- update to 7.19.4 (fixes CVE-2009-0037)

- fix leak in curl_easy* functions, thanks to Kamil Dudka
- drop nss-fix patch, applied upstream
This commit is contained in:
Jindrich Novy 2009-03-03 07:08:27 +00:00
parent b3c04e1d32
commit 5144908d02
5 changed files with 47 additions and 29 deletions

View File

@ -1,2 +1 @@
curl-7.18.2.tar.bz2
curl-7.19.3.tar.bz2
curl-7.19.4.tar.bz2

View File

@ -1,22 +0,0 @@
diff -ruNp curl-7.19.3.orig/lib/nss.c curl-7.19.3/lib/nss.c
--- curl-7.19.3.orig/lib/nss.c 2009-01-07 15:12:01.000000000 +0100
+++ curl-7.19.3/lib/nss.c 2009-02-16 11:39:41.912075708 +0100
@@ -1140,7 +1140,7 @@ CURLcode Curl_nss_connect(struct connect
n = strrchr(data->set.str[STRING_CERT], '/');
if(n) {
n++; /* skip last slash */
- nickname = aprintf(nickname, "PEM Token #%d:%s", 1, n);
+ nickname = aprintf("PEM Token #%d:%s", 1, n);
if(!nickname)
return CURLE_OUT_OF_MEMORY;
@@ -1171,7 +1171,8 @@ CURLcode Curl_nss_connect(struct connect
if(SSL_GetClientAuthDataHook(model,
(SSLGetClientAuthData) SelectClientCert,
- (void *)connssl) != SECSuccess) {
+ (void *)connssl->client_nickname) !=
+ SECSuccess) {
curlerr = CURLE_SSL_CERTPROBLEM;
goto error;
}

View File

@ -0,0 +1,36 @@
diff -up curl-7.19.4/lib/easy.c.easy-leak curl-7.19.4/lib/easy.c
--- curl-7.19.4/lib/easy.c.easy-leak 2009-01-29 21:41:51.000000000 +0100
+++ curl-7.19.4/lib/easy.c 2009-03-03 07:54:58.000000000 +0100
@@ -352,13 +352,11 @@ CURL *curl_easy_init(void)
struct SessionHandle *data;
/* Make sure we inited the global SSL stuff */
- if(!initialized) {
- res = curl_global_init(CURL_GLOBAL_DEFAULT);
- if(res) {
- /* something in the global init failed, return nothing */
- DEBUGF(fprintf(stderr, "Error: curl_global_init failed\n"));
- return NULL;
- }
+ res = curl_global_init(CURL_GLOBAL_DEFAULT);
+ if(res) {
+ /* something in the global init failed, return nothing */
+ DEBUGF(fprintf(stderr, "Error: curl_global_init failed\n"));
+ return NULL;
}
/* We use curl_open() with undefined URL so far */
@@ -549,10 +547,10 @@ void curl_easy_cleanup(CURL *curl)
{
struct SessionHandle *data = (struct SessionHandle *)curl;
- if(!data)
- return;
+ if(data)
+ Curl_close(data);
- Curl_close(data);
+ curl_global_cleanup();
}
/*

View File

@ -1,14 +1,14 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.19.3
Release: 2%{?dist}
Version: 7.19.4
Release: 1%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
Patch1: curl-7.15.3-multilib.patch
Patch2: curl-7.16.0-privlibs.patch
Patch3: curl-7.17.1-badsocket.patch
Patch4: curl-7.19.3-nss-fix.patch
Patch4: curl-7.19.4-easy-leak.patch
Provides: webclient
URL: http://curl.haxx.se/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -49,7 +49,7 @@ use cURL's capabilities internally.
%patch1 -p1 -b .multilib
%patch2 -p1 -b .privlibs
%patch3 -p1 -b .badsocket
%patch4 -p1 -b .nssfix
%patch4 -p1 -b .easy-leak
# Convert docs to UTF-8
for f in CHANGES README; do
@ -118,6 +118,11 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
* Tue Mar 03 2009 Jindrich Novy <jnovy@redhat.com> 7.19.4-1
- update to 7.19.4 (fixes CVE-2009-0037)
- fix leak in curl_easy* functions, thanks to Kamil Dudka
- drop nss-fix patch, applied upstream
* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.19.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

View File

@ -1 +1 @@
10eb8c13350c735eff20d7b4530be8cd curl-7.19.3.tar.bz2
2734167c1e5f7ce6be99b75d2d371d85 curl-7.19.4.tar.bz2