head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2012.01.28.14.41.15; author wiz; state dead; branches; next 1.1; 1.1 date 2012.01.26.11.25.55; author drochner; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2012.01.26.11.25.55; author sbd; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2012.01.28.06.26.19; author sbd; state Exp; branches; next ; desc @@ 1.2 log @Update to 7.24.0: Fixed in 7.24.0 - January 24 2012 Release contains security-related bug fix Changes: * CURLOPT_QUOTE: SFTP supports the '*'-prefix now * CURLOPT_DNS_SERVERS: set name servers if possible * Add support for using nettle instead of gcrypt as gnutls backend * CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes * Added CURLOPT_ACCEPTTIMEOUT_MS * configure: add symbols versioning option --enable-versioned-symbols Bugfixes: * curl was vulnerable to a data injection attack for certain protocols CVE-2012-0036 * curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL * SSL session share: move the age counter to the share object * -J -O: use -O name if no Content-Disposition header comes! * protocol_connect: show verbose connect and set connect time * query-part: ignore the URI part for given protocols * gnutls: only translate winsock errors for old versions * POP3: fix end of body detection * POP3: detect when LIST returns no mails * TELNET: improved treatment of options * configure: add support for pkg-config detection of libidn * CyaSSL 2.0+ library initialization adjustment * multi interface: only use non-NULL socker function pointer * call opensocket callback properly for active FTP * don't call close socket callback for sockets created with accept() * differentiate better between host/proxy errors * SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5 * multi: handle timeouts on DNS servers by checking for new sockets * CURLOPT_DNS_SERVERS: fix return code * POP3: fixed escaped dot not being stripped out * OpenSSL: check for the SSLv2 function in configure * MakefileBuild: fix the static build * create_conn: don't switch to HTTP protocol if tunneling is enabled * multi interface: fix block when CONNECT_ONLY option is used * Fix connection reuse for TLS upgraded connections * multiple file upload with -F and custom type * multi interface: active FTP connections are no longer blocking * Android build fix * timer: restore PRETRANSFER timing * libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM * appconnect time fixed for non-blocking connect ssl backends * do not include SSL handshake into time spent waiting for 100-continue * handle dns cache case insensitive * use new host name casing for subsequent HTTP requests * CURLOPT_RESOLVE: avoid adding already present host names * SFTP mkdir: use correct permission * resolve: don't leak pre-populated dns entries * --retry: Retry transfers on timeout and DNS errors * negotiate with SSPI backend: use the correct buffer for input * SFTP dir: increase buffer size counter to avoid cut off file names * TFTP: fix resending (again) * c-ares: don't include getaddrinfo-using code * FTP: CURLE_PARTIAL_FILE will not close the control channel * win32-threaded-resolver: stop using a dummy socket * OpenSSL: remove reference to openssl internal struct * OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled * OpenSSL: fix PKCS#12 certificate parsing related memory leak * OpenLDAP: fix LDAP connection phase memory leak * Telnet: Use correct file descriptor for telnet upload * Telnet: Remove bogus optimisation of telnet upload * URL parse: user name with ipv6 numerical address * polarssl: show cipher suite name correctly with 1.1.0 * polarssl: havege_rand is not present in version 1.1.0 WARNING, we still use the old API which is said to be insecure * gnutls: enforced use of SSLv3 @ text @$NetBSD: patch-ba,v 1.1 2012/01/26 11:25:55 drochner Exp $ CVE-2012-0036 --- lib/escape.c.orig 2011-11-04 22:32:56.000000000 +0000 +++ lib/escape.c @@@@ -31,6 +31,7 @@@@ #include "urldata.h" #include "warnless.h" #include "non-ascii.h" +#include "escape.h" #define _MPRINTF_REPLACE /* use our functions only */ #include @@@@ -84,7 +85,7 @@@@ char *curl_easy_escape(CURL *handle, con char *testing_ptr = NULL; unsigned char in; /* we need to treat the characters unsigned */ size_t newlen = alloc; - int strindex=0; + size_t strindex=0; size_t length; CURLcode res; @@@@ -132,23 +133,29 @@@@ char *curl_easy_escape(CURL *handle, con } /* - * Unescapes the given URL escaped string of given length. Returns a - * pointer to a malloced string with length given in *olen. - * If length == 0, the length is assumed to be strlen(string). - * If olen == NULL, no output length is stored. + * Curl_urldecode() URL decodes the given string. + * + * Optionally detects control characters (byte codes lower than 32) in the + * data and rejects such data. + * + * Returns a pointer to a malloced string in *ostring with length given in + * *olen. If length == 0, the length is assumed to be strlen(string). + * */ -char *curl_easy_unescape(CURL *handle, const char *string, int length, - int *olen) +CURLcode Curl_urldecode(struct SessionHandle *data, + const char *string, size_t length, + char **ostring, size_t *olen, + bool reject_ctrl) { - int alloc = (length?length:(int)strlen(string))+1; + size_t alloc = (length?length:strlen(string))+1; char *ns = malloc(alloc); unsigned char in; - int strindex=0; + size_t strindex=0; unsigned long hex; CURLcode res; if(!ns) - return NULL; + return