diff --git a/0001-curl-7.51.0-ssh-md5.patch b/0001-curl-7.51.0-ssh-md5.patch new file mode 100644 index 0000000..6ed3e0e --- /dev/null +++ b/0001-curl-7.51.0-ssh-md5.patch @@ -0,0 +1,33 @@ +From a57cd03551cb373bd69278d7281026ac147bb4b4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 7 Nov 2016 12:54:40 +0100 +Subject: [PATCH 1/2] ssh: check md5 fingerprints case insensitively + (regression) + +Revert the change from ce8d09483eea but use the new function + +Reported-by: Kamil Dudka +Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146 + +Upstream-commit: 50aded1cd4bb751cad52c39c4fa1f06ebc5e133e +Signed-off-by: Kamil Dudka +--- + lib/ssh.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/ssh.c b/lib/ssh.c +index 43c8283..0df030d 100644 +--- a/lib/ssh.c ++++ b/lib/ssh.c +@@ -676,7 +676,7 @@ static CURLcode ssh_check_fingerprint(struct connectdata *conn) + * against a known fingerprint, if available. + */ + if(pubkey_md5 && strlen(pubkey_md5) == 32) { +- if(!fingerprint || strcmp(md5buffer, pubkey_md5)) { ++ if(!fingerprint || !strcasecompare(md5buffer, pubkey_md5)) { + if(fingerprint) + failf(data, + "Denied establishing ssh session: mismatch md5 fingerprint. " +-- +2.7.4 + diff --git a/curl.spec b/curl.spec index 4bf6787..b862d09 100644 --- a/curl.spec +++ b/curl.spec @@ -1,11 +1,14 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.51.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma +# ssh: check md5 fingerprints case insensitively +Patch1: 0001-curl-7.51.0-ssh-md5.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -122,6 +125,7 @@ documentation of the library, too. %setup -q # upstream patches +%patch1 -p1 # Fedora patches %patch101 -p1 @@ -229,6 +233,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Tue Nov 15 2016 Kamil Dudka 7.51.0-2 +- ssh: check md5 fingerprints case insensitively + * Wed Nov 02 2016 Kamil Dudka 7.51.0-1 - temporarily disable failing libidn2 test-cases - new upstream release, which fixes the following vulnerabilities