreoli Fri, 7 Dec 2001 16:58:45 +0100 curl (7.9.1-3) unstable; urgency=low * Fixed return type of Curl_ftpsendf(...) to CURLcode (closes: #120485). * Versions in debian/libcurl2.shlibs have been incremented to ">= 7.9.1-1". -- Domenico Andreoli Thu, 22 Nov 2001 15:35:40 +0100 curl (7.9.1-2) unstable; urgency=low * Reverted to unpatched released 7.9.1 source tree, patch behavior was weird. -- Domenico Andreoli Thu, 15 Nov 2001 18:05:58 +0100 curl (7.9.1-1) unstable; urgency=low * New upstream release. * Applied upstream patch #478780 found on sourceforge, fixes libcurl which didn't restore SIGALRM handler (closes: #118595). * Applied patch for patch #478780 of above, see bug #118595 in BTS. Patch courtesy of Enrik Berkhan . * Build-Depends reduced to what is strictly required for building. autoconf, automake and libtool build dependencies are gone. -- Domenico Andreoli Fri, 9 Nov 2001 13:56:36 +0100 curl (7.9-1) unstable; urgency=low * New upstream release: - output of "curl-config --libs" now includes -lcurl. -- Domenico Andreoli Tue, 25 Sep 2001 18:38:46 +0200 curl (7.8-3) unstable; urgency=low * Added libc6-dev to libcurl2-dev dependencies. * Fixed lack of some FD_ZERO(...)s in lib/transfer.c (closes: #105516). -- Domenico Andreoli Fri, 3 Aug 2001 16:32:20 +0200 curl (7.8-2) unstable; urgency=low * libcurl2.shlibs now includes version numbers. some new symbols have been introduced in libcurl 7.8, so program linked against 7.8 cannot work with older ones. * IPv6 support is now enabled * configure.in has been renamed to autoconf.ac to force the use of autoconf 2.50 -- Domenico Andreoli Thu, 5 Jul 2001 01:38:24 +0200 curl (7.8-1) unstable; urgency=low * New upstream release. * Applied patch for correct shared library versioning of libcurl, curl 7.8 comes with broken shared library version out of the box. Patch provided by upstream developer. -- Domenico Andreoli Sat, 9 Jun 2001 21:12:05 +0200 curl (7.7.3-3) unstable; urgency=low * Fixed manpages libcurl-dev with required simlinks (closes: 99610). -- Domenico Andreoli Mon, 4 Jun 2001 14:37:49 +0200 curl (7.7.3-2) unstable; urgency=low * lib/url.c and lib/version.c are now fixed (closes: #97709). * install upstream changelog (closes: #97628). -- Domenico Andreoli Fri, 18 May 2001 10:32:25 +0200 curl (7.7.3-1) unstable; urgency=low * New upstream release. * Using dh_installman instead dh_installmanpages. * Installing libcurl examples with dh_installexamples. * Policy 3.5.3.0 compliant. -- Domenico Andreoli Thu, 10 May 2001 09:45:05 +0200 curl (7.7.2-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Tue, 24 Apr 2001 09:14:51 +0200 curl (7.7.1-2) unstable; urgency=low * Fixed debian/rules (closes: #78232, #93837). -- Domenico Andreoli Tue, 17 Apr 2001 17:12:19 +0200 curl (7.7.1-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Tue, 10 Apr 2001 13:26:09 +0200 curl (7.7-1) unstable; urgency=low * New upstream release. * Fixed formatting errors in curl.1 (closes: #90281). -- Domenico Andreoli Fri, 23 Mar 2001 18:25:26 +0100 curl (7.6.1-5) unstable; urgency=low * Fixed debian/libcurl1.shlibs in order to solve any problem for those packages which should depend on either libcurl1 or libcurl1-ssl. I should have done it long time ago. -- Domenico Andreoli Tue, 13 Mar 2001 18:29:06 +0100 curl (7.6.1-4) unstable; urgency=low * Added versioned Build-Depend for debhelper. -- Domenico Andreoli Tue, 6 Mar 2001 15:16:02 +0100 curl (7.6.1-3) unstable; urgency=low * Refining the transition to debhelper compatibility 2. I forgot the executable in the curl package (closes: #87886). -- Domenico Andreoli Wed, 28 Feb 2001 14:31:43 +0100 curl (7.6.1-2) unstable; urgency=low * Switched to debhelper compatibility version 2. -- Domenico Andreoli Fri, 23 Feb 2001 18:24:02 +0100 curl (7.6.1-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Tue, 13 Feb 2001 18:04:04 +0100 curl (7.6-2) unstable; urgency=low * Adjusted dependencies in order to let curl-ssl package manage a smooth upgrade from potato. -- Domenico Andreoli Fri, 9 Feb 2001 13:36:11 +0100 curl (7.6-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Mon, 29 Jan 