CURLE_OUT_OF_MEMORY; while(--alloc > 0) { in = *string; @@@@ -164,16 +171,20 @@@@ char *curl_easy_unescape(CURL *handle, c in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */ - res = Curl_convert_from_network(handle, &in, 1); + res = Curl_convert_from_network(data, &in, 1); if(res) { /* Curl_convert_from_network calls failf if unsuccessful */ free(ns); - return NULL; + return res; } string+=2; alloc-=2; } + if(reject_ctrl && (in < 0x20)) { + free(ns); + return CURLE_URL_MALFORMAT; + } ns[strindex++] = in; string++; @@@@ -183,7 +194,33 @@@@ char *curl_easy_unescape(CURL *handle, c if(olen) /* store output size */ *olen = strindex; - return ns; + + if(ostring) + /* store output string */ + *ostring = ns; + + return CURLE_OK; +} + +/* + * Unescapes the given URL escaped string of given length. Returns a + * pointer to a malloced string with length given in *olen. + * If length == 0, the length is assumed to be strlen(string). + * If olen == NULL, no output length is stored. + */ +char *curl_easy_unescape(CURL *handle, const char *string, int length, + int *olen) +{ + char *str = NULL; + size_t inputlen = length; + size_t outputlen; + CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen, + FALSE); + if(res) + return NULL; + if(olen) + *olen = curlx_uztosi(outputlen); + return str; } /* For operating systems/environments that use different malloc/free @ 1.1 log @add patches from upstream to fix 2 security problems: -data injection attack for certain protocols (CVE-2012-0036) -SSL CBC IV vulnerability (OpenSSL related, CVE-2011-3389) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-ba was added on branch pkgsrc-2011Q4 on 2012-01-28 06:26:19 +0000 @ text @d1 120 @ 1.1.2.2 log @Pullup ticket #3663 - requested by drochner www/curl security update Revisions pulled up: - www/curl/Makefile 1.110 - www/curl/distinfo 1.73 - www/curl/patches/patch-ba 1.1 - www/curl/patches/patch-bb 1.1 - www/curl/patches/patch-bc 1.1 - www/curl/patches/patch-bd 1.1 - www/curl/patches/patch-be 1.1 - www/curl/patches/patch-bf 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Thu Jan 26 11:25:55 UTC 2012 Modified Files: pkgsrc/www/curl: Makefile distinfo Added Files: pkgsrc/www/curl/patches: patch-ba patch-bb patch-bc patch-bd patch-be patch-bf Log Message: add patches from upstream to fix 2 security problems: -data injection attack for certain protocols (CVE-2012-0036) -SSL CBC IV vulnerability (OpenSSL related, CVE-2011-3389) bump PKGREV @ text @a0 120 $NetBSD$ CVE-2012-0036 --- lib/escape.c.orig 2011-11-04 22:32:56.000000000 +0000 +++ lib/escape.c @@@@ -31,6 +31,7 @@@@ #include "urldata.h" #include "warnless.h" #include "non-ascii.h" +#include "escape.h" #define _MPRINTF_REPLACE /* use our functions only */ #include @@@@ -84,7 +85,7 @@@@ char *curl_easy_escape(CURL *handle, con char *testing_ptr = NULL; unsigned char in; /* we need to treat the characters unsigned */ size_t newlen = alloc; - int strindex=0; + size_t strindex=0; size_t length; CURLcode res; @@@@ -132,23 +133,29 @@@@ char *curl_easy_escape(CURL *handle, con } /* - * Unescapes the given URL escaped string of given length. Returns a - * pointer to a malloced string with length given in *olen. - * If length == 0, the length is assumed to be strlen(string). - * If olen == NULL, no output length is stored. + * Curl_urldecode() URL decodes the given string. + * + * Optionally detects control characters (byte codes lower than 32) in the + * data and rejects such data. + * + * Returns a pointer to a malloced string in *ostring with length given in + * *olen. If length == 0, the length is assumed to be strlen(string). + * */ -char *curl_easy_unescape(CURL *handle, const char *string, int length, - int *olen) +CURLcode Curl_urldecode(struct SessionHandle *data, + const char *string, size_t length, + char **ostring, size_t *olen, + bool reject_ctrl) { - int alloc = (length?length:(int)strlen(string))+1; + size_t alloc = (length?length:strlen(string))+1; char *ns = malloc(alloc); unsigned char in; - int strindex=0; + size_t strindex=0; unsigned long hex; CURLcode res; if(!ns) - return NULL; + return CURLE_OUT_OF_MEMORY; while(--alloc > 0) { in = *string; @@@@ -164,16 +171,20 @@@@ char *curl_easy_unescape(CURL *handle, c in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */ - res = Curl_convert_from_network(handle, &in, 1); + res = Curl_convert_from_network(data, &in, 1); if(res) { /* Curl_convert_from_network calls failf if unsuccessful */ free(ns); - return NULL; + return res; } string+=2; alloc-=2; } + if(reject_ctrl && (in < 0x20)) { + free(ns); + return CURLE_URL_MALFORMAT; + } ns[strindex++] = in; string++; @@@@ -183,7 +194,33 @@@@ char *curl_easy_unescape(CURL *handle, c if(olen) /* store output size */ *olen = strindex; - return ns; + + if(ostring) + /* store output string */ + *ostring = ns; + + return CURLE_OK; +} + +/* + * Unescapes the given URL escaped string of given length. Returns a + * pointer to a malloced string with length given in *olen. + * If length == 0, the length is assumed to be strlen(string). + * If olen == NULL, no output length is stored. + */ +char *curl_easy_unescape(CURL *handle, const char *string, int length, + int *olen) +{ + char *str = NULL; + size_t inputlen = length; + size_t outputlen; + CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen, + FALSE); + if(res) + return NULL; + if(olen) + *olen = curlx_uztosi(outputlen); + return str; } /* For operating systems/environments that use different malloc/free @