2001 16:00:59 +0100 curl (7.5.2-2) unstable; urgency=low * This is a service upload in order to fix dependencies problems arose for a ill-formed upload of 7.5.2-1. -- Domenico Andreoli Mon, 29 Jan 2001 14:54:57 +0100 curl (7.5.2-1) unstable; urgency=low * New upstream release. * It needed to be recompiled against the new libc (closes: #80256). -- Domenico Andreoli Mon, 15 Jan 2001 13:08:15 +0100 curl (7.5-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Mon, 4 Dec 2000 13:15:33 +0100 curl (7.4.2-2) unstable; urgency=low * curl replaces curl-ssl. curl is only a frontend for libcurl and is not aware of any protocol, libcurl is. so what is really different whether ssl is enable or not is only libcurl. * curl now depends on (libcurl0 | libcurl0-ssl). * The workaround for libtool -rpath parameter is not required, so it has been removed from configure.in. * Removed "Suggests: " field in control file for libcurl0. It suggested to install curl and libcurl-dev too but it really doesn't make sense (this change was really applied in -1). -- Domenico Andreoli Tue, 28 Nov 2000 14:27:29 +0100 curl (7.4.2-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Fri, 17 Nov 2000 16:19:23 +0100 curl (7.2.1-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Mon, 4 Sep 2000 01:22:44 +0200 curl (7.1-3) unstable; urgency=low * Added "Suggests: " field in control file for libcurl0. Now curl and libcurl-dev are suggested upon installation of libcurl0. -- Domenico Andreoli Mon, 14 Aug 2000 15:01:08 +0200 curl (7.1-2) unstable; urgency=low * Fixed a line that did not install development manpages. -- Domenico Andreoli Thu, 10 Aug 2000 14:32:23 +0200 curl (7.1-1) unstable; urgency=low * New upstream release. * libcurl is now a separate package, it provides shared libraries and includes to allow developing for other applications. -- Domenico Andreoli Wed, 9 Aug 2000 01:21:25 +0200 curl (6.5.2-4) unstable; urgency=low * Some missing build dependencies (autoconf, automake, libtool) added. -- Domenico Andreoli Sat, 8 Jul 2000 00:13:16 +0200 curl (6.5.2-3) unstable; urgency=low * Due to some policy and technical restrictions, curl's source package has been splitted again in two, one for main archive and one for non-US. -- Domenico Andreoli Tue, 4 Jul 2000 15:52:14 +0200 curl (6.5.2-2) unstable; urgency=low * Added a Build-Depends in order to compile curl-ssl only if libssl09-dev is installed. * Documentation reflects the new location of curl debian packages home page (http://curl-deb.sourceforge.net). * Corrected minor spelling errors in README.Debian. -- Domenico Andreoli Sat, 17 Jun 2000 01:13:19 +0200 curl (6.5.2-1) unstable; urgency=low * New upstream release. * Now curl and curl-ssl binary packages are generated from the same debian source package. * Uploads and downloads are now performed simultaneously (closes: #56627). -- Domenico Andreoli Sat, 25 Mar 2000 01:06:35 +0100 curl (6.4-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Sun, 30 Jan 2000 02:21:32 +0100 curl (6.3.1-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Sat, 11 Dec 1999 17:38:13 +0100 curl (6.2-1) unstable; urgency=low * New upstream release. * No hack to compile without SSL is required anymore. Fixed by upstream maintainer. -- Domenico Andreoli Mon, 1 Nov 1999 00:37:32 +0100 curl (6.0-1) unstable; urgency=low * New upstream release. -- Domenico Andreoli Mon, 27 Sep 1999 22:28:13 +0200 curl (5.11-1.1) unstable; urgency=low * Put sources into the right section. -- Domenico Andreoli Mon, 30 Aug 1999 03:14:21 +0200 curl (5.11-1) unstable; urgency=low * New upstream release. * New debian maintainer. -- Domenico Andreoli Fri, 27 Aug 1999 11:50:04 +0200 curl (5.9-2) unstable; urgency=low * Moved to non-US, and compiled against ssl (closes: #40099). -- Leon Breedt Sat, 3 Jul 1999 15:46:54 +0200 curl (5.9-1) unstable; urgency=low * New upstream release. -- Leon Breedt Sun, 23 May 1999 21:51:30 +0200 curl (5.8-1) unstable; urgency=low * Initial Release. -- Leon Breedt Sun, 9 May 1999 18:55:48 +0200 debian/libcurl4-openssl-dev.manpages0000644000000000000000000000002312272152435014656 0ustar docs/curl-config.1